libsaml 3.7.0 → 3.9.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/saml.rb +2 -0
- data/lib/saml/assertion.rb +2 -1
- data/lib/saml/bindings/http_post.rb +6 -1
- data/lib/saml/bindings/http_redirect.rb +5 -0
- data/lib/saml/elements/authn_statement.rb +1 -0
- data/lib/saml/elements/encrypted_attribute.rb +1 -19
- data/lib/saml/elements/encrypted_id.rb +11 -32
- data/lib/saml/provider.rb +2 -0
- data/lib/saml/response.rb +6 -2
- data/lib/saml/util.rb +32 -1
- data/lib/saml/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 52056387172170f48159a403ea8ccd8adccdd4f3bf2f1dbdc104a8034f71d0c0
|
|
4
|
+
data.tar.gz: bc0f3ca0dd6b47297af36255f9309b1d5b636a322289825d6ac8556321ed2ad9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dd18ec249485cee4a1d71aceaa4ea9bd0acb248182fc53f9df7969bd6fcdccb161f5870187ce23bfb748f2879dc5ed17d7a1f14bd939136cf49669e1f6b73ca4
|
|
7
|
+
data.tar.gz: fb87df8c97c301ac2af52102242f47bd129e4f9bcc617634810f93efac6176dd37f39832cd4b0040fbf5ccf2f171636fcca3e9e1a2436ddbf5f106872469c93a
|
data/lib/saml.rb
CHANGED
data/lib/saml/assertion.rb
CHANGED
|
@@ -46,7 +46,8 @@ module Saml
|
|
|
46
46
|
@authn_statement = Saml::Elements::AuthnStatement.new(authn_instant: authn_instant,
|
|
47
47
|
address: options.delete(:address),
|
|
48
48
|
authn_context_class_ref: options.delete(:authn_context_class_ref),
|
|
49
|
-
session_index: options.delete(:session_index)
|
|
49
|
+
session_index: options.delete(:session_index),
|
|
50
|
+
session_not_on_or_after: options.delete(:session_not_on_or_after))
|
|
50
51
|
super(*(args << options))
|
|
51
52
|
@_id ||= Saml.generate_id
|
|
52
53
|
@issue_instant ||= Time.now
|
|
@@ -20,7 +20,12 @@ module Saml
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def receive_message(request, type)
|
|
23
|
-
|
|
23
|
+
receive_xml = request.params["SAMLRequest"] || request.params["SAMLResponse"]
|
|
24
|
+
if receive_xml.nil?
|
|
25
|
+
raise Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`'
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
message = Saml::Encoding.decode_64(receive_xml)
|
|
24
29
|
notify('receive_message', message)
|
|
25
30
|
request_or_response = Saml.parse_message(message, type)
|
|
26
31
|
|
|
@@ -14,6 +14,11 @@ module Saml
|
|
|
14
14
|
options[:signature_algorithm] = http_request.params["SigAlg"]
|
|
15
15
|
options[:relay_state] = http_request.params["RelayState"]
|
|
16
16
|
|
|
17
|
+
receive_xml = http_request.params["SAMLRequest"] || http_request.params["SAMLResponse"]
|
|
18
|
+
if receive_xml.nil?
|
|
19
|
+
raise Saml::Errors::InvalidParams, 'require params `SAMLRequest` or `SAMLResponse`'
|
|
20
|
+
end
|
|
21
|
+
|
|
17
22
|
request_or_response = parse_request_or_response(options.delete(:type), http_request.params)
|
|
18
23
|
|
|
19
24
|
redirect_binding = new(request_or_response, options)
|
|
@@ -8,6 +8,7 @@ module Saml
|
|
|
8
8
|
|
|
9
9
|
attribute :authn_instant, Time, tag: "AuthnInstant", on_save: lambda { |val| val.utc.xmlschema }
|
|
10
10
|
attribute :session_index, String, tag: "SessionIndex"
|
|
11
|
+
attribute :session_not_on_or_after, Time, tag: "SessionNotOnOrAfter", on_save: lambda { |val| val.utc.xmlschema if val.present?}
|
|
11
12
|
|
|
12
13
|
has_one :subject_locality, Saml::Elements::SubjectLocality, tag: "SubjectLocality"
|
|
13
14
|
has_one :authn_context, Saml::Elements::AuthnContext, tag: "AuthnContext"
|
|
@@ -15,27 +15,9 @@ module Saml
|
|
|
15
15
|
validates :encrypted_data, presence: true
|
|
16
16
|
|
|
17
17
|
def encrypt(attribute, encrypted_key_data, encrypted_data_options = {})
|
|
18
|
-
self
|
|
19
|
-
self.encrypted_data.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
|
|
20
|
-
self.encrypted_data.set_key_name key_name
|
|
21
|
-
|
|
22
|
-
encrypted_key_data.each do |key_descriptor, key_options|
|
|
23
|
-
encrypted_key = self.encrypted_data.encrypt Nokogiri::XML(attribute.to_xml).root.to_xml, key_options
|
|
24
|
-
encrypted_key.set_encryption_method algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
|
|
25
|
-
encrypted_key.set_key_name key_descriptor.key_info.key_name
|
|
26
|
-
encrypted_key.carried_key_name = key_name
|
|
27
|
-
encrypted_key.encrypt key_descriptor.certificate.public_key
|
|
28
|
-
|
|
29
|
-
self.encrypted_keys ||= []
|
|
30
|
-
self.encrypted_keys << encrypted_key
|
|
31
|
-
end
|
|
18
|
+
Saml::Util.encrypt_element(self, attribute, encrypted_key_data, encrypted_data_options)
|
|
32
19
|
end
|
|
33
20
|
|
|
34
|
-
private
|
|
35
|
-
|
|
36
|
-
def key_name
|
|
37
|
-
@key_name ||= Saml.generate_id
|
|
38
|
-
end
|
|
39
21
|
end
|
|
40
22
|
end
|
|
41
23
|
end
|
|
@@ -28,16 +28,16 @@ module Saml
|
|
|
28
28
|
|
|
29
29
|
if key_descriptors.any?
|
|
30
30
|
if key_descriptors.one?
|
|
31
|
-
|
|
31
|
+
encrypt_for_one_key_descriptor(key_descriptors.first, key_options)
|
|
32
32
|
else
|
|
33
|
-
|
|
33
|
+
encrypt_for_multiple_key_descriptors(key_descriptors, key_options)
|
|
34
34
|
end
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
private
|
|
39
39
|
|
|
40
|
-
def
|
|
40
|
+
def encrypt_for_one_key_descriptor(key_descriptor, key_options = {})
|
|
41
41
|
self.encrypted_data = Xmlenc::Builder::EncryptedData.new
|
|
42
42
|
|
|
43
43
|
self.encrypted_data.set_key_retrieval_method Xmlenc::Builder::RetrievalMethod.new(
|
|
@@ -47,7 +47,7 @@ module Saml
|
|
|
47
47
|
algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
|
|
48
48
|
)
|
|
49
49
|
|
|
50
|
-
encrypted_key = self.encrypted_data.encrypt(
|
|
50
|
+
encrypted_key = self.encrypted_data.encrypt(Nokogiri::XML(name_id.to_xml).root.to_xml, key_options)
|
|
51
51
|
encrypted_key.set_encryption_method(
|
|
52
52
|
algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
|
|
53
53
|
digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
|
|
@@ -60,39 +60,18 @@ module Saml
|
|
|
60
60
|
self.name_id = nil
|
|
61
61
|
end
|
|
62
62
|
|
|
63
|
-
def
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
self.encrypted_data.set_key_name key_name
|
|
69
|
-
self.encrypted_data.set_encryption_method(
|
|
70
|
-
algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
|
|
71
|
-
)
|
|
72
|
-
|
|
73
|
-
key_descriptors.each do |key_descriptor|
|
|
74
|
-
encrypted_key = self.encrypted_data.encrypt(
|
|
75
|
-
name_id_xml,
|
|
76
|
-
key_options.merge(id: "_#{SecureRandom.uuid}", carried_key_name: key_name)
|
|
77
|
-
)
|
|
78
|
-
encrypted_key.set_encryption_method(
|
|
79
|
-
algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p',
|
|
80
|
-
digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
|
|
81
|
-
)
|
|
82
|
-
|
|
83
|
-
encrypted_key.set_key_name(key_descriptor.key_info.key_name)
|
|
84
|
-
encrypted_key.encrypt(key_descriptor.certificate.public_key)
|
|
85
|
-
|
|
86
|
-
encrypted_keys << encrypted_key
|
|
63
|
+
def encrypt_for_multiple_key_descriptors(encrypted_key_data, encrypted_data_options = {})
|
|
64
|
+
if encrypted_data_options[:recipient].present? && encrypted_key_data.first.is_a?(Saml::Elements::KeyDescriptor)
|
|
65
|
+
encrypted_key_data.map! do |key_descriptor|
|
|
66
|
+
[ key_descriptor, { recipient: encrypted_data_options[:recipient] } ]
|
|
67
|
+
end
|
|
87
68
|
end
|
|
88
69
|
|
|
89
|
-
self
|
|
70
|
+
Saml::Util.encrypt_element(self, name_id, encrypted_key_data, encrypted_data_options)
|
|
71
|
+
|
|
90
72
|
self.name_id = nil
|
|
91
73
|
end
|
|
92
74
|
|
|
93
|
-
def name_id_xml
|
|
94
|
-
Nokogiri::XML(name_id.to_xml).root.to_xml
|
|
95
|
-
end
|
|
96
75
|
end
|
|
97
76
|
end
|
|
98
77
|
end
|
data/lib/saml/provider.rb
CHANGED
|
@@ -105,6 +105,8 @@ module Saml
|
|
|
105
105
|
def digest_method(signature_algorithm)
|
|
106
106
|
digest = signature_algorithm && signature_algorithm =~ /sha(.*?)$/i && $1.to_i
|
|
107
107
|
case digest
|
|
108
|
+
when 512 then
|
|
109
|
+
OpenSSL::Digest::SHA512
|
|
108
110
|
when 256 then
|
|
109
111
|
OpenSSL::Digest::SHA256
|
|
110
112
|
else
|
data/lib/saml/response.rb
CHANGED
|
@@ -28,10 +28,14 @@ module Saml
|
|
|
28
28
|
!success? && status.status_code.unknown_principal?
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
def encrypt_assertions(
|
|
31
|
+
def encrypt_assertions(key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false)
|
|
32
32
|
@encrypted_assertions = []
|
|
33
33
|
assertions.each do |assertion|
|
|
34
|
-
@encrypted_assertions << Saml::Util.encrypt_assertion(
|
|
34
|
+
@encrypted_assertions << Saml::Util.encrypt_assertion(
|
|
35
|
+
assertion, key_descriptor_or_certificate,
|
|
36
|
+
include_certificate: include_certificate,
|
|
37
|
+
include_key_retrieval_method: include_key_retrieval_method
|
|
38
|
+
)
|
|
35
39
|
end
|
|
36
40
|
assertions.clear
|
|
37
41
|
end
|
data/lib/saml/util.rb
CHANGED
|
@@ -60,7 +60,7 @@ module Saml
|
|
|
60
60
|
end
|
|
61
61
|
end
|
|
62
62
|
|
|
63
|
-
def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false)
|
|
63
|
+
def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false)
|
|
64
64
|
case key_descriptor_or_certificate
|
|
65
65
|
when OpenSSL::X509::Certificate
|
|
66
66
|
certificate = key_descriptor_or_certificate
|
|
@@ -87,6 +87,11 @@ module Saml
|
|
|
87
87
|
end
|
|
88
88
|
encrypted_key.encrypt(certificate.public_key)
|
|
89
89
|
|
|
90
|
+
if include_key_retrieval_method
|
|
91
|
+
encrypted_key.id = '_' + SecureRandom.uuid
|
|
92
|
+
encrypted_data.set_key_retrieval_method (Xmlenc::Builder::RetrievalMethod.new(uri: "##{encrypted_key.id}"))
|
|
93
|
+
end
|
|
94
|
+
|
|
90
95
|
Saml::Elements::EncryptedAssertion.new(encrypted_data: encrypted_data, encrypted_keys: encrypted_key)
|
|
91
96
|
end
|
|
92
97
|
|
|
@@ -98,6 +103,32 @@ module Saml
|
|
|
98
103
|
Saml::Assertion.parse(encrypted_document.decrypt(private_key), single: true)
|
|
99
104
|
end
|
|
100
105
|
|
|
106
|
+
def encrypt_element(element, target_element, encrypted_key_data, encrypted_data_options)
|
|
107
|
+
key_name = encrypted_data_options.fetch(:key_name, Saml.generate_id)
|
|
108
|
+
|
|
109
|
+
element.encrypted_data = Xmlenc::Builder::EncryptedData.new(encrypted_data_options)
|
|
110
|
+
element.encrypted_data.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc')
|
|
111
|
+
element.encrypted_data.set_key_name key_name
|
|
112
|
+
|
|
113
|
+
original_encrypted_key = element.encrypted_data.encrypt(Nokogiri::XML(target_element.to_xml).root.to_xml, encrypted_data_options)
|
|
114
|
+
|
|
115
|
+
encrypted_key_data.each do |key_descriptor, key_options = {}|
|
|
116
|
+
encrypted_key_options = key_options.merge(id: Saml.generate_id, data: original_encrypted_key.data)
|
|
117
|
+
|
|
118
|
+
encrypted_key = Xmlenc::Builder::EncryptedKey.new(encrypted_key_options)
|
|
119
|
+
encrypted_key.add_data_reference(element.encrypted_data.id)
|
|
120
|
+
encrypted_key.set_key_name(key_descriptor.key_info.key_name)
|
|
121
|
+
encrypted_key.carried_key_name = key_name
|
|
122
|
+
encrypted_key.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1')
|
|
123
|
+
encrypted_key.encrypt(key_descriptor.certificate.public_key)
|
|
124
|
+
|
|
125
|
+
element.encrypted_keys ||= []
|
|
126
|
+
element.encrypted_keys << encrypted_key
|
|
127
|
+
end
|
|
128
|
+
|
|
129
|
+
element
|
|
130
|
+
end
|
|
131
|
+
|
|
101
132
|
def encrypt_name_id(name_id, key_descriptor, key_options = {})
|
|
102
133
|
encrypted_id = Saml::Elements::EncryptedID.new(name_id: name_id)
|
|
103
134
|
encrypt_encrypted_id(encrypted_id, key_descriptor, key_options)
|
data/lib/saml/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: libsaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.9.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Benoist Claassen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-06-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -255,7 +255,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
255
255
|
- !ruby/object:Gem::Version
|
|
256
256
|
version: '0'
|
|
257
257
|
requirements: []
|
|
258
|
-
rubygems_version: 3.
|
|
258
|
+
rubygems_version: 3.1.4
|
|
259
259
|
signing_key:
|
|
260
260
|
specification_version: 4
|
|
261
261
|
summary: A gem to easily create SAML 2.0 messages.
|