ruby-saml-mod 0.2.7 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3171e108941b383ace094aa28a8fc377fc2385e1
4
- data.tar.gz: d5d36d364160f8bc2e246fba0a536415a3cac705
3
+ metadata.gz: 93bfa6aae98096c0f3de5695ba3fac7c0a743fd8
4
+ data.tar.gz: ed79e42522a0a88ea1baebbff261b6234fe7f95e
5
5
  SHA512:
6
- metadata.gz: eb0c7c03ea7c9b928e4caf072534a78aa6b2172eabb3f1f0796ad7856e3b7307e336b64e0a88026278ccc00e8fd917fed31c9e874e000366b3d12793c01d1ce2
7
- data.tar.gz: 040ddd5cfa64d0f326a4cb06532bdb0a4936b53be2419ceb1ba3050ed89e1f74fdfd92ed832719c0e78b7a040bab1e95e1bc0dcde1d4bcaf8dab181b16bd1593
6
+ metadata.gz: 8db250afccb39f56512ca96846e69c2745c9ee1bc18b9bf6f7f8113fc16a39d87ac47d391fc466e37dd5947ca1773af0c73fd415cce824998803c94269ecac82
7
+ data.tar.gz: dfb5339a232fd2ef26a9a5bb384307fb89271b8a0ebf1d03e8176c62eeaf6d99e2440d41d7dc5ecab3ff9a6e47a123d5c688b270a520324bef49827bbf703ee6
@@ -4,6 +4,7 @@ module Onelogin::Saml
4
4
  :session_index,
5
5
  :name_qualifier,
6
6
  :name_identifier_format
7
+ attr_accessor :sp_name_qualifier
7
8
 
8
9
  def name_id
9
10
  @name_id ||= node_content('saml:NameID')
@@ -21,21 +22,25 @@ module Onelogin::Saml
21
22
  @session_index ||= node_content('samlp:SessionIndex')
22
23
  end
23
24
 
24
- def self.generate(name_qualifier, name_id, session_index, settings)
25
+ def self.generate(name_qualifier, sp_name_qualifier, name_id, name_identifier_format, session_index, settings)
25
26
  super(settings, {
26
27
  destination: settings.idp_slo_target_url,
27
- name_identifier_format: settings.name_identifier_format,
28
+ name_identifier_format: name_identifier_format,
28
29
  name_id: name_id,
29
30
  name_qualifier: name_qualifier,
31
+ sp_name_qualifier: sp_name_qualifier,
30
32
  session_index: session_index
31
33
  })
32
34
  end
33
35
 
34
36
  def generate
37
+ name_qualifier = %{NameQualifier="#{self.name_qualifier}" } if self.name_qualifier
38
+ sp_name_qualifier = %{SPNameQualifier="#{self.sp_name_qualifier}" } if self.sp_name_qualifier
39
+ format = %{Format="#{self.name_identifier_format}" } if self.name_identifier_format
35
40
  <<-XML
36
41
  <samlp:LogoutRequest xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{CGI.escapeHTML(self.destination)}">
37
42
  <saml:Issuer>#{self.issuer}</saml:Issuer>
38
- <saml:NameID NameQualifier="#{self.name_qualifier}" SPNameQualifier="#{self.issuer}" Format="#{self.name_identifier_format}">#{self.name_id}</saml:NameID>
43
+ <saml:NameID #{name_qualifier}#{sp_name_qualifier}#{format}>#{self.name_id}</saml:NameID>
39
44
  <samlp:SessionIndex>#{self.session_index}</samlp:SessionIndex>
40
45
  </samlp:LogoutRequest>
41
46
  XML
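Review bot: The three new attribute builders interpolate `self.name_qualifier`, `self.sp_name_qualifier` and `self.name_identifier_format` into XML attribute values without escaping, whereas `Destination` on the element two lines above is wrapped in `CGI.escapeHTML`. Before this change `Format` came from `settings`; now all three are `generate` arguments, and the companion response.rb hunk reads NameQualifier, SPNameQualifier and Format off the parsed IdP assertion, so a `"`, `<` or `&` in those values would malform or alter the emitted LogoutRequest. Escape each one, e.g. `name_qualifier = %{NameQualifier="#{CGI.escapeHTML(self.name_qualifier)}" } if self.name_qualifier`, and the same for `sp_name_qualifier` and `format`. The `#{self.name_id}` and `#{self.session_index}` interpolations on the neighbouring context lines have the same gap but predate this change. The `generate` method's closing `end` lies outside the hunk.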
@@ -3,7 +3,7 @@ module Onelogin::Saml
3
3
 
4
4
  attr_accessor :settings
5
5
  attr_reader :document, :xml, :response
6
- attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
6
+ attr_reader :name_id, :name_identifier_format, :name_qualifier, :sp_name_qualifier, :session_index, :saml_attributes
7
7
  attr_reader :status_code, :status_message
8
8
  attr_reader :in_response_to, :destination, :issuer
9
9
  attr_reader :validation_error
@@ -38,7 +38,9 @@ module Onelogin::Saml
38
38
  @status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil
39
39
 
40
40
  @name_id = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
41
+ @name_identifier_format = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["Format"] rescue nil
41
42
  @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
43
+ @sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
42
44
  @session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
43
45
 
44
46
  @saml_attributes = {}
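Review bot: The new `@name_identifier_format` and `@sp_name_qualifier` lines each repeat the `trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")` lookup already performed by the surrounding `@name_id` and `@name_qualifier` lines, so the same XPath is now evaluated four times with four separate `rescue nil` modifiers. Hoisting it once, `name_id_node = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")`, and reading `name_id_node["Format"]` / `name_id_node["SPNameQualifier"]` from it keeps the four extractions in step if the path changes and makes the single point of trust (the signed assertion) explicit. The enclosing method starts and ends outside the hunk.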
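--- a/data/lib/xml_sec.rb
+++ b/data/lib/xml_sec.rb
@@ -357,8 +357,8 @@ module XMLSecurity
  # check cert matches registered idp cert, unless we explicitly skip this check
  unless idp_cert_fingerprint == '*'
  fingerprint = Digest::SHA1.hexdigest(cert.to_der)
- expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
- if fingerprint != expected_fingerprint
+ expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase }
+ unless expected_fingerprints.include?(fingerprint)
  @validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
  return false
  end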
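Review bot: The `@validation_error` line directly after the new `unless` still interpolates `expected_fingerprint`, a local this hunk removes, so on a fingerprint mismatch the method raises NameError instead of recording the error and returning false. Change it to `@validation_error = "Invalid fingerprint (expected one of #{expected_fingerprints.join(', ')}, got #{fingerprint})"`. Note also that the `'*'` skip on the `unless` line still compares the raw setting, so a list that contains `'*'` is matched element-wise and does not disable the check; a comment such as `# an Array setting is matched element-wise; the '*' skip applies only to the scalar form` would make that intentional. The enclosing method starts and ends outside the hunk.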
@@ -28,13 +28,17 @@ describe Onelogin::Saml::LogoutRequest do
28
28
  end
29
29
 
30
30
  let(:name_qualifier) { 'foo' }
31
+ let(:sp_name_qualifier) { 'foo' }
31
32
  let(:name_id) { 'bar'}
33
+ let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
32
34
  let(:session_index) { 'baz' }
33
35
 
34
36
  let(:logout_request) do
35
37
  Onelogin::Saml::LogoutRequest::generate(
36
38
  name_qualifier,
39
+ sp_name_qualifier,
37
40
  name_id,
41
+ name_identifier_format,
38
42
  session_index,
39
43
  settings
40
44
  )
@@ -52,13 +56,29 @@ describe Onelogin::Saml::LogoutRequest do
52
56
  logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)['Format'].should == Onelogin::Saml::NameIdentifiers::UNSPECIFIED
53
57
  end
54
58
 
59
+ it "does not include attribues when they are nil" do
60
+ logout_request = Onelogin::Saml::LogoutRequest::generate(
61
+ nil,
62
+ nil,
63
+ name_id,
64
+ nil,
65
+ session_index,
66
+ settings
67
+ )
68
+ logout_xml = Nokogiri::XML(logout_request.xml)
69
+ name_id_elem = logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)
70
+ name_id_elem['NameQualifier'].should == nil
71
+ name_id_elem['SPNameQualifier'].should == nil
72
+ name_id_elem['NameIdentifierFormat'].should == nil
73
+ end
74
+
55
75
  it "does not include the signature in the request xml" do
56
76
  logout_xml = Nokogiri::XML(logout_request.xml)
57
77
  logout_xml.at_xpath('/samlp:LogoutRequest/ds:Signature', Onelogin::NAMESPACES).should be_nil
58
78
  end
59
79
 
60
80
  it "can sign the generated query string" do
61
- expect(verify_query_string_signature(settings, forward_url)).to be_true
81
+ expect(verify_query_string_signature(settings, forward_url)).to eq true
62
82
  end
63
83
 
64
84
  it "properly signs when the IDP URL already contains a query string" do
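Review bot: The last assertion of the new example reads `name_id_elem['NameIdentifierFormat']`, but the attribute the library emits is `Format` (see the `Format="…"` builder in logout_request.rb and the existing `['Format']` assertion a few lines above this hunk), so that check is vacuously nil and would not detect a Format attribute being emitted for a nil value. Change it to `name_id_elem['Format'].should == nil`. The example title also has a typo: `it "does not include attributes when they are nil" do`.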
@@ -69,9 +89,14 @@ describe Onelogin::Saml::LogoutRequest do
69
89
  :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
70
90
  :name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
71
91
  )
72
- request = Onelogin::Saml::LogoutRequest.generate(name_qualifier, name_id, session_index, settings)
92
+ request = Onelogin::Saml::LogoutRequest.generate(name_qualifier,
93
+ sp_name_qualifier,
94
+ name_id,
95
+ name_identifier_format,
96
+ session_index,
97
+ settings)
73
98
  expect(request.forward_url).to match(%r{^http://idp.example.com/saml2\?existing=param\&existing=param&})
74
- expect(verify_query_string_signature(settings, request.forward_url)).to be_true
99
+ expect(verify_query_string_signature(settings, request.forward_url)).to eq true
75
100
  end
76
101
 
77
102
  it "parses a logout request" do
@@ -22,6 +22,12 @@ describe Onelogin::Saml::Response do
22
22
  @response.status_message.strip.should == ""
23
23
  end
24
24
 
25
+ it "support multiple valid certs" do
26
+ @settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
27
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
28
+ @response.should be_is_valid
29
+ end
30
+
25
31
  it "should not be able to decrypt without the proper key" do
26
32
  @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
27
33
  XMLSecurity.mute do
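Review bot: The new "support multiple valid certs" example only exercises the path where the fingerprint list contains the live fingerprint; nothing covers a list that does not match, which is the branch in xml_sec.rb that builds the `@validation_error` message (and where that message still references the removed `expected_fingerprint` local). A sibling example that assigns a constructed non-matching list, e.g. `@settings.idp_cert_fingerprint = ['somethingold', 'alsowrong']`, builds the response and asserts `@response.should_not be_is_valid` would pin the fail-closed behaviour. The title should read `it "supports multiple valid certs" do`.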
@@ -162,7 +168,9 @@ describe Onelogin::Saml::Response do
162
168
 
163
169
  describe "forward_urls" do
164
170
  let(:name_qualifier) { 'foo' }
171
+ let(:sp_name_qualifier) { 'foo' }
165
172
  let(:name_id) { 'bar'}
173
+ let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
166
174
  let(:session_index) { 'baz' }
167
175
 
168
176
  it "should should append the saml request to a url" do
@@ -177,7 +185,11 @@ describe Onelogin::Saml::Response do
177
185
  prefix = "http://example.com/login.php?SAMLRequest="
178
186
  expect(forward_url[0...prefix.size]).to eql(prefix)
179
187
 
180
- request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
188
+ request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
189
+ sp_name_qualifier,
190
+ name_id,
191
+ name_identifier_format,
192
+ session_index, settings)
181
193
  prefix = "http://example.com/logout.php?SAMLRequest="
182
194
  expect(request.forward_url[0...prefix.size]).to eql(prefix)
183
195
  end
@@ -194,7 +206,12 @@ describe Onelogin::Saml::Response do
194
206
  prefix = "http://example.com/login.php?param=foo&SAMLRequest="
195
207
  expect(forward_url[0...prefix.size]).to eql(prefix)
196
208
 
197
- request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
209
+ request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
210
+ sp_name_qualifier,
211
+ name_id,
212
+ name_identifier_format,
213
+ session_index,
214
+ settings)
198
215
  prefix = "http://example.com/logout.php?param=foo&SAMLRequest="
199
216
  expect(request.forward_url[0...prefix.size]).to eql(prefix)
200
217
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml-mod
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.7
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
14
14
  autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
- date: 2015-08-12 00:00:00.000000000 Z
17
+ date: 2016-04-28 00:00:00.000000000 Z
18
18
  dependencies:
19
19
  - !ruby/object:Gem::Dependency
20
20
  name: nokogiri
@@ -132,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
132
132
  version: '0'
133
133
  requirements: []
134
134
  rubyforge_project:
135
- rubygems_version: 2.4.5
135
+ rubygems_version: 2.5.1
136
136
  signing_key:
137
137
  specification_version: 4
138
138
  summary: Ruby library for SAML service providers