samlr 2.1.0 → 2.2.0

data/test/unit/test_fingerprint.rb

@@ -1,45 +0,0 @@
-require File.expand_path("test/test_helper")
-
-describe Samlr::Fingerprint do
-  describe "#new" do
-    it "generates an invalid fingerprint for nil" do
-      refute Samlr::Fingerprint.new(nil).valid?
-    end
-  end
-
-  describe "::normalize!" do
-    it "converts input to fingerprint normal form" do
-      assert_equal "AF:44", Samlr::Fingerprint.normalize("aF44 :-+6t")
-    end
-  end
-
-  describe "#==" do
-    it "compares two fingerprints" do
-      assert (Samlr::Fingerprint.new("aa:33") == Samlr::Fingerprint.new("AA:33"))
-      assert (Samlr::Fingerprint.new("aa:33") != Samlr::Fingerprint.new("AA:34"))
-      assert (Samlr::Fingerprint.new("") != Samlr::Fingerprint.new(""))
-    end
-  end
-
-  describe "#compare!" do
-    it "raises when fingerprints do not equal" do
-      assert_raises(Samlr::FingerprintError) do
-        Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("bb:35"))
-      end
-    end
-
-    it "stores fingerprints on the exception" do
-      begin
-        Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("bb:35"))
-        flunk "Exception expected"
-      rescue Samlr::FingerprintError => e
-        assert_equal "Fingerprint mismatch", e.message
-        assert_equal "AA:34 vs. BB:35", e.details
-      end
-    end
-
-    it "doesn't raise when fingerprints are equal" do
-      assert Samlr::Fingerprint.new("aa:34").compare!(Samlr::Fingerprint.new("aa:34"))
-    end
-  end
-end

data/test/unit/test_logout_request.rb

@@ -1,73 +0,0 @@
-require File.expand_path("test/test_helper")
-
-describe Samlr::LogoutRequest do
-  let(:options) {
-    {
-      :issuer => "https://sp.example.com/saml2",
-      :name_id => "test@test.com"
-    }
-  }
-
-  before do
-    @request = Samlr::LogoutRequest.new(options)
-  end
-
-  describe "#body" do
-    it "should return the generated XML" do
-      document = Nokogiri::XML(@request.body) { |c| c.strict }
-      assert document.at("/samlp:LogoutRequest", Samlr::NS_MAP)
-    end
-
-    it "should delegate the building to the LogoutRequestBuilder" do
-      Samlr::Tools::LogoutRequestBuilder.stub(:build, "hello") do
-        assert_match "hello", @request.body
-      end
-    end
-  end
-
-  describe "#param" do
-    it "returns the encoded body" do
-      @request.stub(:body, "hello") do
-        assert_equal Samlr::Tools.encode("hello"), @request.param
-      end
-    end
-  end
-
-  describe "#url" do
-    it "returns a valid URL" do
-      @request.stub(:param, "hello") do
-        assert_equal("https://foo.com/?SAMLRequest=hello&foo=bar", @request.url("https://foo.com/", :foo => "bar"))
-      end
-    end
-  end
-
-  describe "with optional params" do
-    it "understands name_id_format" do
-      options.merge!(:name_id_format => "some format")
-      request = Samlr::LogoutRequest.new(options)
-
-      assert_match /<saml:NameID Format="some format">/, request.body
-    end
-
-    it "understands [:name_id_options][:format]" do
-      options.merge!(:name_id_options => {:format => "some format"})
-      request = Samlr::LogoutRequest.new(options)
-
-      assert_match /<saml:NameID Format="some format">/, request.body
-    end
-
-    it "understands NameQualifier" do
-      options.merge!(:name_id_options => {:name_qualifier => "Some name qualifier"})
-      request = Samlr::LogoutRequest.new(options)
-
-      assert_match /NameQualifier="Some name qualifier"/, request.body
-    end
-
-    it "understands SPNameQualifier" do
-      options.merge!(:name_id_options => {:spname_qualifier => "Some SPName qualifier"})
-      request = Samlr::LogoutRequest.new(options)
-
-      assert_match /SPNameQualifier="Some SPName qualifier"/, request.body
-    end
-  end
-end

data/test/unit/test_reference.rb

@@ -1,32 +0,0 @@
-require File.expand_path("test/test_helper")
-
-describe Samlr::Reference do
-  before do
-    @response  = fixed_saml_response
-    @reference = @response.signature.send(:references).first
-  end
-
-  describe "#uri" do
-    it "should return the normalized URI" do
-      assert_equal "samlr123", @reference.uri
-    end
-  end
-
-  describe "#digest_method" do
-    it "should return the digest implementation" do
-      assert_equal OpenSSL::Digest::SHA1, @reference.digest_method
-    end
-  end
-
-  describe "#digest_value" do
-    it "should return the verbatim value" do
-      assert_equal "OSVXSTu8W+eGao6muxUHXcKQwZU=", @reference.digest_value
-    end
-  end
-
-  describe "namespaces" do
-    it "should return the inclusive namespaces" do
-      assert_equal ["#default", "samlp", "saml", "ds", "xs", "xsi"].sort, @reference.namespaces.sort
-    end
-  end
-end

data/test/unit/test_request.rb

@@ -1,34 +0,0 @@
-require File.expand_path("test/test_helper")
-
-describe Samlr::Request do
-  before { @request = Samlr::Request.new }
-
-  describe "#body" do
-    it "should return the generated XML" do
-      document = Nokogiri::XML(@request.body) { |c| c.strict }
-      assert document.at("/samlp:AuthnRequest", Samlr::NS_MAP)
-    end
-
-    it "should delegate the building to the RequestBuilder" do
-      Samlr::Tools::RequestBuilder.stub(:build, "hello") do
-        assert_match "hello", @request.body
-      end
-    end
-  end
-
-  describe "#param" do
-    it "returns the encoded body" do
-      @request.stub(:body, "hello") do
-        assert_equal Samlr::Tools.encode("hello"), @request.param
-      end
-    end
-  end
-
-  describe "#url" do
-    it "returns a valid URL" do
-      @request.stub(:param, "hello") do
-        assert_equal("https://foo.com/?SAMLRequest=hello&foo=bar", @request.url("https://foo.com/", :foo => "bar"))
-      end
-    end
-  end
-end

data/test/unit/test_response.rb

@@ -1,94 +0,0 @@
-require File.expand_path("test/test_helper")
-
-describe Samlr::Response do
-
-  subject { fixed_saml_response }
-
-  describe "#name_id" do
-    it "delegates to the assertion" do
-      subject.assertion.stub(:name_id, "george") do
-        assert_equal("george", subject.name_id)
-      end
-    end
-  end
-
-  describe "#attributes" do
-    it "delegates to the assertion" do
-      subject.assertion.stub(:attributes, { :name => "george" }) do
-        assert_equal({ :name => "george" }, subject.attributes)
-      end
-    end
-  end
-
-  describe "#location" do
-    it "should return proper assertion location" do
-      assert_equal "//saml:Assertion[@ID='samlr456']", subject.assertion.location
-    end
-  end
-
-  describe "XSW attack" do
-    it "should not validate if SAML response is hacked" do
-      document = saml_response_document(:certificate => TEST_CERTIFICATE)
-
-      modified_document = Nokogiri::XML(document)
-
-      original_assertion = modified_document.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first
-
-      response_signature = modified_document.xpath("/samlp:Response/ds:Signature", Samlr::NS_MAP).first
-
-      extensions = Nokogiri::XML::Node.new "Extensions", modified_document
-      extensions << original_assertion.to_xml(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML)
-      response_signature.add_next_sibling(extensions)
-      response_signature.remove()
-
-      modified_document.xpath("/samlp:Response/samlp:Extensions/saml:Assertion/ds:Signature", Samlr::NS_MAP).remove
-      modified_document.xpath("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Samlr::NS_MAP).first.content="evil@example.org"
-      modified_document.xpath("/samlp:Response/saml:Assertion", Samlr::NS_MAP).first["ID"] = "evil_id"
-
-      response = Samlr::Response.new(modified_document.to_xml(:save_with => Nokogiri::XML::Node::SaveOptions::AS_XML), {:certificate => TEST_CERTIFICATE.x509})
-      assert_raises(Samlr::FormatError) { response.verify! }
-    end
-  end
-
-  describe "::parse" do
-    before { @document = saml_response_document(:certificate => TEST_CERTIFICATE) }
-
-    describe "when given a raw XML response" do
-      it "constructs and XML document" do
-        assert_equal Nokogiri::XML::Document, Samlr::Response.parse(@document).class
-      end
-    end
-
-    describe "when given a Base64 encoded response" do
-      subject { Base64.encode64(@document) }
-
-      it "constructs and XML document" do
-        assert_equal Nokogiri::XML::Document, Samlr::Response.parse(subject).class
-      end
-    end
-
-    describe "when given an invalid string" do
-      it "fails" do
-        assert_raises(Samlr::FormatError) { Samlr::Response.parse("hello") }
-      end
-    end
-
-    describe "when given a malformed XML response" do
-      subject { saml_response_document(:certificate => TEST_CERTIFICATE).gsub("Assertion", "AyCaramba") }
-      after   { Samlr.validation_mode = :reject }
-
-      describe "and Samlr.validation_mode == :log" do
-        before { Samlr.validation_mode = :log }
-        it "does not raise" do
-          assert Samlr::Response.parse(subject)
-        end
-      end
-
-      describe "and Samlr.validation_mode != :log" do
-        it "raises" do
-          assert_raises(Samlr::FormatError) { Samlr::Response.parse(subject) }
-        end
-      end
-    end
-  end
-end

data/test/unit/test_response_scenarios.rb

@@ -1,126 +0,0 @@
-require File.expand_path("test/test_helper")
-
-# The tests in here are integraton level tests. They pass various mutations of a response
-# document to the stack and asserts behavior.
-describe Samlr do
-
-  describe "a valid response" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE) }
-
-    it "verifies" do
-      assert subject.verify!
-      assert_equal "someone@example.org", subject.name_id
-    end
-  end
-
-  describe "an invalid fingerprint" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :fingerprint => "hello") }
-    it "fails" do
-      assert_raises(Samlr::FingerprintError) { subject.verify! }
-    end
-  end
-
-  describe "an unsatisfied before condition" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :not_before => Samlr::Tools::Timestamp.stamp(Time.now + 60)) }
-
-    it "fails" do
-      assert_raises(Samlr::ConditionsError) { subject.verify! }
-    end
-
-    describe "when jitter is in effect" do
-      after  { Samlr.jitter = nil }
-
-      it "passes" do
-        Samlr.jitter = 500
-        assert subject.verify!
-      end
-    end
-  end
-
-  describe "an unsatisfied after condition" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now - 60)) }
-
-    it "fails" do
-      assert_raises(Samlr::ConditionsError) { subject.verify! }
-    end
-
-    describe "when jitter is in effect" do
-      after  { Samlr.jitter = nil }
-
-      it "passes" do
-        Samlr.jitter = 500
-        assert subject.verify!
-      end
-    end
-  end
-
-  describe "when there are no attributes" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :attributes => {}) }
-
-    it "returns an empty hash" do
-      assert_equal({}, subject.attributes)
-    end
-  end
-
-  describe "when there are no signatures" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :sign_assertion => false, :sign_response => false) }
-
-    it "fails" do
-      assert_raises(Samlr::SignatureError) { subject.verify! }
-    end
-  end
-
-  describe "when there is no keyinfo" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_response_keyinfo => true, :skip_assertion_keyinfo => true) }
-
-    it "fails" do
-      assert_raises(Samlr::SignatureError) { subject.verify! }
-    end
-
-    describe "when a matching external cert is provided" do
-      it "passes" do
-        subject.options[:certificate] = TEST_CERTIFICATE.x509
-        assert subject.verify!
-      end
-    end
-
-    describe "when a non-matching external cert is provided" do
-      it "fails" do
-        subject.options[:certificate] = Samlr::Tools::CertificateBuilder.new.x509
-        assert_raises(Samlr::FingerprintError) { subject.verify! }
-      end
-    end
-  end
-
-  describe "when there's no assertion" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :sign_assertion => false, :skip_assertion => true) }
-
-    it "fails" do
-      assert_raises(Samlr::FormatError) { subject.verify! }
-    end
-  end
-
-  describe "duplicate element ids" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :response_id => "abcdef", :assertion_id => "abcdef") }
-
-    it "fails" do
-      assert_raises(Samlr::FormatError) { subject.verify! }
-    end
-  end
-
-  describe "when only the response signature is missing a certificate" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_response_keyinfo => true) }
-
-    it "verifies" do
-      assert subject.verify!
-    end
-  end
-
-  describe "when only the assertion signature is missing a certificate" do
-    subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_assertion_keyinfo => true) }
-
-    it "verifies" do
-      assert subject.verify!
-    end
-  end
-end

data/test/unit/test_signature.rb

@@ -1,54 +0,0 @@
-require File.expand_path("test/test_helper")
-require "openssl"
-
-describe Samlr::Signature do
-  before do
-    @response  = fixed_saml_response
-    @signature = @response.signature
-  end
-
-  describe "#signature_algorithm" do
-    it "should defer to Samlr::Tools::algorithm" do
-      Samlr::Tools.stub(:algorithm, "hello") do
-        assert_match "hello", @signature.send(:signature_method)
-      end
-    end
-  end
-
-  describe "#references" do
-    it "should extract the reference to the signed document" do
-      assert_equal @response.document.children.first, @response.document.at(".//*[@ID='#{@signature.send(:references).first.uri}']")
-    end
-  end
-
-  describe "#certificate!" do
-    it "should extract the certificate" do
-      assert_equal TEST_CERTIFICATE.to_certificate, @signature.send(:certificate!)
-    end
-
-    describe "when there is no X509 certificate" do
-      it "should raise a signature error" do
-        @signature.stub(:certificate_node, nil) do
-          assert_raises(Samlr::SignatureError) { @signature.send(:certificate!) }
-        end
-      end
-    end
-  end
-
-  describe "#verify_digests!" do
-    describe "when there are duplicate element ids" do
-      before do
-        @signature.document.at("/samlp:Response/saml:Assertion")["ID"] = @signature.document.root["ID"]
-      end
-
-      it "should raise" do
-        begin
-          @signature.send(:verify_digests!)
-          flunk("Excepted to raise due to duplicate elements")
-        rescue Samlr::SignatureError => e
-          assert_equal "Reference validation error: Invalid element references", e.message
-        end
-      end
-    end
-  end
-end