RubyGems - ruby-saml - Versions diffs - 1.10.1 → 1.12.2 - Mend

ruby-saml 1.10.1 → 1.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (159) hide show

data/test/logging_test.rb DELETED Viewed

@@ -1,62 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'onelogin/ruby-saml/logging'
-class LoggingTest < Minitest::Test
-  describe "Logging" do
-    before do
-      OneLogin::RubySaml::Logging.logger = nil
-    end
-    after do
-      OneLogin::RubySaml::Logging.logger = ::TEST_LOGGER
-    end
-    describe "given no specific logging setup" do
-      it "prints to stdout" do
-        OneLogin::RubySaml::Logging::DEFAULT_LOGGER.expects(:debug).with('hi mom')
-        OneLogin::RubySaml::Logging.debug('hi mom')
-      end
-    end
-    describe "given a Rails app" do
-      let(:logger) { mock('Logger') }
-      before do
-        ::Rails = mock('Rails module')
-        ::Rails.stubs(:logger).returns(logger)
-      end
-      after do
-        Object.instance_eval { remove_const(:Rails) }
-      end
-      it "delegates to Rails" do
-        logger.expects(:debug).with('hi mom')
-        logger.expects(:info).with('sup?')
-        OneLogin::RubySaml::Logging.debug('hi mom')
-        OneLogin::RubySaml::Logging.info('sup?')
-      end
-    end
-    describe "given a specific Logger" do
-      let(:logger) { mock('Logger') }
-      before { OneLogin::RubySaml::Logging.logger = logger }
-      after do
-        OneLogin::RubySaml::Logging.logger = ::TEST_LOGGER
-      end
-      it "delegates to the object" do
-        logger.expects(:debug).with('hi mom')
-        logger.expects(:info).with('sup?')
-        OneLogin::RubySaml::Logging.debug('hi mom')
-        OneLogin::RubySaml::Logging.info('sup?')
-      end
-    end
-  end
-end

data/test/logout_requests/invalid_slo_request.xml DELETED Viewed

@@ -1,6 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone2@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request.xml DELETED Viewed

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request.xml.base64 DELETED Viewed

@@ -1 +0,0 @@

- PHNhbWxwOkxvZ291dFJlcXVlc3QgVmVyc2lvbj0nMi4wJyBJRD0nX2MwMzQ4OTUwLTkzNWItMDEzMS0xMDYwLTc4MmJjYjU2ZmNhYScgeG1sbnM6c2FtbHA9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCcgSXNzdWVJbnN0YW50PScyMDE0LTAzLTIxVDE5OjIwOjEzJz4NCiAgPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhL1NPTUVBQ0NPVU5UPC9zYW1sOklzc3Vlcj4NCiAgPHNhbWw6TmFtZUlEIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPnNvbWVvbmVAZXhhbXBsZS5vcmc8L3NhbWw6TmFtZUlEPg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg==

data/test/logout_requests/slo_request_deflated.xml.base64 DELETED Viewed

	@@ -1 +0,0 @@
1	- ndG7asMwFIDhvdB38KZJlmTHaSxs05B0COQCTdq1yKrqGqxLdWTI41dJOpgOHToKDv93DqpA6MHxre3sGJ7V16ggJK/KQ29NjbKUomSzrtGbpPlsURYUl3nRYspyhhmdU/ywyFrZFvMPKQRKznowwK/JGo3ecCugB26EVsCD5MflbstjlDtvg5V2iHWAUW0MBGFCBCmbYZrjjJ1YyTPKWY6a+7skqS5Rfh32E+ZvRQAoH+IlqPkMwQEnRDiXWqMG2/UmlVaTS4VoFcS7CIIcD7un5Wp1eNmfKjIhJzvsI7NZ/2cHsFpF+1GdhXaDSq3vfpBbMyK396//aL4B

data/test/logout_requests/slo_request_with_name_id_format.xml DELETED Viewed

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request_with_session_index.xml DELETED Viewed

@@ -1,5 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<samlp:SessionIndex>_ea853497-c58a-408a-bc23-c849752d9741</samlp:SessionIndex>
-</samlp:LogoutRequest>

data/test/logout_responses/logoutresponse_fixtures.rb DELETED Viewed

@@ -1,86 +0,0 @@
-#encoding: utf-8
-def default_logout_response_opts
-  {
-      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
-      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
-      :settings => settings
-  }
-end
-def valid_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def unsuccessful_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def unsuccessful_logout_response_with_message_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-      </samlp:StatusCode>
-      <samlp:StatusMessage>Logoutrequest expired</samlp:StatusMessage>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def invalid_xml_logout_response_document
-  "<samlp:SomethingAwful
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\">
-      </samlp:SomethingAwful>"
-end
-def settings
-  @settings ||= OneLogin::RubySaml::Settings.new(
-      {
-          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
-          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
-          :issuer => "http://app.muda.no",
-          :sp_name_qualifier => "http://sso.muda.no",
-          :idp_sso_target_url => "http://sso.muda.no/sso",
-          :idp_slo_target_url => "http://sso.muda.no/slo",
-          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
-          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-      }
-  )
-end

data/test/logoutrequest_test.rb DELETED Viewed

@@ -1,260 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'onelogin/ruby-saml/logoutrequest'
-class RequestTest < Minitest::Test
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
-    before do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-    end
-    it "create the deflated SAMLRequest URL parameter" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-      assert_match /^http:\/\/unauth\.com\/logout\?SAMLRequest=/, unauth_url
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /^<samlp:LogoutRequest/, inflated
-    end
-    it "support additional params" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
-      assert_match /&hello=$/, unauth_url
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :foo => "bar" })
-      assert_match /&foo=bar$/, unauth_url
-    end
-    it "RelayState cases" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => nil })
-      assert !unauth_url.include?('RelayState')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => nil })
-      assert !unauth_url.include?('RelayState')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-    end
-    it "set sessionindex" do
-      settings.idp_slo_target_url = "http://example.com"
-      sessionidx = OneLogin::RubySaml::Utils.uuid
-      settings.sessionindex = sessionidx
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /<samlp:SessionIndex/, inflated
-      assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
-    end
-    it "set name_identifier_value" do
-      settings.name_identifier_format = "transient"
-      name_identifier_value = "abc123"
-      settings.name_identifier_value = name_identifier_value
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /<saml:NameID/, inflated
-      assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
-    end
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/unauth.com\/logout\?SAMLRequest/, unauth_url
-      end
-    end
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/example.com\?field=value&SAMLRequest/, unauth_url
-      end
-    end
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[ID='#{unauth_req.uuid}'], inflated
-      end
-    end
-    describe "when the settings indicate to sign (embedded) logout request" do
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = true
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-      it "doesn't sign through create_xml_document" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_xml_document(settings).to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "sign unsigned request" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_req_doc = unauth_req.create_xml_document(settings)
-        inflated = unauth_req_doc.to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "signs through create_logout_request_xml_doc" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "created a signed logout request" do
-        settings.compress_request = true
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "create a signed logout request with 256 digest and signature method" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-        settings.security[:digest_method] = XMLSecurity::Document::SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
-      end
-    end
-    describe "#create_params when the settings indicate to sign the logout request" do
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-    end
-  end
-end

data/test/logoutresponse_test.rb DELETED Viewed

@@ -1,409 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'onelogin/ruby-saml/logoutresponse'
-require 'logout_responses/logoutresponse_fixtures'
-class RubySamlTest < Minitest::Test
-  describe "Logoutresponse" do
-    let(:valid_logout_response_without_settings) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document) }
-    let(:valid_logout_response) { OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings) }
-    describe "#new" do
-      it "raise an exception when response is initialized with nil" do
-        assert_raises(ArgumentError) { OneLogin::RubySaml::Logoutresponse.new(nil) }
-      end
-      it "default to empty settings" do
-        assert_nil valid_logout_response_without_settings.settings
-      end
-      it "accept constructor-injected settings" do
-        refute_nil valid_logout_response.settings
-      end
-      it "accept constructor-injected options" do
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, nil, { :foo => :bar} )
-        assert !logoutresponse.options.empty?
-      end
-      it "support base64 encoded responses" do
-        generated_logout_response = valid_logout_response_document
-        logoutresponse = OneLogin::RubySaml::Logoutresponse.new(Base64.encode64(generated_logout_response), settings)
-        assert_equal generated_logout_response, logoutresponse.response
-      end
-    end
-    describe "#validate_structure" do
-        it "invalidates when the logout response has an invalid xml" do
-          settings.soft = true
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
-          assert !logoutresponse.send(:validate_structure)
-          assert_includes logoutresponse.errors, "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd"
-        end
-        it "raise when the logout response has an invalid xml" do
-          settings.soft = false
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(invalid_xml_logout_response_document, settings)
-          assert_raises OneLogin::RubySaml::ValidationError do
-            logoutresponse.send(:validate_structure)
-          end
-        end
-    end
-    describe "#validate" do
-      describe "when soft=true" do
-        before do
-          settings.soft = true
-        end
-        it "validate the logout response" do
-          in_relation_to_request_id = random_id
-          opts = { :matches_request_id => in_relation_to_request_id}
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
-          assert logoutresponse.validate
-          assert_equal settings.issuer, logoutresponse.issuer
-          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
-          assert logoutresponse.success?
-          assert_empty logoutresponse.errors
-        end
-        it "validate the logout response extended" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://app.muda.no'
-          opts = { :matches_request_id => in_relation_to_request_id}
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings, opts)
-          assert logoutresponse.validate
-          assert_equal in_relation_to_request_id, logoutresponse.in_response_to
-          assert logoutresponse.success?
-          assert_empty logoutresponse.errors
-        end
-        it "invalidate logout response when initiated with blank" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "Blank logout response"
-        end
-        it "invalidate logout response when initiated with no idp cert or fingerprint" do
-          settings.idp_cert_fingerprint = nil
-          settings.idp_cert = nil
-          settings.idp_cert_multi = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
-        end
-        it "invalidate logout response with wrong id when given option :matches_request_id" do
-          expected_request_id = "_some_other_expected_uuid"
-          opts = { :matches_request_id => expected_request_id}
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
-          assert !logoutresponse.validate
-          refute_equal expected_request_id, logoutresponse.in_response_to
-          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
-        end
-        it "invalidate logout response with unexpected request status" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert !logoutresponse.success?
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
-        end
-        it "invalidate logout response with unexpected request status and status message" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_with_message_document, settings)
-          assert !logoutresponse.success?
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester -> Logoutrequest expired"
-        end
-        it "invalidate logout response when in lack of issuer setting" do
-          bad_settings = settings
-          bad_settings.issuer = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, bad_settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
-        end
-        it "invalidate logout response with wrong issuer" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-        it "collect errors when collect_errors=true" do
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          collect_errors = true
-          assert !logoutresponse.validate(collect_errors)
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-      end
-      describe "when soft=false" do
-        before do
-          settings.soft = false
-        end
-        it "validates good logout response" do
-          in_relation_to_request_id = random_id
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert logoutresponse.validate
-          assert_empty logoutresponse.errors
-        end
-        it "raises validation error when response initiated with blank" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new("", settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Blank logout response"
-        end
-        it "raises validation error when initiated with no idp cert or fingerprint" do
-          settings.idp_cert_fingerprint = nil
-          settings.idp_cert = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No fingerprint or certificate on settings of the logout response"
-        end
-        it "raises validation error when matching for wrong request id" do
-          expected_request_id = "_some_other_expected_id"
-          opts = { :matches_request_id => expected_request_id}
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
-        end
-        it "raise validation error for wrong request status" do
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
-        end
-        it "raise validation error when in bad state" do
-          # no settings
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
-        end
-        it "raise validation error when in lack of issuer setting" do
-          settings.issuer = nil
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
-        end
-        it "raise validation error when logout response with wrong issuer" do
-          in_relation_to_request_id = random_id
-          settings.idp_entity_id = 'http://invalid.issuer.example.com/'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document({:uuid => in_relation_to_request_id}), settings)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
-        end
-      end
-      describe "#validate_signature" do
-        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
-        before do
-          settings.soft = true
-          settings.idp_slo_target_url = "http://example.com?field=value"
-          settings.security[:logout_responses_signed] = true
-          settings.security[:embed_sign] = false
-          settings.certificate = ruby_saml_cert_text
-          settings.private_key = ruby_saml_key_text
-          settings.idp_cert = ruby_saml_cert_text
-        end
-        it "return true when no idp_cert is provided and option :relax_signature_validation is present" do
-          settings.idp_cert = nil
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          options[:relax_signature_validation] = true
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-        it "return false when no idp_cert is provided and no option :relax_signature_validation is present" do
-          settings.idp_cert = nil
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse_sign_test.send(:validate_signature)
-        end
-        it "return true when valid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-        it "return true when valid RSA_SHA256 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse.send(:validate_signature)
-        end
-        it "return false when invalid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          params['RelayState'] = 'http://invalid.example.com'
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse.send(:validate_signature)
-        end
-        it "raise when invalid RSA_SHA1 Signature" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          params['RelayState'] = 'http://invalid.example.com'
-          options = {}
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.send(:validate_signature) }
-          assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
-        end
-        it "raise when get_params encoding differs from what this library generates" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          options = {}
-          options[:get_params] = params
-          options[:get_params]['RelayState'] = 'http://example.com'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          # Assemble query string.
-          query = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLResponse',
-            :data => params['SAMLResponse'],
-            :relay_state => params['RelayState'],
-            :sig_alg => params['SigAlg']
-          )
-          # Modify the query string so that it encodes the same values,
-          # but with different percent-encoding. Sanity-check that they
-          # really are equialent before moving on.
-          original_query = query.dup
-          query.gsub!("example", "ex%61mple")
-          refute_equal(query, original_query)
-          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
-          # Make normalised signature based on our modified params.
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
-          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          # Re-create the Logoutresponse based on these modified parameters,
-          # and ask it to validate the signature. It will do it incorrectly,
-          # because it will compute it based on re-encoded query parameters,
-          # rather than their original encodings.
-          options[:get_params] = params
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do
-            logoutresponse.send(:validate_signature)
-          end
-        end
-        it "return true even if raw_get_params encoding differs from what this library generates" do
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.soft = false
-          options = {}
-          options[:get_params] = params
-          options[:get_params]['RelayState'] = 'http://example.com'
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          # Assemble query string.
-          query = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLResponse',
-            :data => params['SAMLResponse'],
-            :relay_state => params['RelayState'],
-            :sig_alg => params['SigAlg']
-          )
-          # Modify the query string so that it encodes the same values,
-          # but with different percent-encoding. Sanity-check that they
-          # really are equialent before moving on.
-          original_query = query.dup
-          query.gsub!("example", "ex%61mple")
-          refute_equal(query, original_query)
-          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
-          # Make normalised signature based on our modified params.
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
-          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          # Re-create the Logoutresponse based on these modified parameters,
-          # and ask it to validate the signature. Provide the altered parameter
-          # in its raw URI-encoded form, so that we don't have to guess the value
-          # that contributed to the signature.
-          options[:get_params] = params
-          options[:get_params].delete("RelayState")
-          options[:raw_get_params] = {
-            "RelayState" => "http%3A%2F%2Fex%61mple.com",
-          }
-          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse.send(:validate_signature)
-        end
-      end
-      describe "#validate_signature" do
-        let (:params) { OneLogin::RubySaml::SloLogoutresponse.new.create_params(settings, random_id, "Custom Logout Message", :RelayState => 'http://example.com') }
-        before do
-          settings.soft = true
-          settings.idp_slo_target_url = "http://example.com?field=value"
-          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-          settings.security[:logout_responses_signed] = true
-          settings.security[:embed_sign] = false
-          settings.certificate = ruby_saml_cert_text
-          settings.private_key = ruby_saml_key_text
-          settings.idp_cert = nil
-        end
-        it "return true when at least a idp_cert is valid" do
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          settings.idp_cert_multi = {
-            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text],
-            :encryption => []
-          }
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert logoutresponse_sign_test.send(:validate_signature)
-        end
-        it "return false when none cert on idp_cert_multi is valid" do
-          params['RelayState'] = params[:RelayState]
-          options = {}
-          options[:get_params] = params
-          settings.idp_cert_multi = {
-            :signing => [ruby_saml_cert_text2, ruby_saml_cert_text2],
-            :encryption => []
-          }
-          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
-          assert !logoutresponse_sign_test.send(:validate_signature)
-        end
-      end
-    end
-  end
-end