

Fix generateNameID tests
pitbulk committed Sep 29, 2023
1 parent 071dcfc commit ba61295
Showing 2 changed files with 32 additions and 20 deletions.
30 changes: 17 additions & 13 deletions tests/src/OneLogin/Saml2/ResponseTest.php
Expand Up @@ -8,6 +8,7 @@
use OneLogin\Saml2\ValidationError;

use DOMDocument;
use Exception;

/**
* Unit tests for Response messages
Expand Down Expand Up @@ -136,7 +137,7 @@ public function testReturnNameId()
$xml3 = file_get_contents(TEST_ROOT . '/data/responses/valid_encrypted_assertion.xml.base64');
$response3 = new Response($this->_settings, $xml3);
$this->assertEquals('_68392312d490db6d355555cfbbd8ec95d746516f60', $response3->getNameId());

$xml4 = file_get_contents(TEST_ROOT . '/data/responses/invalids/no_nameid.xml.base64');
$response4 = new Response($this->_settings, $xml4);

Expand Down Expand Up @@ -225,7 +226,7 @@ public function testGetNameIdFormat()
$xml2 = file_get_contents(TEST_ROOT . '/data/responses/response_encrypted_nameid.xml.base64');
$response2 = new Response($this->_settings, $xml2);
$this->assertEquals('urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', $response2->getNameIdFormat());

$xml3 = file_get_contents(TEST_ROOT . '/data/responses/valid_encrypted_assertion.xml.base64');
$response3 = new Response($this->_settings, $xml3);
$this->assertEquals('urn:oasis:names:tc:SAML:2.0:nameid-format:transient', $response3->getNameIdFormat());
Expand Down Expand Up @@ -462,7 +463,7 @@ public function testCheckStatus()

$xmlEnc = file_get_contents(TEST_ROOT . '/data/responses/valid_encrypted_assertion.xml.base64');
$responseEnc = new Response($this->_settings, $xmlEnc);

$response->checkStatus();

$xml2 = file_get_contents(TEST_ROOT . '/data/responses/invalids/status_code_responder.xml.base64');
Expand Down Expand Up @@ -773,11 +774,14 @@ public function testDoesNotAllowSignatureWrappingAttack2()
$settings = new Settings($settingsInfo);

$xml = file_get_contents(TEST_ROOT . '/data/responses/wrapped_response_3.xml.base64');
$response = new Response($settings, $xml);

$valid = $response->isValid();

$this->assertFalse($valid);
try {
$response = new Response($settings, $xml);
$valid = $response->isValid();
$this->assertFalse($valid);
$this->assertEquals('Found an invalid Signed Element. SAML Response rejected', $response->getError());
} catch (Exception $e) {
$this->assertEquals('DOMDocument::loadXML(): Namespace prefix saml on Assertion is not defined in Entity, line: 1', $e->getMessage());
}
}

/**
Expand Down Expand Up @@ -811,7 +815,7 @@ public function testGetSessionNotOnOrAfter()
$response = new Response($this->_settings, $xml);

$this->assertEquals(1290203857, $response->getSessionNotOnOrAfter());

// An assertion that do not specified Session timeout should return NULL
$xml2 = file_get_contents(TEST_ROOT . '/data/responses/response2.xml.base64');
$response2 = new Response($this->_settings, $xml2);
Expand Down Expand Up @@ -1330,7 +1334,7 @@ public function testIsInValidRequestId()
$response2 = new Response($this->_settings, $message);
$response2->isValid($requestId);
$this->assertContains('The InResponseTo of the Response', $response2->getError());

$validRequestId = '_57bcbf70-7b1f-012e-c821-782bcb13bb38';
$response2->isValid($validRequestId);
$this->assertContains('No Signature found. SAML Response rejected', $response2->getError());
Expand Down Expand Up @@ -1500,7 +1504,7 @@ public function testIsInValidEncIssues()

$this->assertFalse($response3->isValid());
$this->assertEquals('The assertion of the Response is not encrypted and the SP requires it', $response3->getError());

$settingsInfo['security']['wantAssertionsEncrypted'] = false;
$settingsInfo['security']['wantNameIdEncrypted'] = true;
$settingsInfo['strict'] = false;
Expand Down Expand Up @@ -1679,7 +1683,7 @@ public function testIsValidSign()
$xml = file_get_contents(TEST_ROOT . '/data/responses/signed_message_response.xml.base64');
$response = new Response($this->_settings, $xml);
$this->assertTrue($response->isValid());

$xml2 = file_get_contents(TEST_ROOT . '/data/responses/signed_assertion_response.xml.base64');
$response2 = new Response($this->_settings, $xml2);
$this->assertTrue($response2->isValid());
Expand Down Expand Up @@ -1738,7 +1742,7 @@ public function testIsValidSignUsingX509certMulti()
{
$settingsDir = TEST_ROOT .'/settings/';
include $settingsDir.'settings6.php';

$settings = new Settings($settingsInfo);

$xml = file_get_contents(TEST_ROOT . '/data/responses/signed_message_response.xml.base64');
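Review bot: The assertions placed inside the new try block in testDoesNotAllowSignatureWrappingAttack2 are themselves caught by the following `catch (Exception $e)`, because PHPUnit's AssertionFailedError ultimately extends \Exception; a regression in which isValid() returns true for the wrapped response would therefore be reported as a mismatch against the DOMDocument message instead of as the real assertion failure. Keep only the constructor call inside the try, return from the catch, and run the assertions on the normal path so each outcome is checked independently. The same pattern appears in the UtilsTest::testLoadXML hunk that wraps Utils::loadXML in a try/catch. The verbatim libxml message asserted in the catch is also likely to differ between libxml versions, so matching a stable prefix with assertContains may be more robust; the rest of the method, including its settings setup, lies outside the hunk.
```php
// … unchanged: settings construction and fixture loading …
try {
    $response = new Response($settings, $xml);
} catch (Exception $e) {
    $this->assertEquals('DOMDocument::loadXML(): Namespace prefix saml on Assertion is not defined in Entity, line: 1', $e->getMessage());
    return;
}
$valid = $response->isValid();
$this->assertFalse($valid);
$this->assertEquals('Found an invalid Signed Element. SAML Response rejected', $response->getError());
```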
22 changes: 15 additions & 7 deletions tests/src/OneLogin/Saml2/UtilsTest.php
Expand Up @@ -31,8 +31,12 @@ public function testLoadXML()
$dom = new DOMDocument();

$metadataUnloaded = '<xml><EntityDescriptor>';
$res1 = Utils::loadXML($dom, $metadataUnloaded);
$this->assertFalse($res1);
try {
$res1 = Utils::loadXML($dom, $metadataUnloaded);
$this->assertFalse($res1);
} catch (Exception $e) {
$this->assertEquals('DOMDocument::loadXML(): Premature end of data in tag EntityDescriptor line 1 in Entity, line: 1', $e->getMessage());
}

$metadataInvalid = file_get_contents(TEST_ROOT .'/data/metadata/noentity_metadata_settings1.xml');
$res2 = Utils::loadXML($dom, $metadataInvalid);
Expand All @@ -53,7 +57,7 @@ public function testXMLAttacks()
$dom = new DOMDocument();

$attackXXE = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>';
try {
Expand Down Expand Up @@ -851,12 +855,15 @@ public function testGenerateNameIdWithSPNameQualifier()
$key
);

$nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>';
$this->assertContains($nameidExpectedEnc, $nameIdEnc);
$nameidExpectedEncId = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"';
$nameidExpectedEncData = '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>';

$this->assertContains($nameidExpectedEncId, $nameIdEnc);
$this->assertContains($nameidExpectedEncData, $nameIdEnc);

// Check AES128_GCM support
if (version_compare(phpversion(), '7.1.0', '>=') && in_array("aes-128-gcm", openssl_get_cipher_methods())) {
$nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>';
$nameidExpectedEncData = '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><xenc:CipherData><xenc:CipherValue>';

$nameIdEnc = Utils::generateNameId(
$nameIdValue,
Expand All @@ -866,7 +873,8 @@ public function testGenerateNameIdWithSPNameQualifier()
null,
XMLSecurityKey::AES128_GCM
);
$this->assertContains($nameidExpectedEnc, $nameIdEnc);
$this->assertContains($nameidExpectedEncId, $nameIdEnc);
$this->assertContains($nameidExpectedEncData, $nameIdEnc);
}
}

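Review bot: Splitting the expected markup into $nameidExpectedEncId and $nameidExpectedEncData in testGenerateNameIdWithSPNameQualifier drops the check that the EncryptedData element carries `Type="http://www.w3.org/2001/04/xmlenc#Element"` and the xmlns:dsig declaration, so neither the AES128-CBC nor the AES128-GCM path pins those attributes any more. Presumably the split was needed because attribute order in the generated element changed; if so, assert the dropped attribute on its own with `$this->assertContains('Type="http://www.w3.org/2001/04/xmlenc#Element"', $nameIdEnc);` after each generateNameId call, which stays order-independent. The method starts before the hunk, so its earlier assertions were not visible for this review.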
