Commit aaff27b

mo <mo.khan@gmail.com>
2018-02-15 17:34:41
validate individual signatures.
1 parent fcd5607
lib/saml/kit/document.rb
@@ -66,13 +66,17 @@ module Saml
       # Returns the SAML document as an XHTML string. 
       # This is useful for rendering in a web page.
       def to_xhtml
-        Nokogiri::XML(content, &:noblanks).to_xhtml
+        Nokogiri::XML(to_xml, &:noblanks).to_xhtml
       end
 
       def to_nokogiri
         @nokogiri ||= Nokogiri::XML(content)
       end
 
+      def at_xpath(xpath)
+        to_nokogiri.at_xpath(xpath, NAMESPACES)
+      end
+
       def to_s
         to_xml
       end
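Review bot: `at_xpath` is the one public method in this hunk without a doc comment, while `to_xhtml` just above carries one; add `# Returns the first node matching +xpath+ in the memoized Nokogiri document, resolved against NAMESPACES.` above `def at_xpath(xpath)`. Because it delegates to the `@nokogiri ||=` cache in `to_nokogiri`, the node it returns is live: mutating it, as the spec in this commit does, changes every later lookup and serialization of the same cached document, which the comment should state. The argument is passed straight to Nokogiri, so it should only ever be a literal expression owned by this library rather than caller-supplied text. The enclosing class begins outside the hunk.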
lib/saml/kit/signature.rb
@@ -48,8 +48,8 @@ module Saml
         end
       end
 
-      def validate_certificate(now = Time.current)
-        if certificate.present? && certificate.expired?(now)
+      def validate_certificate(now = Time.now.utc)
+        if certificate.present? && !certificate.active?(now)
           error_message = "Not valid before #{certificate.not_before}. Not valid after #{certificate.not_after}."
           errors.add(:certificate, error_message)
         end
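Review bot: A signature with no certificate passes this validation silently, because `certificate.present? &&` on the line after `def validate_certificate` short-circuits before any error is recorded; unless absence is reported elsewhere in the class (the rest of it is outside the hunk), an `else` branch with `errors.add(:certificate, 'is missing')` would close that gap. Replacing `expired?` with `!active?` presumably also rejects not-yet-valid certificates, a behavior change worth a comment such as `# Rejects certificates outside their validity window (not yet valid or expired) at +now+, given in UTC.` above the method. The method's closing `end` lies outside the hunk.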
spec/saml/signature_spec.rb
@@ -1,21 +1,19 @@
 RSpec.describe Saml::Kit::Signature do
   describe "#valid?" do
     let(:key_pair) { ::Xml::Kit::KeyPair.generate(use: :signing) }
-
-    it 'returns true when the signature is valid' do
-      signed_document = Saml::Kit::AuthenticationRequest.build do |x|
+    let(:signed_document) do
+      Saml::Kit::AuthenticationRequest.build do |x|
         x.sign_with(key_pair)
       end
-      subject = described_class.new(Hash.from_xml(signed_document.to_xml))
+    end
+    subject { described_class.new(signed_document.at_xpath('//ds:Signature')) }
+
+    it 'returns true when the signature is valid' do
       expect(subject).to be_valid
     end
 
     it 'is invalid when the xml has been tampered' do
-      signed_document = Saml::Kit::AuthenticationRequest.build do |x|
-        x.sign_with(key_pair)
-      end
-      tampered_xml = signed_document.to_xml.gsub("Issuer", "Hacked")
-      subject = described_class.new(Hash.from_xml(tampered_xml))
+      signed_document.at_xpath('//saml:Issuer').content = "INVALID"
       expect(subject).to_not be_valid
     end
 
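Review bot: The `validate_certificate` change in this commit (rejecting certificates that are not `active?` at `now`) has no example in this hunk; the describe block continues past the hunk, so one may exist further down, but if not, an `it 'is invalid when the certificate is outside its validity window'` example built from a certificate whose validity window excludes `Time.now.utc` would pin the new behavior. The tamper example depends on `at_xpath` returning a live node of the memoized document and on `subject` being evaluated lazily after the `content = "INVALID"` mutation; a one-line comment such as `# mutate the cached document before subject is first built` above that line would make the ordering explicit.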
saml-kit.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "activemodel", ">= 4.2.0"
-  spec.add_dependency "xml-kit", ">= 0.1.5", "<= 1.0.0"
+  spec.add_dependency "xml-kit", ">= 0.1.6", "<= 1.0.0"
   spec.add_development_dependency "bundler", "~> 1.15"
   spec.add_development_dependency "ffaker", "~> 2.7"
   spec.add_development_dependency "rake", "~> 10.0"