maestrano-ruby-test 0.8.3

data/test/maestrano/sso/group_test.rb

@@ -0,0 +1,47 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class GroupTest < Test::Unit::TestCase
+      setup do
+        @group = mock('group')
+        class << @group
+          include Maestrano::SSO::Group
+        end
+      end
+  
+      context "find_for_maestrano_auth" do
+        should "raise an error if not overriden" do
+          assert_raise(NoMethodError.new("You need to override find_for_maestrano_auth in your Mocha::Mock model")) do
+            @group.find_for_maestrano_auth({})
+          end
+        end
+    
+        should "execute properly otherwise" do
+          def @group.find_for_maestrano_auth(auth); return true; end
+          assert_nothing_thrown do
+            @group.find_for_maestrano_auth({})
+          end
+        end
+      end
+  
+      context "maestrano?" do
+        should "raise an error if no provider attribute and not overriden" do
+          assert_raise(NoMethodError.new("You need to override maestrano? in your Mocha::Mock model")) do
+            @group.maestrano?
+          end
+        end
+    
+        should "return true if the provider is 'maestrano'" do
+          @group.stubs(:provider).returns('maestrano')
+          assert @group.maestrano?
+        end
+    
+        should "return false if the provider is something else" do
+          @group.stubs(:provider).returns('someprovider')
+          assert !@group.maestrano?
+        end
+      end
+    end
+  end
+end

data/test/maestrano/sso/session_test.rb

@@ -0,0 +1,161 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class SessionTest < Test::Unit::TestCase
+      setup do
+        @mno_session = {
+          uid: 'usr-1',
+          session: 'g4dfg4fdg8378d6acf45',
+          session_recheck: Time.now.utc.iso8601,
+          group_uid: 'cld-2'
+        }
+        @session = {
+          maestrano: Base64.encode64(@mno_session.to_json)
+        }
+      end
+  
+      should "initialize the sso session properly" do
+        sso_session = Maestrano::SSO::Session.new(@session)
+        assert_equal sso_session.uid, @mno_session[:uid]
+        assert_equal sso_session.session_token, @mno_session[:session]
+        assert_equal sso_session.recheck, Time.iso8601(@mno_session[:session_recheck])
+        assert_equal sso_session.group_uid, @mno_session[:group_uid]
+      end
+      
+      context "from_user_auth_hash" do
+        should "set the session correctly" do
+          sso_session = {}
+          auth = {
+            extra: {
+              session: {
+                uid: 'usr-1',
+                token: '15fg6d',
+                recheck: Time.now,
+                group_uid: 'cld-3'
+              }
+            }
+          }
+          sso_session = Maestrano::SSO::Session.from_user_auth_hash(@session,auth)
+          assert_equal sso_session.uid, auth[:extra][:session][:uid]
+          assert_equal sso_session.session_token, auth[:extra][:session][:token]
+          assert_equal sso_session.recheck.utc.iso8601, auth[:extra][:session][:recheck].utc.iso8601
+          assert_equal sso_session.group_uid, auth[:extra][:session][:group_uid]
+        end
+      end
+      
+      
+      context "remote_check_required?" do
+        setup do
+          @sso_session = Maestrano::SSO::Session.new(@session)
+        end
+  
+        should "should return true if uid is missing" do
+          @sso_session.uid = nil
+          assert @sso_session.remote_check_required?
+        end
+    
+        should "should return true if session_token is missing" do
+          @sso_session.session_token = nil
+          assert @sso_session.remote_check_required?
+        end
+    
+        should "should return true if recheck is missing" do
+          @sso_session.recheck = nil
+          assert @sso_session.remote_check_required?
+        end
+    
+        should "return true if now is after recheck" do
+          Timecop.freeze(@sso_session.recheck + 60) do
+            assert @sso_session.remote_check_required?
+          end
+        end
+    
+        should "return false if now is before recheck" do
+          Timecop.freeze(@sso_session.recheck - 60) do
+            assert !@sso_session.remote_check_required?
+          end
+        end
+      end
+  
+      context "perform_remote_check" do
+        setup do
+          @sso_session = Maestrano::SSO::Session.new(@session)
+        end
+  
+        should "update the session recheck and return true if valid" do
+          recheck = @sso_session.recheck + 600
+          RestClient.stubs(:get).returns({'valid' => true, 'recheck' => recheck.utc.iso8601 }.to_json)
+          assert @sso_session.perform_remote_check
+          assert_equal @sso_session.recheck, recheck
+        end
+    
+        should "leave the session recheck unchanged and return false if invalid" do
+          recheck = @sso_session.recheck
+          RestClient.stubs(:get).returns({'valid' => false, 'recheck' => (recheck + 600).utc.iso8601 }.to_json)
+          assert !@sso_session.perform_remote_check
+          assert_equal @sso_session.recheck, recheck
+        end
+      end
+  
+      context "valid?" do
+        setup do
+          @sso_session = Maestrano::SSO::Session.new(@session)
+          Maestrano.configure { |c| c.sso.slo_enabled = true }
+        end
+        
+        should "return true if Single Logout is disabled" do
+          Maestrano.configure { |c| c.sso.slo_enabled = false }
+          @sso_session.stubs(:remote_check_required?).returns(true)
+          @sso_session.stubs(:perform_remote_check).returns(false)
+          assert @sso_session.valid?
+        end
+
+        should "return true if_session is enabled and session is nil" do
+          sso_session = Maestrano::SSO::Session.new(nil)
+          assert sso_session.valid?(if_session: true)
+        end
+        
+        should "return true if_session is enabled and session is empty" do
+          sso_session = Maestrano::SSO::Session.new({})
+          assert sso_session.valid?(if_session: true)
+        end
+  
+        should "return true if no remote_check_required?" do
+          @sso_session.stubs(:remote_check_required?).returns(false)
+          assert @sso_session.valid?
+          assert @sso_session.valid?(if_session: true)
+        end
+    
+        should "return true if remote_check_required? and valid" do
+          @sso_session.stubs(:remote_check_required?).returns(true)
+          @sso_session.stubs(:perform_remote_check).returns(true)
+          assert @sso_session.valid?
+          assert @sso_session.valid?(if_session: true)
+        end
+    
+        should "update maestrano session with recheck timestamp if remote_check_required? and valid" do
+          recheck = (@sso_session.recheck + 600)
+          @sso_session.recheck = recheck
+          @sso_session.stubs(:remote_check_required?).returns(true)
+          @sso_session.stubs(:perform_remote_check).returns(true)
+          @sso_session.valid?
+          assert_equal JSON.parse(Base64.decode64(@session[:maestrano]))['session_recheck'], recheck.utc.iso8601
+        end
+    
+        should "return false if remote_check_required? and invalid" do
+          @sso_session.stubs(:remote_check_required?).returns(true)
+          @sso_session.stubs(:perform_remote_check).returns(false)
+          assert_false @sso_session.valid?
+          assert_false @sso_session.valid?(if_session: true)
+        end
+        
+        should "return false if internal session is nil" do
+          sso_session = Maestrano::SSO::Session.new(nil)
+          assert_false @sso_session.valid?
+        end
+      end
+  
+    end
+  end
+end

data/test/maestrano/sso/user_test.rb

@@ -0,0 +1,65 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module SSO
+    class UserTest < Test::Unit::TestCase
+      setup do
+        @user = mock('user')
+        class << @user
+          include Maestrano::SSO::User
+        end
+      end
+  
+      context "find_for_maestrano_auth" do
+        should "raise an error if not overriden" do
+          assert_raise(NoMethodError.new("You need to override find_for_maestrano_auth in your Mocha::Mock model")) do
+            @user.find_for_maestrano_auth({})
+          end
+        end
+    
+        should "execute properly otherwise" do
+          def @user.find_for_maestrano_auth(auth); return true; end
+          assert_nothing_thrown do
+            @user.find_for_maestrano_auth({})
+          end
+        end
+      end
+  
+      context "maestrano?" do
+        should "raise an error if no provider attribute and not overriden" do
+          assert_raise(NoMethodError.new("You need to override maestrano? in your Mocha::Mock model")) do
+            @user.maestrano?
+          end
+        end
+    
+        should "return true if the provider is 'maestrano'" do
+          @user.stubs(:provider).returns('maestrano')
+          assert @user.maestrano?
+        end
+    
+        should "return false if the provider is something else" do
+          @user.stubs(:provider).returns('someprovider')
+          assert !@user.maestrano?
+        end
+      end
+  
+      context "maestrano_session_valid?" do
+        should "return true if the sso session is valid" do
+          session = {}
+          sso_session = mock('sso_session')
+          Maestrano::SSO::Session.stubs(:new).with(session).returns(sso_session)
+          sso_session.stubs(:valid?).returns(true)
+          assert @user.maestrano_session_valid?(session)
+        end
+    
+        should "return false if the sso session is invalid" do
+          session = {}
+          sso_session = mock('sso_session')
+          Maestrano::SSO::Session.stubs(:new).with(session).returns(sso_session)
+          sso_session.stubs(:valid?).returns(false)
+          assert !@user.maestrano_session_valid?(session)
+        end
+      end
+    end
+  end
+end

data/test/maestrano/sso_test.rb

@@ -0,0 +1,105 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+module Maestrano
+  class SSOTest < Test::Unit::TestCase
+    include SamlTestHelper
+  
+    setup do
+      Maestrano.config = nil
+      Maestrano.configure { |config| config.environment = 'production' }
+    end
+  
+    should "return the right init_url" do
+      assert Maestrano::SSO.init_url == "http://localhost:3000/maestrano/auth/saml/init"
+    end
+  
+    should "return the right consume_url" do
+      assert Maestrano::SSO.consume_url == "http://localhost:3000/maestrano/auth/saml/consume"
+    end
+  
+    should "return the right logout_url" do
+      assert Maestrano::SSO.logout_url == "https://maestrano.com/app_logout"
+    end
+  
+    should "return the right unauthorized_url" do
+      assert Maestrano::SSO.unauthorized_url == "https://maestrano.com/app_access_unauthorized"
+    end
+  
+    should "return the right idp_url" do
+      assert Maestrano::SSO.idp_url == "https://maestrano.com/api/v1/auth/saml"
+    end
+  
+    should "return the right session_check_url" do
+      assert Maestrano::SSO.session_check_url('usr-1','f9ds8fdg7f89') == "https://maestrano.com/api/v1/auth/saml/usr-1?session=f9ds8fdg7f89"
+    end
+  
+    should "return the right enabled parameter" do
+      assert Maestrano::SSO.enabled? == !!Maestrano.param('sso.enabled')
+    end
+  
+    should "return the right saml_settings" do
+      settings = Maestrano::SSO.saml_settings
+      assert settings.assertion_consumer_service_url == Maestrano::SSO.consume_url
+      assert settings.issuer == Maestrano.param('api.id')
+      assert settings.idp_sso_target_url == Maestrano::SSO.idp_url
+      assert settings.idp_cert_fingerprint == Maestrano.param('sso_x509_fingerprint')
+      assert settings.name_identifier_format == Maestrano.param('sso_name_id_format')
+    end
+  
+    should "build the right saml request" do
+      request = mock('request')
+      Maestrano::Saml::Request.stubs(:new).with(group_id: "cld-3").returns(request)
+      assert Maestrano::SSO.build_request(group_id: "cld-3") == request
+    end
+  
+    should "build the right saml response" do
+      response = mock('response')
+      Maestrano::Saml::Response.stubs(:new).with(response_document).returns(response)
+      response = Maestrano::SSO.build_response(response_document)
+      assert Maestrano::SSO.build_response(response_document) == response
+    end
+    
+    context "session management" do
+      setup do
+        @session = {}
+        @auth = {
+          extra: {
+            session: {
+              uid: 'usr-1',
+              token: '15fg6d',
+              recheck: Time.now,
+              group_uid: 'cld-3'
+            }
+          }
+        }
+      end
+    
+      should "set the session correctly" do
+        Maestrano::SSO.set_session(@session,@auth)
+        decrypt_session = JSON.parse(Base64.decode64(@session[:maestrano]))
+        assert_equal decrypt_session['uid'], @auth[:extra][:session][:uid]
+        assert_equal decrypt_session['session'], @auth[:extra][:session][:token]
+        assert_equal decrypt_session['session_recheck'], @auth[:extra][:session][:recheck].utc.iso8601
+        assert_equal decrypt_session['group_uid'], @auth[:extra][:session][:group_uid]
+      end
+      
+      should "unset the session correctly" do
+        Maestrano::SSO.set_session(@session,@auth)
+        Maestrano::SSO.clear_session(@session)
+        assert @session[:maestrano].nil?
+      end
+      
+      should "unset the session if key is a string" do
+        @session['maestrano'] = "bla"
+        Maestrano::SSO.clear_session(@session)
+        assert @session["maestrano"].nil?
+      end
+      
+      should "alias clear_session as unset_session" do
+        Maestrano::SSO.set_session(@session,@auth)
+        Maestrano::SSO.unset_session(@session)
+        assert @session[:maestrano].nil?
+      end
+    end
+  end
+end

data/test/maestrano/xml_security/signed_document.rb

@@ -0,0 +1,163 @@
+require File.expand_path('../../../test_helper', __FILE__)
+
+module Maestrano
+  module XMLSecurity
+    class XmlSecurityTest < Test::Unit::TestCase
+      include XMLSecurity
+
+      context "XmlSecurity" do
+        setup do
+          @document = Maestrano::XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+          @base64cert = @document.elements["//ds:X509Certificate"].text
+        end
+
+        should "should run validate without throwing NS related exceptions" do
+          assert !@document.validate_signature(@base64cert, true)
+        end
+
+        should "should run validate with throwing NS related exceptions" do
+          assert_raise(Maestrano::Saml::ValidationError) do
+            @document.validate_signature(@base64cert, false)
+          end
+        end
+
+        should "not raise an error when softly validating the document multiple times" do
+          assert_nothing_raised do
+            2.times { @document.validate_signature(@base64cert, true) }
+          end
+        end
+
+        should "should raise Fingerprint mismatch" do
+          exception = assert_raise(Maestrano::Saml::ValidationError) do
+            @document.validate_document("no:fi:ng:er:pr:in:t", false)
+          end
+          assert_equal("Fingerprint mismatch", exception.message)
+        end
+
+        should "should raise Digest mismatch" do
+          exception = assert_raise(Maestrano::Saml::ValidationError) do
+            @document.validate_signature(@base64cert, false)
+          end
+          assert_equal("Digest mismatch", exception.message)
+        end
+
+        should "should raise Key validation error" do
+          response = Base64.decode64(response_document)
+          response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+                        "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
+          document = Maestrano::XMLSecurity::SignedDocument.new(response)
+          base64cert = document.elements["//ds:X509Certificate"].text
+          exception = assert_raise(Maestrano::Saml::ValidationError) do
+            document.validate_signature(base64cert, false)
+          end
+          assert_equal("Key validation error", exception.message)
+        end
+
+        should "raise validation error when the X509Certificate is missing" do
+          response = Base64.decode64(response_document)
+          response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+          document = Maestrano::XMLSecurity::SignedDocument.new(response)
+          exception = assert_raise(Maestrano::Saml::ValidationError) do
+            document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
+          end
+          assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+        end
+      end
+
+      context "Algorithms" do
+        should "validate using SHA1" do
+          @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+          assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+        end
+
+        should "validate using SHA256" do
+          @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+          assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+        end
+
+        should "validate using SHA384" do
+          @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+          assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+        end
+
+        should "validate using SHA512" do
+          @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+          assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+        end
+      end
+
+      context "XmlSecurity::SignedDocument" do
+
+        context "#extract_inclusive_namespaces" do
+          should "support explicit namespace resolution for exclusive canonicalization" do
+            response = fixture(:open_saml_response, false)
+            document = Maestrano::XMLSecurity::SignedDocument.new(response)
+            inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+            assert_equal %w[ xs ], inclusive_namespaces
+          end
+
+          should "support implicit namespace resolution for exclusive canonicalization" do
+            response = fixture(:no_signature_ns, false)
+            document = Maestrano::XMLSecurity::SignedDocument.new(response)
+            inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+            assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+          end
+
+          should_eventually 'support inclusive canonicalization' do
+
+            response = Maestrano::Saml::Response.new(fixture("tdnf_response.xml"))
+            response.stubs(:conditions).returns(nil)
+            assert !response.is_valid?
+            settings = Maestrano::Saml::Settings.new
+            assert !response.is_valid?
+            response.settings = settings
+            assert !response.is_valid?
+            settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
+            assert response.validate!
+          end
+
+          should "return an empty list when inclusive namespace element is missing" do
+            response = fixture(:no_signature_ns, false)
+            response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+
+            document = Maestrano::XMLSecurity::SignedDocument.new(response)
+            inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+            assert inclusive_namespaces.empty?
+          end
+        end
+
+        context "StarfieldTMS" do
+          setup do
+            @response = Maestrano::Saml::Response.new(fixture(:starfield_response))
+            @response.settings = Maestrano::Saml::Settings.new(
+                                                              :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
+                                                              )
+          end
+
+          should "be able to validate a good response" do
+            Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
+              assert @response.validate!
+            end
+          end
+
+          should "fail before response is valid" do
+            Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
+              assert ! @response.is_valid?
+            end
+          end
+
+          should "fail after response expires" do
+            Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
+              assert ! @response.is_valid?
+            end
+          end
+        end
+
+      end
+
+    end
+  end
+end