ruby-saml 0.8.11 → 0.8.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +7 -7
- data/Gemfile +3 -1
- data/Rakefile +0 -14
- data/lib/onelogin/ruby-saml/response.rb +24 -13
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +1 -2
- data/test/logoutrequest_test.rb +124 -126
- data/test/logoutresponse_test.rb +22 -28
- data/test/response_test.rb +171 -122
- data/test/responses/encrypted_new_attack.xml.base64 +1 -0
- data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
- data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
- data/test/responses/response_wrapped.xml.base64 +150 -0
- data/test/responses/valid_response.xml.base64 +1 -0
- data/test/settings_test.rb +5 -5
- data/test/test_helper.rb +48 -11
- data/test/utils_test.rb +10 -10
- data/test/xml_security_test.rb +34 -36
- metadata +55 -48
data/test/xml_security_test.rb
CHANGED
@@ -1,94 +1,91 @@
|
|
1
|
-
require
|
2
|
-
require 'xml_security'
|
1
|
+
require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
|
3
2
|
|
4
|
-
class XmlSecurityTest < Test
|
3
|
+
class XmlSecurityTest < Minitest::Test
|
5
4
|
include XMLSecurity
|
6
5
|
|
7
|
-
|
8
|
-
|
6
|
+
describe "XmlSecurity" do
|
7
|
+
before do
|
9
8
|
@document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
|
10
9
|
@base64cert = @document.elements["//ds:X509Certificate"].text
|
11
10
|
end
|
12
11
|
|
13
|
-
|
12
|
+
it "should run validate without throwing NS related exceptions" do
|
14
13
|
assert !@document.validate_signature(@base64cert, true)
|
15
14
|
end
|
16
15
|
|
17
|
-
|
18
|
-
|
16
|
+
it "should run validate with throwing NS related exceptions" do
|
17
|
+
assert_raises(OneLogin::RubySaml::ValidationError) do
|
19
18
|
@document.validate_signature(@base64cert, false)
|
20
19
|
end
|
21
20
|
end
|
22
21
|
|
23
|
-
|
24
|
-
|
25
|
-
2.times { @document.validate_signature(@base64cert, true) }
|
26
|
-
end
|
22
|
+
it "not raise an error when softly validating the document multiple times" do
|
23
|
+
2.times { @document.validate_signature(@base64cert, true) }
|
27
24
|
end
|
28
25
|
|
29
|
-
|
30
|
-
exception =
|
26
|
+
it "should raise Fingerprint mismatch" do
|
27
|
+
exception = assert_raises(OneLogin::RubySaml::ValidationError) do
|
31
28
|
@document.validate_document("no:fi:ng:er:pr:in:t", false)
|
32
29
|
end
|
33
30
|
assert_equal("Fingerprint mismatch", exception.message)
|
34
31
|
end
|
35
32
|
|
36
|
-
|
37
|
-
exception =
|
33
|
+
it "should raise Digest mismatch" do
|
34
|
+
exception = assert_raises(OneLogin::RubySaml::ValidationError) do
|
38
35
|
@document.validate_signature(@base64cert, false)
|
39
36
|
end
|
40
37
|
assert_equal("Digest mismatch", exception.message)
|
41
38
|
end
|
42
39
|
|
43
|
-
|
40
|
+
it "should raise Key validation error" do
|
44
41
|
response = Base64.decode64(response_document)
|
45
42
|
response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
|
46
43
|
"<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
|
47
44
|
document = XMLSecurity::SignedDocument.new(response)
|
48
45
|
base64cert = document.elements["//ds:X509Certificate"].text
|
49
|
-
exception =
|
46
|
+
exception = assert_raises(OneLogin::RubySaml::ValidationError) do
|
50
47
|
document.validate_signature(base64cert, false)
|
51
48
|
end
|
52
49
|
assert_equal("Key validation error", exception.message)
|
53
50
|
end
|
54
51
|
|
55
|
-
|
52
|
+
it "raise validation error when the X509Certificate is missing" do
|
56
53
|
response = Base64.decode64(response_document)
|
57
54
|
response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
|
58
55
|
document = XMLSecurity::SignedDocument.new(response)
|
59
|
-
exception =
|
56
|
+
exception = assert_raises(OneLogin::RubySaml::ValidationError) do
|
60
57
|
document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
|
61
58
|
end
|
62
59
|
assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
|
63
60
|
end
|
64
61
|
end
|
65
62
|
|
66
|
-
|
67
|
-
|
63
|
+
describe "Algorithms" do
|
64
|
+
it "validate using SHA1" do
|
68
65
|
@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
|
69
66
|
assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
|
70
67
|
end
|
71
68
|
|
72
|
-
|
69
|
+
it "validate using SHA256" do
|
73
70
|
@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
|
74
71
|
assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
|
75
72
|
end
|
76
73
|
|
77
|
-
|
74
|
+
it "validate using SHA384" do
|
78
75
|
@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
|
79
76
|
assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
|
80
77
|
end
|
81
78
|
|
82
|
-
|
79
|
+
it "validate using SHA512" do
|
83
80
|
@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
|
84
81
|
assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
|
85
82
|
end
|
86
83
|
end
|
87
84
|
|
88
|
-
|
85
|
+
describe "XmlSecurity::SignedDocument" do
|
89
86
|
|
90
|
-
|
91
|
-
|
87
|
+
describe "#extract_inclusive_namespaces" do
|
88
|
+
it "support explicit namespace resolution for exclusive canonicalization" do
|
92
89
|
response = fixture(:open_saml_response, false)
|
93
90
|
document = XMLSecurity::SignedDocument.new(response)
|
94
91
|
inclusive_namespaces = document.send(:extract_inclusive_namespaces)
|
@@ -96,7 +93,7 @@ class XmlSecurityTest < Test::Unit::TestCase
|
|
96
93
|
assert_equal %w[ xs ], inclusive_namespaces
|
97
94
|
end
|
98
95
|
|
99
|
-
|
96
|
+
it "support implicit namespace resolution for exclusive canonicalization" do
|
100
97
|
response = fixture(:no_signature_ns, false)
|
101
98
|
document = XMLSecurity::SignedDocument.new(response)
|
102
99
|
inclusive_namespaces = document.send(:extract_inclusive_namespaces)
|
@@ -104,7 +101,8 @@ class XmlSecurityTest < Test::Unit::TestCase
|
|
104
101
|
assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
|
105
102
|
end
|
106
103
|
|
107
|
-
|
104
|
+
it 'support inclusive canonicalization' do
|
105
|
+
skip('test not yet implemented')
|
108
106
|
|
109
107
|
response = OneLogin::RubySaml::Response.new(fixture("tdnf_response.xml"))
|
110
108
|
response.stubs(:conditions).returns(nil)
|
@@ -117,7 +115,7 @@ class XmlSecurityTest < Test::Unit::TestCase
|
|
117
115
|
assert response.validate!
|
118
116
|
end
|
119
117
|
|
120
|
-
|
118
|
+
it "return an empty list when inclusive namespace element is missing" do
|
121
119
|
response = fixture(:no_signature_ns, false)
|
122
120
|
response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
|
123
121
|
|
@@ -128,27 +126,27 @@ class XmlSecurityTest < Test::Unit::TestCase
|
|
128
126
|
end
|
129
127
|
end
|
130
128
|
|
131
|
-
|
132
|
-
|
129
|
+
describe "StarfieldTMS" do
|
130
|
+
before do
|
133
131
|
@response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
|
134
132
|
@response.settings = OneLogin::RubySaml::Settings.new(
|
135
133
|
:idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
|
136
134
|
)
|
137
135
|
end
|
138
136
|
|
139
|
-
|
137
|
+
it "be able to validate a good response" do
|
140
138
|
Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
|
141
139
|
assert @response.validate!
|
142
140
|
end
|
143
141
|
end
|
144
142
|
|
145
|
-
|
143
|
+
it "fail before response is valid" do
|
146
144
|
Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
|
147
145
|
assert ! @response.is_valid?
|
148
146
|
end
|
149
147
|
end
|
150
148
|
|
151
|
-
|
149
|
+
it "fail after response expires" do
|
152
150
|
Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
|
153
151
|
assert ! @response.is_valid?
|
154
152
|
end
|
metadata
CHANGED
@@ -1,54 +1,49 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: ruby-saml
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.8.
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.8.12
|
5
5
|
platform: ruby
|
6
|
-
authors:
|
6
|
+
authors:
|
7
7
|
- OneLogin LLC
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
|
12
|
-
|
13
|
-
|
11
|
+
|
12
|
+
date: 2020-05-08 00:00:00 Z
|
13
|
+
dependencies:
|
14
|
+
- !ruby/object:Gem::Dependency
|
14
15
|
name: uuid
|
15
|
-
requirement: !ruby/object:Gem::Requirement
|
16
|
-
requirements:
|
17
|
-
- - "~>"
|
18
|
-
- !ruby/object:Gem::Version
|
19
|
-
version: '2.3'
|
20
|
-
type: :runtime
|
21
16
|
prerelease: false
|
22
|
-
|
23
|
-
requirements:
|
24
|
-
- -
|
25
|
-
- !ruby/object:Gem::Version
|
26
|
-
version:
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
name: nokogiri
|
29
|
-
requirement: !ruby/object:Gem::Requirement
|
30
|
-
requirements:
|
31
|
-
- - ">="
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: 1.5.0
|
17
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
18
|
+
requirements:
|
19
|
+
- - ~>
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: "2.3"
|
34
22
|
type: :runtime
|
23
|
+
version_requirements: *id001
|
24
|
+
- !ruby/object:Gem::Dependency
|
25
|
+
name: nokogiri
|
35
26
|
prerelease: false
|
36
|
-
|
37
|
-
requirements:
|
27
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
28
|
+
requirements:
|
38
29
|
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
30
|
+
- !ruby/object:Gem::Version
|
40
31
|
version: 1.5.0
|
32
|
+
type: :runtime
|
33
|
+
version_requirements: *id002
|
41
34
|
description: SAML toolkit for Ruby on Rails
|
42
35
|
email: support@onelogin.com
|
43
36
|
executables: []
|
37
|
+
|
44
38
|
extensions: []
|
45
|
-
|
39
|
+
|
40
|
+
extra_rdoc_files:
|
46
41
|
- LICENSE
|
47
42
|
- README.md
|
48
|
-
files:
|
49
|
-
-
|
50
|
-
-
|
51
|
-
-
|
43
|
+
files:
|
44
|
+
- .document
|
45
|
+
- .gitignore
|
46
|
+
- .travis.yml
|
52
47
|
- Gemfile
|
53
48
|
- LICENSE
|
54
49
|
- README.md
|
@@ -86,6 +81,7 @@ files:
|
|
86
81
|
- test/responses/adfs_response_sha256.xml
|
87
82
|
- test/responses/adfs_response_sha384.xml
|
88
83
|
- test/responses/adfs_response_sha512.xml
|
84
|
+
- test/responses/encrypted_new_attack.xml.base64
|
89
85
|
- test/responses/logoutresponse_fixtures.rb
|
90
86
|
- test/responses/no_signature_ns.xml
|
91
87
|
- test/responses/open_saml_response.xml
|
@@ -99,10 +95,14 @@ files:
|
|
99
95
|
- test/responses/response_node_text_attack.xml.base64
|
100
96
|
- test/responses/response_with_ampersands.xml
|
101
97
|
- test/responses/response_with_ampersands.xml.base64
|
98
|
+
- test/responses/response_with_concealed_signed_assertion.xml
|
99
|
+
- test/responses/response_with_doubled_signed_assertion.xml
|
102
100
|
- test/responses/response_with_multiple_attribute_statements.xml
|
103
101
|
- test/responses/response_with_multiple_attribute_values.xml
|
102
|
+
- test/responses/response_wrapped.xml.base64
|
104
103
|
- test/responses/simple_saml_php.xml
|
105
104
|
- test/responses/starfield_response.xml.base64
|
105
|
+
- test/responses/valid_response.xml.base64
|
106
106
|
- test/responses/wrapped_response_2.xml.base64
|
107
107
|
- test/settings_test.rb
|
108
108
|
- test/slo_logoutresponse_test.rb
|
@@ -111,29 +111,31 @@ files:
|
|
111
111
|
- test/xml_security_test.rb
|
112
112
|
homepage: http://github.com/onelogin/ruby-saml
|
113
113
|
licenses: []
|
114
|
+
|
114
115
|
metadata: {}
|
116
|
+
|
115
117
|
post_install_message:
|
116
|
-
rdoc_options:
|
117
|
-
-
|
118
|
-
require_paths:
|
118
|
+
rdoc_options:
|
119
|
+
- --charset=UTF-8
|
120
|
+
require_paths:
|
119
121
|
- lib
|
120
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
121
|
-
requirements:
|
122
|
-
-
|
123
|
-
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
version: '0'
|
122
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
123
|
+
requirements:
|
124
|
+
- &id003
|
125
|
+
- ">="
|
126
|
+
- !ruby/object:Gem::Version
|
127
|
+
version: "0"
|
128
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
129
|
+
requirements:
|
130
|
+
- *id003
|
130
131
|
requirements: []
|
132
|
+
|
131
133
|
rubyforge_project: http://www.rubygems.org/gems/ruby-saml
|
132
|
-
rubygems_version: 2.
|
134
|
+
rubygems_version: 2.7.7
|
133
135
|
signing_key:
|
134
136
|
specification_version: 4
|
135
137
|
summary: SAML Ruby Tookit
|
136
|
-
test_files:
|
138
|
+
test_files:
|
137
139
|
- test/certificates/certificate1
|
138
140
|
- test/certificates/r1_certificate2_base64
|
139
141
|
- test/certificates/ruby-saml.crt
|
@@ -146,6 +148,7 @@ test_files:
|
|
146
148
|
- test/responses/adfs_response_sha256.xml
|
147
149
|
- test/responses/adfs_response_sha384.xml
|
148
150
|
- test/responses/adfs_response_sha512.xml
|
151
|
+
- test/responses/encrypted_new_attack.xml.base64
|
149
152
|
- test/responses/logoutresponse_fixtures.rb
|
150
153
|
- test/responses/no_signature_ns.xml
|
151
154
|
- test/responses/open_saml_response.xml
|
@@ -159,10 +162,14 @@ test_files:
|
|
159
162
|
- test/responses/response_node_text_attack.xml.base64
|
160
163
|
- test/responses/response_with_ampersands.xml
|
161
164
|
- test/responses/response_with_ampersands.xml.base64
|
165
|
+
- test/responses/response_with_concealed_signed_assertion.xml
|
166
|
+
- test/responses/response_with_doubled_signed_assertion.xml
|
162
167
|
- test/responses/response_with_multiple_attribute_statements.xml
|
163
168
|
- test/responses/response_with_multiple_attribute_values.xml
|
169
|
+
- test/responses/response_wrapped.xml.base64
|
164
170
|
- test/responses/simple_saml_php.xml
|
165
171
|
- test/responses/starfield_response.xml.base64
|
172
|
+
- test/responses/valid_response.xml.base64
|
166
173
|
- test/responses/wrapped_response_2.xml.base64
|
167
174
|
- test/settings_test.rb
|
168
175
|
- test/slo_logoutresponse_test.rb
|