ruby-saml-mod 0.2.7 → 0.3.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3171e108941b383ace094aa28a8fc377fc2385e1
4
- data.tar.gz: d5d36d364160f8bc2e246fba0a536415a3cac705
3
+ metadata.gz: 93bfa6aae98096c0f3de5695ba3fac7c0a743fd8
4
+ data.tar.gz: ed79e42522a0a88ea1baebbff261b6234fe7f95e
5
5
  SHA512:
6
- metadata.gz: eb0c7c03ea7c9b928e4caf072534a78aa6b2172eabb3f1f0796ad7856e3b7307e336b64e0a88026278ccc00e8fd917fed31c9e874e000366b3d12793c01d1ce2
7
- data.tar.gz: 040ddd5cfa64d0f326a4cb06532bdb0a4936b53be2419ceb1ba3050ed89e1f74fdfd92ed832719c0e78b7a040bab1e95e1bc0dcde1d4bcaf8dab181b16bd1593
6
+ metadata.gz: 8db250afccb39f56512ca96846e69c2745c9ee1bc18b9bf6f7f8113fc16a39d87ac47d391fc466e37dd5947ca1773af0c73fd415cce824998803c94269ecac82
7
+ data.tar.gz: dfb5339a232fd2ef26a9a5bb384307fb89271b8a0ebf1d03e8176c62eeaf6d99e2440d41d7dc5ecab3ff9a6e47a123d5c688b270a520324bef49827bbf703ee6
@@ -4,6 +4,7 @@ module Onelogin::Saml
4
4
  :session_index,
5
5
  :name_qualifier,
6
6
  :name_identifier_format
7
+ attr_accessor :sp_name_qualifier
7
8
 
8
9
  def name_id
9
10
  @name_id ||= node_content('saml:NameID')
@@ -21,21 +22,25 @@ module Onelogin::Saml
21
22
  @session_index ||= node_content('samlp:SessionIndex')
22
23
  end
23
24
 
24
- def self.generate(name_qualifier, name_id, session_index, settings)
25
+ def self.generate(name_qualifier, sp_name_qualifier, name_id, name_identifier_format, session_index, settings)
25
26
  super(settings, {
26
27
  destination: settings.idp_slo_target_url,
27
- name_identifier_format: settings.name_identifier_format,
28
+ name_identifier_format: name_identifier_format,
28
29
  name_id: name_id,
29
30
  name_qualifier: name_qualifier,
31
+ sp_name_qualifier: sp_name_qualifier,
30
32
  session_index: session_index
31
33
  })
32
34
  end
33
35
 
34
36
  def generate
37
+ name_qualifier = %{NameQualifier="#{self.name_qualifier}" } if self.name_qualifier
38
+ sp_name_qualifier = %{SPNameQualifier="#{self.sp_name_qualifier}" } if self.sp_name_qualifier
39
+ format = %{Format="#{self.name_identifier_format}" } if self.name_identifier_format
35
40
  <<-XML
36
41
  <samlp:LogoutRequest xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{CGI.escapeHTML(self.destination)}">
37
42
  <saml:Issuer>#{self.issuer}</saml:Issuer>
38
- <saml:NameID NameQualifier="#{self.name_qualifier}" SPNameQualifier="#{self.issuer}" Format="#{self.name_identifier_format}">#{self.name_id}</saml:NameID>
43
+ <saml:NameID #{name_qualifier}#{sp_name_qualifier}#{format}>#{self.name_id}</saml:NameID>
39
44
  <samlp:SessionIndex>#{self.session_index}</samlp:SessionIndex>
40
45
  </samlp:LogoutRequest>
41
46
  XML
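Review bot: The three new attribute builders (`name_qualifier`, `sp_name_qualifier`, `format`) interpolate values into XML attribute positions with no escaping, while the `Destination` attribute two lines below is wrapped in `CGI.escapeHTML`. The Response hunk in this same commit reads these values out of the IdP's assertion, so a quote character in any of them would break the attribute quoting of the emitted LogoutRequest; `%{NameQualifier="#{CGI.escapeHTML(self.name_qualifier)}" }`, `%{SPNameQualifier="#{CGI.escapeHTML(self.sp_name_qualifier)}" }` and `%{Format="#{CGI.escapeHTML(self.name_identifier_format)}" }` keep the document well-formed for any value. `self.name_id` on the rewritten NameID line has the same shape but predates this change. The `generate` method's closing `end` lies outside the hunk.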
@@ -3,7 +3,7 @@ module Onelogin::Saml
3
3
 
4
4
  attr_accessor :settings
5
5
  attr_reader :document, :xml, :response
6
- attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
6
+ attr_reader :name_id, :name_identifier_format, :name_qualifier, :sp_name_qualifier, :session_index, :saml_attributes
7
7
  attr_reader :status_code, :status_message
8
8
  attr_reader :in_response_to, :destination, :issuer
9
9
  attr_reader :validation_error
@@ -38,7 +38,9 @@ module Onelogin::Saml
38
38
  @status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil
39
39
 
40
40
  @name_id = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
41
+ @name_identifier_format = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["Format"] rescue nil
41
42
  @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
43
+ @sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
42
44
  @session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
43
45
 
44
46
  @saml_attributes = {}
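Review bot: The two added lines repeat the `saml:Assertion/saml:Subject/saml:NameID` lookup that the surrounding `@name_id` and `@name_qualifier` lines already perform, so the same node is now resolved four times and each result is wrapped in its own `rescue nil`, which hides any error other than a missing node. Hoisting the lookup once makes the four assignments read as plain attribute access and confines the rescue to the one call that may fail; the rewrite below also touches the pre-existing `@name_id` line for consistency.
```ruby
name_id_node = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID") rescue nil
@name_id = name_id_node && name_id_node.content
@name_identifier_format = name_id_node && name_id_node["Format"]
@name_qualifier = name_id_node && name_id_node["NameQualifier"]
@sp_name_qualifier = name_id_node && name_id_node["SPNameQualifier"]
# … unchanged: session_index lookup …
```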
data/lib/xml_sec.rb CHANGED
@@ -357,8 +357,8 @@ module XMLSecurity
357
357
  # check cert matches registered idp cert, unless we explicitly skip this check
358
358
  unless idp_cert_fingerprint == '*'
359
359
  fingerprint = Digest::SHA1.hexdigest(cert.to_der)
360
- expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
361
- if fingerprint != expected_fingerprint
360
+ expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase }
361
+ unless expected_fingerprints.include?(fingerprint)
362
362
  @validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
363
363
  return false
364
364
  end
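Review bot: The rename to `expected_fingerprints` leaves the unchanged error line referencing `expected_fingerprint`, which no longer exists, so the mismatch branch now raises `NameError` instead of setting `@validation_error` and returning false. Whether that surfaces as an exception or is swallowed depends on the callers, which are outside this hunk, but either way the intended "invalid fingerprint" outcome is lost. The message should list the accepted values: `@validation_error = "Invalid fingerprint (expected #{expected_fingerprints.join(', ')}, got #{fingerprint})"`. The new spec added in this commit only exercises the matching path, so this is not caught; the enclosing method starts and ends outside the hunk.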
@@ -28,13 +28,17 @@ describe Onelogin::Saml::LogoutRequest do
28
28
  end
29
29
 
30
30
  let(:name_qualifier) { 'foo' }
31
+ let(:sp_name_qualifier) { 'foo' }
31
32
  let(:name_id) { 'bar'}
33
+ let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
32
34
  let(:session_index) { 'baz' }
33
35
 
34
36
  let(:logout_request) do
35
37
  Onelogin::Saml::LogoutRequest::generate(
36
38
  name_qualifier,
39
+ sp_name_qualifier,
37
40
  name_id,
41
+ name_identifier_format,
38
42
  session_index,
39
43
  settings
40
44
  )
@@ -52,13 +56,29 @@ describe Onelogin::Saml::LogoutRequest do
52
56
  logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)['Format'].should == Onelogin::Saml::NameIdentifiers::UNSPECIFIED
53
57
  end
54
58
 
59
+ it "does not include attribues when they are nil" do
60
+ logout_request = Onelogin::Saml::LogoutRequest::generate(
61
+ nil,
62
+ nil,
63
+ name_id,
64
+ nil,
65
+ session_index,
66
+ settings
67
+ )
68
+ logout_xml = Nokogiri::XML(logout_request.xml)
69
+ name_id_elem = logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)
70
+ name_id_elem['NameQualifier'].should == nil
71
+ name_id_elem['SPNameQualifier'].should == nil
72
+ name_id_elem['NameIdentifierFormat'].should == nil
73
+ end
74
+
55
75
  it "does not include the signature in the request xml" do
56
76
  logout_xml = Nokogiri::XML(logout_request.xml)
57
77
  logout_xml.at_xpath('/samlp:LogoutRequest/ds:Signature', Onelogin::NAMESPACES).should be_nil
58
78
  end
59
79
 
60
80
  it "can sign the generated query string" do
61
- expect(verify_query_string_signature(settings, forward_url)).to be_true
81
+ expect(verify_query_string_signature(settings, forward_url)).to eq true
62
82
  end
63
83
 
64
84
  it "properly signs when the IDP URL already contains a query string" do
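Review bot: The third assertion of the new nil-attributes example checks `name_id_elem['NameIdentifierFormat']`, but the attribute the request emits is named `Format`, so this line passes whether or not the format is rendered and does not test what the example describes; it should read `name_id_elem['Format'].should == nil`. The example description also misspells "attributes" (`it "does not include attributes when they are nil" do`).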
@@ -69,9 +89,14 @@ describe Onelogin::Saml::LogoutRequest do
69
89
  :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
70
90
  :name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
71
91
  )
72
- request = Onelogin::Saml::LogoutRequest.generate(name_qualifier, name_id, session_index, settings)
92
+ request = Onelogin::Saml::LogoutRequest.generate(name_qualifier,
93
+ sp_name_qualifier,
94
+ name_id,
95
+ name_identifier_format,
96
+ session_index,
97
+ settings)
73
98
  expect(request.forward_url).to match(%r{^http://idp.example.com/saml2\?existing=param\&existing=param&})
74
- expect(verify_query_string_signature(settings, request.forward_url)).to be_true
99
+ expect(verify_query_string_signature(settings, request.forward_url)).to eq true
75
100
  end
76
101
 
77
102
  it "parses a logout request" do
@@ -22,6 +22,12 @@ describe Onelogin::Saml::Response do
22
22
  @response.status_message.strip.should == ""
23
23
  end
24
24
 
25
+ it "support multiple valid certs" do
26
+ @settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
27
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
28
+ @response.should be_is_valid
29
+ end
30
+
25
31
  it "should not be able to decrypt without the proper key" do
26
32
  @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
27
33
  XMLSecurity.mute do
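Review bot: The new example only covers the case where one entry of the fingerprint list matches, so the rejection path of the list comparison in xml_sec.rb is never run by the suite. A companion example using the non-matching value already present here, `@settings.idp_cert_fingerprint = ['somethingold']`, followed by `@response.should_not be_is_valid` and an assertion that `@response.validation_error` mentions the fingerprint, would exercise that branch and would surface the stale variable reference in its error message.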
@@ -162,7 +168,9 @@ describe Onelogin::Saml::Response do
162
168
 
163
169
  describe "forward_urls" do
164
170
  let(:name_qualifier) { 'foo' }
171
+ let(:sp_name_qualifier) { 'foo' }
165
172
  let(:name_id) { 'bar'}
173
+ let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
166
174
  let(:session_index) { 'baz' }
167
175
 
168
176
  it "should should append the saml request to a url" do
@@ -177,7 +185,11 @@ describe Onelogin::Saml::Response do
177
185
  prefix = "http://example.com/login.php?SAMLRequest="
178
186
  expect(forward_url[0...prefix.size]).to eql(prefix)
179
187
 
180
- request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
188
+ request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
189
+ sp_name_qualifier,
190
+ name_id,
191
+ name_identifier_format,
192
+ session_index, settings)
181
193
  prefix = "http://example.com/logout.php?SAMLRequest="
182
194
  expect(request.forward_url[0...prefix.size]).to eql(prefix)
183
195
  end
@@ -194,7 +206,12 @@ describe Onelogin::Saml::Response do
194
206
  prefix = "http://example.com/login.php?param=foo&SAMLRequest="
195
207
  expect(forward_url[0...prefix.size]).to eql(prefix)
196
208
 
197
- request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
209
+ request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
210
+ sp_name_qualifier,
211
+ name_id,
212
+ name_identifier_format,
213
+ session_index,
214
+ settings)
198
215
  prefix = "http://example.com/logout.php?param=foo&SAMLRequest="
199
216
  expect(request.forward_url[0...prefix.size]).to eql(prefix)
200
217
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml-mod
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.7
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
14
14
  autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
- date: 2015-08-12 00:00:00.000000000 Z
17
+ date: 2016-04-28 00:00:00.000000000 Z
18
18
  dependencies:
19
19
  - !ruby/object:Gem::Dependency
20
20
  name: nokogiri
@@ -132,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
132
132
  version: '0'
133
133
  requirements: []
134
134
  rubyforge_project:
135
- rubygems_version: 2.4.5
135
+ rubygems_version: 2.5.1
136
136
  signing_key:
137
137
  specification_version: 4
138
138
  summary: Ruby library for SAML service providers