ruby-saml 1.1.1 → 1.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- data/README.md +3 -3
- data/changelog.md +9 -0
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +16 -6
- data/lib/onelogin/ruby-saml/response.rb +53 -11
- data/lib/onelogin/ruby-saml/settings.rb +4 -4
- data/lib/onelogin/ruby-saml/utils.rb +1 -1
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/test/response_test.rb +30 -4
- data/test/responses/invalids/signature_wrapping_attack.xml.base64 +1 -0
- data/test/xml_security_test.rb +9 -0
- metadata +177 -142
- checksums.yaml +0 -7
data/README.md
CHANGED
@@ -102,7 +102,7 @@ To override the default behavior and control the destination of log messages, pr
|
|
102
102
|
a ruby Logger object to the gem's logging singleton:
|
103
103
|
|
104
104
|
```ruby
|
105
|
-
OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w')
|
105
|
+
OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w'))
|
106
106
|
```
|
107
107
|
|
108
108
|
## The Initialization Phase
|
@@ -252,9 +252,9 @@ def saml_settings
|
|
252
252
|
end
|
253
253
|
```
|
254
254
|
The following attributes are set:
|
255
|
-
*
|
255
|
+
* idp_sso_target_url
|
256
256
|
* idp_slo_target_url
|
257
|
-
*
|
257
|
+
* idp_cert_fingerpint
|
258
258
|
|
259
259
|
If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
|
260
260
|
`single_value_compatibility` (when activate, only one value returned, the first one)
|
data/changelog.md
CHANGED
@@ -1,5 +1,14 @@
|
|
1
1
|
# RubySaml Changelog
|
2
2
|
|
3
|
+
### 1.1.2 (February 15, 2015)
|
4
|
+
* Improve signature validation. Add tests.
|
5
|
+
[#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
|
6
|
+
* [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.
|
7
|
+
* [#287](https://github.com/onelogin/ruby-saml/pull/287) Keep the extracted certificate when parsing IdP metadata.
|
8
|
+
|
9
|
+
### 1.1.1 (November 10, 2015)
|
10
|
+
* [#275](https://github.com/onelogin/ruby-saml/pull/275) Fix a bug on signature validations that invalidates valid SAML messages.
|
11
|
+
|
3
12
|
### 1.1.0 (October 27, 2015)
|
4
13
|
* [#273](https://github.com/onelogin/ruby-saml/pull/273) Support SAMLResponse without ds:x509certificate
|
5
14
|
* [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
|
@@ -44,6 +44,7 @@ module OneLogin
|
|
44
44
|
settings.name_identifier_format = idp_name_id_format
|
45
45
|
settings.idp_sso_target_url = single_signon_service_url
|
46
46
|
settings.idp_slo_target_url = single_logout_service_url
|
47
|
+
settings.idp_cert = certificate_base64
|
47
48
|
settings.idp_cert_fingerprint = fingerprint
|
48
49
|
end
|
49
50
|
end
|
@@ -133,19 +134,28 @@ module OneLogin
|
|
133
134
|
node.value if node
|
134
135
|
end
|
135
136
|
|
137
|
+
# @return [String|nil] Unformatted Certificate if exists
|
138
|
+
#
|
139
|
+
def certificate_base64
|
140
|
+
@certificate_base64 ||= begin
|
141
|
+
node = REXML::XPath.first(
|
142
|
+
document,
|
143
|
+
"/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
|
144
|
+
{ "md" => METADATA, "ds" => DSIG }
|
145
|
+
)
|
146
|
+
node.text if node
|
147
|
+
end
|
148
|
+
end
|
149
|
+
|
136
150
|
# @return [String|nil] X509Certificate if exists
|
137
151
|
#
|
138
152
|
def certificate
|
139
153
|
@certificate ||= begin
|
140
|
-
|
141
|
-
document,
|
142
|
-
"/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
|
143
|
-
{ "md" => METADATA, "ds" => DSIG }
|
144
|
-
)
|
145
|
-
Base64.decode64(node.text) if node
|
154
|
+
Base64.decode64(certificate_base64) if certificate_base64
|
146
155
|
end
|
147
156
|
end
|
148
157
|
|
158
|
+
|
149
159
|
# @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
|
150
160
|
#
|
151
161
|
def fingerprint
|
@@ -254,6 +254,19 @@ module OneLogin
|
|
254
254
|
end
|
255
255
|
end
|
256
256
|
|
257
|
+
# @return [String|nil] Destination attribute from the SAML Response.
|
258
|
+
#
|
259
|
+
def destination
|
260
|
+
@destination ||= begin
|
261
|
+
node = REXML::XPath.first(
|
262
|
+
document,
|
263
|
+
"/p:Response",
|
264
|
+
{ "p" => PROTOCOL }
|
265
|
+
)
|
266
|
+
node.nil? ? nil : node.attributes['Destination']
|
267
|
+
end
|
268
|
+
end
|
269
|
+
|
257
270
|
# @return [Array] The Audience elements from the Contitions of the SAML Response.
|
258
271
|
#
|
259
272
|
def audiences
|
@@ -295,6 +308,7 @@ module OneLogin
|
|
295
308
|
validate_in_response_to &&
|
296
309
|
validate_conditions &&
|
297
310
|
validate_audience &&
|
311
|
+
validate_destination &&
|
298
312
|
validate_issuer &&
|
299
313
|
validate_session_expiration &&
|
300
314
|
validate_subject_confirmation &&
|
@@ -454,7 +468,22 @@ module OneLogin
|
|
454
468
|
return true if audiences.empty? || settings.issuer.nil? || settings.issuer.empty?
|
455
469
|
|
456
470
|
unless audiences.include? settings.issuer
|
457
|
-
error_msg = "#{settings.issuer} is not a valid audience for this Response"
|
471
|
+
error_msg = "#{settings.issuer} is not a valid audience for this Response - Valid audiences: #{audiences.join(',')}"
|
472
|
+
return append_error(error_msg)
|
473
|
+
end
|
474
|
+
|
475
|
+
true
|
476
|
+
end
|
477
|
+
|
478
|
+
# Validates the Destination, (If the SAML Response is received where expected)
|
479
|
+
# If fails, the error is added to the errors array
|
480
|
+
# @return [Boolean] True if there is a Destination element that matches the Consumer Service URL, otherwise False
|
481
|
+
#
|
482
|
+
def validate_destination
|
483
|
+
return true if destination.nil? || destination.empty? || settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
|
484
|
+
|
485
|
+
unless destination == settings.assertion_consumer_service_url
|
486
|
+
error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
|
458
487
|
return append_error(error_msg)
|
459
488
|
end
|
460
489
|
|
@@ -571,25 +600,38 @@ module OneLogin
|
|
571
600
|
# @raise [ValidationError] if soft == false and validation fails
|
572
601
|
#
|
573
602
|
def validate_signature
|
574
|
-
|
575
|
-
idp_cert = settings.get_idp_cert
|
603
|
+
error_msg = "Invalid Signature on SAML Response"
|
576
604
|
|
577
605
|
# If the response contains the signature, and the assertion was encrypted, validate the original SAML Response
|
578
606
|
# otherwise, review if the decrypted assertion contains a signature
|
579
|
-
|
607
|
+
sig_elements = REXML::XPath.match(
|
580
608
|
document,
|
581
|
-
"/p:Response
|
582
|
-
{ "p" => PROTOCOL, "ds" => DSIG }
|
583
|
-
{ 'id' => document.signed_element_id }
|
609
|
+
"/p:Response/ds:Signature]",
|
610
|
+
{ "p" => PROTOCOL, "ds" => DSIG }
|
584
611
|
)
|
585
|
-
|
612
|
+
|
613
|
+
use_original = sig_elements.size == 1 || decrypted_document.nil?
|
614
|
+
doc = use_original ? document : decrypted_document
|
615
|
+
|
616
|
+
# Check signature nodes
|
617
|
+
if sig_elements.nil? || sig_elements.size == 0
|
618
|
+
sig_elements = REXML::XPath.match(
|
619
|
+
doc,
|
620
|
+
"/p:Response/a:Assertion/ds:Signature",
|
621
|
+
{"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG}
|
622
|
+
)
|
623
|
+
end
|
624
|
+
|
625
|
+
if sig_elements.size != 1
|
626
|
+
return append_error(error_msg)
|
627
|
+
end
|
586
628
|
|
587
629
|
opts = {}
|
588
630
|
opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
|
589
|
-
opts[:cert] =
|
631
|
+
opts[:cert] = settings.get_idp_cert
|
632
|
+
fingerprint = settings.get_fingerprint
|
590
633
|
|
591
|
-
unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
|
592
|
-
error_msg = "Invalid Signature on SAML Response"
|
634
|
+
unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
|
593
635
|
return append_error(error_msg)
|
594
636
|
end
|
595
637
|
|
@@ -118,8 +118,8 @@ module OneLogin
|
|
118
118
|
def get_idp_cert
|
119
119
|
return nil if idp_cert.nil? || idp_cert.empty?
|
120
120
|
|
121
|
-
|
122
|
-
OpenSSL::X509::Certificate.new(
|
121
|
+
formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
|
122
|
+
OpenSSL::X509::Certificate.new(formatted_cert)
|
123
123
|
end
|
124
124
|
|
125
125
|
# @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
|
@@ -127,8 +127,8 @@ module OneLogin
|
|
127
127
|
def get_sp_cert
|
128
128
|
return nil if certificate.nil? || certificate.empty?
|
129
129
|
|
130
|
-
|
131
|
-
OpenSSL::X509::Certificate.new(
|
130
|
+
formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
|
131
|
+
OpenSSL::X509::Certificate.new(formatted_cert)
|
132
132
|
end
|
133
133
|
|
134
134
|
# @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
|
@@ -65,7 +65,7 @@ module OneLogin
|
|
65
65
|
# @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
|
66
66
|
# @option params [String] sig_alg The SigAlg parameter
|
67
67
|
# @option params [String] signature The Signature parameter (base64 encoded)
|
68
|
-
# @option params [String] query_string The
|
68
|
+
# @option params [String] query_string The full GET Query String to be compared
|
69
69
|
# @return [Boolean] True if the Signature is valid, False otherwise
|
70
70
|
#
|
71
71
|
def self.verify_signature(params)
|
data/test/response_test.rb
CHANGED
@@ -204,7 +204,7 @@ class RubySamlTest < Minitest::Test
|
|
204
204
|
settings.issuer = 'invalid'
|
205
205
|
response_valid_signed.settings = settings
|
206
206
|
response_valid_signed.soft = false
|
207
|
-
error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
|
207
|
+
error_msg = "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
|
208
208
|
assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
|
209
209
|
response_valid_signed.is_valid?
|
210
210
|
end
|
@@ -368,7 +368,7 @@ class RubySamlTest < Minitest::Test
|
|
368
368
|
settings.issuer = 'invalid'
|
369
369
|
response_valid_signed.settings = settings
|
370
370
|
response_valid_signed.is_valid?
|
371
|
-
assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response"
|
371
|
+
assert_includes response_valid_signed.errors, "#{response_valid_signed.settings.issuer} is not a valid audience for this Response - Valid audiences: https://someone.example.com/audience"
|
372
372
|
end
|
373
373
|
|
374
374
|
it "return false when no ID present in the SAML Response" do
|
@@ -411,7 +411,22 @@ class RubySamlTest < Minitest::Test
|
|
411
411
|
response.settings = settings
|
412
412
|
response.settings.issuer = 'invalid_audience'
|
413
413
|
assert !response.send(:validate_audience)
|
414
|
-
assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response"
|
414
|
+
assert_includes response.errors, "#{response.settings.issuer} is not a valid audience for this Response - Valid audiences: {audience}"
|
415
|
+
end
|
416
|
+
end
|
417
|
+
|
418
|
+
describe "#validate_destination" do
|
419
|
+
it "return true when the destination of the SAML Response matches the assertion consumer service url" do
|
420
|
+
response.settings = settings
|
421
|
+
assert response.send(:validate_destination)
|
422
|
+
assert_empty response.errors
|
423
|
+
end
|
424
|
+
|
425
|
+
it "return false when the destination of the SAML Response does not match the assertion consumer service url" do
|
426
|
+
response.settings = settings
|
427
|
+
response.settings.assertion_consumer_service_url = 'invalid_acs'
|
428
|
+
assert !response.send(:validate_destination)
|
429
|
+
assert_includes response.errors, "The response was received at #{response.destination} instead of #{response.settings.assertion_consumer_service_url}"
|
415
430
|
end
|
416
431
|
end
|
417
432
|
|
@@ -551,7 +566,7 @@ class RubySamlTest < Minitest::Test
|
|
551
566
|
response_invalid_audience.settings = settings
|
552
567
|
response_invalid_audience.settings.issuer = "https://invalid.example.com/audience"
|
553
568
|
assert !response_invalid_audience.send(:validate_audience)
|
554
|
-
assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response"
|
569
|
+
assert_includes response_invalid_audience.errors, "#{response_invalid_audience.settings.issuer} is not a valid audience for this Response - Valid audiences: http://invalid.audience.com"
|
555
570
|
end
|
556
571
|
end
|
557
572
|
|
@@ -729,6 +744,17 @@ class RubySamlTest < Minitest::Test
|
|
729
744
|
assert response_valid_signed_without_x509certificate.send(:validate_signature)
|
730
745
|
assert_empty response_valid_signed_without_x509certificate.errors
|
731
746
|
end
|
747
|
+
|
748
|
+
it "return false when signature wrapping attack" do
|
749
|
+
signature_wrapping_attack = read_invalid_response("signature_wrapping_attack.xml.base64")
|
750
|
+
response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack)
|
751
|
+
response_wrapped.stubs(:conditions).returns(nil)
|
752
|
+
response_wrapped.stubs(:validate_subject_confirmation).returns(true)
|
753
|
+
settings.idp_cert_fingerprint = "afe71c28ef740bc87425be13a2263d37971da1f9"
|
754
|
+
response_wrapped.settings = settings
|
755
|
+
assert !response_wrapped.send(:validate_signature)
|
756
|
+
assert_includes response_wrapped.errors, "Invalid Signature on SAML Response"
|
757
|
+
end
|
732
758
|
end
|
733
759
|
|
734
760
|
describe "#nameid" do
|
@@ -0,0 +1 @@
|
|
1
|
+
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJwZnhjM2QyYjU0Mi0wZjdlLTg3NjctOGU4Ny01YjBkYzY5MTMzNzUiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgRGVzdGluYXRpb249Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvaW5kZXgucGhwP2FjcyIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl81ZDllMzE5YzFiOGE2N2RhNDgyMjc5NjRjMjhkMjgwZTc4NjBmODA0Ij48c2FtbDpJc3N1ZXI+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9zaW1wbGVzYW1sL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxzYW1scDpTdGF0dXM+PHNhbWxwOlN0YXR1c0RldGFpbD48c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeGMzZDJiNTQyLTBmN2UtODc2Ny04ZTg3LTViMGRjNjkxMzM3NSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDMtMjFUMTM6NDE6MDlaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiPjxzYW1sOklzc3Vlcj5odHRwczovL3BpdGJ1bGsubm8taXAub3JnL3NpbXBsZXNhbWwvc2FtbDIvaWRwL21ldGFkYXRhLnBocDwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeGMzZDJiNTQyLTBmN2UtODc2Ny04ZTg3LTViMGRjNjkxMzM3NSI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+MWRRRmlZVTBvMk9GN2MvUlZWOEdwZ2I0dTNJPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT53UmdCWE9xL0ZpTFpjMm11cmVUQy9qNnpZNzA5T2lrSjVIZVVTcnVIVGRZakVnOWFaeTFSYnhsS0lZRUlmWHBuWDdOQm9LeGZBTW0rTzBmc3JxT2pnY1l4VFZrcVpqT3I3MXFpWE5idHdqZUFrZFlTcGs1YnJzQWNuZmNQZHY4UVJlWXIzRDd0NVpWQ2dZdXZYUStkTkVMS2VhZzdlMUFTT3pWcU9kcDVaOVk9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9jY2NkNjAyNDExNjY0MWZlNDhlMGFlMmM1MTIyMGQwMjc1NWY5NmM5OGQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvc2ltcGxlc2FtbC9zYW1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2I5OGY5OGJiMWFiNTEyY2VkNjUzYjU4YmFhZmY1NDM0NDhkYWVkNTM1ZDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMy0yMVQxMzo0MDozOVoiIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxNC0wMy0yMVQyMTo0MTowOVoiIFNlc3Npb25JbmRleD0iXzlmZTBjOGRjZDMzMDJlNzM2NGZjYWIyMmE1Mjc0OGViZjIyMjRkZjBhYSI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj50ZXN0PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Im1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3RAZXhhbXBsZS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iY24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnRlc3Q8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ic24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndhYTI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+YWRtaW48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT48L3NhbWxwOlN0YXR1c0RldGFpbD48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgSUQ9Il9jY2NkNjAyNDExNjY0MWZlNDhlMGFlMmM1MTIyMGQwMjc1NWY5NmM5OGQiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiI+PHNhbWw6SXNzdWVyPmh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvc2ltcGxlc2FtbC9zYW1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBTUE5hbWVRdWFsaWZpZXI9Imh0dHBzOi8vcGl0YnVsay5uby1pcC5vcmcvbmV3b25lbG9naW4vZGVtbzEvbWV0YWRhdGEucGhwIiBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnRyYW5zaWVudCI+X2I5OGY5OGJiMWFiNTEyY2VkNjUzYjU4YmFhZmY1NDM0NDhkYWVkNTM1ZDwvc2FtbDpOYW1lSUQ+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVkOWUzMTljMWI4YTY3ZGE0ODIyNzk2NGMyOGQyODBlNzg2MGY4MDQiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAxNC0wMy0yMVQxMzo0MDozOVoiIE5vdE9uT3JBZnRlcj0iMjAyMy0wOS0yMlQxOTowMTowOVoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PHNhbWw6QXVkaWVuY2U+aHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9tZXRhZGF0YS5waHA8L3NhbWw6QXVkaWVuY2U+PC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+PC9zYW1sOkNvbmRpdGlvbnM+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDE0LTAzLTIxVDEzOjQxOjA5WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAyMy0wMy0yMVQyMTo0MTowOVoiIFNlc3Npb25JbmRleD0iXzlmZTBjOGRjZDMzMDJlNzM2NGZjYWIyMmE1Mjc0OGViZjIyMjRkZjBhYSI+PHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ+PC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5oYWNrZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ibWFpbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+aGFja2VyQGV4YW1wbGUuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9ImNuIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5oYWNrZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0ic24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPndhYTI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iZWR1UGVyc29uQWZmaWxpYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnVzZXI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+YWRtaW48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48L3NhbWw6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDpBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4=
|
data/test/xml_security_test.rb
CHANGED
@@ -343,6 +343,15 @@ class XmlSecurityTest < Minitest::Test
|
|
343
343
|
end
|
344
344
|
end
|
345
345
|
end
|
346
|
+
describe 'signature_wrapping_attack' do
|
347
|
+
let(:document_data) { read_invalid_response("signature_wrapping_attack.xml.base64") }
|
348
|
+
let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
|
349
|
+
let(:fingerprint) { 'afe71c28ef740bc87425be13a2263d37971da1f9' }
|
350
|
+
|
351
|
+
it 'is invalid' do
|
352
|
+
assert !document.validate_document(fingerprint, true), 'Document should be invalid'
|
353
|
+
end
|
354
|
+
end
|
346
355
|
end
|
347
356
|
end
|
348
357
|
end
|
metadata
CHANGED
@@ -1,166 +1,188 @@
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
2
|
name: ruby-saml
|
3
|
-
version: !ruby/object:Gem::Version
|
4
|
-
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
hash: 23
|
5
|
+
prerelease: false
|
6
|
+
segments:
|
7
|
+
- 1
|
8
|
+
- 1
|
9
|
+
- 2
|
10
|
+
version: 1.1.2
|
5
11
|
platform: ruby
|
6
|
-
authors:
|
12
|
+
authors:
|
7
13
|
- OneLogin LLC
|
8
14
|
autorequire:
|
9
15
|
bindir: bin
|
10
16
|
cert_chain: []
|
11
|
-
|
12
|
-
|
13
|
-
|
17
|
+
|
18
|
+
date: 2016-02-15 00:00:00 +01:00
|
19
|
+
default_executable:
|
20
|
+
dependencies:
|
21
|
+
- !ruby/object:Gem::Dependency
|
14
22
|
name: uuid
|
15
|
-
requirement: !ruby/object:Gem::Requirement
|
16
|
-
requirements:
|
17
|
-
- - "~>"
|
18
|
-
- !ruby/object:Gem::Version
|
19
|
-
version: '2.3'
|
20
|
-
type: :runtime
|
21
23
|
prerelease: false
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: 1.5.10
|
24
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
25
|
+
none: false
|
26
|
+
requirements:
|
27
|
+
- - ~>
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
hash: 5
|
30
|
+
segments:
|
31
|
+
- 2
|
32
|
+
- 3
|
33
|
+
version: "2.3"
|
34
34
|
type: :runtime
|
35
|
+
version_requirements: *id001
|
36
|
+
- !ruby/object:Gem::Dependency
|
37
|
+
name: nokogiri
|
35
38
|
prerelease: false
|
36
|
-
|
37
|
-
|
39
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
40
|
+
none: false
|
41
|
+
requirements:
|
38
42
|
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
43
|
+
- !ruby/object:Gem::Version
|
44
|
+
hash: 23
|
45
|
+
segments:
|
46
|
+
- 1
|
47
|
+
- 5
|
48
|
+
- 10
|
40
49
|
version: 1.5.10
|
41
|
-
|
50
|
+
type: :runtime
|
51
|
+
version_requirements: *id002
|
52
|
+
- !ruby/object:Gem::Dependency
|
42
53
|
name: minitest
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - "~>"
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '5.5'
|
48
|
-
type: :development
|
49
54
|
prerelease: false
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
- !ruby/object:Gem::Version
|
61
|
-
version: '0.14'
|
55
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
56
|
+
none: false
|
57
|
+
requirements:
|
58
|
+
- - ~>
|
59
|
+
- !ruby/object:Gem::Version
|
60
|
+
hash: 21
|
61
|
+
segments:
|
62
|
+
- 5
|
63
|
+
- 5
|
64
|
+
version: "5.5"
|
62
65
|
type: :development
|
66
|
+
version_requirements: *id003
|
67
|
+
- !ruby/object:Gem::Dependency
|
68
|
+
name: mocha
|
63
69
|
prerelease: false
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
- !ruby/object:Gem::Version
|
75
|
-
version: '10'
|
70
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
71
|
+
none: false
|
72
|
+
requirements:
|
73
|
+
- - ~>
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
hash: 23
|
76
|
+
segments:
|
77
|
+
- 0
|
78
|
+
- 14
|
79
|
+
version: "0.14"
|
76
80
|
type: :development
|
81
|
+
version_requirements: *id004
|
82
|
+
- !ruby/object:Gem::Dependency
|
83
|
+
name: rake
|
77
84
|
prerelease: false
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
- - "~>"
|
88
|
-
- !ruby/object:Gem::Version
|
89
|
-
version: '2.11'
|
85
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
86
|
+
none: false
|
87
|
+
requirements:
|
88
|
+
- - ~>
|
89
|
+
- !ruby/object:Gem::Version
|
90
|
+
hash: 23
|
91
|
+
segments:
|
92
|
+
- 10
|
93
|
+
version: "10"
|
90
94
|
type: :development
|
95
|
+
version_requirements: *id005
|
96
|
+
- !ruby/object:Gem::Dependency
|
97
|
+
name: shoulda
|
91
98
|
prerelease: false
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
- !ruby/object:Gem::Version
|
103
|
-
version: 0.9.0
|
99
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
100
|
+
none: false
|
101
|
+
requirements:
|
102
|
+
- - ~>
|
103
|
+
- !ruby/object:Gem::Version
|
104
|
+
hash: 21
|
105
|
+
segments:
|
106
|
+
- 2
|
107
|
+
- 11
|
108
|
+
version: "2.11"
|
104
109
|
type: :development
|
110
|
+
version_requirements: *id006
|
111
|
+
- !ruby/object:Gem::Dependency
|
112
|
+
name: simplecov
|
105
113
|
prerelease: false
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
114
|
+
requirement: &id007 !ruby/object:Gem::Requirement
|
115
|
+
none: false
|
116
|
+
requirements:
|
117
|
+
- - ~>
|
118
|
+
- !ruby/object:Gem::Version
|
119
|
+
hash: 59
|
120
|
+
segments:
|
121
|
+
- 0
|
122
|
+
- 9
|
123
|
+
- 0
|
110
124
|
version: 0.9.0
|
111
|
-
- !ruby/object:Gem::Dependency
|
112
|
-
name: systemu
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
114
|
-
requirements:
|
115
|
-
- - "~>"
|
116
|
-
- !ruby/object:Gem::Version
|
117
|
-
version: '2'
|
118
125
|
type: :development
|
126
|
+
version_requirements: *id007
|
127
|
+
- !ruby/object:Gem::Dependency
|
128
|
+
name: systemu
|
119
129
|
prerelease: false
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
- - "<="
|
130
|
-
- !ruby/object:Gem::Version
|
131
|
-
version: 0.6.0
|
130
|
+
requirement: &id008 !ruby/object:Gem::Requirement
|
131
|
+
none: false
|
132
|
+
requirements:
|
133
|
+
- - ~>
|
134
|
+
- !ruby/object:Gem::Version
|
135
|
+
hash: 7
|
136
|
+
segments:
|
137
|
+
- 2
|
138
|
+
version: "2"
|
132
139
|
type: :development
|
140
|
+
version_requirements: *id008
|
141
|
+
- !ruby/object:Gem::Dependency
|
142
|
+
name: timecop
|
133
143
|
prerelease: false
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
144
|
+
requirement: &id009 !ruby/object:Gem::Requirement
|
145
|
+
none: false
|
146
|
+
requirements:
|
147
|
+
- - <=
|
148
|
+
- !ruby/object:Gem::Version
|
149
|
+
hash: 7
|
150
|
+
segments:
|
151
|
+
- 0
|
152
|
+
- 6
|
153
|
+
- 0
|
138
154
|
version: 0.6.0
|
139
|
-
- !ruby/object:Gem::Dependency
|
140
|
-
name: pry-byebug
|
141
|
-
requirement: !ruby/object:Gem::Requirement
|
142
|
-
requirements:
|
143
|
-
- - ">="
|
144
|
-
- !ruby/object:Gem::Version
|
145
|
-
version: '0'
|
146
155
|
type: :development
|
156
|
+
version_requirements: *id009
|
157
|
+
- !ruby/object:Gem::Dependency
|
158
|
+
name: ruby-debug
|
147
159
|
prerelease: false
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
160
|
+
requirement: &id010 !ruby/object:Gem::Requirement
|
161
|
+
none: false
|
162
|
+
requirements:
|
163
|
+
- - ~>
|
164
|
+
- !ruby/object:Gem::Version
|
165
|
+
hash: 63
|
166
|
+
segments:
|
167
|
+
- 0
|
168
|
+
- 10
|
169
|
+
- 4
|
170
|
+
version: 0.10.4
|
171
|
+
type: :development
|
172
|
+
version_requirements: *id010
|
153
173
|
description: SAML toolkit for Ruby on Rails
|
154
174
|
email: support@onelogin.com
|
155
175
|
executables: []
|
176
|
+
|
156
177
|
extensions: []
|
157
|
-
|
178
|
+
|
179
|
+
extra_rdoc_files:
|
158
180
|
- LICENSE
|
159
181
|
- README.md
|
160
|
-
files:
|
161
|
-
-
|
162
|
-
-
|
163
|
-
-
|
182
|
+
files:
|
183
|
+
- .document
|
184
|
+
- .gitignore
|
185
|
+
- .travis.yml
|
164
186
|
- Gemfile
|
165
187
|
- LICENSE
|
166
188
|
- README.md
|
@@ -255,6 +277,7 @@ files:
|
|
255
277
|
- test/responses/invalids/no_subjectconfirmation_method.xml.base64
|
256
278
|
- test/responses/invalids/response_encrypted_attrs.xml.base64
|
257
279
|
- test/responses/invalids/response_invalid_signed_element.xml.base64
|
280
|
+
- test/responses/invalids/signature_wrapping_attack.xml.base64
|
258
281
|
- test/responses/invalids/status_code_responder.xml.base64
|
259
282
|
- test/responses/invalids/status_code_responer_and_msg.xml.base64
|
260
283
|
- test/responses/no_signature_ns.xml
|
@@ -299,32 +322,43 @@ files:
|
|
299
322
|
- test/test_helper.rb
|
300
323
|
- test/utils_test.rb
|
301
324
|
- test/xml_security_test.rb
|
325
|
+
has_rdoc: true
|
302
326
|
homepage: http://github.com/onelogin/ruby-saml
|
303
|
-
licenses:
|
327
|
+
licenses:
|
304
328
|
- MIT
|
305
|
-
metadata: {}
|
306
329
|
post_install_message:
|
307
|
-
rdoc_options:
|
308
|
-
-
|
309
|
-
require_paths:
|
330
|
+
rdoc_options:
|
331
|
+
- --charset=UTF-8
|
332
|
+
require_paths:
|
310
333
|
- lib
|
311
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
312
|
-
|
334
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
335
|
+
none: false
|
336
|
+
requirements:
|
313
337
|
- - ">="
|
314
|
-
- !ruby/object:Gem::Version
|
338
|
+
- !ruby/object:Gem::Version
|
339
|
+
hash: 57
|
340
|
+
segments:
|
341
|
+
- 1
|
342
|
+
- 8
|
343
|
+
- 7
|
315
344
|
version: 1.8.7
|
316
|
-
required_rubygems_version: !ruby/object:Gem::Requirement
|
317
|
-
|
345
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
346
|
+
none: false
|
347
|
+
requirements:
|
318
348
|
- - ">="
|
319
|
-
- !ruby/object:Gem::Version
|
320
|
-
|
349
|
+
- !ruby/object:Gem::Version
|
350
|
+
hash: 3
|
351
|
+
segments:
|
352
|
+
- 0
|
353
|
+
version: "0"
|
321
354
|
requirements: []
|
355
|
+
|
322
356
|
rubyforge_project: http://www.rubygems.org/gems/ruby-saml
|
323
|
-
rubygems_version:
|
357
|
+
rubygems_version: 1.3.7
|
324
358
|
signing_key:
|
325
|
-
specification_version:
|
359
|
+
specification_version: 3
|
326
360
|
summary: SAML Ruby Tookit
|
327
|
-
test_files:
|
361
|
+
test_files:
|
328
362
|
- test/certificates/certificate1
|
329
363
|
- test/certificates/certificate_without_head_foot
|
330
364
|
- test/certificates/formatted_certificate
|
@@ -380,6 +414,7 @@ test_files:
|
|
380
414
|
- test/responses/invalids/no_subjectconfirmation_method.xml.base64
|
381
415
|
- test/responses/invalids/response_encrypted_attrs.xml.base64
|
382
416
|
- test/responses/invalids/response_invalid_signed_element.xml.base64
|
417
|
+
- test/responses/invalids/signature_wrapping_attack.xml.base64
|
383
418
|
- test/responses/invalids/status_code_responder.xml.base64
|
384
419
|
- test/responses/invalids/status_code_responer_and_msg.xml.base64
|
385
420
|
- test/responses/no_signature_ns.xml
|
checksums.yaml
DELETED
@@ -1,7 +0,0 @@
|
|
1
|
-
---
|
2
|
-
SHA1:
|
3
|
-
metadata.gz: 6fb3836e492ba5fa2faa139d8985ff83e87fc8f4
|
4
|
-
data.tar.gz: 0fd231fd67a7a1bd5cfcf2e7413813e465b0fa54
|
5
|
-
SHA512:
|
6
|
-
metadata.gz: a931f544427ae080827ba9a21a2f14115ccd36588a5bd32cbf9017c6989b22878f8f21c87f8cd1c17451f67d8f162a2887b1f50810aba0806e33d15d0d1b61c5
|
7
|
-
data.tar.gz: 79639d6aa3edd230d080e24a3ce57bda7609ecb9ad460578b7a4ee79b9d904993918a7d5a68d94b1fea13566e625b0c3f386c2626354d658cac09fc5003f79f8
|