RubyGems - saml_idp - Versions diffs - 0.7.2 → 1.0.0 - Mend

saml_idp 0.7.2 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

checksums.yaml +5 -5
data/Gemfile +1 -1
data/README.md +71 -55
data/lib/saml_idp/assertion_builder.rb +28 -3
data/lib/saml_idp/configurator.rb +9 -3
data/lib/saml_idp/controller.rb +27 -16
data/lib/saml_idp/encryptor.rb +0 -1
data/lib/saml_idp/fingerprint.rb +19 -0
data/lib/saml_idp/incoming_metadata.rb +31 -1
data/lib/saml_idp/metadata_builder.rb +25 -9
data/lib/saml_idp/persisted_metadata.rb +4 -0
data/lib/saml_idp/request.rb +103 -13
data/lib/saml_idp/response_builder.rb +26 -6
data/lib/saml_idp/saml_response.rb +62 -28
data/lib/saml_idp/service_provider.rb +16 -6
data/lib/saml_idp/signable.rb +1 -2
data/lib/saml_idp/signature_builder.rb +2 -1
data/lib/saml_idp/signed_info_builder.rb +2 -2
data/lib/saml_idp/version.rb +1 -1
data/lib/saml_idp/xml_security.rb +20 -15
data/lib/saml_idp.rb +4 -3
data/saml_idp.gemspec +46 -42
data/spec/acceptance/idp_controller_spec.rb +5 -4
data/spec/lib/saml_idp/algorithmable_spec.rb +6 -6
data/spec/lib/saml_idp/assertion_builder_spec.rb +151 -8
data/spec/lib/saml_idp/attribute_decorator_spec.rb +8 -8
data/spec/lib/saml_idp/configurator_spec.rb +45 -7
data/spec/lib/saml_idp/controller_spec.rb +86 -25
data/spec/lib/saml_idp/encryptor_spec.rb +4 -4
data/spec/lib/saml_idp/fingerprint_spec.rb +14 -0
data/spec/lib/saml_idp/incoming_metadata_spec.rb +134 -0
data/spec/lib/saml_idp/metadata_builder_spec.rb +30 -17
data/spec/lib/saml_idp/name_id_formatter_spec.rb +3 -3
data/spec/lib/saml_idp/request_spec.rb +153 -64
data/spec/lib/saml_idp/response_builder_spec.rb +5 -3
data/spec/lib/saml_idp/saml_response_spec.rb +146 -12
data/spec/lib/saml_idp/service_provider_spec.rb +2 -2
data/spec/lib/saml_idp/signable_spec.rb +1 -1
data/spec/lib/saml_idp/signature_builder_spec.rb +2 -2
data/spec/lib/saml_idp/signed_info_builder_spec.rb +3 -3
data/spec/rails_app/app/controllers/saml_controller.rb +1 -1
data/spec/rails_app/app/controllers/saml_idp_controller.rb +55 -3
data/{app → spec/rails_app/app}/views/saml_idp/idp/new.html.erb +3 -4
data/{app → spec/rails_app/app}/views/saml_idp/idp/saml_post.html.erb +1 -1
data/spec/rails_app/config/application.rb +1 -6
data/spec/rails_app/config/boot.rb +1 -1
data/spec/rails_app/config/environments/development.rb +2 -5
data/spec/rails_app/config/environments/production.rb +1 -0
data/spec/rails_app/config/environments/test.rb +1 -0
data/spec/spec_helper.rb +23 -1
data/spec/support/certificates/sp_cert_req.csr +12 -0
data/spec/support/certificates/sp_private_key.pem +16 -0
data/spec/support/certificates/sp_x509_cert.crt +18 -0
data/spec/support/saml_request_macros.rb +107 -5
data/spec/support/security_helpers.rb +12 -2
data/spec/xml_security_spec.rb +19 -15
metadata +146 -80
data/app/controllers/saml_idp/idp_controller.rb +0 -59
data/spec/lib/saml_idp/.assertion_builder_spec.rb.swp +0 -0

data/spec/support/saml_request_macros.rb CHANGED Viewed

@@ -1,10 +1,10 @@
 require 'saml_idp/logout_request_builder'
 module SamlRequestMacros
-  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
+  def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
     auth_request = OneLogin::RubySaml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
-    CGI.unescape(auth_url.split("=").last)
+    auth_url = auth_request.create_params(saml_settings(requested_saml_acs_url, enable_secure_options))
+    auth_url['SAMLRequest']
   end
   def make_saml_logout_request(requested_saml_logout_url = 'https://foo.example.com/saml/logout')
@@ -15,23 +15,125 @@ module SamlRequestMacros
       'some_name_id',
       OpenSSL::Digest::SHA256
     )
-    request_builder.encoded
+    Base64.strict_encode64(request_builder.signed)
   end
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
+  def make_saml_sp_slo_request(param_type: true, security_options: {})
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    saml_sp_setting = saml_settings("https://foo.example.com/saml/consume", true, security_options: security_options)
+    if param_type
+      logout_request.create_params(saml_sp_setting, 'RelayState' => 'https://foo.example.com/home')
+    else
+      logout_request.create(saml_sp_setting, 'RelayState' => 'https://foo.example.com/home')
+    end
+  end
+  def generate_sp_metadata(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    sp_metadata = OneLogin::RubySaml::Metadata.new
+    sp_metadata.generate(saml_settings(saml_acs_url, enable_secure_options), true)
+  end
+  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false, security_options: {})
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = saml_acs_url
     settings.issuer = "http://example.com/issuer"
     settings.idp_sso_target_url = "http://idp.com/saml/idp"
+    settings.idp_slo_target_url = "http://idp.com/saml/slo"
+    settings.assertion_consumer_logout_service_url = 'https://foo.example.com/saml/logout'
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
+    add_securty_options(settings, default_sp_security_options.merge!(security_options)) if enable_secure_options
     settings
   end
+  def add_securty_options(settings, options = default_sp_security_options)
+    # Security section
+    settings.idp_cert = SamlIdp::Default::X509_CERTIFICATE
+    # Signed embedded singature
+    settings.security[:authn_requests_signed] = options[:authn_requests_signed]
+    settings.security[:embed_sign] = options[:embed_sign]
+    settings.security[:logout_requests_signed] = options[:logout_requests_signed]
+    settings.security[:logout_responses_signed] = options[:logout_responses_signed]
+    settings.security[:metadata_signed] = options[:digest_method]
+    settings.security[:digest_method] = options[:digest_method]
+    settings.security[:signature_method] = options[:signature_method]
+    settings.security[:want_assertions_signed] = options[:assertions_signed]
+    settings.private_key = sp_pv_key
+    settings.certificate = sp_x509_cert
+  end
+  def idp_configure(saml_acs_url = "https://foo.example.com/saml/consume", enable_secure_options = false)
+    SamlIdp.configure do |config|
+      config.x509_certificate = SamlIdp::Default::X509_CERTIFICATE
+      config.secret_key = SamlIdp::Default::SECRET_KEY
+      config.password = nil
+      config.algorithm = :sha256
+      config.organization_name = 'idp.com'
+      config.organization_url = 'http://idp.com'
+      config.base_saml_location = 'http://idp.com/saml/idp'
+      config.single_logout_service_post_location = 'http://idp.com/saml/idp/logout'
+      config.single_logout_service_redirect_location = 'http://idp.com/saml/idp/logout'
+      config.attribute_service_location = 'http://idp.com/saml/idp/attribute'
+      config.single_service_post_location = 'http://idp.com/saml/idp/sso'
+      config.name_id.formats = SamlIdp::Default::NAME_ID_FORMAT
+      config.service_provider.metadata_persister = lambda { |_identifier, _service_provider|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.persisted_metadata_getter = lambda { |_identifier, _settings|
+        raw_metadata = generate_sp_metadata(saml_acs_url, enable_secure_options)
+        SamlIdp::IncomingMetadata.new(raw_metadata).to_h
+      }
+      config.service_provider.finder = lambda { |_issuer_or_entity_id|
+        {
+          response_hosts: [URI(saml_acs_url).host],
+          acs_url: saml_acs_url,
+          cert: sp_x509_cert,
+          fingerprint: SamlIdp::Fingerprint.certificate_digest(sp_x509_cert),
+          assertion_consumer_logout_service_url: 'https://foo.example.com/saml/logout'
+        }
+      }
+    end
+  end
+  def decode_saml_request(saml_request)
+    decoded_request = Base64.decode64(saml_request)
+    begin
+      # Try to decompress, since SAMLRequest might be compressed
+      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(decoded_request)
+    rescue Zlib::DataError
+      # If it's not compressed, just return the decoded request
+      decoded_request
+    end
+  end
   def print_pretty_xml(xml_string)
     doc = REXML::Document.new xml_string
     outbuf = ""
     doc.write(outbuf, 1)
     puts outbuf
   end
+  def decode_saml_request(saml_request)
+    decoded_request = Base64.decode64(saml_request)
+    begin
+      # Try to decompress, since SAMLRequest might be compressed
+      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(decoded_request)
+    rescue Zlib::DataError
+      # If it's not compressed, just return the decoded request
+      decoded_request
+    end
+  end
+  def default_sp_security_options
+    {
+      authn_requests_signed: true,
+      embed_sign: true,
+      logout_requests_signed: true,
+      logout_responses_signed: true,
+      digest_method: XMLSecurity::Document::SHA256,
+      signature_method: XMLSecurity::Document::RSA_SHA256,
+      assertions_signed: true
+    }
+  end
 end

data/spec/support/security_helpers.rb CHANGED Viewed

@@ -51,11 +51,21 @@ module SecurityHelpers
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end
-  def signature_1
-    @signature1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
+  def certificate_1
+    @certificate_1 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'certificate1'))
   end
   def r1_signature_2
     @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
   end
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php
+  def sp_pv_key
+    @sp_pv_key ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_private_key.pem'))
+  end
+  # Generated by SAML tool https://www.samltool.com/self_signed_certs.php, expired date is 9999
+  def sp_x509_cert
+    @sp_x509_cert ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'sp_x509_cert.crt'))
+  end
 end

data/spec/xml_security_spec.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module SamlIdp
     let(:base64cert) { document.elements["//ds:X509Certificate"].text }
     it "it run validate without throwing NS related exceptions" do
-      document.validate_doc(base64cert, true).should be_falsey
+      expect(document.validate_doc(base64cert, true)).to be_falsey
     end
     it "it run validate with throwing NS related exceptions" do
@@ -19,7 +19,7 @@ module SamlIdp
     end
     it "it raise Fingerprint mismatch" do
-      expect { document.validate("no:fi:ng:er:pr:in:t", false) }.to(
+      expect { document.validate("", "no:fi:ng:er:pr:in:t", false) }.to(
         raise_error(SamlIdp::XMLSecurity::SignedDocument::ValidationError, "Fingerprint mismatch")
       )
     end
@@ -45,10 +45,10 @@ module SamlIdp
       response = Base64.decode64(response_document)
       response.sub!(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "")
       document = XMLSecurity::SignedDocument.new(response)
-      expect { document.validate("a fingerprint", false) }.to(
+      expect { document.validate("", "a fingerprint", false) }.to(
         raise_error(
           SamlIdp::XMLSecurity::SignedDocument::ValidationError,
-          "Certificate element missing in response (ds:X509Certificate)"
+          "Certificate validation is required, but it doesn't exist."
         )
       )
     end
@@ -57,22 +57,26 @@ module SamlIdp
   describe "Algorithms" do
     it "validate using SHA1" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
-      document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
     it "validate using SHA256" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
-      document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA").should be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA")).to be_truthy
     end
     it "validate using SHA384" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
-      document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
     it "validate using SHA512" do
       document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
-      document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
+      base64cert = document.elements["//ds:X509Certificate"].text
+      expect(document.validate(base64cert, "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")).to be_truthy
     end
   end
@@ -83,7 +87,7 @@ module SamlIdp
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
-        inclusive_namespaces.should == %w[xs]
+        expect(inclusive_namespaces).to eq %w[xs]
       end
       it "support implicit namespace resolution for exclusive canonicalization" do
@@ -91,7 +95,7 @@ module SamlIdp
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
-        inclusive_namespaces.should == %w[#default saml ds xs xsi]
+        expect(inclusive_namespaces).to eq %w[#default saml ds xs xsi]
       end
       it "return an empty list when inclusive namespace element is missing" do
@@ -101,7 +105,7 @@ module SamlIdp
         document = XMLSecurity::SignedDocument.new(response)
         inclusive_namespaces = document.send(:extract_inclusive_namespaces)
-        inclusive_namespaces.should be_empty
+        expect(inclusive_namespaces).to be_empty
       end
     end
@@ -116,20 +120,20 @@ module SamlIdp
       it "be able to validate a good response" do
         Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
-          response.stub(:validate_subject_confirmation).and_return(true)
-          response.should be_is_valid
+          allow(response).to receive(:validate_subject_confirmation).and_return(true)
+          expect(response).to be_is_valid
         end
       end
       it "fail before response is valid" do
         Timecop.freeze Time.parse('2012-11-20 17:55:00 UTC') do
-          response.should_not be_is_valid
+          expect(response).to_not be_is_valid
         end
       end
       it "fail after response expires" do
         Timecop.freeze Time.parse('2012-11-30 17:55:00 UTC') do
-          response.should_not be_is_valid
+          expect(response).to_not be_is_valid
         end
       end
     end