kl-ruby-saml 0.0.4 → 0.0.5
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/README.md +2 -2
- data/lib/{xml_security.rb → kl_xml_security.rb} +5 -5
- data/lib/onelogin/kl-ruby-saml/authrequest.rb +2 -2
- data/lib/onelogin/kl-ruby-saml/logoutrequest.rb +2 -2
- data/lib/onelogin/kl-ruby-saml/logoutresponse.rb +2 -2
- data/lib/onelogin/kl-ruby-saml/metadata.rb +1 -1
- data/lib/onelogin/kl-ruby-saml/response.rb +7 -7
- data/lib/onelogin/kl-ruby-saml/saml_message.rb +1 -1
- data/lib/onelogin/kl-ruby-saml/settings.rb +5 -5
- data/lib/onelogin/kl-ruby-saml/slo_logoutresponse.rb +2 -2
- data/lib/onelogin/kl-ruby-saml/utils.rb +1 -1
- data/lib/onelogin/kl-ruby-saml/version.rb +1 -1
- data/test/logoutrequest_test.rb +16 -16
- data/test/logoutresponse_test.rb +4 -4
- data/test/metadata_test.rb +4 -4
- data/test/request_test.rb +8 -8
- data/test/response_test.rb +3 -3
- data/test/settings_test.rb +4 -4
- data/test/slo_logoutrequest_test.rb +4 -4
- data/test/slo_logoutresponse_test.rb +16 -16
- data/test/xml_security_test.rb +41 -41
- metadata +2 -2
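--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f44b4e601309171d6735398f138704b4ff54cea2
+data.tar.gz: 525052e90ee9d5aa368972a8e1921a609f5aca2d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5094f8cd2198ebc0d0914c84325b2f13aa54ea51e766fc59ce66d5c03438b677998014d5559b5598a58467876ac7fbf95549932c802484eb7fc7729c24009230
+data.tar.gz: f3c2aa6a89a0af160d3087f86106a16d651103cae3cc2503cdfab66cec4bc1db238948abebd156b28c52827ad13a06d044fda3e2be51e63d32c0a61a81205c52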
data/Gemfile
CHANGED
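--- a/data/README.md
+++ b/data/README.md
@@ -376,8 +376,8 @@ The settings related to sign are stored in the `security` attribute of the setti
 settings.security[:logout_responses_signed] = true # Enable or not signature on Logout Response
 settings.security[:metadata_signed] = true # Enable or not signature on Metadata
 
-settings.security[:digest_method] =
-settings.security[:signature_method] =
+settings.security[:digest_method] = KlXMLSecurity::Document::SHA1
+settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
 
 # Embeded signature or HTTP GET parameter signature
 # Note that metadata signature is always embedded regardless of this value.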
@@ -31,7 +31,7 @@ require "digest/sha1"
|
|
31
31
|
require "digest/sha2"
|
32
32
|
require "onelogin/kl-ruby-saml/validation_error"
|
33
33
|
|
34
|
-
module
|
34
|
+
module KlXMLSecurity
|
35
35
|
|
36
36
|
class BaseDocument < REXML::Document
|
37
37
|
REXML::Document::entity_expansion_limit = 0
|
@@ -110,7 +110,7 @@ module XMLSecurity
|
|
110
110
|
#</Signature>
|
111
111
|
def sign_document(private_key, certificate, signature_method = RSA_SHA1, digest_method = SHA1)
|
112
112
|
noko = Nokogiri.parse(self.to_s) do |options|
|
113
|
-
options =
|
113
|
+
options = KlXMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
|
114
114
|
end
|
115
115
|
|
116
116
|
signature_element = REXML::Element.new("ds:Signature").add_namespace('ds', DSIG)
|
@@ -134,7 +134,7 @@ module XMLSecurity
|
|
134
134
|
|
135
135
|
# add SignatureValue
|
136
136
|
noko_sig_element = Nokogiri.parse(signature_element.to_s) do |options|
|
137
|
-
options =
|
137
|
+
options = KlXMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
|
138
138
|
end
|
139
139
|
|
140
140
|
noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => DSIG)
|
@@ -211,7 +211,7 @@ module XMLSecurity
|
|
211
211
|
cert = OpenSSL::X509::Certificate.new(cert_text)
|
212
212
|
|
213
213
|
if options[:fingerprint_alg]
|
214
|
-
fingerprint_alg =
|
214
|
+
fingerprint_alg = KlXMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
|
215
215
|
else
|
216
216
|
fingerprint_alg = OpenSSL::Digest::SHA1.new
|
217
217
|
end
|
@@ -233,7 +233,7 @@ module XMLSecurity
|
|
233
233
|
inclusive_namespaces = extract_inclusive_namespaces
|
234
234
|
|
235
235
|
document = Nokogiri.parse(self.to_s) do |options|
|
236
|
-
options =
|
236
|
+
options = KlXMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
|
237
237
|
end
|
238
238
|
|
239
239
|
# create a working copy so we don't modify the original
|
@@ -70,7 +70,7 @@ module OneLogin
|
|
70
70
|
:relay_state => relay_state,
|
71
71
|
:sig_alg => params['SigAlg']
|
72
72
|
)
|
73
|
-
sign_algorithm =
|
73
|
+
sign_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
74
74
|
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
75
75
|
params['Signature'] = encode(signature)
|
76
76
|
end
|
@@ -89,7 +89,7 @@ module OneLogin
|
|
89
89
|
def create_authentication_xml_doc(settings)
|
90
90
|
time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
91
91
|
|
92
|
-
request_doc =
|
92
|
+
request_doc = KlXMLSecurity::Document.new
|
93
93
|
request_doc.uuid = uuid
|
94
94
|
|
95
95
|
root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
@@ -68,7 +68,7 @@ module OneLogin
|
|
68
68
|
:relay_state => relay_state,
|
69
69
|
:sig_alg => params['SigAlg']
|
70
70
|
)
|
71
|
-
sign_algorithm =
|
71
|
+
sign_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
72
72
|
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
73
73
|
params['Signature'] = encode(signature)
|
74
74
|
end
|
@@ -87,7 +87,7 @@ module OneLogin
|
|
87
87
|
def create_logout_request_xml_doc(settings)
|
88
88
|
time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
89
89
|
|
90
|
-
request_doc =
|
90
|
+
request_doc = KlXMLSecurity::Document.new
|
91
91
|
request_doc.uuid = uuid
|
92
92
|
|
93
93
|
root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require "
|
1
|
+
require "kl_xml_security"
|
2
2
|
require "onelogin/kl-ruby-saml/saml_message"
|
3
3
|
|
4
4
|
require "time"
|
@@ -44,7 +44,7 @@ module OneLogin
|
|
44
44
|
|
45
45
|
@options = options
|
46
46
|
@response = decode_raw_saml(response)
|
47
|
-
@document =
|
47
|
+
@document = KlXMLSecurity::SignedDocument.new(@response)
|
48
48
|
end
|
49
49
|
|
50
50
|
# Append the cause to the errors array, and based on the value of soft, return false or raise
|
@@ -18,7 +18,7 @@ module OneLogin
|
|
18
18
|
# @return [String] XML Metadata of the Service Provider
|
19
19
|
#
|
20
20
|
def generate(settings, pretty_print=false)
|
21
|
-
meta_doc =
|
21
|
+
meta_doc = KlXMLSecurity::Document.new
|
22
22
|
namespaces = {
|
23
23
|
"xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
|
24
24
|
}
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require "
|
1
|
+
require "kl_xml_security"
|
2
2
|
require "onelogin/kl-ruby-saml/attributes"
|
3
3
|
|
4
4
|
require "time"
|
@@ -52,7 +52,7 @@ module OneLogin
|
|
52
52
|
end
|
53
53
|
|
54
54
|
@response = decode_raw_saml(response)
|
55
|
-
@document =
|
55
|
+
@document = KlXMLSecurity::SignedDocument.new(@response, @errors)
|
56
56
|
|
57
57
|
if assertion_encrypted?
|
58
58
|
@decrypted_document = generate_decrypted_document
|
@@ -623,7 +623,7 @@ module OneLogin
|
|
623
623
|
end
|
624
624
|
|
625
625
|
# Generates the decrypted_document
|
626
|
-
# @return [
|
626
|
+
# @return [KlXMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
|
627
627
|
#
|
628
628
|
def generate_decrypted_document
|
629
629
|
if settings.nil? || !settings.get_sp_key
|
@@ -632,7 +632,7 @@ module OneLogin
|
|
632
632
|
|
633
633
|
# Marshal at Ruby 1.8.7 throw an Exception
|
634
634
|
if RUBY_VERSION < "1.9"
|
635
|
-
document_copy =
|
635
|
+
document_copy = KlXMLSecurity::SignedDocument.new(response, errors)
|
636
636
|
else
|
637
637
|
document_copy = Marshal.load(Marshal.dump(document))
|
638
638
|
end
|
@@ -641,8 +641,8 @@ module OneLogin
|
|
641
641
|
end
|
642
642
|
|
643
643
|
# Obtains a SAML Response with the EncryptedAssertion element decrypted
|
644
|
-
# @param document_copy [
|
645
|
-
# @return [
|
644
|
+
# @param document_copy [KlXMLSecurity::SignedDocument] A copy of the original SAML Response with the encrypted assertion
|
645
|
+
# @return [KlXMLSecurity::SignedDocument] The SAML Response with the assertion decrypted
|
646
646
|
#
|
647
647
|
def decrypt_assertion_from_document(document_copy)
|
648
648
|
response_node = REXML::XPath.first(
|
@@ -657,7 +657,7 @@ module OneLogin
|
|
657
657
|
)
|
658
658
|
response_node.add(decrypt_assertion(encrypted_assertion_node))
|
659
659
|
encrypted_assertion_node.remove
|
660
|
-
|
660
|
+
KlXMLSecurity::SignedDocument.new(response_node.to_s)
|
661
661
|
end
|
662
662
|
|
663
663
|
# Checks if the SAML Response contains or not an EncryptedAssertion element
|
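Review bot: `KlXMLSecurity::SignedDocument.new(response_node.to_s)` on the new line drops the errors array that the other two constructor calls in this file pass (`SignedDocument.new(@response, @errors)` at file line 55 and `SignedDocument.new(response, errors)` at file line 635), so whatever the decrypted document records during validation presumably never reaches `Response#errors` — confirm against the constructor, which is not in this diff. If the second argument is the shared errors sink, the line should read `KlXMLSecurity::SignedDocument.new(response_node.to_s, errors)`. `decrypt_assertion_from_document` opens in the previous hunk; only its tail is visible here.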
@@ -65,7 +65,7 @@ module OneLogin
|
|
65
65
|
def valid_saml?(document, soft = true)
|
66
66
|
begin
|
67
67
|
xml = Nokogiri::XML(document.to_s) do |config|
|
68
|
-
config.options =
|
68
|
+
config.options = KlXMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
|
69
69
|
end
|
70
70
|
rescue Exception => error
|
71
71
|
return false if soft
|
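Review bot: `rescue Exception => error`, two lines below the changed line, catches `SystemExit`, `Interrupt` and `NoMemoryError` along with parse failures, so a shutdown signal during parsing becomes a quiet `false` return when `soft` is set. Nokogiri's parse errors are ordinary `StandardError` subclasses as far as I know, so `rescue StandardError => error` (or the narrower `rescue Nokogiri::XML::SyntaxError => error`) keeps the intended soft-fail behaviour without swallowing fatal exceptions. `valid_saml?` continues past the end of this hunk.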
@@ -1,4 +1,4 @@
|
|
1
|
-
require "
|
1
|
+
require "kl_xml_security"
|
2
2
|
require "onelogin/kl-ruby-saml/attribute_service"
|
3
3
|
require "onelogin/kl-ruby-saml/utils"
|
4
4
|
|
@@ -107,7 +107,7 @@ module OneLogin
|
|
107
107
|
idp_cert_fingerprint || begin
|
108
108
|
idp_cert = get_idp_cert
|
109
109
|
if idp_cert
|
110
|
-
fingerprint_alg =
|
110
|
+
fingerprint_alg = KlXMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
|
111
111
|
fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
|
112
112
|
end
|
113
113
|
end
|
@@ -145,7 +145,7 @@ module OneLogin
|
|
145
145
|
DEFAULTS = {
|
146
146
|
:assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
|
147
147
|
:single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
|
148
|
-
:idp_cert_fingerprint_algorithm =>
|
148
|
+
:idp_cert_fingerprint_algorithm => KlXMLSecurity::Document::SHA1,
|
149
149
|
:compress_request => true,
|
150
150
|
:compress_response => true,
|
151
151
|
:soft => true,
|
@@ -155,8 +155,8 @@ module OneLogin
|
|
155
155
|
:logout_responses_signed => false,
|
156
156
|
:metadata_signed => false,
|
157
157
|
:embed_sign => false,
|
158
|
-
:digest_method =>
|
159
|
-
:signature_method =>
|
158
|
+
:digest_method => KlXMLSecurity::Document::SHA1,
|
159
|
+
:signature_method => KlXMLSecurity::Document::RSA_SHA1
|
160
160
|
}.freeze,
|
161
161
|
:double_quote_xml_attribute_values => false,
|
162
162
|
}.freeze
|
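Review bot: The new default lines pin `:digest_method` to `KlXMLSecurity::Document::SHA1` and `:signature_method` to `KlXMLSecurity::Document::RSA_SHA1` without a comment, while the tests in this diff exercise `RSA_SHA256`/`SHA256` and stronger. A one-line why-comment would stop the next maintainer from reading SHA-1 as the recommended choice, e.g. `# NOTE(review): SHA-1 defaults presumably kept for IdP interoperability; prefer RSA_SHA256/SHA256 for new deployments`. Only the `security` sub-hash of `DEFAULTS` is visible here; the constant opens in the previous hunk.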
@@ -73,7 +73,7 @@ module OneLogin
|
|
73
73
|
:relay_state => relay_state,
|
74
74
|
:sig_alg => params['SigAlg']
|
75
75
|
)
|
76
|
-
sign_algorithm =
|
76
|
+
sign_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
77
77
|
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
78
78
|
params['Signature'] = encode(signature)
|
79
79
|
end
|
@@ -94,7 +94,7 @@ module OneLogin
|
|
94
94
|
def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
|
95
95
|
time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
|
96
96
|
|
97
|
-
response_doc =
|
97
|
+
response_doc = KlXMLSecurity::Document.new
|
98
98
|
response_doc.uuid = uuid
|
99
99
|
|
100
100
|
root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
@@ -70,7 +70,7 @@ module OneLogin
|
|
70
70
|
#
|
71
71
|
def self.verify_signature(params)
|
72
72
|
cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
|
73
|
-
signature_algorithm =
|
73
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(sig_alg)
|
74
74
|
return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
|
75
75
|
end
|
76
76
|
|
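Review bot: The digest class used to check the HTTP-Redirect signature is resolved from `sig_alg`, i.e. the inbound `SigAlg` query parameter, so the sender rather than the SP picks the verification algorithm and `settings.security[:signature_method]` is not consulted here. If `BaseDocument#algorithm` maps unrecognised URIs to a default (its body is not in this diff), a bogus SigAlg is silently verified with that default. I would whitelist before resolving: `ALLOWED_SIG_ALGS = [KlXMLSecurity::Document::RSA_SHA1, KlXMLSecurity::Document::RSA_SHA256, KlXMLSecurity::Document::RSA_SHA384, KlXMLSecurity::Document::RSA_SHA512].freeze` and `raise ArgumentError, "unsupported SigAlg: #{sig_alg}" unless ALLOWED_SIG_ALGS.include?(sig_alg)` ahead of the `signature_algorithm =` line; `Base64.strict_decode64(signature)` would also reject malformed signature values instead of decoding them leniently. `verify_signature` lies entirely within this hunk.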
data/test/logoutrequest_test.rb
CHANGED
@@ -103,8 +103,8 @@ class RequestTest < Minitest::Test
|
|
103
103
|
|
104
104
|
it "create a signed logout request with 256 digest and signature method" do
|
105
105
|
settings.compress_request = false
|
106
|
-
settings.security[:signature_method] =
|
107
|
-
settings.security[:digest_method] =
|
106
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
107
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA256
|
108
108
|
|
109
109
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings)
|
110
110
|
request_xml = Base64.decode64(params["SAMLRequest"])
|
@@ -116,8 +116,8 @@ class RequestTest < Minitest::Test
|
|
116
116
|
|
117
117
|
it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
|
118
118
|
settings.compress_request = false
|
119
|
-
settings.security[:signature_method] =
|
120
|
-
settings.security[:digest_method] =
|
119
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA384
|
120
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA512
|
121
121
|
|
122
122
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings)
|
123
123
|
request_xml = Base64.decode64(params["SAMLRequest"])
|
@@ -141,67 +141,67 @@ class RequestTest < Minitest::Test
|
|
141
141
|
end
|
142
142
|
|
143
143
|
it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
|
144
|
-
settings.security[:signature_method] =
|
144
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
145
145
|
|
146
146
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
147
147
|
assert params['SAMLRequest']
|
148
148
|
assert params[:RelayState]
|
149
149
|
assert params['Signature']
|
150
|
-
assert_equal params['SigAlg'],
|
150
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA1
|
151
151
|
|
152
152
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
153
153
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
154
154
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
155
155
|
|
156
|
-
signature_algorithm =
|
156
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
157
157
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
|
158
158
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
159
159
|
end
|
160
160
|
|
161
161
|
it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
|
162
|
-
settings.security[:signature_method] =
|
162
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
163
163
|
|
164
164
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
165
165
|
assert params['Signature']
|
166
|
-
assert_equal params['SigAlg'],
|
166
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA256
|
167
167
|
|
168
168
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
169
169
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
170
170
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
171
171
|
|
172
|
-
signature_algorithm =
|
172
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
173
173
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA256
|
174
174
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
175
175
|
end
|
176
176
|
|
177
177
|
it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
|
178
|
-
settings.security[:signature_method] =
|
178
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA384
|
179
179
|
|
180
180
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
181
181
|
assert params['Signature']
|
182
|
-
assert_equal params['SigAlg'],
|
182
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA384
|
183
183
|
|
184
184
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
185
185
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
186
186
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
187
187
|
|
188
|
-
signature_algorithm =
|
188
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
189
189
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA384
|
190
190
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
191
191
|
end
|
192
192
|
|
193
193
|
it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
|
194
|
-
settings.security[:signature_method] =
|
194
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA512
|
195
195
|
|
196
196
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
197
197
|
assert params['Signature']
|
198
|
-
assert_equal params['SigAlg'],
|
198
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA512
|
199
199
|
|
200
200
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
201
201
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
202
202
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
203
203
|
|
204
|
-
signature_algorithm =
|
204
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
205
205
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA512
|
206
206
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
207
207
|
end
|
data/test/logoutresponse_test.rb
CHANGED
@@ -215,7 +215,7 @@ class KlRubySamlTest < Minitest::Test
|
|
215
215
|
end
|
216
216
|
|
217
217
|
it "return true when valid RSA_SHA1 Signature" do
|
218
|
-
settings.security[:signature_method] =
|
218
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
219
219
|
params['RelayState'] = params[:RelayState]
|
220
220
|
options = {}
|
221
221
|
options[:get_params] = params
|
@@ -224,7 +224,7 @@ class KlRubySamlTest < Minitest::Test
|
|
224
224
|
end
|
225
225
|
|
226
226
|
it "return true when valid RSA_SHA256 Signature" do
|
227
|
-
settings.security[:signature_method] =
|
227
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
228
228
|
params['RelayState'] = params[:RelayState]
|
229
229
|
options = {}
|
230
230
|
options[:get_params] = params
|
@@ -233,7 +233,7 @@ class KlRubySamlTest < Minitest::Test
|
|
233
233
|
end
|
234
234
|
|
235
235
|
it "return false when invalid RSA_SHA1 Signature" do
|
236
|
-
settings.security[:signature_method] =
|
236
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
237
237
|
params['RelayState'] = 'http://invalid.example.com'
|
238
238
|
options = {}
|
239
239
|
options[:get_params] = params
|
@@ -242,7 +242,7 @@ class KlRubySamlTest < Minitest::Test
|
|
242
242
|
end
|
243
243
|
|
244
244
|
it "raise when invalid RSA_SHA1 Signature" do
|
245
|
-
settings.security[:signature_method] =
|
245
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
246
246
|
settings.soft = false
|
247
247
|
params['RelayState'] = 'http://invalid.example.com'
|
248
248
|
options = {}
|
data/test/metadata_test.rb
CHANGED
@@ -174,7 +174,7 @@ class MetadataTest < Minitest::Test
|
|
174
174
|
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>]m, xml_text
|
175
175
|
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
|
176
176
|
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
|
177
|
-
signed_metadata =
|
177
|
+
signed_metadata = KlXMLSecurity::SignedDocument.new(xml_text)
|
178
178
|
assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
|
179
179
|
|
180
180
|
assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
|
@@ -182,8 +182,8 @@ class MetadataTest < Minitest::Test
|
|
182
182
|
|
183
183
|
describe "when digest and signature methods are specified" do
|
184
184
|
before do
|
185
|
-
settings.security[:signature_method] =
|
186
|
-
settings.security[:digest_method] =
|
185
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
186
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA512
|
187
187
|
end
|
188
188
|
|
189
189
|
it "creates a signed metadata with specified digest and signature methods" do
|
@@ -191,7 +191,7 @@ class MetadataTest < Minitest::Test
|
|
191
191
|
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], xml_text
|
192
192
|
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha512'/>], xml_text
|
193
193
|
|
194
|
-
signed_metadata_2 =
|
194
|
+
signed_metadata_2 = KlXMLSecurity::SignedDocument.new(xml_text)
|
195
195
|
|
196
196
|
assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)
|
197
197
|
|
data/test/request_test.rb
CHANGED
@@ -191,8 +191,8 @@ class RequestTest < Minitest::Test
|
|
191
191
|
end
|
192
192
|
|
193
193
|
it "create a signed request with 256 digest and signature methods" do
|
194
|
-
settings.security[:signature_method] =
|
195
|
-
settings.security[:digest_method] =
|
194
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
195
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA512
|
196
196
|
|
197
197
|
params = OneLogin::KlRubySaml::Authrequest.new.create_params(settings)
|
198
198
|
|
@@ -217,36 +217,36 @@ class RequestTest < Minitest::Test
|
|
217
217
|
end
|
218
218
|
|
219
219
|
it "create a signature parameter with RSA_SHA1 and validate it" do
|
220
|
-
settings.security[:signature_method] =
|
220
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
221
221
|
|
222
222
|
params = OneLogin::KlRubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
223
223
|
assert params['SAMLRequest']
|
224
224
|
assert params[:RelayState]
|
225
225
|
assert params['Signature']
|
226
|
-
assert_equal params['SigAlg'],
|
226
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA1
|
227
227
|
|
228
228
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
229
229
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
230
230
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
231
231
|
|
232
|
-
signature_algorithm =
|
232
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
233
233
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
|
234
234
|
|
235
235
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
236
236
|
end
|
237
237
|
|
238
238
|
it "create a signature parameter with RSA_SHA256 and validate it" do
|
239
|
-
settings.security[:signature_method] =
|
239
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
240
240
|
|
241
241
|
params = OneLogin::KlRubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
242
242
|
assert params['Signature']
|
243
|
-
assert_equal params['SigAlg'],
|
243
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA256
|
244
244
|
|
245
245
|
query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
|
246
246
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
247
247
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
248
248
|
|
249
|
-
signature_algorithm =
|
249
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
250
250
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA256
|
251
251
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
252
252
|
end
|
data/test/response_test.rb
CHANGED
@@ -43,7 +43,7 @@ class KlRubySamlTest < Minitest::Test
|
|
43
43
|
end
|
44
44
|
|
45
45
|
it "be able to parse a document which contains ampersands" do
|
46
|
-
|
46
|
+
KlXMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
|
47
47
|
OneLogin::KlRubySaml::Response.any_instance.stubs(:validate_conditions).returns(true)
|
48
48
|
|
49
49
|
ampersands_response = OneLogin::KlRubySaml::Response.new(ampersands_document)
|
@@ -301,7 +301,7 @@ class KlRubySamlTest < Minitest::Test
|
|
301
301
|
no_signature_response.stubs(:validate_subject_confirmation).returns(true)
|
302
302
|
no_signature_response.settings = settings
|
303
303
|
no_signature_response.settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
304
|
-
|
304
|
+
KlXMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
|
305
305
|
assert no_signature_response.is_valid?
|
306
306
|
end
|
307
307
|
|
@@ -870,7 +870,7 @@ class KlRubySamlTest < Minitest::Test
|
|
870
870
|
it 'Sign an unsigned SAML Response XML and initiate the SAML object with it' do
|
871
871
|
xml = Base64.decode64(fixture("test_sign.xml"))
|
872
872
|
|
873
|
-
document =
|
873
|
+
document = KlXMLSecurity::Document.new(xml)
|
874
874
|
|
875
875
|
formated_cert = OneLogin::KlRubySaml::Utils.format_cert(ruby_saml_cert_text)
|
876
876
|
cert = OpenSSL::X509::Certificate.new(formated_cert)
|
data/test/settings_test.rb
CHANGED
@@ -67,14 +67,14 @@ class SettingsTest < Minitest::Test
|
|
67
67
|
settings = OneLogin::KlRubySaml::Settings.new
|
68
68
|
settings.security[:authn_requests_signed] = true
|
69
69
|
settings.security[:embed_sign] = true
|
70
|
-
settings.security[:digest_method] =
|
71
|
-
settings.security[:signature_method] =
|
70
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA256
|
71
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
72
72
|
|
73
73
|
new_settings = OneLogin::KlRubySaml::Settings.new
|
74
74
|
assert_equal new_settings.security[:authn_requests_signed], false
|
75
75
|
assert_equal new_settings.security[:embed_sign], false
|
76
|
-
assert_equal new_settings.security[:digest_method],
|
77
|
-
assert_equal new_settings.security[:signature_method],
|
76
|
+
assert_equal new_settings.security[:digest_method], KlXMLSecurity::Document::SHA1
|
77
|
+
assert_equal new_settings.security[:signature_method], KlXMLSecurity::Document::RSA_SHA1
|
78
78
|
end
|
79
79
|
|
80
80
|
describe "#single_logout_service_url" do
|
@@ -221,7 +221,7 @@ class KlRubySamlTest < Minitest::Test
|
|
221
221
|
end
|
222
222
|
|
223
223
|
it "return true when valid RSA_SHA1 Signature" do
|
224
|
-
settings.security[:signature_method] =
|
224
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
225
225
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
226
226
|
params['RelayState'] = params[:RelayState]
|
227
227
|
options = {}
|
@@ -232,7 +232,7 @@ class KlRubySamlTest < Minitest::Test
|
|
232
232
|
end
|
233
233
|
|
234
234
|
it "return true when valid RSA_SHA256 Signature" do
|
235
|
-
settings.security[:signature_method] =
|
235
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
236
236
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
237
237
|
options = {}
|
238
238
|
options[:get_params] = params
|
@@ -243,7 +243,7 @@ class KlRubySamlTest < Minitest::Test
|
|
243
243
|
end
|
244
244
|
|
245
245
|
it "return false when invalid RSA_SHA1 Signature" do
|
246
|
-
settings.security[:signature_method] =
|
246
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
247
247
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
248
248
|
params['RelayState'] = 'http://invalid.exampcle.com'
|
249
249
|
params[:RelayState] = params['RelayState']
|
@@ -256,7 +256,7 @@ class KlRubySamlTest < Minitest::Test
|
|
256
256
|
end
|
257
257
|
|
258
258
|
it "raise when invalid RSA_SHA1 Signature" do
|
259
|
-
settings.security[:signature_method] =
|
259
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
260
260
|
settings.soft = false
|
261
261
|
params = OneLogin::KlRubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
|
262
262
|
params['RelayState'] = 'http://invalid.exampcle.com'
|
@@ -70,8 +70,8 @@ class SloLogoutresponseTest < Minitest::Test
|
|
70
70
|
end
|
71
71
|
|
72
72
|
it "create a signed logout response with 256 digest and signature methods" do
|
73
|
-
settings.security[:signature_method] =
|
74
|
-
settings.security[:digest_method] =
|
73
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
74
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA256
|
75
75
|
|
76
76
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
|
77
77
|
|
@@ -82,8 +82,8 @@ class SloLogoutresponseTest < Minitest::Test
|
|
82
82
|
end
|
83
83
|
|
84
84
|
it "create a signed logout response with 512 digest and signature method RSA_SHA384" do
|
85
|
-
settings.security[:signature_method] =
|
86
|
-
settings.security[:digest_method] =
|
85
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA384
|
86
|
+
settings.security[:digest_method] = KlXMLSecurity::Document::SHA512
|
87
87
|
logout_request.settings = settings
|
88
88
|
|
89
89
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
|
@@ -106,76 +106,76 @@ class SloLogoutresponseTest < Minitest::Test
|
|
106
106
|
end
|
107
107
|
|
108
108
|
it "create a signature parameter with RSA_SHA1 and validate it" do
|
109
|
-
settings.security[:signature_method] =
|
109
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA1
|
110
110
|
|
111
111
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
|
112
112
|
assert params['SAMLResponse']
|
113
113
|
assert params[:RelayState]
|
114
114
|
assert params['Signature']
|
115
|
-
assert_equal params['SigAlg'],
|
115
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA1
|
116
116
|
|
117
117
|
query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
|
118
118
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
119
119
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
120
120
|
|
121
|
-
signature_algorithm =
|
121
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
122
122
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
|
123
123
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
124
124
|
end
|
125
125
|
|
126
126
|
it "create a signature parameter with RSA_SHA256 /SHA256 and validate it" do
|
127
|
-
settings.security[:signature_method] =
|
127
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA256
|
128
128
|
|
129
129
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
|
130
130
|
assert params['SAMLResponse']
|
131
131
|
assert params[:RelayState]
|
132
132
|
assert params['Signature']
|
133
133
|
|
134
|
-
assert_equal params['SigAlg'],
|
134
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA256
|
135
135
|
|
136
136
|
query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
|
137
137
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
138
138
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
139
139
|
|
140
|
-
signature_algorithm =
|
140
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
141
141
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA256
|
142
142
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
143
143
|
end
|
144
144
|
|
145
145
|
it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
|
146
|
-
settings.security[:signature_method] =
|
146
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA384
|
147
147
|
|
148
148
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
|
149
149
|
assert params['SAMLResponse']
|
150
150
|
assert params[:RelayState]
|
151
151
|
assert params['Signature']
|
152
152
|
|
153
|
-
assert_equal params['SigAlg'],
|
153
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA384
|
154
154
|
|
155
155
|
query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
|
156
156
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
157
157
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
158
158
|
|
159
|
-
signature_algorithm =
|
159
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
160
160
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA384
|
161
161
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
162
162
|
end
|
163
163
|
|
164
164
|
it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
|
165
|
-
settings.security[:signature_method] =
|
165
|
+
settings.security[:signature_method] = KlXMLSecurity::Document::RSA_SHA512
|
166
166
|
|
167
167
|
params = OneLogin::KlRubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
|
168
168
|
assert params['SAMLResponse']
|
169
169
|
assert params[:RelayState]
|
170
170
|
assert params['Signature']
|
171
171
|
|
172
|
-
assert_equal params['SigAlg'],
|
172
|
+
assert_equal params['SigAlg'], KlXMLSecurity::Document::RSA_SHA512
|
173
173
|
|
174
174
|
query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
|
175
175
|
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
|
176
176
|
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
|
177
177
|
|
178
|
-
signature_algorithm =
|
178
|
+
signature_algorithm = KlXMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
|
179
179
|
assert_equal signature_algorithm, OpenSSL::Digest::SHA512
|
180
180
|
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
|
181
181
|
end
|
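--- a/data/test/xml_security_test.rb
+++ b/data/test/xml_security_test.rb
@@ -1,14 +1,14 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require '
+require 'kl_xml_security'
 require 'timecop'
 
 class XmlSecurityTest < Minitest::Test
-include
+include KlXMLSecurity
 
 describe "XmlSecurity" do
 
 let(:decoded_response) { Base64.decode64(response_document_without_recipient) }
-let(:document) {
+let(:document) { KlXMLSecurity::SignedDocument.new(decoded_response) }
 let(:settings) { OneLogin::KlRubySaml::Settings.new() }
 
 before do
@@ -31,7 +31,7 @@ class XmlSecurityTest < Minitest::Test
 
 it "not raise an error when softly validating the document and the X509Certificate is missing" do
 decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
-mod_document =
+mod_document = KlXMLSecurity::SignedDocument.new(decoded_response)
 assert !mod_document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
 end
 
@@ -54,7 +54,7 @@ class XmlSecurityTest < Minitest::Test
 it "should raise Key validation error" do
 decoded_response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
 "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
-mod_document =
+mod_document = KlXMLSecurity::SignedDocument.new(decoded_response)
 base64cert = mod_document.elements["//ds:X509Certificate"].text
 exception = assert_raises(OneLogin::KlRubySaml::ValidationError) do
 mod_document.validate_signature(base64cert, false)
@@ -64,14 +64,14 @@ class XmlSecurityTest < Minitest::Test
 end
 
 it "correctly obtain the digest method with alternate namespace declaration" do
-adfs_document =
+adfs_document = KlXMLSecurity::SignedDocument.new(fixture(:adfs_response_xmlns, false))
 base64cert = adfs_document.elements["//X509Certificate"].text
 assert adfs_document.validate_signature(base64cert, false)
 end
 
 it "raise validation error when the X509Certificate is missing" do
 decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
-mod_document =
+mod_document = KlXMLSecurity::SignedDocument.new(decoded_response)
 exception = assert_raises(OneLogin::KlRubySaml::ValidationError) do
 mod_document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
 end
@@ -82,46 +82,46 @@ class XmlSecurityTest < Minitest::Test
 describe "#canon_algorithm" do
 it "C14N_EXCLUSIVE_1_0" do
 canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-assert_equal canon_algorithm,
-assert_equal canon_algorithm,
-assert_equal canon_algorithm,
+assert_equal canon_algorithm, KlXMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#")
+assert_equal canon_algorithm, KlXMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#WithComments")
+assert_equal canon_algorithm, KlXMLSecurity::BaseDocument.new.canon_algorithm("other")
 end
 
 it "C14N_1_0" do
 canon_algorithm = Nokogiri::XML::XML_C14N_1_0
-assert_equal canon_algorithm,
+assert_equal canon_algorithm, KlXMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
 end
 
 it "XML_C14N_1_1" do
 canon_algorithm = Nokogiri::XML::XML_C14N_1_1
-assert_equal canon_algorithm,
+assert_equal canon_algorithm, KlXMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11")
 end
 end
 
 describe "#algorithm" do
 it "SHA1" do
 alg = OpenSSL::Digest::SHA1
-assert_equal alg,
-assert_equal alg,
-assert_equal alg,
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#sha1")
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("other")
 end
 
 it "SHA256" do
 alg = OpenSSL::Digest::SHA256
-assert_equal alg,
-assert_equal alg,
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha256")
 end
 
 it "SHA384" do
 alg = OpenSSL::Digest::SHA384
-assert_equal alg,
-assert_equal alg,
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384")
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha384")
 end
 
 it "SHA512" do
 alg = OpenSSL::Digest::SHA512
-assert_equal alg,
-assert_equal alg,
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
+assert_equal alg, KlXMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha512")
 end
 end
 
@@ -133,53 +133,53 @@ class XmlSecurityTest < Minitest::Test
 sha1_fingerprint_downcase = "f13c6b80905a030e6c913e5d15faddb016454872"
 
 assert response_fingerprint_test.document.validate_document(sha1_fingerprint)
-assert response_fingerprint_test.document.validate_document(sha1_fingerprint, true, :fingerprint_alg =>
+assert response_fingerprint_test.document.validate_document(sha1_fingerprint, true, :fingerprint_alg => KlXMLSecurity::Document::SHA1)
 
 assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase)
-assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase, true, :fingerprint_alg =>
+assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase, true, :fingerprint_alg => KlXMLSecurity::Document::SHA1)
 end
 
 it "validate using SHA256" do
 sha256_fingerprint = "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21"
 
 assert !response_fingerprint_test.document.validate_document(sha256_fingerprint)
-assert response_fingerprint_test.document.validate_document(sha256_fingerprint, true, :fingerprint_alg =>
+assert response_fingerprint_test.document.validate_document(sha256_fingerprint, true, :fingerprint_alg => KlXMLSecurity::Document::SHA256)
 end
 
 it "validate using SHA384" do
 sha384_fingerprint = "98:FE:17:90:31:E7:68:18:8A:65:4D:DA:F5:76:E2:09:97:BE:8B:E3:7E:AA:8D:63:64:7C:0C:38:23:9A:AC:A2:EC:CE:48:A6:74:4D:E0:4C:50:80:40:B4:8D:55:14:14"
 
 assert !response_fingerprint_test.document.validate_document(sha384_fingerprint)
-assert response_fingerprint_test.document.validate_document(sha384_fingerprint, true, :fingerprint_alg =>
+assert response_fingerprint_test.document.validate_document(sha384_fingerprint, true, :fingerprint_alg => KlXMLSecurity::Document::SHA384)
 end
 
 it "validate using SHA512" do
 sha512_fingerprint = "5A:AE:BA:D0:BA:9D:1E:25:05:01:1E:1A:C9:E9:FF:DB:ED:FA:6E:F7:52:EB:45:49:BD:DB:06:D8:A3:7E:CC:63:3A:04:A2:DD:DF:EE:61:05:D9:58:95:2A:77:17:30:4B:EB:4A:9F:48:4A:44:1C:D0:9E:0B:1E:04:77:FD:A3:D2"
 
 assert !response_fingerprint_test.document.validate_document(sha512_fingerprint)
-assert response_fingerprint_test.document.validate_document(sha512_fingerprint, true, :fingerprint_alg =>
+assert response_fingerprint_test.document.validate_document(sha512_fingerprint, true, :fingerprint_alg => KlXMLSecurity::Document::SHA512)
 end
 
 end
 
 describe "Signature Algorithms" do
 it "validate using SHA1" do
-document =
+document = KlXMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
 assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
 end
 
 it "validate using SHA256" do
-document =
+document = KlXMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
 assert document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
 end
 
 it "validate using SHA384" do
-document =
+document = KlXMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
 assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
 end
 
 it "validate using SHA512" do
-document =
+document = KlXMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
 assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
 end
 end
@@ -189,7 +189,7 @@ class XmlSecurityTest < Minitest::Test
 describe "#extract_inclusive_namespaces" do
 it "support explicit namespace resolution for exclusive canonicalization" do
 response = fixture(:open_saml_response, false)
-document =
+document = KlXMLSecurity::SignedDocument.new(response)
 inclusive_namespaces = document.send(:extract_inclusive_namespaces)
 
 assert_equal %w[ xs ], inclusive_namespaces
@@ -197,7 +197,7 @@ class XmlSecurityTest < Minitest::Test
 
 it "support implicit namespace resolution for exclusive canonicalization" do
 response = fixture(:no_signature_ns, false)
-document =
+document = KlXMLSecurity::SignedDocument.new(response)
 inclusive_namespaces = document.send(:extract_inclusive_namespaces)
 
 assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
@@ -219,14 +219,14 @@ class XmlSecurityTest < Minitest::Test
 response = fixture(:no_signature_ns, false)
 response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
 
-document =
+document = KlXMLSecurity::SignedDocument.new(response)
 inclusive_namespaces = document.send(:extract_inclusive_namespaces)
 
 assert inclusive_namespaces.empty?
 end
 end
 
-describe "
+describe "KlXMLSecurity::DSIG" do
 before do
 settings.idp_sso_target_url = "https://idp.example.com/sso"
 settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
@@ -241,13 +241,13 @@ class XmlSecurityTest < Minitest::Test
 request = OneLogin::KlRubySaml::Authrequest.new.create_authentication_xml_doc(settings)
 request.sign_document(ruby_saml_key, ruby_saml_cert)
 # verify our signature
-signed_doc =
+signed_doc = KlXMLSecurity::SignedDocument.new(request.to_s)
 assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
 
 request2 = OneLogin::KlRubySaml::Authrequest.new.create_authentication_xml_doc(settings)
 request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
 # verify our signature
-signed_doc2 =
+signed_doc2 = KlXMLSecurity::SignedDocument.new(request2.to_s)
 assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
 end
 
@@ -256,7 +256,7 @@ class XmlSecurityTest < Minitest::Test
 request.sign_document(ruby_saml_key, ruby_saml_cert_text)
 
 # verify our signature
-signed_doc =
+signed_doc = KlXMLSecurity::SignedDocument.new(request.to_s)
 assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
 end
 
@@ -264,13 +264,13 @@ class XmlSecurityTest < Minitest::Test
 logout_request = OneLogin::KlRubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
 logout_request.sign_document(ruby_saml_key, ruby_saml_cert)
 # verify our signature
-signed_doc =
+signed_doc = KlXMLSecurity::SignedDocument.new(logout_request.to_s)
 assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
 
 logout_request2 = OneLogin::KlRubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
 logout_request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
 # verify our signature
-signed_doc2 =
+signed_doc2 = KlXMLSecurity::SignedDocument.new(logout_request2.to_s)
 signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
 assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
 end
@@ -279,13 +279,13 @@ class XmlSecurityTest < Minitest::Test
 logout_response = OneLogin::KlRubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
 logout_response.sign_document(ruby_saml_key, ruby_saml_cert)
 # verify our signature
-signed_doc =
+signed_doc = KlXMLSecurity::SignedDocument.new(logout_response.to_s)
 assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
 
 logout_response2 = OneLogin::KlRubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
 logout_response2.sign_document(ruby_saml_key, ruby_saml_cert_text)
 # verify our signature
-signed_doc2 =
+signed_doc2 = KlXMLSecurity::SignedDocument.new(logout_response2.to_s)
 signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
 assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
 end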
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: kl-ruby-saml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- OneLogin LLC
|
@@ -170,6 +170,7 @@ files:
|
|
170
170
|
- gemfiles/nokogiri-1.5.gemfile
|
171
171
|
- kl-ruby-saml.gemspec
|
172
172
|
- lib/kl-ruby-saml.rb
|
173
|
+
- lib/kl_xml_security.rb
|
173
174
|
- lib/onelogin/kl-ruby-saml.rb
|
174
175
|
- lib/onelogin/kl-ruby-saml/attribute_service.rb
|
175
176
|
- lib/onelogin/kl-ruby-saml/attributes.rb
|
@@ -200,7 +201,6 @@ files:
|
|
200
201
|
- lib/schemas/xenc-schema.xsd
|
201
202
|
- lib/schemas/xml.xsd
|
202
203
|
- lib/schemas/xmldsig-core-schema.xsd
|
203
|
-
- lib/xml_security.rb
|
204
204
|
- test/certificates/certificate1
|
205
205
|
- test/certificates/certificate_without_head_foot
|
206
206
|
- test/certificates/formatted_certificate
|