ruby-saml-mod 0.3.6 → 0.3.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/onelogin/saml/response.rb +22 -4
- data/spec/response_spec.rb +26 -14
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b1b242e9ff3858681e80c4091494d480e2611088
|
|
4
|
+
data.tar.gz: 1dc877f9a2879b6e37687b78ab439da852f408bf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 05a823a73ff85abcccc37895b2d4fbbfe94f87963c892a3e3ddf4281e28ec023cc6ea50625ffc23788ad3cd9b353df7190823e10ae4752f6412fb9e2df2ec1b7
|
|
7
|
+
data.tar.gz: 76e7c832f85e0e1e47a14484c3a55af32ab437b77b07a386f403ddb30ec2503f3fff5f293df0ff17b41b22fbce27372f0c3d2c7f98a2cb841c8d439f38f56a87
|
|
@@ -8,7 +8,7 @@ module Onelogin::Saml
|
|
|
8
8
|
attr_reader :in_response_to, :destination, :issuer
|
|
9
9
|
attr_reader :validation_error, :used_key
|
|
10
10
|
|
|
11
|
-
def initialize(response, settings=nil)
|
|
11
|
+
def initialize(response, settings=nil, as_of: Time.now)
|
|
12
12
|
@response = response
|
|
13
13
|
|
|
14
14
|
begin
|
|
@@ -25,10 +25,10 @@ module Onelogin::Saml
|
|
|
25
25
|
@issuer ||= document.at_xpath("/samlp:Response/saml:Assertion/saml:Issuer", Onelogin::NAMESPACES).content.strip rescue nil
|
|
26
26
|
@status_code = document.at_xpath("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil
|
|
27
27
|
|
|
28
|
-
process(settings) if settings
|
|
28
|
+
process(settings, as_of: as_of) if settings
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
def process(settings)
|
|
31
|
+
def process(settings, as_of: Time.now)
|
|
32
32
|
@settings = settings
|
|
33
33
|
@logger = settings.logger
|
|
34
34
|
return unless @response
|
|
@@ -42,12 +42,27 @@ module Onelogin::Saml
|
|
|
42
42
|
@name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
|
|
43
43
|
@sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
|
|
44
44
|
@session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
|
|
45
|
+
@issue_instant = trusted_find_first("saml:Assertion")["IssueInstant"] rescue nil
|
|
45
46
|
|
|
46
47
|
@saml_attributes = {}
|
|
47
48
|
trusted_find("saml:Attribute").each do |attr|
|
|
48
49
|
attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
|
|
49
50
|
@saml_attributes[attrname] = attr.content.strip rescue nil
|
|
50
51
|
end
|
|
52
|
+
|
|
53
|
+
if @is_valid
|
|
54
|
+
@issue_instant = Time.parse(@issue_instant) if @issue_instant
|
|
55
|
+
if !@issue_instant
|
|
56
|
+
@is_valid = false
|
|
57
|
+
@validation_error = "No timestamp in message"
|
|
58
|
+
elsif @issue_instant + 5 * 60 < as_of
|
|
59
|
+
@is_valid = false
|
|
60
|
+
@validation_error = "Assertion expired"
|
|
61
|
+
elsif @issue_instant - 5 * 60 > as_of
|
|
62
|
+
@is_valid = false
|
|
63
|
+
@validation_error = "Assertion not yet valid"
|
|
64
|
+
end
|
|
65
|
+
end
|
|
51
66
|
end
|
|
52
67
|
|
|
53
68
|
def disable_signature_validation!(settings)
|
|
@@ -79,7 +94,10 @@ module Onelogin::Saml
|
|
|
79
94
|
end
|
|
80
95
|
|
|
81
96
|
def is_valid?
|
|
82
|
-
|
|
97
|
+
if !instance_variable_defined?(:@is_valid)
|
|
98
|
+
@is_valid = validate
|
|
99
|
+
end
|
|
100
|
+
@is_valid
|
|
83
101
|
end
|
|
84
102
|
|
|
85
103
|
def validate
|
data/spec/response_spec.rb
CHANGED
|
@@ -12,7 +12,7 @@ describe Onelogin::Saml::Response do
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
it "should find the right attributes from an encrypted assertion" do
|
|
15
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
15
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
16
16
|
@response.should be_is_valid
|
|
17
17
|
|
|
18
18
|
@response.used_key.should == fixture_path("test1-key.pem")
|
|
@@ -23,15 +23,27 @@ describe Onelogin::Saml::Response do
|
|
|
23
23
|
@response.status_message.strip.should == ""
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
+
it "rejects assertions older than 5 minutes" do
|
|
27
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:58:58Z"))
|
|
28
|
+
@response.should_not be_is_valid
|
|
29
|
+
@response.validation_error.should eq "Assertion expired"
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
it "rejects assertions from the future" do
|
|
33
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2010-11-05T15:58:58Z"))
|
|
34
|
+
@response.should_not be_is_valid
|
|
35
|
+
@response.validation_error.should eq "Assertion not yet valid"
|
|
36
|
+
end
|
|
37
|
+
|
|
26
38
|
it "support multiple valid certs" do
|
|
27
39
|
@settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
|
|
28
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
40
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
29
41
|
@response.should be_is_valid
|
|
30
42
|
end
|
|
31
43
|
|
|
32
44
|
it "gives a decent error for a fingerprint problem" do
|
|
33
45
|
@settings.idp_cert_fingerprint = ['somethingold']
|
|
34
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
46
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
35
47
|
@response.should_not be_is_valid
|
|
36
48
|
@response.validation_error.should match(/somethingold/)
|
|
37
49
|
end
|
|
@@ -39,7 +51,7 @@ describe Onelogin::Saml::Response do
|
|
|
39
51
|
it "should not be able to decrypt without the proper key" do
|
|
40
52
|
@settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
|
|
41
53
|
XMLSecurity.mute do
|
|
42
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
54
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
43
55
|
end
|
|
44
56
|
document = REXML::Document.new(@response.decrypted_document.to_s)
|
|
45
57
|
REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should be_nil
|
|
@@ -50,7 +62,7 @@ describe Onelogin::Saml::Response do
|
|
|
50
62
|
@settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
|
|
51
63
|
@settings.xmlsec_additional_privatekeys = [fixture_path("test1-key.pem")]
|
|
52
64
|
XMLSecurity.mute do
|
|
53
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
65
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
54
66
|
end
|
|
55
67
|
document = REXML::Document.new(@response.decrypted_document.to_s)
|
|
56
68
|
REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should_not be_nil
|
|
@@ -65,7 +77,7 @@ describe Onelogin::Saml::Response do
|
|
|
65
77
|
it "should not verify when XSLT transforms are being used" do
|
|
66
78
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test4-response.xml")))
|
|
67
79
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
|
|
68
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
80
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
|
|
69
81
|
|
|
70
82
|
XMLSecurity.mute do
|
|
71
83
|
@response.should_not be_is_valid
|
|
@@ -77,7 +89,7 @@ describe Onelogin::Saml::Response do
|
|
|
77
89
|
it "should not allow external reference URIs" do
|
|
78
90
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test5-response.xml")))
|
|
79
91
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
|
|
80
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
92
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
|
|
81
93
|
|
|
82
94
|
XMLSecurity.mute do
|
|
83
95
|
@response.should_not be_is_valid
|
|
@@ -91,7 +103,7 @@ describe Onelogin::Saml::Response do
|
|
|
91
103
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33')
|
|
92
104
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
93
105
|
@response.disable_signature_validation!(@settings)
|
|
94
|
-
@response.process(@settings)
|
|
106
|
+
@response.process(@settings, as_of: Time.parse('2011-11-05T15:51:58Z'))
|
|
95
107
|
@response.name_id.should == "zach@example.com"
|
|
96
108
|
@response.name_qualifier.should == "http://saml.example.com:8080/opensso"
|
|
97
109
|
@response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
|
|
@@ -107,7 +119,7 @@ describe Onelogin::Saml::Response do
|
|
|
107
119
|
@xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_nameid.xml")))
|
|
108
120
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
109
121
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
110
|
-
@response.process(@settings)
|
|
122
|
+
@response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
|
|
111
123
|
@response.should be_is_valid
|
|
112
124
|
@response.name_id.should == "_3b3e7714b72e29dc4290321a075fa0b73333a4f25f"
|
|
113
125
|
end
|
|
@@ -116,7 +128,7 @@ describe Onelogin::Saml::Response do
|
|
|
116
128
|
@xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_attributes.xml")))
|
|
117
129
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
118
130
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
119
|
-
@response.process(@settings)
|
|
131
|
+
@response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
|
|
120
132
|
@response.should be_is_valid
|
|
121
133
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
|
122
134
|
@response.saml_attributes['eduPersonPrincipalName'].should == 'student@example.edu'
|
|
@@ -126,7 +138,7 @@ describe Onelogin::Saml::Response do
|
|
|
126
138
|
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_signature_wrapping_attack_duplicate_ids.xml')))
|
|
127
139
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => '7292914fc5bffa6f3fe1e43fd47c205395fecfa2')
|
|
128
140
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
129
|
-
@response.process(@settings)
|
|
141
|
+
@response.process(@settings, as_of: Time.parse('2014-02-01T13:48:10.831Z'))
|
|
130
142
|
@response.should_not be_is_valid
|
|
131
143
|
end
|
|
132
144
|
|
|
@@ -134,7 +146,7 @@ describe Onelogin::Saml::Response do
|
|
|
134
146
|
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
|
|
135
147
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
|
|
136
148
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
137
|
-
@response.process(@settings)
|
|
149
|
+
@response.process(@settings, as_of: Time.parse("2015-02-27T19:12:52Z"))
|
|
138
150
|
@response.should be_is_valid
|
|
139
151
|
@response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
|
|
140
152
|
end
|
|
@@ -142,7 +154,7 @@ describe Onelogin::Saml::Response do
|
|
|
142
154
|
it "should allow non-ascii characters in attributes" do
|
|
143
155
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
|
|
144
156
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
145
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
157
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
|
|
146
158
|
@response.should be_is_valid
|
|
147
159
|
@response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
|
|
148
160
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
|
@@ -154,7 +166,7 @@ describe Onelogin::Saml::Response do
|
|
|
154
166
|
it "should map OIDs to known attributes" do
|
|
155
167
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
|
|
156
168
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
157
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
169
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2012-08-03T20:07:15Z"))
|
|
158
170
|
@response.should be_is_valid
|
|
159
171
|
@response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
|
|
160
172
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2017-
|
|
17
|
+
date: 2017-10-28 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: nokogiri
|
|
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
138
|
version: '0'
|
|
139
139
|
requirements: []
|
|
140
140
|
rubyforge_project:
|
|
141
|
-
rubygems_version: 2.6.
|
|
141
|
+
rubygems_version: 2.6.13
|
|
142
142
|
signing_key:
|
|
143
143
|
specification_version: 4
|
|
144
144
|
summary: Ruby library for SAML service providers
|