maestrano-ruby-test 0.8.3

data/test/maestrano/saml/response_test.rb

@@ -0,0 +1,290 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module Saml
+    class SamlTest < Test::Unit::TestCase
+      include SamlTestHelper
+  
+      context "Response" do
+        should "raise an exception when response is initialized with nil" do
+          assert_raises(ArgumentError) { Maestrano::Saml::Response.new(nil) }
+        end
+
+        should "be able to parse a document which contains ampersands" do
+          Maestrano::XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
+          Maestrano::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
+
+          response = Maestrano::Saml::Response.new(ampersands_response)
+          settings = Maestrano::Saml::Settings.new
+          settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
+          response.settings = settings
+          response.validate!
+        end
+
+        should "adapt namespace" do
+          response = Maestrano::Saml::Response.new(response_document)
+          assert !response.name_id.nil?
+          response = Maestrano::Saml::Response.new(response_document_2)
+          assert !response.name_id.nil?
+          response = Maestrano::Saml::Response.new(response_document_3)
+          assert !response.name_id.nil?
+        end
+
+        should "default to raw input when a response is not Base64 encoded" do
+          decoded  = Base64.decode64(response_document_2)
+          response = Maestrano::Saml::Response.new(decoded)
+          assert response.document
+        end
+
+        context "Assertion" do
+          should "only retreive an assertion with an ID that matches the signature's reference URI" do
+            response = Maestrano::Saml::Response.new(wrapped_response_2)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            settings.idp_cert_fingerprint = signature_fingerprint_1
+            response.settings = settings
+            assert response.name_id.nil?
+          end
+        end
+
+        context "#validate!" do
+          should "raise when encountering a condition that prevents the document from being valid" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_raise(Maestrano::Saml::ValidationError) do
+              response.validate!
+            end
+          end
+        end
+
+        context "#is_valid?" do
+          should "return false when response is initialized with blank data" do
+            response = Maestrano::Saml::Response.new('')
+            assert !response.is_valid?
+          end
+
+          should "return false if settings have not been set" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert !response.is_valid?
+          end
+
+          should "return true when the response is initialized with valid data" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            response.stubs(:conditions).returns(nil)
+            assert !response.is_valid?
+            settings = Maestrano::Saml::Settings.new
+            assert !response.is_valid?
+            response.settings = settings
+            assert !response.is_valid?
+            settings.idp_cert_fingerprint = signature_fingerprint_1
+            assert response.is_valid?
+          end
+
+          should "should be idempotent when the response is initialized with invalid data" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            response.settings = settings
+            assert !response.is_valid?
+            assert !response.is_valid?
+          end
+
+          should "should be idempotent when the response is initialized with valid data" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            response.settings = settings
+            settings.idp_cert_fingerprint = signature_fingerprint_1
+            assert response.is_valid?
+            assert response.is_valid?
+          end
+
+          should "return true when using certificate instead of fingerprint" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            response.settings = settings
+            settings.idp_cert = signature_1
+            assert response.is_valid?
+          end
+
+          should "not allow signature wrapping attack" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            settings.idp_cert_fingerprint = signature_fingerprint_1
+            response.settings = settings
+            assert response.is_valid?
+            assert response.name_id == "test@onelogin.com"
+          end
+
+          should "support dynamic namespace resolution on signature elements" do
+            response = Maestrano::Saml::Response.new(fixture("no_signature_ns.xml"))
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            response.settings = settings
+            settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+            Maestrano::XMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
+            assert response.validate!
+          end
+
+          should "validate ADFS assertions" do
+            response = Maestrano::Saml::Response.new(fixture(:adfs_response_sha256))
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+            response.settings = settings
+            assert response.validate!
+          end
+
+          should "validate the digest" do
+            response = Maestrano::Saml::Response.new(r1_response_document_6)
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            settings.idp_cert = Base64.decode64(r1_signature_2)
+            response.settings = settings
+            assert response.validate!
+          end
+
+          should "validate SAML 2.0 XML structure" do
+            resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
+            response = Maestrano::Saml::Response.new(Base64.encode64(resp_xml))
+            response.stubs(:conditions).returns(nil)
+            settings = Maestrano::Saml::Settings.new
+            settings.idp_cert_fingerprint = signature_fingerprint_1
+            response.settings = settings
+            assert_raises(Maestrano::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
+          end
+        end
+
+        context "#name_id" do
+          should "extract the value of the name id element" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_equal "support@onelogin.com", response.name_id
+
+            response = Maestrano::Saml::Response.new(response_document_3)
+            assert_equal "someone@example.com", response.name_id
+          end
+
+          should "be extractable from an OpenSAML response" do
+            response = Maestrano::Saml::Response.new(fixture(:open_saml))
+            assert_equal "someone@example.org", response.name_id
+          end
+
+          should "be extractable from a Simple SAML PHP response" do
+            response = Maestrano::Saml::Response.new(fixture(:simple_saml_php))
+            assert_equal "someone@example.com", response.name_id
+          end
+        end
+
+        context "#check_conditions" do
+          should "check time conditions" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert !response.send(:validate_conditions, true)
+            response = Maestrano::Saml::Response.new(response_document_6)
+            assert response.send(:validate_conditions, true)
+            time     = Time.parse("2011-06-14T18:25:01.516Z")
+            Time.stubs(:now).returns(time)
+            response = Maestrano::Saml::Response.new(response_document_5)
+            assert response.send(:validate_conditions, true)
+          end
+
+          should "optionally allow for clock drift" do
+            # The NotBefore condition in the document is 2011-06-14T18:21:01.516Z
+            Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
+            response = Maestrano::Saml::Response.new(response_document_5, :allowed_clock_drift => 0.515)
+            assert !response.send(:validate_conditions, true)
+
+            Time.stubs(:now).returns(Time.parse("2011-06-14T18:21:01Z"))
+            response = Maestrano::Saml::Response.new(response_document_5, :allowed_clock_drift => 0.516)
+            assert response.send(:validate_conditions, true)
+          end
+        end
+
+        context "#attributes" do
+          should "extract the first attribute in a hash accessed via its symbol" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_equal "demo", response.attributes[:uid]
+          end
+
+          should "extract the first attribute in a hash accessed via its name" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_equal "demo", response.attributes["uid"]
+          end
+
+          should "extract all attributes" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_equal "demo", response.attributes[:uid]
+            assert_equal "value", response.attributes[:another_value]
+          end
+
+          should "work for implicit namespaces" do
+            response = Maestrano::Saml::Response.new(response_document_3)
+            assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
+          end
+
+          should "not raise on responses without attributes" do
+            response = Maestrano::Saml::Response.new(response_document_4)
+            assert_equal Hash.new, response.attributes
+          end
+
+          context "#multiple values" do
+            should "extract single value as string" do
+              response = Maestrano::Saml::Response.new(fixture(:response_with_multiple_attribute_values))
+              assert_equal "demo", response.attributes[:uid]
+            end
+
+            should "extract first of multiple values as string for b/w compatibility" do
+              response = Maestrano::Saml::Response.new(fixture(:response_with_multiple_attribute_values))
+              assert_equal 'value1', response.attributes[:another_value]
+            end
+
+            should "return array with all attributes when asked" do
+              response = Maestrano::Saml::Response.new(fixture(:response_with_multiple_attribute_values))
+              assert_equal ['value2', 'value1'], response.attributes[:another_value].values
+            end
+
+            should "return last of multiple values when multiple Attribute tags in XML" do
+              response = Maestrano::Saml::Response.new(fixture(:response_with_multiple_attribute_values))
+              assert_equal 'role2', response.attributes[:role]
+            end
+
+            should "return all of multiple values in reverse order when multiple Attribute tags in XML" do
+              response = Maestrano::Saml::Response.new(fixture(:response_with_multiple_attribute_values))
+              assert_equal ['role2', 'role1'], response.attributes[:role].values
+            end
+          end
+        end
+
+        context "#session_expires_at" do
+          should "extract the value of the SessionNotOnOrAfter attribute" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert response.session_expires_at.is_a?(Time)
+
+            response = Maestrano::Saml::Response.new(response_document_2)
+            assert response.session_expires_at.nil?
+          end
+        end
+
+        context "#issuer" do
+          should "return the issuer inside the response assertion" do
+            response = Maestrano::Saml::Response.new(response_document)
+            assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
+          end
+
+          should "return the issuer inside the response" do
+            response = Maestrano::Saml::Response.new(response_document_2)
+            assert_equal "wibble", response.issuer
+          end
+        end
+
+        context "#success" do
+          should "find a status code that says success" do
+            response = Maestrano::Saml::Response.new(response_document)
+            response.success?
+          end
+        end
+
+      end
+    end
+  end
+end

data/test/maestrano/saml/settings_test.rb

@@ -0,0 +1,51 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module Saml
+    class SettingsTest < Test::Unit::TestCase
+
+      context "Settings" do
+        setup do
+          @settings = Maestrano::Saml::Settings.new
+        end
+        should "should provide getters and settings" do
+          accessors = [
+            :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
+            :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
+            :idp_slo_target_url, :name_identifier_value, :sessionindex,
+            :assertion_consumer_logout_service_url,
+            :passive, :protocol_binding
+          ]
+
+          accessors.each do |accessor|
+            value = Kernel.rand
+            @settings.send("#{accessor}=".to_sym, value)
+            assert_equal value, @settings.send(accessor)
+          end
+        end
+
+        should "create settings from hash" do
+
+          config = {
+              :assertion_consumer_service_url => "http://app.muda.no/sso",
+              :issuer => "http://muda.no",
+              :sp_name_qualifier => "http://sso.muda.no",
+              :idp_sso_target_url => "http://sso.muda.no/sso",
+              :idp_slo_target_url => "http://sso.muda.no/slo",
+              :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+              :name_identifier_format => Maestrano::Saml::Settings::NAMEID_TRANSIENT,
+              :passive => true,
+              :protocol_binding => Maestrano::Saml::Settings::PROTOCOL_BINDING_POST
+          }
+          @settings = Maestrano::Saml::Settings.new(config)
+
+          config.each do |k,v|
+            assert_equal v, @settings.send(k)
+          end
+        end
+
+      end
+
+    end
+  end
+end

data/test/maestrano/sso/base_group_test.rb

@@ -0,0 +1,54 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class BaseGroupTest < Test::Unit::TestCase
+      include SamlTestHelper
+  
+      setup do
+        @saml_response = Maestrano::Saml::Response.new(response_document)
+        @saml_response.stubs(:attributes).returns({
+          'mno_session'          => 'f54sd54fd64fs5df4s3d48gf2',
+          'mno_session_recheck'  => Time.now.utc.iso8601,
+          'group_uid'            => 'cld-1',
+          'group_end_free_trial' => Time.now.utc.iso8601,
+          'group_role'           => 'Admin',
+          'uid'                  => "usr-1",
+          'virtual_uid'          => "usr-1.cld-1",
+          'email'                => "j.doe@doecorp.com",
+          'virtual_email'        => "usr-1.cld-1@mail.maestrano.com",
+          'name'                 => "John",
+          "surname"              => "Doe",
+          "country"              => "AU",
+          "company_name"         => "DoeCorp"
+        })
+      end
+  
+      should "have a local_id accessor" do
+        assert Maestrano::SSO::BaseGroup.new(@saml_response).respond_to?(:local_id) == true
+      end
+  
+      should "extract the rights attributes from the saml response" do
+        group = Maestrano::SSO::BaseGroup.new(@saml_response)
+        assert group.uid == @saml_response.attributes['group_uid']
+        assert group.free_trial_end_at == Time.iso8601(@saml_response.attributes['group_end_free_trial'])
+        assert group.company_name == @saml_response.attributes['company_name']
+        assert group.country == @saml_response.attributes['country']
+      end
+  
+      should "have the right hash representation" do
+        sso_group = Maestrano::SSO::BaseGroup.new(@saml_response)
+        assert sso_group.to_hash == {
+          provider: 'maestrano',
+          uid: sso_group.uid,
+          info: {
+            free_trial_end_at: sso_group.free_trial_end_at,
+            company_name: sso_group.company_name,
+            country: sso_group.country,
+          },
+          extra: {}
+        }
+      end
+    end
+  end
+end

data/test/maestrano/sso/base_membership_test.rb

@@ -0,0 +1,45 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class BaseMembershipTest < Test::Unit::TestCase
+      include SamlTestHelper
+  
+      setup do
+        @saml_response = Maestrano::Saml::Response.new(response_document)
+        @saml_response.stubs(:attributes).returns({
+          'mno_session'          => 'f54sd54fd64fs5df4s3d48gf2',
+          'mno_session_recheck'  => Time.now.utc.iso8601,
+          'group_uid'            => 'cld-1',
+          'group_end_free_trial' => Time.now.utc.iso8601,
+          'group_role'           => 'Admin',
+          'uid'                  => "usr-1",
+          'virtual_uid'          => "usr-1.cld-1",
+          'email'                => "j.doe@doecorp.com",
+          'virtual_email'        => "usr-1.cld-1@mail.maestrano.com",
+          'name'                 => "John",
+          "surname"              => "Doe",
+          "country"              => "AU",
+          "company_name"         => "DoeCorp"
+        })
+      end
+  
+      should "extract the rights attributes from the saml response" do
+        membership = Maestrano::SSO::BaseMembership.new(@saml_response)
+        assert membership.group_uid == @saml_response.attributes['group_uid']
+        assert membership.user_uid == @saml_response.attributes['uid']
+        assert membership.role == @saml_response.attributes['group_role']
+      end
+  
+      should "have the right hash representation" do
+        membership = Maestrano::SSO::BaseMembership.new(@saml_response)
+        assert membership.to_hash == {
+          provider: 'maestrano',
+          group_uid: membership.group_uid,
+          user_uid: membership.user_uid,
+          role: membership.role,
+        }
+      end
+    end
+  end
+end

data/test/maestrano/sso/base_user_test.rb

@@ -0,0 +1,114 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class BaseUserTest < Test::Unit::TestCase
+      include SamlTestHelper
+  
+      setup do
+        @saml_response = Maestrano::Saml::Response.new(response_document)
+        @saml_response.stubs(:attributes).returns({
+          'mno_session'          => 'f54sd54fd64fs5df4s3d48gf2',
+          'mno_session_recheck'  => Time.now.utc.iso8601,
+          'group_uid'            => 'cld-1',
+          'group_end_free_trial' => Time.now.utc.iso8601,
+          'group_role'           => 'Admin',
+          'uid'                  => "usr-1",
+          'virtual_uid'          => "usr-1.cld-1",
+          'email'                => "j.doe@doecorp.com",
+          'virtual_email'        => "usr-1.cld-1@mail.maestrano.com",
+          'name'                 => "John",
+          "surname"              => "Doe",
+          "country"              => "AU",
+          "company_name"         => "DoeCorp"
+        })
+      end
+  
+      should "have a local_id accessor" do
+        assert Maestrano::SSO::BaseUser.new(@saml_response).respond_to?(:local_id) == true
+      end
+  
+      should "extract the rights attributes from the saml response" do
+        user = Maestrano::SSO::BaseUser.new(@saml_response)
+        assert user.sso_session == @saml_response.attributes['mno_session']
+        assert user.sso_session_recheck == Time.iso8601(@saml_response.attributes['mno_session_recheck'])
+        assert user.group_uid == @saml_response.attributes['group_uid']
+        assert user.group_role == @saml_response.attributes['group_role']
+        assert user.uid == @saml_response.attributes['uid']
+        assert user.virtual_uid == @saml_response.attributes['virtual_uid']
+        assert user.email == @saml_response.attributes['email']
+        assert user.virtual_email == @saml_response.attributes['virtual_email']
+        assert user.first_name == @saml_response.attributes['name']
+        assert user.last_name == @saml_response.attributes['surname']
+        assert user.country == @saml_response.attributes['country']
+        assert user.company_name == @saml_response.attributes['company_name']
+      end
+  
+      context "to_hash presentation" do
+        should "have the right representation when user_creation_mode is virtual" do
+          Maestrano.configure { |config| config.user_creation_mode = 'virtual' }
+          sso_user = Maestrano::SSO::BaseUser.new(@saml_response)
+          assert_equal sso_user.to_hash, {
+            provider: 'maestrano',
+            uid: sso_user.virtual_uid,
+            info: {
+              email: sso_user.virtual_email,
+              first_name: sso_user.first_name,
+              last_name: sso_user.last_name,
+              country: sso_user.country,
+              company_name: sso_user.company_name,
+            },
+            extra: {
+              uid: sso_user.uid,
+              virtual_uid: sso_user.virtual_uid,
+              real_email: sso_user.email,
+              virtual_email: sso_user.virtual_email,
+              group: {
+                uid: sso_user.group_uid,
+                role: sso_user.group_role
+              },
+              session: {
+                uid: sso_user.uid,
+                token: sso_user.sso_session,
+                recheck: sso_user.sso_session_recheck,
+                group_uid: sso_user.group_uid
+              }
+            }
+          }
+        end
+    
+        should "have the right representation when user_creation_mode is real" do
+          Maestrano.configure { |config| config.user_creation_mode = 'real' }
+          sso_user = Maestrano::SSO::BaseUser.new(@saml_response)
+          assert_equal sso_user.to_hash, {
+            provider: 'maestrano',
+            uid: sso_user.uid,
+            info: {
+              email: sso_user.email,
+              first_name: sso_user.first_name,
+              last_name: sso_user.last_name,
+              country: sso_user.country,
+              company_name: sso_user.company_name,
+            },
+            extra: {
+              uid: sso_user.uid,
+              virtual_uid: sso_user.virtual_uid,
+              real_email: sso_user.email,
+              virtual_email: sso_user.virtual_email,
+              group: {
+                uid: sso_user.group_uid,
+                role: sso_user.group_role,
+              },
+              session: {
+                uid: sso_user.uid,
+                token: sso_user.sso_session,
+                recheck: sso_user.sso_session_recheck,
+                group_uid: sso_user.group_uid
+              }
+            }
+          }
+        end
+      end
+    end
+  end
+end