ruby-saml-mod 0.2.3 → 0.2.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/xml_sec.rb +3 -2
- data/spec/fixtures/xml_missigned_assertion.xml +84 -0
- data/spec/response_spec.rb +9 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7770e817d19d3dd3b26a161a3d1c81d09de8bfe1
|
|
4
|
+
data.tar.gz: c9fc53f57bf54347f9f4b9e8ae76a2195ae239f9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 488908ad982d9a8f1859d753243e4ff5f0c9718bb8fc9b2d59ae76b175104484353f02bd4390404a99fd5f5b62965db4015c638c094f90dccf7aff89c0566552
|
|
7
|
+
data.tar.gz: 37ad288d7e2f6665a288e43dc4bd383b91209c226e67042e0a44f72b87925e85e5e619194a2062d203b704e19c711b405363d4cdc27bdd6f22724cffec025e1c
|
data/lib/xml_sec.rb
CHANGED
|
@@ -330,7 +330,7 @@ module XMLSecurity
|
|
|
330
330
|
|
|
331
331
|
def signed_roots
|
|
332
332
|
signatures.map do |sig|
|
|
333
|
-
ref = sig.find('
|
|
333
|
+
ref = sig.find('./ds:SignedInfo/ds:Reference', Onelogin::NAMESPACES).first
|
|
334
334
|
signed_element_id = ref['URI'].sub(/^#/, '')
|
|
335
335
|
|
|
336
336
|
if signed_element_id.empty?
|
|
@@ -344,7 +344,8 @@ module XMLSecurity
|
|
|
344
344
|
end
|
|
345
345
|
|
|
346
346
|
def signatures
|
|
347
|
-
|
|
347
|
+
# we only return the first, cause our signature validation only checks the first
|
|
348
|
+
@signatures ||= [self.find_first("//ds:Signature", Onelogin::NAMESPACES)]
|
|
348
349
|
end
|
|
349
350
|
|
|
350
351
|
def validate(idp_cert_fingerprint, logger = nil)
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_e5d6a82d-17b4-4bbb-9875-d76ba51fd4d6" Version="2.0" IssueInstant="2015-02-27T19:12:52Z" Destination=""><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">issuer</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe4" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
3
|
+
<SignedInfo>
|
|
4
|
+
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
5
|
+
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
6
|
+
<Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe4">
|
|
7
|
+
<Transforms>
|
|
8
|
+
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
9
|
+
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
10
|
+
</Transforms>
|
|
11
|
+
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|
|
12
|
+
<DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
|
|
13
|
+
</Reference>
|
|
14
|
+
</SignedInfo>
|
|
15
|
+
<SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
|
|
16
|
+
kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
|
|
17
|
+
kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
|
|
18
|
+
<KeyInfo>
|
|
19
|
+
<X509Data>
|
|
20
|
+
<X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
|
|
21
|
+
BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
|
|
22
|
+
cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
|
|
23
|
+
CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
|
|
24
|
+
MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
|
|
25
|
+
QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
|
|
26
|
+
T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
|
|
27
|
+
SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
|
|
28
|
+
EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
|
|
29
|
+
+q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
|
|
30
|
+
tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
|
|
31
|
+
sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
|
|
32
|
+
VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
|
|
33
|
+
dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
|
|
34
|
+
AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
|
|
35
|
+
/zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
|
|
36
|
+
7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
|
|
37
|
+
hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
|
|
38
|
+
3CcHYg==</X509Certificate>
|
|
39
|
+
</X509Data>
|
|
40
|
+
</KeyInfo>
|
|
41
|
+
</Signature></saml:Assertion>
|
|
42
|
+
|
|
43
|
+
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_57bea33f-2b75-4594-afd8-3ff6eddfafe5" Version="2.0" IssueInstant="2015-02-27T19:12:52Z"><saml:Issuer>issuer</saml:Issuer><saml:Subject><saml:NameID>subject</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-27T19:12:52Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
44
|
+
<SignedInfo>
|
|
45
|
+
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
46
|
+
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|
|
47
|
+
<Reference URI="#_57bea33f-2b75-4594-afd8-3ff6eddfafe5">
|
|
48
|
+
<Transforms>
|
|
49
|
+
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
|
|
50
|
+
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|
|
51
|
+
</Transforms>
|
|
52
|
+
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|
|
53
|
+
<DigestValue>oZBUEUDLHCTj6dYfHZGU2ilujLs=</DigestValue>
|
|
54
|
+
</Reference>
|
|
55
|
+
</SignedInfo>
|
|
56
|
+
<SignatureValue>QATC6nOEfT2cxOkARTwqGMqzL8t0HjcXZCR7MSSriORm0QjX8xYl6eHVKmM0Ia9p
|
|
57
|
+
kRVTXNrw9eYnAY6txOXLZJap11/DorP4lA6nad1qcai/fqHmScwd/mJsVS+1hTWV
|
|
58
|
+
kRyIZV59rcwAAdOAEJ8iE+lfKjSg0cVHVKDxehIlIg0=</SignatureValue>
|
|
59
|
+
<KeyInfo>
|
|
60
|
+
<X509Data>
|
|
61
|
+
<X509Certificate>MIIDYDCCAsmgAwIBAgIJAK4l0RpJVxtEMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNV
|
|
62
|
+
BAYTAlVTMQswCQYDVQQIEwJVVDEMMAoGA1UEBxMDU0xDMRQwEgYDVQQKEwtJbnN0
|
|
63
|
+
cnVjdHVyZTEMMAoGA1UECxMDT3BzMQwwCgYDVQQDEwNPcHMxIjAgBgkqhkiG9w0B
|
|
64
|
+
CQEWE29wc0BpbnN0cnVjdHVyZS5jb20wHhcNMTExMTA1MTU0OTA4WhcNMTMxMTA0
|
|
65
|
+
MTU0OTA4WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NM
|
|
66
|
+
QzEUMBIGA1UEChMLSW5zdHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMD
|
|
67
|
+
T3BzMSIwIAYJKoZIhvcNAQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tMIGfMA0GCSqG
|
|
68
|
+
SIb3DQEBAQUAA4GNADCBiQKBgQDNVWUJ89UARD2GBLow5+W1EW5LFgI2o4N0fAgJ
|
|
69
|
+
EFV6KPbEokdWrzHlLmfaxdDyIK+QilQqdtg3hU96zIFp8Dk9xnxJNYo1iIzZllrA
|
|
70
|
+
+q95Dwf5sDTioD3IHF2GL0CO1BhA6FX1d3ZuAaIwCI7G4Dw1PjBaUzHr99S9iwBJ
|
|
71
|
+
tHvD6QIDAQABo4HlMIHiMB0GA1UdDgQWBBTCgEaIGTcvWLIi26vv+hycCcYxBjCB
|
|
72
|
+
sgYDVR0jBIGqMIGngBTCgEaIGTcvWLIi26vv+hycCcYxBqGBg6SBgDB+MQswCQYD
|
|
73
|
+
VQQGEwJVUzELMAkGA1UECBMCVVQxDDAKBgNVBAcTA1NMQzEUMBIGA1UEChMLSW5z
|
|
74
|
+
dHJ1Y3R1cmUxDDAKBgNVBAsTA09wczEMMAoGA1UEAxMDT3BzMSIwIAYJKoZIhvcN
|
|
75
|
+
AQkBFhNvcHNAaW5zdHJ1Y3R1cmUuY29tggkAriXRGklXG0QwDAYDVR0TBAUwAwEB
|
|
76
|
+
/zANBgkqhkiG9w0BAQUFAAOBgQBWmVrGPhzKeyz7vkMdSSJZPnZa/KP9sOMzJikm
|
|
77
|
+
7S26qjMnPiqRavnEy1EkN21AEkyZ3HzqtHgaelvusuA95sdBBG/8EAhtN9y6i6j7
|
|
78
|
+
hTMo2gYwdIW/oW74ZjnuzGoHZUba3yPxV6aFoBB+rh2n22PCbfM1lgSwVPhsXz4G
|
|
79
|
+
3CcHYg==</X509Certificate>
|
|
80
|
+
</X509Data>
|
|
81
|
+
</KeyInfo>
|
|
82
|
+
</Signature></saml:Assertion>
|
|
83
|
+
|
|
84
|
+
</samlp:Response>
|
data/spec/response_spec.rb
CHANGED
|
@@ -116,6 +116,15 @@ describe Onelogin::Saml::Response do
|
|
|
116
116
|
@response.should_not be_is_valid
|
|
117
117
|
end
|
|
118
118
|
|
|
119
|
+
it "should protect against additional mis-signed assertions" do
|
|
120
|
+
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
|
|
121
|
+
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
|
|
122
|
+
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
123
|
+
@response.process(@settings)
|
|
124
|
+
@response.should be_is_valid
|
|
125
|
+
@response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
|
|
126
|
+
end
|
|
127
|
+
|
|
119
128
|
it "should allow non-ascii characters in attributes" do
|
|
120
129
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
|
|
121
130
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2015-
|
|
17
|
+
date: 2015-03-06 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: libxml-ruby
|
|
@@ -103,6 +103,7 @@ files:
|
|
|
103
103
|
- spec/fixtures/test5-response.xml
|
|
104
104
|
- spec/fixtures/test6-response.xml
|
|
105
105
|
- spec/fixtures/wrong-key.pem
|
|
106
|
+
- spec/fixtures/xml_missigned_assertion.xml
|
|
106
107
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
107
108
|
- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
|
|
108
109
|
- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
|
|
@@ -131,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
131
132
|
version: '0'
|
|
132
133
|
requirements: []
|
|
133
134
|
rubyforge_project:
|
|
134
|
-
rubygems_version: 2.
|
|
135
|
+
rubygems_version: 2.4.5
|
|
135
136
|
signing_key:
|
|
136
137
|
specification_version: 4
|
|
137
138
|
summary: Ruby library for SAML service providers
|
|
@@ -148,6 +149,7 @@ test_files:
|
|
|
148
149
|
- spec/fixtures/test5-response.xml
|
|
149
150
|
- spec/fixtures/test6-response.xml
|
|
150
151
|
- spec/fixtures/wrong-key.pem
|
|
152
|
+
- spec/fixtures/xml_missigned_assertion.xml
|
|
151
153
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
152
154
|
- spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml
|
|
153
155
|
- spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml
|