samlr 2.0.0

data/test/unit/test_response_scenarios.rb

@@ -0,0 +1,111 @@
+require File.expand_path("test/test_helper")
+
+# The tests in here are integraton level tests. They pass various mutations of a response
+# document to the stack and asserts behavior.
+describe Samlr do
+
+  describe "a valid response" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE) }
+
+    it "verifies" do
+      assert subject.verify!
+      assert_equal "someone@example.org", subject.name_id
+    end
+  end
+
+  describe "an invalid fingerprint" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :fingerprint => "hello") }
+    it "fails" do
+      assert_raises(Samlr::FingerprintError) { subject.verify! }
+    end
+  end
+
+  describe "an unsatisfied before condition" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :not_before => Samlr::Tools::Timestamp.stamp(Time.now + 60)) }
+
+    it "fails" do
+      assert_raises(Samlr::ConditionsError) { subject.verify! }
+    end
+
+    describe "when jitter is in effect" do
+      after  { Samlr.jitter = nil }
+
+      it "passes" do
+        Samlr.jitter = 500
+        assert subject.verify!
+      end
+    end
+  end
+
+  describe "an unsatisfied after condition" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now - 60)) }
+
+    it "fails" do
+      assert_raises(Samlr::ConditionsError) { subject.verify! }
+    end
+
+    describe "when jitter is in effect" do
+      after  { Samlr.jitter = nil }
+
+      it "passes" do
+        Samlr.jitter = 500
+        assert subject.verify!
+      end
+    end
+  end
+
+  describe "when there are no attributes" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :attributes => {}) }
+
+    it "returns an empty hash" do
+      assert_equal({}, subject.attributes)
+    end
+  end
+
+  describe "when there are no signatures" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :sign_assertion => false, :sign_response => false) }
+
+    it "fails" do
+      assert_raises(Samlr::SignatureError) { subject.verify! }
+    end
+  end
+
+  describe "when there is no keyinfo" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_keyinfo => true) }
+
+    it "fails" do
+      assert_raises(Samlr::SignatureError) { subject.verify! }
+    end
+
+    describe "when a matching external cert is provided" do
+      it "passes" do
+        subject.options[:certificate] = TEST_CERTIFICATE.x509
+        assert subject.verify!
+      end
+    end
+
+    describe "when a non-matching external cert is provided" do
+      it "fails" do
+        subject.options[:certificate] = Samlr::Tools::CertificateBuilder.new.x509
+        assert_raises(Samlr::FingerprintError) { subject.verify! }
+      end
+    end
+  end
+
+  describe "when there's no assertion" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :sign_assertion => false, :skip_assertion => true) }
+
+    it "fails" do
+      assert_raises(Samlr::FormatError) { subject.verify! }
+    end
+  end
+
+  describe "duplicate element ids" do
+    subject { saml_response(:certificate => TEST_CERTIFICATE, :response_id => "abcdef", :assertion_id => "abcdef") }
+
+    it "fails" do
+      assert_raises(Samlr::FormatError) { subject.verify! }
+    end
+  end
+
+end

data/test/unit/test_signature.rb

@@ -0,0 +1,54 @@
+require File.expand_path("test/test_helper")
+require "openssl"
+
+describe Samlr::Signature do
+  before do
+    @response  = fixed_saml_response
+    @signature = @response.signature
+  end
+
+  describe "#signature_algorithm" do
+    it "should defer to Samlr::Tools::algorithm" do
+      Samlr::Tools.stub(:algorithm, "hello") do
+        assert_match "hello", @signature.send(:signature_method)
+      end
+    end
+  end
+
+  describe "#references" do
+    it "should extract the reference to the signed document" do
+      assert_equal @response.document.children.first, @response.document.at(".//*[@ID='#{@signature.send(:references).first.uri}']")
+    end
+  end
+
+  describe "#certificate" do
+    it "should extract the certificate" do
+      assert_equal TEST_CERTIFICATE.to_certificate, @signature.send(:certificate)
+    end
+
+    describe "when there is no X509 certificate" do
+      it "should raise a signature error" do
+        @signature.stub(:certificate_node, nil) do
+          assert_raises(Samlr::SignatureError) { @signature.send(:certificate) }
+        end
+      end
+    end
+  end
+
+  describe "#verify_digests!" do
+    describe "when there are duplicate element ids" do
+      before do
+        @signature.document.at("/samlp:Response/saml:Assertion")["ID"] = @signature.document.root["ID"]
+      end
+
+      it "should raise" do
+        begin
+          @signature.send(:verify_digests!)
+          flunk("Excepted to raise due to duplicate elements")
+        rescue Samlr::SignatureError => e
+          assert_equal "Reference validation error: Invalid element references", e.message
+        end
+      end
+    end
+  end
+end

data/test/unit/test_timestamp.rb

@@ -0,0 +1,58 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Tools::Timestamp do
+  before { Samlr.jitter = nil }
+  after  { Samlr.jitter = nil }
+
+  describe "::parse" do
+    before { @time = ::Time.now }
+    it "turns an iso8601 string into a time instance" do
+      iso8601 = @time.utc.iso8601
+      assert_equal @time.to_i, Samlr::Tools::Timestamp.parse(iso8601).to_i
+    end
+  end
+
+  describe "::stamp" do
+    it "converts a given time to an iso8601 string in UTC" do
+      assert_equal "2012-08-08T18:28:38Z", Samlr::Tools::Timestamp.stamp(Time.at(1344450518))
+    end
+
+    it "defaults to a current timestamp in iso8601" do
+      assert ::Time.iso8601(Samlr::Tools::Timestamp.stamp).is_a?(Time)
+    end
+  end
+
+  describe "::not_on_or_after?" do
+    describe "when no jitter is allowed" do
+      it "disallows imprecision" do
+        assert Samlr::Tools::Timestamp.not_on_or_after?(Time.now + 5)
+      end
+    end
+
+    describe "when jitter is allowed" do
+      before { Samlr.jitter = 10 }
+
+      it "allows imprecision" do
+        assert Samlr::Tools::Timestamp.not_on_or_after?(Time.now - 5)
+        refute Samlr::Tools::Timestamp.not_on_or_after?(Time.now - 15)
+      end
+    end
+  end
+
+  describe "::before?" do
+    describe "when no jitter is allowed" do
+      it "disallows imprecision" do
+        assert Samlr::Tools::Timestamp.not_before?(Time.now - 5)
+      end
+    end
+
+    describe "when jitter is allowed" do
+      before { Samlr.jitter = 10 }
+
+      it "allows imprecision" do
+        assert Samlr::Tools::Timestamp.not_before?(Time.now + 5)
+        refute Samlr::Tools::Timestamp.not_before?(Time.now + 15)
+      end
+    end
+  end
+end

data/test/unit/test_tools.rb

@@ -0,0 +1,100 @@
+require File.expand_path("test/test_helper")
+require "openssl"
+
+describe Samlr::Tools do
+
+  describe "::canonicalize" do
+    before do
+      @fixture = fixed_saml_response.document.to_xml
+    end
+
+    it "should namespace the SignedInfo element" do
+      path = "/samlp:Response/ds:Signature/ds:SignedInfo"
+      assert_match '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">', Samlr::Tools.canonicalize(@fixture, { :path => path })
+    end
+  end
+
+  describe "::uuid" do
+    it "generates a valid xs:ID" do
+      assert Samlr::Tools.uuid !~ /^\d/
+    end
+  end
+
+  describe "::algorithm" do
+    [ 1, 384, 512 ].each do |i|
+      describe "when fed SHA#{i}" do
+        subject { "#sha#{i}" }
+
+        it "should return the corresponding implementation" do
+          assert_equal eval("OpenSSL::Digest::SHA#{i}"), Samlr::Tools.algorithm(subject)
+        end
+      end
+    end
+
+    describe "when not specified" do
+      subject { nil }
+
+      it "should default to SHA1" do
+        assert_equal OpenSSL::Digest::SHA1, Samlr::Tools.algorithm(subject)
+      end
+    end
+
+    describe "when not known" do
+      subject { "sha73" }
+
+      it "should default to SHA1" do
+        assert_equal OpenSSL::Digest::SHA1, Samlr::Tools.algorithm(subject)
+      end
+    end
+  end
+
+  describe "::encode and ::decode" do
+    it "compresses a string in a reversible fashion" do
+      assert_equal "12345678", Samlr::Tools.decode(Samlr::Tools.encode("12345678"))
+    end
+  end
+
+  describe "::validate" do
+    subject { saml_response_document(:certificate => TEST_CERTIFICATE) }
+
+    it "returns true for valid documents" do
+      assert Samlr::Tools.validate(:document => subject)
+    end
+
+    it "returns false for invalid documents" do
+      mangled = subject.gsub("Assertion", "AyCaramba")
+      refute Samlr::Tools.validate(:document => mangled)
+    end
+
+    it "does not change the working directory" do
+      path = Dir.pwd
+      assert Samlr::Tools.validate(:document => subject)
+      assert_equal path, Dir.pwd
+    end
+  end
+
+  describe "::validate!" do
+    subject { saml_response_document(:certificate => TEST_CERTIFICATE) }
+
+    it "returns true for valid documents" do
+      assert Samlr::Tools.validate!(:document => subject)
+    end
+
+    it "raises for invalid documents" do
+      mangled = subject.gsub("Assertion", "AyCaramba")
+
+      begin
+        Samlr::Tools.validate!(:document => mangled)
+        flunk "Errors expected"
+      rescue Samlr::FormatError => e
+        assert_equal "Schema validation failed", e.message
+      end
+    end
+
+    it "does not change the working directory" do
+      path = Dir.pwd
+      assert Samlr::Tools.validate!(:document => subject)
+      assert_equal path, Dir.pwd
+    end
+  end
+end

data/test/unit/tools/test_certificate_builder.rb

@@ -0,0 +1,41 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Tools::CertificateBuilder do
+  before { @certificate = TEST_CERTIFICATE }
+
+  it "provides a certificate" do
+    assert_equal OpenSSL::X509::Certificate, @certificate.x509.class
+  end
+
+  describe "#verify" do
+    it "verifies its own signature" do
+      assert @certificate.verify(@certificate.sign("12345678"), "12345678")
+    end
+  end
+
+  describe "serialization" do
+    before do
+      @path  = Dir.tmpdir
+      Dir.glob("#{@path}/*.pem").map { |f| File.unlink(f) }
+    end
+
+    describe "self#dump" do
+      before { Samlr::Tools::CertificateBuilder.dump(@path, @certificate) }
+
+      it "creates a key file and a certificate file on disk" do
+        state = Dir.glob("#{@path}/*.pem")
+        assert_equal 2, state.size
+      end
+
+      describe "#load" do
+        before { @loaded = Samlr::Tools::CertificateBuilder.load(@path) }
+
+        it "verified the signature signed by the unserialized certificate" do
+          assert @loaded.verify(@certificate.sign("12345678"), "12345678")
+          assert @certificate.verify(@loaded.sign("12345678"), "12345678")
+        end
+      end
+    end
+
+  end
+end

data/test/unit/tools/test_logout_request_builder.rb

@@ -0,0 +1,26 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Tools::LogoutRequestBuilder do
+  describe "#build" do
+    before do
+      @xml = Samlr::Tools::LogoutRequestBuilder.build(
+        :issuer => "https://sp.example.com/saml2",
+        :name_id => "test@test.com"
+      )
+
+      @doc = Nokogiri::XML(@xml) { |c| c.strict }
+    end
+
+    it "generates a request document" do
+      assert_equal "LogoutRequest", @doc.root.name
+
+      issuer = @doc.root.at("./saml:Issuer", Samlr::NS_MAP)
+      assert_equal "https://sp.example.com/saml2", issuer.text
+    end
+
+    it "validates against schemas" do
+      result = Samlr::Tools.validate(:document => @xml)
+      assert result
+    end
+  end
+end

data/test/unit/tools/test_metadata_builder.rb

@@ -0,0 +1,26 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Tools::MetadataBuilder do
+  describe "#build" do
+    before do
+      @xml = Samlr::Tools::MetadataBuilder.build({
+        :entity_id            => "https://sp.example.com/saml2",
+        :name_identity_format => "identity_format",
+        :consumer_service_url => "https://support.sp.example.com/"
+      })
+
+      @doc = Nokogiri::XML(@xml) { |c| c.strict }
+    end
+
+    it "generates a metadata document" do
+      assert_equal "EntityDescriptor", @doc.root.name
+      assert_equal "identity_format", @doc.at("//md:NameIDFormat", { "md" => Samlr::NS_MAP["md"] }).text
+    end
+
+    it "validates against schemas" do
+      result = Samlr::Tools.validate(:document => @xml, :schema => Samlr::META_SCHEMA)
+      assert result
+    end
+
+  end
+end

data/test/unit/tools/test_request_builder.rb

@@ -0,0 +1,35 @@
+require File.expand_path("test/test_helper")
+
+describe Samlr::Tools::RequestBuilder do
+  describe "#build" do
+    before do
+      @xml = Samlr::Tools::RequestBuilder.build({
+        :issuer               => "https://sp.example.com/saml2",
+        :name_identity_format => "identity_format",
+        :allow_create         => "true",
+        :consumer_service_url => "https://support.sp.example.com/",
+        :authn_context        => "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      })
+
+      @doc = Nokogiri::XML(@xml) { |c| c.strict }
+    end
+
+    it "generates a request document" do
+      assert_equal "AuthnRequest", @doc.root.name
+      assert_equal "https://support.sp.example.com/", @doc.root["AssertionConsumerServiceURL"]
+
+      issuer = @doc.root.at("./saml:Issuer", Samlr::NS_MAP)
+      assert_equal "https://sp.example.com/saml2", issuer.text
+
+      name_id_policy = @doc.root.at("./samlp:NameIDPolicy", Samlr::NS_MAP)
+      assert_equal "true", name_id_policy["AllowCreate"]
+      assert_equal "identity_format", name_id_policy["Format"]
+    end
+
+    it "validates against schemas" do
+      result = Samlr::Tools.validate(:document => @xml)
+      assert result
+    end
+
+  end
+end