(t *tst.T)
| 20 | const samlTestNextKey = "MIIEowIBAAKCAQEAt7dS8iM5MsQ+1mVkNpoaUnL8BCdxSrSx8jsSnvqN/GIJ4ipqbdrTgLpFVklVTqfaa5CykGVEV577l6AWkpkm2p7SvSkCQglmyAMMjY9glmztytAnfBpm+cQ6ZVTHC4XKlUG1aJigEuXPcZUU3FiBHWEuV2huYy2bLOtIY1v9N0i2v61QCdG+SM/Yb5t86KzApRl7VyHqquge6vvRuchfF0msv/2LW32hwxg3Gt4zkAF0SJqCCcfAPZ9pQwmbdUhoX16dRFU98nyIvuR8LH/wONZe/YyywFFHDEwkFa4XEzjCEm+AD+xvK7eEu55w21xB8JKMLEBy8uRuI3bIEG4pawIDAQABAoIBADw4IT4xgYw8e4R3U7P6K2qfOjB6ZU5hkHqgFmh6JJR35ll2IdDEi9OEOzofa5EOwC/GDGH8b7xw5nM7DGsdPHko2lca3BydTE1/glvchYKJTiDOvkKVvO9d/O4+Lch/IHpwQXB5pu7K2YaXoXDgqeHhevk3yAdGabj9norDGmtGIeU/x1hialKbw6L080CdbxpjeAsM/w+G/VtwvyOKYFBYxBflRW+sS8UeclVqKRAvaXKd1JGleWzH3hFZyFI54x5LyyjPI1JyVXRjNbf8xcS6eRaN849grL1+wBxEs/lQFn4JLhAcNi912iJ3lhxvkNleXZw7B7JAM8x4wUbK7zECgYEA6SYmu3YH8XuLUfT8MMCp+ETjPkNMOJGQmTXOkW6zuXP3J8iCPIxtuz09cGIro+yJU23yPUzOVCDZMmnMWBmkoTKAFoFL9TX0Eyqn/t1MD77i3NdkMp16yI5fwOO6yX1bZgLiG00W2E5/IGgNfTtEafU/mre95JBnTgxS3sAvz8UCgYEAybjfBVt+1X0vSVAGKYHI9wtzoSx3dIGE8G5LIchPTdNDZ0ke0QCRffhyCGKy6bPos0P2z5nLgWSePBPZQowpwZiQVXdWE05ID641E2zGULdYL1yVHDt6tVTpSzTAy89BiS1G8HvgpQyaBTmvmF11Fyd/YbrDxEIHN+qQdDkM928CgYEA4lJ4ksz21QF6sqpADQtZc3lbplspqFgVp8RFq4Nsz3+00lefpSskcff2phuGBXBdtjEqTzs5pwzkCj4NcRAjcZ9WG4KTu4sOTXTA83TamwZPrtUfnMqmH/2lEdd+wI0BpjryRlJE9ODuIwUe4wwfU0QQ5B2tJizPO0JXR4gEYYkCgYBzqidm4QGm1DLq7JG79wkObmiMv/x2t1VMr1ExO7QNQdfiP1EGMjc6bdyk5kMEMf5527yHaP4BYXpBpHfs6oV+1kXcW6LlSvuS0iboznQgECDmd0WgfJJtqxRh5QuvUVWYnHeSqNU0jjc6S8tdqCjdb+5gUUCzJdERxNOzcIr4zQKBgAqcBQwlWy0PdlZ06JhJUYlwX1pOU8mWPz9LIF0wrSm9LEtAl37zZJaD3uscvk/fCixAGHOktkDGVO7aUYIAlX9iD49huGkeRTn9tz7Wanw6am04Xj0y7H1oPPV7k5nJ4s9AOWq/gkZEhrRIis2anAczsx1YHSjq/M05+AbuRzvs" |
| 21 | |
| 22 | func TestSAMLMetadataWithAPI(t *tst.T) { |
| 23 | config, err := confload.LoadGlobal(apiTestConfig) |
| 24 | require.NoError(t, err) |
| 25 | config.API.ExternalURL = "https://projectref.supabase.co/auth/v1/" |
| 26 | config.SAML.Enabled = true |
| 27 | config.SAML.PrivateKey = samlTestPrimaryKey |
| 28 | config.API.MaxRequestDuration = 5 * time.Second |
| 29 | |
| 30 | require.NoError(t, config.ApplyDefaults()) |
| 31 | require.NoError(t, config.SAML.PopulateFields(config.API.ExternalURL)) |
| 32 | |
| 33 | require.NotNil(t, config.SAML.Certificate) |
| 34 | |
| 35 | api := NewAPI(config, nil) |
| 36 | |
| 37 | // Setup request |
| 38 | req := httptest.NewRequest(http.MethodGet, "http://localhost/sso/saml/metadata", nil) |
| 39 | |
| 40 | w := httptest.NewRecorder() |
| 41 | api.handler.ServeHTTP(w, req) |
| 42 | require.Equal(t, w.Code, http.StatusOK) |
| 43 | |
| 44 | metadata := saml.EntityDescriptor{} |
| 45 | require.NoError(t, xml.Unmarshal(w.Body.Bytes(), &metadata)) |
| 46 | |
| 47 | require.Equal(t, metadata.EntityID, "https://projectref.supabase.co/auth/v1/sso/saml/metadata") |
| 48 | require.Equal(t, len(metadata.SPSSODescriptors), 1) |
| 49 | |
| 50 | require.Nil(t, metadata.SPSSODescriptors[0].AuthnRequestsSigned) |
| 51 | require.True(t, *(metadata.SPSSODescriptors[0].WantAssertionsSigned)) |
| 52 | |
| 53 | require.Equal(t, len(metadata.SPSSODescriptors[0].AssertionConsumerServices), 2) |
| 54 | require.Equal(t, metadata.SPSSODescriptors[0].AssertionConsumerServices[0].Location, "https://projectref.supabase.co/auth/v1/sso/saml/acs") |
| 55 | require.Equal(t, metadata.SPSSODescriptors[0].AssertionConsumerServices[1].Location, "https://projectref.supabase.co/auth/v1/sso/saml/acs") |
| 56 | require.Equal(t, len(metadata.SPSSODescriptors[0].SingleLogoutServices), 1) |
| 57 | require.Equal(t, metadata.SPSSODescriptors[0].SingleLogoutServices[0].Location, "https://projectref.supabase.co/auth/v1/sso/saml/slo") |
| 58 | |
| 59 | require.Equal(t, len(metadata.SPSSODescriptors[0].KeyDescriptors), 1) |
| 60 | require.Equal(t, metadata.SPSSODescriptors[0].KeyDescriptors[0].Use, "signing") |
| 61 | |
| 62 | require.Equal(t, len(metadata.SPSSODescriptors[0].NameIDFormats), 2) |
| 63 | require.Equal(t, metadata.SPSSODescriptors[0].NameIDFormats[0], saml.EmailAddressNameIDFormat) |
| 64 | require.Equal(t, metadata.SPSSODescriptors[0].NameIDFormats[1], saml.PersistentNameIDFormat) |
| 65 | } |
| 66 | |
| 67 | // newSAMLTestAPI builds a minimal API with SAML enabled using the given key(s). |
| 68 | func newSAMLTestAPI(t *tst.T, primaryKey, nextKey string, allowEncrypted bool) (*API, error) { |
nothing calls this directly
no test coverage detected