openlogic-saml-sp 3.1.3

data/spec/saml2/assertion_spec.rb

@@ -0,0 +1,177 @@
+require File.join(File.dirname(__FILE__), '../spec_helper')
+
+describe Saml2::Assertion do 
+  describe "w/ 2 attributes" do 
+    before do 
+      @assertion = Saml2::Assertion.new('http://idp.invalid', 'abcd', 'this' => 'that', 'foo' => 'bar')
+    end
+
+    it "should provide read access for issuer" do 
+      @assertion.issuer.should == 'http://idp.invalid'
+    end
+
+    it "should provide read access to subject name id" do 
+      @assertion.subject_name_id.should == 'abcd'
+    end
+
+    it "should provide read access to attributes ('this')" do 
+      @assertion['this'].should == 'that'
+    end
+
+    it "should provide read access to attributes (:this)" do 
+      @assertion[:this].should == 'that'
+    end
+
+    it "should provide read access to attributes ('foo')" do 
+      @assertion['foo'].should == 'bar'
+    end
+
+    it "should provide read access to attributes (:foo)" do 
+      @assertion[:foo].should == 'bar'
+    end
+  end
+
+  describe "instantiation" do 
+    it 'should be creatable from artifact string' do 
+      mock_artifact = mock('artifact', :resolve => :assertion_marker)
+      Saml2::Type4Artifact.should_receive(:new_from_string).with('artifact_marker').and_return(mock_artifact)
+
+      Saml2::Assertion.new_from_artifact("artifact_marker").should == :assertion_marker
+    end
+
+    it 'should be creatable from a type 4 artifact' do 
+      artifact = Saml2::Type4Artifact.new(0, 'a-source-id', 'http://idp.invalid/')
+      artifact.should_receive(:resolve).and_return(:assertion_marker)
+
+      Saml2::Assertion.new_from_artifact(artifact).should == :assertion_marker
+    end
+  end
+
+  describe "parsing" do 
+    before do 
+      @assertion_xml = <<-XML
+        <SOAP-ENV:Envelope
+            xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+        <SOAP-ENV:Body>
+          <ArtifactResponse
+              ID="_423adb988f2673de74553f9f26ff27eda8af"
+              InResponseTo="_gIPoW.YXQpZj17m.EpboPCp9cT"
+              IssueInstant="2006-11-28T23:07:43.738+00:00"
+              Version="2.0"
+              xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
+            <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
+              https://idp.invalid
+            </ns1:Issuer>
+
+            <Status>
+              <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+            </Status>
+  
+            <Response
+                Destination="https://service_provider/SAMLConsumer"
+                ID="_dcfacebe4f2fca1cbdae749c5f5738995e0"
+                IssueInstant="2006-11-28T23:04:32Z"
+                Version="2.0">
+              <ns2:Issuer
+                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+                  xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
+                https://idp.invalid
+              </ns2:Issuer>
+
+              <Status>
+                <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+              </Status>
+
+              <ns3:Assertion
+                  ID="_1ebc0cd2f88ade6396bccb22fc20a42792c4"
+                  IssueInstant="2006-11-28T23:04:32Z"
+                  Version="2.0"
+                  xmlns:ns3="urn:oasis:names:tc:SAML:2.0:assertion">
+                <ns3:Issuer
+                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
+                  https://idp.invalid
+                </ns3:Issuer>
+
+                <ns3:Subject>
+                  <ns3:NameID
+                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
+                    12345678
+                  </ns3:NameID>
+
+                  <ns3:SubjectConfirmation
+                      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                    <ns3:SubjectConfirmationData
+                        NotOnOrAfter="2006-11-28T23:24:32Z"
+                        Recipient="https://sp.invalid/SAMLConsumer"/>
+                  </ns3:SubjectConfirmation>
+                </ns3:Subject>
+
+                <ns3:Conditions
+                    NotBefore="2006-11-28T22:54:32Z"
+                    NotOnOrAfter="2006-11-28T23:24:32Z">
+                  <ns3:AudienceRestriction>
+                    <ns3:Audience>https://sp.invalid</ns3:Audience>
+                  </ns3:AudienceRestriction>
+                </ns3:Conditions>
+
+                <ns3:AuthnStatement
+                    AuthnInstant="2006-11-28T23:03:14Z"
+                    SessionIndex="MQSnyIps57sm2wRDKP+f9PsY+2A=nFfVrw=="
+                    SessionNotOnOrAfter="2006-11-28T23:24:32Z">
+                  <ns3:AuthnContext>
+                    <ns3:AuthnContextClassRef>
+                      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+                    </ns3:AuthnContextClassRef>
+                  </ns3:AuthnContext>
+                </ns3:AuthnStatement>
+            
+                <ns3:AttributeStatement>
+                  <ns3:Attribute
+                      Name="cn"
+                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+                    <ns3:AttributeValue>Smith, James</ns3:AttributeValue>
+                  </ns3:Attribute>
+            
+                  <ns3:Attribute
+                      Name="email"
+                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+                    <ns3:AttributeValue>james.smith@idp.invalid</ns3:AttributeValue>
+                  </ns3:Attribute>
+            
+                </ns3:AttributeStatement>
+            
+              </ns3:Assertion>
+            </Response>
+          </ArtifactResponse>
+        </SOAP-ENV:Body>
+        </SOAP-ENV:Envelope> 
+      XML
+    end
+
+    def self.it_should_extract(prop, expected_value)
+      eval(<<-EXAMPLE)
+        it "should extract #{prop}" do 
+          Saml2::Assertion.new_from_xml(@assertion_xml).#{prop}.should == #{expected_value.inspect}
+        end
+      EXAMPLE
+    end
+
+    it_should_extract :issuer, 'https://idp.invalid'
+    it_should_extract :subject_name_id, '12345678'
+    
+    it "should extract attributes (cn)" do 
+      Saml2::Assertion.new_from_xml(@assertion_xml)['cn'].should == 'Smith, James'
+    end
+
+    it "should extract attributes (email)" do 
+      Saml2::Assertion.new_from_xml(@assertion_xml)['email'].should == 'james.smith@idp.invalid'
+    end
+  end
+
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/spec/saml2/type4_artifact_spec.rb

@@ -0,0 +1,66 @@
+require File.join(File.dirname(__FILE__), '../spec_helper')
+
+describe Saml2::Type4Artifact do 
+  describe "parsing wrong type" do 
+    it "should raise error" do 
+      lambda {
+        # unencoded artifact: "\000\052\000\030test"
+        Saml2::Type4Artifact.new_from_string "ACoAGHRlc3Q=" 
+      }.should raise_error UnexpectedTypeCodeError
+    end
+
+    it "should have meaningful message" do 
+      lambda {
+        # unencoded artifact: "\000\052\000\030test"
+        Saml2::Type4Artifact.new_from_string "ACoAGHRlc3Q=" 
+      }.should raise_error(/incorrect artifact type.*expected.*4.*found.*42/i)
+    end
+
+  end
+
+  describe "parsing type 4" do 
+    before do
+      # unencoded artifact: "\000\004\000\00001234567890123456789abcdefghijklmnopqrst"
+      @artifact = Saml2::Type4Artifact.new_from_string "AAQAADAxMjM0NTY3ODkwMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3Q=" 
+    end
+
+    it "should know its type code" do 
+      @artifact.type_code.should == 4
+    end
+
+    it "should know its endpoint index" do 
+      @artifact.endpoint_index.should == 0
+    end
+
+    it "should know the source id" do 
+      @artifact.source_id.should == '01234567890123456789'
+    end
+
+    it "should know the message handle" do 
+      @artifact.message_handle.should == 'abcdefghijklmnopqrst'
+    end
+  end
+
+  describe "simple artifact" do 
+    before do 
+      @resolver = Saml2::ArtifactResolver.new('01234567890123456789', 'http://idp.invalid/artifact-resolver', 'http://idp.invalid/', 'http://sp.invalid/')
+
+      @artifact = Saml2::Type4Artifact.new(0, '01234567890123456789', 'abcdefghijklmnopqrst')
+    end
+
+    it "should be able to render itself to a string" do 
+      @artifact.to_s.should == "AAQAADAxMjM0NTY3ODkwMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3Q=" 
+    end
+
+    it "should be able to resolve itself" do 
+      @resolver.should_receive(:resolve).with(@artifact).and_return(:assertion_marker)
+      @artifact.resolve.should == :assertion_marker
+    end
+  end
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/spec/saml_sp/config_spec.rb

@@ -0,0 +1,299 @@
+require File.join(File.dirname(__FILE__), '../spec_helper')
+require 'tempfile'
+
+describe SamlSp::Config do 
+  before do 
+    @dsl = SamlSp::Config.new
+  end
+
+  describe "loading from file" do
+    before do 
+      @source_id = Time.now.xmlschema(10)
+
+      @tmpfile = Tempfile.open('saml-sp-config') 
+      @tmpfile << <<-CONFIG
+          artifact_resolution_service {
+            source_id         "#{@source_id}"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+          }
+        CONFIG
+      @tmpfile.flush
+    end
+
+    after do 
+      @tmpfile.close!
+    end
+
+    it "should build resolver" do 
+      SamlSp::Config.load_file(@tmpfile.path)
+
+      Saml2::ArtifactResolver(@source_id).should be_kind_of(Saml2::ArtifactResolver)
+    end
+  end
+
+  describe "global log configuration" do 
+    before do 
+      @orig_logger = SamlSp.logger
+      @dsl = SamlSp::Config.new
+      @resolver = @dsl.interpret(<<-CONFIG)
+          logger :MARKER
+        CONFIG
+    end
+    
+    it "should set SamlSp.logger correctly" do 
+      SamlSp.logger.should == :MARKER
+    end
+
+    after do 
+      SamlSp.logger = @orig_logger
+    end
+  end
+
+  describe "valid basic auth'd service description" do 
+    before do 
+      @dsl = SamlSp::Config.new
+      @resolver = @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+
+            http_basic_auth {
+              realm    "myssorealm"
+              user_id  "myuserid"
+              password "mypassword"
+            }
+          }
+        CONFIG
+    end
+    
+    it "should build a resolver" do 
+      @resolver.should be_kind_of(Saml2::ArtifactResolver)
+    end
+    
+    it "should build a resolver with correct source id" do 
+      @resolver.source_id.should == '01234567890123456789'
+    end
+    
+    it "should build a resolver with correct service uri" do 
+      @resolver.resolution_service_uri.to_s.should == "http://idp.invalid/resolve-artifacts"
+    end
+
+    it "should build a resolver with correct identity provider id" do 
+      @resolver.idp_id.should == "http://idp.invalid/"
+    end
+
+    it "should build a resolver with correct service provider id" do 
+      @resolver.sp_id.should == "http://sp.invalid/"
+    end
+    
+    it "should build a resolver with correct realm" do 
+      @resolver.basic_auth_realm.should == 'myssorealm'
+    end
+      
+    it "should build a resolver with correct user id" do 
+      @resolver.basic_auth_user_id.should == 'myuserid'
+    end
+    
+    it "should build a resolver with correct password" do 
+      @resolver.basic_auth_password.should == 'mypassword'
+      end
+  end
+
+  describe "valid basic promiscuous auth'd service description" do 
+    before do 
+      @dsl = SamlSp::Config.new
+      @resolver = @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+
+            http_basic_auth {
+              promiscuous
+              user_id  "myuserid"
+              password "mypassword"
+            }
+          }
+        CONFIG
+    end
+    
+    it "should build a resolver" do 
+      @resolver.should be_kind_of(Saml2::ArtifactResolver)
+    end
+    
+      it "should build a resolver with correct source id" do 
+      @resolver.source_id.should == '01234567890123456789'
+    end
+    
+    it "should build a resolver with correct service uri" do 
+      @resolver.resolution_service_uri.to_s.should == "http://idp.invalid/resolve-artifacts"
+    end
+
+    it "should build a resolver with correct identity provider id" do 
+      @resolver.idp_id.should == "http://idp.invalid/"
+    end
+
+    it "should build a resolver with correct service provider id" do 
+      @resolver.sp_id.should == "http://sp.invalid/"
+    end
+    
+    it "should build a resolver with correct realm" do 
+      @resolver.basic_auth_realm.should be_nil
+    end
+      
+    it "should build a resolver with correct user id" do 
+      @resolver.basic_auth_user_id.should == 'myuserid'
+    end
+    
+    it "should build a resolver with correct password" do 
+      @resolver.basic_auth_password.should == 'mypassword'
+      end
+  end
+  
+  describe "valid non-auth service description" do 
+    before do 
+      @dsl = SamlSp::Config.new
+      @resolver = @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+          }
+        CONFIG
+    end
+    
+    it "should build a resolver" do 
+      @resolver.should be_kind_of(Saml2::ArtifactResolver)
+    end
+    
+    it "should build a resolver with correct source id" do 
+      @resolver.source_id.should == '01234567890123456789'
+    end
+    
+    it "should build a resolver with correct service uri" do 
+        @resolver.resolution_service_uri.to_s.should == "http://idp.invalid/resolve-artifacts"
+    end
+    
+    it "should build a resolver with correct identity provider id" do 
+      @resolver.idp_id.should == "http://idp.invalid/"
+    end
+
+    it "should build a resolver with correct service provider id" do 
+      @resolver.sp_id.should == "http://sp.invalid/"
+    end
+
+    it "should build a resolver with correct realm" do 
+      @resolver.basic_auth_realm.should == nil
+    end
+    
+    it "should build a resolver with correct user id" do 
+      @resolver.basic_auth_user_id.should == nil
+    end
+    
+    it "should build a resolver with correct password" do 
+      @resolver.basic_auth_password.should == nil
+    end
+  end
+
+  it "should raise error on missing source_id" do  
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing uri" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing issuer" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id "01234567890123456789"
+            uri       "http://idp.invalid/resolve-artifacts"
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing basic auth realm" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+
+            http_basic_auth {
+              user_id  "myuserid"
+              password "mypassword"
+            }
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing basic auth user id" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+
+            http_basic_auth {
+              realm    "myssorealm"
+              password "mypassword"
+            }
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing basic auth password" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          artifact_resolution_service {
+            source_id         "01234567890123456789"
+            uri               "http://idp.invalid/resolve-artifacts"
+            identity_provider "http://idp.invalid/"
+            service_provider  "http://sp.invalid/"
+
+            http_basic_auth {
+              realm    "myssorealm"
+              user_id  "myuserid"
+            }
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+