ruby-saml-nechotech 0.7.21

data/test/xml_security_test.rb

@@ -0,0 +1,160 @@
+require 'test_helper'
+require 'xml_security'
+
+class XmlSecurityTest < Test::Unit::TestCase
+  include XMLSecurity
+
+  context "XmlSecurity" do
+    setup do
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+      @base64cert = @document.elements["//ds:X509Certificate"].text
+    end
+
+    should "should run validate without throwing NS related exceptions" do
+      assert !@document.validate_doc(@base64cert, true)
+    end
+
+    should "should run validate with throwing NS related exceptions" do
+      assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+    end
+    
+    should "not raise an error when softly validating the document multiple times" do
+      assert_nothing_raised do
+        2.times { @document.validate_doc(@base64cert, true) }
+      end
+    end
+
+    should "should raise Fingerprint mismatch" do
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate("no:fi:ng:er:pr:in:t", false)
+      end
+      assert_equal("Fingerprint mismatch", exception.message)
+    end
+
+    should "should raise Digest mismatch" do
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+      assert_equal("Digest mismatch", exception.message)
+    end
+
+    should "should raise Key validation error" do
+      response = Base64.decode64(response_document)
+      response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+                    "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
+      document = XMLSecurity::SignedDocument.new(response)
+      base64cert = document.elements["//ds:X509Certificate"].text
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        document.validate_doc(base64cert, false)
+      end
+      assert_equal("Key validation error", exception.message)
+    end
+
+    should "raise validation error when the X509Certificate is missing" do
+      response = Base64.decode64(response_document)
+      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      document = XMLSecurity::SignedDocument.new(response)
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        document.validate("a fingerprint", false) # The fingerprint isn't relevant to this test
+      end
+      assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+    end
+  end
+
+  context "Algorithms" do
+    should "validate using SHA1" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA256" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+      assert @document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+    end
+
+    should "validate using SHA384" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA512" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+  end
+  
+  context "XmlSecurity::SignedDocument" do
+    
+    context "#extract_inclusive_namespaces" do
+      should "support explicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:open_saml_response, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ xs ], inclusive_namespaces
+      end
+      
+      should "support implicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:no_signature_ns, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+      end
+
+      should_eventually 'support inclusive canonicalization' do
+
+        response = Onelogin::Saml::Response.new(fixture("tdnf_response.xml"))
+        response.stubs(:conditions).returns(nil)
+        assert !response.is_valid?
+        settings = Onelogin::Saml::Settings.new
+        assert !response.is_valid?
+        response.settings = settings
+        assert !response.is_valid?
+        settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
+        assert response.validate!
+      end
+
+      should "return an empty list when inclusive namespace element is missing" do
+        response = fixture(:no_signature_ns, false)
+        response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+        
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert inclusive_namespaces.empty?
+      end
+    end
+
+    context "StarfieldTMS" do
+      setup do
+        @response = Onelogin::Saml::Response.new(fixture(:starfield_response))
+        @response.settings = Onelogin::Saml::Settings.new(
+                                                          :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
+                                                          )
+      end
+
+      should "be able to validate a good response" do
+        Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
+          assert @response.validate!
+        end
+      end
+
+      should "fail before response is valid" do
+        Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
+          assert ! @response.is_valid?
+        end
+      end
+
+      should "fail after response expires" do
+        Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
+          assert ! @response.is_valid?
+        end
+      end
+    end
+
+  end
+  
+end

metadata

@@ -0,0 +1,189 @@
+--- !ruby/object:Gem::Specification 
+name: ruby-saml-nechotech
+version: !ruby/object:Gem::Version 
+  hash: 41
+  prerelease: false
+  segments: 
+  - 0
+  - 7
+  - 21
+  version: 0.7.21
+platform: ruby
+authors: 
+- OneLogin LLC, beekermememe
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-04-05 00:00:00 -06:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: canonix
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 1
+        - 1
+        version: 0.1.1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: uuid
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 2
+        - 3
+        version: "2.3"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: nokogiri
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 1
+        - 5
+        - 0
+        version: 1.5.0
+  type: :runtime
+  version_requirements: *id003
+description: SAML toolkit for Ruby on Rails forked and modified by beekermememe
+email: nechotech@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.md
+files: 
+- .document
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/onelogin/ruby-saml/authrequest.rb
+- lib/onelogin/ruby-saml/logging.rb
+- lib/onelogin/ruby-saml/logoutrequest.rb
+- lib/onelogin/ruby-saml/logoutresponse.rb
+- lib/onelogin/ruby-saml/metadata.rb
+- lib/onelogin/ruby-saml/response.rb
+- lib/onelogin/ruby-saml/settings.rb
+- lib/onelogin/ruby-saml/validation_error.rb
+- lib/onelogin/ruby-saml/version.rb
+- lib/ruby-saml.rb
+- lib/schemas/saml20assertion_schema.xsd
+- lib/schemas/saml20protocol_schema.xsd
+- lib/schemas/xenc_schema.xsd
+- lib/schemas/xmldsig_schema.xsd
+- lib/xml_security.rb
+- ruby-saml-nechotech.gemspec
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb
+has_rdoc: true
+homepage: http://github.com/onelogin/ruby-saml
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: http://www.rubygems.org/gems/ruby-saml-nechotech
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: SAML Ruby Tookit
+test_files: 
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb