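/*

Copyright (c) 2024 - Present. Blend Labs, Inc. All rights reserved
Use of this source code is governed by a MIT license that can be found in the LICENSE file.

*/

package samlv2_test

import (
	"errors"
	"os"
	"strings"
	"testing"

	"github.com/blend/go-sdk/assert"
	"github.com/blend/go-sdk/ex"
	"github.com/blend/go-sdk/samlv2"
)

const (
	// signURLPrefix is the IdP SSO endpoint taken from testdata/metadata.xml;
	// BuildURL appends the encoded AuthnRequest after "SAMLRequest=".
	signURLPrefix = "https://blend-oie.oktapreview.com/app/blend-oie_samltest_1/exk3vd6k1xkRwxIly1d7/sso/saml?SAMLRequest="

	// testMetadataPath is the IdP metadata fixture every provider in this file is built from.
	testMetadataPath = "testdata/metadata.xml"

	// testACSURL is the assertion consumer service URL shared by every test config.
	testACSURL = "http://localhost:8080/saml?redirect_uri=localhost:8081/saml"
)

// newTestConfig reads the IdP metadata fixture and returns a SAMLConfig for it.
//
// audience is the AudienceURI the provider validates assertions against. The
// returned config leaves SigningXMLCanonicalizer unset so callers that need a
// specific canonicalizer assign it afterwards.
func newTestConfig(audience string) (*samlv2.SAMLConfig, error) {
	metadataRaw, err := os.ReadFile(testMetadataPath)
	if err != nil {
		return nil, err
	}
	return &samlv2.SAMLConfig{
		AssertionConsumerServiceURL: testACSURL,
		AudienceURI:                 audience,
		Metadata:                    string(metadataRaw),
	}, nil
}

// NewSAMLProvider builds a provider from the testdata metadata fixture whose
// AudienceURI is audience.
//
// Signature validation and encryption-cert validation are disabled so the
// static fixtures in testdata/ can be parsed; the tests below therefore
// exercise audience and time checks only, not signature verification.
//
// It returns any error from reading the fixture or from samlv2.New.
func NewSAMLProvider(audience string) (*samlv2.SAMLProvider, error) {
	// The audience argument is applied here; a hard-coded value would make
	// callers that pass a different audience (e.g. "WrongAudience") silently
	// test the wrong thing.
	config, err := newTestConfig(audience)
	if err != nil {
		return nil, err
	}

	provider, err := samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
	if err != nil {
		return nil, err
	}

	return provider, nil
}

// Test_SamlResponse checks that a response whose audience and validity window
// match the provider config raises neither warning flag.
func Test_SamlResponse(t *testing.T) {
	its := assert.New(t)

	provider, err := NewSAMLProvider("Audience")
	its.Nil(err)

	samlResponse, err := os.ReadFile("testdata/saml_valid.response")
	its.Nil(err)

	assertionInfo, err := provider.OnSAMLResponse(string(samlResponse))
	its.Nil(err)

	its.False(assertionInfo.WarningInfo.NotInAudience)
	its.False(assertionInfo.WarningInfo.InvalidTime)
}

// Test_SamlInvalidTime checks that a response outside its validity window is
// reported through WarningInfo.InvalidTime rather than as an error, so callers
// must inspect the warning flags and not rely on err alone.
func Test_SamlInvalidTime(t *testing.T) {
	its := assert.New(t)

	provider, err := NewSAMLProvider("Audience")
	its.Nil(err)

	samlResponse, err := os.ReadFile("testdata/saml_invalid.response")
	its.Nil(err)

	assertionInfo, err := provider.OnSAMLResponse(string(samlResponse))
	its.Nil(err)

	its.True(assertionInfo.WarningInfo.InvalidTime)
}

// Test_SamlInvalidAudience checks that a provider configured with an audience
// the fixture was not issued for reports WarningInfo.NotInAudience.
func Test_SamlInvalidAudience(t *testing.T) {
	its := assert.New(t)

	// "WrongAudience" is genuinely configured on the provider, so the flag
	// below reflects an audience mismatch against the fixture.
	provider, err := NewSAMLProvider("WrongAudience")
	its.Nil(err)

	samlResponse, err := os.ReadFile("testdata/saml_invalid.response")
	its.Nil(err)

	assertionInfo, err := provider.OnSAMLResponse(string(samlResponse))
	its.Nil(err)

	its.True(assertionInfo.WarningInfo.NotInAudience)
}

// Test_BuildURL checks that the SP-initiated login URL targets the IdP SSO
// endpoint from the metadata fixture.
func Test_BuildURL(t *testing.T) {
	its := assert.New(t)

	provider, err := NewSAMLProvider("WrongAudience")
	its.Nil(err)

	authURL, err := provider.BuildURL("")
	its.Nil(err)

	// Only the endpoint prefix is asserted; the SAMLRequest payload that
	// follows it carries a fresh request ID and is not stable across runs.
	its.True(strings.HasPrefix(authURL, signURLPrefix))
}

// Test_DefaultCanonicalizer checks that a config without
// SigningXMLCanonicalizer set uses XML C14N 1.1.
func Test_DefaultCanonicalizer(t *testing.T) {
	its := assert.New(t)

	provider, err := NewSAMLProvider("Audience")
	its.Nil(err)
	its.Equal(provider.Provider.SigningContext().Canonicalizer.Algorithm().String(), "http://www.w3.org/2006/12/xml-c14n11")
}

// Test_ExclusiveCanonicalizer checks that CanonicalXML10ExclusiveAlgorithmID
// selects Exclusive XML C14N 1.0 for the signing context.
func Test_ExclusiveCanonicalizer(t *testing.T) {
	its := assert.New(t)

	config, err := newTestConfig("Audience")
	its.Nil(err)
	config.SigningXMLCanonicalizer = samlv2.CanonicalXML10ExclusiveAlgorithmID

	provider, err := samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
	its.Nil(err)
	its.Equal(provider.Provider.SigningContext().Canonicalizer.Algorithm().String(), "http://www.w3.org/2001/10/xml-exc-c14n#")
}

// Test_InclusiveCanonicalizer checks that CanonicalXML11AlgorithmID selects
// XML C14N 1.1 for the signing context.
func Test_InclusiveCanonicalizer(t *testing.T) {
	its := assert.New(t)

	config, err := newTestConfig("Audience")
	its.Nil(err)
	config.SigningXMLCanonicalizer = samlv2.CanonicalXML11AlgorithmID

	provider, err := samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
	its.Nil(err)
	its.Equal(provider.Provider.SigningContext().Canonicalizer.Algorithm().String(), "http://www.w3.org/2006/12/xml-c14n11")
}

// Test_UnsupportCanonicalizer checks that an unknown canonicalizer identifier
// is rejected at construction time with ErrorUnsupportedCanonicalizer and no
// provider is returned, rather than falling back to a default algorithm.
func Test_UnsupportCanonicalizer(t *testing.T) {
	its := assert.New(t)

	config, err := newTestConfig("Audience")
	its.Nil(err)
	config.SigningXMLCanonicalizer = "Unsupported Canonicalizer"

	provider, err := samlv2.New(
		samlv2.OptConfig(config),
		samlv2.OptSkipSignatureValidation(true),
		samlv2.OptValidateEncryptionCert(false),
	)
	its.Nil(provider)
	its.True(errors.Is(err, ex.Class(samlv2.ErrorUnsupportedCanonicalizer)))
}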