Commit b44eeff
Changed files (15)
lib/saml/kit/bindings/url_builder.rb
@@ -34,7 +34,7 @@ module Saml
to_query_string(
saml_document.query_string_parameter => serialize(saml_document.to_xml),
'RelayState' => relay_state,
- 'SigAlg' => Saml::Kit::Namespaces::SHA256,
+ 'SigAlg' => ::Xml::Kit::Namespaces::SHA256,
)
end
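Review bot: The `SigAlg` value on the changed line is still `SHA256`, which in xml-kit/lib/xml/kit/namespaces.rb is `http://www.w3.org/2001/04/xmlenc#sha256` — a DigestMethod URI, whereas the HTTP-Redirect binding's `SigAlg` parameter names the signature algorithm the query string was signed with, for which the same module offers `RSA_SHA256` (`'SigAlg' => ::Xml::Kit::Namespaces::RSA_SHA256,`). The commit only relocates the constant, so this is pre-existing, but a receiver that verifies against the advertised algorithm would presumably reject or mis-verify the signature; the value should be derived from whatever algorithm actually signs the payload, which is not visible in this hunk. The specs at spec/saml/bindings/url_builder_spec.rb pin the current value and would need to change in step. The enclosing method starts outside the hunk.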
lib/saml/kit/builders/templates/certificate.builder
@@ -1,5 +1,5 @@
xml.KeyDescriptor use: use do
- xml.KeyInfo "xmlns": Saml::Kit::Namespaces::XMLDSIG do
+ xml.KeyInfo "xmlns": ::Xml::Kit::Namespaces::XMLDSIG do
xml.X509Data do
xml.X509Certificate stripped
end
lib/saml/kit/builders/templates/xml_encryption.builder
@@ -1,8 +1,8 @@
xml.EncryptedAssertion xmlns: Saml::Kit::Namespaces::ASSERTION do
- xml.EncryptedData xmlns: Saml::Kit::Namespaces::XMLENC do
+ xml.EncryptedData xmlns: ::Xml::Kit::Namespaces::XMLENC do
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
- xml.KeyInfo xmlns: Saml::Kit::Namespaces::XMLDSIG do
- xml.EncryptedKey xmlns: Saml::Kit::Namespaces::XMLENC do
+ xml.KeyInfo xmlns: ::Xml::Kit::Namespaces::XMLDSIG do
+ xml.EncryptedKey xmlns: ::Xml::Kit::Namespaces::XMLENC do
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
xml.CipherData do
xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
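Review bot: The key-transport `EncryptionMethod` beneath the changed `EncryptedKey` line is fixed to `http://www.w3.org/2001/04/xmlenc#rsa-1_5`, i.e. RSA PKCS#1 v1.5 key transport, which XML Encryption 1.1 discourages in favour of RSA-OAEP because of its padding-oracle exposure; the `public_key.public_encrypt(key)` call on the `CipherValue` line uses Ruby OpenSSL's default PKCS#1 v1.5 padding, so the declared and actual padding agree today and must be changed together. Moving to OAEP means the URI becomes `http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p` and the call becomes `public_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)`, subject to the peer supporting it. The data encryption is likewise fixed to `aes256-cbc`, which carries no integrity protection; AES-GCM is the XML Encryption 1.1 recommendation where the receiver supports it. This is pre-existing rather than introduced here, and the template continues outside the hunk.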
lib/saml/kit/builders/templates/xml_signature.builder
@@ -1,4 +1,4 @@
-xml.Signature "xmlns" => Saml::Kit::Namespaces::XMLDSIG do
+xml.Signature "xmlns" => ::Xml::Kit::Namespaces::XMLDSIG do
xml.SignedInfo do
xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
xml.SignatureMethod Algorithm: signature_method
lib/saml/kit/builders/identity_provider_metadata.rb
@@ -42,7 +42,7 @@ module Saml
def entity_descriptor_options
{
'xmlns': Namespaces::METADATA,
- 'xmlns:ds': Namespaces::XMLDSIG,
+ 'xmlns:ds': ::Xml::Kit::Namespaces::XMLDSIG,
'xmlns:saml': Namespaces::ASSERTION,
ID: id,
entityID: entity_id,
lib/saml/kit/builders/metadata.rb
@@ -39,7 +39,7 @@ module Saml
def entity_descriptor_options
{
'xmlns': Namespaces::METADATA,
- 'xmlns:ds': Namespaces::XMLDSIG,
+ 'xmlns:ds': ::Xml::Kit::Namespaces::XMLDSIG,
'xmlns:saml': Namespaces::ASSERTION,
ID: id,
entityID: entity_id,
lib/saml/kit/namespaces.rb
@@ -0,0 +1,24 @@
+module Saml
+ module Kit
+ module Namespaces
+ ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+ ATTR_SPLAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
+ BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+ BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+ EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+ METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+ PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+ PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+ PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+ PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+ REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+ RESPONDER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Responder"
+ SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+ TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+ UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+ UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+ URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+ VERSION_MISMATCH_ERROR = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
+ end
+ end
+end
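Review bot: Every constant in the new `Saml::Kit::Namespaces` module is a plain mutable String, so a stray `<<` or `gsub!` anywhere in the process would silently rewrite a namespace or status URN that metadata, signing and status handling all depend on; the file should open with `# frozen_string_literal: true` (or each value should carry `.freeze`), and the same applies to xml-kit/lib/xml/kit/namespaces.rb in this commit. The module also has no documentation, and since the split between the two modules is the point of the commit, a header such as `# SAML 2.0 URNs: assertion/protocol/metadata namespaces, name-id formats, status codes, consent and attribute-name formats. XML-DSig and XML-Enc URIs live in ::Xml::Kit::Namespaces.` would tell readers which module to reach for. `UNSPECIFIED` is a consent URN while `UNSPECIFIED_NAMEID` is a name-id format; a short comment above each group would keep them from being confused.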
lib/saml/kit/xml.rb
@@ -5,7 +5,7 @@ module Saml
include ActiveModel::Validations
NAMESPACES = {
"NameFormat": Namespaces::ATTR_SPLAT,
- "ds": Namespaces::XMLDSIG,
+ "ds": ::Xml::Kit::Namespaces::XMLDSIG,
"md": Namespaces::METADATA,
"saml": Namespaces::ASSERTION,
"samlp": Namespaces::PROTOCOL,
lib/saml/kit.rb
@@ -19,6 +19,7 @@ require "xml/kit"
require "saml/kit/buildable"
require "saml/kit/templatable"
require "saml/kit/builders"
+require "saml/kit/namespaces"
require "saml/kit/serializable"
require "saml/kit/xsd_validatable"
require "saml/kit/respondable"
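Review bot: `require "saml/kit/namespaces"` lands after `require "saml/kit/builders"`, yet lib/saml/kit/xml.rb in this commit reads `Namespaces::ATTR_SPLAT` and friends inside a class-body `NAMESPACES` hash, i.e. at load time; whether that file or anything the builders pull in is loaded before this line is not visible in the hunk, so it is worth confirming that nothing above it needs `Saml::Kit::Namespaces` while loading. Placing the require directly after `require "xml/kit"` and ahead of the other `saml/kit/*` requires removes the ordering dependency: `require "xml/kit"` followed by `require "saml/kit/namespaces"`. The require list is otherwise unordered, so an alphabetical or dependency-ordered listing would make this easier to keep right.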
spec/saml/bindings/url_builder_spec.rb
@@ -54,7 +54,7 @@ RSpec.describe Saml::Kit::Bindings::UrlBuilder do
it 'includes a signature' do
result = subject.build(response, relay_state: relay_state)
query_params = to_query_params(result)
- expect(query_params['SigAlg']).to eql(CGI.escape(Saml::Kit::Namespaces::SHA256))
+ expect(query_params['SigAlg']).to eql(CGI.escape(::Xml::Kit::Namespaces::SHA256))
payload = "#{query_string_parameter}=#{query_params[query_string_parameter]}"
payload << "&RelayState=#{query_params['RelayState']}"
@@ -67,7 +67,7 @@ RSpec.describe Saml::Kit::Bindings::UrlBuilder do
it 'generates the signature correctly when the relay state is absent' do
result = subject.build(response)
query_params = to_query_params(result)
- expect(query_params['SigAlg']).to eql(CGI.escape(Saml::Kit::Namespaces::SHA256))
+ expect(query_params['SigAlg']).to eql(CGI.escape(::Xml::Kit::Namespaces::SHA256))
payload = "#{query_string_parameter}=#{query_params[query_string_parameter]}"
payload << "&SigAlg=#{query_params['SigAlg']}"
spec/saml/composite_metadata_spec.rb
@@ -13,17 +13,17 @@ RSpec.describe Saml::Kit::CompositeMetadata do
let(:idp_encryption_certificate) { Saml::Kit::KeyPair.generate(use: :encryption).certificate }
let(:xml) do
<<-XML
-<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{Xml::Kit::Id.generate}" entityID="#{entity_id}">
+<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{::Xml::Kit::Id.generate}" entityID="#{entity_id}">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="#{Saml::Kit::Namespaces::PROTOCOL}">
<KeyDescriptor use="signing">
- <KeyInfo xmlns="#{Saml::Kit::Namespaces::XMLDSIG}">
+ <KeyInfo xmlns="#{::Xml::Kit::Namespaces::XMLDSIG}">
<X509Data>
<X509Certificate>#{sp_signing_certificate.stripped}</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
- <KeyInfo xmlns="#{Saml::Kit::Namespaces::XMLDSIG}">
+ <KeyInfo xmlns="#{::Xml::Kit::Namespaces::XMLDSIG}">
<X509Data>
<X509Certificate>#{sp_encryption_certificate.stripped}</X509Certificate>
</X509Data>
@@ -35,14 +35,14 @@ RSpec.describe Saml::Kit::CompositeMetadata do
</SPSSODescriptor>
<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="#{Saml::Kit::Namespaces::PROTOCOL}">
<KeyDescriptor use="signing">
- <KeyInfo xmlns="#{Saml::Kit::Namespaces::XMLDSIG}">
+ <KeyInfo xmlns="#{::Xml::Kit::Namespaces::XMLDSIG}">
<X509Data>
<X509Certificate>#{idp_signing_certificate.stripped}</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
- <KeyInfo xmlns="#{Saml::Kit::Namespaces::XMLDSIG}">
+ <KeyInfo xmlns="#{::Xml::Kit::Namespaces::XMLDSIG}">
<X509Data>
<X509Certificate>#{idp_encryption_certificate.stripped}</X509Certificate>
</X509Data>
spec/saml/default_registry_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe Saml::Kit::DefaultRegistry do
it 'registers metadata that serves as both an IDP and SP' do
xml = <<-XML
-<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{Xml::Kit::Id.generate}" entityID="#{entity_id}">
+<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{::Xml::Kit::Id.generate}" entityID="#{entity_id}">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="#{Saml::Kit::Namespaces::PROTOCOL}">
<SingleLogoutService Binding="#{Saml::Kit::Bindings::HTTP_POST}" Location="#{FFaker::Internet.uri("https")}"/>
<NameIDFormat>#{Saml::Kit::Namespaces::PERSISTENT}</NameIDFormat>
spec/saml/response_spec.rb
@@ -1,6 +1,6 @@
RSpec.describe Saml::Kit::Response do
describe "#valid?" do
- let(:request) { instance_double(Saml::Kit::AuthenticationRequest, id: Xml::Kit::Id.generate, issuer: FFaker::Internet.http_url, assertion_consumer_service_url: FFaker::Internet.http_url, name_id_format: Saml::Kit::Namespaces::PERSISTENT, provider: nil, signed?: true, trusted?: true) }
+ let(:request) { instance_double(Saml::Kit::AuthenticationRequest, id: ::Xml::Kit::Id.generate, issuer: FFaker::Internet.http_url, assertion_consumer_service_url: FFaker::Internet.http_url, name_id_format: Saml::Kit::Namespaces::PERSISTENT, provider: nil, signed?: true, trusted?: true) }
let(:user) { double(:user, name_id_for: SecureRandom.uuid, assertion_attributes_for: { id: SecureRandom.uuid }) }
let(:registry) { instance_double(Saml::Kit::DefaultRegistry) }
let(:metadata) { instance_double(Saml::Kit::IdentityProviderMetadata) }
spec/saml/service_provider_metadata_spec.rb
@@ -104,7 +104,7 @@ RSpec.describe Saml::Kit::ServiceProviderMetadata do
it 'is invalid when 0 ACS endpoints are specified' do
xml = <<-XML
<?xml version="1.0" encoding="UTF-8"?>
-<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{Xml::Kit::Id.generate}" entityID="#{entity_id}">
+<EntityDescriptor xmlns="#{Saml::Kit::Namespaces::METADATA}" ID="#{::Xml::Kit::Id.generate}" entityID="#{entity_id}">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="#{Saml::Kit::Namespaces::PROTOCOL}">
<SingleLogoutService Binding="#{Saml::Kit::Bindings::HTTP_POST}" Location="#{FFaker::Internet.uri("https")}"/>
<NameIDFormat>#{Saml::Kit::Namespaces::PERSISTENT}</NameIDFormat>
xml-kit/lib/xml/kit/namespaces.rb
@@ -1,19 +1,7 @@
-module XML
+module Xml
module Kit
module Namespaces
- ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
- ATTR_SPLAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
- BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
- BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
- EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
- METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
- PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
- PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
- PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
- PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
- REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
- RESPONDER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Responder"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
@@ -22,12 +10,6 @@ module XML
SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
- SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
- TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
- UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
- UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
- URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
- VERSION_MISMATCH_ERROR = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
XMLENC = "http://www.w3.org/2001/04/xmlenc#"
end
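Review bot: After the trim, the module mixes two kinds of URI without saying so: `SHA256`/`SHA384`/`SHA512` are DigestMethod identifiers, while `RSA_SHA1`…`RSA_SHA384` are SignatureMethod identifiers and `ENVELOPED_SIG` is a Transform, and lib/saml/kit/bindings/url_builder.rb in this same commit passes `SHA256` where a signature algorithm is expected. A one-line comment above each group, e.g. `# DigestMethod URIs (XML-DSig / XML-Enc)` and `# SignatureMethod and Transform URIs`, would make the distinction visible at the point of use. The rename from `XML` to `Xml` matches the `Xml::Kit::Id` references already present in the specs, but any external code still addressing `XML::Kit::Namespaces` will break; if that matters, a transitional top-level `XML = Xml` alias is cheap to keep for one release. The lines between the two hunks are not shown, so the module's full constant list cannot be confirmed from here.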