ruby-saml 0.4.5 → 0.4.6

data/Rakefile

@@ -13,6 +13,7 @@ begin
     gem.add_dependency("canonix","~> 0.1")
     gem.add_dependency("uuid","~> 2.3")
     gem.add_development_dependency "shoulda"
+    gem.add_development_dependency "ruby-debug"
     gem.add_development_dependency "mocha"
     #gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
   end

data/VERSION

@@ -1 +1 @@
-0.4.5
+0.4.6

data/lib/onelogin/saml.rb

@@ -1,4 +1,5 @@
 require 'onelogin/saml/authrequest'
 require 'onelogin/saml/response'
 require 'onelogin/saml/settings'
+require 'onelogin/saml/validation_error'
 

data/lib/onelogin/saml/response.rb

@@ -2,48 +2,38 @@ require "xml_security"
 require "time"
 
 module Onelogin::Saml
+
   class Response
     ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
     PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
     DSIG      = "http://www.w3.org/2000/09/xmldsig#"
 
-    attr_accessor :response, :document, :logger, :settings, :original
+    attr_accessor :options, :response, :document, :settings
 
-    def initialize(response)
+    def initialize(response, options = {})
       raise ArgumentError.new("Response cannot be nil") if response.nil?
+      self.options  = options
       self.response = response
       self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
     end
 
     def is_valid?
-      return false if response.empty?
-      return false if settings.nil?
-      return false if settings.idp_cert_fingerprint.nil?
-      return false if !check_conditions
+      validate(soft = true)
+    end
 
-      document.validate(settings.idp_cert_fingerprint, logger)
+    def validate!
+      validate(soft = false)
     end
 
     # The value of the user identifier as designated by the initialization request response
     def name_id
       @name_id ||= begin
         node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
         node.nil? ? nil : node.text
       end
     end
 
-    def check_conditions
-      return true if conditions.nil?
-
-      not_before = parse_time(conditions, "NotBefore")
-      return false if not_before && Time.now.utc < not_before
-
-      not_on_or_after = parse_time(conditions, "NotOnOrAfter")
-      return false if not_on_or_after && Time.now.utc >= not_on_or_after
-
-      true
-    end
-
     # A hash of alle the attributes with the response. Assuming there is only one value for each key
     def attributes
       @attr_statements ||= begin
@@ -84,6 +74,51 @@ module Onelogin::Saml
 
     private
 
+    def validation_error(message)
+      raise ValidationError.new(message)
+    end
+
+    def validate(soft = true)
+      validate_response_state(soft) &&
+      validate_conditions(soft)     &&
+      document.validate(settings.idp_cert_fingerprint, soft)
+    end
+
+    def validate_response_state(soft = true)
+      if response.empty?
+        return soft ? false : validation_error("Blank response")
+      end
+
+      if settings.nil?
+        return soft ? false : validation_error("No settings on response")
+      end
+
+      if settings.idp_cert_fingerprint.nil?
+        return soft ? false : validation_error("No fingerprint on settings")
+      end
+
+      true
+    end
+
+    def validate_conditions(soft = true)
+      return true if conditions.nil?
+      return true if options[:skip_conditions]
+
+      if not_before = parse_time(conditions, "NotBefore")
+        if Time.now.utc < not_before
+          return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+        end
+      end
+
+      if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+        if Time.now.utc >= not_on_or_after
+          return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+        end
+      end
+
+      true
+    end
+
     def parse_time(node, attribute)
       if node && node.attributes[attribute]
         Time.parse(node.attributes[attribute])

data/lib/onelogin/saml/validation_error.rb

@@ -0,0 +1,7 @@
+module Onelogin
+  module Saml
+    class ValidationError < Exception
+    end
+  end
+end
+

data/lib/xml_security.rb

@@ -28,11 +28,12 @@ require "rexml/xpath"
 require "openssl"
 require "xmlcanonicalizer"
 require "digest/sha1"
+require "onelogin/saml/validation_error"
 
 module XMLSecurity
 
   class SignedDocument < REXML::Document
-    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+    DSIG = "http://www.w3.org/2000/09/xmldsig#"
 
     attr_accessor :signed_element_id
 
@@ -41,7 +42,7 @@ module XMLSecurity
       extract_signed_element_id
     end
 
-    def validate (idp_cert_fingerprint, logger = nil)
+    def validate(idp_cert_fingerprint, soft = true)
       # get cert from response
       base64_cert = self.elements["//ds:X509Certificate"].text
       cert_text   = Base64.decode64(base64_cert)
@@ -49,33 +50,44 @@ module XMLSecurity
 
       # check cert matches registered idp cert
       fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-      valid_flag  = fingerprint == idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
 
-      return valid_flag if !valid_flag
+      if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+        return soft ? false : (raise Onelogin::Saml::ValidationError.new("Fingerprint mismatch"))
+      end
 
-      validate_doc(base64_cert, logger)
+      validate_doc(base64_cert, soft)
     end
 
-    def validate_doc(base64_cert, logger)
+    def validate_doc(base64_cert, soft = true)
       # validate references
+      
+      # check for inclusive namespaces
+      
+      inclusive_namespaces            = []
+      inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
+      
+      if inclusive_namespace_element
+        prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
+        inclusive_namespaces          = prefix_list.split(" ")
+      end
 
       # remove signature node
       sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
       sig_element.remove
 
-      #check digests
-      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |
-
-        uri                   = ref.attributes.get_attribute("URI").value
-        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
-        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
-        canon_hashed_element  = canoner.canonicalize(hashed_element)
-        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
-        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
-
-        valid_flag            = hash == digest_value
-
-        return valid_flag if !valid_flag
+      # check digests
+      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
+        uri                           = ref.attributes.get_attribute("URI").value
+        hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+        canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
+        canon_hashed_element          = canoner.canonicalize(hashed_element)
+        hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+
+        if hash != digest_value
+          return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
+        end
       end
 
       # verify signature
@@ -90,9 +102,11 @@ module XMLSecurity
       cert_text               = Base64.decode64(base64_cert)
       cert                    = OpenSSL::X509::Certificate.new(cert_text)
 
-      valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+      if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+        return soft ? false : (raise ValidationError.new("Key validation error"))
+      end
 
-      return valid_flag
+      return true
     end
 
     private

data/ruby-saml.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml}
-  s.version = "0.4.5"
+  s.version = "0.4.6"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["OneLogin LLC"]
-  s.date = %q{2011-06-17}
+  s.date = %q{2011-06-28}
   s.description = %q{SAML toolkit for Ruby on Rails}
   s.email = %q{support@onelogin.com}
   s.extra_rdoc_files = [
@@ -27,16 +27,22 @@ Gem::Specification.new do |s|
      "lib/onelogin/saml/authrequest.rb",
      "lib/onelogin/saml/response.rb",
      "lib/onelogin/saml/settings.rb",
+     "lib/onelogin/saml/validation_error.rb",
      "lib/ruby-saml.rb",
      "lib/xml_security.rb",
      "ruby-saml.gemspec",
+     "test/request_test.rb",
+     "test/response_test.rb",
+     "test/responses/adfs_response.xml.base64",
      "test/responses/certificate1",
+     "test/responses/open_saml_response.xml",
      "test/responses/response1.xml.base64",
      "test/responses/response2.xml.base64",
      "test/responses/response3.xml.base64",
      "test/responses/response4.xml.base64",
      "test/responses/response5.xml.base64",
-     "test/ruby-saml_test.rb",
+     "test/responses/simple_saml_php.xml",
+     "test/settings_test.rb",
      "test/test_helper.rb",
      "test/xml_security_test.rb"
   ]
@@ -46,7 +52,9 @@ Gem::Specification.new do |s|
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{SAML Ruby Tookit}
   s.test_files = [
-    "test/ruby-saml_test.rb",
+    "test/request_test.rb",
+     "test/response_test.rb",
+     "test/settings_test.rb",
      "test/test_helper.rb",
      "test/xml_security_test.rb"
   ]
@@ -59,17 +67,20 @@ Gem::Specification.new do |s|
       s.add_runtime_dependency(%q<canonix>, ["~> 0.1"])
       s.add_runtime_dependency(%q<uuid>, ["~> 2.3"])
       s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<ruby-debug>, [">= 0"])
       s.add_development_dependency(%q<mocha>, [">= 0"])
     else
       s.add_dependency(%q<canonix>, ["~> 0.1"])
       s.add_dependency(%q<uuid>, ["~> 2.3"])
       s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<ruby-debug>, [">= 0"])
       s.add_dependency(%q<mocha>, [">= 0"])
     end
   else
     s.add_dependency(%q<canonix>, ["~> 0.1"])
     s.add_dependency(%q<uuid>, ["~> 2.3"])
     s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<ruby-debug>, [">= 0"])
     s.add_dependency(%q<mocha>, [">= 0"])
   end
 end

data/test/request_test.rb

@@ -0,0 +1,33 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class RequestTest < Test::Unit::TestCase
+
+  context "Authrequest" do
+    should "create the deflated SAMLRequest URL parameter" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/stuff\.com\?SAMLRequest=/
+      payload  = CGI.unescape(auth_url.split("=").last)
+      decoded  = Base64.decode64(payload)
+
+      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = zstream.inflate(decoded)
+      zstream.finish
+      zstream.close
+
+      assert_match /^<samlp:AuthnRequest/, inflated
+    end
+
+    should "accept extra parameters" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
+      assert auth_url =~ /&hello=there$/
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
+      assert auth_url =~ /&hello=$/
+    end
+  end
+end

data/test/{ruby-saml_test.rb → response_test.rb}

@@ -2,30 +2,7 @@ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 class RubySamlTest < Test::Unit::TestCase
 
-  context "Settings" do
-    setup do
-      @settings = Onelogin::Saml::Settings.new
-    end
-    should "should provide getters and settings" do
-      accessors = [
-        :assertion_consumer_service_url, :issuer, :sp_name_qualifier, :sp_name_qualifier,
-        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
-      ]
-
-      accessors.each do |accessor|
-        value = Kernel.rand
-        @settings.send("#{accessor}=".to_sym, value)
-        assert_equal value, @settings.send(accessor)
-      end
-    end
-  end
-
   context "Response" do
-    should "provide setter for a logger" do
-      response = Onelogin::Saml::Response.new('')
-      assert response.logger = 'hello'
-    end
-
     should "raise an exception when response is initialized with nil" do
       assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
     end
@@ -39,6 +16,15 @@ class RubySamlTest < Test::Unit::TestCase
       assert !response.name_id.nil?
     end
 
+    context "#validate!" do
+      should "raise when encountering a condition that prevents the document from being valid" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_raise(Onelogin::Saml::ValidationError) do
+          response.validate!
+        end
+      end
+    end
+
     context "#is_valid?" do
       should "return false when response is initialized with blank data" do
         response = Onelogin::Saml::Response.new('')
@@ -52,7 +38,7 @@ class RubySamlTest < Test::Unit::TestCase
 
       should "return true when the response is initialized with valid data" do
         response = Onelogin::Saml::Response.new(response_document_4)
-        response.expects(:check_conditions).returns(true)
+        response.stubs(:conditions).returns(nil)
         assert !response.is_valid?
         settings = Onelogin::Saml::Settings.new
         assert !response.is_valid?
@@ -64,13 +50,22 @@ class RubySamlTest < Test::Unit::TestCase
 
       should "not allow signature wrapping attack" do
         response = Onelogin::Saml::Response.new(response_document_4)
-        response.expects(:check_conditions).returns(true)
+        response.stubs(:conditions).returns(nil)
         settings = Onelogin::Saml::Settings.new
         settings.idp_cert_fingerprint = signature_fingerprint_1
         response.settings = settings
         assert response.is_valid?
         assert response.name_id == "test@onelogin.com"
       end
+
+      should_eventually "validate ADFS assertions" do
+        response = Onelogin::Saml::Response.new(fixture(:adfs_response))
+        response.stubs(:conditions).returns(nil)
+        settings = Onelogin::Saml::Settings.new
+        settings.idp_cert_fingerprint = "17:54:07:27:53:55:D1:93:67:A4:95:0A:6A:E4:D6:1E:FA:4A:94:1D"
+        response.settings = settings
+        assert response.validate!
+      end
     end
 
     context "#name_id" do
@@ -81,18 +76,28 @@ class RubySamlTest < Test::Unit::TestCase
         response = Onelogin::Saml::Response.new(response_document_3)
         assert_equal "someone@example.com", response.name_id
       end
+
+      should_eventually "be extractable from an OpenSAML response" do
+        response = Onelogin::Saml::Response.new(fixture(:open_saml))
+        assert_equal "someone@example.org", response.name_id
+      end
+
+      should_eventually "be extractable from a Simple SAML PHP response" do
+        response = Onelogin::Saml::Response.new(fixture(:simple_saml_php))
+        assert_equal "someone@example.com", response.name_id
+      end
     end
 
     context "#check_conditions" do
       should "check time conditions" do
         response = Onelogin::Saml::Response.new(response_document)
-        assert !response.check_conditions
+        assert !response.send(:validate_conditions, true)
         response = Onelogin::Saml::Response.new(response_document_6)
-        assert response.check_conditions
+        assert response.send(:validate_conditions, true)
         time     = Time.parse("2011-06-14T18:25:01.516Z")
         Time.stubs(:now).returns(time)
         response = Onelogin::Saml::Response.new(response_document_5)
-        assert response.check_conditions
+        assert response.send(:validate_conditions, true)
       end
     end
 
@@ -133,34 +138,7 @@ class RubySamlTest < Test::Unit::TestCase
         assert response.session_expires_at.nil?
       end
     end
-  end
-
-  context "Authrequest" do
-    should "create the deflated SAMLRequest URL parameter" do
-      settings = Onelogin::Saml::Settings.new
-      settings.idp_sso_target_url = "http://stuff.com"
-      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
-      assert auth_url =~ /^http:\/\/stuff\.com\?SAMLRequest=/
-      payload  = CGI.unescape(auth_url.split("=").last)
-      decoded  = Base64.decode64(payload)
-
-      zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      inflated = zstream.inflate(decoded)
-      zstream.finish
-      zstream.close
-
-      assert_match /^<samlp:AuthnRequest/, inflated
-    end
-
-    should "accept extra parameters" do
-      settings = Onelogin::Saml::Settings.new
-      settings.idp_sso_target_url = "http://stuff.com"
 
-      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
-      assert auth_url =~ /&hello=there$/
-
-      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
-      assert auth_url =~ /&hello=$/
-    end
   end
+
 end

data/test/responses/adfs_response.xml.base64

@@ -0,0 +1,91 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzYW1scDpSZXNwb25zZSB4bWxuczpz
+YW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJ
+RD0iXzAyNjNhMDdiLTIwNWYtNDc5Yy05MGZjLTc0OTU3MTVlY2JiZiIgVmVy
+c2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMjJUMTI6NDk6MzAu
+MzQ4WiIgRGVzdGluYXRpb249Imh0dHBzOi8vc29tZW9uZS5leGFtcGxlLmNv
+bS9lbmRwb2ludCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6
+Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iX2ZjNGEz
+NGIwLTdlZmItMDEyZS1jYWFlLTc4MmJjYjEzYmIzOCI+CiAgPElzc3VlciB4
+bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+
+aHR0cDovL2xvZ2luLmV4YW1wbGUuY29tL2lzc3VlcjwvSXNzdWVyPgogIDxz
+YW1scDpTdGF0dXM+CiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJu
+Om9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+CiAg
+PC9zYW1scDpTdGF0dXM+CiAgPEFzc2VydGlvbiB4bWxucz0idXJuOm9hc2lz
+Om5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il83MjFiNGE1YS1k
+N2UxLTQ4NjEtOTc1NC1hOWIxOTdiNmY5YWIiIElzc3VlSW5zdGFudD0iMjAx
+MS0wNi0yMlQxMjo0OTozMC4zNDhaIiBWZXJzaW9uPSIyLjAiPgogICAgPElz
+c3Vlcj5odHRwOi8vbG9naW4uZXhhbXBsZS5jb20vaXNzdWVyPC9Jc3N1ZXI+
+CiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9y
+Zy8yMDAwLzA5L3htbGRzaWcjIj4KICAgICAgPGRzOlNpZ25lZEluZm8+CiAg
+ICAgICAgPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJo
+dHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAg
+ICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3
+dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPgog
+ICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjXzcyMWI0YTVhLWQ3ZTEtNDg2
+MS05NzU0LWE5YjE5N2I2ZjlhYiI+CiAgICAgICAgICA8ZHM6VHJhbnNmb3Jt
+cz4KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6
+Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0
+dXJlIi8+CiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJo
+dHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAg
+ICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4KICAgICAgICAgIDxkczpEaWdlc3RN
+ZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3ht
+bGVuYyNzaGEyNTYiLz4KICAgICAgICAgIDxkczpEaWdlc3RWYWx1ZT52NTN3
+cW80ZllESzhVY3JPVWNPV2cyemxKL2NIVnVtWVMwS2pycm5WdUprPTwvZHM6
+RGlnZXN0VmFsdWU+CiAgICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICAgIDwv
+ZHM6U2lnbmVkSW5mbz4KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPlowOXBl
+d1k3ekZ2OTFobjkwbHgwRUVubE1HTkw5elVKWk14SVI2cW9mTFpPWk1sVG5Y
+TjV6RnNmKzFYUFBJWVpMdzVsQ0dqanRtZE5seGR2NzJ6TkZsTVROUnFaN0lp
+SXd2azVHUk0zenZBV3NOT1k2ZEI0YzVxamU0UkhxL2ZySkdCZ04vZ2VWeFZt
+bjNMWmQ1WmNrdWh1UzFzN0ZKQW9MVWNaRUxKL25jZ1JEZGdqQUUrcjhHdGFO
+a3U0VVRCUkdBZnRsMFBXbUFTMDdsbGU2bGFTVVBSQmRCRE5sVlN6R0FQT3lY
+UDE2ZUkxOWJvbllMaGpiOHVoY0N0bWdicnJhbkpVVGxZc1htcnhvaGNGdW4r
+eWZxVFdXd2l4OW1SUXRBdEFFOW5nSUUwVkRkTC9reFR0NktOb1B6d2tlajVW
+eFNMRkFncTJ1M3JaTWN1WUdadTFIUT09PC9kczpTaWduYXR1cmVWYWx1ZT4K
+ICAgICAgPEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv
+MDkveG1sZHNpZyMiPgogICAgICAgIDxkczpYNTA5RGF0YT4KICAgICAgICAg
+IDxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzVEQ0NBY3lnQXdJQkFnSVFOQlRr
+dDdxaWNhcEtOc0lYTWNrOHhUQU5CZ2txaGtpRzl3MEJBUXNGQURBdU1Td3dL
+Z1lEVlFRREV5TkJSRVpUSUZOcFoyNXBibWNnTFNCc2IyZHBiaTVrY21WemIz
+VnlZMlZ6TG1OdmJUQWVGdzB4TVRBMk1UQXhPRFUyTURGYUZ3MHhNakEyTURr
+eE9EVTJNREZhTUM0eExEQXFCZ05WQkFNVEkwRkVSbE1nVTJsbmJtbHVaeUF0
+SUd4dloybHVMbVJ5WlhOdmRYSmpaWE11WTI5dE1JSUJJakFOQmdrcWhraUc5
+dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcTdBTURHbkJISUd3dDlLUHRM
+RDBNMEVYR3VabldHQW1iNXAyRkRjRnp0SkhPSThXWVBxZVJwaHpWU0VrZ1h0
+UEloNUp4M2VsUzZoVm43SFZqMld2eklENmpwQjQ1bzhpRGs4UFdnaTE0ZnhH
+V0U1bzFQaUI4WHJlMWM1dnMySUc1YVBXSUQ1dUM2YkQwWGduTDk1TWdPOUhH
+UFBTUVJGbnVqS05xekZRZHRvQkpJSmF3QWVEL2kveHM3RmpGazl4MWZBMEV5
+TENuaCtlYWZmSXBvcmIrMXh4VzJENkQzbVJUZ2ZIeFhyV1I4VzRqSG5pZ2da
+aHFkRGhVeHZFYWlRRlRiSU4yRCt6eUI3YVF3UUNIU0ZwZXJCYytSNUZsbGdu
+R0FhK3NqYjZnMUZYYmVobUVHd1NheHdSWklEQWhqSVFtYTV3WDV5V0pEeEZ6
+UjRwc1RlRlJRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCekFQ
+QzJRUStVdHZrcVFZMm8vam9IR3RudUx5Zmt3ZDc2NERjR0RsY1lLVktFYURD
+dm5KeDNneXdSVU9ERVJoRGh1Zkpid3I3T29YVmRodzcwTnRURU11Z0pGcjI5
+U2d4bjNDaVRpeVBGU0RHang5MTFhYkt4dEpTQkludkkwMEFqWCtWbElaaG95
+ODNZWU9SWEZjeWIrVXZoMnIyU1pVM0FDTnA4TTNjWlI2SjFFREJoUEtZd0VF
+VWs4TlRNbVpMM3ZXanFMWldUeVRUaFRyUUYvbEg5UENsdzlPMjl1d2lmaXEy
+WHpTeVNyMy9QSHh6cE1Sa0w5YzRFaTQ1UURtYWdlckFVUndlcTVwVVc4QzNV
+QVVqTExWY1hrLzJwZXZaRU43MFlndDVwMmZBZ3M4NE9KaERSS2lIR3BhcmlF
+bWo0THNKR1pzcDdxRkpwbjErTWlqUmU8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4K
+ICAgICAgICA8L2RzOlg1MDlEYXRhPgogICAgICA8L0tleUluZm8+CiAgICA8
+L2RzOlNpZ25hdHVyZT4KICAgIDxTdWJqZWN0PgogICAgICA8TmFtZUlEIEZv
+cm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3Jt
+YXQ6ZW1haWxBZGRyZXNzIj5oZWxsb0BleGFtcGxlLmNvbTwvTmFtZUlEPgog
+ICAgICA8U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpu
+YW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPgogICAgICAgIDxTdWJqZWN0
+Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZi
+LTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiIE5vdE9uT3JBZnRlcj0iMjAxMS0w
+Ni0yMlQxMjo1NDozMC4zNDhaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc29tZW9u
+ZS5leGFtcGxlLmNvbS9lbmRwb2ludCIvPgogICAgICA8L1N1YmplY3RDb25m
+aXJtYXRpb24+CiAgICA8L1N1YmplY3Q+CiAgICA8Q29uZGl0aW9ucyBOb3RC
+ZWZvcmU9IjIwMTEtMDYtMjJUMTI6NDk6MzAuMzMyWiIgTm90T25PckFmdGVy
+PSIyMDExLTA2LTIyVDEzOjQ5OjMwLjMzMloiPgogICAgICA8QXVkaWVuY2VS
+ZXN0cmljdGlvbj4KICAgICAgICA8QXVkaWVuY2U+ZXhhbXBsZS5jb208L0F1
+ZGllbmNlPgogICAgICA8L0F1ZGllbmNlUmVzdHJpY3Rpb24+CiAgICA8L0Nv
+bmRpdGlvbnM+CiAgICA8QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIy
+MDExLTA2LTIyVDEyOjQ5OjMwLjExMloiIFNlc3Npb25JbmRleD0iXzcyMWI0
+YTVhLWQ3ZTEtNDg2MS05NzU0LWE5YjE5N2I2ZjlhYiI+CiAgICAgIDxBdXRo
+bkNvbnRleHQ+CiAgICAgICAgPEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpv
+YXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJv
+dGVjdGVkVHJhbnNwb3J0PC9BdXRobkNvbnRleHRDbGFzc1JlZj4KICAgICAg
+PC9BdXRobkNvbnRleHQ+CiAgICA8L0F1dGhuU3RhdGVtZW50PgogIDwvQXNz
+ZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=

data/test/responses/open_saml_response.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://example.hello.com/access/saml" ID="jVFQbyEpSfUwqhZtJtarIaGoshwuAQMDwLoiMhzJXsv" InResponseTo="cfeooghajnhofcmogakmlhpkohnmikicnfhdnjlc" IssueInstant="2011-06-21T13:54:38.661Z" Version="2.0">
+  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idm.orademo.com</saml2:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#jVFQbyEpSfUwqhZtJtarIaGoshwuAQMDwLoiMhzJXsv">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>uHuSry39P16Yh7srS32xESmj4Lw=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>fdghdfggfd=</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>dfghjkl</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <saml2p:Status>
+    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </saml2p:Status>
+  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="emmCjammnYdAbMWDuMAJeZvQIMBayeeYqqwvQoDclKE" IssueInstant="2011-06-21T13:54:38.676Z" Version="2.0">
+    <saml2:Issuer>https://idm.orademo.com</saml2:Issuer>
+    <saml2:Subject>
+      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="idp.example.org">someone@example.org</saml2:NameID>
+      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml2:SubjectConfirmationData InResponseTo="cfeooghajnhofcmogakmlhpkohnmikicnfhdnjlc" NotOnOrAfter="2011-06-21T14:09:38.676Z" Recipient="https://example.hello.com/access/saml"/>
+      </saml2:SubjectConfirmation>
+    </saml2:Subject>
+    <saml2:Conditions NotBefore="2011-06-21T13:54:38.683Z" NotOnOrAfter="2011-06-21T14:09:38.683Z">
+      <saml2:AudienceRestriction>
+        <saml2:Audience>hello.com</saml2:Audience>
+      </saml2:AudienceRestriction>
+    </saml2:Conditions>
+    <saml2:AuthnStatement AuthnInstant="2011-06-21T13:54:38.685Z" SessionIndex="perdkjfskdjfksdiertusfsdfsddeurtherukjdfgkdffg">
+      <saml2:AuthnContext>
+        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
+      </saml2:AuthnContext>
+    </saml2:AuthnStatement>
+    <saml2:AttributeStatement>
+      <saml2:Attribute Name="FirstName">
+        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Someone</saml2:AttributeValue>
+      </saml2:Attribute>
+      <saml2:Attribute Name="LastName">
+        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Special</saml2:AttributeValue>
+      </saml2:Attribute>
+    </saml2:AttributeStatement>
+  </saml2:Assertion>
+</saml2p:Response>

data/test/responses/simple_saml_php.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" Destination="https://example.hello.com/access/saml" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
+  <saml:Issuer>https://federate.example.net/saml/saml2/idp/metadata.php</saml:Issuer>
+  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+      <ds:Reference URI="#pfxc32aed67-820f-4296-0c20-205a10dd5787">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+        <ds:DigestValue>dVJ592k5xPjCHBCMiJ8eZkPUiT8=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>LHNK1FJfcOIUuWVKJmGABQ+W98+pQ==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509Certificate>MIIQmS6WmmIht3k=</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4" Version="2.0" IssueInstant="2011-06-17T14:54:14Z">
+    <saml:Issuer>https://federate.example.net/saml/saml2/idp/metadata.php</saml:Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <ds:Reference URI="#pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <ds:DigestValue>mi0IAultZkpsZa1XxGx9X4iAPQg=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>LqkW39SOYbttYxlGhIBw==</ds:SignatureValue>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIGmmIht3k=</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </ds:Signature>
+    <saml:Subject>
+      <saml:NameID SPNameQualifier="hello.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.com</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2011-06-17T14:59:14Z" Recipient="https://example.hello.com/access/saml" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38"/>
+      </saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2011-06-17T14:53:44Z" NotOnOrAfter="2011-06-17T14:59:14Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>hello.com</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2011-06-17T14:54:07Z" SessionNotOnOrAfter="2011-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue xsi:type="xs:string">someone@example.com</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>

data/test/settings_test.rb

@@ -0,0 +1,23 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class SettingsTest < Test::Unit::TestCase
+
+  context "Settings" do
+    setup do
+      @settings = Onelogin::Saml::Settings.new
+    end
+    should "should provide getters and settings" do
+      accessors = [
+        :assertion_consumer_service_url, :issuer, :sp_name_qualifier, :sp_name_qualifier,
+        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
+      ]
+
+      accessors.each do |accessor|
+        value = Kernel.rand
+        @settings.send("#{accessor}=".to_sym, value)
+        assert_equal value, @settings.send(accessor)
+      end
+    end
+  end
+
+end

data/test/test_helper.rb

@@ -2,12 +2,22 @@ require 'rubygems'
 require 'test/unit'
 require 'shoulda'
 require 'mocha'
+require 'ruby-debug'
 
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'ruby-saml'
 
 class Test::Unit::TestCase
+  def fixture(document, base64 = true)
+    response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
+    if base64 && response =~ /\.xml$/
+      Base64.encode64(File.read(response))
+    else
+      File.read(response)
+    end
+  end
+
   def response_document
     @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
   end

data/test/xml_security_test.rb

@@ -10,7 +10,7 @@ class XmlSecurityTest < Test::Unit::TestCase
 
     should "should run validate without throwing NS related exceptions" do
       base64cert = @document.elements["//ds:X509Certificate"].text
-      @document.validate_doc(base64cert, nil)
+      @document.validate_doc(base64cert, true)
     end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-saml
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 3
   prerelease: false
   segments: 
   - 0
   - 4
-  - 5
-  version: 0.4.5
+  - 6
+  version: 0.4.6
 platform: ruby
 authors: 
 - OneLogin LLC
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-17 00:00:00 +02:00
+date: 2011-06-28 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -63,7 +63,7 @@ dependencies:
   type: :development
   version_requirements: *id003
 - !ruby/object:Gem::Dependency 
-  name: mocha
+  name: ruby-debug
   prerelease: false
   requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
@@ -76,6 +76,20 @@ dependencies:
         version: "0"
   type: :development
   version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: mocha
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
@@ -96,16 +110,22 @@ files:
 - lib/onelogin/saml/authrequest.rb
 - lib/onelogin/saml/response.rb
 - lib/onelogin/saml/settings.rb
+- lib/onelogin/saml/validation_error.rb
 - lib/ruby-saml.rb
 - lib/xml_security.rb
 - ruby-saml.gemspec
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response.xml.base64
 - test/responses/certificate1
+- test/responses/open_saml_response.xml
 - test/responses/response1.xml.base64
 - test/responses/response2.xml.base64
 - test/responses/response3.xml.base64
 - test/responses/response4.xml.base64
 - test/responses/response5.xml.base64
-- test/ruby-saml_test.rb
+- test/responses/simple_saml_php.xml
+- test/settings_test.rb
 - test/test_helper.rb
 - test/xml_security_test.rb
 has_rdoc: true
@@ -143,6 +163,8 @@ signing_key:
 specification_version: 3
 summary: SAML Ruby Tookit
 test_files: 
-- test/ruby-saml_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/settings_test.rb
 - test/test_helper.rb
 - test/xml_security_test.rb