ruby-saml 1.4.0 → 1.4.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/changelog.md +6 -0
- data/lib/onelogin/ruby-saml/authrequest.rb +9 -6
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +8 -3
- data/lib/onelogin/ruby-saml/response.rb +76 -54
- data/lib/onelogin/ruby-saml/utils.rb +15 -5
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/test/idp_metadata_parser_test.rb +16 -0
- data/test/request_test.rb +7 -0
- data/test/response_test.rb +20 -39
- data/test/responses/response_encrypted_attrs.xml.base64 +1 -0
- data/test/test_helper.rb +5 -0
- metadata +4 -4
- data/test/responses/invalids/response_encrypted_attrs.xml.base64 +0 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 785edd651b4a713d7a01a4841676034300a5465b
|
|
4
|
+
data.tar.gz: 33e3be90b834541836dad199a3843f0f50dc1d73
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7f0297c376b1b4ae225cd8b93a5541ff06829e89dcb8ee796b1ad1256a401532f1bf96ae257a8e63114f18de72333769d89f83bb4ac188e2659710dd75c9d3d0
|
|
7
|
+
data.tar.gz: ca1e2d0aefbdf122c4c214736c3c3d704184387f5becff71f4f1ebfdb1dc6b4d83a63dd1b267c12decdd69b1a8ada3db5886f4c6b64d46904a254e9dca85f260
|
data/changelog.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# RubySaml Changelog
|
|
2
2
|
|
|
3
|
+
### 1.4.1 (October 19, 2016)
|
|
4
|
+
* [#357](https://github.com/onelogin/ruby-saml/pull/357) Add EncryptedAttribute support. Improve decrypt method
|
|
5
|
+
* Allow multiple authn_context_decl_ref in settings
|
|
6
|
+
* Allow options[:settings] to be an hash for Settings overrides in IdpMetadataParser#parse
|
|
7
|
+
* Recover issuers method
|
|
8
|
+
|
|
3
9
|
### 1.4.0 (October 13, 2016)
|
|
4
10
|
* Several security improvements:
|
|
5
11
|
* Conditions element required and unique.
|
|
@@ -136,16 +136,19 @@ module OneLogin
|
|
|
136
136
|
}
|
|
137
137
|
|
|
138
138
|
if settings.authn_context != nil
|
|
139
|
-
|
|
140
|
-
|
|
139
|
+
authn_contexts_class_ref = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
|
|
140
|
+
authn_contexts_class_ref.each do |authn_context_class_ref|
|
|
141
141
|
class_ref = requested_context.add_element "saml:AuthnContextClassRef"
|
|
142
|
-
class_ref.text =
|
|
142
|
+
class_ref.text = authn_context_class_ref
|
|
143
143
|
end
|
|
144
144
|
end
|
|
145
|
-
|
|
145
|
+
|
|
146
146
|
if settings.authn_context_decl_ref != nil
|
|
147
|
-
|
|
148
|
-
|
|
147
|
+
authn_contexts_decl_refs = settings.authn_context_decl_ref.is_a?(Array) ? settings.authn_context_decl_ref : [settings.authn_context_decl_ref]
|
|
148
|
+
authn_contexts_decl_refs.each do |authn_context_decl_ref|
|
|
149
|
+
decl_ref = requested_context.add_element "saml:AuthnContextDeclRef"
|
|
150
|
+
decl_ref.text = authn_context_decl_ref
|
|
151
|
+
end
|
|
149
152
|
end
|
|
150
153
|
end
|
|
151
154
|
|
|
@@ -27,7 +27,7 @@ module OneLogin
|
|
|
27
27
|
# IdP values
|
|
28
28
|
#
|
|
29
29
|
# @param (see IdpMetadataParser#get_idp_metadata)
|
|
30
|
-
# @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object
|
|
30
|
+
# @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
|
|
31
31
|
# @return (see IdpMetadataParser#get_idp_metadata)
|
|
32
32
|
# @raise (see IdpMetadataParser#get_idp_metadata)
|
|
33
33
|
def parse_remote(url, validate_cert = true, options = {})
|
|
@@ -37,12 +37,17 @@ module OneLogin
|
|
|
37
37
|
|
|
38
38
|
# Parse the Identity Provider metadata and update the settings with the IdP values
|
|
39
39
|
# @param idp_metadata [String]
|
|
40
|
-
# @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object
|
|
40
|
+
# @param options [Hash] :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
|
|
41
41
|
#
|
|
42
42
|
def parse(idp_metadata, options = {})
|
|
43
43
|
@document = REXML::Document.new(idp_metadata)
|
|
44
44
|
|
|
45
|
-
|
|
45
|
+
settings = options[:settings]
|
|
46
|
+
if settings.nil? || settings.is_a?(Hash)
|
|
47
|
+
settings = OneLogin::RubySaml::Settings.new(settings || {})
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
settings.tap do |settings|
|
|
46
51
|
settings.idp_entity_id = idp_entity_id
|
|
47
52
|
settings.name_identifier_format = idp_name_id_format
|
|
48
53
|
settings.idp_sso_target_url = single_signon_service_url(options)
|
|
@@ -132,6 +132,7 @@ module OneLogin
|
|
|
132
132
|
# attributes['name']
|
|
133
133
|
#
|
|
134
134
|
# @return [Attributes] OneLogin::RubySaml::Attributes enumerable collection.
|
|
135
|
+
# @raise [ValidationError] if there are 2+ Attribute with the same Name
|
|
135
136
|
#
|
|
136
137
|
def attributes
|
|
137
138
|
@attr_statements ||= begin
|
|
@@ -140,8 +141,19 @@ module OneLogin
|
|
|
140
141
|
stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
|
|
141
142
|
stmt_elements.each do |stmt_element|
|
|
142
143
|
stmt_element.elements.each do |attr_element|
|
|
143
|
-
name
|
|
144
|
-
|
|
144
|
+
if attr_element.name == "EncryptedAttribute"
|
|
145
|
+
node = decrypt_attribute(attr_element.dup)
|
|
146
|
+
else
|
|
147
|
+
node = attr_element
|
|
148
|
+
end
|
|
149
|
+
|
|
150
|
+
name = node.attributes["Name"]
|
|
151
|
+
|
|
152
|
+
if options[:check_duplicated_attributes] && attributes.include?(name)
|
|
153
|
+
raise ValidationError.new("Found an Attribute element with duplicated Name")
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
values = node.elements.collect{|e|
|
|
145
157
|
if (e.elements.nil? || e.elements.size == 0)
|
|
146
158
|
# SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
|
|
147
159
|
# otherwise the value is to be regarded as empty.
|
|
@@ -236,6 +248,39 @@ module OneLogin
|
|
|
236
248
|
@not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
|
|
237
249
|
end
|
|
238
250
|
|
|
251
|
+
# Gets the Issuers (from Response and Assertion).
|
|
252
|
+
# (returns the first node that matches the supplied xpath from the Response and from the Assertion)
|
|
253
|
+
# @return [Array] Array with the Issuers (REXML::Element)
|
|
254
|
+
#
|
|
255
|
+
def issuers
|
|
256
|
+
@issuers ||= begin
|
|
257
|
+
issuers = []
|
|
258
|
+
issuer_response_nodes = REXML::XPath.match(
|
|
259
|
+
document,
|
|
260
|
+
"/p:Response/a:Issuer",
|
|
261
|
+
{ "p" => PROTOCOL, "a" => ASSERTION }
|
|
262
|
+
)
|
|
263
|
+
|
|
264
|
+
unless issuer_response_nodes.size == 1
|
|
265
|
+
error_msg = "Issuer of the Response not found or multiple."
|
|
266
|
+
raise ValidationError.new(error_msg)
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
doc = decrypted_document.nil? ? document : decrypted_document
|
|
270
|
+
issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
|
|
271
|
+
unless issuer_assertion_nodes.size == 1
|
|
272
|
+
error_msg = "Issuer of the Assertion not found or multiple."
|
|
273
|
+
raise ValidationError.new(error_msg)
|
|
274
|
+
end
|
|
275
|
+
|
|
276
|
+
nodes = issuer_response_nodes + issuer_assertion_nodes
|
|
277
|
+
nodes.each do |node|
|
|
278
|
+
issuers << node.text if node.text
|
|
279
|
+
end
|
|
280
|
+
issuers.uniq
|
|
281
|
+
end
|
|
282
|
+
end
|
|
283
|
+
|
|
239
284
|
# @return [String|nil] The InResponseTo attribute from the SAML Response.
|
|
240
285
|
#
|
|
241
286
|
def in_response_to
|
|
@@ -300,7 +345,6 @@ module OneLogin
|
|
|
300
345
|
:validate_id,
|
|
301
346
|
:validate_success_status,
|
|
302
347
|
:validate_num_assertion,
|
|
303
|
-
:validate_no_encrypted_attributes,
|
|
304
348
|
:validate_no_duplicated_attributes,
|
|
305
349
|
:validate_signed_elements,
|
|
306
350
|
:validate_structure,
|
|
@@ -432,20 +476,6 @@ module OneLogin
|
|
|
432
476
|
true
|
|
433
477
|
end
|
|
434
478
|
|
|
435
|
-
# Validates that there are not EncryptedAttribute (not supported)
|
|
436
|
-
# If fails, the error is added to the errors array
|
|
437
|
-
# @return [Boolean] True if there are no EncryptedAttribute elements, otherwise False if soft=True
|
|
438
|
-
# @raise [ValidationError] if soft == false and validation fails
|
|
439
|
-
#
|
|
440
|
-
def validate_no_encrypted_attributes
|
|
441
|
-
nodes = xpath_from_signed_assertion("/a:AttributeStatement/a:EncryptedAttribute")
|
|
442
|
-
if nodes && nodes.length > 0
|
|
443
|
-
return append_error("There is an EncryptedAttribute in the Response and this SP not support them")
|
|
444
|
-
end
|
|
445
|
-
|
|
446
|
-
true
|
|
447
|
-
end
|
|
448
|
-
|
|
449
479
|
# Validates that there are not duplicated attributes
|
|
450
480
|
# If fails, the error is added to the errors array
|
|
451
481
|
# @return [Boolean] True if there are no duplicated attribute elements, otherwise False if soft=True
|
|
@@ -453,16 +483,10 @@ module OneLogin
|
|
|
453
483
|
#
|
|
454
484
|
def validate_no_duplicated_attributes
|
|
455
485
|
if options[:check_duplicated_attributes]
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
name = attr_element.attributes["Name"]
|
|
461
|
-
if attributes.include?(name)
|
|
462
|
-
return append_error("Found an Attribute element with duplicated Name")
|
|
463
|
-
end
|
|
464
|
-
processed_names.add(name)
|
|
465
|
-
end
|
|
486
|
+
begin
|
|
487
|
+
attributes
|
|
488
|
+
rescue ValidationError => e
|
|
489
|
+
return append_error(e.message)
|
|
466
490
|
end
|
|
467
491
|
end
|
|
468
492
|
|
|
@@ -644,32 +668,13 @@ module OneLogin
|
|
|
644
668
|
def validate_issuer
|
|
645
669
|
return true if settings.idp_entity_id.nil?
|
|
646
670
|
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
650
|
-
|
|
651
|
-
{ "p" => PROTOCOL, "a" => ASSERTION }
|
|
652
|
-
)
|
|
653
|
-
|
|
654
|
-
unless issuer_response_nodes.size == 1
|
|
655
|
-
error_msg = "Issuer of the Response not found or multiple."
|
|
656
|
-
return append_error(error_msg)
|
|
657
|
-
end
|
|
658
|
-
|
|
659
|
-
doc = decrypted_document.nil? ? document : decrypted_document
|
|
660
|
-
issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
|
|
661
|
-
unless issuer_assertion_nodes.size == 1
|
|
662
|
-
error_msg = "Issuer of the Assertion not found or multiple."
|
|
663
|
-
return append_error(error_msg)
|
|
671
|
+
begin
|
|
672
|
+
obtained_issuers = issuers
|
|
673
|
+
rescue ValidationError => e
|
|
674
|
+
return append_error(e.message)
|
|
664
675
|
end
|
|
665
676
|
|
|
666
|
-
|
|
667
|
-
nodes.each do |node|
|
|
668
|
-
issuers << node.text if node.text
|
|
669
|
-
end
|
|
670
|
-
issuers.uniq
|
|
671
|
-
|
|
672
|
-
issuers.each do |issuer|
|
|
677
|
+
obtained_issuers.each do |issuer|
|
|
673
678
|
unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
|
|
674
679
|
error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
|
|
675
680
|
return append_error(error_msg)
|
|
@@ -928,8 +933,17 @@ module OneLogin
|
|
|
928
933
|
decrypt_element(encryptedid_node, /(.*<\/(\w+:)?NameID>)/m)
|
|
929
934
|
end
|
|
930
935
|
|
|
936
|
+
# Decrypts an EncryptedID element
|
|
937
|
+
# @param encryptedid_node [REXML::Element] The EncryptedID element
|
|
938
|
+
# @return [REXML::Document] The decrypted EncrypedtID element
|
|
939
|
+
#
|
|
940
|
+
def decrypt_attribute(encryptedattribute_node)
|
|
941
|
+
decrypt_element(encryptedattribute_node, /(.*<\/(\w+:)?Attribute>)/m)
|
|
942
|
+
end
|
|
943
|
+
|
|
931
944
|
# Decrypt an element
|
|
932
945
|
# @param encryptedid_node [REXML::Element] The encrypted element
|
|
946
|
+
# @param rgrex string Regex
|
|
933
947
|
# @return [REXML::Document] The decrypted element
|
|
934
948
|
#
|
|
935
949
|
def decrypt_element(encrypt_node, rgrex)
|
|
@@ -937,13 +951,21 @@ module OneLogin
|
|
|
937
951
|
raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
|
|
938
952
|
end
|
|
939
953
|
|
|
954
|
+
|
|
955
|
+
if encrypt_node.name == 'EncryptedAttribute'
|
|
956
|
+
node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
|
|
957
|
+
else
|
|
958
|
+
node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
|
|
959
|
+
end
|
|
960
|
+
|
|
940
961
|
elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
|
|
941
962
|
# If we get some problematic noise in the plaintext after decrypting.
|
|
942
963
|
# This quick regexp parse will grab only the Element and discard the noise.
|
|
943
964
|
elem_plaintext = elem_plaintext.match(rgrex)[0]
|
|
944
|
-
|
|
945
|
-
#
|
|
946
|
-
|
|
965
|
+
|
|
966
|
+
# To avoid namespace errors if saml namespace is not defined
|
|
967
|
+
# create a parent node first with the namespace defined
|
|
968
|
+
elem_plaintext = node_header + elem_plaintext + '</node>'
|
|
947
969
|
doc = REXML::Document.new(elem_plaintext)
|
|
948
970
|
doc.root[0]
|
|
949
971
|
end
|
|
@@ -111,13 +111,13 @@ module OneLogin
|
|
|
111
111
|
symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
|
|
112
112
|
cipher_value = REXML::XPath.first(
|
|
113
113
|
encrypt_data,
|
|
114
|
-
"
|
|
114
|
+
"./xenc:CipherData/xenc:CipherValue",
|
|
115
115
|
{ 'xenc' => XENC }
|
|
116
116
|
)
|
|
117
117
|
node = Base64.decode64(cipher_value.text)
|
|
118
118
|
encrypt_method = REXML::XPath.first(
|
|
119
119
|
encrypt_data,
|
|
120
|
-
"
|
|
120
|
+
"./xenc:EncryptionMethod",
|
|
121
121
|
{ 'xenc' => XENC }
|
|
122
122
|
)
|
|
123
123
|
algorithm = encrypt_method.attributes['Algorithm']
|
|
@@ -131,10 +131,12 @@ module OneLogin
|
|
|
131
131
|
def self.retrieve_symmetric_key(encrypt_data, private_key)
|
|
132
132
|
encrypted_key = REXML::XPath.first(
|
|
133
133
|
encrypt_data,
|
|
134
|
-
"
|
|
135
|
-
//xenc:EncryptedKey[@Id
|
|
136
|
-
{ "ds" => DSIG, "xenc" => XENC }
|
|
134
|
+
"./ds:KeyInfo/xenc:EncryptedKey or \
|
|
135
|
+
//xenc:EncryptedKey[@Id=$id]",
|
|
136
|
+
{ "ds" => DSIG, "xenc" => XENC },
|
|
137
|
+
{ "id" => self.retrieve_symetric_key_reference(encrypt_data) }
|
|
137
138
|
)
|
|
139
|
+
|
|
138
140
|
encrypted_symmetric_key_element = REXML::XPath.first(
|
|
139
141
|
encrypted_key,
|
|
140
142
|
"./xenc:CipherData/xenc:CipherValue",
|
|
@@ -150,6 +152,14 @@ module OneLogin
|
|
|
150
152
|
retrieve_plaintext(cipher_text, private_key, algorithm)
|
|
151
153
|
end
|
|
152
154
|
|
|
155
|
+
def self.retrieve_symetric_key_reference(encrypt_data)
|
|
156
|
+
REXML::XPath.first(
|
|
157
|
+
encrypt_data,
|
|
158
|
+
"substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
|
|
159
|
+
{ "ds" => DSIG }
|
|
160
|
+
)
|
|
161
|
+
end
|
|
162
|
+
|
|
153
163
|
# Obtains the deciphered text
|
|
154
164
|
# @param cipher_text [String] The ciphered text
|
|
155
165
|
# @param symmetric_key [String] The symetric key used to encrypt the text
|
|
@@ -56,6 +56,22 @@ class IdpMetadataParserTest < Minitest::Test
|
|
|
56
56
|
assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
|
|
57
57
|
end
|
|
58
58
|
|
|
59
|
+
it "uses settings options as hash for overrides" do
|
|
60
|
+
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
|
|
61
|
+
idp_metadata = read_response("idp_descriptor.xml")
|
|
62
|
+
settings = idp_metadata_parser.parse(idp_metadata, {
|
|
63
|
+
:settings => {
|
|
64
|
+
:security => {
|
|
65
|
+
:digest_method => XMLSecurity::Document::SHA256,
|
|
66
|
+
:signature_method => XMLSecurity::Document::RSA_SHA256
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
})
|
|
70
|
+
assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
|
|
71
|
+
assert_equal XMLSecurity::Document::SHA256, settings.security[:digest_method]
|
|
72
|
+
assert_equal XMLSecurity::Document::RSA_SHA256, settings.security[:signature_method]
|
|
73
|
+
end
|
|
74
|
+
|
|
59
75
|
end
|
|
60
76
|
|
|
61
77
|
describe "download and parse IdP descriptor file" do
|
data/test/request_test.rb
CHANGED
|
@@ -285,5 +285,12 @@ class RequestTest < Minitest::Test
|
|
|
285
285
|
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
286
286
|
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
|
|
287
287
|
end
|
|
288
|
+
|
|
289
|
+
it "create multiple saml:AuthnContextDeclRef elements correctly " do
|
|
290
|
+
settings.authn_context_decl_ref = ['name/password/uri', 'example/decl/ref']
|
|
291
|
+
auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
|
|
292
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>name\/password\/uri<\/saml:AuthnContextDeclRef>/
|
|
293
|
+
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>example\/decl\/ref<\/saml:AuthnContextDeclRef>/
|
|
294
|
+
end
|
|
288
295
|
end
|
|
289
296
|
end
|
data/test/response_test.rb
CHANGED
|
@@ -28,7 +28,7 @@ class RubySamlTest < Minitest::Test
|
|
|
28
28
|
let(:response_no_statuscode) { OneLogin::RubySaml::Response.new(read_invalid_response("no_status_code.xml.base64")) }
|
|
29
29
|
let(:response_statuscode_responder) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responder.xml.base64")) }
|
|
30
30
|
let(:response_statuscode_responder_and_msg) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responer_and_msg.xml.base64")) }
|
|
31
|
-
let(:response_encrypted_attrs) { OneLogin::RubySaml::Response.new(
|
|
31
|
+
let(:response_encrypted_attrs) { OneLogin::RubySaml::Response.new(response_document_encrypted_attrs) }
|
|
32
32
|
let(:response_no_signed_elements) { OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64")) }
|
|
33
33
|
let(:response_multiple_signed) { OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64")) }
|
|
34
34
|
let(:response_invalid_audience) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_audience.xml.base64")) }
|
|
@@ -198,17 +198,6 @@ class RubySamlTest < Minitest::Test
|
|
|
198
198
|
assert_includes response_valid_signed.errors, error_msg
|
|
199
199
|
end
|
|
200
200
|
|
|
201
|
-
it "raise when the assertion contains encrypted attributes" do
|
|
202
|
-
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
203
|
-
response_encrypted_attrs.settings = settings
|
|
204
|
-
response_encrypted_attrs.soft = false
|
|
205
|
-
error_msg = "There is an EncryptedAttribute in the Response and this SP not support them"
|
|
206
|
-
assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
|
|
207
|
-
response_encrypted_attrs.is_valid?
|
|
208
|
-
end
|
|
209
|
-
assert_includes response_encrypted_attrs.errors, error_msg
|
|
210
|
-
end
|
|
211
|
-
|
|
212
201
|
it "raise when there is no valid audience" do
|
|
213
202
|
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
214
203
|
settings.issuer = 'invalid'
|
|
@@ -365,14 +354,6 @@ class RubySamlTest < Minitest::Test
|
|
|
365
354
|
assert_includes response_valid_signed.errors, "The InResponseTo of the Response: _fc4a34b0-7efb-012e-caae-782bcb13bb38, does not match the ID of the AuthNRequest sent by the SP: invalid_request_id"
|
|
366
355
|
end
|
|
367
356
|
|
|
368
|
-
it "return false when the assertion contains encrypted attributes" do
|
|
369
|
-
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
370
|
-
response_encrypted_attrs.settings = settings
|
|
371
|
-
response_encrypted_attrs.soft = true
|
|
372
|
-
response_encrypted_attrs.is_valid?
|
|
373
|
-
assert_includes response_encrypted_attrs.errors, "There is an EncryptedAttribute in the Response and this SP not support them"
|
|
374
|
-
end
|
|
375
|
-
|
|
376
357
|
it "return false when there is no valid audience" do
|
|
377
358
|
settings.idp_cert_fingerprint = signature_fingerprint_1
|
|
378
359
|
settings.issuer = 'invalid'
|
|
@@ -559,20 +540,6 @@ class RubySamlTest < Minitest::Test
|
|
|
559
540
|
end
|
|
560
541
|
end
|
|
561
542
|
|
|
562
|
-
describe "#validate_no_encrypted_attributes" do
|
|
563
|
-
it "return true when the assertion does not contain encrypted attributes" do
|
|
564
|
-
response_valid_signed.settings = settings
|
|
565
|
-
assert response_valid_signed.send(:validate_no_encrypted_attributes)
|
|
566
|
-
assert_empty response_valid_signed.errors
|
|
567
|
-
end
|
|
568
|
-
|
|
569
|
-
it "return false when the assertion contains encrypted attributes" do
|
|
570
|
-
response_encrypted_attrs.settings = settings
|
|
571
|
-
assert !response_encrypted_attrs.send(:validate_no_encrypted_attributes)
|
|
572
|
-
assert_includes response_encrypted_attrs.errors, "There is an EncryptedAttribute in the Response and this SP not support them"
|
|
573
|
-
end
|
|
574
|
-
end
|
|
575
|
-
|
|
576
543
|
describe "#validate_audience" do
|
|
577
544
|
it "return true when the audience is valid" do
|
|
578
545
|
response_valid_signed.settings = settings
|
|
@@ -953,15 +920,29 @@ class RubySamlTest < Minitest::Test
|
|
|
953
920
|
assert_equal "bob", response_with_multiple_attribute_statements.attributes[:firstname]
|
|
954
921
|
end
|
|
955
922
|
|
|
956
|
-
it "not raise errors about nil/empty attributes for EncryptedAttributes" do
|
|
957
|
-
response_no_cert_and_encrypted_attrs = OneLogin::RubySaml::Response.new(response_document_no_cert_and_encrypted_attrs)
|
|
958
|
-
assert_equal 'Demo', response_no_cert_and_encrypted_attrs.attributes["first_name"]
|
|
959
|
-
end
|
|
960
|
-
|
|
961
923
|
it "not raise on responses without attributes" do
|
|
962
924
|
assert_equal OneLogin::RubySaml::Attributes.new, response_unsigned.attributes
|
|
963
925
|
end
|
|
964
926
|
|
|
927
|
+
describe "#encrypted attributes" do
|
|
928
|
+
it "raise error when the assertion contains encrypted attributes but no private key to decrypt" do
|
|
929
|
+
settings.private_key = nil
|
|
930
|
+
response_encrypted_attrs.settings = settings
|
|
931
|
+
assert_raises(OneLogin::RubySaml::ValidationError, "An EncryptedAttribute found and no SP private key found on the settings to decrypt it") do
|
|
932
|
+
attrs = response_encrypted_attrs.attributes
|
|
933
|
+
end
|
|
934
|
+
end
|
|
935
|
+
|
|
936
|
+
it "extract attributes when the assertion contains encrypted attributes and the private key is provided" do
|
|
937
|
+
settings.certificate = ruby_saml_cert_text
|
|
938
|
+
settings.private_key = ruby_saml_key_text
|
|
939
|
+
response_encrypted_attrs.settings = settings
|
|
940
|
+
attributes = response_encrypted_attrs.attributes
|
|
941
|
+
assert_equal "test", attributes[:uid]
|
|
942
|
+
assert_equal "test@example.com", attributes[:mail]
|
|
943
|
+
end
|
|
944
|
+
end
|
|
945
|
+
|
|
965
946
|
it "return false when validating a response with duplicate attributes" do
|
|
966
947
|
response_duplicated_attributes.settings = settings
|
|
967
948
|
response_duplicated_attributes.options[:check_duplicated_attributes] = true
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgRGVzdGluYXRpb249Imh0dHA6Ly9zdHVmZi5jb20vZW5kcG9pbnRzL2VuZHBvaW50cy9hY3MucGhwIiBJRD0icGZ4ODM2M2M2YTctZmQ1MC0yNjA0LTdmZTctZTZhNjgxYWE3ZmMxIiBJblJlc3BvbnNlVG89Il81N2JjYmY3MC03YjFmLTAxMmUtYzgyMS03ODJiY2IxM2JiMzgiIElzc3VlSW5zdGFudD0iMjAxMS0wNi0xN1QxNDo1NDoxNFoiIFZlcnNpb249IjIuMCI+DQogIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDgzNjNjNmE3LWZkNTAtMjYwNC03ZmU3LWU2YTY4MWFhN2ZjMSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+cEJ6cTlYdzBMeFBoK0x0M3VuTmdaQ081UzJjPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5wcmZlQWRzRE9mUUZUTEwwYk01WEFOQXh3cmNZZE9RTjF3U1g2eEtoSkRHU2I5V2NPUE1Pa3ZOczdRSUZyaE1nNEZpdXJtc0VnMlE1OTFRYkRVUStoNW5SbFo1NHRVcFh1eDBTOHFYSmxnd0JHWjJUWCtKeDk3TTB4NkJBS3I0cm05K0RuOGk1QW1zdU5QRUVieFhBdm5JRWJVOTNVem5wd3IyNG1OUllpdFU9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNHekNDQVlRQ0NRQ05OY1FYb20zMlZEQU5CZ2txaGtpRzl3MEJBUVVGQURCU01Rc3dDUVlEVlFRR0V3SlZVekVMTUFrR0ExVUVDQk1DU1U0eEZUQVRCZ05WQkFjVERFbHVaR2xoYm1Gd2IyeHBjekVSTUE4R0ExVUVDaE1JVDI1bFRHOW5hVzR4RERBS0JnTlZCQXNUQTBWdVp6QWVGdzB4TkRBME1qTXhPRFF4TURGYUZ3MHhOVEEwTWpNeE9EUXhNREZhTUZJeEN6QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZRUUlFd0pKVGpFVk1CTUdBMVVFQnhNTVNXNWthV0Z1WVhCdmJHbHpNUkV3RHdZRFZRUUtFd2hQYm1WTWIyZHBiakVNTUFvR0ExVUVDeE1EUlc1bk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRG82bStRWnZZUS94TDBFbExndXBLMVFEY1lMNGY1UGNrd3NOZ1M5cFV2VjdmelRxQ0hrOFRoTHhUazQyTVEyTWNKc09lVUpWUDcyOEtoeW1qRkNxeGdQNFZ1d1JrOXJwQWwwK21oeTZNUGR5anlBNkcxNGpyRFdTNjV5c0xjaEs0dC92d3BFRHowU1FsRW9HMWtNemxsU203elpTM1hyZWdBN0RqTmFVWVFxd0lEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRHQkFMTTJ2R0NpUS92bSthNnY0MCtWWDJ6ZHFIQTJRLzF2RjFpYlF6SjU0TUpDT1ZXdnMrdlFYZlpGaGRtME9QTTJJckRVN29xdktQcVA2eE9BZUpLNkgweVA3TTRZTDNmYXRTdklZbW1meVhDOWt0M1N2ei9OeXJIelBoVW5KMHllL3NVU1h4bnpReHdjbS85UHdBcXJRYUEzUXBRa0g1N3liRi9Pb3J5UGUrMmg8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT4NCiAgPHNhbWxwOlN0YXR1cz4NCiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+DQogIDwvc2FtbHA6U3RhdHVzPg0KICA8c2FtbDpBc3NlcnRpb24geG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBJRD0icGZ4Nzg0MTk5MWMtYzczZi00MDM1LWUyZWUtYzE3MGMwZTFkM2U0IiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MTRaIiBWZXJzaW9uPSIyLjAiPg0KICAgIDxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+ICAgIA0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiIFNQTmFtZVF1YWxpZmllcj0iaGVsbG8uY29tIj5zb21lb25lQGV4YW1wbGUuY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJfNTdiY2JmNzAtN2IxZi0wMTJlLWM4MjEtNzgyYmNiMTNiYjM4IiBOb3RPbk9yQWZ0ZXI9IjIwNTEtMDYtMTdUMTQ6NTk6MTRaIiBSZWNpcGllbnQ9ImhodHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHAiLz4NCiAgICAgIDwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTA2LTE3VDE0OjUzOjQ0WiIgTm90T25PckFmdGVyPSIyMDUxLTA2LTE3VDE0OjU5OjE0WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT5odHRwOi8vc3R1ZmYuY29tL2VuZHBvaW50cy9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+DQogICAgICA8L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj4NCiAgICA8L3NhbWw6Q29uZGl0aW9ucz4NCiAgICA8c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTEtMDYtMTdUMTQ6NTQ6MDdaIiBTZXNzaW9uSW5kZXg9Il81MWJlMzc5NjVmZWI1NTc5ZDgwMzE0MTA3NjkzNmRjMmU5ZDFkOThlYmYiIFNlc3Npb25Ob3RPbk9yQWZ0ZXI9IjIwNTEtMDYtMTdUMjI6NTQ6MTRaIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICANCiAgICA8c2FtbDpFbmNyeXB0ZWRBdHRyaWJ1dGU+PHhlbmM6RW5jcnlwdGVkRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNhZXMxMjgtY2JjIi8+PGRzaWc6S2V5SW5mbyB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXk+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS0xXzUiLz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPmdZYnoxVm5Bcml1bXpqTnoweGNwc0o2QnRkOGtxNzlnb0dqNm5pcWlHY3dMV1NYTTBwaTRQNUd1K2tPejFubWRtSHlnUGlXN3RqalFOTWxBYVFvN1IvNVFURjh6a3F6SXltdGY3a0VpMkhQN29FbHMya1VoOWJ5WkR0akhqdTlueVY4ajlacXlydnZyaFVXNS90RmJHZkJ5UXdYOGhiVGl1TXV5eXcxeTltVT08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PC94ZW5jOkVuY3J5cHRlZEtleT48L2RzaWc6S2V5SW5mbz4NCiAgIDx4ZW5jOkNpcGhlckRhdGE+DQogICAgICA8eGVuYzpDaXBoZXJWYWx1ZT5YWVhaQzNwUDArekFsazZYSGM4aERqQTk4R3MxNWRCaU5SZC9nU3U2MEw1blkzS3NpSkd0c0gzcGlmU2dLN2ZIWisyTzJrYUV3SmszY0djSThYc0VEcnk1YWp0NnRQT0RIRkZGeDFmV1o1SEQ5L1I4RG01U3pQSG9QMmxET2lBZWgwd3pUQjVWdUdrbU5nUmYyNjBkNkpDVndxY0RVc3FrZWJkMWkvTzd6V3VoUjFDRmZZK0l3c1l2bUdXMUlqdUQxcXVJUmdzNnFTSEt1SnhrWlM1NGp0RHhFaUR0VGN0aXhVaytlMHhHRXZUVUxKVFA5eDN5anZEV09FNGJpelZsSFJpVnVmMzRaVWJuV2hURlFiKzBIUT09PC94ZW5jOkNpcGhlclZhbHVlPg0KICAgPC94ZW5jOkNpcGhlckRhdGE+DQo8L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXR0cmlidXRlPg0KICAgICAgDQo8c2FtbDpFbmNyeXB0ZWRBdHRyaWJ1dGU+PHhlbmM6RW5jcnlwdGVkRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNhZXMxMjgtY2JjIi8+PGRzaWc6S2V5SW5mbyB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48eGVuYzpFbmNyeXB0ZWRLZXk+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS0xXzUiLz48eGVuYzpDaXBoZXJEYXRhPjx4ZW5jOkNpcGhlclZhbHVlPndqOVRBbTE4aGNkTGpqdnZ6bzdnbFF0djI3ME5FWS9wR1NpeVhIN0dXNGFWRllWWG5EbEVhSFRadFlmUnFXVXFJMCtENG5FZ1l2dzZzMEIxNzZpcWtNME1QS0ZUdUx5cDBxU2tuVDhYVmVJSmVHQ0xON1NPRFFBTE8ySlNCVk15aFNhM0MrSDN2MExITWhOVzdRMU5VeDA2WEFMYXRnTFBqc3RFaVhqYU41ST08L3hlbmM6Q2lwaGVyVmFsdWU+PC94ZW5jOkNpcGhlckRhdGE+PC94ZW5jOkVuY3J5cHRlZEtleT48L2RzaWc6S2V5SW5mbz4NCiAgIDx4ZW5jOkNpcGhlckRhdGE+DQogICAgICA8eGVuYzpDaXBoZXJWYWx1ZT4xSy9SSHFjMHN1ekc5ZUo2ditHUXljTjh5RWtTc2lFdHFFRGZvYnZ6Qkx2UFQrYno4SVRNaDlCL3FJZno2TnhUREdPejQ1WW12WC92aHhoclZiYVcwRUpLemFsQXVRN0ZpMTlOSEl1NkllcW16a29JMGlQMzNsamZjRy91N1lPNmhJeDl5OU1qeWF5MjNFcEh5akIvcVNLaTF1emJzV2JLV21rWU8yUS9TM0NVZ242Mm40b01UQkowcFdKdEY5Y0NzcWxhZ0owZXBpYkl6VksrWDFJRm1aOE85cjF2d040ZzdZNmovNUZGbjNBQnhKT0hhZVNucU95dUU2N1RhSzdmdk9tMHNNU1RBVkV1NWlqWk9Fdk5LRVB0enRHZituNlFiSXF2bmxSTllNST08L3hlbmM6Q2lwaGVyVmFsdWU+DQogICA8L3hlbmM6Q2lwaGVyRGF0YT4NCjwveGVuYzpFbmNyeXB0ZWREYXRhPjwvc2FtbDpFbmNyeXB0ZWRBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+
|
data/test/test_helper.rb
CHANGED
|
@@ -2,6 +2,7 @@ require 'simplecov'
|
|
|
2
2
|
|
|
3
3
|
SimpleCov.start do
|
|
4
4
|
add_filter "test/"
|
|
5
|
+
add_filter "vendor/"
|
|
5
6
|
add_filter "lib/onelogin/ruby-saml/logging.rb"
|
|
6
7
|
end
|
|
7
8
|
|
|
@@ -131,6 +132,10 @@ class Minitest::Test
|
|
|
131
132
|
@unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
|
|
132
133
|
end
|
|
133
134
|
|
|
135
|
+
def response_document_encrypted_attrs
|
|
136
|
+
@response_document_encrypted_attrs ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_attrs.xml.base64'))
|
|
137
|
+
end
|
|
138
|
+
|
|
134
139
|
def signature_fingerprint_1
|
|
135
140
|
@signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
|
|
136
141
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.4.
|
|
4
|
+
version: 1.4.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-10-
|
|
11
|
+
date: 2016-10-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: nokogiri
|
|
@@ -249,7 +249,6 @@ files:
|
|
|
249
249
|
- test/responses/invalids/no_status_code.xml.base64
|
|
250
250
|
- test/responses/invalids/no_subjectconfirmation_data.xml.base64
|
|
251
251
|
- test/responses/invalids/no_subjectconfirmation_method.xml.base64
|
|
252
|
-
- test/responses/invalids/response_encrypted_attrs.xml.base64
|
|
253
252
|
- test/responses/invalids/response_invalid_signed_element.xml.base64
|
|
254
253
|
- test/responses/invalids/response_with_concealed_signed_assertion.xml
|
|
255
254
|
- test/responses/invalids/response_with_doubled_signed_assertion.xml
|
|
@@ -260,6 +259,7 @@ files:
|
|
|
260
259
|
- test/responses/no_signature_ns.xml
|
|
261
260
|
- test/responses/open_saml_response.xml
|
|
262
261
|
- test/responses/response_assertion_wrapped.xml.base64
|
|
262
|
+
- test/responses/response_encrypted_attrs.xml.base64
|
|
263
263
|
- test/responses/response_encrypted_nameid.xml.base64
|
|
264
264
|
- test/responses/response_eval.xml
|
|
265
265
|
- test/responses/response_no_cert_and_encrypted_attrs.xml
|
|
@@ -390,7 +390,6 @@ test_files:
|
|
|
390
390
|
- test/responses/invalids/no_status_code.xml.base64
|
|
391
391
|
- test/responses/invalids/no_subjectconfirmation_data.xml.base64
|
|
392
392
|
- test/responses/invalids/no_subjectconfirmation_method.xml.base64
|
|
393
|
-
- test/responses/invalids/response_encrypted_attrs.xml.base64
|
|
394
393
|
- test/responses/invalids/response_invalid_signed_element.xml.base64
|
|
395
394
|
- test/responses/invalids/response_with_concealed_signed_assertion.xml
|
|
396
395
|
- test/responses/invalids/response_with_doubled_signed_assertion.xml
|
|
@@ -401,6 +400,7 @@ test_files:
|
|
|
401
400
|
- test/responses/no_signature_ns.xml
|
|
402
401
|
- test/responses/open_saml_response.xml
|
|
403
402
|
- test/responses/response_assertion_wrapped.xml.base64
|
|
403
|
+
- test/responses/response_encrypted_attrs.xml.base64
|
|
404
404
|
- test/responses/response_encrypted_nameid.xml.base64
|
|
405
405
|
- test/responses/response_eval.xml
|
|
406
406
|
- test/responses/response_no_cert_and_encrypted_attrs.xml
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
rVhXk+LKDn6/Vfc/UOwjxTgnamfOdQCTjDEmzssphzY2OOFsfv1pwjBM3D1b92nGakn96ZO6pebnX1XgNwqQpF4UPjaxB7T519N///MzNQI/7sxAGkdhChpQKUw7J+FjM0/CTmSkXtoJjQCknczq6Lwy7uAPaMdIU5Bk0FXzziT+3iZOoiyyIr/ZkECaeaGRnaG4WRZ3ECTNcsd5sKIAAaEdR16YpXf/GVb6ELtxszGQHpuxU9EUypo4TbcJB6XbLIZhbQwlnbblkMC2bdNhOBoqhy+BzaPH5t8UY1pwBW0zJua0UQwHbYvFsTbD4nABI0yTYKFRmuZgEKaZEWaPTRyFruEWGDPHyA5FdjDyudlYvvAI42pCGhuNM5Gds23ydA3Js+MHUBlB7INzYD+Re6WfdtrRvS2kIU9eiLfTGx9lWT6UxEOUbBEcRVEE5RCoY6fe9sd1x6s9sAehE53diUYYhZ5l+N7xTK4CMjeyG7y/jRIvc4MvnGMIhp6ct0FltS2MDH80kfMWr5ucQf6muzdYk9Rop66BXT2e/M2AAxIQWqCxmA0emz9+N53nEOeJEaZOlATp289/hwqEBfCjGNjt9CU4CPDfOfyUtZ/IR4ySt4X1/ifkXYl7dbI0/Bw8cQ6p9+kDpUn6ftIN66WwzV2ZibFk83gGcK98Ftwov3y+K5tbgi8WmKuqo03fVvS8iz3vi8VuS6K6Y4qYWgAjUJ0UoHNQ9GheTEOXSLiWpuBDttpjXQzhPCvrI1JckbN4NqKSgDoG87209riKZ+wQG+4hA1OWmsldR/USKzmYq72lOAbN7liplDk0s0xZyo+k2JpwQZnK+zqIDIp1yP4Bj7JD5fqRbvqBigzJxeMtnDv88FaDwhGobwGuKZSTjMy4fYiny8uBJyUDT8pgIMpHUeQ3mihq4mRiaesoIPClxE+E7f7g7j2ZK1GB1xY9XhJ0RUtLUdtIS02Tu+VwuTh2xwq/l3ls0RUFRdQXZNWb83NhO1kKvDWXun7+LPuuGfRKE69i69idKTx70XeVwRyn/LnMhcaKrCSJH13s0jmPLvPnIw96JVpNJB5VdkqlSlqlSD3jLJu/lSm9QSUe+eHFfjPn/eX8DusAYh3Od92lIijnvYVKUfQVtTdWvXyzFgpT9o/KrFtK5Vl/1C3dqRksFRO3Y3PXVRQ+umCGu81WVKgMZEfhUVnUD7I+MAlJ65444nlSnvCSKHgaDEWTIjpoac/FRkOqMdr1x9s8HmGaZG3GpENNrX2ZTrY6Fy+KJeMc5wexv2fn7ria70lc0XDFGqYqWAyXUwZnR24d7HriodpOyWVezvZcEvM+2grcmlamdr2reVrGyF0irXSaqtOx5Y7IDCnKuCsdUV3zu5GM7ZWj7+sBc3zWiXUCtjwj7SbGYqMdyoHEa7zwPibhEpPAjxW8kEVPQ4qgZdAFibaWa/xoH/o8riFY0cM8UzsOKVIZiupyVaStQls7zz3XDlB1quCDRFow0aEYTQ9TulJ5MBzRfbSeMgq5GROOkenFYBMETr0WuX1G6MURmdRJ/zh1F+EQrQGSLvR1FR61qrQChJuW/CHRDJ7QYm3fp5ja7CFqlNRT0MLd87F4X+g34eUoIPeH5M0xem1ocUfPoCh96Qb3MjGyQeN84r5v++lZu6PnlgXS9KUPIB/cXzoo/zJYXDti9VVHxJC1MtYtFwRG86br/Vq57Z1buwVuswTDkhjHYfASZwinTaIE1QY4gLMBxqAWCjCbAOSfjgV/MhicrO5t9dzcASu7+nuRTiDRA6nRg23GyL7OAPaAnSWe3XbOqh3Igefztp2cstHQpydHWg5nBscDCeQP+H50QtV8SqMARCH43x3UK9LL5u8QXXGKUeh4p51OSbx0ve8LxAo6JjASkDRvDr9xeSrePxvsJlGmhmrCO9kpThzF0bsMcpcMzoDlxR44pdj9ZjANQGbYEMh5JkVeeUC+Qv1SDMgnGb2ECrVt76SanoAKAGYLnOvsHiXRIU8oP0SCfYjkXW743PZO/R/SliWwRb9C+qjz9JuBX4O5mb1j4estrwqvEb8hgs8zNzzdCyCAeWicP78+dygD+dBhKUM/g9AG1akcMBMQcGKkHGBSFMPZLEpgJIYyNEfQtoUDzsZsjgWmczP9klEcfzndHxiFuGAIGaiyT6h8XRR9+FiCA9jTt+8pq2Od9KB4Cv+UUWLfaPzE1QeqP2C5X7mR+ZbnDKbFzDPwZvmy1g2tpI4zYN+U/uBleMcK3LOCtfDq93yKr7c2XPjy2kbJ0zAMNX7AGxjeI3/3CI7GKb5HswLZE1GGFUWGYnEJZyWUkjix2ZjXMfgNf13/HPNblO9w/psn1KtnA6Q4Rbct07q7Gq7eX3vuH7z4vsQJbOj0g8r/JZjT+y0yQNwOtg4Wfwjoq6C87Z+Fdefv1GOeaJygKMe0MYfGSQolLMriaIYhURxYloGiwDmtMMzLNHM2+gTi/bDzFU+iF7sgOQ9Hn8K6U7o8NEZoIIwrZ3z0RsvFqMurG8BIdL7UxWnNFvVq6RKwn4TTrt5itT3vqvkMPqmQsRb3EtTNB4gndmsutgGmbXcbaZzt+la+G3l4JR9W9G6/XiHdfBQFh9V0yuPVJsWcWMDSnDTWC1UTaHXIoEgkWWpaswS5dXuGsPL8LuscaklYCMWqhQ8KQ1k8G2Y5QVIuWO5XR4VICDTz9+54xHhqYsq8bw/6ZW9BHZnpdEbPVGJDOINq11+QqBqO06FFVIODPe4TzjoW0f3WoxZpPLYPGAkoNVrvxtFUJgSVOJYqPxiy64mw2lC5Fjn0KBmZVpE96xvUUYrpxt04k10269VsTXJRMeaccifO5pI/p1pG/5CKcyEpH+Gj7gPVn6X0V0m7anxzRr4pi1+WxMdyeD6KOW1U8pbfPPeXDsNM1qwRP48ERB5KIF/SZk+oBR3lB1tvvS+kBR+Mxdgw5/xKUFr1EeMin6eTpM5VJ2FxUODmcTpZzIqA1DeV4Rb5mJx6ZkiVw32NCj5FLg+BtWjxhx1q84W6PchYTazJUuVCzpyl84LmcCxAwWHG92KX3Y/YMed6yQgTqo2w2eGzuidGPWlaLZ+psk4M4kAegi6JdE8VOqUDZ8GO1yaaR6vhYicvgK/jvMGYz17KHrtxGRWkWGb+ZOdnmueSQcFkmcg7m4OlDXpHYS60JN5AW+vtthLHli0QrUDzZhZ8JDtlvz9ktrMgzIXuFqzmhCiPDGJiMrKyVp286o16VDwA7mobEXt7oo0NP0rY2XJFD9gpMmAdjSB6oDVJ+8twCAtP5xHE+GXZfF8y78vlncK1oX7sjO8a7qdd9bb60hxPP1Igb397ffoH
|