require File.expand_path('../../../test_helper', __FILE__) module Maestrano module XMLSecurity class XmlSecurityTest < Test::Unit::TestCase include XMLSecurity context "XmlSecurity" do setup do @document = Maestrano::XMLSecurity::SignedDocument.new(Base64.decode64(response_document)) @base64cert = @document.elements["//ds:X509Certificate"].text end should "should run validate without throwing NS related exceptions" do assert !@document.validate_signature(@base64cert, true) end should "should run validate with throwing NS related exceptions" do assert_raise(Maestrano::Saml::ValidationError) do @document.validate_signature(@base64cert, false) end end should "not raise an error when softly validating the document multiple times" do assert_nothing_raised do 2.times { @document.validate_signature(@base64cert, true) } end end should "should raise Fingerprint mismatch" do exception = assert_raise(Maestrano::Saml::ValidationError) do @document.validate_document("no:fi:ng:er:pr:in:t", false) end assert_equal("Fingerprint mismatch", exception.message) end should "should raise Digest mismatch" do exception = assert_raise(Maestrano::Saml::ValidationError) do @document.validate_signature(@base64cert, false) end assert_equal("Digest mismatch", exception.message) end should "should raise Key validation error" do response = Base64.decode64(response_document) response.sub!("pJQ7MS/ek4KRRWGmv/H43ReHYMs=", "b9xsAXLsynugg3Wc1CI3kpWku+0=") document = Maestrano::XMLSecurity::SignedDocument.new(response) base64cert = document.elements["//ds:X509Certificate"].text exception = assert_raise(Maestrano::Saml::ValidationError) do document.validate_signature(base64cert, false) end assert_equal("Key validation error", exception.message) end should "raise validation error when the X509Certificate is missing" do response = Base64.decode64(response_document) response.sub!(/.*<\/ds:X509Certificate>/, "") document = Maestrano::XMLSecurity::SignedDocument.new(response) exception = assert_raise(Maestrano::Saml::ValidationError) do document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test end assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message) end end context "Algorithms" do should "validate using SHA1" do @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false)) assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72") end should "validate using SHA256" do @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false)) assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA") end should "validate using SHA384" do @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false)) assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72") end should "validate using SHA512" do @document = Maestrano::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false)) assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72") end end context "XmlSecurity::SignedDocument" do context "#extract_inclusive_namespaces" do should "support explicit namespace resolution for exclusive canonicalization" do response = fixture(:open_saml_response, false) document = Maestrano::XMLSecurity::SignedDocument.new(response) inclusive_namespaces = document.send(:extract_inclusive_namespaces) assert_equal %w[ xs ], inclusive_namespaces end should "support implicit namespace resolution for exclusive canonicalization" do response = fixture(:no_signature_ns, false) document = Maestrano::XMLSecurity::SignedDocument.new(response) inclusive_namespaces = document.send(:extract_inclusive_namespaces) assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces end should_eventually 'support inclusive canonicalization' do response = Maestrano::Saml::Response.new(fixture("tdnf_response.xml")) response.stubs(:conditions).returns(nil) assert !response.is_valid? settings = Maestrano::Saml::Settings.new assert !response.is_valid? response.settings = settings assert !response.is_valid? settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":") assert response.validate! end should "return an empty list when inclusive namespace element is missing" do response = fixture(:no_signature_ns, false) response.slice! %r{} document = Maestrano::XMLSecurity::SignedDocument.new(response) inclusive_namespaces = document.send(:extract_inclusive_namespaces) assert inclusive_namespaces.empty? end end context "StarfieldTMS" do setup do @response = Maestrano::Saml::Response.new(fixture(:starfield_response)) @response.settings = Maestrano::Saml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D" ) end should "be able to validate a good response" do Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do assert @response.validate! end end should "fail before response is valid" do Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do assert ! @response.is_valid? end end should "fail after response expires" do Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do assert ! @response.is_valid? end end end end end end end