ruby-saml-mod 0.1.6 → 0.1.7

data/lib/onelogin/saml/response.rb

@@ -5,6 +5,7 @@ module Onelogin::Saml
     attr_reader :name_id, :name_qualifier, :session_index
     attr_reader :status_code, :status_message
     attr_reader :in_response_to, :destination
+    attr_reader :validation_error
     def initialize(response, settings)
       @response = response
       @settings = settings
@@ -28,8 +29,20 @@ module Onelogin::Saml
     
     def is_valid?
       if !@response.blank? && @document.elements["//ds:X509Certificate"]
-        @document.validate(@settings.idp_cert_fingerprint, @logger) unless !@settings.idp_cert_fingerprint
+        if !@settings.idp_cert_fingerprint
+          @validation_error = "No fingerprint configured in SAML settings"
+          false
+        elsif @document.validate(@settings.idp_cert_fingerprint, @logger)
+          true
+        else
+          @validation_error = @document.validation_error
+          false
+        end
+      elsif @response.blank?
+        @validation_error = "No response to validate"
+        false
       else
+        @validation_error = "No ds:X509Certificate element"
         false
       end
     end

data/lib/xml_sec.rb

@@ -34,6 +34,8 @@ require "shellwords"
 module XMLSecurity
 
   class SignedDocument < REXML::Document
+    
+    attr_reader :validation_error
 
     def validate (idp_cert_fingerprint, logger = nil)
       # get cert from response
@@ -44,6 +46,7 @@ module XMLSecurity
       # check cert matches registered idp cert
       fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
       valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+      @validation_error       = "Invalid fingerprint" unless valid_flag
       
       return valid_flag if !valid_flag 
       
@@ -69,6 +72,20 @@ module XMLSecurity
         
         valid_flag            = hash == digest_value 
         
+        if !valid_flag
+          @validation_error   = <<-INFO
+Invalid references digest. 
+Got digest of 
+#{hash} 
+but expected 
+#{digest_value}
+XML from response:
+#{hashed_element}
+Canonized XML:
+#{canon_hashed_element}
+INFO
+        end
+        
         return valid_flag if !valid_flag
       end
  
@@ -85,6 +102,7 @@ module XMLSecurity
       cert                    = OpenSSL::X509::Certificate.new(cert_text)
       
       valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+      @validation_error       = "Invalid public key" unless valid_flag
         
       return valid_flag
     end

data/ruby-saml-mod.gemspec

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml-mod}
-  s.version = "0.1.6"
+  s.version = "0.1.7"
 
   s.authors = ["OneLogin LLC", "Bracken", "Zach"]
-  s.date = %q{2012-01-26}
+  s.date = %q{2012-02-06}
   s.extra_rdoc_files = [
     "LICENSE"
   ]

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version 
-  hash: 23
+  hash: 21
   prerelease: 
   segments: 
   - 0
   - 1
-  - 6
-  version: 0.1.6
+  - 7
+  version: 0.1.7
 platform: ruby
 authors: 
 - OneLogin LLC
@@ -17,7 +17,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-01-26 00:00:00 Z
+date: 2012-02-06 00:00:00 Z
 dependencies: []
 
 description: "This is an early fork from https://github.com/onelogin/ruby-saml - I plan to \"rebase\" these changes ontop of their current version eventually. "