ruby-saml 0.8.12

checksums.yaml

@@ -0,0 +1,7 @@
+--- 
+SHA512: 
+  metadata.gz: 8a2479b6725a5a9e7fdc76a4bec612e2f0c66cf53cbb79ff7c1dc0343d1cc56c09e9fd3b2d3490bdacbb09b16b473702d42fa42fdb6fedff6e7fa5a44fa421a2
+  data.tar.gz: 43b1cfb12dc3fc14a2cbc139430e3ad15b975dca0d95d0d8c14363f362833de181a52ca10b8b607215c4b5aa23ffa62f2d8f3a3b2c9b5541e9387c635ca77150
+SHA256: 
+  metadata.gz: 694ade703ed05cc38aa2ca98cbfee57cc16223991ae6539422c136164cf29608
+  data.tar.gz: ee07b69a9391b26c9af95d0cfdbaa57c8991fa187b869660e15c549fcbbe47e3

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,12 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg
+Gemfile.lock
+.idea/*
+lib/Lib.iml
+test/Test.iml
+.rvmrc
+*.gem
+.bundle

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - ree
+
+before_install:
+  - gem update --system 2.1.11
+  - gem install bundler -v 1.11.2

data/Gemfile

@@ -0,0 +1,37 @@
+#
+# Please keep this file alphabetized and organized
+#
+source 'http://rubygems.org'
+
+gemspec
+
+if RUBY_VERSION < '1.9'
+  gem 'nokogiri',   '~> 1.5.0'
+  gem 'minitest',  '~> 5.5', '<= 5.11.3'
+elsif RUBY_VERSION < '2.1'
+  gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+  gem 'minitest',  '~> 5.5'
+else
+  gem 'nokogiri',   '>= 1.5.0'
+  gem 'minitest',  '~> 5.5'
+end
+
+group :test do
+  if RUBY_VERSION < '1.9'
+    gem 'ruby-debug', '~> 0.10.4'
+  elsif RUBY_VERSION < '2.0'
+    gem 'debugger-linecache', '~> 1.2.0'
+    gem 'debugger', '~> 1.6.4'
+  elsif RUBY_VERSION < '2.1'
+    gem 'byebug',   '~> 2.1.1'
+  else
+    gem 'pry-byebug'
+  end
+
+  gem 'mocha',     '~> 0.14',  :require => false
+  gem 'rake',      '~> 10'
+  gem 'shoulda',   '~> 2.11'
+  gem 'systemu',   '~> 2'
+  gem 'test-unit', '~> 3.0.9'
+  gem 'timecop',   '<= 0.6.0'
+end

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,160 @@
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml)
+
+# Updating from 0.8.8 to 0.8.9
+Version `0.8.9` deprecates the use of settings.issuer, use instead settings.sp_entity_id. Deprecates assertion_consumer_logout_service_url and assertion_consumer_logout_service_binding as well, use instead single_logout_service_url and single_logout_service_binding. Adds validate_audience.
+
+# Updating from 0.8.7 to 0.8.8
+Version `0.8.8` adds support for ForceAuthn and Subjects on AuthNRequests by the new name_identifier_value_requested setting
+
+## Note on versions 0.8.6 and 0.8.7
+Version `0.8.6` introduced an incompatibility with regards to manipulating the `OneLogin::RubySaml::Response#attributes` property; in this version 
+the `#attributes` property is a class (`OneLogin::RubySaml::Attributes`) which implements the `Enumerator` module, thus any non-overriden Hash method
+will throw a NoMethodError.
+Version `0.8.7` overrides the behavior of class `OneLogin::RubySaml::Attributes` by making any method not found on the class be tested on the 
+internal hash structure, thus all methods available in the `Hash` class are now available in `OneLogin::RubySaml::Response#attributes`.
+
+## Updating from 0.7.x to 0.8.x
+Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+
+## Overview
+
+The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.
+
+SAML authorization is a two step process and you are expected to implement support for both.
+
+## The initialization phase
+
+This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
+
+```ruby
+def init
+  request = OneLogin::RubySaml::Authrequest.new
+  redirect_to(request.create(saml_settings))
+end
+```
+
+Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+
+```ruby
+def consume
+  response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+  response.settings = saml_settings
+
+  if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+    authorize_success(user)
+  else
+    authorize_failure(user)
+  end
+end
+```
+
+In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
+
+```ruby
+def saml_settings
+  settings = OneLogin::RubySaml::Settings.new
+
+  settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
+  settings.sp_entity_id                   = request.host
+  settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+  settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+  settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  # Optional for most SAML IdPs
+  settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+  settings
+end
+```
+
+What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
+
+```ruby
+# This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
+class SamlController < ApplicationController
+  def init
+    request = OneLogin::RubySaml::Authrequest.new
+    redirect_to(request.create(saml_settings))
+  end
+
+  def consume
+    response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+    response.settings = saml_settings
+
+    if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+      authorize_success(user)
+    else
+      authorize_failure(user)
+    end
+  end
+
+  private
+
+  def saml_settings
+    settings = OneLogin::RubySaml::Settings.new
+
+    settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+    settings.sp_entity_id                   = request.host
+    settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+    settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+    settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    # Optional for most SAML IdPs
+    settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+    settings
+  end
+end
+```
+
+If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
+contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
+
+```ruby
+response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+response.settings = saml_settings
+
+response.attributes[:username]
+```
+
+## Service Provider Metadata
+
+To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
+to the IdP for various good reasons.  (Caching, certificate lookups, relaying party permissions, etc)
+
+The class OneLogin::RubySaml::Metadata takes care of this by reading the Settings and returning XML.  All
+you have to do is add a controller to return the data, then give this URL to the IdP administrator.
+The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
+to the IdP settings.
+
+```ruby
+class SamlController < ApplicationController
+  # ... the rest of your controller definitions ...
+  def metadata
+    settings = Account.get_saml_settings
+    meta = OneLogin::RubySaml::Metadata.new
+    render :xml => meta.generate(settings)
+  end
+end
+```
+
+## Clock Drift
+
+Server clocks tend to drift naturally. If during validation of the response you get the error "Current time is earlier than NotBefore condition" then this may be due to clock differences between your system and that of the Identity Provider.
+
+First, ensure that both systems synchronize their clocks, using for example the industry standard [Network Time Protocol (NTP)](http://en.wikipedia.org/wiki/Network_Time_Protocol).
+
+Even then you may experience intermittent issues though, because the clock of the Identity Provider may drift slightly ahead of your system clocks. To allow for a small amount of clock drift you can initialize the response passing in an option named `:allowed_clock_drift`. Its value must be given in a number (and/or fraction) of seconds. The value given is added to the current time at which the response is validated before it's tested against the `NotBefore` assertion. For example:
+
+```ruby
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :allowed_clock_drift => 1)
+```
+
+Make sure to keep the value as comfortably small as possible to keep security risks to a minimum.
+
+## Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,27 @@
+require 'rubygems'
+require 'rake'
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test
+
+task :default => :test

data/changelog.md

@@ -0,0 +1,24 @@
+# RubySaml Changelog
+
+### 0.8.4 (March 5, 2018)
+* Improve the fix for CVE-2017-11428 to parse CDATA properly
+
+### 0.8.3 (Feb 27, 2018)
+* Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
+* Fix DigestMethod lookup bug #144
+
+### 0.8.2 (Jan 26, 2014)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
+
+### 0.8.0 (Feb 21, 2014)
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
+
+
+### 0.7.3 (Feb 20, 2014)
+Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision

data/lib/onelogin/ruby-saml/attributes.rb

@@ -0,0 +1,147 @@
+module OneLogin
+  module RubySaml
+
+    # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response. 
+    #
+    class Attributes
+      include Enumerable
+
+      attr_reader :attributes
+
+      # By default Attributes#[] is backwards compatible and
+      # returns only the first value for the attribute
+      # Setting this to `false` returns all values for an attribute
+      @@single_value_compatibility = true
+
+      # @return [Boolean] Get current status of backwards compatibility mode.
+      #
+      def self.single_value_compatibility
+        @@single_value_compatibility
+      end
+
+      # Sets the backwards compatibility mode on/off.
+      # @param value [Boolean]
+      #
+      def self.single_value_compatibility=(value)
+        @@single_value_compatibility = value
+      end
+
+      # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+      #    Attributes.new({
+      #      'name' => ['value1', 'value2'],
+      #      'mail' => ['value1'],
+      #    })
+      #
+      def initialize(attrs = {})
+        @attributes = attrs
+      end
+
+
+      # Iterate over all attributes
+      #
+      def each
+        attributes.each{|name, values| yield name, values}
+      end
+
+      
+      # Test attribute presence by name
+      # @param name [String] The attribute name to be checked
+      #
+      def include?(name)
+        attributes.has_key?(canonize_name(name)) || attributes.has_key?(name)
+      end
+      
+      # Return first value for an attribute
+      # @param name [String] The attribute name
+      # @return [String] The value (First occurrence)
+      #
+      def single(name)
+        multi(name).first if include?(name)
+      end
+
+      # Return all values for an attribute
+      # @param name [String] The attribute name
+      # @return [Array] Values of the attribute
+      #
+      def multi(name)
+        values = attributes[canonize_name(name)] || attributes[name]
+        
+        if values.is_a?(Array)
+          values
+        elsif !values.nil?
+          Array(values)
+        else
+          nil
+        end
+      end
+
+      # Retrieve attribute value(s)
+      # @param name [String] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def [](name)
+        self.class.single_value_compatibility ? single(name) : multi(name)
+      end
+
+      # @return [Array] Return all attributes as an array
+      #
+      def all
+        attributes
+      end
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def set(name, values)
+        attributes[canonize_name(name)] = values
+      end
+      alias_method :[]=, :set
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def add(name, values = [])
+        attributes[canonize_name(name)] ||= []
+        attributes[canonize_name(name)] += Array(values)
+      end
+
+      # Make comparable to another Attributes collection based on attributes
+      # @param other [Attributes] An Attributes object to compare with
+      # @return [Boolean] True if are contains the same attributes and values
+      #
+      def ==(other)
+        if other.is_a?(Attributes)
+          all == other.all
+        else
+          super
+        end
+      end
+
+      def respond_to?(name)
+        attributes.respond_to?(name) || super
+      end
+
+      protected
+
+      # stringifies all names so both 'email' and :email return the same result
+      # @param name [String] The attribute name
+      # @return [String] stringified name
+      #
+      def canonize_name(name)
+        name.to_s
+      end
+
+      def method_missing(name, *args, &block)
+        if attributes.respond_to?(name)
+          attributes.send(name, *args, &block)
+        else
+          super
+        end
+      end
+    end
+  end
+end