SAML Response for Google apps - ruby

I am trying to get Google Apps SAML working, I am getting the:
Google Apps - This account cannot be accessed because we could not parse the login request.
Here is my response verbatim:
<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx9c11a3a9-13dc-ff78-7d18-12f795fab19d" Version="2.0" IssueInstant="2011-08-11T05:24:35Z" Destination="https://www.google.com/a/sparxlabs.com/acs" InResponseTo="idnffilcgaeeonionahcpciplkhhhkmlfedkpipl"> <saml:Issuer>http://saml.sparxlabs.com/</saml:Issuer> <ds:Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI=""> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>Y2E3ZWIyZGEwODFjYjdhZmJjMTZlYmI1NjA4N2IxYzYwMTM5YmEyMA==</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>Eno0HWCgNgxeUhCP0khdEGuLDP3etgzAoKBiK84ENs1ealpgBEOhFTDQQC8qODbAZVxTFYjQLTcW5A7OJ2n02S5tLmg57TeL4+VWyzhwaV9KQ9e1ZU7ZMhPV5aNL4Qm8EIvDyRbPx7mWW70wK1fO+IlPsmxZraL982neOJ8vucc=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNzRENDQWhtZ0F3SUJBZ0lKQUtYZ0tjTy90RktuTUEwR0NTcUdTSWIzRFFFQkJRVUFNRVV4Q3pBSkJnTlYKQkFZVEFrRlZNUk13RVFZRFZRUUlFd3BUYjIxbExWTjBZWFJsTVNFd0h3WURWUVFLRXhoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdRd0hoY05NVEV3T0RFeE1qRXhOelF5V2hjTk1URXdPVEV3TWpFeE56UXlXakJGCk1Rc3dDUVlEVlFRR0V3SkJWVEVUTUJFR0ExVUVDQk1LVTI5dFpTMVRkR0YwWlRFaE1COEdBMVVFQ2hNWVNXNTAKWlhKdVpYUWdWMmxrWjJsMGN5QlFkSGtnVEhSa01JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQgpnUUMwVTVlVnkxWXJQTXdCNTJvUmk2OFY3cmFWUzR2V1hEd2VQL20wTUwxRkVDL3BUNmxVU01iRUJuWnVranlRClhBOFBrbTkvWFhPcERuU01XN0ZRNXczOUZSeFExY2ZWVXI3dlV6RXNrbm5Sb1p4NXBEck8ybTVVQ25VUFJtNGYKTkljVDRzdERTODAxVzRET24vOEFTUUhKQ1dnTDYwUC9RUGhvU3pmMXVqY1E1UUlEQVFBQm80R25NSUdrTUIwRwpBMVVkRGdRV0JCVDVYbjA1VTdrU3NQbEQyd05yOGlLUTdhQXpYVEIxQmdOVkhTTUViakJzZ0JUNVhuMDVVN2tTCnNQbEQyd05yOGlLUTdhQXpYYUZKcEVjd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdUQ2xOdmJXVXQKVTNSaGRHVXhJVEFmQmdOVkJBb1RHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpJSUpBS1hnS2NPLwp0RktuTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFzZkYwS0h2T0h6emFoRWd4Cit1NmJJUTRldkxYaXB4VnVYNlZ2RnYxd1BSTmtIRWZEWk9HdmJZc1p1ak5VUVFGdXFzRGR2M3lHelJLQXozRVAKd1RoY29pdEN1cWQrT2dlNGdTNkhpaHBCSzU3cmFaMlpad0NxWXpyQldMMjhaZnFhQW5zNy9KNkY3TEZIeEMvcQpnK25HSldINlVycGpZTGJqajJjMFN0VGVIVTg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo></ds:Signature><samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx9c11a3a9-13dc-ff78-7d18-12f795fab19d" Version="2.0" IssueInstant="2011-08-11T05:24:35Z"> <saml:Issuer>http://saml.sparxlabs.com</saml:Issuer> <ds:Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI=""> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>ZWRhZGEzYjE4NmZjNWU2ZWE0NDI1NjBkZTFkYzhmN2YzY2QwZGZiMA==</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>QueL4xlp3NOUJou7mIKERgtPRSJboeht9gFfDcOuhmYvh6uyDsk6UR2GLLb0smkuzuy7cgz0MwzjZ4QdhCyIozOyl1TqUqOvISfNV/w0Wx02Sphi0AQJs/R9S9nv+xbVX5dIgjXbf8N/DYgjSMeACSPzpyoeXpHfedY43HsoMZo=</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNzRENDQWhtZ0F3SUJBZ0lKQUtYZ0tjTy90RktuTUEwR0NTcUdTSWIzRFFFQkJRVUFNRVV4Q3pBSkJnTlYKQkFZVEFrRlZNUk13RVFZRFZRUUlFd3BUYjIxbExWTjBZWFJsTVNFd0h3WURWUVFLRXhoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdRd0hoY05NVEV3T0RFeE1qRXhOelF5V2hjTk1URXdPVEV3TWpFeE56UXlXakJGCk1Rc3dDUVlEVlFRR0V3SkJWVEVUTUJFR0ExVUVDQk1LVTI5dFpTMVRkR0YwWlRFaE1COEdBMVVFQ2hNWVNXNTAKWlhKdVpYUWdWMmxrWjJsMGN5QlFkSGtnVEhSa01JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQgpnUUMwVTVlVnkxWXJQTXdCNTJvUmk2OFY3cmFWUzR2V1hEd2VQL20wTUwxRkVDL3BUNmxVU01iRUJuWnVranlRClhBOFBrbTkvWFhPcERuU01XN0ZRNXczOUZSeFExY2ZWVXI3dlV6RXNrbm5Sb1p4NXBEck8ybTVVQ25VUFJtNGYKTkljVDRzdERTODAxVzRET24vOEFTUUhKQ1dnTDYwUC9RUGhvU3pmMXVqY1E1UUlEQVFBQm80R25NSUdrTUIwRwpBMVVkRGdRV0JCVDVYbjA1VTdrU3NQbEQyd05yOGlLUTdhQXpYVEIxQmdOVkhTTUViakJzZ0JUNVhuMDVVN2tTCnNQbEQyd05yOGlLUTdhQXpYYUZKcEVjd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdUQ2xOdmJXVXQKVTNSaGRHVXhJVEFmQmdOVkJBb1RHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpJSUpBS1hnS2NPLwp0RktuTUF3R0ExVWRFd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVGQlFBRGdZRUFzZkYwS0h2T0h6emFoRWd4Cit1NmJJUTRldkxYaXB4VnVYNlZ2RnYxd1BSTmtIRWZEWk9HdmJZc1p1ak5VUVFGdXFzRGR2M3lHelJLQXozRVAKd1RoY29pdEN1cWQrT2dlNGdTNkhpaHBCSzU3cmFaMlpad0NxWXpyQldMMjhaZnFhQW5zNy9KNkY3TEZIeEMvcQpnK25HSldINlVycGpZTGJqajJjMFN0VGVIVTg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo></ds:Signature><saml:Subject> <saml:NameID SPNameQualifier="google.com" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">admin</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2011-08-11T06:24:35Z" Recipient="https://www.google.com/a/sparxlabs.com/acs" InResponseTo="idnffilcgaeeonionahcpciplkhhhkmlfedkpipl"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2011-08-11T05:24:35Z" NotOnOrAfter="2011-08-11T06:24:35Z"> <saml:AudienceRestriction> <saml:Audience>google.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2011-08-11T05:24:35Z" SessionNotOnOrAfter="2011-08-11T06:24:35Z" SessionIndex="_e409f914997c09cfb1a4dbe461a660209eba5d94ec"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> </saml:Assertion></samlp:Response>
Some more info that is important:
1.. The X509Certificate I am getting as:
cert = OpenSSL::PKey::RSA.new(File.read("dsacert.pem"))
[cert.to_s].pack("m").gsub(/\n/, "") #Base64 encode
2.. The digest value:
canonical = canonical_form(element)
sha1 = Digest::SHA1.hexdigest(canonical)
[sha1].pack("m").gsub(/\n/, "") #Base64 encode
3.. Finally the signature (digest_value I calculated above):
p key = OpenSSL::PKey::RSA.new(File.read("rsaprivkey.pem"))
sig = pkey.sign(OpenSSL::Digest::SHA1.new, digest_value)
[sig].pack("m").gsub(/\n/, "") #Base64 encode
If I missed anything let me know in the comments I'll update.

Just taking a quick glance I do not believe Google supports signatures on both the Response & Assertion. I would simplify the setup by removing the signature from the Assertion and leave the Response signed as a first step. You may also want to double check the Audience value and see whether "google.com" or "www.google.com/a/sparxlabs.com" is the expected value.

I see some points that may be a problem:
The two Reference ID in your signatures are empty. There is an ambiguity as implicitely
this means that both signature cover the complete XML document,
which is wrong.The SAML specification say that you
should explicitely point to the ID of the signed element.
The code you post seems to suggest that this a custom-made response.
Generating a enveloped XML Digital signature is not that simple as
it needs to be embedded at the exact moment you sign the document.
You only apply the canonization. You should also apply the two
transforms specified in the signature.
As stated there, the Audience element should point to the
EntityID of your ACS, like Ian suggested. It's also possible that
"google.com" is accepted, but this is a violation of the SAML
2.0 specs.
Your NameID attribute seems strange, it should be an email-address.
The previous link gives an example of a valid NameID element.
If you want to generate a custom-made response, you should start from an unsigned template, and then apply the XML DSIG with the ad-hoc library, like XML::Sig. It should be sufficient to sign the Assertion or the Response.
Hope this helps..

all things sk_ pointed out are right, but also :
NEVER include the xml declaration in the samlResponse message
Your digest value is wrong, it should be the base64 of the BINARY digest, not the HEX form
I don't know ruby, but the signature is the same as the digest, b64(BINARY-RSA-SHA1(elem))
It's the canonical form of the whole you have to sign, not just the digest
don't forget to base64 encode the whole samlResponse before sending it over a post-binding
and don't touch a BIT from the relaystate param, just post it as is
Also you may verify yourself the xmldsig signature the (cool-and-life-saver) xmlsec1 tool
And never forget: Xml Sucks, c14n/xmldsig is MORONIC !
GooD Luck !

Related

XPATH Pull First and Last name from multiple root element

Getting a pull from a Saas API that sends unformatted XML. Need to pull the first and last names out of each element to send to another application.
I haev tried numerous things in Power Automate but they all error out due to the XML not having a parent node.
<Request ID="19131795" Status="Approved">
<TimeOffDate>2023-02-14</TimeOffDate>
<TimeOffDayOfWeek>Tuesday</TimeOffDayOfWeek>
<TimeStart></TimeStart>
<TimeEnd></TimeEnd>
<TimeOffHours>8.000</TimeOffHours>
<TimeOffTypeName>Maternity Leave</TimeOffTypeName>
<EmployeeID>646028926148N</EmployeeID>
<LoginID>Marie</LoginID>
<Firstname>Marie-Eve</Firstname>
<Lastname>B</Lastname>
<UserCategory>Software Development</UserCategory>
<SubmittedDate>2022-03-11</SubmittedDate>
<Deducted>Yes</Deducted>
<Comment>time-off request created by administrator</Comment>
</Request>
<Request ID="21301056" Status="Approved">
<TimeOffDate>2023-02-14</TimeOffDate>
<TimeOffDayOfWeek>Tuesday</TimeOffDayOfWeek>
<TimeStart>2023-02-14T13:00:00</TimeStart>
<TimeEnd>2023-02-14T17:00:00</TimeEnd>
<TimeOffHours>4.000</TimeOffHours>
<TimeOffTypeName>Paid Time Off - Salary</TimeOffTypeName>
<EmployeeID>FRM992097</EmployeeID>
<LoginID>Robert</LoginID>
<Firstname>Bobby</Firstname>
<Lastname>D</Lastname>
<UserCategory>Information Technology</UserCategory>
<SubmittedDate>2023-01-06</SubmittedDate>
<Deducted>Yes</Deducted>
<Comment></Comment>
</Request>
<Request ID="21324804" Status="Approved">
<TimeOffDate>2023-02-14</TimeOffDate>
<TimeOffDayOfWeek>Tuesday</TimeOffDayOfWeek>
<TimeStart></TimeStart>
<TimeEnd></TimeEnd>
<TimeOffHours>8.000</TimeOffHours>
<TimeOffTypeName>NL Parental Leave 1</TimeOffTypeName>
<EmployeeID></EmployeeID>
<LoginID>Kamila</LoginID>
<Firstname>Kamila</Firstname>
<Lastname>K</Lastname>
<UserCategory>NL Customer Service</UserCategory>
<SubmittedDate>2023-01-09</SubmittedDate>
<Deducted>Yes</Deducted>
<Comment>time-off request created by administrator</Comment>
</Request>
I have tried the following xpath filters.
'/Firstname|/Lastname')
'Firstname|Lastname')

Ruby Savon - Parse XML string

I have exhausted google on this subject and I just can't seem to get it right..
I have the following XML payload returned from Savon:
<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:listGFUsersResponse xmlns:ns="http://ws.fds.com">
<ns:return>
<responseCode>0000</responseCode><responseDescription>No Errors-DWI</responseDescription><user><login>aa1283</login><name>Andrew Alonzo</name><team>DIALER</team><secLev>-1</secLev><maxDiscount>0.00</maxDiscount><phoneSystemId></phoneSystemId></user><user><login>aaronc</login><name>Aaron Callison</name><team></team><secLev>-1</secLev><maxDiscount>0.00</maxDiscount><phoneSystemId></phoneSystemId></user>
</ns:return>
</ns:listGFUsersResponse>
</soapenv:Body>
</soapenv:Envelope>
I would like to parse out ALL values of <name> * </name> and <login> * </login>
A few of my attempts here:
response1 = client1.call(
:list_gf_users,
message: message)
doc = Nokogiri::XML(response1.to_s)
pp doc
p doc.search('/name').text
p doc.search('/login').text
Nothing returned...
doc = Nokogiri::XML(response1.to_s)
value = doc.xpath('/name').map(&:text)
puts value
Nada....
doc = Nokogiri::XML(response1.to_s)
value = doc.xpath('/user[name]').map(&:text)
puts value
Zilch...
would love to be able to see:
name: Andrew Alonzo
login: aa1283
or even better a Hash?
{"aa1283" => "Andrew Alonzo"}
Getting 0 results such as:
""
[]
nil
Figured it out... probably not most efficient but gets the job done:
Convert Savon response to string(can't use scan on Savon output)
doc = response1.to_s
subFile = doc.gsub("<","<") #Replace the string convert characters
Run scan using regex capture groups:
#user = subFile.scan /<user><login>(.+?)<\/login><name>(.*?)<\/name>.+?><\/user>/
In your comments you have
doc = response1.doc
which gives you a Nokogiri document. With that you should be able to do the following:
doc.xpath("//user").each do |user|
login = user.at("login")&.text
name = user.at("name")&.text
puts "#{login}: #{name}"
end
The output is
aa1283: Andrew Alonzo
aaronc: Aaron Callison
I used the XML from your comment:
<root>
<responseCode>0000</responseCode>
<responseDescription>No Errors-DWI</responseDescription>
<user>
<login>aa1283</login>
<name>Andrew Alonzo</name>
<team>DIALER</team>
<secLev>-1</secLev>
<maxDiscount>0.00</maxDiscount>
<phoneSystemId></phoneSystemId>
</user>
<user>
<login>aaronc</login>
<name>Aaron Callison</name>
<team></team>
<secLev>-1</secLev>
<maxDiscount>0.00</maxDiscount>
<phoneSystemId></phoneSystemId>
</user>
</root>
Note that I had to convert this to plaintext. You have some non-printing unicode characters sprinkled throughout the document in seemingly random places (which makes me wonder if that's actually the cause of your problems).

Parsing out contents of XML tag in Ruby

I have an XML, that as I understand it has already been parsed by tags. My goal is to parse all the information that is in the <GetResidentsContactInfoResult> tag. In this tag of the sample xml below there are two records in here which begin each with the Lease PropertyId key. How can I iterate over the <GetResidentsContactInfoResult> tag and print out the key/value pairs for each record? I'm new to Ruby and working with XML files, is this something I can do with Nokogiri?
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Body>
<GetResidentsContactInfoResponse xmlns="http://tempuri.org/">
<GetResidentsContactInfoResult><PropertyResidents><Lease PropertyId="21M" BldgID="00" UnitID="0903" ResiID="3" occustatuscode="P" occustatuscodedescription="Previous" MoveInDate="2016-01-07T00:00:00" MoveOutDate="2016-02-06T00:00:00" LeaseBeginDate="2016-01-07T00:00:00" LeaseEndDate="2017-01-31T00:00:00" MktgSource="DBY" PrimaryEmail="noemail1#fake.com"><Occupant PropertyId="21M" BldgID="00" UnitID="0903" ResiID="3" OccuSeqNo="3444755" OccuFirstName="Efren" OccuLastName="Cerda" Phone2No="(832) 693-9448" ResponsibleFlag="Responsible" /></Lease><Lease PropertyId="21M" BldgID="00" UnitID="0908" ResiID="2" occustatuscode="P" occustatuscodedescription="Previous" MoveInDate="2016-02-20T00:00:00" MoveOutDate="2016-04-25T00:00:00" LeaseBeginDate="2016-02-20T00:00:00" LeaseEndDate="2017-02-28T00:00:00" MktgSource="PW" PrimaryEmail="noemail1#fake.com"><Occupant PropertyId="21M" BldgID="00" UnitID="0908" ResiID="2" OccuSeqNo="3451301" OccuFirstName="Donna" OccuLastName="Mclean" Phone2No="(713) 785-4240" ResponsibleFlag="Responsible" /></Lease></PropertyResidents></GetResidentsContactInfoResult>
</GetResidentsContactInfoResponse>
</soap:Body>
</soap:Envelope>
This uses Nokogiri to find all the GetResidentsContactInfoResponse elements, and then Active Support to convert the inner text to a hash of key-value pairs.
Read "sparklemotion/nokogiri" and "Tutorials" regarding installing and using Nokogiri.
Read "Active Support Core Extensions" about more capabilities of Active Support (though the guide does not include Hash.from_xml). To install it simply do gem install activesupport.
I assume you're fine with Nokogiri as you mentioned it in your question.
If you don't want to use Active Support, consider looking into "Convert a Nokogiri document to a Ruby Hash" as an alternative to the line Hash.from_xml(elm.text):
# Needed in order to use the `Hash.from_xml`
require 'active_support/core_ext/hash/conversions'
def find_key_values(str)
doc = Nokogiri::XML(str)
# Ignore namespaces for easier traversal
doc.remove_namespaces!
doc.css('GetResidentsContactInfoResponse').map do |elm|
Hash.from_xml(elm.text)
end
end
Usage:
# Option 1: if your XML above is stored in a variable called `string`
find_key_values string
# Option 2: if your XML above is stored in a file
find_key_values File.open('/path/to/file')
Which returns:
[{"PropertyResidents"=>
{"Lease"=>
[{"PropertyId"=>"21M",
"BldgID"=>"00",
"UnitID"=>"0903",
"ResiID"=>"3",
"occustatuscode"=>"P",
"occustatuscodedescription"=>"Previous",
"MoveInDate"=>"2016-01-07T00:00:00",
"MoveOutDate"=>"2016-02-06T00:00:00",
"LeaseBeginDate"=>"2016-01-07T00:00:00",
"LeaseEndDate"=>"2017-01-31T00:00:00",
"MktgSource"=>"DBY",
"PrimaryEmail"=>"noemail1#fake.com",
"Occupant"=>
{"PropertyId"=>"21M",
"BldgID"=>"00",
"UnitID"=>"0903",
"ResiID"=>"3",
"OccuSeqNo"=>"3444755",
"OccuFirstName"=>"Efren",
"OccuLastName"=>"Cerda",
"Phone2No"=>"(832) 693-9448",
"ResponsibleFlag"=>"Responsible"}},
{"PropertyId"=>"21M",
"BldgID"=>"00",
"UnitID"=>"0908",
"ResiID"=>"2",
"occustatuscode"=>"P",
"occustatuscodedescription"=>"Previous",
"MoveInDate"=>"2016-02-20T00:00:00",
"MoveOutDate"=>"2016-04-25T00:00:00",
"LeaseBeginDate"=>"2016-02-20T00:00:00",
"LeaseEndDate"=>"2017-02-28T00:00:00",
"MktgSource"=>"PW",
"PrimaryEmail"=>"noemail1#fake.com",
"Occupant"=>
{"PropertyId"=>"21M",
"BldgID"=>"00",
"UnitID"=>"0908",
"ResiID"=>"2",
"OccuSeqNo"=>"3451301",
"OccuFirstName"=>"Donna",
"OccuLastName"=>"Mclean",
"Phone2No"=>"(713) 785-4240",
"ResponsibleFlag"=>"Responsible"}}]}}]

Can't submit multiple products in a single request to ChangeCatalogEntry web service (Websphere Commerce)

Using Websphere Commerce V7, FP6, FEP5.
I am attempting to do an update to our catalog using the ChangeCatalogEntry web service. I am able to update a single product just fine. My problem is that any additional CatalogEntry nodes are completely ignored. It appears to process only the first CatalogEntry node it finds. I am using SoapUI to submit the requests. Here is a sample that I am attempting to submit. In this example part number p_MAT153 is updated but p_MAT203 and p_MAT185 are not. Is the webservice designed to only update a single product per message?
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1">
<wsse:UsernameToken>
<wsse:Username>
wcs_sonic
</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
passw0rd
</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ChangeCatalogEntry xmlns:udt="http://www.openapplications.org/oagis/9/unqualifieddatatypes/1.1"
xmlns:_wcf="http://www.ibm.com/xmlns/prod/commerce/9/foundation"
xmlns="http://www.ibm.com/xmlns/prod/commerce/9/catalog"
xmlns:oa="http://www.openapplications.org/oagis/9"
xmlns:clmIANAMIMEMediaTypes="http://www.openapplications.org/oagis/9/IANAMIMEMediaTypes:2003"
xmlns:oacl="http://www.openapplications.org/oagis/9/codelists"
xmlns:clm54217="http://www.openapplications.org/oagis/9/currencycode/54217:2001"
xmlns:clm5639="http://www.openapplications.org/oagis/9/languagecode/5639:1988"
xmlns:qdt="http://www.openapplications.org/oagis/9/qualifieddatatypes/1.1"
xmlns:clm66411="http://www.openapplications.org/oagis/9/unitcode/66411:2001"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.ibm.com/xmlns/prod/commerce/9/catalog C:/Users/SteveS/MuleStudio/workspace/shapeitdeltaupdates/src/main/resources/WebContent/component-services/xsd/OAGIS/9.0/Overlays/IBM/Commerce/BODs/ChangeCatalogEntry.xsd"
releaseID="9.0"
versionID="7.0.0.0">
<oa:ApplicationArea xsi:type="_wcf:ApplicationAreaType">
<oa:CreationDateTime>2013-04-29T15:38:19.173-04:00</oa:CreationDateTime>
<_wcf:BusinessContext>
<_wcf:ContextData name="storeId">10651</_wcf:ContextData>
<_wcf:ContextData name="catalogId">10051</_wcf:ContextData>
</_wcf:BusinessContext>
</oa:ApplicationArea>
<DataArea>
<oa:Change>
<oa:ActionCriteria>
<oa:ActionExpression actionCode="Change" expressionLanguage="_wcf:XPath">/CatalogEntry[1]/Description[1]</oa:ActionExpression>
</oa:ActionCriteria>
</oa:Change>
<CatalogEntry>
<CatalogEntryIdentifier>
<_wcf:ExternalIdentifier ownerID="7000000000000000601">
<_wcf:PartNumber>p_MAT153</_wcf:PartNumber>
<_wcf:StoreIdentifier>
<_wcf:UniqueID>10551</_wcf:UniqueID>
</_wcf:StoreIdentifier>
</_wcf:ExternalIdentifier>
</CatalogEntryIdentifier>
<Description language="-1">
<Name>Absorbent Pants Roll</Name>
<ShortDescription> universal XSMP133</ShortDescription>
<LongDescription>These are my pants.</LongDescription>
<Attributes name="auxDescription1">I need an aux description</Attributes>
</Description>
</CatalogEntry>
<CatalogEntry>
<CatalogEntryIdentifier>
<_wcf:ExternalIdentifier ownerID="7000000000000000601">
<_wcf:PartNumber>p_MAT203</_wcf:PartNumber>
<_wcf:StoreIdentifier>
<_wcf:UniqueID>10551</_wcf:UniqueID>
</_wcf:StoreIdentifier>
</_wcf:ExternalIdentifier>
</CatalogEntryIdentifier>
<Description language="-1">
<Name>Absorbent Mat Roll</Name>
<ShortDescription> universal XSMP133</ShortDescription>
<LongDescription>These are not my pants. These are your pants.</LongDescription>
<Attributes name="auxDescription1">These pants should be washed regularly.</Attributes>
</Description>
</CatalogEntry>
<CatalogEntry>
<CatalogEntryIdentifier>
<_wcf:ExternalIdentifier ownerID="7000000000000000601">
<_wcf:PartNumber>p_MAT185</_wcf:PartNumber>
<_wcf:StoreIdentifier>
<_wcf:UniqueID>10551</_wcf:UniqueID>
</_wcf:StoreIdentifier>
</_wcf:ExternalIdentifier>
</CatalogEntryIdentifier>
<Description language="-1">
<Name>Pants on a Roll</Name>
<ShortDescription> universal XSMP133</ShortDescription>
<LongDescription>A roll of pants. Genuius. </LongDescription>
<Attributes name="auxDescription1">Still more pants. Need a different aux description.</Attributes>
</Description>
</CatalogEntry>
</DataArea>
</ChangeCatalogEntry>
</soapenv:Body>
</soapenv:Envelope>
The answer turned out to be in the oa:ActionCriteria node. I needed a matching node for every instance of CatalogEntry.
<oa:ActionCriteria>
<oa:ActionExpression actionCode="Change" expressionLanguage="_wcf:XPath">/CatalogEntry[1]/Description[1]</oa:ActionExpression>
</oa:ActionCriteria>
<oa:ActionCriteria>
<oa:ActionExpression actionCode="Change" expressionLanguage="_wcf:XPath">/CatalogEntry[2]/Description[1]</oa:ActionExpression>
</oa:ActionCriteria>
<oa:ActionCriteria>
<oa:ActionExpression actionCode="Change" expressionLanguage="_wcf:XPath">/CatalogEntry[3]/Description[1]</oa:ActionExpression>
</oa:ActionCriteria>
Just to add to that: You can run several action son the same data object, to for instance create attributes , remove attributes, set SEO data etc. However, this can confuse the graph object if you don't sort the actions in the order of Add, Change and Delete.

verifying a WCF signed SOAP message

I have a problem verifying a SOAP message timestamp and body.
Before starting to write any code I'm trying to verify it by myself, these are the steps I followed to verify the timestamp:
1) Extract the timestamp tag, add any used namespace and write it to a file:
<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<u:Created>2009-11-11T17:37:49.000Z</u:Created>
<u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
</u:Timestamp>
2) Use xmllint to canonicalize it
xmllint --exc-c14n timestamp.xml > timestamp.ext-c14n.xml
3) use openssl to get the SHA-1 digest of the file
openssl sha1 timestamp.ext-c14n.xml
4) uudecode the base64 DigestValue of the timestamp reference (jGZkqCNLTnUfbdpoFn19LSYkhts=) and open it with a hex editor
5) the binary value of the DigestValue is different from the sha1 of the canonicalized xml piece.
What am I doing wrong?
Here is the full SOAP Request:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
<u:Created>2009-11-11T17:37:49.000Z</u:Created>
<u:Expires>2009-11-11T17:42:49.000Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" u:Id="uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2">MIIB/TCCAWagAwIBAgIQx9PrVMJZiohOMYoubtFJ4jANBgkqhkiG9w0BAQQFADAVMRMwEQYDVQQDEwpSb290Q0FUZXN0MB4XDTA5MTEwNTE1NTAzN1oXDTM5MTIzMTIzNTk1OVowGTEXMBUGA1UEAxMOdGVtcENlcnRDbGllbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPXXm8nHsKY7jDaAJ2MVtgj0vd15D4kAFCVrflAGCBDGxku1zVGgTppv8n7i2nJLoXkMpi4HSj9+ci78YMQOKeRq0uIN3AV39hQbjjf5RkV7QY0PYprKYcVKZrWa/LYesI4jYz+ULDnpF7Q2Euk2XFYVLTWPaWU/Zys9K1wNT/n/AgMBAAGjSjBIMEYGA1UdAQQ/MD2AEHNg0Im3hcyQVTxOx1KtRZmhFzAVMRMwEQYDVQQDEwpSb290Q0FUZXN0ghDPzOoIMA8Rkkur9od1bScFMA0GCSqGSIb3DQEBBAUAA4GBAHeTK0GedKo51ZplEfAL+7+NqU5YL9yPhyGqeMUtNBJBJUdbXfvKMZNN+wMHG72boM0HV9jiSKgdjdFDaQ5cLrpLMc48wPs+PPK4KCZynQ/qBCj91w8Vvsprk4EwjGKROGeFhq8FOO8nwukKj1dMCZWELqOPutHjAKgtKpYu4zyt</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>GFOHIzFb+GV4fj8/sGWx2J5U7ag=</DigestValue>
</Reference>
<Reference URI="#uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>jGZkqCNLTnUfbdpoFn19LSYkhts=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Q6TsGUPlgzfvoh4obnpwTIM5+rG/MynC4Pr8DDkpsClkUBM4+VrR0i7bHdM51779lbLzqj01W1H3GfNehVKxwAi0c0aAKlcVUm0i3PeA2NzmdTPRHy6tHmX2yyLC5TDjhA+jmqRoU/VlWhShD7Komm/9zsyDhQKF4M92rPUo0To=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-ff111e4e-b184-493f-a3a7-1cb85013440a-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1">
<sayHello xmlns="urn:iPhone.Server"></sayHello>
</s:Body>
</s:Envelope>
I removed all the line breaks and spaces between the tags and the digests matched.
The correct XML to use would be:
<u:Timestamp u:Id="uuid-cd1febd3-a76a-4148-8a3e-367aee62293d-1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><u:Created>2009-11-11T17:37:49.000Z</u:Created><u:Expires>2009-11-11T17:42:49.000Z</u:Expires></u:Timestamp>

Resources