samlr 2.0.0 → 2.0.1
Potentially problematic release.
This version of samlr might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/samlr/assertion.rb +4 -4
- data/lib/samlr/condition.rb +25 -3
- data/samlr.gemspec +1 -1
- data/test/unit/test_assertion.rb +9 -1
- data/test/unit/test_condition.rb +60 -6
- metadata +2 -2
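--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ebafb5a38e98da6ac77fe1aef9f75fe152260465
+data.tar.gz: 4b5f0a93da346dcab298769f5d58e9b3b3672cc8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ea4b4676ccd2a16afc7b4748ecdd9a4ce0cc7f09ca7d452221256ad4f00d3eae39751c57c48e225f8a219c0ee7b390a1cc7a278c049df24a5f0eaf78622ffd86
+data.tar.gz: f6f9f274dd8cef36ab5b7058dfe0f60eaa0a3453397f03ed5392002b13e789e759a60bdb2cf9489c5d37b3832f5ae65e6b9188ad551615ef4ca955364a83d569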
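--- a/data/lib/samlr/assertion.rb
+++ b/data/lib/samlr/assertion.rb
@@ -51,6 +51,10 @@ module Samlr
 @name_id ||= assertion.at("./saml:Subject/saml:NameID", NS_MAP).text
 end
 
+def conditions
+@conditions ||= Condition.new(assertion.at("./saml:Conditions", NS_MAP), options)
+end
+
 private
 
 def assertion
@@ -68,10 +72,6 @@ module Samlr
 !!options[:skip_conditions]
 end
 
-def conditions
-@conditions ||= Condition.new(assertion.at("./saml:Conditions", NS_MAP))
-end
-
 def verify_conditions!
 conditions.verify!
 end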
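Review bot: `conditions` moves above `private` and becomes part of the public API without a doc comment, and its result is memoized with `@conditions ||=`, so the `options` hash handed to `Condition.new` is captured on the first call. A comment above `def conditions` such as `# Returns the parsed saml:Conditions; audience is compared with options[:audience] when that option is set.` would document the new contract. The second hunk shows `!!options[:skip_conditions]` just before `verify_conditions!`; if that flag bypasses `conditions.verify!` (the surrounding method bodies are outside the hunk), it now also bypasses the audience check, which the option's documentation should say.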
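--- a/data/lib/samlr/condition.rb
+++ b/data/lib/samlr/condition.rb
@@ -1,10 +1,12 @@
 module Samlr
 class Condition
-attr_reader :not_before, :not_on_or_after
+attr_reader :audience, :not_before, :not_on_or_after, :options
 
-def initialize(condition)
+def initialize(condition, options)
+@options = options
 @not_before = (condition || {})["NotBefore"]
 @not_on_or_after = (condition || {})["NotOnOrAfter"]
+@audience = extract_audience(condition)
 end
 
 def verify!
@@ -16,6 +18,10 @@ module Samlr
 raise Samlr::ConditionsError.new("Not on or after violation, now #{Samlr::Tools::Timestamp.stamp} vs. at latest #{not_on_or_after}")
 end
 
+unless audience_satisfied?
+raise Samlr::ConditionsError.new("Audience violation, expected #{options[:audience]} vs. #{audience}")
+end
+
 true
 end
 
@@ -26,6 +32,22 @@ module Samlr
 def not_on_or_after_satisfied?
 not_on_or_after.nil? || Samlr::Tools::Timestamp.not_on_or_after?(Samlr::Tools::Timestamp.parse(not_on_or_after))
 end
-end
 
+def audience_satisfied?
+audience.nil? || options[:audience].nil? ||
+audience == options[:audience]
+end
+
+private
+
+def extract_audience(condition)
+return unless condition
+
+audience_node = condition.at("./saml:AudienceRestriction/saml:Audience", NS_MAP)
+
+return unless audience_node
+
+audience_node.text
+end
+end
 end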
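Review bot: `audience_satisfied?` fails open: because of the leading `audience.nil? ||`, an assertion that carries no `saml:Audience` passes even when the caller has configured `options[:audience]`, so the restriction is enforced only when the assertion itself includes one. If a configured audience is meant to be mandatory, the predicate should read `options[:audience].nil? || audience == options[:audience]`. Separately, `extract_audience` uses `condition.at(...)`, which returns only the first matching node, so an assertion listing several `saml:Audience` values is compared against the first one alone; collecting every value and testing membership would handle that case. A short comment on `verify!` stating which of these cases are accepted by design would help integrators decide whether they need an additional check.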
data/samlr.gemspec
CHANGED
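--- a/data/test/unit/test_assertion.rb
+++ b/data/test/unit/test_assertion.rb
@@ -29,8 +29,16 @@ describe Samlr::Assertion do
 end
 
 describe "#verify!" do
+let(:condition) do
+Class.new do
+def verify!
+raise Samlr::ConditionsError, 'error'
+end
+end
+end
+
 before do
-@unsatisfied_condition =
+@unsatisfied_condition = condition.new
 end
 
 describe "when conditions are not met" do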
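--- a/data/test/unit/test_condition.rb
+++ b/data/test/unit/test_condition.rb
@@ -1,10 +1,11 @@
 require File.expand_path("test/test_helper")
 
 def condition(before, after)
-
-
-
-
+element = Nokogiri::XML::Element.new('saml:Condition', Nokogiri::XML(''))
+element["NotBefore"] = before.utc.iso8601 if before
+element["NotOnOrAfter"] = after.utc.iso8601 if after
+
+Samlr::Condition.new(element, {})
 end
 
 describe Samlr::Condition do
@@ -14,6 +15,44 @@ describe Samlr::Condition do
 end
 
 describe "verify!" do
+describe "audience verification" do
+let(:response) { fixed_saml_response }
+subject { response.assertion.conditions }
+
+describe "when it is wrong" do
+before do
+response.options[:audience] = 'example.com'
+end
+
+it "raises an exception" do
+Time.stub(:now, Time.at(1344379365)) do
+assert subject.not_on_or_after_satisfied?
+assert subject.not_before_satisfied?
+refute subject.audience_satisfied?
+
+begin
+subject.verify!
+flunk "Expected exception"
+rescue Samlr::ConditionsError => e
+assert_match /Audience/, e.message
+end
+end
+end
+end
+
+describe "when it is right" do
+before do
+response.options[:audience] = 'example.org'
+end
+
+it "does not raise an exception" do
+Time.stub(:now, Time.at(1344379365)) do
+assert subject.verify!
+end
+end
+end
+end
+
 describe "when the lower time has not been met" do
 before { @not_before = (Time.now + 5*60) }
 subject { condition(@not_before, @not_after) }
@@ -57,15 +96,30 @@ describe Samlr::Condition do
 end
 end
 
+describe "#audience_satisfied?" do
+it "returns true when audience is a nil value" do
+element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+assert Samlr::Condition.new(element, {}).audience_satisfied?
+end
+
+it "returns true when passed a nil audience" do
+condition = fixed_saml_response.assertion.conditions
+assert_equal 'example.org', condition.audience
+assert condition.audience_satisfied?
+end
+end
+
 describe "#not_before_satisfied?" do
 it "returns true when passed a nil value" do
-
+element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+assert Samlr::Condition.new(element, {}).not_before_satisfied?
 end
 end
 
 describe "#not_on_or_after_satisfied?" do
 it "returns true when passed a nil value" do
-
+element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
+assert Samlr::Condition.new(element, {}).not_on_or_after_satisfied?
 end
 end
 end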
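Review bot: No test exercises an assertion without `saml:Audience` while `options[:audience]` is set, which is the branch where `audience_satisfied?` returns true without comparing anything; a case pinning the intended outcome there would make that policy explicit. The new cases cover only a mismatch, a match, and the two nil shortcuts with an empty options hash. In "raises an exception", the `begin` / `flunk` / `rescue` sequence can be written as `e = assert_raises(Samlr::ConditionsError) { subject.verify! }` followed by `assert_match(/Audience/, e.message)`, which also avoids the ambiguous-first-argument warning from `assert_match /Audience/, e.message`. The test titled "returns true when passed a nil audience" asserts that `condition.audience` is `'example.org'`, so its name would be clearer if it said the expected-audience option is unset.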
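--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: samlr
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.1
 platform: ruby
 authors:
 - Morten Primdahl
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri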