ruby-saml-mod 0.2.7 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3171e108941b383ace094aa28a8fc377fc2385e1
-  data.tar.gz: d5d36d364160f8bc2e246fba0a536415a3cac705
+  metadata.gz: 93bfa6aae98096c0f3de5695ba3fac7c0a743fd8
+  data.tar.gz: ed79e42522a0a88ea1baebbff261b6234fe7f95e
 SHA512:
-  metadata.gz: eb0c7c03ea7c9b928e4caf072534a78aa6b2172eabb3f1f0796ad7856e3b7307e336b64e0a88026278ccc00e8fd917fed31c9e874e000366b3d12793c01d1ce2
-  data.tar.gz: 040ddd5cfa64d0f326a4cb06532bdb0a4936b53be2419ceb1ba3050ed89e1f74fdfd92ed832719c0e78b7a040bab1e95e1bc0dcde1d4bcaf8dab181b16bd1593
+  metadata.gz: 8db250afccb39f56512ca96846e69c2745c9ee1bc18b9bf6f7f8113fc16a39d87ac47d391fc466e37dd5947ca1773af0c73fd415cce824998803c94269ecac82
+  data.tar.gz: dfb5339a232fd2ef26a9a5bb384307fb89271b8a0ebf1d03e8176c62eeaf6d99e2440d41d7dc5ecab3ff9a6e47a123d5c688b270a520324bef49827bbf703ee6

data/lib/onelogin/saml/logout_request.rb

@@ -4,6 +4,7 @@ module Onelogin::Saml
                 :session_index,
                 :name_qualifier,
                 :name_identifier_format
+    attr_accessor :sp_name_qualifier
 
     def name_id
       @name_id ||= node_content('saml:NameID')
@@ -21,21 +22,25 @@ module Onelogin::Saml
       @session_index ||= node_content('samlp:SessionIndex')
     end
 
-    def self.generate(name_qualifier, name_id, session_index, settings)
+    def self.generate(name_qualifier, sp_name_qualifier, name_id, name_identifier_format, session_index, settings)
       super(settings, {
         destination: settings.idp_slo_target_url,
-        name_identifier_format: settings.name_identifier_format,
+        name_identifier_format: name_identifier_format,
         name_id: name_id,
         name_qualifier: name_qualifier,
+        sp_name_qualifier: sp_name_qualifier,
         session_index: session_index
       })
     end
 
     def generate
+      name_qualifier = %{NameQualifier="#{self.name_qualifier}" } if self.name_qualifier
+      sp_name_qualifier = %{SPNameQualifier="#{self.sp_name_qualifier}" } if self.sp_name_qualifier
+      format = %{Format="#{self.name_identifier_format}" } if self.name_identifier_format
       <<-XML
         <samlp:LogoutRequest xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{CGI.escapeHTML(self.destination)}">
           <saml:Issuer>#{self.issuer}</saml:Issuer>
-          <saml:NameID NameQualifier="#{self.name_qualifier}" SPNameQualifier="#{self.issuer}" Format="#{self.name_identifier_format}">#{self.name_id}</saml:NameID>
+          <saml:NameID #{name_qualifier}#{sp_name_qualifier}#{format}>#{self.name_id}</saml:NameID>
           <samlp:SessionIndex>#{self.session_index}</samlp:SessionIndex>
         </samlp:LogoutRequest>
       XML

data/lib/onelogin/saml/response.rb

@@ -3,7 +3,7 @@ module Onelogin::Saml
 
     attr_accessor :settings
     attr_reader :document, :xml, :response
-    attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
+    attr_reader :name_id, :name_identifier_format, :name_qualifier, :sp_name_qualifier, :session_index, :saml_attributes
     attr_reader :status_code, :status_message
     attr_reader :in_response_to, :destination, :issuer
     attr_reader :validation_error
@@ -38,7 +38,9 @@ module Onelogin::Saml
       @status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil
 
       @name_id        = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
+      @name_identifier_format = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["Format"] rescue nil
       @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
+      @sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
       @session_index  = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
 
       @saml_attributes = {}

data/lib/xml_sec.rb

@@ -357,8 +357,8 @@ module XMLSecurity
       # check cert matches registered idp cert, unless we explicitly skip this check
       unless idp_cert_fingerprint == '*'
         fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-        expected_fingerprint = idp_cert_fingerprint.gsub(":", "").downcase
-        if fingerprint != expected_fingerprint
+        expected_fingerprints = Array(idp_cert_fingerprint).map { |f| f.gsub(":", "").downcase }
+        unless expected_fingerprints.include?(fingerprint)
           @validation_error = "Invalid fingerprint (expected #{expected_fingerprint}, got #{fingerprint})"
           return false
         end

data/spec/logout_request_spec.rb

@@ -28,13 +28,17 @@ describe Onelogin::Saml::LogoutRequest do
   end
 
   let(:name_qualifier) { 'foo' }
+  let(:sp_name_qualifier) { 'foo' }
   let(:name_id) { 'bar'}
+  let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
   let(:session_index) { 'baz' }
 
   let(:logout_request) do
     Onelogin::Saml::LogoutRequest::generate(
       name_qualifier,
+      sp_name_qualifier,
       name_id,
+      name_identifier_format,
       session_index,
       settings
     )
@@ -52,13 +56,29 @@ describe Onelogin::Saml::LogoutRequest do
     logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)['Format'].should == Onelogin::Saml::NameIdentifiers::UNSPECIFIED
   end
 
+  it "does not include attribues when they are nil" do
+    logout_request = Onelogin::Saml::LogoutRequest::generate(
+      nil,
+      nil,
+      name_id,
+      nil,
+      session_index,
+      settings
+    )
+    logout_xml = Nokogiri::XML(logout_request.xml)
+    name_id_elem = logout_xml.at_xpath('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES)
+    name_id_elem['NameQualifier'].should == nil
+    name_id_elem['SPNameQualifier'].should == nil
+    name_id_elem['NameIdentifierFormat'].should == nil
+  end
+
   it "does not include the signature in the request xml" do
     logout_xml = Nokogiri::XML(logout_request.xml)
     logout_xml.at_xpath('/samlp:LogoutRequest/ds:Signature', Onelogin::NAMESPACES).should be_nil
   end
 
   it "can sign the generated query string" do
-    expect(verify_query_string_signature(settings, forward_url)).to be_true
+    expect(verify_query_string_signature(settings, forward_url)).to eq true
   end
 
   it "properly signs when the IDP URL already contains a query string" do
@@ -69,9 +89,14 @@ describe Onelogin::Saml::LogoutRequest do
       :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
       :name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
     )
-    request = Onelogin::Saml::LogoutRequest.generate(name_qualifier, name_id, session_index, settings)
+    request = Onelogin::Saml::LogoutRequest.generate(name_qualifier,
+                                                     sp_name_qualifier,
+                                                     name_id,
+                                                     name_identifier_format,
+                                                     session_index,
+                                                     settings)
     expect(request.forward_url).to match(%r{^http://idp.example.com/saml2\?existing=param\&existing=param&})
-    expect(verify_query_string_signature(settings, request.forward_url)).to be_true
+    expect(verify_query_string_signature(settings, request.forward_url)).to eq true
   end
 
   it "parses a logout request" do

data/spec/response_spec.rb

@@ -22,6 +22,12 @@ describe Onelogin::Saml::Response do
       @response.status_message.strip.should == ""
     end
 
+    it "support multiple valid certs" do
+      @settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
+      @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+      @response.should be_is_valid
+    end
+
     it "should not be able to decrypt without the proper key" do
       @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
       XMLSecurity.mute do
@@ -162,7 +168,9 @@ describe Onelogin::Saml::Response do
 
   describe "forward_urls" do
     let(:name_qualifier) { 'foo' }
+    let(:sp_name_qualifier) { 'foo' }
     let(:name_id) { 'bar'}
+    let(:name_identifier_format) { Onelogin::Saml::NameIdentifiers::UNSPECIFIED }
     let(:session_index) { 'baz' }
 
     it "should should append the saml request to a url" do
@@ -177,7 +185,11 @@ describe Onelogin::Saml::Response do
       prefix = "http://example.com/login.php?SAMLRequest="
       expect(forward_url[0...prefix.size]).to eql(prefix)
 
-      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
+      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
+                                                        sp_name_qualifier,
+                                                        name_id,
+                                                        name_identifier_format,
+                                                        session_index, settings)
       prefix = "http://example.com/logout.php?SAMLRequest="
       expect(request.forward_url[0...prefix.size]).to eql(prefix)
     end
@@ -194,7 +206,12 @@ describe Onelogin::Saml::Response do
       prefix = "http://example.com/login.php?param=foo&SAMLRequest="
       expect(forward_url[0...prefix.size]).to eql(prefix)
 
-      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
+      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier,
+                                                        sp_name_qualifier,
+                                                        name_id,
+                                                        name_identifier_format,
+                                                        session_index,
+                                                        settings)
       prefix = "http://example.com/logout.php?param=foo&SAMLRequest="
       expect(request.forward_url[0...prefix.size]).to eql(prefix)
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version
-  version: 0.2.7
+  version: 0.3.0
 platform: ruby
 authors:
 - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-12 00:00:00.000000000 Z
+date: 2016-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -132,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: Ruby library for SAML service providers