ruby-saml-mod 0.2.7 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/onelogin/saml/logout_request.rb +8 -3
- data/lib/onelogin/saml/response.rb +3 -1
- data/lib/xml_sec.rb +2 -2
- data/spec/logout_request_spec.rb +28 -3
- data/spec/response_spec.rb +19 -2
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 93bfa6aae98096c0f3de5695ba3fac7c0a743fd8
|
|
4
|
+
data.tar.gz: ed79e42522a0a88ea1baebbff261b6234fe7f95e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8db250afccb39f56512ca96846e69c2745c9ee1bc18b9bf6f7f8113fc16a39d87ac47d391fc466e37dd5947ca1773af0c73fd415cce824998803c94269ecac82
|
|
7
|
+
data.tar.gz: dfb5339a232fd2ef26a9a5bb384307fb89271b8a0ebf1d03e8176c62eeaf6d99e2440d41d7dc5ecab3ff9a6e47a123d5c688b270a520324bef49827bbf703ee6
|
|
@@ -4,6 +4,7 @@ module Onelogin::Saml
|
|
|
4
4
|
:session_index,
|
|
5
5
|
:name_qualifier,
|
|
6
6
|
:name_identifier_format
|
|
7
|
+
attr_accessor :sp_name_qualifier
|
|
7
8
|
|
|
8
9
|
def name_id
|
|
9
10
|
@name_id ||= node_content('saml:NameID')
|
|
@@ -21,21 +22,25 @@ module Onelogin::Saml
|
|
|
21
22
|
@session_index ||= node_content('samlp:SessionIndex')
|
|
22
23
|
end
|
|
23
24
|
|
|
24
|
-
def self.generate(name_qualifier, name_id, session_index, settings)
|
|
25
|
+
def self.generate(name_qualifier, sp_name_qualifier, name_id, name_identifier_format, session_index, settings)
|
|
25
26
|
super(settings, {
|
|
26
27
|
destination: settings.idp_slo_target_url,
|
|
27
|
-
name_identifier_format:
|
|
28
|
+
name_identifier_format: name_identifier_format,
|
|
28
29
|
name_id: name_id,
|
|
29
30
|
name_qualifier: name_qualifier,
|
|
31
|
+
sp_name_qualifier: sp_name_qualifier,
|
|
30
32
|
session_index: session_index
|
|
31
33
|
})
|
|
32
34
|
end
|
|
33
35
|
|
|
34
36
|
def generate
|
|
37
|
+
name_qualifier = %{NameQualifier="#{self.name_qualifier}" } if self.name_qualifier
|
|
38
|
+
sp_name_qualifier = %{SPNameQualifier="#{self.sp_name_qualifier}" } if self.sp_name_qualifier
|
|
39
|
+
format = %{Format="#{self.name_identifier_format}" } if self.name_identifier_format
|
|
35
40
|
<<-XML
|
|
36
41
|
<samlp:LogoutRequest xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{CGI.escapeHTML(self.destination)}">
|
|
37
42
|
<saml:Issuer>#{self.issuer}</saml:Issuer>
|
|
38
|
-
<saml:NameID
|
|
43
|
+
<saml:NameID #{name_qualifier}#{sp_name_qualifier}#{format}>#{self.name_id}</saml:NameID>
|
|
39
44
|
<samlp:SessionIndex>#{self.session_index}</samlp:SessionIndex>
|
|
40
45
|
</samlp:LogoutRequest>
|
|
41
46
|
XML
|
|
@@ -3,7 +3,7 @@ module Onelogin::Saml
|
|
|
3
3
|
|
|
4
4
|
attr_accessor :settings
|
|
5
5
|
attr_reader :document, :xml, :response
|
|
6
|
-
attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
|
|
6
|
+
attr_reader :name_id, :name_identifier_format, :name_qualifier, :sp_name_qualifier, :session_index, :saml_attributes
|
|
7
7
|
attr_reader :status_code, :status_message
|
|
8
8
|
attr_reader :in_response_to, :destination, :issuer
|
|
9
9
|
attr_reader :validation_error
|
|
@@ -38,7 +38,9 @@ module Onelogin::Saml
|
|
|
38
38
|
@status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil
|
|
39
39
|
|
|
40
40
|
@name_id = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
|
|
41
|
+
@name_identifier_format = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["Format"] rescue nil
|
|
41
42
|
@name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
|
|
43
|
+
@sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
|
|
42
44
|
@session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
|
|
43
45
|
|
|
44
46
|
@saml_attributes = {}
|
data/lib/xml_sec.rb
CHANGED
|
@@ -357,8 +357,8 @@ module XMLSecurity
|
|
|
357
357
|
# check cert matches registered idp cert, unless we explicitly skip this check
|
|
358
358
|
unless idp_cert_fingerprint == '*'
|
|
359
359
|
fingerprint = Digest::SHA1.hexdigest(cert.to_der)
|
|
360
|
-
|
|
361
|
-
|
|
360
|
+
expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase }
|
|
361
|
+
unless expected_fingerprints.include?(fingerprint)
|
|
362
362
|
@validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
|
|
363
363
|
return false
|
|
364
364
|
end
|
data/spec/logout_request_spec.rb
CHANGED
|
@@ -28,13 +28,17 @@ describe Onelogin::Saml::LogoutRequest do
|
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
let(:name_qualifier) { 'foo' }
|
|
31
|
+
let(:sp_name_qualifier) { 'foo' }
|
|
31
32
|
let(:name_id) { 'bar'}
|
|
33
|
+
let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
|
|
32
34
|
let(:session_index) { 'baz' }
|
|
33
35
|
|
|
34
36
|
let(:logout_request) do
|
|
35
37
|
Onelogin::Saml::LogoutRequest::generate(
|
|
36
38
|
name_qualifier,
|
|
39
|
+
sp_name_qualifier,
|
|
37
40
|
name_id,
|
|
41
|
+
name_identifier_format,
|
|
38
42
|
session_index,
|
|
39
43
|
settings
|
|
40
44
|
)
|
|
@@ -52,13 +56,29 @@ describe Onelogin::Saml::LogoutRequest do
|
|
|
52
56
|
logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)['Format'].should == Onelogin::Saml::NameIdentifiers::UNSPECIFIED
|
|
53
57
|
end
|
|
54
58
|
|
|
59
|
+
it "does not include attribues when they are nil" do
|
|
60
|
+
logout_request = Onelogin::Saml::LogoutRequest::generate(
|
|
61
|
+
nil,
|
|
62
|
+
nil,
|
|
63
|
+
name_id,
|
|
64
|
+
nil,
|
|
65
|
+
session_index,
|
|
66
|
+
settings
|
|
67
|
+
)
|
|
68
|
+
logout_xml = Nokogiri::XML(logout_request.xml)
|
|
69
|
+
name_id_elem = logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)
|
|
70
|
+
name_id_elem['NameQualifier'].should == nil
|
|
71
|
+
name_id_elem['SPNameQualifier'].should == nil
|
|
72
|
+
name_id_elem['NameIdentifierFormat'].should == nil
|
|
73
|
+
end
|
|
74
|
+
|
|
55
75
|
it "does not include the signature in the request xml" do
|
|
56
76
|
logout_xml = Nokogiri::XML(logout_request.xml)
|
|
57
77
|
logout_xml.at_xpath('/samlp:LogoutRequest/ds:Signature', Onelogin::NAMESPACES).should be_nil
|
|
58
78
|
end
|
|
59
79
|
|
|
60
80
|
it "can sign the generated query string" do
|
|
61
|
-
expect(verify_query_string_signature(settings, forward_url)).to
|
|
81
|
+
expect(verify_query_string_signature(settings, forward_url)).to eq true
|
|
62
82
|
end
|
|
63
83
|
|
|
64
84
|
it "properly signs when the IDP URL already contains a query string" do
|
|
@@ -69,9 +89,14 @@ describe Onelogin::Saml::LogoutRequest do
|
|
|
69
89
|
:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
|
|
70
90
|
:name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
|
|
71
91
|
)
|
|
72
|
-
request = Onelogin::Saml::LogoutRequest.generate(name_qualifier,
|
|
92
|
+
request = Onelogin::Saml::LogoutRequest.generate(name_qualifier,
|
|
93
|
+
sp_name_qualifier,
|
|
94
|
+
name_id,
|
|
95
|
+
name_identifier_format,
|
|
96
|
+
session_index,
|
|
97
|
+
settings)
|
|
73
98
|
expect(request.forward_url).to match(%r{^http://idp.example.com/saml2\?existing=param\&existing=param&})
|
|
74
|
-
expect(verify_query_string_signature(settings, request.forward_url)).to
|
|
99
|
+
expect(verify_query_string_signature(settings, request.forward_url)).to eq true
|
|
75
100
|
end
|
|
76
101
|
|
|
77
102
|
it "parses a logout request" do
|
data/spec/response_spec.rb
CHANGED
|
@@ -22,6 +22,12 @@ describe Onelogin::Saml::Response do
|
|
|
22
22
|
@response.status_message.strip.should == ""
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
+
it "support multiple valid certs" do
|
|
26
|
+
@settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
|
|
27
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
28
|
+
@response.should be_is_valid
|
|
29
|
+
end
|
|
30
|
+
|
|
25
31
|
it "should not be able to decrypt without the proper key" do
|
|
26
32
|
@settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
|
|
27
33
|
XMLSecurity.mute do
|
|
@@ -162,7 +168,9 @@ describe Onelogin::Saml::Response do
|
|
|
162
168
|
|
|
163
169
|
describe "forward_urls" do
|
|
164
170
|
let(:name_qualifier) { 'foo' }
|
|
171
|
+
let(:sp_name_qualifier) { 'foo' }
|
|
165
172
|
let(:name_id) { 'bar'}
|
|
173
|
+
let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
|
|
166
174
|
let(:session_index) { 'baz' }
|
|
167
175
|
|
|
168
176
|
it "should should append the saml request to a url" do
|
|
@@ -177,7 +185,11 @@ describe Onelogin::Saml::Response do
|
|
|
177
185
|
prefix = "http://example.com/login.php?SAMLRequest="
|
|
178
186
|
expect(forward_url[0...prefix.size]).to eql(prefix)
|
|
179
187
|
|
|
180
|
-
request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
|
|
188
|
+
request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
|
|
189
|
+
sp_name_qualifier,
|
|
190
|
+
name_id,
|
|
191
|
+
name_identifier_format,
|
|
192
|
+
session_index, settings)
|
|
181
193
|
prefix = "http://example.com/logout.php?SAMLRequest="
|
|
182
194
|
expect(request.forward_url[0...prefix.size]).to eql(prefix)
|
|
183
195
|
end
|
|
@@ -194,7 +206,12 @@ describe Onelogin::Saml::Response do
|
|
|
194
206
|
prefix = "http://example.com/login.php?param=foo&SAMLRequest="
|
|
195
207
|
expect(forward_url[0...prefix.size]).to eql(prefix)
|
|
196
208
|
|
|
197
|
-
request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
|
|
209
|
+
request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
|
|
210
|
+
sp_name_qualifier,
|
|
211
|
+
name_id,
|
|
212
|
+
name_identifier_format,
|
|
213
|
+
session_index,
|
|
214
|
+
settings)
|
|
198
215
|
prefix = "http://example.com/logout.php?param=foo&SAMLRequest="
|
|
199
216
|
expect(request.forward_url[0...prefix.size]).to eql(prefix)
|
|
200
217
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2016-04-28 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: nokogiri
|
|
@@ -132,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
132
132
|
version: '0'
|
|
133
133
|
requirements: []
|
|
134
134
|
rubyforge_project:
|
|
135
|
-
rubygems_version: 2.
|
|
135
|
+
rubygems_version: 2.5.1
|
|
136
136
|
signing_key:
|
|
137
137
|
specification_version: 4
|
|
138
138
|
summary: Ruby library for SAML service providers
|