pelle-ruby-openid 2.1.8

data/test/test_associationmanager.rb

@@ -0,0 +1,917 @@
+require "openid/consumer/associationmanager"
+require "openid/association"
+require "openid/dh"
+require "openid/util"
+require "openid/cryptutil"
+require "openid/message"
+require "openid/store/memory"
+require "test/unit"
+require "util"
+require "time"
+
+module OpenID
+  class DHAssocSessionTest < Test::Unit::TestCase
+    def test_sha1_get_request
+      # Initialized without an explicit DH gets defaults
+      sess = Consumer::DiffieHellmanSHA1Session.new
+      assert_equal(['dh_consumer_public'], sess.get_request.keys)
+      assert_nothing_raised do
+        Util::from_base64(sess.get_request['dh_consumer_public'])
+      end
+    end
+
+    def test_sha1_get_request_custom_dh
+      dh = DiffieHellman.new(1299721, 2)
+      sess = Consumer::DiffieHellmanSHA1Session.new(dh)
+      req = sess.get_request
+      assert_equal(['dh_consumer_public', 'dh_modulus', 'dh_gen'].sort,
+                   req.keys.sort)
+      assert_equal(dh.modulus, CryptUtil.base64_to_num(req['dh_modulus']))
+      assert_equal(dh.generator, CryptUtil.base64_to_num(req['dh_gen']))
+      assert_nothing_raised do
+        Util::from_base64(req['dh_consumer_public'])
+      end
+    end
+  end
+
+  module TestDiffieHellmanResponseParametersMixin
+    def setup
+      session_cls = self.class.session_cls
+
+      # Pre-compute DH with small prime so tests run quickly.
+      @server_dh = DiffieHellman.new(100389557, 2)
+      @consumer_dh = DiffieHellman.new(100389557, 2)
+
+      # base64(btwoc(g ^ xb mod p))
+      @dh_server_public = CryptUtil.num_to_base64(@server_dh.public)
+
+      @secret = CryptUtil.random_string(session_cls.secret_size)
+
+      enc_mac_key_unencoded =
+        @server_dh.xor_secret(session_cls.hashfunc,
+                              @consumer_dh.public,
+                              @secret)
+
+      @enc_mac_key = Util.to_base64(enc_mac_key_unencoded)
+
+      @consumer_session = session_cls.new(@consumer_dh)
+
+      @msg = Message.new(self.class.message_namespace)
+    end
+
+    def test_extract_secret
+      @msg.set_arg(OPENID_NS, 'dh_server_public', @dh_server_public)
+      @msg.set_arg(OPENID_NS, 'enc_mac_key', @enc_mac_key)
+
+      extracted = @consumer_session.extract_secret(@msg)
+      assert_equal(extracted, @secret)
+    end
+
+    def test_absent_serve_public
+      @msg.set_arg(OPENID_NS, 'enc_mac_key', @enc_mac_key)
+
+      assert_raises(Message::KeyNotFound) {
+        @consumer_session.extract_secret(@msg)
+      }
+    end
+
+    def test_absent_mac_key
+      @msg.set_arg(OPENID_NS, 'dh_server_public', @dh_server_public)
+
+      assert_raises(Message::KeyNotFound) {
+        @consumer_session.extract_secret(@msg)
+      }
+    end
+
+    def test_invalid_base64_public
+      @msg.set_arg(OPENID_NS, 'dh_server_public', 'n o t b a s e 6 4.')
+      @msg.set_arg(OPENID_NS, 'enc_mac_key', @enc_mac_key)
+
+      assert_raises(ArgumentError) {
+        @consumer_session.extract_secret(@msg)
+      }
+    end
+
+    def test_invalid_base64_mac_key
+      @msg.set_arg(OPENID_NS, 'dh_server_public', @dh_server_public)
+      @msg.set_arg(OPENID_NS, 'enc_mac_key', 'n o t base 64')
+
+      assert_raises(ArgumentError) {
+        @consumer_session.extract_secret(@msg)
+      }
+    end
+  end
+
+  class TestConsumerOpenID1DHSHA1 < Test::Unit::TestCase
+    include TestDiffieHellmanResponseParametersMixin
+    class << self
+      attr_reader :session_cls, :message_namespace
+    end
+
+    @session_cls = Consumer::DiffieHellmanSHA1Session
+    @message_namespace = OPENID1_NS
+  end
+
+  class TestConsumerOpenID2DHSHA1 < Test::Unit::TestCase
+    include TestDiffieHellmanResponseParametersMixin
+    class << self
+      attr_reader :session_cls, :message_namespace
+    end
+
+    @session_cls = Consumer::DiffieHellmanSHA1Session
+    @message_namespace = OPENID2_NS
+  end
+
+  class TestConsumerOpenID2DHSHA256 < Test::Unit::TestCase
+    include TestDiffieHellmanResponseParametersMixin
+    class << self
+      attr_reader :session_cls, :message_namespace
+    end
+
+    @session_cls = Consumer::DiffieHellmanSHA256Session
+    @message_namespace = OPENID2_NS
+  end
+
+  class TestConsumerNoEncryptionSession < Test::Unit::TestCase
+    def setup
+      @sess = Consumer::NoEncryptionSession.new
+    end
+
+    def test_empty_request
+      assert_equal(@sess.get_request, {})
+    end
+
+    def test_get_secret
+      secret = 'shhh!' * 4
+      mac_key = Util.to_base64(secret)
+      msg = Message.from_openid_args({'mac_key' => mac_key})
+      assert_equal(secret, @sess.extract_secret(msg))
+    end
+  end
+
+  class TestCreateAssociationRequest < Test::Unit::TestCase
+    def setup
+      @server_url = 'http://invalid/'
+      @assoc_manager = Consumer::AssociationManager.new(nil, @server_url)
+      class << @assoc_manager
+        def compatibility_mode=(val)
+            @compatibility_mode = val
+        end
+      end
+      @assoc_type = 'HMAC-SHA1'
+    end
+
+    def test_no_encryption_sends_type
+      session_type = 'no-encryption'
+      session, args = @assoc_manager.send(:create_associate_request,
+                                          @assoc_type,
+                                          session_type)
+
+      assert(session.is_a?(Consumer::NoEncryptionSession))
+      expected = Message.from_openid_args(
+            {'ns' => OPENID2_NS,
+             'session_type' => session_type,
+             'mode' => 'associate',
+             'assoc_type' => @assoc_type,
+             })
+
+      assert_equal(expected, args)
+    end
+
+    def test_no_encryption_compatibility
+      @assoc_manager.compatibility_mode = true
+      session_type = 'no-encryption'
+      session, args = @assoc_manager.send(:create_associate_request,
+                                          @assoc_type,
+                                          session_type)
+
+      assert(session.is_a?(Consumer::NoEncryptionSession))
+      assert_equal(Message.from_openid_args({'mode' => 'associate',
+                                              'assoc_type' => @assoc_type,
+                                            }), args)
+    end
+
+    def test_dh_sha1_compatibility
+      @assoc_manager.compatibility_mode = true
+      session_type = 'DH-SHA1'
+      session, args = @assoc_manager.send(:create_associate_request,
+                                          @assoc_type,
+                                          session_type)
+
+
+      assert(session.is_a?(Consumer::DiffieHellmanSHA1Session))
+
+      # This is a random base-64 value, so just check that it's
+      # present.
+      assert_not_nil(args.get_arg(OPENID1_NS, 'dh_consumer_public'))
+      args.del_arg(OPENID1_NS, 'dh_consumer_public')
+
+      # OK, session_type is set here and not for no-encryption
+      # compatibility
+      expected = Message.from_openid_args({'mode' => 'associate',
+                                            'session_type' => 'DH-SHA1',
+                                            'assoc_type' => @assoc_type,
+                                          })
+      assert_equal(expected, args)
+    end
+  end
+
+  class TestAssociationManagerExpiresIn < Test::Unit::TestCase
+    def expires_in_msg(val)
+      msg = Message.from_openid_args({'expires_in' => val})
+      Consumer::AssociationManager.extract_expires_in(msg)
+    end
+
+    def test_parse_fail
+      ['',
+       '-2',
+       ' 1',
+       ' ',
+       '0x00',
+       'foosball',
+       '1\n',
+       '100,000,000,000',
+      ].each do |x|
+        assert_raises(ProtocolError) {expires_in_msg(x)}
+      end
+    end
+
+    def test_parse
+      ['0',
+       '1',
+       '1000',
+       '9999999',
+       '01',
+      ].each do |n|
+        assert_equal(n.to_i, expires_in_msg(n))
+      end
+    end
+  end
+
+  class TestAssociationManagerCreateSession < Test::Unit::TestCase
+    def test_invalid
+      assert_raises(ArgumentError) {
+        Consumer::AssociationManager.create_session('monkeys')
+      }
+    end
+
+    def test_sha256
+      sess = Consumer::AssociationManager.create_session('DH-SHA256')
+      assert(sess.is_a?(Consumer::DiffieHellmanSHA256Session))
+    end
+  end
+
+  module NegotiationTestMixin
+    include TestUtil
+    def mk_message(args)
+      args['ns'] = @openid_ns
+      Message.from_openid_args(args)
+    end
+
+    def call_negotiate(responses, negotiator=nil)
+      store = nil
+      compat = self.class::Compat
+      assoc_manager = Consumer::AssociationManager.new(store, @server_url,
+                                                       compat, negotiator)
+      class << assoc_manager
+        attr_accessor :responses
+
+        def request_association(assoc_type, session_type)
+          m = @responses.shift
+          if m.is_a?(Message)
+            raise ServerError.from_message(m)
+          else
+            return m
+          end
+        end
+      end
+      assoc_manager.responses = responses
+      assoc_manager.negotiate_association
+    end
+  end
+
+  # Test the session type negotiation behavior of an OpenID 2
+  # consumer.
+  class TestOpenID2SessionNegotiation < Test::Unit::TestCase
+    include NegotiationTestMixin
+
+    Compat = false
+
+    def setup
+      @server_url = 'http://invalid/'
+      @openid_ns = OPENID2_NS
+    end
+
+    # Test the case where the response to an associate request is a
+    # server error or is otherwise undecipherable.
+    def test_bad_response
+      assert_log_matches('Server error when requesting an association') {
+        assert_equal(call_negotiate([mk_message({})]), nil)
+      }
+    end
+
+    # Test the case where the association type (assoc_type) returned
+    # in an unsupported-type response is absent.
+    def test_empty_assoc_type
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'session_type' => 'new-session-type',
+                       })
+
+      assert_log_matches('Unsupported association type',
+                         "Server #{@server_url} responded with unsupported "\
+                         "association session but did not supply a fallback."
+                         ) {
+        assert_equal(call_negotiate([msg]), nil)
+      }
+
+    end
+
+    # Test the case where the session type (session_type) returned
+    # in an unsupported-type response is absent.
+    def test_empty_session_type
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'new-assoc-type',
+                       })
+
+      assert_log_matches('Unsupported association type',
+                         "Server #{@server_url} responded with unsupported "\
+                         "association session but did not supply a fallback."
+                         ) {
+        assert_equal(call_negotiate([msg]), nil)
+      }
+    end
+
+    # Test the case where an unsupported-type response specifies a
+    # preferred (assoc_type, session_type) combination that is not
+    # allowed by the consumer's SessionNegotiator.
+    def test_not_allowed
+      negotiator = AssociationNegotiator.new([])
+      negotiator.instance_eval{
+        @allowed_types = [['assoc_bogus', 'session_bogus']]
+      }
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'not-allowed',
+                         'session_type' => 'not-allowed',
+                       })
+
+      assert_log_matches('Unsupported association type',
+                         'Server sent unsupported session/association type:') {
+        assert_equal(call_negotiate([msg], negotiator), nil)
+      }
+    end
+
+    # Test the case where an unsupported-type response triggers a
+    # retry to get an association with the new preferred type.
+    def test_unsupported_with_retry
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'HMAC-SHA1',
+                         'session_type' => 'DH-SHA1',
+                       })
+
+      assoc = Association.new('handle', 'secret', Time.now, 10000, 'HMAC-SHA1')
+
+      assert_log_matches('Unsupported association type') {
+        assert_equal(assoc, call_negotiate([msg, assoc]))
+      }
+    end
+
+    # Test the case where an unsupported-typ response triggers a
+    # retry, but the retry fails and nil is returned instead.
+    def test_unsupported_with_retry_and_fail
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'HMAC-SHA1',
+                         'session_type' => 'DH-SHA1',
+                       })
+
+      assert_log_matches('Unsupported association type',
+                         "Server #{@server_url} refused") {
+        assert_equal(call_negotiate([msg, msg]), nil)
+      }
+    end
+
+    # Test the valid case, wherein an association is returned on the
+    # first attempt to get one.
+    def test_valid
+      assoc = Association.new('handle', 'secret', Time.now, 10000, 'HMAC-SHA1')
+
+      assert_log_matches() {
+        assert_equal(call_negotiate([assoc]), assoc)
+      }
+    end
+  end
+
+
+  # Tests for the OpenID 1 consumer association session behavior.  See
+  # the docs for TestOpenID2SessionNegotiation.  Notice that this
+  # class is not a subclass of the OpenID 2 tests.  Instead, it uses
+  # many of the same inputs but inspects the log messages logged with
+  # oidutil.log.  See the calls to self.failUnlessLogMatches.  Some of
+  # these tests pass openid2-style messages to the openid 1
+  # association processing logic to be sure it ignores the extra data.
+  class TestOpenID1SessionNegotiation < Test::Unit::TestCase
+    include NegotiationTestMixin
+
+    Compat = true
+
+    def setup
+      @server_url = 'http://invalid/'
+      @openid_ns = OPENID1_NS
+    end
+
+    def test_bad_response
+      assert_log_matches('Server error when requesting an association') {
+        response = call_negotiate([mk_message({})])
+        assert_equal(nil, response)
+      }
+    end
+
+    def test_empty_assoc_type
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'session_type' => 'new-session-type',
+                       })
+
+      assert_log_matches('Server error when requesting an association') {
+        response = call_negotiate([msg])
+        assert_equal(nil, response)
+      }
+    end
+
+    def test_empty_session_type
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'new-assoc-type',
+                       })
+
+      assert_log_matches('Server error when requesting an association') {
+        response = call_negotiate([msg])
+        assert_equal(nil, response)
+      }
+    end
+
+    def test_not_allowed
+      negotiator = AssociationNegotiator.new([])
+      negotiator.instance_eval{
+        @allowed_types = [['assoc_bogus', 'session_bogus']]
+      }
+
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'not-allowed',
+                         'session_type' => 'not-allowed',
+                       })
+
+      assert_log_matches('Server error when requesting an association') {
+        response = call_negotiate([msg])
+        assert_equal(nil, response)
+      }
+    end
+
+    def test_unsupported_with_retry
+      msg = mk_message({'error' => 'Unsupported type',
+                         'error_code' => 'unsupported-type',
+                         'assoc_type' => 'HMAC-SHA1',
+                         'session_type' => 'DH-SHA1',
+                       })
+
+      assoc = Association.new('handle', 'secret', Time.now, 10000, 'HMAC-SHA1')
+
+
+      assert_log_matches('Server error when requesting an association') {
+        response = call_negotiate([msg, assoc])
+        assert_equal(nil, response)
+      }
+    end
+
+    def test_valid
+      assoc = Association.new('handle', 'secret', Time.now, 10000, 'HMAC-SHA1')
+      assert_log_matches() {
+        response = call_negotiate([assoc])
+        assert_equal(assoc, response)
+      }
+    end
+  end
+
+
+  class TestExtractAssociation < Test::Unit::TestCase
+    include ProtocolErrorMixin
+
+    # An OpenID associate response (without the namespace)
+    DEFAULTS = {
+      'expires_in' => '1000',
+      'assoc_handle' => 'a handle',
+      'assoc_type' => 'a type',
+      'session_type' => 'a session type',
+    }
+
+    def setup
+      @assoc_manager = Consumer::AssociationManager.new(nil, nil)
+    end
+
+    # Make tests that ensure that an association response that is
+    # missing required fields will raise an Message::KeyNotFound.
+    #
+    # According to 'Association Session Response' subsection 'Common
+    # Response Parameters', the following fields are required for
+    # OpenID 2.0:
+    #
+    #  * ns
+    #  * session_type
+    #  * assoc_handle
+    #  * assoc_type
+    #  * expires_in
+    #
+    # In OpenID 1, everything except 'session_type' and 'ns' are
+    # required.
+    MISSING_FIELD_SETS = ([["no_fields", []]] +
+                          (DEFAULTS.keys.map do |f|
+                             fields = DEFAULTS.keys
+                             fields.delete(f)
+                             ["missing_#{f}", fields]
+                           end)
+                          )
+
+    [OPENID1_NS, OPENID2_NS].each do |ns|
+      MISSING_FIELD_SETS.each do |name, fields|
+        # OpenID 1 is allowed to be missing session_type
+        if ns != OPENID1_NS and name != 'missing_session_type'
+          test = lambda do
+            msg = Message.new(ns)
+            fields.each do |field|
+              msg.set_arg(ns, field, DEFAULTS[field])
+            end
+            assert_raises(Message::KeyNotFound) do
+              @assoc_manager.send(:extract_association, msg, nil)
+            end
+          end
+          define_method("test_#{name}", test)
+        end
+      end
+    end
+
+    # assert that extracting a response that contains the given
+    # response session type when the request was made for the given
+    # request session type will raise a ProtocolError indicating
+    # session type mismatch
+    def assert_session_mismatch(req_type, resp_type, ns)
+      # Create an association session that has "req_type" as its
+      # session_type and no allowed_assoc_types
+      assoc_session_class = Class.new do
+        @session_type = req_type
+        def self.session_type
+          @session_type
+        end
+        def self.allowed_assoc_types
+          []
+        end
+      end
+      assoc_session = assoc_session_class.new
+
+      # Build an OpenID 1 or 2 association response message that has
+      # the specified association session type
+      msg = Message.new(ns)
+      msg.update_args(ns, DEFAULTS)
+      msg.set_arg(ns, 'session_type', resp_type)
+
+      # The request type and response type have been chosen to produce
+      # a session type mismatch.
+      assert_protocol_error('Session type mismatch') {
+        @assoc_manager.send(:extract_association, msg, assoc_session)
+      }
+    end
+
+    [['no-encryption', '', OPENID2_NS],
+     ['DH-SHA1', 'no-encryption', OPENID2_NS],
+     ['DH-SHA256', 'no-encryption', OPENID2_NS],
+     ['no-encryption', 'DH-SHA1', OPENID2_NS],
+     ['DH-SHA1', 'DH-SHA256', OPENID1_NS],
+     ['DH-SHA256', 'DH-SHA1', OPENID1_NS],
+     ['no-encryption', 'DH-SHA1', OPENID1_NS],
+    ].each do |req_type, resp_type, ns|
+      test = lambda { assert_session_mismatch(req_type, resp_type, ns) }
+      name = "test_mismatch_req_#{req_type}_resp_#{resp_type}_#{ns}"
+      define_method(name, test)
+    end
+
+    def test_openid1_no_encryption_fallback
+      # A DH-SHA1 session
+      assoc_session = Consumer::DiffieHellmanSHA1Session.new
+
+      # An OpenID 1 no-encryption association response
+      msg = Message.from_openid_args({
+                                       'expires_in' => '1000',
+                                       'assoc_handle' => 'a handle',
+                                       'assoc_type' => 'HMAC-SHA1',
+                                       'mac_key' => 'X' * 20,
+                                     })
+
+      # Should succeed
+      assoc = @assoc_manager.send(:extract_association, msg, assoc_session)
+      assert_equal('a handle', assoc.handle)
+      assert_equal('HMAC-SHA1', assoc.assoc_type)
+      assert(assoc.expires_in.between?(999, 1000))
+      assert('X' * 20, assoc.secret)
+    end
+  end
+
+  class GetOpenIDSessionTypeTest < Test::Unit::TestCase
+    include TestUtil
+
+    SERVER_URL = 'http://invalid/'
+
+    def do_test(expected_session_type, session_type_value)
+      # Create a Message with just 'session_type' in it, since
+      # that's all this function will use. 'session_type' may be
+      # absent if it's set to None.
+      args = {}
+      if !session_type_value.nil?
+        args['session_type'] = session_type_value
+      end
+      message = Message.from_openid_args(args)
+      assert(message.is_openid1)
+
+      assoc_manager = Consumer::AssociationManager.new(nil, SERVER_URL)
+      actual_session_type = assoc_manager.send(:get_openid1_session_type,
+                                               message)
+      error_message = ("Returned session type parameter #{session_type_value}"\
+                       "was expected to yield session type "\
+                       "#{expected_session_type}, but yielded "\
+                       "#{actual_session_type}")
+      assert_equal(expected_session_type, actual_session_type, error_message)
+    end
+
+
+    [['nil', 'no-encryption', nil],
+     ['empty', 'no-encryption', ''],
+     ['dh_sha1', 'DH-SHA1', 'DH-SHA1'],
+     ['dh_sha256', 'DH-SHA256', 'DH-SHA256'],
+    ].each {|name, expected, input|
+      # Define a test method that will check what session type will be
+      # used if the OpenID 1 response to an associate call sets the
+      # 'session_type' field to `session_type_value`
+      test = lambda {assert_log_matches() { do_test(expected, input) } }
+      define_method("test_#{name}", &test)
+    }
+
+    # This one's different because it expects log messages
+    def test_explicit_no_encryption
+      assert_log_matches("WARNING: #{SERVER_URL} sent 'no-encryption'"){
+        do_test('no-encryption', 'no-encryption')
+      }
+    end
+  end
+
+  class ExtractAssociationTest < Test::Unit::TestCase
+    include ProtocolErrorMixin
+
+    SERVER_URL = 'http://invalid/'
+
+    def setup
+      @session_type = 'testing-session'
+
+      # This must something that works for Association::from_expires_in
+      @assoc_type = 'HMAC-SHA1'
+
+      @assoc_handle = 'testing-assoc-handle'
+
+      # These arguments should all be valid
+      @assoc_response =
+        Message.from_openid_args({
+                                   'expires_in' => '1000',
+                                   'assoc_handle' => @assoc_handle,
+                                   'assoc_type' => @assoc_type,
+                                   'session_type' => @session_type,
+                                   'ns' => OPENID2_NS,
+                                 })
+      assoc_session_cls = Class.new do
+        class << self
+          attr_accessor :allowed_assoc_types, :session_type
+        end
+
+        attr_reader :extract_secret_called, :secret
+        def initialize
+          @extract_secret_called = false
+          @secret = 'shhhhh!'
+        end
+
+        def extract_secret(_)
+          @extract_secret_called = true
+          @secret
+        end
+      end
+      @assoc_session = assoc_session_cls.new
+      @assoc_session.class.allowed_assoc_types = [@assoc_type]
+      @assoc_session.class.session_type = @session_type
+
+      @assoc_manager = Consumer::AssociationManager.new(nil, SERVER_URL)
+    end
+
+    def call_extract
+      @assoc_manager.send(:extract_association,
+                          @assoc_response, @assoc_session)
+    end
+
+    # Handle a full successful association response
+    def test_works_with_good_fields
+      assoc = call_extract
+      assert(@assoc_session.extract_secret_called)
+      assert_equal(@assoc_session.secret, assoc.secret)
+      assert_equal(1000, assoc.lifetime)
+      assert_equal(@assoc_handle, assoc.handle)
+      assert_equal(@assoc_type, assoc.assoc_type)
+    end
+
+    def test_bad_assoc_type
+      # Make sure that the assoc type in the response is not valid
+      # for the given session.
+      @assoc_session.class.allowed_assoc_types = []
+      assert_protocol_error('Unsupported assoc_type for sess') {call_extract}
+    end
+
+    def test_bad_expires_in
+      # Invalid value for expires_in should cause failure
+      @assoc_response.set_arg(OPENID_NS, 'expires_in', 'forever')
+      assert_protocol_error('Invalid expires_in') {call_extract}
+    end
+  end
+
+  class TestExtractAssociationDiffieHellman < Test::Unit::TestCase
+    include ProtocolErrorMixin
+
+    SECRET = 'x' * 20
+
+    def setup
+      @assoc_manager = Consumer::AssociationManager.new(nil, nil)
+    end
+
+    def setup_dh
+      sess, message = @assoc_manager.send(:create_associate_request,
+                                          'HMAC-SHA1', 'DH-SHA1')
+
+      server_dh = DiffieHellman.new
+      cons_dh = sess.instance_variable_get('@dh')
+
+      enc_mac_key = server_dh.xor_secret(CryptUtil.method(:sha1),
+                                         cons_dh.public, SECRET)
+
+      server_resp = {
+        'dh_server_public' => CryptUtil.num_to_base64(server_dh.public),
+        'enc_mac_key' => Util.to_base64(enc_mac_key),
+        'assoc_type' => 'HMAC-SHA1',
+        'assoc_handle' => 'handle',
+        'expires_in' => '1000',
+        'session_type' => 'DH-SHA1',
+      }
+      if @assoc_manager.instance_variable_get(:@compatibility_mode)
+        server_resp['ns'] = OPENID2_NS
+      end
+      return [sess, Message.from_openid_args(server_resp)]
+    end
+
+    def test_success
+      sess, server_resp = setup_dh
+      ret = @assoc_manager.send(:extract_association, server_resp, sess)
+      assert(!ret.nil?)
+      assert_equal(ret.assoc_type, 'HMAC-SHA1')
+      assert_equal(ret.secret, SECRET)
+      assert_equal(ret.handle, 'handle')
+      assert_equal(ret.lifetime, 1000)
+    end
+
+    def test_openid2success
+      # Use openid 1 type in endpoint so _setUpDH checks
+      # compatibility mode state properly
+      @assoc_manager.instance_variable_set('@compatibility_mode', true)
+      test_success()
+    end
+
+    def test_bad_dh_values
+      sess, server_resp = setup_dh
+      server_resp.set_arg(OPENID_NS, 'enc_mac_key', '\x00\x00\x00')
+      assert_protocol_error('Malformed response for') {
+        @assoc_manager.send(:extract_association, server_resp, sess)
+      }
+    end
+  end
+
+  class TestAssocManagerGetAssociation < Test::Unit::TestCase
+    include FetcherMixin
+    include TestUtil
+
+    attr_reader :negotiate_association
+
+    def setup
+      @server_url = 'http://invalid/'
+      @store = Store::Memory.new
+      @assoc_manager = Consumer::AssociationManager.new(@store, @server_url)
+      @assoc_manager.extend(Const)
+      @assoc = Association.new('handle', 'secret', Time.now, 10000,
+                               'HMAC-SHA1')
+    end
+
+    def set_negotiate_response(assoc)
+      @assoc_manager.const(:negotiate_association, assoc)
+    end
+
+    def test_not_in_store_no_response
+      set_negotiate_response(nil)
+      assert_equal(nil, @assoc_manager.get_association)
+    end
+
+    def test_not_in_store_negotiate_assoc
+      # Not stored beforehand:
+      stored_assoc = @store.get_association(@server_url, @assoc.handle)
+      assert_equal(nil, stored_assoc)
+
+      # Returned from associate call:
+      set_negotiate_response(@assoc)
+      assert_equal(@assoc, @assoc_manager.get_association)
+
+      # It should have been stored:
+      stored_assoc = @store.get_association(@server_url, @assoc.handle)
+      assert_equal(@assoc, stored_assoc)
+    end
+
+    def test_in_store_no_response
+      set_negotiate_response(nil)
+      @store.store_association(@server_url, @assoc)
+      assert_equal(@assoc, @assoc_manager.get_association)
+    end
+
+    def test_request_assoc_with_status_error
+      fetcher_class = Class.new do
+        define_method(:fetch) do |*args|
+          MockResponse.new(500, '')
+        end
+      end
+      with_fetcher(fetcher_class.new) do
+        assert_log_matches('Got HTTP status error when requesting') {
+          result = @assoc_manager.send(:request_association, 'HMAC-SHA1',
+                                       'no-encryption')
+          assert(result.nil?)
+        }
+      end
+    end
+  end
+
+  class TestAssocManagerRequestAssociation < Test::Unit::TestCase
+    include FetcherMixin
+    include TestUtil
+
+    def setup
+      @assoc_manager = Consumer::AssociationManager.new(nil, 'http://invalid/')
+      @assoc_type = 'HMAC-SHA1'
+      @session_type = 'no-encryption'
+      @message = Message.new(OPENID2_NS)
+      @message.update_args(OPENID_NS, {
+                             'assoc_type' => @assoc_type,
+                             'session_type' => @session_type,
+                             'assoc_handle' => 'kaboodle',
+                             'expires_in' => '1000',
+                             'mac_key' => 'X' * 20,
+                           })
+    end
+
+    def make_request
+      kv = @message.to_kvform
+      fetcher_class = Class.new do
+        define_method(:fetch) do |*args|
+          MockResponse.new(200, kv)
+        end
+      end
+      with_fetcher(fetcher_class.new) do
+        @assoc_manager.send(:request_association, @assoc_type, @session_type)
+      end
+    end
+
+    # The association we get is from valid processing of our result,
+    # and that no errors are raised
+    def test_success
+      assert_equal('kaboodle', make_request.handle)
+    end
+
+    # A missing parameter gets translated into a log message and
+    # causes the method to return nil
+    def test_missing_fields
+      @message.del_arg(OPENID_NS, 'assoc_type')
+      assert_log_matches('Missing required par') {
+        assert_equal(nil, make_request)
+      }
+    end
+
+    # A bad value results in a log message and causes the method to
+    # return nil
+    def test_protocol_error
+      @message.set_arg(OPENID_NS, 'expires_in', 'goats')
+      assert_log_matches('Protocol error processing') {
+        assert_equal(nil, make_request)
+      }
+    end
+  end
+
+end