ruby-samlnechotech 0.7.23

data/test/settings_test.rb

@@ -0,0 +1,46 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+
+class SettingsTest < Test::Unit::TestCase
+
+  context "Settings" do
+    setup do
+      @settings = Onelogin::Saml::Settings.new
+    end
+    should "should provide getters and settings" do
+      accessors = [
+        :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
+        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
+        :idp_slo_target_url, :name_identifier_value, :sessionindex,
+        :assertion_consumer_logout_service_url,
+        :passive
+      ]
+
+      accessors.each do |accessor|
+        value = Kernel.rand
+        @settings.send("#{accessor}=".to_sym, value)
+        assert_equal value, @settings.send(accessor)
+      end
+    end
+
+    should "create settings from hash" do
+
+      config = {
+          :assertion_consumer_service_url => "http://app.muda.no/sso",
+          :issuer => "http://muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+          :passive => true,
+      }
+      @settings = Onelogin::Saml::Settings.new(config)
+
+      config.each do |k,v|
+        assert_equal v, @settings.send(k)
+      end
+    end
+
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,75 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+require 'ruby-debug'
+require 'timecop'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'ruby-samlnechotech'
+
+ENV["ruby-samlnechotech/testing"] = "1"
+
+class Test::Unit::TestCase
+  def fixture(document, base64 = true)
+    response = Dir.glob(File.join(File.dirname(__FILE__), "responses", "#{document}*")).first
+    if base64 && response =~ /\.xml$/
+      Base64.encode64(File.read(response))
+    else
+      File.read(response)
+    end
+  end
+
+  def response_document
+    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response1.xml.base64'))
+  end
+
+  def response_document_2
+    @response_document2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response2.xml.base64'))
+  end
+
+  def response_document_3
+    @response_document3 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response3.xml.base64'))
+  end
+
+  def response_document_4
+    @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
+  end
+
+  def response_document_5
+    @response_document5 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response5.xml.base64'))
+  end
+
+  def r1_response_document_6
+    @response_document6 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'r1_response6.xml.base64'))
+  end
+
+  def ampersands_response
+    @ampersands_resposne ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response_with_ampersands.xml.base64'))
+  end
+
+  def response_document_6
+    doc = Base64.decode64(response_document)
+    doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    Base64.encode64(doc)
+  end
+
+  def wrapped_response_2
+    @wrapped_response_2 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'wrapped_response_2.xml.base64'))
+  end
+
+  def signature_fingerprint_1
+    @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
+  end
+  
+  def signature_1
+    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+  end
+
+  def r1_signature_2
+    @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
+  end
+
+end

data/test/xml_security_test.rb

@@ -0,0 +1,160 @@
+require 'test_helper'
+require 'xml_security'
+
+class XmlSecurityTest < Test::Unit::TestCase
+  include XMLSecurity
+
+  context "XmlSecurity" do
+    setup do
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+      @base64cert = @document.elements["//ds:X509Certificate"].text
+    end
+
+    should "should run validate without throwing NS related exceptions" do
+      assert !@document.validate_doc(@base64cert, true)
+    end
+
+    should "should run validate with throwing NS related exceptions" do
+      assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+    end
+    
+    should "not raise an error when softly validating the document multiple times" do
+      assert_nothing_raised do
+        2.times { @document.validate_doc(@base64cert, true) }
+      end
+    end
+
+    should "should raise Fingerprint mismatch" do
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate("no:fi:ng:er:pr:in:t", false)
+      end
+      assert_equal("Fingerprint mismatch", exception.message)
+    end
+
+    should "should raise Digest mismatch" do
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        @document.validate_doc(@base64cert, false)
+      end
+      assert_equal("Digest mismatch", exception.message)
+    end
+
+    should "should raise Key validation error" do
+      response = Base64.decode64(response_document)
+      response.sub!("<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>",
+                    "<ds:DigestValue>b9xsAXLsynugg3Wc1CI3kpWku+0=</ds:DigestValue>")
+      document = XMLSecurity::SignedDocument.new(response)
+      base64cert = document.elements["//ds:X509Certificate"].text
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        document.validate_doc(base64cert, false)
+      end
+      assert_equal("Key validation error", exception.message)
+    end
+
+    should "raise validation error when the X509Certificate is missing" do
+      response = Base64.decode64(response_document)
+      response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
+      document = XMLSecurity::SignedDocument.new(response)
+      exception = assert_raise(Onelogin::Saml::ValidationError) do
+        document.validate("a fingerprint", false) # The fingerprint isn't relevant to this test
+      end
+      assert_equal("Certificate element missing in response (ds:X509Certificate)", exception.message)
+    end
+  end
+
+  context "Algorithms" do
+    should "validate using SHA1" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA256" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
+      assert @document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")
+    end
+
+    should "validate using SHA384" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+
+    should "validate using SHA512" do
+      @document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
+      assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
+    end
+  end
+  
+  context "XmlSecurity::SignedDocument" do
+    
+    context "#extract_inclusive_namespaces" do
+      should "support explicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:open_saml_response, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ xs ], inclusive_namespaces
+      end
+      
+      should "support implicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:no_signature_ns, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+      end
+
+      should_eventually 'support inclusive canonicalization' do
+
+        response = Onelogin::Saml::Response.new(fixture("tdnf_response.xml"))
+        response.stubs(:conditions).returns(nil)
+        assert !response.is_valid?
+        settings = Onelogin::Saml::Settings.new
+        assert !response.is_valid?
+        response.settings = settings
+        assert !response.is_valid?
+        settings.idp_cert_fingerprint = "e6 38 9a 20 b7 4f 13 db 6a bc b1 42 6a e7 52 1d d6 56 d4 1b".upcase.gsub(" ", ":")
+        assert response.validate!
+      end
+
+      should "return an empty list when inclusive namespace element is missing" do
+        response = fixture(:no_signature_ns, false)
+        response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+        
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+        
+        assert inclusive_namespaces.empty?
+      end
+    end
+
+    context "StarfieldTMS" do
+      setup do
+        @response = Onelogin::Saml::Response.new(fixture(:starfield_response))
+        @response.settings = Onelogin::Saml::Settings.new(
+                                                          :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
+                                                          )
+      end
+
+      should "be able to validate a good response" do
+        Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
+          assert @response.validate!
+        end
+      end
+
+      should "fail before response is valid" do
+        Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
+          assert ! @response.is_valid?
+        end
+      end
+
+      should "fail after response expires" do
+        Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
+          assert ! @response.is_valid?
+        end
+      end
+    end
+
+  end
+  
+end

metadata

@@ -0,0 +1,172 @@
+--- !ruby/object:Gem::Specification
+name: ruby-samlnechotech
+version: !ruby/object:Gem::Version
+  version: 0.7.23
+  prerelease: 
+platform: ruby
+authors:
+- OneLogin LLC, beekermememe
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-04-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: canonix
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: uuid
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+description: SAML toolkit for Ruby on Rails forked and modified by beekermememe
+email: nechotech@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE
+- README.md
+files:
+- .document
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/onelogin/ruby-samlnechotech/authrequest.rb
+- lib/onelogin/ruby-samlnechotech/logging.rb
+- lib/onelogin/ruby-samlnechotech/logoutrequest.rb
+- lib/onelogin/ruby-samlnechotech/logoutresponse.rb
+- lib/onelogin/ruby-samlnechotech/metadata.rb
+- lib/onelogin/ruby-samlnechotech/response.rb
+- lib/onelogin/ruby-samlnechotech/settings.rb
+- lib/onelogin/ruby-samlnechotech/validation_error.rb
+- lib/onelogin/ruby-samlnechotech/version.rb
+- lib/ruby-samlnechotech.rb
+- lib/schemas/saml20assertion_schema.xsd
+- lib/schemas/saml20protocol_schema.xsd
+- lib/schemas/xenc_schema.xsd
+- lib/schemas/xmldsig_schema.xsd
+- lib/xml_security.rb
+- ruby-samlnechotech.gemspec
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb
+homepage: https://github.com/beekermememe/ruby-saml
+licenses: []
+post_install_message: 
+rdoc_options:
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: http://www.rubygems.org/gems/ruby-samlnechotech
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: SAML Ruby Tookit
+test_files:
+- test/certificates/certificate1
+- test/certificates/r1_certificate2_base64
+- test/logoutrequest_test.rb
+- test/logoutresponse_test.rb
+- test/request_test.rb
+- test/response_test.rb
+- test/responses/adfs_response_sha1.xml
+- test/responses/adfs_response_sha256.xml
+- test/responses/adfs_response_sha384.xml
+- test/responses/adfs_response_sha512.xml
+- test/responses/logoutresponse_fixtures.rb
+- test/responses/no_signature_ns.xml
+- test/responses/open_saml_response.xml
+- test/responses/r1_response6.xml.base64
+- test/responses/response1.xml.base64
+- test/responses/response2.xml.base64
+- test/responses/response3.xml.base64
+- test/responses/response4.xml.base64
+- test/responses/response5.xml.base64
+- test/responses/response_with_ampersands.xml
+- test/responses/response_with_ampersands.xml.base64
+- test/responses/simple_saml_php.xml
+- test/responses/starfield_response.xml.base64
+- test/responses/wrapped_response_2.xml.base64
+- test/settings_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb