Add tests

ioigoume · ioigoume · commit 59df6c4932b2 · 2025-09-19T10:29:16.000+03:00
diff --git a/src/SimpleSAML/Utils/HTTP.php b/src/SimpleSAML/Utils/HTTP.php
@@ -265,7 +265,9 @@ private function redirect(string $url, array $parameters = []): void
         echo '</html>';
 
         // end script execution
-        exit;
+        if (!defined('SIMPLESAMLPHP_TEST_NOEXIT')) {
+            exit;
+        }
     }
 
 
@@ -360,7 +362,8 @@ public function checkSessionCookie(?string $retryURL = null): void
      * Check if a URL is valid and is in our list of allowed URLs.
      *
      * @param string $url The URL to check.
-     * @param string[]|null $trustedSites An optional white list of domains. If none specified, the 'trusted.url.domains'
+     * @param string[]|null $trustedSites An optional white list of domains.
+     *                                    If none specified, the 'trusted.url.domains'
      * configuration directive will be used.
      *
      * @return string The normalized URL itself if it is allowed. An empty string if the $url parameter is empty as
@@ -1096,7 +1099,9 @@ public function setCookie(string $name, ?string $value, ?array $params = null, b
                     Error\CannotSetCookie::SECURE_COOKIE,
                 );
             }
-            Logger::warning('Error setting cookie: setting secure cookie on plain HTTP (except on localhost) is not allowed.');
+            Logger::warning(
+                'Error setting cookie: setting secure cookie on plain HTTP (except on localhost) is not allowed.',
+            );
             return;
         }
 
@@ -1187,6 +1192,7 @@ public function submitPOSTData(string $destination, array $data): void
         if ($allowed && preg_match("#^http:#", $destination) && $this->isHTTPS()) {
             // we need to post the data to HTTP
             $this->redirect($this->getSecurePOSTRedirectURL($destination, $data));
+            return;
         }
 
         $p = new Template($config, 'post.twig');
@@ -1201,6 +1207,8 @@ public function submitPOSTData(string $destination, array $data): void
         $p->data['slow_post_delay_ms'] = $delay;
 
         $p->send();
-        exit(0);
+        if (!defined('SIMPLESAMLPHP_TEST_NOEXIT')) {
+            exit(0);
+        }
     }
 }
diff --git a/tests/src/SimpleSAML/Utils/HTTPTest.php b/tests/src/SimpleSAML/Utils/HTTPTest.php
@@ -18,6 +18,17 @@
 #[CoversClass(Utils\HTTP::class)]
 class HTTPTest extends ClearStateTestCase
 {
+    /**
+     * Set up the test.
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+        if (!defined('SIMPLESAMLPHP_TEST_NOEXIT')) {
+            define('SIMPLESAMLPHP_TEST_NOEXIT', true);
+        }
+    }
+
     /**
      * Set up the environment ($_SERVER) populating the typical variables from a given URL.
      *
@@ -620,4 +631,122 @@ public static function detectSameSiteProvider(): array
         ];
         // @codingStandardsIgnoreEnd
     }
+
+    /**
+     * submitPOSTData() should throw Error\Exception for an invalid destination URL.
+     */
+    public function testSubmitPOSTDataThrowsOnInvalidURL(): void
+    {
+        $httpUtils = new Utils\HTTP();
+
+        // Minimal configuration to satisfy internals; won’t be used since we fail early.
+        Configuration::loadFromArray([
+            'baseurlpath' => 'https://example.com/simplesaml/',
+        ], '[ARRAY]', 'simplesaml');
+
+        $this->expectException(Error\Exception::class);
+        $this->expectExceptionMessage('Invalid destination URL: not-a-url');
+
+        $httpUtils->submitPOSTData('not-a-url', ['a' => 'b']);
+    }
+
+
+    /**
+     * When enable.http_post = true, destination is http:// and current request is HTTPS, we must redirect.
+     * We assert a Location header is sent pointing to a postredirect URL.
+     */
+    #[Depends('testXdebugMode')]
+    #[RunInSeparateProcess]
+    public function testSubmitPOSTDataRedirectsFromHttpsToHttp(): void
+    {
+        $httpUtils = new Utils\HTTP();
+
+        // Configure base URL and allow http post.
+        Configuration::loadFromArray([
+            'baseurlpath'      => 'https://idp.example.org/simplesaml/',
+            'enable.http_post' => true,
+            'secretsalt' => 'abc',
+        ], '[ARRAY]', 'simplesaml');
+
+        // Simulate the current request being HTTPS
+        $this->setupEnvFromURL('https://idp.example.org/simplesaml/module.php/core/someaction?x=1');
+
+        // Destination is explicitly http://
+        $destination = 'http://sp.example.com/acs';
+        $post = ['SAMLResponse' => 'abc', 'RelayState' => 'xyz'];
+
+        try {
+            $httpUtils->submitPOSTData($destination, $post);
+        } catch (\Throwable $e) {
+        }
+
+        $headers = function_exists('xdebug_get_headers') ? xdebug_get_headers() : [];
+
+        // Find the Location header
+        $locationHeader = null;
+        foreach ($headers as $h) {
+            if (stripos($h, 'Location: ') === 0) {
+                $locationHeader = substr($h, 10);
+                break;
+            }
+        }
+
+        $this->assertNotNull($locationHeader, 'Expected a Location header to be sent');
+        $this->assertStringStartsWith('http://', $locationHeader, 'Location should be http://');
+        $this->assertStringContainsString('/core/postredirect', $locationHeader);
+        $this->assertTrue(
+            (str_contains($locationHeader, 'RedirInfo=')),
+            'Location should contain RedirInfo parameter',
+        );
+    }
+
+
+    /**
+     * submitPOSTData() should pass slow_post_delay_ms to the template:
+     * - default 30000 when config key missing
+     * - default 30000 when config value < 0
+     * - exact value when config value is 10000
+     */
+    #[DataProvider('slowPostDelayProvider')]
+    #[RunInSeparateProcess]
+    public function testSubmitPOSTDataSlowPostDelay(?int $configured, int $expected): void
+    {
+        $httpUtils = new Utils\HTTP();
+
+        // Base config
+        $config = [
+            'baseurlpath' => 'https://idp.example.org/simplesaml/',
+            'enable.http_post' => false,
+        ];
+        if ($configured !== null) {
+            $config['slow_post_delay_ms'] = $configured;
+        }
+        Configuration::loadFromArray($config, '[ARRAY]', 'simplesaml');
+
+        // Use https destination to bypass the http-redirect branch entirely
+        $destination = 'https://sp.example.com/acs';
+        $post = ['k' => 'v'];
+
+        // Capture output
+        ob_start();
+        try {
+            $httpUtils->submitPOSTData($destination, $post);
+        } catch (\Throwable $e) {
+        }
+        $html = ob_get_clean();
+
+        // The template writes the delay into data-slow-post-delay attribute
+        $needle = 'data-slow-post-delay="' . $expected . '"';
+        $this->assertStringContainsString($needle, $html);
+    }
+
+    public static function slowPostDelayProvider(): array
+    {
+        return [
+            // [configured, expected]
+            'missing config => default' => [null, 30000],
+            'negative config => default' => [-5, 30000],
+            'positive config 10000 => 10000' => [10000, 10000],
+        ];
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,9 @@ private function redirect(string $url, array $parameters = []): void`
`265`	`265`	`echo '</html>';`
`266`	`266`
`267`	`267`	`// end script execution`
`268`		`- exit;`
	`268`	`+ if (!defined('SIMPLESAMLPHP_TEST_NOEXIT')) {`
	`269`	`+ exit;`
	`270`	`+ }`
`269`	`271`	`}`
`270`	`272`
`271`	`273`
`@@ -360,7 +362,8 @@ public function checkSessionCookie(?string $retryURL = null): void`
`360`	`362`	`* Check if a URL is valid and is in our list of allowed URLs.`
`361`	`363`	`*`
`362`	`364`	`* @param string $url The URL to check.`
`363`		`- * @param string[]\|null $trustedSites An optional white list of domains. If none specified, the 'trusted.url.domains'`
	`365`	`+ * @param string[]\|null $trustedSites An optional white list of domains.`
	`366`	`+ * If none specified, the 'trusted.url.domains'`
`364`	`367`	`* configuration directive will be used.`
`365`	`368`	`*`
`366`	`369`	`* @return string The normalized URL itself if it is allowed. An empty string if the $url parameter is empty as`
`@@ -1096,7 +1099,9 @@ public function setCookie(string $name, ?string $value, ?array $params = null, b`
`1096`	`1099`	`Error\CannotSetCookie::SECURE_COOKIE,`
`1097`	`1100`	`);`
`1098`	`1101`	`}`
`1099`		`- Logger::warning('Error setting cookie: setting secure cookie on plain HTTP (except on localhost) is not allowed.');`
	`1102`	`+ Logger::warning(`
	`1103`	`+ 'Error setting cookie: setting secure cookie on plain HTTP (except on localhost) is not allowed.',`
	`1104`	`+ );`
`1100`	`1105`	`return;`
`1101`	`1106`	`}`
`1102`	`1107`
`@@ -1187,6 +1192,7 @@ public function submitPOSTData(string $destination, array $data): void`
`1187`	`1192`	`if ($allowed && preg_match("#^http:#", $destination) && $this->isHTTPS()) {`
`1188`	`1193`	`// we need to post the data to HTTP`
`1189`	`1194`	`$this->redirect($this->getSecurePOSTRedirectURL($destination, $data));`
	`1195`	`+ return;`
`1190`	`1196`	`}`
`1191`	`1197`
`1192`	`1198`	`$p = new Template($config, 'post.twig');`
`@@ -1201,6 +1207,8 @@ public function submitPOSTData(string $destination, array $data): void`
`1201`	`1207`	`$p->data['slow_post_delay_ms'] = $delay;`
`1202`	`1208`
`1203`	`1209`	`$p->send();`
`1204`		`- exit(0);`
	`1210`	`+ if (!defined('SIMPLESAMLPHP_TEST_NOEXIT')) {`
	`1211`	`+ exit(0);`
	`1212`	`+ }`
`1205`	`1213`	`}`
`1206`	`1214`	`}`