ciam-es 0.0.1

data/test/settings_test.rb

@@ -0,0 +1,43 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class SettingsTest < Test::Unit::TestCase
+
+  context "Settings" do
+    setup do
+      @settings = Ciam::Saml::Settings.new
+    end
+    should "should provide getters and settings" do
+      accessors = [
+        :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
+        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
+        :idp_slo_target_url, :name_identifier_value, :sessionindex
+      ]
+
+      accessors.each do |accessor|
+        value = Kernel.rand
+        @settings.send("#{accessor}=".to_sym, value)
+        assert_equal value, @settings.send(accessor)
+      end
+    end
+
+    should "create settings from hash" do
+
+      config = {
+          :assertion_consumer_service_url => "http://app.muda.no/sso",
+          :issuer => "http://muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+      }
+      @settings = Ciam::Saml::Settings.new(config)
+
+      config.each do |k,v|
+        assert_equal v, @settings.send(k)
+      end
+    end
+
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,65 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'ruby-saml'
+
+ENV["ruby-saml/testing"] = "1"
+
+class Test::Unit::TestCase
+  def fixture(document, base64 = true)
+    response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
+    if base64 && response =~ /\.xml$/
+      Base64.encode64(File.read(response))
+    else
+      File.read(response)
+    end
+  end
+
+  def response_document
+    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
+  end
+
+  def response_document_2
+    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+  end
+
+  def response_document_3
+    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+  end
+
+  def response_document_4
+    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+  end
+
+  def response_document_5
+    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+  end
+
+  def ampersands_response
+    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+  end
+
+  def response_document_6
+    doc = Base64.decode64(response_document)
+    doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    Base64.encode64(doc)
+  end
+
+  def wrapped_response_2
+    @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
+  end
+
+  def signature_fingerprint_1
+    @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
+  end
+  
+  def signature_1
+    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+  end
+
+end

data/test/xml_security_test.rb

@@ -0,0 +1,123 @@
+require 'test_helper'
+require 'xml_security'
+
+class XmlSecurityTest < Test::Unit::TestCase
+  include XMLSecurity
+
+  context "XmlSecurity" do
+    setup do
+      @document = Ciam::XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+      @base64cert = @document.elements["//ds:X509Certificate"].text
+    end
+
+    should "should run validate without throwing NS related exceptions" do
+      assert !@document.validate_doc(@base64cert, true)
+    end
+
+    should "should run validate with throwing NS related exceptions" do
+      assert_raise(Ciam::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+    end
+    
+    should "not raise an error when softly validating the document multiple times" do
+      assert_nothing_raised do
+        2.times { @document.validate_doc(@base64cert, true) }
+      end
+    end
+
+    should "should raise Fingerprint mismatch" do
+      exception = assert_raise(Ciam::Saml::ValidationError) do
+        @document.validate("no:fi:ng:er:pr:in:t", false)
+      end
+      assert_equal("Fingerprint mismatch", exception.message)
+    end
+
+    should "should raise Digest mismatch" do
+      exception = assert_raise(Ciam::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+      assert_equal("Digest mismatch", exception.message)
+    end
+
+    should "should raise Key validation error" do
+      response = Base64.decode64(response_document)
+      response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+                    "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
+      document = Ciam::XMLSecurity::SignedDocument.new(response)
+      base64cert = document.elements["//ds:X509Certificate"].text
+      exception = assert_raise(Ciam::Saml::ValidationError) do
+        document.validate_doc(base64cert, false)
+      end
+      assert_equal("Key validation error", exception.message)
+    end
+  end
+
+  context "Algorithms" do
+    should "validate using SHA1" do
+      @document = Ciam::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA256" do
+      @document = Ciam::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+      assert @document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+    end
+
+    should "validate using SHA384" do
+      @document = Ciam::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA512" do
+      @document = Ciam::XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+  end
+  
+  context "Ciam::XmlSecurity::SignedDocument" do
+    
+    context "#extract_inclusive_namespaces" do
+      should "support explicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:open_saml_response, false)
+        document = Ciam::XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ xs ], inclusive_namespaces
+      end
+      
+      should "support implicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:no_signature_ns, false)
+        document = Ciam::XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+      end
+
+      should_eventually 'support inclusive canonicalization' do
+
+        response = Ciam::Saml::Response.new(fixture("tdnf_response.xml"))
+        response.stubs(:conditions).returns(nil)
+        assert !response.is_valid?
+        settings = Ciam::Saml::Settings.new
+        assert !response.is_valid?
+        response.settings = settings
+        assert !response.is_valid?
+        settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
+        assert response.validate!
+      end
+
+      should "return an empty list when inclusive namespace element is missing" do
+        response = fixture(:no_signature_ns, false)
+        response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+        
+        document = Ciam::XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert inclusive_namespaces.empty?
+      end
+    end
+    
+  end
+  
+end

metadata

@@ -0,0 +1,145 @@
+--- !ruby/object:Gem::Specification
+name: ciam-es
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Fabiano Pavan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-07-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: canonix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: uuid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.7.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.7.2
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.7.0
+description: 'SAML toolkit for Ruby programs to integrate with CIAM Milano '
+email: fabiano.pavan@soluzionipa.it
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".document"
+- Gemfile
+- README.md
+- ciam-es.gemspec
+- lib/ciam-es.rb
+- lib/ciam/ruby-saml/authrequest.rb
+- lib/ciam/ruby-saml/coding.rb
+- lib/ciam/ruby-saml/error_handling.rb
+- lib/ciam/ruby-saml/logging.rb
+- lib/ciam/ruby-saml/logout_request.rb
+- lib/ciam/ruby-saml/logout_response.rb
+- lib/ciam/ruby-saml/metadata.rb
+- lib/ciam/ruby-saml/request.rb
+- lib/ciam/ruby-saml/response.rb
+- lib/ciam/ruby-saml/settings.rb
+- lib/ciam/ruby-saml/utils.rb
+- lib/ciam/ruby-saml/validation_error.rb
+- lib/ciam/ruby-saml/version.rb
+- lib/ciam/xml_security.rb
+- lib/ciam/xml_security_new.rb
+- lib/schemas/saml20assertion_schema.xsd
+- lib/schemas/saml20protocol_schema.xsd
+- lib/schemas/xenc_schema.xsd
+- lib/schemas/xmldsig_schema.xsd
+- test/certificates/certificate1
+- test/logoutrequest_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb
+homepage: https://github.com/EuroServizi/ciam-es
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key: 
+specification_version: 4
+summary: SAML Ruby Tookit CIAM
+test_files: []