RubyGems - ruby-saml - Versions diffs - 0.9.4 → 1.0.0 - Mend

ruby-saml 0.9.4 → 1.0.0

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (101) hide show

data/test/slo_logoutresponse_test.rb CHANGED

@@ -6,125 +6,109 @@ class SloLogoutresponseTest < Minitest::Test
   describe "SloLogoutresponse" do
     let(:settings) { OneLogin::RubySaml::Settings.new }
+    let(:logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document) }
-    it "create the deflated SAMLResponse URL parameter" do
+    before do
+      settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT'
       settings.idp_slo_target_url = "http://unauth.com/logout"
       settings.name_identifier_value = "f00f00"
       settings.compress_request = true
+      settings.certificate = ruby_saml_cert_text
+      settings.private_key = ruby_saml_key_text
+      logout_request.settings = settings
+    end
-      request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-      assert request.is_valid?
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id)
-      assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLResponse=/
+    it "create the deflated SAMLResponse URL parameter" do
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id)
+      assert_match /^http:\/\/unauth\.com\/logout\?SAMLResponse=/, unauth_url
       inflated = decode_saml_response_payload(unauth_url)
       assert_match /^<samlp:LogoutResponse/, inflated
     end
     it "support additional params" do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-      settings.compress_request = true
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :hello => nil })
+      assert_match /&hello=$/, unauth_url
-      request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :foo => "bar" })
+      assert_match /&foo=bar$/, unauth_url
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id, nil, { :hello => nil })
-      assert unauth_url =~ /&hello=$/
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id, nil, { :foo => "bar" })
-      assert unauth_url =~ /&foo=bar$/
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id, nil, { :RelayState => "http://idp.example.com" })
-      assert unauth_url =~ /&RelayState=http%3A%2F%2Fidp.example.com$/
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, { :RelayState => "http://idp.example.com" })
+      assert_match /&RelayState=http%3A%2F%2Fidp.example.com$/, unauth_url
     end
     it "set InResponseTo to the ID from the logout request" do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-      settings.compress_request = true
-      request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id)
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id)
       inflated = decode_saml_response_payload(unauth_url)
       assert_match /InResponseTo='_c0348950-935b-0131-1060-782bcb56fcaa'/, inflated
     end
     it "set a custom successful logout message on the response" do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-      settings.compress_request = true
-      request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, request.id, "Custom Logout Message")
+      unauth_url = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, "Custom Logout Message")
       inflated = decode_saml_response_payload(unauth_url)
       assert_match /<samlp:StatusMessage>Custom Logout Message<\/samlp:StatusMessage>/, inflated
     end
     describe "when the settings indicate to sign (embedded) logout response" do
-      it "create a signed logout response" do
-        settings = OneLogin::RubySaml::Settings.new
+      before do
         settings.compress_response = false
-        settings.idp_slo_target_url = "http://example.com?field=value"
         settings.security[:logout_responses_signed] = true
         settings.security[:embed_sign] = true
-        settings.certificate  = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
+      end
-        request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, request.id, "Custom Logout Message")
+      it "create a signed logout response" do
+        logout_request.settings = settings
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
         response_xml = Base64.decode64(params["SAMLResponse"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
-        response_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
-        response_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1'\/>/
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1'\/>/, response_xml
       end
       it "create a signed logout response with 256 digest and signature methods" do
-        settings = OneLogin::RubySaml::Settings.new
-        settings.compress_response = false
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        settings.security[:logout_responses_signed] = true
-        settings.security[:embed_sign] = true
         settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+        settings.security[:digest_method] = XMLSecurity::Document::SHA256
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
+        response_xml = Base64.decode64(params["SAMLResponse"])
+        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha256'\/>/, response_xml
+      end
+      it "create a signed logout response with 512 digest and signature method RSA_SHA384" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
         settings.security[:digest_method] = XMLSecurity::Document::SHA512
-        settings.certificate  = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
+        logout_request.settings = settings
-        request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, request.id, "Custom Logout Message")
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message")
         response_xml = Base64.decode64(params["SAMLResponse"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], response_xml
-        response_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
-        response_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
+        assert_match /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha384'\/>/, response_xml
+        assert_match /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#sha512'\/>/, response_xml
       end
     end
     describe "#create_params when the settings indicate to sign the logout response" do
-      def setup
-        @settings = OneLogin::RubySaml::Settings.new
-        @settings.compress_response = false
-        @settings.idp_slo_target_url = "http://example.com?field=value"
-        @settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
-        @settings.security[:logout_responses_signed] = true
-        @settings.security[:embed_sign] = false
-        @settings.certificate  = ruby_saml_cert_text
-        @settings.private_key = ruby_saml_key_text
-        @cert = OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
-        @request = OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document)
+      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+      before do
+        settings.compress_response = false
+        settings.security[:logout_responses_signed] = true
+        settings.security[:embed_sign] = false
       end
       it "create a signature parameter with RSA_SHA1 and validate it" do
         settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(@settings, @request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
         assert params['SAMLResponse']
         assert params[:RelayState]
         assert params['Signature']
@@ -136,13 +120,13 @@ class SloLogoutresponseTest < Minitest::Test
         signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
         assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
       end
-      it "create a signature parameter with RSA_SHA256 and validate it" do
-        @settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+      it "create a signature parameter with RSA_SHA256 /SHA256 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(@settings, @request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
         assert params['SAMLResponse']
         assert params[:RelayState]
         assert params['Signature']
@@ -155,7 +139,45 @@ class SloLogoutresponseTest < Minitest::Test
         signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
         assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert @cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
+      end
+      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
+        params = OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
+        assert params['SAMLResponse']
+        assert params[:RelayState]
+        assert params['Signature']
+        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
+        query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
+        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
+        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
+        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
+        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
       end
     end

data/test/test_helper.rb CHANGED

@@ -1,3 +1,11 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter "test/"
+  add_filter "lib/onelogin/ruby-saml/logging.rb"
+end
+require 'stringio'
 require 'rubygems'
 require 'bundler'
 require 'minitest/autorun'
@@ -8,7 +16,10 @@ Bundler.require :default, :test
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
-ENV["ruby-saml/testing"] = "1"
+require 'onelogin/ruby-saml/logging'
+TEST_LOGGER = Logger.new(StringIO.new)
+OneLogin::RubySaml::Logging.logger = TEST_LOGGER
 class Minitest::Test
   def fixture(document, base64 = true)
@@ -20,74 +31,141 @@ class Minitest::Test
     end
   end
-  def response_document
-    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
-  end
-  def response_document_2
-    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+  def read_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", response))
   end
-  def response_document_3
-    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+  def read_invalid_response(response)
+    File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
   end
-  def response_document_4
-    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+  def read_logout_request(request)
+    File.read(File.join(File.dirname(__FILE__), "logout_requests", request))
   end
-  def response_document_5
-    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+  def read_certificate(certificate)
+    File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
   end
-  def r1_response_document_6
-    @response_document6 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'r1_response6.xml.base64'))
+  def response_document_valid_signed
+    @response_document_valid_signed ||= read_response("valid_response.xml.base64")
   end
-  def ampersands_response
-    @ampersands_response ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+  def response_document_without_recipient
+    @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
   end
-  def response_document_6
-    doc = Base64.decode64(response_document)
+  def response_document_without_recipient_with_time_updated
+    doc = Base64.decode64(response_document_without_recipient)
     doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
     doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
     Base64.encode64(doc)
   end
-  def response_document_7
-    @response_document7 ||= Base64.encode64(File.read(File.join(File.dirname(__FILE__), 'responses', 'response_no_cert_and_encrypted_attrs.xml')))
+  def response_document_without_attributes
+    @response_document_without_attributes ||= read_response("response_without_attributes.xml.base64")
+  end
+  def response_document_with_signed_assertion
+    @response_document_with_signed_assertion ||= read_response("response_with_signed_assertion.xml.base64")
+  end
+  def response_document_with_signed_assertion_2
+    @response_document_with_signed_assertion_2 ||= read_response("response_with_signed_assertion_2.xml.base64")
+  end
+  def response_document_unsigned
+    @response_document_unsigned ||= read_response("response_unsigned_xml_base64")
+  end
+  def response_document_with_saml2_namespace
+    @response_document_with_saml2_namespace ||= read_response("response_with_saml2_namespace.xml.base64")
+  end
+  def ampersands_document
+    @ampersands_response ||= read_response("response_with_ampersands.xml.base64")
+  end
+  def response_document_no_cert_and_encrypted_attrs
+    @response_document_no_cert_and_encrypted_attrs ||= Base64.encode64(read_response("response_no_cert_and_encrypted_attrs.xml"))
+  end
+  def response_document_wrapped
+    @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
+  end
+  def response_document_assertion_wrapped
+    @response_document_assertion_wrapped ||= read_response("response_assertion_wrapped.xml.base64")
+  end
+  def response_document_encrypted_nameid
+    @response_document_encrypted_nameid ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_nameid.xml.base64'))
+  end
+  def signed_message_encrypted_unsigned_assertion
+    @signed_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_unsigned_assertion.xml.base64'))
+  end
+  def signed_message_encrypted_signed_assertion
+    @signed_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_signed_assertion.xml.base64'))
+  end
+  def unsigned_message_encrypted_signed_assertion
+    @unsigned_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_signed_assertion.xml.base64'))
   end
-  def wrapped_response_2
-    @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
+  def unsigned_message_encrypted_unsigned_assertion
+    @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
   end
   def signature_fingerprint_1
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
-  def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+  # certificate used on response_with_undefined_recipient
+  def signature_1
+    @signature1 ||= read_certificate("certificate1")
   end
-  def r1_signature_2
-    @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
+  # certificate used on response_document_with_signed_assertion_2
+  def certificate_without_head_foot
+    @certificate_without_head_foot ||= read_certificate("certificate_without_head_foot")
   end
   def idp_metadata
-    @idp_metadata ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'idp_descriptor.xml'))
+    @idp_metadata ||= read_response("idp_descriptor.xml")
   end
   def logout_request_document
     unless @logout_request_document
-      xml = File.read(File.join(File.dirname(__FILE__), 'responses', 'slo_request.xml'))
+      xml = read_logout_request("slo_request.xml")
       deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
       @logout_request_document = Base64.encode64(deflated)
     end
     @logout_request_document
   end
+  def logout_request_xml_with_session_index
+    @logout_request_xml_with_session_index ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_with_session_index.xml'))
+  end
+  def invalid_logout_request_document
+    unless @invalid_logout_request_document
+      xml = File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'invalid_slo_request.xml'))
+      deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
+      @invalid_logout_request_document = Base64.encode64(deflated)
+    end
+    @invalid_logout_request_document
+  end
+  def logout_request_base64
+    @logout_request_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request.xml.base64'))
+  end
+  def logout_request_deflated_base64
+    @logout_request_deflated_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_deflated.xml.base64'))
+  end
   def ruby_saml_cert
     @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
   end
@@ -97,7 +175,7 @@ class Minitest::Test
   end
   def ruby_saml_cert_text
-    File.read(File.join(File.dirname(__FILE__), 'certificates', 'ruby-saml.crt'))
+    read_certificate("ruby-saml.crt")
   end
   def ruby_saml_key
@@ -105,7 +183,7 @@ class Minitest::Test
   end
   def ruby_saml_key_text
-    File.read(File.join(File.dirname(__FILE__), 'certificates', 'ruby-saml.key'))
+    read_certificate("ruby-saml.key")
   end
   #
@@ -142,4 +220,33 @@ class Minitest::Test
     zstream.close
     inflated
   end
+  SCHEMA_DIR = File.expand_path(File.join(__FILE__, '../../lib/schemas'))
+  #
+  # validate an xml document against the given schema
+  #
+  def validate_xml!(document, schema)
+    Dir.chdir(SCHEMA_DIR) do
+      xsd = if schema.is_a? Nokogiri::XML::Schema
+              schema
+            else
+              Nokogiri::XML::Schema(File.read(schema))
+            end
+      xml = if document.is_a? Nokogiri::XML::Document
+              document
+            else
+              Nokogiri::XML(document) { |c| c.strict }
+            end
+      result = xsd.validate(xml)
+      if result.length != 0
+        raise "Schema validation failed! XSD validation errors: #{result.join(", ")}"
+      else
+        true
+      end
+    end
+  end
 end