Add test for samlidp

sword-jin · sword-jin · commit afaf2715b313 · 2025-03-17T02:12:56.000Z
diff --git a/identity_provider.go b/identity_provider.go
@@ -110,6 +110,7 @@ type IdentityProvider struct {
 	EntityIDConstructor     EntityIDConstructor
 }
 
+// EntityIDConstructor is a function that returns the entityID for customization.
 type EntityIDConstructor func() string
 
 // Metadata returns the metadata structure for this identity provider.
@@ -337,16 +338,9 @@ func (idp *IdentityProvider) ServeIDPInitiated(w http.ResponseWriter, r *http.Re
 	}
 }
 
-// createDefaultEntityIDConstructor creates a function to return entityID from metadataURL.
-func createDefaultEntityIDConstructor(metadataURL url.URL) func() string {
-	return func() string {
-		return metadataURL.String()
-	}
-}
-
 func (idp *IdentityProvider) getEntityID() string {
 	if idp.EntityIDConstructor == nil {
-		return createDefaultEntityIDConstructor(idp.MetadataURL)()
+		return idp.MetadataURL.String()
 	}
 	return idp.EntityIDConstructor()
 }
diff --git a/samlidp/samlidp.go b/samlidp/samlidp.go
@@ -18,12 +18,13 @@ import (
 
 // Options represent the parameters to New() for creating a new IDP server
 type Options struct {
-	URL         url.URL
-	Key         crypto.PrivateKey
-	Signer      crypto.Signer
-	Logger      logger.Interface
-	Certificate *x509.Certificate
-	Store       Store
+	URL                 url.URL
+	Key                 crypto.PrivateKey
+	Signer              crypto.Signer
+	Logger              logger.Interface
+	Certificate         *x509.Certificate
+	Store               Store
+	EntityIDConstructor saml.EntityIDConstructor
 }
 
 // Server represents an IDP server. The server provides the following URLs:
@@ -59,12 +60,13 @@ func New(opts Options) (*Server, error) {
 	s := &Server{
 		serviceProviders: map[string]*saml.EntityDescriptor{},
 		IDP: saml.IdentityProvider{
-			Key:         opts.Key,
-			Signer:      opts.Signer,
-			Logger:      logr,
-			Certificate: opts.Certificate,
-			MetadataURL: metadataURL,
-			SSOURL:      ssoURL,
+			Key:                 opts.Key,
+			Signer:              opts.Signer,
+			Logger:              logr,
+			Certificate:         opts.Certificate,
+			MetadataURL:         metadataURL,
+			SSOURL:              ssoURL,
+			EntityIDConstructor: opts.EntityIDConstructor,
 		},
 		logger: logr,
 		Store:  opts.Store,
diff --git a/samlidp/samlidp_test.go b/samlidp/samlidp_test.go
@@ -66,6 +66,15 @@ func mustParseCertificate(pemStr []byte) *x509.Certificate {
 	return cert
 }
 
+func setupTestVariables() {
+	saml.TimeNow = func() time.Time {
+		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
+		return rv
+	}
+	jwt.TimeFunc = saml.TimeNow
+	saml.RandReader = &testRandomReader{}
+}
+
 type ServerTest struct {
 	SPKey         *rsa.PrivateKey
 	SPCertificate *x509.Certificate
@@ -79,12 +88,7 @@ type ServerTest struct {
 
 func NewServerTest(t *testing.T) *ServerTest {
 	test := ServerTest{}
-	saml.TimeNow = func() time.Time {
-		rv, _ := time.Parse("Mon Jan 2 15:04:05 MST 2006", "Mon Dec 1 01:57:09 UTC 2015")
-		return rv
-	}
-	jwt.TimeFunc = saml.TimeNow
-	saml.RandReader = &testRandomReader{}
+	setupTestVariables()
 
 	test.SPKey = mustParsePrivateKey(golden.Get(t, "sp_key.pem")).(*rsa.PrivateKey)
 	test.SPCertificate = mustParseCertificate(golden.Get(t, "sp_cert.pem"))
@@ -143,3 +147,28 @@ func TestHTTPCanSSORequest(t *testing.T) {
 		w.Body.String())
 	golden.Assert(t, w.Body.String(), "http_sso_response.html")
 }
+
+func TestHTTPMetadataResponseWithCustomEntityID(t *testing.T) {
+	setupTestVariables()
+
+	server, err := New(Options{
+		Certificate: mustParseCertificate(golden.Get(t, "idp_cert.pem")),
+		Key:         mustParsePrivateKey(golden.Get(t, "idp_key.pem")).(*rsa.PrivateKey),
+		Logger:      logger.DefaultLogger,
+		URL:         url.URL{Scheme: "https", Host: "idp.example.com"},
+		Store:       &MemoryStore{},
+		EntityIDConstructor: func() string {
+			return "https://idp.example.com/idp-id"
+		},
+	})
+	assert.Check(t, err)
+
+	w := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "https://idp.example.com/metadata", nil)
+	server.ServeHTTP(w, r)
+	assert.Check(t, is.Equal(http.StatusOK, w.Code))
+	assert.Check(t,
+		strings.HasPrefix(w.Body.String(), "<EntityDescriptor"),
+		w.Body.String())
+	golden.Assert(t, w.Body.String(), "http_metadata_response_with_custom_entity_id.html")
+}
diff --git a/samlidp/testdata/http_metadata_response_with_custom_entity_id.html b/samlidp/testdata/http_metadata_response_with_custom_entity_id.html
@@ -0,0 +1,25 @@
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2015-12-03T01:57:09Z" cacheDuration="PT48H" entityID="https://idp.example.com/idp-id">
+  <IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
+          <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+    </KeyDescriptor>
+    <KeyDescriptor use="encryption">
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
+          <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">MIIB7zCCAVgCCQDFzbKIp7b3MTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzELMAkGA1UECAwCR0ExDDAKBgNVBAoMA2ZvbzESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTEzMTAwMjAwMDg1MVoXDTE0MTAwMjAwMDg1MVowPDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkdBMQwwCgYDVQQKDANmb28xEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1PMHYmhZj308kWLhZVT4vOulqx/9ibm5B86fPWwUKKQ2i12MYtz07tzukPymisTDhQaqyJ8Kqb/6JjhmeMnEOdTvSPmHO8m1ZVveJU6NoKRn/mP/BD7FW52WhbrUXLSeHVSKfWkNk6S4hk9MV9TswTvyRIKvRsw0X/gfnqkroJcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMMlIO+GNcGekevKgkakpMdAqJfs24maGb90DvTLbRZRD7Xvn1MnVBBS9hzlXiFLYOInXACMW5gcoRFfeTQLSouMM8o57h0uKjfTmuoWHLQLi6hnF+cvCsEFiJZ4AbF+DgmO6TarJ8O05t8zvnOwJlNCASPZRH/JmF8tX0hoHuAQ==</X509Certificate>
+        </X509Data>
+      </KeyInfo>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod>
+      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
+    </KeyDescriptor>
+    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"></SingleSignOnService>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso"></SingleSignOnService>
+  </IDPSSODescriptor>
+</EntityDescriptor>

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ type IdentityProvider struct {`
`110`	`110`	`EntityIDConstructor EntityIDConstructor`
`111`	`111`	`}`
`112`	`112`
	`113`	`+// EntityIDConstructor is a function that returns the entityID for customization.`
`113`	`114`	`type EntityIDConstructor func() string`
`114`	`115`
`115`	`116`	`// Metadata returns the metadata structure for this identity provider.`
`@@ -337,16 +338,9 @@ func (idp IdentityProvider) ServeIDPInitiated(w http.ResponseWriter, r http.Re`
`337`	`338`	`}`
`338`	`339`	`}`
`339`	`340`
`340`		`-// createDefaultEntityIDConstructor creates a function to return entityID from metadataURL.`
`341`		`-func createDefaultEntityIDConstructor(metadataURL url.URL) func() string {`
`342`		`- return func() string {`
`343`		`- return metadataURL.String()`
`344`		`- }`
`345`		`-}`
`346`		`-`
`347`	`341`	`func (idp *IdentityProvider) getEntityID() string {`
`348`	`342`	`if idp.EntityIDConstructor == nil {`
`349`		`- return createDefaultEntityIDConstructor(idp.MetadataURL)()`
	`343`	`+ return idp.MetadataURL.String()`
`350`	`344`	`}`
`351`	`345`	`return idp.EntityIDConstructor()`
`352`	`346`	`}`