ruby-saml 1.10.0 → 1.12.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of ruby-saml might be problematic. Click here for more details.

Files changed (159) hide show
  1. checksums.yaml +5 -5
  2. data/.travis.yml +28 -14
  3. data/README.md +96 -26
  4. data/changelog.md +37 -0
  5. data/lib/onelogin/ruby-saml/attributes.rb +24 -1
  6. data/lib/onelogin/ruby-saml/authrequest.rb +11 -6
  7. data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +71 -22
  8. data/lib/onelogin/ruby-saml/logging.rb +3 -3
  9. data/lib/onelogin/ruby-saml/logoutrequest.rb +9 -3
  10. data/lib/onelogin/ruby-saml/logoutresponse.rb +21 -2
  11. data/lib/onelogin/ruby-saml/metadata.rb +11 -3
  12. data/lib/onelogin/ruby-saml/response.rb +68 -22
  13. data/lib/onelogin/ruby-saml/saml_message.rb +6 -0
  14. data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
  15. data/lib/onelogin/ruby-saml/settings.rb +72 -7
  16. data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +20 -1
  17. data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +29 -16
  18. data/lib/onelogin/ruby-saml/utils.rb +74 -1
  19. data/lib/onelogin/ruby-saml/version.rb +1 -1
  20. data/lib/xml_security.rb +34 -6
  21. data/ruby-saml.gemspec +9 -5
  22. metadata +36 -282
  23. data/test/certificates/certificate.der +0 -0
  24. data/test/certificates/certificate1 +0 -12
  25. data/test/certificates/certificate_without_head_foot +0 -1
  26. data/test/certificates/formatted_certificate +0 -14
  27. data/test/certificates/formatted_chained_certificate +0 -42
  28. data/test/certificates/formatted_private_key +0 -12
  29. data/test/certificates/formatted_rsa_private_key +0 -12
  30. data/test/certificates/invalid_certificate1 +0 -1
  31. data/test/certificates/invalid_certificate2 +0 -1
  32. data/test/certificates/invalid_certificate3 +0 -12
  33. data/test/certificates/invalid_chained_certificate1 +0 -1
  34. data/test/certificates/invalid_private_key1 +0 -1
  35. data/test/certificates/invalid_private_key2 +0 -1
  36. data/test/certificates/invalid_private_key3 +0 -10
  37. data/test/certificates/invalid_rsa_private_key1 +0 -1
  38. data/test/certificates/invalid_rsa_private_key2 +0 -1
  39. data/test/certificates/invalid_rsa_private_key3 +0 -10
  40. data/test/certificates/ruby-saml-2.crt +0 -15
  41. data/test/certificates/ruby-saml.crt +0 -14
  42. data/test/certificates/ruby-saml.key +0 -15
  43. data/test/idp_metadata_parser_test.rb +0 -587
  44. data/test/logging_test.rb +0 -62
  45. data/test/logout_requests/invalid_slo_request.xml +0 -6
  46. data/test/logout_requests/slo_request.xml +0 -4
  47. data/test/logout_requests/slo_request.xml.base64 +0 -1
  48. data/test/logout_requests/slo_request_deflated.xml.base64 +0 -1
  49. data/test/logout_requests/slo_request_with_name_id_format.xml +0 -4
  50. data/test/logout_requests/slo_request_with_session_index.xml +0 -5
  51. data/test/logout_responses/logoutresponse_fixtures.rb +0 -86
  52. data/test/logoutrequest_test.rb +0 -260
  53. data/test/logoutresponse_test.rb +0 -409
  54. data/test/metadata/idp_descriptor.xml +0 -26
  55. data/test/metadata/idp_descriptor_2.xml +0 -56
  56. data/test/metadata/idp_descriptor_3.xml +0 -14
  57. data/test/metadata/idp_descriptor_4.xml +0 -72
  58. data/test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml +0 -72
  59. data/test/metadata/idp_metadata_multi_certs.xml +0 -75
  60. data/test/metadata/idp_metadata_multi_signing_certs.xml +0 -52
  61. data/test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml +0 -71
  62. data/test/metadata/idp_multiple_descriptors.xml +0 -59
  63. data/test/metadata/idp_multiple_descriptors_2.xml +0 -59
  64. data/test/metadata/no_idp_descriptor.xml +0 -21
  65. data/test/metadata_test.rb +0 -331
  66. data/test/request_test.rb +0 -340
  67. data/test/response_test.rb +0 -1619
  68. data/test/responses/adfs_response_sha1.xml +0 -46
  69. data/test/responses/adfs_response_sha256.xml +0 -46
  70. data/test/responses/adfs_response_sha384.xml +0 -46
  71. data/test/responses/adfs_response_sha512.xml +0 -46
  72. data/test/responses/adfs_response_xmlns.xml +0 -45
  73. data/test/responses/attackxee.xml +0 -13
  74. data/test/responses/invalids/duplicated_attributes.xml.base64 +0 -1
  75. data/test/responses/invalids/empty_destination.xml.base64 +0 -1
  76. data/test/responses/invalids/empty_nameid.xml.base64 +0 -1
  77. data/test/responses/invalids/encrypted_new_attack.xml.base64 +0 -1
  78. data/test/responses/invalids/invalid_audience.xml.base64 +0 -1
  79. data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
  80. data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
  81. data/test/responses/invalids/invalid_signature_position.xml.base64 +0 -1
  82. data/test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 +0 -1
  83. data/test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 +0 -1
  84. data/test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 +0 -1
  85. data/test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 +0 -1
  86. data/test/responses/invalids/multiple_assertions.xml.base64 +0 -2
  87. data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
  88. data/test/responses/invalids/no_authnstatement.xml.base64 +0 -1
  89. data/test/responses/invalids/no_conditions.xml.base64 +0 -1
  90. data/test/responses/invalids/no_id.xml.base64 +0 -1
  91. data/test/responses/invalids/no_issuer_assertion.xml.base64 +0 -1
  92. data/test/responses/invalids/no_issuer_response.xml.base64 +0 -1
  93. data/test/responses/invalids/no_nameid.xml.base64 +0 -1
  94. data/test/responses/invalids/no_saml2.xml.base64 +0 -1
  95. data/test/responses/invalids/no_signature.xml.base64 +0 -1
  96. data/test/responses/invalids/no_status.xml.base64 +0 -1
  97. data/test/responses/invalids/no_status_code.xml.base64 +0 -1
  98. data/test/responses/invalids/no_subjectconfirmation_data.xml.base64 +0 -1
  99. data/test/responses/invalids/no_subjectconfirmation_method.xml.base64 +0 -1
  100. data/test/responses/invalids/response_invalid_signed_element.xml.base64 +0 -1
  101. data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
  102. data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
  103. data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
  104. data/test/responses/invalids/status_code_responder.xml.base64 +0 -1
  105. data/test/responses/invalids/status_code_responer_and_msg.xml.base64 +0 -1
  106. data/test/responses/invalids/wrong_spnamequalifier.xml.base64 +0 -1
  107. data/test/responses/no_signature_ns.xml +0 -48
  108. data/test/responses/open_saml_response.xml +0 -56
  109. data/test/responses/response_assertion_wrapped.xml.base64 +0 -93
  110. data/test/responses/response_audience_self_closed_tag.xml.base64 +0 -1
  111. data/test/responses/response_double_status_code.xml.base64 +0 -1
  112. data/test/responses/response_encrypted_attrs.xml.base64 +0 -1
  113. data/test/responses/response_encrypted_nameid.xml.base64 +0 -1
  114. data/test/responses/response_eval.xml +0 -7
  115. data/test/responses/response_no_cert_and_encrypted_attrs.xml +0 -29
  116. data/test/responses/response_node_text_attack.xml.base64 +0 -1
  117. data/test/responses/response_node_text_attack2.xml.base64 +0 -1
  118. data/test/responses/response_node_text_attack3.xml.base64 +0 -1
  119. data/test/responses/response_unsigned_xml_base64 +0 -1
  120. data/test/responses/response_with_ampersands.xml +0 -139
  121. data/test/responses/response_with_ampersands.xml.base64 +0 -93
  122. data/test/responses/response_with_ds_namespace_at_the_root.xml.base64 +0 -1
  123. data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
  124. data/test/responses/response_with_multiple_attribute_values.xml +0 -67
  125. data/test/responses/response_with_retrieval_method.xml +0 -26
  126. data/test/responses/response_with_saml2_namespace.xml.base64 +0 -102
  127. data/test/responses/response_with_signed_assertion.xml.base64 +0 -66
  128. data/test/responses/response_with_signed_assertion_2.xml.base64 +0 -1
  129. data/test/responses/response_with_signed_assertion_3.xml +0 -30
  130. data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
  131. data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
  132. data/test/responses/response_without_attributes.xml.base64 +0 -79
  133. data/test/responses/response_without_reference_uri.xml.base64 +0 -1
  134. data/test/responses/response_wrapped.xml.base64 +0 -150
  135. data/test/responses/signed_message_encrypted_signed_assertion.xml.base64 +0 -1
  136. data/test/responses/signed_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  137. data/test/responses/signed_nameid_in_atts.xml +0 -47
  138. data/test/responses/signed_unqual_nameid_in_atts.xml +0 -47
  139. data/test/responses/simple_saml_php.xml +0 -71
  140. data/test/responses/starfield_response.xml.base64 +0 -1
  141. data/test/responses/test_sign.xml +0 -43
  142. data/test/responses/unsigned_encrypted_adfs.xml +0 -23
  143. data/test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64 +0 -1
  144. data/test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64 +0 -1
  145. data/test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64 +0 -1
  146. data/test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64 +0 -1
  147. data/test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64 +0 -1
  148. data/test/responses/unsigned_message_encrypted_signed_assertion.xml.base64 +0 -1
  149. data/test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  150. data/test/responses/valid_response.xml.base64 +0 -1
  151. data/test/responses/valid_response_with_formatted_x509certificate.xml.base64 +0 -1
  152. data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
  153. data/test/saml_message_test.rb +0 -56
  154. data/test/settings_test.rb +0 -329
  155. data/test/slo_logoutrequest_test.rb +0 -448
  156. data/test/slo_logoutresponse_test.rb +0 -233
  157. data/test/test_helper.rb +0 -331
  158. data/test/utils_test.rb +0 -259
  159. data/test/xml_security_test.rb +0 -421
data/test/utils_test.rb DELETED
@@ -1,259 +0,0 @@
1
- require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
-
3
- class UtilsTest < Minitest::Test
4
- describe ".format_cert" do
5
- let(:formatted_certificate) {read_certificate("formatted_certificate")}
6
- let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
7
-
8
- it "returns empty string when the cert is an empty string" do
9
- cert = ""
10
- assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
11
- end
12
-
13
- it "returns nil when the cert is nil" do
14
- cert = nil
15
- assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
16
- end
17
-
18
- it "returns the certificate when it is valid" do
19
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
20
- end
21
-
22
- it "reformats the certificate when there are spaces and no line breaks" do
23
- invalid_certificate1 = read_certificate("invalid_certificate1")
24
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
25
- end
26
-
27
- it "reformats the certificate when there are spaces and no headers" do
28
- invalid_certificate2 = read_certificate("invalid_certificate2")
29
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
30
- end
31
-
32
- it "returns the cert when it's encoded" do
33
- encoded_certificate = read_certificate("certificate.der")
34
- assert_equal encoded_certificate, OneLogin::RubySaml::Utils.format_cert(encoded_certificate)
35
- end
36
-
37
- it "reformats the certificate when there line breaks and no headers" do
38
- invalid_certificate3 = read_certificate("invalid_certificate3")
39
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
40
- end
41
-
42
- it "returns the chained certificate when it is a valid chained certificate" do
43
- assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
44
- end
45
-
46
- it "reformats the chained certificate when there are spaces and no line breaks" do
47
- invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
48
- assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
49
- end
50
-
51
- end
52
-
53
- describe ".format_private_key" do
54
- let(:formatted_private_key) do
55
- read_certificate("formatted_private_key")
56
- end
57
-
58
- it "returns empty string when the private key is an empty string" do
59
- private_key = ""
60
- assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
61
- end
62
-
63
- it "returns nil when the private key is nil" do
64
- private_key = nil
65
- assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
66
- end
67
-
68
- it "returns the private key when it is valid" do
69
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
70
- end
71
-
72
- it "reformats the private key when there are spaces and no line breaks" do
73
- invalid_private_key1 = read_certificate("invalid_private_key1")
74
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
75
- end
76
-
77
- it "reformats the private key when there are spaces and no headers" do
78
- invalid_private_key2 = read_certificate("invalid_private_key2")
79
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
80
- end
81
-
82
- it "reformats the private key when there line breaks and no headers" do
83
- invalid_private_key3 = read_certificate("invalid_private_key3")
84
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
85
- end
86
-
87
- describe "an RSA public key" do
88
- let(:formatted_rsa_private_key) do
89
- read_certificate("formatted_rsa_private_key")
90
- end
91
-
92
- it "returns the private key when it is valid" do
93
- assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
94
- end
95
-
96
- it "reformats the private key when there are spaces and no line breaks" do
97
- invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
98
- assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
99
- end
100
-
101
- it "reformats the private key when there are spaces and no headers" do
102
- invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
103
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
104
- end
105
-
106
- it "reformats the private key when there line breaks and no headers" do
107
- invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
108
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
109
- end
110
- end
111
- end
112
-
113
- describe "build_query" do
114
- it "returns the query string" do
115
- params = {}
116
- params[:type] = "SAMLRequest"
117
- params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
118
- params[:relay_state] = "http://example.com"
119
- params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
120
- query_string = OneLogin::RubySaml::Utils.build_query(params)
121
- assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
122
- end
123
- end
124
-
125
- describe "#verify_signature" do
126
- before do
127
- @params = {}
128
- @params[:cert] = ruby_saml_cert
129
- @params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
130
- @params[:query_string] = "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
131
- end
132
-
133
- it "returns true when the signature is valid" do
134
- @params[:signature] = "uWJm/T4gKLYEsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
135
- assert OneLogin::RubySaml::Utils.verify_signature(@params)
136
- end
137
-
138
- it "returns false when the signature is invalid" do
139
- @params[:signature] = "uWJm/InVaLiDsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
140
- assert !OneLogin::RubySaml::Utils.verify_signature(@params)
141
- end
142
- end
143
-
144
- describe "#status_error_msg" do
145
- it "returns a error msg with a status message" do
146
- error_msg = "The status code of the Logout Response was not Success"
147
- status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
148
- status_message = "The request could not be performed due to an error on the part of the requester."
149
- status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
150
- assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
151
-
152
- status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
153
- assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
154
-
155
- status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
156
- assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
157
- end
158
- end
159
-
160
- describe "Utils" do
161
-
162
- describe ".uuid" do
163
- it "returns a uuid starting with an underscore" do
164
- assert_match /^_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, OneLogin::RubySaml::Utils.uuid
165
- end
166
-
167
- it "doesn't return the same value twice" do
168
- refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
169
- end
170
- end
171
-
172
- describe 'uri_match' do
173
- it 'matches two urls' do
174
- destination = 'http://www.example.com/test?var=stuff'
175
- settings = 'http://www.example.com/test?var=stuff'
176
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
177
- end
178
-
179
- it 'fails to match two urls' do
180
- destination = 'http://www.example.com/test?var=stuff'
181
- settings = 'http://www.example.com/othertest?var=stuff'
182
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
183
- end
184
-
185
- it "matches two URLs if the scheme case doesn't match" do
186
- destination = 'http://www.example.com/test?var=stuff'
187
- settings = 'HTTP://www.example.com/test?var=stuff'
188
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
189
- end
190
-
191
- it "matches two URLs if the host case doesn't match" do
192
- destination = 'http://www.EXAMPLE.com/test?var=stuff'
193
- settings = 'http://www.example.com/test?var=stuff'
194
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
195
- end
196
-
197
- it "fails to match two URLs if the path case doesn't match" do
198
- destination = 'http://www.example.com/TEST?var=stuff'
199
- settings = 'http://www.example.com/test?var=stuff'
200
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
201
- end
202
-
203
- it "fails to match two URLs if the query case doesn't match" do
204
- destination = 'http://www.example.com/test?var=stuff'
205
- settings = 'http://www.example.com/test?var=STUFF'
206
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
207
- end
208
-
209
- it 'matches two non urls' do
210
- destination = 'stuff'
211
- settings = 'stuff'
212
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
213
- end
214
-
215
- it "fails to match two non urls" do
216
- destination = 'stuff'
217
- settings = 'not stuff'
218
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
219
- end
220
- end
221
-
222
- describe 'element_text' do
223
- it 'returns the element text' do
224
- element = REXML::Document.new('<element>element text</element>').elements.first
225
- assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
226
- end
227
-
228
- it 'returns all segments of the element text' do
229
- element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
230
- assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
231
- end
232
-
233
- it 'returns normalized element text' do
234
- element = REXML::Document.new('<element>element &amp; text</element>').elements.first
235
- assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
236
- end
237
-
238
- it 'returns the CDATA element text' do
239
- element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
240
- assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
241
- end
242
-
243
- it 'returns the element text with newlines and additional whitespace' do
244
- element = REXML::Document.new("<element> element \n text </element>").elements.first
245
- assert_equal " element \n text ", OneLogin::RubySaml::Utils.element_text(element)
246
- end
247
-
248
- it 'returns nil when element is nil' do
249
- assert_nil OneLogin::RubySaml::Utils.element_text(nil)
250
- end
251
-
252
- it 'returns empty string when element has no text' do
253
- element = REXML::Document.new('<element></element>').elements.first
254
- assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
255
- end
256
-
257
- end
258
- end
259
- end
@@ -1,421 +0,0 @@
1
- require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
- require 'xml_security'
3
-
4
- class XmlSecurityTest < Minitest::Test
5
- include XMLSecurity
6
-
7
- describe "XmlSecurity" do
8
-
9
- let(:decoded_response) { Base64.decode64(response_document_without_recipient) }
10
- let(:document) { XMLSecurity::SignedDocument.new(decoded_response) }
11
- let(:settings) { OneLogin::RubySaml::Settings.new() }
12
-
13
- before do
14
- @base64cert = document.elements["//ds:X509Certificate"].text
15
- end
16
-
17
- it "should run validate without throwing NS related exceptions" do
18
- assert !document.validate_signature(@base64cert, true)
19
- end
20
-
21
- it "should run validate with throwing NS related exceptions" do
22
- assert_raises(OneLogin::RubySaml::ValidationError) do
23
- document.validate_signature(@base64cert, false)
24
- end
25
- end
26
-
27
- it "not raise an error when softly validating the document multiple times" do
28
- 2.times { assert_equal document.validate_signature(@base64cert, true), false }
29
- end
30
-
31
- it "not raise an error when softly validating the document and the X509Certificate is missing" do
32
- decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
33
- mod_document = XMLSecurity::SignedDocument.new(decoded_response)
34
- assert !mod_document.validate_document("a fingerprint", true) # The fingerprint isn't relevant to this test
35
- end
36
-
37
- it "should raise Fingerprint mismatch" do
38
- exception = assert_raises(OneLogin::RubySaml::ValidationError) do
39
- document.validate_document("no:fi:ng:er:pr:in:t", false)
40
- end
41
- assert_equal("Fingerprint mismatch", exception.message)
42
- assert_includes document.errors, "Fingerprint mismatch"
43
- end
44
-
45
- it "should raise Digest mismatch" do
46
- exception = assert_raises(OneLogin::RubySaml::ValidationError) do
47
- document.validate_signature(@base64cert, false)
48
- end
49
- assert_equal("Digest mismatch", exception.message)
50
- assert_includes document.errors, "Digest mismatch"
51
- end
52
-
53
- it "should raise Key validation error" do
54
- decoded_response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
55
- "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
56
- mod_document = XMLSecurity::SignedDocument.new(decoded_response)
57
- base64cert = mod_document.elements["//ds:X509Certificate"].text
58
- exception = assert_raises(OneLogin::RubySaml::ValidationError) do
59
- mod_document.validate_signature(base64cert, false)
60
- end
61
- assert_equal("Key validation error", exception.message)
62
- assert_includes mod_document.errors, "Key validation error"
63
- end
64
-
65
- it "correctly obtain the digest method with alternate namespace declaration" do
66
- adfs_document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_xmlns, false))
67
- base64cert = adfs_document.elements["//X509Certificate"].text
68
- assert adfs_document.validate_signature(base64cert, false)
69
- end
70
-
71
- it "raise validation error when the X509Certificate is missing and no cert provided" do
72
- decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
73
- mod_document = XMLSecurity::SignedDocument.new(decoded_response)
74
- exception = assert_raises(OneLogin::RubySaml::ValidationError) do
75
- mod_document.validate_document("a fingerprint", false) # The fingerprint isn't relevant to this test
76
- end
77
- assert_equal("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", exception.message)
78
- end
79
-
80
- it "invalidaties when the X509Certificate is missing and the cert is provided but mismatches" do
81
- decoded_response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
82
- mod_document = XMLSecurity::SignedDocument.new(decoded_response)
83
- cert = OpenSSL::X509::Certificate.new(ruby_saml_cert)
84
- assert !mod_document.validate_document("a fingerprint", true, :cert => cert) # The fingerprint isn't relevant to this test
85
- end
86
- end
87
-
88
- describe "#canon_algorithm" do
89
- it "C14N_EXCLUSIVE_1_0" do
90
- canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
91
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#")
92
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2001/10/xml-exc-c14n#WithComments")
93
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("other")
94
- end
95
-
96
- it "C14N_1_0" do
97
- canon_algorithm = Nokogiri::XML::XML_C14N_1_0
98
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
99
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments")
100
- end
101
-
102
- it "XML_C14N_1_1" do
103
- canon_algorithm = Nokogiri::XML::XML_C14N_1_1
104
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11")
105
- assert_equal canon_algorithm, XMLSecurity::BaseDocument.new.canon_algorithm("http://www.w3.org/2006/12/xml-c14n11#WithComments")
106
- end
107
- end
108
-
109
- describe "#algorithm" do
110
- it "SHA1" do
111
- alg = OpenSSL::Digest::SHA1
112
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
113
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2000/09/xmldsig#sha1")
114
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("other")
115
- end
116
-
117
- it "SHA256" do
118
- alg = OpenSSL::Digest::SHA256
119
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
120
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha256")
121
- end
122
-
123
- it "SHA384" do
124
- alg = OpenSSL::Digest::SHA384
125
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha384")
126
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha384")
127
- end
128
-
129
- it "SHA512" do
130
- alg = OpenSSL::Digest::SHA512
131
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512")
132
- assert_equal alg, XMLSecurity::BaseDocument.new.algorithm("http://www.w3.org/2001/04/xmldsig-more#sha512")
133
- end
134
- end
135
-
136
- describe "Fingerprint Algorithms" do
137
- let(:response_fingerprint_test) { OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha1, false)) }
138
-
139
- it "validate using SHA1" do
140
- sha1_fingerprint = "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72"
141
- sha1_fingerprint_downcase = "f13c6b80905a030e6c913e5d15faddb016454872"
142
-
143
- assert response_fingerprint_test.document.validate_document(sha1_fingerprint)
144
- assert response_fingerprint_test.document.validate_document(sha1_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
145
-
146
- assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase)
147
- assert response_fingerprint_test.document.validate_document(sha1_fingerprint_downcase, true, :fingerprint_alg => XMLSecurity::Document::SHA1)
148
- end
149
-
150
- it "validate using SHA256" do
151
- sha256_fingerprint = "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21"
152
-
153
- assert !response_fingerprint_test.document.validate_document(sha256_fingerprint)
154
- assert response_fingerprint_test.document.validate_document(sha256_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA256)
155
- end
156
-
157
- it "validate using SHA384" do
158
- sha384_fingerprint = "98:FE:17:90:31:E7:68:18:8A:65:4D:DA:F5:76:E2:09:97:BE:8B:E3:7E:AA:8D:63:64:7C:0C:38:23:9A:AC:A2:EC:CE:48:A6:74:4D:E0:4C:50:80:40:B4:8D:55:14:14"
159
-
160
- assert !response_fingerprint_test.document.validate_document(sha384_fingerprint)
161
- assert response_fingerprint_test.document.validate_document(sha384_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA384)
162
- end
163
-
164
- it "validate using SHA512" do
165
- sha512_fingerprint = "5A:AE:BA:D0:BA:9D:1E:25:05:01:1E:1A:C9:E9:FF:DB:ED:FA:6E:F7:52:EB:45:49:BD:DB:06:D8:A3:7E:CC:63:3A:04:A2:DD:DF:EE:61:05:D9:58:95:2A:77:17:30:4B:EB:4A:9F:48:4A:44:1C:D0:9E:0B:1E:04:77:FD:A3:D2"
166
-
167
- assert !response_fingerprint_test.document.validate_document(sha512_fingerprint)
168
- assert response_fingerprint_test.document.validate_document(sha512_fingerprint, true, :fingerprint_alg => XMLSecurity::Document::SHA512)
169
- end
170
-
171
- end
172
-
173
- describe "Signature Algorithms" do
174
- it "validate using SHA1" do
175
- document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
176
- assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
177
- end
178
-
179
- it "validate using SHA256" do
180
- document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
181
- assert document.validate_document("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
182
- end
183
-
184
- it "validate using SHA384" do
185
- document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
186
- assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
187
- end
188
-
189
- it "validate using SHA512" do
190
- document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
191
- assert document.validate_document("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
192
- end
193
- end
194
-
195
- describe "XmlSecurity::SignedDocument" do
196
-
197
- describe "#extract_inclusive_namespaces" do
198
- it "support explicit namespace resolution for exclusive canonicalization" do
199
- response = fixture(:open_saml_response, false)
200
- document = XMLSecurity::SignedDocument.new(response)
201
- inclusive_namespaces = document.send(:extract_inclusive_namespaces)
202
-
203
- assert_equal %w[ xs ], inclusive_namespaces
204
- end
205
-
206
- it "support implicit namespace resolution for exclusive canonicalization" do
207
- response = fixture(:no_signature_ns, false)
208
- document = XMLSecurity::SignedDocument.new(response)
209
- inclusive_namespaces = document.send(:extract_inclusive_namespaces)
210
-
211
- assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
212
- end
213
-
214
- it 'support inclusive canonicalization' do
215
- skip('test not yet implemented')
216
- response = OneLogin::RubySaml::Response.new(fixture("tdnf_response.xml"))
217
- response.stubs(:conditions).returns(nil)
218
- assert !response.is_valid?
219
- assert !response.is_valid?
220
- response.settings = settings
221
- assert !response.is_valid?
222
- settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
223
- assert response.is_valid?
224
- end
225
-
226
- it "return nil when inclusive namespace element is missing" do
227
- response = fixture(:no_signature_ns, false)
228
- response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
229
-
230
- document = XMLSecurity::SignedDocument.new(response)
231
- inclusive_namespaces = document.send(:extract_inclusive_namespaces)
232
-
233
- assert inclusive_namespaces.nil?
234
- end
235
- end
236
-
237
- describe "XMLSecurity::DSIG" do
238
- before do
239
- settings.idp_sso_target_url = "https://idp.example.com/sso"
240
- settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
241
- settings.idp_slo_target_url = "https://idp.example.com/slo",
242
- settings.issuer = "https://sp.example.com/saml2"
243
- settings.assertion_consumer_service_url = "https://sp.example.com/acs"
244
- settings.single_logout_service_url = "https://sp.example.com/sls"
245
- end
246
-
247
- it "sign an AuthNRequest" do
248
- request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
249
- request.sign_document(ruby_saml_key, ruby_saml_cert)
250
- # verify our signature
251
- signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
252
- assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
253
-
254
- request2 = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
255
- request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
256
- # verify our signature
257
- signed_doc2 = XMLSecurity::SignedDocument.new(request2.to_s)
258
- assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
259
- end
260
-
261
- it "sign an AuthNRequest with certificate as text" do
262
- request = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
263
- request.sign_document(ruby_saml_key, ruby_saml_cert_text)
264
-
265
- # verify our signature
266
- signed_doc = XMLSecurity::SignedDocument.new(request.to_s)
267
- assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
268
- end
269
-
270
- it "sign a LogoutRequest" do
271
- logout_request = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
272
- logout_request.sign_document(ruby_saml_key, ruby_saml_cert)
273
- # verify our signature
274
- signed_doc = XMLSecurity::SignedDocument.new(logout_request.to_s)
275
- assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
276
-
277
- logout_request2 = OneLogin::RubySaml::Logoutrequest.new.create_logout_request_xml_doc(settings)
278
- logout_request2.sign_document(ruby_saml_key, ruby_saml_cert_text)
279
- # verify our signature
280
- signed_doc2 = XMLSecurity::SignedDocument.new(logout_request2.to_s)
281
- signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
282
- assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
283
- end
284
-
285
- it "sign a LogoutResponse" do
286
- logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
287
- logout_response.sign_document(ruby_saml_key, ruby_saml_cert)
288
- # verify our signature
289
- signed_doc = XMLSecurity::SignedDocument.new(logout_response.to_s)
290
- assert signed_doc.validate_document(ruby_saml_cert_fingerprint, false)
291
-
292
- logout_response2 = OneLogin::RubySaml::SloLogoutresponse.new.create_logout_response_xml_doc(settings, 'request_id_example', "Custom Logout Message")
293
- logout_response2.sign_document(ruby_saml_key, ruby_saml_cert_text)
294
- # verify our signature
295
- signed_doc2 = XMLSecurity::SignedDocument.new(logout_response2.to_s)
296
- signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
297
- assert signed_doc2.validate_document(ruby_saml_cert_fingerprint, false)
298
- end
299
- end
300
-
301
- describe "StarfieldTMS" do
302
- let (:response) { OneLogin::RubySaml::Response.new(fixture(:starfield_response)) }
303
-
304
- before do
305
- response.settings = OneLogin::RubySaml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D")
306
- end
307
-
308
- it "be able to validate a good response" do
309
- Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
310
- response.stubs(:validate_subject_confirmation).returns(true)
311
- assert response.is_valid?
312
- end
313
- end
314
-
315
- it "fail before response is valid" do
316
- Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
317
- assert !response.is_valid?
318
-
319
- time_1 = '2012-11-20 17:55:00 UTC < 2012-11-28 17:53:45 UTC'
320
- time_2 = 'Tue Nov 20 17:55:00 UTC 2012 < Wed Nov 28 17:53:45 UTC 2012'
321
-
322
- errors = [time_1, time_2].map do |time|
323
- "Current time is earlier than NotBefore condition (#{time})"
324
- end
325
-
326
- assert_predicate response.errors & errors, :any?
327
- end
328
- end
329
-
330
- it "fail after response expires" do
331
- Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
332
- assert !response.is_valid?
333
-
334
- contains_expected_error = response.errors.include? "Current time is on or after NotOnOrAfter condition (2012-11-30 17:55:00 UTC >= 2012-11-28 18:33:45 UTC)"
335
- contains_expected_error ||= response.errors.include? "Current time is on or after NotOnOrAfter condition (Fri Nov 30 17:55:00 UTC 2012 >= Wed Nov 28 18:33:45 UTC 2012)"
336
- assert contains_expected_error
337
- end
338
- end
339
- end
340
-
341
- describe '#validate_document' do
342
- describe 'with valid document' do
343
- describe 'when response has signed message and assertion' do
344
- let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
345
- let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
346
- let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
347
-
348
- it 'is valid' do
349
- assert document.validate_document(fingerprint, true), 'Document should be valid'
350
- end
351
- end
352
-
353
- describe 'when response has signed assertion' do
354
- let(:document_data) { read_response('response_with_signed_assertion_3.xml') }
355
- let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
356
- let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
357
-
358
- it 'is valid' do
359
- assert document.validate_document(fingerprint, true), 'Document should be valid'
360
- end
361
- end
362
- end
363
-
364
- describe 'signature_wrapping_attack' do
365
- let(:document_data) { read_invalid_response("signature_wrapping_attack.xml.base64") }
366
- let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
367
- let(:fingerprint) { 'afe71c28ef740bc87425be13a2263d37971da1f9' }
368
-
369
- it 'is invalid' do
370
- assert !document.validate_document(fingerprint, true), 'Document should be invalid'
371
- end
372
- end
373
-
374
- describe 'signature wrapping attack - doubled SAML response body' do
375
- let(:document_data) { read_invalid_response("response_with_doubled_signed_assertion.xml") }
376
- let(:document) { OneLogin::RubySaml::Response.new(document_data) }
377
- let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
378
-
379
- it 'is valid, but the unsigned information is ignored in favour of the signed information' do
380
- assert document.document.validate_document(fingerprint, true), 'Document should be valid'
381
- assert_equal 'someone@example.org', document.name_id, 'Document should expose only signed, valid details'
382
- end
383
- end
384
-
385
- describe 'signature wrapping attack - concealed SAML response body' do
386
- let(:document_data) { read_invalid_response("response_with_concealed_signed_assertion.xml") }
387
- let(:document) { OneLogin::RubySaml::Response.new(document_data) }
388
- let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
389
-
390
- it 'is valid, but fails to retrieve information' do
391
- assert document.document.validate_document(fingerprint, true), 'Document should be valid'
392
- assert document.name_id.nil?, 'Document should expose only signed, valid details'
393
- end
394
- end
395
- end
396
-
397
- describe '#validate_document_with_cert' do
398
- describe 'with valid document ' do
399
- describe 'when response has cert' do
400
- let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }
401
- let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
402
- let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
403
- let(:fingerprint) { '4b68c453c7d994aad9025c99d5efcf566287fe8d' }
404
-
405
- it 'is valid' do
406
- assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
407
- end
408
- end
409
-
410
- describe 'when response has no cert but you have local cert' do
411
- let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
412
- let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
413
-
414
- it 'is valid' do
415
- assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
416
- end
417
- end
418
- end
419
- end
420
- end
421
- end