ruby-saml-mod 0.2.3 → 0.2.4

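--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: ff4a7cff2b6929e092a51654385e19efc754e7f8
- data.tar.gz: e7e8a6914befec4887246f9c35fe2d0a0f2a3901
+ metadata.gz: 7770e817d19d3dd3b26a161a3d1c81d09de8bfe1
+ data.tar.gz: c9fc53f57bf54347f9f4b9e8ae76a2195ae239f9
  SHA512:
- metadata.gz: 54dce33e79adf20a5ebf0c78a6498d347a64ee2db6658456229ccd92f5461ea4b4c6c9f851d468e1593f10e380e2976707452abd5a82f880b4925af55c89f68c
- data.tar.gz: 1640b00cc3c0b3fd287909b041582b89f1cfed97979be5f95a7b71b1c1a6de319601c69fbc123d21aa6d79b4e9bd3567444250a6a040b9bd371fec9f05716048
+ metadata.gz: 488908ad982d9a8f1859d753243e4ff5f0c9718bb8fc9b2d59ae76b175104484353f02bd4390404a99fd5f5b62965db4015c638c094f90dccf7aff89c0566552
+ data.tar.gz: 37ad288d7e2f6665a288e43dc4bd383b91209c226e67042e0a44f72b87925e85e5e619194a2062d203b704e19c711b405363d4cdc27bdd6f22724cffec025e1c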
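--- a/data/lib/xml_sec.rb
+++ b/data/lib/xml_sec.rb
@@ -330,7 +330,7 @@ module XMLSecurity
 
  def signed_roots
  signatures.map do |sig|
- ref = sig.find('.//ds:Reference', Onelogin::NAMESPACES).first
+ ref = sig.find('./ds:SignedInfo/ds:Reference', Onelogin::NAMESPACES).first
  signed_element_id = ref['URI'].sub(/^#/, '')
 
  if signed_element_id.empty?
@@ -344,7 +344,8 @@ module XMLSecurity
  end
 
  def signatures
- @signatures ||= self.find("//ds:Signature", Onelogin::NAMESPACES)
+ # we only return the first, cause our signature validation only checks the first
+ @signatures ||= [self.find_first("//ds:Signature", Onelogin::NAMESPACES)]
  end
 
  def validate(idp_cert_fingerprint, logger = nil)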
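Review bot: `@signatures ||= [self.find_first("//ds:Signature", Onelogin::NAMESPACES)]` yields `[nil]` for a document that carries no `ds:Signature`, whereas the replaced `find` returned an empty node set; `signed_roots` in the first hunk then calls `sig.find` on nil and raises NoMethodError rather than reporting no signed roots. `@signatures ||= [self.find_first("//ds:Signature", Onelogin::NAMESPACES)].compact` preserves the empty-collection contract. The first hunk has the same shape: `.first` on an empty `./ds:SignedInfo/ds:Reference` result leaves `ref` nil before `ref['URI']`, and whether `validate` (whose body starts after this section) screens for a missing signature or reference first is not visible here. The added comment should also state the security consequence rather than only the reason, e.g. `# Only the first ds:Signature in document order is verified; any later Signature is ignored, so content outside the first signature's referenced element must be treated as unsigned` — that last part is my inference from `signed_element_id`, and `signed_roots` itself continues past the first hunk.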
@@ -0,0 +1,84 @@
1
+ <?xml version="1.0"?>
2
+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e5d6a82d-17b4-4bbb-9875-d76ba51fd4d6" Version="2.0" IssueInstant="2015-02-27T19:12:52Z" Destination=""><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe4" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
3
+ <SignedInfo>
4
+ <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
5
+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
6
+ <Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe4">
7
+ <Transforms>
8
+ <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
9
+ <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
10
+ </Transforms>
11
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
12
+ <DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
13
+ </Reference>
14
+ </SignedInfo>
15
+ <SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
16
+ kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
17
+ kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
18
+ <KeyInfo>
19
+ <X509Data>
20
+ <X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
21
+ BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
22
+ cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
23
+ CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
24
+ MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
25
+ QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
26
+ T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
27
+ SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
28
+ EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
29
+ +q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
30
+ tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
31
+ sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
32
+ VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
33
+ dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
34
+ AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
35
+ /zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
36
+ 7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
37
+ hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
38
+ 3CcHYg==</X509Certificate>
39
+ </X509Data>
40
+ </KeyInfo>
41
+ </Signature></saml:Assertion>
42
+
43
+ <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe5" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
44
+ <SignedInfo>
45
+ <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
46
+ <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
47
+ <Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe5">
48
+ <Transforms>
49
+ <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
50
+ <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
51
+ </Transforms>
52
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
53
+ <DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
54
+ </Reference>
55
+ </SignedInfo>
56
+ <SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
57
+ kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
58
+ kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
59
+ <KeyInfo>
60
+ <X509Data>
61
+ <X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
62
+ BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
63
+ cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
64
+ CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
65
+ MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
66
+ QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
67
+ T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
68
+ SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
69
+ EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
70
+ +q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
71
+ tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
72
+ sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
73
+ VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
74
+ dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
75
+ AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
76
+ /zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
77
+ 7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
78
+ hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
79
+ 3CcHYg==</X509Certificate>
80
+ </X509Data>
81
+ </KeyInfo>
82
+ </Signature></saml:Assertion>
83
+
84
+ </samlp:Response>
@@ -116,6 +116,15 @@ describe Onelogin::Saml::Response do
116
116
  @response.should_not be_is_valid
117
117
  end
118
118
 
119
+ it "should protect against additional mis-signed assertions" do
120
+ @xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
121
+ @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
122
+ @response = Onelogin::Saml::Response.new(@xmlb64)
123
+ @response.process(@settings)
124
+ @response.should be_is_valid
125
+ @response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
126
+ end
127
+
119
128
  it "should allow non-ascii characters in attributes" do
120
129
  @xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
121
130
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
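--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: ruby-saml-mod
  version: !ruby/object:Gem::Version
- version: 0.2.3
+ version: 0.2.4
  platform: ruby
  authors:
  - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-01-28 00:00:00.000000000 Z
+ date: 2015-03-06 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: libxml-ruby
@@ -103,6 +103,7 @@ files:
  - spec/fixtures/test5-response.xml
  - spec/fixtures/test6-response.xml
  - spec/fixtures/wrong-key.pem
+ - spec/fixtures/xml_missigned_assertion.xml
  - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
  - spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
  - spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
@@ -131,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.2.2
+ rubygems_version: 2.4.5
  signing_key:
  specification_version: 4
  summary: Ruby library for SAML service providers
@@ -148,6 +149,7 @@ test_files:
  - spec/fixtures/test5-response.xml
  - spec/fixtures/test6-response.xml
  - spec/fixtures/wrong-key.pem
+ - spec/fixtures/xml_missigned_assertion.xml
  - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
  - spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
  - spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml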