RubyGems - libsaml - Versions diffs - 3.5.0 → 3.9.1 - Mend

libsaml 3.5.0 → 3.9.1

Files changed (13) hide show

checksums.yaml +4 -4
data/README.md +7 -3
data/lib/saml.rb +2 -0
data/lib/saml/assertion.rb +2 -1
data/lib/saml/bindings/http_post.rb +6 -1
data/lib/saml/bindings/http_redirect.rb +8 -3
data/lib/saml/elements/authn_statement.rb +1 -0
data/lib/saml/elements/encrypted_attribute.rb +1 -19
data/lib/saml/elements/encrypted_id.rb +11 -32
data/lib/saml/response.rb +2 -2
data/lib/saml/util.rb +32 -2
data/lib/saml/version.rb +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: abb53b0d4b821345d7c6a788457f25b4d70c321544bf4f865657d98e92e51373
-  data.tar.gz: e6232eca89ec113e397fac83520309051fc110cbd9fd7f2d25a967e53e84a90d
+  metadata.gz: a6d2ed00b846de2e5bc324dfbcc6cb0128911b2d7d083db22ad6faf700120968
+  data.tar.gz: 41f666637953e2d440518c4435b434026d2c42d74d6ed8963a7677e0fb9156fd
 SHA512:
-  metadata.gz: 04d10429a91597ac66db5cbadbd1d340a7caff52582bf77e2323351e9462bc663a6fea2a82d3c9797d6c42023af80e8f96c53763bb92928c89c118fad2acb85d
-  data.tar.gz: 68179407ec64d23b23b061a90b1e04ed7b9c0b6d991e860ed5d5a479fc441bf0b1619dff5409f51bf4a74c07501f990b42a6bf218e5700590b7e4158fe04e0c9
+  metadata.gz: fa7bcd81253a4b7052ca0b897f7b8217dd6c6fe6c6fa51fb93abd39f36dbc5f3de16ccfd9f7eacad7f067b0b0ff4ea55f70b77d0a9b0c3a71819c7a93d2f4d48
+  data.tar.gz: 820fb5b35797152e6d2d4981befab82e9eb916abaddd4c80e746639d1d810a620dc2072d116d1a7a6c4ec36c72d868a29428f2c05bab4969203e11dd38111d73

data/README.md CHANGED

@@ -94,10 +94,10 @@ Now you can make a SAML controller in `app/controllers/saml_controller.rb`:
 ```ruby
 class SamlController < ApplicationController
   extend Saml::Rails::ControllerHelper
-  current_provider "entity_id"
+  current_provider "<sp_entity_id>"
   def request_authentication
-    provider = Saml.provider("my:very:original:entityid")
+    provider = Saml.provider("<idp_enity_id>")
     destination = provider.single_sign_on_service_url(Saml::ProtocolBinding::HTTP_POST)
     authn_request = Saml::AuthnRequest.new(destination: destination)
@@ -153,7 +153,7 @@ Below is an example of a very primitive IDP Saml Controller
 ```ruby
 class SamlController < ActionController::Base
   extend Saml::Rails::ControllerHelper
-  current_provider "entity_id"
+  current_provider "<idp_entity_id>"
   def receive_authn_request
     authn_request = if request.get?
@@ -227,6 +227,10 @@ class SamlController < ActionController::Base
 end
 ```
+## Caveats
+- SAMLResponse and Assertions have to be signed as per the SAML security guidelines (Some IDP's don't do this by default and require special configuration)
 ## Contributing
 - Fork the project

data/lib/saml.rb CHANGED

@@ -34,6 +34,8 @@ module Saml
     end
     class UnparseableMessage < SamlError
     end
+    class InvalidParams < SamlError
+    end
     class MetadataDownloadFailed < SamlError
     end
     class InvalidStore < SamlError

data/lib/saml/assertion.rb CHANGED

@@ -46,7 +46,8 @@ module Saml
       @authn_statement = Saml::Elements::AuthnStatement.new(authn_instant: authn_instant,
                                                             address: options.delete(:address),
                                                             authn_context_class_ref: options.delete(:authn_context_class_ref),
-                                                            session_index: options.delete(:session_index))
+                                                            session_index: options.delete(:session_index),
+                                                            session_not_on_or_after: options.delete(:session_not_on_or_after))
       super(*(args << options))
       @_id           ||= Saml.generate_id
       @issue_instant ||= Time.now

data/lib/saml/bindings/http_post.rb CHANGED

@@ -20,7 +20,12 @@ module Saml
         end
         def receive_message(request, type)
-          message             = Saml::Encoding.decode_64(request.params["SAMLRequest"] || request.params["SAMLResponse"])
+          receive_xml = request.params["SAMLRequest"] || request.params["SAMLResponse"]
+          if receive_xml.nil?
+            raise Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`'
+          end
+          message             = Saml::Encoding.decode_64(receive_xml)
           notify('receive_message', message)
           request_or_response = Saml.parse_message(message, type)

data/lib/saml/bindings/http_redirect.rb CHANGED

@@ -5,7 +5,7 @@ module Saml
       class << self
         def create_url(request_or_response, options = {})
-          options[:signature_algorithm] ||= 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+          options[:signature_algorithm] ||= 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' unless options[:exclude_signature]
           new(request_or_response, options).create_url
         end
@@ -42,13 +42,14 @@ module Saml
         end
       end
-      attr_accessor :request_or_response, :signature_algorithm, :relay_state, :signature
+      attr_accessor :request_or_response, :signature_algorithm, :relay_state, :signature, :exclude_signature
       def initialize(request_or_response, options = {})
         @request_or_response = request_or_response
         @signature_algorithm = options[:signature_algorithm]
         @relay_state         = options[:relay_state]
         @signature           = options[:signature]
+        @exclude_signature   = options[:exclude_signature]
       end
       def verify_signature(query)
@@ -61,7 +62,7 @@ module Saml
         url = request_or_response.destination
         delimiter = url.include?('?') ? '&' : '?'
-        [url, signed_params].join(delimiter)
+        [url, exclude_signature ? unsigned_params : signed_params].join(delimiter)
       end
       private
@@ -108,6 +109,10 @@ module Saml
         "#{encoded_params}&Signature=#{encoded_signature}"
       end
+      def unsigned_params
+        encoded_params.to_s
+      end
     end
   end
 end

data/lib/saml/elements/authn_statement.rb CHANGED

@@ -8,6 +8,7 @@ module Saml
       attribute :authn_instant, Time, tag: "AuthnInstant", on_save: lambda { |val| val.utc.xmlschema }
       attribute :session_index, String, tag: "SessionIndex"
+      attribute :session_not_on_or_after, Time, tag: "SessionNotOnOrAfter", on_save: lambda { |val| val.utc.xmlschema if val.present?}
       has_one :subject_locality, Saml::Elements::SubjectLocality, tag: "SubjectLocality"
       has_one :authn_context, Saml::Elements::AuthnContext, tag: "AuthnContext"

data/lib/saml/elements/encrypted_attribute.rb CHANGED

@@ -15,27 +15,9 @@ module Saml
       validates :encrypted_data, presence: true
       def encrypt(attribute, encrypted_key_data, encrypted_data_options = {})
-        self.encrypted_data = Xmlenc::Builder::EncryptedData.new(encrypted_data_options)
-        self.encrypted_data.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
-        self.encrypted_data.set_key_name key_name
-        encrypted_key_data.each do |key_descriptor, key_options|
-          encrypted_key = self.encrypted_data.encrypt Nokogiri::XML(attribute.to_xml).root.to_xml, key_options
-          encrypted_key.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
-          encrypted_key.set_key_name key_descriptor.key_info.key_name
-          encrypted_key.carried_key_name = key_name
-          encrypted_key.encrypt key_descriptor.certificate.public_key
-          self.encrypted_keys ||= []
-          self.encrypted_keys << encrypted_key
-        end
+        Saml::Util.encrypt_element(self, attribute, encrypted_key_data, encrypted_data_options)
       end
-      private
-      def key_name
-        @key_name ||= Saml.generate_id
-      end
     end
   end
 end

data/lib/saml/elements/encrypted_id.rb CHANGED

@@ -28,16 +28,16 @@ module Saml
         if key_descriptors.any?
           if key_descriptors.one?
-            encrypt_for_one_recipient(key_descriptors.first, key_options)
+            encrypt_for_one_key_descriptor(key_descriptors.first, key_options)
           else
-            encrypt_for_multiple_recipients(key_descriptors, key_options)
+            encrypt_for_multiple_key_descriptors(key_descriptors, key_options)
           end
         end
       end
       private
-      def encrypt_for_one_recipient(key_descriptor, key_options = {})
+      def encrypt_for_one_key_descriptor(key_descriptor, key_options = {})
         self.encrypted_data = Xmlenc::Builder::EncryptedData.new
         self.encrypted_data.set_key_retrieval_method Xmlenc::Builder::RetrievalMethod.new(
@@ -47,7 +47,7 @@ module Saml
           algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
         )
-        encrypted_key = self.encrypted_data.encrypt(name_id_xml, key_options)
+        encrypted_key = self.encrypted_data.encrypt(Nokogiri::XML(name_id.to_xml).root.to_xml, key_options)
         encrypted_key.set_encryption_method(
           algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
           digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
@@ -60,39 +60,18 @@ module Saml
         self.name_id = nil
       end
-      def encrypt_for_multiple_recipients(key_descriptors, key_options = {})
-        key_name = key_options[:key_name]
-        encrypted_keys = []
-        self.encrypted_data = Xmlenc::Builder::EncryptedData.new
-        self.encrypted_data.set_key_name key_name
-        self.encrypted_data.set_encryption_method(
-          algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
-        )
-        key_descriptors.each do |key_descriptor|
-          encrypted_key = self.encrypted_data.encrypt(
-            name_id_xml,
-            key_options.merge(id: "_#{SecureRandom.uuid}", carried_key_name: key_name)
-          )
-          encrypted_key.set_encryption_method(
-            algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
-            digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
-          )
-          encrypted_key.set_key_name(key_descriptor.key_info.key_name)
-          encrypted_key.encrypt(key_descriptor.certificate.public_key)
-          encrypted_keys << encrypted_key
+      def encrypt_for_multiple_key_descriptors(encrypted_key_data, encrypted_data_options = {})
+        if encrypted_data_options[:recipient].present? && encrypted_key_data.first.is_a?(Saml::Elements::KeyDescriptor)
+          encrypted_key_data.map! do |key_descriptor|
+            [ key_descriptor, { recipient: encrypted_data_options[:recipient] } ]
+          end
         end
-        self.encrypted_keys = encrypted_keys
+        Saml::Util.encrypt_element(self, name_id, encrypted_key_data, encrypted_data_options)
         self.name_id = nil
       end
-      def name_id_xml
-        Nokogiri::XML(name_id.to_xml).root.to_xml
-      end
     end
   end
 end

data/lib/saml/response.rb CHANGED

@@ -28,10 +28,10 @@ module Saml
       !success? && status.status_code.unknown_principal?
     end
-    def encrypt_assertions(certificate)
+    def encrypt_assertions(certificate, include_certificate: false)
       @encrypted_assertions = []
       assertions.each do |assertion|
-        @encrypted_assertions << Saml::Util.encrypt_assertion(assertion, certificate)
+        @encrypted_assertions << Saml::Util.encrypt_assertion(assertion, certificate, include_certificate: include_certificate)
       end
       assertions.clear
     end

data/lib/saml/util.rb CHANGED

@@ -60,7 +60,7 @@ module Saml
         end
       end
-      def encrypt_assertion(assertion, key_descriptor_or_certificate)
+      def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false)
         case key_descriptor_or_certificate
         when OpenSSL::X509::Certificate
           certificate = key_descriptor_or_certificate
@@ -80,7 +80,11 @@ module Saml
         encrypted_key = encrypted_data.encrypt(assertion.to_s)
         encrypted_key.set_encryption_method(algorithm:               'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
                                             digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1')
-        encrypted_key.set_key_name(key_name)
+        encrypted_key.key_info = if include_certificate || key_name
+          key_info = Saml::Elements::KeyInfo.new(include_certificate ? certificate.to_pem : nil)
+          key_info.key_name = key_name
+          key_info
+        end
         encrypted_key.encrypt(certificate.public_key)
         Saml::Elements::EncryptedAssertion.new(encrypted_data: encrypted_data, encrypted_keys: encrypted_key)
@@ -94,6 +98,32 @@ module Saml
         Saml::Assertion.parse(encrypted_document.decrypt(private_key), single: true)
       end
+      def encrypt_element(element, target_element, encrypted_key_data, encrypted_data_options)
+        key_name = encrypted_data_options.fetch(:key_name, Saml.generate_id)
+        element.encrypted_data = Xmlenc::Builder::EncryptedData.new(encrypted_data_options)
+        element.encrypted_data.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc')
+        element.encrypted_data.set_key_name key_name
+        original_encrypted_key = element.encrypted_data.encrypt(Nokogiri::XML(target_element.to_xml).root.to_xml, encrypted_data_options)
+        encrypted_key_data.each do |key_descriptor, key_options = {}|
+          encrypted_key_options = key_options.merge(id: Saml.generate_id, data: original_encrypted_key.data)
+          encrypted_key = Xmlenc::Builder::EncryptedKey.new(encrypted_key_options)
+          encrypted_key.add_data_reference(element.encrypted_data.id)
+          encrypted_key.set_key_name(key_descriptor.key_info.key_name)
+          encrypted_key.carried_key_name = key_name
+          encrypted_key.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1')
+          encrypted_key.encrypt(key_descriptor.certificate.public_key)
+          element.encrypted_keys ||= []
+          element.encrypted_keys << encrypted_key
+        end
+        element
+      end
       def encrypt_name_id(name_id, key_descriptor, key_options = {})
         encrypted_id = Saml::Elements::EncryptedID.new(name_id: name_id)
         encrypt_encrypted_id(encrypted_id, key_descriptor, key_options)

data/lib/saml/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Saml
-  VERSION = '3.5.0'
+  VERSION = '3.9.1'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libsaml
 version: !ruby/object:Gem::Version
-  version: 3.5.0
+  version: 3.9.1
 platform: ruby
 authors:
 - Benoist Claassen
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-09 00:00:00.000000000 Z
+date: 2021-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -240,7 +240,7 @@ homepage: https://www.digidentity.eu
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -256,7 +256,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.0.3
-signing_key:
+signing_key:
 specification_version: 4
 summary: A gem to easily create SAML 2.0 messages.
 test_files: []