/boomhammer/vendor/gems/ruby-openid-2.1.4/test/test_server.rb
Ruby | 2457 lines | 1972 code | 322 blank | 163 comment | 26 complexity | 1c5d2f9de227427638e28300cb536adc MD5 | raw file
Possible License(s): GPL-2.0, Apache-2.0, GPL-3.0
Large files files are truncated, but you can click here to view the full file
- require 'openid/server'
- require 'openid/cryptutil'
- require 'openid/association'
- require 'openid/util'
- require 'openid/message'
- require 'openid/store/memory'
- require 'openid/dh'
- require 'openid/consumer/associationmanager'
- require 'util'
- require "testutil"
- require 'test/unit'
- require 'uri'
- # In general, if you edit or add tests here, try to move in the
- # direction of testing smaller units. For testing the external
- # interfaces, we'll be developing an implementation-agnostic testing
- # suite.
- # for more, see /etc/ssh/moduli
- module OpenID
- ALT_MODULUS = 0xCAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7AFFE86A7
- ALT_GEN = 5
- class CatchLogs
- def catchlogs_setup
- @old_logger = Util.logger
- Util.logger = self.method('got_log_message')
- @messages = []
- end
- def got_log_message(message)
- @messages << message
- end
- def teardown
- Util.logger = @old_logger
- end
- end
- class TestProtocolError < Test::Unit::TestCase
- def test_browserWithReturnTo
- return_to = "http://rp.unittest/consumer"
- # will be a ProtocolError raised by Decode or
- # CheckIDRequest.answer
- args = Message.from_post_args({
- 'openid.mode' => 'monkeydance',
- 'openid.identity' => 'http://wagu.unittest/',
- 'openid.return_to' => return_to,
- })
- e = Server::ProtocolError.new(args, "plucky")
- assert(e.has_return_to)
- expected_args = {
- 'openid.mode' => 'error',
- 'openid.error' => 'plucky',
- }
- rt_base, result_args = e.encode_to_url.split('?', 2)
- result_args = Util.parse_query(result_args)
- assert_equal(result_args, expected_args)
- end
- def test_browserWithReturnTo_OpenID2_GET
- return_to = "http://rp.unittest/consumer"
- # will be a ProtocolError raised by Decode or
- # CheckIDRequest.answer
- args = Message.from_post_args({
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'monkeydance',
- 'openid.identity' => 'http://wagu.unittest/',
- 'openid.claimed_id' => 'http://wagu.unittest/',
- 'openid.return_to' => return_to,
- })
- e = Server::ProtocolError.new(args, "plucky")
- assert(e.has_return_to)
- expected_args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'error',
- 'openid.error' => 'plucky',
- }
- rt_base, result_args = e.encode_to_url.split('?', 2)
- result_args = Util.parse_query(result_args)
- assert_equal(result_args, expected_args)
- end
- def test_browserWithReturnTo_OpenID2_POST
- return_to = "http://rp.unittest/consumer" + ('x' * OPENID1_URL_LIMIT)
- # will be a ProtocolError raised by Decode or
- # CheckIDRequest.answer
- args = Message.from_post_args({
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'monkeydance',
- 'openid.identity' => 'http://wagu.unittest/',
- 'openid.claimed_id' => 'http://wagu.unittest/',
- 'openid.return_to' => return_to,
- })
- e = Server::ProtocolError.new(args, "plucky")
- assert(e.has_return_to)
- expected_args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'error',
- 'openid.error' => 'plucky',
- }
- assert(e.which_encoding == Server::ENCODE_HTML_FORM)
- assert(e.to_form_markup == e.to_message.to_form_markup(
- args.get_arg(OPENID_NS, 'return_to')))
- end
- def test_browserWithReturnTo_OpenID1_exceeds_limit
- return_to = "http://rp.unittest/consumer" + ('x' * OPENID1_URL_LIMIT)
- # will be a ProtocolError raised by Decode or
- # CheckIDRequest.answer
- args = Message.from_post_args({
- 'openid.mode' => 'monkeydance',
- 'openid.identity' => 'http://wagu.unittest/',
- 'openid.return_to' => return_to,
- })
- e = Server::ProtocolError.new(args, "plucky")
- assert(e.has_return_to)
- expected_args = {
- 'openid.mode' => 'error',
- 'openid.error' => 'plucky',
- }
- assert(e.which_encoding == Server::ENCODE_URL)
- rt_base, result_args = e.encode_to_url.split('?', 2)
- result_args = Util.parse_query(result_args)
- assert_equal(result_args, expected_args)
- end
- def test_noReturnTo
- # will be a ProtocolError raised by Decode or
- # CheckIDRequest.answer
- args = Message.from_post_args({
- 'openid.mode' => 'zebradance',
- 'openid.identity' => 'http://wagu.unittest/',
- })
- e = Server::ProtocolError.new(args, "waffles")
- assert(!e.has_return_to)
- expected = "error:waffles\nmode:error\n"
- assert_equal(e.encode_to_kvform, expected)
- end
- def test_no_message
- e = Server::ProtocolError.new(nil, "no message")
- assert(e.get_return_to.nil?)
- assert_equal(e.which_encoding, nil)
- end
- def test_which_encoding_no_message
- e = Server::ProtocolError.new(nil, "no message")
- assert(e.which_encoding.nil?)
- end
- end
- class TestDecode < Test::Unit::TestCase
- def setup
- @claimed_id = 'http://de.legating.de.coder.unittest/'
- @id_url = "http://decoder.am.unittest/"
- @rt_url = "http://rp.unittest/foobot/?qux=zam"
- @tr_url = "http://rp.unittest/"
- @assoc_handle = "{assoc}{handle}"
- @op_endpoint = 'http://endpoint.unittest/encode'
- @store = Store::Memory.new()
- @server = Server::Server.new(@store, @op_endpoint)
- @decode = Server::Decoder.new(@server).method('decode')
- end
- def test_none
- args = {}
- r = @decode.call(args)
- assert_equal(r, nil)
- end
- def test_irrelevant
- args = {
- 'pony' => 'spotted',
- 'sreg.mutant_power' => 'decaffinator',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_bad
- args = {
- 'openid.mode' => 'twos-compliment',
- 'openid.pants' => 'zippered',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_dictOfLists
- args = {
- 'openid.mode' => ['checkid_setup'],
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.trust_root' => @tr_url,
- }
- begin
- result = @decode.call(args)
- rescue ArgumentError => err
- assert(!err.to_s.index('values').nil?, err)
- else
- flunk("Expected ArgumentError, but got result #{result}")
- end
- end
- def test_checkidImmediate
- args = {
- 'openid.mode' => 'checkid_immediate',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.trust_root' => @tr_url,
- # should be ignored
- 'openid.some.extension' => 'junk',
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckIDRequest))
- assert_equal(r.mode, "checkid_immediate")
- assert_equal(r.immediate, true)
- assert_equal(r.identity, @id_url)
- assert_equal(r.trust_root, @tr_url)
- assert_equal(r.return_to, @rt_url)
- assert_equal(r.assoc_handle, @assoc_handle)
- end
- def test_checkidImmediate_constructor
- r = Server::CheckIDRequest.new(@id_url, @rt_url, nil,
- @rt_url, true, @assoc_handle)
- assert(r.mode == 'checkid_immediate')
- assert(r.immediate)
- end
- def test_checkid_missing_return_to_and_trust_root
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.claimed_id' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- }
- assert_raise(Server::ProtocolError) {
- m = Message.from_post_args(args)
- Server::CheckIDRequest.from_message(m, @op_endpoint)
- }
- end
- def test_checkid_id_select
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => IDENTIFIER_SELECT,
- 'openid.claimed_id' => IDENTIFIER_SELECT,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.realm' => @tr_url,
- }
- m = Message.from_post_args(args)
- req = Server::CheckIDRequest.from_message(m, @op_endpoint)
- assert(req.id_select)
- end
- def test_checkid_not_id_select
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.realm' => @tr_url,
- }
- id_args = [
- {'openid.claimed_id' => IDENTIFIER_SELECT,
- 'openid.identity' => 'http://bogus.com/'},
- {'openid.claimed_id' => 'http://bogus.com/',
- 'openid.identity' => 'http://bogus.com/'},
- ]
- id_args.each { |id|
- m = Message.from_post_args(args.merge(id))
- req = Server::CheckIDRequest.from_message(m, @op_endpoint)
- assert(!req.id_select)
- }
- end
- def test_checkidSetup
- args = {
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.trust_root' => @tr_url,
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckIDRequest))
- assert_equal(r.mode, "checkid_setup")
- assert_equal(r.immediate, false)
- assert_equal(r.identity, @id_url)
- assert_equal(r.trust_root, @tr_url)
- assert_equal(r.return_to, @rt_url)
- end
- def test_checkidSetupOpenID2
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.claimed_id' => @claimed_id,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.realm' => @tr_url,
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckIDRequest))
- assert_equal(r.mode, "checkid_setup")
- assert_equal(r.immediate, false)
- assert_equal(r.identity, @id_url)
- assert_equal(r.claimed_id, @claimed_id)
- assert_equal(r.trust_root, @tr_url)
- assert_equal(r.return_to, @rt_url)
- end
- def test_checkidSetupNoClaimedIDOpenID2
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.realm' => @tr_url,
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_checkidSetupNoIdentityOpenID2
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.realm' => @tr_url,
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckIDRequest))
- assert_equal(r.mode, "checkid_setup")
- assert_equal(r.immediate, false)
- assert_equal(r.identity, nil)
- assert_equal(r.trust_root, @tr_url)
- assert_equal(r.return_to, @rt_url)
- end
- def test_checkidSetupNoReturnOpenID1
- # Make sure an OpenID 1 request cannot be decoded if it lacks a
- # return_to.
- args = {
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.trust_root' => @tr_url,
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_checkidSetupNoReturnOpenID2
- # Make sure an OpenID 2 request with no return_to can be decoded,
- # and make sure a response to such a request raises
- # NoReturnToError.
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.claimed_id' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.realm' => @tr_url,
- }
- req = @decode.call(args)
- assert(req.is_a?(Server::CheckIDRequest))
- assert_raise(Server::NoReturnToError) {
- req.answer(false)
- }
- assert_raise(Server::NoReturnToError) {
- req.encode_to_url('bogus')
- }
- assert_raise(Server::NoReturnToError) {
- req.cancel_url
- }
- end
- def test_checkidSetupRealmRequiredOpenID2
- # Make sure that an OpenID 2 request which lacks return_to cannot
- # be decoded if it lacks a realm. Spec => This value
- # (openid.realm) MUST be sent if openid.return_to is omitted.
- args = {
- 'openid.ns' => OPENID2_NS,
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_checkidSetupBadReturn
- args = {
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => 'not a url',
- }
- begin
- result = @decode.call(args)
- rescue Server::ProtocolError => err
- assert(err.openid_message)
- else
- flunk("Expected ProtocolError, instead returned with #{result}")
- end
- end
- def test_checkidSetupUntrustedReturn
- args = {
- 'openid.mode' => 'checkid_setup',
- 'openid.identity' => @id_url,
- 'openid.assoc_handle' => @assoc_handle,
- 'openid.return_to' => @rt_url,
- 'openid.trust_root' => 'http://not-the-return-place.unittest/',
- }
- begin
- result = @decode.call(args)
- rescue Server::UntrustedReturnURL => err
- assert(err.openid_message, err.to_s)
- else
- flunk("Expected UntrustedReturnURL, instead returned with #{result}")
- end
- end
- def test_checkidSetupUntrustedReturn_Constructor
- assert_raise(Server::UntrustedReturnURL) {
- Server::CheckIDRequest.new(@id_url, @rt_url, nil,
- 'http://not-the-return-place.unittest/',
- false, @assoc_handle)
- }
- end
- def test_checkidSetupMalformedReturnURL_Constructor
- assert_raise(Server::MalformedReturnURL) {
- Server::CheckIDRequest.new(@id_url, 'bogus://return.url', nil,
- 'http://trustroot.com/',
- false, @assoc_handle)
- }
- end
- def test_checkAuth
- args = {
- 'openid.mode' => 'check_authentication',
- 'openid.assoc_handle' => '{dumb}{handle}',
- 'openid.sig' => 'sigblob',
- 'openid.signed' => 'identity,return_to,response_nonce,mode',
- 'openid.identity' => 'signedval1',
- 'openid.return_to' => 'signedval2',
- 'openid.response_nonce' => 'signedval3',
- 'openid.baz' => 'unsigned',
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckAuthRequest))
- assert_equal(r.mode, 'check_authentication')
- assert_equal(r.sig, 'sigblob')
- end
- def test_checkAuthMissingSignature
- args = {
- 'openid.mode' => 'check_authentication',
- 'openid.assoc_handle' => '{dumb}{handle}',
- 'openid.signed' => 'foo,bar,mode',
- 'openid.foo' => 'signedval1',
- 'openid.bar' => 'signedval2',
- 'openid.baz' => 'unsigned',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_checkAuthAndInvalidate
- args = {
- 'openid.mode' => 'check_authentication',
- 'openid.assoc_handle' => '{dumb}{handle}',
- 'openid.invalidate_handle' => '[[SMART_handle]]',
- 'openid.sig' => 'sigblob',
- 'openid.signed' => 'identity,return_to,response_nonce,mode',
- 'openid.identity' => 'signedval1',
- 'openid.return_to' => 'signedval2',
- 'openid.response_nonce' => 'signedval3',
- 'openid.baz' => 'unsigned',
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::CheckAuthRequest))
- assert_equal(r.invalidate_handle, '[[SMART_handle]]')
- end
- def test_associateDH
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "Rzup9265tw==",
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::AssociateRequest))
- assert_equal(r.mode, "associate")
- assert_equal(r.session.session_type, "DH-SHA1")
- assert_equal(r.assoc_type, "HMAC-SHA1")
- assert(r.session.consumer_pubkey)
- end
- def test_associateDHMissingKey
- # Trying DH assoc w/o public key
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- }
- # Using DH-SHA1 without supplying dh_consumer_public is an error.
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_associateDHpubKeyNotB64
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "donkeydonkeydonkey",
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_associateDHModGen
- # test dh with non-default but valid values for dh_modulus and
- # dh_gen
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "Rzup9265tw==",
- 'openid.dh_modulus' => CryptUtil.num_to_base64(ALT_MODULUS),
- 'openid.dh_gen' => CryptUtil.num_to_base64(ALT_GEN) ,
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::AssociateRequest))
- assert_equal(r.mode, "associate")
- assert_equal(r.session.session_type, "DH-SHA1")
- assert_equal(r.assoc_type, "HMAC-SHA1")
- assert_equal(r.session.dh.modulus, ALT_MODULUS)
- assert_equal(r.session.dh.generator, ALT_GEN)
- assert(r.session.consumer_pubkey)
- end
- def test_associateDHCorruptModGen
- # test dh with non-default but valid values for dh_modulus and
- # dh_gen
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "Rzup9265tw==",
- 'openid.dh_modulus' => 'pizza',
- 'openid.dh_gen' => 'gnocchi',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_associateDHMissingGen
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "Rzup9265tw==",
- 'openid.dh_modulus' => 'pizza',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_associateDHMissingMod
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "Rzup9265tw==",
- 'openid.dh_gen' => 'pizza',
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- # def test_associateDHInvalidModGen(self):
- # # test dh with properly encoded values that are not a valid
- # # modulus/generator combination.
- # args = {
- # 'openid.mode': 'associate',
- # 'openid.session_type': 'DH-SHA1',
- # 'openid.dh_consumer_public': "Rzup9265tw==",
- # 'openid.dh_modulus': cryptutil.longToBase64(9),
- # 'openid.dh_gen': cryptutil.longToBase64(27) ,
- # }
- # self.failUnlessRaises(server.ProtocolError, self.decode, args)
- # test_associateDHInvalidModGen.todo = "low-priority feature"
- def test_associateWeirdSession
- args = {
- 'openid.mode' => 'associate',
- 'openid.session_type' => 'FLCL6',
- 'openid.dh_consumer_public' => "YQ==\n",
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_associatePlain
- args = {
- 'openid.mode' => 'associate',
- }
- r = @decode.call(args)
- assert(r.is_a?(Server::AssociateRequest))
- assert_equal(r.mode, "associate")
- assert_equal(r.session.session_type, "no-encryption")
- assert_equal(r.assoc_type, "HMAC-SHA1")
- end
- def test_nomode
- args = {
- 'openid.session_type' => 'DH-SHA1',
- 'openid.dh_consumer_public' => "my public keeey",
- }
- assert_raise(Server::ProtocolError) {
- @decode.call(args)
- }
- end
- def test_invalidns
- args = {'openid.ns' => 'Vegetables',
- 'openid.mode' => 'associate'}
- begin
- r = @decode.call(args)
- rescue Server::ProtocolError => err
- assert(err.openid_message)
- assert(err.to_s.index('Vegetables'))
- end
- end
- end
- class BogusEncoder < Server::Encoder
- def encode(response)
- return "BOGUS"
- end
- end
- class BogusDecoder < Server::Decoder
- def decode(query)
- return "BOGUS"
- end
- end
- class TestEncode < Test::Unit::TestCase
- def setup
- @encoder = Server::Encoder.new
- @encode = @encoder.method('encode')
- @op_endpoint = 'http://endpoint.unittest/encode'
- @store = Store::Memory.new
- @server = Server::Server.new(@store, @op_endpoint)
- end
- def test_id_res_OpenID2_GET
- # Check that when an OpenID 2 response does not exceed the OpenID
- # 1 message size, a GET response (i.e., redirect) is issued.
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false,
- nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'ns' => OPENID2_NS,
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'claimed_id' => request.identity,
- 'return_to' => request.return_to,
- })
- assert(!response.render_as_form)
- assert(response.which_encoding == Server::ENCODE_URL)
- webresponse = @encode.call(response)
- assert(webresponse.headers.member?('location'))
- end
- def test_id_res_OpenID2_POST
- # Check that when an OpenID 2 response exceeds the OpenID 1
- # message size, a POST response (i.e., an HTML form) is returned.
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false,
- nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'ns' => OPENID2_NS,
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'claimed_id' => request.identity,
- 'return_to' => 'x' * OPENID1_URL_LIMIT,
- })
- assert(response.render_as_form)
- assert(response.encode_to_url.length > OPENID1_URL_LIMIT)
- assert(response.which_encoding == Server::ENCODE_HTML_FORM)
- webresponse = @encode.call(response)
- assert_equal(webresponse.body, response.to_form_markup)
- end
- def test_to_form_markup
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false,
- nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'ns' => OPENID2_NS,
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'claimed_id' => request.identity,
- 'return_to' => 'x' * OPENID1_URL_LIMIT,
- })
- form_markup = response.to_form_markup({'foo'=>'bar'})
- assert(/ foo="bar"/ =~ form_markup, form_markup)
- end
- def test_to_html
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false,
- nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'ns' => OPENID2_NS,
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'claimed_id' => request.identity,
- 'return_to' => 'x' * OPENID1_URL_LIMIT,
- })
- html = response.to_html
- assert(html)
- end
- def test_id_res_OpenID1_exceeds_limit
- # Check that when an OpenID 1 response exceeds the OpenID 1
- # message size, a GET response is issued. Technically, this
- # shouldn't be permitted by the library, but this test is in place
- # to preserve the status quo for OpenID 1.
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false,
- nil)
- request.message = Message.new(OPENID1_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'return_to' => 'x' * OPENID1_URL_LIMIT,
- })
- assert(!response.render_as_form)
- assert(response.encode_to_url.length > OPENID1_URL_LIMIT)
- assert(response.which_encoding == Server::ENCODE_URL)
- webresponse = @encode.call(response)
- assert_equal(webresponse.headers['location'], response.encode_to_url)
- end
- def test_id_res
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false, nil)
- request.message = Message.new(OPENID1_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'mode' => 'id_res',
- 'identity' => request.identity,
- 'return_to' => request.return_to,
- })
- webresponse = @encode.call(response)
- assert_equal(webresponse.code, Server::HTTP_REDIRECT)
- assert(webresponse.headers.member?('location'))
- location = webresponse.headers['location']
- assert(location.starts_with?(request.return_to),
- sprintf("%s does not start with %s",
- location, request.return_to))
- # argh.
- q2 = Util.parse_query(URI::parse(location).query)
- expected = response.fields.to_post_args
- assert_equal(q2, expected)
- end
- def test_cancel
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false, nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'mode' => 'cancel',
- })
- webresponse = @encode.call(response)
- assert_equal(webresponse.code, Server::HTTP_REDIRECT)
- assert(webresponse.headers.member?('location'))
- end
- def test_cancel_to_form
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false, nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'mode' => 'cancel',
- })
- form = response.to_form_markup
- assert(form.index(request.return_to))
- end
- def test_assocReply
- msg = Message.new(OPENID2_NS)
- msg.set_arg(OPENID2_NS, 'session_type', 'no-encryption')
- request = Server::AssociateRequest.from_message(msg)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_post_args(
- {'openid.assoc_handle' => "every-zig"})
- webresponse = @encode.call(response)
- body = "assoc_handle:every-zig\n"
- assert_equal(webresponse.code, Server::HTTP_OK)
- assert_equal(webresponse.headers, {})
- assert_equal(webresponse.body, body)
- end
- def test_checkauthReply
- request = Server::CheckAuthRequest.new('a_sock_monkey',
- 'siggggg',
- [])
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({
- 'is_valid' => 'true',
- 'invalidate_handle' => 'xXxX:xXXx'
- })
- body = "invalidate_handle:xXxX:xXXx\nis_valid:true\n"
- webresponse = @encode.call(response)
- assert_equal(webresponse.code, Server::HTTP_OK)
- assert_equal(webresponse.headers, {})
- assert_equal(webresponse.body, body)
- end
- def test_unencodableError
- args = Message.from_post_args({
- 'openid.identity' => 'http://limu.unittest/',
- })
- e = Server::ProtocolError.new(args, "wet paint")
- assert_raise(Server::EncodingError) {
- @encode.call(e)
- }
- end
- def test_encodableError
- args = Message.from_post_args({
- 'openid.mode' => 'associate',
- 'openid.identity' => 'http://limu.unittest/',
- })
- body="error:snoot\nmode:error\n"
- webresponse = @encode.call(Server::ProtocolError.new(args, "snoot"))
- assert_equal(webresponse.code, Server::HTTP_ERROR)
- assert_equal(webresponse.headers, {})
- assert_equal(webresponse.body, body)
- end
- end
- class TestSigningEncode < Test::Unit::TestCase
- def setup
- @_dumb_key = Server::Signatory._dumb_key
- @_normal_key = Server::Signatory._normal_key
- @store = Store::Memory.new()
- @server = Server::Server.new(@store, "http://signing.unittest/enc")
- @request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false, nil)
- @request.message = Message.new(OPENID2_NS)
- @response = Server::OpenIDResponse.new(@request)
- @response.fields = Message.from_openid_args({
- 'mode' => 'id_res',
- 'identity' => @request.identity,
- 'return_to' => @request.return_to,
- })
- @signatory = Server::Signatory.new(@store)
- @encoder = Server::SigningEncoder.new(@signatory)
- @encode = @encoder.method('encode')
- end
- def test_idres
- assoc_handle = '{bicycle}{shed}'
- @store.store_association(
- @_normal_key,
- Association.from_expires_in(60, assoc_handle,
- 'sekrit', 'HMAC-SHA1'))
- @request.assoc_handle = assoc_handle
- webresponse = @encode.call(@response)
- assert_equal(webresponse.code, Server::HTTP_REDIRECT)
- assert(webresponse.headers.member?('location'))
- location = webresponse.headers['location']
- query = Util.parse_query(URI::parse(location).query)
- assert(query.member?('openid.sig'))
- assert(query.member?('openid.assoc_handle'))
- assert(query.member?('openid.signed'))
- end
- def test_idresDumb
- webresponse = @encode.call(@response)
- assert_equal(webresponse.code, Server::HTTP_REDIRECT)
- assert(webresponse.headers.has_key?('location'))
- location = webresponse.headers['location']
- query = Util.parse_query(URI::parse(location).query)
- assert(query.member?('openid.sig'))
- assert(query.member?('openid.assoc_handle'))
- assert(query.member?('openid.signed'))
- end
- def test_forgotStore
- @encoder.signatory = nil
- assert_raise(ArgumentError) {
- @encode.call(@response)
- }
- end
- def test_cancel
- request = Server::CheckIDRequest.new(
- 'http://bombom.unittest/',
- 'http://burr.unittest/999',
- @server.op_endpoint,
- 'http://burr.unittest/',
- false, nil)
- request.message = Message.new(OPENID2_NS)
- response = Server::OpenIDResponse.new(request)
- response.fields.set_arg(OPENID_NS, 'mode', 'cancel')
- webresponse = @encode.call(response)
- assert_equal(webresponse.code, Server::HTTP_REDIRECT)
- assert(webresponse.headers.has_key?('location'))
- location = webresponse.headers['location']
- query = Util.parse_query(URI::parse(location).query)
- assert(!query.has_key?('openid.sig'), response.fields.to_post_args())
- end
- def test_assocReply
- msg = Message.new(OPENID2_NS)
- msg.set_arg(OPENID2_NS, 'session_type', 'no-encryption')
- request = Server::AssociateRequest.from_message(msg)
- response = Server::OpenIDResponse.new(request)
- response.fields = Message.from_openid_args({'assoc_handle' => "every-zig"})
- webresponse = @encode.call(response)
- body = "assoc_handle:every-zig\n"
- assert_equal(webresponse.code, Server::HTTP_OK)
- assert_equal(webresponse.headers, {})
- assert_equal(webresponse.body, body)
- end
- def test_alreadySigned
- @response.fields.set_arg(OPENID_NS, 'sig', 'priorSig==')
- assert_raise(Server::AlreadySigned) {
- @encode.call(@response)
- }
- end
- end
- class TestCheckID < Test::Unit::TestCase
- def setup
- @op_endpoint = 'http://endpoint.unittest/'
- @store = Store::Memory.new()
- @server = Server::Server.new(@store, @op_endpoint)
- @request = Server::CheckIDRequest.new(
- 'http://bambam.unittest/',
- 'http://bar.unittest/999',
- @server.op_endpoint,
- 'http://bar.unittest/',
- false)
- @request.message = Message.new(OPENID2_NS)
- end
- def test_trustRootInvalid
- @request.trust_root = "http://foo.unittest/17"
- @request.return_to = "http://foo.unittest/39"
- assert(!@request.trust_root_valid())
- end
- def test_trustRootInvalid_modified
- @request.trust_root = "does://not.parse/"
- @request.message = :sentinel
- begin
- result = @request.trust_root_valid
- rescue Server::MalformedTrustRoot => why
- assert_equal(:sentinel, why.openid_message)
- else
- flunk("Expected MalformedTrustRoot, got #{result.inspect}")
- end
- end
- def test_trustRootvalid_absent_trust_root
- @request.trust_root = nil
- assert(@request.trust_root_valid())
- end
- def test_trustRootValid
- @request.trust_root = "http://foo.unittest/"
- @request.return_to = "http://foo.unittest/39"
- assert(@request.trust_root_valid())
- end
- def test_trustRootValidNoReturnTo
- request = Server::CheckIDRequest.new(
- 'http://bambam.unittest/',
- nil,
- @server.op_endpoint,
- 'http://bar.unittest/',
- false)
- assert(request.trust_root_valid())
- end
- def test_returnToVerified_callsVerify
- # Make sure that verifyReturnTo is calling the trustroot
- # function verifyReturnTo
- # Ensure that exceptions are passed through
- sentinel = Exception.new()
- __req = @request
- tc = self
- vrfyExc = Proc.new { |trust_root, return_to|
- tc.assert_equal(__req.trust_root, trust_root)
- tc.assert_equal(__req.return_to, return_to)
- raise sentinel
- }
- TrustRoot.extend(OverrideMethodMixin)
- TrustRoot.with_method_overridden(:verify_return_to, vrfyExc) do
- begin
- @request.return_to_verified()
- flunk("Expected sentinel to be raised, got success")
- rescue Exception => e
- assert(e.equal?(sentinel), [e, sentinel].inspect)
- end
- end
- # Ensure that True and False are passed through unchanged
- constVerify = Proc.new { |val|
- verify = Proc.new { |trust_root, return_to|
- tc.assert_equal(__req.trust_root, trust_root)
- tc.assert_equal(__req.request.return_to, return_to)
- return val
- }
- return verify
- }
- [true, false].each { |val|
- verifier = constVerify.call(val)
- TrustRoot.with_method_overridden(:verify_return_to, verifier) do
- assert_equal(val, @request.return_to_verified())
- end
- }
- end
- def _expectAnswer(answer, identity=nil, claimed_id=nil)
- expected_list = [
- ['mode', 'id_res'],
- ['return_to', @request.return_to],
- ['op_endpoint', @op_endpoint],
- ]
- if identity
- expected_list << ['identity', identity]
- if claimed_id
- expected_list << ['claimed_id', claimed_id]
- else
- expected_list << ['claimed_id', identity]
- end
- end
- expected_list.each { |k, expected|
- actual = answer.fields.get_arg(OPENID_NS, k)
- assert_equal(expected, actual,
- sprintf("%s: expected %s, got %s",
- k, expected, actual))
- }
- assert(answer.fields.has_key?(OPENID_NS, 'response_nonce'))
- assert(answer.fields.get_openid_namespace() == OPENID2_NS)
- # One for nonce, one for ns
- assert_equal(answer.fields.to_post_args.length,
- expected_list.length + 2,
- answer.fields.to_post_args.inspect)
- end
- def test_answerAllow
- # Check the fields specified by "Positive Assertions"
- #
- # including mode=id_res, identity, claimed_id, op_endpoint,
- # return_to
- answer = @request.answer(true)
- assert_equal(answer.request, @request)
- _expectAnswer(answer, @request.identity)
- end
- def test_answerAllowDelegatedIdentity
- @request.claimed_id = 'http://delegating.unittest/'
- answer = @request.answer(true)
- _expectAnswer(answer, @request.identity,
- @request.claimed_id)
- end
- def test_answerAllowWithoutIdentityReally
- @request.identity = nil
- answer = @request.answer(true)
- assert_equal(answer.request, @request)
- _expectAnswer(answer)
- end
- def test_answerAllowAnonymousFail
- @request.identity = nil
- # XXX - Check on this, I think this behavior is legal in OpenID
- # 2.0?
- assert_raise(ArgumentError) {
- @request.answer(true, nil, "=V")
- }
- end
- def test_answerAllowWithIdentity
- @request.identity = IDENTIFIER_SELECT
- selected_id = 'http://anon.unittest/9861'
- answer = @request.answer(true, nil, selected_id)
- _expectAnswer(answer, selected_id)
- end
- def test_answerAllowWithNoIdentity
- @request.identity = IDENTIFIER_SELECT
- selected_id = 'http://anon.unittest/9861'
- assert_raise(ArgumentError) {
- answer = @request.answer(true, nil, nil)
- }
- end
- def test_immediate_openid1_no_identity
- @request.message = Message.new(OPENID1_NS)
- @request.immediate = true
- @request.mode = 'checkid_immediate'
- resp = @request.answer(false)
- assert(resp.fields.get_arg(OPENID_NS, 'mode') == 'id_res')
- end
- def test_checkid_setup_openid1_no_identity
- @request.message = Message.new(OPENID1_NS)
- @request.immediate = false
- @request.mode = 'checkid_setup'
- resp = @request.answer(false)
- assert(resp.fields.get_arg(OPENID_NS, 'mode') == 'cancel')
- end
- def test_immediate_openid1_no_server_url
- @request.message = Message.new(OPENID1_NS)
- @request.immediate = true
- @request.mode = 'checkid_immediate'
- @request.op_endpoint = nil
- assert_raise(ArgumentError) {
- resp = @request.answer(false)
- }
- end
- def test_immediate_encode_to_url
- @request.message = Message.new(OPENID1_NS)
- @request.immediate = true
- @request.mode = 'checkid_immediate'
- @request.trust_root = "BOGUS"
- @request.assoc_handle = "ASSOC"
- server_url = "http://server.com/server"
- url = @request.encode_to_url(server_url)
- assert(url.starts_with?(server_url))
- unused, query = url.split("?", 2)
- args = Util.parse_query(query)
- m = Message.from_post_args(args)
- assert(m.get_arg(OPENID_NS, 'trust_root') == "BOGUS")
- assert(m.get_arg(OPENID_NS, 'assoc_handle') == "ASSOC")
- assert(m.get_arg(OPENID_NS, 'mode'), "checkid_immediate")
- assert(m.get_arg(OPENID_NS, 'identity') == @request.identity)
- assert(m.get_arg(OPENID_NS, 'claimed_id') == @request.claimed_id)
- assert(m.get_arg(OPENID_NS, 'return_to') == @request.return_to)
- end
- def test_answerAllowWithDelegatedIdentityOpenID2
- # Answer an IDENTIFIER_SELECT case with a delegated identifier.
- # claimed_id delegates to selected_id here.
- @request.identity = IDENTIFIER_SELECT
- selected_id = 'http://anon.unittest/9861'
- claimed_id = 'http://monkeyhat.unittest/'
- answer = @request.answer(true, nil, selected_id, claimed_id)
- _expectAnswer(answer, selected_id, claimed_id)
- end
- def test_answerAllowWithDelegatedIdentityOpenID1
- # claimed_id parameter doesn't exist in OpenID 1.
- @request.message = Message.new(OPENID1_NS)
- # claimed_id delegates to selected_id here.
- @request.identity = IDENTIFIER_SELECT
- selected_id = 'http://anon.unittest/9861'
- claimed_id = 'http://monkeyhat.unittest/'
- assert_raise(Server::VersionError) {
- @request.answer(true, nil, selected_id, claimed_id)
- }
- end
- def test_answerAllowWithAnotherIdentity
- # XXX - Check on this, I think this behavior is legal in OpenID
- # 2.0?
- assert_raise(ArgumentError){
- @request.answer(true, nil, "http://pebbles.unittest/")
- }
- end
- def test_answerAllowNoIdentityOpenID1
- @request.message = Message.new(OPENID1_NS)
- @request.identity = nil
- assert_raise(ArgumentError) {
- @request.answer(true, nil, nil)
- }
- end
- def test_answerAllowForgotEndpoint
- @request.op_endpoint = nil
- assert_raise(RuntimeError) {
- @request.answer(true)
- }
- end
- def test_checkIDWithNoIdentityOpenID1
- msg = Message.new(OPENID1_NS)
- msg.set_arg(OPENID_NS, 'return_to', 'bogus')
- msg.set_arg(OPENID_NS, 'trust_root', 'bogus')
- msg.set_arg(OPENID_NS, 'mode', 'checkid_setup')
- msg.set_arg(OPENID_NS, 'assoc_handle', 'bogus')
- assert_raise(Server::ProtocolError) {
- Server::CheckIDRequest.from_message(msg, @server)
- }
- end
- def test_fromMessageClaimedIDWithoutIdentityOpenID2
- msg = Message.new(OPENID2_NS)
- msg.set_arg(OPENID_NS, 'mode', 'checkid_setup')
- msg.set_arg(OPENID_NS, 'return_to', 'http://invalid:8000/rt')
- msg.set_arg(OPENID_NS, 'claimed_id', 'https://example.myopenid.com')
- assert_raise(Server::ProtocolError) {
- Server::CheckIDRequest.from_message(msg, @server)
- }
- end
- def test_fromMessageIdentityWithoutClaimedIDOpenID2
- msg = Message.new(OPENID2_NS)
- msg.set_arg(OPENID_NS, 'mode', 'checkid_setup')
- msg.set_arg(OPENID_NS, 'return_to', 'http://invalid:8000/rt')
- msg.set_arg(OPENID_NS, 'identity', 'https://example.myopenid.com')
- assert_raise(Server::ProtocolError) {
- Server::CheckIDRequest.from_message(msg, @server)
- }
- end
- def test_fromMessageWithEmptyTrustRoot
- return_to = 'http://some.url/foo?bar=baz'
- msg = Message.from_post_args({
- 'openid.assoc_handle' => '{blah}{blah}{OZivdQ==}',
- 'openid.claimed_id' => 'http://delegated.invalid/',
- 'openid.identity' => 'http://op-local.example.com/',
- 'openid.mode' => 'checkid_setup',
- 'openid.ns' => 'http://openid.net/signon/1.0',
- 'openid.return_to' => return_to,
- 'openid.trust_root' => ''
- });
- result = Server::CheckIDRequest.from_message(msg, @server)
- assert_equal(return_to, result.trust_root)
- end
- def test_trustRootOpenID1
- # Ignore openid.realm in OpenID 1
- msg = Message.new(OPENID1_NS)
- msg.set_arg(OPENID_NS, 'mode', 'checkid_setup')
- msg.set_arg(OPENID_NS, 'trust_root', 'http://trustroot.com/')
- msg.set_arg(OPENID_NS, 'realm', 'http://fake_trust_root/')
- msg.set_arg(OPENID_NS, 'return_to', 'http://trustroot.com/foo')
- msg.set_arg(OPENID_NS, 'assoc_handle', 'bogus')
- msg.set_arg(OPENID_NS, 'identity', 'george')
- result = Server::CheckIDRequest.from_message(msg, @server.op_endpoint)
- assert(result.trust_root == 'http://trustroot.com/')
- end
- def test_trustRootOpenID2
- # Ignore openid.trust_root in OpenID 2
- msg = Message.new(OPENID2_NS)
- msg.set_arg(OPENID_NS, 'mode', 'checkid_setup')
- msg.set_arg(OPENID_NS, 'realm', 'http://trustroot.com/')
- msg.set_arg(OPENID_NS, 'trust_root', 'http://fake_trust_root/')
- msg.set_arg(OPENID_NS, 'return_to', 'http://trustroot.com/foo')
- msg.set_arg(OPENID_NS, 'assoc_handle', 'bogus')
- msg.set_arg(OPENID_NS, 'identity', 'george')
- msg.set_arg(OPENID_NS, 'claimed_id', 'george')
- result = Se…
Large files files are truncated, but you can click here to view the full file