Add tests for decode_saml_request

LauraBeatris · Mar 24, 2024 · 9d0a7e1 · 9d0a7e1
1 parent 317f969
commit 9d0a7e1
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 6 deletions.
diff --git a/lib/oidc.ex b/lib/oidc.ex
@@ -1,6 +1,8 @@
 defmodule ShinAuth.OIDC do
   @moduledoc """
   OpenID Connect utilities.
+
+  Performs decoding and validation based on the spec: https://openid.net/specs/openid-connect-discovery-1_0.html
   """
 
   import ShinAuth.OIDC.ProviderConfiguration.Client

diff --git a/lib/saml.ex b/lib/saml.ex
@@ -14,12 +14,18 @@ defmodule ShinAuth.SAML do
           {:ok, Request.t()}
           | {:error, Request.Error.t()}
 
-  def decode_saml_request(""), do: {:error, "Empty SAML request"}
+  def decode_saml_request(""),
+    do:
+      {:error,
+       %Request.Error{
+         tag: :malformed_saml_request,
+         message: "Verify if the SAML request is structured correctly by the Service Provider."
+       }}
 
   def decode_saml_request(saml_request) do
     error = %Request.Error{
       tag: :malformed_saml_request,
-      message: "Invalid SAML request"
+      message: "Verify if the SAML request is structured correctly by the Service Provider."
     }
 
     if valid_xml?(saml_request) do

diff --git a/lib/saml/request/request.ex b/lib/saml/request/request.ex
@@ -24,8 +24,8 @@ defmodule ShinAuth.SAML.Request do
       {:assertion_consumer_service_url, "/samlp:AuthnRequest/@AssertionConsumerServiceURL",
        &{:ok, Utils.maybe_to_string(&1)}, optional: false},
     field:
-      {:issuer, "/samlp:AuthnRequest/saml:Issuer/text()",
-       &{:ok, Utils.maybe_to_string(&1) |> String.trim()}, optional: false},
+      {:issuer, "/samlp:AuthnRequest/saml:Issuer/text()", &{:ok, Utils.maybe_to_string(&1)},
+       optional: false},
     field:
       {:issue_instant, "/samlp:AuthnRequest/@IssueInstant", &{:ok, Utils.maybe_to_string(&1)},
        optional: false}
@@ -37,5 +37,5 @@ defmodule ShinAuth.SAML.Request.Utils do
 
   def maybe_to_string(""), do: nil
   def maybe_to_string(nil), do: nil
-  def maybe_to_string(value), do: to_string(value)
+  def maybe_to_string(value), do: to_string(value) |> String.trim()
 end
diff --git a/test/oidc_test.exs b/test/oidc_test.exs
@@ -1,4 +1,4 @@
-defmodule ShinTest.OIDCTest do
+defmodule ShinAuth.OIDCTest do
   import Mox
 
   use ExSpec, async: true

diff --git a/test/saml/request_test.exs b/test/saml/request_test.exs
@@ -0,0 +1,68 @@
+defmodule ShinAuth.SAML.RequestTest do
+  use ExSpec, async: true
+
+  alias ShinAuth.SAML
+  alias ShinAuth.SAML.Request
+
+  describe "with malformed saml request" do
+    context "with empty xml" do
+      it "returns error" do
+        {:error,
+         %Request.Error{
+           tag: :malformed_saml_request,
+           message: "Verify if the SAML request is structured correctly by the Service Provider."
+         }} = SAML.decode_saml_request("")
+      end
+    end
+
+    context "with malformed xml element" do
+      it "returns error" do
+        {:error,
+         %Request.Error{
+           tag: :malformed_saml_request,
+           message: "Verify if the SAML request is structured correctly by the Service Provider."
+         }} =
+          SAML.decode_saml_request("""
+          <Invalid
+          """)
+      end
+    end
+
+    context "when missing saml request required element" do
+      saml_request_mock = """
+      <?xml version="1.0"?>
+      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_123" Version="2.0" IssueInstant="2023-09-27T17:20:42.746Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://accounts.google.com/o/saml2/idp?idpid=C03gu405z" AssertionConsumerServiceURL="https://auth.example.com/sso/saml/acs/123">
+      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
+      </samlp:AuthnRequest>
+      """
+
+      {:error,
+       %DataSchema.Errors{
+         errors: [issuer: "Field was required but value supplied is considered empty"]
+       }} = SAML.decode_saml_request(saml_request_mock)
+    end
+  end
+
+  describe "with valid saml request" do
+    context "returns parsed request struct" do
+      saml_request_mock = """
+      <?xml version="1.0"?>
+      <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_123" Version="2.0" IssueInstant="2023-09-27T17:20:42.746Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Destination="https://accounts.google.com/o/saml2/idp?idpid=C03gu405z" AssertionConsumerServiceURL="https://auth.example.com/sso/saml/acs/123">
+      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
+        https://example.com/123
+      </saml:Issuer>
+      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
+      </samlp:AuthnRequest>
+      """
+
+      {:ok,
+       %Request{
+         id: "_123",
+         version: "2.0",
+         issue_instant: "2023-09-27T17:20:42.746Z",
+         issuer: "https://example.com/123",
+         assertion_consumer_service_url: "https://auth.example.com/sso/saml/acs/123"
+       }} = SAML.decode_saml_request(saml_request_mock)
+    end
+  end
+end