ruby-saml-federazione-trentina 0.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (48) hide show
  1. data/.document +5 -0
  2. data/.gitignore +10 -0
  3. data/.travis.yml +5 -0
  4. data/Gemfile +12 -0
  5. data/LICENSE +19 -0
  6. data/README.md +126 -0
  7. data/Rakefile +41 -0
  8. data/lib/onelogin/ruby-saml/authrequest.rb +189 -0
  9. data/lib/onelogin/ruby-saml/coding.rb +34 -0
  10. data/lib/onelogin/ruby-saml/logging.rb +26 -0
  11. data/lib/onelogin/ruby-saml/logout_request.rb +126 -0
  12. data/lib/onelogin/ruby-saml/logout_response.rb +132 -0
  13. data/lib/onelogin/ruby-saml/metadata.rb +270 -0
  14. data/lib/onelogin/ruby-saml/request.rb +83 -0
  15. data/lib/onelogin/ruby-saml/response.rb +211 -0
  16. data/lib/onelogin/ruby-saml/settings.rb +29 -0
  17. data/lib/onelogin/ruby-saml/validation_error.rb +7 -0
  18. data/lib/onelogin/ruby-saml/version.rb +5 -0
  19. data/lib/ruby-saml.rb +11 -0
  20. data/lib/schemas/saml20assertion_schema.xsd +283 -0
  21. data/lib/schemas/saml20protocol_schema.xsd +302 -0
  22. data/lib/schemas/xenc_schema.xsd +146 -0
  23. data/lib/schemas/xmldsig_schema.xsd +318 -0
  24. data/lib/xml_security.rb +165 -0
  25. data/ruby-saml.gemspec +21 -0
  26. data/test/certificates/certificate1 +12 -0
  27. data/test/logoutrequest_test.rb +98 -0
  28. data/test/request_test.rb +53 -0
  29. data/test/response_test.rb +219 -0
  30. data/test/responses/adfs_response_sha1.xml +46 -0
  31. data/test/responses/adfs_response_sha256.xml +46 -0
  32. data/test/responses/adfs_response_sha384.xml +46 -0
  33. data/test/responses/adfs_response_sha512.xml +46 -0
  34. data/test/responses/no_signature_ns.xml +48 -0
  35. data/test/responses/open_saml_response.xml +56 -0
  36. data/test/responses/response1.xml.base64 +1 -0
  37. data/test/responses/response2.xml.base64 +79 -0
  38. data/test/responses/response3.xml.base64 +66 -0
  39. data/test/responses/response4.xml.base64 +93 -0
  40. data/test/responses/response5.xml.base64 +102 -0
  41. data/test/responses/response_with_ampersands.xml +139 -0
  42. data/test/responses/response_with_ampersands.xml.base64 +93 -0
  43. data/test/responses/simple_saml_php.xml +71 -0
  44. data/test/responses/wrapped_response_2.xml.base64 +150 -0
  45. data/test/settings_test.rb +43 -0
  46. data/test/test_helper.rb +66 -0
  47. data/test/xml_security_test.rb +123 -0
  48. metadata +155 -0
@@ -0,0 +1,165 @@
1
+ # The contents of this file are subject to the terms
2
+ # of the Common Development and Distribution License
3
+ # (the License). You may not use this file except in
4
+ # compliance with the License.
5
+ #
6
+ # You can obtain a copy of the License at
7
+ # https://opensso.dev.java.net/public/CDDLv1.0.html or
8
+ # opensso/legal/CDDLv1.0.txt
9
+ # See the License for the specific language governing
10
+ # permission and limitations under the License.
11
+ #
12
+ # When distributing Covered Code, include this CDDL
13
+ # Header Notice in each file and include the License file
14
+ # at opensso/legal/CDDLv1.0.txt.
15
+ # If applicable, add the following below the CDDL Header,
16
+ # with the fields enclosed by brackets [] replaced by
17
+ # your own identifying information:
18
+ # "Portions Copyrighted [year] [name of copyright owner]"
19
+ #
20
+ # $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
21
+ #
22
+ # Copyright 2007 Sun Microsystems Inc. All Rights Reserved
23
+ # Portions Copyrighted 2007 Todd W Saxton.
24
+
25
+ require 'rubygems'
26
+ require "rexml/document"
27
+ require "rexml/xpath"
28
+ require "openssl"
29
+ require 'nokogiri'
30
+ require "digest/sha1"
31
+ require "digest/sha2"
32
+ require "onelogin/ruby-saml/validation_error"
33
+
34
+ module XMLSecurity
35
+
36
+ class SignedDocument < REXML::Document
37
+ C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
38
+ DSIG = "http://www.w3.org/2000/09/xmldsig#"
39
+
40
+ attr_accessor :signed_element_id, :sig_element, :noko_sig_element
41
+
42
+ def initialize(response)
43
+ super(response)
44
+ extract_signed_element_id
45
+ end
46
+
47
+ def validate(idp_cert_fingerprint, soft = true)
48
+ # get cert from response
49
+ cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
50
+ base64_cert = cert_element.text
51
+ cert_text = Base64.decode64(base64_cert)
52
+ cert = OpenSSL::X509::Certificate.new(cert_text)
53
+
54
+ # check cert matches registered idp cert
55
+ fingerprint = Digest::SHA1.hexdigest(cert.to_der)
56
+
57
+ if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
58
+ return soft ? false : (raise Onelogin::Saml::ValidationError.new("Fingerprint mismatch"))
59
+ end
60
+
61
+ validate_doc(base64_cert, soft)
62
+ end
63
+
64
+ def validate_doc(base64_cert, soft = true)
65
+ # validate references
66
+
67
+ # check for inclusive namespaces
68
+ inclusive_namespaces = extract_inclusive_namespaces
69
+
70
+ document = Nokogiri.parse(self.to_s)
71
+
72
+ # store and remove signature node
73
+ self.sig_element ||= begin
74
+ element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
75
+ element.remove
76
+ end
77
+
78
+
79
+ # verify signature
80
+ signed_info_element = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
81
+ self.noko_sig_element ||= document.at_xpath('//ds:Signature', 'ds' => DSIG)
82
+ noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
83
+ canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod')
84
+ canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
85
+ noko_sig_element.remove
86
+
87
+ # check digests
88
+ REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
89
+ uri = ref.attributes.get_attribute("URI").value
90
+
91
+ hashed_element = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
92
+ canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod')
93
+ canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&amp;')
94
+
95
+ digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
96
+
97
+ hash = digest_algorithm.digest(canon_hashed_element)
98
+ digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
99
+
100
+ unless digests_match?(hash, digest_value)
101
+ return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
102
+ end
103
+ end
104
+
105
+ base64_signature = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
106
+ signature = Base64.decode64(base64_signature)
107
+
108
+ # get certificate object
109
+ cert_text = Base64.decode64(base64_cert)
110
+ cert = OpenSSL::X509::Certificate.new(cert_text)
111
+
112
+ # signature method
113
+ signature_algorithm = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
114
+
115
+ unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
116
+ return soft ? false : (raise Onelogin::Saml::ValidationError.new("Key validation error"))
117
+ end
118
+
119
+ return true
120
+ end
121
+
122
+ private
123
+
124
+ def digests_match?(hash, digest_value)
125
+ hash == digest_value
126
+ end
127
+
128
+ def extract_signed_element_id
129
+ reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
130
+ self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
131
+ end
132
+
133
+ def canon_algorithm(element)
134
+ algorithm = element.attribute('Algorithm').value if element
135
+ case algorithm
136
+ when "http://www.w3.org/2001/10/xml-exc-c14n#" then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
137
+ when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
138
+ when "http://www.w3.org/2006/12/xml-c14n11" then Nokogiri::XML::XML_C14N_1_1
139
+ else Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
140
+ end
141
+ end
142
+
143
+ def algorithm(element)
144
+ algorithm = element.attribute("Algorithm").value if element
145
+ algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
146
+ case algorithm
147
+ when 256 then OpenSSL::Digest::SHA256
148
+ when 384 then OpenSSL::Digest::SHA384
149
+ when 512 then OpenSSL::Digest::SHA512
150
+ else
151
+ OpenSSL::Digest::SHA1
152
+ end
153
+ end
154
+
155
+ def extract_inclusive_namespaces
156
+ if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
157
+ prefix_list = element.attributes.get_attribute("PrefixList").value
158
+ prefix_list.split(" ")
159
+ else
160
+ []
161
+ end
162
+ end
163
+
164
+ end
165
+ end
data/ruby-saml.gemspec ADDED
@@ -0,0 +1,21 @@
1
+ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
2
+
3
+ Gem::Specification.new do |s|
4
+ s.name = 'ruby-saml-federazione-trentina'
5
+ s.version = '0.0.1'
6
+
7
+ s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
8
+ s.authors = ["Fabiano Pavan"]
9
+ s.date = Time.now.strftime("%Y-%m-%d")
10
+ s.description = %q{SAML toolkit for Ruby programs to integrate with federazione PAT trentina }
11
+ s.email = %q{fabiano.pavan@soluzionipa.it}
12
+ s.files = `git ls-files`.split("\n")
13
+ s.homepage = %q{https://github.com/fabianopavan/ruby-saml}
14
+ s.rdoc_options = ["--charset=UTF-8"]
15
+ s.require_paths = ["lib"]
16
+ s.summary = %q{SAML Ruby Tookit}
17
+
18
+ s.add_runtime_dependency("canonix", ["0.1.1"])
19
+ s.add_runtime_dependency("uuid", ["~> 2.3"])
20
+ s.add_runtime_dependency("nokogiri")
21
+ end
@@ -0,0 +1,12 @@
1
+ -----BEGIN CERTIFICATE-----
2
+ MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
3
+ YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
4
+ Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
5
+ DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
6
+ aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
7
+ BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
8
+ AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
9
+ MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
10
+ MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
11
+ AA==
12
+ -----END CERTIFICATE-----
@@ -0,0 +1,98 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RequestTest < Test::Unit::TestCase
4
+
5
+ context "Logoutrequest" do
6
+ settings = Onelogin::Saml::Settings.new
7
+
8
+ should "create the deflated SAMLRequest URL parameter" do
9
+ settings.idp_slo_target_url = "http://unauth.com/logout"
10
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
11
+ assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
12
+
13
+ inflated = decode_saml_request_payload(unauth_url)
14
+
15
+ assert_match /^<samlp:LogoutRequest/, inflated
16
+ end
17
+
18
+ should "support additional params" do
19
+
20
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :hello => nil })
21
+ assert unauth_url =~ /&hello=$/
22
+
23
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
24
+ assert unauth_url =~ /&foo=bar$/
25
+ end
26
+
27
+ should "set sessionindex" do
28
+ settings.idp_slo_target_url = "http://example.com"
29
+ sessionidx = UUID.new.generate
30
+ settings.sessionindex = sessionidx
31
+
32
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
33
+ inflated = decode_saml_request_payload(unauth_url)
34
+
35
+ assert_match /<samlp:SessionIndex/, inflated
36
+ assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
37
+ end
38
+
39
+ should "set name_identifier_value" do
40
+ settings = Onelogin::Saml::Settings.new
41
+ settings.idp_slo_target_url = "http://example.com"
42
+ settings.name_identifier_format = "transient"
43
+ name_identifier_value = "abc123"
44
+ settings.name_identifier_value = name_identifier_value
45
+
46
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
47
+ inflated = decode_saml_request_payload(unauth_url)
48
+
49
+ assert_match /<saml:NameID/, inflated
50
+ assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
51
+ end
52
+
53
+ context "when the target url doesn't contain a query string" do
54
+ should "create the SAMLRequest parameter correctly" do
55
+ settings = Onelogin::Saml::Settings.new
56
+ settings.idp_slo_target_url = "http://example.com"
57
+
58
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
59
+ assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
60
+ end
61
+ end
62
+
63
+ context "when the target url contains a query string" do
64
+ should "create the SAMLRequest parameter correctly" do
65
+ settings = Onelogin::Saml::Settings.new
66
+ settings.idp_slo_target_url = "http://example.com?field=value"
67
+
68
+ unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
69
+ assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
70
+ end
71
+ end
72
+
73
+ context "consumation of logout may need to track the transaction" do
74
+ should "have access to the request uuid" do
75
+ settings = Onelogin::Saml::Settings.new
76
+ settings.idp_slo_target_url = "http://example.com?field=value"
77
+
78
+ unauth_req = Onelogin::Saml::Logoutrequest.new
79
+ unauth_url = unauth_req.create(settings)
80
+
81
+ inflated = decode_saml_request_payload(unauth_url)
82
+ assert_match %r[ID='#{unauth_req.uuid}'], inflated
83
+ end
84
+ end
85
+ end
86
+
87
+ def decode_saml_request_payload(unauth_url)
88
+ payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
89
+ decoded = Base64.decode64(payload)
90
+
91
+ zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
92
+ inflated = zstream.inflate(decoded)
93
+ zstream.finish
94
+ zstream.close
95
+ inflated
96
+ end
97
+
98
+ end
@@ -0,0 +1,53 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RequestTest < Test::Unit::TestCase
4
+
5
+ context "Authrequest" do
6
+ should "create the deflated SAMLRequest URL parameter" do
7
+ settings = Onelogin::Saml::Settings.new
8
+ settings.idp_sso_target_url = "http://example.com"
9
+ auth_url = Onelogin::Saml::Authrequest.new.create(settings)
10
+ assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
11
+ payload = CGI.unescape(auth_url.split("=").last)
12
+ decoded = Base64.decode64(payload)
13
+
14
+ zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
15
+ inflated = zstream.inflate(decoded)
16
+ zstream.finish
17
+ zstream.close
18
+
19
+ assert_match /^<samlp:AuthnRequest/, inflated
20
+ end
21
+
22
+ should "accept extra parameters" do
23
+ settings = Onelogin::Saml::Settings.new
24
+ settings.idp_sso_target_url = "http://example.com"
25
+
26
+ auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
27
+ assert auth_url =~ /&hello=there$/
28
+
29
+ auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
30
+ assert auth_url =~ /&hello=$/
31
+ end
32
+
33
+ context "when the target url doesn't contain a query string" do
34
+ should "create the SAMLRequest parameter correctly" do
35
+ settings = Onelogin::Saml::Settings.new
36
+ settings.idp_sso_target_url = "http://example.com"
37
+
38
+ auth_url = Onelogin::Saml::Authrequest.new.create(settings)
39
+ assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
40
+ end
41
+ end
42
+
43
+ context "when the target url contains a query string" do
44
+ should "create the SAMLRequest parameter correctly" do
45
+ settings = Onelogin::Saml::Settings.new
46
+ settings.idp_sso_target_url = "http://example.com?field=value"
47
+
48
+ auth_url = Onelogin::Saml::Authrequest.new.create(settings)
49
+ assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
50
+ end
51
+ end
52
+ end
53
+ end
@@ -0,0 +1,219 @@
1
+ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
+
3
+ class RubySamlTest < Test::Unit::TestCase
4
+
5
+ context "Response" do
6
+ should "raise an exception when response is initialized with nil" do
7
+ assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
8
+ end
9
+
10
+ should "be able to parse a document which contains ampersands" do
11
+ XMLSecurity::SignedDocument.any_instance.stubs(:digests_match?).returns(true)
12
+ Onelogin::Saml::Response.any_instance.stubs(:validate_conditions).returns(true)
13
+
14
+ response = Onelogin::Saml::Response.new(ampersands_response)
15
+ settings = Onelogin::Saml::Settings.new
16
+ settings.idp_cert_fingerprint = 'c51985d947f1be57082025050846eb27f6cab783'
17
+ response.settings = settings
18
+ response.validate!
19
+ end
20
+
21
+ should "adapt namespace" do
22
+ response = Onelogin::Saml::Response.new(response_document)
23
+ assert !response.name_id.nil?
24
+ response = Onelogin::Saml::Response.new(response_document_2)
25
+ assert !response.name_id.nil?
26
+ response = Onelogin::Saml::Response.new(response_document_3)
27
+ assert !response.name_id.nil?
28
+ end
29
+
30
+ should "default to raw input when a response is not Base64 encoded" do
31
+ decoded = Base64.decode64(response_document_2)
32
+ response = Onelogin::Saml::Response.new(decoded)
33
+ assert response.document
34
+ end
35
+
36
+ context "Assertion" do
37
+ should "only retreive an assertion with an ID that matches the signature's reference URI" do
38
+ response = Onelogin::Saml::Response.new(wrapped_response_2)
39
+ response.stubs(:conditions).returns(nil)
40
+ settings = Onelogin::Saml::Settings.new
41
+ settings.idp_cert_fingerprint = signature_fingerprint_1
42
+ response.settings = settings
43
+ assert response.name_id.nil?
44
+ end
45
+ end
46
+
47
+ context "#validate!" do
48
+ should "raise when encountering a condition that prevents the document from being valid" do
49
+ response = Onelogin::Saml::Response.new(response_document)
50
+ assert_raise(Onelogin::Saml::ValidationError) do
51
+ response.validate!
52
+ end
53
+ end
54
+ end
55
+
56
+ context "#is_valid?" do
57
+ should "return false when response is initialized with blank data" do
58
+ response = Onelogin::Saml::Response.new('')
59
+ assert !response.is_valid?
60
+ end
61
+
62
+ should "return false if settings have not been set" do
63
+ response = Onelogin::Saml::Response.new(response_document)
64
+ assert !response.is_valid?
65
+ end
66
+
67
+ should "return true when the response is initialized with valid data" do
68
+ response = Onelogin::Saml::Response.new(response_document_4)
69
+ response.stubs(:conditions).returns(nil)
70
+ assert !response.is_valid?
71
+ settings = Onelogin::Saml::Settings.new
72
+ assert !response.is_valid?
73
+ response.settings = settings
74
+ assert !response.is_valid?
75
+ settings.idp_cert_fingerprint = signature_fingerprint_1
76
+ assert response.is_valid?
77
+ end
78
+
79
+ should "return true when using certificate instead of fingerprint" do
80
+ response = Onelogin::Saml::Response.new(response_document_4)
81
+ response.stubs(:conditions).returns(nil)
82
+ settings = Onelogin::Saml::Settings.new
83
+ response.settings = settings
84
+ settings.idp_cert = signature_1
85
+ assert response.is_valid?
86
+ end
87
+
88
+ should "not allow signature wrapping attack" do
89
+ response = Onelogin::Saml::Response.new(response_document_4)
90
+ response.stubs(:conditions).returns(nil)
91
+ settings = Onelogin::Saml::Settings.new
92
+ settings.idp_cert_fingerprint = signature_fingerprint_1
93
+ response.settings = settings
94
+ assert response.is_valid?
95
+ assert response.name_id == "test@onelogin.com"
96
+ end
97
+
98
+ should "support dynamic namespace resolution on signature elements" do
99
+ response = Onelogin::Saml::Response.new(fixture("no_signature_ns.xml"))
100
+ response.stubs(:conditions).returns(nil)
101
+ settings = Onelogin::Saml::Settings.new
102
+ response.settings = settings
103
+ settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
104
+ XMLSecurity::SignedDocument.any_instance.expects(:validate_doc).returns(true)
105
+ assert response.validate!
106
+ end
107
+
108
+ should "validate ADFS assertions" do
109
+ response = Onelogin::Saml::Response.new(fixture(:adfs_response_sha256))
110
+ response.stubs(:conditions).returns(nil)
111
+ settings = Onelogin::Saml::Settings.new
112
+ settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
113
+ response.settings = settings
114
+ assert response.validate!
115
+ end
116
+
117
+ should "validate SAML 2.0 XML structure" do
118
+ resp_xml = Base64.decode64(response_document_4).gsub(/emailAddress/,'test')
119
+ response = Onelogin::Saml::Response.new(Base64.encode64(resp_xml))
120
+ response.stubs(:conditions).returns(nil)
121
+ settings = Onelogin::Saml::Settings.new
122
+ settings.idp_cert_fingerprint = signature_fingerprint_1
123
+ response.settings = settings
124
+ assert_raises(Onelogin::Saml::ValidationError, 'Digest mismatch'){ response.validate! }
125
+ end
126
+ end
127
+
128
+ context "#name_id" do
129
+ should "extract the value of the name id element" do
130
+ response = Onelogin::Saml::Response.new(response_document)
131
+ assert_equal "support@onelogin.com", response.name_id
132
+
133
+ response = Onelogin::Saml::Response.new(response_document_3)
134
+ assert_equal "someone@example.com", response.name_id
135
+ end
136
+
137
+ should "be extractable from an OpenSAML response" do
138
+ response = Onelogin::Saml::Response.new(fixture(:open_saml))
139
+ assert_equal "someone@example.org", response.name_id
140
+ end
141
+
142
+ should "be extractable from a Simple SAML PHP response" do
143
+ response = Onelogin::Saml::Response.new(fixture(:simple_saml_php))
144
+ assert_equal "someone@example.com", response.name_id
145
+ end
146
+ end
147
+
148
+ context "#check_conditions" do
149
+ should "check time conditions" do
150
+ response = Onelogin::Saml::Response.new(response_document)
151
+ assert !response.send(:validate_conditions, true)
152
+ response = Onelogin::Saml::Response.new(response_document_6)
153
+ assert response.send(:validate_conditions, true)
154
+ time = Time.parse("2011-06-14T18:25:01.516Z")
155
+ Time.stubs(:now).returns(time)
156
+ response = Onelogin::Saml::Response.new(response_document_5)
157
+ assert response.send(:validate_conditions, true)
158
+ end
159
+ end
160
+
161
+ context "#attributes" do
162
+ should "extract the first attribute in a hash accessed via its symbol" do
163
+ response = Onelogin::Saml::Response.new(response_document)
164
+ assert_equal "demo", response.attributes[:uid]
165
+ end
166
+
167
+ should "extract the first attribute in a hash accessed via its name" do
168
+ response = Onelogin::Saml::Response.new(response_document)
169
+ assert_equal "demo", response.attributes["uid"]
170
+ end
171
+
172
+ should "extract all attributes" do
173
+ response = Onelogin::Saml::Response.new(response_document)
174
+ assert_equal "demo", response.attributes[:uid]
175
+ assert_equal "value", response.attributes[:another_value]
176
+ end
177
+
178
+ should "work for implicit namespaces" do
179
+ response = Onelogin::Saml::Response.new(response_document_3)
180
+ assert_equal "someone@example.com", response.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
181
+ end
182
+
183
+ should "not raise on responses without attributes" do
184
+ response = Onelogin::Saml::Response.new(response_document_4)
185
+ assert_equal Hash.new, response.attributes
186
+ end
187
+ end
188
+
189
+ context "#session_expires_at" do
190
+ should "extract the value of the SessionNotOnOrAfter attribute" do
191
+ response = Onelogin::Saml::Response.new(response_document)
192
+ assert response.session_expires_at.is_a?(Time)
193
+
194
+ response = Onelogin::Saml::Response.new(response_document_2)
195
+ assert response.session_expires_at.nil?
196
+ end
197
+ end
198
+
199
+ context "#issuer" do
200
+ should "return the issuer inside the response assertion" do
201
+ response = Onelogin::Saml::Response.new(response_document)
202
+ assert_equal "https://app.onelogin.com/saml/metadata/13590", response.issuer
203
+ end
204
+
205
+ should "return the issuer inside the response" do
206
+ response = Onelogin::Saml::Response.new(response_document_2)
207
+ assert_equal "wibble", response.issuer
208
+ end
209
+ end
210
+
211
+ context "#success" do
212
+ should "find a status code that says success" do
213
+ response = Onelogin::Saml::Response.new(response_document)
214
+ response.success?
215
+ end
216
+ end
217
+
218
+ end
219
+ end