libsaml 3.6.0 → 3.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9eea4c36aa9fc6f404ff5e6283c2ef39c1cb0e328652edc5e5fda2ceb7b21416
-  data.tar.gz: d76324210f3fe2863f82f89ac7b7317bc295798ec10982b903f2e3b2700dd62f
+  metadata.gz: 80a144ab0df42eeb447e74d6df3f3a19a7d89e72cf5527277403b229eb87216c
+  data.tar.gz: cd41e41d4f0492e98c52ea9c6865e958a0896c0522f987b58175c69e2d23eaac
 SHA512:
-  metadata.gz: 40a5e18247a43f3e215ce6045d51feeb2774a86e649b4702a64533555b4c5c98b83dad3927b3238929d141f0c49a1078903a278b2ccd76cdf6c29d6188f71839
-  data.tar.gz: 0eda4d5265000e0da3fc7d2650b69064cda9de9914a287cecb2974e077f42d4c76d05e30e7025a56f6ba7173128c63a652b185f0253424715e6e62227f5bdb45
+  metadata.gz: 258f442a035b8e06cb9896ed2faf0c5e88d4d58c63ddfcbcd19b14b937fed2de1482aa89bd92bf3b8bcff20f32e5c65b0f92355eefcb1abe0944f2c14a470b45
+  data.tar.gz: faa732f728819578d2e75a73129148da7e74eefca3d5ef7a033b7926d2266c417f9c52666dae8c0eef5f3c6fa06032b6da2bdf7eb5118ba4fb9758d127d8f626

data/README.md

@@ -94,10 +94,10 @@ Now you can make a SAML controller in `app/controllers/saml_controller.rb`:
 ```ruby
 class SamlController < ApplicationController
   extend Saml::Rails::ControllerHelper
-  current_provider "entity_id"
+  current_provider "<sp_entity_id>"
 
   def request_authentication
-    provider = Saml.provider("my:very:original:entityid")
+    provider = Saml.provider("<idp_enity_id>")
     destination = provider.single_sign_on_service_url(Saml::ProtocolBinding::HTTP_POST)
 
     authn_request = Saml::AuthnRequest.new(destination: destination)
@@ -153,7 +153,7 @@ Below is an example of a very primitive IDP Saml Controller
 ```ruby
 class SamlController < ActionController::Base
   extend Saml::Rails::ControllerHelper
-  current_provider "entity_id"
+  current_provider "<idp_entity_id>"
 
   def receive_authn_request
     authn_request = if request.get?
@@ -227,6 +227,10 @@ class SamlController < ActionController::Base
 end
 ```
 
+## Caveats
+
+- SAMLResponse and Assertions have to be signed as per the SAML security guidelines (Some IDP's don't do this by default and require special configuration)
+
 ## Contributing
 
 - Fork the project

data/lib/saml.rb

@@ -34,6 +34,8 @@ module Saml
     end
     class UnparseableMessage < SamlError
     end
+    class InvalidParams < SamlError
+    end
     class MetadataDownloadFailed < SamlError
     end
     class InvalidStore < SamlError

data/lib/saml/assertion.rb

@@ -46,7 +46,8 @@ module Saml
       @authn_statement = Saml::Elements::AuthnStatement.new(authn_instant: authn_instant,
                                                             address: options.delete(:address),
                                                             authn_context_class_ref: options.delete(:authn_context_class_ref),
-                                                            session_index: options.delete(:session_index))
+                                                            session_index: options.delete(:session_index),
+                                                            session_not_on_or_after: options.delete(:session_not_on_or_after))
       super(*(args << options))
       @_id           ||= Saml.generate_id
       @issue_instant ||= Time.now

data/lib/saml/bindings/http_post.rb

@@ -20,7 +20,12 @@ module Saml
         end
 
         def receive_message(request, type)
-          message             = Saml::Encoding.decode_64(request.params["SAMLRequest"] || request.params["SAMLResponse"])
+          receive_xml = request.params["SAMLRequest"] || request.params["SAMLResponse"]
+          if receive_xml.nil?
+            raise Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`'
+          end
+
+          message             = Saml::Encoding.decode_64(receive_xml)
           notify('receive_message', message)
           request_or_response = Saml.parse_message(message, type)
 

data/lib/saml/bindings/http_redirect.rb

@@ -5,7 +5,7 @@ module Saml
 
       class << self
         def create_url(request_or_response, options = {})
-          options[:signature_algorithm] ||= 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+          options[:signature_algorithm] ||= 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' unless options[:exclude_signature]
           new(request_or_response, options).create_url
         end
 
@@ -42,13 +42,14 @@ module Saml
         end
       end
 
-      attr_accessor :request_or_response, :signature_algorithm, :relay_state, :signature
+      attr_accessor :request_or_response, :signature_algorithm, :relay_state, :signature, :exclude_signature
 
       def initialize(request_or_response, options = {})
         @request_or_response = request_or_response
         @signature_algorithm = options[:signature_algorithm]
         @relay_state         = options[:relay_state]
         @signature           = options[:signature]
+        @exclude_signature   = options[:exclude_signature]
       end
 
       def verify_signature(query)
@@ -61,7 +62,7 @@ module Saml
         url = request_or_response.destination
         delimiter = url.include?('?') ? '&' : '?'
 
-        [url, signed_params].join(delimiter)
+        [url, exclude_signature ? unsigned_params : signed_params].join(delimiter)
       end
 
       private
@@ -108,6 +109,10 @@ module Saml
 
         "#{encoded_params}&Signature=#{encoded_signature}"
       end
+
+      def unsigned_params
+        encoded_params.to_s
+      end
     end
   end
 end

data/lib/saml/elements/authn_statement.rb

@@ -8,6 +8,7 @@ module Saml
 
       attribute :authn_instant, Time, tag: "AuthnInstant", on_save: lambda { |val| val.utc.xmlschema }
       attribute :session_index, String, tag: "SessionIndex"
+      attribute :session_not_on_or_after, Time, tag: "SessionNotOnOrAfter", on_save: lambda { |val| val.utc.xmlschema if val.present?}
 
       has_one :subject_locality, Saml::Elements::SubjectLocality, tag: "SubjectLocality"
       has_one :authn_context, Saml::Elements::AuthnContext, tag: "AuthnContext"

data/lib/saml/elements/encrypted_attribute.rb

@@ -15,27 +15,9 @@ module Saml
       validates :encrypted_data, presence: true
 
       def encrypt(attribute, encrypted_key_data, encrypted_data_options = {})
-        self.encrypted_data = Xmlenc::Builder::EncryptedData.new(encrypted_data_options)
-        self.encrypted_data.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
-        self.encrypted_data.set_key_name key_name
-
-        encrypted_key_data.each do |key_descriptor, key_options|
-          encrypted_key = self.encrypted_data.encrypt Nokogiri::XML(attribute.to_xml).root.to_xml, key_options
-          encrypted_key.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
-          encrypted_key.set_key_name key_descriptor.key_info.key_name
-          encrypted_key.carried_key_name = key_name
-          encrypted_key.encrypt key_descriptor.certificate.public_key
-
-          self.encrypted_keys ||= []
-          self.encrypted_keys << encrypted_key
-        end
+        Saml::Util.encrypt_element(self, attribute, encrypted_key_data, encrypted_data_options)
       end
 
-      private
-
-      def key_name
-        @key_name ||= Saml.generate_id
-      end
     end
   end
 end

data/lib/saml/elements/encrypted_id.rb

@@ -28,16 +28,16 @@ module Saml
 
         if key_descriptors.any?
           if key_descriptors.one?
-            encrypt_for_one_recipient(key_descriptors.first, key_options)
+            encrypt_for_one_key_descriptor(key_descriptors.first, key_options)
           else
-            encrypt_for_multiple_recipients(key_descriptors, key_options)
+            encrypt_for_multiple_key_descriptors(key_descriptors, key_options)
           end
         end
       end
 
       private
 
-      def encrypt_for_one_recipient(key_descriptor, key_options = {})
+      def encrypt_for_one_key_descriptor(key_descriptor, key_options = {})
         self.encrypted_data = Xmlenc::Builder::EncryptedData.new
 
         self.encrypted_data.set_key_retrieval_method Xmlenc::Builder::RetrievalMethod.new(
@@ -47,7 +47,7 @@ module Saml
           algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
         )
 
-        encrypted_key = self.encrypted_data.encrypt(name_id_xml, key_options)
+        encrypted_key = self.encrypted_data.encrypt(Nokogiri::XML(name_id.to_xml).root.to_xml, key_options)
         encrypted_key.set_encryption_method(
           algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
           digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
@@ -60,39 +60,18 @@ module Saml
         self.name_id = nil
       end
 
-      def encrypt_for_multiple_recipients(key_descriptors, key_options = {})
-        key_name = key_options[:key_name]
-        encrypted_keys = []
-
-        self.encrypted_data = Xmlenc::Builder::EncryptedData.new
-        self.encrypted_data.set_key_name key_name
-        self.encrypted_data.set_encryption_method(
-          algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
-        )
-
-        key_descriptors.each do |key_descriptor|
-          encrypted_key = self.encrypted_data.encrypt(
-            name_id_xml,
-            key_options.merge(id: "_#{SecureRandom.uuid}", carried_key_name: key_name)
-          )
-          encrypted_key.set_encryption_method(
-            algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
-            digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
-          )
-
-          encrypted_key.set_key_name(key_descriptor.key_info.key_name)
-          encrypted_key.encrypt(key_descriptor.certificate.public_key)
-
-          encrypted_keys << encrypted_key
+      def encrypt_for_multiple_key_descriptors(encrypted_key_data, encrypted_data_options = {})
+        if encrypted_data_options[:recipient].present? && encrypted_key_data.first.is_a?(Saml::Elements::KeyDescriptor)
+          encrypted_key_data.map! do |key_descriptor|
+            [ key_descriptor, { recipient: encrypted_data_options[:recipient] } ]
+          end
         end
 
-        self.encrypted_keys = encrypted_keys
+        Saml::Util.encrypt_element(self, name_id, encrypted_key_data, encrypted_data_options)
+
         self.name_id = nil
       end
 
-      def name_id_xml
-        Nokogiri::XML(name_id.to_xml).root.to_xml
-      end
     end
   end
 end

data/lib/saml/response.rb

@@ -28,10 +28,14 @@ module Saml
       !success? && status.status_code.unknown_principal?
     end
 
-    def encrypt_assertions(certificate, include_certificate: false)
+    def encrypt_assertions(key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false)
       @encrypted_assertions = []
       assertions.each do |assertion|
-        @encrypted_assertions << Saml::Util.encrypt_assertion(assertion, certificate, include_certificate: include_certificate)
+        @encrypted_assertions << Saml::Util.encrypt_assertion(
+          assertion, key_descriptor_or_certificate,
+          include_certificate: include_certificate,
+          include_key_retrieval_method: include_key_retrieval_method
+        )
       end
       assertions.clear
     end

data/lib/saml/util.rb

@@ -60,7 +60,7 @@ module Saml
         end
       end
 
-      def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false)
+      def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false)
         case key_descriptor_or_certificate
         when OpenSSL::X509::Certificate
           certificate = key_descriptor_or_certificate
@@ -87,6 +87,11 @@ module Saml
         end
         encrypted_key.encrypt(certificate.public_key)
 
+        if include_key_retrieval_method
+          encrypted_key.id = '_' + SecureRandom.uuid
+          encrypted_data.set_key_retrieval_method (Xmlenc::Builder::RetrievalMethod.new(uri: "##{encrypted_key.id}"))
+        end
+
         Saml::Elements::EncryptedAssertion.new(encrypted_data: encrypted_data, encrypted_keys: encrypted_key)
       end
 
@@ -98,6 +103,32 @@ module Saml
         Saml::Assertion.parse(encrypted_document.decrypt(private_key), single: true)
       end
 
+      def encrypt_element(element, target_element, encrypted_key_data, encrypted_data_options)
+        key_name = encrypted_data_options.fetch(:key_name, Saml.generate_id)
+
+        element.encrypted_data = Xmlenc::Builder::EncryptedData.new(encrypted_data_options)
+        element.encrypted_data.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc')
+        element.encrypted_data.set_key_name key_name
+
+        original_encrypted_key = element.encrypted_data.encrypt(Nokogiri::XML(target_element.to_xml).root.to_xml, encrypted_data_options)
+
+        encrypted_key_data.each do |key_descriptor, key_options = {}|
+          encrypted_key_options = key_options.merge(id: Saml.generate_id, data: original_encrypted_key.data)
+
+          encrypted_key = Xmlenc::Builder::EncryptedKey.new(encrypted_key_options)
+          encrypted_key.add_data_reference(element.encrypted_data.id)
+          encrypted_key.set_key_name(key_descriptor.key_info.key_name)
+          encrypted_key.carried_key_name = key_name
+          encrypted_key.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1')
+          encrypted_key.encrypt(key_descriptor.certificate.public_key)
+
+          element.encrypted_keys ||= []
+          element.encrypted_keys << encrypted_key
+        end
+
+        element
+      end
+
       def encrypt_name_id(name_id, key_descriptor, key_options = {})
         encrypted_id = Saml::Elements::EncryptedID.new(name_id: name_id)
         encrypt_encrypted_id(encrypted_id, key_descriptor, key_options)

data/lib/saml/version.rb

@@ -1,3 +1,3 @@
 module Saml
-  VERSION = '3.6.0'
+  VERSION = '3.9.2'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libsaml
 version: !ruby/object:Gem::Version
-  version: 3.6.0
+  version: 3.9.2
 platform: ruby
 authors:
 - Benoist Claassen
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-10 00:00:00.000000000 Z
+date: 2021-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -240,7 +240,7 @@ homepage: https://www.digidentity.eu
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -256,7 +256,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.0.3
-signing_key: 
+signing_key:
 specification_version: 4
 summary: A gem to easily create SAML 2.0 messages.
 test_files: []