saml_idp 0.7.1 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/Gemfile +1 -1
- data/README.md +40 -12
- data/lib/saml_idp/configurator.rb +1 -0
- data/lib/saml_idp/controller.rb +6 -2
- data/lib/saml_idp/encryptor.rb +1 -1
- data/lib/saml_idp/incoming_metadata.rb +9 -1
- data/lib/saml_idp/request.rb +14 -0
- data/lib/saml_idp/response_builder.rb +19 -5
- data/lib/saml_idp/saml_response.rb +15 -3
- data/lib/saml_idp/service_provider.rb +14 -0
- data/lib/saml_idp/signable.rb +1 -2
- data/lib/saml_idp/version.rb +1 -1
- data/lib/saml_idp/xml_security.rb +1 -1
- data/saml_idp.gemspec +26 -23
- data/spec/acceptance/idp_controller_spec.rb +5 -4
- data/spec/lib/saml_idp/algorithmable_spec.rb +6 -6
- data/spec/lib/saml_idp/assertion_builder_spec.rb +8 -8
- data/spec/lib/saml_idp/attribute_decorator_spec.rb +8 -8
- data/spec/lib/saml_idp/configurator_spec.rb +7 -7
- data/spec/lib/saml_idp/controller_spec.rb +23 -20
- data/spec/lib/saml_idp/encryptor_spec.rb +4 -4
- data/spec/lib/saml_idp/incoming_metadata_spec.rb +46 -0
- data/spec/lib/saml_idp/metadata_builder_spec.rb +7 -17
- data/spec/lib/saml_idp/name_id_formatter_spec.rb +3 -3
- data/spec/lib/saml_idp/request_spec.rb +22 -22
- data/spec/lib/saml_idp/response_builder_spec.rb +5 -3
- data/spec/lib/saml_idp/saml_response_spec.rb +31 -8
- data/spec/lib/saml_idp/service_provider_spec.rb +2 -2
- data/spec/lib/saml_idp/signable_spec.rb +1 -1
- data/spec/lib/saml_idp/signature_builder_spec.rb +2 -2
- data/spec/lib/saml_idp/signed_info_builder_spec.rb +3 -3
- data/spec/rails_app/app/controllers/saml_controller.rb +5 -1
- data/spec/rails_app/config/application.rb +0 -6
- data/spec/rails_app/config/environments/development.rb +1 -6
- data/spec/rails_app/config/environments/production.rb +1 -0
- data/spec/rails_app/config/environments/test.rb +1 -0
- data/spec/spec_helper.rb +3 -0
- data/spec/support/saml_request_macros.rb +2 -1
- data/spec/xml_security_spec.rb +12 -12
- metadata +85 -40
- data/spec/lib/saml_idp/.assertion_builder_spec.rb.swp +0 -0
|
@@ -4,11 +4,12 @@ feature 'IdpController' do
|
|
|
4
4
|
scenario 'Login via default signup page' do
|
|
5
5
|
saml_request = make_saml_request("http://foo.example.com/saml/consume")
|
|
6
6
|
visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
|
|
7
|
-
|
|
8
|
-
fill_in '
|
|
7
|
+
expect(status_code).to eq(200)
|
|
8
|
+
fill_in 'email', :with => "foo@example.com"
|
|
9
|
+
fill_in 'password', :with => "okidoki"
|
|
9
10
|
click_button 'Sign in'
|
|
10
11
|
click_button 'Submit' # simulating onload
|
|
11
|
-
current_url.
|
|
12
|
-
page.
|
|
12
|
+
expect(current_url).to eq('http://foo.example.com/saml/consume')
|
|
13
|
+
expect(page).to have_content "foo@example.com"
|
|
13
14
|
end
|
|
14
15
|
end
|
|
@@ -9,11 +9,11 @@ module SamlIdp
|
|
|
9
9
|
end
|
|
10
10
|
|
|
11
11
|
it "finds algorithm class" do
|
|
12
|
-
algorithm.
|
|
12
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA256)
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
it "finds the name" do
|
|
16
|
-
algorithm_name.
|
|
16
|
+
expect(algorithm_name).to eq("sha256")
|
|
17
17
|
end
|
|
18
18
|
end
|
|
19
19
|
|
|
@@ -23,11 +23,11 @@ module SamlIdp
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
it "finds algorithm class" do
|
|
26
|
-
algorithm.
|
|
26
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA512)
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it "finds the name" do
|
|
30
|
-
algorithm_name.
|
|
30
|
+
expect(algorithm_name).to eq("sha512")
|
|
31
31
|
end
|
|
32
32
|
end
|
|
33
33
|
|
|
@@ -37,11 +37,11 @@ module SamlIdp
|
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
it "finds algorithm class" do
|
|
40
|
-
algorithm.
|
|
40
|
+
expect(algorithm).to eq(OpenSSL::Digest::SHA1)
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
it "finds the name" do
|
|
44
|
-
algorithm_name.
|
|
44
|
+
expect(algorithm_name).to eq("sha1")
|
|
45
45
|
end
|
|
46
46
|
end
|
|
47
47
|
end
|
|
@@ -36,14 +36,14 @@ module SamlIdp
|
|
|
36
36
|
|
|
37
37
|
it "builds a legit raw XML file" do
|
|
38
38
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
39
|
-
subject.raw.
|
|
39
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
40
40
|
end
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
it "builds a legit raw XML file" do
|
|
45
45
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
46
|
-
subject.raw.
|
|
46
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
47
47
|
end
|
|
48
48
|
end
|
|
49
49
|
|
|
@@ -55,12 +55,12 @@ module SamlIdp
|
|
|
55
55
|
email_address: ->(p) { "foo@example.com" }
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
|
-
SamlIdp.
|
|
58
|
+
allow(SamlIdp).to receive(:config).and_return(config)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
it "doesn't include attribute statement" do
|
|
62
62
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
63
|
-
subject.raw.
|
|
63
|
+
expect(subject.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>")
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
66
|
end
|
|
@@ -81,7 +81,7 @@ module SamlIdp
|
|
|
81
81
|
expiry
|
|
82
82
|
)
|
|
83
83
|
Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
|
|
84
|
-
builder.raw.
|
|
84
|
+
expect(builder.raw).to eq("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement></Assertion>")
|
|
85
85
|
end
|
|
86
86
|
end
|
|
87
87
|
end
|
|
@@ -100,14 +100,14 @@ module SamlIdp
|
|
|
100
100
|
encryption_opts
|
|
101
101
|
)
|
|
102
102
|
encrypted_xml = builder.encrypt
|
|
103
|
-
encrypted_xml.
|
|
103
|
+
expect(encrypted_xml).to_not match(audience_uri)
|
|
104
104
|
end
|
|
105
105
|
|
|
106
106
|
describe "with custom session_expiry configuration" do
|
|
107
107
|
let(:config) { SamlIdp::Configurator.new }
|
|
108
108
|
before do
|
|
109
109
|
config.session_expiry = 8
|
|
110
|
-
SamlIdp.
|
|
110
|
+
allow(SamlIdp).to receive(:config).and_return(config)
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
it "sets default session_expiry from config" do
|
|
@@ -123,7 +123,7 @@ module SamlIdp
|
|
|
123
123
|
expiry,
|
|
124
124
|
encryption_opts
|
|
125
125
|
)
|
|
126
|
-
builder.session_expiry.
|
|
126
|
+
expect(builder.session_expiry).to eq(8)
|
|
127
127
|
end
|
|
128
128
|
end
|
|
129
129
|
end
|
|
@@ -12,19 +12,19 @@ module SamlIdp
|
|
|
12
12
|
let(:values) { nil }
|
|
13
13
|
|
|
14
14
|
it "has a valid name" do
|
|
15
|
-
subject.name.
|
|
15
|
+
expect(subject.name).to be_nil
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
it "has a valid friendly_name" do
|
|
19
|
-
subject.friendly_name.
|
|
19
|
+
expect(subject.friendly_name).to be_nil
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
it "has a valid name_format" do
|
|
23
|
-
subject.name_format.
|
|
23
|
+
expect(subject.name_format).to eq(Saml::XML::Namespaces::Formats::Attr::URI)
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
it "has a valid values" do
|
|
27
|
-
subject.values.
|
|
27
|
+
expect(subject.values).to eq []
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
describe "with values set" do
|
|
@@ -34,19 +34,19 @@ module SamlIdp
|
|
|
34
34
|
let(:values) { :val }
|
|
35
35
|
|
|
36
36
|
it "has a valid name" do
|
|
37
|
-
subject.name.
|
|
37
|
+
expect(subject.name).to eq(name)
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
it "has a valid friendly_name" do
|
|
41
|
-
subject.friendly_name.
|
|
41
|
+
expect(subject.friendly_name).to eq(friendly_name)
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
it "has a valid name_format" do
|
|
45
|
-
subject.name_format.
|
|
45
|
+
expect(subject.name_format).to eq(name_format)
|
|
46
46
|
end
|
|
47
47
|
|
|
48
48
|
it "has a valid values" do
|
|
49
|
-
subject.values.
|
|
49
|
+
expect(subject.values).to eq [values]
|
|
50
50
|
end
|
|
51
51
|
end
|
|
52
52
|
end
|
|
@@ -18,32 +18,32 @@ module SamlIdp
|
|
|
18
18
|
it { should respond_to :session_expiry }
|
|
19
19
|
|
|
20
20
|
it "has a valid x509_certificate" do
|
|
21
|
-
subject.x509_certificate.
|
|
21
|
+
expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
it "has a valid secret_key" do
|
|
25
|
-
subject.secret_key.
|
|
25
|
+
expect(subject.secret_key).to eq(Default::SECRET_KEY)
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
it "has a valid algorithm" do
|
|
29
|
-
subject.algorithm.
|
|
29
|
+
expect(subject.algorithm).to eq(:sha1)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
it "has a valid reference_id_generator" do
|
|
33
|
-
subject.reference_id_generator.
|
|
33
|
+
expect(subject.reference_id_generator).to respond_to :call
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
|
|
37
37
|
it "can call service provider finder" do
|
|
38
|
-
subject.service_provider.finder.
|
|
38
|
+
expect(subject.service_provider.finder).to respond_to :call
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
it "can call service provider metadata persister" do
|
|
42
|
-
subject.service_provider.metadata_persister.
|
|
42
|
+
expect(subject.service_provider.metadata_persister).to respond_to :call
|
|
43
43
|
end
|
|
44
44
|
|
|
45
45
|
it 'has a valid session_expiry' do
|
|
46
|
-
subject.session_expiry.
|
|
46
|
+
expect(subject.session_expiry).to eq(0)
|
|
47
47
|
end
|
|
48
48
|
end
|
|
49
49
|
end
|
|
@@ -7,6 +7,9 @@ describe SamlIdp::Controller do
|
|
|
7
7
|
def render(*)
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
+
def head(*)
|
|
11
|
+
end
|
|
12
|
+
|
|
10
13
|
def params
|
|
11
14
|
@params ||= {}
|
|
12
15
|
end
|
|
@@ -14,8 +17,8 @@ describe SamlIdp::Controller do
|
|
|
14
17
|
it "should find the SAML ACS URL" do
|
|
15
18
|
requested_saml_acs_url = "https://example.com/saml/consume"
|
|
16
19
|
params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
|
|
17
|
-
validate_saml_request
|
|
18
|
-
saml_acs_url.
|
|
20
|
+
expect(validate_saml_request).to eq(true)
|
|
21
|
+
expect(saml_acs_url).to eq(requested_saml_acs_url)
|
|
19
22
|
end
|
|
20
23
|
|
|
21
24
|
context "SAML Responses" do
|
|
@@ -32,36 +35,36 @@ describe SamlIdp::Controller do
|
|
|
32
35
|
it "should create a SAML Response" do
|
|
33
36
|
saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
|
|
34
37
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
35
|
-
response.name_id.
|
|
36
|
-
response.issuers.first.
|
|
38
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
39
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
37
40
|
response.settings = saml_settings
|
|
38
|
-
response.is_valid
|
|
41
|
+
expect(response.is_valid?).to be_truthy
|
|
39
42
|
end
|
|
40
43
|
end
|
|
41
44
|
|
|
42
45
|
context "solicited Response" do
|
|
43
46
|
before(:each) do
|
|
44
47
|
params[:SAMLRequest] = make_saml_request
|
|
45
|
-
validate_saml_request
|
|
48
|
+
expect(validate_saml_request).to eq(true)
|
|
46
49
|
end
|
|
47
50
|
|
|
48
51
|
it "should create a SAML Response" do
|
|
49
52
|
saml_response = encode_response(principal)
|
|
50
53
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
51
|
-
response.name_id.
|
|
52
|
-
response.issuers.first.
|
|
54
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
55
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
53
56
|
response.settings = saml_settings
|
|
54
|
-
response.is_valid
|
|
57
|
+
expect(response.is_valid?).to be_truthy
|
|
55
58
|
end
|
|
56
59
|
|
|
57
60
|
it "should create a SAML Logout Response" do
|
|
58
61
|
params[:SAMLRequest] = make_saml_logout_request
|
|
59
|
-
validate_saml_request
|
|
62
|
+
expect(validate_saml_request).to eq(true)
|
|
60
63
|
expect(saml_request.logout_request?).to eq true
|
|
61
64
|
saml_response = encode_response(principal)
|
|
62
65
|
response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
|
|
63
|
-
response.validate.
|
|
64
|
-
response.issuer.
|
|
66
|
+
expect(response.validate).to eq(true)
|
|
67
|
+
expect(response.issuer).to eq("http://example.com")
|
|
65
68
|
end
|
|
66
69
|
|
|
67
70
|
|
|
@@ -70,10 +73,10 @@ describe SamlIdp::Controller do
|
|
|
70
73
|
self.algorithm = algorithm_name
|
|
71
74
|
saml_response = encode_response(principal)
|
|
72
75
|
response = OneLogin::RubySaml::Response.new(saml_response)
|
|
73
|
-
response.name_id.
|
|
74
|
-
response.issuers.first.
|
|
76
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
77
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
75
78
|
response.settings = saml_settings
|
|
76
|
-
response.is_valid
|
|
79
|
+
expect(response.is_valid?).to be_truthy
|
|
77
80
|
end
|
|
78
81
|
|
|
79
82
|
it "should encrypt SAML Response assertion" do
|
|
@@ -82,11 +85,11 @@ describe SamlIdp::Controller do
|
|
|
82
85
|
resp_settings = saml_settings
|
|
83
86
|
resp_settings.private_key = SamlIdp::Default::SECRET_KEY
|
|
84
87
|
response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
|
|
85
|
-
response.document.to_s.
|
|
86
|
-
response.decrypted_document.to_s.
|
|
87
|
-
response.name_id.
|
|
88
|
-
response.issuers.first.
|
|
89
|
-
response.is_valid
|
|
88
|
+
expect(response.document.to_s).to_not match("foo@example.com")
|
|
89
|
+
expect(response.decrypted_document.to_s).to match("foo@example.com")
|
|
90
|
+
expect(response.name_id).to eq("foo@example.com")
|
|
91
|
+
expect(response.issuers.first).to eq("http://example.com")
|
|
92
|
+
expect(response.is_valid?).to be_truthy
|
|
90
93
|
end
|
|
91
94
|
end
|
|
92
95
|
end
|
|
@@ -5,11 +5,11 @@ require 'saml_idp/encryptor'
|
|
|
5
5
|
module SamlIdp
|
|
6
6
|
describe Encryptor do
|
|
7
7
|
let (:encryption_opts) do
|
|
8
|
-
{
|
|
8
|
+
{
|
|
9
9
|
cert: Default::X509_CERTIFICATE,
|
|
10
10
|
block_encryption: 'aes256-cbc',
|
|
11
11
|
key_transport: 'rsa-oaep-mgf1p',
|
|
12
|
-
}
|
|
12
|
+
}
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
subject { described_class.new encryption_opts }
|
|
@@ -17,11 +17,11 @@ module SamlIdp
|
|
|
17
17
|
it "encrypts XML" do
|
|
18
18
|
raw_xml = '<foo>bar</foo>'
|
|
19
19
|
encrypted_xml = subject.encrypt(raw_xml)
|
|
20
|
-
encrypted_xml.
|
|
20
|
+
expect(encrypted_xml).to_not match raw_xml
|
|
21
21
|
encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
|
|
22
22
|
encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
|
|
23
23
|
decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
|
|
24
|
-
decrypted_xml.
|
|
24
|
+
expect(decrypted_xml).to eq(raw_xml)
|
|
25
25
|
end
|
|
26
26
|
end
|
|
27
27
|
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
module SamlIdp
|
|
3
|
+
|
|
4
|
+
metadata_1 = <<-eos
|
|
5
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
6
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="false">
|
|
7
|
+
</md:SPSSODescriptor>
|
|
8
|
+
</md:EntityDescriptor>
|
|
9
|
+
eos
|
|
10
|
+
|
|
11
|
+
metadata_2 = <<-eos
|
|
12
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
13
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true">
|
|
14
|
+
</md:SPSSODescriptor>
|
|
15
|
+
</md:EntityDescriptor>
|
|
16
|
+
eos
|
|
17
|
+
|
|
18
|
+
metadata_3 = <<-eos
|
|
19
|
+
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="test" entityID="https://test-saml.com/saml">
|
|
20
|
+
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
|
|
21
|
+
</md:SPSSODescriptor>
|
|
22
|
+
</md:EntityDescriptor>
|
|
23
|
+
eos
|
|
24
|
+
|
|
25
|
+
describe IncomingMetadata do
|
|
26
|
+
it 'should properly set sign_assertions to false' do
|
|
27
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_1)
|
|
28
|
+
expect(metadata.sign_assertions).to eq(false)
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it 'should properly set entity_id as https://test-saml.com/saml' do
|
|
32
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_1)
|
|
33
|
+
expect(metadata.entity_id).to eq('https://test-saml.com/saml')
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it 'should properly set sign_assertions to true' do
|
|
37
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_2)
|
|
38
|
+
expect(metadata.sign_assertions).to eq(true)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it 'should properly set sign_assertions to false when WantAssertionsSigned is not included' do
|
|
42
|
+
metadata = SamlIdp::IncomingMetadata.new(metadata_3)
|
|
43
|
+
expect(metadata.sign_assertions).to eq(false)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
@@ -2,18 +2,16 @@ require 'spec_helper'
|
|
|
2
2
|
module SamlIdp
|
|
3
3
|
describe MetadataBuilder do
|
|
4
4
|
it "has a valid fresh" do
|
|
5
|
-
subject.fresh.
|
|
5
|
+
expect(subject.fresh).to_not be_empty
|
|
6
6
|
end
|
|
7
7
|
|
|
8
8
|
it "signs valid xml" do
|
|
9
|
-
Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).
|
|
9
|
+
expect(Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT)).to be_truthy
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
it "includes logout element" do
|
|
13
13
|
subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
|
|
14
|
-
subject.fresh.
|
|
15
|
-
'<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>'
|
|
16
|
-
)
|
|
14
|
+
expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>')
|
|
17
15
|
end
|
|
18
16
|
|
|
19
17
|
context "technical contact" do
|
|
@@ -32,31 +30,23 @@ module SamlIdp
|
|
|
32
30
|
subject.configurator.technical_contact.telephone = "1-800-555-5555"
|
|
33
31
|
subject.configurator.technical_contact.email_address = "acme@example.com"
|
|
34
32
|
|
|
35
|
-
subject.fresh.
|
|
36
|
-
'<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>'
|
|
37
|
-
)
|
|
33
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"><Company>ACME Corporation</Company><GivenName>Road</GivenName><SurName>Runner</SurName><EmailAddress>mailto:acme@example.com</EmailAddress><TelephoneNumber>1-800-555-5555</TelephoneNumber></ContactPerson>')
|
|
38
34
|
end
|
|
39
35
|
|
|
40
36
|
it "no fields" do
|
|
41
|
-
subject.fresh.
|
|
42
|
-
'<ContactPerson contactType="technical"></ContactPerson>'
|
|
43
|
-
)
|
|
37
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"></ContactPerson>')
|
|
44
38
|
end
|
|
45
39
|
|
|
46
40
|
it "just email" do
|
|
47
41
|
subject.configurator.technical_contact.email_address = "acme@example.com"
|
|
48
|
-
subject.fresh.
|
|
49
|
-
'<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>'
|
|
50
|
-
)
|
|
42
|
+
expect(subject.fresh).to match('<ContactPerson contactType="technical"><EmailAddress>mailto:acme@example.com</EmailAddress></ContactPerson>')
|
|
51
43
|
end
|
|
52
44
|
|
|
53
45
|
end
|
|
54
46
|
|
|
55
47
|
it "includes logout element as HTTP Redirect" do
|
|
56
48
|
subject.configurator.single_logout_service_redirect_location = 'https://example.com/saml/logout'
|
|
57
|
-
subject.fresh.
|
|
58
|
-
'<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>'
|
|
59
|
-
)
|
|
49
|
+
expect(subject.fresh).to match('<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/saml/logout"/>')
|
|
60
50
|
end
|
|
61
51
|
end
|
|
62
52
|
end
|
|
@@ -7,7 +7,7 @@ module SamlIdp
|
|
|
7
7
|
let(:list) { { email_address: ->() { "foo@example.com" } } }
|
|
8
8
|
|
|
9
9
|
it "has a valid all" do
|
|
10
|
-
subject.all.
|
|
10
|
+
expect(subject.all).to eq ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
end
|
|
@@ -21,7 +21,7 @@ module SamlIdp
|
|
|
21
21
|
}
|
|
22
22
|
|
|
23
23
|
it "has a valid all" do
|
|
24
|
-
subject.all.
|
|
24
|
+
expect(subject.all).to eq [
|
|
25
25
|
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
26
26
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
|
27
27
|
]
|
|
@@ -32,7 +32,7 @@ module SamlIdp
|
|
|
32
32
|
let(:list) { [:email_address, :undefined] }
|
|
33
33
|
|
|
34
34
|
it "has a valid all" do
|
|
35
|
-
subject.all.
|
|
35
|
+
expect(subject.all).to eq [
|
|
36
36
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
|
|
37
37
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
|
38
38
|
]
|