ruby-saml 0.8.8 → 0.8.9

checksums.yaml

@@ -1,7 +1,7 @@
---- 
-SHA512: 
-  metadata.gz: 4841fc584fcb21a2d195ca2a0a7a3835301b4888d6eb10a916db75aaae47baa2db3142ea816cced287cda13e0e94261e33096532888e0c4dbfb88f3e815a561c
-  data.tar.gz: e1c81d64bc9cd5d3c9930934b02bbbe0b974b6a2606aae95ac81a0934a445971692f5ee6d5575baa5ca118f113776d824c581829fbf6f493a93041c7c6f74752
-SHA256: 
-  metadata.gz: 660a02871864e652d4676233c6c3f9afb36b5584a30dc6c12db8d683a891f609
-  data.tar.gz: 317d540f0b08fc67e91d74e3d46f553a50634cf9b1d199084470d1f099b79b51
+---
+SHA1:
+  metadata.gz: 646f99f7f6a7590eb22b51fad5f183cfed8038be
+  data.tar.gz: 008e10e85a4aea26fdf2c067cc8f6112d18f55a7
+SHA512:
+  metadata.gz: 7d239d7038cf7041e4dab1dd27dd92e5bb1f53d777ace0aa0c4ed9f08b4a9b077555e7d1eeed2ed8a8e21767039267747b9194172148e74bac7703205b862a16
+  data.tar.gz: 151df4d9fc610fbef47e5c93c73b8f25f9297b0bd457106e6fcd427933eebbe164c415d807ca9f70749937d5df66a4e49fb5423a7be2de6b1cd24641a077f94e

data/README.md

@@ -1,5 +1,8 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml)
 
+# Updating from 0.8.8 to 0.8.9
+Version `0.8.9` deprecates the use of settings.issuer, use instead settings.sp_entity_id. Deprecates assertion_consumer_logout_service_url and assertion_consumer_logout_service_binding as well, use instead single_logout_service_url and single_logout_service_binding. Adds validate_audience.
+
 # Updating from 0.8.7 to 0.8.8
 Version `0.8.8` adds support for ForceAuthn and Subjects on AuthNRequests by the new name_identifier_value_requested setting
 
@@ -52,7 +55,7 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
-  settings.issuer                         = request.host
+  settings.sp_entity_id                   = request.host
   settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -90,7 +93,7 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = request.host
+    settings.sp_entity_id                   = request.host
     settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -56,9 +56,9 @@ module OneLogin
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value_requested != nil

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -47,9 +47,9 @@ module OneLogin
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
 
-        if settings.issuer
+        if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -117,8 +117,8 @@ module OneLogin
           return soft ? false : validation_error("No settings on response")
         end
 
-        if settings.issuer.nil?
-          return soft ? false : validation_error("No issuer in settings")
+        if settings.sp_entity_id.nil?
+          return soft ? false : validation_error("No sp_entity_id in settings")
         end
 
         if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
@@ -139,8 +139,8 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        unless URI.parse(issuer) == URI.parse(self.settings.issuer)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
+        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
         end
         true
       end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -22,15 +22,15 @@ module OneLogin
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
             "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
         }
-        if settings.issuer != nil
-          root.attributes["entityID"] = settings.issuer
+        if settings.sp_entity_id != nil
+          root.attributes["entityID"] = settings.sp_entity_id
         end
-        if settings.assertion_consumer_logout_service_url != nil
+        if settings.single_logout_service_url != nil
           sp_sso.add_element "md:SingleLogoutService", {
               # Add this as a setting to create different bindings?
               "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-              "Location" => settings.assertion_consumer_logout_service_url,
-              "ResponseLocation" => settings.assertion_consumer_logout_service_url,
+              "Location" => settings.single_logout_service_url,
+              "ResponseLocation" => settings.single_logout_service_url,
               "isDefault" => true,
               "index" => 0
           }

data/lib/onelogin/ruby-saml/response.rb

@@ -131,6 +131,15 @@ module OneLogin
         end
       end
 
+      # @return [Array] The Audience elements from the Contitions of the SAML Response.
+      #
+      def audiences
+        @audiences ||= begin
+          nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience')
+          nodes.map { |node| Utils.element_text(node) }.reject(&:empty?)
+        end
+      end
+
       private
 
       def validation_error(message)
@@ -141,6 +150,7 @@ module OneLogin
         validate_structure(soft)      &&
         validate_response_state(soft) &&
         validate_conditions(soft)     &&
+        validate_audience(soft)       &&
         document.validate_document(get_fingerprint, soft) &&
         success?
       end
@@ -240,6 +250,23 @@ module OneLogin
           Time.parse(node.attributes[attribute])
         end
       end
+
+      # Validates the Audience, (If the Audience match the Service Provider EntityID)
+      # If fails, the error is added to the errors array
+      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_audience(soft = true)
+        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+        unless audiences.include? settings.sp_entity_id
+          s = audiences.count > 1 ? 's' : '';
+          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
+          return soft ? false : validation_error(error_msg)
+        end
+
+        true
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/settings.rb

@@ -8,7 +8,7 @@ module OneLogin
           self.send(acc, v) if self.respond_to? acc
         end
       end
-      attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
+      attr_accessor :assertion_consumer_service_url, :sp_entity_id, :sp_name_qualifier
       attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
       attr_accessor :authn_context
       attr_accessor :idp_slo_target_url
@@ -22,9 +22,84 @@ module OneLogin
       attr_accessor :passive
       attr_accessor :protocol_binding
 
+      # Compability
+      attr_accessor :issuer
+      attr_accessor :assertion_consumer_logout_service_url
+      attr_accessor :assertion_consumer_logout_service_binding
+
+      # @return [String] SP Entity ID
+      #
+      def sp_entity_id
+        val = nil
+        if @sp_entity_id.nil?
+          if @issuer
+            val = @issuer
+          end
+        else
+          val = @sp_entity_id
+        end
+        val
+      end
+
+       # Setter for SP Entity ID.
+      # @param val [String].
+      #
+      def sp_entity_id=(val)
+        @sp_entity_id = val
+      end
+
+      # @return [String] Single Logout Service URL.
+      #
+      def single_logout_service_url
+        val = nil
+        if @single_logout_service_url.nil?
+          if @assertion_consumer_logout_service_url
+            val = @assertion_consumer_logout_service_url
+          end
+        else
+          val = @single_logout_service_url
+        end
+        val
+      end
+
+      # Setter for the Single Logout Service URL.
+      # @param url [String].
+      #
+      def single_logout_service_url=(url)
+        @single_logout_service_url = url
+      end
+
+      # @return [String] Single Logout Service Binding.
+      #
+      def single_logout_service_binding
+        val = nil
+        if @single_logout_service_binding.nil?
+          if @assertion_consumer_logout_service_binding
+            val = @assertion_consumer_logout_service_binding
+          end
+        else
+          val = @single_logout_service_binding
+        end
+        val
+      end
+
+      # Setter for Single Logout Service Binding.
+      #
+      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+      # @param url [String]
+      #
+      def single_logout_service_binding=(url)
+        @single_logout_service_binding = url
+      end
+
       private
 
-      DEFAULTS = {:compress_request => true, :double_quote_xml_attribute_values => false}
+      DEFAULTS = {
+        :compress_request => true,
+        :double_quote_xml_attribute_values => false,
+        :assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
+      }
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.8'
+    VERSION = '0.8.9'
   end
 end

data/test/logoutresponse_test.rb

@@ -36,7 +36,7 @@ class RubySamlTest < Test::Unit::TestCase
 
         assert logoutresponse.validate
 
-        assert_equal settings.issuer, logoutresponse.issuer
+        assert_equal settings.sp_entity_id, logoutresponse.issuer
         assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
         assert logoutresponse.success?
@@ -92,9 +92,10 @@ class RubySamlTest < Test::Unit::TestCase
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end
 
-      should "raise validation error when in lack of issuer setting" do
+      should "raise validation error when in lack of sp_entity_id setting" do
         bad_settings = settings
         bad_settings.issuer = nil
+        bad_settings.sp_entity_id = nil
         logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_response, bad_settings)
         assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate! }
       end

data/test/response_test.rb

@@ -159,6 +159,39 @@ class RubySamlTest < Test::Unit::TestCase
         assert_equal "support@onelogin.com", response.name_id
         assert_equal "smith", response.attributes["surname"]
       end
+
+      context '#validate_audience' do
+        should "return true when sp_entity_id not set or empty" do
+          response = OneLogin::RubySaml::Response.new(response_document_4)
+          response.stubs(:conditions).returns(nil)
+          settings = OneLogin::RubySaml::Settings.new
+          response.settings = settings
+          settings.idp_cert_fingerprint = signature_fingerprint_1
+          assert response.is_valid?
+          settings.sp_entity_id = ''
+          assert response.is_valid?
+        end
+
+        should "return false when sp_entity_id set to incorrectly" do
+          response = OneLogin::RubySaml::Response.new(response_document_4)
+          response.stubs(:conditions).returns(nil)
+          settings = OneLogin::RubySaml::Settings.new
+          response.settings = settings
+          settings.idp_cert_fingerprint = signature_fingerprint_1
+          settings.sp_entity_id = 'wrong_audience'
+          assert !response.is_valid?
+        end
+
+        should "return true when sp_entity_id set to correctly" do
+          response = OneLogin::RubySaml::Response.new(response_document_4)
+          response.stubs(:conditions).returns(nil)
+          settings = OneLogin::RubySaml::Settings.new
+          response.settings = settings
+          settings.idp_cert_fingerprint = signature_fingerprint_1
+          settings.sp_entity_id = 'audience'
+          assert response.is_valid?
+        end
+      end
     end
 
     context "#name_id" do

data/test/responses/logoutresponse_fixtures.rb

@@ -15,9 +15,9 @@ def valid_response(opts = {})
         xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
         ID=\"#{random_id}\" Version=\"2.0\"
         IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
+        Destination=\"#{opts[:settings].single_logout_service_url}\"
         InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].sp_entity_id}</saml:Issuer>
       <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
       <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
           Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\">
@@ -33,9 +33,9 @@ def unsuccessful_response(opts = {})
         xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
         ID=\"#{random_id}\" Version=\"2.0\"
         IssueInstant=\"#{opts[:issue_instant]}\"
-        Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\"
+        Destination=\"#{opts[:settings].single_logout_service_url}\"
         InResponseTo=\"#{opts[:uuid]}\">
-      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].sp_entity_id}</saml:Issuer>
       <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
       <samlp:StatusCode xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
           Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
@@ -55,8 +55,8 @@ def settings
   @settings ||= OneLogin::RubySaml::Settings.new(
       {
           :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
-          :assertion_consumer_logout_service_url => "http://app.muda.no/sso/consume_logout",
-          :issuer => "http://app.muda.no",
+          :single_logout_service_url => "http://app.muda.no/sso/consume_logout",
+          :sp_entity_id => "http://app.muda.no",
           :sp_name_qualifier => "http://sso.muda.no",
           :idp_sso_target_url => "http://sso.muda.no/sso",
           :idp_slo_target_url => "http://sso.muda.no/slo",

data/test/settings_test.rb

@@ -8,11 +8,11 @@ class SettingsTest < Test::Unit::TestCase
     end
     should "should provide getters and settings" do
       accessors = [
-        :assertion_consumer_service_url, :issuer, :sp_name_qualifier,
+        :assertion_consumer_service_url, :issuer, :sp_entity_id, :sp_name_qualifier,
         :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format,
         :idp_slo_target_url, :name_identifier_value, :name_identifier_value_requested,
         :sessionindex, :assertion_consumer_logout_service_url,
-        :passive, :force_authn, :protocol_binding
+        :passive, :force_authn, :protocol_binding, :single_logout_service_url, :single_logout_service_binding
       ]
 
       accessors.each do |accessor|

metadata

@@ -1,49 +1,54 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version 
-  version: 0.8.8
+version: !ruby/object:Gem::Version
+  version: 0.8.9
 platform: ruby
-authors: 
+authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2019-03-21 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2019-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "2.3"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: nokogiri
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
+      - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
-  version_requirements: *id002
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - LICENSE
 - README.md
-files: 
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -101,31 +106,29 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
-
 metadata: {}
-
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
-require_paths: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - &id003 
-    - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - *id003
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.7.7
+rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
-test_files: 
+test_files:
 - test/certificates/certificate1
 - test/certificates/r1_certificate2_base64
 - test/logoutrequest_test.rb