From 19003c25d4d81f559cbe71f11bfe5f78897b6336 Mon Sep 17 00:00:00 2001
From: Johan Kromhout
Date: Mon, 4 May 2026 15:27:43 +0200
Subject: [PATCH] Add key rollover test

Prior to this change, there was no specific test that asserted using the key:rollover URL results in a response that is signed with the rollover certificate. This change asserts the response contains the rollover certificate.

Resolves #1759
---
 .../Application/FunctionalTestDiContainer.php | 4 ++++
 .../Features/Context/EngineBlockContext.php | 15 +++++++++++++++
 .../Features/Context/MinkContext.php | 4 ++++
 .../Features/UnsolicitedSingleSignOn.feature | 11 +++++++++++
 4 files changed, 34 insertions(+)

diff --git a/library/EngineBlock/Application/FunctionalTestDiContainer.php b/library/EngineBlock/Application/FunctionalTestDiContainer.php
index 933bef68fd..7f8f06407b 100644
--- a/library/EngineBlock/Application/FunctionalTestDiContainer.php
+++ b/library/EngineBlock/Application/FunctionalTestDiContainer.php
@@ -79,6 +79,10 @@ public function getEncryptionKeysConfiguration()
 'publicFile' => '/config/engine/engineblock.crt',
 'privateFile' => $basePath . '/ci/qa-config/files/engineblock.pem',
 ],
+ 'rollover' => [
+ 'publicFile' => $basePath . '/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/keys/rolled-over.crt',
+ 'privateFile' => $basePath . '/src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/keys/rolled-over.key',
+ ],
 ];
 }
 }
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/EngineBlockContext.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/EngineBlockContext.php
index 27e952568e..7e94d564b0 100644
--- a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/EngineBlockContext.php
+++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/EngineBlockContext.php
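Review bot: The new `'rollover'` array key is the key id that the `key:rollover` URL named in the commit message and the `"rollover"` signing-key step in UnsolicitedSingleSignOn.feature must both match, but nothing in the configuration says so; a one-line comment would keep the three places from drifting, e.g. `// Key id selected by the key:rollover unsolicited URL (see UnsolicitedSingleSignOn.feature)`. The new entry also resolves `publicFile` under `$basePath` while the default entry above uses the bare `'/config/engine/engineblock.crt'`; if that asymmetry is intentional (mounted default key vs. bundle-fixture rollover key) it is worth a word, because a reader will otherwise suspect a missing prefix. `getEncryptionKeysConfiguration()` starts outside the hunk.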
@@ -47,6 +47,7 @@
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects) Due to all integration specific features
 * @SuppressWarnings(PHPMD.ExcessivePublicCount) Both set up and tasks can be a lot...
 * @SuppressWarnings(PHPMD.TooManyFields) Both set up and tasks can be a lot...
+ * @SuppressWarnings(PHPMD.ExcessiveClassLength) Both set up and tasks can be a lot...
 */
 class EngineBlockContext extends AbstractSubContext
 {
@@ -323,6 +324,20 @@ public function anIdpInitiatedSingleSignOnForSpIsTriggeredByIdPWithInvalidSignin
 );
 }
 
+ /**
+ * @Given /^An IdP initiated Single Sign on for SP "([^"]*)" is triggered by IdP "([^"]*)" and specifies the "([^"]*)" signing key$/
+ */
+ public function anIdpInitiatedSingleSignOnForSpIsTriggeredByIdPWithNamedSigningKey($spName, $idpName, $keyId)
+ {
+ $mockSp = $this->mockSpRegistry->get($spName);
+ $mockIdP = $this->mockIdpRegistry->get($idpName);
+
+ $mink = $this->getMinkContext();
+ $mink->visit(
+ $this->engineBlock->unsolicitedLocation($mockIdP->entityId(), $mockSp->entityId(), $keyId)
+ );
+ }
+
 /**
 * @Given /^An IdP initiated Single Sign on for SP "([^"]*)" is incorrectly triggered by IdP "([^"]*)"$/
 */
diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MinkContext.php b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MinkContext.php
index 06c584c386..aeda6334f6 100644
--- a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MinkContext.php
+++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MinkContext.php
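Review bot: The new step method `anIdpInitiatedSingleSignOnForSpIsTriggeredByIdPWithNamedSigningKey` carries only the `@Given` pattern, so what `$keyId` is — the key id under which a signing key pair is configured (`'rollover'` in FunctionalTestDiContainer) and which, per the commit message, selects the `key:rollover` form of the unsolicited URL — is left to the reader; a docblock line such as `@param string $keyId Key id from the encryption keys configuration, passed as the key:<id> segment of the unsolicited URL` would settle it. The body looks like a copy of the sibling unsolicited-login steps that also call `unsolicitedLocation()`, differing only in the third argument; if a sibling passes the same two entity ids, it could delegate to this one with a default key id, though those siblings are outside the hunk and I cannot confirm their bodies. The `@SuppressWarnings(PHPMD.ExcessiveClassLength)` added in the preceding hunk is a sign the context class keeps growing; a separate context for signing-key scenarios may be the better home for steps like this.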
@@ -70,6 +70,8 @@ public function theResponseShouldMatchXpath($xpath) $xpathObj->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata'); $xpathObj->registerNamespace('mdui', Common::NS); $xpathObj->registerNamespace('shibmd', Scope::NS); + $xpathObj->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol'); + $xpathObj->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); $nodeList = $xpathObj->query($xpath); if (!$nodeList || $nodeList->length === 0) { @@ -205,6 +207,8 @@ public function theResponseShouldNotMatchXpath($xpath) $xpathObj->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS); $xpathObj->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata'); $xpathObj->registerNamespace('mdui', Common::NS); + $xpathObj->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol'); + $xpathObj->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion'); $nodeList = $xpathObj->query($xpath); if ($nodeList && $nodeList->length > 0) { diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOn.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOn.feature index 49cfebe50e..986459f2ae 100644 --- a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOn.feature +++ b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/UnsolicitedSingleSignOn.feature 
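Review bot: The `samlp` and `saml` prefixes are now registered in two places with the same literal URIs, and the two lists already differ (the visible context of the second hunk at `@@ -205,6 +207,8 @@` shows no `shibmd` registration), so the next prefix added is likely to land in only one of `theResponseShouldMatchXpath` and `theResponseShouldNotMatchXpath`; moving the `registerNamespace()` calls into one private helper that both methods call keeps the positive and negative xpath steps matching against the same namespace set. Registering `shibmd` in the negative step as well is harmless and is the point of sharing the list. Neither method is fully visible here, so the helper below assumes `$xpathObj` is the `DOMXPath` instance each method builds before the registrations.
```php
    private function registerSamlNamespaces(DOMXPath $xpathObj): void
    {
        $xpathObj->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);
        $xpathObj->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
        $xpathObj->registerNamespace('mdui', Common::NS);
        $xpathObj->registerNamespace('shibmd', Scope::NS);
        $xpathObj->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
        $xpathObj->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
    }

    // … in theResponseShouldMatchXpath() and theResponseShouldNotMatchXpath(), replacing the registerNamespace() calls …
        $this->registerSamlNamespaces($xpathObj);
```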
@@ -25,6 +25,17 @@ Feature:
 And I give my consent
 And I pass through EngineBlock
 Then the url should match "functional-testing/Dummy%20SP/acs"
+ And the response should match xpath '//ds:X509Certificate[starts-with(.,"MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNVBAMT")]'
+
+ Scenario: An IdP initiates a login with the rollover signing key
+ When An IdP initiated Single Sign on for SP "Dummy SP" is triggered by IdP "Dummy IdP" and specifies the "rollover" signing key
+ And I pass through EngineBlock
+ And I pass through the IdP
+ And I give my consent
+ And I pass through EngineBlock
+ Then the url should match "functional-testing/Dummy%20SP/acs"
+ # See src/OpenConext/EngineBlockFunctionalTestingBundle/Resources/keys/rolled-over.crt
+ And the response should match xpath '//ds:X509Certificate[starts-with(.,"MIIDhTCCAm2gAwIBAgIJALJlbT5u9cXzMA0GCSqG")]'
 
 # Should result in a generic 500 error, the logs specify the problem in greater detail.
 Scenario: An IdP initiates a login with an SP identity id query parameter
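Review bot: The rollover scenario's final assertion, `//ds:X509Certificate[starts-with(.,"MIIDhTCC…")]`, passes as soon as the rollover certificate appears in any `ds:X509Certificate` element of the response, so a response that still embeds the default certificate next to it (one signature per key, or the wrong key on the Response and the right one on the Assertion) would pass too. Two small additions make the scenario assert what the commit message claims: anchor the xpath with the `samlp` prefix the MinkContext change registers, e.g. `'//samlp:Response/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate[starts-with(.,"MIIDhTCCAm2gAwIBAgIJALJlbT5u9cXzMA0GCSqG")]'`, and add the negative counterpart `And the response should not match xpath '//ds:X509Certificate[starts-with(.,"MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNVBAMT")]'` (the `theResponseShouldNotMatchXpath` step, whose exact phrasing I infer from the method name) so the default key is shown not to be in use. The `# See …rolled-over.crt` pointer is helpful; the assertion added to the first scenario deserves a matching `# See the default 'publicFile' in FunctionalTestDiContainer::getEncryptionKeysConfiguration()` comment. As written, neither scenario uses the `samlp`/`saml` prefixes, so those registrations are dead unless another feature relies on them.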