ruby-saml 0.8.8 → 0.8.13
- checksums.yaml +7 -7
- data/Gemfile +11 -1
- data/README.md +5 -2
- data/Rakefile +0 -14
- data/lib/onelogin/ruby-saml/authrequest.rb +86 -20
- data/lib/onelogin/ruby-saml/logoutrequest.rb +95 -20
- data/lib/onelogin/ruby-saml/logoutresponse.rb +5 -28
- data/lib/onelogin/ruby-saml/metadata.rb +5 -5
- data/lib/onelogin/ruby-saml/response.rb +187 -4
- data/lib/onelogin/ruby-saml/setting_error.rb +6 -0
- data/lib/onelogin/ruby-saml/settings.rb +146 -10
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +158 -0
- data/lib/onelogin/ruby-saml/utils.rb +169 -0
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/ruby-saml.rb +2 -1
- data/lib/xml_security.rb +330 -78
- data/test/certificates/ruby-saml-2.crt +15 -0
- data/test/certificates/ruby-saml.crt +14 -0
- data/test/certificates/ruby-saml.key +15 -0
- data/test/logoutrequest_test.rb +177 -44
- data/test/logoutresponse_test.rb +25 -29
- data/test/request_test.rb +100 -37
- data/test/response_test.rb +213 -111
- data/test/responses/adfs_response_xmlns.xml +45 -0
- data/test/responses/encrypted_new_attack.xml.base64 +1 -0
- data/test/responses/invalids/multiple_signed.xml.base64 +1 -0
- data/test/responses/invalids/no_signature.xml.base64 +1 -0
- data/test/responses/invalids/response_with_concealed_signed_assertion.xml +51 -0
- data/test/responses/invalids/response_with_doubled_signed_assertion.xml +49 -0
- data/test/responses/invalids/signature_wrapping_attack.xml.base64 +1 -0
- data/test/responses/logoutresponse_fixtures.rb +6 -6
- data/test/responses/response_with_concealed_signed_assertion.xml +51 -0
- data/test/responses/response_with_doubled_signed_assertion.xml +49 -0
- data/test/responses/response_with_signed_assertion_3.xml +30 -0
- data/test/responses/response_with_signed_message_and_assertion.xml +34 -0
- data/test/responses/response_with_undefined_recipient.xml.base64 +1 -0
- data/test/responses/response_wrapped.xml.base64 +150 -0
- data/test/responses/valid_response.xml.base64 +1 -0
- data/test/responses/valid_response_without_x509certificate.xml.base64 +1 -0
- data/test/settings_test.rb +7 -7
- data/test/slo_logoutresponse_test.rb +226 -0
- data/test/test_helper.rb +117 -12
- data/test/utils_test.rb +10 -10
- data/test/xml_security_test.rb +310 -68
- metadata +88 -45
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
|
-
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
5
|
-
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: c3f3a436bf74c3342e13ed40b9d6d7c71e8b25f1
|
4
|
+
data.tar.gz: c39cb2b2fa7844d97cd83e2d6a34f7a5ab68151e
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 38e6e375700d52f5bd4300dc5a1e7b9b20e5283b00371418730b1857ffc9b98857e72066a9ea67b504953eddaefc8683a0d40a29156f614dc18f9aaea7e7e0e5
|
7
|
+
data.tar.gz: a93d2f2c35bed0a8c44db64e3672aa8e811883d37b0386618dd51d0d7a9f19ddd37c59381dfa2c94cc04a361f3ecce8cd9677dc9ab6f44dee4eb653fefedba91
|
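--- a/data/Gemfile
+++ b/data/Gemfile
@@ -5,9 +5,19 @@ source 'http://rubygems.org'
 
 gemspec
 
+if RUBY_VERSION < '1.9'
+gem 'nokogiri', '~> 1.5.0'
+gem 'minitest', '~> 5.5', '<= 5.11.3'
+elsif RUBY_VERSION < '2.1'
+gem 'nokogiri', '>= 1.5.0', '<= 1.6.8.1'
+gem 'minitest', '~> 5.5'
+else
+gem 'nokogiri', '>= 1.5.0'
+gem 'minitest', '~> 5.5'
+end
+
 group :test do
 if RUBY_VERSION < '1.9'
-gem 'nokogiri', '~> 1.5.0'
 gem 'ruby-debug', '~> 0.10.4'
 elsif RUBY_VERSION < '2.0'
 gem 'debugger-linecache', '~> 1.2.0'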
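Review bot: The hunk header shows this Gemfile still declares `source 'http://rubygems.org'`, so every gem in the new version matrix added here is resolved over plaintext HTTP with no transport integrity between the registry and the build. That line is outside the changed lines, but it is the one that decides where all of the added `gem` entries come from; it should read `source 'https://rubygems.org'`. The `gem 'nokogiri', '~> 1.5.0'` branch for Ruby below 1.9 also pins the XML parser used for SAML to a very old line, which is worth a one-line comment in the file stating that this branch is kept for compatibility only.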
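--- a/data/README.md
+++ b/data/README.md
@@ -1,5 +1,8 @@
 # Ruby SAML [](http://travis-ci.org/onelogin/ruby-saml)
 
+# Updating from 0.8.8 to 0.8.9
+Version `0.8.9` deprecates the use of settings.issuer, use instead settings.sp_entity_id. Deprecates assertion_consumer_logout_service_url and assertion_consumer_logout_service_binding as well, use instead single_logout_service_url and single_logout_service_binding. Adds validate_audience.
+
 # Updating from 0.8.7 to 0.8.8
 Version `0.8.8` adds support for ForceAuthn and Subjects on AuthNRequests by the new name_identifier_value_requested setting
 
@@ -52,7 +55,7 @@ def saml_settings
 settings = OneLogin::RubySaml::Settings.new
 
 settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
-settings.
+settings.sp_entity_id = request.host
 settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
 settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
 settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -90,7 +93,7 @@ class SamlController < ApplicationController
 settings = OneLogin::RubySaml::Settings.new
 
 settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-settings.
+settings.sp_entity_id = request.host
 settings.idp_sso_target_url = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
 settings.idp_cert_fingerprint = OneLoginAppCertFingerPrint
 settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"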
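--- a/data/Rakefile
+++ b/data/Rakefile
@@ -25,17 +25,3 @@ end
 task :test
 
 task :default => :test
-
-# require 'rake/rdoctask'
-# Rake::RDocTask.new do |rdoc|
-# if File.exist?('VERSION')
-# version = File.read('VERSION')
-# else
-# version = ""
-# end
-
-# rdoc.rdoc_dir = 'rdoc'
-# rdoc.title = "ruby-saml #{version}"
-# rdoc.rdoc_files.include('README*')
-# rdoc.rdoc_files.include('lib/**/*.rb')
-#end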
@@ -1,16 +1,50 @@
|
|
1
1
|
require "base64"
|
2
|
-
require "uuid"
|
3
2
|
require "zlib"
|
4
3
|
require "cgi"
|
5
|
-
require "
|
6
|
-
require "
|
4
|
+
require "onelogin/ruby-saml/utils"
|
5
|
+
require "onelogin/ruby-saml/setting_error"
|
7
6
|
|
8
7
|
module OneLogin
|
9
8
|
module RubySaml
|
10
|
-
|
9
|
+
|
11
10
|
class Authrequest
|
11
|
+
# AuthNRequest ID
|
12
|
+
attr_reader :uuid
|
13
|
+
|
14
|
+
# Initializes the AuthNRequest. An Authrequest Object.
|
15
|
+
# Asigns an ID, a random uuid.
|
16
|
+
#
|
17
|
+
def initialize
|
18
|
+
@uuid = OneLogin::RubySaml::Utils.uuid
|
19
|
+
end
|
20
|
+
|
12
21
|
def create(settings, params = {})
|
13
|
-
params =
|
22
|
+
params = create_params(settings, params)
|
23
|
+
params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
|
24
|
+
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
25
|
+
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
26
|
+
params.each_pair do |key, value|
|
27
|
+
request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
28
|
+
end
|
29
|
+
raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
|
30
|
+
@login_url = settings.idp_sso_target_url + request_params
|
31
|
+
end
|
32
|
+
|
33
|
+
# Creates the Get parameters for the request.
|
34
|
+
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
35
|
+
# @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
|
36
|
+
# @return [Hash] Parameters
|
37
|
+
#
|
38
|
+
def create_params(settings, params={})
|
39
|
+
# The method expects :RelayState but sometimes we get 'RelayState' instead.
|
40
|
+
# Based on the HashWithIndifferentAccess value in Rails we could experience
|
41
|
+
# conflicts so this line will solve them.
|
42
|
+
relay_state = params[:RelayState] || params['RelayState']
|
43
|
+
|
44
|
+
if relay_state.nil?
|
45
|
+
params.delete(:RelayState)
|
46
|
+
params.delete('RelayState')
|
47
|
+
end
|
14
48
|
|
15
49
|
request_doc = create_authentication_xml_doc(settings)
|
16
50
|
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
|
@@ -20,34 +54,55 @@ module OneLogin
|
|
20
54
|
|
21
55
|
Logging.debug "Created AuthnRequest: #{request}"
|
22
56
|
|
23
|
-
request
|
57
|
+
request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
|
24
58
|
if Base64.respond_to?('strict_encode64')
|
25
|
-
|
59
|
+
base64_request = Base64.strict_encode64(request)
|
26
60
|
else
|
27
|
-
|
61
|
+
base64_request = Base64.encode64(request).gsub(/\n/, "")
|
62
|
+
end
|
63
|
+
|
64
|
+
request_params = {"SAMLRequest" => base64_request}
|
65
|
+
|
66
|
+
if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
|
67
|
+
params['SigAlg'] = settings.security[:signature_method]
|
68
|
+
url_string = OneLogin::RubySaml::Utils.build_query(
|
69
|
+
:type => 'SAMLRequest',
|
70
|
+
:data => base64_request,
|
71
|
+
:relay_state => relay_state,
|
72
|
+
:sig_alg => params['SigAlg']
|
73
|
+
)
|
74
|
+
sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
75
|
+
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
76
|
+
if Base64.respond_to?('strict_encode64')
|
77
|
+
params['Signature'] = Base64.strict_encode64(signature)
|
78
|
+
else
|
79
|
+
params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
|
80
|
+
end
|
28
81
|
end
|
29
|
-
encoded_request = CGI.escape(base64_request)
|
30
|
-
params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
|
31
|
-
request_params = "#{params_prefix}SAMLRequest=#{encoded_request}"
|
32
82
|
|
33
83
|
params.each_pair do |key, value|
|
34
|
-
request_params
|
84
|
+
request_params[key] = value.to_s
|
35
85
|
end
|
36
86
|
|
37
|
-
|
87
|
+
request_params
|
38
88
|
end
|
39
89
|
|
40
90
|
def create_authentication_xml_doc(settings)
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
91
|
+
document = create_xml_document(settings)
|
92
|
+
sign_document(document, settings)
|
93
|
+
end
|
94
|
+
|
95
|
+
def create_xml_document(settings)
|
96
|
+
time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
|
97
|
+
|
98
|
+
request_doc = XMLSecurity::Document.new
|
99
|
+
request_doc.uuid = uuid
|
45
100
|
|
46
101
|
root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
47
102
|
root.attributes['ID'] = uuid
|
48
103
|
root.attributes['IssueInstant'] = time
|
49
104
|
root.attributes['Version'] = "2.0"
|
50
|
-
root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
|
105
|
+
root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
|
51
106
|
root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
|
52
107
|
root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
|
53
108
|
root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
|
@@ -56,9 +111,9 @@ module OneLogin
|
|
56
111
|
if settings.assertion_consumer_service_url != nil
|
57
112
|
root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
|
58
113
|
end
|
59
|
-
if settings.
|
114
|
+
if settings.sp_entity_id != nil
|
60
115
|
issuer = root.add_element "saml:Issuer"
|
61
|
-
issuer.text = settings.
|
116
|
+
issuer.text = settings.sp_entity_id
|
62
117
|
end
|
63
118
|
|
64
119
|
if settings.name_identifier_value_requested != nil
|
@@ -97,6 +152,17 @@ module OneLogin
|
|
97
152
|
request_doc
|
98
153
|
end
|
99
154
|
|
155
|
+
def sign_document(document, settings)
|
156
|
+
# embed signature
|
157
|
+
if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
|
158
|
+
private_key = settings.get_sp_key
|
159
|
+
cert = settings.get_sp_cert
|
160
|
+
document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|
161
|
+
end
|
162
|
+
|
163
|
+
document
|
164
|
+
end
|
165
|
+
|
100
166
|
end
|
101
167
|
end
|
102
168
|
end
|
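Review bot: In `create_params` the HTTP-Redirect signature (new lines 66–80 of the `@@ -20,34 +54,55 @@` hunk) is computed over `OneLogin::RubySaml::Utils.build_query(...)`, while the query the IdP will actually verify is assembled separately in `create` with `CGI.escape` on each value, and the two encodings must be byte-identical or the signature is rejected. `build_query` is not in this diff, so confirm it percent-encodes exactly like `CGI.escape` (base64 contains `+`, `/` and `=`) and add a comment at the `url_string =` line recording that coupling. `create_params` also mutates the hash it is given (`params.delete`, `params['SigAlg'] =`, `params['Signature'] =`), so a caller that reuses its options hash sees signing keys appear in it; `params = params.dup` at the top of the method avoids that. In `create`, the `raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" ...` guard runs only after the whole request has been built and signed, so moving it above `params = create_params(settings, params)` reports the misconfiguration first. `create_params` starts in the previous hunk, and its signing block is repeated verbatim in logoutrequest.rb, which argues for one shared helper.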
@@ -1,55 +1,115 @@
|
|
1
1
|
require "base64"
|
2
|
-
require "uuid"
|
3
2
|
require "zlib"
|
4
3
|
require "cgi"
|
4
|
+
require 'rexml/document'
|
5
|
+
require "onelogin/ruby-saml/utils"
|
6
|
+
require "onelogin/ruby-saml/setting_error"
|
5
7
|
|
6
8
|
module OneLogin
|
7
9
|
module RubySaml
|
8
|
-
|
10
|
+
|
9
11
|
class Logoutrequest
|
10
12
|
|
11
13
|
attr_reader :uuid # Can be obtained if neccessary
|
12
14
|
|
13
15
|
def initialize
|
14
|
-
@uuid =
|
16
|
+
@uuid = OneLogin::RubySaml::Utils.uuid
|
15
17
|
end
|
16
18
|
|
17
19
|
def create(settings, params={})
|
18
|
-
|
20
|
+
params = create_params(settings, params)
|
21
|
+
params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
|
22
|
+
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
23
|
+
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
24
|
+
params.each_pair do |key, value|
|
25
|
+
request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
|
26
|
+
end
|
27
|
+
raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
|
28
|
+
@logout_url = settings.idp_slo_target_url + request_params
|
29
|
+
end
|
30
|
+
|
31
|
+
# Creates the Get parameters for the logout request.
|
32
|
+
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
33
|
+
# @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
|
34
|
+
# @return [Hash] Parameters
|
35
|
+
#
|
36
|
+
def create_params(settings, params={})
|
37
|
+
# The method expects :RelayState but sometimes we get 'RelayState' instead.
|
38
|
+
# Based on the HashWithIndifferentAccess value in Rails we could experience
|
39
|
+
# conflicts so this line will solve them.
|
40
|
+
relay_state = params[:RelayState] || params['RelayState']
|
41
|
+
|
42
|
+
if relay_state.nil?
|
43
|
+
params.delete(:RelayState)
|
44
|
+
params.delete('RelayState')
|
45
|
+
end
|
46
|
+
|
47
|
+
request_doc = create_logout_request_xml_doc(settings)
|
48
|
+
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
|
49
|
+
|
19
50
|
request = ""
|
20
51
|
request_doc.write(request)
|
21
52
|
|
22
|
-
|
53
|
+
Logging.debug "Created SLO Logout Request: #{request}"
|
54
|
+
|
55
|
+
request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
|
23
56
|
if Base64.respond_to?('strict_encode64')
|
24
|
-
|
57
|
+
base64_request = Base64.strict_encode64(request)
|
25
58
|
else
|
26
|
-
|
59
|
+
base64_request = Base64.encode64(request).gsub(/\n/, "")
|
27
60
|
end
|
28
|
-
|
61
|
+
request_params = {"SAMLRequest" => base64_request}
|
29
62
|
|
30
|
-
|
31
|
-
|
63
|
+
if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
|
64
|
+
params['SigAlg'] = settings.security[:signature_method]
|
65
|
+
url_string = OneLogin::RubySaml::Utils.build_query(
|
66
|
+
:type => 'SAMLRequest',
|
67
|
+
:data => base64_request,
|
68
|
+
:relay_state => relay_state,
|
69
|
+
:sig_alg => params['SigAlg']
|
70
|
+
)
|
71
|
+
sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
72
|
+
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
73
|
+
if Base64.respond_to?('strict_encode64')
|
74
|
+
params['Signature'] = Base64.strict_encode64(signature)
|
75
|
+
else
|
76
|
+
params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
|
77
|
+
end
|
78
|
+
end
|
32
79
|
|
33
80
|
params.each_pair do |key, value|
|
34
|
-
request_params
|
81
|
+
request_params[key] = value.to_s
|
35
82
|
end
|
36
83
|
|
37
|
-
|
84
|
+
request_params
|
38
85
|
end
|
39
86
|
|
40
|
-
|
87
|
+
# Creates the SAMLRequest String.
|
88
|
+
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
89
|
+
# @return [String] The SAMLRequest String.
|
90
|
+
#
|
91
|
+
def create_logout_request_xml_doc(settings)
|
92
|
+
document = create_xml_document(settings)
|
93
|
+
sign_document(document, settings)
|
94
|
+
end
|
95
|
+
|
96
|
+
def create_xml_document(settings, request_doc=nil)
|
97
|
+
time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
|
41
98
|
|
42
|
-
|
99
|
+
if request_doc.nil?
|
100
|
+
request_doc = XMLSecurity::Document.new
|
101
|
+
request_doc.uuid = uuid
|
102
|
+
end
|
43
103
|
|
44
|
-
request_doc = REXML::Document.new
|
45
104
|
root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
|
46
|
-
root.attributes['ID'] =
|
105
|
+
root.attributes['ID'] = uuid
|
47
106
|
root.attributes['IssueInstant'] = time
|
48
107
|
root.attributes['Version'] = "2.0"
|
108
|
+
root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
|
49
109
|
|
50
|
-
if settings.
|
110
|
+
if settings.sp_entity_id
|
51
111
|
issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
52
|
-
issuer.text = settings.
|
112
|
+
issuer.text = settings.sp_entity_id
|
53
113
|
end
|
54
114
|
|
55
115
|
if settings.name_identifier_value
|
@@ -57,8 +117,6 @@ module OneLogin
|
|
57
117
|
name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
|
58
118
|
name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
|
59
119
|
name_id.text = settings.name_identifier_value
|
60
|
-
else
|
61
|
-
raise ValidationError.new("Missing required name identifier")
|
62
120
|
end
|
63
121
|
|
64
122
|
if settings.sessionindex
|
@@ -81,6 +139,23 @@ module OneLogin
|
|
81
139
|
end
|
82
140
|
request_doc
|
83
141
|
end
|
142
|
+
|
143
|
+
def sign_document(document, settings)
|
144
|
+
# embed signature
|
145
|
+
if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
|
146
|
+
private_key = settings.get_sp_key
|
147
|
+
cert = settings.get_sp_cert
|
148
|
+
document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|
149
|
+
end
|
150
|
+
|
151
|
+
document
|
152
|
+
end
|
153
|
+
|
154
|
+
# Leave due compatibility
|
155
|
+
def create_unauth_xml_doc(settings, params)
|
156
|
+
request_doc = ReXML::Document.new
|
157
|
+
create_xml_document(settings, request_doc)
|
158
|
+
end
|
84
159
|
end
|
85
160
|
end
|
86
161
|
end
|
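Review bot: `create_unauth_xml_doc` (new lines 155–158 of the `@@ -81,6 +139,23 @@` hunk) calls `ReXML::Document.new`, but the constant this file requires via `rexml/document` is `REXML`, so the compatibility method raises `NameError` on first use; the line should read `request_doc = REXML::Document.new`. Its `params` argument is also unused. The `@@ -57,8 +117,6 @@` hunk drops the `raise ValidationError.new("Missing required name identifier")` branch, so a LogoutRequest is now emitted with no NameID when `settings.name_identifier_value` is unset; if that is intentional, say so in a comment at the `if settings.name_identifier_value` line, otherwise the check should stay. The signing block in `create_params` (new lines 63–78) is the same code as in authrequest.rb and belongs in one shared helper; that method begins in the previous hunk.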
@@ -1,7 +1,5 @@
|
|
1
1
|
require "xml_security"
|
2
2
|
require "time"
|
3
|
-
require "base64"
|
4
|
-
require "zlib"
|
5
3
|
|
6
4
|
module OneLogin
|
7
5
|
module RubySaml
|
@@ -30,7 +28,7 @@ module OneLogin
|
|
30
28
|
self.settings = settings
|
31
29
|
|
32
30
|
@options = options
|
33
|
-
@response =
|
31
|
+
@response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
|
34
32
|
@document = XMLSecurity::SignedDocument.new(response)
|
35
33
|
end
|
36
34
|
|
@@ -75,27 +73,6 @@ module OneLogin
|
|
75
73
|
|
76
74
|
private
|
77
75
|
|
78
|
-
def decode(encoded)
|
79
|
-
Base64.decode64(encoded)
|
80
|
-
end
|
81
|
-
|
82
|
-
def inflate(deflated)
|
83
|
-
zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
|
84
|
-
zlib.inflate(deflated)
|
85
|
-
end
|
86
|
-
|
87
|
-
def decode_raw_response(response)
|
88
|
-
if response =~ /^</
|
89
|
-
return response
|
90
|
-
elsif (decoded = decode(response)) =~ /^</
|
91
|
-
return decoded
|
92
|
-
elsif (inflated = inflate(decoded)) =~ /^</
|
93
|
-
return inflated
|
94
|
-
end
|
95
|
-
|
96
|
-
raise "Couldn't decode SAMLResponse"
|
97
|
-
end
|
98
|
-
|
99
76
|
def valid_saml?(soft = true)
|
100
77
|
Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
|
101
78
|
@schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
|
@@ -117,8 +94,8 @@ module OneLogin
|
|
117
94
|
return soft ? false : validation_error("No settings on response")
|
118
95
|
end
|
119
96
|
|
120
|
-
if settings.
|
121
|
-
return soft ? false : validation_error("No
|
97
|
+
if settings.sp_entity_id.nil?
|
98
|
+
return soft ? false : validation_error("No sp_entity_id in settings")
|
122
99
|
end
|
123
100
|
|
124
101
|
if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
|
@@ -139,8 +116,8 @@ module OneLogin
|
|
139
116
|
end
|
140
117
|
|
141
118
|
def valid_issuer?(soft = true)
|
142
|
-
unless URI.parse(issuer) == URI.parse(self.settings.
|
143
|
-
return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.
|
119
|
+
unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
|
120
|
+
return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
|
144
121
|
end
|
145
122
|
true
|
146
123
|
end
|
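Review bot: In the constructor (`@@ -30,7 +28,7 @@` hunk) the decoded payload is stored by `@response = OneLogin::RubySaml::Utils.decode_raw_saml(response)`, but the next line still builds `@document = XMLSecurity::SignedDocument.new(response)` from the raw argument, so a base64- or deflate-encoded LogoutResponse is parsed undecoded unless `SignedDocument` decodes on its own (not visible here); the line should read `@document = XMLSecurity::SignedDocument.new(@response)`. In `valid_issuer?` (`@@ -139,8 +116,8 @@`) the response's `Issuer` is compared with `self.settings.sp_entity_id`, yet the issuer of a LogoutResponse is the IdP, so this check can only pass when IdP and SP share an entity id — confirm which setting was meant to be compared here. `URI.parse(issuer)` also raises `URI::InvalidURIError` on a malformed issuer taken from the wire, which bypasses the `soft` handling; rescue it and treat it as a failed check. The constructor and `valid_issuer?` both begin outside their hunks.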