ruby-saml 0.9.4 → 1.0.0

data/test/logoutresponse_test.rb

@@ -1,110 +1,257 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 require 'onelogin/ruby-saml/logoutresponse'
-require 'responses/logoutresponse_fixtures'
+require 'logout_responses/logoutresponse_fixtures'
 
 class RubySamlTest < Minitest::Test
 
   describe "Logoutresponse" do
+
+    let(:valid_logout_response_without_settings) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document) }
+    let(:valid_logout_response) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings) }
+
     describe "#new" do
       it "raise an exception when response is initialized with nil" do
         assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
       end
       it "default to empty settings" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new( valid_response)
-        assert_nil logoutresponse.settings
+        assert_nil valid_logout_response_without_settings.settings
       end
       it "accept constructor-injected settings" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings)
-        refute_nil logoutresponse.settings
+        refute_nil valid_logout_response.settings
       end
       it "accept constructor-injected options" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, nil, { :foo => :bar} )
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, nil, { :foo => :bar} )
         assert !logoutresponse.options.empty?
       end
       it "support base64 encoded responses" do
-        expected_response = valid_response
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(expected_response), settings)
-
-        assert_equal expected_response, logoutresponse.response
+        generated_logout_response = valid_logout_response_document
+        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(generated_logout_response), settings)
+        assert_equal generated_logout_response, logoutresponse.response
       end
     end
 
+    describe "#validate_structure" do
+        it "invalidates when the logout response has an invalid xml" do
+          settings.soft = true
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
+          assert !logoutresponse.send(:validate_structure)
+          assert_includes logoutresponse.errors, "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd"
+        end
+
+        it "raise when the logout response has an invalid xml" do
+          settings.soft = false
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
+          assert_raises OneLogin::RubySaml::ValidationError do
+            logoutresponse.send(:validate_structure)
+          end
+        end
+    end
+
     describe "#validate" do
-      it "validate the response" do
-        in_relation_to_request_id = random_id
+      describe "when soft=true" do
+        before do
+          settings.soft = true
+        end
 
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
+        it "validate the logout response" do
+          in_relation_to_request_id = random_id
+          opts = { :matches_request_id => in_relation_to_request_id}
 
-        assert logoutresponse.validate
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
 
-        assert_equal settings.issuer, logoutresponse.issuer
-        assert_equal in_relation_to_request_id, logoutresponse.in_response_to
+          assert logoutresponse.validate
 
-        assert logoutresponse.success?
-      end
+          assert_equal settings.issuer, logoutresponse.issuer
+          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
-      it "invalidate responses with wrong id when given option :matches_uuid" do
+          assert logoutresponse.success?
+          assert_empty logoutresponse.errors
+        end
 
-        expected_request_id = "_some_other_expected_uuid"
-        opts = { :matches_request_id => expected_request_id}
+        it "validate the logout response extended" do
+          in_relation_to_request_id = random_id
+          settings.idp_entity_id = 'http://app.muda.no'
+          opts = { :matches_request_id => in_relation_to_request_id}
 
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
+          assert logoutresponse.validate
+          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
+          assert logoutresponse.success?
+          assert_empty logoutresponse.errors
+        end
 
-        assert !logoutresponse.validate
-        refute_equal expected_request_id, logoutresponse.in_response_to
-      end
+        it "invalidate logout response when initiated with blank" do
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
+          assert !logoutresponse.validate
+          assert_includes logoutresponse.errors, "Blank logout response"
+        end
 
-      it "invalidate responses with wrong request status" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
+        it "invalidate logout response when initiated with no idp cert or fingerprint" do
+          settings.idp_cert_fingerprint = nil
+          settings.idp_cert = nil
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
+          assert !logoutresponse.validate
+          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
+        end
 
-        assert !logoutresponse.validate
-        assert !logoutresponse.success?
-      end
-    end
+        it "invalidate logout response with wrong id when given option :matches_request_id" do
+          expected_request_id = "_some_other_expected_uuid"
+          opts = { :matches_request_id => expected_request_id}
 
-    describe "#validate!" do
-      it "validates good responses" do
-        in_relation_to_request_id = random_id
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
 
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response({:uuid => in_relation_to_request_id}), settings)
+          assert !logoutresponse.validate
+          refute_equal expected_request_id, logoutresponse.in_response_to
+          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+        end
 
-        logoutresponse.validate!
-      end
+        it "invalidate logout response with wrong request status" do
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
 
-      it "raises validation error when matching for wrong request id" do
+          assert !logoutresponse.success?
+          assert !logoutresponse.validate
+          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
+          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
+        end
 
-        expected_request_id = "_some_other_expected_id"
-        opts = { :matches_request_id => expected_request_id}
+        it "invalidate logout response when in lack of issuer setting" do
+          bad_settings = settings
+          bad_settings.issuer = nil
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, bad_settings)
+          assert !logoutresponse.validate
+          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+        end
 
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_response, settings, opts)
+        it "invalidate logout response with wrong issuer" do
+          in_relation_to_request_id = random_id
+          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
+          assert !logoutresponse.validate
+          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
+        end
 
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      it "raise validation error for wrong request status" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, settings)
+      describe "when soft=false" do
+        before do
+          settings.soft = false
+        end
 
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
+        it "validates good logout response" do
+          in_relation_to_request_id = random_id
 
-      it "raise validation error when in bad state" do
-        # no settings
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
-      end
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
+          assert logoutresponse.validate
+          assert_empty logoutresponse.errors
+        end
+
+        it "raises validation error when response initiated with blank" do
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
 
-      it "raise validation error when in lack of issuer setting" do
-        bad_settings = settings
-        bad_settings.issuer = nil
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "Blank logout response"
+        end
+
+        it "raises validation error when initiated with no idp cert or fingerprint" do
+          settings.idp_cert_fingerprint = nil
+          settings.idp_cert = nil
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
+        end
+
+        it "raises validation error when matching for wrong request id" do
+
+          expected_request_id = "_some_other_expected_id"
+          opts = { :matches_request_id => expected_request_id}
+
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }          
+          assert_includes logoutresponse.errors, "Response does not match the request ID, expected: <#{expected_request_id}>, but was: <#{logoutresponse.in_response_to}>"
+        end
+
+        it "raise validation error for wrong request status" do
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
+
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
+        end
+
+        it "raise validation error when in bad state" do
+          # no settings
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <urn:oasis:names:tc:SAML:2.0:status:Requester>"
+        end
+
+        it "raise validation error when in lack of issuer setting" do
+          settings.issuer = nil
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+        end
+
+        it "raise validation error when logout response with wrong issuer" do
+          in_relation_to_request_id = random_id
+          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
+          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
+        end
       end
 
-      it "raise error for invalid xml" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_response, settings)
+      describe "#validate_signature" do
+        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
+
+        before do
+          settings.soft = true
+          settings.idp_slo_target_url = "http://example.com?field=value"
+          settings.security[:logout_responses_signed] = true
+          settings.security[:embed_sign] = false
+          settings.certificate = ruby_saml_cert_text
+          settings.private_key = ruby_saml_key_text
+          settings.idp_cert = ruby_saml_cert_text
+        end
+
+        it "return true when valid RSA_SHA1 Signature" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse_sign_test.send(:validate_signature)
+        end
+
+        it "return true when valid RSA_SHA256 Signature" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse.send(:validate_signature)
+        end
+
+        it "return false when invalid RSA_SHA1 Signature" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          params['RelayState'] = 'http://invalid.example.com'
+          options = {}
+          options[:get_params] = params
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert !logoutresponse.send(:validate_signature)
+        end
+
+        it "raise when invalid RSA_SHA1 Signature" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.soft = false
+          params['RelayState'] = 'http://invalid.example.com'
+          options = {}
+          options[:get_params] = params
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
 
-        assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.send(:validate_signature) }
+          assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
+        end
       end
     end
   end

data/test/metadata_test.rb

@@ -33,10 +33,31 @@ class MetadataTest < Minitest::Test
 
       assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
       assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value      
+
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
     end
 
     it "generates Service Provider Metadata" do
-      # assert correct xml declaration
+      settings.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      settings.single_logout_service_url = "https://foo.example/saml/sls"
+      xml_metadata = OneLogin::RubySaml::Metadata.new.generate(settings, false)
+
+      start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
+      assert_equal xml_metadata[0..start.length-1],start
+
+      doc_metadata = REXML::Document.new(xml_metadata)
+      sls = REXML::XPath.first(doc_metadata, "//md:SingleLogoutService")
+
+      assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", sls.attribute("Binding").value
+      assert_equal "https://foo.example/saml/sls", sls.attribute("Location").value
+      assert_equal "https://foo.example/saml/sls", sls.attribute("ResponseLocation").value
+      assert_nil sls.attribute("isDefault")
+      assert_nil sls.attribute("index")
+
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+    end
+
+    it "generates Service Provider Metadata with single logout service" do
       start = "<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor"
       assert_equal xml_text[0..start.length-1], start
 
@@ -50,27 +71,50 @@ class MetadataTest < Minitest::Test
 
       assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
       assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
+
+      assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
     end
 
     describe "when auth requests are signed" do
-      let(:cert_node) do
-        REXML::XPath.first(
+      let(:key_descriptors) do
+        REXML::XPath.match(
+          xml_doc,
+          "//md:KeyDescriptor",
+          "md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+        )
+      end
+      let(:cert_nodes) do
+        REXML::XPath.match(
           xml_doc,
           "//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
           "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
           "ds" => "http://www.w3.org/2000/09/xmldsig#"
         )
       end
-      let(:cert)  { OpenSSL::X509::Certificate.new(Base64.decode64(cert_node.text)) }
+      let(:cert)  { OpenSSL::X509::Certificate.new(Base64.decode64(cert_nodes[0].text)) }
 
       before do
-        settings.security[:authn_requests_signed] = true
         settings.certificate = ruby_saml_cert_text
       end
 
-      it "generates Service Provider Metadata with X509Certificate" do
+      it "generates Service Provider Metadata with AuthnRequestsSigned" do
+        settings.security[:authn_requests_signed] = true
         assert_equal "true", spsso_descriptor.attribute("AuthnRequestsSigned").value
         assert_equal ruby_saml_cert.to_der, cert.to_der
+
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+
+      it "generates Service Provider Metadata with X509Certificate for sign and encrypt" do
+        assert_equal 2, key_descriptors.length
+        assert_equal "signing", key_descriptors[0].attribute("use").value
+        assert_equal "encryption", key_descriptors[1].attribute("use").value
+
+        assert_equal 2, cert_nodes.length
+        assert_equal ruby_saml_cert.to_der, cert.to_der
+        assert_equal cert_nodes[0].text, cert_nodes[1].text
+
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
     end
 
@@ -93,7 +137,29 @@ class MetadataTest < Minitest::Test
         assert_equal "Name", req_attr.attribute("Name").value
         assert_equal "Name Format", req_attr.attribute("NameFormat").value
         assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
-        assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//md:AttributeValue").text.strip
+        assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//saml:AttributeValue").text.strip
+
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
+      end
+
+      describe "#service_name" do
+        before do
+          settings.attribute_consuming_service.service_name("Test2 Service")
+        end
+
+        it "change service name" do
+          assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test2 Service"
+        end
+      end
+
+      describe "#service_index" do
+        before do
+          settings.attribute_consuming_service.service_index(2)
+        end
+
+        it "change service index" do
+          assert_equal "2", attr_svc.attribute("index").value
+        end
       end
     end
 
@@ -110,6 +176,8 @@ class MetadataTest < Minitest::Test
         assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
         signed_metadata = XMLSecurity::SignedDocument.new(xml_text)
         assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)        
+
+        assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
 
       describe "when digest and signature methods are specified" do
@@ -126,6 +194,8 @@ class MetadataTest < Minitest::Test
           signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
 
           assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)          
+
+          assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
         end
       end
     end