ruby-saml 0.4.1 → 0.4.2

data/VERSION

@@ -1 +1 @@
-0.4.1
+0.4.2

data/lib/onelogin/saml/response.rb

@@ -8,18 +8,20 @@ module Onelogin::Saml
     DSIG      = "http://www.w3.org/2000/09/xmldsig#"
 
     attr_accessor :response, :document, :logger, :settings, :original
+    attr_accessor :bypass_conditions_check # for testing only
 
     def initialize(response)
       raise ArgumentError.new("Response cannot be nil") if response.nil?
-      self.response = response
-      self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
-      self.original = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+      self.bypass_conditions_check  = false
+      self.response                 = response
+      self.document                 = XMLSecurity::SignedDocument.new(Base64.decode64(response))
     end
 
     def is_valid?
       return false if response.empty?
       return false if settings.nil?
       return false if settings.idp_cert_fingerprint.nil?
+      return false if !check_conditions
 
       document.validate(settings.idp_cert_fingerprint, logger)
     end
@@ -27,12 +29,21 @@ module Onelogin::Saml
     # The value of the user identifier as designated by the initialization request response
     def name_id
       @name_id ||= begin
-        uri   = REXML::XPath.first(original, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG}).attribute("URI").value
-        node  = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{uri[1,uri.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        node  = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
         node.text
       end
     end
 
+    def check_conditions
+      return true if self.bypass_conditions_check
+
+      cond_element = REXML::XPath.first(document,"/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
+      return false unless cond_element
+      return false unless parseXsDateTime(cond_element.attribute('NotBefore').to_s) < Time.now.utc
+      return false unless parseXsDateTime(cond_element.attribute('NotOnOrAfter').to_s) >= Time.now.utc
+      true
+    end
+
     # A hash of alle the attributes with the response. Assuming there is only one value for each key
     def attributes
       @attr_statements ||= begin
@@ -62,5 +73,11 @@ module Onelogin::Saml
       end
     end
 
+    private
+
+    def parseXsDateTime(xsDatetime)
+      return nil unless xsDatetime =~ /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$/
+      Time.utc($1, $2, $3, $4, $5, $6)
+    end
   end
 end

data/lib/xml_security.rb

@@ -32,6 +32,14 @@ require "digest/sha1"
 module XMLSecurity
 
   class SignedDocument < REXML::Document
+    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+    attr_accessor :signed_element_id
+
+    def initialize(response)
+      super(response)
+      extract_signed_element_id
+    end
 
     def validate (idp_cert_fingerprint, logger = nil)
       # get cert from response
@@ -87,5 +95,11 @@ module XMLSecurity
       return valid_flag
     end
 
+    private
+
+    def extract_signed_element_id
+      reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+      self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+    end
   end
 end

data/ruby-saml.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml}
-  s.version = "0.4.1"
+  s.version = "0.4.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["OneLogin LLC"]
-  s.date = %q{2011-06-03}
+  s.date = %q{2011-06-04}
   s.description = %q{SAML toolkit for Ruby on Rails}
   s.email = %q{support@onelogin.com}
   s.extra_rdoc_files = [

data/test/ruby-saml_test.rb

@@ -39,13 +39,11 @@ class RubySamlTest < Test::Unit::TestCase
       assert !response.name_id.nil?
     end
     
-    should "not allow signature wrapping attack" do 
-      response = Onelogin::Saml::Response.new(response_document_4)
-      settings = Onelogin::Saml::Settings.new
-      response.settings = settings
-      settings.idp_cert_fingerprint = signature_fingerprint_1
-      assert response.is_valid?
-      assert response.name_id == "test@onelogin.com"
+    should "check time conditions" do
+      response = Onelogin::Saml::Response.new(response_document)
+      assert !response.check_conditions
+      response = Onelogin::Saml::Response.new(response_document_5)
+      assert response.check_conditions
     end
 
     context "#is_valid?" do
@@ -60,15 +58,25 @@ class RubySamlTest < Test::Unit::TestCase
       end
 
       should "return true when the response is initialized with valid data" do
-        response = Onelogin::Saml::Response.new(response_document)
+        response = Onelogin::Saml::Response.new(response_document_4)
+        response.bypass_conditions_check = true
+        assert !response.is_valid?
         settings = Onelogin::Saml::Settings.new
-        settings.idp_cert_fingerprint = 'hello'
+        assert !response.is_valid?
         response.settings = settings
         assert !response.is_valid?
-        document = stub()
-        document.stubs(:validate).returns(true)
-        response.document = document
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        assert response.is_valid?
+      end
+
+      should "not allow signature wrapping attack" do
+        response = Onelogin::Saml::Response.new(response_document_4)
+        response.bypass_conditions_check = true
+        settings = Onelogin::Saml::Settings.new
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response.settings = settings
         assert response.is_valid?
+        assert response.name_id == "test@onelogin.com"
       end
     end
 

data/test/test_helper.rb

@@ -24,6 +24,13 @@ class Test::Unit::TestCase
     @response_document4 ||= File.read(File.join(File.dirname(__FILE__), 'responses', 'response4.xml.base64'))
   end
   
+  def response_document_5
+    doc = Base64.decode64(response_document)
+    doc.gsub!(/NotBefore=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotBefore=\"#{(Time.now-300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    doc.gsub!(/NotOnOrAfter=\"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z\"/, "NotOnOrAfter=\"#{(Time.now+300).getutc.strftime("%Y-%m-%dT%XZ")}\"")
+    Base64.encode64(doc)
+  end
+  
   def signature_fingerprint_1
     @signature_fingerprint1 ||= "C5:19:85:D9:47:F1:BE:57:08:20:25:05:08:46:EB:27:F6:CA:B7:83"
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-saml
 version: !ruby/object:Gem::Version 
-  hash: 13
+  hash: 11
   prerelease: false
   segments: 
   - 0
   - 4
-  - 1
-  version: 0.4.1
+  - 2
+  version: 0.4.2
 platform: ruby
 authors: 
 - OneLogin LLC
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-03 00:00:00 -06:00
+date: 2011-06-04 00:00:00 -06:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency