ruby-saml-mod 0.1.6 → 0.1.7

@@ -5,6 +5,7 @@ module Onelogin::Saml
5
5
  attr_reader :name_id, :name_qualifier, :session_index
6
6
  attr_reader :status_code, :status_message
7
7
  attr_reader :in_response_to, :destination
8
+ attr_reader :validation_error
8
9
  def initialize(response, settings)
9
10
  @response = response
10
11
  @settings = settings
@@ -28,8 +29,20 @@ module Onelogin::Saml
28
29
 
29
30
  def is_valid?
30
31
  if !@response.blank? && @document.elements["//ds:X509Certificate"]
31
- @document.validate(@settings.idp_cert_fingerprint, @logger) unless !@settings.idp_cert_fingerprint
32
+ if !@settings.idp_cert_fingerprint
33
+ @validation_error = "No fingerprint configured in SAML settings"
34
+ false
35
+ elsif @document.validate(@settings.idp_cert_fingerprint, @logger)
36
+ true
37
+ else
38
+ @validation_error = @document.validation_error
39
+ false
40
+ end
41
+ elsif @response.blank?
42
+ @validation_error = "No response to validate"
43
+ false
32
44
  else
45
+ @validation_error = "No ds:X509Certificate element"
33
46
  false
34
47
  end
35
48
  end
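--- a/data/lib/xml_sec.rb
+++ b/data/lib/xml_sec.rb
@@ -34,6 +34,8 @@ require "shellwords"
  module XMLSecurity
 
  class SignedDocument < REXML::Document
+
+ attr_reader :validation_error
 
  def validate (idp_cert_fingerprint, logger = nil)
  # get cert from response
@@ -44,6 +46,7 @@ module XMLSecurity
  # check cert matches registered idp cert
  fingerprint = Digest::SHA1.hexdigest(cert.to_der)
  valid_flag = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+ @validation_error = "Invalid fingerprint" unless valid_flag
 
  return valid_flag if !valid_flag
 
@@ -69,6 +72,20 @@ module XMLSecurity
 
  valid_flag = hash == digest_value
 
+ if !valid_flag
+ @validation_error = <<-INFO
+ Invalid references digest.
+ Got digest of
+ #{hash}
+ but expected
+ #{digest_value}
+ XML from response:
+ #{hashed_element}
+ Canonized XML:
+ #{canon_hashed_element}
+ INFO
+ end
+
  return valid_flag if !valid_flag
  end
 
@@ -85,6 +102,7 @@ module XMLSecurity
  cert = OpenSSL::X509::Certificate.new(cert_text)
 
  valid_flag = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+ @validation_error = "Invalid public key" unless valid_flag
 
  return valid_flag
  end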
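Review bot: The heredoc assigned to `@validation_error` on the digest-mismatch path interpolates `hashed_element` and `canon_hashed_element`, so the error string carries the whole signed element, including any name_id and attribute values it holds, into wherever callers log or display `validation_error`; a digest mismatch is also exactly the case where that content is untrusted. Keep the attribute to a short message and route the XML through the `logger` argument `validate` already takes, e.g. `@validation_error = "Invalid references digest (got #{hash}, expected #{digest_value})"` followed by `logger.debug { "Canonicalized XML: #{canon_hashed_element}" } if logger`. Nothing in these hunks resets `@validation_error` at the top of `validate`, so a second call on the same document may report a stale message; `validate`'s body starts and ends outside the hunks, so confirm there. In the last hunk, `"Invalid public key"` describes a signature that failed to verify rather than a malformed key; `"Signature verification failed"` says what was actually checked.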
@@ -1,9 +1,9 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = %q{ruby-saml-mod}
3
- s.version = "0.1.6"
3
+ s.version = "0.1.7"
4
4
 
5
5
  s.authors = ["OneLogin LLC", "Bracken", "Zach"]
6
- s.date = %q{2012-01-26}
6
+ s.date = %q{2012-02-06}
7
7
  s.extra_rdoc_files = [
8
8
  "LICENSE"
9
9
  ]
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml-mod
3
3
  version: !ruby/object:Gem::Version
4
- hash: 23
4
+ hash: 21
5
5
  prerelease:
6
6
  segments:
7
7
  - 0
8
8
  - 1
9
- - 6
10
- version: 0.1.6
9
+ - 7
10
+ version: 0.1.7
11
11
  platform: ruby
12
12
  authors:
13
13
  - OneLogin LLC
@@ -17,7 +17,7 @@ autorequire:
17
17
  bindir: bin
18
18
  cert_chain: []
19
19
 
20
- date: 2012-01-26 00:00:00 Z
20
+ date: 2012-02-06 00:00:00 Z
21
21
  dependencies: []
22
22
 
23
23
  description: "This is an early fork from https://github.com/onelogin/ruby-saml - I plan to \"rebase\" these changes ontop of their current version eventually. "