omniauth-saml 0.9.2 → 1.0.0

data/CHANGELOG.md

@@ -0,0 +1,30 @@
+# OmniAuth SAML Version History
+
+A generic SAML strategy for OmniAuth.
+
+https://github.com/PracticallyGreen/omniauth-saml
+
+## 1.0.0 (2012-11-12)
+
+* remove SAML code and port to ruby-saml gem
+* fix incompatibility with OmniAuth 1.1
+
+## 0.9.2 (2012-03-30)
+
+* validate the SAML response
+* 100% test coverage
+* now requires ruby 1.9.2+
+
+## 0.9.1 (2012-02-23)
+
+* return first and last name in the info hash
+* no longer use LDAP OIDs for name and email selection
+* return SAML attributes as the omniauth raw_info hash
+
+## 0.9.0 (2012-02-14)
+
+* initial release
+* extracts commits from omniauth 0-3-stable branch
+* port to omniauth 1.0 strategy format
+* update README with more documentation and license
+* package as the `omniauth-saml` gem

data/README.md

@@ -6,7 +6,7 @@ https://github.com/PracticallyGreen/omniauth-saml
 
 ## Requirements
 
-* [OmniAuth](http://www.omniauth.org/) 1.0+
+* [OmniAuth](http://www.omniauth.org/) 1.1+
 * Ruby 1.9.2
 
 ## Usage
@@ -46,6 +46,8 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set the `href` of your application's login link to the value of `idp_sso_target_url`. For SP-initiated SSO, link to `/auth/saml`.
+
 ## Options
 
 * `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
@@ -70,7 +72,9 @@ end
   application. If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".
   See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
   other options. Note that the identity provider might not support all options.
-  Optional.
+  Used during SP-initiated SSO. Optional.
+
+* See the `Onelogin::Saml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 
 ## Authors
 
@@ -80,7 +84,7 @@ Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/).
 
 ## License
 
-Copyright (c) 2011-2012 [Practically Green, Inc.](http://www.practicallygreen.com/).  
+Copyright (c) 2011-2012 [Practically Green, Inc.](http://www.practicallygreen.com/).
 All rights reserved. Released under the MIT license.
 
 Portions Copyright (c) 2007 Sun Microsystems Inc.

data/lib/omniauth-saml.rb

@@ -1 +1,2 @@
 require 'omniauth/strategies/saml'
+require 'omniauth/strategies/saml/validation_error'

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = "0.9.2"
+    VERSION = "1.0.0"
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -1,34 +1,42 @@
 require 'omniauth'
+require 'ruby-saml'
 
 module OmniAuth
   module Strategies
     class SAML
       include OmniAuth::Strategy
-      autoload :AuthRequest,      'omniauth/strategies/saml/auth_request'
-      autoload :AuthResponse,     'omniauth/strategies/saml/auth_response'
-      autoload :ValidationError,  'omniauth/strategies/saml/validation_error'
-      autoload :XMLSecurity,      'omniauth/strategies/saml/xml_security'
 
       option :name_identifier_format, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
       def request_phase
-        request = OmniAuth::Strategies::SAML::AuthRequest.new
-        redirect(request.create(options))
+        request = Onelogin::Saml::Authrequest.new
+        settings = Onelogin::Saml::Settings.new(options)
+
+        redirect(request.create(settings))
       end
 
       def callback_phase
-        begin
-          response = OmniAuth::Strategies::SAML::AuthResponse.new(request.params['SAMLResponse'])
-          response.settings = options
+        unless request.params['SAMLResponse']
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
+        end
+
+        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
+        response.settings = Onelogin::Saml::Settings.new(options)
 
-          @name_id  = response.name_id
-          @attributes = response.attributes
+        @name_id = response.name_id
+        @attributes = response.attributes
 
-          return fail!(:invalid_ticket, 'Invalid SAML Ticket') if @name_id.nil? || @name_id.empty? || !response.valid?
-          super
-        rescue ArgumentError => e
-          fail!(:invalid_ticket, 'Invalid SAML Response')
+        if @name_id.nil? || @name_id.empty?
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
         end
+
+        response.validate!
+
+        super
+      rescue OmniAuth::Strategies::SAML::ValidationError
+        fail!(:invalid_ticket, $!)
+      rescue Onelogin::Saml::ValidationError
+        fail!(:invalid_ticket, $!)
       end
 
       uid { @name_id }
@@ -43,7 +51,6 @@ module OmniAuth
       end
 
       extra { { :raw_info => @attributes } }
-
     end
   end
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 RSpec::Matchers.define :fail_with do |message|
   match do |actual|
-    actual.redirect? && actual.location == "/auth/failure?message=#{message}"
+    actual.redirect? && /\?.*message=#{message}/ === actual.location
   end
 end
 
@@ -19,7 +19,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       :assertion_consumer_service_url => "http://localhost:3000/auth/saml/callback",
       :issuer                         => "https://saml.issuer.url/issuers/29490",
       :idp_sso_target_url             => "https://idp.sso.target_url/signon/29490",
-      :idp_cert_fingerprint           => "E6:87:89:FB:F2:5F:CD:B0:31:32:7E:05:44:84:53:B1:EC:4E:3F:FA",
+      :idp_cert_fingerprint           => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
       :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
     }
   end
@@ -41,7 +41,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     let(:xml) { :example_response }
 
     before :each do
-      Time.stub(:now).and_return(Time.new(2012, 3, 8, 16, 25, 00, 0))
+      Time.stub(:now).and_return(Time.new(2012, 11, 8, 20, 40, 00, 0))
     end
 
     context "when the response is valid" do
@@ -50,23 +50,15 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
 
       it "should set the uid to the nameID in the SAML response" do
-        auth_hash['uid'].should == 'THISISANAMEID'
+        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
       end
 
       it "should set the raw info to all attributes" do
         auth_hash['extra']['raw_info'].to_hash.should == {
-          'forename' => 'Steven',
-          'surname' => 'Anderson',
-          'address_1' => '24 Made Up Drive',
-          'address_2' => nil,
-          'companyName' => 'Test Company Ltd',
-          'postcode' => 'XX2 4XX',
-          'city' => 'Newcastle',
-          'country' => 'United Kingdom',
-          'userEmailID' => 'steve@example.com',
-          'county' => 'TYNESIDE',
-          'versionID' => '1',
-          'bundleID' => '1'
+          'first_name'   => 'Rajiv',
+          'last_name'    => 'Manglani',
+          'email'        => 'user@example.com',
+          'company_name' => 'Example Company'
         }
       end
     end
@@ -89,7 +81,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
     context "when the fingerprint is invalid" do
       before :each do
-        saml_options[:idp_cert_fingerprint] = "E6:87:89:FB:F2:5F:CD:B0:31:32:7E:05:44:84:53:B1:EC:4E:3F:FB"
+        saml_options[:idp_cert_fingerprint] = "00:00:00:00:00:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB"
         post_xml
       end
 
@@ -111,23 +103,5 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
       it { should fail_with(:invalid_ticket) }
     end
-
-    context "when the time is before the NotBefore date" do
-      before :each do
-        Time.stub(:now).and_return(Time.new(2000, 3, 8, 16, 25, 00, 0))
-        post_xml
-      end
-
-      it { should fail_with(:invalid_ticket) }
-    end
-
-    context "when the time is after the NotOnOrAfter date" do
-      before :each do
-        Time.stub(:now).and_return(Time.new(3000, 3, 8, 16, 25, 00, 0))
-        post_xml
-      end
-
-      it { should fail_with(:invalid_ticket) }
-    end
   end
 end

data/spec/spec_helper.rb

@@ -6,7 +6,6 @@ require 'rack/test'
 require 'rexml/document'
 require 'rexml/xpath'
 require 'base64'
-require File.expand_path('../shared/validating_method.rb', __FILE__)
 
 RSpec.configure do |config|
   config.include Rack::Test::Methods

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 0.9.2
+  version: 1.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -12,96 +12,120 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-30 00:00:00.000000000Z
+date: 2012-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
-  requirement: &70159259960020 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :runtime
   prerelease: false
-  version_requirements: *70159259960020
-- !ruby/object:Gem::Dependency
-  name: xmlcanonicalizer
-  requirement: &70159259959000 !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.1.1
-  type: :runtime
-  prerelease: false
-  version_requirements: *70159259959000
+        version: '1.1'
 - !ruby/object:Gem::Dependency
-  name: uuid
-  requirement: &70159259958260 !ruby/object:Gem::Requirement
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '0.6'
   type: :runtime
   prerelease: false
-  version_requirements: *70159259958260
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: guard
-  requirement: &70159259957340 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.0'
   type: :development
   prerelease: false
-  version_requirements: *70159259957340
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: guard-rspec
-  requirement: &70159259956340 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '2.1'
   type: :development
   prerelease: false
-  version_requirements: *70159259956340
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70159259955720 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.8'
   type: :development
   prerelease: false
-  version_requirements: *70159259955720
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &70159259954920 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: '0.6'
   type: :development
   prerelease: false
-  version_requirements: *70159259954920
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &70159259954240 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - =
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: '0.6'
   type: :development
   prerelease: false
-  version_requirements: *70159259954240
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
 description: A generic SAML strategy for OmniAuth.
 email: rajiv@alum.mit.edu
 executables: []
@@ -109,18 +133,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - README.md
-- lib/omniauth/strategies/saml/auth_request.rb
-- lib/omniauth/strategies/saml/auth_response.rb
+- CHANGELOG.md
 - lib/omniauth/strategies/saml/validation_error.rb
-- lib/omniauth/strategies/saml/xml_security.rb
 - lib/omniauth/strategies/saml.rb
 - lib/omniauth-saml/version.rb
 - lib/omniauth-saml.rb
-- spec/omniauth/strategies/saml/auth_request_spec.rb
-- spec/omniauth/strategies/saml/auth_response_spec.rb
-- spec/omniauth/strategies/saml/validation_error_spec.rb
 - spec/omniauth/strategies/saml_spec.rb
-- spec/shared/validating_method.rb
 - spec/spec_helper.rb
 homepage: https://github.com/PracticallyGreen/omniauth-saml
 licenses: []
@@ -142,14 +160,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: A generic SAML strategy for OmniAuth.
 test_files:
-- spec/omniauth/strategies/saml/auth_request_spec.rb
-- spec/omniauth/strategies/saml/auth_response_spec.rb
-- spec/omniauth/strategies/saml/validation_error_spec.rb
 - spec/omniauth/strategies/saml_spec.rb
-- spec/shared/validating_method.rb
 - spec/spec_helper.rb

data/lib/omniauth/strategies/saml/auth_request.rb

@@ -1,38 +0,0 @@
-require "base64"
-require "uuid"
-require "zlib"
-require "cgi"
-
-module OmniAuth
-  module Strategies
-    class SAML
-      class AuthRequest
-
-        def create(settings, params = {})
-          uuid = "_" + UUID.new.generate
-          time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-
-          request =
-            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{uuid}\" Version=\"2.0\" IssueInstant=\"#{time}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings[:assertion_consumer_service_url]}\">" +
-            "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings[:issuer]}</saml:Issuer>\n" +
-            "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings[:name_identifier_format]}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
-            "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
-            "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
-            "</samlp:AuthnRequest>"
-
-          deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
-          base64_request    = Base64.encode64(deflated_request)
-          encoded_request   = CGI.escape(base64_request)
-          request_params    = "?SAMLRequest=" + encoded_request
-
-          params.each_pair do |key, value|
-            request_params << "&#{key}=#{CGI.escape(value.to_s)}"
-          end
-
-          settings[:idp_sso_target_url] + request_params
-        end
-
-      end
-    end
-  end
-end

data/lib/omniauth/strategies/saml/auth_response.rb

@@ -1,148 +0,0 @@
-require "time"
-
-module OmniAuth
-  module Strategies
-    class SAML
-      class AuthResponse
-
-        ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-        PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-        DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-
-        attr_accessor :options, :response, :document, :settings
-
-        def initialize(response, options = {})
-          raise ArgumentError.new("Response cannot be nil") if response.nil?
-          self.options  = options
-          self.response = response
-          self.document = OmniAuth::Strategies::SAML::XMLSecurity::SignedDocument.new(Base64.decode64(response))
-        end
-
-        def valid?
-          validate(soft = true)
-        end
-
-        def validate!
-          validate(soft = false)
-        end
-
-        # The value of the user identifier as designated by the initialization request response
-        def name_id
-          @name_id ||= begin
-            node = xpath("/p:Response/a:Assertion[@ID='#{signed_element_id}']/a:Subject/a:NameID")
-            node ||=  xpath("/p:Response[@ID='#{signed_element_id}']/a:Assertion/a:Subject/a:NameID")
-            node.nil? ? nil : strip(node.text)
-          end
-        end
-
-        # A hash of all the attributes with the response. Assuming there is only one value for each key
-        def attributes
-          @attr_statements ||= begin
-            stmt_element = xpath("/p:Response/a:Assertion/a:AttributeStatement")
-            return {} if stmt_element.nil?
-
-            {}.tap do |result|
-              stmt_element.elements.each do |attr_element|
-                name  = attr_element.attributes["Name"]
-                value = strip(attr_element.elements.first.text)
-
-                result[name] = result[name.to_sym] =  value
-              end
-            end
-          end
-        end
-
-        # When this user session should expire at latest
-        def session_expires_at
-          @expires_at ||= begin
-            node = xpath("/p:Response/a:Assertion/a:AuthnStatement")
-            parse_time(node, "SessionNotOnOrAfter")
-          end
-        end
-
-        # Conditions (if any) for the assertion to run
-        def conditions
-          @conditions ||= begin
-            xpath("/p:Response/a:Assertion[@ID='#{signed_element_id}']/a:Conditions")
-          end
-        end
-
-        private
-
-        def validation_error(message)
-          raise OmniAuth::Strategies::SAML::ValidationError.new(message)
-        end
-
-        def validate(soft = true)
-          validate_response_state(soft) &&
-          validate_conditions(soft)     &&
-          document.validate(get_fingerprint, soft)
-        end
-
-        def validate_response_state(soft = true)
-          if response.empty?
-            return soft ? false : validation_error("Blank response")
-          end
-
-          if settings.nil?
-            return soft ? false : validation_error("No settings on response")
-          end
-
-          if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
-            return soft ? false : validation_error("No fingerprint or certificate on settings")
-          end
-
-          true
-        end
-
-        def get_fingerprint
-          if settings.idp_cert
-            cert = OpenSSL::X509::Certificate.new(settings.idp_cert.gsub(/^ +/, ''))
-            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-          else
-            settings.idp_cert_fingerprint
-          end
-        end
-
-        def validate_conditions(soft = true)
-          return true if conditions.nil?
-          return true if options[:skip_conditions]
-
-          if not_before = parse_time(conditions, "NotBefore")
-            if Time.now.utc < not_before
-              return soft ? false : validation_error("Current time is earlier than NotBefore condition")
-            end
-          end
-
-          if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
-            if Time.now.utc >= not_on_or_after
-              return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
-            end
-          end
-
-          true
-        end
-
-        def parse_time(node, attribute)
-          if node && node.attributes[attribute]
-            Time.parse(node.attributes[attribute])
-          end
-        end
-
-        def strip(string)
-          return string unless string
-          string.gsub(/^\s+/, '').gsub(/\s+$/, '')
-        end
-
-        def xpath(path)
-          REXML::XPath.first(document, path, { "p" => PROTOCOL, "a" => ASSERTION })
-        end
-
-        def signed_element_id
-          doc_id = document.signed_element_id
-          doc_id[1, doc_id.size]
-        end
-      end
-    end
-  end
-end

data/lib/omniauth/strategies/saml/xml_security.rb

@@ -1,126 +0,0 @@
-# The contents of this file are subject to the terms
-# of the Common Development and Distribution License
-# (the License). You may not use this file except in
-# compliance with the License.
-#
-# You can obtain a copy of the License at
-# https://opensso.dev.java.net/public/CDDLv1.0.html or
-# opensso/legal/CDDLv1.0.txt
-# See the License for the specific language governing
-# permission and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL
-# Header Notice in each file and include the License file
-# at opensso/legal/CDDLv1.0.txt.
-# If applicable, add the following below the CDDL Header,
-# with the fields enclosed by brackets [] replaced by
-# your own identifying information:
-# "Portions Copyrighted [year] [name of copyright owner]"
-#
-# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
-#
-# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
-# Portions Copyrighted 2007 Todd W Saxton.
-
-require 'rubygems'
-require "rexml/document"
-require "rexml/xpath"
-require "openssl"
-require "xmlcanonicalizer"
-require "digest/sha1"
-
-module OmniAuth
-  module Strategies
-    class SAML
-
-      module XMLSecurity
-
-        class SignedDocument < REXML::Document
-          DSIG = "http://www.w3.org/2000/09/xmldsig#"
-
-          attr_accessor :signed_element_id
-
-          def initialize(response)
-            super(response)
-            extract_signed_element_id
-          end
-
-          def validate(idp_cert_fingerprint, soft = true)
-            # get cert from response
-            base64_cert = self.elements["//ds:X509Certificate"].text
-            cert_text   = Base64.decode64(base64_cert)
-            cert        = OpenSSL::X509::Certificate.new(cert_text)
-
-            # check cert matches registered idp cert
-            fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-
-            if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-              return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Fingerprint mismatch"))
-            end
-
-            validate_doc(base64_cert, soft)
-          end
-
-          def validate_doc(base64_cert, soft = true)
-            # validate references
-
-            # check for inclusive namespaces
-
-            inclusive_namespaces            = []
-            inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
-
-            if inclusive_namespace_element
-              prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
-              inclusive_namespaces          = prefix_list.split(" ")
-            end
-
-            # remove signature node
-            sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
-            sig_element.remove
-
-            # check digests
-            REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
-              uri                           = ref.attributes.get_attribute("URI").value
-              hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
-              canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
-              canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
-              canon_hashed_element          = canoner.canonicalize(hashed_element)
-              hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
-              digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
-
-              if hash != digest_value
-                return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Digest mismatch"))
-              end
-            end
-
-            # verify signature
-            canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
-            signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
-            canon_string            = canoner.canonicalize(signed_info_element)
-
-            base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
-            signature               = Base64.decode64(base64_signature)
-
-            # get certificate object
-            cert_text               = Base64.decode64(base64_cert)
-            cert                    = OpenSSL::X509::Certificate.new(cert_text)
-
-            if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
-              return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Key validation error"))
-            end
-
-            return true
-          end
-
-          private
-
-          def extract_signed_element_id
-            reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
-            self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
-          end
-        end
-      end
-
-    end
-  end
-end

data/spec/omniauth/strategies/saml/auth_request_spec.rb

@@ -1,75 +0,0 @@
-require 'spec_helper'
-
-describe OmniAuth::Strategies::SAML::AuthRequest do
-  describe :create do
-    let(:url) do
-      described_class.new.create(
-        {
-          :idp_sso_target_url => 'example.com',
-          :assertion_consumer_service_url => 'http://example.com/auth/saml/callback',
-          :issuer => 'This is an issuer',
-          :name_identifier_format => 'Some Policy'
-        },
-        {
-          :some_param => 'foo',
-          :some_other => 'bar'
-        }
-      )
-    end
-    let(:saml_request) { url.match(/SAMLRequest=(.*)/)[1] }
-
-    describe "the url" do
-      subject { url }
-
-      it "should contain a SAMLRequest query string param" do
-        subject.should match /^example\.com\?SAMLRequest=/
-      end
-
-      it "should contain any other parameters passed through" do
-        subject.should match /^example\.com\?SAMLRequest=(.*)&some_param=foo&some_other=bar/
-      end
-    end
-
-    describe "the saml request" do
-      subject { saml_request }
-
-      let(:decoded) do
-        cgi_unescaped = CGI.unescape(subject)
-        base64_decoded = Base64.decode64(cgi_unescaped)
-        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(base64_decoded)
-      end
-
-      let(:xml) { REXML::Document.new(decoded) }
-      let(:root_element) { REXML::XPath.first(xml, '//samlp:AuthnRequest') }
-
-      it "should contain base64 encoded and zlib deflated xml" do
-        decoded.should match /^<samlp:AuthnRequest/
-      end
-
-      it "should contain a uuid with an underscore in front" do
-        UUID.any_instance.stub(:generate).and_return('MY_UUID')
-
-        root_element.attributes['ID'].should == '_MY_UUID'
-      end
-
-      it "should contain the current time as the IssueInstant" do
-        t = Time.now
-        Time.stub(:now).and_return(t)
-
-        root_element.attributes['IssueInstant'].should == t.utc.iso8601
-      end
-
-      it "should contain the callback url in the settings" do
-        root_element.attributes['AssertionConsumerServiceURL'].should == 'http://example.com/auth/saml/callback'
-      end
-
-      it "should contain the issuer" do
-        REXML::XPath.first(xml, '//saml:Issuer').text.should == 'This is an issuer'
-      end
-
-      it "should contain the name identifier format" do
-        REXML::XPath.first(xml, '//samlp:NameIDPolicy').attributes['Format'].should == 'Some Policy'
-      end
-    end
-  end
-end

data/spec/omniauth/strategies/saml/auth_response_spec.rb

@@ -1,90 +0,0 @@
-require 'spec_helper'
-
-describe OmniAuth::Strategies::SAML::AuthResponse do
-  let(:xml) { :example_response }
-  subject { described_class.new(load_xml(xml)) }
-
-  describe :initialize do
-    context "when the response is nil" do
-      it "should raise an exception" do
-        expect { described_class.new(nil) }.to raise_error ArgumentError
-      end
-    end
-  end
-
-  describe :name_id do
-    it "should load the name id from the assertion" do
-      subject.name_id.should == 'THISISANAMEID'
-    end
-
-    context "when the response contains the signed_element_id" do
-      let(:xml) { :response_contains_signed_element }
-
-      it "should load the name id from the assertion" do
-        subject.name_id.should == 'THISISANAMEID'
-      end
-    end
-  end
-
-  describe :attributes do
-    it "should return all of the attributes as a hash" do
-      subject.attributes.should == {
-        :forename => 'Steven',
-        :surname => 'Anderson',
-        :address_1 => '24 Made Up Drive',
-        :address_2 => nil,
-        :companyName => 'Test Company Ltd',
-        :postcode => 'XX2 4XX',
-        :city => 'Newcastle',
-        :country => 'United Kingdom',
-        :userEmailID => 'steve@example.com',
-        :county => 'TYNESIDE',
-        :versionID => '1',
-        :bundleID => '1',
-
-        'forename' => 'Steven',
-        'surname' => 'Anderson',
-        'address_1' => '24 Made Up Drive',
-        'address_2' => nil,
-        'companyName' => 'Test Company Ltd',
-        'postcode' => 'XX2 4XX',
-        'city' => 'Newcastle',
-        'country' => 'United Kingdom',
-        'userEmailID' => 'steve@example.com',
-        'county' => 'TYNESIDE',
-        'versionID' => '1',
-        'bundleID' => '1'
-      }
-    end
-
-    context "when no attributes exist in the XML" do
-      let(:xml) { :no_attributes }
-
-      it "should return an empty hash" do
-        subject.attributes.should == {}
-      end
-    end
-  end
-
-  describe :session_expires_at do
-    it "should return the SessionNotOnOrAfter as a Ruby date" do
-      subject.session_expires_at.to_i.should == Time.new(2012, 04, 8, 12, 0, 24, 0).to_i
-    end
-  end
-
-  describe :conditions do
-    it "should return the conditions element from the XML" do
-      subject.conditions.attributes['NotOnOrAfter'].should == '2012-03-08T16:30:01.336Z'
-      subject.conditions.attributes['NotBefore'].should    == '2012-03-08T16:20:01.336Z'
-      REXML::XPath.first(subject.conditions, '//saml:Audience').text.should include 'AUDIENCE'
-    end
-  end
-
-  describe :valid? do
-    it_should_behave_like 'a validating method', true
-  end
-
-  describe :validate! do
-    it_should_behave_like 'a validating method', false
-  end
-end

data/spec/omniauth/strategies/saml/validation_error_spec.rb

@@ -1,5 +0,0 @@
-require 'spec_helper'
-
-describe OmniAuth::Strategies::SAML::ValidationError do
-  it { should be_a Exception }
-end

data/spec/shared/validating_method.rb

@@ -1,129 +0,0 @@
-def assert_is_valid(soft)
-  if soft
-    it { should be_valid }
-  else
-    it "should be valid" do
-      expect { subject.validate! }.not_to raise_error
-    end
-  end
-end
-
-def assert_is_not_valid(soft)
-  if soft
-    it { should_not be_valid }
-  else
-    it "should be invalid" do
-      expect { subject.validate! }.to raise_error
-    end
-  end
-end
-
-def stub_validate_to_fail(soft)
-  if soft
-    subject.document.stub(:validate).and_return(false)
-  else
-    subject.document.stub(:validate).and_raise(Exception)
-  end
-end
-
-shared_examples_for 'a validating method' do |soft|
-  before :each do
-    subject.settings = mock(Object, :idp_cert_fingerprint => 'FINGERPRINT', :idp_cert => nil)
-    subject.document.stub(:validate).and_return(true)
-  end
-
-  context "when the response is empty" do
-    subject { described_class.new('') }
-
-    assert_is_not_valid(soft)
-  end
-
-  context "when the settings are nil" do
-    before :each do
-      subject.settings = nil
-    end
-
-    assert_is_not_valid(soft)
-  end
-
-  context "when there is no idp_cert_fingerprint and idp_cert" do
-    before :each do
-      subject.settings = mock(Object, :idp_cert_fingerprint => nil, :idp_cert => nil)
-    end
-
-    assert_is_not_valid(soft)
-  end
-
-  context "when conditions are not given" do
-    let(:xml) { :no_conditions }
-
-    assert_is_valid(soft)
-  end
-
-  context "when the current time is before the NotBefore time" do
-    before :each do
-      Time.stub(:now).and_return(Time.new(2000, 01, 01, 10, 00, 00, 0))
-    end
-
-    assert_is_not_valid(soft)
-  end
-
-  context "when the current time is after the NotOnOrAfter time" do
-    before :each do
-      # We're assuming here that this code will be out of use in 1000 years...
-      Time.stub(:now).and_return(Time.new(3012, 01, 01, 10, 00, 00, 0))
-    end
-
-    assert_is_not_valid(soft)
-  end
-
-  context "when the current time is between the NotBefore and NotOnOrAfter times" do
-    before :each do
-      Time.stub(:now).and_return(Time.new(2012, 3, 8, 16, 25, 00, 0))
-    end
-
-    assert_is_valid(soft)
-  end
-
-  context "when skip_conditions option is given" do
-    before :each do
-      subject.options[:skip_conditions] = true
-    end
-
-    assert_is_valid(soft)
-  end
-
-  context "when the SAML document is valid" do
-    before :each do
-      subject.document.should_receive(:validate).with('FINGERPRINT', soft).and_return(true)
-      subject.options[:skip_conditions] = true
-    end
-
-    assert_is_valid(soft)
-  end
-
-  context "when the SAML document is valid and the idp_cert is given" do
-    let(:cert) do
-      filename = File.expand_path(File.join('..', '..', 'support', "example_cert.pem"), __FILE__)
-      IO.read(filename)
-    end
-    let(:expected) { 'E6:87:89:FB:F2:5F:CD:B0:31:32:7E:05:44:84:53:B1:EC:4E:3F:FA' }
-
-    before :each do
-      subject.settings.stub(:idp_cert).and_return(cert)
-      subject.document.should_receive(:validate).with(expected, soft).and_return(true)
-      subject.options[:skip_conditions] = true
-    end
-
-    assert_is_valid(soft)
-  end
-
-  context "when the SAML document is invalid" do
-    before :each do
-      stub_validate_to_fail(soft)
-      subject.options[:skip_conditions] = true
-    end
-
-    assert_is_not_valid(soft)
-  end
-end