require File.expand_path(File.join(File.dirname(__FILE__), "test_helper")) require 'logout_responses/logoutresponse_fixtures' require 'onelogin/ruby-saml/slo_logoutrequest' require 'timecop' class RubySamlTest < Minitest::Test describe "SloLogoutrequest" do let(:settings) { OneLogin::RubySaml::Settings.new } let(:logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document) } let(:invalid_logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(invalid_logout_request_document) } before do settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT' settings.soft = true logout_request.settings = settings invalid_logout_request.settings = settings end describe "initiator" do it "raise an exception when logout request is initialized with nil" do assert_raises(ArgumentError) { OneLogin::RubySaml::SloLogoutrequest.new(nil) } end end describe "#is_valid?" do it "return false when logout request is initialized with blank data" do logout_request_blank = OneLogin::RubySaml::SloLogoutrequest.new('') assert !logout_request_blank.is_valid? assert_includes logout_request_blank.errors, 'Blank logout request' end it "return true when the logout request is initialized with valid data" do assert logout_request.is_valid? assert_empty logout_request.errors assert_equal 'someone@example.org', logout_request.nameid end it "should be idempotent when the logout request is initialized with invalid data" do assert !invalid_logout_request.is_valid? assert_equal ['Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd'], invalid_logout_request.errors assert !invalid_logout_request.is_valid? assert_equal ['Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd'], invalid_logout_request.errors end it "should be idempotent when the logout request is initialized with valid data" do assert logout_request.is_valid? assert_empty logout_request.errors assert logout_request.is_valid? assert_empty logout_request.errors end it "collect errors when collect_errors=true" do settings.idp_entity_id = 'http://idp.example.com/invalid' settings.security[:logout_requests_signed] = true settings.certificate = ruby_saml_cert_text settings.private_key = ruby_saml_key_text settings.idp_cert = ruby_saml_cert_text settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 params = {} params['SAMLRequest'] = logout_request_deflated_base64 params['RelayState'] = 'http://invalid.example.com' params['Signature'] = 'invalid_signature' params['SigAlg'] = XMLSecurity::Document::RSA_SHA1 options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) logout_request_sign_test.settings = settings collect_errors = true assert !logout_request_sign_test.is_valid?(collect_errors) assert_includes logout_request_sign_test.errors, "Invalid Signature on Logout Request" assert_includes logout_request_sign_test.errors, "Doesn't match the issuer, expected: , but was: " end it "raise error for invalid xml" do invalid_logout_request.soft = false assert_raises(OneLogin::RubySaml::ValidationError) { invalid_logout_request.is_valid? } end end describe "#nameid" do it "extract the value of the name id element" do assert_equal "someone@example.org", logout_request.nameid end end describe "#nameid_format" do let(:logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document_with_name_id_format) } it "extract the format attribute of the name id element" do assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", logout_request.nameid_format end end describe "#issuer" do it "return the issuer inside the logout request" do assert_equal "https://app.onelogin.com/saml/metadata/SOMEACCOUNT", logout_request.issuer end end describe "#id" do it "extract the value of the ID attribute" do assert_equal "_c0348950-935b-0131-1060-782bcb56fcaa", logout_request.id end end describe "#not_on_or_after" do it "extract the value of the NotOnOrAfter attribute" do time_value = '2014-07-17T01:01:48Z' assert_nil logout_request.not_on_or_after logout_request.document.root.attributes['NotOnOrAfter'] = time_value assert_equal Time.parse(time_value), logout_request.not_on_or_after end end describe '#session_indexes' do it "return empty array when no SessionIndex" do assert_equal [], logout_request.session_indexes end it "return an Array with one SessionIndex" do logout_request_with_session_index = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_xml_with_session_index) assert_equal ['_ea853497-c58a-408a-bc23-c849752d9741'], logout_request_with_session_index.session_indexes end end describe "#validate_id" do it "return true when there is a valid ID in the logout request" do assert logout_request.send(:validate_id) assert_empty logout_request.errors end it "return false when there is an invalid ID in the logout request" do logout_request_blank = OneLogin::RubySaml::SloLogoutrequest.new('') assert !logout_request_blank.send(:validate_id) assert_includes logout_request_blank.errors, "Missing ID attribute on Logout Request" end end describe "#validate_version" do it "return true when the logout request is SAML 2.0 Version" do assert logout_request.send(:validate_version) end it "return false when the logout request is not SAML 2.0 Version" do logout_request_blank = OneLogin::RubySaml::SloLogoutrequest.new('') assert !logout_request_blank.send(:validate_version) assert_includes logout_request_blank.errors, "Unsupported SAML version" end end describe "#validate_not_on_or_after" do it "return true when the logout request has a valid NotOnOrAfter or does not contain any" do assert logout_request.send(:validate_not_on_or_after) assert_empty logout_request.errors Timecop.freeze Time.parse('2014-07-17T01:01:47Z') do logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z' assert logout_request.send(:validate_not_on_or_after) assert_empty logout_request.errors end end it "return false when the logout request has an invalid NotOnOrAfter" do Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z' assert !logout_request.send(:validate_not_on_or_after) assert_match(/Current time is on or after NotOnOrAfter/, logout_request.errors[0]) end end it "raise when the logout request has an invalid NotOnOrAfter" do Timecop.freeze Time.parse('2014-07-17T01:01:49Z') do logout_request.document.root.attributes['NotOnOrAfter'] = '2014-07-17T01:01:48Z' logout_request.soft = false assert_raises(OneLogin::RubySaml::ValidationError, "Current time is on or after NotOnOrAfter") do logout_request.send(:validate_not_on_or_after) end end end it "optionally allows for clock drift" do # Java Floats behave differently than MRI java = defined?(RUBY_ENGINE) && %w[jruby truffleruby].include?(RUBY_ENGINE) logout_request.soft = true logout_request.document.root.attributes['NotOnOrAfter'] = '2011-06-14T18:31:01.516Z' # The NotBefore condition in the document is 2011-06-1418:31:01.516Z Timecop.freeze(Time.parse("2011-06-14T18:31:02Z")) do logout_request.options[:allowed_clock_drift] = 0.483 assert !logout_request.send(:validate_not_on_or_after) logout_request.options[:allowed_clock_drift] = java ? 0.485 : 0.484 assert logout_request.send(:validate_not_on_or_after) logout_request.options[:allowed_clock_drift] = '0.483' assert !logout_request.send(:validate_not_on_or_after) logout_request.options[:allowed_clock_drift] = java ? '0.485' : '0.484' assert logout_request.send(:validate_not_on_or_after) end end end describe "#validate_request_state" do it "return true when valid logout request xml" do assert logout_request.send(:validate_request_state) assert_empty logout_request.errors assert logout_request.send(:validate_request_state) assert_empty logout_request.errors end it "return false when invalid logout request xml" do logout_request_blank = OneLogin::RubySaml::SloLogoutrequest.new('') logout_request_blank.soft = true assert !logout_request_blank.send(:validate_request_state) assert_includes logout_request_blank.errors, "Blank logout request" end it "raise error for invalid xml" do logout_request_blank = OneLogin::RubySaml::SloLogoutrequest.new('') logout_request_blank.soft = false assert_raises(OneLogin::RubySaml::ValidationError, "Blank logout request") do logout_request_blank.send(:validate_request_state) end end end describe "#validate_structure" do it "return true when encountering a valid Logout Request xml" do assert logout_request.send(:validate_structure) assert_empty logout_request.errors end it "return false when encountering a Logout Request bad formatted" do assert !invalid_logout_request.send(:validate_structure) assert_includes invalid_logout_request.errors, "Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd" end it "raise when encountering a Logout Request bad formatted" do invalid_logout_request.soft = false assert_raises(OneLogin::RubySaml::ValidationError, "Element '{urn:oasis:names:tc:SAML:2.0:assertion}Issuer': This element is not expected") do invalid_logout_request.send(:validate_structure) end end end describe "#validate_issuer" do it "return true when the issuer of the Logout Request matchs the IdP entityId" do logout_request.settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT' assert logout_request.send(:validate_issuer) end it "return false when the issuer of the Logout Request does not match the IdP entityId" do logout_request.settings.idp_entity_id = 'http://idp.example.com/invalid' assert !logout_request.send(:validate_issuer) assert_includes logout_request.errors, "Doesn't match the issuer, expected: <#{logout_request.settings.idp_entity_id}>, but was: " end it "raise when the issuer of the Logout Request does not match the IdP entityId" do logout_request.settings.idp_entity_id = 'http://idp.example.com/invalid' logout_request.soft = false assert_raises(OneLogin::RubySaml::ValidationError, "Doesn't match the issuer, expected: <#{logout_request.settings.idp_entity_id}>, but was: ") do logout_request.send(:validate_issuer) end end end describe "#validate_signature" do before do settings.security[:logout_requests_signed] = true settings.certificate = ruby_saml_cert_text settings.private_key = ruby_saml_key_text settings.idp_cert = ruby_saml_cert_text end it "return true when no idp_cert is provided and option :relax_signature_validation is present" do settings.idp_cert = nil settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params options[:relax_signature_validation] = true logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) logout_request_sign_test.settings = settings assert logout_request_sign_test.send(:validate_signature) end it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do settings.idp_cert = nil settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) logout_request_sign_test.settings = settings assert !logout_request_sign_test.send(:validate_signature) end it "return true when valid RSA_SHA1 Signature" do settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) logout_request_sign_test.settings = settings assert logout_request_sign_test.send(:validate_signature) end it "return true when valid RSA_SHA256 Signature" do settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256 params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) params['RelayState'] = params[:RelayState] logout_request_sign_test.settings = settings assert logout_request_sign_test.send(:validate_signature) end it "return false when invalid RSA_SHA1 Signature" do settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = 'http://invalid.example.com' params[:RelayState] = params['RelayState'] options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) logout_request_sign_test.settings = settings assert !logout_request_sign_test.send(:validate_signature) end it "raise when invalid RSA_SHA1 Signature" do settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 settings.soft = false params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = 'http://invalid.example.com' params[:RelayState] = params['RelayState'] options = {} options[:get_params] = params options[:settings] = settings logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do logout_request_sign_test.send(:validate_signature) end end it "raise when get_params encoding differs from what this library generates" do # Use Logoutrequest only to build the SAMLRequest parameter. settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 settings.soft = false params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, "RelayState" => "http://example.com") # Assemble query string. query = OneLogin::RubySaml::Utils.build_query( :type => 'SAMLRequest', :data => params['SAMLRequest'], :relay_state => params['RelayState'], :sig_alg => params['SigAlg'] ) # Modify the query string so that it encodes the same values, # but with different percent-encoding. Sanity-check that they # really are equialent before moving on. original_query = query.dup query.gsub!("example", "ex%61mple") refute_equal(query, original_query) assert_equal(CGI.unescape(query), CGI.unescape(original_query)) # Make normalised signature based on our modified params. sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]) signature = settings.get_sp_key.sign(sign_algorithm.new, query) params['Signature'] = Base64.encode64(signature).gsub(/\n/, "") # Construct SloLogoutrequest and ask it to validate the signature. # It will do it incorrectly, because it will compute it based on re-encoded # query parameters, rather than their original encodings. options = {} options[:get_params] = params options[:settings] = settings logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do logout_request_sign_test.send(:validate_signature) end end it "return true even if raw_get_params encoding differs from what this library generates" do # Use Logoutrequest only to build the SAMLRequest parameter. settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 settings.soft = false params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, "RelayState" => "http://example.com") # Assemble query string. query = OneLogin::RubySaml::Utils.build_query( :type => 'SAMLRequest', :data => params['SAMLRequest'], :relay_state => params['RelayState'], :sig_alg => params['SigAlg'] ) # Modify the query string so that it encodes the same values, # but with different percent-encoding. Sanity-check that they # really are equialent before moving on. original_query = query.dup query.gsub!("example", "ex%61mple") refute_equal(query, original_query) assert_equal(CGI.unescape(query), CGI.unescape(original_query)) # Make normalised signature based on our modified params. sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]) signature = settings.get_sp_key.sign(sign_algorithm.new, query) params['Signature'] = Base64.encode64(signature).gsub(/\n/, "") # Construct SloLogoutrequest and ask it to validate the signature. # Provide the altered parameter in its raw URI-encoded form, # so that we don't have to guess the value that contributed to the signature. options = {} options[:get_params] = params options[:get_params].delete("RelayState") options[:raw_get_params] = { "RelayState" => "http%3A%2F%2Fex%61mple.com", } options[:settings] = settings logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) assert logout_request_sign_test.send(:validate_signature) end it "handles Azure AD downcased request encoding" do # Use Logoutrequest only to build the SAMLRequest parameter. settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256 settings.soft = false # Creating the query manually to tweak it later instead of using # OneLogin::RubySaml::Utils.build_query request_doc = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings) request = Zlib::Deflate.deflate(request_doc.to_s, 9)[2..-5] base64_request = Base64.encode64(request).gsub(/\n/, "") # The original request received from Azure AD comes with downcased # encoded characters, like %2f instead of %2F, and the signature they # send is based on this base64 request. params = { 'SAMLRequest' => downcased_escape(base64_request), 'SigAlg' => downcased_escape(settings.security[:signature_method]), } # Assemble query string. query = "SAMLRequest=#{params['SAMLRequest']}&SigAlg=#{params['SigAlg']}" # Make normalised signature based on our modified params. sign_algorithm = XMLSecurity::BaseDocument.new.algorithm( settings.security[:signature_method] ) signature = settings.get_sp_key.sign(sign_algorithm.new, query) params['Signature'] = downcased_escape(Base64.encode64(signature).gsub(/\n/, "")) # Then parameters are usually unescaped, like we manage them in rails params = params.map { |k, v| [k, CGI.unescape(v)] }.to_h # Construct SloLogoutrequest and ask it to validate the signature. # It will fail because the signature is based on the downcased request logout_request_downcased_test = OneLogin::RubySaml::SloLogoutrequest.new( params['SAMLRequest'], get_params: params, settings: settings, ) assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do logout_request_downcased_test.send(:validate_signature) end # For this case, the parameters will be forced to be downcased after # being escaped with :lowercase_url_encoding security option settings.security[:lowercase_url_encoding] = true logout_request_force_downcasing_test = OneLogin::RubySaml::SloLogoutrequest.new( params['SAMLRequest'], get_params: params, settings: settings ) assert logout_request_force_downcasing_test.send(:validate_signature) end end describe "#validate_signature with multiple idp certs" do before do settings.certificate = ruby_saml_cert_text settings.private_key = ruby_saml_key_text settings.idp_cert = nil settings.security[:logout_requests_signed] = true settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1 end it "return true when at least a idp_cert is valid" do params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) settings.idp_cert_multi = { :signing => [ruby_saml_cert_text2, ruby_saml_cert_text], :encryption => [] } logout_request_sign_test.settings = settings assert logout_request_sign_test.send(:validate_signature) end it "return false when cert expired and check_idp_cert_expiration expired" do params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params settings.security[:check_idp_cert_expiration] = true logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) settings.idp_cert = nil settings.idp_cert_multi = { :signing => [ruby_saml_cert_text], :encryption => [] } logout_request_sign_test.settings = settings assert !logout_request_sign_test.send(:validate_signature) assert_includes logout_request_sign_test.errors, "IdP x509 certificate expired" end it "return false when none cert on idp_cert_multi is valid" do params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com') params['RelayState'] = params[:RelayState] options = {} options[:get_params] = params logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options) settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint settings.idp_cert_multi = { :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2], :encryption => [] } logout_request_sign_test.settings = settings assert !logout_request_sign_test.send(:validate_signature) assert_includes logout_request_sign_test.errors, "Invalid Signature on Logout Request" end end end end