END_TEST
START_TEST(test06_lib_statuscode)
{
/* check status code value in samlp:Response; it is a QName, if it
* starts with lib:, that namespace must be defined. (was bug#416)
*/
LassoSamlpResponse *response = LASSO_SAMLP_RESPONSE(lasso_samlp_response_new());
char *dump = NULL;
lasso_assign_string(response->Status->StatusCode->Value, LASSO_SAML_STATUS_CODE_SUCCESS);
dump = lasso_node_dump(LASSO_NODE(response));
fail_unless(strstr(dump, "xmlns:lib=") == NULL,
"liberty namespace should not be defined");
lasso_release_string(dump);
lasso_assign_string(response->Status->StatusCode->Value, LASSO_SAML_STATUS_CODE_RESPONDER);
response->Status->StatusCode->StatusCode = lasso_samlp_status_code_new();
response->Status->StatusCode->StatusCode->Value = g_strdup(
LASSO_LIB_STATUS_CODE_UNKNOWN_PRINCIPAL);
dump = lasso_node_dump(LASSO_NODE(response));
fail_unless(strstr(dump, "xmlns:lib=") != NULL,
"liberty namespace should be defined");
lasso_release_string(dump);
g_object_unref(response);
}
END_TEST
START_TEST(test03_server_new_from_dump)
{
LassoServer *server1, *server2;
char *dump;
server1 = lasso_server_new(
TESTSDATADIR "/idp1-la/metadata.xml",
TESTSDATADIR "/idp1-la/private-key-raw.pem",
NULL, /* Secret key to unlock private key */
TESTSDATADIR "/idp1-la/certificate.pem");
lasso_server_add_provider(
server1,
LASSO_PROVIDER_ROLE_SP,
TESTSDATADIR "/sp1-la/metadata.xml",
TESTSDATADIR "/sp1-la/public-key.pem",
TESTSDATADIR "/ca1-la/certificate.pem");
dump = lasso_node_dump(LASSO_NODE(server1));
server2 = lasso_server_new_from_dump(dump);
g_free(dump);
dump = lasso_node_dump(LASSO_NODE(server2));
g_object_unref(server1);
g_object_unref(server2);
g_free(dump);
}
END_TEST
START_TEST(test04_node_new_from_dump)
{
LassoNode *node;
char *msg = \
"<lib:LogoutRequest xmlns:lib=\"urn:liberty:iff:2003-08\" "\
"xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" "\
"RequestID=\"_52EDD5A8A0BF74977C0A16B827CA4229\" MajorVersion=\"1\" "\
"MinorVersion=\"2\" IssueInstant=\"2004-12-04T11:05:26Z\">" \
"<lib:ProviderID>https://idp1/metadata</lib:ProviderID>" \
"<saml:NameIdentifier xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" "\
"NameQualifier=\"https://idp1/metadata\" "\
"Format=\"urn:liberty:iff:nameid:federated\">_AF452F97C9E1590DDEB91D5BA6AA48ED"\
"</saml:NameIdentifier>"\
"</lib:LogoutRequest>";
char *dump;
node = lasso_node_new_from_dump(msg);
fail_unless(node != NULL, "new_from_dump failed");
dump = lasso_node_dump(node);
fail_unless(dump != NULL, "node_dump failed");
g_object_unref(node);
g_free(dump);
}
END_TEST
START_TEST(test02_server_add_provider)
{
LassoServer *server;
char *dump;
server = lasso_server_new(
TESTSDATADIR "/idp1-la/metadata.xml",
TESTSDATADIR "/idp1-la/private-key-raw.pem",
NULL, /* Secret key to unlock private key */
TESTSDATADIR "/idp1-la/certificate.pem");
fail_unless(LASSO_IS_SERVER(server));
fail_unless(server->private_key != NULL);
fail_unless(! server->private_key_password);
fail_unless(server->certificate != NULL);
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
fail_unless(server->providers != NULL);
lasso_server_add_provider(
server,
LASSO_PROVIDER_ROLE_SP,
TESTSDATADIR "/sp1-la/metadata.xml",
TESTSDATADIR "/sp1-la/public-key.pem",
TESTSDATADIR "/ca1-la/certificate.pem");
fail_unless(g_hash_table_size(server->providers) == 1);
dump = lasso_node_dump(LASSO_NODE(server));
g_object_unref(server);
lasso_release_string(dump);
}
END_TEST
START_TEST(test05_xsi_type)
{
/* check lib:AuthnContext element is not converted to
* saml:AuthnContext xsi:type="lib:AuthnContextType" and
* lib:AuthenticationStatement is converted to
* saml:AuthenticationStatement * xsi:type="lib:AuthenticationStatementType"
*/
LassoSamlAssertion *assertion;
LassoLibAuthenticationStatement *stmt;
LassoSamlNameIdentifier *name_identifier;
char *dump;
name_identifier = lasso_saml_name_identifier_new();
assertion = LASSO_SAML_ASSERTION(lasso_lib_assertion_new_full("", "", "", "", ""));
assertion->AuthenticationStatement = LASSO_SAML_AUTHENTICATION_STATEMENT(
lasso_lib_authentication_statement_new_full(
"toto", "toto", "toto",
NULL,
name_identifier));
g_object_unref(name_identifier);
stmt = LASSO_LIB_AUTHENTICATION_STATEMENT(assertion->AuthenticationStatement);
stmt->AuthnContext = LASSO_LIB_AUTHN_CONTEXT(lasso_lib_authn_context_new());
stmt->AuthnContext->AuthnContextClassRef = g_strdup("urn:toto");
dump = lasso_node_dump(LASSO_NODE(assertion));
fail_unless(strstr(dump, "xsi:type=\"lib:AuthnContextType\"") == NULL,
"AuthnContext got a xsi:type");
g_free(dump);
dump = lasso_node_dump(LASSO_NODE(assertion));
fail_unless(strstr(dump, "xsi:type=\"lib:AuthenticationStatementType\"") != NULL,
"AuthenticationStatement didn't get a xsi:type");
g_free(dump);
g_object_unref(assertion);
}
END_TEST
START_TEST(test01_server_new)
{
LassoServer *server;
LassoProvider *provider;
char *dump;
char *content = NULL;
size_t len;
server = lasso_server_new(
TESTSDATADIR "/idp1-la/metadata.xml",
TESTSDATADIR "/idp1-la/private-key-raw.pem",
NULL, /* Secret key to unlock private key */
TESTSDATADIR "/idp1-la/certificate.pem");
fail_unless(LASSO_IS_SERVER(server));
provider = LASSO_PROVIDER(server);
fail_unless(server->private_key != NULL);
fail_unless(server->private_key_password == NULL);
fail_unless(server->certificate != NULL);
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
fail_unless(provider->ProviderID != NULL);
fail_unless(provider->role == 0);
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
fail_unless(strcmp(provider->metadata_filename, content) == 0);
g_free(content);
fail_unless(provider->public_key == NULL);
fail_unless(provider->ca_cert_chain == NULL);
dump = lasso_node_dump(LASSO_NODE(server));
fail_unless(dump != NULL);
g_object_unref(server);
server = lasso_server_new_from_dump(dump);
fail_unless(LASSO_IS_SERVER(server));
provider = LASSO_PROVIDER(server);
fail_unless(server->private_key != NULL);
fail_unless(server->private_key_password == NULL);
fail_unless(server->certificate != NULL);
fail_unless(server->signature_method == LASSO_SIGNATURE_METHOD_RSA_SHA1);
fail_unless(server->providers != NULL);
fail_unless(provider->ProviderID != NULL);
fail_unless(provider->role == 0, "provider->role != 0 => provider := %d", provider->role);
fail_unless(g_file_get_contents(TESTSDATADIR "/idp1-la/metadata.xml", &content, &len, NULL));
fail_unless(strcmp(provider->metadata_filename, content) == 0);
fail_unless(provider->public_key == NULL);
fail_unless(provider->ca_cert_chain == NULL);
g_object_unref(server);
lasso_release_string(dump);
lasso_release_string(content);
}
END_TEST
START_TEST(test02_provider_new_from_dump)
{
LassoProvider *provider1, *provider2;
char *dump;
provider1 = lasso_provider_new(LASSO_PROVIDER_ROLE_SP,
TESTSDATADIR "/sp1-la/metadata.xml",
TESTSDATADIR "/sp1-la/public-key.pem",
TESTSDATADIR "/ca1-la/certificate.pem");
fail_unless(LASSO_IS_PROVIDER(provider1));
dump = lasso_node_dump(LASSO_NODE(provider1));
fail_unless(dump != NULL);
provider2 = lasso_provider_new_from_dump(dump);
fail_unless(LASSO_IS_PROVIDER(provider2));
lasso_release_string(dump);
dump = lasso_node_dump(LASSO_NODE(provider2));
fail_unless(dump != NULL);
g_object_unref(provider1);
g_object_unref(provider2);
lasso_release_string(dump);
}
END_TEST
START_TEST(test02_serviceProviderLogin)
{
char *serviceProviderContextDump, *identityProviderContextDump;
LassoServer *spContext, *idpContext;
LassoLogin *spLoginContext, *idpLoginContext;
LassoLibAuthnRequest *request;
int rc = 0;
char *relayState;
char *authnRequestUrl, *authnRequestQuery;
char *responseUrl, *responseQuery;
char *idpIdentityContextDump, *idpSessionContextDump;
char *serviceProviderId, *soapRequestMsg, *soapResponseMsg;
char *spIdentityContextDump;
char *spSessionDump;
char *spLoginDump;
int requestType;
char *found;
serviceProviderContextDump = generateServiceProviderContextDump();
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new(spContext);
fail_unless(spLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_init_authn_request(spLoginContext, "https://idp1/metadata",
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_init_authn_request failed");
request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(spLoginContext)->request);
fail_unless(LASSO_IS_LIB_AUTHN_REQUEST(request), "request should be authn_request");
request->IsPassive = 0;
request->NameIDPolicy = g_strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
request->consent = g_strdup(LASSO_LIB_CONSENT_OBTAINED);
relayState = "fake[]";
request->RelayState = g_strdup(relayState);
rc = lasso_login_build_authn_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_authn_request_msg failed");
authnRequestUrl = LASSO_PROFILE(spLoginContext)->msg_url;
fail_unless(authnRequestUrl != NULL,
"authnRequestUrl shouldn't be NULL");
authnRequestQuery = strchr(authnRequestUrl, '?')+1;
fail_unless(strlen(authnRequestQuery) > 0,
"authnRequestQuery shouldn't be an empty string");
spLoginDump = lasso_node_dump(LASSO_NODE(spLoginContext));
fail_unless(strstr(authnRequestQuery, "RelayState") != NULL,
"authnRequestQuery should contain a RelayState parameter");
fail_unless(strstr(authnRequestQuery, "fake%5B%5D") != NULL,
"authnRequestQuery RelayState parameter should be encoded");
/* Identity provider singleSignOn, for a user having no federation. */
identityProviderContextDump = generateIdentityProviderContextDump();
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
fail_unless(idpLoginContext != NULL,
"lasso_login_new() shouldn't have returned NULL");
rc = lasso_login_process_authn_request_msg(idpLoginContext, authnRequestQuery);
fail_unless(rc == 0, "lasso_login_process_authn_request_msg failed");
fail_unless(lasso_login_must_authenticate(idpLoginContext),
"lasso_login_must_authenticate() should be TRUE");
fail_unless(idpLoginContext->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART,
"protocoleProfile should be ProfileBrwsArt");
fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext),
"lasso_login_must_ask_for_consent() should be FALSE");
fail_unless(idpLoginContext->parent.msg_relayState != NULL,
"lasso_login_process_authn_request_msg should restore the RelayState parameter");
fail_unless(lasso_strisequal(idpLoginContext->parent.msg_relayState,relayState),
"lasso_login_process_authn_request_msg should restore the same RelayState thant sent in the request");
rc = lasso_login_validate_request_msg(idpLoginContext,
1, /* authentication_result */
0 /* is_consent_obtained */
);
rc = lasso_login_build_assertion(idpLoginContext,
LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
"FIXME: authenticationInstant",
"FIXME: reauthenticateOnOrAfter",
"FIXME: notBefore",
"FIXME: notOnOrAfter");
rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT);
fail_unless(rc == 0, "lasso_login_build_artifact_msg failed");
idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity);
fail_unless(idpIdentityContextDump != NULL,
"lasso_identity_dump shouldn't return NULL");
idpSessionContextDump = lasso_session_dump(LASSO_PROFILE(idpLoginContext)->session);
fail_unless(idpSessionContextDump != NULL,
"lasso_session_dump shouldn't return NULL");
responseUrl = LASSO_PROFILE(idpLoginContext)->msg_url;
fail_unless(responseUrl != NULL, "responseUrl shouldn't be NULL");
responseQuery = strchr(responseUrl, '?')+1;
fail_unless(strlen(responseQuery) > 0,
"responseQuery shouldn't be an empty string");
fail_unless(strstr(responseQuery, "RelayState") != NULL,
"responseQuery should contain a RelayState parameter");
fail_unless(strstr(responseQuery, "fake%5B%5D") != NULL,
"responseQuery RelayState parameter should be encoded");
serviceProviderId = g_strdup(LASSO_PROFILE(idpLoginContext)->remote_providerID);
fail_unless(serviceProviderId != NULL,
"lasso_profile_get_remote_providerID shouldn't return NULL");
/* Service provider assertion consumer */
lasso_server_destroy(spContext);
lasso_login_destroy(spLoginContext);
spContext = lasso_server_new_from_dump(serviceProviderContextDump);
spLoginContext = lasso_login_new_from_dump(spContext, spLoginDump);
rc = lasso_login_init_request(spLoginContext,
responseQuery,
LASSO_HTTP_METHOD_REDIRECT);
fail_unless(spLoginContext->parent.msg_relayState != NULL,
"lasso_login_init_request should restore the RelayState parameter");
fail_unless(lasso_strisequal(spLoginContext->parent.msg_relayState,relayState),
"lasso_login_init_request should restore the same RelayState thant sent in the request");
fail_unless(rc == 0, "lasso_login_init_request failed");
rc = lasso_login_build_request_msg(spLoginContext);
fail_unless(rc == 0, "lasso_login_build_request_msg failed");
soapRequestMsg = LASSO_PROFILE(spLoginContext)->msg_body;
fail_unless(soapRequestMsg != NULL, "soapRequestMsg must not be NULL");
/* Identity provider SOAP endpoint */
lasso_server_destroy(idpContext);
lasso_login_destroy(idpLoginContext);
requestType = lasso_profile_get_request_type_from_soap_msg(soapRequestMsg);
fail_unless(requestType == LASSO_REQUEST_TYPE_LOGIN,
"requestType should be LASSO_REQUEST_TYPE_LOGIN");
idpContext = lasso_server_new_from_dump(identityProviderContextDump);
idpLoginContext = lasso_login_new(idpContext);
rc = lasso_login_process_request_msg(idpLoginContext, soapRequestMsg);
fail_unless(rc == 0, "lasso_login_process_request_msg failed");
rc = lasso_profile_set_session_from_dump(LASSO_PROFILE(idpLoginContext),
idpSessionContextDump);
fail_unless(rc == 0, "lasso_login_set_assertion_from_dump failed");
rc = lasso_login_build_response_msg(idpLoginContext, serviceProviderId);
fail_unless(rc == 0, "lasso_login_build_response_msg failed");
soapResponseMsg = LASSO_PROFILE(idpLoginContext)->msg_body;
fail_unless(soapResponseMsg != NULL, "soapResponseMsg must not be NULL");
/* Service provider assertion consumer (step 2: process SOAP response) */
rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg);
fail_unless(rc == 0, "lasso_login_process_response_msg failed");
rc = lasso_login_accept_sso(spLoginContext);
fail_unless(rc == 0, "lasso_login_accept_sso failed");
fail_unless(LASSO_PROFILE(spLoginContext)->identity != NULL,
"spLoginContext has no identity");
spIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(spLoginContext)->identity);
fail_unless(spIdentityContextDump != NULL, "lasso_identity_dump failed");
spSessionDump = lasso_session_dump(LASSO_PROFILE(spLoginContext)->session);
/* Test InResponseTo checking */
found = strstr(soapResponseMsg, "Assertion");
fail_unless(found != NULL, "We must find an Assertion");
found = strstr(found, "InResponseTo=\"");
fail_unless(found != NULL, "We must find an InResponseTo attribute");
found[sizeof("InResponseTo=\"")] = '?';
lasso_set_flag("no-verify-signature");
rc = lasso_login_process_response_msg(spLoginContext, soapResponseMsg);
lasso_set_flag("verify-signature");
fail_unless(rc != 0, "lasso_login_process_response_msg must fail");
rc = lasso_login_accept_sso(spLoginContext);
fail_unless(rc == 0, "lasso_login_accept_sso must fail");
g_free(spLoginDump);
g_free(serviceProviderId);
g_free(serviceProviderContextDump);
g_free(identityProviderContextDump);
g_free(idpSessionContextDump);
g_free(idpIdentityContextDump);
g_free(spIdentityContextDump);
g_free(spSessionDump);
g_object_unref(spContext);
g_object_unref(idpContext);
g_object_unref(spLoginContext);
g_object_unref(idpLoginContext);
}
/**
* lasso_identity_dump:
* @identity: a #LassoIdentity
*
* Dumps @identity content to an XML string.
*
* Return value:(transfer full): the dump string. It must be freed by the caller.
**/
gchar*
lasso_identity_dump(LassoIdentity *identity)
{
return lasso_node_dump(LASSO_NODE(identity));
}
/**
* lasso_server_dump:
* @server: a #LassoServer
*
* Dumps @server content to an XML string.
*
* Return value:(transfer full): the dump string. It must be freed by the caller.
**/
gchar*
lasso_server_dump(LassoServer *server)
{
return lasso_node_dump(LASSO_NODE(server));
}
