Commit aa8efca
Changed files (5)
lib/saml/kit/metadata.rb
@@ -93,9 +93,7 @@ module Saml
end
def must_contain_descriptor
- unless metadata
- errors[:metadata] << error_message('invalid')
- end
+ errors[:metadata] << error_message(:invalid) unless metadata
end
def must_match_xsd
@@ -111,7 +109,7 @@ module Saml
return if to_xml.blank?
unless valid_signature?
- errors[:metadata] << error_message('invalid_signature')
+ errors[:metadata] << error_message(:invalid_signature)
end
end
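Review bot: The second hunk keeps the three-line `unless valid_signature? ... end` form while the first hunk collapses the identical pattern into a modifier, so the two validators now read differently for no reason; `errors[:metadata] << error_message(:invalid_signature) unless valid_signature?` would match the style the commit just introduced. The `return if to_xml.blank?` guard skips the signature check entirely for blank input, which is presumably fine because the blank case is reported separately (the spec expects "can't be blank"), but a comment saying so would help: `# blank metadata is reported by the presence check; nothing to verify here`. Whether `valid_signature?` accepts a document that carries no Signature element at all is not visible in this hunk — worth confirming with a spec if unsigned metadata is meant to be rejected. The enclosing method's definition line lies above the hunk.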
lib/saml/kit/service_provider_metadata.rb
@@ -39,29 +39,24 @@ module Saml
signature = Signature.new(id)
xml = ::Builder::XmlMarkup.new
xml.instruct!
- xml.tag! 'md:EntityDescriptor', entity_descriptor_options do
+ xml.EntityDescriptor entity_descriptor_options do
signature.template(xml)
- xml.tag! "md:SPSSODescriptor", descriptor_options do
- name_id_formats.each do |format|
- xml.tag! "md:NameIDFormat", format
- end
- acs_urls.each_with_index do |item, index|
- xml.tag! "md:AssertionConsumerService", {
- Binding: item[:binding],
- Location: item[:location],
- index: index,
- isDefault: index == 0 ? true : false,
- }
+ xml.SPSSODescriptor descriptor_options do
+ xml.KeyDescriptor use: "signing" do
+ xml.KeyInfo "xmlns": Saml::Kit::Signature::XMLDSIG do
+ xml.X509Data do
+ xml.X509Certificate @configuration.stripped_signing_certificate
+ end
+ end
end
logout_urls.each do |item|
- xml.tag! "md:SingleLogoutService", Binding: item[:binding], Location: item[:location]
+ xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
end
- xml.tag! "md:KeyDescriptor", use: "signing" do
- xml.tag! "ds:KeyInfo", "xmlns:ds": Saml::Kit::Signature::XMLDSIG do
- xml.tag! "ds:X509Data" do
- xml.tag! "ds:X509Certificate", @configuration.stripped_signing_certificate
- end
- end
+ name_id_formats.each do |format|
+ xml.NameIDFormat format
+ end
+ acs_urls.each_with_index do |item, index|
+ xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
end
end
end
@@ -76,7 +71,7 @@ module Saml
def entity_descriptor_options
{
- 'xmlns:md': Namespaces::METADATA,
+ 'xmlns': Namespaces::METADATA,
ID: "_#{id}",
entityID: entity_id,
}
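Review bot: The new AssertionConsumerService line packs four attributes and a redundant `index == 0 ? true : false` onto one long line, while the KeyDescriptor block just above is laid out one element per line; `index.zero?` already yields the boolean and a multi-line attribute hash keeps the element readable, as in the fence below. The same attribute is spelled three ways across this commit — `"xmlns":` on KeyInfo here, `'xmlns':` in `entity_descriptor_options`, and `"xmlns" =>` in `Signature#template` — and settling on one form would make the namespace declarations easier to grep. Moving KeyDescriptor ahead of SingleLogoutService, NameIDFormat and AssertionConsumerService appears to follow the SPSSODescriptor schema sequence; a one-line comment above `xml.SPSSODescriptor` such as `# child order follows the SPSSODescriptorType sequence in the metadata XSD` would keep a later edit from shuffling it back. The enclosing build method's definition line lies above the first hunk.
```ruby
# … unchanged: KeyDescriptor, SingleLogoutService and NameIDFormat elements …
acs_urls.each_with_index do |item, index|
  xml.AssertionConsumerService(
    Binding: item[:binding],
    Location: item[:location],
    index: index,
    isDefault: index.zero?
  )
end
```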
lib/saml/kit/signature.rb
@@ -25,23 +25,23 @@ module Saml
end
def template(xml = ::Builder::XmlMarkup.new)
- xml.tag! "ds:Signature", "xmlns:ds" => XMLDSIG do
- xml.tag! "ds:SignedInfo", "xmlns:ds" => XMLDSIG do
- xml.tag! "ds:CanonicalizationMethod", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
- xml.tag! "ds:SignatureMethod", Algorithm: SIGNATURE_METHODS[configuration.signature_method]
- xml.tag! "ds:Reference", URI: "#_#{reference_id}" do
- xml.tag! "ds:Transforms" do
- xml.tag! "ds:Transform", Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
- xml.tag! "ds:Transform", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
+ xml.Signature "xmlns" => XMLDSIG do
+ xml.SignedInfo do
+ xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
+ xml.SignatureMethod Algorithm: SIGNATURE_METHODS[configuration.signature_method]
+ xml.Reference URI: "#_#{reference_id}" do
+ xml.Transforms do
+ xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+ xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
end
- xml.tag! "ds:DigestMethod", Algorithm: DIGEST_METHODS[configuration.digest_method]
- xml.tag! "ds:DigestValue", ""
+ xml.DigestMethod Algorithm: DIGEST_METHODS[configuration.digest_method]
+ xml.DigestValue ""
end
end
- xml.tag! "ds:SignatureValue", ""
- xml.tag! "ds:KeyInfo" do
- xml.tag! "ds:X509Data" do
- xml.tag! "ds:X509Certificate", configuration.stripped_signing_certificate
+ xml.SignatureValue ""
+ xml.KeyInfo do
+ xml.X509Data do
+ xml.X509Certificate configuration.stripped_signing_certificate
end
end
end
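Review bot: The certificate written at `xml.X509Certificate configuration.stripped_signing_certificate` inside `KeyInfo` is informational only: a verifier that took its key from the document's own KeyInfo would accept any self-consistent signature, so the matching verification code — not visible in this hunk — should compare against the configured trusted certificate, and a comment above `xml.KeyInfo do` such as `# KeyInfo is a hint for the peer; verification must use the trusted certificate, not this embedded one` would record that contract where the template lives. Dropping the explicit namespace declaration on SignedInfo should be harmless under exclusive c14n, since the default namespace is visibly used by SignedInfo's own unprefixed name and is therefore rendered during canonicalization, but checking that a signature produced by this template still verifies with an independent XMLDSIG implementation would settle it. The `"xmlns" => XMLDSIG` hash-rocket on `xml.Signature` is the only rocket in a block that otherwise uses `Algorithm:`/`URI:` keyword style. The method's closing `end` lies below the hunk.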
spec/saml/service_provider_metadata_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
subject.add_assertion_consumer_service(acs_url, binding: :post)
result = Hash.from_xml(subject.build.to_xml)
- expect(result['EntityDescriptor']['xmlns:md']).to eql("urn:oasis:names:tc:SAML:2.0:metadata")
+ expect(result['EntityDescriptor']['xmlns']).to eql("urn:oasis:names:tc:SAML:2.0:metadata")
expect(result['EntityDescriptor']['ID']).to be_present
expect(result['EntityDescriptor']['entityID']).to eql(entity_id)
expect(result['EntityDescriptor']['SPSSODescriptor']['AuthnRequestsSigned']).to eql('true')
@@ -94,7 +94,6 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
end
describe "#validate" do
- let(:errors) { [] }
let(:service_provider_metadata) do
builder = described_class::Builder.new
builder.entity_id = entity_id
@@ -105,22 +104,19 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
builder.to_xml
end
- let(:identity_provider_metadata) { IO.read("spec/fixtures/metadata/okta.xml") }
-
it 'valid when given valid service provider metadata' do
- subject = described_class.new(service_provider_metadata)
- expect(subject).to be_valid
+ expect(described_class.new(service_provider_metadata)).to be_valid
end
it 'is invalid, when given identity provider metadata' do
- subject = described_class.new(identity_provider_metadata)
- expect(subject).to_not be_valid
+ subject = described_class.new(IO.read("spec/fixtures/metadata/okta.xml"))
+ expect(subject).to be_invalid
expect(subject.errors[:metadata]).to include(I18n.translate("saml/kit.errors.SPSSODescriptor.invalid"))
end
it 'is invalid, when the metadata is nil' do
subject = described_class.new(nil)
- expect(subject).to_not be_valid
+ expect(subject).to be_invalid
expect(subject.errors[:metadata]).to include("can't be blank")
end
@@ -137,19 +133,12 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
expect(subject.errors[:metadata][0]).to include("1:0: ERROR: Element '{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor'")
end
- context "signature validation" do
- it 'is invalid, when the signature is invalid' do
- new_url = 'https://myserver.com/hacked'
- metadata_xml = service_provider_metadata.gsub(acs_post_url, new_url)
- subject = described_class.new(metadata_xml)
- expect(subject).to be_invalid
- expect(subject.errors[:metadata]).to include("invalid signature.")
- end
-
- it 'is valid, when the content has not been tampered with' do
- subject = described_class.new(service_provider_metadata)
- expect(subject).to be_valid
- end
+ it 'is invalid, when the signature is invalid' do
+ new_url = 'https://myserver.com/hacked'
+ metadata_xml = service_provider_metadata.gsub(acs_post_url, new_url)
+ subject = described_class.new(metadata_xml)
+ expect(subject).to be_invalid
+ expect(subject.errors[:metadata]).to include("invalid signature.")
end
end
end
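Review bot: The tampering example pins the English text in `expect(subject.errors[:metadata]).to include("invalid signature.")` while the sibling example a few lines up resolves its message through `I18n.translate(...)`, so this one breaks as soon as the locale text changes; using the same lookup, `include(I18n.translate("<invalid_signature translation key>"))` with the project's actual key, keeps the two consistent. The removed 'is valid, when the content has not been tampered with' example duplicated 'valid when given valid service provider metadata' from the earlier hunk, so no coverage is lost, though neither example shows that the signature path actually ran rather than being skipped by the `return if to_xml.blank?` guard in the validator. The tampering example also relies on `acs_post_url` appearing verbatim inside the signed content; a short comment on the `gsub` line stating that assumption would make the test's intent clear. The `describe "#validate"` block continues beyond this hunk.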
spec/saml/signature_spec.rb
@@ -45,8 +45,7 @@ RSpec.describe Saml::Kit::Signature do
result = Hash.from_xml(subject.finalize(xml))
signature = result["AuthnRequest"]["Signature"]
- expect(signature['xmlns:ds']).to eql("http://www.w3.org/2000/09/xmldsig#")
- expect(signature['SignedInfo']['xmlns:ds']).to eql("http://www.w3.org/2000/09/xmldsig#")
+ expect(signature['xmlns']).to eql("http://www.w3.org/2000/09/xmldsig#")
expect(signature['SignedInfo']['CanonicalizationMethod']['Algorithm']).to eql('http://www.w3.org/2001/10/xml-exc-c14n#')
expect(signature['SignedInfo']['SignatureMethod']['Algorithm']).to eql("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")