saml_idp 0.1.1 → 0.2.0.pre
- data/app/controllers/saml_idp/idp_controller.rb +1 -1
- data/lib/saml_idp.rb +1 -1
- data/lib/saml_idp/assertion_builder.rb +1 -1
- data/lib/saml_idp/configurator.rb +1 -0
- data/lib/saml_idp/metadata_builder.rb +5 -6
- data/lib/saml_idp/version.rb +1 -1
- data/saml_idp.gemspec +2 -2
- data/spec/lib/saml_idp/attribute_decorator_spec.rb +30 -8
- data/spec/lib/saml_idp/configurator_spec.rb +16 -4
- data/spec/lib/saml_idp/controller_spec.rb +4 -4
- data/spec/lib/saml_idp/metadata_builder_spec.rb +5 -2
- data/spec/lib/saml_idp/name_id_formatter_spec.rb +10 -7
- data/spec/lib/saml_idp/request_spec.rb +24 -6
- data/spec/lib/saml_idp/saml_response_spec.rb +3 -1
- data/spec/lib/saml_idp/service_provider_spec.rb +8 -2
- data/spec/lib/saml_idp/signable_spec.rb +4 -1
- data/spec/rails_app/app/controllers/saml_controller.rb +2 -2
- data/spec/support/saml_request_macros.rb +3 -3
- data/spec/xml_security_spec.rb +8 -8
- metadata +15 -18
data/lib/saml_idp.rb
CHANGED
@@ -58,7 +58,7 @@ module SamlIdp
|
|
58
58
|
end
|
59
59
|
end
|
60
60
|
end
|
61
|
-
end
|
61
|
+
end unless config.attributes.nil? || config.attributes.empty?
|
62
62
|
assertion.AuthnStatement AuthnInstant: now_iso, SessionIndex: reference_string do |statement|
|
63
63
|
statement.AuthnContext do |context|
|
64
64
|
context.AuthnContextClassRef Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
|
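Review bot: The guard added on new line 61 spells out `config.attributes.nil? || config.attributes.empty?` where ActiveSupport's `blank?`, which this gem already depends on (the metadata_builder hunk in this diff uses `present?` and `presence`), says the same thing in one call: `end unless config.attributes.blank?`. Hanging the modifier on the closing `end` of a multi-line block also puts the condition where a reader finishes the block rather than where it starts, so a guard before the block opens would read better. The block being guarded starts outside the hunk, so the line where that guard belongs cannot be seen here.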
@@ -9,6 +9,7 @@ module SamlIdp
|
|
9
9
|
attr_accessor :organization_name
|
10
10
|
attr_accessor :organization_url
|
11
11
|
attr_accessor :base_saml_location
|
12
|
+
attr_accessor :entity_id
|
12
13
|
attr_accessor :reference_id_generator
|
13
14
|
attr_accessor :attribute_service_location
|
14
15
|
attr_accessor :single_service_post_location
|
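Review bot: The new `attr_accessor :entity_id` on line 12 carries no comment, and nothing in this hunk says what the value represents or what happens when it is left unset; the metadata_builder hunk later in this diff resolves `configurator.entity_id.presence || configurator.base_saml_location`, so the fallback is only discoverable by reading another file. Suggest `# EntityID used as this IdP's issuer identifier; falls back to base_saml_location when blank` above the accessor. Because relying parties typically pin the IdP's entityID from exchanged metadata, the comment should also say that changing it after metadata has been shared invalidates existing SP configuration. Whether `initialize` assigns it a default is not visible in this hunk.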
@@ -90,11 +90,10 @@ module SamlIdp
|
|
90
90
|
|
91
91
|
def build_contact(el)
|
92
92
|
el.ContactPerson contactType: "technical" do |contact|
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
contact.EmailAddress technical_contact.mail_to_string if technical_contact.mail_to_string.present?
|
93
|
+
%w[company given_name sur_name telephone mail_to_string].each do |section|
|
94
|
+
section_value = technical_contact.public_send(section)
|
95
|
+
contact.Company section_value if section_value.present?
|
96
|
+
end
|
98
97
|
end
|
99
98
|
end
|
100
99
|
private :build_contact
|
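Review bot: The loop added at new lines 93–96 calls `contact.Company` for every field, so the given name, surname, telephone number and mail address are all emitted as `<Company>` elements and the `EmailAddress` element that removed line 97 produced no longer appears in the metadata. The element name has to vary with the field; pairing each accessor with its ContactPerson child element (Company, GivenName, SurName, TelephoneNumber, EmailAddress) and dispatching on that pair fixes it, as below. The four removed lines above line 97 are truncated in this rendering, so what they emitted is inferred from the field names in the new array.
```ruby
def build_contact(el)
  el.ContactPerson contactType: "technical" do |contact|
    # Each technical_contact field maps to its own ContactPerson child element.
    { company: :Company, given_name: :GivenName, sur_name: :SurName,
      telephone: :TelephoneNumber, mail_to_string: :EmailAddress }.each do |section, element|
      section_value = technical_contact.public_send(section)
      contact.public_send(element, section_value) if section_value.present?
    end
  end
end
```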
@@ -105,7 +104,7 @@ module SamlIdp
|
|
105
104
|
private :reference_string
|
106
105
|
|
107
106
|
def entity_id
|
108
|
-
configurator.base_saml_location
|
107
|
+
configurator.entity_id.presence || configurator.base_saml_location
|
109
108
|
end
|
110
109
|
private :entity_id
|
111
110
|
|
data/lib/saml_idp/version.rb
CHANGED
data/saml_idp.gemspec
CHANGED
@@ -31,8 +31,8 @@ Gem::Specification.new do |s|
|
|
31
31
|
|
32
32
|
s.add_development_dependency "rake"
|
33
33
|
s.add_development_dependency "simplecov"
|
34
|
-
s.add_development_dependency "rspec"
|
35
|
-
s.add_development_dependency "ruby-saml"
|
34
|
+
s.add_development_dependency "rspec", "~> 2.5"
|
35
|
+
s.add_development_dependency "ruby-saml", "~> 0.8"
|
36
36
|
s.add_development_dependency("rails", "~> 3.2")
|
37
37
|
s.add_development_dependency("capybara")
|
38
38
|
s.add_development_dependency("timecop")
|
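Review bot: `"~> 2.5"` on the rspec line 34 still admits rspec releases that predate `be_truthy`/`be_falsey`, which the controller, metadata_builder, request and xml_security spec hunks in this diff now use; a resolution below 2.99 would fail those examples with NoMethodError rather than a meaningful assertion failure. Raising the floor, e.g. `s.add_development_dependency "rspec", "~> 2.99"`, keeps the 2.x `should` syntax the specs rely on while guaranteeing the matchers exist. The ruby-saml pin on line 35 matches the `OneLogin::RubySaml` constants the specs now reference and needs no change.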
@@ -11,10 +11,21 @@ module SamlIdp
|
|
11
11
|
let(:name_format) { nil }
|
12
12
|
let(:values) { nil }
|
13
13
|
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
14
|
+
it "has a valid name" do
|
15
|
+
subject.name.should be_nil
|
16
|
+
end
|
17
|
+
|
18
|
+
it "has a valid friendly_name" do
|
19
|
+
subject.friendly_name.should be_nil
|
20
|
+
end
|
21
|
+
|
22
|
+
it "has a valid name_format" do
|
23
|
+
subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
|
24
|
+
end
|
25
|
+
|
26
|
+
it "has a valid values" do
|
27
|
+
subject.values.should == []
|
28
|
+
end
|
18
29
|
|
19
30
|
describe "with values set" do
|
20
31
|
let(:name) { "test" }
|
@@ -22,10 +33,21 @@ module SamlIdp
|
|
22
33
|
let(:name_format) { "some format" }
|
23
34
|
let(:values) { :val }
|
24
35
|
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
36
|
+
it "has a valid name" do
|
37
|
+
subject.name.should == name
|
38
|
+
end
|
39
|
+
|
40
|
+
it "has a valid friendly_name" do
|
41
|
+
subject.friendly_name.should == friendly_name
|
42
|
+
end
|
43
|
+
|
44
|
+
it "has a valid name_format" do
|
45
|
+
subject.name_format.should == name_format
|
46
|
+
end
|
47
|
+
|
48
|
+
it "has a valid values" do
|
49
|
+
subject.values.should == [values]
|
50
|
+
end
|
29
51
|
end
|
30
52
|
end
|
31
53
|
end
|
@@ -14,10 +14,22 @@ module SamlIdp
|
|
14
14
|
it { should respond_to :attributes }
|
15
15
|
it { should respond_to :service_provider }
|
16
16
|
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
17
|
+
it "has a valid x509_certificate" do
|
18
|
+
subject.x509_certificate.should == Default::X509_CERTIFICATE
|
19
|
+
end
|
20
|
+
|
21
|
+
it "has a valid secret_key" do
|
22
|
+
subject.secret_key.should == Default::SECRET_KEY
|
23
|
+
end
|
24
|
+
|
25
|
+
it "has a valid algorithm" do
|
26
|
+
subject.algorithm.should == :sha1
|
27
|
+
end
|
28
|
+
|
29
|
+
it "has a valid reference_id_generator" do
|
30
|
+
subject.reference_id_generator.should respond_to :call
|
31
|
+
end
|
32
|
+
|
21
33
|
|
22
34
|
it "can call service provider finder" do
|
23
35
|
subject.service_provider.finder.should respond_to :call
|
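Review bot: The example at new lines 25–27 pins `:sha1` as the configurator's default signing algorithm, while the controller_spec hunk in this diff shows `:sha256`, `:sha384` and `:sha512` already work end to end; SHA-1 is the weakest of the four, and a spec that locks it in turns a later default change into a test break rather than a deliberate decision. Consider defaulting to `:sha256` and updating this expectation to `subject.algorithm.should == :sha256`, or at least commenting on the example why SHA-1 remains the default. The adjacent examples at lines 17–23 also pin `Default::SECRET_KEY` and `Default::X509_CERTIFICATE` as what an unconfigured IdP signs with; if those are values shipped inside the gem, a deployment that forgets to override them signs with a key that is effectively public, which deserves a comment on these examples pointing operators at the configuration hook. Whether `Default` holds gem-shipped material or test-only fixtures cannot be read from this hunk.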
@@ -28,22 +28,22 @@ describe SamlIdp::Controller do
|
|
28
28
|
|
29
29
|
it "should create a SAML Response" do
|
30
30
|
saml_response = encode_response(principal)
|
31
|
-
response =
|
31
|
+
response = OneLogin::RubySaml::Response.new(saml_response)
|
32
32
|
response.name_id.should == "foo@example.com"
|
33
33
|
response.issuer.should == "http://example.com"
|
34
34
|
response.settings = saml_settings
|
35
|
-
response.is_valid?.should
|
35
|
+
response.is_valid?.should be_truthy
|
36
36
|
end
|
37
37
|
|
38
38
|
[:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
|
39
39
|
it "should create a SAML Response using the #{algorithm_name} algorithm" do
|
40
40
|
self.algorithm = algorithm_name
|
41
41
|
saml_response = encode_response(principal)
|
42
|
-
response =
|
42
|
+
response = OneLogin::RubySaml::Response.new(saml_response)
|
43
43
|
response.name_id.should == "foo@example.com"
|
44
44
|
response.issuer.should == "http://example.com"
|
45
45
|
response.settings = saml_settings
|
46
|
-
response.is_valid?.should
|
46
|
+
response.is_valid?.should be_truthy
|
47
47
|
end
|
48
48
|
end
|
49
49
|
end
|
@@ -1,9 +1,12 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
module SamlIdp
|
3
3
|
describe MetadataBuilder do
|
4
|
-
|
4
|
+
it "has a valid fresh" do
|
5
|
+
subject.fresh.should_not be_empty
|
6
|
+
end
|
7
|
+
|
5
8
|
it "signs valid xml" do
|
6
|
-
Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should
|
9
|
+
Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should be_truthy
|
7
10
|
end
|
8
11
|
end
|
9
12
|
end
|
@@ -6,7 +6,10 @@ module SamlIdp
|
|
6
6
|
describe "with one item" do
|
7
7
|
let(:list) { { email_address: ->() { "foo@example.com" } } }
|
8
8
|
|
9
|
-
|
9
|
+
it "has a valid all" do
|
10
|
+
subject.all.should == ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
|
11
|
+
end
|
12
|
+
|
10
13
|
end
|
11
14
|
|
12
15
|
describe "with hash describing versions" do
|
@@ -17,23 +20,23 @@ module SamlIdp
|
|
17
20
|
}
|
18
21
|
}
|
19
22
|
|
20
|
-
|
21
|
-
should == [
|
23
|
+
it "has a valid all" do
|
24
|
+
subject.all.should == [
|
22
25
|
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
23
26
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
24
27
|
]
|
25
|
-
|
28
|
+
end
|
26
29
|
end
|
27
30
|
|
28
31
|
describe "with actual list" do
|
29
32
|
let(:list) { [:email_address, :undefined] }
|
30
33
|
|
31
|
-
|
32
|
-
should == [
|
34
|
+
it "has a valid all" do
|
35
|
+
subject.all.should == [
|
33
36
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
|
34
37
|
"urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
|
35
38
|
]
|
36
|
-
|
39
|
+
end
|
37
40
|
end
|
38
41
|
end
|
39
42
|
end
|
@@ -4,11 +4,29 @@ module SamlIdp
|
|
4
4
|
let(:raw_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/></samlp:AuthnRequest>" }
|
5
5
|
subject { described_class.new raw_request }
|
6
6
|
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
7
|
+
it "has a valid request_id" do
|
8
|
+
subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
|
9
|
+
end
|
10
|
+
|
11
|
+
it "has a valid acs_url" do
|
12
|
+
subject.acs_url.should == "http://localhost:3000/saml/consume"
|
13
|
+
end
|
14
|
+
|
15
|
+
it "has a valid service_provider" do
|
16
|
+
subject.service_provider.should be_a ServiceProvider
|
17
|
+
end
|
18
|
+
|
19
|
+
it "has a valid service_provider" do
|
20
|
+
subject.service_provider.should be_truthy
|
21
|
+
end
|
22
|
+
|
23
|
+
it "has a valid issuer" do
|
24
|
+
subject.issuer.should == "localhost:3000"
|
25
|
+
end
|
26
|
+
|
27
|
+
it "has a valid valid_signature" do
|
28
|
+
subject.valid_signature?.should be_truthy
|
29
|
+
end
|
30
|
+
|
13
31
|
end
|
14
32
|
end
|
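Review bot: The example at new lines 27–29 asserts `subject.valid_signature?.should be_truthy` for the `raw_request` fixture on line 4, which contains no `ds:Signature` element at all; if the method returns true for unsigned requests because signing is optional for this SP, the description should say so (`it "accepts an unsigned request when the SP does not require signatures"`), and if it does not, the fixture needs a signed request before the example exercises anything. Two examples at lines 15–21 share the description "has a valid service_provider", and the second (`be_truthy`) is implied by the first (`be_a ServiceProvider`), so drop or rename it. The implementation of `valid_signature?` is not in this diff, so which of the two cases applies cannot be read here.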
@@ -13,8 +13,14 @@ module SamlIdp
|
|
13
13
|
let(:fingerprint) { Default::FINGERPRINT }
|
14
14
|
let(:metadata_url) { "http://localhost:3000/metadata" }
|
15
15
|
|
16
|
-
|
17
|
-
|
16
|
+
it "has a valid fingerprint" do
|
17
|
+
subject.fingerprint.should == fingerprint
|
18
|
+
end
|
19
|
+
|
20
|
+
it "has a valid metadata_url" do
|
21
|
+
subject.metadata_url.should == metadata_url
|
22
|
+
end
|
23
|
+
|
18
24
|
it { should be_valid }
|
19
25
|
end
|
20
26
|
end
|
@@ -1,13 +1,13 @@
|
|
1
1
|
module SamlRequestMacros
|
2
2
|
|
3
3
|
def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
|
4
|
-
auth_request =
|
4
|
+
auth_request = OneLogin::RubySaml::Authrequest.new
|
5
5
|
auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
|
6
6
|
CGI.unescape(auth_url.split("=").last)
|
7
7
|
end
|
8
8
|
|
9
9
|
def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
|
10
|
-
settings =
|
10
|
+
settings = OneLogin::RubySaml::Settings.new
|
11
11
|
settings.assertion_consumer_service_url = saml_acs_url
|
12
12
|
settings.issuer = "http://example.com/issuer"
|
13
13
|
settings.idp_sso_target_url = "http://idp.com/saml/idp"
|
@@ -16,4 +16,4 @@ module SamlRequestMacros
|
|
16
16
|
settings
|
17
17
|
end
|
18
18
|
|
19
|
-
end
|
19
|
+
end
|
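Review bot: `CGI.unescape(auth_url.split("=").last)` on line 6 of the rewritten `make_saml_request` returns whatever follows the last `=` in the URL, which is only the SAMLRequest while it is the sole query parameter; parsing the query, `CGI.parse(URI(auth_url).query)["SAMLRequest"].first`, keeps the helper correct if a RelayState or signature parameter is added to the request later. `saml_settings` continues past the hunk, so its remaining settings are not reviewed here.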
data/spec/xml_security_spec.rb
CHANGED
@@ -7,7 +7,7 @@ module SamlIdp
|
|
7
7
|
let(:base64cert) { document.elements["//ds:X509Certificate"].text }
|
8
8
|
|
9
9
|
it "it run validate without throwing NS related exceptions" do
|
10
|
-
document.validate_doc(base64cert, true).should
|
10
|
+
document.validate_doc(base64cert, true).should be_falsey
|
11
11
|
end
|
12
12
|
|
13
13
|
it "it run validate with throwing NS related exceptions" do
|
@@ -57,22 +57,22 @@ module SamlIdp
|
|
57
57
|
describe "Algorithms" do
|
58
58
|
it "validate using SHA1" do
|
59
59
|
document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha1, false))
|
60
|
-
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should
|
60
|
+
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
|
61
61
|
end
|
62
62
|
|
63
63
|
it "validate using SHA256" do
|
64
64
|
document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha256, false))
|
65
|
-
document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA").should
|
65
|
+
document.validate("28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA").should be_truthy
|
66
66
|
end
|
67
67
|
|
68
68
|
it "validate using SHA384" do
|
69
69
|
document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha384, false))
|
70
|
-
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should
|
70
|
+
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
|
71
71
|
end
|
72
72
|
|
73
73
|
it "validate using SHA512" do
|
74
74
|
document = XMLSecurity::SignedDocument.new(fixture(:adfs_response_sha512, false))
|
75
|
-
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should
|
75
|
+
document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72").should be_truthy
|
76
76
|
end
|
77
77
|
end
|
78
78
|
|
@@ -106,17 +106,17 @@ module SamlIdp
|
|
106
106
|
end
|
107
107
|
|
108
108
|
describe "StarfieldTMS" do
|
109
|
-
let(:response) {
|
109
|
+
let(:response) { ::OneLogin::RubySaml::Response.new(fixture(:starfield_response)) }
|
110
110
|
|
111
111
|
before do
|
112
|
-
response.settings =
|
112
|
+
response.settings = ::OneLogin::RubySaml::Settings.new(
|
113
113
|
:idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D"
|
114
114
|
)
|
115
115
|
end
|
116
116
|
|
117
117
|
it "be able to validate a good response" do
|
118
118
|
Timecop.freeze Time.parse('2012-11-28 17:55:00 UTC') do
|
119
|
-
response.validate!.should
|
119
|
+
response.validate!.should be_truthy
|
120
120
|
end
|
121
121
|
end
|
122
122
|
|
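Review bot: The example at new line 10 is titled "run validate without throwing NS related exceptions", but its only assertion, `document.validate_doc(base64cert, true).should be_falsey`, is about the return value, so a reader cannot tell whether a false result is the expected outcome or merely what happened not to raise. Either assert the stated property, `lambda { document.validate_doc(base64cert, true) }.should_not raise_error`, or rename the example to say the document is expected to fail validation. In the StarfieldTMS hunk, `response.validate!.should be_truthy` on line 119 is redundant if `validate!` raises on failure as its name suggests; a short comment there would save the next reader the question.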
metadata
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: saml_idp
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
5
|
-
prerelease:
|
4
|
+
version: 0.2.0.pre
|
5
|
+
prerelease: 6
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
8
8
|
- Jon Phenow
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2014-08-08 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: activesupport
|
@@ -128,33 +128,33 @@ dependencies:
|
|
128
128
|
requirement: !ruby/object:Gem::Requirement
|
129
129
|
none: false
|
130
130
|
requirements:
|
131
|
-
- -
|
131
|
+
- - ~>
|
132
132
|
- !ruby/object:Gem::Version
|
133
|
-
version: '
|
133
|
+
version: '2.5'
|
134
134
|
type: :development
|
135
135
|
prerelease: false
|
136
136
|
version_requirements: !ruby/object:Gem::Requirement
|
137
137
|
none: false
|
138
138
|
requirements:
|
139
|
-
- -
|
139
|
+
- - ~>
|
140
140
|
- !ruby/object:Gem::Version
|
141
|
-
version: '
|
141
|
+
version: '2.5'
|
142
142
|
- !ruby/object:Gem::Dependency
|
143
143
|
name: ruby-saml
|
144
144
|
requirement: !ruby/object:Gem::Requirement
|
145
145
|
none: false
|
146
146
|
requirements:
|
147
|
-
- -
|
147
|
+
- - ~>
|
148
148
|
- !ruby/object:Gem::Version
|
149
|
-
version: '0'
|
149
|
+
version: '0.8'
|
150
150
|
type: :development
|
151
151
|
prerelease: false
|
152
152
|
version_requirements: !ruby/object:Gem::Requirement
|
153
153
|
none: false
|
154
154
|
requirements:
|
155
|
-
- -
|
155
|
+
- - ~>
|
156
156
|
- !ruby/object:Gem::Version
|
157
|
-
version: '0'
|
157
|
+
version: '0.8'
|
158
158
|
- !ruby/object:Gem::Dependency
|
159
159
|
name: rails
|
160
160
|
requirement: !ruby/object:Gem::Requirement
|
@@ -345,19 +345,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
345
345
|
version: '0'
|
346
346
|
segments:
|
347
347
|
- 0
|
348
|
-
hash:
|
348
|
+
hash: 557942331411013025
|
349
349
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
350
350
|
none: false
|
351
351
|
requirements:
|
352
|
-
- - ! '
|
352
|
+
- - ! '>'
|
353
353
|
- !ruby/object:Gem::Version
|
354
|
-
version:
|
355
|
-
segments:
|
356
|
-
- 0
|
357
|
-
hash: -3584084846075043775
|
354
|
+
version: 1.3.1
|
358
355
|
requirements: []
|
359
356
|
rubyforge_project:
|
360
|
-
rubygems_version: 1.8.
|
357
|
+
rubygems_version: 1.8.23
|
361
358
|
signing_key:
|
362
359
|
specification_version: 3
|
363
360
|
summary: SAML Indentity Provider in ruby
|