ruby-saml-nechotech 0.7.21
Sign up to get free protection for your applications and to get access to all the features.
- data/.document +5 -0
- data/.gitignore +11 -0
- data/.travis.yml +5 -0
- data/Gemfile +13 -0
- data/LICENSE +19 -0
- data/README.md +128 -0
- data/Rakefile +41 -0
- data/lib/onelogin/ruby-saml/authrequest.rb +84 -0
- data/lib/onelogin/ruby-saml/logging.rb +26 -0
- data/lib/onelogin/ruby-saml/logoutrequest.rb +82 -0
- data/lib/onelogin/ruby-saml/logoutresponse.rb +154 -0
- data/lib/onelogin/ruby-saml/metadata.rb +66 -0
- data/lib/onelogin/ruby-saml/response.rb +186 -0
- data/lib/onelogin/ruby-saml/settings.rb +27 -0
- data/lib/onelogin/ruby-saml/validation_error.rb +7 -0
- data/lib/onelogin/ruby-saml/version.rb +5 -0
- data/lib/ruby-saml.rb +9 -0
- data/lib/schemas/saml20assertion_schema.xsd +283 -0
- data/lib/schemas/saml20protocol_schema.xsd +302 -0
- data/lib/schemas/xenc_schema.xsd +146 -0
- data/lib/schemas/xmldsig_schema.xsd +318 -0
- data/lib/xml_security.rb +169 -0
- data/ruby-saml-nechotech.gemspec +29 -0
- data/test/certificates/certificate1 +12 -0
- data/test/certificates/r1_certificate2_base64 +1 -0
- data/test/logoutrequest_test.rb +111 -0
- data/test/logoutresponse_test.rb +116 -0
- data/test/request_test.rb +97 -0
- data/test/response_test.rb +247 -0
- data/test/responses/adfs_response_sha1.xml +46 -0
- data/test/responses/adfs_response_sha256.xml +46 -0
- data/test/responses/adfs_response_sha384.xml +46 -0
- data/test/responses/adfs_response_sha512.xml +46 -0
- data/test/responses/logoutresponse_fixtures.rb +67 -0
- data/test/responses/no_signature_ns.xml +48 -0
- data/test/responses/open_saml_response.xml +56 -0
- data/test/responses/r1_response6.xml.base64 +1 -0
- data/test/responses/response1.xml.base64 +1 -0
- data/test/responses/response2.xml.base64 +79 -0
- data/test/responses/response3.xml.base64 +66 -0
- data/test/responses/response4.xml.base64 +93 -0
- data/test/responses/response5.xml.base64 +102 -0
- data/test/responses/response_with_ampersands.xml +139 -0
- data/test/responses/response_with_ampersands.xml.base64 +93 -0
- data/test/responses/simple_saml_php.xml +71 -0
- data/test/responses/starfield_response.xml.base64 +1 -0
- data/test/responses/wrapped_response_2.xml.base64 +150 -0
- data/test/settings_test.rb +46 -0
- data/test/test_helper.rb +75 -0
- data/test/xml_security_test.rb +160 -0
- metadata +189 -0
@@ -0,0 +1,318 @@
|
|
1
|
+
<?xml version="1.0" encoding="utf-8"?>
|
2
|
+
<!DOCTYPE schema
|
3
|
+
PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
|
4
|
+
[
|
5
|
+
<!ATTLIST schema
|
6
|
+
xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
|
7
|
+
<!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
|
8
|
+
<!ENTITY % p ''>
|
9
|
+
<!ENTITY % s ''>
|
10
|
+
]>
|
11
|
+
|
12
|
+
<!-- Schema for XML Signatures
|
13
|
+
http://www.w3.org/2000/09/xmldsig#
|
14
|
+
$Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
|
15
|
+
|
16
|
+
Copyright 2001 The Internet Society and W3C (Massachusetts Institute
|
17
|
+
of Technology, Institut National de Recherche en Informatique et en
|
18
|
+
Automatique, Keio University). All Rights Reserved.
|
19
|
+
http://www.w3.org/Consortium/Legal/
|
20
|
+
|
21
|
+
This document is governed by the W3C Software License [1] as described
|
22
|
+
in the FAQ [2].
|
23
|
+
|
24
|
+
[1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
|
25
|
+
[2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
|
26
|
+
-->
|
27
|
+
|
28
|
+
|
29
|
+
<schema xmlns="http://www.w3.org/2001/XMLSchema"
|
30
|
+
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
|
31
|
+
targetNamespace="http://www.w3.org/2000/09/xmldsig#"
|
32
|
+
version="0.1" elementFormDefault="qualified">
|
33
|
+
|
34
|
+
<!-- Basic Types Defined for Signatures -->
|
35
|
+
|
36
|
+
<simpleType name="CryptoBinary">
|
37
|
+
<restriction base="base64Binary">
|
38
|
+
</restriction>
|
39
|
+
</simpleType>
|
40
|
+
|
41
|
+
<!-- Start Signature -->
|
42
|
+
|
43
|
+
<element name="Signature" type="ds:SignatureType"/>
|
44
|
+
<complexType name="SignatureType">
|
45
|
+
<sequence>
|
46
|
+
<element ref="ds:SignedInfo"/>
|
47
|
+
<element ref="ds:SignatureValue"/>
|
48
|
+
<element ref="ds:KeyInfo" minOccurs="0"/>
|
49
|
+
<element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
|
50
|
+
</sequence>
|
51
|
+
<attribute name="Id" type="ID" use="optional"/>
|
52
|
+
</complexType>
|
53
|
+
|
54
|
+
<element name="SignatureValue" type="ds:SignatureValueType"/>
|
55
|
+
<complexType name="SignatureValueType">
|
56
|
+
<simpleContent>
|
57
|
+
<extension base="base64Binary">
|
58
|
+
<attribute name="Id" type="ID" use="optional"/>
|
59
|
+
</extension>
|
60
|
+
</simpleContent>
|
61
|
+
</complexType>
|
62
|
+
|
63
|
+
<!-- Start SignedInfo -->
|
64
|
+
|
65
|
+
<element name="SignedInfo" type="ds:SignedInfoType"/>
|
66
|
+
<complexType name="SignedInfoType">
|
67
|
+
<sequence>
|
68
|
+
<element ref="ds:CanonicalizationMethod"/>
|
69
|
+
<element ref="ds:SignatureMethod"/>
|
70
|
+
<element ref="ds:Reference" maxOccurs="unbounded"/>
|
71
|
+
</sequence>
|
72
|
+
<attribute name="Id" type="ID" use="optional"/>
|
73
|
+
</complexType>
|
74
|
+
|
75
|
+
<element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
|
76
|
+
<complexType name="CanonicalizationMethodType" mixed="true">
|
77
|
+
<sequence>
|
78
|
+
<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
|
79
|
+
<!-- (0,unbounded) elements from (1,1) namespace -->
|
80
|
+
</sequence>
|
81
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
82
|
+
</complexType>
|
83
|
+
|
84
|
+
<element name="SignatureMethod" type="ds:SignatureMethodType"/>
|
85
|
+
<complexType name="SignatureMethodType" mixed="true">
|
86
|
+
<sequence>
|
87
|
+
<element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
|
88
|
+
<any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
|
89
|
+
<!-- (0,unbounded) elements from (1,1) external namespace -->
|
90
|
+
</sequence>
|
91
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
92
|
+
</complexType>
|
93
|
+
|
94
|
+
<!-- Start Reference -->
|
95
|
+
|
96
|
+
<element name="Reference" type="ds:ReferenceType"/>
|
97
|
+
<complexType name="ReferenceType">
|
98
|
+
<sequence>
|
99
|
+
<element ref="ds:Transforms" minOccurs="0"/>
|
100
|
+
<element ref="ds:DigestMethod"/>
|
101
|
+
<element ref="ds:DigestValue"/>
|
102
|
+
</sequence>
|
103
|
+
<attribute name="Id" type="ID" use="optional"/>
|
104
|
+
<attribute name="URI" type="anyURI" use="optional"/>
|
105
|
+
<attribute name="Type" type="anyURI" use="optional"/>
|
106
|
+
</complexType>
|
107
|
+
|
108
|
+
<element name="Transforms" type="ds:TransformsType"/>
|
109
|
+
<complexType name="TransformsType">
|
110
|
+
<sequence>
|
111
|
+
<element ref="ds:Transform" maxOccurs="unbounded"/>
|
112
|
+
</sequence>
|
113
|
+
</complexType>
|
114
|
+
|
115
|
+
<element name="Transform" type="ds:TransformType"/>
|
116
|
+
<complexType name="TransformType" mixed="true">
|
117
|
+
<choice minOccurs="0" maxOccurs="unbounded">
|
118
|
+
<any namespace="##other" processContents="lax"/>
|
119
|
+
<!-- (1,1) elements from (0,unbounded) namespaces -->
|
120
|
+
<element name="XPath" type="string"/>
|
121
|
+
</choice>
|
122
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
123
|
+
</complexType>
|
124
|
+
|
125
|
+
<!-- End Reference -->
|
126
|
+
|
127
|
+
<element name="DigestMethod" type="ds:DigestMethodType"/>
|
128
|
+
<complexType name="DigestMethodType" mixed="true">
|
129
|
+
<sequence>
|
130
|
+
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
|
131
|
+
</sequence>
|
132
|
+
<attribute name="Algorithm" type="anyURI" use="required"/>
|
133
|
+
</complexType>
|
134
|
+
|
135
|
+
<element name="DigestValue" type="ds:DigestValueType"/>
|
136
|
+
<simpleType name="DigestValueType">
|
137
|
+
<restriction base="base64Binary"/>
|
138
|
+
</simpleType>
|
139
|
+
|
140
|
+
<!-- End SignedInfo -->
|
141
|
+
|
142
|
+
<!-- Start KeyInfo -->
|
143
|
+
|
144
|
+
<element name="KeyInfo" type="ds:KeyInfoType"/>
|
145
|
+
<complexType name="KeyInfoType" mixed="true">
|
146
|
+
<choice maxOccurs="unbounded">
|
147
|
+
<element ref="ds:KeyName"/>
|
148
|
+
<element ref="ds:KeyValue"/>
|
149
|
+
<element ref="ds:RetrievalMethod"/>
|
150
|
+
<element ref="ds:X509Data"/>
|
151
|
+
<element ref="ds:PGPData"/>
|
152
|
+
<element ref="ds:SPKIData"/>
|
153
|
+
<element ref="ds:MgmtData"/>
|
154
|
+
<any processContents="lax" namespace="##other"/>
|
155
|
+
<!-- (1,1) elements from (0,unbounded) namespaces -->
|
156
|
+
</choice>
|
157
|
+
<attribute name="Id" type="ID" use="optional"/>
|
158
|
+
</complexType>
|
159
|
+
|
160
|
+
<element name="KeyName" type="string"/>
|
161
|
+
<element name="MgmtData" type="string"/>
|
162
|
+
|
163
|
+
<element name="KeyValue" type="ds:KeyValueType"/>
|
164
|
+
<complexType name="KeyValueType" mixed="true">
|
165
|
+
<choice>
|
166
|
+
<element ref="ds:DSAKeyValue"/>
|
167
|
+
<element ref="ds:RSAKeyValue"/>
|
168
|
+
<any namespace="##other" processContents="lax"/>
|
169
|
+
</choice>
|
170
|
+
</complexType>
|
171
|
+
|
172
|
+
<element name="RetrievalMethod" type="ds:RetrievalMethodType"/>
|
173
|
+
<complexType name="RetrievalMethodType">
|
174
|
+
<sequence>
|
175
|
+
<element ref="ds:Transforms" minOccurs="0"/>
|
176
|
+
</sequence>
|
177
|
+
<attribute name="URI" type="anyURI"/>
|
178
|
+
<attribute name="Type" type="anyURI" use="optional"/>
|
179
|
+
</complexType>
|
180
|
+
|
181
|
+
<!-- Start X509Data -->
|
182
|
+
|
183
|
+
<element name="X509Data" type="ds:X509DataType"/>
|
184
|
+
<complexType name="X509DataType">
|
185
|
+
<sequence maxOccurs="unbounded">
|
186
|
+
<choice>
|
187
|
+
<element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
|
188
|
+
<element name="X509SKI" type="base64Binary"/>
|
189
|
+
<element name="X509SubjectName" type="string"/>
|
190
|
+
<element name="X509Certificate" type="base64Binary"/>
|
191
|
+
<element name="X509CRL" type="base64Binary"/>
|
192
|
+
<any namespace="##other" processContents="lax"/>
|
193
|
+
</choice>
|
194
|
+
</sequence>
|
195
|
+
</complexType>
|
196
|
+
|
197
|
+
<complexType name="X509IssuerSerialType">
|
198
|
+
<sequence>
|
199
|
+
<element name="X509IssuerName" type="string"/>
|
200
|
+
<element name="X509SerialNumber" type="integer"/>
|
201
|
+
</sequence>
|
202
|
+
</complexType>
|
203
|
+
|
204
|
+
<!-- End X509Data -->
|
205
|
+
|
206
|
+
<!-- Begin PGPData -->
|
207
|
+
|
208
|
+
<element name="PGPData" type="ds:PGPDataType"/>
|
209
|
+
<complexType name="PGPDataType">
|
210
|
+
<choice>
|
211
|
+
<sequence>
|
212
|
+
<element name="PGPKeyID" type="base64Binary"/>
|
213
|
+
<element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/>
|
214
|
+
<any namespace="##other" processContents="lax" minOccurs="0"
|
215
|
+
maxOccurs="unbounded"/>
|
216
|
+
</sequence>
|
217
|
+
<sequence>
|
218
|
+
<element name="PGPKeyPacket" type="base64Binary"/>
|
219
|
+
<any namespace="##other" processContents="lax" minOccurs="0"
|
220
|
+
maxOccurs="unbounded"/>
|
221
|
+
</sequence>
|
222
|
+
</choice>
|
223
|
+
</complexType>
|
224
|
+
|
225
|
+
<!-- End PGPData -->
|
226
|
+
|
227
|
+
<!-- Begin SPKIData -->
|
228
|
+
|
229
|
+
<element name="SPKIData" type="ds:SPKIDataType"/>
|
230
|
+
<complexType name="SPKIDataType">
|
231
|
+
<sequence maxOccurs="unbounded">
|
232
|
+
<element name="SPKISexp" type="base64Binary"/>
|
233
|
+
<any namespace="##other" processContents="lax" minOccurs="0"/>
|
234
|
+
</sequence>
|
235
|
+
</complexType>
|
236
|
+
|
237
|
+
<!-- End SPKIData -->
|
238
|
+
|
239
|
+
<!-- End KeyInfo -->
|
240
|
+
|
241
|
+
<!-- Start Object (Manifest, SignatureProperty) -->
|
242
|
+
|
243
|
+
<element name="Object" type="ds:ObjectType"/>
|
244
|
+
<complexType name="ObjectType" mixed="true">
|
245
|
+
<sequence minOccurs="0" maxOccurs="unbounded">
|
246
|
+
<any namespace="##any" processContents="lax"/>
|
247
|
+
</sequence>
|
248
|
+
<attribute name="Id" type="ID" use="optional"/>
|
249
|
+
<attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
|
250
|
+
<attribute name="Encoding" type="anyURI" use="optional"/>
|
251
|
+
</complexType>
|
252
|
+
|
253
|
+
<element name="Manifest" type="ds:ManifestType"/>
|
254
|
+
<complexType name="ManifestType">
|
255
|
+
<sequence>
|
256
|
+
<element ref="ds:Reference" maxOccurs="unbounded"/>
|
257
|
+
</sequence>
|
258
|
+
<attribute name="Id" type="ID" use="optional"/>
|
259
|
+
</complexType>
|
260
|
+
|
261
|
+
<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
|
262
|
+
<complexType name="SignaturePropertiesType">
|
263
|
+
<sequence>
|
264
|
+
<element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
|
265
|
+
</sequence>
|
266
|
+
<attribute name="Id" type="ID" use="optional"/>
|
267
|
+
</complexType>
|
268
|
+
|
269
|
+
<element name="SignatureProperty" type="ds:SignaturePropertyType"/>
|
270
|
+
<complexType name="SignaturePropertyType" mixed="true">
|
271
|
+
<choice maxOccurs="unbounded">
|
272
|
+
<any namespace="##other" processContents="lax"/>
|
273
|
+
<!-- (1,1) elements from (1,unbounded) namespaces -->
|
274
|
+
</choice>
|
275
|
+
<attribute name="Target" type="anyURI" use="required"/>
|
276
|
+
<attribute name="Id" type="ID" use="optional"/>
|
277
|
+
</complexType>
|
278
|
+
|
279
|
+
<!-- End Object (Manifest, SignatureProperty) -->
|
280
|
+
|
281
|
+
<!-- Start Algorithm Parameters -->
|
282
|
+
|
283
|
+
<simpleType name="HMACOutputLengthType">
|
284
|
+
<restriction base="integer"/>
|
285
|
+
</simpleType>
|
286
|
+
|
287
|
+
<!-- Start KeyValue Element-types -->
|
288
|
+
|
289
|
+
<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
|
290
|
+
<complexType name="DSAKeyValueType">
|
291
|
+
<sequence>
|
292
|
+
<sequence minOccurs="0">
|
293
|
+
<element name="P" type="ds:CryptoBinary"/>
|
294
|
+
<element name="Q" type="ds:CryptoBinary"/>
|
295
|
+
</sequence>
|
296
|
+
<element name="G" type="ds:CryptoBinary" minOccurs="0"/>
|
297
|
+
<element name="Y" type="ds:CryptoBinary"/>
|
298
|
+
<element name="J" type="ds:CryptoBinary" minOccurs="0"/>
|
299
|
+
<sequence minOccurs="0">
|
300
|
+
<element name="Seed" type="ds:CryptoBinary"/>
|
301
|
+
<element name="PgenCounter" type="ds:CryptoBinary"/>
|
302
|
+
</sequence>
|
303
|
+
</sequence>
|
304
|
+
</complexType>
|
305
|
+
|
306
|
+
<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
|
307
|
+
<complexType name="RSAKeyValueType">
|
308
|
+
<sequence>
|
309
|
+
<element name="Modulus" type="ds:CryptoBinary"/>
|
310
|
+
<element name="Exponent" type="ds:CryptoBinary"/>
|
311
|
+
</sequence>
|
312
|
+
</complexType>
|
313
|
+
|
314
|
+
<!-- End KeyValue Element-types -->
|
315
|
+
|
316
|
+
<!-- End Signature -->
|
317
|
+
|
318
|
+
</schema>
|
data/lib/xml_security.rb
ADDED
@@ -0,0 +1,169 @@
|
|
1
|
+
# The contents of this file are subject to the terms
|
2
|
+
# of the Common Development and Distribution License
|
3
|
+
# (the License). You may not use this file except in
|
4
|
+
# compliance with the License.
|
5
|
+
#
|
6
|
+
# You can obtain a copy of the License at
|
7
|
+
# https://opensso.dev.java.net/public/CDDLv1.0.html or
|
8
|
+
# opensso/legal/CDDLv1.0.txt
|
9
|
+
# See the License for the specific language governing
|
10
|
+
# permission and limitations under the License.
|
11
|
+
#
|
12
|
+
# When distributing Covered Code, include this CDDL
|
13
|
+
# Header Notice in each file and include the License file
|
14
|
+
# at opensso/legal/CDDLv1.0.txt.
|
15
|
+
# If applicable, add the following below the CDDL Header,
|
16
|
+
# with the fields enclosed by brackets [] replaced by
|
17
|
+
# your own identifying information:
|
18
|
+
# "Portions Copyrighted [year] [name of copyright owner]"
|
19
|
+
#
|
20
|
+
# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
|
21
|
+
#
|
22
|
+
# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
|
23
|
+
# Portions Copyrighted 2007 Todd W Saxton.
|
24
|
+
|
25
|
+
require 'rubygems'
|
26
|
+
require "rexml/document"
|
27
|
+
require "rexml/xpath"
|
28
|
+
require "openssl"
|
29
|
+
require 'nokogiri'
|
30
|
+
require "digest/sha1"
|
31
|
+
require "digest/sha2"
|
32
|
+
require "onelogin/ruby-saml/validation_error"
|
33
|
+
|
34
|
+
module XMLSecurity
|
35
|
+
|
36
|
+
class SignedDocument < REXML::Document
|
37
|
+
C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
|
38
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#"
|
39
|
+
|
40
|
+
attr_accessor :signed_element_id
|
41
|
+
|
42
|
+
def initialize(response)
|
43
|
+
super(response)
|
44
|
+
extract_signed_element_id
|
45
|
+
end
|
46
|
+
|
47
|
+
def validate(idp_cert_fingerprint, soft = true)
|
48
|
+
# get cert from response
|
49
|
+
cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
|
50
|
+
raise Onelogin::Saml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
|
51
|
+
base64_cert = cert_element.text
|
52
|
+
cert_text = Base64.decode64(base64_cert)
|
53
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
54
|
+
|
55
|
+
# check cert matches registered idp cert
|
56
|
+
fingerprint = Digest::SHA1.hexdigest(cert.to_der)
|
57
|
+
|
58
|
+
if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
|
59
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Fingerprint mismatch"))
|
60
|
+
end
|
61
|
+
|
62
|
+
validate_doc(base64_cert, soft)
|
63
|
+
end
|
64
|
+
|
65
|
+
def validate_doc(base64_cert, soft = true)
|
66
|
+
# validate references
|
67
|
+
|
68
|
+
# check for inclusive namespaces
|
69
|
+
inclusive_namespaces = extract_inclusive_namespaces
|
70
|
+
|
71
|
+
document = Nokogiri.parse(self.to_s)
|
72
|
+
|
73
|
+
# create a working copy so we don't modify the original
|
74
|
+
@working_copy ||= REXML::Document.new(self.to_s).root
|
75
|
+
|
76
|
+
# store and remove signature node
|
77
|
+
@sig_element ||= begin
|
78
|
+
element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
|
79
|
+
element.remove
|
80
|
+
end
|
81
|
+
|
82
|
+
|
83
|
+
# verify signature
|
84
|
+
signed_info_element = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
|
85
|
+
noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
|
86
|
+
noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
|
87
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
|
88
|
+
canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
|
89
|
+
noko_sig_element.remove
|
90
|
+
|
91
|
+
# check digests
|
92
|
+
REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
|
93
|
+
uri = ref.attributes.get_attribute("URI").value
|
94
|
+
|
95
|
+
hashed_element = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
|
96
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
|
97
|
+
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
|
98
|
+
|
99
|
+
digest_algorithm = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
|
100
|
+
|
101
|
+
hash = digest_algorithm.digest(canon_hashed_element)
|
102
|
+
digest_value = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
|
103
|
+
|
104
|
+
unless digests_match?(hash, digest_value)
|
105
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
|
106
|
+
end
|
107
|
+
end
|
108
|
+
|
109
|
+
base64_signature = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
|
110
|
+
signature = Base64.decode64(base64_signature)
|
111
|
+
|
112
|
+
# get certificate object
|
113
|
+
cert_text = Base64.decode64(base64_cert)
|
114
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
115
|
+
|
116
|
+
# signature method
|
117
|
+
signature_algorithm = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
|
118
|
+
|
119
|
+
unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
|
120
|
+
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Key validation error"))
|
121
|
+
end
|
122
|
+
|
123
|
+
return true
|
124
|
+
end
|
125
|
+
|
126
|
+
private
|
127
|
+
|
128
|
+
def digests_match?(hash, digest_value)
|
129
|
+
hash == digest_value
|
130
|
+
end
|
131
|
+
|
132
|
+
def extract_signed_element_id
|
133
|
+
reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
|
134
|
+
self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
|
135
|
+
end
|
136
|
+
|
137
|
+
def canon_algorithm(element)
|
138
|
+
algorithm = element.attribute('Algorithm').value if element
|
139
|
+
case algorithm
|
140
|
+
when "http://www.w3.org/2001/10/xml-exc-c14n#" then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
141
|
+
when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
|
142
|
+
when "http://www.w3.org/2006/12/xml-c14n11" then Nokogiri::XML::XML_C14N_1_1
|
143
|
+
else Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
def algorithm(element)
|
148
|
+
algorithm = element.attribute("Algorithm").value if element
|
149
|
+
algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
|
150
|
+
case algorithm
|
151
|
+
when 256 then OpenSSL::Digest::SHA256
|
152
|
+
when 384 then OpenSSL::Digest::SHA384
|
153
|
+
when 512 then OpenSSL::Digest::SHA512
|
154
|
+
else
|
155
|
+
OpenSSL::Digest::SHA1
|
156
|
+
end
|
157
|
+
end
|
158
|
+
|
159
|
+
def extract_inclusive_namespaces
|
160
|
+
if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
|
161
|
+
prefix_list = element.attributes.get_attribute("PrefixList").value
|
162
|
+
prefix_list.split(" ")
|
163
|
+
else
|
164
|
+
[]
|
165
|
+
end
|
166
|
+
end
|
167
|
+
|
168
|
+
end
|
169
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
$LOAD_PATH.push File.expand_path('../lib', __FILE__)
|
2
|
+
require 'onelogin/ruby-saml/version'
|
3
|
+
|
4
|
+
Gem::Specification.new do |s|
|
5
|
+
s.name = 'ruby-saml-nechotech'
|
6
|
+
s.version = Onelogin::Saml::VERSION
|
7
|
+
|
8
|
+
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
9
|
+
s.authors = ["OneLogin LLC, beekermememe"]
|
10
|
+
s.date = Time.now.strftime("%Y-%m-%d")
|
11
|
+
s.description = %q{SAML toolkit for Ruby on Rails forked and modified by beekermememe}
|
12
|
+
s.email = %q{nechotech@gmail.com}
|
13
|
+
s.extra_rdoc_files = [
|
14
|
+
"LICENSE",
|
15
|
+
"README.md"
|
16
|
+
]
|
17
|
+
s.files = `git ls-files`.split("\n")
|
18
|
+
s.homepage = %q{http://github.com/onelogin/ruby-saml}
|
19
|
+
s.rubyforge_project = %q{http://www.rubygems.org/gems/ruby-saml-nechotech}
|
20
|
+
s.rdoc_options = ["--charset=UTF-8"]
|
21
|
+
s.require_paths = ["lib"]
|
22
|
+
s.rubygems_version = %q{1.3.7}
|
23
|
+
s.summary = %q{SAML Ruby Tookit}
|
24
|
+
s.test_files = `git ls-files test/*`.split("\n")
|
25
|
+
|
26
|
+
s.add_runtime_dependency("canonix", ["0.1.1"])
|
27
|
+
s.add_runtime_dependency("uuid", ["~> 2.3"])
|
28
|
+
s.add_runtime_dependency("nokogiri", [">= 1.5.0"])
|
29
|
+
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
|
3
|
+
YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
|
4
|
+
Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloX
|
5
|
+
DTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
|
6
|
+
aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAX
|
7
|
+
BgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
|
8
|
+
AoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDug
|
9
|
+
MK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0ed
|
10
|
+
MOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMB
|
11
|
+
AA==
|
12
|
+
-----END CERTIFICATE-----
|
@@ -0,0 +1 @@
|
|
1
|
+
MIIEYTCCA0mgAwIBAgIJAMax+2BoUJmCMA0GCSqGSIb3DQEBBQUAMIHGMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xIzAhBgNVBAoMGldlbGxzcHJpbmcgV29ybGR3aWRlLCBJbmMuMRwwGgYDVQQLDBNTeXN0ZW1zIEVuZ2luZWVyaW5nMSQwIgYDVQQDDBtzc28ud2VsbHNwcmluZ3dvcmxkd2lkZS5jb20xKTAnBgkqhkiG9w0BCQEWGml0QHdlbGxzcHJpbmd3b3JsZHdpZGUuY29tMB4XDTEzMDIyNzIzNTUwOFoXDTIzMDIyNzIzNTUwOFowgcYxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhJbGxpbm9pczEQMA4GA1UEBwwHQ2hpY2FnbzEjMCEGA1UECgwaV2VsbHNwcmluZyBXb3JsZHdpZGUsIEluYy4xHDAaBgNVBAsME1N5c3RlbXMgRW5naW5lZXJpbmcxJDAiBgNVBAMMG3Nzby53ZWxsc3ByaW5nd29ybGR3aWRlLmNvbTEpMCcGCSqGSIb3DQEJARYaaXRAd2VsbHNwcmluZ3dvcmxkd2lkZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzNhrDaXa00JAIRaxEyDrK/Zjj8bBTQD5dPgugDndYf1AOpzSGpGFU+lPu0QRv0o66K64HrF24FATWI18Q6aZ+xX8QbuBrfia6hOFef29Sk5paS9+DcDCmisuNpl84kbbiazy6S6cFtcdrG9/cr2iXtYmIzz7EfUcP/UVAp24ZW7dWhcvxoqxF9n6Fj94N+rA0dmUFUGz6glm7us3p36xbkiUMpgr3feD/9P34H+2YFsQ2b2DblDI5Z7YULHxBsl5nuhPLFuPN1olcWQBsJYO6iHElFRH+487L2yZ1mLVXKI0LFb/w1rAJpPeUc8E5s1MATAjNx3wPwwqgw30sKtoXAgMBAAGjUDBOMB0GA1UdDgQWBBSrGGV9w3hGXTafkJLUaWBsWiDGaTAfBgNVHSMEGDAWgBSrGGV9w3hGXTafkJLUaWBsWiDGaTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCcvZV0VIwIRD4C5CItFwfNRF2LRBmYiNh4FJbo0wESbH0cWT9vXNdcjcx6PHrIj7ICErSCR5eZmIrSgLEBEkptjVsiFsHWSvMHv37WaHwyhZWnhutss32aP9+ifxQ1lzwm54jZWZsVVVFQH155BDsVeU1UwEhvcCExFa7RNjyvqQrZmyQwMFSzL1cQp0humu0hHLtAI7E32lp5itw6kTOfyhjB8d1bzBVZe6RY64RxOPEcx+9hkrHmfCohdt644jRtPdLTvqqxpscYGD+L2QOt1HpbGgAdcgUZeUHo/eosqpwDOoyuFepz7JzqMncxFN//NmjnFGVZdGR+6bTxKUKq
|
@@ -0,0 +1,111 @@
|
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
2
|
+
|
3
|
+
class RequestTest < Test::Unit::TestCase
|
4
|
+
|
5
|
+
context "Logoutrequest" do
|
6
|
+
settings = Onelogin::Saml::Settings.new
|
7
|
+
|
8
|
+
should "create the deflated SAMLRequest URL parameter" do
|
9
|
+
settings.idp_slo_target_url = "http://unauth.com/logout"
|
10
|
+
settings.name_identifier_value = "f00f00"
|
11
|
+
|
12
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
13
|
+
assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLRequest=/
|
14
|
+
|
15
|
+
inflated = decode_saml_request_payload(unauth_url)
|
16
|
+
|
17
|
+
assert_match /^<samlp:LogoutRequest/, inflated
|
18
|
+
end
|
19
|
+
|
20
|
+
should "support additional params" do
|
21
|
+
|
22
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :hello => nil })
|
23
|
+
assert unauth_url =~ /&hello=$/
|
24
|
+
|
25
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :foo => "bar" })
|
26
|
+
assert unauth_url =~ /&foo=bar$/
|
27
|
+
end
|
28
|
+
|
29
|
+
should "set sessionindex" do
|
30
|
+
settings.idp_slo_target_url = "http://example.com"
|
31
|
+
sessionidx = UUID.new.generate
|
32
|
+
settings.sessionindex = sessionidx
|
33
|
+
|
34
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
35
|
+
inflated = decode_saml_request_payload(unauth_url)
|
36
|
+
|
37
|
+
assert_match /<samlp:SessionIndex/, inflated
|
38
|
+
assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
|
39
|
+
end
|
40
|
+
|
41
|
+
should "set name_identifier_value" do
|
42
|
+
settings = Onelogin::Saml::Settings.new
|
43
|
+
settings.idp_slo_target_url = "http://example.com"
|
44
|
+
settings.name_identifier_format = "transient"
|
45
|
+
name_identifier_value = "abc123"
|
46
|
+
settings.name_identifier_value = name_identifier_value
|
47
|
+
|
48
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings, { :name_id => "there" })
|
49
|
+
inflated = decode_saml_request_payload(unauth_url)
|
50
|
+
|
51
|
+
assert_match /<saml:NameID/, inflated
|
52
|
+
assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
|
53
|
+
end
|
54
|
+
|
55
|
+
should "require name_identifier_value" do
|
56
|
+
settings = Onelogin::Saml::Settings.new
|
57
|
+
settings.idp_slo_target_url = "http://example.com"
|
58
|
+
settings.name_identifier_format = nil
|
59
|
+
|
60
|
+
assert_raises(Onelogin::Saml::ValidationError) { Onelogin::Saml::Logoutrequest.new.create(settings) }
|
61
|
+
end
|
62
|
+
|
63
|
+
context "when the target url doesn't contain a query string" do
|
64
|
+
should "create the SAMLRequest parameter correctly" do
|
65
|
+
settings = Onelogin::Saml::Settings.new
|
66
|
+
settings.idp_slo_target_url = "http://example.com"
|
67
|
+
settings.name_identifier_value = "f00f00"
|
68
|
+
|
69
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
70
|
+
assert unauth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
71
|
+
end
|
72
|
+
end
|
73
|
+
|
74
|
+
context "when the target url contains a query string" do
|
75
|
+
should "create the SAMLRequest parameter correctly" do
|
76
|
+
settings = Onelogin::Saml::Settings.new
|
77
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
78
|
+
settings.name_identifier_value = "f00f00"
|
79
|
+
|
80
|
+
unauth_url = Onelogin::Saml::Logoutrequest.new.create(settings)
|
81
|
+
assert unauth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
82
|
+
end
|
83
|
+
end
|
84
|
+
|
85
|
+
context "consumation of logout may need to track the transaction" do
|
86
|
+
should "have access to the request uuid" do
|
87
|
+
settings = Onelogin::Saml::Settings.new
|
88
|
+
settings.idp_slo_target_url = "http://example.com?field=value"
|
89
|
+
settings.name_identifier_value = "f00f00"
|
90
|
+
|
91
|
+
unauth_req = Onelogin::Saml::Logoutrequest.new
|
92
|
+
unauth_url = unauth_req.create(settings)
|
93
|
+
|
94
|
+
inflated = decode_saml_request_payload(unauth_url)
|
95
|
+
assert_match %r[ID='#{unauth_req.uuid}'], inflated
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
100
|
+
def decode_saml_request_payload(unauth_url)
|
101
|
+
payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
|
102
|
+
decoded = Base64.decode64(payload)
|
103
|
+
|
104
|
+
zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
105
|
+
inflated = zstream.inflate(decoded)
|
106
|
+
zstream.finish
|
107
|
+
zstream.close
|
108
|
+
inflated
|
109
|
+
end
|
110
|
+
|
111
|
+
end
|