ruby-saml 1.9.0 → 1.15.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of ruby-saml might be problematic. Click here for more details.

Files changed (160) hide show
  1. checksums.yaml +5 -5
  2. data/.github/workflows/test.yml +43 -0
  3. data/{changelog.md → CHANGELOG.md} +72 -1
  4. data/LICENSE +2 -1
  5. data/README.md +439 -212
  6. data/UPGRADING.md +149 -0
  7. data/lib/onelogin/ruby-saml/attributes.rb +24 -1
  8. data/lib/onelogin/ruby-saml/authrequest.rb +27 -11
  9. data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +285 -184
  10. data/lib/onelogin/ruby-saml/logging.rb +3 -3
  11. data/lib/onelogin/ruby-saml/logoutrequest.rb +27 -12
  12. data/lib/onelogin/ruby-saml/logoutresponse.rb +27 -11
  13. data/lib/onelogin/ruby-saml/metadata.rb +62 -17
  14. data/lib/onelogin/ruby-saml/response.rb +87 -38
  15. data/lib/onelogin/ruby-saml/saml_message.rb +16 -8
  16. data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
  17. data/lib/onelogin/ruby-saml/settings.rb +123 -52
  18. data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +33 -31
  19. data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +44 -21
  20. data/lib/onelogin/ruby-saml/utils.rb +101 -9
  21. data/lib/onelogin/ruby-saml/version.rb +1 -1
  22. data/lib/xml_security.rb +41 -15
  23. data/ruby-saml.gemspec +49 -13
  24. metadata +71 -308
  25. data/.travis.yml +0 -32
  26. data/test/certificates/certificate1 +0 -12
  27. data/test/certificates/certificate_without_head_foot +0 -1
  28. data/test/certificates/formatted_certificate +0 -14
  29. data/test/certificates/formatted_chained_certificate +0 -42
  30. data/test/certificates/formatted_private_key +0 -12
  31. data/test/certificates/formatted_rsa_private_key +0 -12
  32. data/test/certificates/invalid_certificate1 +0 -1
  33. data/test/certificates/invalid_certificate2 +0 -1
  34. data/test/certificates/invalid_certificate3 +0 -12
  35. data/test/certificates/invalid_chained_certificate1 +0 -1
  36. data/test/certificates/invalid_private_key1 +0 -1
  37. data/test/certificates/invalid_private_key2 +0 -1
  38. data/test/certificates/invalid_private_key3 +0 -10
  39. data/test/certificates/invalid_rsa_private_key1 +0 -1
  40. data/test/certificates/invalid_rsa_private_key2 +0 -1
  41. data/test/certificates/invalid_rsa_private_key3 +0 -10
  42. data/test/certificates/ruby-saml-2.crt +0 -15
  43. data/test/certificates/ruby-saml.crt +0 -14
  44. data/test/certificates/ruby-saml.key +0 -15
  45. data/test/idp_metadata_parser_test.rb +0 -579
  46. data/test/logging_test.rb +0 -62
  47. data/test/logout_requests/invalid_slo_request.xml +0 -6
  48. data/test/logout_requests/slo_request.xml +0 -4
  49. data/test/logout_requests/slo_request.xml.base64 +0 -1
  50. data/test/logout_requests/slo_request_deflated.xml.base64 +0 -1
  51. data/test/logout_requests/slo_request_with_name_id_format.xml +0 -4
  52. data/test/logout_requests/slo_request_with_session_index.xml +0 -5
  53. data/test/logout_responses/logoutresponse_fixtures.rb +0 -67
  54. data/test/logoutrequest_test.rb +0 -226
  55. data/test/logoutresponse_test.rb +0 -402
  56. data/test/metadata/idp_descriptor.xml +0 -26
  57. data/test/metadata/idp_descriptor_2.xml +0 -56
  58. data/test/metadata/idp_descriptor_3.xml +0 -14
  59. data/test/metadata/idp_descriptor_4.xml +0 -72
  60. data/test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml +0 -72
  61. data/test/metadata/idp_metadata_multi_certs.xml +0 -75
  62. data/test/metadata/idp_metadata_multi_signing_certs.xml +0 -52
  63. data/test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml +0 -71
  64. data/test/metadata/idp_multiple_descriptors.xml +0 -53
  65. data/test/metadata/no_idp_descriptor.xml +0 -21
  66. data/test/metadata_test.rb +0 -331
  67. data/test/request_test.rb +0 -323
  68. data/test/response_test.rb +0 -1619
  69. data/test/responses/adfs_response_sha1.xml +0 -46
  70. data/test/responses/adfs_response_sha256.xml +0 -46
  71. data/test/responses/adfs_response_sha384.xml +0 -46
  72. data/test/responses/adfs_response_sha512.xml +0 -46
  73. data/test/responses/adfs_response_xmlns.xml +0 -45
  74. data/test/responses/attackxee.xml +0 -13
  75. data/test/responses/invalids/duplicated_attributes.xml.base64 +0 -1
  76. data/test/responses/invalids/empty_destination.xml.base64 +0 -1
  77. data/test/responses/invalids/empty_nameid.xml.base64 +0 -1
  78. data/test/responses/invalids/encrypted_new_attack.xml.base64 +0 -1
  79. data/test/responses/invalids/invalid_audience.xml.base64 +0 -1
  80. data/test/responses/invalids/invalid_issuer_assertion.xml.base64 +0 -1
  81. data/test/responses/invalids/invalid_issuer_message.xml.base64 +0 -1
  82. data/test/responses/invalids/invalid_signature_position.xml.base64 +0 -1
  83. data/test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64 +0 -1
  84. data/test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64 +0 -1
  85. data/test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64 +0 -1
  86. data/test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64 +0 -1
  87. data/test/responses/invalids/multiple_assertions.xml.base64 +0 -2
  88. data/test/responses/invalids/multiple_signed.xml.base64 +0 -1
  89. data/test/responses/invalids/no_authnstatement.xml.base64 +0 -1
  90. data/test/responses/invalids/no_conditions.xml.base64 +0 -1
  91. data/test/responses/invalids/no_id.xml.base64 +0 -1
  92. data/test/responses/invalids/no_issuer_assertion.xml.base64 +0 -1
  93. data/test/responses/invalids/no_issuer_response.xml.base64 +0 -1
  94. data/test/responses/invalids/no_nameid.xml.base64 +0 -1
  95. data/test/responses/invalids/no_saml2.xml.base64 +0 -1
  96. data/test/responses/invalids/no_signature.xml.base64 +0 -1
  97. data/test/responses/invalids/no_status.xml.base64 +0 -1
  98. data/test/responses/invalids/no_status_code.xml.base64 +0 -1
  99. data/test/responses/invalids/no_subjectconfirmation_data.xml.base64 +0 -1
  100. data/test/responses/invalids/no_subjectconfirmation_method.xml.base64 +0 -1
  101. data/test/responses/invalids/response_invalid_signed_element.xml.base64 +0 -1
  102. data/test/responses/invalids/response_with_concealed_signed_assertion.xml +0 -51
  103. data/test/responses/invalids/response_with_doubled_signed_assertion.xml +0 -49
  104. data/test/responses/invalids/signature_wrapping_attack.xml.base64 +0 -1
  105. data/test/responses/invalids/status_code_responder.xml.base64 +0 -1
  106. data/test/responses/invalids/status_code_responer_and_msg.xml.base64 +0 -1
  107. data/test/responses/invalids/wrong_spnamequalifier.xml.base64 +0 -1
  108. data/test/responses/no_signature_ns.xml +0 -48
  109. data/test/responses/open_saml_response.xml +0 -56
  110. data/test/responses/response_assertion_wrapped.xml.base64 +0 -93
  111. data/test/responses/response_audience_self_closed_tag.xml.base64 +0 -1
  112. data/test/responses/response_double_status_code.xml.base64 +0 -1
  113. data/test/responses/response_encrypted_attrs.xml.base64 +0 -1
  114. data/test/responses/response_encrypted_nameid.xml.base64 +0 -1
  115. data/test/responses/response_eval.xml +0 -7
  116. data/test/responses/response_no_cert_and_encrypted_attrs.xml +0 -29
  117. data/test/responses/response_node_text_attack.xml.base64 +0 -1
  118. data/test/responses/response_node_text_attack2.xml.base64 +0 -1
  119. data/test/responses/response_node_text_attack3.xml.base64 +0 -1
  120. data/test/responses/response_unsigned_xml_base64 +0 -1
  121. data/test/responses/response_with_ampersands.xml +0 -139
  122. data/test/responses/response_with_ampersands.xml.base64 +0 -93
  123. data/test/responses/response_with_ds_namespace_at_the_root.xml.base64 +0 -1
  124. data/test/responses/response_with_multiple_attribute_statements.xml +0 -72
  125. data/test/responses/response_with_multiple_attribute_values.xml +0 -67
  126. data/test/responses/response_with_retrieval_method.xml +0 -26
  127. data/test/responses/response_with_saml2_namespace.xml.base64 +0 -102
  128. data/test/responses/response_with_signed_assertion.xml.base64 +0 -66
  129. data/test/responses/response_with_signed_assertion_2.xml.base64 +0 -1
  130. data/test/responses/response_with_signed_assertion_3.xml +0 -30
  131. data/test/responses/response_with_signed_message_and_assertion.xml +0 -34
  132. data/test/responses/response_with_undefined_recipient.xml.base64 +0 -1
  133. data/test/responses/response_without_attributes.xml.base64 +0 -79
  134. data/test/responses/response_without_reference_uri.xml.base64 +0 -1
  135. data/test/responses/response_wrapped.xml.base64 +0 -150
  136. data/test/responses/signed_message_encrypted_signed_assertion.xml.base64 +0 -1
  137. data/test/responses/signed_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  138. data/test/responses/signed_nameid_in_atts.xml +0 -47
  139. data/test/responses/signed_unqual_nameid_in_atts.xml +0 -47
  140. data/test/responses/simple_saml_php.xml +0 -71
  141. data/test/responses/starfield_response.xml.base64 +0 -1
  142. data/test/responses/test_sign.xml +0 -43
  143. data/test/responses/unsigned_encrypted_adfs.xml +0 -23
  144. data/test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64 +0 -1
  145. data/test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64 +0 -1
  146. data/test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64 +0 -1
  147. data/test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64 +0 -1
  148. data/test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64 +0 -1
  149. data/test/responses/unsigned_message_encrypted_signed_assertion.xml.base64 +0 -1
  150. data/test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64 +0 -1
  151. data/test/responses/valid_response.xml.base64 +0 -1
  152. data/test/responses/valid_response_with_formatted_x509certificate.xml.base64 +0 -1
  153. data/test/responses/valid_response_without_x509certificate.xml.base64 +0 -1
  154. data/test/saml_message_test.rb +0 -56
  155. data/test/settings_test.rb +0 -329
  156. data/test/slo_logoutrequest_test.rb +0 -448
  157. data/test/slo_logoutresponse_test.rb +0 -199
  158. data/test/test_helper.rb +0 -327
  159. data/test/utils_test.rb +0 -254
  160. data/test/xml_security_test.rb +0 -421
data/test/test_helper.rb DELETED
@@ -1,327 +0,0 @@
1
- require 'simplecov'
2
-
3
- SimpleCov.start do
4
- add_filter "test/"
5
- add_filter "vendor/"
6
- add_filter "lib/onelogin/ruby-saml/logging.rb"
7
- end
8
-
9
- require 'stringio'
10
- require 'rubygems'
11
- require 'bundler'
12
- require 'minitest/autorun'
13
- require 'mocha/setup'
14
- require 'timecop'
15
-
16
- Bundler.require :default, :test
17
-
18
- $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
19
- $LOAD_PATH.unshift(File.dirname(__FILE__))
20
-
21
- require 'onelogin/ruby-saml/logging'
22
-
23
- TEST_LOGGER = Logger.new(StringIO.new)
24
- OneLogin::RubySaml::Logging.logger = TEST_LOGGER
25
-
26
- class Minitest::Test
27
- def fixture(document, base64 = true)
28
- response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
29
- if base64 && response =~ /\.xml$/
30
- Base64.encode64(File.read(response))
31
- else
32
- File.read(response)
33
- end
34
- end
35
-
36
- def read_response(response)
37
- File.read(File.join(File.dirname(__FILE__), "responses", response))
38
- end
39
-
40
- def read_invalid_response(response)
41
- File.read(File.join(File.dirname(__FILE__), "responses", "invalids", response))
42
- end
43
-
44
- def read_logout_request(request)
45
- File.read(File.join(File.dirname(__FILE__), "logout_requests", request))
46
- end
47
-
48
- def read_certificate(certificate)
49
- File.read(File.join(File.dirname(__FILE__), "certificates", certificate))
50
- end
51
-
52
- def response_document_valid_signed
53
- @response_document_valid_signed ||= read_response("valid_response.xml.base64")
54
- end
55
-
56
- def response_document_valid_signed_without_x509certificate
57
- @response_document_valid_signed_without_x509certificate ||= read_response("valid_response_without_x509certificate.xml.base64")
58
- end
59
-
60
- def response_document_without_recipient
61
- @response_document_without_recipient ||= read_response("response_with_undefined_recipient.xml.base64")
62
- end
63
-
64
- def response_document_without_recipient_with_time_updated
65
- doc = Base64.decode64(response_document_without_recipient)
66
- doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
67
- doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
68
- Base64.encode64(doc)
69
- end
70
-
71
- def response_document_without_attributes
72
- @response_document_without_attributes ||= read_response("response_without_attributes.xml.base64")
73
- end
74
-
75
- def response_document_without_reference_uri
76
- @response_document_without_reference_uri ||= read_response("response_without_reference_uri.xml.base64")
77
- end
78
-
79
- def response_document_with_signed_assertion
80
- @response_document_with_signed_assertion ||= read_response("response_with_signed_assertion.xml.base64")
81
- end
82
-
83
- def response_document_with_signed_assertion_2
84
- @response_document_with_signed_assertion_2 ||= read_response("response_with_signed_assertion_2.xml.base64")
85
- end
86
-
87
- def response_document_with_ds_namespace_at_the_root
88
- @response_document_with_ds_namespace_at_the_root ||= read_response("response_with_ds_namespace_at_the_root.xml.base64")
89
- end
90
-
91
- def response_document_unsigned
92
- @response_document_unsigned ||= read_response("response_unsigned_xml_base64")
93
- end
94
-
95
- def response_document_with_saml2_namespace
96
- @response_document_with_saml2_namespace ||= read_response("response_with_saml2_namespace.xml.base64")
97
- end
98
-
99
- def ampersands_document
100
- @ampersands_response ||= read_response("response_with_ampersands.xml.base64")
101
- end
102
-
103
- def response_document_no_cert_and_encrypted_attrs
104
- @response_document_no_cert_and_encrypted_attrs ||= Base64.encode64(read_response("response_no_cert_and_encrypted_attrs.xml"))
105
- end
106
-
107
- def response_document_wrapped
108
- @response_document_wrapped ||= read_response("response_wrapped.xml.base64")
109
- end
110
-
111
- def response_document_assertion_wrapped
112
- @response_document_assertion_wrapped ||= read_response("response_assertion_wrapped.xml.base64")
113
- end
114
-
115
- def response_document_encrypted_nameid
116
- @response_document_encrypted_nameid ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_nameid.xml.base64'))
117
- end
118
-
119
- def signed_message_encrypted_unsigned_assertion
120
- @signed_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_unsigned_assertion.xml.base64'))
121
- end
122
-
123
- def signed_message_encrypted_signed_assertion
124
- @signed_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'signed_message_encrypted_signed_assertion.xml.base64'))
125
- end
126
-
127
- def unsigned_message_encrypted_signed_assertion
128
- @unsigned_message_encrypted_signed_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_signed_assertion.xml.base64'))
129
- end
130
-
131
- def unsigned_message_encrypted_unsigned_assertion
132
- @unsigned_message_encrypted_unsigned_assertion ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'unsigned_message_encrypted_unsigned_assertion.xml.base64'))
133
- end
134
-
135
- def response_document_encrypted_attrs
136
- @response_document_encrypted_attrs ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_encrypted_attrs.xml.base64'))
137
- end
138
-
139
- def response_document_double_status_code
140
- @response_document_double_status_code ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_double_status_code.xml.base64'))
141
- end
142
-
143
- def signature_fingerprint_1
144
- @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
145
- end
146
-
147
- # certificate used on response_with_undefined_recipient
148
- def signature_1
149
- @signature1 ||= read_certificate("certificate1")
150
- end
151
-
152
- # certificate used on response_document_with_signed_assertion_2
153
- def certificate_without_head_foot
154
- @certificate_without_head_foot ||= read_certificate("certificate_without_head_foot")
155
- end
156
-
157
- def idp_metadata_descriptor
158
- @idp_metadata_descriptor ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor.xml'))
159
- end
160
-
161
- def idp_metadata_descriptor2
162
- @idp_metadata_descriptor2 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_2.xml'))
163
- end
164
-
165
- def idp_metadata_descriptor3
166
- @idp_metadata_descriptor3 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_3.xml'))
167
- end
168
-
169
- def idp_metadata_descriptor4
170
- @idp_metadata_descriptor4 ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_descriptor_4.xml'))
171
- end
172
-
173
- def no_idp_metadata_descriptor
174
- @no_idp_metadata_descriptor ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'no_idp_descriptor.xml'))
175
- end
176
-
177
- def idp_metadata_multiple_descriptors
178
- @idp_metadata_multiple_descriptors ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_multiple_descriptors.xml'))
179
- end
180
-
181
- def idp_metadata_multiple_certs
182
- @idp_metadata_multiple_descriptors ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_metadata_multi_certs.xml'))
183
- end
184
-
185
- def idp_metadata_multiple_signing_certs
186
- @idp_metadata_multiple_signing_certs ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_metadata_multi_signing_certs.xml'))
187
- end
188
-
189
- def idp_metadata_same_sign_and_encrypt_cert
190
- @idp_metadata_same_sign_and_encrypt_cert ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_metadata_same_sign_and_encrypt_cert.xml'))
191
- end
192
-
193
- def idp_metadata_different_sign_and_encrypt_cert
194
- @idp_metadata_different_sign_and_encrypt_cert ||= File.read(File.join(File.dirname(__FILE__), 'metadata', 'idp_metadata_different_sign_and_encrypt_cert.xml'))
195
- end
196
-
197
- def logout_request_document
198
- unless @logout_request_document
199
- xml = read_logout_request("slo_request.xml")
200
- deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
201
- @logout_request_document = Base64.encode64(deflated)
202
- end
203
- @logout_request_document
204
- end
205
-
206
- def logout_request_document_with_name_id_format
207
- unless @logout_request_document_with_name_id_format
208
- xml = read_logout_request("slo_request_with_name_id_format.xml")
209
- deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
210
- @logout_request_document_with_name_id_format = Base64.encode64(deflated)
211
- end
212
- @logout_request_document_with_name_id_format
213
- end
214
-
215
- def logout_request_xml_with_session_index
216
- @logout_request_xml_with_session_index ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_with_session_index.xml'))
217
- end
218
-
219
- def invalid_logout_request_document
220
- unless @invalid_logout_request_document
221
- xml = File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'invalid_slo_request.xml'))
222
- deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
223
- @invalid_logout_request_document = Base64.encode64(deflated)
224
- end
225
- @invalid_logout_request_document
226
- end
227
-
228
- def logout_request_base64
229
- @logout_request_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request.xml.base64'))
230
- end
231
-
232
- def logout_request_deflated_base64
233
- @logout_request_deflated_base64 ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_deflated.xml.base64'))
234
- end
235
-
236
- def ruby_saml_cert
237
- @ruby_saml_cert ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text)
238
- end
239
-
240
- def ruby_saml_cert2
241
- @ruby_saml_cert2 ||= OpenSSL::X509::Certificate.new(ruby_saml_cert_text2)
242
- end
243
-
244
- def ruby_saml_cert_fingerprint
245
- @ruby_saml_cert_fingerprint ||= Digest::SHA1.hexdigest(ruby_saml_cert.to_der).scan(/../).join(":")
246
- end
247
-
248
- def ruby_saml_cert_text
249
- read_certificate("ruby-saml.crt")
250
- end
251
-
252
- def ruby_saml_cert_text2
253
- read_certificate("ruby-saml-2.crt")
254
- end
255
-
256
- def ruby_saml_key
257
- @ruby_saml_key ||= OpenSSL::PKey::RSA.new(ruby_saml_key_text)
258
- end
259
-
260
- def ruby_saml_key_text
261
- read_certificate("ruby-saml.key")
262
- end
263
-
264
- #
265
- # logoutresponse fixtures
266
- #
267
- def random_id
268
- "_#{OneLogin::RubySaml::Utils.uuid}"
269
- end
270
-
271
- #
272
- # decodes a base64 encoded SAML response for use in SloLogoutresponse tests
273
- #
274
- def decode_saml_response_payload(unauth_url)
275
- payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
276
- decoded = Base64.decode64(payload)
277
-
278
- zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
279
- inflated = zstream.inflate(decoded)
280
- zstream.finish
281
- zstream.close
282
- inflated
283
- end
284
-
285
- #
286
- # decodes a base64 encoded SAML request for use in Logoutrequest tests
287
- #
288
- def decode_saml_request_payload(unauth_url)
289
- payload = CGI.unescape(unauth_url.split("SAMLRequest=").last)
290
- decoded = Base64.decode64(payload)
291
-
292
- zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
293
- inflated = zstream.inflate(decoded)
294
- zstream.finish
295
- zstream.close
296
- inflated
297
- end
298
-
299
- SCHEMA_DIR = File.expand_path(File.join(__FILE__, '../../lib/schemas'))
300
-
301
- #
302
- # validate an xml document against the given schema
303
- #
304
- def validate_xml!(document, schema)
305
- Dir.chdir(SCHEMA_DIR) do
306
- xsd = if schema.is_a? Nokogiri::XML::Schema
307
- schema
308
- else
309
- Nokogiri::XML::Schema(File.read(schema))
310
- end
311
-
312
- xml = if document.is_a? Nokogiri::XML::Document
313
- document
314
- else
315
- Nokogiri::XML(document) { |c| c.strict }
316
- end
317
-
318
- result = xsd.validate(xml)
319
-
320
- if result.length != 0
321
- raise "Schema validation failed! XSD validation errors: #{result.join(", ")}"
322
- else
323
- true
324
- end
325
- end
326
- end
327
- end
data/test/utils_test.rb DELETED
@@ -1,254 +0,0 @@
1
- require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
2
-
3
- class UtilsTest < Minitest::Test
4
- describe ".format_cert" do
5
- let(:formatted_certificate) {read_certificate("formatted_certificate")}
6
- let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
7
-
8
- it "returns empty string when the cert is an empty string" do
9
- cert = ""
10
- assert_equal "", OneLogin::RubySaml::Utils.format_cert(cert)
11
- end
12
-
13
- it "returns nil when the cert is nil" do
14
- cert = nil
15
- assert_nil OneLogin::RubySaml::Utils.format_cert(cert)
16
- end
17
-
18
- it "returns the certificate when it is valid" do
19
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_certificate)
20
- end
21
-
22
- it "reformats the certificate when there are spaces and no line breaks" do
23
- invalid_certificate1 = read_certificate("invalid_certificate1")
24
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate1)
25
- end
26
-
27
- it "reformats the certificate when there are spaces and no headers" do
28
- invalid_certificate2 = read_certificate("invalid_certificate2")
29
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
30
- end
31
-
32
- it "reformats the certificate when there line breaks and no headers" do
33
- invalid_certificate3 = read_certificate("invalid_certificate3")
34
- assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
35
- end
36
-
37
- it "returns the chained certificate when it is a valid chained certificate" do
38
- assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
39
- end
40
-
41
- it "reformats the chained certificate when there are spaces and no line breaks" do
42
- invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
43
- assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
44
- end
45
-
46
- end
47
-
48
- describe ".format_private_key" do
49
- let(:formatted_private_key) do
50
- read_certificate("formatted_private_key")
51
- end
52
-
53
- it "returns empty string when the private key is an empty string" do
54
- private_key = ""
55
- assert_equal "", OneLogin::RubySaml::Utils.format_private_key(private_key)
56
- end
57
-
58
- it "returns nil when the private key is nil" do
59
- private_key = nil
60
- assert_nil OneLogin::RubySaml::Utils.format_private_key(private_key)
61
- end
62
-
63
- it "returns the private key when it is valid" do
64
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_private_key)
65
- end
66
-
67
- it "reformats the private key when there are spaces and no line breaks" do
68
- invalid_private_key1 = read_certificate("invalid_private_key1")
69
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key1)
70
- end
71
-
72
- it "reformats the private key when there are spaces and no headers" do
73
- invalid_private_key2 = read_certificate("invalid_private_key2")
74
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key2)
75
- end
76
-
77
- it "reformats the private key when there line breaks and no headers" do
78
- invalid_private_key3 = read_certificate("invalid_private_key3")
79
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_private_key3)
80
- end
81
-
82
- describe "an RSA public key" do
83
- let(:formatted_rsa_private_key) do
84
- read_certificate("formatted_rsa_private_key")
85
- end
86
-
87
- it "returns the private key when it is valid" do
88
- assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(formatted_rsa_private_key)
89
- end
90
-
91
- it "reformats the private key when there are spaces and no line breaks" do
92
- invalid_rsa_private_key1 = read_certificate("invalid_rsa_private_key1")
93
- assert_equal formatted_rsa_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key1)
94
- end
95
-
96
- it "reformats the private key when there are spaces and no headers" do
97
- invalid_rsa_private_key2 = read_certificate("invalid_rsa_private_key2")
98
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key2)
99
- end
100
-
101
- it "reformats the private key when there line breaks and no headers" do
102
- invalid_rsa_private_key3 = read_certificate("invalid_rsa_private_key3")
103
- assert_equal formatted_private_key, OneLogin::RubySaml::Utils.format_private_key(invalid_rsa_private_key3)
104
- end
105
- end
106
- end
107
-
108
- describe "build_query" do
109
- it "returns the query string" do
110
- params = {}
111
- params[:type] = "SAMLRequest"
112
- params[:data] = "PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8+"
113
- params[:relay_state] = "http://example.com"
114
- params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
115
- query_string = OneLogin::RubySaml::Utils.build_query(params)
116
- assert_equal "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1", query_string
117
- end
118
- end
119
-
120
- describe "#verify_signature" do
121
- before do
122
- @params = {}
123
- @params[:cert] = ruby_saml_cert
124
- @params[:sig_alg] = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
125
- @params[:query_string] = "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCBEZXN0aW5hdGlvbj0naHR0cDovL2V4YW1wbGUuY29tP2ZpZWxkPXZhbHVlJyBJRD0nXzk4NmUxZDEwLWVhY2ItMDEzMi01MGRkLTAwOTBmNWRlZGQ3NycgSXNzdWVJbnN0YW50PScyMDE1LTA2LTAxVDIwOjM0OjU5WicgVmVyc2lvbj0nMi4wJyB4bWxuczpzYW1sPSd1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uJyB4bWxuczpzYW1scD0ndXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sJy8%2B&RelayState=http%3A%2F%2Fexample.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
126
- end
127
-
128
- it "returns true when the signature is valid" do
129
- @params[:signature] = "uWJm/T4gKLYEsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
130
- assert OneLogin::RubySaml::Utils.verify_signature(@params)
131
- end
132
-
133
- it "returns false when the signature is invalid" do
134
- @params[:signature] = "uWJm/InVaLiDsVu1j/ZmjDeHp9zYPXPXWTXHFJZf2KKnWg57fUw3x2l6KTyRQ+Xjigb+sfYdGnnwmIz6KngXYRnh7nO6inspRLWOwkqQFy9iR9LDlMcfpXV/0g3oAxBxO6tX8MUHqR2R62SYZRGd1rxC9apg4vQiP97+atOI8t4="
135
- assert !OneLogin::RubySaml::Utils.verify_signature(@params)
136
- end
137
- end
138
-
139
- describe "#status_error_msg" do
140
- it "returns a error msg with a status message" do
141
- error_msg = "The status code of the Logout Response was not Success"
142
- status_code = "urn:oasis:names:tc:SAML:2.0:status:Requester"
143
- status_message = "The request could not be performed due to an error on the part of the requester."
144
- status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
145
- assert_equal = "The status code of the Logout Response was not Success, was Requester -> The request could not be performed due to an error on the part of the requester.", status_error_msg
146
-
147
- status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
148
- assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
149
-
150
- status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
151
- assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
152
- end
153
- end
154
-
155
- describe "Utils" do
156
-
157
- describe ".uuid" do
158
- it "returns a uuid starting with an underscore" do
159
- assert_match /^_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, OneLogin::RubySaml::Utils.uuid
160
- end
161
-
162
- it "doesn't return the same value twice" do
163
- refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
164
- end
165
- end
166
-
167
- describe 'uri_match' do
168
- it 'matches two urls' do
169
- destination = 'http://www.example.com/test?var=stuff'
170
- settings = 'http://www.example.com/test?var=stuff'
171
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
172
- end
173
-
174
- it 'fails to match two urls' do
175
- destination = 'http://www.example.com/test?var=stuff'
176
- settings = 'http://www.example.com/othertest?var=stuff'
177
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
178
- end
179
-
180
- it "matches two URLs if the scheme case doesn't match" do
181
- destination = 'http://www.example.com/test?var=stuff'
182
- settings = 'HTTP://www.example.com/test?var=stuff'
183
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
184
- end
185
-
186
- it "matches two URLs if the host case doesn't match" do
187
- destination = 'http://www.EXAMPLE.com/test?var=stuff'
188
- settings = 'http://www.example.com/test?var=stuff'
189
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
190
- end
191
-
192
- it "fails to match two URLs if the path case doesn't match" do
193
- destination = 'http://www.example.com/TEST?var=stuff'
194
- settings = 'http://www.example.com/test?var=stuff'
195
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
196
- end
197
-
198
- it "fails to match two URLs if the query case doesn't match" do
199
- destination = 'http://www.example.com/test?var=stuff'
200
- settings = 'http://www.example.com/test?var=STUFF'
201
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
202
- end
203
-
204
- it 'matches two non urls' do
205
- destination = 'stuff'
206
- settings = 'stuff'
207
- assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
208
- end
209
-
210
- it "fails to match two non urls" do
211
- destination = 'stuff'
212
- settings = 'not stuff'
213
- assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
214
- end
215
- end
216
-
217
- describe 'element_text' do
218
- it 'returns the element text' do
219
- element = REXML::Document.new('<element>element text</element>').elements.first
220
- assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
221
- end
222
-
223
- it 'returns all segments of the element text' do
224
- element = REXML::Document.new('<element>element <!-- comment -->text</element>').elements.first
225
- assert_equal 'element text', OneLogin::RubySaml::Utils.element_text(element)
226
- end
227
-
228
- it 'returns normalized element text' do
229
- element = REXML::Document.new('<element>element &amp; text</element>').elements.first
230
- assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
231
- end
232
-
233
- it 'returns the CDATA element text' do
234
- element = REXML::Document.new('<element><![CDATA[element & text]]></element>').elements.first
235
- assert_equal 'element & text', OneLogin::RubySaml::Utils.element_text(element)
236
- end
237
-
238
- it 'returns the element text with newlines and additional whitespace' do
239
- element = REXML::Document.new("<element> element \n text </element>").elements.first
240
- assert_equal " element \n text ", OneLogin::RubySaml::Utils.element_text(element)
241
- end
242
-
243
- it 'returns nil when element is nil' do
244
- assert_nil OneLogin::RubySaml::Utils.element_text(nil)
245
- end
246
-
247
- it 'returns empty string when element has no text' do
248
- element = REXML::Document.new('<element></element>').elements.first
249
- assert_equal '', OneLogin::RubySaml::Utils.element_text(element)
250
- end
251
-
252
- end
253
- end
254
- end