ruby-saml 1.7.2 → 1.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (154) hide show
  1. checksums.yaml +5 -5
  2. data/.travis.yml +37 -15
  3. data/README.md +127 -25
  4. data/changelog.md +61 -0
  5. data/lib/onelogin/ruby-saml/attribute_service.rb +1 -1
  6. data/lib/onelogin/ruby-saml/attributes.rb +24 -1
  7. data/lib/onelogin/ruby-saml/authrequest.rb +29 -6
  8. data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +239 -169
  9. data/lib/onelogin/ruby-saml/logging.rb +4 -1
  10. data/lib/onelogin/ruby-saml/logoutrequest.rb +27 -7
  11. data/lib/onelogin/ruby-saml/logoutresponse.rb +32 -16
  12. data/lib/onelogin/ruby-saml/metadata.rb +11 -3
  13. data/lib/onelogin/ruby-saml/response.rb +91 -30
  14. data/lib/onelogin/ruby-saml/saml_message.rb +15 -5
  15. data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
  16. data/lib/onelogin/ruby-saml/settings.rb +82 -9
  17. data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +26 -7
  18. data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +46 -18
  19. data/lib/onelogin/ruby-saml/utils.rb +87 -10
  20. data/lib/onelogin/ruby-saml/version.rb +1 -1
  21. data/lib/xml_security.rb +39 -12
  22. data/ruby-saml.gemspec +16 -8
  23. metadata +40 -274
  24. data/test/certificates/certificate1 +0 -12
  25. data/test/certificates/certificate_without_head_foot +0 -1
  26. data/test/certificates/formatted_certificate +0 -14
  27. data/test/certificates/formatted_chained_certificate +0 -42
  28. data/test/certificates/formatted_private_key +0 -12
  29. data/test/certificates/formatted_rsa_private_key +0 -12
  30. data/test/certificates/invalid_certificate1 +0 -1
  31. data/test/certificates/invalid_certificate2 +0 -1
  32. data/test/certificates/invalid_certificate3 +0 -12
  33. data/test/certificates/invalid_chained_certificate1 +0 -1
  34. data/test/certificates/invalid_private_key1 +0 -1
  35. data/test/certificates/invalid_private_key2 +0 -1
  36. data/test/certificates/invalid_private_key3 +0 -10
  37. data/test/certificates/invalid_rsa_private_key1 +0 -1
  38. data/test/certificates/invalid_rsa_private_key2 +0 -1
  39. data/test/certificates/invalid_rsa_private_key3 +0 -10
  40. data/test/certificates/ruby-saml-2.crt +0 -15
  41. data/test/certificates/ruby-saml.crt +0 -14
  42. data/test/certificates/ruby-saml.key +0 -15
  43. data/test/idp_metadata_parser_test.rb +0 -568
  44. data/test/logging_test.rb +0 -62
  45. data/test/logout_requests/invalid_slo_request.xml +0 -6
  46. data/test/logout_requests/slo_request.xml +0 -4
  47. data/test/logout_requests/slo_request.xml.base64 +0 -1
  48. data/test/logout_requests/slo_request_deflated.xml.base64 +0 -1
  49. data/test/logout_requests/slo_request_with_name_id_format.xml +0 -4
  50. data/test/logout_requests/slo_request_with_session_index.xml +0 -5
  51. data/test/logout_responses/logoutresponse_fixtures.rb +0 -67
  52. data/test/logoutrequest_test.rb +0 -212
  53. data/test/logoutresponse_test.rb +0 -402
  54. data/test/metadata/idp_descriptor.xml +0 -26
  55. data/test/metadata/idp_descriptor_2.xml +0 -56
  56. data/test/metadata/idp_descriptor_3.xml +0 -14
  57. data/test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml +0 -72
  58. data/test/metadata/idp_metadata_multi_certs.xml +0 -75
  59. data/test/metadata/idp_metadata_multi_signing_certs.xml +0 -52
  60. data/test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml +0 -71
  61. data/test/metadata/idp_multiple_descriptors.xml +0 -53
  62. data/test/metadata/no_idp_descriptor.xml +0 -21
  63. data/test/metadata_test.rb +0 -331
  64. data/test/request_test.rb +0 -296
  65. data/test/response_test.rb +0 -1535
  66. data/test/responses/adfs_response_sha1.xml +0 -46
  67. data/test/responses/adfs_response_sha256.xml +0 -46
  68. data/test/responses/adfs_response_sha384.xml +0 -46
  69. data/test/responses/adfs_response_sha512.xml +0 -46
  70. data/test/responses/adfs_response_xmlns.xml +0 -45
  71. data/test/responses/attackxee.xml +0 -13
  72. data/test/responses/invalids/duplicated_attributes.xml.base64 +0 -1
  73. data/test/responses/invalids/empty_destination.xml.base64 +0 -1
  74. data/test/responses/invalids/empty_nameid.xml.base64 +0 -1
  75. data/test/responses/invalids/encrypted_new_attack.xml.base64 +0 -1
  76. data/test/responses/invalids/invalid_audience.xml.base64 +0 -1
  77. data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
  78. data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
  79. data/test/responses/invalids/invalid_signature_position.xml.base64 +0 -1
  80. data/test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 +0 -1
  81. data/test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 +0 -1
  82. data/test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 +0 -1
  83. data/test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 +0 -1
  84. data/test/responses/invalids/multiple_assertions.xml.base64 +0 -2
  85. data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
  86. data/test/responses/invalids/no_authnstatement.xml.base64 +0 -1
  87. data/test/responses/invalids/no_conditions.xml.base64 +0 -1
  88. data/test/responses/invalids/no_id.xml.base64 +0 -1
  89. data/test/responses/invalids/no_issuer_assertion.xml.base64 +0 -1
  90. data/test/responses/invalids/no_issuer_response.xml.base64 +0 -1
  91. data/test/responses/invalids/no_nameid.xml.base64 +0 -1
  92. data/test/responses/invalids/no_saml2.xml.base64 +0 -1
  93. data/test/responses/invalids/no_signature.xml.base64 +0 -1
  94. data/test/responses/invalids/no_status.xml.base64 +0 -1
  95. data/test/responses/invalids/no_status_code.xml.base64 +0 -1
  96. data/test/responses/invalids/no_subjectconfirmation_data.xml.base64 +0 -1
  97. data/test/responses/invalids/no_subjectconfirmation_method.xml.base64 +0 -1
  98. data/test/responses/invalids/response_invalid_signed_element.xml.base64 +0 -1
  99. data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
  100. data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
  101. data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
  102. data/test/responses/invalids/status_code_responder.xml.base64 +0 -1
  103. data/test/responses/invalids/status_code_responer_and_msg.xml.base64 +0 -1
  104. data/test/responses/invalids/wrong_spnamequalifier.xml.base64 +0 -1
  105. data/test/responses/no_signature_ns.xml +0 -48
  106. data/test/responses/open_saml_response.xml +0 -56
  107. data/test/responses/response_assertion_wrapped.xml.base64 +0 -93
  108. data/test/responses/response_audience_self_closed_tag.xml.base64 +0 -1
  109. data/test/responses/response_double_status_code.xml.base64 +0 -1
  110. data/test/responses/response_encrypted_attrs.xml.base64 +0 -1
  111. data/test/responses/response_encrypted_nameid.xml.base64 +0 -1
  112. data/test/responses/response_eval.xml +0 -7
  113. data/test/responses/response_no_cert_and_encrypted_attrs.xml +0 -29
  114. data/test/responses/response_node_text_attack.xml.base64 +0 -1
  115. data/test/responses/response_unsigned_xml_base64 +0 -1
  116. data/test/responses/response_with_ampersands.xml +0 -139
  117. data/test/responses/response_with_ampersands.xml.base64 +0 -93
  118. data/test/responses/response_with_ds_namespace_at_the_root.xml.base64 +0 -1
  119. data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
  120. data/test/responses/response_with_multiple_attribute_values.xml +0 -67
  121. data/test/responses/response_with_retrieval_method.xml +0 -26
  122. data/test/responses/response_with_saml2_namespace.xml.base64 +0 -102
  123. data/test/responses/response_with_signed_assertion.xml.base64 +0 -66
  124. data/test/responses/response_with_signed_assertion_2.xml.base64 +0 -1
  125. data/test/responses/response_with_signed_assertion_3.xml +0 -30
  126. data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
  127. data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
  128. data/test/responses/response_without_attributes.xml.base64 +0 -79
  129. data/test/responses/response_without_reference_uri.xml.base64 +0 -1
  130. data/test/responses/response_wrapped.xml.base64 +0 -150
  131. data/test/responses/signed_message_encrypted_signed_assertion.xml.base64 +0 -1
  132. data/test/responses/signed_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  133. data/test/responses/signed_nameid_in_atts.xml +0 -47
  134. data/test/responses/signed_unqual_nameid_in_atts.xml +0 -47
  135. data/test/responses/simple_saml_php.xml +0 -71
  136. data/test/responses/starfield_response.xml.base64 +0 -1
  137. data/test/responses/test_sign.xml +0 -43
  138. data/test/responses/unsigned_encrypted_adfs.xml +0 -23
  139. data/test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64 +0 -1
  140. data/test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64 +0 -1
  141. data/test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64 +0 -1
  142. data/test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64 +0 -1
  143. data/test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64 +0 -1
  144. data/test/responses/unsigned_message_encrypted_signed_assertion.xml.base64 +0 -1
  145. data/test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  146. data/test/responses/valid_response.xml.base64 +0 -1
  147. data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
  148. data/test/saml_message_test.rb +0 -56
  149. data/test/settings_test.rb +0 -301
  150. data/test/slo_logoutrequest_test.rb +0 -448
  151. data/test/slo_logoutresponse_test.rb +0 -185
  152. data/test/test_helper.rb +0 -323
  153. data/test/utils_test.rb +0 -254
  154. data/test/xml_security_test.rb +0 -421
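--- a/data/test/logout_requests/slo_request_with_session_index.xml
+++ /dev/null
@@ -1,5 +0,0 @@
-<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
-<saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
-<saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>someone@example.org</saml:NameID>
-<samlp:SessionIndex>_ea853497-c58a-408a-bc23-c849752d9741</samlp:SessionIndex>
-</samlp:LogoutRequest>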
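--- a/data/test/logout_responses/logoutresponse_fixtures.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-#encoding: utf-8
-
-def default_logout_response_opts
-{
-:uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
-:issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
-:settings => settings
-}
-end
-
-def valid_logout_response_document(opts = {})
-opts = default_logout_response_opts.merge(opts)
-
-"<samlp:LogoutResponse
-xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-ID=\"#{random_id}\" Version=\"2.0\"
-IssueInstant=\"#{opts[:issue_instant]}\"
-Destination=\"#{opts[:settings].single_logout_service_url}\"
-InResponseTo=\"#{opts[:uuid]}\">
-<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-<samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
-</samlp:StatusCode>
-</samlp:Status>
-</samlp:LogoutResponse>"
-end
-
-def unsuccessful_logout_response_document(opts = {})
-opts = default_logout_response_opts.merge(opts)
-
-"<samlp:LogoutResponse
-xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-ID=\"#{random_id}\" Version=\"2.0\"
-IssueInstant=\"#{opts[:issue_instant]}\"
-Destination=\"#{opts[:settings].single_logout_service_url}\"
-InResponseTo=\"#{opts[:uuid]}\">
-<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
-<samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
-<samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
-</samlp:StatusCode>
-</samlp:Status>
-</samlp:LogoutResponse>"
-end
-
-def invalid_xml_logout_response_document
-"<samlp:SomethingAwful
-xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
-ID=\"#{random_id}\" Version=\"2.0\">
-</samlp:SomethingAwful>"
-end
-
-def settings
-@settings ||= OneLogin::RubySaml::Settings.new(
-{
-:assertion_consumer_service_url => "http://app.muda.no/sso/consume",
-:single_logout_service_url => "http://app.muda.no/sso/consume_logout",
-:issuer => "http://app.muda.no",
-:sp_name_qualifier => "http://sso.muda.no",
-:idp_sso_target_url => "http://sso.muda.no/sso",
-:idp_slo_target_url => "http://sso.muda.no/slo",
-:idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
-:name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-}
-)
-end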
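--- a/data/test/logoutrequest_test.rb
+++ /dev/null
@@ -1,212 +0,0 @@
-require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
-
-require 'onelogin/ruby-saml/logoutrequest'
-
-class RequestTest < Minitest::Test
-
-describe "Logoutrequest" do
-let(:settings) { OneLogin::RubySaml::Settings.new }
-
-before do
-settings.idp_slo_target_url = "http://unauth.com/logout"
-settings.name_identifier_value = "f00f00"
-end
-
-it "create the deflated SAMLRequest URL parameter" do
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-assert_match /^http:\/\/unauth\.com\/logout\?SAMLRequest=/, unauth_url
-
-inflated = decode_saml_request_payload(unauth_url)
-assert_match /^<samlp:LogoutRequest/, inflated
-end
-
-it "support additional params" do
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :hello => nil })
-assert_match /&hello=$/, unauth_url
-
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :foo => "bar" })
-assert_match /&foo=bar$/, unauth_url
-end
-
-it "set sessionindex" do
-settings.idp_slo_target_url = "http://example.com"
-sessionidx = OneLogin::RubySaml::Utils.uuid
-settings.sessionindex = sessionidx
-
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-inflated = decode_saml_request_payload(unauth_url)
-
-assert_match /<samlp:SessionIndex/, inflated
-assert_match %r(#{sessionidx}</samlp:SessionIndex>), inflated
-end
-
-it "set name_identifier_value" do
-settings.name_identifier_format = "transient"
-name_identifier_value = "abc123"
-settings.name_identifier_value = name_identifier_value
-
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
-inflated = decode_saml_request_payload(unauth_url)
-
-assert_match /<saml:NameID/, inflated
-assert_match %r(#{name_identifier_value}</saml:NameID>), inflated
-end
-
-describe "when the target url doesn't contain a query string" do
-it "create the SAMLRequest parameter correctly" do
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-assert_match /^http:\/\/unauth.com\/logout\?SAMLRequest/, unauth_url
-end
-end
-
-describe "when the target url contains a query string" do
-it "create the SAMLRequest parameter correctly" do
-settings.idp_slo_target_url = "http://example.com?field=value"
-
-unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings)
-assert_match /^http:\/\/example.com\?field=value&SAMLRequest/, unauth_url
-end
-end
-
-describe "consumation of logout may need to track the transaction" do
-it "have access to the request uuid" do
-settings.idp_slo_target_url = "http://example.com?field=value"
-
-unauth_req = OneLogin::RubySaml::Logoutrequest.new
-unauth_url = unauth_req.create(settings)
-
-inflated = decode_saml_request_payload(unauth_url)
-assert_match %r[ID='#{unauth_req.uuid}'], inflated
-end
-end
-
-describe "when the settings indicate to sign (embedded) logout request" do
-
-before do
-# sign the logout request
-settings.security[:logout_requests_signed] = true
-settings.security[:embed_sign] = true
-settings.certificate = ruby_saml_cert_text
-settings.private_key = ruby_saml_key_text
-end
-
-it "created a signed logout request" do
-settings.compress_request = true
-
-unauth_req = OneLogin::RubySaml::Logoutrequest.new
-unauth_url = unauth_req.create(settings)
-
-inflated = decode_saml_request_payload(unauth_url)
-assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
-assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
-assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
-end
-
-it "create a signed logout request with 256 digest and signature method" do
-settings.compress_request = false
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-settings.security[:digest_method] = XMLSecurity::Document::SHA256
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-request_xml = Base64.decode64(params["SAMLRequest"])
-
-assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
-assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha256'/>], request_xml
-end
-
-it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
-settings.compress_request = false
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-settings.security[:digest_method] = XMLSecurity::Document::SHA512
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings)
-request_xml = Base64.decode64(params["SAMLRequest"])
-
-assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'/>], request_xml
-assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmlenc#sha512'/>], request_xml
-end
-end
-
-describe "#create_params when the settings indicate to sign the logout request" do
-
-let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
-
-before do
-# sign the logout request
-settings.security[:logout_requests_signed] = true
-settings.security[:embed_sign] = false
-settings.certificate = ruby_saml_cert_text
-settings.private_key = ruby_saml_key_text
-end
-
-it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-assert params['SAMLRequest']
-assert params[:RelayState]
-assert params['Signature']
-assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1
-
-query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-assert_equal signature_algorithm, OpenSSL::Digest::SHA1
-assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-end
-
-it "create a signature parameter with RSA_SHA256 / SHA256 and validate it" do
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-assert params['Signature']
-assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA256
-
-query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-assert_equal signature_algorithm, OpenSSL::Digest::SHA256
-assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-end
-
-it "create a signature parameter with RSA_SHA384 / SHA384 and validate it" do
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-assert params['Signature']
-assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA384
-
-query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-assert_equal signature_algorithm, OpenSSL::Digest::SHA384
-assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-end
-
-it "create a signature parameter with RSA_SHA512 / SHA512 and validate it" do
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA512
-
-params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
-assert params['Signature']
-assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA512
-
-query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
-query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
-query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
-
-signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
-assert_equal signature_algorithm, OpenSSL::Digest::SHA512
-assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
-end
-
-end
-end
-end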