Update test for Net::SAML2::Protocol::AuthnRequest

waterkip · waterkip · commit af3b27119e4f · 2023-07-05T14:44:19.000-04:00
Signed-off-by: Wesley Schwengle &lt;waterkip@cpan.org&gt;
diff --git a/lib/Net/SAML2/Protocol/AuthnRequest.pm b/lib/Net/SAML2/Protocol/AuthnRequest.pm
@@ -132,7 +132,6 @@ has 'provider_name' => (
     predicate => 'has_provider_name',
 );
 
-# RequestedAuthnContext:
 has 'AuthnContextClassRef' => (
     isa => 'ArrayRef[Str]',
     is => 'rw',
@@ -154,14 +153,12 @@ has 'RequestedAuthnContext_Comparison' => (
 has 'force_authn' => (
     isa     => 'Bool',
     is      => 'ro',
-    required => 0,
     predicate => 'has_force_authn',
 );
 
 has 'is_passive' => (
     isa     => 'Bool',
     is      => 'ro',
-    required => 0,
     predicate => 'has_is_passive',
 );
 
@@ -226,21 +223,17 @@ sub as_xml {
     my @opts = qw(
         assertion_url assertion_index protocol_binding
         attribute_index provider_name destination
-        issuer_namequalifier issuer_format force_authn
-        is_passive
+        force_authn is_passive
     );
 
     foreach my $opt (@opts) {
         my $predicate = 'has_' . $opt;
-        next unless $self->$predicate;
+        next if !$self->can($predicate) || !$self->$predicate;
 
         my $val = $self->$opt;
         if ($opt eq 'protocol_binding') {
             $req_atts{ $att_map{$opt} } = $protocol_bindings{$val};
         }
-        elsif (any { $opt eq $_ } qw(issuer_namequalifier issuer_format)) {
-            $issuer_attrs{ $att_map{$opt} } = $val;
-        }
         elsif (any { $opt eq $_ } qw(force_authn is_passive)) {
             $req_atts{ $att_map{$opt} } = ( $val ? 'true' : 'false' );
         }
@@ -249,6 +242,14 @@ sub as_xml {
         }
     }
 
+    foreach my $opt (qw(issuer_namequalifier issuer_format)) {
+        my $predicate = 'has_' . $opt;
+        next if !$self->can($predicate) || !$self->$predicate;
+
+        my $val = $self->$opt;
+        $issuer_attrs{ $att_map{$opt} } = $val;
+    }
+
     $x->startTag([$samlp, 'AuthnRequest'], %req_atts);
     $x->dataElement([$saml, 'Issuer'], $self->issuer, %issuer_attrs);
 
diff --git a/t/09-authn-request.t b/t/09-authn-request.t
@@ -6,145 +6,182 @@ use Test::Net::SAML2;
 use Net::SAML2::Protocol::AuthnRequest;
 use Net::SAML2::XML::Sig;
 
-my $ar = Net::SAML2::Protocol::AuthnRequest->new(
-    issuer        => 'http://some/sp',
-    destination   => 'http://some/idp',
-    nameid_format => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-    nameid_allow_create => 1,
-);
-
-isa_ok($ar, "Net::SAML2::Protocol::AuthnRequest");
-
 my $override
     = Sub::Override->override(
     'Net::SAML2::Protocol::AuthnRequest::issue_instant' =>
         sub { return 'myissueinstant' });
 
-my $xml = $ar->as_xml;
-
-my $xp = get_xpath(
-    $xml,
-    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
-    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
-);
-
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ID', qr/^NETSAML2_/);
-
-test_xml_attribute_ok($xp,
-    '/samlp:AuthnRequest/@IssueInstant',
-    'myissueinstant'
-);
-
-test_xml_attribute_ok(
-    $xp,
-    '/samlp:AuthnRequest/samlp:NameIDPolicy/@Format',
-    'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
-);
-
-test_xml_attribute_ok($xp,
-    '/samlp:AuthnRequest/samlp:NameIDPolicy/@AllowCreate', '1');
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 0);
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 0);
-
-my $signer = Net::SAML2::XML::Sig->new({
-    key => 't/sign-nopw-cert.pem',
-    cert => 't/sign-nopw-cert.pem',
-});
-
-isa_ok($signer, "Net::SAML2::XML::Sig");
-
-my $signed = $signer->sign($xml);
-ok($signed);
-
-my $verify = $signer->verify($signed);
-ok($verify);
-
-$ar = Net::SAML2::Protocol::AuthnRequest->new(
-    issuer        => 'http://some/sp',
-    destination   => 'http://some/idp',
-    nameid_format => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-    nameid_allow_create => 1,
-    force_authn   => '1',
-    is_passive    => '1'
-
-);
-
-isa_ok($ar, "Net::SAML2::Protocol::AuthnRequest");
-
-$xml = $ar->as_xml;
-
-$xp = get_xpath(
-    $xml,
-    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
-    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
-);
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'true');
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'true');
-
-$ar = Net::SAML2::Protocol::AuthnRequest->new(
-    issuer        => 'http://some/sp',
-    destination   => 'http://some/idp',
-    nameid_format => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-    nameid_allow_create => 1,
-    force_authn   => '0',
-    is_passive    => '0'
-
-);
-
-isa_ok($ar, "Net::SAML2::Protocol::AuthnRequest");
-
-$xml = $ar->as_xml;
-
-$xp = get_xpath(
-    $xml,
-    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
-    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
-);
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'false');
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'false');
-
-my $sp = net_saml2_sp(
-    authnreq_signed        => 0,
-    want_assertions_signed => 0,
-    slo_url_post           => '/sls-post-response',
-    slo_url_soap           => '/slo-soap',
-);
-
-my %params = (
-    force_authn => 1,
-    is_passive => 0,
-);
-
-my $req = $sp->authn_request(
-    $sp->id,
-    '',
-    %params,
-);
-
-$xml = $req->as_xml;
-
-$xp = get_xpath(
-    $xml,
-    samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
-    saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
-);
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@ForceAuthn', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@ForceAuthn', 'true');
-
-test_xml_attribute_exists($xp, '/samlp:AuthnRequest/@IsPassive', 1);
-test_xml_attribute_ok($xp, '/samlp:AuthnRequest/@IsPassive', 'false');
+$override->override('Net::SAML2::Protocol::AuthnRequest::_build_id' =>
+        sub { return 'NETSAML2_fake_id' });
+
+{
+    my ($ar, $xp) = net_saml2_authnreq(
+        nameid        => 'mynameid',
+        nameid_format =>
+            'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+        nameid_allow_create  => 1,
+        issuer_namequalifier => 'bar',
+        issuer_format        => 'foo',
+    );
+
+    my %attributes = (
+        Destination  => 'http://some/idp',
+        ID           => 'NETSAML2_fake_id',
+        IssueInstant => 'myissueinstant',
+        Version      => '2.0',
+    );
+
+    test_node_attributes_ok($xp, '/samlp:AuthnRequest', \%attributes);
+
+    my $node = get_single_node_ok($xp, '/samlp:AuthnRequest/saml:Issuer');
+    is($node->textContent, 'http://some/sp', '... and has the correct value');
+    is($node->getAttribute('Format'), 'foo', '.. and Format attribute is ok');
+    is($node->getAttribute('NameQualifier'),
+        'bar', ".. and NameQualifier attribute is ok");
+
+    test_xml_attribute_ok($xp,
+        '/samlp:AuthnRequest/saml:Subject/saml:NameID/@NameQualifier',
+        'mynameid');
+
+    %attributes = (
+        Format      => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+        AllowCreate => 1,
+    );
+
+    test_node_attributes_ok($xp, '/samlp:AuthnRequest/samlp:NameIDPolicy',
+        \%attributes);
+
+    ok(!$xp->exists('/samlp:AuthnRequest/samlp:RequestedAuthnContext'),
+        "We don't have RequestedAuthnContext");
+
+    ### TODO: Does this really belong here?
+    my $signer = Net::SAML2::XML::Sig->new(
+        {
+            key  => 't/sign-nopw-cert.pem',
+            cert => 't/sign-nopw-cert.pem',
+        }
+    );
+
+    isa_ok($signer, "Net::SAML2::XML::Sig");
+
+    my $signed = $signer->sign($xp->getContextNode->toString);
+    ok($signed, "Signed with XML::Sig");
+
+    my $verify = $signer->verify($signed);
+    ok($verify, "Verified with XML::Sig");
+    ### END TODO
+}
+
+
+{
+    my ($ar, $xp) = net_saml2_authnreq(
+        force_authn => '1',
+        is_passive  => '1'
+    );
+    my %attributes = (
+        Destination  => ignore(),
+        ForceAuthn   => 'true',
+        ID           => ignore(),
+        IsPassive    => 'true',
+        IssueInstant => 'myissueinstant',
+        Version      => '2.0',
+    );
+    test_node_attributes_ok($xp, '/samlp:AuthnRequest', \%attributes);
+}
+
+{
+    my ($ar, $xp) = net_saml2_authnreq(
+        force_authn => '0',
+        is_passive  => '0'
+    );
+
+    my %attributes = (
+        Destination  => ignore(),
+        ID           => ignore(),
+        IssueInstant => ignore(),
+        Version      => ignore(),
+        ForceAuthn   => 'false',
+        IsPassive    => 'false',
+    );
+    test_node_attributes_ok($xp, '/samlp:AuthnRequest', \%attributes);
+}
+
+{
+
+    my ($ar, $xp) = net_saml2_authnreq(
+        assertion_url    => 'https://foo.bar/assertion',
+        assertion_index  => 1,
+        attribute_index  => 42,
+        protocol_binding => 'HTTP-POST',
+    );
+
+    my %attributes = (
+        Destination                    => ignore(),
+        ID                             => ignore(),
+        IssueInstant                   => ignore(),
+        Version                        => ignore(),
+        AssertionConsumerServiceURL    => 'https://foo.bar/assertion',
+        AssertionConsumerServiceIndex  => 1,
+        AttributeConsumingServiceIndex => 42,
+        ProtocolBinding => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+    );
+
+    test_node_attributes_ok($xp, '/samlp:AuthnRequest', \%attributes);
+
+}
+
+{
+    my ($ar, $xp) = net_saml2_authnreq(AuthnContextClassRef => [qw(foo bar)],);
+
+    my @nodes
+        = $xp->findnodes(
+        '/samlp:AuthnRequest/samlp:RequestedAuthnContext/saml:AuthnContextClassRef'
+        );
+    is(@nodes, 2, "and has two AuthnContextClassRef nodes");
+
+    is($nodes[0]->textContent(),
+        "foo", "... and the correct content for node 1");
+    is($nodes[1]->textContent(),
+        "bar", "... and the correct content for node 2");
+}
+
+{
+    my ($ar, $xp) = net_saml2_authnreq(AuthnContextDeclRef => [qw(foo bar)],);
+
+    my @nodes
+        = $xp->findnodes(
+        '/samlp:AuthnRequest/samlp:RequestedAuthnContext/saml:AuthnContextDeclRef'
+        );
+    is(@nodes, 2, "and has two AuthnContextDeclRef nodes");
+
+    is($nodes[0]->textContent(),
+        "foo", "... and the correct content for node 1");
+    is($nodes[1]->textContent(),
+        "bar", "... and the correct content for node 2");
+}
+
+{
+
+    my $sp = net_saml2_sp(
+        authnreq_signed        => 0,
+        want_assertions_signed => 0,
+        slo_url_post           => '/sls-post-response',
+        slo_url_soap           => '/slo-soap',
+    );
+
+    my %params = (
+        force_authn => 1,
+        is_passive  => 0,
+    );
+
+    my $req = $sp->authn_request($sp->id, '', %params,);
+
+    my $xp = get_xpath(
+        $req->as_xml,
+        samlp => 'urn:oasis:names:tc:SAML:2.0:protocol',
+        saml  => 'urn:oasis:names:tc:SAML:2.0:assertion',
+    );
+}
 
-$xml = $ar->as_xml;
 
 done_testing;
diff --git a/t/lib/Test/Net/SAML2/Util.pm b/t/lib/Test/Net/SAML2/Util.pm
