saml_idp 0.7.1 → 0.10.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/Gemfile +1 -1
- data/README.md +40 -12
- data/lib/saml_idp/configurator.rb +1 -0
- data/lib/saml_idp/controller.rb +6 -2
- data/lib/saml_idp/encryptor.rb +1 -1
- data/lib/saml_idp/incoming_metadata.rb +9 -1
- data/lib/saml_idp/request.rb +14 -0
- data/lib/saml_idp/response_builder.rb +19 -5
- data/lib/saml_idp/saml_response.rb +15 -3
- data/lib/saml_idp/service_provider.rb +14 -0
- data/lib/saml_idp/signable.rb +1 -2
- data/lib/saml_idp/version.rb +1 -1
- data/lib/saml_idp/xml_security.rb +1 -1
- data/saml_idp.gemspec +26 -23
- data/spec/acceptance/idp_controller_spec.rb +5 -4
- data/spec/lib/saml_idp/algorithmable_spec.rb +6 -6
- data/spec/lib/saml_idp/assertion_builder_spec.rb +8 -8
- data/spec/lib/saml_idp/attribute_decorator_spec.rb +8 -8
- data/spec/lib/saml_idp/configurator_spec.rb +7 -7
- data/spec/lib/saml_idp/controller_spec.rb +23 -20
- data/spec/lib/saml_idp/encryptor_spec.rb +4 -4
- data/spec/lib/saml_idp/incoming_metadata_spec.rb +46 -0
- data/spec/lib/saml_idp/metadata_builder_spec.rb +7 -17
- data/spec/lib/saml_idp/name_id_formatter_spec.rb +3 -3
- data/spec/lib/saml_idp/request_spec.rb +22 -22
- data/spec/lib/saml_idp/response_builder_spec.rb +5 -3
- data/spec/lib/saml_idp/saml_response_spec.rb +31 -8
- data/spec/lib/saml_idp/service_provider_spec.rb +2 -2
- data/spec/lib/saml_idp/signable_spec.rb +1 -1
- data/spec/lib/saml_idp/signature_builder_spec.rb +2 -2
- data/spec/lib/saml_idp/signed_info_builder_spec.rb +3 -3
- data/spec/rails_app/app/controllers/saml_controller.rb +5 -1
- data/spec/rails_app/config/application.rb +0 -6
- data/spec/rails_app/config/environments/development.rb +1 -6
- data/spec/rails_app/config/environments/production.rb +1 -0
- data/spec/rails_app/config/environments/test.rb +1 -0
- data/spec/spec_helper.rb +3 -0
- data/spec/support/saml_request_macros.rb +2 -1
- data/spec/xml_security_spec.rb +12 -12
- metadata +85 -40
- data/spec/lib/saml_idp/.assertion_builder_spec.rb.swp +0 -0
|
@@ -4,11 +4,12 @@ feature 'IdpController' do
|
|
|
4
4
|
scenario 'Login via default signup page' do
|
|
5
5
|
saml_request = make_saml_request("http://foo.example.com/saml/consume")
|
|
6
6
|
visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
|
|
7
|
-
|
|
8
|
-
fill_in '
|
|
7
|
+
expect(status_code).to eq(200)
|
|
8
|
+
fill_in 'email', :with => "foo@example.com"
|
|
9
|
+
fill_in 'password', :with => "okidoki"
|
|
9
10
|
click_button 'Sign in'
|
|
10
11
|
click_button 'Submit' # simulating onload
|
|
11
|
-
current_url.
|
|
12
|
-
page.
|
|
12
|
+
expect(current_url).to eq('http://foo.example.com/saml/consume')
|
|
13
|
+
expect(page).to have_content "foo@example.com"
|
|
13
14
|
end
|
|
14
15
|
end
|
|
@@ -9,11 +9,11 @@ module SamlIdp
|
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
it "finds algorithm class" do
|
|
12
|
-
algorithm.
|
|
12
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA256)
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
it "finds the name" do
|
|
16
|
-
algorithm_name.
|
|
16
|
+
expect(algorithm_name).to eq("sha256")
|
|
17
17
|
end
|
|
18
18
|
end
|
|
19
19
|
|
|
@@ -23,11 +23,11 @@ module SamlIdp
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
it "finds algorithm class" do
|
|
26
|
-
algorithm.
|
|
26
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA512)
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it "finds the name" do
|
|
30
|
-
algorithm_name.
|
|
30
|
+
expect(algorithm_name).to eq("sha512")
|
|
31
31
|
end
|
|
32
32
|
end
|
|
33
33
|
|
|
@@ -37,11 +37,11 @@ module SamlIdp
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
it "finds algorithm class" do
|
|
40
|
-
algorithm.
|
|
40
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA1)
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
it "finds the name" do
|
|
44
|
-
algorithm_name.
|
|
44
|
+
expect(algorithm_name).to eq("sha1")
|
|
45
45
|
end
|
|
46
46
|
end
|
|
47
47
|
end
|
|
@@ -36,14 +36,14 @@ module SamlIdp
|
|
|
36
36
|
|
|
37
37
|
it "builds a legit raw XML file" do
|
|
38
38
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
39
|
-
subject.raw.
|
|
39
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
40
40
|
end
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
it "builds a legit raw XML file" do
|
|
45
45
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
46
|
-
subject.raw.
|
|
46
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
47
47
|
end
|
|
48
48
|
end
|
|
49
49
|
|
|
@@ -55,12 +55,12 @@ module SamlIdp
|
|
|
55
55
|
email_address: ->(p) { "foo@example.com" }
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
|
-
SamlIdp.
|
|
58
|
+
allow(SamlIdp).to receive(:config).and_return(config)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
it "doesn't include attribute statement" do
|
|
62
62
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
63
|
-
subject.raw.
|
|
63
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>")
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
66
|
end
|
|
@@ -81,7 +81,7 @@ module SamlIdp
|
|
|
81
81
|
expiry
|
|
82
82
|
)
|
|
83
83
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
84
|
-
builder.raw.
|
|
84
|
+
expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
85
85
|
end
|
|
86
86
|
end
|
|
87
87
|
end
|
|
@@ -100,14 +100,14 @@ module SamlIdp
|
|
|
100
100
|
encryption_opts
|
|
101
101
|
)
|
|
102
102
|
encrypted_xml = builder.encrypt
|
|
103
|
-
encrypted_xml.
|
|
103
|
+
expect(encrypted_xml).to_not match(audience_uri)
|
|
104
104
|
end
|
|
105
105
|
|
|
106
106
|
describe "with custom session_expiry configuration" do
|
|
107
107
|
let(:config) { SamlIdp::Configurator.new }
|
|
108
108
|
before do
|
|
109
109
|
config.session_expiry = 8
|
|
110
|
-
SamlIdp.
|
|
110
|
+
allow(SamlIdp).to receive(:config).and_return(config)
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
it "sets default session_expiry from config" do
|
|
@@ -123,7 +123,7 @@ module SamlIdp
|
|
|
123
123
|
expiry,
|
|
124
124
|
encryption_opts
|
|
125
125
|
)
|
|
126
|
-
builder.session_expiry.
|
|
126
|
+
expect(builder.session_expiry).to eq(8)
|
|
127
127
|
end
|
|
128
128
|
end
|
|
129
129
|
end
|
|
@@ -12,19 +12,19 @@ module SamlIdp
|
|
|
12
12
|
let(:values) { nil }
|
|
13
13
|
|
|
14
14
|
it "has a valid name" do
|
|
15
|
-
subject.name.
|
|
15
|
+
expect(subject.name).to be_nil
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it "has a valid friendly_name" do
|
|
19
|
-
subject.friendly_name.
|
|
19
|
+
expect(subject.friendly_name).to be_nil
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
it "has a valid name_format" do
|
|
23
|
-
subject.name_format.
|
|
23
|
+
expect(subject.name_format).to eq(Saml::XML::Namespaces::Formats::Attr::URI)
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
it "has a valid values" do
|
|
27
|
-
subject.values.
|
|
27
|
+
expect(subject.values).to eq []
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
describe "with values set" do
|
|
@@ -34,19 +34,19 @@ module SamlIdp
|
|
|
34
34
|
let(:values) { :val }
|
|
35
35
|
|
|
36
36
|
it "has a valid name" do
|
|
37
|
-
subject.name.
|
|
37
|
+
expect(subject.name).to eq(name)
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
it "has a valid friendly_name" do
|
|
41
|
-
subject.friendly_name.
|
|
41
|
+
expect(subject.friendly_name).to eq(friendly_name)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
it "has a valid name_format" do
|
|
45
|
-
subject.name_format.
|
|
45
|
+
expect(subject.name_format).to eq(name_format)
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
it "has a valid values" do
|
|
49
|
-
subject.values.
|
|
49
|
+
expect(subject.values).to eq [values]
|
|
50
50
|
end
|
|
51
51
|
end
|
|
52
52
|
end
|
|
@@ -18,32 +18,32 @@ module SamlIdp
|
|
|
18
18
|
it { should respond_to :session_expiry }
|
|
19
19
|
|
|
20
20
|
it "has a valid x509_certificate" do
|
|
21
|
-
subject.x509_certificate.
|
|
21
|
+
expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
it "has a valid secret_key" do
|
|
25
|
-
subject.secret_key.
|
|
25
|
+
expect(subject.secret_key).to eq(Default::SECRET_KEY)
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
it "has a valid algorithm" do
|
|
29
|
-
subject.algorithm.
|
|
29
|
+
expect(subject.algorithm).to eq(:sha1)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it "has a valid reference_id_generator" do
|
|
33
|
-
subject.reference_id_generator.
|
|
33
|
+
expect(subject.reference_id_generator).to respond_to :call
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
|
|
37
37
|
it "can call service provider finder" do
|
|
38
|
-
subject.service_provider.finder.
|
|
38
|
+
expect(subject.service_provider.finder).to respond_to :call
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
it "can call service provider metadata persister" do
|
|
42
|
-
subject.service_provider.metadata_persister.
|
|
42
|
+
expect(subject.service_provider.metadata_persister).to respond_to :call
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
it 'has a valid session_expiry' do
|
|
46
|
-
subject.session_expiry.
|
|
46
|
+
expect(subject.session_expiry).to eq(0)
|
|
47
47
|
end
|
|
48
48
|
end
|
|
49
49
|
end
|
|
@@ -7,6 +7,9 @@ describe SamlIdp::Controller do
|
|
|
7
7
|
def render(*)
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
def head(*)
|
|
11
|
+
end
|
|
12
|
+
|
|
10
13
|
def params
|
|
11
14
|
@params ||= {}
|
|
12
15
|
end
|
|
@@ -14,8 +17,8 @@ describe SamlIdp::Controller do
|
|
|
14
17
|
it "should find the SAML ACS URL" do
|
|
15
18
|
requested_saml_acs_url = "https://example.com/saml/consume"
|
|
16
19
|
params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
|
|
17
|
-
validate_saml_request
|
|
18
|
-
saml_acs_url.
|
|
20
|
+
expect(validate_saml_request).to eq(true)
|
|
21
|
+
expect(saml_acs_url).to eq(requested_saml_acs_url)
|
|
19
22
|
end
|
|
20
23
|
|
|
21
24
|
context "SAML Responses" do
|
|
@@ -32,36 +35,36 @@ describe SamlIdp::Controller do
|
|
|
32
35
|
it "should create a SAML Response" do
|
|
33
36
|
saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
|
|
34
37
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
35
|
-
response.name_id.
|
|
36
|
-
response.issuers.first.
|
|
38
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
39
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
37
40
|
response.settings = saml_settings
|
|
38
|
-
response.is_valid
|
|
41
|
+
expect(response.is_valid?).to be_truthy
|
|
39
42
|
end
|
|
40
43
|
end
|
|
41
44
|
|
|
42
45
|
context "solicited Response" do
|
|
43
46
|
before(:each) do
|
|
44
47
|
params[:SAMLRequest] = make_saml_request
|
|
45
|
-
validate_saml_request
|
|
48
|
+
expect(validate_saml_request).to eq(true)
|
|
46
49
|
end
|
|
47
50
|
|
|
48
51
|
it "should create a SAML Response" do
|
|
49
52
|
saml_response = encode_response(principal)
|
|
50
53
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
51
|
-
response.name_id.
|
|
52
|
-
response.issuers.first.
|
|
54
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
55
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
53
56
|
response.settings = saml_settings
|
|
54
|
-
response.is_valid
|
|
57
|
+
expect(response.is_valid?).to be_truthy
|
|
55
58
|
end
|
|
56
59
|
|
|
57
60
|
it "should create a SAML Logout Response" do
|
|
58
61
|
params[:SAMLRequest] = make_saml_logout_request
|
|
59
|
-
validate_saml_request
|
|
62
|
+
expect(validate_saml_request).to eq(true)
|
|
60
63
|
expect(saml_request.logout_request?).to eq true
|
|
61
64
|
saml_response = encode_response(principal)
|
|
62
65
|
response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
|
|
63
|
-
response.validate.
|
|
64
|
-
response.issuer.
|
|
66
|
+
expect(response.validate).to eq(true)
|
|
67
|
+
expect(response.issuer).to eq("http://example.com")
|
|
65
68
|
end
|
|
66
69
|
|
|
67
70
|
|
|
@@ -70,10 +73,10 @@ describe SamlIdp::Controller do
|
|
|
70
73
|
self.algorithm = algorithm_name
|
|
71
74
|
saml_response = encode_response(principal)
|
|
72
75
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
73
|
-
response.name_id.
|
|
74
|
-
response.issuers.first.
|
|
76
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
77
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
75
78
|
response.settings = saml_settings
|
|
76
|
-
response.is_valid
|
|
79
|
+
expect(response.is_valid?).to be_truthy
|
|
77
80
|
end
|
|
78
81
|
|
|
79
82
|
it "should encrypt SAML Response assertion" do
|
|
@@ -82,11 +85,11 @@ describe SamlIdp::Controller do
|
|
|
82
85
|
resp_settings = saml_settings
|
|
83
86
|
resp_settings.private_key = SamlIdp::Default::SECRET_KEY
|
|
84
87
|
response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
|
|
85
|
-
response.document.to_s.
|
|
86
|
-
response.decrypted_document.to_s.
|
|
87
|
-
response.name_id.
|
|
88
|
-
response.issuers.first.
|
|
89
|
-
response.is_valid
|
|
88
|
+
expect(response.document.to_s).to_not match("foo@example.com")
|
|
89
|
+
expect(response.decrypted_document.to_s).to match("foo@example.com")
|
|
90
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
91
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
92
|
+
expect(response.is_valid?).to be_truthy
|
|
90
93
|
end
|
|
91
94
|
end
|
|
92
95
|
end
|
|
@@ -5,11 +5,11 @@ require 'saml_idp/encryptor'
|
|
|
5
5
|
module SamlIdp
|
|
6
6
|
describe Encryptor do
|
|
7
7
|
let (:encryption_opts) do
|
|
8
|
-
{
|
|
8
|
+
{
|
|
9
9
|
cert: Default::X509_CERTIFICATE,
|
|
10
10
|
block_encryption: 'aes256-cbc',
|
|
11
11
|
key_transport: 'rsa-oaep-mgf1p',
|
|
12
|
-
}
|
|
12
|
+
}
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
subject { described_class.new encryption_opts }
|
|
@@ -17,11 +17,11 @@ module SamlIdp
|
|
|
17
17
|
it "encrypts XML" do
|
|
18
18
|
raw_xml = '<foo>bar</foo>'
|
|
19
19
|
encrypted_xml = subject.encrypt(raw_xml)
|
|
20
|
-
encrypted_xml.
|
|
20
|
+
expect(encrypted_xml).to_not match raw_xml
|
|
21
21
|
encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
|
|
22
22
|
encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
|
|
23
23
|
decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
|
|
24
|
-
decrypted_xml.
|
|
24
|
+
expect(decrypted_xml).to eq(raw_xml)
|
|
25
25
|
end
|
|
26
26
|
end
|
|
27
27
|
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
module SamlIdp
|
|
3
|
+
|
|
4
|
+
metadata_1 = <<-eos
|
|
5
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
6
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
|
|
7
|
+
</md:SPSSODescriptor>
|
|
8
|
+
</md:EntityDescriptor>
|
|
9
|
+
eos
|
|
10
|
+
|
|
11
|
+
metadata_2 = <<-eos
|
|
12
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
13
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
|
|
14
|
+
</md:SPSSODescriptor>
|
|
15
|
+
</md:EntityDescriptor>
|
|
16
|
+
eos
|
|
17
|
+
|
|
18
|
+
metadata_3 = <<-eos
|
|
19
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
20
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
|
|
21
|
+
</md:SPSSODescriptor>
|
|
22
|
+
</md:EntityDescriptor>
|
|
23
|
+
eos
|
|
24
|
+
|
|
25
|
+
describe IncomingMetadata do
|
|
26
|
+
it 'should properly set sign_assertions to false' do
|
|
27
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_1)
|
|
28
|
+
expect(metadata.sign_assertions).to eq(false)
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it 'should properly set entity_id as https://test-saml.com/saml' do
|
|
32
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_1)
|
|
33
|
+
expect(metadata.entity_id).to eq('https://test-saml.com/saml')
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it 'should properly set sign_assertions to true' do
|
|
37
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_2)
|
|
38
|
+
expect(metadata.sign_assertions).to eq(true)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
|
|
42
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_3)
|
|
43
|
+
expect(metadata.sign_assertions).to eq(false)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
@@ -2,18 +2,16 @@ require 'spec_helper'
|
|
|
2
2
|
module SamlIdp
|
|
3
3
|
describe MetadataBuilder do
|
|
4
4
|
it "has a valid fresh" do
|
|
5
|
-
subject.fresh.
|
|
5
|
+
expect(subject.fresh).to_not be_empty
|
|
6
6
|
end
|
|
7
7
|
|
|
8
8
|
it "signs valid xml" do
|
|
9
|
-
Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).
|
|
9
|
+
expect(Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT)).to be_truthy
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
it "includes logout element" do
|
|
13
13
|
subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
|
|
14
|
-
subject.fresh.
|
|
15
|
-
'<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>'
|
|
16
|
-
)
|
|
14
|
+
expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
|
|
17
15
|
end
|
|
18
16
|
|
|
19
17
|
context "technical contact" do
|
|
@@ -32,31 +30,23 @@ module SamlIdp
|
|
|
32
30
|
subject.configurator.technical_contact.telephone = "1-800-555-5555"
|
|
33
31
|
subject.configurator.technical_contact.email_address = "acme@example.com"
|
|
34
32
|
|
|
35
|
-
subject.fresh.
|
|
36
|
-
'<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>'
|
|
37
|
-
)
|
|
33
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>')
|
|
38
34
|
end
|
|
39
35
|
|
|
40
36
|
it "no fields" do
|
|
41
|
-
subject.fresh.
|
|
42
|
-
'<ContactPerson contactType="technical"></ContactPerson>'
|
|
43
|
-
)
|
|
37
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"></ContactPerson>')
|
|
44
38
|
end
|
|
45
39
|
|
|
46
40
|
it "just email" do
|
|
47
41
|
subject.configurator.technical_contact.email_address = "acme@example.com"
|
|
48
|
-
subject.fresh.
|
|
49
|
-
'<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>'
|
|
50
|
-
)
|
|
42
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>')
|
|
51
43
|
end
|
|
52
44
|
|
|
53
45
|
end
|
|
54
46
|
|
|
55
47
|
it "includes logout element as HTTP Redirect" do
|
|
56
48
|
subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
|
|
57
|
-
subject.fresh.
|
|
58
|
-
'<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>'
|
|
59
|
-
)
|
|
49
|
+
expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
|
|
60
50
|
end
|
|
61
51
|
end
|
|
62
52
|
end
|
|
@@ -7,7 +7,7 @@ module SamlIdp
|
|
|
7
7
|
let(:list) { { email_address: ->() { "foo@example.com" } } }
|
|
8
8
|
|
|
9
9
|
it "has a valid all" do
|
|
10
|
-
subject.all.
|
|
10
|
+
expect(subject.all).to eq ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
end
|
|
@@ -21,7 +21,7 @@ module SamlIdp
|
|
|
21
21
|
}
|
|
22
22
|
|
|
23
23
|
it "has a valid all" do
|
|
24
|
-
subject.all.
|
|
24
|
+
expect(subject.all).to eq [
|
|
25
25
|
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
26
26
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
|
27
27
|
]
|
|
@@ -32,7 +32,7 @@ module SamlIdp
|
|
|
32
32
|
let(:list) { [:email_address, :undefined] }
|
|
33
33
|
|
|
34
34
|
it "has a valid all" do
|
|
35
|
-
subject.all.
|
|
35
|
+
expect(subject.all).to eq [
|
|
36
36
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
|
|
37
37
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
|
38
38
|
]
|