require File.expand_path(File.join(File.dirname(__FILE__), "test_helper")) require 'onelogin/ruby-saml/settings' require 'onelogin/ruby-saml/validation_error' class SettingsTest < Minitest::Test describe "Settings" do before do @settings = OneLogin::RubySaml::Settings.new end it "should provide getters and settings" do accessors = [ :idp_entity_id, :idp_sso_target_url, :idp_sso_service_url, :idp_slo_target_url, :idp_slo_service_url, :valid_until, :idp_cert, :idp_cert_fingerprint, :idp_cert_fingerprint_algorithm, :idp_cert_multi, :idp_attribute_names, :issuer, :assertion_consumer_service_url, :single_logout_service_url, :sp_name_qualifier, :name_identifier_format, :name_identifier_value, :name_identifier_value_requested, :sessionindex, :attributes_index, :passive, :force_authn, :compress_request, :double_quote_xml_attribute_values, :message_max_bytesize, :security, :certificate, :private_key, :authn_context, :authn_context_comparison, :authn_context_decl_ref, :assertion_consumer_logout_service_url ] accessors.each do |accessor| value = Kernel.rand @settings.send("#{accessor}=".to_sym, value) assert_equal value, @settings.send(accessor) @settings.send("#{accessor}=".to_sym, nil) assert_nil @settings.send(accessor) end end it "should provide getters and settings for binding parameters" do accessors = [ :protocol_binding, :assertion_consumer_service_binding, :single_logout_service_binding, :assertion_consumer_logout_service_binding ] accessors.each do |accessor| value = Kernel.rand.to_s @settings.send("#{accessor}=".to_sym, value) assert_equal value, @settings.send(accessor) @settings.send("#{accessor}=".to_sym, :redirect) assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.send(accessor) @settings.send("#{accessor}=".to_sym, :post) assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor) @settings.send("#{accessor}=".to_sym, nil) assert_nil @settings.send(accessor) end end it "idp_sso/slo_service_binding should fallback to :embed_sign inferred value" do accessors = [:idp_sso_service_binding, :idp_slo_service_binding] accessors.each do |accessor| @settings.security[:embed_sign] = true value = Kernel.rand.to_s @settings.send("#{accessor}=".to_sym, value) assert_equal value, @settings.send(accessor) @settings.send("#{accessor}=".to_sym, :redirect) assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.send(accessor) @settings.send("#{accessor}=".to_sym, :post) assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor) @settings.send("#{accessor}=".to_sym, nil) assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor) @settings.security[:embed_sign] = false assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.send(accessor) end end it "create settings from hash" do config = { :assertion_consumer_service_url => "http://app.muda.no/sso", :issuer => "http://muda.no", :sp_name_qualifier => "http://sso.muda.no", :idp_sso_service_url => "http://sso.muda.no/sso", :idp_sso_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", :idp_slo_service_url => "http://sso.muda.no/slo", :idp_slo_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00", :message_max_bytesize => 750000, :valid_until => '2029-04-16T03:35:08.277Z', :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", :attributes_index => 30, :passive => true, :protocol_binding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' } @settings = OneLogin::RubySaml::Settings.new(config) config.each do |k,v| assert_equal v, @settings.send(k) end end it "configure attribute service attributes correctly" do @settings.attribute_consuming_service.configure do service_name "Test Service" add_attribute :name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name" end assert_equal @settings.attribute_consuming_service.configured?, true assert_equal @settings.attribute_consuming_service.name, "Test Service" assert_equal @settings.attribute_consuming_service.attributes, [{:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name" }] end it "does not modify default security settings" do settings = OneLogin::RubySaml::Settings.new settings.security[:authn_requests_signed] = true settings.security[:embed_sign] = true settings.security[:digest_method] = XMLSecurity::Document::SHA256 settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256 new_settings = OneLogin::RubySaml::Settings.new assert_equal new_settings.security[:authn_requests_signed], false assert_equal new_settings.security[:embed_sign], false assert_equal new_settings.security[:digest_method], XMLSecurity::Document::SHA1 assert_equal new_settings.security[:signature_method], XMLSecurity::Document::RSA_SHA1 end it "overrides only provided security attributes passing a second parameter" do config = { :security => { :metadata_signed => true } } @default_attributes = OneLogin::RubySaml::Settings::DEFAULTS @settings = OneLogin::RubySaml::Settings.new(config, true) assert_equal @settings.security[:metadata_signed], true assert_equal @settings.security[:digest_method], @default_attributes[:security][:digest_method] end it "doesn't override only provided security attributes without passing a second parameter" do config = { :security => { :metadata_signed => true } } @default_attributes = OneLogin::RubySaml::Settings::DEFAULTS @settings = OneLogin::RubySaml::Settings.new(config) assert_equal @settings.security[:metadata_signed], true assert_nil @settings.security[:digest_method] end describe "#single_logout_service_url" do it "when single_logout_service_url is nil but assertion_consumer_logout_service_url returns its value" do @settings.single_logout_service_url = nil @settings.assertion_consumer_logout_service_url = "http://app.muda.no/sls" assert_equal "http://app.muda.no/sls", @settings.single_logout_service_url end end describe "#single_logout_service_binding" do it "when single_logout_service_binding is nil but assertion_consumer_logout_service_binding returns its value" do @settings.single_logout_service_binding = nil @settings.assertion_consumer_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.single_logout_service_binding end end describe "#idp_sso_service_url" do it "when idp_sso_service_url is nil but idp_sso_target_url returns its value" do @settings.idp_sso_service_url = nil @settings.idp_sso_target_url = "https://idp.example.com/sso" assert_equal "https://idp.example.com/sso", @settings.idp_sso_service_url end end describe "#idp_slo_service_url" do it "when idp_slo_service_url is nil but idp_slo_target_url returns its value" do @settings.idp_slo_service_url = nil @settings.idp_slo_target_url = "https://idp.example.com/slo" assert_equal "https://idp.example.com/slo", @settings.idp_slo_service_url end end describe "#get_idp_cert" do it "returns nil when the cert is an empty string" do @settings.idp_cert = "" assert_nil @settings.get_idp_cert end it "returns nil when the cert is nil" do @settings.idp_cert = nil assert_nil @settings.get_idp_cert end it "returns the certificate when it is valid" do @settings.idp_cert = ruby_saml_cert_text assert @settings.get_idp_cert.kind_of? OpenSSL::X509::Certificate end it "raises when the certificate is not valid" do # formatted but invalid cert @settings.idp_cert = read_certificate("formatted_certificate") assert_raises(OpenSSL::X509::CertificateError) { @settings.get_idp_cert } end end describe "#get_idp_cert_multi" do it "returns nil when the value is empty" do @settings.idp_cert = {} assert_nil @settings.get_idp_cert_multi end it "returns nil when the idp_cert_multi is nil or empty" do @settings.idp_cert_multi = nil assert_nil @settings.get_idp_cert_multi end it "returns partial hash when contains some values" do empty_multi = { :signing => [], :encryption => [] } @settings.idp_cert_multi = { :signing => [] } assert_equal empty_multi, @settings.get_idp_cert_multi @settings.idp_cert_multi = { :encryption => [] } assert_equal empty_multi, @settings.get_idp_cert_multi @settings.idp_cert_multi = { :signing => [], :encryption => [] } assert_equal empty_multi, @settings.get_idp_cert_multi @settings.idp_cert_multi = { :yyy => [], :zzz => [] } assert_equal empty_multi, @settings.get_idp_cert_multi end it "returns the hash with certificates when values were valid" do certificates = ruby_saml_cert_text @settings.idp_cert_multi = { :signing => [ruby_saml_cert_text], :encryption => [ruby_saml_cert_text], } assert @settings.get_idp_cert_multi.kind_of? Hash assert @settings.get_idp_cert_multi[:signing].kind_of? Array assert @settings.get_idp_cert_multi[:encryption].kind_of? Array assert @settings.get_idp_cert_multi[:signing][0].kind_of? OpenSSL::X509::Certificate assert @settings.get_idp_cert_multi[:encryption][0].kind_of? OpenSSL::X509::Certificate end it "raises when there is a cert in idp_cert_multi not valid" do certificate = read_certificate("formatted_certificate") @settings.idp_cert_multi = { :signing => [], :encryption => [] } @settings.idp_cert_multi[:signing].push(certificate) @settings.idp_cert_multi[:encryption].push(certificate) assert_raises(OpenSSL::X509::CertificateError) { @settings.get_idp_cert_multi } end end describe "#get_sp_cert" do it "returns nil when the cert is an empty string" do @settings.certificate = "" assert_nil @settings.get_sp_cert end it "returns nil when the cert is nil" do @settings.certificate = nil assert_nil @settings.get_sp_cert end it "returns the certificate when it is valid" do @settings.certificate = ruby_saml_cert_text assert @settings.get_sp_cert.kind_of? OpenSSL::X509::Certificate end it "raises when the certificate is not valid" do # formatted but invalid cert @settings.certificate = read_certificate("formatted_certificate") assert_raises(OpenSSL::X509::CertificateError) { @settings.get_sp_cert } end it "raises an error if SP certificate expired and check_sp_cert_expiration enabled" do @settings.certificate = ruby_saml_cert_text @settings.security[:check_sp_cert_expiration] = true assert_raises(OneLogin::RubySaml::ValidationError) { @settings.get_sp_cert } end end describe "#get_sp_cert_new" do it "returns nil when the cert is an empty string" do @settings.certificate_new = "" assert_nil @settings.get_sp_cert_new end it "returns nil when the cert is nil" do @settings.certificate_new = nil assert_nil @settings.get_sp_cert_new end it "returns the certificate when it is valid" do @settings.certificate_new = ruby_saml_cert_text assert @settings.get_sp_cert_new.kind_of? OpenSSL::X509::Certificate end it "raises when the certificate is not valid" do # formatted but invalid cert @settings.certificate_new = read_certificate("formatted_certificate") assert_raises(OpenSSL::X509::CertificateError) { @settings.get_sp_cert_new } end end describe "#get_sp_key" do it "returns nil when the private key is an empty string" do @settings.private_key = "" assert_nil @settings.get_sp_key end it "returns nil when the private key is nil" do @settings.private_key = nil assert_nil @settings.get_sp_key end it "returns the private key when it is valid" do @settings.private_key = ruby_saml_key_text assert @settings.get_sp_key.kind_of? OpenSSL::PKey::RSA end it "raises when the private key is not valid" do # formatted but invalid rsa private key @settings.private_key = read_certificate("formatted_rsa_private_key") assert_raises(OpenSSL::PKey::RSAError) { @settings.get_sp_key } end end describe "#get_fingerprint" do it "get the fingerprint value when cert and fingerprint in settings are nil" do @settings.idp_cert_fingerprint = nil @settings.idp_cert = nil fingerprint = @settings.get_fingerprint assert_nil fingerprint end it "get the fingerprint value when there is a cert at the settings" do @settings.idp_cert_fingerprint = nil @settings.idp_cert = ruby_saml_cert_text fingerprint = @settings.get_fingerprint assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase end it "get the fingerprint value when there is a fingerprint at the settings" do @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint @settings.idp_cert = nil fingerprint = @settings.get_fingerprint assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase end it "get the fingerprint value when there are cert and fingerprint at the settings" do @settings.idp_cert_fingerprint = ruby_saml_cert_fingerprint @settings.idp_cert = ruby_saml_cert_text fingerprint = @settings.get_fingerprint assert fingerprint.downcase == ruby_saml_cert_fingerprint.downcase end end end end