ruby-saml-bm 0.6.1
Sign up to get free protection for your applications and to get access to all the features.
- data/Gemfile +12 -0
- data/Gemfile.lock +51 -0
- data/LICENSE +19 -0
- data/README.md +126 -0
- data/Rakefile +41 -0
- data/lib/onelogin/ruby-saml-bm/authrequest.rb +79 -0
- data/lib/onelogin/ruby-saml-bm/logging.rb +26 -0
- data/lib/onelogin/ruby-saml-bm/logoutrequest.rb +80 -0
- data/lib/onelogin/ruby-saml-bm/metadata.rb +47 -0
- data/lib/onelogin/ruby-saml-bm/response.rb +180 -0
- data/lib/onelogin/ruby-saml-bm/settings.rb +18 -0
- data/lib/onelogin/ruby-saml-bm/validation_error.rb +7 -0
- data/lib/onelogin/ruby-saml-bm/version.rb +5 -0
- data/lib/ruby-saml.rb +8 -0
- data/lib/schemas/saml20assertion_schema.xsd +283 -0
- data/lib/schemas/saml20protocol_schema.xsd +302 -0
- data/lib/schemas/xenc_schema.xsd +146 -0
- data/lib/schemas/xmldsig_schema.xsd +318 -0
- data/lib/xml_security.rb +165 -0
- data/ruby-saml-bm.gemspec +29 -0
- data/test/certificates/certificate1 +12 -0
- data/test/logoutrequest_test.rb +98 -0
- data/test/request_test.rb +53 -0
- data/test/response_test.rb +219 -0
- data/test/responses/adfs_response_sha1.xml +46 -0
- data/test/responses/adfs_response_sha256.xml +46 -0
- data/test/responses/adfs_response_sha384.xml +46 -0
- data/test/responses/adfs_response_sha512.xml +46 -0
- data/test/responses/no_signature_ns.xml +48 -0
- data/test/responses/open_saml_response.xml +56 -0
- data/test/responses/response1.xml.base64 +1 -0
- data/test/responses/response2.xml.base64 +79 -0
- data/test/responses/response3.xml.base64 +66 -0
- data/test/responses/response4.xml.base64 +93 -0
- data/test/responses/response5.xml.base64 +102 -0
- data/test/responses/response_with_ampersands.xml +139 -0
- data/test/responses/response_with_ampersands.xml.base64 +93 -0
- data/test/responses/simple_saml_php.xml +71 -0
- data/test/responses/wrapped_response_2.xml.base64 +150 -0
- data/test/settings_test.rb +43 -0
- data/test/test_helper.rb +66 -0
- data/test/xml_security_test.rb +123 -0
- metadata +165 -0
data/lib/xml_security.rb
ADDED
@@ -0,0 +1,165 @@
|
|
1
|
+
# The contents of this file are subject to the terms
|
2
|
+
# of the Common Development and Distribution License
|
3
|
+
# (the License). You may not use this file except in
|
4
|
+
# compliance with the License.
|
5
|
+
#
|
6
|
+
# You can obtain a copy of the License at
|
7
|
+
# https://opensso.dev.java.net/public/CDDLv1.0.html or
|
8
|
+
# opensso/legal/CDDLv1.0.txt
|
9
|
+
# See the License for the specific language governing
|
10
|
+
# permission and limitations under the License.
|
11
|
+
#
|
12
|
+
# When distributing Covered Code, include this CDDL
|
13
|
+
# Header Notice in each file and include the License file
|
14
|
+
# at opensso/legal/CDDLv1.0.txt.
|
15
|
+
# If applicable, add the following below the CDDL Header,
|
16
|
+
# with the fields enclosed by brackets [] replaced by
|
17
|
+
# your own identifying information:
|
18
|
+
# "Portions Copyrighted [year] [name of copyright owner]"
|
19
|
+
#
|
20
|
+
# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
|
21
|
+
#
|
22
|
+
# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
|
23
|
+
# Portions Copyrighted 2007 Todd W Saxton.
|
24
|
+
|
25
|
+
require 'rubygems'
|
26
|
+
require "rexml/document"
|
27
|
+
require "rexml/xpath"
|
28
|
+
require "openssl"
|
29
|
+
require 'nokogiri'
|
30
|
+
require "digest/sha1"
|
31
|
+
require "digest/sha2"
|
32
|
+
require "onelogin/ruby-saml-bm/validation_error"
|
33
|
+
|
34
|
+
module XMLSecurity
|
35
|
+
|
36
|
+
class SignedDocument < REXML::Document
|
37
|
+
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
|
38
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#"
|
39
|
+
|
40
|
+
attr_accessor :signed_element_id, :sig_element, :noko_sig_element
|
41
|
+
|
42
|
+
def initialize(response)
|
43
|
+
super(response)
|
44
|
+
extract_signed_element_id
|
45
|
+
end
|
46
|
+
|
47
|
+
def validate(idp_cert_fingerprint, soft = true)
|
48
|
+
# get cert from response
|
49
|
+
cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
|
50
|
+
base64_cert = cert_element.text
|
51
|
+
cert_text = Base64.decode64(base64_cert)
|
52
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
53
|
+
|
54
|
+
# check cert matches registered idp cert
|
55
|
+
fingerprint = Digest::SHA1.hexdigest(cert.to_der)
|
56
|
+
|
57
|
+
if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
|
58
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Fingerprint mismatch"))
|
59
|
+
end
|
60
|
+
|
61
|
+
validate_doc(base64_cert, soft)
|
62
|
+
end
|
63
|
+
|
64
|
+
def validate_doc(base64_cert, soft = true)
|
65
|
+
# validate references
|
66
|
+
|
67
|
+
# check for inclusive namespaces
|
68
|
+
inclusive_namespaces = extract_inclusive_namespaces
|
69
|
+
|
70
|
+
document = Nokogiri.parse(self.to_s)
|
71
|
+
|
72
|
+
# store and remove signature node
|
73
|
+
self.sig_element ||= begin
|
74
|
+
element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
|
75
|
+
element.remove
|
76
|
+
end
|
77
|
+
|
78
|
+
|
79
|
+
# verify signature
|
80
|
+
signed_info_element = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
|
81
|
+
self.noko_sig_element ||= document.at_xpath('//ds:Signature', 'ds' => DSIG)
|
82
|
+
noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
|
83
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod')
|
84
|
+
canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
|
85
|
+
noko_sig_element.remove
|
86
|
+
|
87
|
+
# check digests
|
88
|
+
REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
|
89
|
+
uri = ref.attributes.get_attribute("URI").value
|
90
|
+
|
91
|
+
hashed_element = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
|
92
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod')
|
93
|
+
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&')
|
94
|
+
|
95
|
+
digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
|
96
|
+
|
97
|
+
hash = digest_algorithm.digest(canon_hashed_element)
|
98
|
+
digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
|
99
|
+
|
100
|
+
unless digests_match?(hash, digest_value)
|
101
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
|
102
|
+
end
|
103
|
+
end
|
104
|
+
|
105
|
+
base64_signature = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
|
106
|
+
signature = Base64.decode64(base64_signature)
|
107
|
+
|
108
|
+
# get certificate object
|
109
|
+
cert_text = Base64.decode64(base64_cert)
|
110
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
111
|
+
|
112
|
+
# signature method
|
113
|
+
signature_algorithm = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
|
114
|
+
|
115
|
+
unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
|
116
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Key validation error"))
|
117
|
+
end
|
118
|
+
|
119
|
+
return true
|
120
|
+
end
|
121
|
+
|
122
|
+
private
|
123
|
+
|
124
|
+
def digests_match?(hash, digest_value)
|
125
|
+
hash == digest_value
|
126
|
+
end
|
127
|
+
|
128
|
+
def extract_signed_element_id
|
129
|
+
reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
|
130
|
+
self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
|
131
|
+
end
|
132
|
+
|
133
|
+
def canon_algorithm(element)
|
134
|
+
algorithm = element.attribute('Algorithm').value if element
|
135
|
+
case algorithm
|
136
|
+
when "http://www.w3.org/2001/10/xml-exc-c14n#" then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
137
|
+
when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
|
138
|
+
when "http://www.w3.org/2006/12/xml-c14n11" then Nokogiri::XML::XML_C14N_1_1
|
139
|
+
else Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
140
|
+
end
|
141
|
+
end
|
142
|
+
|
143
|
+
def algorithm(element)
|
144
|
+
algorithm = element.attribute("Algorithm").value if element
|
145
|
+
algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
|
146
|
+
case algorithm
|
147
|
+
when 256 then OpenSSL::Digest::SHA256
|
148
|
+
when 384 then OpenSSL::Digest::SHA384
|
149
|
+
when 512 then OpenSSL::Digest::SHA512
|
150
|
+
else
|
151
|
+
OpenSSL::Digest::SHA1
|
152
|
+
end
|
153
|
+
end
|
154
|
+
|
155
|
+
def extract_inclusive_namespaces
|
156
|
+
if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
|
157
|
+
prefix_list = element.attributes.get_attribute("PrefixList").value
|
158
|
+
prefix_list.split(" ")
|
159
|
+
else
|
160
|
+
[]
|
161
|
+
end
|
162
|
+
end
|
163
|
+
|
164
|
+
end
|
165
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
$LOAD_PATH.push File.expand_path('../lib', __FILE__)
|
2
|
+
require 'onelogin/ruby-saml-bm/version'
|
3
|
+
|
4
|
+
Gem::Specification.new do |s|
|
5
|
+
s.name = 'ruby-saml-bm'
|
6
|
+
s.version = Onelogin::Saml::VERSION
|
7
|
+
|
8
|
+
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
9
|
+
s.authors = ["WDS development"]
|
10
|
+
s.date = Time.now.strftime("%Y-%m-%d")
|
11
|
+
s.description = %q{SAML toolkit for Ruby on Rails adapted to work with ADFS server}
|
12
|
+
s.email = %q{support@onelogin.com}
|
13
|
+
s.extra_rdoc_files = [
|
14
|
+
"LICENSE",
|
15
|
+
"README.md"
|
16
|
+
]
|
17
|
+
s.files = `git ls-files`.split("\n")
|
18
|
+
s.homepage = %q{http://github.com/onelogin/ruby-saml-bm}
|
19
|
+
s.rubyforge_project = %q{http://www.rubygems.org/gems/ruby-saml-bm}
|
20
|
+
s.rdoc_options = ["--charset=UTF-8"]
|
21
|
+
s.require_paths = ["lib"]
|
22
|
+
s.rubygems_version = %q{1.3.7}
|
23
|
+
s.summary = %q{SAML Ruby Tookit}
|
24
|
+
s.test_files = `git ls-files test/*`.split("\n")
|
25
|
+
|
26
|
+
s.add_runtime_dependency("canonix", ["0.1.1"])
|
27
|
+
s.add_runtime_dependency("uuid", ["~> 2.3"])
|
28
|
+
s.add_runtime_dependency("nokogiri")
|
29
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
|
3
|
+
YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
|
4
|
+
Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
|
5
|
+
DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
|
6
|
+
aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
|
7
|
+
BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
8
|
+
AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
|
9
|
+
MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
|
10
|
+
MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
|
11
|
+
AA==
|
12
|
+
-----END CERTIFICATE-----
|
@@ -0,0 +1,98 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Logoutrequest" do
|
6
|
+
settings = Onelogin::Saml::Settings.new
|
7
|
+
|
8
|
+
should "create the deflated SAMLRequest URL parameter" do
|
9
|
+
settings.idp_slo_target_url = "http://unauth.com/logout"
|
10
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
11
|
+
assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
|
12
|
+
|
13
|
+
inflated = decode_saml_request_payload(unauth_url)
|
14
|
+
|
15
|
+
assert_match /^<samlp:LogoutRequest/, inflated
|
16
|
+
end
|
17
|
+
|
18
|
+
should "support additional params" do
|
19
|
+
|
20
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :hello => nil })
|
21
|
+
assert unauth_url =~ /&hello=$/
|
22
|
+
|
23
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
|
24
|
+
assert unauth_url =~ /&foo=bar$/
|
25
|
+
end
|
26
|
+
|
27
|
+
should "set sessionindex" do
|
28
|
+
settings.idp_slo_target_url = "http://example.com"
|
29
|
+
sessionidx = UUID.new.generate
|
30
|
+
settings.sessionindex = sessionidx
|
31
|
+
|
32
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
33
|
+
inflated = decode_saml_request_payload(unauth_url)
|
34
|
+
|
35
|
+
assert_match /<samlp:SessionIndex/, inflated
|
36
|
+
assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
|
37
|
+
end
|
38
|
+
|
39
|
+
should "set name_identifier_value" do
|
40
|
+
settings = Onelogin::Saml::Settings.new
|
41
|
+
settings.idp_slo_target_url = "http://example.com"
|
42
|
+
settings.name_identifier_format = "transient"
|
43
|
+
name_identifier_value = "abc123"
|
44
|
+
settings.name_identifier_value = name_identifier_value
|
45
|
+
|
46
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
47
|
+
inflated = decode_saml_request_payload(unauth_url)
|
48
|
+
|
49
|
+
assert_match /<saml:NameID/, inflated
|
50
|
+
assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
|
51
|
+
end
|
52
|
+
|
53
|
+
context "when the target url doesn't contain a query string" do
|
54
|
+
should "create the SAMLRequest parameter correctly" do
|
55
|
+
settings = Onelogin::Saml::Settings.new
|
56
|
+
settings.idp_slo_target_url = "http://example.com"
|
57
|
+
|
58
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
59
|
+
assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
60
|
+
end
|
61
|
+
end
|
62
|
+
|
63
|
+
context "when the target url contains a query string" do
|
64
|
+
should "create the SAMLRequest parameter correctly" do
|
65
|
+
settings = Onelogin::Saml::Settings.new
|
66
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
67
|
+
|
68
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
69
|
+
assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
70
|
+
end
|
71
|
+
end
|
72
|
+
|
73
|
+
context "consumation of logout may need to track the transaction" do
|
74
|
+
should "have access to the request uuid" do
|
75
|
+
settings = Onelogin::Saml::Settings.new
|
76
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
77
|
+
|
78
|
+
unauth_req = Onelogin::Saml::Logoutrequest.new
|
79
|
+
unauth_url = unauth_req.create(settings)
|
80
|
+
|
81
|
+
inflated = decode_saml_request_payload(unauth_url)
|
82
|
+
assert_match %r[ID='#{unauth_req.uuid}'], inflated
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
86
|
+
|
87
|
+
def decode_saml_request_payload(unauth_url)
|
88
|
+
payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
|
89
|
+
decoded = Base64.decode64(payload)
|
90
|
+
|
91
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
92
|
+
inflated = zstream.inflate(decoded)
|
93
|
+
zstream.finish
|
94
|
+
zstream.close
|
95
|
+
inflated
|
96
|
+
end
|
97
|
+
|
98
|
+
end
|
@@ -0,0 +1,53 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Authrequest" do
|
6
|
+
should "create the deflated SAMLRequest URL parameter" do
|
7
|
+
settings = Onelogin::Saml::Settings.new
|
8
|
+
settings.idp_sso_target_url = "http://example.com"
|
9
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
10
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
11
|
+
payload = CGI.unescape(auth_url.split("=").last)
|
12
|
+
decoded = Base64.decode64(payload)
|
13
|
+
|
14
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
15
|
+
inflated = zstream.inflate(decoded)
|
16
|
+
zstream.finish
|
17
|
+
zstream.close
|
18
|
+
|
19
|
+
assert_match /^<samlp:AuthnRequest/, inflated
|
20
|
+
end
|
21
|
+
|
22
|
+
should "accept extra parameters" do
|
23
|
+
settings = Onelogin::Saml::Settings.new
|
24
|
+
settings.idp_sso_target_url = "http://example.com"
|
25
|
+
|
26
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
|
27
|
+
assert auth_url =~ /&hello=there$/
|
28
|
+
|
29
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
|
30
|
+
assert auth_url =~ /&hello=$/
|
31
|
+
end
|
32
|
+
|
33
|
+
context "when the target url doesn't contain a query string" do
|
34
|
+
should "create the SAMLRequest parameter correctly" do
|
35
|
+
settings = Onelogin::Saml::Settings.new
|
36
|
+
settings.idp_sso_target_url = "http://example.com"
|
37
|
+
|
38
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
39
|
+
assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
context "when the target url contains a query string" do
|
44
|
+
should "create the SAMLRequest parameter correctly" do
|
45
|
+
settings = Onelogin::Saml::Settings.new
|
46
|
+
settings.idp_sso_target_url = "http://example.com?field=value"
|
47
|
+
|
48
|
+
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
49
|
+
assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
@@ -0,0 +1,219 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RubySamlTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Response" do
|
6
|
+
should "raise an exception when response is initialized with nil" do
|
7
|
+
assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
|
8
|
+
end
|
9
|
+
|
10
|
+
should "be able to parse a document which contains ampersands" do
|
11
|
+
XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
|
12
|
+
Onelogin::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
|
13
|
+
|
14
|
+
response = Onelogin::Saml::Response.new(ampersands_response)
|
15
|
+
settings = Onelogin::Saml::Settings.new
|
16
|
+
settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
|
17
|
+
response.settings = settings
|
18
|
+
response.validate!
|
19
|
+
end
|
20
|
+
|
21
|
+
should "adapt namespace" do
|
22
|
+
response = Onelogin::Saml::Response.new(response_document)
|
23
|
+
assert !response.name_id.nil?
|
24
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
25
|
+
assert !response.name_id.nil?
|
26
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
27
|
+
assert !response.name_id.nil?
|
28
|
+
end
|
29
|
+
|
30
|
+
should "default to raw input when a response is not Base64 encoded" do
|
31
|
+
decoded = Base64.decode64(response_document_2)
|
32
|
+
response = Onelogin::Saml::Response.new(decoded)
|
33
|
+
assert response.document
|
34
|
+
end
|
35
|
+
|
36
|
+
context "Assertion" do
|
37
|
+
should "only retreive an assertion with an ID that matches the signature's reference URI" do
|
38
|
+
response = Onelogin::Saml::Response.new(wrapped_response_2)
|
39
|
+
response.stubs(:conditions).returns(nil)
|
40
|
+
settings = Onelogin::Saml::Settings.new
|
41
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
42
|
+
response.settings = settings
|
43
|
+
assert response.name_id.nil?
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
context "#validate!" do
|
48
|
+
should "raise when encountering a condition that prevents the document from being valid" do
|
49
|
+
response = Onelogin::Saml::Response.new(response_document)
|
50
|
+
assert_raise(Onelogin::Saml::ValidationError) do
|
51
|
+
response.validate!
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
context "#is_valid?" do
|
57
|
+
should "return false when response is initialized with blank data" do
|
58
|
+
response = Onelogin::Saml::Response.new('')
|
59
|
+
assert !response.is_valid?
|
60
|
+
end
|
61
|
+
|
62
|
+
should "return false if settings have not been set" do
|
63
|
+
response = Onelogin::Saml::Response.new(response_document)
|
64
|
+
assert !response.is_valid?
|
65
|
+
end
|
66
|
+
|
67
|
+
should "return true when the response is initialized with valid data" do
|
68
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
69
|
+
response.stubs(:conditions).returns(nil)
|
70
|
+
assert !response.is_valid?
|
71
|
+
settings = Onelogin::Saml::Settings.new
|
72
|
+
assert !response.is_valid?
|
73
|
+
response.settings = settings
|
74
|
+
assert !response.is_valid?
|
75
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
76
|
+
assert response.is_valid?
|
77
|
+
end
|
78
|
+
|
79
|
+
should "return true when using certificate instead of fingerprint" do
|
80
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
81
|
+
response.stubs(:conditions).returns(nil)
|
82
|
+
settings = Onelogin::Saml::Settings.new
|
83
|
+
response.settings = settings
|
84
|
+
settings.idp_cert = signature_1
|
85
|
+
assert response.is_valid?
|
86
|
+
end
|
87
|
+
|
88
|
+
should "not allow signature wrapping attack" do
|
89
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
90
|
+
response.stubs(:conditions).returns(nil)
|
91
|
+
settings = Onelogin::Saml::Settings.new
|
92
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
93
|
+
response.settings = settings
|
94
|
+
assert response.is_valid?
|
95
|
+
assert response.name_id == "test@onelogin.com"
|
96
|
+
end
|
97
|
+
|
98
|
+
should "support dynamic namespace resolution on signature elements" do
|
99
|
+
response = Onelogin::Saml::Response.new(fixture("no_signature_ns.xml"))
|
100
|
+
response.stubs(:conditions).returns(nil)
|
101
|
+
settings = Onelogin::Saml::Settings.new
|
102
|
+
response.settings = settings
|
103
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
104
|
+
XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
|
105
|
+
assert response.validate!
|
106
|
+
end
|
107
|
+
|
108
|
+
should "validate ADFS assertions" do
|
109
|
+
response = Onelogin::Saml::Response.new(fixture(:adfs_response_sha256))
|
110
|
+
response.stubs(:conditions).returns(nil)
|
111
|
+
settings = Onelogin::Saml::Settings.new
|
112
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
113
|
+
response.settings = settings
|
114
|
+
assert response.validate!
|
115
|
+
end
|
116
|
+
|
117
|
+
should "validate SAML 2.0 XML structure" do
|
118
|
+
resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
|
119
|
+
response = Onelogin::Saml::Response.new(Base64.encode64(resp_xml))
|
120
|
+
response.stubs(:conditions).returns(nil)
|
121
|
+
settings = Onelogin::Saml::Settings.new
|
122
|
+
settings.idp_cert_fingerprint = signature_fingerprint_1
|
123
|
+
response.settings = settings
|
124
|
+
assert_raises(Onelogin::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
|
125
|
+
end
|
126
|
+
end
|
127
|
+
|
128
|
+
context "#name_id" do
|
129
|
+
should "extract the value of the name id element" do
|
130
|
+
response = Onelogin::Saml::Response.new(response_document)
|
131
|
+
assert_equal "support@onelogin.com", response.name_id
|
132
|
+
|
133
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
134
|
+
assert_equal "someone@example.com", response.name_id
|
135
|
+
end
|
136
|
+
|
137
|
+
should "be extractable from an OpenSAML response" do
|
138
|
+
response = Onelogin::Saml::Response.new(fixture(:open_saml))
|
139
|
+
assert_equal "someone@example.org", response.name_id
|
140
|
+
end
|
141
|
+
|
142
|
+
should "be extractable from a Simple SAML PHP response" do
|
143
|
+
response = Onelogin::Saml::Response.new(fixture(:simple_saml_php))
|
144
|
+
assert_equal "someone@example.com", response.name_id
|
145
|
+
end
|
146
|
+
end
|
147
|
+
|
148
|
+
context "#check_conditions" do
|
149
|
+
should "check time conditions" do
|
150
|
+
response = Onelogin::Saml::Response.new(response_document)
|
151
|
+
assert !response.send(:validate_conditions, true)
|
152
|
+
response = Onelogin::Saml::Response.new(response_document_6)
|
153
|
+
assert response.send(:validate_conditions, true)
|
154
|
+
time = Time.parse("2011-06-14T18:25:01.516Z")
|
155
|
+
Time.stubs(:now).returns(time)
|
156
|
+
response = Onelogin::Saml::Response.new(response_document_5)
|
157
|
+
assert response.send(:validate_conditions, true)
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
context "#attributes" do
|
162
|
+
should "extract the first attribute in a hash accessed via its symbol" do
|
163
|
+
response = Onelogin::Saml::Response.new(response_document)
|
164
|
+
assert_equal "demo", response.attributes[:uid]
|
165
|
+
end
|
166
|
+
|
167
|
+
should "extract the first attribute in a hash accessed via its name" do
|
168
|
+
response = Onelogin::Saml::Response.new(response_document)
|
169
|
+
assert_equal "demo", response.attributes["uid"]
|
170
|
+
end
|
171
|
+
|
172
|
+
should "extract all attributes" do
|
173
|
+
response = Onelogin::Saml::Response.new(response_document)
|
174
|
+
assert_equal "demo", response.attributes[:uid]
|
175
|
+
assert_equal "value", response.attributes[:another_value]
|
176
|
+
end
|
177
|
+
|
178
|
+
should "work for implicit namespaces" do
|
179
|
+
response = Onelogin::Saml::Response.new(response_document_3)
|
180
|
+
assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
|
181
|
+
end
|
182
|
+
|
183
|
+
should "not raise on responses without attributes" do
|
184
|
+
response = Onelogin::Saml::Response.new(response_document_4)
|
185
|
+
assert_equal Hash.new, response.attributes
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
189
|
+
context "#session_expires_at" do
|
190
|
+
should "extract the value of the SessionNotOnOrAfter attribute" do
|
191
|
+
response = Onelogin::Saml::Response.new(response_document)
|
192
|
+
assert response.session_expires_at.is_a?(Time)
|
193
|
+
|
194
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
195
|
+
assert response.session_expires_at.nil?
|
196
|
+
end
|
197
|
+
end
|
198
|
+
|
199
|
+
context "#issuer" do
|
200
|
+
should "return the issuer inside the response assertion" do
|
201
|
+
response = Onelogin::Saml::Response.new(response_document)
|
202
|
+
assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
|
203
|
+
end
|
204
|
+
|
205
|
+
should "return the issuer inside the response" do
|
206
|
+
response = Onelogin::Saml::Response.new(response_document_2)
|
207
|
+
assert_equal "wibble", response.issuer
|
208
|
+
end
|
209
|
+
end
|
210
|
+
|
211
|
+
context "#success" do
|
212
|
+
should "find a status code that says success" do
|
213
|
+
response = Onelogin::Saml::Response.new(response_document)
|
214
|
+
response.success?
|
215
|
+
end
|
216
|
+
end
|
217
|
+
|
218
|
+
end
|
219
|
+
end
|