icn_saml_idp 0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/Gemfile +2 -0
- data/LICENSE +22 -0
- data/README.md +238 -0
- data/app/controllers/saml_idp/idp_controller.rb +53 -0
- data/app/views/saml_idp/idp/new.html.erb +22 -0
- data/app/views/saml_idp/idp/saml_post.html.erb +14 -0
- data/lib/saml_idp.rb +92 -0
- data/lib/saml_idp/algorithmable.rb +19 -0
- data/lib/saml_idp/assertion_builder.rb +172 -0
- data/lib/saml_idp/attribute_decorator.rb +27 -0
- data/lib/saml_idp/attributeable.rb +24 -0
- data/lib/saml_idp/configurator.rb +48 -0
- data/lib/saml_idp/controller.rb +128 -0
- data/lib/saml_idp/default.rb +49 -0
- data/lib/saml_idp/encryptor.rb +86 -0
- data/lib/saml_idp/engine.rb +5 -0
- data/lib/saml_idp/hashable.rb +26 -0
- data/lib/saml_idp/incoming_metadata.rb +144 -0
- data/lib/saml_idp/logout_builder.rb +42 -0
- data/lib/saml_idp/logout_request_builder.rb +34 -0
- data/lib/saml_idp/logout_response_builder.rb +35 -0
- data/lib/saml_idp/metadata_builder.rb +160 -0
- data/lib/saml_idp/name_id_formatter.rb +68 -0
- data/lib/saml_idp/persisted_metadata.rb +10 -0
- data/lib/saml_idp/request.rb +180 -0
- data/lib/saml_idp/response_builder.rb +62 -0
- data/lib/saml_idp/saml_response.rb +79 -0
- data/lib/saml_idp/service_provider.rb +76 -0
- data/lib/saml_idp/signable.rb +131 -0
- data/lib/saml_idp/signature_builder.rb +42 -0
- data/lib/saml_idp/signed_info_builder.rb +88 -0
- data/lib/saml_idp/version.rb +4 -0
- data/lib/saml_idp/xml_security.rb +181 -0
- data/saml_idp.gemspec +65 -0
- data/spec/acceptance/acceptance_helper.rb +9 -0
- data/spec/acceptance/idp_controller_spec.rb +16 -0
- data/spec/lib/saml_idp/algorithmable_spec.rb +48 -0
- data/spec/lib/saml_idp/assertion_builder_spec.rb +106 -0
- data/spec/lib/saml_idp/attribute_decorator_spec.rb +53 -0
- data/spec/lib/saml_idp/configurator_spec.rb +43 -0
- data/spec/lib/saml_idp/controller_spec.rb +94 -0
- data/spec/lib/saml_idp/encryptor_spec.rb +27 -0
- data/spec/lib/saml_idp/logout_request_builder_spec.rb +41 -0
- data/spec/lib/saml_idp/logout_response_builder_spec.rb +41 -0
- data/spec/lib/saml_idp/metadata_builder_spec.rb +19 -0
- data/spec/lib/saml_idp/name_id_formatter_spec.rb +42 -0
- data/spec/lib/saml_idp/request_spec.rb +106 -0
- data/spec/lib/saml_idp/response_builder_spec.rb +42 -0
- data/spec/lib/saml_idp/saml_response_spec.rb +68 -0
- data/spec/lib/saml_idp/service_provider_spec.rb +27 -0
- data/spec/lib/saml_idp/signable_spec.rb +77 -0
- data/spec/lib/saml_idp/signature_builder_spec.rb +19 -0
- data/spec/lib/saml_idp/signed_info_builder_spec.rb +25 -0
- data/spec/rails_app/.gitignore +15 -0
- data/spec/rails_app/README.rdoc +261 -0
- data/spec/rails_app/Rakefile +7 -0
- data/spec/rails_app/app/assets/images/rails.png +0 -0
- data/spec/rails_app/app/assets/javascripts/application.js +15 -0
- data/spec/rails_app/app/assets/stylesheets/application.css +13 -0
- data/spec/rails_app/app/controllers/application_controller.rb +3 -0
- data/spec/rails_app/app/controllers/saml_controller.rb +8 -0
- data/spec/rails_app/app/controllers/saml_idp_controller.rb +11 -0
- data/spec/rails_app/app/helpers/application_helper.rb +2 -0
- data/spec/rails_app/app/mailers/.gitkeep +0 -0
- data/spec/rails_app/app/models/.gitkeep +0 -0
- data/spec/rails_app/app/views/layouts/application.html.erb +14 -0
- data/spec/rails_app/config.ru +4 -0
- data/spec/rails_app/config/application.rb +60 -0
- data/spec/rails_app/config/boot.rb +6 -0
- data/spec/rails_app/config/database.yml +25 -0
- data/spec/rails_app/config/environment.rb +5 -0
- data/spec/rails_app/config/environments/development.rb +37 -0
- data/spec/rails_app/config/environments/production.rb +67 -0
- data/spec/rails_app/config/environments/test.rb +37 -0
- data/spec/rails_app/config/initializers/backtrace_silencers.rb +7 -0
- data/spec/rails_app/config/initializers/inflections.rb +15 -0
- data/spec/rails_app/config/initializers/mime_types.rb +5 -0
- data/spec/rails_app/config/initializers/secret_token.rb +7 -0
- data/spec/rails_app/config/initializers/session_store.rb +8 -0
- data/spec/rails_app/config/initializers/wrap_parameters.rb +14 -0
- data/spec/rails_app/config/locales/en.yml +5 -0
- data/spec/rails_app/config/routes.rb +6 -0
- data/spec/rails_app/db/seeds.rb +7 -0
- data/spec/rails_app/doc/README_FOR_APP +2 -0
- data/spec/rails_app/lib/assets/.gitkeep +0 -0
- data/spec/rails_app/lib/tasks/.gitkeep +0 -0
- data/spec/rails_app/log/.gitkeep +0 -0
- data/spec/rails_app/public/404.html +26 -0
- data/spec/rails_app/public/422.html +26 -0
- data/spec/rails_app/public/500.html +25 -0
- data/spec/rails_app/public/favicon.ico +0 -0
- data/spec/rails_app/public/index.html +241 -0
- data/spec/rails_app/public/robots.txt +5 -0
- data/spec/rails_app/script/rails +6 -0
- data/spec/rails_app/test/fixtures/.gitkeep +0 -0
- data/spec/rails_app/test/functional/.gitkeep +0 -0
- data/spec/rails_app/test/integration/.gitkeep +0 -0
- data/spec/rails_app/test/performance/browsing_test.rb +12 -0
- data/spec/rails_app/test/test_helper.rb +13 -0
- data/spec/rails_app/test/unit/.gitkeep +0 -0
- data/spec/rails_app/vendor/assets/javascripts/.gitkeep +0 -0
- data/spec/rails_app/vendor/assets/stylesheets/.gitkeep +0 -0
- data/spec/rails_app/vendor/plugins/.gitkeep +0 -0
- data/spec/spec_helper.rb +49 -0
- data/spec/support/certificates/certificate1 +12 -0
- data/spec/support/certificates/r1_certificate2_base64 +1 -0
- data/spec/support/responses/adfs_response_sha1.xml +46 -0
- data/spec/support/responses/adfs_response_sha256.xml +46 -0
- data/spec/support/responses/adfs_response_sha384.xml +46 -0
- data/spec/support/responses/adfs_response_sha512.xml +46 -0
- data/spec/support/responses/logoutresponse_fixtures.rb +67 -0
- data/spec/support/responses/no_signature_ns.xml +48 -0
- data/spec/support/responses/open_saml_response.xml +56 -0
- data/spec/support/responses/r1_response6.xml.base64 +1 -0
- data/spec/support/responses/response1.xml.base64 +1 -0
- data/spec/support/responses/response2.xml.base64 +79 -0
- data/spec/support/responses/response3.xml.base64 +66 -0
- data/spec/support/responses/response4.xml.base64 +93 -0
- data/spec/support/responses/response5.xml.base64 +102 -0
- data/spec/support/responses/response_with_ampersands.xml +139 -0
- data/spec/support/responses/response_with_ampersands.xml.base64 +93 -0
- data/spec/support/responses/simple_saml_php.xml +71 -0
- data/spec/support/responses/starfield_response.xml.base64 +1 -0
- data/spec/support/responses/wrapped_response_2.xml.base64 +150 -0
- data/spec/support/saml_request_macros.rb +38 -0
- data/spec/support/security_helpers.rb +61 -0
- data/spec/xml_security_spec.rb +137 -0
- metadata +465 -0
data/saml_idp.gemspec
ADDED
@@ -0,0 +1,65 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
$:.push File.expand_path("../lib", __FILE__)
|
3
|
+
require "saml_idp/version"
|
4
|
+
|
5
|
+
Gem::Specification.new do |s|
|
6
|
+
s.name = %q{icn_saml_idp}
|
7
|
+
s.version = SamlIdp::VERSION
|
8
|
+
s.platform = Gem::Platform::RUBY
|
9
|
+
s.authors = ["Jon Phenow"]
|
10
|
+
s.email = %q{jon.phenow@sportngin.com}
|
11
|
+
s.homepage = %q{http://github.com/icapitalnetwork/saml_idp}
|
12
|
+
s.summary = %q{SAML Indentity Provider in ruby}
|
13
|
+
s.description = %q{SAML IdP (Identity Provider) library in ruby}
|
14
|
+
s.date = Time.now.utc.strftime("%Y-%m-%d")
|
15
|
+
s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
|
16
|
+
"LICENSE",
|
17
|
+
"README.md",
|
18
|
+
"Gemfile",
|
19
|
+
"saml_idp.gemspec"
|
20
|
+
]
|
21
|
+
s.required_ruby_version = '>= 2.2'
|
22
|
+
s.license = "LICENSE"
|
23
|
+
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
|
24
|
+
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
|
25
|
+
s.require_paths = ["lib"]
|
26
|
+
s.rdoc_options = ["--charset=UTF-8"]
|
27
|
+
|
28
|
+
s.post_install_message = <<-INST
|
29
|
+
If you're just recently updating saml_idp - please be aware we've changed the default
|
30
|
+
certificate. See the PR and a description of why we've done this here:
|
31
|
+
https://github.com/sportngin/saml_idp/pull/29
|
32
|
+
|
33
|
+
If you just need to see the certificate `bundle open saml_idp` and go to
|
34
|
+
`lib/saml_idp/default.rb`
|
35
|
+
|
36
|
+
Similarly, please see the README about certificates - you should avoid using the
|
37
|
+
defaults in a Production environment. Post any issues you to github.
|
38
|
+
|
39
|
+
** New in Version 0.3.0 **
|
40
|
+
|
41
|
+
Encrypted Assertions require the xmlenc gem. See the example in the Controller
|
42
|
+
section of the README.
|
43
|
+
|
44
|
+
** New in Version 0.4.1 **
|
45
|
+
|
46
|
+
Some standards were not being followed, so the repo was forked to increase compliance.
|
47
|
+
|
48
|
+
INST
|
49
|
+
|
50
|
+
s.add_dependency('activesupport', '>= 3.2')
|
51
|
+
s.add_dependency('uuid', '~> 2.3')
|
52
|
+
s.add_dependency('builder', '~> 3.0')
|
53
|
+
s.add_dependency('httparty', '~> 0.14')
|
54
|
+
s.add_dependency('nokogiri', '>= 1.6.2')
|
55
|
+
|
56
|
+
s.add_development_dependency('rake', '~> 10.4.2')
|
57
|
+
s.add_development_dependency('simplecov', '~> 0.12')
|
58
|
+
s.add_development_dependency('rspec', '~> 2.5')
|
59
|
+
s.add_development_dependency('ruby-saml', '~> 1.3')
|
60
|
+
s.add_development_dependency('rails', '~> 3.2')
|
61
|
+
s.add_development_dependency('capybara', '~> 2.11.0')
|
62
|
+
s.add_development_dependency('timecop', '~> 0.8')
|
63
|
+
s.add_development_dependency('xmlenc', '>= 0.6.4')
|
64
|
+
end
|
65
|
+
|
@@ -0,0 +1,9 @@
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + "/../spec_helper")
|
2
|
+
require 'capybara/rspec'
|
3
|
+
|
4
|
+
# Put your acceptance spec helpers inside /spec/acceptance/support
|
5
|
+
Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
|
6
|
+
|
7
|
+
RSpec.configure do |config|
|
8
|
+
config.include Rails.application.routes.url_helpers, :type => :request
|
9
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
|
2
|
+
|
3
|
+
feature 'IdpController' do
|
4
|
+
|
5
|
+
scenario 'Login via default signup page' do
|
6
|
+
saml_request = make_saml_request("http://foo.example.com/saml/consume")
|
7
|
+
visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
|
8
|
+
fill_in 'Email', :with => "foo@example.com"
|
9
|
+
fill_in 'Password', :with => "okidoki"
|
10
|
+
click_button 'Sign in'
|
11
|
+
click_button 'Submit' # simulating onload
|
12
|
+
current_url.should == 'http://foo.example.com/saml/consume'
|
13
|
+
page.should have_content "foo@example.com"
|
14
|
+
end
|
15
|
+
|
16
|
+
end
|
@@ -0,0 +1,48 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
module SamlIdp
|
3
|
+
describe "Algorithmable" do
|
4
|
+
include Algorithmable
|
5
|
+
|
6
|
+
describe "named raw algorithm" do
|
7
|
+
def raw_algorithm
|
8
|
+
:sha256
|
9
|
+
end
|
10
|
+
|
11
|
+
it "finds algorithm class" do
|
12
|
+
algorithm.should == OpenSSL::Digest::SHA256
|
13
|
+
end
|
14
|
+
|
15
|
+
it "finds the name" do
|
16
|
+
algorithm_name.should == "sha256"
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
describe "class raw algorithm" do
|
21
|
+
def raw_algorithm
|
22
|
+
OpenSSL::Digest::SHA512
|
23
|
+
end
|
24
|
+
|
25
|
+
it "finds algorithm class" do
|
26
|
+
algorithm.should == OpenSSL::Digest::SHA512
|
27
|
+
end
|
28
|
+
|
29
|
+
it "finds the name" do
|
30
|
+
algorithm_name.should == "sha512"
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe "nonexistent raw algorithm" do
|
35
|
+
def raw_algorithm
|
36
|
+
:sha1024
|
37
|
+
end
|
38
|
+
|
39
|
+
it "finds algorithm class" do
|
40
|
+
algorithm.should == OpenSSL::Digest::SHA1
|
41
|
+
end
|
42
|
+
|
43
|
+
it "finds the name" do
|
44
|
+
algorithm_name.should == "sha1"
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
@@ -0,0 +1,106 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
module SamlIdp
|
3
|
+
describe AssertionBuilder do
|
4
|
+
let(:reference_id) { "abc" }
|
5
|
+
let(:issuer_uri) { "http://sportngin.com" }
|
6
|
+
let(:name_id) { "jon.phenow@sportngin.com" }
|
7
|
+
let(:audience_uri) { "http://example.com" }
|
8
|
+
let(:saml_request_id) { "123" }
|
9
|
+
let(:saml_acs_url) { "http://saml.acs.url" }
|
10
|
+
let(:algorithm) { :sha256 }
|
11
|
+
let(:authn_context_classref) {
|
12
|
+
Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
|
13
|
+
}
|
14
|
+
let(:expiry) { 3*60*60 }
|
15
|
+
let (:encryption_opts) do
|
16
|
+
{
|
17
|
+
cert: Default::X509_CERTIFICATE,
|
18
|
+
block_encryption: 'aes256-cbc',
|
19
|
+
key_transport: 'rsa-oaep-mgf1p',
|
20
|
+
}
|
21
|
+
end
|
22
|
+
subject { described_class.new(
|
23
|
+
reference_id,
|
24
|
+
issuer_uri,
|
25
|
+
name_id,
|
26
|
+
audience_uri,
|
27
|
+
saml_request_id,
|
28
|
+
saml_acs_url,
|
29
|
+
algorithm,
|
30
|
+
authn_context_classref,
|
31
|
+
expiry
|
32
|
+
) }
|
33
|
+
|
34
|
+
context "No Request ID" do
|
35
|
+
let(:saml_request_id) { nil }
|
36
|
+
|
37
|
+
it "builds a legit raw XML file" do
|
38
|
+
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
39
|
+
subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
44
|
+
it "builds a legit raw XML file" do
|
45
|
+
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
46
|
+
subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
describe "without attributes" do
|
51
|
+
let(:config) { SamlIdp::Configurator.new }
|
52
|
+
before do
|
53
|
+
config.name_id.formats = {
|
54
|
+
"1.1" => {
|
55
|
+
email_address: ->(p) { "foo@example.com" }
|
56
|
+
}
|
57
|
+
}
|
58
|
+
SamlIdp.stub(config: config)
|
59
|
+
end
|
60
|
+
|
61
|
+
it "doesn't include attribute statement" do
|
62
|
+
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
63
|
+
subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
|
64
|
+
end
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
describe "with principal.asserted_attributes" do
|
69
|
+
it "delegates attributes to principal" do
|
70
|
+
Principal = Struct.new(:email, :asserted_attributes)
|
71
|
+
principal = Principal.new('foo@example.com', { emailAddress: { getter: :email } })
|
72
|
+
builder = described_class.new(
|
73
|
+
reference_id,
|
74
|
+
issuer_uri,
|
75
|
+
principal,
|
76
|
+
audience_uri,
|
77
|
+
saml_request_id,
|
78
|
+
saml_acs_url,
|
79
|
+
algorithm,
|
80
|
+
authn_context_classref,
|
81
|
+
expiry
|
82
|
+
)
|
83
|
+
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
84
|
+
builder.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
it "builds encrypted XML" do
|
90
|
+
builder = described_class.new(
|
91
|
+
reference_id,
|
92
|
+
issuer_uri,
|
93
|
+
name_id,
|
94
|
+
audience_uri,
|
95
|
+
saml_request_id,
|
96
|
+
saml_acs_url,
|
97
|
+
algorithm,
|
98
|
+
authn_context_classref,
|
99
|
+
expiry,
|
100
|
+
encryption_opts
|
101
|
+
)
|
102
|
+
encrypted_xml = builder.encrypt
|
103
|
+
encrypted_xml.should_not match(audience_uri)
|
104
|
+
end
|
105
|
+
end
|
106
|
+
end
|
@@ -0,0 +1,53 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
module SamlIdp
|
3
|
+
describe AttributeDecorator do
|
4
|
+
subject { described_class.new name: name,
|
5
|
+
friendly_name: friendly_name,
|
6
|
+
name_format: name_format,
|
7
|
+
values: values
|
8
|
+
}
|
9
|
+
let(:name) { nil }
|
10
|
+
let(:friendly_name) { nil }
|
11
|
+
let(:name_format) { nil }
|
12
|
+
let(:values) { nil }
|
13
|
+
|
14
|
+
it "has a valid name" do
|
15
|
+
subject.name.should be_nil
|
16
|
+
end
|
17
|
+
|
18
|
+
it "has a valid friendly_name" do
|
19
|
+
subject.friendly_name.should be_nil
|
20
|
+
end
|
21
|
+
|
22
|
+
it "has a valid name_format" do
|
23
|
+
subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
|
24
|
+
end
|
25
|
+
|
26
|
+
it "has a valid values" do
|
27
|
+
subject.values.should == []
|
28
|
+
end
|
29
|
+
|
30
|
+
describe "with values set" do
|
31
|
+
let(:name) { "test" }
|
32
|
+
let(:friendly_name) { "test too" }
|
33
|
+
let(:name_format) { "some format" }
|
34
|
+
let(:values) { :val }
|
35
|
+
|
36
|
+
it "has a valid name" do
|
37
|
+
subject.name.should == name
|
38
|
+
end
|
39
|
+
|
40
|
+
it "has a valid friendly_name" do
|
41
|
+
subject.friendly_name.should == friendly_name
|
42
|
+
end
|
43
|
+
|
44
|
+
it "has a valid name_format" do
|
45
|
+
subject.name_format.should == name_format
|
46
|
+
end
|
47
|
+
|
48
|
+
it "has a valid values" do
|
49
|
+
subject.values.should == [values]
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
@@ -0,0 +1,43 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
module SamlIdp
|
3
|
+
describe Configurator do
|
4
|
+
it { should respond_to :x509_certificate }
|
5
|
+
it { should respond_to :secret_key }
|
6
|
+
it { should respond_to :algorithm }
|
7
|
+
it { should respond_to :organization_name }
|
8
|
+
it { should respond_to :organization_url }
|
9
|
+
it { should respond_to :base_saml_location }
|
10
|
+
it { should respond_to :reference_id_generator }
|
11
|
+
it { should respond_to :attribute_service_location }
|
12
|
+
it { should respond_to :single_service_post_location }
|
13
|
+
it { should respond_to :single_logout_service_post_location }
|
14
|
+
it { should respond_to :name_id }
|
15
|
+
it { should respond_to :attributes }
|
16
|
+
it { should respond_to :service_provider }
|
17
|
+
|
18
|
+
it "has a valid x509_certificate" do
|
19
|
+
subject.x509_certificate.should == Default::X509_CERTIFICATE
|
20
|
+
end
|
21
|
+
|
22
|
+
it "has a valid secret_key" do
|
23
|
+
subject.secret_key.should == Default::SECRET_KEY
|
24
|
+
end
|
25
|
+
|
26
|
+
it "has a valid algorithm" do
|
27
|
+
subject.algorithm.should == :sha1
|
28
|
+
end
|
29
|
+
|
30
|
+
it "has a valid reference_id_generator" do
|
31
|
+
subject.reference_id_generator.should respond_to :call
|
32
|
+
end
|
33
|
+
|
34
|
+
|
35
|
+
it "can call service provider finder" do
|
36
|
+
subject.service_provider.finder.should respond_to :call
|
37
|
+
end
|
38
|
+
|
39
|
+
it "can call service provider metadata persister" do
|
40
|
+
subject.service_provider.metadata_persister.should respond_to :call
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
@@ -0,0 +1,94 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require 'spec_helper'
|
3
|
+
|
4
|
+
describe SamlIdp::Controller do
|
5
|
+
include SamlIdp::Controller
|
6
|
+
|
7
|
+
def render(*)
|
8
|
+
end
|
9
|
+
|
10
|
+
def params
|
11
|
+
@params ||= {}
|
12
|
+
end
|
13
|
+
|
14
|
+
it "should find the SAML ACS URL" do
|
15
|
+
requested_saml_acs_url = "https://example.com/saml/consume"
|
16
|
+
params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
|
17
|
+
validate_saml_request
|
18
|
+
saml_acs_url.should == requested_saml_acs_url
|
19
|
+
end
|
20
|
+
|
21
|
+
context "SAML Responses" do
|
22
|
+
let(:principal) { double email_address: "foo@example.com" }
|
23
|
+
let (:encryption_opts) do
|
24
|
+
{
|
25
|
+
cert: SamlIdp::Default::X509_CERTIFICATE,
|
26
|
+
block_encryption: 'aes256-cbc',
|
27
|
+
key_transport: 'rsa-oaep-mgf1p',
|
28
|
+
}
|
29
|
+
end
|
30
|
+
|
31
|
+
context "unsolicited Response" do
|
32
|
+
it "should create a SAML Response" do
|
33
|
+
saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
|
34
|
+
response = OneLogin::RubySaml::Response.new(saml_response)
|
35
|
+
response.name_id.should == "foo@example.com"
|
36
|
+
response.issuers.first.should == "http://example.com"
|
37
|
+
response.settings = saml_settings
|
38
|
+
response.is_valid?.should be_truthy
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
context "solicited Response" do
|
43
|
+
before(:each) do
|
44
|
+
params[:SAMLRequest] = make_saml_request
|
45
|
+
validate_saml_request
|
46
|
+
end
|
47
|
+
|
48
|
+
it "should create a SAML Response" do
|
49
|
+
saml_response = encode_response(principal)
|
50
|
+
response = OneLogin::RubySaml::Response.new(saml_response)
|
51
|
+
response.name_id.should == "foo@example.com"
|
52
|
+
response.issuers.first.should == "http://example.com"
|
53
|
+
response.settings = saml_settings
|
54
|
+
response.is_valid?.should be_truthy
|
55
|
+
end
|
56
|
+
|
57
|
+
it "should create a SAML Logout Response" do
|
58
|
+
params[:SAMLRequest] = make_saml_logout_request
|
59
|
+
validate_saml_request
|
60
|
+
expect(saml_request.logout_request?).to eq true
|
61
|
+
saml_response = encode_response(principal)
|
62
|
+
response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
|
63
|
+
response.validate.should == true
|
64
|
+
response.issuer.should == "http://example.com"
|
65
|
+
end
|
66
|
+
|
67
|
+
|
68
|
+
[:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
|
69
|
+
it "should create a SAML Response using the #{algorithm_name} algorithm" do
|
70
|
+
self.algorithm = algorithm_name
|
71
|
+
saml_response = encode_response(principal)
|
72
|
+
response = OneLogin::RubySaml::Response.new(saml_response)
|
73
|
+
response.name_id.should == "foo@example.com"
|
74
|
+
response.issuers.first.should == "http://example.com"
|
75
|
+
response.settings = saml_settings
|
76
|
+
response.is_valid?.should be_truthy
|
77
|
+
end
|
78
|
+
|
79
|
+
it "should encrypt SAML Response assertion" do
|
80
|
+
self.algorithm = algorithm_name
|
81
|
+
saml_response = encode_response(principal, encryption: encryption_opts)
|
82
|
+
resp_settings = saml_settings
|
83
|
+
resp_settings.private_key = SamlIdp::Default::SECRET_KEY
|
84
|
+
response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
|
85
|
+
response.document.to_s.should_not match("foo@example.com")
|
86
|
+
response.decrypted_document.to_s.should match("foo@example.com")
|
87
|
+
response.name_id.should == "foo@example.com"
|
88
|
+
response.issuers.first.should == "http://example.com"
|
89
|
+
response.is_valid?.should be_truthy
|
90
|
+
end
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
@@ -0,0 +1,27 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
require 'saml_idp/encryptor'
|
4
|
+
|
5
|
+
module SamlIdp
|
6
|
+
describe Encryptor do
|
7
|
+
let (:encryption_opts) do
|
8
|
+
{
|
9
|
+
cert: Default::X509_CERTIFICATE,
|
10
|
+
block_encryption: 'aes256-cbc',
|
11
|
+
key_transport: 'rsa-oaep-mgf1p',
|
12
|
+
}
|
13
|
+
end
|
14
|
+
|
15
|
+
subject { described_class.new encryption_opts }
|
16
|
+
|
17
|
+
it "encrypts XML" do
|
18
|
+
raw_xml = '<foo>bar</foo>'
|
19
|
+
encrypted_xml = subject.encrypt(raw_xml)
|
20
|
+
encrypted_xml.should_not match 'bar'
|
21
|
+
encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
|
22
|
+
encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
|
23
|
+
decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
|
24
|
+
decrypted_xml.should == raw_xml
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|