RubyGems - ruby-saml - Versions diffs - 1.11.0 → 1.12.1 - Mend

ruby-saml 1.11.0 → 1.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (158) hide show

data/test/logout_requests/slo_request.xml DELETED Viewed

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request.xml.base64 DELETED Viewed

@@ -1 +0,0 @@

- PHNhbWxwOkxvZ291dFJlcXVlc3QgVmVyc2lvbj0nMi4wJyBJRD0nX2MwMzQ4OTUwLTkzNWItMDEzMS0xMDYwLTc4MmJjYjU2ZmNhYScgeG1sbnM6c2FtbHA9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCcgSXNzdWVJbnN0YW50PScyMDE0LTAzLTIxVDE5OjIwOjEzJz4NCiAgPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPmh0dHBzOi8vYXBwLm9uZWxvZ2luLmNvbS9zYW1sL21ldGFkYXRhL1NPTUVBQ0NPVU5UPC9zYW1sOklzc3Vlcj4NCiAgPHNhbWw6TmFtZUlEIHhtbG5zOnNhbWw9J3VybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24nPnNvbWVvbmVAZXhhbXBsZS5vcmc8L3NhbWw6TmFtZUlEPg0KPC9zYW1scDpMb2dvdXRSZXF1ZXN0Pg==

data/test/logout_requests/slo_request_deflated.xml.base64 DELETED Viewed

	@@ -1 +0,0 @@
1	- ndG7asMwFIDhvdB38KZJlmTHaSxs05B0COQCTdq1yKrqGqxLdWTI41dJOpgOHToKDv93DqpA6MHxre3sGJ7V16ggJK/KQ29NjbKUomSzrtGbpPlsURYUl3nRYspyhhmdU/ywyFrZFvMPKQRKznowwK/JGo3ecCugB26EVsCD5MflbstjlDtvg5V2iHWAUW0MBGFCBCmbYZrjjJ1YyTPKWY6a+7skqS5Rfh32E+ZvRQAoH+IlqPkMwQEnRDiXWqMG2/UmlVaTS4VoFcS7CIIcD7un5Wp1eNmfKjIhJzvsI7NZ/2cHsFpF+1GdhXaDSq3vfpBbMyK396//aL4B

data/test/logout_requests/slo_request_with_name_id_format.xml DELETED Viewed

@@ -1,4 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>someone@example.org</saml:NameID>
-</samlp:LogoutRequest>

data/test/logout_requests/slo_request_with_session_index.xml DELETED Viewed

@@ -1,5 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<samlp:SessionIndex>_ea853497-c58a-408a-bc23-c849752d9741</samlp:SessionIndex>
-</samlp:LogoutRequest>

data/test/logout_responses/logoutresponse_fixtures.rb DELETED Viewed

@@ -1,86 +0,0 @@
-#encoding: utf-8
-def default_logout_response_opts
-  {
-      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
-      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
-      :settings => settings
-  }
-end
-def valid_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def unsuccessful_logout_response_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-      </samlp:StatusCode>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def unsuccessful_logout_response_with_message_document(opts = {})
-  opts = default_logout_response_opts.merge(opts)
-  "<samlp:LogoutResponse
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\"
-        IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].single_logout_service_url}\"
-        InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-      <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-      <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-      </samlp:StatusCode>
-      <samlp:StatusMessage>Logoutrequest expired</samlp:StatusMessage>
-      </samlp:Status>
-      </samlp:LogoutResponse>"
-end
-def invalid_xml_logout_response_document
-  "<samlp:SomethingAwful
-        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-        ID=\"#{random_id}\" Version=\"2.0\">
-      </samlp:SomethingAwful>"
-end
-def settings
-  @settings ||= OneLogin::RubySaml::Settings.new(
-      {
-          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
-          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
-          :issuer => "http://app.muda.no",
-          :sp_name_qualifier => "http://sso.muda.no",
-          :idp_sso_target_url => "http://sso.muda.no/sso",
-          :idp_slo_target_url => "http://sso.muda.no/slo",
-          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
-          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-      }
-  )
-end

data/test/logoutrequest_test.rb DELETED Viewed

@@ -1,260 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-require 'onelogin/ruby-saml/logoutrequest'
-class RequestTest < Minitest::Test
-  describe "Logoutrequest" do
-    let(:settings) { OneLogin::RubySaml::Settings.new }
-    before do
-      settings.idp_slo_target_url = "http://unauth.com/logout"
-      settings.name_identifier_value = "f00f00"
-    end
-    it "create the deflated SAMLRequest URL parameter" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-      assert_match /^http:\/\/unauth\.com\/logout\?SAMLRequest=/, unauth_url
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /^<samlp:LogoutRequest/, inflated
-    end
-    it "support additional params" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
-      assert_match /&hello=$/, unauth_url
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :foo => "bar" })
-      assert_match /&foo=bar$/, unauth_url
-    end
-    it "RelayState cases" do
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => nil })
-      assert !unauth_url.include?('RelayState')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :RelayState => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => nil })
-      assert !unauth_url.include?('RelayState')
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { 'RelayState' => "http://example.com" })
-      assert unauth_url.include?('&RelayState=http%3A%2F%2Fexample.com')
-    end
-    it "set sessionindex" do
-      settings.idp_slo_target_url = "http://example.com"
-      sessionidx = OneLogin::RubySaml::Utils.uuid
-      settings.sessionindex = sessionidx
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /<samlp:SessionIndex/, inflated
-      assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
-    end
-    it "set name_identifier_value" do
-      settings.name_identifier_format = "transient"
-      name_identifier_value = "abc123"
-      settings.name_identifier_value = name_identifier_value
-      unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-      inflated = decode_saml_request_payload(unauth_url)
-      assert_match /<saml:NameID/, inflated
-      assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
-    end
-    describe "when the target url doesn't contain a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/unauth.com\/logout\?SAMLRequest/, unauth_url
-      end
-    end
-    describe "when the target url contains a query string" do
-      it "create the SAMLRequest parameter correctly" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-        assert_match /^http:\/\/example.com\?field=value&SAMLRequest/, unauth_url
-      end
-    end
-    describe "consumation of logout may need to track the transaction" do
-      it "have access to the request uuid" do
-        settings.idp_slo_target_url = "http://example.com?field=value"
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[ID='#{unauth_req.uuid}'], inflated
-      end
-    end
-    describe "when the settings indicate to sign (embedded) logout request" do
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = true
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-      it "doesn't sign through create_xml_document" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_xml_document(settings).to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "sign unsigned request" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_req_doc = unauth_req.create_xml_document(settings)
-        inflated = unauth_req_doc.to_s
-        refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-        inflated = unauth_req.sign_document(unauth_req_doc, settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "signs through create_logout_request_xml_doc" do
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        inflated = unauth_req.create_logout_request_xml_doc(settings).to_s
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "created a signed logout request" do
-        settings.compress_request = true
-        unauth_req = OneLogin::RubySaml::Logoutrequest.new
-        unauth_url = unauth_req.create(settings)
-        inflated = decode_saml_request_payload(unauth_url)
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-      end
-      it "create a signed logout request with 256 digest and signature method" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        settings.security[:digest_method] = XMLSecurity::Document::SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-      end
-      it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-        settings.compress_request = false
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-        settings.security[:digest_method] = XMLSecurity::Document::SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-        request_xml = Base64.decode64(params["SAMLRequest"])
-        assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
-      end
-    end
-    describe "#create_params when the settings indicate to sign the logout request" do
-      let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-      before do
-        # sign the logout request
-        settings.security[:logout_requests_signed] = true
-        settings.security[:embed_sign] = false
-        settings.certificate = ruby_saml_cert_text
-        settings.private_key = ruby_saml_key_text
-      end
-      it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['SAMLRequest']
-        assert params[:RelayState]
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-      it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-        assert params['Signature']
-        assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
-        query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-        query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-        query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-        signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-        assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-        assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-      end
-    end
-  end
-end