
     1  /*
     2  
     3  Copyright (c) 2024 - Present. Blend Labs, Inc. All rights reserved
     4  Use of this source code is governed by a MIT license that can be found in the LICENSE file.
     5  
     6  */
     7  
     8  package samlv2_test
     9  
    10  import (
    11  	"errors"
    12  	"os"
    13  	"strings"
    14  	"testing"
    15  
    16  	"github.com/blend/go-sdk/assert"
    17  	"github.com/blend/go-sdk/ex"
    18  	"github.com/blend/go-sdk/samlv2"
    19  )
    20  
// signURLPrefix is the expected start of the URL returned by BuildURL in
// Test_BuildURL: the IdP SSO endpoint (presumably the one declared in
// testdata/metadata.xml — confirm) followed by the SAMLRequest query key.
const signURLPrefix = "https://blend-oie.oktapreview.com/app/blend-oie_samltest_1/exk3vd6k1xkRwxIly1d7/sso/saml?SAMLRequest="
    22  
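// NewSAMLProvider builds a test provider from testdata/metadata.xml whose
// expected audience is the given audience.
//
// Signature validation and encryption-certificate validation are switched
// off here (presumably because the fixture responses under testdata are not
// signed against the metadata certificate — confirm). This is a test-only
// relaxation; a production configuration keeps both checks enabled.
//
// Returns the error from reading the metadata file or from samlv2.New.
func NewSAMLProvider(audience string) (*samlv2.SAMLProvider, error) {
	metadataRaw, err := os.ReadFile("testdata/metadata.xml")
	if err != nil {
		return nil, err
	}
	config := &samlv2.SAMLConfig{
		AssertionConsumerServiceURL: "http://localhost:8080/saml?redirect_uri=localhost:8081/saml",
		// Use the caller's audience: this was hard-coded to "Audience", which
		// silently ignored the parameter and made the audience-mismatch test
		// independent of the value it passed.
		AudienceURI: audience,
		Metadata:    string(metadataRaw),
	}

	provider, err := samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
	if err != nil {
		return nil, err
	}

	return provider, nil
}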
    45  
// Test_SamlResponse feeds the valid fixture response to a provider whose
// audience matches it and expects neither the audience warning nor the
// time-window warning to be set.
func Test_SamlResponse(t *testing.T) {
	its := assert.New(t)

	raw, err := os.ReadFile("testdata/saml_valid.response")
	its.Nil(err)

	p, err := NewSAMLProvider("Audience")
	its.Nil(err)

	info, err := p.OnSAMLResponse(string(raw))
	its.Nil(err)

	warnings := info.WarningInfo
	its.False(warnings.NotInAudience)
	its.False(warnings.InvalidTime)
}
    61  
// Test_SamlInvalidTime feeds the invalid fixture response to a provider and
// expects the time-window warning (InvalidTime) to be set while the response
// itself is still accepted without error.
func Test_SamlInvalidTime(t *testing.T) {
	its := assert.New(t)

	raw, err := os.ReadFile("testdata/saml_invalid.response")
	its.Nil(err)

	p, err := NewSAMLProvider("Audience")
	its.Nil(err)

	info, err := p.OnSAMLResponse(string(raw))
	its.Nil(err)

	its.True(info.WarningInfo.InvalidTime)
}
    76  
// Test_SamlInvalidAudience configures the provider with an audience the
// invalid fixture response does not carry and expects the NotInAudience
// warning to be set while the response is still accepted without error.
func Test_SamlInvalidAudience(t *testing.T) {
	its := assert.New(t)

	raw, err := os.ReadFile("testdata/saml_invalid.response")
	its.Nil(err)

	p, err := NewSAMLProvider("WrongAudience")
	its.Nil(err)

	info, err := p.OnSAMLResponse(string(raw))
	its.Nil(err)

	its.True(info.WarningInfo.NotInAudience)
}
    91  
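// Test_BuildURL checks that the URL built for an empty argument points at
// the IdP SSO endpoint captured in signURLPrefix and that a SAMLRequest
// payload was actually appended after the query key.
func Test_BuildURL(t *testing.T) {
	its := assert.New(t)

	// The audience is not expected to influence URL construction, so the
	// matching value is used to avoid suggesting otherwise.
	provider, err := NewSAMLProvider("Audience")
	its.Nil(err)

	// Named ssoURL rather than url so it does not read like the net/url package.
	ssoURL, err := provider.BuildURL("")
	its.Nil(err)

	// HasPrefix already yields a bool; assert it directly instead of
	// comparing the bool against true.
	its.True(strings.HasPrefix(ssoURL, signURLPrefix))
	// signURLPrefix ends in "SAMLRequest=", so a longer string means the
	// request parameter carries a non-empty value.
	its.True(len(ssoURL) > len(signURLPrefix))
}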
   104  
// Test_DefaultCanonicalizer asserts that a config which leaves
// SigningXMLCanonicalizer unset selects the XML C14N 1.1 algorithm.
func Test_DefaultCanonicalizer(t *testing.T) {
	its := assert.New(t)

	p, err := NewSAMLProvider("Audience")
	its.Nil(err)

	algorithm := p.Provider.SigningContext().Canonicalizer.Algorithm()
	its.Equal(algorithm.String(), "http://www.w3.org/2006/12/xml-c14n11")
}
   112  
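// newCanonicalizerConfig returns the config shared by the canonicalizer
// tests below, with SigningXMLCanonicalizer left at its zero value for the
// caller to set. It fails the test if testdata/metadata.xml cannot be read,
// so callers always receive a non-nil config.
func newCanonicalizerConfig(t *testing.T) *samlv2.SAMLConfig {
	t.Helper()
	metadataRaw, err := os.ReadFile("testdata/metadata.xml")
	if err != nil {
		t.Fatalf("reading testdata/metadata.xml: %v", err)
	}
	return &samlv2.SAMLConfig{
		AssertionConsumerServiceURL: "http://localhost:8080/saml?redirect_uri=localhost:8081/saml",
		AudienceURI:                 "Audience",
		Metadata:                    string(metadataRaw),
	}
}

// newProviderFromConfig constructs a provider from config with the same
// test-only relaxations as NewSAMLProvider: signature validation and
// encryption-certificate validation are disabled. Returns whatever
// samlv2.New returns, including a nil provider on error.
func newProviderFromConfig(config *samlv2.SAMLConfig) (*samlv2.SAMLProvider, error) {
	return samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
}

// Test_ExclusiveCanonicalizer asserts that selecting
// CanonicalXML10ExclusiveAlgorithmID yields the Exclusive XML C14N 1.0
// algorithm in the signing context.
func Test_ExclusiveCanonicalizer(t *testing.T) {
	its := assert.New(t)
	config := newCanonicalizerConfig(t)
	config.SigningXMLCanonicalizer = samlv2.CanonicalXML10ExclusiveAlgorithmID

	provider, err := newProviderFromConfig(config)
	its.Nil(err)
	its.Equal(provider.Provider.SigningContext().Canonicalizer.Algorithm().String(), "http://www.w3.org/2001/10/xml-exc-c14n#")
}

// Test_InclusiveCanonicalizer asserts that selecting
// CanonicalXML11AlgorithmID yields the XML C14N 1.1 algorithm in the
// signing context.
func Test_InclusiveCanonicalizer(t *testing.T) {
	its := assert.New(t)
	config := newCanonicalizerConfig(t)
	config.SigningXMLCanonicalizer = samlv2.CanonicalXML11AlgorithmID

	provider, err := newProviderFromConfig(config)
	its.Nil(err)
	its.Equal(provider.Provider.SigningContext().Canonicalizer.Algorithm().String(), "http://www.w3.org/2006/12/xml-c14n11")
}

// Test_UnsupportCanonicalizer asserts that an unknown canonicalizer value
// is rejected at construction time: no provider is returned and the error
// carries the ErrorUnsupportedCanonicalizer class.
func Test_UnsupportCanonicalizer(t *testing.T) {
	its := assert.New(t)
	config := newCanonicalizerConfig(t)
	config.SigningXMLCanonicalizer = "Unsupported Canonicalizer"

	provider, err := newProviderFromConfig(config)
	its.Nil(provider)
	its.True(errors.Is(err, ex.Class(samlv2.ErrorUnsupportedCanonicalizer)))
}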
   170  	its.True(errors.Is(err, ex.Class(samlv2.ErrorUnsupportedCanonicalizer)))
   171  }