ruby-saml-mod 0.3.6 → 0.3.7

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 22e420102cc676f675057d83f7ece4056c974951
4
- data.tar.gz: d91e11eb1c0ee8c4ac8588b4178f72b33bb50d41
3
+ metadata.gz: b1b242e9ff3858681e80c4091494d480e2611088
4
+ data.tar.gz: 1dc877f9a2879b6e37687b78ab439da852f408bf
5
5
  SHA512:
6
- metadata.gz: ca3fe26451163cfb0c08e367f8f6507ad7bee9eea5efbdb8c91c45d9ab644008b64439adbd9c4cf364ce5c9719a912c7cfcf0a723c4ec08ee3fe449ac0154f3c
7
- data.tar.gz: 0af012fa8a33546831375fc4cba9ce4808c9bd37a9fdaccfca7edb86347a35c4e551e2709a93af52ca2f70beb2cc6a1e930322fee03b64fcfd8966f367063813
6
+ metadata.gz: 05a823a73ff85abcccc37895b2d4fbbfe94f87963c892a3e3ddf4281e28ec023cc6ea50625ffc23788ad3cd9b353df7190823e10ae4752f6412fb9e2df2ec1b7
7
+ data.tar.gz: 76e7c832f85e0e1e47a14484c3a55af32ab437b77b07a386f403ddb30ec2503f3fff5f293df0ff17b41b22fbce27372f0c3d2c7f98a2cb841c8d439f38f56a87
@@ -8,7 +8,7 @@ module Onelogin::Saml
8
8
  attr_reader :in_response_to, :destination, :issuer
9
9
  attr_reader :validation_error, :used_key
10
10
 
11
- def initialize(response, settings=nil)
11
+ def initialize(response, settings=nil, as_of: Time.now)
12
12
  @response = response
13
13
 
14
14
  begin
@@ -25,10 +25,10 @@ module Onelogin::Saml
25
25
  @issuer ||= document.at_xpath("/samlp:Response/saml:Assertion/saml:Issuer", Onelogin::NAMESPACES).content.strip rescue nil
26
26
  @status_code = document.at_xpath("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil
27
27
 
28
- process(settings) if settings
28
+ process(settings, as_of: as_of) if settings
29
29
  end
30
30
 
31
- def process(settings)
31
+ def process(settings, as_of: Time.now)
32
32
  @settings = settings
33
33
  @logger = settings.logger
34
34
  return unless @response
@@ -42,12 +42,27 @@ module Onelogin::Saml
42
42
  @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
43
43
  @sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
44
44
  @session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
45
+ @issue_instant = trusted_find_first("saml:Assertion")["IssueInstant"] rescue nil
45
46
 
46
47
  @saml_attributes = {}
47
48
  trusted_find("saml:Attribute").each do |attr|
48
49
  attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
49
50
  @saml_attributes[attrname] = attr.content.strip rescue nil
50
51
  end
52
+
53
+ if @is_valid
54
+ @issue_instant = Time.parse(@issue_instant) if @issue_instant
55
+ if !@issue_instant
56
+ @is_valid = false
57
+ @validation_error = "No timestamp in message"
58
+ elsif @issue_instant + 5 * 60 < as_of
59
+ @is_valid = false
60
+ @validation_error = "Assertion expired"
61
+ elsif @issue_instant - 5 * 60 > as_of
62
+ @is_valid = false
63
+ @validation_error = "Assertion not yet valid"
64
+ end
65
+ end
51
66
  end
52
67
 
53
68
  def disable_signature_validation!(settings)
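Review bot: The added `@issue_instant = Time.parse(@issue_instant) if @issue_instant` (new line 54) raises ArgumentError on an IssueInstant value that does not parse, so a malformed attribute aborts `process` instead of being recorded as a validation failure the way every other `rescue nil` line in this method handles bad input. The value comes from the message, so parsing should fail closed: use the stricter `Time.iso8601` and treat a parse error like a missing timestamp, as sketched below. The five-minute window is also written out twice as `5 * 60`; a named constant (for example `CLOCK_SKEW = 5 * 60`) or a settings value would document the intent and keep the two branches in step. The hunk does not show `saml:Conditions` NotBefore/NotOnOrAfter being enforced; if that is done elsewhere this can be ignored, otherwise the IssueInstant window is the only temporal check on the assertion. `process` begins before the hunk.
```ruby
    if @is_valid
      begin
        @issue_instant = Time.iso8601(@issue_instant) if @issue_instant
      rescue ArgumentError
        # an IssueInstant that does not parse is treated like a missing one
        @issue_instant = nil
      end
      # … unchanged: missing / expired / not-yet-valid branches …
    end
```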
@@ -79,7 +94,10 @@ module Onelogin::Saml
79
94
  end
80
95
 
81
96
  def is_valid?
82
- @is_valid ||= validate
97
+ if !instance_variable_defined?(:@is_valid)
98
+ @is_valid = validate
99
+ end
100
+ @is_valid
83
101
  end
84
102
 
85
103
  def validate
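Review bot: The reason `is_valid?` no longer uses `||=` deserves a comment, because the next reader will be tempted to restore the shorter form: with `||=` a memoized `false` — including the `false` that `process` assigns after the IssueInstant window check — makes `validate` run again, and if it returns true the earlier rejection is overwritten. Suggested comment above the guard: `# memoize false too: process may already have rejected this response, and re-running validate must not override that`. The guard itself reads more idiomatically in modifier form, `@is_valid = validate unless instance_variable_defined?(:@is_valid)`. `validate` continues after the hunk.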
@@ -12,7 +12,7 @@ describe Onelogin::Saml::Response do
12
12
  end
13
13
 
14
14
  it "should find the right attributes from an encrypted assertion" do
15
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
15
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
16
16
  @response.should be_is_valid
17
17
 
18
18
  @response.used_key.should == fixture_path("test1-key.pem")
@@ -23,15 +23,27 @@ describe Onelogin::Saml::Response do
23
23
  @response.status_message.strip.should == ""
24
24
  end
25
25
 
26
+ it "rejects assertions older than 5 minutes" do
27
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:58:58Z"))
28
+ @response.should_not be_is_valid
29
+ @response.validation_error.should eq "Assertion expired"
30
+ end
31
+
32
+ it "rejects assertions from the future" do
33
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2010-11-05T15:58:58Z"))
34
+ @response.should_not be_is_valid
35
+ @response.validation_error.should eq "Assertion not yet valid"
36
+ end
37
+
26
38
  it "support multiple valid certs" do
27
39
  @settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
28
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
40
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
29
41
  @response.should be_is_valid
30
42
  end
31
43
 
32
44
  it "gives a decent error for a fingerprint problem" do
33
45
  @settings.idp_cert_fingerprint = ['somethingold']
34
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
46
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
35
47
  @response.should_not be_is_valid
36
48
  @response.validation_error.should match(/somethingold/)
37
49
  end
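Review bot: The two new examples exercise the expired and not-yet-valid branches, but the `"No timestamp in message"` branch has no example; a fixture whose Assertion lacks an IssueInstant (or carries an unparseable one) should be asserted to be invalid with that message, since that branch is what turns a missing timestamp into a rejection rather than a silently accepted response. The boundary is also untested: an `as_of` exactly five minutes after the fixture's IssueInstant is accepted by the `<` comparison while one second later is rejected, and a pair of examples at those two instants would pin the intended edge. The same applies to the not-yet-valid edge on the other side of the window.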
@@ -39,7 +51,7 @@ describe Onelogin::Saml::Response do
39
51
  it "should not be able to decrypt without the proper key" do
40
52
  @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
41
53
  XMLSecurity.mute do
42
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
54
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
43
55
  end
44
56
  document = REXML::Document.new(@response.decrypted_document.to_s)
45
57
  REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should be_nil
@@ -50,7 +62,7 @@ describe Onelogin::Saml::Response do
50
62
  @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
51
63
  @settings.xmlsec_additional_privatekeys = [fixture_path("test1-key.pem")]
52
64
  XMLSecurity.mute do
53
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
65
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
54
66
  end
55
67
  document = REXML::Document.new(@response.decrypted_document.to_s)
56
68
  REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should_not be_nil
@@ -65,7 +77,7 @@ describe Onelogin::Saml::Response do
65
77
  it "should not verify when XSLT transforms are being used" do
66
78
  @xmlb64 = Base64.encode64(File.read(fixture_path("test4-response.xml")))
67
79
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
68
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
80
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
69
81
 
70
82
  XMLSecurity.mute do
71
83
  @response.should_not be_is_valid
@@ -77,7 +89,7 @@ describe Onelogin::Saml::Response do
77
89
  it "should not allow external reference URIs" do
78
90
  @xmlb64 = Base64.encode64(File.read(fixture_path("test5-response.xml")))
79
91
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
80
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
92
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
81
93
 
82
94
  XMLSecurity.mute do
83
95
  @response.should_not be_is_valid
@@ -91,7 +103,7 @@ describe Onelogin::Saml::Response do
91
103
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33')
92
104
  @response = Onelogin::Saml::Response.new(@xmlb64)
93
105
  @response.disable_signature_validation!(@settings)
94
- @response.process(@settings)
106
+ @response.process(@settings, as_of: Time.parse('2011-11-05T15:51:58Z'))
95
107
  @response.name_id.should == "zach@example.com"
96
108
  @response.name_qualifier.should == "http://saml.example.com:8080/opensso"
97
109
  @response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
@@ -107,7 +119,7 @@ describe Onelogin::Saml::Response do
107
119
  @xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_nameid.xml")))
108
120
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
109
121
  @response = Onelogin::Saml::Response.new(@xmlb64)
110
- @response.process(@settings)
122
+ @response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
111
123
  @response.should be_is_valid
112
124
  @response.name_id.should == "_3b3e7714b72e29dc4290321a075fa0b73333a4f25f"
113
125
  end
@@ -116,7 +128,7 @@ describe Onelogin::Saml::Response do
116
128
  @xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_attributes.xml")))
117
129
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
118
130
  @response = Onelogin::Saml::Response.new(@xmlb64)
119
- @response.process(@settings)
131
+ @response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
120
132
  @response.should be_is_valid
121
133
  @response.saml_attributes['eduPersonAffiliation'].should == 'member'
122
134
  @response.saml_attributes['eduPersonPrincipalName'].should == 'student@example.edu'
@@ -126,7 +138,7 @@ describe Onelogin::Saml::Response do
126
138
  @xmlb64 = Base64.encode64(File.read(fixture_path('xml_signature_wrapping_attack_duplicate_ids.xml')))
127
139
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => '7292914fc5bffa6f3fe1e43fd47c205395fecfa2')
128
140
  @response = Onelogin::Saml::Response.new(@xmlb64)
129
- @response.process(@settings)
141
+ @response.process(@settings, as_of: Time.parse('2014-02-01T13:48:10.831Z'))
130
142
  @response.should_not be_is_valid
131
143
  end
132
144
 
@@ -134,7 +146,7 @@ describe Onelogin::Saml::Response do
134
146
  @xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
135
147
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
136
148
  @response = Onelogin::Saml::Response.new(@xmlb64)
137
- @response.process(@settings)
149
+ @response.process(@settings, as_of: Time.parse("2015-02-27T19:12:52Z"))
138
150
  @response.should be_is_valid
139
151
  @response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
140
152
  end
@@ -142,7 +154,7 @@ describe Onelogin::Saml::Response do
142
154
  it "should allow non-ascii characters in attributes" do
143
155
  @xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
144
156
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
145
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
157
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
146
158
  @response.should be_is_valid
147
159
  @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
148
160
  @response.saml_attributes['eduPersonAffiliation'].should == 'member'
@@ -154,7 +166,7 @@ describe Onelogin::Saml::Response do
154
166
  it "should map OIDs to known attributes" do
155
167
  @xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
156
168
  @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
157
- @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
169
+ @response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2012-08-03T20:07:15Z"))
158
170
  @response.should be_is_valid
159
171
  @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
160
172
  @response.saml_attributes['eduPersonAffiliation'].should == 'member'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml-mod
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.6
4
+ version: 0.3.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
@@ -14,7 +14,7 @@ authors:
14
14
  autorequire:
15
15
  bindir: bin
16
16
  cert_chain: []
17
- date: 2017-07-18 00:00:00.000000000 Z
17
+ date: 2017-10-28 00:00:00.000000000 Z
18
18
  dependencies:
19
19
  - !ruby/object:Gem::Dependency
20
20
  name: nokogiri
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
138
138
  version: '0'
139
139
  requirements: []
140
140
  rubyforge_project:
141
- rubygems_version: 2.6.11
141
+ rubygems_version: 2.6.13
142
142
  signing_key:
143
143
  specification_version: 4
144
144
  summary: Ruby library for SAML service providers