ruby-saml 0.8.13 → 0.8.14

data/lib/onelogin/ruby-saml/response.rb

@@ -157,7 +157,7 @@ module OneLogin
         validate_response_state(soft)  &&
         validate_conditions(soft)      &&
         validate_audience(soft)        &&
-        document.validate_document(get_fingerprint, soft) &&
+        validate_signature(soft)       &&
         success?
       end
 
@@ -225,7 +225,6 @@ module OneLogin
 
               if verified_seis.include?(sei)
                 return soft ? false : validation_error("Duplicated Reference URI. SAML Response rejected")
-                return append_error("Duplicated Reference URI. SAML Response rejected")
               end
 
               verified_seis.push(sei)
@@ -400,17 +399,57 @@ module OneLogin
         true
       end
 
+      def validate_signature(soft = true)
+        error_msg = "Invalid Signature on SAML Response"
+
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature]",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+
+        # Check signature nodes
+        if sig_elements.nil? || sig_elements.size == 0
+          sig_elements = REXML::XPath.match(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            { 'id' => document.signed_element_id }
+          )
+        end
+
+        if sig_elements.size != 1
+          if  sig_elements.size == 0
+             error_msg += ". Signed element id ##{doc.signed_element_id} is not found"
+          else
+             error_msg += ". Signed element id ##{doc.signed_element_id} is found more than once"
+          end
+          return soft ? false : validation_error(error_msg)
+        end
+
+        opts = {}
+        opts[:fingerprint_alg] = OpenSSL::Digest::SHA1.new
+        opts[:cert] = settings.idp_cert
+        fingerprint = get_fingerprint
+
+        unless fingerprint
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        unless document.validate_document(fingerprint, soft, opts)
+          return soft ? false : validation_error(error_msg)
+        end
+
+        true
+      end
+
       def parse_time(node, attribute)
         if node && node.attributes[attribute]
           Time.parse(node.attributes[attribute])
         end
       end
 
-      # Validates the Audience, (If the Audience match the Service Provider EntityID)
-      # If fails, the error is added to the errors array
-      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails
-      #
       def validate_audience(soft = true)
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.13'
+    VERSION = '0.8.14'
   end
 end

data/lib/xml_security.rb

@@ -251,6 +251,8 @@ module XMLSecurity
         if idp_cert.to_pem != cert.to_pem
           return false
         end
+      elsif not idp_cert
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)
       end

data/test/response_test.rb

@@ -4,7 +4,10 @@ class ResponseTest <  Minitest::Test
 
   describe "Response" do
     it "raise an exception when response is initialized with nil" do
-      assert_raises(ArgumentError) { OneLogin::RubySaml::Response.new(nil) }
+      err = assert_raises(ArgumentError) do
+        OneLogin::RubySaml::Response.new(nil)
+      end
+      assert_equal "Response cannot be nil", err.message
     end
 
     it "be able to parse a document which contains ampersands" do
@@ -45,12 +48,71 @@ class ResponseTest <  Minitest::Test
     end
 
     describe "#validate!" do
+      it "raise when settings not initialized" do
+        response = OneLogin::RubySaml::Response.new(response_document)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No settings on response", err.message
+      end
+
       it "raise when encountering a condition that prevents the document from being valid" do
         response = OneLogin::RubySaml::Response.new(response_document)
-        assert_raises(OneLogin::RubySaml::ValidationError) do
+        response.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
           response.validate!
         end
+        assert_equal "Current time is on or after NotOnOrAfter condition", err.message
       end
+
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
+      end
+
+      it "raise when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
+      end
+
+      it "raise when multiple signatures" do
+        response_multiple_signed = OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_multiple_signed.settings = settings
+        response_multiple_signed.stubs(:validate_structure).returns(true)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_multiple_signed.validate!
+        end
+        assert_equal "Duplicated ID. SAML Response rejected", err.message
+      end
+
+      it "raise when fingerprint missmatch" do
+        resp_xml = Base64.decode64(response_document_valid_signed)
+        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response.settings = settings
+
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal 'Fingerprint mismatch', err.message
+      end
+
     end
 
     describe "#is_valid?" do
@@ -64,6 +126,16 @@ class ResponseTest <  Minitest::Test
         assert !response.is_valid?
       end
 
+      it "return false when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        assert !response.is_valid?
+      end
+
       it "return true when the response is initialized with valid data" do
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
@@ -80,7 +152,7 @@ class ResponseTest <  Minitest::Test
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
-        response.settings = settings        
+        response.settings = settings
         assert !response.is_valid?
         assert !response.is_valid?
       end
@@ -95,7 +167,17 @@ class ResponseTest <  Minitest::Test
         assert response.is_valid?
       end
 
-      it "return true when using certificate instead of fingerprint" do
+      it "return true when valid response and using fingerprint" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "4B:68:C4:53:C7:D9:94:AA:D9:02:5C:99:D5:EF:CF:56:62:87:FE:8D"
+        assert response.is_valid?
+      end
+
+      it "return true when valid response using certificate" do
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
@@ -126,26 +208,6 @@ class ResponseTest <  Minitest::Test
         assert_nil response_wrapped.name_id
       end
 
-      it "raise when no signature" do
-        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response_no_signed_elements.settings = settings
-        error_msg = "Found an unexpected number of Signature Element. SAML Response rejected"
-        assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
-          response_no_signed_elements.validate!
-        end
-      end
-
-      it "raise when multiple signatures" do
-        response_multiple_signed = OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64"))
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response_multiple_signed.settings = settings
-        error_msg = "Duplicated ID. SAML Response rejected"
-        assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
-          response_multiple_signed.validate!
-        end
-      end
-
       it "support dynamic namespace resolution on signature elements" do
         response = OneLogin::RubySaml::Response.new(fixture("no_signature_ns.xml"))
         response.stubs(:conditions).returns(nil)
@@ -156,6 +218,40 @@ class ResponseTest <  Minitest::Test
         assert response.validate!
       end
 
+      it "support signature elements with no KeyInfo if cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = ruby_saml_cert
+        settings.idp_cert_fingerprint = nil
+        XMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
+        assert response.validate!
+      end
+
+      it "returns an error if the signature contains no KeyInfo, cert is not provided and soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        assert !response.is_valid?
+      end
+
+      it "raises an exception if the signature contains no KeyInfo, cert is not provided and no soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", err.message
+      end
+
       it "validate ADFS assertions" do
         response = OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha256))
         response.stubs(:conditions).returns(nil)
@@ -174,16 +270,6 @@ class ResponseTest <  Minitest::Test
         assert response.validate!
       end
 
-      it "validate SAML 2.0 XML structure" do
-        resp_xml = Base64.decode64(response_document_valid_signed).gsub(/emailAddress/,'test')
-        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
-        response.stubs(:conditions).returns(nil)
-        settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response.settings = settings
-        assert_raises(OneLogin::RubySaml::ValidationError, 'Digest mismatch'){ response.validate! }
-      end
-
       it "Prevent node text with comment (VU#475445) attack" do
         response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
         response = OneLogin::RubySaml::Response.new(response_doc)
@@ -272,6 +358,54 @@ class ResponseTest <  Minitest::Test
       end
     end
 
+    describe "validate_signature" do
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
+      end
+
+      it "raises an exception when wrong cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = ruby_saml_cert2
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
+      end
+
+      it "raises an exception when wrong fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
+      end
+
+      it "raises an exception when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
+      end
+    end
+
     describe "#attributes" do
       before do
         @response = OneLogin::RubySaml::Response.new(response_document)
@@ -464,6 +598,10 @@ class ResponseTest <  Minitest::Test
         response_wrapped.stubs(:validate_subject_confirmation).returns(true)
         settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
         assert !response_wrapped.is_valid?
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_wrapped.validate!
+        end
+        assert_equal "Found an invalid Signed Element. SAML Response rejected", err.message
       end
     end
 
@@ -475,8 +613,9 @@ class ResponseTest <  Minitest::Test
         settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
         response_wrapped.stubs(:conditions).returns(nil)
         response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        response_wrapped.stubs(:validate_structure).returns(true)
         assert !response_wrapped.is_valid?
-        assert_raises(OneLogin::RubySaml::ValidationError, "SAML Response must contain 1 assertion"){ response_wrapped.validate! }
+        assert !response_wrapped.validate!
       end
     end
 

data/test/xml_security_test.rb

@@ -295,7 +295,7 @@ class XmlSecurityTest < Minitest::Test
     end
 
     describe "StarfieldTMS" do
-      before do        
+      before do
         @response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
         @response.settings = OneLogin::RubySaml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D")
       end
@@ -373,6 +373,35 @@ class XmlSecurityTest < Minitest::Test
           assert document.name_id.nil?, 'Document should expose only signed, valid details'
         end
       end
+
+      describe 'when response has no cert and you provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+        let(:options) { {} }
+
+        it 'is valid' do
+          options[:cert] = idp_cert
+          assert document.document.validate_document(idp_cert, true, options), 'Document should be valid'
+        end
+      end
+
+      describe 'when response has no cert and you dont provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:options) { {} }
+        let(:idp_cert) { nil }
+
+        it 'is invalid' do
+          options[:cert] = idp_cert
+          assert !document.document.validate_document(idp_cert, true, options), 'Document should not be valid'
+        end
+
+        it 'is invalid and error raised' do
+          options[:cert] = idp_cert
+          assert_raises(OneLogin::RubySaml::ValidationError) do
+            document.document.validate_document(idp_cert, false, options)
+          end
+        end
+      end
     end
 
     describe '#validate_document_with_cert' do
@@ -387,8 +416,8 @@ class XmlSecurityTest < Minitest::Test
             assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
           end
         end
-        
-        describe 'when response has no cert but you have local cert' do
+
+        describe 'when response has no cert and you provide cert' do
           let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
           let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
 
@@ -396,6 +425,21 @@ class XmlSecurityTest < Minitest::Test
             assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
           end
         end
+
+        describe 'when response has no cert and you dont provide cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { nil }
+
+          it 'is invalid' do
+            assert !document.validate_document_with_cert(idp_cert), 'Document should not be valid'
+          end
+
+          it 'is invalid and error raised' do
+            assert_raises(OneLogin::RubySaml::ValidationError) do
+              document.validate_document_with_cert(idp_cert, false)
+            end
+          end
+        end
       end
     end
   end

metadata

@@ -1,41 +1,46 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 0.8.13
+  version: 0.8.14
+  prerelease:
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-23 00:00:00.000000000 Z
+date: 2020-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: uuid
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.3'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
 description: SAML toolkit for Ruby on Rails
@@ -46,9 +51,9 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
-- ".document"
-- ".gitignore"
-- ".travis.yml"
+- .document
+- .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE
 - README.md
@@ -127,27 +132,28 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
-metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
-- "--charset=UTF-8"
+- --charset=UTF-8
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.4.8
-signing_key: 
-specification_version: 4
+rubygems_version: 1.8.23.2
+signing_key:
+specification_version: 3
 summary: SAML Ruby Tookit
 test_files:
 - test/certificates/certificate1

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: c3f3a436bf74c3342e13ed40b9d6d7c71e8b25f1
-  data.tar.gz: c39cb2b2fa7844d97cd83e2d6a34f7a5ab68151e
-SHA512:
-  metadata.gz: 38e6e375700d52f5bd4300dc5a1e7b9b20e5283b00371418730b1857ffc9b98857e72066a9ea67b504953eddaefc8683a0d40a29156f614dc18f9aaea7e7e0e5
-  data.tar.gz: a93d2f2c35bed0a8c44db64e3672aa8e811883d37b0386618dd51d0d7a9f19ddd37c59381dfa2c94cc04a361f3ecce8cd9677dc9ab6f44dee4eb653fefedba91