saml_tools 0.0.1

data/test/units/saml_tool/encoder_test.rb

@@ -0,0 +1,38 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class EncoderTest < Minitest::Test
+
+    def test_class_encode
+      encoded_saml = Encoder.encode(saml)
+      inflated = inflate Base64.decode64(encoded_saml)
+      assert_equal saml, inflated
+    end
+
+    def test_encode
+      encoded_saml = Encoder.new(saml).encode
+      inflated = inflate Base64.decode64(encoded_saml)
+      assert_equal saml, inflated
+    end
+
+    def test_base64
+      encoded_saml = Encoder.new(saml).base64
+      assert_equal Base64.encode64(saml), encoded_saml
+    end
+
+    def test_zlib
+      encoded_saml = Encoder.new(saml).zlib
+      inflated = inflate encoded_saml
+      assert_equal saml, inflated
+    end
+
+    def inflate(encoded)
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS) # I have no idea why we're using minus Zlib::MAX_WBITS. Zlib documentation suggests just Zlib::MAX_WBITS should work, but it doesn't
+        inflated = zstream.inflate(encoded)
+      zstream.finish
+      zstream.close
+      return inflated
+    end
+
+  end
+end

data/test/units/saml_tool/erb_builder_test.rb

@@ -0,0 +1,50 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class ErbBuilderTest < Minitest::Test
+
+    def test_build
+      saml = ErbBuilder.build(
+        template: '<foo><%= settings %></foo>',
+        settings: 'bar'
+      )
+      assert_equal '<foo>bar</foo>', saml
+    end
+
+    def test_erb
+      saml = ErbBuilder.new(
+        template: '<foo><%= settings %></foo>',
+        settings: 'bar'
+      )
+      assert_equal '<foo>bar</foo>', saml.to_s
+    end
+
+    def test_erb_can_create_valid_saml
+      saml = ErbBuilder.new(
+        template: request_saml_erb,
+        settings: settings
+      )
+      assert_equal true, Validator.new(saml.to_s).valid?
+    end
+
+
+    def settings
+      Hashie::Mash.new(
+        id:                             ('_' + SecureRandom.uuid),
+        issue_instance:                 Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+        assertion_consumer_service_url: 'http://localhost:3000/demo',
+        issuer:                         'http://localhost:3000',
+        idp_sso_target_url:             'http://localhost:3000/saml/auth',
+        idp_cert_fingerprint:           '9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D',
+        name_identifier_format:         'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+      # Optional for most SAML IdPs
+        authn_context:                  "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+      )
+    end
+
+    def thing
+      'bar'
+    end
+  end
+end

data/test/units/saml_tool/reader_test.rb

@@ -0,0 +1,104 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class ReaderTest < Minitest::Test
+
+    def test_reader
+      config = Settings.new(
+        foo: xpath_to_return_foo_text
+      )
+      @reader = Reader.new(nested_saml, config)
+      assert_equal 'bar', @reader.foo
+    end
+
+    def test_reader_with_string_hash_config
+      reader = Reader.new(
+                 nested_saml,
+                 'foo' => xpath_to_return_foo_text
+               )
+      assert_equal 'bar', reader.foo
+    end
+
+    def test_reader_can_get_attribute
+      reader = Reader.new(
+                 nested_saml,
+                 'foo' => xpath_to_return_foo_attribute
+               )
+      assert_equal 'that', reader.foo
+    end
+    
+    def test_reader_with_name_space
+      reader =  Reader.new(
+                  response_xml,
+                  {foo: '//ds:X509Certificate/text()'},
+                  {ds: 'http://www.w3.org/2000/09/xmldsig#'}
+                )
+      assert_equal 'MIIC6D', reader.foo[0...6]
+    end
+    
+    def test_value_remembers_source
+      saml = SamlTool::SAML(nested_saml)
+      source = saml.xpath(xpath_to_return_foo_text)
+      test_reader
+      assert_equal source.class, @reader.foo.source.class
+      assert_equal source.to_s, @reader.foo.source.to_s
+      assert_equal @reader.foo, @reader.foo.source.to_s
+    end
+
+    # If nokogiri is passed a namespace of {} it assumes an explicit entry of no namespaces.
+    # Whereas it sees nil namespaces as meaning namesspaces should be ignored.
+    # So nil should be the default behaviour, and can be overridden with {} as required.
+    # This reflects the normal Nokogiri behaviour that is more likely to be the expected
+    # behaviour.
+    def test_default_namespaces
+      reader = Reader.new(nested_saml)
+      assert_equal nil, reader.namespaces
+    end
+    
+    def test_to_hash
+      reader = Reader.new(
+        nested_saml,
+        {
+          foo: xpath_to_return_foo_text,
+          this: xpath_to_return_foo_attribute
+        }
+      )
+      expected = {
+        foo: 'bar',
+        this: 'that'
+      }
+      assert_equal expected, reader.to_hash
+    end
+    
+    class FooReader < Reader
+      def initialize(saml)
+        super(
+          saml,
+          {
+            foo: 'level_one/foo[1]/text()',
+            this: 'level_one/foo[1]/@this'
+          }
+        )
+      end
+    end
+
+    def test_reader_via_inherited_class
+      reader = FooReader.new(nested_saml)
+      assert_equal 'bar', reader.foo
+      assert_equal 'that', reader.this
+    end
+
+    def nested_saml
+      '<level_one><foo this="that">bar</foo></level_one>'
+    end
+    
+    def xpath_to_return_foo_text
+      'level_one/foo[1]/text()'
+    end
+    
+    def xpath_to_return_foo_attribute
+      'level_one/foo[1]/@this'
+    end
+
+  end
+end

data/test/units/saml_tool/redirect_test.rb

@@ -0,0 +1,70 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class RedirectTest < Minitest::Test
+
+    def test_uri
+      redirect = Redirect.uri(
+        to: url,
+        data: {
+          foo: 'bar'
+        }
+      )
+      assert_equal "#{url}?foo=bar", redirect
+    end
+
+    def test_to_s 
+      redirect = Redirect.new(
+        to: url,
+        data: {
+          foo: 'bar'
+        }
+      )
+      assert_equal "#{url}?foo=bar", redirect.to_s
+    end
+
+    def test_to_s_with_multiple_data
+      redirect = Redirect.new(
+        to: url,
+        data: {
+          foo: 'bar',
+          this: 'that'
+        }
+      )
+      assert_equal "#{url}?foo=bar&this=that", redirect.to_s
+    end
+
+    def test_to_s_with_existing_parameters
+      redirect = Redirect.new(
+        to: url + '?foo=bar',
+        data: {
+          this: 'that'
+        }
+      )
+      assert_equal "#{url}?foo=bar&this=that", redirect.to_s
+    end
+
+    def test_to_s_with_data_string
+      redirect = Redirect.new(
+        to: url,
+        data: 'foo=bar'
+      )
+      assert_equal "#{url}?foo=bar", redirect.to_s
+    end
+
+    def test_to_s_escapes_data
+      redirect = Redirect.new(
+        to: url,
+        data: {
+          foo: '<bar>'
+        }
+      )
+      assert_equal "#{url}?foo=%3Cbar%3E", redirect.to_s
+    end
+
+    def url
+      'http://example.com/saml/auth'
+    end
+
+  end
+end

data/test/units/saml_tool/response_reader_test.rb

@@ -0,0 +1,144 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class ResponseReaderTest < Minitest::Test
+    
+    def test_saml
+      assert_kind_of SAML::Document, response_document.saml
+    end
+    
+    def test_signatureless
+      assert_kind_of SAML::Document, response_document.signatureless
+      expected = response_document.saml.clone
+      expected.xpath('//ds:Signature', { 'ds' => dsig }).remove
+      assert_equal expected.to_s, response_document.signatureless.to_s
+    end
+    
+    def test_signatureless_does_not_impact_saml
+      response_document.signatureless
+      assert response_document.saml.to_s != response_document.signatureless.to_s, 'Changes made in forming signatureless should not also happen to saml'
+    end
+    
+    def test_base64_cert
+      base64_cert = response_document_saml.xpath('//ds:X509Certificate/text()', { 'ds' => dsig })
+      assert_equal base64_cert.to_s, response_document.base64_cert
+    end
+    
+    def test_certificate
+      assert_kind_of OpenSSL::X509::Certificate, response_document.certificate
+    end
+    
+    def test_fingerprint
+      expected = Digest::SHA1.hexdigest(response_document.certificate.to_der)
+      assert_equal expected, response_document.fingerprint
+    end
+    
+    def test_canonicalization_method
+      expected = response_document_saml.xpath('//ds:CanonicalizationMethod/@Algorithm', { 'ds' => dsig })
+      assert_equal expected.to_s, response_document.canonicalization_method
+    end
+    
+    def test_canonicalization_algorithm
+      expected = Nokogiri::XML::XML_C14N_1_0
+      assert_equal expected, response_document.canonicalization_algorithm
+    end
+    
+    def test_reference_uri
+      expected = response_document_saml.xpath('//ds:Reference/@URI', { 'ds' => dsig })
+      assert_equal expected.to_s, response_document.reference_uri
+    end
+    
+    def test_inclusive_namespaces
+      assert_equal "", response_document.inclusive_namespaces
+    end
+    
+    def test_inclusive_namespaces_when_they_exist_in_saml
+      document = ResponseReader.new(open_saml_request)
+      assert_equal 'xs', document.inclusive_namespaces
+    end
+    
+    def test_hashed_element
+      remove_signature_from_assertion
+      assert_equal assertion.to_s, response_document.hashed_element.to_s
+    end
+    
+    def test_canonicalized_hashed_element
+      remove_signature_from_assertion
+      expected = assertion.canonicalize(Nokogiri::XML::XML_C14N_1_0, [])
+      assert_equal expected, response_document.canonicalized_hashed_element
+    end
+    
+    def test_digest_algorithm
+      assert_equal 'http://www.w3.org/2000/09/xmldsig#sha1', response_document.digest_algorithm
+    end
+    
+    def test_digest_algorithm_class
+      assert_equal OpenSSL::Digest::SHA1, response_document.digest_algorithm_class
+    end
+    
+    def test_digest_hash
+      expected = OpenSSL::Digest::SHA1.digest(response_document.canonicalized_hashed_element)
+      assert_equal expected, response_document.digest_hash
+    end
+    
+    def test_digest_hash_matches_digest_value
+      assert_equal response_document.digest_hash, response_document.decoded_digest_value
+    end
+
+    def test_digests_match?
+      assert_equal true, response_document.digests_match?
+    end
+
+    def test_signature
+      signature_value = response_document_saml.xpath('//ds:SignatureValue', { 'ds' => dsig }).text
+      assert_equal Base64.decode64(signature_value), response_document.signature
+    end
+
+    def test_signature_algorithm_class
+      assert_equal OpenSSL::Digest::SHA1, response_document.signature_algorithm_class
+    end
+
+    def test_canonicalized_signed_info
+      expected = response_document.signed_info.source.first.canonicalize(Nokogiri::XML::XML_C14N_1_0, [])
+      assert_equal expected, response_document.canonicalized_signed_info
+    end
+
+    def test_signature_verified
+      assert_equal true, response_document.signature_verified?
+    end
+
+    def test_structurally_valid
+      assert Validator.new(response_xml).valid?, 'response.xml needs to be valid SAML'
+      assert_equal true, response_document.structurally_valid?
+    end
+
+    def test_valid
+      assert_equal true, response_document.valid?
+    end
+
+    def response_document
+      @response_document ||= ResponseReader.new(response_xml)
+    end
+    
+    def assertion
+      @assertion ||= response_document_saml.at_xpath('//saml:Assertion')
+    end
+    
+    def remove_signature_from_assertion
+      assertion.xpath('//ds:Signature', { 'ds' => dsig }).remove
+    end
+    
+    def response_document_saml
+      @response_document_saml ||= SamlTool::SAML(response_xml)
+    end
+    
+    def c14m
+      'http://www.w3.org/2001/10/xml-exc-c14n#'
+    end
+        
+    def dsig
+      'http://www.w3.org/2000/09/xmldsig#'
+    end
+    
+  end
+end

data/test/units/saml_tool/rsa_key_test.rb

@@ -0,0 +1,21 @@
+require_relative '../../test_helper'
+
+module SamlTool
+  class RsaKeyTest < Minitest::Test
+
+    def test_modulous
+      expected = Base64.encode64(open_ssl_rsa_key.n.to_s(2))
+      assert_equal expected, rsa_key.modulus
+    end
+    
+    def test_exponent
+      expected = Base64.encode64(open_ssl_rsa_key.e.to_s(2))
+      assert_equal expected, rsa_key.exponent
+    end
+  
+    def rsa_key
+      @rsa_key ||= RsaKey.new(open_ssl_rsa_key)
+    end    
+    
+  end
+end

data/test/units/saml_tool/saml_test.rb

@@ -0,0 +1,21 @@
+
+
+module SamlTool
+  class SamlTest < Minitest::Test
+    
+    def test_document     
+      document = SamlTool::SAML(valid_xml)    
+      assert_kind_of Nokogiri::XML::Document, document
+    end
+    
+    def test_parse
+      document = SamlTool::SAML.parse valid_xml
+      assert_kind_of Nokogiri::XML::Document, document
+    end
+    
+    def test_document_parse
+      document = SamlTool::SAML::Document.parse valid_xml
+      assert_kind_of Nokogiri::XML::Document, document
+    end
+  end
+end