samlr 2.1.0 → 2.2.0
- checksums.yaml +4 -4
- data/bin/samlr +20 -16
- data/lib/samlr/version.rb +3 -0
- metadata +12 -38
- data/.gitignore +0 -3
- data/.travis.yml +0 -5
- data/Gemfile +0 -8
- data/Rakefile +0 -12
- data/samlr.gemspec +0 -19
- data/test/fixtures/default_samlr_certificate.pem +0 -11
- data/test/fixtures/default_samlr_private_key.pem +0 -9
- data/test/fixtures/no_cert_response.xml +0 -2
- data/test/fixtures/sample_metadata.xml +0 -7
- data/test/fixtures/sample_response.xml +0 -2
- data/test/test_helper.rb +0 -55
- data/test/unit/test_assertion.rb +0 -71
- data/test/unit/test_condition.rb +0 -154
- data/test/unit/test_fingerprint.rb +0 -45
- data/test/unit/test_logout_request.rb +0 -73
- data/test/unit/test_reference.rb +0 -32
- data/test/unit/test_request.rb +0 -34
- data/test/unit/test_response.rb +0 -94
- data/test/unit/test_response_scenarios.rb +0 -126
- data/test/unit/test_signature.rb +0 -54
- data/test/unit/test_timestamp.rb +0 -58
- data/test/unit/test_tools.rb +0 -100
- data/test/unit/tools/test_certificate_builder.rb +0 -41
- data/test/unit/tools/test_logout_request_builder.rb +0 -26
- data/test/unit/tools/test_metadata_builder.rb +0 -26
- data/test/unit/tools/test_request_builder.rb +0 -35
- data/test/unit/tools/test_response_builder.rb +0 -19
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0852aa5599b1b20def86254089762f655d8c94f3
|
4
|
+
data.tar.gz: da955b9cbe77bf644dbfba9a55dc3b2e1404e570
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 838a2bc524572107e674137f34fe76ed60133bab454f063e5b27459cb9379019e71ed539e7c4ca7421f03191c92ca3072e4e948fdbe369e184901cec55df3398
|
7
|
+
data.tar.gz: 401beca2ecbefa2b58db24fea53060065a946f8b17247c718859c04678238359b2f95ee6b71b569d500f807f2f537c9bafcd55821a20ad4cae85b5adc510525f
|
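--- a/data/bin/samlr
+++ b/data/bin/samlr
@@ -1,19 +1,21 @@
 #!/usr/bin/env ruby
 
 require "samlr"
+require "samlr/version"
 require "samlr/command"
 
-require "
+require "optparse"
 
 ARGV << "--help" if ARGV.empty?
 
-
-
+options = {}
+OptionParser.new do |opt|
+opt.banner = <<-EOS
 SAML response command line tool.
 
 Usage examples:
 samlr --verify --fingerprint ab:23:cd --skip-conditions <response.xml|directory of responses>
-samlr --verify --certificate <x509_certificate.crt> --skip-conditions <response.xml|directory of responses>
+samlr --verify --certificate <x509_certificate.crt> --skip-conditions <response.xml|directory of responses>
 samlr --verify --skip-fingerprint --skip-conditions <response.xml|directory of responses>
 samlr --schema-validate response.xml
 samlr --print response.xml[.base64]
@@ -25,22 +27,24 @@ Try it with the gem examples:
 Full list of options:
 EOS
 
-opt
-opt
-opt
-opt
-opt
-opt
-opt
-opt
-opt
-
+opt.on("-v", "--verify", "Verify a SAML response document") { options[:verify] = true }
+opt.on("-f", "--fingerprint FINGERPRINT", "The fingerprint to verify the certificate against") { |c| options[:fingerprint] = c }
+opt.on("-c", "--certificate FILE", "A certificate (PEM or DER) to validate the signature against (assuming no certificate embedded in the response)") { |c| options[:certificate] = File.open(c) }
+opt.on("--skip-conditions", "Skip conditions check") { options[:skip_conditions] = true }
+opt.on("--skip-validation", "Skip schema validation rejection") { options[:skip_validation] = true }
+opt.on("--skip-fingerprint", "Skip certificate fingerprint check") { options[:skip_fingerprint] = true }
+opt.on("--verbose", "Log to STDOUT") { options[:verbose] = true }
+opt.on("--schema-validate", "Perform a schema validation against the input") { options[:schema_validate] = true }
+opt.on("--print", "Pretty prints the XML") { options[:print] = true }
+opt.on("-h", "--help", "Show this.") { puts opt; exit }
+opt.on("--version", "Show Version"){ puts Samlr::VERSION; exit}
+end.parse!
 
 if ARGV.empty? || !File.exist?(ARGV[0])
 puts "Input file not given or does not exist"
 exit 1
 end
 
-
+options[:certificate] &&= options[:certificate].read
 
-puts Samlr::Command.execute(
+puts Samlr::Command.execute(options, ARGV[0])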
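Review bot: The `--certificate` handler in the second hunk opens the file inside the option block, `options[:certificate] = File.open(c)`, and the handle is never closed; it is only consumed later by `options[:certificate] &&= options[:certificate].read`, so a bad path raises `Errno::ENOENT` with a backtrace while options are still being parsed, and the descriptor stays open for the rest of the run. Reading the bytes in the handler instead, `{ |c| options[:certificate] = File.binread(c) }`, lets the later `&&= ... .read` line be dropped and keeps DER input byte-exact. Related, `end.parse!` surfaces an unknown flag as an `OptionParser::InvalidOption` backtrace; rescuing `OptionParser::ParseError` around the parse and printing the banner with exit status 1 would match the existing "Input file not given" handling below it.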
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: samlr
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Morten Primdahl
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2015-
|
11
|
+
date: 2015-10-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: nokogiri
|
@@ -39,21 +39,21 @@ dependencies:
|
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: 2.1.3
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
|
-
name:
|
42
|
+
name: rake
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - ">="
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version:
|
48
|
-
type: :
|
47
|
+
version: '0'
|
48
|
+
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version:
|
54
|
+
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
|
-
name:
|
56
|
+
name: bundler
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
59
|
- - ">="
|
@@ -67,7 +67,7 @@ dependencies:
|
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: '0'
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
|
-
name:
|
70
|
+
name: minitest
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
73
|
- - ">="
|
@@ -81,7 +81,7 @@ dependencies:
|
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '0'
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
|
-
name:
|
84
|
+
name: bump
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
86
86
|
requirements:
|
87
87
|
- - ">="
|
@@ -101,12 +101,8 @@ executables:
|
|
101
101
|
extensions: []
|
102
102
|
extra_rdoc_files: []
|
103
103
|
files:
|
104
|
-
- ".gitignore"
|
105
|
-
- ".travis.yml"
|
106
|
-
- Gemfile
|
107
104
|
- LICENSE
|
108
105
|
- README.md
|
109
|
-
- Rakefile
|
110
106
|
- bin/samlr
|
111
107
|
- config/schemas/XMLSchema.xsd
|
112
108
|
- config/schemas/saml-schema-assertion-2.0.xsd
|
@@ -134,30 +130,8 @@ files:
|
|
134
130
|
- lib/samlr/tools/request_builder.rb
|
135
131
|
- lib/samlr/tools/response_builder.rb
|
136
132
|
- lib/samlr/tools/timestamp.rb
|
137
|
-
- samlr.
|
138
|
-
|
139
|
-
- test/fixtures/default_samlr_private_key.pem
|
140
|
-
- test/fixtures/no_cert_response.xml
|
141
|
-
- test/fixtures/sample_metadata.xml
|
142
|
-
- test/fixtures/sample_response.xml
|
143
|
-
- test/test_helper.rb
|
144
|
-
- test/unit/test_assertion.rb
|
145
|
-
- test/unit/test_condition.rb
|
146
|
-
- test/unit/test_fingerprint.rb
|
147
|
-
- test/unit/test_logout_request.rb
|
148
|
-
- test/unit/test_reference.rb
|
149
|
-
- test/unit/test_request.rb
|
150
|
-
- test/unit/test_response.rb
|
151
|
-
- test/unit/test_response_scenarios.rb
|
152
|
-
- test/unit/test_signature.rb
|
153
|
-
- test/unit/test_timestamp.rb
|
154
|
-
- test/unit/test_tools.rb
|
155
|
-
- test/unit/tools/test_certificate_builder.rb
|
156
|
-
- test/unit/tools/test_logout_request_builder.rb
|
157
|
-
- test/unit/tools/test_metadata_builder.rb
|
158
|
-
- test/unit/tools/test_request_builder.rb
|
159
|
-
- test/unit/tools/test_response_builder.rb
|
160
|
-
homepage: http://github.com/zendesk/samlr
|
133
|
+
- lib/samlr/version.rb
|
134
|
+
homepage: https://github.com/zendesk/samlr
|
161
135
|
licenses:
|
162
136
|
- Apache License Version 2.0
|
163
137
|
metadata: {}
|
@@ -169,7 +143,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
169
143
|
requirements:
|
170
144
|
- - ">="
|
171
145
|
- !ruby/object:Gem::Version
|
172
|
-
version:
|
146
|
+
version: 1.9.3
|
173
147
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
174
148
|
requirements:
|
175
149
|
- - ">="
|
data/.gitignore
DELETED
data/.travis.yml
DELETED
data/Gemfile
DELETED
data/Rakefile
DELETED
data/samlr.gemspec
DELETED
@@ -1,19 +0,0 @@
|
|
1
|
-
Gem::Specification.new "samlr", "2.1.0" do |s|
|
2
|
-
s.summary = "Ruby tools for SAML"
|
3
|
-
s.description = "Helps you implement a SAML SP"
|
4
|
-
s.authors = ["Morten Primdahl"]
|
5
|
-
s.email = "primdahl@me.com"
|
6
|
-
s.homepage = "http://github.com/zendesk/samlr"
|
7
|
-
s.files = `git ls-files`.split("\n")
|
8
|
-
s.license = "Apache License Version 2.0"
|
9
|
-
|
10
|
-
s.add_runtime_dependency("nokogiri", ">= 1.5.5")
|
11
|
-
s.add_runtime_dependency("uuidtools", ">= 2.1.3")
|
12
|
-
s.add_runtime_dependency("trollop", ">= 1.16.2")
|
13
|
-
|
14
|
-
s.add_development_dependency("rake")
|
15
|
-
s.add_development_dependency("bundler")
|
16
|
-
s.add_development_dependency("minitest")
|
17
|
-
|
18
|
-
s.executables << "samlr"
|
19
|
-
end
|
@@ -1,11 +0,0 @@
|
|
1
|
-
-----BEGIN CERTIFICATE-----
|
2
|
-
MIIBjTCCATegAwIBAgIBATANBgkqhkiG9w0BAQUFADBPMQswCQYDVQQGEwJVUzEU
|
3
|
-
MBIGA1UECgwLZXhhbXBsZS5vcmcxHTAbBgNVBAsMFFphbWwgUmVzcG9uc2VCdWls
|
4
|
-
ZGVyMQswCQYDVQQDDAJDQTAeFw0xMjA4MDgwMjAxMDlaFw0zMjA4MDMwMjAxMTRa
|
5
|
-
ME8xCzAJBgNVBAYTAlVTMRQwEgYDVQQKDAtleGFtcGxlLm9yZzEdMBsGA1UECwwU
|
6
|
-
WmFtbCBSZXNwb25zZUJ1aWxkZXIxCzAJBgNVBAMMAkNBMFwwDQYJKoZIhvcNAQEB
|
7
|
-
BQADSwAwSAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZ
|
8
|
-
FAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAATANBgkqhkiG9w0BAQUFAANB
|
9
|
-
AKU10RznL2p7xRhO9vOh0CY+gWYmT2kbkLTVRYLApghQFAW8EzIHC/NggfEHM554
|
10
|
-
ykzbbPwjSvM7cRBBDHYuWoY=
|
11
|
-
-----END CERTIFICATE-----
|
@@ -1,9 +0,0 @@
|
|
1
|
-
-----BEGIN RSA PRIVATE KEY-----
|
2
|
-
MIIBOwIBAAJBALb9pPmyHrbZJMDLLkVsHzzXvP7DFcPiYdaNU50l5znRr8ZGhwRZ
|
3
|
-
FAwKroOxXwhK5e9lz06C+kGqnL1v10h1BEUCAwEAAQJADZ4QgdhkerzsBEDaf6YN
|
4
|
-
KQzw7pB79SjKmRnJSB+C9oVo8SE5cDyaomwCCnnYFJm8ACJzCVXhA0eElTtWvkqT
|
5
|
-
wQIhAN+rx2zckCPEBH+pxJ6HOkmDG28EUOP3J2llTUA/zArxAiEA0XCgPzCnWdcH
|
6
|
-
eJN8z7QLLEGJ/JFTZpgr959RQYuBBpUCIEhrEsehZh3eYmJ/MgTt3aZdh61bJWGZ
|
7
|
-
7S3HucpanZLRAiEAzucLd8Fx4f/aYpSZXXtI+lx4m6lZkeXMsaCTHkRZn40CIQDX
|
8
|
-
fYUO1wQNBw/mXihtz+jal+kCP7xu0zrOhTQR+UXL9A==
|
9
|
-
-----END RSA PRIVATE KEY-----
|
@@ -1,2 +0,0 @@
|
|
1
|
-
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
-
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-a61f02dc-c4df-11e2-ac02-a4b197fffe98" InResponseTo="samlr-a61c3746-c4df-11e2-ac02-a4b197fffe98" Version="2.0" IssueInstant="2013-05-25T02:06:01Z" Destination="https://example.org/saml/endpoint"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-a61f02dc-c4df-11e2-ac02-a4b197fffe98"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>4Eqkol24EsDrPhY9crTX+TJ8SNM=</DigestValue></Reference></SignedInfo><SignatureValue>hXwitIsw2ZY9/vQCY9feMYf0jn22VdSBDS6ai7F9Ay8QbWQ+R6WI9+k3WatAXMzxnz8lrF3XhL8HoQPac4RCeA==</SignatureValue></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98" IssueInstant="2013-05-25T02:06:01Z" Version="2.0"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp 
saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>3Hd1NIIArmJNLnxjTYG9YY5T1Bw=</DigestValue></Reference></SignedInfo><SignatureValue>NFL3r1Fu0PnKQVUsG6o0l+qjYydGlxTR9w5h06ef+85EjFR4YnJJ7p5p0vSeFuOyvoJZ8OmfbJy9h+1Vbmveig==</SignatureValue></Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.org</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="samlr-a61c3746-c4df-11e2-ac02-a4b197fffe98" NotOnOrAfter="2013-05-25T02:07:01Z" Recipient="https://example.org/saml/endpoint"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-05-25T02:05:01Z" NotOnOrAfter="2013-05-25T02:07:01Z"><saml:AudienceRestriction><saml:Audience>example.org</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2013-05-25T02:06:01Z" SessionIndex="samlr-a61f0872-c4df-11e2-ac02-a4b197fffe98"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
|
@@ -1,7 +0,0 @@
|
|
1
|
-
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
-
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/saml2">
|
3
|
-
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
4
|
-
<md:NameIDFormat>identity_format</md:NameIDFormat>
|
5
|
-
<md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://support.sp.example.com/"/>
|
6
|
-
</md:SPSSODescriptor>
|
7
|
-
</md:EntityDescriptor>
|
@@ -1,2 +0,0 @@
|
|
1
|
-
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
-
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-26a4eb6c-e271-11e1-a29c-000a27020041" InResponseTo="samlr-26a4e82e-e271-11e1-a29c-000a27020041" Version="2.0" IssueInstant="2012-08-09T22:25:40Z" Destination="https://example.org/saml/endpoint"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-26a4eb6c-e271-11e1-a29c-000a27020041"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>n4k8S7PsriEcj2en2fXnMwgWruU=</DigestValue></Reference></SignedInfo><SignatureValue>pNUUwVRL92E5tFk1+p77geJqV62PuaG5x27Dn+Xi4ff18NSMLb/XmbL2PJIakYOtwMuwQiNX9qioY3Pt1o/CMw==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="samlr-26a4ed1a-e271-11e1-a29c-000a27020041" IssueInstant="2012-08-09T22:25:40Z" Version="2.0"><saml:Issuer>ResponseBuilder IdP</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference URI="#samlr-26a4ed1a-e271-11e1-a29c-000a27020041"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default samlp saml ds xs xsi"/></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>f6uCnv1PdZqKp/0dz6YtfSFaiHQ=</DigestValue></Reference></SignedInfo><SignatureValue>VqW1I4hlWN3ciKjZ1WUaouvita1e7CldZB0UQKtVrnIdO+6XI7R3i12jfDAKmclQ1E6VrNIdV4/D5eGTRjdTjQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.org</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="samlr-26a4e82e-e271-11e1-a29c-000a27020041" NotOnOrAfter="2012-08-09T22:26:40Z" Recipient="https://example.org/saml/endpoint"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-08-09T22:24:40Z" NotOnOrAfter="2012-08-09T22:26:40Z"><saml:AudienceRestriction><saml:Audience>example.org</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-08-09T22:25:40Z" SessionIndex="samlr-26a4ed1a-e271-11e1-a29c-000a27020041"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
|
data/test/test_helper.rb
DELETED
@@ -1,55 +0,0 @@
|
|
1
|
-
require "bundler"
|
2
|
-
require "minitest/autorun"
|
3
|
-
|
4
|
-
Bundler.require
|
5
|
-
|
6
|
-
require "time"
|
7
|
-
require "base64"
|
8
|
-
require "tmpdir"
|
9
|
-
|
10
|
-
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
|
11
|
-
|
12
|
-
require "samlr"
|
13
|
-
require "samlr/tools/response_builder"
|
14
|
-
require "samlr/tools/certificate_builder"
|
15
|
-
|
16
|
-
FIXTURE_PATH = File.join(File.dirname(__FILE__), "fixtures")
|
17
|
-
TEST_CERTIFICATE = Samlr::Tools::CertificateBuilder.load(FIXTURE_PATH, "default_samlr")
|
18
|
-
|
19
|
-
def saml_response_document(options = {})
|
20
|
-
# Test defaults
|
21
|
-
options = {
|
22
|
-
:destination => "https://example.org/saml/endpoint",
|
23
|
-
:in_response_to => Samlr::Tools.uuid,
|
24
|
-
:name_id => "someone@example.org",
|
25
|
-
:audience => "example.org",
|
26
|
-
:not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.now + 60),
|
27
|
-
:not_before => Samlr::Tools::Timestamp.stamp(Time.now - 60),
|
28
|
-
:response_id => Samlr::Tools.uuid
|
29
|
-
}.merge(options)
|
30
|
-
|
31
|
-
Samlr::Tools::ResponseBuilder.build(options)
|
32
|
-
end
|
33
|
-
|
34
|
-
def saml_response(options = {})
|
35
|
-
fingerprint = options[:fingerprint]
|
36
|
-
fingerprint ||= options[:certificate] ? Samlr::Fingerprint.x509(options[:certificate].x509) : nil
|
37
|
-
|
38
|
-
Samlr::Response.new(saml_response_document(options), :fingerprint => fingerprint)
|
39
|
-
end
|
40
|
-
|
41
|
-
# A response that never changes. Useful for digest checks etc.
|
42
|
-
def fixed_saml_response(options = {})
|
43
|
-
options = {
|
44
|
-
:certificate => TEST_CERTIFICATE,
|
45
|
-
:issue_instant => Samlr::Tools::Timestamp.stamp(Time.at(1344379365)),
|
46
|
-
:response_id => "samlr123",
|
47
|
-
:assertion_id => "samlr456",
|
48
|
-
:in_response_to => "samlr789",
|
49
|
-
:attributes => { "tags" => "mean horse", "things" => [ "one", "two", "three" ] },
|
50
|
-
:not_on_or_after => Samlr::Tools::Timestamp.stamp(Time.at(1344379365 + 60)),
|
51
|
-
:not_before => Samlr::Tools::Timestamp.stamp(Time.at(1344379365 - 60))
|
52
|
-
}.merge(options)
|
53
|
-
|
54
|
-
saml_response(options)
|
55
|
-
end
|
data/test/unit/test_assertion.rb
DELETED
@@ -1,71 +0,0 @@
|
|
1
|
-
require File.expand_path("test/test_helper")
|
2
|
-
require "time"
|
3
|
-
|
4
|
-
describe Samlr::Assertion do
|
5
|
-
subject { fixed_saml_response.assertion }
|
6
|
-
|
7
|
-
describe "#skip_conditions?" do
|
8
|
-
it "reflects the passed options" do
|
9
|
-
assert Samlr::Assertion.new(nil, :skip_conditions => true).send(:skip_conditions?)
|
10
|
-
refute Samlr::Assertion.new(nil, :skip_conditions => false).send(:skip_conditions?)
|
11
|
-
end
|
12
|
-
end
|
13
|
-
|
14
|
-
describe "#attributes" do
|
15
|
-
it "returns a hash of assertion attributes" do
|
16
|
-
assert_equal subject.attributes[:tags], "mean horse"
|
17
|
-
assert_equal subject.attributes["tags"], "mean horse"
|
18
|
-
end
|
19
|
-
|
20
|
-
it "turns multiple attribute values into an array" do
|
21
|
-
assert_equal subject.attributes["things"].sort, [ "one", "two", "three" ].sort
|
22
|
-
end
|
23
|
-
end
|
24
|
-
|
25
|
-
describe "#name_id" do
|
26
|
-
it "returns the body of the NameID element" do
|
27
|
-
assert_equal "someone@example.org", subject.name_id
|
28
|
-
end
|
29
|
-
end
|
30
|
-
|
31
|
-
describe "#name_id_options" do
|
32
|
-
subject { fixed_saml_response(:name_qualifier => 'portal-happyservice-idp', :sp_name_qualifier => 'happyservice.zendesk.com').assertion }
|
33
|
-
|
34
|
-
it "returns the options for the NameID element" do
|
35
|
-
expected = {"Format"=>"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "NameQualifier"=>"portal-happyservice-idp", "SPNameQualifier"=>"happyservice.zendesk.com"}
|
36
|
-
assert_equal expected, subject.name_id_options
|
37
|
-
end
|
38
|
-
end
|
39
|
-
|
40
|
-
describe "#verify!" do
|
41
|
-
let(:condition) do
|
42
|
-
Class.new do
|
43
|
-
def verify!
|
44
|
-
raise Samlr::ConditionsError, 'error'
|
45
|
-
end
|
46
|
-
end
|
47
|
-
end
|
48
|
-
|
49
|
-
before do
|
50
|
-
@unsatisfied_condition = condition.new
|
51
|
-
end
|
52
|
-
|
53
|
-
describe "when conditions are not met" do
|
54
|
-
it "should raise" do
|
55
|
-
subject.stub(:conditions, @unsatisfied_condition) do
|
56
|
-
assert_raises(Samlr::ConditionsError) { subject.verify! }
|
57
|
-
end
|
58
|
-
end
|
59
|
-
|
60
|
-
describe "and conditions are to be skipped" do
|
61
|
-
it "should pass" do
|
62
|
-
subject.stub(:skip_conditions?, true) do
|
63
|
-
subject.stub(:conditions, @unsatisfied_condition) do
|
64
|
-
assert subject.verify!
|
65
|
-
end
|
66
|
-
end
|
67
|
-
end
|
68
|
-
end
|
69
|
-
end
|
70
|
-
end
|
71
|
-
end
|
data/test/unit/test_condition.rb
DELETED
@@ -1,154 +0,0 @@
|
|
1
|
-
require File.expand_path("test/test_helper")
|
2
|
-
|
3
|
-
def condition(before, after)
|
4
|
-
element = Nokogiri::XML::Element.new('saml:Condition', Nokogiri::XML(''))
|
5
|
-
element["NotBefore"] = before.utc.iso8601 if before
|
6
|
-
element["NotOnOrAfter"] = after.utc.iso8601 if after
|
7
|
-
|
8
|
-
Samlr::Condition.new(element, {})
|
9
|
-
end
|
10
|
-
|
11
|
-
def verify!
|
12
|
-
Time.stub(:now, Time.at(1344379365)) do
|
13
|
-
subject.verify!
|
14
|
-
end
|
15
|
-
end
|
16
|
-
|
17
|
-
describe Samlr::Condition do
|
18
|
-
before do
|
19
|
-
@not_before = (Time.now - 10*60)
|
20
|
-
@not_after = (Time.now + 10*60)
|
21
|
-
end
|
22
|
-
|
23
|
-
describe "verify!" do
|
24
|
-
describe "audience verification" do
|
25
|
-
let(:response) { fixed_saml_response }
|
26
|
-
subject { response.assertion.conditions }
|
27
|
-
|
28
|
-
describe "when it is wrong" do
|
29
|
-
before do
|
30
|
-
response.options[:audience] = 'example.com'
|
31
|
-
end
|
32
|
-
|
33
|
-
it "raises an exception" do
|
34
|
-
refute subject.audience_satisfied?
|
35
|
-
|
36
|
-
begin
|
37
|
-
verify!
|
38
|
-
flunk "Expected exception"
|
39
|
-
rescue Samlr::ConditionsError => e
|
40
|
-
assert_match /Audience/, e.message
|
41
|
-
end
|
42
|
-
end
|
43
|
-
end
|
44
|
-
|
45
|
-
describe "when it is right" do
|
46
|
-
before do
|
47
|
-
response.options[:audience] = 'example.org'
|
48
|
-
end
|
49
|
-
|
50
|
-
it "does not raise an exception" do
|
51
|
-
assert verify!
|
52
|
-
end
|
53
|
-
end
|
54
|
-
|
55
|
-
describe "using a regex" do
|
56
|
-
describe "valid regex" do
|
57
|
-
before do
|
58
|
-
response.options[:audience] = /example\.(org|com)/
|
59
|
-
end
|
60
|
-
|
61
|
-
it "does not raise an exception" do
|
62
|
-
assert verify!
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
|
-
describe "invalid regex" do
|
67
|
-
before do
|
68
|
-
response.options[:audience] = /\A[a-z]\z/
|
69
|
-
end
|
70
|
-
|
71
|
-
it "raises an exception" do
|
72
|
-
refute subject.audience_satisfied?
|
73
|
-
|
74
|
-
begin
|
75
|
-
verify!
|
76
|
-
flunk "Expected exception"
|
77
|
-
rescue Samlr::ConditionsError => e
|
78
|
-
assert_match /Audience/, e.message
|
79
|
-
end
|
80
|
-
end
|
81
|
-
end
|
82
|
-
end
|
83
|
-
end
|
84
|
-
|
85
|
-
describe "when the lower time has not been met" do
|
86
|
-
before { @not_before = (Time.now + 5*60) }
|
87
|
-
subject { condition(@not_before, @not_after) }
|
88
|
-
|
89
|
-
it "raises an exception" do
|
90
|
-
assert subject.not_on_or_after_satisfied?
|
91
|
-
refute subject.not_before_satisfied?
|
92
|
-
|
93
|
-
begin
|
94
|
-
subject.verify!
|
95
|
-
flunk "Expected exception"
|
96
|
-
rescue Samlr::ConditionsError => e
|
97
|
-
assert_match /Not before/, e.message
|
98
|
-
end
|
99
|
-
end
|
100
|
-
end
|
101
|
-
|
102
|
-
describe "when the upper time has been exceeded" do
|
103
|
-
before { @not_after = (Time.now - 5*60) }
|
104
|
-
subject { condition(@not_before, @not_after) }
|
105
|
-
|
106
|
-
it "raises an exception" do
|
107
|
-
refute subject.not_on_or_after_satisfied?
|
108
|
-
assert subject.not_before_satisfied?
|
109
|
-
|
110
|
-
begin
|
111
|
-
subject.verify!
|
112
|
-
flunk "Expected exception"
|
113
|
-
rescue Samlr::ConditionsError => e
|
114
|
-
assert_match /Not on or after/, e.message
|
115
|
-
end
|
116
|
-
end
|
117
|
-
end
|
118
|
-
|
119
|
-
describe "when no time boundary has been exeeded" do
|
120
|
-
subject { condition(@not_before, @not_after) }
|
121
|
-
|
122
|
-
it "returns true" do
|
123
|
-
assert subject.verify!
|
124
|
-
end
|
125
|
-
end
|
126
|
-
end
|
127
|
-
|
128
|
-
describe "#audience_satisfied?" do
|
129
|
-
it "returns true when audience is a nil value" do
|
130
|
-
element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
|
131
|
-
assert Samlr::Condition.new(element, {}).audience_satisfied?
|
132
|
-
end
|
133
|
-
|
134
|
-
it "returns true when passed a nil audience" do
|
135
|
-
condition = fixed_saml_response.assertion.conditions
|
136
|
-
assert_equal 'example.org', condition.audience
|
137
|
-
assert condition.audience_satisfied?
|
138
|
-
end
|
139
|
-
end
|
140
|
-
|
141
|
-
describe "#not_before_satisfied?" do
|
142
|
-
it "returns true when passed a nil value" do
|
143
|
-
element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
|
144
|
-
assert Samlr::Condition.new(element, {}).not_before_satisfied?
|
145
|
-
end
|
146
|
-
end
|
147
|
-
|
148
|
-
describe "#not_on_or_after_satisfied?" do
|
149
|
-
it "returns true when passed a nil value" do
|
150
|
-
element = Nokogiri::XML::Node.new('saml:Condition', Nokogiri::XML(''))
|
151
|
-
assert Samlr::Condition.new(element, {}).not_on_or_after_satisfied?
|
152
|
-
end
|
153
|
-
end
|
154
|
-
end
|