Merge pull request SAML-Toolkits#38 from drywheattoast/inclusive_name…

…spaces_query Fixes dynamic NS bug in InclusiveNamespaces element query
orslumen · Sep 17, 2012 · 2d3d46c · 2d3d46c
2 parents 0df0438 + 8e33c02
commit 2d3d46c
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 9 deletions.
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -34,6 +34,7 @@
 module XMLSecurity
 
   class SignedDocument < REXML::Document
+    C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
     DSIG = "http://www.w3.org/2000/09/xmldsig#"
 
     attr_accessor :signed_element_id, :sig_element
@@ -64,14 +65,7 @@ def validate_doc(base64_cert, soft = true)
       # validate references
 
       # check for inclusive namespaces
-
-      inclusive_namespaces            = []
-      inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
-
-      if inclusive_namespace_element
-        prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
-        inclusive_namespaces          = prefix_list.split(" ")
-      end
+      inclusive_namespaces = extract_inclusive_namespaces
 
       # store and remove signature node
       self.sig_element ||= begin
@@ -139,6 +133,15 @@ def algorithm(element)
         OpenSSL::Digest::SHA1
       end
     end
+
+    def extract_inclusive_namespaces
+      if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+        prefix_list = element.attributes.get_attribute("PrefixList").value
+        prefix_list.split(" ")
+      else
+        []
+      end
+    end
 
   end
 end
diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -74,5 +74,37 @@ class XmlSecurityTest < Test::Unit::TestCase
       assert @document.validate("F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72")
     end
   end
-
+
+  context "XmlSecurity::SignedDocument" do
+
+    context "#extract_inclusive_namespaces" do
+      should "support explicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:open_saml_response, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+        assert_equal %w[ xs ], inclusive_namespaces
+      end
+
+      should "support implicit namespace resolution for exclusive canonicalization" do
+        response = fixture(:no_signature_ns, false)
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+        assert_equal %w[ #default saml ds xs xsi ], inclusive_namespaces
+      end
+
+      should "return an empty list when inclusive namespace element is missing" do
+        response = fixture(:no_signature_ns, false)
+        response.slice! %r{<InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="#default saml ds xs xsi"/>}
+
+        document = XMLSecurity::SignedDocument.new(response)
+        inclusive_namespaces = document.send(:extract_inclusive_namespaces)
+
+        assert inclusive_namespaces.empty?
+      end
+    end
+
+  end
+
 end