ruby-openid 1.0

data/test/linkparse.rb

@@ -0,0 +1,305 @@
+require 'test/unit'
+
+require "openid/parse"
+
+class LinkParseTestCase < Test::Unit::TestCase
+
+  def test_bad
+    cases = <<EOF
+    <foo>
+
+    <><barf
+
+    not even html
+
+    <link>
+
+    <html>
+    <link>
+
+    <head>
+    <link>
+
+    <html>
+    <head>
+    </head>
+    <link>
+
+    <html>
+    <link>
+    <head>
+
+    <link>
+    <html>
+    <head>
+
+    <html>
+    <head>
+    </head>
+    </html>
+    <link>
+
+    <html>
+    <head>
+    <html>
+    <link>
+
+    <head>
+    <html>
+    <link>
+
+    <html>
+    <head>
+    <body>
+    <link>
+
+    <html>
+    <head>
+    <head>
+    <link>
+
+    <html>
+    <head>
+    <script>
+    <link>
+    </script>
+
+    <html>
+    <head>
+    <!--
+    <link>
+    -->
+
+    <html>
+    <head>
+    <![CDATA[
+    <link>
+    ]]>
+
+    <html>
+    <head>
+    <![cDaTa[
+    <link>
+    ]]>
+
+    <htmlx>
+    <head>
+    <link>
+
+    <html:summer>
+    <head>
+    <link>
+
+    <html>
+    <head:zucchini>
+    <link>
+
+    <html/>
+    <head>
+    <link>
+
+    <html/>
+    <html>
+    <head>
+    <link>
+
+    <html>
+    <head/>
+    <link>
+
+    <html>
+    <head/>
+    <head>
+    <link>
+
+    <!-- Plain vanilla -->
+    <html>
+    <head>
+    <link>
+
+    <!-- Ignore tags in the <script:... > namespace -->
+    <html>
+    <head>
+    <script:paddypan>
+    <link>
+    </script:paddypan>
+
+    <!-- Short link tag -->
+    <html>
+    <head>
+    <link/>
+
+    <!-- Spaces in the HTML tag -->
+    <html >
+    <head>
+    <link>
+
+    <!-- Spaces in the head tag -->
+    <html>
+    <head >
+    <link>
+
+    <html>
+    <head>
+    <link >
+
+    <html><head><link>
+
+    <html>
+    <head>
+    <link>
+    </head>
+
+    <html>
+    <head>
+    <link>
+    </head>
+    <link>
+
+    <html>
+    <head>
+    <link>
+    <body>
+    <link>
+
+    <html>
+    <head>
+    <link>
+    </html>
+
+    <html>
+    <head>
+    <link>
+    </html>
+    <link>
+
+    <html>
+    <delicata>
+    <head>
+    <title>
+    <link>
+
+    <HtMl>
+    <hEaD>
+    <LiNk>
+
+    <butternut>
+    <html>
+    <summer>
+    <head>
+    <turban>
+    <link>
+
+    <html>
+    <head>
+    <script>
+    <link>
+
+    <html><head><script><link>
+
+    <html>
+    <head>
+    <!--
+    <link>
+
+    <html>
+    <head>
+    <![CDATA[
+    <link>
+
+    <html>
+    <head>
+    <![ACORN[
+    <link>
+    ]]>
+
+    <html>
+    <head>
+    <link>
+
+    <html>
+    <head>
+    <link>
+    <link>
+
+    <html>
+    <gold nugget>
+    <head>
+    <link>
+    <link>
+
+    <html>
+    <head>
+    <link>
+    <LiNk>
+    <body>
+    <link>
+EOF
+
+
+    results = []
+    cases.split("\n\n").each do |c|
+      parse_link_attrs(c){ |x| results << x }
+    end
+
+    results.each {|r| assert(r == {}, r.to_s)}
+  end
+
+  def test_good_rel
+    cases = [
+             "<html><head><link rel=openid.server>",             
+             "<html><head><link rel=openid.server />",
+             "<html><head><link hubbard rel=openid.server>",
+             "<html><head><link hubbard rel=openid.server></link>",
+             "<html><head><link hubbard rel=openid.server />",
+             "<html><head><link / rel=openid.server>",
+             "<html><head><link rel='openid.server'>"
+            ]
+    
+    results = []
+    cases.each do |c|
+      parse_link_attrs(c) { |x| results << x }
+    end
+
+    assert_equal(cases.length, results.length)
+    results.each { |x| assert(x["rel"] == "openid.server", x["rel"]) }
+  end
+
+  def test_good
+    lj_test = <<EOF
+<!DOCTYPE html
+          PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+                 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+                 <html xmlns="http://www.w3.org/1999/xhtml">
+                   <head>
+                     <link rel="stylesheet" href="http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711" type="text/css" />
+         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <meta name="foaf:maker" content="foaf:mbox_sha1sum '12f8abdacb5b1a806711e23249da592c0d316260'" />
+ <meta name="robots" content="noindex, nofollow, noarchive" />
+ <meta name="googlebot" content="nosnippet" />
+ <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml" />
+                   <title>Brian</title>
+         </head>
+EOF
+    cases = [
+             ["<html><head><link rel=\"openid.server\" href=\"http://www.myopenid.com/server\" /></head></html>", [{"rel"=>"openid.server","href"=>"http://www.myopenid.com/server"}]],
+###
+             ["<html><head><link rel='openid.server' href='http://www.myopenid.com/server' /><link rel='openid.delegate' href='http://example.myopenid.com/' /></head></html>",
+              [{"rel"=>"openid.server","href"=>"http://www.myopenid.com/server"},
+               {"rel"=>"openid.delegate","href"=>"http://example.myopenid.com/"}]],
+###
+             [lj_test,
+              [{"rel"=>"stylesheet","type"=>"text/css","href"=>"http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711"},
+               {"rel"=>"openid.server","href"=>"http://www.livejournal.com/openid/server.bml"}]]
+
+         ]
+
+    cases.each do |unparsed, expected|
+      actual = []
+      parse_link_attrs(unparsed) {|x| actual << x}
+      assert_equal(expected, actual)
+    end
+
+  end
+
+end

data/test/runtests.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/ruby
+
+require "teststore"
+require "assoc"
+require "dh"
+require "util"
+require "linkparse"
+require "trustroot"
+require "assoc"
+require "server2"
+require "consumer"

data/test/server2.rb

@@ -0,0 +1,1053 @@
+require 'test/unit'
+require 'uri'
+
+require 'openid/server'
+require 'openid/stores'
+
+include OpenID::Server
+
+ALT_MODULUS = 0xCAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7AFFE86A7
+ALT_GEN = 5
+
+class TestProtocolError < Test::Unit::TestCase
+  
+  def test_browser_with_return_to
+    return_to = 'http://rp.unittest/consumer'
+    # will be a ProtocolError raised by Decode or CheckAuthRequest.answer
+    args = {
+      'openid.mode' => 'monkeydance',
+      'openid.identity' => 'http://wagu.unittest/',
+      'openid.return_to' => return_to
+    }
+    e = ProtocolError.new(args, 'plucky')
+    
+    assert_equal(true, e.has_return_to?)
+
+    expected_args = {
+      'openid.mode' => 'error',
+      'openid.error' => 'plucky'
+    }
+
+    actual_args = OpenID::Util.parse_query(URI.parse(e.encode_to_url).query)
+    assert_equal(expected_args, actual_args)
+    assert_equal(ENCODE_URL, e.which_encoding?)
+  end
+
+  def test_no_return_to
+    args = {
+      'openid.mode' => 'zebradance',
+      'openid.identity' => 'http://wagu.unittest/',
+    }
+    
+    e = ProtocolError.new(args, "waffles")
+    assert_equal(false, e.has_return_to?)
+    
+    expected = {
+      'error' => 'waffles',
+      'mode' => 'error'
+    }
+    
+    actual = OpenID::Util.parsekv(e.encode_to_kvform)
+    assert_equal(expected, actual)
+    assert_equal(ENCODE_KVFORM, e.which_encoding?)
+  end
+
+end
+
+class TestDecode < Test::Unit::TestCase
+  
+  def setup
+    @id_url = "http://decoder.am.unittest/"
+    @rt_url = "http://rp.unittest/foobot/?qux=zam"
+    @tr_url = "http://rp.unittest/"
+    @assoc_handle = "{assoc}{handle}"
+  end
+
+  def decode(args)
+    Decoder.new.decode(args)
+  end
+
+  def test_nil
+    args = {}
+    r = self.decode(args)
+    assert_equal(nil, r)
+  end
+
+  def test_irrelevant
+    args = {
+      'pony' => 'spotted',
+      'sreg.mutant_power' => 'decaffinator',
+    }
+    r = self.decode(args)
+    assert_equal(nil, r)
+  end
+
+  def test_bad
+      args = {
+      'openid.mode' => 'twos-compliment',
+      'openid.pants' => 'zippered'
+    }
+
+    begin
+      self.decode(args)
+    rescue ProtocolError
+      assert true
+    else
+      assert false, 'failed to raise ProtocolError'
+    end
+  end
+
+  def test_dict_of_lists
+    args = {
+      'openid.mode' => ['checkid_setup'],
+      'openid.identity' => @id_url,
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.return_to' => @rt_url,
+      'openid.trust_root' => @tr_url
+    }
+    
+    # this should raise an argument error
+    begin
+      result = self.decode(args)
+    rescue ArgumentError
+      assert true
+    end
+  end
+
+
+  def test_checkid_immediate
+    args = {
+      'openid.mode' => 'checkid_immediate',
+      'openid.identity' => @id_url,
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.return_to' => @rt_url,
+      'openid.trust_root' => @tr_url,
+      # should be ignored
+      'openid.some.extension' => 'junk'
+    }
+
+    r = self.decode(args)
+
+    assert_equal(CheckIDRequest, r.class)
+    assert_equal('checkid_immediate', r.mode)
+    assert_equal(true, r.immediate)
+    assert_equal(@id_url, r.identity)
+    assert_equal(@tr_url, r.trust_root)
+    assert_equal(@rt_url, r.return_to)
+    assert_equal(@assoc_handle, r.assoc_handle)
+  end
+
+  def test_checkid_setup_no_identity
+    args = {
+      'openid.mode' => 'checkid_setup',
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.return_to' => @rt_url,
+      'openid.trust_root' => @tr_url,
+    }
+
+    begin
+      result = self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Expected a ProtocolError, but did not get one')
+    end
+  end
+
+
+  def test_checkid_setup_no_return_to
+    args = {
+      'openid.mode' => 'checkid_setup',
+      'openid.identity' => @id_url,
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.trust_root' => @tr_url,
+    }
+    begin
+      result = self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Expected a ProtocolError, but did not get one')
+    end
+  end
+
+  def test_checkid_setup_bad_return_to
+    args = {
+      'openid.mode' => 'checkid_setup',
+      'openid.identity' => @id_url,
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.return_to' => 'not a url',
+      'openid.trust_root' => @tr_url,
+    }
+    begin
+      result = self.decode(args)
+    rescue MalformedReturnURL => e
+      assert e.query == args
+    else
+      flunk('Expected a MalformedReturnURL, but did not get one')
+    end
+  end
+
+  def test_checkid_setup_untrusted_return_to
+    args = {
+      'openid.mode' => 'checkid_setup',
+      'openid.identity' => @id_url,
+      'openid.assoc_handle' => @assoc_handle,
+      'openid.return_to' => 'http://incorrect.example.com/',
+      'openid.trust_root' => @tr_url,
+    }
+    begin
+      result = self.decode(args)
+    rescue UntrustedReturnURL => e
+      assert true
+    else
+      flunk('Expected a UntrustedReturnURL, but did not get one')
+    end
+  end
+
+
+  def test_check_auth
+    args = {
+      'openid.mode' => 'check_authentication',
+      'openid.assoc_handle' => '{dumb}{handle}',
+      'openid.sig' => 'sigblob',
+      'openid.signed' => 'foo,bar,mode',
+      'openid.foo' => 'signedval1',
+      'openid.bar' => 'signedval2',
+      'openid.baz' => 'unsigned',
+    }
+    r = self.decode(args)
+    assert_equal(r.class, CheckAuthRequest)
+    assert_equal('check_authentication', r.mode)
+    assert_equal('sigblob', r.sig)
+    assert_equal([['foo', 'signedval1'],
+                  ['bar', 'signedval2'],
+                  ['mode', 'id_res']], r.signed)
+                           
+  end
+
+  def test_check_auth_missing_signed_field
+    args = {
+      'openid.mode' => 'check_authentication',
+      'openid.assoc_handle' => '{dumb}{handle}',
+      'openid.sig' => 'sigblob',
+      'openid.signed' => 'foo,bar,mode',
+      'openid.foo' => 'signedval1',
+      'openid.baz' => 'unsigned'
+    }
+    begin
+      r = self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Expected a ProtocolError, but did not get one')
+    end
+  end
+
+  def test_check_auth_missing_signature
+    args = {
+      'openid.mode' => 'check_authentication',
+      'openid.assoc_handle' => '{dumb}{handle}',
+      'openid.signed' => 'foo,bar,mode',
+      'openid.foo' => 'signedval1',
+      'openid.bar' => 'signedval2',
+      'openid.baz' => 'unsigned'
+    }
+    begin
+      r = self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Expected a ProtocolError, but did not get one')
+    end
+  end
+  
+
+  def test_check_auth_and_invalidate
+    args = {
+      'openid.mode' => 'check_authentication',
+      'openid.assoc_handle' => '{dumb}{handle}',
+      'openid.invalidate_handle' => '[[SMART_handle]]',
+      'openid.sig' => 'sigblob',
+      'openid.signed' => 'foo,bar,mode',
+      'openid.foo' => 'signedval1',
+      'openid.bar' => 'signedval2',
+      'openid.baz' => 'unsigned'
+    }
+    r = self.decode(args)
+    assert_equal(CheckAuthRequest, r.class)
+    assert_equal('[[SMART_handle]]', r.invalidate_handle)
+  end
+
+
+  def test_associate_DH
+    args = {
+      'openid.mode' => 'associate',
+      'openid.session_type' => 'DH-SHA1',
+      'openid.dh_consumer_public' => "Rzup9265tw=="
+    }
+    r = self.decode(args)
+    assert_equal(AssociateRequest, r.class)
+    assert_equal("associate", r.mode)
+    assert_equal("DH-SHA1", r.session.session_type)
+    assert_equal("HMAC-SHA1", r.assoc_type)
+    assert(r.session.consumer_pubkey)
+  end
+
+  # Trying DH assoc w/o public key
+  def test_associate_DH_missing_key
+    args = {
+      'openid.mode' => 'associate',
+      'openid.session_type' => 'DH-SHA1'
+    }
+    # Using DH-SHA1 without supplying dh_consumer_public is an error.
+    begin
+      self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Wanted a ProtocolError')
+    end
+  end
+
+  # test associate w/ non default mod and gen
+  def test_associate_DH_mod_gen
+    args = {
+      'openid.mode' => 'associate',
+      'openid.session_type' => 'DH-SHA1',
+      'openid.dh_consumer_public' => "Rzup9265tw==",
+      'openid.dh_modulus' => OpenID::Util.num_to_base64(ALT_MODULUS),
+      'openid.dh_gen' => OpenID::Util.num_to_base64(ALT_GEN)
+    }
+    r = self.decode(args)
+    assert_equal(AssociateRequest, r.class)
+    assert_equal('DH-SHA1', r.session.session_type)
+    assert_equal('HMAC-SHA1', r.assoc_type)
+    assert_equal(ALT_MODULUS, r.session.dh.p)
+    assert_equal(ALT_GEN, r.session.dh.g)
+    assert r.session.consumer_pubkey
+  end
+
+  def test_associate_weird_session
+    args = {
+      'openid.mode' => 'associate',
+      'openid.session_type' => 'FLCL6',
+      'openid.dh_consumer_public' => "YQ==\n"
+    }
+    begin
+      self.decode(args)
+    rescue ProtocolError => e
+      assert e.query == args
+    else
+      flunk('Wanted a ProtocolError')
+    end      
+  end
+
+  def test_associate_plain_session
+    args = {'openid.mode' => 'associate'}
+    r = self.decode(args)
+    assert_equal(AssociateRequest, r.class)
+    assert_equal('associate', r.mode)
+    assert_equal('plaintext', r.session.session_type)
+    assert_equal('HMAC-SHA1', r.assoc_type)
+  end
+
+end
+
+class TestEncode < Test::Unit::TestCase
+  
+  def setup
+    @encoder = Encoder.new
+  end
+
+  def test_id_res
+    request = CheckIDRequest.new('checkid_setup',
+                                 'http://bombom.unittest/',
+                                 'http://burr.unittest/999',
+                                 'http://burr.unittest/')
+    response = OpenIDResponse.new(request)
+    response.fields = {
+      'mode' => 'id_res',
+      'identity' => request.identity,
+      'return_to' => request.return_to
+    }
+    webresponse = @encoder.encode(response)
+    assert_equal(HTTP_REDIRECT, webresponse.code)
+    assert webresponse.headers.has_key?('location')    
+    loc = webresponse.headers['location']
+    assert loc.starts_with?(request.return_to)
+
+    query = OpenID::Util.parse_query(URI.parse(loc).query)
+    expected = {}
+    response.fields.each {|k,v| expected['openid.'+k] = v}
+    assert_equal(expected, query)
+  end
+
+  def test_cancel
+    request = CheckIDRequest.new('checkid_setup',
+                                 'http://bombom.unittest/',
+                                 'http://burr.unittest/999',
+                                 'http://burr.unittest/')
+    response = OpenIDResponse.new(request)
+    response.fields = {'mode' => 'cancel'}
+    wr = @encoder.encode(response)
+    assert_equal(HTTP_REDIRECT, wr.code)
+    assert wr.headers.has_key?('location')
+    assert wr.headers['location'].starts_with?(request.return_to)
+  end
+
+  def test_assoc_reply
+    req = AssociateRequest.from_query({})
+    resp = OpenIDResponse.new(req)
+    resp.fields = {'assoc_handle' => 'every-zig'}
+    wr = @encoder.encode(resp)
+    assert_equal(HTTP_OK, wr.code)
+    assert_equal({}, wr.headers)
+    assert_equal("assoc_handle:every-zig\n", wr.body)
+  end
+
+  def test_check_auth_reply
+    req = CheckAuthRequest.new('sock', 'sigg', [])
+    res = OpenIDResponse.new(req)
+    res.fields = {'is_valid' => 'true', 'invalidate_handle' => 'xxx:xxx'}
+    wr = @encoder.encode(res)
+    
+    expected = "invalidate_handle:xxx:xxx\nis_valid:true\n"
+    expected = OpenID::Util.parsekv(expected)
+
+    assert_equal(HTTP_OK, wr.code)
+    assert_equal({}, wr.headers)
+    assert_equal(expected, OpenID::Util.parsekv(wr.body))
+  end
+
+  def test_unencodable_error
+    args = {'openid.identity' => 'http://limu.unittest/'}
+    e = ProtocolError.new(args, 'foo')
+    begin
+      @encoder.encode(e)
+    rescue EncodingError => e
+      assert true
+    else
+      flunk('Expected an EncodingError')
+    end
+  end
+
+  def test_encodable_error
+    args = {
+      'openid.mode' => 'associate',
+      'openid.identity' => 'http://limu.unittest/'
+    }
+    e = ProtocolError.new(args, 'snoot')
+
+    expected_body = "error:snoot\nmode:error\n"
+    expected_body = OpenID::Util.parsekv(expected_body)   
+    
+    wr = @encoder.encode(e)
+    assert_equal(HTTP_ERROR, wr.code)
+    assert_equal({}, wr.headers)
+    assert_equal(expected_body, OpenID::Util.parsekv(wr.body))
+  end
+
+end
+
+class TestSigningEncode < Test::Unit::TestCase
+
+  def setup
+    @dumb_key = 'http://localhost/|dumb'
+    @normal_key = 'http://localhost/|normal'
+    @store = OpenID::MemoryStore.new
+    @request = CheckIDRequest.new('checkid_setup',
+                                  'http://bombom.unittest/',
+                                  'http://burr.unittest/999',
+                                  'http://burr.unittest/')
+    @response = OpenIDResponse.new(@request)
+    @response.fields = {
+      'mode' => 'id_res',
+      'identity' => @request.identity,
+      'return_to' => @request.return_to
+    }
+    @response.signed += ['mode','identity','return_to']
+    @signatory = Signatory.new(@store)
+    @encoder = SigningEncoder.new(@signatory)
+  end
+
+  def test_id_res
+    assoc_handle = '{bicycle}{shed}'
+    assoc = OpenID::Association.from_expires_in(60, assoc_handle,
+                                                'sekrit','HMAC-SHA1')
+    @store.store_association(@normal_key, assoc)
+    @request.assoc_handle = assoc_handle
+    wr = @encoder.encode(@response)
+    
+    assert_equal(HTTP_REDIRECT, wr.code)
+    assert wr.headers.has_key?('location')
+    
+    loc = wr.headers['location']
+    query = OpenID::Util.parse_query(URI.parse(loc).query)
+
+    assert query.has_key?('openid.sig')
+    assert query.has_key?('openid.signed')
+    assert query.has_key?('openid.assoc_handle')
+  end
+
+  def test_id_res_dumb
+    wr = @encoder.encode(@response)
+
+    assert_equal(HTTP_REDIRECT, wr.code)
+    assert wr.headers.has_key?('location')
+
+    loc = wr.headers['location']
+    query = OpenID::Util.parse_query(URI.parse(loc).query)
+    
+    assert query.has_key?('openid.sig')
+    assert query.has_key?('openid.signed')
+    assert query.has_key?('openid.assoc_handle')
+  end
+
+  def test_cancel
+    response = OpenIDResponse.new(@request)
+    response.fields['mode'] = 'cancel'
+    response.signed.clear
+    wr = @encoder.encode(response)
+    assert_equal(HTTP_REDIRECT, wr.code)
+    assert wr.headers.has_key?('location')
+
+    loc = wr.headers['location']
+    query = OpenID::Util.parse_query(URI.parse(loc).query)
+    assert(!query.has_key?('openid.sig'))
+  end
+
+  def test_assoc_reply
+    req = AssociateRequest.from_query({})
+    res = OpenIDResponse.new(req)
+    res.fields = {'assoc_handle' => 'every-zig'}
+    wr = @encoder.encode(res)
+    assert_equal(HTTP_OK, wr.code)
+    assert_equal({}, wr.headers)
+    assert_equal("assoc_handle:every-zig\n", wr.body)
+  end
+
+  def test_already_signed
+    @response.fields['sig'] = 'priorSig=='
+    begin
+      @encoder.encode(@response)
+    rescue AlreadySigned => e
+      assert true
+    else
+      flunk('Wanted an AlreadySigned exception')
+    end
+  end
+
+end
+
+class TestCheckID < Test::Unit::TestCase
+  
+  def setup
+    @request = CheckIDRequest.new('checkid_setup',
+                                  'http://bombom.unittest/',
+                                  'http://burr.unittest/999',
+                                  'http://burr.unittest/')    
+  end
+
+  def test_trust_root_invalid
+    @request.trust_root = 'http://foo.un/17'
+    @request.return_to = 'http://foo.un/39'
+    assert !@request.trust_root_valid
+  end
+
+  def test_trust_root_hvalid
+    @request.trust_root = 'http://foo.un/'
+    @request.return_to = 'http://foo.un/39'
+    assert @request.trust_root_valid
+  end
+
+  def test_answer_allow
+    answer = @request.answer(true)
+    assert_equal(@request, answer.request)
+    assert_equal({'mode'=>'id_res','identity'=>@request.identity,
+                   'return_to'=>@request.return_to}, answer.fields)
+    signed = answer.signed.dup.sort
+    assert_equal(['identity','mode','return_to'], signed)
+  end
+  
+  def test_answer_allow_no_trust_root
+    @request.trust_root = nil
+    answer = @request.answer(true)
+    assert_equal(@request, answer.request)
+    assert_equal({'mode'=>'id_res','identity'=>@request.identity,
+                   'return_to'=>@request.return_to}, answer.fields)
+    signed = answer.signed.dup.sort
+    assert_equal(['identity','mode','return_to'], signed)
+  end
+
+  def test_answer_immediate_deny
+    @request.mode = 'checkid_immediate'
+    @request.immediate = true
+    server_url = 'http://server-url.unittest/'
+    answer = @request.answer(false, server_url)
+    assert_equal(@request, answer.request)
+    assert_equal(2, answer.fields.length)
+    assert_equal('id_res', answer.fields['mode'])
+    assert answer.fields['user_setup_url'].starts_with?(server_url)
+    assert_equal([], answer.signed)
+  end
+
+  def test_answer_setup_deny
+    answer = @request.answer(false)
+    assert_equal({'mode' => 'cancel'}, answer.fields)
+    assert_equal([], answer.signed)
+  end
+
+  def test_encode_to_url
+    server_url = 'http://openid-server.un/'
+    url = @request.encode_to_url(server_url)
+    query = OpenID::Util.parse_query(URI.parse(url).query)
+    
+    req = CheckIDRequest.from_query(query)
+    assert_equal(@request.mode, req.mode)
+    assert_equal(@request.identity, req.identity)
+    assert_equal(@request.return_to, req.return_to)
+    assert_equal(@request.trust_root, req.trust_root)
+    assert_equal(@request.immediate, req.immediate)
+    assert_equal(@request.assoc_handle, req.assoc_handle)
+  end
+
+  def test_cancel_url
+    url = @request.cancel_url
+    expected = OpenID::Util.append_args(@request.return_to, 
+                                        {'openid.mode'=>'cancel'})
+    assert_equal(expected, url)
+  end
+  
+  def test_cancel_url_immediate
+    @request.immediate = true
+    begin
+      url = @request.cancel_url
+    rescue ProtocolError => e
+      assert true
+    else
+      flunk('Wanted a ProtoclError')
+    end
+  end
+
+end
+
+
+class TestCheckIDExtension < Test::Unit::TestCase
+  
+  def setup
+    @request = CheckIDRequest.new('checkid_setup',
+                                  'http://bombom.unittest/',
+                                  'http://burr.unittest/999',
+                                  'http://burr.unittest/')
+    @response = OpenIDResponse.new(@request)
+    @response.fields['mode'] = 'id_res'
+    @response.fields['blue'] = 'star'
+    @response.signed += ['mode','identity','return_to']
+  end
+
+  def test_add_field
+    ns = 'mj12'
+    @response.add_field(ns, 'bright', 'potato')
+    assert_equal({'blue'=>'star',
+                 'mode'=>'id_res',
+                 'mj12.bright'=>'potato'}, @response.fields)
+    assert_equal(['mode','identity','return_to','mj12.bright'], @response.signed)    
+  end
+
+  def test_add_field_unsigned
+    ns = 'mj12'
+    @response.add_field(ns, 'bright', 'potato', false)
+    assert_equal({'blue'=>'star',
+                 'mode'=>'id_res',
+                 'mj12.bright'=>'potato'}, @response.fields)
+    assert_equal(['mode','identity','return_to'], @response.signed)    
+  end
+
+  def test_add_fields
+    ns = 'mj12'
+    @response.add_fields(ns, {'bright'=>'potato', 'xxx'=>'yyy'})
+    assert_equal({'blue'=>'star',
+                 'mode'=>'id_res',
+                 'mj12.bright'=>'potato',
+                 'mj12.xxx'=>'yyy'}, @response.fields)
+    assert_equal(['mode','identity','return_to','mj12.bright','mj12.xxx'].sort, @response.signed.sort)    
+  end
+
+  def test_add_fields_unsigned
+    ns = 'mj12'
+    @response.add_fields(ns, {'bright'=>'potato', 'xxx'=>'yyy'}, false)
+    assert_equal({'blue'=>'star',
+                 'mode'=>'id_res',
+                 'mj12.bright'=>'potato',
+                 'mj12.xxx'=>'yyy'}, @response.fields)
+    assert_equal(['mode','identity','return_to'].sort, @response.signed.sort)    
+  end
+
+  def test_update
+    eres = OpenIDResponse.new(nil)
+    eres.fields.update({'a'=>'b','c'=>'d'})
+    eres.signed = ['c']
+    
+    @response.update('ns', eres)
+    assert_equal({'blue'=>'star','mode'=>'id_res','ns.a'=>'b','ns.c'=>'d'},
+                 @response.fields)
+    assert_equal(['mode', 'identity', 'return_to', 'ns.c'], @response.signed)
+  end
+  
+  def test_update_no_namespace
+    eres = OpenIDResponse.new(nil)
+    eres.fields.update({'a'=>'b','c'=>'d'})
+    eres.signed = ['c']
+    
+    @response.update(nil, eres)
+    assert_equal({'blue'=>'star','mode'=>'id_res','a'=>'b','c'=>'d'},
+                 @response.fields)
+    assert_equal(['mode', 'identity', 'return_to', 'c'], @response.signed)
+  end
+
+end
+
+class MockSignatory
+  
+  attr_accessor :is_valid, :assocs
+
+  def initialize(assoc)
+    @assocs = [assoc]
+    @is_valid = true
+  end
+
+  def is_valid?
+    @is_valid
+  end
+
+  def verify(assoc_handle, sig, signed_pairs)
+    if @assocs.member?([true, assoc_handle])
+      return self.is_valid?
+    else
+      return false
+    end
+  end
+
+  def get_association(assoc_handle, dumb)
+    if @assocs.member?([dumb, assoc_handle])
+      return true
+    else
+      return nil
+    end
+  end
+
+  def invalidate(assoc_handle, dumb)
+    @assocs.delete([dumb, assoc_handle])
+  end
+
+end
+
+class TestCheckAuthServer < Test::Unit::TestCase
+
+  def setup
+    @assoc_handle = 'moo'
+    @request = CheckAuthRequest.new(@assoc_handle, 'signature',
+                                    [['one','alpha'],['two','beta']])
+    @signatory = MockSignatory.new([true, @assoc_handle])
+  end
+
+  def test_valid
+    r = @request.answer(@signatory)
+    assert_equal({'is_valid'=>'true'}, r.fields)
+    assert_equal(r.request, @request)
+  end
+
+  def test_invalid
+    assert_not_nil(@signatory)
+
+    @signatory.is_valid = false
+    r = @request.answer(@signatory)
+    assert_equal({'is_valid'=>'false'}, r.fields)
+    assert_equal(r.request, @request)
+  end
+
+  def test_replay
+    r = @request.answer(@signatory)
+    r = @request.answer(@signatory)
+    assert_equal({'is_valid'=>'false'}, r.fields)
+  end
+
+  def test_invalidate_handle
+    @request.invalidate_handle = 'bogushandle'
+    r = @request.answer(@signatory)
+    assert_equal({'is_valid'=>'true',
+                 'invalidate_handle'=>'bogushandle'}, r.fields)
+    assert_equal(r.request, @request)    
+  end
+
+  def test_invalidate_handle_no
+    assoc_handle = 'goodhandle'
+    @signatory.assocs << [false, assoc_handle]
+    @request.invalidate_handle = assoc_handle
+    r = @request.answer(@signatory)
+    assert_equal({'is_valid'=>'true'}, r.fields)
+  end
+
+end
+
+
+class TestAssociate < Test::Unit::TestCase
+  
+  def setup
+    @request = AssociateRequest.from_query({})
+    @store = OpenID::MemoryStore.new
+    @signatory = Signatory.new(@store)
+    @assoc = @signatory.create_association(false)
+  end
+
+  def test_dh
+    consumer_dh = OpenID::DiffieHellman.new
+    cpub = consumer_dh.public
+    session = DiffieHellmanServerSession.new(OpenID::DiffieHellman.new, cpub)
+    @request = AssociateRequest.new(session)
+    response = @request.answer(@assoc)
+    rf = response.fields
+    assert_equal('HMAC-SHA1', rf['assoc_type'])
+    assert_equal('DH-SHA1', rf['session_type'])
+    assert_equal(@assoc.handle, rf['assoc_handle'])
+    assert_nil(rf['mac_key'])
+    assert_not_nil(rf['enc_mac_key'])
+    assert_not_nil(rf['dh_server_public'])
+
+    enc_key = OpenID::Util.from_base64(rf['enc_mac_key'])
+    spub = OpenID::Util.base64_to_num(rf['dh_server_public'])
+    secret = consumer_dh.xor_secrect(spub, enc_key)
+    assert_equal(@assoc.secret, secret)
+  end
+
+  def test_plaintext
+    response = @request.answer(@assoc)
+    rf = response.fields
+    
+    assert_equal('HMAC-SHA1', rf['assoc_type'])
+    assert_equal(@assoc.handle, rf['assoc_handle'])
+    assert_equal(OpenID::Util.to_base64(@assoc.secret), rf['mac_key'])
+    assert_equal("#{14 * 24 * 60 * 6}", rf['expires_in'])
+    assert_nil(rf['session_type'])
+    assert_nil(rf['enc_mac_key'])
+    assert_nil(rf['dh_server_public'])
+  end
+
+end
+
+class Counter
+  
+  attr_accessor :count
+
+  def initialize
+    @count = 0
+  end
+
+  def inc
+    @count += 1
+  end
+
+end
+
+class TestServer < Test::Unit::TestCase
+
+  def setup
+    @store = OpenID::MemoryStore.new
+    @server = Server.new(@store)
+  end
+
+  def test_associate
+    req = AssociateRequest.from_query({})
+    res = @server.openid_associate(req)
+    assert res.fields.has_key?('assoc_handle')
+  end
+
+  def test_check_auth
+    req = CheckAuthRequest.new('arrrrg', '0x3999', [])
+    res = @server.openid_check_authentication(req)
+    assert res.fields.has_key?('is_valid')
+  end
+
+end
+
+class TestSignatory < Test::Unit::TestCase
+
+  def setup
+    @store = OpenID::MemoryStore.new
+    @signatory = Signatory.new(@store)
+    @dumb_key = 'http://localhost/|dumb'
+    @normal_key = 'http://localhost/|normal'    
+  end
+
+  def test_sign
+    request = CheckIDRequest.new('checkid_setup','foo','bar','baz')
+    assoc_handle = '{assoc}{lookatme}'
+    @store.store_association(@normal_key,
+                             OpenID::Association.from_expires_in(60,
+                                                                 assoc_handle,
+                                                                 'sekrit',
+                                                                 'HMAC-SHA1'))
+    request.assoc_handle = assoc_handle
+    response = OpenIDResponse.new(request)
+    response.fields = {
+      'foo' => 'amsigned',
+      'bar' => 'notsigned',
+      'azu' => 'alsosigned'
+    }
+    response.signed = ['foo','azu']
+    sresponse = @signatory.sign(response)
+    
+    assert_equal(assoc_handle, sresponse.fields['assoc_handle'])
+    assert_equal('foo,azu', sresponse.fields['signed'])
+    assert_not_nil(sresponse.fields['sig'])
+  end
+
+  def test_sign_dumb
+    request = CheckIDRequest.new('checkid_setup','foo','bar','baz')
+    request.assoc_handle = nil
+    response = OpenIDResponse.new(request)
+    response.fields = {
+      'foo' => 'amsigned',
+      'bar' => 'notsigned',
+      'azu' => 'alsosigned'
+    }
+    response.signed = ['foo','azu']
+    sresponse = @signatory.sign(response)
+    assoc_handle = sresponse.fields['assoc_handle']
+    assert_not_nil(assoc_handle)
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_not_nil(assoc)
+    assert_equal('foo,azu', sresponse.fields['signed'])
+    assert_not_nil(sresponse.fields['sig'])
+  end
+  
+  def test_sign_expired
+    request = CheckIDRequest.new('checkid_setup','foo','bar','baz')
+    assoc_handle = '{assoc}{lookatme}'
+    @store.store_association(@normal_key,
+                             OpenID::Association.from_expires_in(-10,
+                                                                 assoc_handle,
+                                                                 'sekrit',
+                                                                 'HMAC-SHA1'))
+    assert_not_nil(@store.get_association(@normal_key, assoc_handle))
+    
+    request.assoc_handle = assoc_handle
+    response = OpenIDResponse.new(request)
+    response.fields = {
+      'foo' => 'amsigned',
+      'bar' => 'notsigned',
+      'azu' => 'alsosigned'
+    }
+    response.signed = ['foo','azu']
+    sresponse = @signatory.sign(response)
+    
+    new_assoc_handle = sresponse.fields['assoc_handle']
+    assert_not_nil(new_assoc_handle)
+    assert new_assoc_handle != assoc_handle
+    
+    assert_equal(assoc_handle, sresponse.fields['invalidate_handle'])
+    assert_equal('foo,azu', sresponse.fields['signed'])
+    assert_not_nil(sresponse.fields['sig'])
+
+    assert_nil(@store.get_association(@normal_key, assoc_handle))
+    assert_not_nil(@store.get_association(@dumb_key, new_assoc_handle))
+    assert_nil(@store.get_association(@normal_key, new_assoc_handle))
+  end
+  
+  def test_verify
+    assoc_handle = '{vroom}{zoom}'
+    assoc = OpenID::Association.from_expires_in(60, assoc_handle,
+                                                'sekrit', 'HMAC-SHA1')
+    
+    @store.store_association(@dumb_key, assoc)
+    
+    signed_pairs = [['foo', 'bar'],['apple', 'orange']]
+    
+    sig = "Ylu0KcIR7PvNegB/K41KpnRgJl0="
+    verified = @signatory.verify(assoc_handle, sig, signed_pairs)
+    assert_not_nil(verified)
+  end
+
+  def test_verify_bad_sig
+    assoc_handle = '{vroom}{zoom}'
+    assoc = OpenID::Association.from_expires_in(60, assoc_handle,
+                                                'sekrit', 'HMAC-SHA1')
+    
+    @store.store_association(@dumb_key, assoc)
+    
+    signed_pairs = [['foo', 'bar'],['apple', 'orange']]
+    
+    sig = "Ylu0KcIR7PvNegB/K41KpnRgXXX="
+    verified = @signatory.verify(assoc_handle, sig, signed_pairs)
+    assert(!verified)
+  end
+
+  def test_verify_bad_handle
+    assoc_handle = '{vroom}{zoom}'
+    signed_pairs = [['foo', 'bar'],['apple', 'orange']]
+    
+    sig = "Ylu0KcIR7PvNegB/K41KpnRgJl0="
+    verified = @signatory.verify(assoc_handle, sig, signed_pairs)
+    assert(!verified)
+  end
+
+  def make_assoc(dumb, lifetime=60)
+    assoc_handle = '{bling}'
+    assoc = OpenID::Association.from_expires_in(lifetime, assoc_handle,
+                                                'sekrit', 'HMAC-SHA1')
+    key = dumb ? @dumb_key : @normal_key
+    @store.store_association(key, assoc)
+    return assoc_handle                                                
+  end
+  
+  def test_get_assoc
+    assoc_handle = self.make_assoc(true)
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_not_nil(assoc)
+    assert_equal(assoc_handle, assoc.handle)    
+  end
+
+  def test_get_assoc_expired
+    assoc_handle = self.make_assoc(true, -10)
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_nil(assoc)
+  end
+
+  def test_get_assoc_invalid
+    assoc_handle = 'no-such-handle'
+    assoc = @signatory.get_association(assoc_handle, false)
+    assert_nil(assoc)
+  end
+
+  def test_get_assoc_dumb_vs_normal
+    assoc_handle = self.make_assoc(true)
+    assoc = @signatory.get_association(assoc_handle, false)
+    assert_nil(assoc)
+  end
+
+  def test_create_assoc
+    assoc = @signatory.create_association(false)
+    assoc2 = @signatory.get_association(assoc.handle, false)
+    assert_not_nil(assoc2)
+    assert_equal(assoc, assoc2)
+  end
+  
+  def test_invalidate
+    assoc_handle = '-squash-'
+    assoc = OpenID::Association.from_expires_in(60, assoc_handle,
+                                                'sekrit', 'HMAC-SHA1')
+    @store.store_association(@dumb_key, assoc)
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_not_nil(assoc)
+
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_not_nil(assoc)
+
+    @signatory.invalidate(assoc_handle, true)
+    assoc = @signatory.get_association(assoc_handle, true)
+    assert_nil(assoc)
+  end
+
+end
+