ruby-openid 1.1.4 → 2.0.1

data/test/test_nonce.rb

@@ -0,0 +1,89 @@
+require 'test/unit'
+require 'openid/store/nonce'
+
+module OpenID
+  class NonceTestCase < Test::Unit::TestCase
+
+     NONCE_RE = /\A\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ/
+
+    def test_mk_nonce
+      nonce = Nonce::mk_nonce
+      assert(nonce.match(NONCE_RE))
+      assert(nonce.size == 26)
+    end
+
+    def test_mk_nonce_time
+      nonce = Nonce::mk_nonce(0)
+      assert(nonce.match(NONCE_RE))
+      assert(nonce.size == 26)
+      assert(nonce.match(/^1970-01-01T00:00:00Z/))
+    end
+
+    def test_split
+      s = '1970-01-01T00:00:00Z'
+      expected_t = 0
+      expected_salt = ''
+      actual_t, actual_salt = Nonce::split_nonce(s)
+      assert_equal(expected_t, actual_t)
+      assert_equal(expected_salt, actual_salt)
+    end
+
+    def test_mk_split
+      t = 42
+      nonce_str = Nonce::mk_nonce(t)
+      assert(nonce_str.match(NONCE_RE))
+      at, salt = Nonce::split_nonce(nonce_str)
+      assert_equal(6, salt.size)
+      assert_equal(t, at)
+    end
+
+    def test_bad_split
+      cases = [
+        '',
+        '1970-01-01T00:00:00+1:00',
+        '1969-01-01T00:00:00Z',
+        '1970-00-01T00:00:00Z',
+        '1970.01-01T00:00:00Z',
+        'Thu Sep  7 13:29:31 PDT 2006',
+        'monkeys',
+        ]
+      cases.each{|c|
+        assert_raises(ArgumentError, c.inspect) { Nonce::split_nonce(c) }
+      }
+    end
+
+    def test_check_timestamp
+      cases = [
+        # exact, no allowed skew
+        ['1970-01-01T00:00:00Z', 0, 0, true],
+
+        # exact, large skew
+        ['1970-01-01T00:00:00Z', 1000, 0, true],
+
+        # no allowed skew, one second old
+        ['1970-01-01T00:00:00Z', 0, 1, false],
+
+        # many seconds old, outside of skew
+        ['1970-01-01T00:00:00Z', 10, 50, false],
+
+        # one second old, one second skew allowed
+        ['1970-01-01T00:00:00Z', 1, 1, true],
+
+        # One second in the future, one second skew allowed
+        ['1970-01-01T00:00:02Z', 1, 1, true],
+
+        # two seconds in the future, one second skew allowed
+        ['1970-01-01T00:00:02Z', 1, 0, false],
+
+        # malformed nonce string
+        ['monkeys', 0, 0, false],
+      ]
+      
+      cases.each{|c|
+        (nonce_str, allowed_skew, now, expected) = c
+        actual = Nonce::check_timestamp(nonce_str, allowed_skew, now)
+        assert_equal(expected, actual, c.inspect)
+      }
+    end
+  end
+end

data/test/test_openid_yadis.rb

@@ -0,0 +1,178 @@
+
+require 'test/unit'
+require 'openid/consumer/discovery'
+require 'openid/yadis/services'
+
+module OpenID
+
+  XRDS_BOILERPLATE = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS xmlns:xrds="xri://$xrds"
+           xmlns="xri://$xrd*($v*2.0)"
+           xmlns:openid="http://openid.net/xmlns/1.0">
+    <XRD>
+%s
+    </XRD>
+</xrds:XRDS>
+EOF
+
+  def self.mkXRDS(services)
+    return sprintf(XRDS_BOILERPLATE, services)
+  end
+
+  def self.mkService(uris=nil, type_uris=nil, local_id=nil, dent="        ")
+    chunks = [dent, "<Service>\n"]
+    dent2 = dent + "    "
+    if type_uris
+      type_uris.each { |type_uri|
+        chunks += [dent2 + "<Type>", type_uri, "</Type>\n"]
+      }
+    end
+
+    if uris
+      uris.each { |uri|
+        if uri.is_a?(Array)
+          uri, prio = uri
+        else
+          prio = nil
+        end
+
+        chunks += [dent2, "<URI"]
+        if !prio.nil?
+          chunks += [" priority='", str(prio), "'"]
+        end
+        chunks += [">", uri, "</URI>\n"]
+      }
+    end
+
+    if local_id
+      chunks += [dent2, "<openid:Delegate>", local_id, "</openid:Delegate>\n"]
+    end
+
+    chunks += [dent, "</Service>\n"]
+
+    return chunks.join("")
+  end
+
+  # Different sets of server URLs for use in the URI tag
+  SERVER_URL_OPTIONS = [
+                        [], # This case should not generate an endpoint object
+                        ['http://server.url/'],
+                        ['https://server.url/'],
+                        ['https://server.url/', 'http://server.url/'],
+                        ['https://server.url/',
+                         'http://server.url/',
+                         'http://example.server.url/'],
+                       ]
+
+  # Used for generating test data
+  def OpenID.subsets(l)
+    subsets_list = [[]]
+    l.each { |x|
+      subsets_list += subsets_list.collect { |t| [x] + t }
+    }
+
+    return subsets_list
+  end
+
+  # A couple of example extension type URIs. These are not at all
+  # official, but are just here for testing.
+  EXT_TYPES = [
+               'http://janrain.com/extension/blah',
+               'http://openid.net/sreg/1.0',
+              ]
+
+  # Range of valid Delegate tag values for generating test data
+  LOCAL_ID_OPTIONS = [
+                      nil,
+                      'http://vanity.domain/',
+                      'https://somewhere/yadis/',
+                     ]
+
+  class OpenIDYadisTest
+    def initialize(uris, type_uris, local_id)
+      super()
+      @uris = uris
+      @type_uris = type_uris
+      @local_id = local_id
+
+      @yadis_url = 'http://unit.test/'
+
+      # Create an XRDS document to parse
+      services = OpenID.mkService(@uris,
+                                  @type_uris,
+                                  @local_id)
+      @xrds = OpenID.mkXRDS(services)
+    end
+
+    def runTest(testcase)
+      # Parse into endpoint objects that we will check
+      endpoints = Yadis.apply_filter(@yadis_url, @xrds, OpenIDServiceEndpoint)
+
+      # make sure there are the same number of endpoints as URIs. This
+      # assumes that the type_uris contains at least one OpenID type.
+      testcase.assert_equal(@uris.length, endpoints.length)
+
+      # So that we can check equality on the endpoint types
+      type_uris = @type_uris.dup
+      type_uris.sort!
+
+      seen_uris = []
+      endpoints.each { |endpoint|
+        seen_uris << endpoint.server_url
+
+        # All endpoints will have same yadis_url
+        testcase.assert_equal(@yadis_url, endpoint.claimed_id)
+
+        # and local_id
+        testcase.assert_equal(@local_id, endpoint.local_id)
+
+        # and types
+        actual_types = endpoint.type_uris.dup
+        actual_types.sort!
+        testcase.assert_equal(type_uris, actual_types, actual_types.inspect)
+      }
+
+      # So that they will compare equal, because we don't care what
+      # order they are in
+      seen_uris.sort!
+      uris = @uris.dup
+      uris.sort!
+
+      # Make sure we saw all URIs, and saw each one once
+      testcase.assert_equal(uris, seen_uris)
+    end
+  end
+
+  class OpenIDYadisTests < Test::Unit::TestCase
+    def test_openid_yadis
+      data = []
+
+      # All valid combinations of Type tags that should produce an
+      # OpenID endpoint
+      type_uri_options = []
+
+      OpenID.subsets([OPENID_1_0_TYPE, OPENID_1_1_TYPE]).each { |ts|
+        OpenID.subsets(EXT_TYPES).each { |exts|
+          if !ts.empty?
+            type_uri_options << exts + ts
+          end
+        }
+      }
+
+      # All combinations of valid URIs, Type URIs and Delegate tags
+      SERVER_URL_OPTIONS.each { |uris|
+        type_uri_options.each { |type_uris|
+          LOCAL_ID_OPTIONS.each { |local_id|
+            data << [uris, type_uris, local_id]
+          }
+        }
+      }
+
+      data.each { |args|
+        t = OpenIDYadisTest.new(*args)
+        t.runTest(self)
+      }
+    end
+  end
+end

data/test/test_pape.rb

@@ -0,0 +1,233 @@
+require 'openid/extensions/pape'
+require 'openid/message'
+require 'openid/server'
+
+module OpenID
+  module PAPETest
+    class PapeRequestTestCase < Test::Unit::TestCase
+      def setup
+        @req = PAPE::Request.new
+      end
+
+      def test_construct
+        assert_equal([], @req.preferred_auth_policies)
+        assert_equal(nil, @req.max_auth_age)
+        assert_equal('pape', @req.ns_alias)
+
+        req2 = PAPE::Request.new([PAPE::AUTH_MULTI_FACTOR], 1000)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], req2.preferred_auth_policies)
+        assert_equal(1000, req2.max_auth_age)
+      end
+
+      def test_add_policy_uri
+        assert_equal([], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.preferred_auth_policies)
+      end
+
+      def test_get_extension_args
+        assert_equal({'preferred_auth_policies' => ''}, @req.get_extension_args)
+        @req.add_policy_uri('http://uri')
+        assert_equal({'preferred_auth_policies' => 'http://uri'}, @req.get_extension_args)
+        @req.add_policy_uri('http://zig')
+        assert_equal({'preferred_auth_policies' => 'http://uri http://zig'}, @req.get_extension_args)
+        @req.max_auth_age = 789
+        assert_equal({'preferred_auth_policies' => 'http://uri http://zig', 'max_auth_age' => '789'}, @req.get_extension_args)
+      end
+
+      def test_parse_extension_args
+        args = {'preferred_auth_policies' => 'http://foo http://bar',
+                'max_auth_age' => '9'}
+        @req.parse_extension_args(args)
+        assert_equal(9, @req.max_auth_age)
+        assert_equal(['http://foo','http://bar'], @req.preferred_auth_policies)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_equal(nil, @req.max_auth_age)
+        assert_equal([], @req.preferred_auth_policies)
+      end
+
+      def test_from_openid_request
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'checkid_setup',
+          'ns' => OPENID2_NS,
+          'ns.pape' => PAPE::NS_URI,
+          'pape.preferred_auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'pape.max_auth_age' => '5476'
+          })
+        oid_req = Server::OpenIDRequest.new
+        oid_req.message = openid_req_msg
+        req = PAPE::Request.from_openid_request(oid_req)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], req.preferred_auth_policies)
+        assert_equal(5476, req.max_auth_age)
+      end
+
+      def test_from_openid_request_no_pape
+        message = Message.new
+        openid_req = Server::OpenIDRequest.new
+        openid_req.message = message
+        pape_req = PAPE::Request.from_openid_request(openid_req)
+        assert(pape_req.nil?)
+      end
+
+      def test_preferred_types
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        pt = @req.preferred_types([PAPE::AUTH_MULTI_FACTOR,
+                                   PAPE::AUTH_MULTI_FACTOR_PHYSICAL])
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], pt)
+      end
+    end
+
+    class DummySuccessResponse
+      attr_accessor :message
+
+      def initialize(message, signed_stuff)
+        @message = message
+        @signed_stuff = signed_stuff
+      end
+
+      def get_signed_ns(ns_uri)
+        return @signed_stuff
+      end
+
+    end
+
+    class PapeResponseTestCase < Test::Unit::TestCase
+      def setup
+        @req = PAPE::Response.new
+      end
+
+      def test_construct
+        assert_equal([], @req.auth_policies)
+        assert_equal(nil, @req.auth_age)
+        assert_equal('pape', @req.ns_alias)
+        assert_equal(nil, @req.nist_auth_level)
+
+        req2 = PAPE::Response.new([PAPE::AUTH_MULTI_FACTOR], 1000, 3)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], req2.auth_policies)
+        assert_equal(1000, req2.auth_age)
+        assert_equal(3, req2.nist_auth_level)
+      end
+
+      def test_add_policy_uri
+        assert_equal([], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.auth_policies)
+      end
+
+      def test_get_extension_args
+        assert_equal({'auth_policies' => ''}, @req.get_extension_args)
+        @req.add_policy_uri('http://uri')
+        assert_equal({'auth_policies' => 'http://uri'}, @req.get_extension_args)
+        @req.add_policy_uri('http://zig')
+        assert_equal({'auth_policies' => 'http://uri http://zig'}, @req.get_extension_args)
+        @req.auth_age = 789
+        assert_equal({'auth_policies' => 'http://uri http://zig', 'auth_age' => '789'}, @req.get_extension_args)
+        @req.nist_auth_level = 3
+        assert_equal({'auth_policies' => 'http://uri http://zig', 'auth_age' => '789', 'nist_auth_level' => '3'}, @req.get_extension_args)
+      end
+
+      def test_get_extension_args_error_auth_age
+        @req.auth_age = "older than the sun"
+        assert_raises(ArgumentError) { @req.get_extension_args }
+        @req.auth_age = -10
+        assert_raises(ArgumentError) { @req.get_extension_args }
+      end
+
+      def test_get_extension_args_error_nist_auth_level
+        @req.nist_auth_level = "high as a kite"
+        assert_raises(ArgumentError) { @req.get_extension_args }
+        @req.nist_auth_level = 5
+        assert_raises(ArgumentError) { @req.get_extension_args }
+        @req.nist_auth_level = -1
+        assert_raises(ArgumentError) { @req.get_extension_args }
+      end
+
+      def test_parse_extension_args
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_age' => '9'}
+        @req.parse_extension_args(args)
+        assert_equal(9, @req.auth_age)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_equal(nil, @req.auth_age)
+        assert_equal([], @req.auth_policies)
+      end
+      
+      def test_parse_extension_args_strict_bogus1
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_age' => 'not too old'}
+        assert_raises(ArgumentError) { 
+          @req.parse_extension_args(args, true)
+        }
+      end
+
+      def test_parse_extension_args_strict_bogus2
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_age' => '63',
+                'nist_auth_level' => 'some'}
+        assert_raises(ArgumentError) { 
+          @req.parse_extension_args(args, true)
+        }
+      end
+      
+      def test_parse_extension_args_strict_good
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_age' => '0',
+                'nist_auth_level' => '0'}
+        @req.parse_extension_args(args, true)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+        assert_equal(0, @req.auth_age)
+        assert_equal(0, @req.nist_auth_level)
+      end
+
+      def test_parse_extension_args_nostrict_bogus
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_age' => 'old',
+                'nist_auth_level' => 'some'}
+        @req.parse_extension_args(args)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+        assert_equal(nil, @req.auth_age)
+        assert_equal(nil, @req.nist_auth_level)
+      end
+
+      
+      def test_from_success_response
+        
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'id_res',
+          'ns' => OPENID2_NS,
+          'ns.pape' => PAPE::NS_URI,
+          'pape.auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'pape.auth_age' => '5476'
+          })
+        signed_stuff = {
+          'auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'auth_age' => '5476'
+        }
+        oid_req = DummySuccessResponse.new(openid_req_msg, signed_stuff)
+        req = PAPE::Response.from_success_response(oid_req)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], req.auth_policies)
+        assert_equal(5476, req.auth_age)
+      end
+    end
+  end
+end

data/test/test_parsehtml.rb

@@ -0,0 +1,80 @@
+require 'test/unit'
+require "openid/yadis/parsehtml"
+require "testutil"
+
+module OpenID
+  class ParseHTMLTestCase < Test::Unit::TestCase
+    include OpenID::TestDataMixin
+
+    def test_parsehtml
+      reserved_values = ['None', 'EOF']
+      chunks = read_data_file('test1-parsehtml.txt', false).split("\f\n")
+      test_num = 1
+
+      chunks.each{|c|
+        expected, html = c.split("\n", 2)
+        found = Yadis::html_yadis_location(html)
+
+        assert(!reserved_values.member?(found))
+
+        # this case is a little hard to detect and the distinction
+        # seems unimportant
+        expected = "None" if expected == "EOF"
+
+        found = "None" if found.nil?
+        assert_equal(expected, found, html.split("\n",2)[0])
+      }
+    end
+  end
+
+  # the HTML tokenizer test
+  class TC_TestHTMLTokenizer < Test::Unit::TestCase
+    def test_bad_link
+      toke = HTMLTokenizer.new("<p><a href=http://bad.com/link>foo</a></p>")
+      assert("http://bad.com/link" == toke.getTag("a").attr_hash['href'])
+    end
+
+    def test_namespace
+      toke = HTMLTokenizer.new("<f:table xmlns:f=\"http://www.com/foo\">")
+      assert("http://www.com/foo" == toke.getTag("f:table").attr_hash['xmlns:f'])
+    end
+
+    def test_comment
+      toke = HTMLTokenizer.new("<!-- comment on me -->")
+      t = toke.getNextToken
+      assert(HTMLComment == t.class)
+      assert("comment on me" == t.contents)
+    end
+
+    def test_full
+      page = "<HTML>
+<HEAD>
+<TITLE>This is the title</TITLE>
+</HEAD>
+<!-- Here comes the <a href=\"missing.link\">blah</a>
+comment body
+-->
+<BODY>
+<H1>This is the header</H1>
+<P>
+  This is the paragraph, it contains
+  <a href=\"link.html\">links</a>,
+  <img src=\"blah.gif\" optional alt='images
+are
+really cool'>.  Ok, here is some more text and
+  <A href=\"http://another.link.com/\" target=\"_blank\">another link</A>.
+</P>
+</body>
+</HTML>
+"
+      toke = HTMLTokenizer.new(page)
+
+      assert("<h1>" == toke.getTag("h1", "h2", "h3").to_s.downcase)
+      assert(HTMLTag.new("<a href=\"link.html\">") == toke.getTag("IMG", "A"))
+      assert("links" == toke.getTrimmedText)
+      assert(toke.getTag("IMG", "A").attr_hash['optional'])
+      assert("_blank" == toke.getTag("IMG", "A").attr_hash['target'])
+    end
+  end
+end
+

data/test/test_responses.rb

@@ -0,0 +1,63 @@
+require "test/unit"
+require "openid/consumer/discovery"
+require "openid/consumer/responses"
+
+module OpenID
+  class Consumer
+    module TestResponses
+      class TestSuccessResponse < Test::Unit::TestCase
+        def setup
+          @endpoint = OpenIDServiceEndpoint.new
+          @endpoint.claimed_id = 'identity_url'
+        end
+
+        def test_extension_response
+          q = {
+            'ns.sreg' => 'urn:sreg',
+            'ns.unittest' => 'urn:unittest',
+            'unittest.one' => '1',
+            'unittest.two' => '2',
+            'sreg.nickname' => 'j3h',
+            'return_to' => 'return_to',
+          }
+          signed_list = q.keys.map { |k| 'openid.' + k }
+          msg = Message.from_openid_args(q)
+          resp = SuccessResponse.new(@endpoint, msg, signed_list)
+          utargs = resp.extension_response('urn:unittest', false)
+          assert_equal(utargs, {'one' => '1', 'two' => '2'})
+          sregargs = resp.extension_response('urn:sreg', false)
+          assert_equal(sregargs, {'nickname' => 'j3h'})
+        end
+
+        def test_extension_response_signed
+          args = {
+            'ns.sreg' => 'urn:sreg',
+            'ns.unittest' => 'urn:unittest',
+            'unittest.one' => '1',
+            'unittest.two' => '2',
+            'sreg.nickname' => 'j3h',
+            'sreg.dob' => 'yesterday',
+            'return_to' => 'return_to',
+            'signed' => 'sreg.nickname,unittest.one,sreg.dob',
+          }
+
+          signed_list = ['openid.sreg.nickname',
+                         'openid.unittest.one',
+                         'openid.sreg.dob',]
+
+          msg = Message.from_openid_args(args)
+          resp = SuccessResponse.new(@endpoint, msg, signed_list)
+
+          # All args in this NS are signed, so expect all.
+          sregargs = resp.extension_response('urn:sreg', true)
+          assert_equal(sregargs, {'nickname' => 'j3h', 'dob' => 'yesterday'})
+
+          # Not all args in this NS are signed, so expect nil when
+          # asking for them.
+          utargs = resp.extension_response('urn:unittest', true)
+          assert_equal(nil, utargs)
+        end
+      end
+    end
+  end
+end