
Commit 95cc64a

committed
Add more tests
1 parent 17925cf commit 95cc64a

6 files changed

Lines changed: 129 additions & 19 deletions


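--- a/test/logoutrequest_test.rb
+++ b/test/logoutrequest_test.rb
@@ -94,7 +94,7 @@ class RequestTest < Minitest::Test
 end
 end
 
-describe "when the settings indicate logout request with HTTP-POST binding" do
+describe "signing with HTTP-POST binding" do
 
 before do
 settings.security[:logout_requests_signed] = true
@@ -177,7 +177,7 @@ class RequestTest < Minitest::Test
 end
 end
 
-describe "when the settings indicate logout request with HTTP-Redirect binding" do
+describe "signing with HTTP-Redirect binding" do
 
 let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
@@ -256,8 +256,7 @@ class RequestTest < Minitest::Test
 end
 end
 
-
-describe "DEPRECATED: when the settings indicate logout request with HTTP-POST binding using security[:embed_sign]" do
+describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do
 
 before do
 # sign the logout request
@@ -280,7 +279,7 @@ class RequestTest < Minitest::Test
 end
 end
 
-describe "DEPRECATED: when the settings indicate logout request with HTTP-Redirect binding using security[:embed_sign]" do
+describe "DEPRECATED: signing with HTTP-Redirect binding via :embed_sign" do
 
 let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 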

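--- a/test/logoutresponse_test.rb
+++ b/test/logoutresponse_test.rb
@@ -227,7 +227,6 @@ class RubySamlTest < Minitest::Test
 settings.soft = true
 settings.idp_slo_service_url = "http://example.com?field=value"
 settings.security[:logout_responses_signed] = true
-settings.security[:embed_sign] = false
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 settings.idp_cert = ruby_saml_cert_text
@@ -376,7 +375,6 @@ class RubySamlTest < Minitest::Test
 settings.idp_slo_service_url = "http://example.com?field=value"
 settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 settings.security[:logout_responses_signed] = true
-settings.security[:embed_sign] = false
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 settings.idp_cert = nil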

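--- a/test/request_test.rb
+++ b/test/request_test.rb
@@ -225,12 +225,12 @@ class RequestTest < Minitest::Test
 assert_match /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/, auth_doc.to_s
 end
 
-describe "#create_params when the settings indicate to sign (embebed) the request" do
+describe "#create_params signing with HTTP-POST binding" do
 before do
 settings.compress_request = false
 settings.idp_sso_service_url = "http://example.com?field=value"
+settings.idp_sso_service_binding = :post
 settings.security[:authn_requests_signed] = true
-settings.security[:embed_sign] = true
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 end
@@ -255,15 +255,15 @@ class RequestTest < Minitest::Test
 end
 end
 
-describe "#create_params when the settings indicate to sign the request" do
+describe "#create_params signing with HTTP-Redirect binding" do
 let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
 before do
 settings.compress_request = false
 settings.idp_sso_service_url = "http://example.com?field=value"
+settings.idp_sso_service_binding = :redirect
 settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
 settings.security[:authn_requests_signed] = true
-settings.security[:embed_sign] = false
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 end
@@ -337,5 +337,56 @@ class RequestTest < Minitest::Test
 assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>name\/password\/uri<\/saml:AuthnContextDeclRef>/
 assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>example\/decl\/ref<\/saml:AuthnContextDeclRef>/
 end
+
+describe "DEPRECATED: #create_params signing with HTTP-POST binding via :embed_sign" do
+before do
+settings.compress_request = false
+settings.idp_sso_service_url = "http://example.com?field=value"
+settings.security[:authn_requests_signed] = true
+settings.security[:embed_sign] = true
+settings.certificate = ruby_saml_cert_text
+settings.private_key = ruby_saml_key_text
+end
+
+it "create a signed request" do
+params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
+request_xml = Base64.decode64(params["SAMLRequest"])
+assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
+assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
+end
+end
+
+describe "DEPRECATED: #create_params signing with HTTP-Redirect binding via :embed_sign" do
+let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+before do
+settings.compress_request = false
+settings.idp_sso_service_url = "http://example.com?field=value"
+settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
+settings.security[:authn_requests_signed] = true
+settings.security[:embed_sign] = false
+settings.certificate = ruby_saml_cert_text
+settings.private_key = ruby_saml_key_text
+end
+
+it "create a signature parameter with RSA_SHA1 and validate it" do
+settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+params = OneLogin::RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
+assert params['SAMLRequest']
+assert params[:RelayState]
+assert params['Signature']
+assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
+query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+
+assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+end
+end
 end
 end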

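--- a/test/settings_test.rb
+++ b/test/settings_test.rb
@@ -49,6 +49,9 @@ class SettingsTest < Minitest::Test
 
 @settings.send("#{accessor}=".to_sym, :post)
 assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor)
+
+@settings.send("#{accessor}=".to_sym, nil)
+assert_nil @settings.send(accessor)
 end
 end
 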
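Review bot: The added lines only check that `nil` round-trips through the binding setter; nothing here states what happens for an unrecognised symbol such as `:soap` or a typo like `:rediect`, which, if the setter passes unknown values through unchanged, would silently yield a non-URN binding value that the signing code then has to interpret. A third case along the lines of `@settings.send("#{accessor}=".to_sym, :bogus)` followed by an assertion on the result (a raise or `nil`, whichever the setter is meant to do) would pin that contract. The `it` block and the `accessor` loop variable begin above this hunk.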

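--- a/test/slo_logoutrequest_test.rb
+++ b/test/slo_logoutrequest_test.rb
@@ -55,7 +55,6 @@ class RubySamlTest < Minitest::Test
 it "collect errors when collect_errors=true" do
 settings.idp_entity_id = 'http://idp.example.com/invalid'
 settings.security[:logout_requests_signed] = true
-settings.security[:embed_sign] = false
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 settings.idp_cert = ruby_saml_cert_text
@@ -247,7 +246,6 @@ class RubySamlTest < Minitest::Test
 describe "#validate_signature" do
 before do
 settings.security[:logout_requests_signed] = true
-settings.security[:embed_sign] = false
 settings.certificate = ruby_saml_cert_text
 settings.private_key = ruby_saml_key_text
 settings.idp_cert = ruby_saml_cert_text
@@ -408,7 +406,6 @@ class RubySamlTest < Minitest::Test
 settings.private_key = ruby_saml_key_text
 settings.idp_cert = nil
 settings.security[:logout_requests_signed] = true
-settings.security[:embed_sign] = false
 settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 end
 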

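--- a/test/slo_logoutresponse_test.rb
+++ b/test/slo_logoutresponse_test.rb
@@ -83,12 +83,13 @@ class SloLogoutresponseTest < Minitest::Test
 assert_match /Destination='http:\/\/unauth.com\/logout\/return'/, inflated
 end
 
-describe "when the settings indicate to sign (embedded) logout response" do
+describe "signing with HTTP-POST binding" do
 
 before do
+settings.idp_sso_service_binding = :redirect
+settings.idp_slo_service_binding = :post
 settings.compress_response = false
 settings.security[:logout_responses_signed] = true
-settings.security[:embed_sign] = true
 end
 
 it "doesn't sign through create_xml_document" do
@@ -161,14 +162,14 @@ class SloLogoutresponseTest < Minitest::Test
 end
 end
 
-describe "#create_params when the settings indicate to sign the logout response" do
-
+describe "signing with HTTP-Redirect binding" do
 let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
 before do
+settings.idp_sso_service_binding = :post
+settings.idp_slo_service_binding = :redirect
 settings.compress_response = false
 settings.security[:logout_responses_signed] = true
-settings.security[:embed_sign] = false
 end
 
 it "create a signature parameter with RSA_SHA1 and validate it" do
@@ -245,7 +246,68 @@ class SloLogoutresponseTest < Minitest::Test
 assert_equal signature_algorithm, OpenSSL::Digest::SHA512
 assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
 end
+end
+
+describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do
+
+before do
+settings.compress_response = false
+settings.security[:logout_responses_signed] = true
+settings.security[:embed_sign] = true
+end
+
+it "doesn't sign through create_xml_document" do
+unauth_res = OneLogin::RubySaml::SloLogoutresponse.new
+inflated = unauth_res.create_xml_document(settings).to_s
+
+refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+end
+
+it "sign unsigned request" do
+unauth_res = OneLogin::RubySaml::SloLogoutresponse.new
+unauth_res_doc = unauth_res.create_xml_document(settings)
+inflated = unauth_res_doc.to_s
+
+refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+
+inflated = unauth_res.sign_document(unauth_res_doc, settings).to_s
+
+assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
+end
+end
+
+describe "DEPRECATED: signing with HTTP-Redirect binding via :embed_sign" do
+let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+before do
+settings.compress_response = false
+settings.security[:logout_responses_signed] = true
+settings.security[:embed_sign] = false
+end
 
+it "create a signature parameter with RSA_SHA1 and validate it" do
+settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
+params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+assert params['SAMLResponse']
+assert params[:RelayState]
+assert params['Signature']
+assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
+
+query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+
+signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+assert_equal signature_algorithm, OpenSSL::Digest::SHA1
+assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+end
 end
 end
 end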
