ruby-saml 0.8.12


Files changed (70)
  1. checksums.yaml +7 -0
  2. data/.document +5 -0
  3. data/.gitignore +12 -0
  4. data/.travis.yml +11 -0
  5. data/Gemfile +37 -0
  6. data/LICENSE +19 -0
  7. data/README.md +160 -0
  8. data/Rakefile +27 -0
  9. data/changelog.md +24 -0
  10. data/lib/onelogin/ruby-saml/attributes.rb +147 -0
  11. data/lib/onelogin/ruby-saml/authrequest.rb +168 -0
  12. data/lib/onelogin/ruby-saml/logging.rb +26 -0
  13. data/lib/onelogin/ruby-saml/logoutrequest.rb +161 -0
  14. data/lib/onelogin/ruby-saml/logoutresponse.rb +153 -0
  15. data/lib/onelogin/ruby-saml/metadata.rb +66 -0
  16. data/lib/onelogin/ruby-saml/response.rb +426 -0
  17. data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
  18. data/lib/onelogin/ruby-saml/settings.rb +166 -0
  19. data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +158 -0
  20. data/lib/onelogin/ruby-saml/utils.rb +119 -0
  21. data/lib/onelogin/ruby-saml/validation_error.rb +7 -0
  22. data/lib/onelogin/ruby-saml/version.rb +5 -0
  23. data/lib/ruby-saml.rb +12 -0
  24. data/lib/schemas/saml20assertion_schema.xsd +283 -0
  25. data/lib/schemas/saml20protocol_schema.xsd +302 -0
  26. data/lib/schemas/xenc_schema.xsd +146 -0
  27. data/lib/schemas/xmldsig_schema.xsd +318 -0
  28. data/lib/xml_security.rb +292 -0
  29. data/ruby-saml.gemspec +28 -0
  30. data/test/certificates/certificate1 +12 -0
  31. data/test/certificates/r1_certificate2_base64 +1 -0
  32. data/test/certificates/ruby-saml.crt +14 -0
  33. data/test/certificates/ruby-saml.key +15 -0
  34. data/test/logoutrequest_test.rb +244 -0
  35. data/test/logoutresponse_test.rb +112 -0
  36. data/test/request_test.rb +229 -0
  37. data/test/response_test.rb +475 -0
  38. data/test/responses/adfs_response_sha1.xml +46 -0
  39. data/test/responses/adfs_response_sha256.xml +46 -0
  40. data/test/responses/adfs_response_sha384.xml +46 -0
  41. data/test/responses/adfs_response_sha512.xml +46 -0
  42. data/test/responses/encrypted_new_attack.xml.base64 +1 -0
  43. data/test/responses/logoutresponse_fixtures.rb +67 -0
  44. data/test/responses/no_signature_ns.xml +48 -0
  45. data/test/responses/open_saml_response.xml +56 -0
  46. data/test/responses/r1_response6.xml.base64 +1 -0
  47. data/test/responses/response1.xml.base64 +1 -0
  48. data/test/responses/response2.xml.base64 +79 -0
  49. data/test/responses/response3.xml.base64 +66 -0
  50. data/test/responses/response4.xml.base64 +93 -0
  51. data/test/responses/response5.xml.base64 +102 -0
  52. data/test/responses/response_eval.xml +7 -0
  53. data/test/responses/response_node_text_attack.xml.base64 +1 -0
  54. data/test/responses/response_with_ampersands.xml +139 -0
  55. data/test/responses/response_with_ampersands.xml.base64 +93 -0
  56. data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
  57. data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
  58. data/test/responses/response_with_multiple_attribute_statements.xml +72 -0
  59. data/test/responses/response_with_multiple_attribute_values.xml +67 -0
  60. data/test/responses/response_wrapped.xml.base64 +150 -0
  61. data/test/responses/simple_saml_php.xml +71 -0
  62. data/test/responses/starfield_response.xml.base64 +1 -0
  63. data/test/responses/valid_response.xml.base64 +1 -0
  64. data/test/responses/wrapped_response_2.xml.base64 +150 -0
  65. data/test/settings_test.rb +47 -0
  66. data/test/slo_logoutresponse_test.rb +226 -0
  67. data/test/test_helper.rb +155 -0
  68. data/test/utils_test.rb +41 -0
  69. data/test/xml_security_test.rb +158 -0
  70. metadata +178 -0
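--- /dev/null
+++ b/data/test/utils_test.rb
@@ -0,0 +1,41 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class UtilsTest < Minitest::Test
+describe "Utils" do
+describe 'element_text' do
+it 'returns the element text' do
+element = REXML::Document.new('<element>element text</element>').elements.first
+assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
+end
+
+it 'returns all segments of the element text' do
+element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
+assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
+end
+
+it 'returns normalized element text' do
+element = REXML::Document.new('<element>element &amp; text</element>').elements.first
+assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
+end
+
+it 'returns the CDATA element text' do
+element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
+assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
+end
+
+it 'returns the element text with newlines and additional whitespace' do
+element = REXML::Document.new("<element> element \n text </element>").elements.first
+assert_equal " element \n text ", OneLogin::RubySaml::Utils.element_text(element)
+end
+
+it 'returns nil when element is nil' do
+assert_nil OneLogin::RubySaml::Utils.element_text(nil)
+end
+
+it 'returns empty string when element has no text' do
+element = REXML::Document.new('<element></element>').elements.first
+assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
+end
+end
+end
+end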
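Review bot: None of the element_text cases covers mixed content — an element whose text is split around a child element — so this suite would not notice if element_text began (or stopped) folding text from nested children into the result, which is the kind of ambiguity that matters when the returned string is later compared against a signed value; the `response_node_text_attack.xml.base64` fixture shipped in this release suggests the project already treats that shape as relevant. Add a case such as `element = REXML::Document.new('<element>a<child>b</child>c</element>').elements.first` and pin the value utils.rb is meant to return (presumably `'ac'` if only the element's own Text nodes are joined — confirm against the implementation, which is outside this section). As a point of style, `require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))` can be written `require_relative "test_helper"`; the same line opens the xml_security_test.rb section.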
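--- /dev/null
+++ b/data/test/xml_security_test.rb
@@ -0,0 +1,158 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class XmlSecurityTest < Minitest::Test
+include XMLSecurity
+
+describe "XmlSecurity" do
+before do
+@document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+@base64cert = @document.elements["//ds:X509Certificate"].text
+end
+
+it "should run validate without throwing NS related exceptions" do
+assert !@document.validate_signature(@base64cert, true)
+end
+
+it "should run validate with throwing NS related exceptions" do
+assert_raises(OneLogin::RubySaml::ValidationError) do
+@document.validate_signature(@base64cert, false)
+end
+end
+
+it "not raise an error when softly validating the document multiple times" do
+2.times { @document.validate_signature(@base64cert, true) }
+end
+
+it "should raise Fingerprint mismatch" do
+exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+@document.validate_document("no:fi:ng:er:pr:in:t", false)
+end
+assert_equal("Fingerprint mismatch", exception.message)
+end
+
+it "should raise Digest mismatch" do
+exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+@document.validate_signature(@base64cert, false)
+end
+assert_equal("Digest mismatch", exception.message)
+end
+
+it "should raise Key validation error" do
+response = Base64.decode64(response_document)
+response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+"<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
+document = XMLSecurity::SignedDocument.new(response)
+base64cert = document.elements["//ds:X509Certificate"].text
+exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+document.validate_signature(base64cert, false)
+end
+assert_equal("Key validation error", exception.message)
+end
+
+it "raise validation error when the X509Certificate is missing" do
+response = Base64.decode64(response_document)
+response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+document = XMLSecurity::SignedDocument.new(response)
+exception = assert_raises(OneLogin::RubySaml::ValidationError) do
+document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
+end
+assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+end
+end
+
+describe "Algorithms" do
+it "validate using SHA1" do
+@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+end
+
+it "validate using SHA256" do
+@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+assert @document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+end
+
+it "validate using SHA384" do
+@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+end
+
+it "validate using SHA512" do
+@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+assert @document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+end
+end
+
+describe "XmlSecurity::SignedDocument" do
+
+describe "#extract_inclusive_namespaces" do
+it "support explicit namespace resolution for exclusive canonicalization" do
+response = fixture(:open_saml_response, false)
+document = XMLSecurity::SignedDocument.new(response)
+inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+assert_equal %w[ xs ], inclusive_namespaces
+end
+
+it "support implicit namespace resolution for exclusive canonicalization" do
+response = fixture(:no_signature_ns, false)
+document = XMLSecurity::SignedDocument.new(response)
+inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+end
+
+it 'support inclusive canonicalization' do
+skip('test not yet implemented')
+
+response = OneLogin::RubySaml::Response.new(fixture("tdnf_response.xml"))
+response.stubs(:conditions).returns(nil)
+assert !response.is_valid?
+settings = OneLogin::RubySaml::Settings.new
+assert !response.is_valid?
+response.settings = settings
+assert !response.is_valid?
+settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
+assert response.validate!
+end
+
+it "return an empty list when inclusive namespace element is missing" do
+response = fixture(:no_signature_ns, false)
+response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+
+document = XMLSecurity::SignedDocument.new(response)
+inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+assert inclusive_namespaces.empty?
+end
+end
+
+describe "StarfieldTMS" do
+before do
+@response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
+@response.settings = OneLogin::RubySaml::Settings.new(
+:idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
+)
+end
+
+it "be able to validate a good response" do
+Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
+assert @response.validate!
+end
+end
+
+it "fail before response is valid" do
+Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
+assert ! @response.is_valid?
+end
+end
+
+it "fail after response expires" do
+Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
+assert ! @response.is_valid?
+end
+end
+end
+
+end
+
+end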
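Review bot: The skipped 'support inclusive canonicalization' case loads `fixture("tdnf_response.xml")`, but no such fixture appears in this release's file list or in metadata's `files:` entries, so the test cannot be un-skipped without also adding the fixture; either ship it or remove the dead body rather than leave a `skip` that conceals a missing dependency. It also relies on `response.stubs(:conditions)`, a stubbing style no other case in this file uses, so enabling it would additionally depend on a mocking library being loaded by test_helper (not visible here). Separately, both `#extract_inclusive_namespaces` cases reach the private method via `document.send(...)`; a short comment such as `# private helper exercised directly: it parses the InclusiveNamespaces PrefixList used for exclusive canonicalization` would tell a reader why that coupling is accepted.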
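--- /dev/null
+++ b/metadata
@@ -0,0 +1,178 @@
+--- !ruby/object:Gem::Specification
+name: ruby-saml
+version: !ruby/object:Gem::Version
+version: 0.8.12
+platform: ruby
+authors:
+- OneLogin LLC
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2020-05-08 00:00:00 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: uuid
+prerelease: false
+requirement: &id001 !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: "2.3"
+type: :runtime
+version_requirements: *id001
+- !ruby/object:Gem::Dependency
+name: nokogiri
+prerelease: false
+requirement: &id002 !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.5.0
+type: :runtime
+version_requirements: *id002
+description: SAML toolkit for Ruby on Rails
+email: support@onelogin.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files:
+- LICENSE
+- README.md
+files:
+- .document
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- changelog.md
+- lib/onelogin/ruby-saml/attributes.rb
+- lib/onelogin/ruby-saml/authrequest.rb
+- lib/onelogin/ruby-saml/logging.rb
+- lib/onelogin/ruby-saml/logoutrequest.rb
+- lib/onelogin/ruby-saml/logoutresponse.rb
+- lib/onelogin/ruby-saml/metadata.rb
+- lib/onelogin/ruby-saml/response.rb
+- lib/onelogin/ruby-saml/setting_error.rb
+- lib/onelogin/ruby-saml/settings.rb
+- lib/onelogin/ruby-saml/slo_logoutresponse.rb
+- lib/onelogin/ruby-saml/utils.rb
+- lib/onelogin/ruby-saml/validation_error.rb
+- lib/onelogin/ruby-saml/version.rb
+- lib/ruby-saml.rb
+- lib/schemas/saml20assertion_schema.xsd
+- lib/schemas/saml20protocol_schema.xsd
+- lib/schemas/xenc_schema.xsd
+- lib/schemas/xmldsig_schema.xsd
+- lib/xml_security.rb
+- ruby-saml.gemspec
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/certificates/ruby-saml.crt
+- test/certificates/ruby-saml.key
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/encrypted_new_attack.xml.base64
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_eval.xml
+- test/responses/response_node_text_attack.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/response_with_concealed_signed_assertion.xml
+- test/responses/response_with_doubled_signed_assertion.xml
+- test/responses/response_with_multiple_attribute_statements.xml
+- test/responses/response_with_multiple_attribute_values.xml
+- test/responses/response_wrapped.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/valid_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/slo_logoutresponse_test.rb
+- test/test_helper.rb
+- test/utils_test.rb
+- test/xml_security_test.rb
+homepage: http://github.com/onelogin/ruby-saml
+licenses: []
+
+metadata: {}
+
+post_install_message:
+rdoc_options:
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- &id003
+- ">="
+- !ruby/object:Gem::Version
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- *id003
+requirements: []
+
+rubyforge_project: http://www.rubygems.org/gems/ruby-saml
+rubygems_version: 2.7.7
+signing_key:
+specification_version: 4
+summary: SAML Ruby Tookit
+test_files:
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/certificates/ruby-saml.crt
+- test/certificates/ruby-saml.key
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/encrypted_new_attack.xml.base64
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_eval.xml
+- test/responses/response_node_text_attack.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/response_with_concealed_signed_assertion.xml
+- test/responses/response_with_doubled_signed_assertion.xml
+- test/responses/response_with_multiple_attribute_statements.xml
+- test/responses/response_with_multiple_attribute_values.xml
+- test/responses/response_wrapped.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/valid_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/slo_logoutresponse_test.rb
+- test/test_helper.rb
+- test/utils_test.rb
+- test/xml_security_test.rb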