Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: d3a57bc5c7
Branches Tags
zammad
/
spec
/
models
/
setting
/
validation
/
saml
/
security_spec.rb

security_spec.rb 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156 
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. require 'rails_helper'
    4. 

  4. 

  5. RSpec.describe Setting::Validation::Saml::Security do
    6. 

  6.   let(:setting_name) { 'auth_saml_credentials' }
    7. 

  7. 

  8.   let(:setting_value) do
    9. 

  9.     {
    10. 

  10.       idp_sso_target_url:     'https://self-signed.badssl.com/',
    11. 

  11.       idp_slo_service_url:    'https://example.com',
    12. 

  12.       name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    13. 

  13.       idp_cert:               '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----',
    14. 

  14.       ssl_verify:             false,
    15. 

  15.       security:               security,
    16. 

  16.       private_key:            private_key_pem,
    17. 

  17.       private_key_secret:     private_key_secret,
    18. 

  18.       certificate:            certificate,
    19. 

  19.     }
    20. 

  20.   end
    21. 

  21. 

  22.   let(:security)           { 'on' }
    23. 

  23.   let(:private_key_pem)    { OpenSSL::PKey::RSA.generate('2048').to_pem }
    24. 

  24.   let(:private_key_secret) { '' }
    25. 

  25. 

  26.   let(:certificate) do
    27. 

  27.     private_key = private_key_pem.blank? ? OpenSSL::PKey::RSA.generate('2048') : OpenSSL::PKey.read(private_key_pem)
    28. 

  28.     create_certificate(private_key)
    29. 

  29.   end
    30. 

  30. 

  31.   def create_certificate(private_key, expired: false, ca_cert: false, usable: true)
    32. 

  32.     cert = OpenSSL::X509::Certificate.new
    33. 

  33.     cert.subject    = cert.issuer = OpenSSL::X509::Name.parse('/CN=Acme')
    34. 

  34.     cert.not_before = Time.zone.now
    35. 

  35.     cert.not_after  = Time.zone.now + (365 * 24 * 60 * 60)
    36. 

  36.     cert.public_key = private_key.public_key if private_key.respond_to?(:public_key)
    37. 

  37.     cert.serial     = 0x0
    38. 

  38.     cert.version    = 2
    39. 

  39. 

  40.     cert.not_after = Time.zone.now - (365 * 24 * 60 * 60) if expired
    41. 

  41. 

  42.     ef                     = OpenSSL::X509::ExtensionFactory.new
    43. 

  43.     ef.subject_certificate = cert
    44. 

  44.     ef.issuer_certificate  = cert
    45. 

  45. 

  46.     certificate_extensions(cert, ef, ca_cert:, usable:)
    47. 

  47. 

  48.     cert.sign(private_key, OpenSSL::Digest.new('SHA256'))
    49. 

  49. 

  50.     cert.to_pem
    51. 

  51.   end
    52. 

  52. 

  53.   def certificate_extensions(cert, extension_factory, ca_cert: false, usable: true)
    54. 

  54.     cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)) if ca_cert
    55. 

  55.     cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash', false))
    56. 

  56.     cert.add_extension(extension_factory.create_extension('keyUsage', usable ? 'digitalSignature,keyEncipherment' : 'cRLSign', true))
    57. 

  57. 

  58.     cert.add_extension(extension_factory.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always', false))
    59. 

  59.   end
    60. 

  60. 

  61.   context 'with blank settings' do
    62. 

  62.     it 'does not raise an error' do
    63. 

  63.       expect { Setting.set(setting_name, {}) }.not_to raise_error
    64. 

  64.     end
    65. 

  65.   end
    66. 

  66. 

  67.   context 'with no security' do
    68. 

  68.     let(:security) { 'off' }
    69. 

  69. 

  70.     it 'does not raise an error' do
    71. 

  71.       expect { Setting.set(setting_name, {}) }.not_to raise_error
    72. 

  72.     end
    73. 

  73.   end
    74. 

  74. 

  75.   context 'with missing prerequisites' do
    76. 

  76.     context 'when certificate is missing' do
    77. 

  77.       let(:certificate) { '' }
    78. 

  78. 

  79.       it 'raises an error' do
    80. 

  80.         expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: No certificate found.')
    81. 

  81.       end
    82. 

  82.     end
    83. 

  83. 

  84.     context 'when private key is missing' do
    85. 

  85.       let(:private_key_pem) { '' }
    86. 

  86. 

  87.       it 'raises an error' do
    88. 

  88.         expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: No private key found.')
    89. 

  89.       end
    90. 

  90.     end
    91. 

  91.   end
    92. 

  92. 

  93.   context 'when private key has wrong type' do
    94. 

  94.     let(:certificate)     { create_certificate(OpenSSL::PKey::RSA.generate('2048')) }
    95. 

  95.     let(:private_key_pem) { OpenSSL::PKey::EC.generate('prime256v1').to_pem }
    96. 

  96. 

  97.     it 'raises an error' do
    98. 

  98.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The type of the private key is wrong.')
    99. 

  99.     end
    100. 

  100.   end
    101. 

  101. 

  102.   context 'when private key has wrong length' do
    103. 

  103.     let(:private_key_pem) { OpenSSL::PKey::RSA.generate('1024').to_pem }
    104. 

  104. 

  105.     it 'raises an error' do
    106. 

  106.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The length of the private key is too short.')
    107. 

  107.     end
    108. 

  108.   end
    109. 

  109. 

  110.   context 'when certificate contains non-parsable content' do
    111. 

  111.     let(:certificate) { 'dummy' }
    112. 

  112. 

  113.     it 'raises an error' do
    114. 

  114.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The certificate could not be parsed.')
    115. 

  115.     end
    116. 

  116.   end
    117. 

  117. 

  118.   context 'when certificate is a CA certificate' do
    119. 

  119.     let(:certificate) { create_certificate(OpenSSL::PKey.read(private_key_pem), ca_cert: true) }
    120. 

  120. 

  121.     it 'raises an error' do
    122. 

  122.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The certificate is not usable due to being a CA certificate.')
    123. 

  123.     end
    124. 

  124.   end
    125. 

  125. 

  126.   context 'when certificate is not usable (e.g. expired)' do
    127. 

  127.     let(:certificate) { create_certificate(OpenSSL::PKey.read(private_key_pem), expired: true) }
    128. 

  128. 

  129.     it 'raises an error' do
    130. 

  130.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The certificate is not usable (e.g. expired).')
    131. 

  131.     end
    132. 

  132.   end
    133. 

  133. 

  134.   context 'when certificate is not usable for signing/encrypting' do
    135. 

  135.     let(:certificate) { create_certificate(OpenSSL::PKey.read(private_key_pem), usable: false) }
    136. 

  136. 

  137.     it 'raises an error' do
    138. 

  138.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The certificate is not usable for signing and encryption.')
    139. 

  139.     end
    140. 

  140.   end
    141. 

  141. 

  142.   context 'when certificate does not match the private key' do
    143. 

  143.     let(:private_key_pem) { OpenSSL::PKey::RSA.generate('2048').to_pem }
    144. 

  144.     let(:certificate)     { create_certificate(OpenSSL::PKey::RSA.generate('2048')) }
    145. 

  145. 

  146.     it 'raises an error' do
    147. 

  147.       expect { Setting.set(setting_name, setting_value) }.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: The certificate does not match the given private key.')
    148. 

  148.     end
    149. 

  149.   end
    150. 

  150. 

  151.   context 'with a valid certificate and private key' do
    152. 

  152.     it 'does not raise an error' do
    153. 

  153.       expect { Setting.set(setting_name, setting_value) }.not_to raise_error
    154. 

  154.     end
    155. 

  155.   end
    156. 

  156. end
    157.