ruby-saml 1.10.2 → 1.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d41dad289f19495a49ad8be046bfc6c37fdcddb5
-  data.tar.gz: 461bc5c8000ea0124e59cc5782b997c445591e75
+  metadata.gz: afcd8a95f66ec94e3bb68b5a5264a651ae623923
+  data.tar.gz: eb05bc60959fde11ac20b0af0d14c07b7c5c1b38
 SHA512:
-  metadata.gz: 677d7efd58ec482570901bec9ec0c1ef1e234715f2df3ba8983e9202c6af7d50a7dc9b58e4adf2bcb6ac88ba90190866bd16624308f6ce14205f3047587dc38e
-  data.tar.gz: 084285a2d56ae772430587a3e748e017c1a50cb6090ed1d4990545c0c5e46a8ecf8c20d5de04b284897e81a35f7da33a2e437686fc181a5ea7085af1121244fd
+  metadata.gz: e85dc90f8f4bd5433f0078a6b5e316109dc7bbbe1ba60d5f8075d1f5047a71c208144d1da51157cf7220f2c56fb8b421e7b70ac5c828bea713146fc6bc774a29
+  data.tar.gz: 7cce3fd10ff5d7753d518b847b7f0ff0976b4ef5a1b7cc39c6e6cd3c8b32df7649e95ab929631b9838df5a4fb3eb3f3c50479f54253094b457a484710381b8f1

data/.travis.yml

@@ -1,19 +1,18 @@
-sudo: false
 language: ruby
 rvm:
   - 1.8.7
   - 1.9.3
   - 2.0.0
-  - 2.1.5
-  - 2.2.0
-  - 2.3.0
-  - 2.4.0
-  - 2.5.0
-  - 2.6.0
+  - 2.1.10
+  - 2.2.10
+  - 2.3.8
+  - 2.4.6
+  - 2.5.5
+  - 2.6.3
   - ree
   - jruby-1.7.27
   - jruby-9.1.17.0
-  - jruby-9.2.0.0
+  - jruby-9.2.7.0
 gemfile:
   - Gemfile
   - gemfiles/nokogiri-1.5.gemfile
@@ -29,19 +28,19 @@ matrix:
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: jruby-9.1.17.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.0.0
+    - rvm: jruby-9.2.7.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.1.5
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.2.0
+    - rvm: 2.2.10
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.3.0
+    - rvm: 2.3.8
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.4.0
+    - rvm: 2.4.6
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.0
+    - rvm: 2.5.5
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.0
+    - rvm: 2.6.3
       gemfile: gemfiles/nokogiri-1.5.gemfile
 env:
   - JRUBY_OPTS="--debug"

data/README.md

@@ -123,6 +123,17 @@ We created a demo project for Rails4 that uses the latest version of this librar
 
 If you believe you have discovered a security vulnerability in this gem, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
 
+### Security warning
+
+Some tools may incorrectly report ruby-saml is a potential security vulnerability.
+ruby-saml depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way
+(by enabling its DTDLOAD option and disabling its NONET option).
+This dangerous Nokogiri configuration, which is sometimes used by other components,
+can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
+However, ruby-saml never enables this dangerous Nokogiri configuration;
+ruby-saml never enables DTDLOAD, and it never disables NONET.
+
+
 ## Getting Started
 In order to use the toolkit you will need to install the gem (either manually or using Bundler), and require the library in your Ruby application:
 
@@ -238,7 +249,7 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
   settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
@@ -262,6 +273,8 @@ def saml_settings
 end
 ```
 
+The use of settings.issuer is deprecated in favour of settings.sp_entity_id
+
 Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
@@ -301,7 +314,7 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = "http://#{request.host}/saml/metadata"
+    settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
     settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -364,7 +377,7 @@ def saml_settings
   settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   # Optional for most SAML IdPs
   settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -378,8 +391,8 @@ The following attributes are set:
   * idp_sso_target_url
   * idp_slo_target_url
   * idp_attribute_names
-  * idp_cert 
-  * idp_cert_fingerprint 
+  * idp_cert
+  * idp_cert_fingerprint
   * idp_cert_multi
 
 ### Retrieve one Entity Descriptor when many exist in Metadata
@@ -548,6 +561,8 @@ The settings related to sign are stored in the `security` attribute of the setti
   # Embeded signature or HTTP GET parameter signature
   # Note that metadata signature is always embedded regardless of this value.
   settings.security[:embed_sign] = false
+  settings.security[:check_idp_cert_expiration] = false   # Enable or not IdP x509 cert expiration check
+  settings.security[:check_sp_cert_expiration] = false   # Enable or not SP x509 cert expiration check
 ```
 
 Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -117,9 +117,9 @@ module OneLogin
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value_requested != nil

data/lib/onelogin/ruby-saml/logging.rb

@@ -8,9 +8,9 @@ module OneLogin
 
       def self.logger
         @logger ||= begin
-                      (defined?(::Rails) && Rails.respond_to?(:logger) && Rails.logger) ||
-                        DEFAULT_LOGGER
-                    end
+          (defined?(::Rails) && Rails.respond_to?(:logger) && Rails.logger) ||
+            DEFAULT_LOGGER
+        end
       end
 
       def self.logger=(logger)

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -105,9 +105,9 @@ module OneLogin
         root.attributes['Version'] = "2.0"
         root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
 
-        if settings.issuer
+        if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         nameid = root.add_element "saml:NameID"

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -163,7 +163,7 @@ module OneLogin
 
         return append_error("No settings on logout response") if settings.nil?
 
-        return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
+        return append_error("No sp_entity_id in settings of the logout response") if settings.sp_entity_id.nil?
 
         if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
           return append_error("No fingerprint or certificate on settings of the logout response")
@@ -228,13 +228,19 @@ module OneLogin
           :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
+        expired = false
         if idp_certs.nil? || idp_certs[:signing].empty?
           valid = OneLogin::RubySaml::Utils.verify_signature(
-            :cert         => settings.get_idp_cert,
+            :cert         => idp_cert,
             :sig_alg      => options[:get_params]['SigAlg'],
             :signature    => options[:get_params]['Signature'],
             :query_string => query_string
           )
+          if valid && settings.security[:check_idp_cert_expiration]
+            if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+              expired = true
+            end
+          end
         else
           valid = false
           idp_certs[:signing].each do |signing_idp_cert|
@@ -245,11 +251,20 @@ module OneLogin
               :query_string => query_string
             )
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+                  expired = true
+                end
+              end
               break
             end
           end
         end
 
+        if expired
+          error_msg = "IdP x509 certificate expired"
+          return append_error(error_msg)
+        end
         unless valid
           error_msg = "Invalid Signature on Logout Response"
           return append_error(error_msg)

data/lib/onelogin/ruby-saml/metadata.rb

@@ -57,8 +57,8 @@ module OneLogin
         end
 
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.issuer
-          root.attributes["entityID"] = settings.issuer
+        if settings.sp_entity_id
+          root.attributes["entityID"] = settings.sp_entity_id
         end
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {

data/lib/onelogin/ruby-saml/response.rb

@@ -589,11 +589,11 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_audience
-        return true if audiences.empty? || settings.issuer.nil? || settings.issuer.empty?
+        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
-        unless audiences.include? settings.issuer
+        unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
-          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.issuer}"
+          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
           return append_error(error_msg)
         end
 
@@ -781,8 +781,8 @@ module OneLogin
             return append_error("An empty NameID value found")
           end
 
-          unless settings.issuer.nil? || settings.issuer.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
-            if name_id_spnamequalifier != settings.issuer
+          unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
+            if name_id_spnamequalifier != settings.sp_entity_id
               return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
             end
           end
@@ -829,24 +829,43 @@ module OneLogin
           return append_error(error_msg)
         end
 
+
         idp_certs = settings.get_idp_cert_multi
         if idp_certs.nil? || idp_certs[:signing].empty?
           opts = {}
           opts[:fingerprint_alg] = settings.idp_cert_fingerprint_algorithm
-          opts[:cert] = settings.get_idp_cert
+          idp_cert = settings.get_idp_cert
           fingerprint = settings.get_fingerprint
+          opts[:cert] = idp_cert
 
-          unless fingerprint && doc.validate_document(fingerprint, @soft, opts)
+          if fingerprint && doc.validate_document(fingerprint, @soft, opts)
+            if settings.security[:check_idp_cert_expiration]
+              if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+                error_msg = "IdP x509 certificate expired"
+                return append_error(error_msg)
+              end
+            end
+          else
             return append_error(error_msg)
           end
         else
           valid = false
+          expired = false
           idp_certs[:signing].each do |idp_cert|
             valid = doc.validate_document_with_cert(idp_cert)
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+                  expired = true
+                end
+              end
               break
             end
           end
+          if expired
+            error_msg = "IdP x509 certificate expired"
+            return append_error(error_msg)
+          end
           unless valid
             return append_error(error_msg)
           end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,6 +1,7 @@
 require "xml_security"
 require "onelogin/ruby-saml/attribute_service"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/validation_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -40,7 +41,6 @@ module OneLogin
       attr_accessor :idp_name_qualifier
       attr_accessor :valid_until
       # SP Data
-      attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
       attr_accessor :assertion_consumer_service_binding
       attr_accessor :sp_name_qualifier
@@ -68,6 +68,28 @@ module OneLogin
       # Compability
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :assertion_consumer_logout_service_binding
+      attr_accessor :issuer
+
+      # @return [String] SP Entity ID
+      #
+      def sp_entity_id
+        val = nil
+        if @sp_entity_id.nil?
+          if @issuer
+            val = @issuer
+          end
+        else
+          val = @sp_entity_id
+        end
+        val
+      end
+
+      # Setter for SP Entity ID.
+      # @param val [String].
+      #
+      def sp_entity_id=(val)
+        @sp_entity_id = val
+      end
 
       # @return [String] Single Logout Service URL.
       #
@@ -167,7 +189,15 @@ module OneLogin
         return nil if certificate.nil? || certificate.empty?
 
         formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+        cert = OpenSSL::X509::Certificate.new(formatted_cert)
+
+        if security[:check_sp_cert_expiration]
+          if OneLogin::RubySaml::Utils.is_cert_expired(cert)
+            raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.")
+          end
+        end
+
+        cert
       end
 
       # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
@@ -197,6 +227,7 @@ module OneLogin
         :compress_request                          => true,
         :compress_response                         => true,
         :soft                                      => true,
+        :double_quote_xml_attribute_values         => false,
         :security                                  => {
           :authn_requests_signed      => false,
           :logout_requests_signed     => false,
@@ -207,9 +238,10 @@ module OneLogin
           :metadata_signed            => false,
           :embed_sign                 => false,
           :digest_method              => XMLSecurity::Document::SHA1,
-          :signature_method           => XMLSecurity::Document::RSA_SHA1
-        }.freeze,
-        :double_quote_xml_attribute_values         => false,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1,
+          :check_idp_cert_expiration  => false,
+          :check_sp_cert_expiration   => false
+        }.freeze
       }.freeze
     end
   end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -280,13 +280,19 @@ module OneLogin
           :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
+        expired = false
         if idp_certs.nil? || idp_certs[:signing].empty?
           valid = OneLogin::RubySaml::Utils.verify_signature(
-            :cert         => settings.get_idp_cert,
+            :cert         => idp_cert,
             :sig_alg      => options[:get_params]['SigAlg'],
             :signature    => options[:get_params]['Signature'],
             :query_string => query_string
           )
+          if valid && settings.security[:check_idp_cert_expiration]
+            if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+              expired = true
+            end
+          end
         else
           valid = false
           idp_certs[:signing].each do |signing_idp_cert|
@@ -297,11 +303,20 @@ module OneLogin
               :query_string => query_string
             )
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+                  expired = true
+                end
+              end
               break
             end
           end
         end
 
+        if expired
+          error_msg = "IdP x509 certificate expired"
+          return append_error(error_msg)
+        end
         unless valid
           return append_error("Invalid Signature on Logout Request")
         end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -114,9 +114,9 @@ module OneLogin
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
         root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
 
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         # add success message

data/lib/onelogin/ruby-saml/utils.rb

@@ -3,6 +3,7 @@ if RUBY_VERSION < '1.9'
 else
   require 'securerandom'
 end
+require "openssl"
 
 module OneLogin
   module RubySaml
@@ -15,6 +16,18 @@ module OneLogin
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
 
+      # Checks if the x509 cert provided is expired
+      #
+      # @param cert [Certificate] The x509 certificate
+      #
+      def self.is_cert_expired(cert)
+        if cert.is_a?(String)
+          cert = OpenSSL::X509::Certificate.new(cert)
+        end
+
+        return cert.not_after < Time.now
+      end
+
       # Return a properly formatted x509 certificate
       #
       # @param cert [String] The original certificate

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.10.2'
+    VERSION = '1.11.0'
   end
 end

data/ruby-saml.gemspec

@@ -17,7 +17,6 @@ Gem::Specification.new do |s|
   ]
   s.files = `git ls-files`.split("\n")
   s.homepage = %q{http://github.com/onelogin/ruby-saml}
-  s.rubyforge_project = %q{http://www.rubygems.org/gems/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -44,6 +43,7 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '>= 1.5.10')
   end
 
+  s.add_development_dependency('coveralls')
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')
   s.add_development_dependency('rake',     '~> 10')

data/test/logoutresponse_test.rb

@@ -62,7 +62,7 @@ class RubySamlTest < Minitest::Test
 
           assert logoutresponse.validate
 
-          assert_equal settings.issuer, logoutresponse.issuer
+          assert_equal settings.sp_entity_id, logoutresponse.issuer
           assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
           assert logoutresponse.success?
@@ -123,12 +123,13 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester -> Logoutrequest expired"
         end
 
-        it "invalidate logout response when in lack of issuer setting" do
+        it "invalidate logout response when in lack of sp_entity_id setting" do
           bad_settings = settings
           bad_settings.issuer = nil
+          bad_settings.sp_entity_id = nil
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, bad_settings)
           assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+          assert_includes logoutresponse.errors, "No sp_entity_id in settings of the logout response"
         end
 
         it "invalidate logout response with wrong issuer" do
@@ -139,7 +140,7 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "Doesn't match the issuer, expected: <#{logoutresponse.settings.idp_entity_id}>, but was: <http://app.muda.no>"
         end
 
-        it "collect errors when collect_errors=true" do          
+        it "collect errors when collect_errors=true" do
           settings.idp_entity_id = 'http://invalid.issuer.example.com/'
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
           collect_errors = true
@@ -184,7 +185,7 @@ class RubySamlTest < Minitest::Test
           opts = { :matches_request_id => expected_request_id}
 
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(valid_logout_response_document, settings, opts)
-          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }          
+          assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
           assert_includes logoutresponse.errors, "The InResponseTo of the Logout Response: #{logoutresponse.in_response_to}, does not match the ID of the Logout Request sent by the SP: #{expected_request_id}"
         end
 
@@ -202,11 +203,12 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
         end
 
-        it "raise validation error when in lack of issuer setting" do
+        it "raise validation error when in lack of sp_entity_id setting" do
           settings.issuer = nil
+          settings.sp_entity_id = nil
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+          assert_includes logoutresponse.errors, "No sp_entity_id in settings of the logout response"
         end
 
         it "raise validation error when logout response with wrong issuer" do
@@ -392,6 +394,21 @@ class RubySamlTest < Minitest::Test
           assert logoutresponse_sign_test.send(:validate_signature)
         end
 
+        it "return false when cert expired and check_idp_cert_expiration expired" do
+          params['RelayState'] = params[:RelayState]
+          options = {}
+          options[:get_params] = params
+          settings.security[:check_idp_cert_expiration] = true
+          settings.idp_cert = nil
+          settings.idp_cert_multi = {
+            :signing => [ruby_saml_cert_text],
+            :encryption => []
+          }
+          logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert !logoutresponse_sign_test.send(:validate_signature)
+          assert_includes logoutresponse_sign_test.errors, "IdP x509 certificate expired"
+        end
+
         it "return false when none cert on idp_cert_multi is valid" do
           params['RelayState'] = params[:RelayState]
           options = {}
@@ -402,6 +419,7 @@ class RubySamlTest < Minitest::Test
           }
           logoutresponse_sign_test = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
           assert !logoutresponse_sign_test.send(:validate_signature)
+          assert_includes logoutresponse_sign_test.errors, "Invalid Signature on Logout Response"
         end
       end
     end

data/test/metadata_test.rb

@@ -12,7 +12,7 @@ class MetadataTest < Minitest::Test
     let(:acs)               { REXML::XPath.first(xml_doc, "//md:AssertionConsumerService") }
 
     before do
-      settings.issuer = "https://example.com"
+      settings.sp_entity_id = "https://example.com"
       settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
       settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
     end

data/test/response_test.rb

@@ -259,10 +259,10 @@ class RubySamlTest < Minitest::Test
 
         it "raise when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_valid_signed.settings = settings
           response_valid_signed.soft = false
-          error_msg = generate_audience_error(response_valid_signed.settings.issuer, ['https://someone.example.com/audience'])
+          error_msg = generate_audience_error(response_valid_signed.settings.sp_entity_id, ['https://someone.example.com/audience'])
           assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
             response_valid_signed.is_valid?
           end
@@ -415,11 +415,11 @@ class RubySamlTest < Minitest::Test
 
         it "return false when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_valid_signed.settings = settings
           response_valid_signed.is_valid?
 
-          assert_includes response_valid_signed.errors, generate_audience_error(response_valid_signed.settings.issuer, ['https://someone.example.com/audience'])
+          assert_includes response_valid_signed.errors, generate_audience_error(response_valid_signed.settings.sp_entity_id, ['https://someone.example.com/audience'])
         end
 
         it "return false when no ID present in the SAML Response" do
@@ -451,7 +451,7 @@ class RubySamlTest < Minitest::Test
 
         it "collect errors when collect_errors=true" do
           settings.idp_cert = ruby_saml_cert_text
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_invalid_subjectconfirmation_recipient.settings = settings
           collect_errors = true
           response_invalid_subjectconfirmation_recipient.is_valid?(collect_errors)
@@ -464,23 +464,23 @@ class RubySamlTest < Minitest::Test
     describe "#validate_audience" do
       it "return true when the audience is valid" do
         response.settings = settings
-        response.settings.issuer = '{audience}'
+        response.settings.sp_entity_id = '{audience}'
         assert response.send(:validate_audience)
         assert_empty response.errors
       end
 
       it "return true when the audience is self closing" do
         response_audience_self_closed.settings = settings
-        response_audience_self_closed.settings.issuer = '{audience}'
+        response_audience_self_closed.settings.sp_entity_id = '{audience}'
         assert response_audience_self_closed.send(:validate_audience)
         assert_empty response_audience_self_closed.errors
       end
 
       it "return false when the audience is valid" do
         response.settings = settings
-        response.settings.issuer = 'invalid_audience'
+        response.settings.sp_entity_id = 'invalid_audience'
         assert !response.send(:validate_audience)
-        assert_includes response.errors, generate_audience_error(response.settings.issuer, ['{audience}'])
+        assert_includes response.errors, generate_audience_error(response.settings.sp_entity_id, ['{audience}'])
       end
     end
 
@@ -665,23 +665,23 @@ class RubySamlTest < Minitest::Test
     describe "#validate_audience" do
       it "return true when the audience is valid" do
         response_valid_signed.settings = settings
-        response_valid_signed.settings.issuer = "https://someone.example.com/audience"
+        response_valid_signed.settings.sp_entity_id = "https://someone.example.com/audience"
         assert response_valid_signed.send(:validate_audience)
         assert_empty response_valid_signed.errors
       end
 
-      it "return true when there is not issuer defined" do
+      it "return true when there is not sp_entity_id defined" do
         response_valid_signed.settings = settings
-        response_valid_signed.settings.issuer = nil
+        response_valid_signed.settings.sp_entity_id = nil
         assert response_valid_signed.send(:validate_audience)
         assert_empty response_valid_signed.errors
       end
 
       it "return false when there is no valid audience" do
         response_invalid_audience.settings = settings
-        response_invalid_audience.settings.issuer = "https://invalid.example.com/audience"
+        response_invalid_audience.settings.sp_entity_id = "https://invalid.example.com/audience"
         assert !response_invalid_audience.send(:validate_audience)
-        assert_includes response_invalid_audience.errors, generate_audience_error(response_invalid_audience.settings.issuer, ['http://invalid.audience.com'])
+        assert_includes response_invalid_audience.errors, generate_audience_error(response_invalid_audience.settings.sp_entity_id, ['http://invalid.audience.com'])
       end
     end
 
@@ -880,6 +880,15 @@ class RubySamlTest < Minitest::Test
         assert_includes response_valid_signed_without_x509certificate.errors, "Invalid Signature on SAML Response"
       end
 
+      it "return false when cert expired and check_idp_cert_expiration enabled" do
+        settings.idp_cert_fingerprint = nil
+        settings.idp_cert = ruby_saml_cert_text
+        settings.security[:check_idp_cert_expiration] = true
+        response_valid_signed.settings = settings
+        assert !response_valid_signed.send(:validate_signature)
+        assert_includes response_valid_signed.errors, "IdP x509 certificate expired"
+      end
+
       it "return false when no X509Certificate and the cert provided at settings mismatches" do
         settings.idp_cert_fingerprint = nil
         settings.idp_cert = signature_1
@@ -953,7 +962,7 @@ class RubySamlTest < Minitest::Test
       end
 
       it "return false when wrong_spnamequalifier" do
-        settings.issuer = 'sp_entity_id'
+        settings.sp_entity_id = 'sp_entity_id'
         response_wrong_spnamequalifier.settings = settings
         assert !response_wrong_spnamequalifier.send(:validate_name_id)
         assert_includes response_wrong_spnamequalifier.errors, "The SPNameQualifier value mistmatch the SP entityID value."
@@ -966,7 +975,7 @@ class RubySamlTest < Minitest::Test
       end
 
       it "return true when nameid is valid and response_wrong_spnamequalifier matches the SP issuer" do
-        settings.issuer = 'wrong-sp-entityid'
+        settings.sp_entity_id = 'wrong-sp-entityid'
         response_wrong_spnamequalifier.settings = settings
         assert response_wrong_spnamequalifier.send(:validate_name_id)
       end
@@ -1398,7 +1407,7 @@ class RubySamlTest < Minitest::Test
 
       before do
         settings.idp_cert_fingerprint = 'EE:17:4E:FB:A8:81:71:12:0D:2A:78:43:BC:E7:0C:07:58:79:F4:F4'
-        settings.issuer = 'http://rubysaml.com:3000/saml/metadata'
+        settings.sp_entity_id = 'http://rubysaml.com:3000/saml/metadata'
         settings.assertion_consumer_service_url = 'http://rubysaml.com:3000/saml/acs'
         settings.certificate = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text

data/test/settings_test.rb

@@ -1,6 +1,7 @@
 require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/validation_error'
 
 class SettingsTest < Minitest::Test
 
@@ -243,6 +244,13 @@ class SettingsTest < Minitest::Test
         }
       end
 
+      it "raises an error if SP certificate expired and check_sp_cert_expiration enabled" do
+        @settings.certificate = ruby_saml_cert_text
+        @settings.security[:check_sp_cert_expiration] = true
+        assert_raises(OneLogin::RubySaml::ValidationError) {
+          settings.get_sp_cert
+        }
+      end
     end
 
     describe "#get_sp_cert_new" do

data/test/slo_logoutrequest_test.rb

@@ -429,6 +429,23 @@ class RubySamlTest < Minitest::Test
         assert logout_request_sign_test.send(:validate_signature)
       end
 
+      it "return false when cert expired and check_idp_cert_expiration expired" do
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
+        params['RelayState'] = params[:RelayState]
+        options = {}
+        options[:get_params] = params
+        settings.security[:check_idp_cert_expiration] = true
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        settings.idp_cert = nil
+        settings.idp_cert_multi = {
+          :signing => [ruby_saml_cert_text],
+          :encryption => []
+        }
+        logout_request_sign_test.settings = settings
+        assert !logout_request_sign_test.send(:validate_signature)
+        assert_includes logout_request_sign_test.errors, "IdP x509 certificate expired"
+      end
+
       it "return false when none cert on idp_cert_multi is valid" do
         params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
         params['RelayState'] = params[:RelayState]
@@ -442,6 +459,8 @@ class RubySamlTest < Minitest::Test
         }
         logout_request_sign_test.settings = settings
         assert !logout_request_sign_test.send(:validate_signature)
+        assert_includes logout_request_sign_test.errors, "Invalid Signature on Logout Request"
+
       end
     end
   end

data/test/test_helper.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'coveralls'
 
+SimpleCov.formatter = Coveralls::SimpleCov::Formatter
 SimpleCov.start do
   add_filter "test/"
   add_filter "vendor/"

data/test/xml_security_test.rb

@@ -239,7 +239,7 @@ class XmlSecurityTest < Minitest::Test
         settings.idp_sso_target_url = "https://idp.example.com/sso"
         settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         settings.idp_slo_target_url = "https://idp.example.com/slo",
-        settings.issuer = "https://sp.example.com/saml2"
+        settings.sp_entity_id = "https://sp.example.com/saml2"
         settings.assertion_consumer_service_url = "https://sp.example.com/acs"
         settings.single_logout_service_url = "https://sp.example.com/sls"
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.10.2
+  version: 1.11.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-29 00:00:00.000000000 Z
+date: 2019-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.10
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -344,8 +358,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.4.8
+rubyforge_project: 
+rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit