samltest/saml2/binding/SAML2POSTTest.h

   1 /**
   2  * Licensed to the University Corporation for Advanced Internet
   3  * Development, Inc. (UCAID) under one or more contributor license
   4  * agreements. See the NOTICE file distributed with this work for
   5  * additional information regarding copyright ownership.
   6  *
   7  * UCAID licenses this file to you under the Apache License,
   8  * Version 2.0 (the "License"); you may not use this file except
   9  * in compliance with the License. You may obtain a copy of the
  10  * License at
  11  *
  12  * http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
  17  * either express or implied. See the License for the specific
  18  * language governing permissions and limitations under the License.
  19  */
  20
  21 #include "binding.h"
  22
  23 #include <saml/saml2/core/Protocols.h>
  24
  25 using namespace opensaml::saml2p;
  26 using namespace opensaml::saml2;
  27
  28 class SAML2POSTTest : public CxxTest::TestSuite, public SAMLBindingBaseTestCase {
  29 public:
  30     void setUp() {
  31         SAMLBindingBaseTestCase::setUp();
  32     }
  33
  34     void tearDown() {
  35         SAMLBindingBaseTestCase::tearDown();
  36     }
  37
  38     void testSAML2POST() {
  39         try {
  40             xmltooling::QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME);
  41             SecurityPolicy policy(m_metadata, &idprole, m_trust, false);
  42             policy.getRules().assign(m_rules.begin(), m_rules.end());
  43
  44             // Read message to use from file.
  45             string path = data_path + "saml2/binding/SAML2Response.xml";
  46             ifstream in(path.c_str());
  47             DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
  48             XercesJanitor<DOMDocument> janitor(doc);
  49             auto_ptr<Response> toSend(
  50                 dynamic_cast<Response*>(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(),true))
  51                 );
  52             janitor.release();
  53
  54             CredentialCriteria cc;
  55             cc.setUsage(Credential::SIGNING_CREDENTIAL);
  56             Locker clocker(m_creds);
  57             const Credential* cred = m_creds->resolve(&cc);
  58             TSM_ASSERT("Retrieved credential was null", cred!=nullptr);
  59
  60             // Freshen timestamp and ID.
  61             toSend->setIssueInstant(time(nullptr));
  62             toSend->setID(nullptr);
  63
  64             // Encode message.
  65             auto_ptr_XMLCh lit1("MessageEncoder");
  66             auto_ptr_XMLCh lit2("template");
  67             path = data_path + "binding/template.html";
  68             auto_ptr_XMLCh lit3(path.c_str());
  69             DOMDocument* encoder_config = XMLToolingConfig::getConfig().getParser().newDocument();
  70             XercesJanitor<DOMDocument> janitor2(encoder_config);
  71             encoder_config->appendChild(encoder_config->createElementNS(nullptr,lit1.get()));
  72             encoder_config->getDocumentElement()->setAttributeNS(nullptr,lit2.get(),lit3.get());
  73             auto_ptr<MessageEncoder> encoder(
  74                 SAMLConfig::getConfig().MessageEncoderManager.newPlugin(
  75                     samlconstants::SAML20_BINDING_HTTP_POST, pair<const DOMElement*,const XMLCh*>(encoder_config->getDocumentElement(), nullptr)
  76                     )
  77                 );
  78             Locker locker(m_metadata);
  79             encoder->encode(
  80                 *this,
  81                 toSend.get(),
  82                 "https://sp.example.org/SAML/SSO",
  83                 m_metadata->getEntityDescriptor(MetadataProvider::Criteria("https://sp.example.org/")).first,
  84                 "state",
  85                 nullptr,
  86                 cred
  87                 );
  88             toSend.release();
  89
  90             // Decode message.
  91             string relayState;
  92             auto_ptr<MessageDecoder> decoder(
  93                 SAMLConfig::getConfig().MessageDecoderManager.newPlugin(
  94                     samlconstants::SAML20_BINDING_HTTP_POST, pair<const DOMElement*,const XMLCh*>(nullptr,nullptr)
  95                     )
  96                 );
  97             auto_ptr<Response> response(dynamic_cast<Response*>(decoder->decode(relayState,*this,policy)));
  98
  99             // Test the results.
 100             TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state");
 101             TSM_ASSERT("SAML Response not decoded successfully.", response.get());
 102             TSM_ASSERT("Message was not verified.", policy.isAuthenticated());
 103             auto_ptr_char entityID(policy.getIssuer()->getName());
 104             TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/"));
 105             TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1);
 106
 107             // Trigger a replay.
 108             policy.reset();
 109             TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), SecurityPolicyException);
 110         }
 111         catch (XMLToolingException& ex) {
 112             TS_TRACE(ex.what());
 113             throw;
 114         }
 115     }
 116
 117     void testSAML2POSTSimpleSign() {
 118         try {
 119             xmltooling::QName idprole(samlconstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME);
 120             SecurityPolicy policy(m_metadata, &idprole, m_trust, false);
 121             policy.getRules().assign(m_rules.begin(), m_rules.end());
 122
 123             // Read message to use from file.
 124             string path = data_path + "saml2/binding/SAML2Response.xml";
 125             ifstream in(path.c_str());
 126             DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in);
 127             XercesJanitor<DOMDocument> janitor(doc);
 128             auto_ptr<Response> toSend(
 129                 dynamic_cast<Response*>(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(),true))
 130                 );
 131             janitor.release();
 132
 133             CredentialCriteria cc;
 134             cc.setUsage(Credential::SIGNING_CREDENTIAL);
 135             Locker clocker(m_creds);
 136             const Credential* cred = m_creds->resolve(&cc);
 137             TSM_ASSERT("Retrieved credential was null", cred!=nullptr);
 138
 139             // Freshen timestamp and ID.
 140             toSend->setIssueInstant(time(nullptr));
 141             toSend->setID(nullptr);
 142
 143             // Encode message.
 144             auto_ptr_XMLCh lit1("MessageEncoder");
 145             auto_ptr_XMLCh lit2("template");
 146             path = data_path + "binding/template.html";
 147             auto_ptr_XMLCh lit3(path.c_str());
 148             DOMDocument* encoder_config = XMLToolingConfig::getConfig().getParser().newDocument();
 149             XercesJanitor<DOMDocument> janitor2(encoder_config);
 150             encoder_config->appendChild(encoder_config->createElementNS(nullptr,lit1.get()));
 151             encoder_config->getDocumentElement()->setAttributeNS(nullptr,lit2.get(),lit3.get());
 152             auto_ptr<MessageEncoder> encoder(
 153                 SAMLConfig::getConfig().MessageEncoderManager.newPlugin(
 154                     samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN, pair<const DOMElement*,const XMLCh*>(encoder_config->getDocumentElement(),nullptr)
 155                     )
 156                 );
 157             Locker locker(m_metadata);
 158             encoder->encode(
 159                 *this,
 160                 toSend.get(),
 161                 "https://sp.example.org/SAML/SSO",
 162                 m_metadata->getEntityDescriptor(MetadataProvider::Criteria("https://sp.example.org/")).first,
 163                 "state",
 164                 nullptr,
 165                 cred
 166                 );
 167             toSend.release();
 168
 169             // Decode message.
 170             string relayState;
 171             auto_ptr<MessageDecoder> decoder(
 172                 SAMLConfig::getConfig().MessageDecoderManager.newPlugin(
 173                     samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN, pair<const DOMElement*,const XMLCh*>(nullptr,nullptr)
 174                     )
 175                 );
 176             auto_ptr<Response> response(dynamic_cast<Response*>(decoder->decode(relayState,*this,policy)));
 177
 178             // Test the results.
 179             TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state");
 180             TSM_ASSERT("SAML Response not decoded successfully.", response.get());
 181             TSM_ASSERT("Message was not verified.", policy.isAuthenticated());
 182             auto_ptr_char entityID(policy.getIssuer()->getName());
 183             TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/"));
 184             TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1);
 185
 186             // Trigger a replay.
 187             policy.reset();
 188             TSM_ASSERT_THROWS("Did not catch the replay.", decoder->decode(relayState,*this,policy), SecurityPolicyException);
 189         }
 190         catch (XMLToolingException& ex) {
 191             TS_TRACE(ex.what());
 192             throw;
 193         }
 194     }
 195 };