ruby-saml 1.1.0 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +28 -29
- data/test/response_test.rb +9 -0
- data/test/responses/response_with_signed_message_and_assertion.xml +34 -0
- data/test/xml_security_test.rb +15 -2
- metadata +36 -72
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 6fb3836e492ba5fa2faa139d8985ff83e87fc8f4
|
|
4
|
+
data.tar.gz: 0fd231fd67a7a1bd5cfcf2e7413813e465b0fa54
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: a931f544427ae080827ba9a21a2f14115ccd36588a5bd32cbf9017c6989b22878f8f21c87f8cd1c17451f67d8f162a2887b1f50810aba0806e33d15d0d1b61c5
|
|
7
|
+
data.tar.gz: 79639d6aa3edd230d080e24a3ce57bda7609ecb9ad460578b7a4ee79b9d904993918a7d5a68d94b1fea13566e625b0c3f386c2626354d658cac09fc5003f79f8
|
data/lib/xml_security.rb
CHANGED
|
@@ -286,35 +286,34 @@ module XMLSecurity
|
|
|
286
286
|
inclusive_namespaces = extract_inclusive_namespaces
|
|
287
287
|
|
|
288
288
|
# check digests
|
|
289
|
-
REXML::XPath.
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
316
|
-
|
|
317
|
-
end
|
|
289
|
+
ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
|
|
290
|
+
uri = ref.attributes.get_attribute("URI").value
|
|
291
|
+
|
|
292
|
+
hashed_element = uri.empty? ? document : document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
|
|
293
|
+
# hashed_element = document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
|
|
294
|
+
canon_algorithm = canon_algorithm REXML::XPath.first(
|
|
295
|
+
ref,
|
|
296
|
+
'//ds:CanonicalizationMethod',
|
|
297
|
+
{ "ds" => DSIG }
|
|
298
|
+
)
|
|
299
|
+
canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
|
|
300
|
+
|
|
301
|
+
digest_algorithm = algorithm(REXML::XPath.first(
|
|
302
|
+
ref,
|
|
303
|
+
"//ds:DigestMethod",
|
|
304
|
+
{ "ds" => DSIG }
|
|
305
|
+
))
|
|
306
|
+
hash = digest_algorithm.digest(canon_hashed_element)
|
|
307
|
+
encoded_digest_value = REXML::XPath.first(
|
|
308
|
+
ref,
|
|
309
|
+
"//ds:DigestValue",
|
|
310
|
+
{ "ds" => DSIG }
|
|
311
|
+
).text
|
|
312
|
+
digest_value = Base64.decode64(encoded_digest_value)
|
|
313
|
+
|
|
314
|
+
unless digests_match?(hash, digest_value)
|
|
315
|
+
@errors << "Digest mismatch"
|
|
316
|
+
return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
|
|
318
317
|
end
|
|
319
318
|
|
|
320
319
|
# get certificate object
|
data/test/response_test.rb
CHANGED
|
@@ -682,6 +682,15 @@ class RubySamlTest < Minitest::Test
|
|
|
682
682
|
assert_empty response_with_ds_namespace_at_the_root.errors
|
|
683
683
|
end
|
|
684
684
|
|
|
685
|
+
it "return true when the signature is valid and fingerprint provided" do
|
|
686
|
+
settings.idp_cert_fingerprint = '49:EC:3F:A4:71:8A:1E:C9:DB:70:A7:CC:33:36:96:F0:48:8C:4E:DA'
|
|
687
|
+
xml = 'PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL2NvZGVycGFkLmlvL3NhbWwvYWNzIiBJRD0iXzEwOGE1ZTg0MDllYzRjZjlhY2QxYzQ2OWU5ZDcxNGFkIiBJblJlc3BvbnNlVG89Il80ZmZmYWE2MC02OTZiLTAxMzMtMzg4Ni0wMjQxZjY1YzA2OTMiIElzc3VlSW5zdGFudD0iMjAxNS0xMS0wOVQyMzo1NTo0M1oiIFZlcnNpb249IjIuMCI+PHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHBzOi8vbG9naW4uaHVsdS5jb208L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOkNhbm9uaWNhbGl6YXRpb25NZXRob2Q+PGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSI+PC9kczpTaWduYXR1cmVNZXRob2Q+PGRzOlJlZmVyZW5jZSBVUkk9IiNfMTA4YTVlODQwOWVjNGNmOWFjZDFjNDY5ZTlkNzE0YWQiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI+PC9kczpUcmFuc2Zvcm0+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI+PC9kczpUcmFuc2Zvcm0+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSI+PC9kczpEaWdlc3RNZXRob2Q+PGRzOkRpZ2VzdFZhbHVlPm9sQllXbTQyRi9oZm0xdHJYTHk2a3V6MXlMUT08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU+dXNRTmY5WGpKTDRlOXVucnVCdWViSnQ3R0tXM2hJUk9teWVqTm1NMHM4WFhlWHN3WHc4U3ZCZi8zeDNNWEpkWnpNV0pOM3ExN2tGWHN2bTVna1JzbkE9PTwvZHM6U2lnbmF0dXJlVmFsdWU+PGRzOktleUluZm8+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQ1FEQ0NBZXFnQXdJQkFnSUpBSVZOdzVLRzR1aTFNQTBHQ1NxR1NJYjNEUUVCQlFVQU1Fd3hDekFKQmdOVkJBWVRBa2RDTVJJd0VBWURWUVFJRXdsQ1pYSnJjMmhwY21VeEVEQU9CZ05WQkFjVEIwNWxkMkoxY25reEZ6QVZCZ05WQkFvVERrMTVJRU52YlhCaGJua2dUSFJrTUI0WERURXlNVEF5TlRBMk1qY3pORm9YRFRJeU1UQXlNekEyTWpjek5Gb3dUREVMTUFrR0ExVUVCaE1DUjBJeEVqQVFCZ05WQkFnVENVSmxjbXR6YUdseVpURVFNQTRHQTFVRUJ4TUhUbVYzWW5WeWVURVhNQlVHQTFVRUNoTU9UWGtnUTI5dGNHRnVlU0JNZEdRd1hEQU5CZ2txaGtpRzl3MEJBUUVGQUFOTEFEQklBa0VBd1NOL2dpMzNSbXBBUW9MUWo3UDZ6QW5OVDBSbjdiakMzMjNuM3ExT25mdm52UjBmUWp2TnQ3ckRrQTVBdjVRbk02VjRZVU5Vbk1mYk9RcTBXTGJMU3dJREFRQUJvNEd1TUlHck1CMEdBMVVkRGdRV0JCUWZJSDFvZkJWcHNSQWNJTUsyaGJsN25nTVRZREI4QmdOVkhTTUVkVEJ6Z0JRZklIMW9mQlZwc1JBY0lNSzJoYmw3bmdNVFlLRlFwRTR3VERFTE1Ba0dBMVVFQmhNQ1IwSXhFakFRQmdOVkJBZ1RDVUpsY210emFHbHlaVEVRTUE0R0ExVUVCeE1IVG1WM1luVnllVEVYTUJVR0ExVUVDaE1PVFhrZ1EyOXRjR0Z1ZVNCTWRHU0NDUUNGVGNPU2h1TG90VEFNQmdOVkhSTUVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJCUVVBQTBFQXFvZ1YzdVBjbEtYRG1EWk1UN3ZsUFl4TEFxQ0dIWnRsQ3h6NGhNNEtTdGxEMi9HTmMxWGlMYjFoL0swQ0pMRG9zckVJYm0zd2lPMk12VEVSclZZU01RPT08L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiPjwvc2FtbHA6U3RhdHVzQ29kZT48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il8wMTg4MmRhOTM2OTQ0ZDFlYTZlZmY0NDA2NTc2MzFiNSIgSXNzdWVJbnN0YW50PSIyMDE1LTExLTA5VDIzOjU1OjQzWiIgVmVyc2lvbj0iMi4wIj48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9sb2dpbi5odWx1LmNvbTwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlNpZ25lZEluZm8+PGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIj48L2RzOlNpZ25hdHVyZU1ldGhvZD48ZHM6UmVmZXJlbmNlIFVSST0iI18wMTg4MmRhOTM2OTQ0ZDFlYTZlZmY0NDA2NTc2MzFiNSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIj48L2RzOlRyYW5zZm9ybT48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM+PGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIj48L2RzOkRpZ2VzdE1ldGhvZD48ZHM6RGlnZXN0VmFsdWU+cmo2YzhucC9BUmV0ZkJ1dWVOSzNPS0xDYnowPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5hR05FemZHM1dLcExKc2ZLRGJSNmpva2d6OEFnZ0FIRVVESEZyd0dsTHVQeWpyNEl3M09NcFNkV2gyL01YK1F3M1dPTk5mNHJNalh5TGVZSFJIVGpMQT09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDUURDQ0FlcWdBd0lCQWdJSkFJVk53NUtHNHVpMU1BMEdDU3FHU0liM0RRRUJCUVVBTUV3eEN6QUpCZ05WQkFZVEFrZENNUkl3RUFZRFZRUUlFd2xDWlhKcmMyaHBjbVV4RURBT0JnTlZCQWNUQjA1bGQySjFjbmt4RnpBVkJnTlZCQW9URGsxNUlFTnZiWEJoYm5rZ1RIUmtNQjRYRFRFeU1UQXlOVEEyTWpjek5Gb1hEVEl5TVRBeU16QTJNamN6TkZvd1RERUxNQWtHQTFVRUJoTUNSMEl4RWpBUUJnTlZCQWdUQ1VKbGNtdHphR2x5WlRFUU1BNEdBMVVFQnhNSFRtVjNZblZ5ZVRFWE1CVUdBMVVFQ2hNT1RYa2dRMjl0Y0dGdWVTQk1kR1F3WERBTkJna3Foa2lHOXcwQkFRRUZBQU5MQURCSUFrRUF3U04vZ2kzM1JtcEFRb0xRajdQNnpBbk5UMFJuN2JqQzMyM24zcTFPbmZ2bnZSMGZRanZOdDdyRGtBNUF2NVFuTTZWNFlVTlVuTWZiT1FxMFdMYkxTd0lEQVFBQm80R3VNSUdyTUIwR0ExVWREZ1FXQkJRZklIMW9mQlZwc1JBY0lNSzJoYmw3bmdNVFlEQjhCZ05WSFNNRWRUQnpnQlFmSUgxb2ZCVnBzUkFjSU1LMmhibDduZ01UWUtGUXBFNHdUREVMTUFrR0ExVUVCaE1DUjBJeEVqQVFCZ05WQkFnVENVSmxjbXR6YUdseVpURVFNQTRHQTFVRUJ4TUhUbVYzWW5WeWVURVhNQlVHQTFVRUNoTU9UWGtnUTI5dGNHRnVlU0JNZEdTQ0NRQ0ZUY09TaHVMb3RUQU1CZ05WSFJNRUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkJRVUFBMEVBcW9nVjN1UGNsS1hEbURaTVQ3dmxQWXhMQXFDR0hadGxDeHo0aE00S1N0bEQyL0dOYzFYaUxiMWgvSzBDSkxEb3NyRUlibTN3aU8yTXZURVJyVllTTVE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE+PC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q+PHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNzIiBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vY29kZXJwYWQuaW8iPm1hdHQuanVyaWtAaHVsdS5jb208L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Il80ZmZmYWE2MC02OTZiLTAxMzMtMzg4Ni0wMjQxZjY1YzA2OTMiIE5vdE9uT3JBZnRlcj0iMjAxNS0xMS0xMFQwMDoxMDo0M1oiIFJlY2lwaWVudD0iaHR0cHM6Ly9jb2RlcnBhZC5pby9zYW1sL2FjcyI+PC9zYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDE1LTExLTA5VDIyOjU1OjQzWiIgTm90T25PckFmdGVyPSIyMDE1LTExLTEwVDAwOjEwOjQzWiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL2NvZGVycGFkLmlvPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNS0xMS0wOVQyMzo1NTo0M1oiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9IkdpdmVuLW5hbWUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlPk1hdHQ8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iU3VybmFtZSI+PHNhbWw6QXR0cmlidXRlVmFsdWU+SnVyaWs8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iRW1haWwiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlPm1hdHQuanVyaWtAaHVsdS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4='
|
|
688
|
+
response_x = OneLogin::RubySaml::Response.new(xml)
|
|
689
|
+
response_x.settings = settings
|
|
690
|
+
assert response_x.send(:validate_signature)
|
|
691
|
+
assert_empty response_x.errors
|
|
692
|
+
end
|
|
693
|
+
|
|
685
694
|
it "return false when no fingerprint" do
|
|
686
695
|
settings.idp_cert_fingerprint = nil
|
|
687
696
|
settings.idp_cert = nil
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="pfx0a3cfa31-f178-71f2-9b94-ad4047591acc" Version="2.0" IssueInstant="2012-04-04T07:33:10.921Z" Destination="https://example.com/endpoint">
|
|
3
|
+
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp.example.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
4
|
+
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
5
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
6
|
+
<ds:Reference URI="#pfx0a3cfa31-f178-71f2-9b94-ad4047591acc"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hi2Ouec0ovl90Cz+OXAP6FD5X70=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>tJiaa5aZNzLFbBiIsyc0MBI4G1caG+gOW0joGlbMAyY86ERaDwDi1sz98+vykZOgjwkfZLT7K/AScdmp27PsaN4+NpLFRv/fUDyzKwjnDKMEzMBLi5nxDXVlYk1q5RCZbsV0W0He28Kl/+xwHP722CI/eWByU3rmR2H2wej8zZY=</ds:SignatureValue>
|
|
7
|
+
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMIT25lTG9naW4xDDAKBgNVBAsTA0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMxODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTjEVMBMGA1UEBxMMSW5kaWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UECxMDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5PckwsNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MPdyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zdqHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZFhdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUSXxnzQxwcm/9PwAqrQaA3QpQkH57ybF/OoryPe+2h</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
|
|
8
|
+
<samlp:Status>
|
|
9
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
10
|
+
</samlp:Status>
|
|
11
|
+
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2012-04-04T07:33:10.923Z" ID="pfx7fca52d6-8991-5d99-3147-4f9d7c278d78">
|
|
12
|
+
<saml:Issuer>idp.myexample.org</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
13
|
+
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
14
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
15
|
+
<ds:Reference URI="#pfx7fca52d6-8991-5d99-3147-4f9d7c278d78"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>FA0AbR4w9oYdx7MFjERARVJAHps=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>GDH5jhCNX9PFxW+71SOJPyusAOwzECwmd57NDhvA/VKWHnV3PpvpNkOLyamoBNdZ4qxponnobg2zneLESrFnLJdJ1cgs51YvtBJTxKoA7oZMMNKReZFST8g7pDdrBC82n5rTdzxclaJkpwz1yjcho3K3TjxK+gU1svVrEKMUwyo=</ds:SignatureValue>
|
|
16
|
+
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICGzCCAYQCCQCNNcQXom32VDANBgkqhkiG9w0BAQUFADBSMQswCQYDVQQGEwJVUzELMAkGA1UECBMCSU4xFTATBgNVBAcTDEluZGlhbmFwb2xpczERMA8GA1UEChMIT25lTG9naW4xDDAKBgNVBAsTA0VuZzAeFw0xNDA0MjMxODQxMDFaFw0xNTA0MjMxODQxMDFaMFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJJTjEVMBMGA1UEBxMMSW5kaWFuYXBvbGlzMREwDwYDVQQKEwhPbmVMb2dpbjEMMAoGA1UECxMDRW5nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo6m+QZvYQ/xL0ElLgupK1QDcYL4f5PckwsNgS9pUvV7fzTqCHk8ThLxTk42MQ2McJsOeUJVP728KhymjFCqxgP4VuwRk9rpAl0+mhy6MPdyjyA6G14jrDWS65ysLchK4t/vwpEDz0SQlEoG1kMzllSm7zZS3XregA7DjNaUYQqwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBALM2vGCiQ/vm+a6v40+VX2zdqHA2Q/1vF1ibQzJ54MJCOVWvs+vQXfZFhdm0OPM2IrDU7oqvKPqP6xOAeJK6H0yP7M4YL3fatSvIYmmfyXC9kt3Svz/NyrHzPhUnJ0ye/sUSXxnzQxwcm/9PwAqrQaA3QpQkH57ybF/OoryPe+2h</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
|
|
17
|
+
<saml:Subject>
|
|
18
|
+
<saml:NameID NameQualifier="idp.example.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.org</saml:NameID>
|
|
19
|
+
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
20
|
+
<saml:SubjectConfirmationData Recipient="https://example.com/endpoint" InResponseTo="_f7201940-6055-012f-3bc1-782bcb13c426"/>
|
|
21
|
+
</saml:SubjectConfirmation>
|
|
22
|
+
</saml:Subject>
|
|
23
|
+
<saml:Conditions NotBefore="2012-04-04T07:28:11.442Z" NotOnOrAfter="2012-04-04T07:38:11.442Z">
|
|
24
|
+
<saml:AudienceRestriction>
|
|
25
|
+
<saml:Audience>example.com</saml:Audience>
|
|
26
|
+
</saml:AudienceRestriction>
|
|
27
|
+
</saml:Conditions>
|
|
28
|
+
<saml:AuthnStatement AuthnInstant="2012-04-04T07:33:11.442Z">
|
|
29
|
+
<saml:AuthnContext>
|
|
30
|
+
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
|
|
31
|
+
</saml:AuthnContext>
|
|
32
|
+
</saml:AuthnStatement>
|
|
33
|
+
</saml:Assertion>
|
|
34
|
+
</samlp:Response>
|
data/test/xml_security_test.rb
CHANGED
|
@@ -240,8 +240,7 @@ class XmlSecurityTest < Minitest::Test
|
|
|
240
240
|
settings.issuer = "https://sp.example.com/saml2"
|
|
241
241
|
settings.assertion_consumer_service_url = "https://sp.example.com/acs"
|
|
242
242
|
settings.single_logout_service_url = "https://sp.example.com/sls"
|
|
243
|
-
end
|
|
244
|
-
|
|
243
|
+
end
|
|
245
244
|
|
|
246
245
|
it "sign an AuthNRequest" do
|
|
247
246
|
request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
@@ -331,5 +330,19 @@ class XmlSecurityTest < Minitest::Test
|
|
|
331
330
|
end
|
|
332
331
|
end
|
|
333
332
|
end
|
|
333
|
+
|
|
334
|
+
describe '#validate_document' do
|
|
335
|
+
describe 'with valid document' do
|
|
336
|
+
describe 'when response has signed message and assertion' do
|
|
337
|
+
let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
|
|
338
|
+
let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
|
|
339
|
+
let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
|
|
340
|
+
|
|
341
|
+
it 'is valid' do
|
|
342
|
+
assert document.validate_document(fingerprint, true), 'Document should be valid'
|
|
343
|
+
end
|
|
344
|
+
end
|
|
345
|
+
end
|
|
346
|
+
end
|
|
334
347
|
end
|
|
335
348
|
end
|
metadata
CHANGED
|
@@ -1,192 +1,155 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 1.1.1
|
|
6
5
|
platform: ruby
|
|
7
6
|
authors:
|
|
8
7
|
- OneLogin LLC
|
|
9
8
|
autorequire:
|
|
10
9
|
bindir: bin
|
|
11
10
|
cert_chain: []
|
|
12
|
-
date: 2015-
|
|
11
|
+
date: 2015-11-11 00:00:00.000000000 Z
|
|
13
12
|
dependencies:
|
|
14
13
|
- !ruby/object:Gem::Dependency
|
|
15
14
|
name: uuid
|
|
16
15
|
requirement: !ruby/object:Gem::Requirement
|
|
17
|
-
none: false
|
|
18
16
|
requirements:
|
|
19
|
-
- - ~>
|
|
17
|
+
- - "~>"
|
|
20
18
|
- !ruby/object:Gem::Version
|
|
21
19
|
version: '2.3'
|
|
22
20
|
type: :runtime
|
|
23
21
|
prerelease: false
|
|
24
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
25
|
-
none: false
|
|
26
23
|
requirements:
|
|
27
|
-
- - ~>
|
|
24
|
+
- - "~>"
|
|
28
25
|
- !ruby/object:Gem::Version
|
|
29
26
|
version: '2.3'
|
|
30
27
|
- !ruby/object:Gem::Dependency
|
|
31
28
|
name: nokogiri
|
|
32
29
|
requirement: !ruby/object:Gem::Requirement
|
|
33
|
-
none: false
|
|
34
30
|
requirements:
|
|
35
|
-
- -
|
|
31
|
+
- - ">="
|
|
36
32
|
- !ruby/object:Gem::Version
|
|
37
33
|
version: 1.5.10
|
|
38
34
|
type: :runtime
|
|
39
35
|
prerelease: false
|
|
40
36
|
version_requirements: !ruby/object:Gem::Requirement
|
|
41
|
-
none: false
|
|
42
37
|
requirements:
|
|
43
|
-
- -
|
|
38
|
+
- - ">="
|
|
44
39
|
- !ruby/object:Gem::Version
|
|
45
40
|
version: 1.5.10
|
|
46
41
|
- !ruby/object:Gem::Dependency
|
|
47
42
|
name: minitest
|
|
48
43
|
requirement: !ruby/object:Gem::Requirement
|
|
49
|
-
none: false
|
|
50
44
|
requirements:
|
|
51
|
-
- - ~>
|
|
45
|
+
- - "~>"
|
|
52
46
|
- !ruby/object:Gem::Version
|
|
53
47
|
version: '5.5'
|
|
54
48
|
type: :development
|
|
55
49
|
prerelease: false
|
|
56
50
|
version_requirements: !ruby/object:Gem::Requirement
|
|
57
|
-
none: false
|
|
58
51
|
requirements:
|
|
59
|
-
- - ~>
|
|
52
|
+
- - "~>"
|
|
60
53
|
- !ruby/object:Gem::Version
|
|
61
54
|
version: '5.5'
|
|
62
55
|
- !ruby/object:Gem::Dependency
|
|
63
56
|
name: mocha
|
|
64
57
|
requirement: !ruby/object:Gem::Requirement
|
|
65
|
-
none: false
|
|
66
58
|
requirements:
|
|
67
|
-
- - ~>
|
|
59
|
+
- - "~>"
|
|
68
60
|
- !ruby/object:Gem::Version
|
|
69
61
|
version: '0.14'
|
|
70
62
|
type: :development
|
|
71
63
|
prerelease: false
|
|
72
64
|
version_requirements: !ruby/object:Gem::Requirement
|
|
73
|
-
none: false
|
|
74
65
|
requirements:
|
|
75
|
-
- - ~>
|
|
66
|
+
- - "~>"
|
|
76
67
|
- !ruby/object:Gem::Version
|
|
77
68
|
version: '0.14'
|
|
78
69
|
- !ruby/object:Gem::Dependency
|
|
79
70
|
name: rake
|
|
80
71
|
requirement: !ruby/object:Gem::Requirement
|
|
81
|
-
none: false
|
|
82
72
|
requirements:
|
|
83
|
-
- - ~>
|
|
73
|
+
- - "~>"
|
|
84
74
|
- !ruby/object:Gem::Version
|
|
85
75
|
version: '10'
|
|
86
76
|
type: :development
|
|
87
77
|
prerelease: false
|
|
88
78
|
version_requirements: !ruby/object:Gem::Requirement
|
|
89
|
-
none: false
|
|
90
79
|
requirements:
|
|
91
|
-
- - ~>
|
|
80
|
+
- - "~>"
|
|
92
81
|
- !ruby/object:Gem::Version
|
|
93
82
|
version: '10'
|
|
94
83
|
- !ruby/object:Gem::Dependency
|
|
95
84
|
name: shoulda
|
|
96
85
|
requirement: !ruby/object:Gem::Requirement
|
|
97
|
-
none: false
|
|
98
86
|
requirements:
|
|
99
|
-
- - ~>
|
|
87
|
+
- - "~>"
|
|
100
88
|
- !ruby/object:Gem::Version
|
|
101
89
|
version: '2.11'
|
|
102
90
|
type: :development
|
|
103
91
|
prerelease: false
|
|
104
92
|
version_requirements: !ruby/object:Gem::Requirement
|
|
105
|
-
none: false
|
|
106
93
|
requirements:
|
|
107
|
-
- - ~>
|
|
94
|
+
- - "~>"
|
|
108
95
|
- !ruby/object:Gem::Version
|
|
109
96
|
version: '2.11'
|
|
110
97
|
- !ruby/object:Gem::Dependency
|
|
111
98
|
name: simplecov
|
|
112
99
|
requirement: !ruby/object:Gem::Requirement
|
|
113
|
-
none: false
|
|
114
100
|
requirements:
|
|
115
|
-
- - ~>
|
|
101
|
+
- - "~>"
|
|
116
102
|
- !ruby/object:Gem::Version
|
|
117
103
|
version: 0.9.0
|
|
118
104
|
type: :development
|
|
119
105
|
prerelease: false
|
|
120
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
-
none: false
|
|
122
107
|
requirements:
|
|
123
|
-
- - ~>
|
|
108
|
+
- - "~>"
|
|
124
109
|
- !ruby/object:Gem::Version
|
|
125
110
|
version: 0.9.0
|
|
126
111
|
- !ruby/object:Gem::Dependency
|
|
127
112
|
name: systemu
|
|
128
113
|
requirement: !ruby/object:Gem::Requirement
|
|
129
|
-
none: false
|
|
130
114
|
requirements:
|
|
131
|
-
- - ~>
|
|
115
|
+
- - "~>"
|
|
132
116
|
- !ruby/object:Gem::Version
|
|
133
117
|
version: '2'
|
|
134
118
|
type: :development
|
|
135
119
|
prerelease: false
|
|
136
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
137
|
-
none: false
|
|
138
121
|
requirements:
|
|
139
|
-
- - ~>
|
|
122
|
+
- - "~>"
|
|
140
123
|
- !ruby/object:Gem::Version
|
|
141
124
|
version: '2'
|
|
142
125
|
- !ruby/object:Gem::Dependency
|
|
143
126
|
name: timecop
|
|
144
127
|
requirement: !ruby/object:Gem::Requirement
|
|
145
|
-
none: false
|
|
146
128
|
requirements:
|
|
147
|
-
- - <=
|
|
129
|
+
- - "<="
|
|
148
130
|
- !ruby/object:Gem::Version
|
|
149
131
|
version: 0.6.0
|
|
150
132
|
type: :development
|
|
151
133
|
prerelease: false
|
|
152
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
153
|
-
none: false
|
|
154
135
|
requirements:
|
|
155
|
-
- - <=
|
|
136
|
+
- - "<="
|
|
156
137
|
- !ruby/object:Gem::Version
|
|
157
138
|
version: 0.6.0
|
|
158
139
|
- !ruby/object:Gem::Dependency
|
|
159
|
-
name:
|
|
140
|
+
name: pry-byebug
|
|
160
141
|
requirement: !ruby/object:Gem::Requirement
|
|
161
|
-
none: false
|
|
162
142
|
requirements:
|
|
163
|
-
- -
|
|
143
|
+
- - ">="
|
|
164
144
|
- !ruby/object:Gem::Version
|
|
165
|
-
version:
|
|
145
|
+
version: '0'
|
|
166
146
|
type: :development
|
|
167
147
|
prerelease: false
|
|
168
148
|
version_requirements: !ruby/object:Gem::Requirement
|
|
169
|
-
none: false
|
|
170
149
|
requirements:
|
|
171
|
-
- -
|
|
150
|
+
- - ">="
|
|
172
151
|
- !ruby/object:Gem::Version
|
|
173
|
-
version:
|
|
174
|
-
- !ruby/object:Gem::Dependency
|
|
175
|
-
name: debugger
|
|
176
|
-
requirement: !ruby/object:Gem::Requirement
|
|
177
|
-
none: false
|
|
178
|
-
requirements:
|
|
179
|
-
- - ~>
|
|
180
|
-
- !ruby/object:Gem::Version
|
|
181
|
-
version: 1.6.4
|
|
182
|
-
type: :development
|
|
183
|
-
prerelease: false
|
|
184
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
185
|
-
none: false
|
|
186
|
-
requirements:
|
|
187
|
-
- - ~>
|
|
188
|
-
- !ruby/object:Gem::Version
|
|
189
|
-
version: 1.6.4
|
|
152
|
+
version: '0'
|
|
190
153
|
description: SAML toolkit for Ruby on Rails
|
|
191
154
|
email: support@onelogin.com
|
|
192
155
|
executables: []
|
|
@@ -195,9 +158,9 @@ extra_rdoc_files:
|
|
|
195
158
|
- LICENSE
|
|
196
159
|
- README.md
|
|
197
160
|
files:
|
|
198
|
-
- .document
|
|
199
|
-
- .gitignore
|
|
200
|
-
- .travis.yml
|
|
161
|
+
- ".document"
|
|
162
|
+
- ".gitignore"
|
|
163
|
+
- ".travis.yml"
|
|
201
164
|
- Gemfile
|
|
202
165
|
- LICENSE
|
|
203
166
|
- README.md
|
|
@@ -308,6 +271,7 @@ files:
|
|
|
308
271
|
- test/responses/response_with_saml2_namespace.xml.base64
|
|
309
272
|
- test/responses/response_with_signed_assertion.xml.base64
|
|
310
273
|
- test/responses/response_with_signed_assertion_2.xml.base64
|
|
274
|
+
- test/responses/response_with_signed_message_and_assertion.xml
|
|
311
275
|
- test/responses/response_with_undefined_recipient.xml.base64
|
|
312
276
|
- test/responses/response_without_attributes.xml.base64
|
|
313
277
|
- test/responses/response_without_reference_uri.xml.base64
|
|
@@ -338,28 +302,27 @@ files:
|
|
|
338
302
|
homepage: http://github.com/onelogin/ruby-saml
|
|
339
303
|
licenses:
|
|
340
304
|
- MIT
|
|
305
|
+
metadata: {}
|
|
341
306
|
post_install_message:
|
|
342
307
|
rdoc_options:
|
|
343
|
-
- --charset=UTF-8
|
|
308
|
+
- "--charset=UTF-8"
|
|
344
309
|
require_paths:
|
|
345
310
|
- lib
|
|
346
311
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
347
|
-
none: false
|
|
348
312
|
requirements:
|
|
349
|
-
- -
|
|
313
|
+
- - ">="
|
|
350
314
|
- !ruby/object:Gem::Version
|
|
351
315
|
version: 1.8.7
|
|
352
316
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
353
|
-
none: false
|
|
354
317
|
requirements:
|
|
355
|
-
- -
|
|
318
|
+
- - ">="
|
|
356
319
|
- !ruby/object:Gem::Version
|
|
357
320
|
version: '0'
|
|
358
321
|
requirements: []
|
|
359
322
|
rubyforge_project: http://www.rubygems.org/gems/ruby-saml
|
|
360
|
-
rubygems_version:
|
|
323
|
+
rubygems_version: 2.2.2
|
|
361
324
|
signing_key:
|
|
362
|
-
specification_version:
|
|
325
|
+
specification_version: 4
|
|
363
326
|
summary: SAML Ruby Tookit
|
|
364
327
|
test_files:
|
|
365
328
|
- test/certificates/certificate1
|
|
@@ -433,6 +396,7 @@ test_files:
|
|
|
433
396
|
- test/responses/response_with_saml2_namespace.xml.base64
|
|
434
397
|
- test/responses/response_with_signed_assertion.xml.base64
|
|
435
398
|
- test/responses/response_with_signed_assertion_2.xml.base64
|
|
399
|
+
- test/responses/response_with_signed_message_and_assertion.xml
|
|
436
400
|
- test/responses/response_with_undefined_recipient.xml.base64
|
|
437
401
|
- test/responses/response_without_attributes.xml.base64
|
|
438
402
|
- test/responses/response_without_reference_uri.xml.base64
|