forked from hashicorp/cap
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconfig_test.go
More file actions
259 lines (242 loc) · 8.26 KB
/
config_test.go
File metadata and controls
259 lines (242 loc) · 8.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package saml_test
import (
"strings"
"testing"
"github.com/hashicorp/go-uuid"
"github.com/stretchr/testify/require"
"github.com/hashicorp/cap/saml"
"github.com/hashicorp/cap/saml/models/core"
)
func Test_NewConfig(t *testing.T) {
t.Parallel()
const (
entityID = "http://test.me/entity"
acs = "http://test.me/sso/acs"
metadata = "http://test.me/sso/metadata"
)
cases := []struct {
name string
entityID string
acs string
issuer string
metadata string
opts []saml.Option
cfgOverride func(*saml.Config)
expectedErr string
}{
{
name: "When all URLs are provided",
entityID: entityID,
acs: acs,
metadata: metadata,
expectedErr: "",
},
{
name: "When there is no entity ID provided",
acs: acs,
metadata: metadata,
expectedErr: "saml.NewConfig: invalid provider config: saml.Config.Validate: EntityID not set: invalid parameter",
},
{
name: "When there is no ACS URL provided",
entityID: entityID,
metadata: metadata,
expectedErr: "saml.NewConfig: invalid provider config: saml.Config.Validate: ACS URL not set: invalid parameter",
},
{
name: "When there is no metadata URL provided",
acs: acs,
entityID: entityID,
expectedErr: "saml.NewConfig: invalid provider config: saml.Config.Validate: One of MetadataURL, MetadataXML, or MetadataParameters must be set: invalid parameter",
},
{
name: "valid-WithMetadataParameters",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: "https://samltest.id/idp/profile/Shibboleth/SSO",
IDPCertificate: testEncodedMetadataCert,
Binding: core.ServiceBindingHTTPPost,
}),
},
},
{
name: "err-WithMetadataParameters-empty",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{}),
},
expectedErr: "saml.Config.Validate: issuer not set",
},
{
name: "err-WithMetadataParameters-invalid-issuer",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: " https://samltest.id/idp", // extra space at the start makes it invalid
SingleSignOnURL: "https://samltest.id/idp/profile/Shibboleth/SSO",
IDPCertificate: testEncodedMetadataCert,
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: "provided Issuer is not a valid URL",
},
{
name: "err-WithMetadataParameters-missing-sso-url",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: "",
IDPCertificate: testEncodedMetadataCert,
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: "SSO URL not set",
},
{
name: "err-WithMetadataParameters-invalid-sso-url",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: " https://samltest.id/idp/profile/Shibboleth/SSO", // extra space at the start makes it invalid
IDPCertificate: testEncodedMetadataCert,
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: "provided SSO URL is not a valid URL",
},
{
name: "err-WithMetadataParameters-missing-cert",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: "https://samltest.id/idp/profile/Shibboleth/SSO",
IDPCertificate: "",
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: "no certificate found",
},
{
name: "err-WithMetadataParameters-extra-data",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: "https://samltest.id/idp/profile/Shibboleth/SSO",
IDPCertificate: testEncodedMetadataCert + "\nextra bits",
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: "extra data found after certificate",
},
{
name: "err-WithMetadataParameters-invalid-block-identifier",
entityID: entityID,
acs: acs,
metadata: metadata,
opts: []saml.Option{
saml.WithMetadataParameters(saml.MetadataParameters{
Issuer: "https://samltest.id/idp",
SingleSignOnURL: "https://samltest.id/idp/profile/Shibboleth/SSO",
IDPCertificate: testEncodedMetadataCertWithInvalidBlockIdentifier,
Binding: core.ServiceBindingHTTPPost,
}),
},
expectedErr: `wrong block type found: "PRIVATE KEY"`,
},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
r := require.New(t)
got, err := saml.NewConfig(
c.entityID,
c.acs,
c.metadata,
c.opts...,
)
if c.expectedErr != "" {
r.ErrorContains(err, c.expectedErr)
return
}
r.NoError(err)
r.Equal(got.EntityID, "http://test.me/entity")
r.Equal(got.AssertionConsumerServiceURL, "http://test.me/sso/acs")
r.Equal(got.MetadataURL, "http://test.me/sso/metadata")
r.NotNil(got.GenerateAuthRequestID)
r.NotNil(got.ValidUntil)
})
}
}
func Test_GenerateAuthRequestID(t *testing.T) {
t.Parallel()
r := require.New(t)
id, err := saml.DefaultGenerateAuthRequestID()
r.NoError(err)
r.Contains(id, "_")
splitted := strings.Split(id, "_")
_, err = uuid.ParseUUID(splitted[1])
r.NoError(err)
}
const testEncodedMetadataCert = `
-----BEGIN CERTIFICATE-----
MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB
CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0
ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE
jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl
bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF
/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n
spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G
A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz
dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn
7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT
TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl
D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU
ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==
-----END CERTIFICATE-----
`
const testEncodedMetadataCertWithInvalidBlockIdentifier = `
-----BEGIN PRIVATE KEY-----
MIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB
CwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4
MDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0
ThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE
jj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl
bN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF
/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n
spXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G
A1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz
dC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF
AAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn
7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT
TNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl
D1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU
ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==
-----END PRIVATE KEY-----
`