Adapt test to the fact that unsigned SAML Responses now are invalid with strict is false

Author: pitbulk

tests/src/OneLogin/Saml2/AuthTest.php

@@ -92,6 +92,7 @@ public function testProcessNoResponse()
     * @covers OneLogin_Saml2_Auth::getNameId
     * @covers OneLogin_Saml2_Auth::getErrors
     * @covers OneLogin_Saml2_Auth::getSessionIndex
+    * @covers OneLogin_Saml2_Auth::getLastErrorReason    
     */
     public function testProcessResponseInvalid()
     {
@@ -106,6 +107,7 @@ public function testProcessResponseInvalid()
         $this->assertNull($this->_auth->getSessionIndex());
         $this->assertNull($this->_auth->getAttribute('uid'));
         $this->assertEquals($this->_auth->getErrors(), array('invalid_response'));
+        $this->assertEquals($this->_auth->getLastErrorReason(), "Reference validation failed");
     }
 
     /**
@@ -127,15 +129,15 @@ public function testProcessResponseInvalidRequestId()
         $requestId = 'invalid';
         $this->_auth->processResponse($requestId);
 
-        $this->assertEmpty($this->_auth->getErrors());
+        $this->assertEquals("No Signature found. SAML Response rejected", $this->_auth->getLastErrorReason());
 
         $this->_auth->setStrict(true);
         $this->_auth->processResponse($requestId);
-        $this->assertEquals($this->_auth->getErrors(), array('invalid_response'));
+        $this->assertEquals("The InResponseTo of the Response: _57bcbf70-7b1f-012e-c821-782bcb13bb38, does not match the ID of the AuthNRequest sent by the SP: invalid", $this->_auth->getLastErrorReason());
 
         $validRequestId = '_57bcbf70-7b1f-012e-c821-782bcb13bb38';
         $this->_auth->processResponse($validRequestId);
-        $this->assertEmpty($this->_auth->getErrors());
+        $this->assertEquals("No Signature found. SAML Response rejected", $this->_auth->getLastErrorReason());
     }
 
     /**
@@ -154,29 +156,18 @@ public function testProcessResponseInvalidRequestId()
     */
     public function testProcessResponseValid()
     {
-        $message = file_get_contents(TEST_ROOT . '/data/responses/unsigned_response.xml.base64');
-
-        $plainMessage = base64_decode($message);
-        $currentURL = OneLogin_Saml2_Utils::getSelfURLNoQuery();
-        $plainMessage = str_replace('http://stuff.com/endpoints/endpoints/acs.php', $currentURL, $plainMessage);
-
-        $_POST['SAMLResponse'] = base64_encode($plainMessage);
+        $message = file_get_contents(TEST_ROOT . '/data/responses/valid_response.xml.base64');
+        $_POST['SAMLResponse'] = $message;
 
         $this->_auth->processResponse();
-
         $this->assertTrue($this->_auth->isAuthenticated());
-        $this->assertEmpty($this->_auth->getErrors());
-        $this->assertEquals('[email protected]', $this->_auth->getNameId());
+        $this->assertEquals('492882615acf31c8096b627245d76ae53036c090', $this->_auth->getNameId());
         $attributes = $this->_auth->getAttributes();
         $this->assertNotEmpty($attributes);
         $this->assertEquals($this->_auth->getAttribute('mail'), $attributes['mail']);
         $sessionIndex = $this->_auth->getSessionIndex();
         $this->assertNotNull($sessionIndex);
-        $this->assertEquals('_51be37965feb5579d803141076936dc2e9d1d98ebf', $sessionIndex);
-
-        $this->_auth->setStrict(true);
-        $this->_auth->processResponse();
-        $this->assertEmpty($this->_auth->getErrors());
+        $this->assertEquals('_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb', $sessionIndex);
     }
 
     /**

tests/src/OneLogin/Saml2/LogoutResponseTest.php

@@ -106,6 +106,12 @@ public function testQuery()
     */
     public function testGetError()
     {
+        $message = file_get_contents(TEST_ROOT . '/data/logout_responses/logout_response_deflated.xml.base64');
+        $requestId = 'invalid_request_id';
+        $response = new OneLogin_Saml2_LogoutResponse($this->_settings, $message);
+        $this->_settings->setStrict(true);
+        $this->assertFalse($response->isValid($requestId));
+        $this->assertEquals($response->getError(), 'The InResponseTo of the Logout Response: ONELOGIN_21584ccdfaca36a145ae990442dcd96bfe60151e, does not match the ID of the Logout request sent by the SP: invalid_request_id');
 
     }
 

tests/src/OneLogin/Saml2/ResponseTest.php

@@ -532,7 +532,8 @@ public function testIsInValidEncAttrs()
         $xml = file_get_contents(TEST_ROOT . '/data/responses/invalids/encrypted_attrs.xml.base64');
         $response = new OneLogin_Saml2_Response($this->_settings, $xml);
 
-        $this->assertTrue($response->isValid());
+        $this->assertFalse($response->isValid());
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
         $response2 = new OneLogin_Saml2_Response($this->_settings, $xml);
@@ -552,7 +553,8 @@ public function testIsInValidDestination()
         $xml = file_get_contents(TEST_ROOT . '/data/responses/unsigned_response.xml.base64');
 
         $response = new OneLogin_Saml2_Response($this->_settings, $xml);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
         $response2 = new OneLogin_Saml2_Response($this->_settings, $xml);
@@ -577,7 +579,8 @@ public function testIsInValidAudience()
         $message = base64_encode($plainMessage);
 
         $response = new OneLogin_Saml2_Response($this->_settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
         $response2 = new OneLogin_Saml2_Response($this->_settings, $message);
@@ -609,10 +612,12 @@ public function testIsInValidIssuer()
         $message2 = base64_encode($plainMessage2);
 
         $response = new OneLogin_Saml2_Response($this->_settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $response2 = new OneLogin_Saml2_Response($this->_settings, $message2);
-        $this->assertTrue($response2->isValid());
+        $response2->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response2->getError());
 
         $this->_settings->setStrict(true);
         $response3 = new OneLogin_Saml2_Response($this->_settings, $message);
@@ -642,7 +647,8 @@ public function testIsInValidSessionIndex()
         $message = base64_encode($plainMessage);
 
         $response = new OneLogin_Saml2_Response($this->_settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
         $response2 = new OneLogin_Saml2_Response($this->_settings, $message);
@@ -692,22 +698,28 @@ public function testIsInValidSubjectConfirmation()
         $message6 = base64_encode($plainMessage6);
 
         $response = new OneLogin_Saml2_Response($this->_settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $response2 = new OneLogin_Saml2_Response($this->_settings, $message2);
-        $this->assertTrue($response2->isValid());
+        $response2->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response2->getError());
 
         $response3 = new OneLogin_Saml2_Response($this->_settings, $message3);
-        $this->assertTrue($response3->isValid());
+        $response3->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response3->getError());
 
         $response4 = new OneLogin_Saml2_Response($this->_settings, $message4);
-        $this->assertTrue($response4->isValid());
+        $response3->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response3->getError());
 
         $response5 = new OneLogin_Saml2_Response($this->_settings, $message5);
-        $this->assertTrue($response5->isValid());
+        $response5->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response3->getError());
 
         $response6 = new OneLogin_Saml2_Response($this->_settings, $message6);
-        $this->assertTrue($response6->isValid());
+        $response6->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response3->getError());
 
         $this->_settings->setStrict(true);
 
@@ -746,7 +758,8 @@ public function testDatetimeWithMiliseconds()
     {
         $xml = file_get_contents(TEST_ROOT . '/data/responses/unsigned_response_with_miliseconds.xm.base64');
         $response = new OneLogin_Saml2_Response($this->_settings, $xml);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
 
@@ -757,7 +770,8 @@ public function testDatetimeWithMiliseconds()
 
         $response2 = new OneLogin_Saml2_Response($this->_settings, $message);
 
-        $this->assertTrue($response2->isValid());
+        $response2->isValid();
+        $this->assertEquals('No Signature found. SAML Response rejected', $response2->getError());
     }
 
     /**
@@ -778,15 +792,18 @@ public function testIsInValidRequestId()
         $response = new OneLogin_Saml2_Response($this->_settings, $message);
 
         $requestId = 'invalid';
-        $this->assertTrue($response->isValid($requestId));
+        $response->isValid($requestId);
+        $this->assertEquals('No Signature found. SAML Response rejected', $response->getError());
 
         $this->_settings->setStrict(true);
 
-        $this->assertFalse($response->isValid($requestId));
-        $this->assertContains('The InResponseTo of the Response', $response->getError());
+        $response2 = new OneLogin_Saml2_Response($this->_settings, $message);
+        $response2->isValid($requestId);
+        $this->assertContains('The InResponseTo of the Response', $response2->getError());
 
         $validRequestId = '_57bcbf70-7b1f-012e-c821-782bcb13bb38';
-        $this->assertTrue($response->isValid($validRequestId));
+        $response2->isValid($validRequestId);
+        $this->assertContains('No Signature found. SAML Response rejected', $response2->getError());
     }
 
 
@@ -810,18 +827,21 @@ public function testIsInValidSignIssues()
         $settingsInfo['security']['wantAssertionsSigned'] = false;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
         $response = new OneLogin_Saml2_Response($settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response->getError());
 
         $settingsInfo['security']['wantAssertionsSigned'] = true;
         $settings2 = new OneLogin_Saml2_Settings($settingsInfo);
         $response2 = new OneLogin_Saml2_Response($settings2, $message);
-        $this->assertTrue($response2->isValid());
+        $response2->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response2->getError());
 
         $settingsInfo['strict'] = true;
         $settingsInfo['security']['wantAssertionsSigned'] = false;
         $settings3 = new OneLogin_Saml2_Settings($settingsInfo);
         $response3 = new OneLogin_Saml2_Response($settings3, $message);
-        $this->assertTrue($response3->isValid());
+        $response3->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response3->getError());
 
         $settingsInfo['security']['wantAssertionsSigned'] = true;
         $settings4 = new OneLogin_Saml2_Settings($settingsInfo);
@@ -836,18 +856,21 @@ public function testIsInValidSignIssues()
         $settingsInfo['security']['wantMessagesSigned'] = false;
         $settings5 = new OneLogin_Saml2_Settings($settingsInfo);
         $response5 = new OneLogin_Saml2_Response($settings5, $message);
-        $this->assertTrue($response5->isValid());
+        $response5->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response5->getError());
 
         $settingsInfo['security']['wantMessagesSigned'] = true;
         $settings6 = new OneLogin_Saml2_Settings($settingsInfo);
         $response6 = new OneLogin_Saml2_Response($settings6, $message);
-        $this->assertTrue($response6->isValid());
+        $response6->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response6->getError());
 
         $settingsInfo['strict'] = true;
         $settingsInfo['security']['wantMessagesSigned'] = false;
         $settings7 = new OneLogin_Saml2_Settings($settingsInfo);
         $response7 = new OneLogin_Saml2_Response($settings7, $message);
-        $this->assertTrue($response7->isValid());
+        $response7->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response7->getError());
 
         $settingsInfo['security']['wantMessagesSigned'] = true;
         $settings8 = new OneLogin_Saml2_Settings($settingsInfo);
@@ -877,13 +900,15 @@ public function testIsInValidEncIssues()
         $settingsInfo['security']['wantAssertionsEncrypted'] = true;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
         $response = new OneLogin_Saml2_Response($settings, $message);
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response->getError());
 
         $settingsInfo['strict'] = true;
         $settingsInfo['security']['wantAssertionsEncrypted'] = false;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
         $response2 = new OneLogin_Saml2_Response($settings, $message);
-        $this->assertTrue($response2->isValid());
+        $response2->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response2->getError());
 
         $settingsInfo['security']['wantAssertionsEncrypted'] = true;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
@@ -897,13 +922,14 @@ public function testIsInValidEncIssues()
         $settingsInfo['strict'] = false;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
         $response4 = new OneLogin_Saml2_Response($settings, $message);
-        $this->assertTrue($response4->isValid());
+        $response4->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response4->getError());
 
         $settingsInfo['strict'] = true;
         $settings = new OneLogin_Saml2_Settings($settingsInfo);
-        $response4 = new OneLogin_Saml2_Response($settings, $message);
-        $this->assertFalse($response4->isValid());
-        $this->assertEquals('The NameID of the Response is not encrypted and the SP requires it', $response4->getError());
+        $response5 = new OneLogin_Saml2_Response($settings, $message);
+        $this->assertFalse($response5->isValid());
+        $this->assertEquals('The NameID of the Response is not encrypted and the SP requires it', $response5->getError());
     }
 
     /**
@@ -959,7 +985,8 @@ public function testNamespaceIsValid()
         $xml = file_get_contents(TEST_ROOT . '/data/responses/response_namespaces.xml.base64');
         $response = new OneLogin_Saml2_Response($this->_settings, $xml);
 
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response->getError());
     }
 
     /**
@@ -973,7 +1000,8 @@ public function testADFSValid()
         $xml = file_get_contents(TEST_ROOT . '/data/responses/response_adfs1.xml.base64');
         $response = new OneLogin_Saml2_Response($this->_settings, $xml);
 
-        $this->assertTrue($response->isValid());
+        $response->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response->getError());
     }
 
 
@@ -1049,7 +1077,8 @@ public function testIsValidEnc()
 
         $response4 = new OneLogin_Saml2_Response($settings, $message4);
 
-        $this->assertTrue($response4->isValid());
+        $response4->isValid();
+        $this->assertContains('No Signature found. SAML Response rejected', $response4->getError());
     }
 
     /**

tests/src/OneLogin/Saml2/SettingsTest.php

@@ -75,6 +75,7 @@ public function testLoadSettingsFromFile()
     /**
     * Tests getCertPath method of the OneLogin_Saml2_Settings
     *
+    * @covers OneLogin_Saml2_Settings::getBasePath
     * @covers OneLogin_Saml2_Settings::getCertPath
     */
     public function testGetCertPath()
@@ -392,6 +393,33 @@ public function testGetSPMetadataSignedNoMetadataCert()
         }
     }
 
+
+    /**
+    * Tests the setIdPCert method of the OneLogin_Saml2_Settings
+    *
+    * @covers OneLogin_Saml2_Settings::setIdPCert
+    */
+    public function testSetIdPCert()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $cert = $settingsInfo['idp']['x509cert'];
+        unset($settingsInfo['idp']['x509cert']);
+
+        $settings = new OneLogin_Saml2_Settings($settingsInfo);
+        $idpData = $settings->getIdPData();
+        $this->assertEquals($idpData['x509cert'], '');
+
+        $settings->setIdPCert($cert);
+        $idpData2 = $settings->getIdPData();
+        $this->assertNotEquals($idpData2['x509cert'], '');
+        $this->assertNotEquals($idpData2['x509cert'], $cert);
+
+        $formatedCert = OneLogin_Saml2_Utils::formatCert($cert);
+        $this->assertEquals($idpData2['x509cert'], $formatedCert);
+    }
+
     /**
     * Tests the validateMetadata method of the OneLogin_Saml2_Settings
     * Case valid metadata