ruby-saml-mod 0.3.6 → 0.3.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/onelogin/saml/response.rb +22 -4
- data/spec/response_spec.rb +26 -14
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b1b242e9ff3858681e80c4091494d480e2611088
|
|
4
|
+
data.tar.gz: 1dc877f9a2879b6e37687b78ab439da852f408bf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 05a823a73ff85abcccc37895b2d4fbbfe94f87963c892a3e3ddf4281e28ec023cc6ea50625ffc23788ad3cd9b353df7190823e10ae4752f6412fb9e2df2ec1b7
|
|
7
|
+
data.tar.gz: 76e7c832f85e0e1e47a14484c3a55af32ab437b77b07a386f403ddb30ec2503f3fff5f293df0ff17b41b22fbce27372f0c3d2c7f98a2cb841c8d439f38f56a87
|
|
@@ -8,7 +8,7 @@ module Onelogin::Saml
|
|
|
8
8
|
attr_reader :in_response_to, :destination, :issuer
|
|
9
9
|
attr_reader :validation_error, :used_key
|
|
10
10
|
|
|
11
|
-
def initialize(response, settings=nil)
|
|
11
|
+
def initialize(response, settings=nil, as_of: Time.now)
|
|
12
12
|
@response = response
|
|
13
13
|
|
|
14
14
|
begin
|
|
@@ -25,10 +25,10 @@ module Onelogin::Saml
|
|
|
25
25
|
@issuer ||= document.at_xpath("/samlp:Response/saml:Assertion/saml:Issuer", Onelogin::NAMESPACES).content.strip rescue nil
|
|
26
26
|
@status_code = document.at_xpath("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil
|
|
27
27
|
|
|
28
|
-
process(settings) if settings
|
|
28
|
+
process(settings, as_of: as_of) if settings
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
def process(settings)
|
|
31
|
+
def process(settings, as_of: Time.now)
|
|
32
32
|
@settings = settings
|
|
33
33
|
@logger = settings.logger
|
|
34
34
|
return unless @response
|
|
@@ -42,12 +42,27 @@ module Onelogin::Saml
|
|
|
42
42
|
@name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
|
|
43
43
|
@sp_name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["SPNameQualifier"] rescue nil
|
|
44
44
|
@session_index = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
|
|
45
|
+
@issue_instant = trusted_find_first("saml:Assertion")["IssueInstant"] rescue nil
|
|
45
46
|
|
|
46
47
|
@saml_attributes = {}
|
|
47
48
|
trusted_find("saml:Attribute").each do |attr|
|
|
48
49
|
attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
|
|
49
50
|
@saml_attributes[attrname] = attr.content.strip rescue nil
|
|
50
51
|
end
|
|
52
|
+
|
|
53
|
+
if @is_valid
|
|
54
|
+
@issue_instant = Time.parse(@issue_instant) if @issue_instant
|
|
55
|
+
if !@issue_instant
|
|
56
|
+
@is_valid = false
|
|
57
|
+
@validation_error = "No timestamp in message"
|
|
58
|
+
elsif @issue_instant + 5 * 60 < as_of
|
|
59
|
+
@is_valid = false
|
|
60
|
+
@validation_error = "Assertion expired"
|
|
61
|
+
elsif @issue_instant - 5 * 60 > as_of
|
|
62
|
+
@is_valid = false
|
|
63
|
+
@validation_error = "Assertion not yet valid"
|
|
64
|
+
end
|
|
65
|
+
end
|
|
51
66
|
end
|
|
52
67
|
|
|
53
68
|
def disable_signature_validation!(settings)
|
|
@@ -79,7 +94,10 @@ module Onelogin::Saml
|
|
|
79
94
|
end
|
|
80
95
|
|
|
81
96
|
def is_valid?
|
|
82
|
-
|
|
97
|
+
if !instance_variable_defined?(:@is_valid)
|
|
98
|
+
@is_valid = validate
|
|
99
|
+
end
|
|
100
|
+
@is_valid
|
|
83
101
|
end
|
|
84
102
|
|
|
85
103
|
def validate
|
data/spec/response_spec.rb
CHANGED
|
@@ -12,7 +12,7 @@ describe Onelogin::Saml::Response do
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
it "should find the right attributes from an encrypted assertion" do
|
|
15
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
15
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
16
16
|
@response.should be_is_valid
|
|
17
17
|
|
|
18
18
|
@response.used_key.should == fixture_path("test1-key.pem")
|
|
@@ -23,15 +23,27 @@ describe Onelogin::Saml::Response do
|
|
|
23
23
|
@response.status_message.strip.should == ""
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
+
it "rejects assertions older than 5 minutes" do
|
|
27
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:58:58Z"))
|
|
28
|
+
@response.should_not be_is_valid
|
|
29
|
+
@response.validation_error.should eq "Assertion expired"
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
it "rejects assertions from the future" do
|
|
33
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2010-11-05T15:58:58Z"))
|
|
34
|
+
@response.should_not be_is_valid
|
|
35
|
+
@response.validation_error.should eq "Assertion not yet valid"
|
|
36
|
+
end
|
|
37
|
+
|
|
26
38
|
it "support multiple valid certs" do
|
|
27
39
|
@settings.idp_cert_fingerprint = ['somethingold', 'def18dbed547cdf3d52b627f41637c443045fe33']
|
|
28
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
40
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
29
41
|
@response.should be_is_valid
|
|
30
42
|
end
|
|
31
43
|
|
|
32
44
|
it "gives a decent error for a fingerprint problem" do
|
|
33
45
|
@settings.idp_cert_fingerprint = ['somethingold']
|
|
34
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
46
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
35
47
|
@response.should_not be_is_valid
|
|
36
48
|
@response.validation_error.should match(/somethingold/)
|
|
37
49
|
end
|
|
@@ -39,7 +51,7 @@ describe Onelogin::Saml::Response do
|
|
|
39
51
|
it "should not be able to decrypt without the proper key" do
|
|
40
52
|
@settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
|
|
41
53
|
XMLSecurity.mute do
|
|
42
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
54
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
43
55
|
end
|
|
44
56
|
document = REXML::Document.new(@response.decrypted_document.to_s)
|
|
45
57
|
REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should be_nil
|
|
@@ -50,7 +62,7 @@ describe Onelogin::Saml::Response do
|
|
|
50
62
|
@settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
|
|
51
63
|
@settings.xmlsec_additional_privatekeys = [fixture_path("test1-key.pem")]
|
|
52
64
|
XMLSecurity.mute do
|
|
53
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
65
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2011-11-05T15:51:58Z"))
|
|
54
66
|
end
|
|
55
67
|
document = REXML::Document.new(@response.decrypted_document.to_s)
|
|
56
68
|
REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should_not be_nil
|
|
@@ -65,7 +77,7 @@ describe Onelogin::Saml::Response do
|
|
|
65
77
|
it "should not verify when XSLT transforms are being used" do
|
|
66
78
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test4-response.xml")))
|
|
67
79
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
|
|
68
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
80
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
|
|
69
81
|
|
|
70
82
|
XMLSecurity.mute do
|
|
71
83
|
@response.should_not be_is_valid
|
|
@@ -77,7 +89,7 @@ describe Onelogin::Saml::Response do
|
|
|
77
89
|
it "should not allow external reference URIs" do
|
|
78
90
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test5-response.xml")))
|
|
79
91
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
|
|
80
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
92
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-06-03T12:43:56Z"))
|
|
81
93
|
|
|
82
94
|
XMLSecurity.mute do
|
|
83
95
|
@response.should_not be_is_valid
|
|
@@ -91,7 +103,7 @@ describe Onelogin::Saml::Response do
|
|
|
91
103
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33')
|
|
92
104
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
93
105
|
@response.disable_signature_validation!(@settings)
|
|
94
|
-
@response.process(@settings)
|
|
106
|
+
@response.process(@settings, as_of: Time.parse('2011-11-05T15:51:58Z'))
|
|
95
107
|
@response.name_id.should == "zach@example.com"
|
|
96
108
|
@response.name_qualifier.should == "http://saml.example.com:8080/opensso"
|
|
97
109
|
@response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
|
|
@@ -107,7 +119,7 @@ describe Onelogin::Saml::Response do
|
|
|
107
119
|
@xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_nameid.xml")))
|
|
108
120
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
109
121
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
110
|
-
@response.process(@settings)
|
|
122
|
+
@response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
|
|
111
123
|
@response.should be_is_valid
|
|
112
124
|
@response.name_id.should == "_3b3e7714b72e29dc4290321a075fa0b73333a4f25f"
|
|
113
125
|
end
|
|
@@ -116,7 +128,7 @@ describe Onelogin::Saml::Response do
|
|
|
116
128
|
@xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_attributes.xml")))
|
|
117
129
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
118
130
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
119
|
-
@response.process(@settings)
|
|
131
|
+
@response.process(@settings, as_of: Time.parse('2012-08-03T20:07:16Z'))
|
|
120
132
|
@response.should be_is_valid
|
|
121
133
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
|
122
134
|
@response.saml_attributes['eduPersonPrincipalName'].should == 'student@example.edu'
|
|
@@ -126,7 +138,7 @@ describe Onelogin::Saml::Response do
|
|
|
126
138
|
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_signature_wrapping_attack_duplicate_ids.xml')))
|
|
127
139
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => '7292914fc5bffa6f3fe1e43fd47c205395fecfa2')
|
|
128
140
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
129
|
-
@response.process(@settings)
|
|
141
|
+
@response.process(@settings, as_of: Time.parse('2014-02-01T13:48:10.831Z'))
|
|
130
142
|
@response.should_not be_is_valid
|
|
131
143
|
end
|
|
132
144
|
|
|
@@ -134,7 +146,7 @@ describe Onelogin::Saml::Response do
|
|
|
134
146
|
@xmlb64 = Base64.encode64(File.read(fixture_path('xml_missigned_assertion.xml')))
|
|
135
147
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'c38e789fcfbbd4727bd8ff7fc365b44fc3596bda')
|
|
136
148
|
@response = Onelogin::Saml::Response.new(@xmlb64)
|
|
137
|
-
@response.process(@settings)
|
|
149
|
+
@response.process(@settings, as_of: Time.parse("2015-02-27T19:12:52Z"))
|
|
138
150
|
@response.should be_is_valid
|
|
139
151
|
@response.saml_attributes['eduPersonPrincipalName'].should == 'cody'
|
|
140
152
|
end
|
|
@@ -142,7 +154,7 @@ describe Onelogin::Saml::Response do
|
|
|
142
154
|
it "should allow non-ascii characters in attributes" do
|
|
143
155
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
|
|
144
156
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
145
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
157
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2014-09-16T22:15:53Z"))
|
|
146
158
|
@response.should be_is_valid
|
|
147
159
|
@response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
|
|
148
160
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
|
@@ -154,7 +166,7 @@ describe Onelogin::Saml::Response do
|
|
|
154
166
|
it "should map OIDs to known attributes" do
|
|
155
167
|
@xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
|
|
156
168
|
@settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
|
|
157
|
-
@response = Onelogin::Saml::Response.new(@xmlb64, @settings)
|
|
169
|
+
@response = Onelogin::Saml::Response.new(@xmlb64, @settings, as_of: Time.parse("2012-08-03T20:07:15Z"))
|
|
158
170
|
@response.should be_is_valid
|
|
159
171
|
@response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
|
|
160
172
|
@response.saml_attributes['eduPersonAffiliation'].should == 'member'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml-mod
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2017-
|
|
17
|
+
date: 2017-10-28 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: nokogiri
|
|
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
138
|
version: '0'
|
|
139
139
|
requirements: []
|
|
140
140
|
rubyforge_project:
|
|
141
|
-
rubygems_version: 2.6.
|
|
141
|
+
rubygems_version: 2.6.13
|
|
142
142
|
signing_key:
|
|
143
143
|
specification_version: 4
|
|
144
144
|
summary: Ruby library for SAML service providers
|