ruby-saml-mod 0.2.3 → 0.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/xml_sec.rb +3 -2
- data/spec/fixtures/xml_missigned_assertion.xml +84 -0
- data/spec/response_spec.rb +9 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7770e817d19d3dd3b26a161a3d1c81d09de8bfe1
|
|
4
|
+
data.tar.gz: c9fc53f57bf54347f9f4b9e8ae76a2195ae239f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 488908ad982d9a8f1859d753243e4ff5f0c9718bb8fc9b2d59ae76b175104484353f02bd4390404a99fd5f5b62965db4015c638c094f90dccf7aff89c0566552
|
|
7
|
+
data.tar.gz: 37ad288d7e2f6665a288e43dc4bd383b91209c226e67042e0a44f72b87925e85e5e619194a2062d203b704e19c711b405363d4cdc27bdd6f22724cffec025e1c
|
data/lib/xml_sec.rb
CHANGED
|
@@ -330,7 +330,7 @@ module XMLSecurity
|
|
|
330
330
|
|
|
331
331
|
def signed_roots
|
|
332
332
|
signatures.map do |sig|
|
|
333
|
-
ref = sig.find('
|
|
333
|
+
ref = sig.find('./ds:SignedInfo/ds:Reference', Onelogin::NAMESPACES).first
|
|
334
334
|
signed_element_id = ref['URI'].sub(/^#/, '')
|
|
335
335
|
|
|
336
336
|
if signed_element_id.empty?
|
|
@@ -344,7 +344,8 @@ module XMLSecurity
|
|
|
344
344
|
end
|
|
345
345
|
|
|
346
346
|
def signatures
|
|
347
|
-
|
|
347
|
+
# we only return the first, cause our signature validation only checks the first
|
|
348
|
+
@signatures ||= [self.find_first("//ds:Signature", Onelogin::NAMESPACES)]
|
|
348
349
|
end
|
|
349
350
|
|
|
350
351
|
def validate(idp_cert_fingerprint, logger = nil)
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e5d6a82d-17b4-4bbb-9875-d76ba51fd4d6" Version="2.0" IssueInstant="2015-02-27T19:12:52Z" Destination=""><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe4" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
3
|
+
<SignedInfo>
|
|
4
|
+
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
5
|
+
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
6
|
+
<Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe4">
|
|
7
|
+
<Transforms>
|
|
8
|
+
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
9
|
+
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
10
|
+
</Transforms>
|
|
11
|
+
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|
|
12
|
+
<DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
|
|
13
|
+
</Reference>
|
|
14
|
+
</SignedInfo>
|
|
15
|
+
<SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
|
|
16
|
+
kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
|
|
17
|
+
kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
|
|
18
|
+
<KeyInfo>
|
|
19
|
+
<X509Data>
|
|
20
|
+
<X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
|
|
21
|
+
BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
|
|
22
|
+
cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
|
|
23
|
+
CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
|
|
24
|
+
MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
|
|
25
|
+
QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
|
|
26
|
+
T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
|
|
27
|
+
SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
|
|
28
|
+
EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
|
|
29
|
+
+q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
|
|
30
|
+
tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
|
|
31
|
+
sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
|
|
32
|
+
VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
|
|
33
|
+
dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
|
|
34
|
+
AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
|
|
35
|
+
/zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
|
|
36
|
+
7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
|
|
37
|
+
hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
|
|
38
|
+
3CcHYg==</X509Certificate>
|
|
39
|
+
</X509Data>
|
|
40
|
+
</KeyInfo>
|
|
41
|
+
</Signature></saml:Assertion>
|
|
42
|
+
|
|
43
|
+
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe5" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
44
|
+
<SignedInfo>
|
|
45
|
+
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
46
|
+
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
47
|
+
<Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe5">
|
|
48
|
+
<Transforms>
|
|
49
|
+
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
50
|
+
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
51
|
+
</Transforms>
|
|
52
|
+
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|
|
53
|
+
<DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
|
|
54
|
+
</Reference>
|
|
55
|
+
</SignedInfo>
|
|
56
|
+
<SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
|
|
57
|
+
kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
|
|
58
|
+
kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
|
|
59
|
+
<KeyInfo>
|
|
60
|
+
<X509Data>
|
|
61
|
+
<X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
|
|
62
|
+
BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
|
|
63
|
+
cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
|
|
64
|
+
CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
|
|
65
|
+
MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
|
|
66
|
+
QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
|
|
67
|
+
T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
|
|
68
|
+
SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
|
|
69
|
+
EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
|
|
70
|
+
+q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
|
|
71
|
+
tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
|
|
72
|
+
sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
|
|
73
|
+
VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
|
|
74
|
+
dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
|
|
75
|
+
AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
|
|
76
|
+
/zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
|
|
77
|
+
7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
|
|
78
|
+
hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
|
|
79
|
+
3CcHYg==</X509Certificate>
|
|
80
|
+
</X509Data>
|
|
81
|
+
</KeyInfo>
|
|
82
|
+
</Signature></saml:Assertion>
|
|
83
|
+
|
|
84
|
+
</samlp:Response>
|
data/spec/response_spec.rb
CHANGED
|
@@ -116,6 +116,15 @@ describe Onelogin::Saml::Response do
|
|
|
116
116
|
@response.should_not be_is_valid
|
|
117
117
|
end
|
|
118
118
|
|
|
119
|
+
it "should protect against additional mis-signed assertions" do
|
|
120
|
+
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
|
|
121
|
+
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
|
|
122
|
+
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
123
|
+
@response.process(@settings)
|
|
124
|
+
@response.should be_is_valid
|
|
125
|
+
@response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
|
|
126
|
+
end
|
|
127
|
+
|
|
119
128
|
it "should allow non-ascii characters in attributes" do
|
|
120
129
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
|
|
121
130
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2015-
|
|
17
|
+
date: 2015-03-06 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: libxml-ruby
|
|
@@ -103,6 +103,7 @@ files:
|
|
|
103
103
|
- spec/fixtures/test5-response.xml
|
|
104
104
|
- spec/fixtures/test6-response.xml
|
|
105
105
|
- spec/fixtures/wrong-key.pem
|
|
106
|
+
- spec/fixtures/xml_missigned_assertion.xml
|
|
106
107
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
107
108
|
- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
|
|
108
109
|
- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
|
|
@@ -131,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
131
132
|
version: '0'
|
|
132
133
|
requirements: []
|
|
133
134
|
rubyforge_project:
|
|
134
|
-
rubygems_version: 2.
|
|
135
|
+
rubygems_version: 2.4.5
|
|
135
136
|
signing_key:
|
|
136
137
|
specification_version: 4
|
|
137
138
|
summary: Ruby library for SAML service providers
|
|
@@ -148,6 +149,7 @@ test_files:
|
|
|
148
149
|
- spec/fixtures/test5-response.xml
|
|
149
150
|
- spec/fixtures/test6-response.xml
|
|
150
151
|
- spec/fixtures/wrong-key.pem
|
|
152
|
+
- spec/fixtures/xml_missigned_assertion.xml
|
|
151
153
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
152
154
|
- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
|
|
153
155
|
- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
|