ruby-saml 0.5.2 → 0.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- data/Gemfile +8 -0
- data/Gemfile.lock +38 -0
- data/lib/onelogin/ruby-saml/response.rb +3 -3
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +38 -12
- data/test/request_test.rb +7 -7
- data/test/response_test.rb +2 -2
- data/test/responses/adfs_response.xml +46 -0
- data/test/xml_security_test.rb +8 -0
- metadata +24 -7
- data/test/responses/adfs_response.xml.base64 +0 -91
data/Gemfile
ADDED
data/Gemfile.lock
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
GEM
|
|
2
|
+
remote: http://rubygems.org/
|
|
3
|
+
specs:
|
|
4
|
+
columnize (0.3.6)
|
|
5
|
+
linecache (0.46)
|
|
6
|
+
rbx-require-relative (> 0.0.4)
|
|
7
|
+
macaddr (1.5.0)
|
|
8
|
+
systemu (>= 2.4.0)
|
|
9
|
+
metaclass (0.0.1)
|
|
10
|
+
mocha (0.10.5)
|
|
11
|
+
metaclass (~> 0.0.1)
|
|
12
|
+
rake (0.8.7)
|
|
13
|
+
rbx-require-relative (0.0.9)
|
|
14
|
+
ruby-debug (0.10.4)
|
|
15
|
+
columnize (>= 0.1)
|
|
16
|
+
ruby-debug-base (~> 0.10.4.0)
|
|
17
|
+
ruby-debug-base (0.10.4)
|
|
18
|
+
linecache (>= 0.3)
|
|
19
|
+
shoulda (3.0.1)
|
|
20
|
+
shoulda-context (~> 1.0.0)
|
|
21
|
+
shoulda-matchers (~> 1.0.0)
|
|
22
|
+
shoulda-context (1.0.0)
|
|
23
|
+
shoulda-matchers (1.0.0)
|
|
24
|
+
systemu (2.5.0)
|
|
25
|
+
uuid (2.3.5)
|
|
26
|
+
macaddr (~> 1.0)
|
|
27
|
+
xmlcanonicalizer (0.1.1)
|
|
28
|
+
|
|
29
|
+
PLATFORMS
|
|
30
|
+
ruby
|
|
31
|
+
|
|
32
|
+
DEPENDENCIES
|
|
33
|
+
mocha (~> 0.10.5)
|
|
34
|
+
rake
|
|
35
|
+
ruby-debug (~> 0.10.4)
|
|
36
|
+
shoulda (~> 3.0.1)
|
|
37
|
+
uuid (~> 2.3.5)
|
|
38
|
+
xmlcanonicalizer (~> 0.1.1)
|
|
@@ -29,8 +29,8 @@ module Onelogin
|
|
|
29
29
|
# The value of the user identifier as designated by the initialization request response
|
|
30
30
|
def name_id
|
|
31
31
|
@name_id ||= begin
|
|
32
|
-
node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id
|
|
33
|
-
node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id
|
|
32
|
+
node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
33
|
+
node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
34
34
|
node.nil? ? nil : node.text
|
|
35
35
|
end
|
|
36
36
|
end
|
|
@@ -69,7 +69,7 @@ module Onelogin
|
|
|
69
69
|
# Conditions (if any) for the assertion to run
|
|
70
70
|
def conditions
|
|
71
71
|
@conditions ||= begin
|
|
72
|
-
REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id
|
|
72
|
+
REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
73
73
|
end
|
|
74
74
|
end
|
|
75
75
|
|
data/lib/xml_security.rb
CHANGED
|
@@ -28,6 +28,7 @@ require "rexml/xpath"
|
|
|
28
28
|
require "openssl"
|
|
29
29
|
require "xmlcanonicalizer"
|
|
30
30
|
require "digest/sha1"
|
|
31
|
+
require "digest/sha2"
|
|
31
32
|
require "onelogin/ruby-saml/validation_error"
|
|
32
33
|
|
|
33
34
|
module XMLSecurity
|
|
@@ -60,30 +61,31 @@ module XMLSecurity
|
|
|
60
61
|
|
|
61
62
|
def validate_doc(base64_cert, soft = true)
|
|
62
63
|
# validate references
|
|
63
|
-
|
|
64
|
+
|
|
64
65
|
# check for inclusive namespaces
|
|
65
|
-
|
|
66
|
+
|
|
66
67
|
inclusive_namespaces = []
|
|
67
68
|
inclusive_namespace_element = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
|
|
68
|
-
|
|
69
|
+
|
|
69
70
|
if inclusive_namespace_element
|
|
70
71
|
prefix_list = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
|
|
71
72
|
inclusive_namespaces = prefix_list.split(" ")
|
|
72
73
|
end
|
|
73
74
|
|
|
74
75
|
# remove signature node
|
|
75
|
-
sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>
|
|
76
|
+
sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
|
|
76
77
|
sig_element.remove
|
|
77
78
|
|
|
78
79
|
# check digests
|
|
79
|
-
REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>
|
|
80
|
+
REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
|
|
80
81
|
uri = ref.attributes.get_attribute("URI").value
|
|
81
|
-
hashed_element = REXML::XPath.first(self, "//[@ID='#{uri[1
|
|
82
|
+
hashed_element = REXML::XPath.first(self, "//[@ID='#{uri[1..-1]}']")
|
|
82
83
|
canoner = XML::Util::XmlCanonicalizer.new(false, true)
|
|
83
84
|
canoner.inclusive_namespaces = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
|
|
84
85
|
canon_hashed_element = canoner.canonicalize(hashed_element).gsub('&','&')
|
|
85
|
-
|
|
86
|
-
|
|
86
|
+
algorithm = digest_algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
|
|
87
|
+
hash = Base64.encode64(algorithm.digest(canon_hashed_element)).chomp
|
|
88
|
+
digest_value = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text
|
|
87
89
|
|
|
88
90
|
unless digests_match?(hash, digest_value)
|
|
89
91
|
return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
|
|
@@ -92,17 +94,20 @@ module XMLSecurity
|
|
|
92
94
|
|
|
93
95
|
# verify signature
|
|
94
96
|
canoner = XML::Util::XmlCanonicalizer.new(false, true)
|
|
95
|
-
signed_info_element = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>
|
|
97
|
+
signed_info_element = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
|
|
96
98
|
canon_string = canoner.canonicalize(signed_info_element)
|
|
97
99
|
|
|
98
|
-
base64_signature = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>
|
|
100
|
+
base64_signature = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
|
|
99
101
|
signature = Base64.decode64(base64_signature)
|
|
100
102
|
|
|
101
103
|
# get certificate object
|
|
102
104
|
cert_text = Base64.decode64(base64_cert)
|
|
103
105
|
cert = OpenSSL::X509::Certificate.new(cert_text)
|
|
104
106
|
|
|
105
|
-
|
|
107
|
+
# signature method
|
|
108
|
+
algorithm = signature_algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod"))
|
|
109
|
+
|
|
110
|
+
if !cert.public_key.verify(algorithm.new, signature, canon_string)
|
|
106
111
|
return soft ? false : (raise ValidationError.new("Key validation error"))
|
|
107
112
|
end
|
|
108
113
|
|
|
@@ -117,7 +122,28 @@ module XMLSecurity
|
|
|
117
122
|
|
|
118
123
|
def extract_signed_element_id
|
|
119
124
|
reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
|
|
120
|
-
self.signed_element_id = reference_element.attribute("URI").value unless reference_element.nil?
|
|
125
|
+
self.signed_element_id = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
def digest_algorithm(element)
|
|
129
|
+
algorithm = element.attribute("Algorithm").value if element
|
|
130
|
+
algorithm && algorithm =~ /sha(256|384|512)$/ ? Digest::SHA2 : Digest::SHA1
|
|
121
131
|
end
|
|
132
|
+
|
|
133
|
+
def signature_algorithm(element)
|
|
134
|
+
algorithm = element.attribute("Algorithm").value if element
|
|
135
|
+
if algorithm
|
|
136
|
+
algorithm =~ /sha(.*?)$/i
|
|
137
|
+
algorithm = $1.to_i
|
|
138
|
+
end
|
|
139
|
+
case algorithm
|
|
140
|
+
when 256 then OpenSSL::Digest::SHA256
|
|
141
|
+
when 384 then OpenSSL::Digest::SHA384
|
|
142
|
+
when 512 then OpenSSL::Digest::SHA512
|
|
143
|
+
else
|
|
144
|
+
OpenSSL::Digest::SHA1
|
|
145
|
+
end
|
|
146
|
+
end
|
|
147
|
+
|
|
122
148
|
end
|
|
123
149
|
end
|
data/test/request_test.rb
CHANGED
|
@@ -5,9 +5,9 @@ class RequestTest < Test::Unit::TestCase
|
|
|
5
5
|
context "Authrequest" do
|
|
6
6
|
should "create the deflated SAMLRequest URL parameter" do
|
|
7
7
|
settings = Onelogin::Saml::Settings.new
|
|
8
|
-
settings.idp_sso_target_url = "http://
|
|
8
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
9
9
|
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
10
|
-
assert auth_url =~ /^http:\/\/
|
|
10
|
+
assert auth_url =~ /^http:\/\/example\.com\?SAMLRequest=/
|
|
11
11
|
payload = CGI.unescape(auth_url.split("=").last)
|
|
12
12
|
decoded = Base64.decode64(payload)
|
|
13
13
|
|
|
@@ -21,7 +21,7 @@ class RequestTest < Test::Unit::TestCase
|
|
|
21
21
|
|
|
22
22
|
should "accept extra parameters" do
|
|
23
23
|
settings = Onelogin::Saml::Settings.new
|
|
24
|
-
settings.idp_sso_target_url = "http://
|
|
24
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
25
25
|
|
|
26
26
|
auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
|
|
27
27
|
assert auth_url =~ /&hello=there$/
|
|
@@ -33,20 +33,20 @@ class RequestTest < Test::Unit::TestCase
|
|
|
33
33
|
context "when the target url doesn't contain a query string" do
|
|
34
34
|
should "create the SAMLRequest parameter correctly" do
|
|
35
35
|
settings = Onelogin::Saml::Settings.new
|
|
36
|
-
settings.idp_sso_target_url = "http://
|
|
36
|
+
settings.idp_sso_target_url = "http://example.com"
|
|
37
37
|
|
|
38
38
|
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
39
|
-
assert auth_url =~ /^http:\/\/
|
|
39
|
+
assert auth_url =~ /^http:\/\/example.com\?SAMLRequest/
|
|
40
40
|
end
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
context "when the target url contains a query string" do
|
|
44
44
|
should "create the SAMLRequest parameter correctly" do
|
|
45
45
|
settings = Onelogin::Saml::Settings.new
|
|
46
|
-
settings.idp_sso_target_url = "http://
|
|
46
|
+
settings.idp_sso_target_url = "http://example.com?field=value"
|
|
47
47
|
|
|
48
48
|
auth_url = Onelogin::Saml::Authrequest.new.create(settings)
|
|
49
|
-
assert auth_url =~ /^http:\/\/
|
|
49
|
+
assert auth_url =~ /^http:\/\/example.com\?field=value&SAMLRequest/
|
|
50
50
|
end
|
|
51
51
|
end
|
|
52
52
|
end
|
data/test/response_test.rb
CHANGED
|
@@ -89,11 +89,11 @@ class RubySamlTest < Test::Unit::TestCase
|
|
|
89
89
|
assert response.name_id == "test@onelogin.com"
|
|
90
90
|
end
|
|
91
91
|
|
|
92
|
-
|
|
92
|
+
should "validate ADFS assertions" do
|
|
93
93
|
response = Onelogin::Saml::Response.new(fixture(:adfs_response))
|
|
94
94
|
response.stubs(:conditions).returns(nil)
|
|
95
95
|
settings = Onelogin::Saml::Settings.new
|
|
96
|
-
settings.idp_cert_fingerprint = "
|
|
96
|
+
settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
|
|
97
97
|
response.settings = settings
|
|
98
98
|
assert response.validate!
|
|
99
99
|
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0263a07b-205f-479c-90fc-7495715ecbbf" Version="2.0" IssueInstant="2011-06-22T12:49:30.348Z" Destination="https://someone.example.com/endpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38">
|
|
3
|
+
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.example.com/issuer</Issuer>
|
|
4
|
+
<samlp:Status>
|
|
5
|
+
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
|
|
6
|
+
</samlp:Status>
|
|
7
|
+
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab" IssueInstant="2011-06-22T12:49:30.348Z" Version="2.0">
|
|
8
|
+
<Issuer>http://login.example.com/issuer</Issuer>
|
|
9
|
+
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|
|
10
|
+
<ds:SignedInfo>
|
|
11
|
+
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
12
|
+
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
|
|
13
|
+
<ds:Reference URI="#_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
14
|
+
<ds:Transforms>
|
|
15
|
+
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
16
|
+
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
17
|
+
</ds:Transforms>
|
|
18
|
+
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
|
|
19
|
+
<ds:DigestValue>5mUndDm7OQSGNYVTevsJw3JRVZiwvlDnR2nprJ+6Mhc=</ds:DigestValue>
|
|
20
|
+
</ds:Reference>
|
|
21
|
+
</ds:SignedInfo>
|
|
22
|
+
<ds:SignatureValue>MmuXQdjutiuP7soIaB7nk9wSR8OGkmyH5n9aelMTOrV7gTVNDazgQ/GXMmYXTTrhdvGN65duLO0oYdsYGxwNIjlA1lYhoGeBgYuIB/4iKZ6oLSDgjMcQxHkSW1OJ8pIEuUa/3MPUUjaSlTg0me4WRxVdXp34A9Mtlj0DgrK9m0A=</ds:SignatureValue>
|
|
23
|
+
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
24
|
+
<ds:X509Data>
|
|
25
|
+
<ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXptZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF4T0RBMU1qVTFPVm9YRFRNeU1EUXgKTXpBMU1qVTFPVm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQW9mR3p4NFZvQzZDSENYdFJPdkVLSFRzRAppNkFBWCtoVWpiSVloeERsZUxMZUNVemZDaVVXOFkwbTVrWkVKbjJXSmt5Si8wRFdPZmE5b0c1ZUg1eXNKSWpVCnpTUjVkMGJldmJZMEV1OHJDTmh3S001UzdYaXltTzBGc09mcnh6TkJxbVRBblE2VFJYT25nY1BYTitXRWd4cmQKZDVoV1V5ZXh2dkQ2d05McWdVRUNBd0VBQWFPQ0FVb3dnZ0ZHTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRMk1xTFZwRnlyVmNNaGFXMzRHanFkTVF6c3dqQVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRCQ0JnbGdoa2dCaHZoQ0FRMEVOUll6VkdWemRDQllOVEE1SUdObGNuUWdZM0psWVhSbFpDQm0KYjNJZ1QyNWxURzluYVc0Z1lua2dUR0YzY21WdVkyVWdVR2wwTUlHekJnTlZIU01FZ2Fzd2dhaUFGRFl5b3RXawpYS3RWd3lGcGJmZ2FPcDB4RE96Q29ZR01wSUdKTUlHR01Rc3dDUVlEVlFRR0V3SkJWVEVNTUFvR0ExVUVDQk1EClRsTlhNUTh3RFFZRFZRUUhFd1pUZVdSdVpYa3hEREFLQmdOVkJBb01BMUJKVkRFSk1BY0dBMVVFQ3d3QU1SZ3cKRmdZRFZRUUREQTlzWVhkeVpXNWpaWEJwZEM1amIyMHhKVEFqQmdrcWhraUc5dzBCQ1FFTUZteGhkM0psYm1ObApMbkJwZEVCbmJXRnBiQzVqYjIyQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFOM2VRMUM5T0JJbVgvdWZGClNIUC9FeUxPQjJPQ1dqdlNpSytNbndQRWsralRRdDZZYXIxMkRacWVnRGhrWC92OGplTWh4VnpwaStBcHA4M0YKYWFmUE54UFJYc01FTFRCblhDQUJ1YzZEakxBaFlvNGQ4TDhCWUovVjlxLzZRMzdNYVZmc0ZKWVVKNmFBQUppWQpwd1RMUWJidFpqaytZc0s5TzZFR1U4ZjE5djg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate>
|
|
26
|
+
</ds:X509Data>
|
|
27
|
+
</KeyInfo>
|
|
28
|
+
</ds:Signature>
|
|
29
|
+
<Subject>
|
|
30
|
+
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">hello@example.com</NameID>
|
|
31
|
+
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
|
|
32
|
+
<SubjectConfirmationData InResponseTo="_fc4a34b0-7efb-012e-caae-782bcb13bb38" NotOnOrAfter="2011-06-22T12:54:30.348Z" Recipient="https://someone.example.com/endpoint"/>
|
|
33
|
+
</SubjectConfirmation>
|
|
34
|
+
</Subject>
|
|
35
|
+
<Conditions NotBefore="2011-06-22T12:49:30.332Z" NotOnOrAfter="2011-06-22T13:49:30.332Z">
|
|
36
|
+
<AudienceRestriction>
|
|
37
|
+
<Audience>example.com</Audience>
|
|
38
|
+
</AudienceRestriction>
|
|
39
|
+
</Conditions>
|
|
40
|
+
<AuthnStatement AuthnInstant="2011-06-22T12:49:30.112Z" SessionIndex="_721b4a5a-d7e1-4861-9754-a9b197b6f9ab">
|
|
41
|
+
<AuthnContext>
|
|
42
|
+
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
|
|
43
|
+
</AuthnContext>
|
|
44
|
+
</AuthnStatement>
|
|
45
|
+
</Assertion>
|
|
46
|
+
</samlp:Response>
|
data/test/xml_security_test.rb
CHANGED
|
@@ -13,4 +13,12 @@ class XmlSecurityTest < Test::Unit::TestCase
|
|
|
13
13
|
@document.validate_doc(base64cert, true)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
|
+
|
|
17
|
+
context "Digest" do
|
|
18
|
+
should "validate using SHA256" do
|
|
19
|
+
@document = XMLSecurity::SignedDocument.new(fixture(:adfs_response, false))
|
|
20
|
+
assert @document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
16
24
|
end
|
metadata
CHANGED
|
@@ -1,12 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
|
|
4
|
+
hash: 13
|
|
5
|
+
prerelease:
|
|
5
6
|
segments:
|
|
6
7
|
- 0
|
|
7
8
|
- 5
|
|
8
|
-
-
|
|
9
|
-
version: 0.5.
|
|
9
|
+
- 3
|
|
10
|
+
version: 0.5.3
|
|
10
11
|
platform: ruby
|
|
11
12
|
authors:
|
|
12
13
|
- OneLogin LLC
|
|
@@ -14,16 +15,18 @@ autorequire:
|
|
|
14
15
|
bindir: bin
|
|
15
16
|
cert_chain: []
|
|
16
17
|
|
|
17
|
-
date: 2012-04-
|
|
18
|
+
date: 2012-04-18 00:00:00 -07:00
|
|
18
19
|
default_executable:
|
|
19
20
|
dependencies:
|
|
20
21
|
- !ruby/object:Gem::Dependency
|
|
21
22
|
name: canonix
|
|
22
23
|
prerelease: false
|
|
23
24
|
requirement: &id001 !ruby/object:Gem::Requirement
|
|
25
|
+
none: false
|
|
24
26
|
requirements:
|
|
25
27
|
- - ~>
|
|
26
28
|
- !ruby/object:Gem::Version
|
|
29
|
+
hash: 9
|
|
27
30
|
segments:
|
|
28
31
|
- 0
|
|
29
32
|
- 1
|
|
@@ -34,9 +37,11 @@ dependencies:
|
|
|
34
37
|
name: uuid
|
|
35
38
|
prerelease: false
|
|
36
39
|
requirement: &id002 !ruby/object:Gem::Requirement
|
|
40
|
+
none: false
|
|
37
41
|
requirements:
|
|
38
42
|
- - ~>
|
|
39
43
|
- !ruby/object:Gem::Version
|
|
44
|
+
hash: 5
|
|
40
45
|
segments:
|
|
41
46
|
- 2
|
|
42
47
|
- 3
|
|
@@ -47,9 +52,11 @@ dependencies:
|
|
|
47
52
|
name: shoulda
|
|
48
53
|
prerelease: false
|
|
49
54
|
requirement: &id003 !ruby/object:Gem::Requirement
|
|
55
|
+
none: false
|
|
50
56
|
requirements:
|
|
51
57
|
- - ">="
|
|
52
58
|
- !ruby/object:Gem::Version
|
|
59
|
+
hash: 3
|
|
53
60
|
segments:
|
|
54
61
|
- 0
|
|
55
62
|
version: "0"
|
|
@@ -59,9 +66,11 @@ dependencies:
|
|
|
59
66
|
name: ruby-debug
|
|
60
67
|
prerelease: false
|
|
61
68
|
requirement: &id004 !ruby/object:Gem::Requirement
|
|
69
|
+
none: false
|
|
62
70
|
requirements:
|
|
63
71
|
- - ">="
|
|
64
72
|
- !ruby/object:Gem::Version
|
|
73
|
+
hash: 3
|
|
65
74
|
segments:
|
|
66
75
|
- 0
|
|
67
76
|
version: "0"
|
|
@@ -71,9 +80,11 @@ dependencies:
|
|
|
71
80
|
name: mocha
|
|
72
81
|
prerelease: false
|
|
73
82
|
requirement: &id005 !ruby/object:Gem::Requirement
|
|
83
|
+
none: false
|
|
74
84
|
requirements:
|
|
75
85
|
- - ">="
|
|
76
86
|
- !ruby/object:Gem::Version
|
|
87
|
+
hash: 3
|
|
77
88
|
segments:
|
|
78
89
|
- 0
|
|
79
90
|
version: "0"
|
|
@@ -91,6 +102,8 @@ extra_rdoc_files:
|
|
|
91
102
|
files:
|
|
92
103
|
- .document
|
|
93
104
|
- .gitignore
|
|
105
|
+
- Gemfile
|
|
106
|
+
- Gemfile.lock
|
|
94
107
|
- LICENSE
|
|
95
108
|
- README.rdoc
|
|
96
109
|
- Rakefile
|
|
@@ -107,7 +120,7 @@ files:
|
|
|
107
120
|
- test/certificates/certificate1
|
|
108
121
|
- test/request_test.rb
|
|
109
122
|
- test/response_test.rb
|
|
110
|
-
- test/responses/adfs_response.xml
|
|
123
|
+
- test/responses/adfs_response.xml
|
|
111
124
|
- test/responses/open_saml_response.xml
|
|
112
125
|
- test/responses/response1.xml.base64
|
|
113
126
|
- test/responses/response2.xml.base64
|
|
@@ -131,23 +144,27 @@ rdoc_options:
|
|
|
131
144
|
require_paths:
|
|
132
145
|
- lib
|
|
133
146
|
required_ruby_version: !ruby/object:Gem::Requirement
|
|
147
|
+
none: false
|
|
134
148
|
requirements:
|
|
135
149
|
- - ">="
|
|
136
150
|
- !ruby/object:Gem::Version
|
|
151
|
+
hash: 3
|
|
137
152
|
segments:
|
|
138
153
|
- 0
|
|
139
154
|
version: "0"
|
|
140
155
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
156
|
+
none: false
|
|
141
157
|
requirements:
|
|
142
158
|
- - ">="
|
|
143
159
|
- !ruby/object:Gem::Version
|
|
160
|
+
hash: 3
|
|
144
161
|
segments:
|
|
145
162
|
- 0
|
|
146
163
|
version: "0"
|
|
147
164
|
requirements: []
|
|
148
165
|
|
|
149
166
|
rubyforge_project: http://www.rubygems.org/gems/ruby-saml
|
|
150
|
-
rubygems_version: 1.3
|
|
167
|
+
rubygems_version: 1.5.3
|
|
151
168
|
signing_key:
|
|
152
169
|
specification_version: 3
|
|
153
170
|
summary: SAML Ruby Tookit
|
|
@@ -155,7 +172,7 @@ test_files:
|
|
|
155
172
|
- test/certificates/certificate1
|
|
156
173
|
- test/request_test.rb
|
|
157
174
|
- test/response_test.rb
|
|
158
|
-
- test/responses/adfs_response.xml
|
|
175
|
+
- test/responses/adfs_response.xml
|
|
159
176
|
- test/responses/open_saml_response.xml
|
|
160
177
|
- test/responses/response1.xml.base64
|
|
161
178
|
- test/responses/response2.xml.base64
|
|
@@ -1,91 +0,0 @@
|
|
|
1
|
-
PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzYW1scDpSZXNwb25zZSB4bWxuczpz
|
|
2
|
-
YW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBJ
|
|
3
|
-
RD0iXzAyNjNhMDdiLTIwNWYtNDc5Yy05MGZjLTc0OTU3MTVlY2JiZiIgVmVy
|
|
4
|
-
c2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDYtMjJUMTI6NDk6MzAu
|
|
5
|
-
MzQ4WiIgRGVzdGluYXRpb249Imh0dHBzOi8vc29tZW9uZS5leGFtcGxlLmNv
|
|
6
|
-
bS9lbmRwb2ludCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6
|
|
7
|
-
Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIEluUmVzcG9uc2VUbz0iX2ZjNGEz
|
|
8
|
-
NGIwLTdlZmItMDEyZS1jYWFlLTc4MmJjYjEzYmIzOCI+CiAgPElzc3VlciB4
|
|
9
|
-
bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+
|
|
10
|
-
aHR0cDovL2xvZ2luLmV4YW1wbGUuY29tL2lzc3VlcjwvSXNzdWVyPgogIDxz
|
|
11
|
-
YW1scDpTdGF0dXM+CiAgICA8c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJu
|
|
12
|
-
Om9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+CiAg
|
|
13
|
-
PC9zYW1scDpTdGF0dXM+CiAgPEFzc2VydGlvbiB4bWxucz0idXJuOm9hc2lz
|
|
14
|
-
Om5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9Il83MjFiNGE1YS1k
|
|
15
|
-
N2UxLTQ4NjEtOTc1NC1hOWIxOTdiNmY5YWIiIElzc3VlSW5zdGFudD0iMjAx
|
|
16
|
-
MS0wNi0yMlQxMjo0OTozMC4zNDhaIiBWZXJzaW9uPSIyLjAiPgogICAgPElz
|
|
17
|
-
c3Vlcj5odHRwOi8vbG9naW4uZXhhbXBsZS5jb20vaXNzdWVyPC9Jc3N1ZXI+
|
|
18
|
-
CiAgICA8ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9y
|
|
19
|
-
Zy8yMDAwLzA5L3htbGRzaWcjIj4KICAgICAgPGRzOlNpZ25lZEluZm8+CiAg
|
|
20
|
-
ICAgICAgPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJo
|
|
21
|
-
dHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAg
|
|
22
|
-
ICAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3
|
|
23
|
-
dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPgog
|
|
24
|
-
ICAgICAgIDxkczpSZWZlcmVuY2UgVVJJPSIjXzcyMWI0YTVhLWQ3ZTEtNDg2
|
|
25
|
-
MS05NzU0LWE5YjE5N2I2ZjlhYiI+CiAgICAgICAgICA8ZHM6VHJhbnNmb3Jt
|
|
26
|
-
cz4KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6
|
|
27
|
-
Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0
|
|
28
|
-
dXJlIi8+CiAgICAgICAgICAgIDxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJo
|
|
29
|
-
dHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KICAg
|
|
30
|
-
ICAgICAgIDwvZHM6VHJhbnNmb3Jtcz4KICAgICAgICAgIDxkczpEaWdlc3RN
|
|
31
|
-
ZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3ht
|
|
32
|
-
bGVuYyNzaGEyNTYiLz4KICAgICAgICAgIDxkczpEaWdlc3RWYWx1ZT52NTN3
|
|
33
|
-
cW80ZllESzhVY3JPVWNPV2cyemxKL2NIVnVtWVMwS2pycm5WdUprPTwvZHM6
|
|
34
|
-
RGlnZXN0VmFsdWU+CiAgICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICAgIDwv
|
|
35
|
-
ZHM6U2lnbmVkSW5mbz4KICAgICAgPGRzOlNpZ25hdHVyZVZhbHVlPlowOXBl
|
|
36
|
-
d1k3ekZ2OTFobjkwbHgwRUVubE1HTkw5elVKWk14SVI2cW9mTFpPWk1sVG5Y
|
|
37
|
-
TjV6RnNmKzFYUFBJWVpMdzVsQ0dqanRtZE5seGR2NzJ6TkZsTVROUnFaN0lp
|
|
38
|
-
SXd2azVHUk0zenZBV3NOT1k2ZEI0YzVxamU0UkhxL2ZySkdCZ04vZ2VWeFZt
|
|
39
|
-
bjNMWmQ1WmNrdWh1UzFzN0ZKQW9MVWNaRUxKL25jZ1JEZGdqQUUrcjhHdGFO
|
|
40
|
-
a3U0VVRCUkdBZnRsMFBXbUFTMDdsbGU2bGFTVVBSQmRCRE5sVlN6R0FQT3lY
|
|
41
|
-
UDE2ZUkxOWJvbllMaGpiOHVoY0N0bWdicnJhbkpVVGxZc1htcnhvaGNGdW4r
|
|
42
|
-
eWZxVFdXd2l4OW1SUXRBdEFFOW5nSUUwVkRkTC9reFR0NktOb1B6d2tlajVW
|
|
43
|
-
eFNMRkFncTJ1M3JaTWN1WUdadTFIUT09PC9kczpTaWduYXR1cmVWYWx1ZT4K
|
|
44
|
-
ICAgICAgPEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv
|
|
45
|
-
MDkveG1sZHNpZyMiPgogICAgICAgIDxkczpYNTA5RGF0YT4KICAgICAgICAg
|
|
46
|
-
IDxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQzVEQ0NBY3lnQXdJQkFnSVFOQlRr
|
|
47
|
-
dDdxaWNhcEtOc0lYTWNrOHhUQU5CZ2txaGtpRzl3MEJBUXNGQURBdU1Td3dL
|
|
48
|
-
Z1lEVlFRREV5TkJSRVpUSUZOcFoyNXBibWNnTFNCc2IyZHBiaTVrY21WemIz
|
|
49
|
-
VnlZMlZ6TG1OdmJUQWVGdzB4TVRBMk1UQXhPRFUyTURGYUZ3MHhNakEyTURr
|
|
50
|
-
eE9EVTJNREZhTUM0eExEQXFCZ05WQkFNVEkwRkVSbE1nVTJsbmJtbHVaeUF0
|
|
51
|
-
SUd4dloybHVMbVJ5WlhOdmRYSmpaWE11WTI5dE1JSUJJakFOQmdrcWhraUc5
|
|
52
|
-
dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcTdBTURHbkJISUd3dDlLUHRM
|
|
53
|
-
RDBNMEVYR3VabldHQW1iNXAyRkRjRnp0SkhPSThXWVBxZVJwaHpWU0VrZ1h0
|
|
54
|
-
UEloNUp4M2VsUzZoVm43SFZqMld2eklENmpwQjQ1bzhpRGs4UFdnaTE0ZnhH
|
|
55
|
-
V0U1bzFQaUI4WHJlMWM1dnMySUc1YVBXSUQ1dUM2YkQwWGduTDk1TWdPOUhH
|
|
56
|
-
UFBTUVJGbnVqS05xekZRZHRvQkpJSmF3QWVEL2kveHM3RmpGazl4MWZBMEV5
|
|
57
|
-
TENuaCtlYWZmSXBvcmIrMXh4VzJENkQzbVJUZ2ZIeFhyV1I4VzRqSG5pZ2da
|
|
58
|
-
aHFkRGhVeHZFYWlRRlRiSU4yRCt6eUI3YVF3UUNIU0ZwZXJCYytSNUZsbGdu
|
|
59
|
-
R0FhK3NqYjZnMUZYYmVobUVHd1NheHdSWklEQWhqSVFtYTV3WDV5V0pEeEZ6
|
|
60
|
-
UjRwc1RlRlJRSURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCekFQ
|
|
61
|
-
QzJRUStVdHZrcVFZMm8vam9IR3RudUx5Zmt3ZDc2NERjR0RsY1lLVktFYURD
|
|
62
|
-
dm5KeDNneXdSVU9ERVJoRGh1Zkpid3I3T29YVmRodzcwTnRURU11Z0pGcjI5
|
|
63
|
-
U2d4bjNDaVRpeVBGU0RHang5MTFhYkt4dEpTQkludkkwMEFqWCtWbElaaG95
|
|
64
|
-
ODNZWU9SWEZjeWIrVXZoMnIyU1pVM0FDTnA4TTNjWlI2SjFFREJoUEtZd0VF
|
|
65
|
-
VWs4TlRNbVpMM3ZXanFMWldUeVRUaFRyUUYvbEg5UENsdzlPMjl1d2lmaXEy
|
|
66
|
-
WHpTeVNyMy9QSHh6cE1Sa0w5YzRFaTQ1UURtYWdlckFVUndlcTVwVVc4QzNV
|
|
67
|
-
QVVqTExWY1hrLzJwZXZaRU43MFlndDVwMmZBZ3M4NE9KaERSS2lIR3BhcmlF
|
|
68
|
-
bWo0THNKR1pzcDdxRkpwbjErTWlqUmU8L2RzOlg1MDlDZXJ0aWZpY2F0ZT4K
|
|
69
|
-
ICAgICAgICA8L2RzOlg1MDlEYXRhPgogICAgICA8L0tleUluZm8+CiAgICA8
|
|
70
|
-
L2RzOlNpZ25hdHVyZT4KICAgIDxTdWJqZWN0PgogICAgICA8TmFtZUlEIEZv
|
|
71
|
-
cm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3Jt
|
|
72
|
-
YXQ6ZW1haWxBZGRyZXNzIj5oZWxsb0BleGFtcGxlLmNvbTwvTmFtZUlEPgog
|
|
73
|
-
ICAgICA8U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpu
|
|
74
|
-
YW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPgogICAgICAgIDxTdWJqZWN0
|
|
75
|
-
Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Il9mYzRhMzRiMC03ZWZi
|
|
76
|
-
LTAxMmUtY2FhZS03ODJiY2IxM2JiMzgiIE5vdE9uT3JBZnRlcj0iMjAxMS0w
|
|
77
|
-
Ni0yMlQxMjo1NDozMC4zNDhaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc29tZW9u
|
|
78
|
-
ZS5leGFtcGxlLmNvbS9lbmRwb2ludCIvPgogICAgICA8L1N1YmplY3RDb25m
|
|
79
|
-
aXJtYXRpb24+CiAgICA8L1N1YmplY3Q+CiAgICA8Q29uZGl0aW9ucyBOb3RC
|
|
80
|
-
ZWZvcmU9IjIwMTEtMDYtMjJUMTI6NDk6MzAuMzMyWiIgTm90T25PckFmdGVy
|
|
81
|
-
PSIyMDExLTA2LTIyVDEzOjQ5OjMwLjMzMloiPgogICAgICA8QXVkaWVuY2VS
|
|
82
|
-
ZXN0cmljdGlvbj4KICAgICAgICA8QXVkaWVuY2U+ZXhhbXBsZS5jb208L0F1
|
|
83
|
-
ZGllbmNlPgogICAgICA8L0F1ZGllbmNlUmVzdHJpY3Rpb24+CiAgICA8L0Nv
|
|
84
|
-
bmRpdGlvbnM+CiAgICA8QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIy
|
|
85
|
-
MDExLTA2LTIyVDEyOjQ5OjMwLjExMloiIFNlc3Npb25JbmRleD0iXzcyMWI0
|
|
86
|
-
YTVhLWQ3ZTEtNDg2MS05NzU0LWE5YjE5N2I2ZjlhYiI+CiAgICAgIDxBdXRo
|
|
87
|
-
bkNvbnRleHQ+CiAgICAgICAgPEF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpv
|
|
88
|
-
YXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJv
|
|
89
|
-
dGVjdGVkVHJhbnNwb3J0PC9BdXRobkNvbnRleHRDbGFzc1JlZj4KICAgICAg
|
|
90
|
-
PC9BdXRobkNvbnRleHQ+CiAgICA8L0F1dGhuU3RhdGVtZW50PgogIDwvQXNz
|
|
91
|
-
ZXJ0aW9uPgo8L3NhbWxwOlJlc3BvbnNlPgo=
|