ruby-saml 1.1.1 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.


This version of ruby-saml might be problematic. Click here for more details.

data/README.md CHANGED
@@ -102,7 +102,7 @@ To override the default behavior and control the destination of log messages, pr
102
102
  a ruby Logger object to the gem's logging singleton:
103
103
 
104
104
  ```ruby
105
- OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w')
105
+ OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w'))
106
106
  ```
107
107
 
108
108
  ## The Initialization Phase
@@ -252,9 +252,9 @@ def saml_settings
252
252
  end
253
253
  ```
254
254
  The following attributes are set:
255
- * id_sso_target_url
255
+ * idp_sso_target_url
256
256
  * idp_slo_target_url
257
- * id_cert_fingerpint
257
+ * idp_cert_fingerpint
258
258
 
259
259
  If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
260
260
  `single_value_compatibility` (when activate, only one value returned, the first one)
@@ -1,5 +1,14 @@
1
1
  # RubySaml Changelog
2
2
 
3
+ ### 1.1.2 (February 15, 2015)
4
+ * Improve signature validation. Add tests.
5
+ [#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
6
+ * [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.
7
+ * [#287](https://github.com/onelogin/ruby-saml/pull/287) Keep the extracted certificate when parsing IdP metadata.
8
+
9
+ ### 1.1.1 (November 10, 2015)
10
+ * [#275](https://github.com/onelogin/ruby-saml/pull/275) Fix a bug on signature validations that invalidates valid SAML messages.
11
+
3
12
  ### 1.1.0 (October 27, 2015)
4
13
  * [#273](https://github.com/onelogin/ruby-saml/pull/273) Support SAMLResponse without ds:x509certificate
5
14
  * [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
@@ -44,6 +44,7 @@ module OneLogin
44
44
  settings.name_identifier_format = idp_name_id_format
45
45
  settings.idp_sso_target_url = single_signon_service_url
46
46
  settings.idp_slo_target_url = single_logout_service_url
47
+ settings.idp_cert = certificate_base64
47
48
  settings.idp_cert_fingerprint = fingerprint
48
49
  end
49
50
  end
@@ -133,19 +134,28 @@ module OneLogin
133
134
  node.value if node
134
135
  end
135
136
 
137
+ # @return [String|nil] Unformatted Certificate if exists
138
+ #
139
+ def certificate_base64
140
+ @certificate_base64 ||= begin
141
+ node = REXML::XPath.first(
142
+ document,
143
+ "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
144
+ { "md" => METADATA, "ds" => DSIG }
145
+ )
146
+ node.text if node
147
+ end
148
+ end
149
+
136
150
  # @return [String|nil] X509Certificate if exists
137
151
  #
138
152
  def certificate
139
153
  @certificate ||= begin
140
- node = REXML::XPath.first(
141
- document,
142
- "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
143
- { "md" => METADATA, "ds" => DSIG }
144
- )
145
- Base64.decode64(node.text) if node
154
+ Base64.decode64(certificate_base64) if certificate_base64
146
155
  end
147
156
  end
148
157
 
158
+
149
159
  # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
150
160
  #
151
161
  def fingerprint
@@ -254,6 +254,19 @@ module OneLogin
254
254
  end
255
255
  end
256
256
 
257
+ # @return [String|nil] Destination attribute from the SAML Response.
258
+ #
259
+ def destination
260
+ @destination ||= begin
261
+ node = REXML::XPath.first(
262
+ document,
263
+ "/p:Response",
264
+ { "p" => PROTOCOL }
265
+ )
266
+ node.nil? ? nil : node.attributes['Destination']
267
+ end
268
+ end
269
+
257
270
  # @return [Array] The Audience elements from the Contitions of the SAML Response.
258
271
  #
259
272
  def audiences
@@ -295,6 +308,7 @@ module OneLogin
295
308
  validate_in_response_to &&
296
309
  validate_conditions &&
297
310
  validate_audience &&
311
+ validate_destination &&
298
312
  validate_issuer &&
299
313
  validate_session_expiration &&
300
314
  validate_subject_confirmation &&
@@ -454,7 +468,22 @@ module OneLogin
454
468
  return true if audiences.empty? || settings.issuer.nil? || settings.issuer.empty?
455
469
 
456
470
  unless audiences.include? settings.issuer
457
- error_msg = "#{settings.issuer} is not a valid audience for this Response"
471
+ error_msg = "#{settings.issuer} is not a valid audience for this Response - Valid audiences: #{audiences.join(',')}"
472
+ return append_error(error_msg)
473
+ end
474
+
475
+ true
476
+ end
477
+
478
+ # Validates the Destination, (If the SAML Response is received where expected)
479
+ # If fails, the error is added to the errors array
480
+ # @return [Boolean] True if there is a Destination element that matches the Consumer Service URL, otherwise False
481
+ #
482
+ def validate_destination
483
+ return true if destination.nil? || destination.empty? || settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
484
+
485
+ unless destination == settings.assertion_consumer_service_url
486
+ error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
458
487
  return append_error(error_msg)
459
488
  end
460
489
 
@@ -571,25 +600,38 @@ module OneLogin
571
600
  # @raise [ValidationError] if soft == false and validation fails
572
601
  #
573
602
  def validate_signature
574
- fingerprint = settings.get_fingerprint
575
- idp_cert = settings.get_idp_cert
603
+ error_msg = "Invalid Signature on SAML Response"
576
604
 
577
605
  # If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
578
606
  # otherwise, review if the decrypted assertion contains a signature
579
- response_signed = REXML::XPath.first(
607
+ sig_elements = REXML::XPath.match(
580
608
  document,
581
- "/p:Response[@ID=$id]",
582
- { "p" => PROTOCOL, "ds" => DSIG },
583
- { 'id' => document.signed_element_id }
609
+ "/p:Response/ds:Signature]",
610
+ { "p" => PROTOCOL, "ds" => DSIG }
584
611
  )
585
- doc = (response_signed || decrypted_document.nil?) ? document : decrypted_document
612
+
613
+ use_original = sig_elements.size == 1 || decrypted_document.nil?
614
+ doc = use_original ? document : decrypted_document
615
+
616
+ # Check signature nodes
617
+ if sig_elements.nil? || sig_elements.size == 0
618
+ sig_elements = REXML::XPath.match(
619
+ doc,
620
+ "/p:Response/a:Assertion/ds:Signature",
621
+ {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG}
622
+ )
623
+ end
624
+
625
+ if sig_elements.size != 1
626
+ return append_error(error_msg)
627
+ end
586
628
 
587
629
  opts = {}
588
630
  opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
589
- opts[:cert] = idp_cert
631
+ opts[:cert] = settings.get_idp_cert
632
+ fingerprint = settings.get_fingerprint
590
633
 
591
- unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
592
- error_msg = "Invalid Signature on SAML Response"
634
+ unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
593
635
  return append_error(error_msg)
594
636
  end
595
637
 
@@ -118,8 +118,8 @@ module OneLogin
118
118
  def get_idp_cert
119
119
  return nil if idp_cert.nil? || idp_cert.empty?
120
120
 
121
- formated_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
122
- OpenSSL::X509::Certificate.new(formated_cert)
121
+ formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
122
+ OpenSSL::X509::Certificate.new(formatted_cert)
123
123
  end
124
124
 
125
125
  # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
@@ -127,8 +127,8 @@ module OneLogin
127
127
  def get_sp_cert
128
128
  return nil if certificate.nil? || certificate.empty?
129
129
 
130
- formated_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
131
- OpenSSL::X509::Certificate.new(formated_cert)
130
+ formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
131
+ OpenSSL::X509::Certificate.new(formatted_cert)
132
132
  end
133
133
 
134
134
  # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
@@ -65,7 +65,7 @@ module OneLogin
65
65
  # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
66
66
  # @option params [String] sig_alg The SigAlg parameter
67
67
  # @option params [String] signature The Signature parameter (base64 encoded)
68
- # @option params [String] query_string The SigAlg parameter
68
+ # @option params [String] query_string The full GET Query String to be compared
69
69
  # @return [Boolean] True if the Signature is valid, False otherwise
70
70
  #
71
71
  def self.verify_signature(params)
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.1.1'
3
+ VERSION = '1.1.2'
4
4
  end
5
5
  end
@@ -204,7 +204,7 @@ class RubySamlTest < Minitest::Test
204
204
  settings.issuer = 'invalid'
205
205
  response_valid_signed.settings = settings
206
206
  response_valid_signed.soft = false
207
- error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
207
+ error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
208
208
  assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
209
209
  response_valid_signed.is_valid?
210
210
  end
@@ -368,7 +368,7 @@ class RubySamlTest < Minitest::Test
368
368
  settings.issuer = 'invalid'
369
369
  response_valid_signed.settings = settings
370
370
  response_valid_signed.is_valid?
371
- assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
371
+ assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
372
372
  end
373
373
 
374
374
  it "return false when no ID present in the SAML Response" do
@@ -411,7 +411,22 @@ class RubySamlTest < Minitest::Test
411
411
  response.settings = settings
412
412
  response.settings.issuer = 'invalid_audience'
413
413
  assert !response.send(:validate_audience)
414
- assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response"
414
+ assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response - Valid audiences: {audience}"
415
+ end
416
+ end
417
+
418
+ describe "#validate_destination" do
419
+ it "return true when the destination of the SAML Response matches the assertion consumer service url" do
420
+ response.settings = settings
421
+ assert response.send(:validate_destination)
422
+ assert_empty response.errors
423
+ end
424
+
425
+ it "return false when the destination of the SAML Response does not match the assertion consumer service url" do
426
+ response.settings = settings
427
+ response.settings.assertion_consumer_service_url = 'invalid_acs'
428
+ assert !response.send(:validate_destination)
429
+ assert_includes response.errors, "The response was received at #{response.destination} instead of #{response.settings.assertion_consumer_service_url}"
415
430
  end
416
431
  end
417
432
 
@@ -551,7 +566,7 @@ class RubySamlTest < Minitest::Test
551
566
  response_invalid_audience.settings = settings
552
567
  response_invalid_audience.settings.issuer = "https://invalid.example.com/audience"
553
568
  assert !response_invalid_audience.send(:validate_audience)
554
- assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response"
569
+ assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response - Valid audiences: http://invalid.audience.com"
555
570
  end
556
571
  end
557
572
 
@@ -729,6 +744,17 @@ class RubySamlTest < Minitest::Test
729
744
  assert response_valid_signed_without_x509certificate.send(:validate_signature)
730
745
  assert_empty response_valid_signed_without_x509certificate.errors
731
746
  end
747
+
748
+ it "return false when signature wrapping attack" do
749
+ signature_wrapping_attack = read_invalid_response("signature_wrapping_attack.xml.base64")
750
+ response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack)
751
+ response_wrapped.stubs(:conditions).returns(nil)
752
+ response_wrapped.stubs(:validate_subject_confirmation).returns(true)
753
+ settings.idp_cert_fingerprint = "afe71c28ef740bc87425be13a2263d37971da1f9"
754
+ response_wrapped.settings = settings
755
+ assert !response_wrapped.send(:validate_signature)
756
+ assert_includes response_wrapped.errors, "Invalid Signature on SAML Response"
757
+ end
732
758
  end
733
759
 
734
760
  describe "#nameid" do
@@ -0,0 +1 @@
1
+ PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJwZnhjM2QyYjU0Mi0wZjdlLTg3NjctOGU4Ny01YjBkYzY5MTMzNzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgRGVzdGluYXRpb249Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl81ZDllMzE5YzFiOGE2N2RhNDgyMjc5NjRjMjhkMjgwZTc4NjBmODA0Ij48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9zaW1wbGVzYW1sL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0RldGFpbD48c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzZDJiNTQyLTBmN2UtODc2Ny04ZTg3LTViMGRjNjkxMzM3NSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDMtMjFUMTM6NDE6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiPjxzYW1sOklzc3Vlcj5odHRwczovL3BpdGJ1bGsubm8taXAub3JnL3NpbXBsZXNhbWwvc2FtbDIvaWRwL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGMzZDJiNTQyLTBmN2UtODc2Ny04ZTg3LTViMGRjNjkxMzM3NSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+MWRRRmlZVTBvMk9GN2MvUlZWOEdwZ2I0dTNJPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT53UmdCWE9xL0ZpTFpjMm11cmVUQy9qNnpZNzA5T2lrSjVIZVVTcnVIVGRZakVnOWFaeTFSYnhsS0lZRUlmWHBuWDdOQm9LeGZBTW0rTzBmc3JxT2pnY1l4VFZrcVpqT3I3MXFpWE5idHdqZUFrZFlTcGs1YnJzQWNuZmNQZHY4UVJlWXIzRDd0NVpWQ2dZdXZYUStkTkVMS2VhZzdlMUFTT3pWcU9kcDVaOVk9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9jY2NkNjAyNDExNjY0MWZlNDhlMGFlMmM1MTIyMGQwMjc1NWY5NmM5OGQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvc2ltcGxlc2FtbC9zYW1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2I5OGY5OGJiMWFiNTEyY2VkNjUzYjU4YmFhZmY1NDM0NDhkYWVkNTM1ZDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMy0yMVQxMzo0MDozOVoiIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxNC0wMy0yMVQyMTo0MTowOVoiIFNlc3Npb25JbmRleD0iXzlmZTBjOGRjZDMzMDJlNzM2NGZjYWIyMmE1Mjc0OGViZjIyMjRkZjBhYSI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ic24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndhYTI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+YWRtaW48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT48L3NhbWxwOlN0YXR1c0RldGFpbD48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9jY2NkNjAyNDExNjY0MWZlNDhlMGFlMmM1MTIyMGQwMjc1NWY5NmM5OGQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvc2ltcGxlc2FtbC9zYW1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2I5OGY5OGJiMWFiNTEyY2VkNjUzYjU4YmFhZmY1NDM0NDhkYWVkNTM1ZDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMy0yMVQxMzo0MDozOVoiIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMy0wMy0yMVQyMTo0MTowOVoiIFNlc3Npb25JbmRleD0iXzlmZTBjOGRjZDMzMDJlNzM2NGZjYWIyMmE1Mjc0OGViZjIyMjRkZjBhYSI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5oYWNrZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+aGFja2VyQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5oYWNrZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ic24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndhYTI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+YWRtaW48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
@@ -343,6 +343,15 @@ class XmlSecurityTest < Minitest::Test
343
343
  end
344
344
  end
345
345
  end
346
+ describe 'signature_wrapping_attack' do
347
+ let(:document_data) { read_invalid_response("signature_wrapping_attack.xml.base64") }
348
+ let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
349
+ let(:fingerprint) { 'afe71c28ef740bc87425be13a2263d37971da1f9' }
350
+
351
+ it 'is invalid' do
352
+ assert !document.validate_document(fingerprint, true), 'Document should be invalid'
353
+ end
354
+ end
346
355
  end
347
356
  end
348
357
  end
metadata CHANGED
@@ -1,166 +1,188 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
- version: !ruby/object:Gem::Version
4
- version: 1.1.1
3
+ version: !ruby/object:Gem::Version
4
+ hash: 23
5
+ prerelease: false
6
+ segments:
7
+ - 1
8
+ - 1
9
+ - 2
10
+ version: 1.1.2
5
11
  platform: ruby
6
- authors:
12
+ authors:
7
13
  - OneLogin LLC
8
14
  autorequire:
9
15
  bindir: bin
10
16
  cert_chain: []
11
- date: 2015-11-11 00:00:00.000000000 Z
12
- dependencies:
13
- - !ruby/object:Gem::Dependency
17
+
18
+ date: 2016-02-15 00:00:00 +01:00
19
+ default_executable:
20
+ dependencies:
21
+ - !ruby/object:Gem::Dependency
14
22
  name: uuid
15
- requirement: !ruby/object:Gem::Requirement
16
- requirements:
17
- - - "~>"
18
- - !ruby/object:Gem::Version
19
- version: '2.3'
20
- type: :runtime
21
23
  prerelease: false
22
- version_requirements: !ruby/object:Gem::Requirement
23
- requirements:
24
- - - "~>"
25
- - !ruby/object:Gem::Version
26
- version: '2.3'
27
- - !ruby/object:Gem::Dependency
28
- name: nokogiri
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - ">="
32
- - !ruby/object:Gem::Version
33
- version: 1.5.10
24
+ requirement: &id001 !ruby/object:Gem::Requirement
25
+ none: false
26
+ requirements:
27
+ - - ~>
28
+ - !ruby/object:Gem::Version
29
+ hash: 5
30
+ segments:
31
+ - 2
32
+ - 3
33
+ version: "2.3"
34
34
  type: :runtime
35
+ version_requirements: *id001
36
+ - !ruby/object:Gem::Dependency
37
+ name: nokogiri
35
38
  prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
39
+ requirement: &id002 !ruby/object:Gem::Requirement
40
+ none: false
41
+ requirements:
38
42
  - - ">="
39
- - !ruby/object:Gem::Version
43
+ - !ruby/object:Gem::Version
44
+ hash: 23
45
+ segments:
46
+ - 1
47
+ - 5
48
+ - 10
40
49
  version: 1.5.10
41
- - !ruby/object:Gem::Dependency
50
+ type: :runtime
51
+ version_requirements: *id002
52
+ - !ruby/object:Gem::Dependency
42
53
  name: minitest
43
- requirement: !ruby/object:Gem::Requirement
44
- requirements:
45
- - - "~>"
46
- - !ruby/object:Gem::Version
47
- version: '5.5'
48
- type: :development
49
54
  prerelease: false
50
- version_requirements: !ruby/object:Gem::Requirement
51
- requirements:
52
- - - "~>"
53
- - !ruby/object:Gem::Version
54
- version: '5.5'
55
- - !ruby/object:Gem::Dependency
56
- name: mocha
57
- requirement: !ruby/object:Gem::Requirement
58
- requirements:
59
- - - "~>"
60
- - !ruby/object:Gem::Version
61
- version: '0.14'
55
+ requirement: &id003 !ruby/object:Gem::Requirement
56
+ none: false
57
+ requirements:
58
+ - - ~>
59
+ - !ruby/object:Gem::Version
60
+ hash: 21
61
+ segments:
62
+ - 5
63
+ - 5
64
+ version: "5.5"
62
65
  type: :development
66
+ version_requirements: *id003
67
+ - !ruby/object:Gem::Dependency
68
+ name: mocha
63
69
  prerelease: false
64
- version_requirements: !ruby/object:Gem::Requirement
65
- requirements:
66
- - - "~>"
67
- - !ruby/object:Gem::Version
68
- version: '0.14'
69
- - !ruby/object:Gem::Dependency
70
- name: rake
71
- requirement: !ruby/object:Gem::Requirement
72
- requirements:
73
- - - "~>"
74
- - !ruby/object:Gem::Version
75
- version: '10'
70
+ requirement: &id004 !ruby/object:Gem::Requirement
71
+ none: false
72
+ requirements:
73
+ - - ~>
74
+ - !ruby/object:Gem::Version
75
+ hash: 23
76
+ segments:
77
+ - 0
78
+ - 14
79
+ version: "0.14"
76
80
  type: :development
81
+ version_requirements: *id004
82
+ - !ruby/object:Gem::Dependency
83
+ name: rake
77
84
  prerelease: false
78
- version_requirements: !ruby/object:Gem::Requirement
79
- requirements:
80
- - - "~>"
81
- - !ruby/object:Gem::Version
82
- version: '10'
83
- - !ruby/object:Gem::Dependency
84
- name: shoulda
85
- requirement: !ruby/object:Gem::Requirement
86
- requirements:
87
- - - "~>"
88
- - !ruby/object:Gem::Version
89
- version: '2.11'
85
+ requirement: &id005 !ruby/object:Gem::Requirement
86
+ none: false
87
+ requirements:
88
+ - - ~>
89
+ - !ruby/object:Gem::Version
90
+ hash: 23
91
+ segments:
92
+ - 10
93
+ version: "10"
90
94
  type: :development
95
+ version_requirements: *id005
96
+ - !ruby/object:Gem::Dependency
97
+ name: shoulda
91
98
  prerelease: false
92
- version_requirements: !ruby/object:Gem::Requirement
93
- requirements:
94
- - - "~>"
95
- - !ruby/object:Gem::Version
96
- version: '2.11'
97
- - !ruby/object:Gem::Dependency
98
- name: simplecov
99
- requirement: !ruby/object:Gem::Requirement
100
- requirements:
101
- - - "~>"
102
- - !ruby/object:Gem::Version
103
- version: 0.9.0
99
+ requirement: &id006 !ruby/object:Gem::Requirement
100
+ none: false
101
+ requirements:
102
+ - - ~>
103
+ - !ruby/object:Gem::Version
104
+ hash: 21
105
+ segments:
106
+ - 2
107
+ - 11
108
+ version: "2.11"
104
109
  type: :development
110
+ version_requirements: *id006
111
+ - !ruby/object:Gem::Dependency
112
+ name: simplecov
105
113
  prerelease: false
106
- version_requirements: !ruby/object:Gem::Requirement
107
- requirements:
108
- - - "~>"
109
- - !ruby/object:Gem::Version
114
+ requirement: &id007 !ruby/object:Gem::Requirement
115
+ none: false
116
+ requirements:
117
+ - - ~>
118
+ - !ruby/object:Gem::Version
119
+ hash: 59
120
+ segments:
121
+ - 0
122
+ - 9
123
+ - 0
110
124
  version: 0.9.0
111
- - !ruby/object:Gem::Dependency
112
- name: systemu
113
- requirement: !ruby/object:Gem::Requirement
114
- requirements:
115
- - - "~>"
116
- - !ruby/object:Gem::Version
117
- version: '2'
118
125
  type: :development
126
+ version_requirements: *id007
127
+ - !ruby/object:Gem::Dependency
128
+ name: systemu
119
129
  prerelease: false
120
- version_requirements: !ruby/object:Gem::Requirement
121
- requirements:
122
- - - "~>"
123
- - !ruby/object:Gem::Version
124
- version: '2'
125
- - !ruby/object:Gem::Dependency
126
- name: timecop
127
- requirement: !ruby/object:Gem::Requirement
128
- requirements:
129
- - - "<="
130
- - !ruby/object:Gem::Version
131
- version: 0.6.0
130
+ requirement: &id008 !ruby/object:Gem::Requirement
131
+ none: false
132
+ requirements:
133
+ - - ~>
134
+ - !ruby/object:Gem::Version
135
+ hash: 7
136
+ segments:
137
+ - 2
138
+ version: "2"
132
139
  type: :development
140
+ version_requirements: *id008
141
+ - !ruby/object:Gem::Dependency
142
+ name: timecop
133
143
  prerelease: false
134
- version_requirements: !ruby/object:Gem::Requirement
135
- requirements:
136
- - - "<="
137
- - !ruby/object:Gem::Version
144
+ requirement: &id009 !ruby/object:Gem::Requirement
145
+ none: false
146
+ requirements:
147
+ - - <=
148
+ - !ruby/object:Gem::Version
149
+ hash: 7
150
+ segments:
151
+ - 0
152
+ - 6
153
+ - 0
138
154
  version: 0.6.0
139
- - !ruby/object:Gem::Dependency
140
- name: pry-byebug
141
- requirement: !ruby/object:Gem::Requirement
142
- requirements:
143
- - - ">="
144
- - !ruby/object:Gem::Version
145
- version: '0'
146
155
  type: :development
156
+ version_requirements: *id009
157
+ - !ruby/object:Gem::Dependency
158
+ name: ruby-debug
147
159
  prerelease: false
148
- version_requirements: !ruby/object:Gem::Requirement
149
- requirements:
150
- - - ">="
151
- - !ruby/object:Gem::Version
152
- version: '0'
160
+ requirement: &id010 !ruby/object:Gem::Requirement
161
+ none: false
162
+ requirements:
163
+ - - ~>
164
+ - !ruby/object:Gem::Version
165
+ hash: 63
166
+ segments:
167
+ - 0
168
+ - 10
169
+ - 4
170
+ version: 0.10.4
171
+ type: :development
172
+ version_requirements: *id010
153
173
  description: SAML toolkit for Ruby on Rails
154
174
  email: support@onelogin.com
155
175
  executables: []
176
+
156
177
  extensions: []
157
- extra_rdoc_files:
178
+
179
+ extra_rdoc_files:
158
180
  - LICENSE
159
181
  - README.md
160
- files:
161
- - ".document"
162
- - ".gitignore"
163
- - ".travis.yml"
182
+ files:
183
+ - .document
184
+ - .gitignore
185
+ - .travis.yml
164
186
  - Gemfile
165
187
  - LICENSE
166
188
  - README.md
@@ -255,6 +277,7 @@ files:
255
277
  - test/responses/invalids/no_subjectconfirmation_method.xml.base64
256
278
  - test/responses/invalids/response_encrypted_attrs.xml.base64
257
279
  - test/responses/invalids/response_invalid_signed_element.xml.base64
280
+ - test/responses/invalids/signature_wrapping_attack.xml.base64
258
281
  - test/responses/invalids/status_code_responder.xml.base64
259
282
  - test/responses/invalids/status_code_responer_and_msg.xml.base64
260
283
  - test/responses/no_signature_ns.xml
@@ -299,32 +322,43 @@ files:
299
322
  - test/test_helper.rb
300
323
  - test/utils_test.rb
301
324
  - test/xml_security_test.rb
325
+ has_rdoc: true
302
326
  homepage: http://github.com/onelogin/ruby-saml
303
- licenses:
327
+ licenses:
304
328
  - MIT
305
- metadata: {}
306
329
  post_install_message:
307
- rdoc_options:
308
- - "--charset=UTF-8"
309
- require_paths:
330
+ rdoc_options:
331
+ - --charset=UTF-8
332
+ require_paths:
310
333
  - lib
311
- required_ruby_version: !ruby/object:Gem::Requirement
312
- requirements:
334
+ required_ruby_version: !ruby/object:Gem::Requirement
335
+ none: false
336
+ requirements:
313
337
  - - ">="
314
- - !ruby/object:Gem::Version
338
+ - !ruby/object:Gem::Version
339
+ hash: 57
340
+ segments:
341
+ - 1
342
+ - 8
343
+ - 7
315
344
  version: 1.8.7
316
- required_rubygems_version: !ruby/object:Gem::Requirement
317
- requirements:
345
+ required_rubygems_version: !ruby/object:Gem::Requirement
346
+ none: false
347
+ requirements:
318
348
  - - ">="
319
- - !ruby/object:Gem::Version
320
- version: '0'
349
+ - !ruby/object:Gem::Version
350
+ hash: 3
351
+ segments:
352
+ - 0
353
+ version: "0"
321
354
  requirements: []
355
+
322
356
  rubyforge_project: http://www.rubygems.org/gems/ruby-saml
323
- rubygems_version: 2.2.2
357
+ rubygems_version: 1.3.7
324
358
  signing_key:
325
- specification_version: 4
359
+ specification_version: 3
326
360
  summary: SAML Ruby Tookit
327
- test_files:
361
+ test_files:
328
362
  - test/certificates/certificate1
329
363
  - test/certificates/certificate_without_head_foot
330
364
  - test/certificates/formatted_certificate
@@ -380,6 +414,7 @@ test_files:
380
414
  - test/responses/invalids/no_subjectconfirmation_method.xml.base64
381
415
  - test/responses/invalids/response_encrypted_attrs.xml.base64
382
416
  - test/responses/invalids/response_invalid_signed_element.xml.base64
417
+ - test/responses/invalids/signature_wrapping_attack.xml.base64
383
418
  - test/responses/invalids/status_code_responder.xml.base64
384
419
  - test/responses/invalids/status_code_responer_and_msg.xml.base64
385
420
  - test/responses/no_signature_ns.xml
checksums.yaml DELETED
@@ -1,7 +0,0 @@
1
- ---
2
- SHA1:
3
- metadata.gz: 6fb3836e492ba5fa2faa139d8985ff83e87fc8f4
4
- data.tar.gz: 0fd231fd67a7a1bd5cfcf2e7413813e465b0fa54
5
- SHA512:
6
- metadata.gz: a931f544427ae080827ba9a21a2f14115ccd36588a5bd32cbf9017c6989b22878f8f21c87f8cd1c17451f67d8f162a2887b1f50810aba0806e33d15d0d1b61c5
7
- data.tar.gz: 79639d6aa3edd230d080e24a3ce57bda7609ecb9ad460578b7a4ee79b9d904993918a7d5a68d94b1fea13566e625b0c3f386c2626354d658cac09fc5003f79f8