omniauth-saml-rstr 0.1.0

data/README.md

@@ -0,0 +1,109 @@
+# OmniAuth SAML-RSTR
+
+An XML & SAML strategy for OmniAuth integration with ADFS 2.0.
+
+https://github.com/highgroove/omniauth-saml-rstr
+
+## Requirements
+
+* [OmniAuth](http://www.omniauth.org/) 1.0+
+* nokogiri 1.5
+* Ruby 1.9.2
+
+## Usage
+
+Use the SAML strategy as a middleware in your application:
+
+```ruby
+require 'omniauth'
+use OmniAuth::Strategies::SAML_RSTR,
+  :assertion_consumer_service_url => "consumer_service_url",
+  :issuer                         => "issuer",
+  :idp_sso_target_url             => "idp_sso_target_url",
+  :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+  :idp_cert_fingerprint           => "E7:91:B2:E1:...",
+  :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+```
+
+or in your Rails application:
+
+in `Gemfile`:
+
+```ruby
+gem 'omniauth-saml-rstr'
+```
+
+and in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :saml_rstr,
+    :assertion_consumer_service_url => "consumer_service_url",
+    :issuer                         => "rails-application",
+    :idp_sso_target_url             => "idp_sso_target_url",
+    :idp_cert                       => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+    :idp_cert_fingerprint           => "E7:91:B2:E1:...",
+    :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+end
+```
+
+## Options
+
+* `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
+  received. With OmniAuth this is typically `http://example.com/auth/callback`.
+  **Required**.
+
+* `:issuer` - The name of your application. Some identity providers might need this
+  to establish the identity of the service provider requesting the login. **Required**.
+
+* `:idp_sso_target_url` - The URL to which the authentication request should be sent.
+  This would be on the identity provider. **Required**.
+
+* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
+  over the fingerprint option below. This option or `:idp_cert_fingerprint` must
+  be present.
+
+* `:idp_cert_fingerprint` - The SHA256 fingerprint of the certificate, e.g.
+  "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
+  the relationship. This option or `:idp_cert` must be present.
+
+* `:name_identifier_format` - Describes the format of the username required by this
+  application. If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
+  See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
+  other options. Note that the identity provider might not support all options.
+  Optional.
+
+## Authors
+
+Authored by Josh Skeen [www.joshskeen.com]. 
+Based on the work of Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, and Steven Anderson.
+
+<!-- Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/). -->
+
+## License
+
+Copyright (c) 2012 Apangea [http://www.apangea.com/]
+Developed at Highgroove Studios [http://www.highgroove.com]
+
+Copyright (c) 2011-2012 [Practically Green, Inc.](http://www.practicallygreen.com/).  
+All rights reserved. Released under the MIT license.
+
+Portions Copyright (c) 2007 Sun Microsystems Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/lib/omniauth-saml-rstr.rb

@@ -0,0 +1 @@
+require 'omniauth/strategies/saml-rstr'

data/lib/omniauth-saml-rstr/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module SAML_RSTR
+    VERSION = "0.1.0"
+  end
+end

data/lib/omniauth/strategies/saml-rstr.rb

@@ -0,0 +1,52 @@
+require 'omniauth'
+
+module OmniAuth
+  module Strategies
+    class SAML_RSTR
+      include OmniAuth::Strategy
+
+      autoload :AuthRequest,      'omniauth/strategies/saml-rstr/auth_request'
+      autoload :AuthResponse,     'omniauth/strategies/saml-rstr/auth_response'
+      autoload :ValidationError,  'omniauth/strategies/saml-rstr/validation_error'
+      autoload :XMLSecurity,      'omniauth/strategies/saml-rstr/xml_security'
+
+      option :name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+      def request_phase
+        request = OmniAuth::Strategies::SAML_RSTR::AuthRequest.new
+        req = request.create(options)
+        redirect(req)
+      end
+
+      def callback_phase
+
+        begin
+          response = OmniAuth::Strategies::SAML_RSTR::AuthResponse.new(request.params['wresult'])
+          response.settings = options
+          
+          @name_id  = response.name_id
+          @attributes = response.attributes
+
+          return fail!(:invalid_ticket, OmniAuth::Error.new('Invalid SAML_RSTR Ticket')) if @name_id.nil? || @name_id.empty? || !response.valid?
+          super
+        rescue ArgumentError => e   
+          fail!(:invalid_ticket, OmniAuth::Error.new('Invalid SAML_RSTR Response'))
+        end
+      end
+
+      uid { @name_id }
+
+      info do
+        {
+          :name  => @name_id
+        }
+      end
+
+      extra { { :raw_info => @attributes } }
+
+    end
+  end
+end
+
+# OmniAuth.config.add_camelization 'saml', 'SAML'
+OmniAuth.config.add_camelization 'saml_rstr', 'SAML_RSTR'

data/lib/omniauth/strategies/saml-rstr/auth_request.rb

@@ -0,0 +1,38 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+
+module OmniAuth
+  module Strategies
+    class SAML_RSTR
+      class AuthRequest
+
+        def create(settings, params = {})
+          uuid = "_" + UUID.new.generate
+          time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+          request =
+            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{uuid}\" Version=\"2.0\" IssueInstant=\"#{time}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings[:assertion_consumer_service_url]}\">" +
+            "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings[:issuer]}</saml:Issuer>\n" +
+            "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings[:name_identifier_format]}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+            "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+            "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+            "</samlp:AuthnRequest>"
+
+          deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+          base64_request    = Base64.encode64(deflated_request)
+          encoded_request   = CGI.escape(base64_request)
+          request_params    = "?SAMLRequest=" + encoded_request
+
+          params.each_pair do |key, value|
+            request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+          end
+
+          settings[:idp_sso_target_url] + request_params
+        end
+
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml-rstr/auth_response.rb

@@ -0,0 +1,128 @@
+require "time"
+
+module OmniAuth
+  module Strategies
+    class SAML_RSTR
+      class AuthResponse
+
+        ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+        PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+        DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+        attr_accessor :options, :response, :security_token_content, :settings
+
+        def initialize(response, options = {})
+          raise ArgumentError.new("Response cannot be nil") if response.nil?
+          self.options  = options
+          self.response = response
+          self.security_token_content = OmniAuth::Strategies::SAML_RSTR::XMLSecurity::SecurityTokenResponseContent.new(response)
+        end
+
+        def valid?
+          validate(soft = true)
+        end
+
+        def validate!
+          validate(soft = false)
+        end
+
+        # The value of the user identifier as designated by the initialization request response
+        def name_id
+          @security_token_content.name_identifier
+        end
+
+        # A hash of all the attributes with the response. Assuming there is only one value for each key
+        def attributes
+          { :userEmailID => @security_token_content.name_identifier}
+        end
+
+        # When this user session should expire at latest
+        def session_expires_at
+           @expires_at ||= begin
+             parse_time(security_token_content.conditions_not_on_or_after)
+           end
+        end
+
+        # Conditions (if any) for the assertion to run
+        def conditions
+          @conditions ||= begin
+             {
+              :before =>  security_token_content.conditions_before,
+              :not_on_or_after => security_token_content.conditions_not_on_or_after
+             }
+          end
+        end
+
+        private
+
+        def validation_error(message)
+          raise OmniAuth::Strategies::SAML_RSTR::ValidationError.new(message)
+        end
+
+        def validate(soft = true)
+           status = validate_response_state(soft) && security_token_content.validate(get_fingerprint, soft)
+           return status
+        end
+
+        def validate_response_state(soft = true)
+          if response.empty?
+            return soft ? false : validation_error("Blank response")
+          end
+
+          if settings.nil?
+            return soft ? false : validation_error("No settings on response")
+          end
+
+          if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+            return soft ? false : validation_error("No fingerprint or certificate on settings")
+          end
+          true
+        end
+
+        def get_fingerprint
+          if settings.idp_cert
+            cert = OpenSSL::X509::Certificate.new(settings.idp_cert.gsub(/^ +/, ''))
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          else
+            settings.idp_cert_fingerprint
+          end
+        end
+
+        def validate_conditions(soft = true)
+          return true if conditions.nil?
+          return true if options[:skip_conditions]
+
+          if not_before = parse_time(security_token_content.conditions_before)
+            if Time.now.utc < not_before
+              return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+            end
+          end
+
+          if not_on_or_after = parse_time(security_token_content.conditions_not_on_or_after)
+            if Time.now.utc >= not_on_or_after
+              return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+            end
+          end
+
+          true
+        end
+        
+        private
+
+        def parse_time(attribute)
+            Time.parse(attribute)
+        end
+
+        def strip(string)
+          return string unless string
+          string.gsub(/^\s+/, '').gsub(/\s+$/, '')
+        end
+
+        def signed_element_id
+          doc_id = security_token_content.signed_element_id
+          doc_id[1, doc_id.size]
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml-rstr/validation_error.rb

@@ -0,0 +1,8 @@
+module OmniAuth
+  module Strategies
+    class SAML_RSTR
+      class ValidationError < Exception
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml-rstr/xml_security.rb

@@ -0,0 +1,119 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights responseerved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+require "nokogiri"
+
+module OmniAuth
+  module Strategies
+    class SAML_RSTR
+
+      module XMLSecurity
+
+        class SecurityTokenResponseContent
+
+          #plugging these namespaces in was required in order to get nokogiri to use them. eg @xml.at_xpath("//ds:SignatureValue", {"ds" => DSIG}).text. Any way to avoid this?
+          DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+          SAML      = "urn:oasis:names:tc:SAML:1.0:assertion"
+          WSP       = "http://schemas.xmlsoap.org/ws/2004/09/policy"
+          WSA       = "http://www.w3.org/2005/08/addressing"
+          WSU       = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+          TRUST     = "http://schemas.xmlsoap.org/ws/2005/02/trust"
+
+          attr_accessor :name_identifier, :xml, :xml_unnamespaced, :name_identifier_test, :x509_cert, :conditions_not_on_or_after, :conditions_before, :info_element
+
+          def initialize(response)
+            self.xml_unnamespaced = Nokogiri::XML::Document.parse(response).remove_namespaces!()
+            self.xml = Nokogiri::XML::Document.parse(response)
+          end
+
+          def signature
+            @xml.at_xpath("//ds:SignatureValue", {"ds" => DSIG}).text
+          end
+
+          def info_element
+            @xml.at_xpath("//ds:SignedInfo", {"ds" => DSIG})
+          end
+
+          def name_identifier
+            @xml_unnamespaced.css("NameIdentifier").text
+          end
+
+          def conditions_before
+            if !conditions.nil?
+              conditions.attribute("NotBefore").value
+            end
+          end
+
+          def conditions_not_on_or_after
+            if !conditions.nil?
+              conditions.attribute("NotOnOrAfter").value
+            end
+          end
+
+          def x509_cert
+            @xml_unnamespaced.css("X509Certificate").text
+          end
+
+          #validate the response fingerprint matches the plugin fingerprint
+          #validate the certificate signature matches the signature generated from signing the certificate's SignedInfo node
+          def validate(idp_cert_fingerprint, soft = true)
+
+            cert_text   = Base64.decode64(x509_cert)
+
+            certificate = OpenSSL::X509::Certificate.new(cert_text)
+            fingerprint = Digest::SHA1.hexdigest(certificate.to_der)
+
+            if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+              raise OmniAuth::Strategies::SAML_RSTR::ValidationError.new("Fingerprint validation error")
+            end
+
+            canon_string =  info_element.canonicalize(Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0)
+            sig  = Base64.decode64(signature)
+
+            if !certificate.public_key.verify(OpenSSL::Digest::SHA256.new, sig, canon_string)
+              return soft ? false : (raise OmniAuth::Strategies::SAML_RSTR::ValidationError.new("Key validation error"))
+            end
+
+            return true
+          end
+
+          private
+
+          def conditions
+            @xml.at_xpath("//saml:Conditions", {"saml" => SAML})
+          end
+
+        end
+
+      end
+
+    end
+  end
+end

data/spec/omniauth/strategies/saml-rstr/auth_request_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::SAML_RSTR::AuthRequest do
+  describe :create do
+    let(:url) do
+      described_class.new.create(
+        {
+          :idp_sso_target_url => 'example.com',
+          :assertion_consumer_service_url => 'http://example.com/auth/saml-rstr/callback',
+          :issuer => 'This is an issuer',
+          :name_identifier_format => 'Some Policy'
+        },
+        {
+          :some_param => 'foo',
+          :some_other => 'bar'
+        }
+      )
+    end
+    let(:saml_request) { url.match(/SAMLRequest=(.*)/)[1] }
+
+    describe "the url" do
+      subject { url }
+
+      it "should contain a SAMLRequest query string param" do
+        subject.should match /^example\.com\?SAMLRequest=/
+      end
+
+      it "should contain any other parameters passed through" do
+        subject.should match /^example\.com\?SAMLRequest=(.*)&some_param=foo&some_other=bar/
+      end
+    end
+
+    describe "the saml request" do
+      subject { saml_request }
+
+      let(:decoded) do
+        cgi_unescaped = CGI.unescape(subject)
+        base64_decoded = Base64.decode64(cgi_unescaped)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(base64_decoded)
+      end
+
+      let(:xml) { REXML::Document.new(decoded) }
+      let(:root_element) { REXML::XPath.first(xml, '//samlp:AuthnRequest') }
+
+      it "should contain base64 encoded and zlib deflated xml" do
+        decoded.should match /^<samlp:AuthnRequest/
+      end
+
+      it "should contain a uuid with an underscore in front" do
+        UUID.any_instance.stub(:generate).and_return('MY_UUID')
+
+        root_element.attributes['ID'].should == '_MY_UUID'
+      end
+
+      it "should contain the current time as the IssueInstant" do
+        t = Time.now
+        Time.stub(:now).and_return(t)
+
+        root_element.attributes['IssueInstant'].should == t.utc.iso8601
+      end
+
+      it "should contain the callback url in the settings" do
+        root_element.attributes['AssertionConsumerServiceURL'].should == 'http://example.com/auth/saml-rstr/callback'
+      end
+
+      it "should contain the issuer" do
+        REXML::XPath.first(xml, '//saml:Issuer').text.should == 'This is an issuer'
+      end
+
+      it "should contain the name identifier format" do
+        REXML::XPath.first(xml, '//samlp:NameIDPolicy').attributes['Format'].should == 'Some Policy'
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/saml-rstr/auth_response_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::SAML_RSTR::AuthResponse do
+  let(:xml) { :rstr_response }
+  subject { described_class.new(load_xml(xml)) }
+
+  describe :initialize do
+    context "when the response is nil" do
+      it "should raise an exception" do
+        expect { described_class.new(nil) }.to raise_error ArgumentError
+      end
+    end
+  end
+# 2012-07-25T21:16:34.271Z
+ describe :session_expires_at do
+    it "should return the SessionNotOnOrAfter as a Ruby date" do
+      subject.session_expires_at.to_i.should == Time.new(2012, 07, 25, 21, 16, 34, 0).to_i
+    end
+  end
+
+  describe :name_id do
+    it "should load the name id from the assertion" do
+      subject.name_id.should == 'highgroove@thinkthroughmath.com'
+    end
+  end
+
+  describe :valid? do
+    it_should_behave_like 'a validating method', true
+  end
+
+  describe :validate! do
+    it_should_behave_like 'a validating method', false
+  end
+  
+end

data/spec/omniauth/strategies/saml-rstr/validation_error_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::SAML_RSTR::ValidationError do
+  it { should be_a Exception }
+end

data/spec/omniauth/strategies/saml_rstr_spec.rb

@@ -0,0 +1,122 @@
+require 'spec_helper'
+
+RSpec::Matchers.define :fail_with do |message|
+  match do |actual|
+    actual.redirect? && actual.location.include?("/auth/failure?message")
+  end
+end
+
+def post_xml(xml=:rstr_response)
+  post "/auth/saml_rstr/callback", {'wresult' => load_xml(xml)}
+end
+
+describe OmniAuth::Strategies::SAML_RSTR, :type => :strategy do
+  include OmniAuth::Test::StrategyTestCase
+  let(:invalid_ticket){ OmniAuth::Error.new }
+  let(:auth_hash){ last_request.env['omniauth.auth'] }
+  let(:saml_options) do
+    {
+      :assertion_consumer_service_url => "http://localhost:3000/auth/saml_rstr/callback",
+      :issuer                         => "https://saml.issuer.url/issuers/29490",
+      :idp_sso_target_url             => "https://idp.sso.target_url/signon/29490",
+      :idp_cert_fingerprint           => "76:C5:6A:64:E0:D8:81:44:11:24:F2:9C:1B:41:56:27:6E:3B:FB:8C",
+      :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::SAML_RSTR, saml_options] }
+
+  describe 'GET /auth/saml_rstr' do
+    before do
+      get '/auth/saml_rstr'
+    end
+
+    it 'should get authentication page' do
+      last_response.should be_redirect
+    end
+  end
+
+  describe 'POST /auth/saml_rstr/callback' do
+    subject { last_response }
+    let(:xml) { :rstr_response }
+    before :each do
+      Time.stub(:now).and_return(Time.new(2012, 3, 8, 16, 25, 00, 0))
+    end
+    
+    context "when the response is valid" do
+      puts "when the response is valid"
+      before :each do
+        post_xml
+      end
+
+      it "should set the uid to the nameID in the SAML response" do
+        auth_hash['uid'].should == 'highgroove@thinkthroughmath.com'
+      end
+
+      it "should set the raw info to all attributes" do
+        auth_hash['extra']['raw_info'].to_hash.should == {
+          'userEmailID' => 'highgroove@thinkthroughmath.com'
+        }
+      end
+    end
+
+    context "when there is no wresult parameter" do
+      before :each do
+        post '/auth/saml_rstr/callback'
+      end
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when there is no name id in the XML" do
+      before :each do
+        post_xml :rstr_no_name
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the fingerprint is invalid" do
+      before :each do
+        saml_options[:idp_cert_fingerprint] = "E6:87:89:FB:F2:5F:CD:B0:31:32:7E:05:44:84:53:B1:EC:4E:3F:gg"
+        post_xml
+      end
+      it { should fail_with(:invalid_ticket) }
+      # it {should raise_error(OmniAuth::Strategies::SAML_RSTR::ValidationError, "Fingerprint validation error")}
+    end
+
+    context "when the digest is invalid" do
+      before :each do
+        post_xml :digest_mismatch
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the signature is invalid" do
+      before :each do
+        post_xml :rstr_invalid_signature
+        puts "invalid signature"
+      end
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the time is before the NotBefore date" do
+      before :each do
+        Time.stub(:now).and_return(Time.new(2000, 3, 8, 16, 25, 00, 0))
+        post_xml
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the time is after the NotOnOrAfter date" do
+      before :each do
+        Time.stub(:now).and_return(Time.new(3000, 3, 8, 16, 25, 00, 0))
+        post_xml
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+
+  end
+end

data/spec/shared/validating_method.rb

@@ -0,0 +1,128 @@
+def assert_is_valid(soft)
+  if soft
+    it { should be_valid }
+  else
+    it "should be valid" do
+      expect { subject.validate! }.not_to raise_error
+    end
+  end
+end
+
+def assert_is_not_valid(soft)
+  if soft
+    it { should_not be_valid }
+  else
+    it "should be invalid" do
+      expect { subject.validate! }.to raise_error
+    end
+  end
+end
+
+def stub_validate_to_fail(soft)
+  if soft
+    subject.security_token_content.stub(:validate).and_return(false)
+  else
+    subject.security_token_content.stub(:validate).and_raise(Exception)
+  end
+end
+
+shared_examples_for 'a validating method' do |soft|
+  before :each do
+    subject.settings = mock(Object, :idp_cert_fingerprint => 'FINGERPRINT', :idp_cert => nil)
+    subject.security_token_content.stub(:validate).and_return(true)
+  end
+
+  context "when the response is empty" do
+    subject { described_class.new('') }
+
+    assert_is_not_valid(soft)
+  end
+
+  context "when the settings are nil" do
+    before :each do
+      subject.settings = nil
+    end
+
+    assert_is_not_valid(soft)
+  end
+
+  context "when there is no idp_cert_fingerprint and idp_cert" do
+    before :each do
+      subject.settings = mock(Object, :idp_cert_fingerprint => nil, :idp_cert => nil)
+    end
+
+    assert_is_not_valid(soft)
+  end
+
+  context "when conditions are not given" do
+    let(:xml) { :rstr_response_no_conditions }
+    assert_is_valid(soft)
+  end
+
+  context "when the current time is before the NotBefore time" do
+    before :each do
+      Time.stub(:now).and_return(Time.new(2000, 01, 01, 10, 00, 00, 0))
+    end
+
+    assert_is_not_valid(soft)
+  end
+
+  context "when the current time is after the NotOnOrAfter time" do
+    before :each do
+      # We're assuming here that this code will be out of use in 1000 years...
+      Time.stub(:now).and_return(Time.new(3012, 01, 01, 10, 00, 00, 0))
+    end
+
+    assert_is_not_valid(soft)
+  end
+
+  context "when the current time is between the NotBefore and NotOnOrAfter times" do
+    before :each do
+      Time.stub(:now).and_return(Time.new(2012, 3, 8, 16, 25, 00, 0))
+    end
+
+    assert_is_valid(soft)
+  end
+
+  context "when skip_conditions option is given" do
+    before :each do
+      subject.options[:skip_conditions] = true
+    end
+
+    assert_is_valid(soft)
+  end
+
+  context "when the SAML document is valid" do
+    before :each do
+      subject.document.should_receive(:validate).with('FINGERPRINT', soft).and_return(true)
+      subject.options[:skip_conditions] = true
+    end
+
+    assert_is_valid(soft)
+  end
+
+  context "when the SAML document is valid and the idp_cert is given" do
+    let(:cert) do
+      filename = File.expand_path(File.join('..', '..', 'support', "example_cert.pem"), __FILE__)
+      IO.read(filename)
+    end
+    let(:expected) { 'E6:87:89:FB:F2:5F:CD:B0:31:32:7E:05:44:84:53:B1:EC:4E:3F:FA' }
+
+    before :each do
+      subject.settings.stub(:idp_cert).and_return(cert)
+      subject.document.should_receive(:validate).with(expected, soft).and_return(true)
+      subject.options[:skip_conditions] = true
+    end
+
+    assert_is_valid(soft)
+  end
+
+  context "when the SAML document is invalid" do
+    before :each do
+      stub_validate_to_fail(soft)
+      subject.options[:skip_conditions] = true
+    end
+
+    assert_is_not_valid(soft)
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+require 'simplecov'
+SimpleCov.start
+require 'omniauth-saml-rstr'
+require 'rack/test'
+require 'rexml/document'
+require 'rexml/xpath'
+require 'base64'
+require File.expand_path('../shared/validating_method.rb', __FILE__)
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+end
+
+def load_xml(filename=:rstr_response)
+  filename = File.expand_path(File.join('..', 'support', "#{filename.to_s}.xml"), __FILE__)
+  result = IO.read(filename)
+end

metadata

@@ -0,0 +1,208 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-saml-rstr
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Josh Skeen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: xmlcanonicalizer
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: uuid
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.5
+description: A RequestSecurityTokenResponse for ADFS strategy based on https://github.com/PracticallyGreen/omniauth-saml.
+email: josh@highgroove.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/omniauth/strategies/saml-rstr/auth_request.rb
+- lib/omniauth/strategies/saml-rstr/auth_response.rb
+- lib/omniauth/strategies/saml-rstr/validation_error.rb
+- lib/omniauth/strategies/saml-rstr/xml_security.rb
+- lib/omniauth/strategies/saml-rstr.rb
+- lib/omniauth-saml-rstr/version.rb
+- lib/omniauth-saml-rstr.rb
+- spec/omniauth/strategies/saml-rstr/auth_request_spec.rb
+- spec/omniauth/strategies/saml-rstr/auth_response_spec.rb
+- spec/omniauth/strategies/saml-rstr/validation_error_spec.rb
+- spec/omniauth/strategies/saml_rstr_spec.rb
+- spec/shared/validating_method.rb
+- spec/spec_helper.rb
+homepage: https://github.com/mutexkid/omniauth-saml-rstr
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: A RequestSecurityTokenResponse for ADFS strategy based on https://github.com/PracticallyGreen/omniauth-saml.
+test_files:
+- spec/omniauth/strategies/saml-rstr/auth_request_spec.rb
+- spec/omniauth/strategies/saml-rstr/auth_response_spec.rb
+- spec/omniauth/strategies/saml-rstr/validation_error_spec.rb
+- spec/omniauth/strategies/saml_rstr_spec.rb
+- spec/shared/validating_method.rb
+- spec/spec_helper.rb