RubyGems - ruby-saml - Versions diffs - 0.8.13 → 0.8.14 - Mend

ruby-saml 0.8.13 → 0.8.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (7) hide show

data/lib/onelogin/ruby-saml/response.rb +46 -7
data/lib/onelogin/ruby-saml/version.rb +1 -1
data/lib/xml_security.rb +2 -0
data/test/response_test.rb +174 -35
data/test/xml_security_test.rb +47 -3
metadata +24 -18
checksums.yaml +0 -7

data/lib/onelogin/ruby-saml/response.rb CHANGED

@@ -157,7 +157,7 @@ module OneLogin
         validate_response_state(soft)  &&
         validate_conditions(soft)      &&
         validate_audience(soft)        &&
-        document.validate_document(get_fingerprint, soft) &&
+        validate_signature(soft)       &&
         success?
       end
@@ -225,7 +225,6 @@ module OneLogin
               if verified_seis.include?(sei)
                 return soft ? false : validation_error("Duplicated Reference URI. SAML Response rejected")
-                return append_error("Duplicated Reference URI. SAML Response rejected")
               end
               verified_seis.push(sei)
@@ -400,17 +399,57 @@ module OneLogin
         true
       end
+      def validate_signature(soft = true)
+        error_msg = "Invalid Signature on SAML Response"
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature]",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+        # Check signature nodes
+        if sig_elements.nil? || sig_elements.size == 0
+          sig_elements = REXML::XPath.match(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            { 'id' => document.signed_element_id }
+          )
+        end
+        if sig_elements.size != 1
+          if  sig_elements.size == 0
+             error_msg += ". Signed element id ##{doc.signed_element_id} is not found"
+          else
+             error_msg += ". Signed element id ##{doc.signed_element_id} is found more than once"
+          end
+          return soft ? false : validation_error(error_msg)
+        end
+        opts = {}
+        opts[:fingerprint_alg] = OpenSSL::Digest::SHA1.new
+        opts[:cert] = settings.idp_cert
+        fingerprint = get_fingerprint
+        unless fingerprint
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+        unless document.validate_document(fingerprint, soft, opts)
+          return soft ? false : validation_error(error_msg)
+        end
+        true
+      end
       def parse_time(node, attribute)
         if node && node.attributes[attribute]
           Time.parse(node.attributes[attribute])
         end
       end
-      # Validates the Audience, (If the Audience match the Service Provider EntityID)
-      # If fails, the error is added to the errors array
-      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails
-      #
       def validate_audience(soft = true)
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?

data/lib/onelogin/ruby-saml/version.rb CHANGED

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.13'
+    VERSION = '0.8.14'
   end
 end

data/lib/xml_security.rb CHANGED

@@ -251,6 +251,8 @@ module XMLSecurity
         if idp_cert.to_pem != cert.to_pem
           return false
         end
+      elsif not idp_cert
+        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings"))
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)
       end

data/test/response_test.rb CHANGED

@@ -4,7 +4,10 @@ class ResponseTest <  Minitest::Test
   describe "Response" do
     it "raise an exception when response is initialized with nil" do
-      assert_raises(ArgumentError) { OneLogin::RubySaml::Response.new(nil) }
+      err = assert_raises(ArgumentError) do
+        OneLogin::RubySaml::Response.new(nil)
+      end
+      assert_equal "Response cannot be nil", err.message
     end
     it "be able to parse a document which contains ampersands" do
@@ -45,12 +48,71 @@ class ResponseTest <  Minitest::Test
     end
     describe "#validate!" do
+      it "raise when settings not initialized" do
+        response = OneLogin::RubySaml::Response.new(response_document)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No settings on response", err.message
+      end
       it "raise when encountering a condition that prevents the document from being valid" do
         response = OneLogin::RubySaml::Response.new(response_document)
-        assert_raises(OneLogin::RubySaml::ValidationError) do
+        response.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
           response.validate!
         end
+        assert_equal "Current time is on or after NotOnOrAfter condition", err.message
       end
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
+      end
+      it "raise when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
+      end
+      it "raise when multiple signatures" do
+        response_multiple_signed = OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_multiple_signed.settings = settings
+        response_multiple_signed.stubs(:validate_structure).returns(true)
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_multiple_signed.validate!
+        end
+        assert_equal "Duplicated ID. SAML Response rejected", err.message
+      end
+      it "raise when fingerprint missmatch" do
+        resp_xml = Base64.decode64(response_document_valid_signed)
+        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal 'Fingerprint mismatch', err.message
+      end
     end
     describe "#is_valid?" do
@@ -64,6 +126,16 @@ class ResponseTest <  Minitest::Test
         assert !response.is_valid?
       end
+      it "return false when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        assert !response.is_valid?
+      end
       it "return true when the response is initialized with valid data" do
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
@@ -80,7 +152,7 @@ class ResponseTest <  Minitest::Test
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
-        response.settings = settings
+        response.settings = settings
         assert !response.is_valid?
         assert !response.is_valid?
       end
@@ -95,7 +167,17 @@ class ResponseTest <  Minitest::Test
         assert response.is_valid?
       end
-      it "return true when using certificate instead of fingerprint" do
+      it "return true when valid response and using fingerprint" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "4B:68:C4:53:C7:D9:94:AA:D9:02:5C:99:D5:EF:CF:56:62:87:FE:8D"
+        assert response.is_valid?
+      end
+      it "return true when valid response using certificate" do
         response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
         response.stubs(:conditions).returns(nil)
         settings = OneLogin::RubySaml::Settings.new
@@ -126,26 +208,6 @@ class ResponseTest <  Minitest::Test
         assert_nil response_wrapped.name_id
       end
-      it "raise when no signature" do
-        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response_no_signed_elements.settings = settings
-        error_msg = "Found an unexpected number of Signature Element. SAML Response rejected"
-        assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
-          response_no_signed_elements.validate!
-        end
-      end
-      it "raise when multiple signatures" do
-        response_multiple_signed = OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64"))
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response_multiple_signed.settings = settings
-        error_msg = "Duplicated ID. SAML Response rejected"
-        assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
-          response_multiple_signed.validate!
-        end
-      end
       it "support dynamic namespace resolution on signature elements" do
         response = OneLogin::RubySaml::Response.new(fixture("no_signature_ns.xml"))
         response.stubs(:conditions).returns(nil)
@@ -156,6 +218,40 @@ class ResponseTest <  Minitest::Test
         assert response.validate!
       end
+      it "support signature elements with no KeyInfo if cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = ruby_saml_cert
+        settings.idp_cert_fingerprint = nil
+        XMLSecurity::SignedDocument.any_instance.expects(:validate_signature).returns(true)
+        assert response.validate!
+      end
+      it "returns an error if the signature contains no KeyInfo, cert is not provided and soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        assert !response.is_valid?
+      end
+      it "raises an exception if the signature contains no KeyInfo, cert is not provided and no soft" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate)
+        response.stubs(:conditions).returns(nil)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.validate!
+        end
+        assert_equal "Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", err.message
+      end
       it "validate ADFS assertions" do
         response = OneLogin::RubySaml::Response.new(fixture(:adfs_response_sha256))
         response.stubs(:conditions).returns(nil)
@@ -174,16 +270,6 @@ class ResponseTest <  Minitest::Test
         assert response.validate!
       end
-      it "validate SAML 2.0 XML structure" do
-        resp_xml = Base64.decode64(response_document_valid_signed).gsub(/emailAddress/,'test')
-        response = OneLogin::RubySaml::Response.new(Base64.encode64(resp_xml))
-        response.stubs(:conditions).returns(nil)
-        settings = OneLogin::RubySaml::Settings.new
-        settings.idp_cert_fingerprint = signature_fingerprint_1
-        response.settings = settings
-        assert_raises(OneLogin::RubySaml::ValidationError, 'Digest mismatch'){ response.validate! }
-      end
       it "Prevent node text with comment (VU#475445) attack" do
         response_doc = File.read(File.join(File.dirname(__FILE__), "responses", 'response_node_text_attack.xml.base64'))
         response = OneLogin::RubySaml::Response.new(response_doc)
@@ -272,6 +358,54 @@ class ResponseTest <  Minitest::Test
       end
     end
+    describe "validate_signature" do
+      it "raises an exception when no cert or fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "No fingerprint or certificate on settings", err.message
+      end
+      it "raises an exception when wrong cert provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = ruby_saml_cert2
+        settings.idp_cert_fingerprint = nil
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
+      end
+      it "raises an exception when wrong fingerprint provided" do
+        response = OneLogin::RubySaml::Response.new(response_document_valid_signed)
+        settings = OneLogin::RubySaml::Settings.new
+        response.settings = settings
+        settings.idp_cert = nil
+        settings.idp_cert_fingerprint = "28:74:9B:E8:1F:E8:10:9C:A8:7C:A9:C3:E3:C5:01:6C:92:1C:B4:BA"
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response.send(:validate_signature, false)
+        end
+        assert_equal "Fingerprint mismatch", err.message
+      end
+      it "raises an exception when no signature" do
+        response_no_signed_elements = OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64"))
+        settings.idp_cert_fingerprint = signature_fingerprint_1
+        response_no_signed_elements.settings = settings
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_no_signed_elements.validate!
+        end
+        assert_equal "Found an unexpected number of Signature Element. SAML Response rejected", err.message
+      end
+    end
     describe "#attributes" do
       before do
         @response = OneLogin::RubySaml::Response.new(response_document)
@@ -464,6 +598,10 @@ class ResponseTest <  Minitest::Test
         response_wrapped.stubs(:validate_subject_confirmation).returns(true)
         settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
         assert !response_wrapped.is_valid?
+        err = assert_raises(OneLogin::RubySaml::ValidationError) do
+          response_wrapped.validate!
+        end
+        assert_equal "Found an invalid Signed Element. SAML Response rejected", err.message
       end
     end
@@ -475,8 +613,9 @@ class ResponseTest <  Minitest::Test
         settings.idp_cert_fingerprint = '4b68c453c7d994aad9025c99d5efcf566287fe8d'
         response_wrapped.stubs(:conditions).returns(nil)
         response_wrapped.stubs(:validate_subject_confirmation).returns(true)
+        response_wrapped.stubs(:validate_structure).returns(true)
         assert !response_wrapped.is_valid?
-        assert_raises(OneLogin::RubySaml::ValidationError, "SAML Response must contain 1 assertion"){ response_wrapped.validate! }
+        assert !response_wrapped.validate!
       end
     end

data/test/xml_security_test.rb CHANGED

@@ -295,7 +295,7 @@ class XmlSecurityTest < Minitest::Test
     end
     describe "StarfieldTMS" do
-      before do
+      before do
         @response = OneLogin::RubySaml::Response.new(fixture(:starfield_response))
         @response.settings = OneLogin::RubySaml::Settings.new( :idp_cert_fingerprint => "8D:BA:53:8E:A3:B6:F9:F1:69:6C:BB:D9:D8:BD:41:B3:AC:4F:9D:4D")
       end
@@ -373,6 +373,35 @@ class XmlSecurityTest < Minitest::Test
           assert document.name_id.nil?, 'Document should expose only signed, valid details'
         end
       end
+      describe 'when response has no cert and you provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+        let(:options) { {} }
+        it 'is valid' do
+          options[:cert] = idp_cert
+          assert document.document.validate_document(idp_cert, true, options), 'Document should be valid'
+        end
+      end
+      describe 'when response has no cert and you dont provide cert' do
+        let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+        let(:options) { {} }
+        let(:idp_cert) { nil }
+        it 'is invalid' do
+          options[:cert] = idp_cert
+          assert !document.document.validate_document(idp_cert, true, options), 'Document should not be valid'
+        end
+        it 'is invalid and error raised' do
+          options[:cert] = idp_cert
+          assert_raises(OneLogin::RubySaml::ValidationError) do
+            document.document.validate_document(idp_cert, false, options)
+          end
+        end
+      end
     end
     describe '#validate_document_with_cert' do
@@ -387,8 +416,8 @@ class XmlSecurityTest < Minitest::Test
             assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
           end
         end
-        describe 'when response has no cert but you have local cert' do
+        describe 'when response has no cert and you provide cert' do
           let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
           let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
@@ -396,6 +425,21 @@ class XmlSecurityTest < Minitest::Test
             assert document.validate_document_with_cert(idp_cert), 'Document should be valid'
           end
         end
+        describe 'when response has no cert and you dont provide cert' do
+          let(:document) { OneLogin::RubySaml::Response.new(response_document_valid_signed_without_x509certificate).document }
+          let(:idp_cert) { nil }
+          it 'is invalid' do
+            assert !document.validate_document_with_cert(idp_cert), 'Document should not be valid'
+          end
+          it 'is invalid and error raised' do
+            assert_raises(OneLogin::RubySaml::ValidationError) do
+              document.validate_document_with_cert(idp_cert, false)
+            end
+          end
+        end
       end
     end
   end

metadata CHANGED

@@ -1,41 +1,46 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 0.8.13
+  version: 0.8.14
+  prerelease:
 platform: ruby
 authors:
 - OneLogin LLC
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-23 00:00:00.000000000 Z
+date: 2020-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: uuid
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2.3'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
 description: SAML toolkit for Ruby on Rails
@@ -46,9 +51,9 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
-- ".document"
-- ".gitignore"
-- ".travis.yml"
+- .document
+- .gitignore
+- .travis.yml
 - Gemfile
 - LICENSE
 - README.md
@@ -127,27 +132,28 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
-metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
-- "--charset=UTF-8"
+- --charset=UTF-8
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.4.8
-signing_key:
-specification_version: 4
+rubygems_version: 1.8.23.2
+signing_key:
+specification_version: 3
 summary: SAML Ruby Tookit
 test_files:
 - test/certificates/certificate1

checksums.yaml DELETED

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: c3f3a436bf74c3342e13ed40b9d6d7c71e8b25f1
-  data.tar.gz: c39cb2b2fa7844d97cd83e2d6a34f7a5ab68151e
-SHA512:
-  metadata.gz: 38e6e375700d52f5bd4300dc5a1e7b9b20e5283b00371418730b1857ffc9b98857e72066a9ea67b504953eddaefc8683a0d40a29156f614dc18f9aaea7e7e0e5
-  data.tar.gz: a93d2f2c35bed0a8c44db64e3672aa8e811883d37b0386618dd51d0d7a9f19ddd37c59381dfa2c94cc04a361f3ecce8cd9677dc9ab6f44dee4eb653fefedba91