ruby-saml 1.11.0 → 1.13.0

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.11.0'
+    VERSION = '1.13.0'
   end
 end

data/lib/xml_security.rb

@@ -159,15 +159,13 @@ module XMLSecurity
       x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
       # add the signature
-      issuer_element = self.elements["//saml:Issuer"]
+      issuer_element = elements["//saml:Issuer"]
       if issuer_element
-        self.root.insert_after issuer_element, signature_element
+        root.insert_after(issuer_element, signature_element)
+      elsif first_child = root.children[0]
+        root.insert_before(first_child, signature_element)
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        root.add_element(signature_element)
       end
     end
 
@@ -212,7 +210,7 @@ module XMLSecurity
         begin
           cert = OpenSSL::X509::Certificate.new(cert_text)
         rescue OpenSSL::X509::CertificateError => _e
-          return append_error("Certificate Error", soft)
+          return append_error("Document Certificate Error", soft)
         end
 
         if options[:fingerprint_alg]
@@ -224,7 +222,6 @@ module XMLSecurity
 
         # check cert matches registered idp cert
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-          @errors << "Fingerprint mismatch"
           return append_error("Fingerprint mismatch", soft)
         end
       else
@@ -241,7 +238,7 @@ module XMLSecurity
       validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,
@@ -255,12 +252,12 @@ module XMLSecurity
         begin
           cert = OpenSSL::X509::Certificate.new(cert_text)
         rescue OpenSSL::X509::CertificateError => _e
-          return append_error("Certificate Error", soft)
+          return append_error("Document Certificate Error", soft)
         end
 
         # check saml response cert matches provided idp cert
         if idp_cert.to_pem != cert.to_pem
-          return false
+          return append_error("Certificate of the Signature element does not match provided certificate", soft)
         end
       else
         base64_cert = Base64.encode64(idp_cert.to_pem)
@@ -326,6 +323,9 @@ module XMLSecurity
         '//ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
+
+      canon_algorithm = process_transforms(ref, canon_algorithm)
+
       canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
       digest_algorithm = algorithm(REXML::XPath.first(
@@ -342,7 +342,6 @@ module XMLSecurity
       digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
 
       unless digests_match?(hash, digest_value)
-        @errors << "Digest mismatch"
         return append_error("Digest mismatch", soft)
       end
 
@@ -360,6 +359,33 @@ module XMLSecurity
 
     private
 
+    def process_transforms(ref, canon_algorithm)
+      transforms = REXML::XPath.match(
+        ref,
+        "//ds:Transforms/ds:Transform",
+        { "ds" => DSIG }
+      )
+
+      transforms.each do |transform_element|
+        if transform_element.attributes && transform_element.attributes["Algorithm"]
+          algorithm = transform_element.attributes["Algorithm"]
+          case algorithm
+            when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+                 "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_1_0
+            when "http://www.w3.org/2006/12/xml-c14n11",
+                 "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_1_1
+            when "http://www.w3.org/2001/10/xml-exc-c14n#",
+                 "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
+              canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+          end
+        end
+      end
+
+      canon_algorithm
+    end
+
     def digests_match?(hash, digest_value)
       hash == digest_value
     end

data/ruby-saml.gemspec

@@ -15,14 +15,13 @@ Gem::Specification.new do |s|
     "LICENSE",
     "README.md"
   ]
-  s.files = `git ls-files`.split("\n")
-  s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  s.homepage = %q{https://github.com/onelogin/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.required_ruby_version = '>= 1.8.7'
   s.summary = %q{SAML Ruby Tookit}
-  s.test_files = `git ls-files test/*`.split("\n")
 
   # Because runtime dependencies are determined at build time, we cannot make
   # Nokogiri's version dependent on the Ruby version, even though we would
@@ -31,6 +30,7 @@ Gem::Specification.new do |s|
     if JRUBY_VERSION < '9.2.0.0'
       s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
       s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
+      s.add_runtime_dependency('json', '< 2.3.0')
     else
       s.add_runtime_dependency('nokogiri', '>= 1.8.2')
     end
@@ -39,8 +39,12 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '<= 1.5.11')
   elsif RUBY_VERSION < '2.1'
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
+    s.add_runtime_dependency('json', '< 2.3.0')
+  elsif RUBY_VERSION < '2.3'
+    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
   else
-    s.add_runtime_dependency('nokogiri', '>= 1.5.10')
+    s.add_runtime_dependency('nokogiri', '>= 1.10.5')
+    s.add_runtime_dependency('rexml')
   end
 
   s.add_development_dependency('coveralls')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.11.0
+  version: 1.13.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2021-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -16,14 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.10
+        version: 1.10.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.5.10
+        version: 1.10.5
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -159,13 +173,14 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
-- changelog.md
+- UPGRADING.md
 - gemfiles/nokogiri-1.5.gemfile
 - lib/onelogin/ruby-saml.rb
 - lib/onelogin/ruby-saml/attribute_service.rb
@@ -180,6 +195,7 @@ files:
 - lib/onelogin/ruby-saml/metadata.rb
 - lib/onelogin/ruby-saml/response.rb
 - lib/onelogin/ruby-saml/saml_message.rb
+- lib/onelogin/ruby-saml/setting_error.rb
 - lib/onelogin/ruby-saml/settings.rb
 - lib/onelogin/ruby-saml/slo_logoutrequest.rb
 - lib/onelogin/ruby-saml/slo_logoutresponse.rb
@@ -201,144 +217,7 @@ files:
 - lib/schemas/xmldsig-core-schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
-- test/certificates/certificate.der
-- test/certificates/certificate1
-- test/certificates/certificate_without_head_foot
-- test/certificates/formatted_certificate
-- test/certificates/formatted_chained_certificate
-- test/certificates/formatted_private_key
-- test/certificates/formatted_rsa_private_key
-- test/certificates/invalid_certificate1
-- test/certificates/invalid_certificate2
-- test/certificates/invalid_certificate3
-- test/certificates/invalid_chained_certificate1
-- test/certificates/invalid_private_key1
-- test/certificates/invalid_private_key2
-- test/certificates/invalid_private_key3
-- test/certificates/invalid_rsa_private_key1
-- test/certificates/invalid_rsa_private_key2
-- test/certificates/invalid_rsa_private_key3
-- test/certificates/ruby-saml-2.crt
-- test/certificates/ruby-saml.crt
-- test/certificates/ruby-saml.key
-- test/idp_metadata_parser_test.rb
-- test/logging_test.rb
-- test/logout_requests/invalid_slo_request.xml
-- test/logout_requests/slo_request.xml
-- test/logout_requests/slo_request.xml.base64
-- test/logout_requests/slo_request_deflated.xml.base64
-- test/logout_requests/slo_request_with_name_id_format.xml
-- test/logout_requests/slo_request_with_session_index.xml
-- test/logout_responses/logoutresponse_fixtures.rb
-- test/logoutrequest_test.rb
-- test/logoutresponse_test.rb
-- test/metadata/idp_descriptor.xml
-- test/metadata/idp_descriptor_2.xml
-- test/metadata/idp_descriptor_3.xml
-- test/metadata/idp_descriptor_4.xml
-- test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml
-- test/metadata/idp_metadata_multi_certs.xml
-- test/metadata/idp_metadata_multi_signing_certs.xml
-- test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml
-- test/metadata/idp_multiple_descriptors.xml
-- test/metadata/idp_multiple_descriptors_2.xml
-- test/metadata/no_idp_descriptor.xml
-- test/metadata_test.rb
-- test/request_test.rb
-- test/response_test.rb
-- test/responses/adfs_response_sha1.xml
-- test/responses/adfs_response_sha256.xml
-- test/responses/adfs_response_sha384.xml
-- test/responses/adfs_response_sha512.xml
-- test/responses/adfs_response_xmlns.xml
-- test/responses/attackxee.xml
-- test/responses/invalids/duplicated_attributes.xml.base64
-- test/responses/invalids/empty_destination.xml.base64
-- test/responses/invalids/empty_nameid.xml.base64
-- test/responses/invalids/encrypted_new_attack.xml.base64
-- test/responses/invalids/invalid_audience.xml.base64
-- test/responses/invalids/invalid_issuer_assertion.xml.base64
-- test/responses/invalids/invalid_issuer_message.xml.base64
-- test/responses/invalids/invalid_signature_position.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64
-- test/responses/invalids/multiple_assertions.xml.base64
-- test/responses/invalids/multiple_signed.xml.base64
-- test/responses/invalids/no_authnstatement.xml.base64
-- test/responses/invalids/no_conditions.xml.base64
-- test/responses/invalids/no_id.xml.base64
-- test/responses/invalids/no_issuer_assertion.xml.base64
-- test/responses/invalids/no_issuer_response.xml.base64
-- test/responses/invalids/no_nameid.xml.base64
-- test/responses/invalids/no_saml2.xml.base64
-- test/responses/invalids/no_signature.xml.base64
-- test/responses/invalids/no_status.xml.base64
-- test/responses/invalids/no_status_code.xml.base64
-- test/responses/invalids/no_subjectconfirmation_data.xml.base64
-- test/responses/invalids/no_subjectconfirmation_method.xml.base64
-- test/responses/invalids/response_invalid_signed_element.xml.base64
-- test/responses/invalids/response_with_concealed_signed_assertion.xml
-- test/responses/invalids/response_with_doubled_signed_assertion.xml
-- test/responses/invalids/signature_wrapping_attack.xml.base64
-- test/responses/invalids/status_code_responder.xml.base64
-- test/responses/invalids/status_code_responer_and_msg.xml.base64
-- test/responses/invalids/wrong_spnamequalifier.xml.base64
-- test/responses/no_signature_ns.xml
-- test/responses/open_saml_response.xml
-- test/responses/response_assertion_wrapped.xml.base64
-- test/responses/response_audience_self_closed_tag.xml.base64
-- test/responses/response_double_status_code.xml.base64
-- test/responses/response_encrypted_attrs.xml.base64
-- test/responses/response_encrypted_nameid.xml.base64
-- test/responses/response_eval.xml
-- test/responses/response_no_cert_and_encrypted_attrs.xml
-- test/responses/response_node_text_attack.xml.base64
-- test/responses/response_node_text_attack2.xml.base64
-- test/responses/response_node_text_attack3.xml.base64
-- test/responses/response_unsigned_xml_base64
-- test/responses/response_with_ampersands.xml
-- test/responses/response_with_ampersands.xml.base64
-- test/responses/response_with_ds_namespace_at_the_root.xml.base64
-- test/responses/response_with_multiple_attribute_statements.xml
-- test/responses/response_with_multiple_attribute_values.xml
-- test/responses/response_with_retrieval_method.xml
-- test/responses/response_with_saml2_namespace.xml.base64
-- test/responses/response_with_signed_assertion.xml.base64
-- test/responses/response_with_signed_assertion_2.xml.base64
-- test/responses/response_with_signed_assertion_3.xml
-- test/responses/response_with_signed_message_and_assertion.xml
-- test/responses/response_with_undefined_recipient.xml.base64
-- test/responses/response_without_attributes.xml.base64
-- test/responses/response_without_reference_uri.xml.base64
-- test/responses/response_wrapped.xml.base64
-- test/responses/signed_message_encrypted_signed_assertion.xml.base64
-- test/responses/signed_message_encrypted_unsigned_assertion.xml.base64
-- test/responses/signed_nameid_in_atts.xml
-- test/responses/signed_unqual_nameid_in_atts.xml
-- test/responses/simple_saml_php.xml
-- test/responses/starfield_response.xml.base64
-- test/responses/test_sign.xml
-- test/responses/unsigned_encrypted_adfs.xml
-- test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64
-- test/responses/unsigned_message_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64
-- test/responses/valid_response.xml.base64
-- test/responses/valid_response_with_formatted_x509certificate.xml.base64
-- test/responses/valid_response_without_x509certificate.xml.base64
-- test/saml_message_test.rb
-- test/settings_test.rb
-- test/slo_logoutrequest_test.rb
-- test/slo_logoutresponse_test.rb
-- test/test_helper.rb
-- test/utils_test.rb
-- test/xml_security_test.rb
-homepage: http://github.com/onelogin/ruby-saml
+homepage: https://github.com/onelogin/ruby-saml
 licenses:
 - MIT
 metadata: {}
@@ -363,141 +242,4 @@ rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
-test_files:
-- test/certificates/certificate.der
-- test/certificates/certificate1
-- test/certificates/certificate_without_head_foot
-- test/certificates/formatted_certificate
-- test/certificates/formatted_chained_certificate
-- test/certificates/formatted_private_key
-- test/certificates/formatted_rsa_private_key
-- test/certificates/invalid_certificate1
-- test/certificates/invalid_certificate2
-- test/certificates/invalid_certificate3
-- test/certificates/invalid_chained_certificate1
-- test/certificates/invalid_private_key1
-- test/certificates/invalid_private_key2
-- test/certificates/invalid_private_key3
-- test/certificates/invalid_rsa_private_key1
-- test/certificates/invalid_rsa_private_key2
-- test/certificates/invalid_rsa_private_key3
-- test/certificates/ruby-saml-2.crt
-- test/certificates/ruby-saml.crt
-- test/certificates/ruby-saml.key
-- test/idp_metadata_parser_test.rb
-- test/logging_test.rb
-- test/logout_requests/invalid_slo_request.xml
-- test/logout_requests/slo_request.xml
-- test/logout_requests/slo_request.xml.base64
-- test/logout_requests/slo_request_deflated.xml.base64
-- test/logout_requests/slo_request_with_name_id_format.xml
-- test/logout_requests/slo_request_with_session_index.xml
-- test/logout_responses/logoutresponse_fixtures.rb
-- test/logoutrequest_test.rb
-- test/logoutresponse_test.rb
-- test/metadata/idp_descriptor.xml
-- test/metadata/idp_descriptor_2.xml
-- test/metadata/idp_descriptor_3.xml
-- test/metadata/idp_descriptor_4.xml
-- test/metadata/idp_metadata_different_sign_and_encrypt_cert.xml
-- test/metadata/idp_metadata_multi_certs.xml
-- test/metadata/idp_metadata_multi_signing_certs.xml
-- test/metadata/idp_metadata_same_sign_and_encrypt_cert.xml
-- test/metadata/idp_multiple_descriptors.xml
-- test/metadata/idp_multiple_descriptors_2.xml
-- test/metadata/no_idp_descriptor.xml
-- test/metadata_test.rb
-- test/request_test.rb
-- test/response_test.rb
-- test/responses/adfs_response_sha1.xml
-- test/responses/adfs_response_sha256.xml
-- test/responses/adfs_response_sha384.xml
-- test/responses/adfs_response_sha512.xml
-- test/responses/adfs_response_xmlns.xml
-- test/responses/attackxee.xml
-- test/responses/invalids/duplicated_attributes.xml.base64
-- test/responses/invalids/empty_destination.xml.base64
-- test/responses/invalids/empty_nameid.xml.base64
-- test/responses/invalids/encrypted_new_attack.xml.base64
-- test/responses/invalids/invalid_audience.xml.base64
-- test/responses/invalids/invalid_issuer_assertion.xml.base64
-- test/responses/invalids/invalid_issuer_message.xml.base64
-- test/responses/invalids/invalid_signature_position.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_inresponse.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_nb.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_noa.xml.base64
-- test/responses/invalids/invalid_subjectconfirmation_recipient.xml.base64
-- test/responses/invalids/multiple_assertions.xml.base64
-- test/responses/invalids/multiple_signed.xml.base64
-- test/responses/invalids/no_authnstatement.xml.base64
-- test/responses/invalids/no_conditions.xml.base64
-- test/responses/invalids/no_id.xml.base64
-- test/responses/invalids/no_issuer_assertion.xml.base64
-- test/responses/invalids/no_issuer_response.xml.base64
-- test/responses/invalids/no_nameid.xml.base64
-- test/responses/invalids/no_saml2.xml.base64
-- test/responses/invalids/no_signature.xml.base64
-- test/responses/invalids/no_status.xml.base64
-- test/responses/invalids/no_status_code.xml.base64
-- test/responses/invalids/no_subjectconfirmation_data.xml.base64
-- test/responses/invalids/no_subjectconfirmation_method.xml.base64
-- test/responses/invalids/response_invalid_signed_element.xml.base64
-- test/responses/invalids/response_with_concealed_signed_assertion.xml
-- test/responses/invalids/response_with_doubled_signed_assertion.xml
-- test/responses/invalids/signature_wrapping_attack.xml.base64
-- test/responses/invalids/status_code_responder.xml.base64
-- test/responses/invalids/status_code_responer_and_msg.xml.base64
-- test/responses/invalids/wrong_spnamequalifier.xml.base64
-- test/responses/no_signature_ns.xml
-- test/responses/open_saml_response.xml
-- test/responses/response_assertion_wrapped.xml.base64
-- test/responses/response_audience_self_closed_tag.xml.base64
-- test/responses/response_double_status_code.xml.base64
-- test/responses/response_encrypted_attrs.xml.base64
-- test/responses/response_encrypted_nameid.xml.base64
-- test/responses/response_eval.xml
-- test/responses/response_no_cert_and_encrypted_attrs.xml
-- test/responses/response_node_text_attack.xml.base64
-- test/responses/response_node_text_attack2.xml.base64
-- test/responses/response_node_text_attack3.xml.base64
-- test/responses/response_unsigned_xml_base64
-- test/responses/response_with_ampersands.xml
-- test/responses/response_with_ampersands.xml.base64
-- test/responses/response_with_ds_namespace_at_the_root.xml.base64
-- test/responses/response_with_multiple_attribute_statements.xml
-- test/responses/response_with_multiple_attribute_values.xml
-- test/responses/response_with_retrieval_method.xml
-- test/responses/response_with_saml2_namespace.xml.base64
-- test/responses/response_with_signed_assertion.xml.base64
-- test/responses/response_with_signed_assertion_2.xml.base64
-- test/responses/response_with_signed_assertion_3.xml
-- test/responses/response_with_signed_message_and_assertion.xml
-- test/responses/response_with_undefined_recipient.xml.base64
-- test/responses/response_without_attributes.xml.base64
-- test/responses/response_without_reference_uri.xml.base64
-- test/responses/response_wrapped.xml.base64
-- test/responses/signed_message_encrypted_signed_assertion.xml.base64
-- test/responses/signed_message_encrypted_unsigned_assertion.xml.base64
-- test/responses/signed_nameid_in_atts.xml
-- test/responses/signed_unqual_nameid_in_atts.xml
-- test/responses/simple_saml_php.xml
-- test/responses/starfield_response.xml.base64
-- test/responses/test_sign.xml
-- test/responses/unsigned_encrypted_adfs.xml
-- test/responses/unsigned_message_aes128_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_aes192_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_aes256_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_des192_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_encrypted_assertion_without_saml_namespace.xml.base64
-- test/responses/unsigned_message_encrypted_signed_assertion.xml.base64
-- test/responses/unsigned_message_encrypted_unsigned_assertion.xml.base64
-- test/responses/valid_response.xml.base64
-- test/responses/valid_response_with_formatted_x509certificate.xml.base64
-- test/responses/valid_response_without_x509certificate.xml.base64
-- test/saml_message_test.rb
-- test/settings_test.rb
-- test/slo_logoutrequest_test.rb
-- test/slo_logoutresponse_test.rb
-- test/test_helper.rb
-- test/utils_test.rb
-- test/xml_security_test.rb
+test_files: []