ruby-saml 1.12.0 → 1.14.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.github/workflows/test.yml +25 -0
- data/{changelog.md → CHANGELOG.md} +26 -1
- data/README.md +321 -224
- data/UPGRADING.md +149 -0
- data/lib/onelogin/ruby-saml/attributes.rb +1 -1
- data/lib/onelogin/ruby-saml/authrequest.rb +3 -4
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +110 -77
- data/lib/onelogin/ruby-saml/logoutrequest.rb +8 -8
- data/lib/onelogin/ruby-saml/logoutresponse.rb +2 -2
- data/lib/onelogin/ruby-saml/metadata.rb +59 -22
- data/lib/onelogin/ruby-saml/response.rb +20 -17
- data/lib/onelogin/ruby-saml/saml_message.rb +6 -7
- data/lib/onelogin/ruby-saml/settings.rb +79 -69
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +13 -30
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +8 -7
- data/lib/onelogin/ruby-saml/utils.rb +50 -31
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +5 -7
- data/ruby-saml.gemspec +7 -2
- metadata +10 -9
- data/.travis.yml +0 -48
@@ -13,9 +13,26 @@ module OneLogin
|
|
13
13
|
class Utils
|
14
14
|
@@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
|
15
15
|
|
16
|
-
|
17
|
-
|
18
|
-
|
16
|
+
BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
|
17
|
+
:redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
|
18
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
|
19
|
+
XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
|
20
|
+
DURATION_FORMAT = %r(^
|
21
|
+
(-?)P # 1: Duration sign
|
22
|
+
(?:
|
23
|
+
(?:(\d+)Y)? # 2: Years
|
24
|
+
(?:(\d+)M)? # 3: Months
|
25
|
+
(?:(\d+)D)? # 4: Days
|
26
|
+
(?:T
|
27
|
+
(?:(\d+)H)? # 5: Hours
|
28
|
+
(?:(\d+)M)? # 6: Minutes
|
29
|
+
(?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
|
30
|
+
)?
|
31
|
+
|
|
32
|
+
(\d+)W # 8: Weeks
|
33
|
+
)
|
34
|
+
$)x.freeze
|
35
|
+
UUID_PREFIX = '_'
|
19
36
|
|
20
37
|
# Checks if the x509 cert provided is expired
|
21
38
|
#
|
@@ -37,31 +54,20 @@ module OneLogin
|
|
37
54
|
# current time.
|
38
55
|
#
|
39
56
|
# @return [Integer] The new timestamp, after the duration is applied.
|
40
|
-
#
|
57
|
+
#
|
41
58
|
def self.parse_duration(duration, timestamp=Time.now.utc)
|
59
|
+
return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
|
60
|
+
|
42
61
|
matches = duration.match(DURATION_FORMAT)
|
43
|
-
|
62
|
+
|
44
63
|
if matches.nil?
|
45
64
|
raise Exception.new("Invalid ISO 8601 duration")
|
46
65
|
end
|
47
66
|
|
48
|
-
|
49
|
-
|
50
|
-
durDays =
|
51
|
-
|
52
|
-
durMinutes = matches[6].to_i
|
53
|
-
durSeconds = matches[7].to_f
|
54
|
-
durWeeks = matches[8].to_i
|
55
|
-
|
56
|
-
if matches[1] == "-"
|
57
|
-
durYears = -durYears
|
58
|
-
durMonths = -durMonths
|
59
|
-
durDays = -durDays
|
60
|
-
durHours = -durHours
|
61
|
-
durMinutes = -durMinutes
|
62
|
-
durSeconds = -durSeconds
|
63
|
-
durWeeks = -durWeeks
|
64
|
-
end
|
67
|
+
sign = matches[1] == '-' ? -1 : 1
|
68
|
+
|
69
|
+
durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
|
70
|
+
matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
|
65
71
|
|
66
72
|
initial_datetime = Time.at(timestamp).utc.to_datetime
|
67
73
|
final_datetime = initial_datetime.next_year(durYears)
|
@@ -161,27 +167,36 @@ module OneLogin
|
|
161
167
|
#
|
162
168
|
# @param rawparams [Hash] Raw GET Parameters
|
163
169
|
# @param params [Hash] GET Parameters
|
170
|
+
# @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity)
|
164
171
|
# @return [Hash] New raw parameters
|
165
172
|
#
|
166
|
-
def self.prepare_raw_get_params(rawparams, params)
|
173
|
+
def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
|
167
174
|
rawparams ||= {}
|
168
175
|
|
169
176
|
if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
|
170
|
-
rawparams['SAMLRequest'] =
|
177
|
+
rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
|
171
178
|
end
|
172
179
|
if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
|
173
|
-
rawparams['SAMLResponse'] =
|
180
|
+
rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
|
174
181
|
end
|
175
182
|
if rawparams['RelayState'].nil? && !params['RelayState'].nil?
|
176
|
-
rawparams['RelayState'] =
|
183
|
+
rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
|
177
184
|
end
|
178
185
|
if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
|
179
|
-
rawparams['SigAlg'] =
|
186
|
+
rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
|
180
187
|
end
|
181
188
|
|
182
189
|
rawparams
|
183
190
|
end
|
184
191
|
|
192
|
+
def self.escape_request_param(param, lowercase_url_encoding)
|
193
|
+
CGI.escape(param).tap do |escaped|
|
194
|
+
next unless lowercase_url_encoding
|
195
|
+
|
196
|
+
escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
|
197
|
+
end
|
198
|
+
end
|
199
|
+
|
185
200
|
# Validate the Signature parameter sent on the HTTP-Redirect binding
|
186
201
|
# @param params [Hash] Parameters to be used in the validation process
|
187
202
|
# @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
|
@@ -296,9 +311,9 @@ module OneLogin
|
|
296
311
|
when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
|
297
312
|
when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
|
298
313
|
when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
|
299
|
-
when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
300
|
-
when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
301
|
-
when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
314
|
+
when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
|
315
|
+
when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
|
316
|
+
when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
|
302
317
|
when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
|
303
318
|
when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
|
304
319
|
end
|
@@ -328,8 +343,12 @@ module OneLogin
|
|
328
343
|
end
|
329
344
|
end
|
330
345
|
|
346
|
+
def self.set_prefix(value)
|
347
|
+
UUID_PREFIX.replace value
|
348
|
+
end
|
349
|
+
|
331
350
|
def self.uuid
|
332
|
-
RUBY_VERSION < '1.9' ? "
|
351
|
+
"#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
|
333
352
|
end
|
334
353
|
|
335
354
|
# Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed,
|
data/lib/xml_security.rb
CHANGED
@@ -159,15 +159,13 @@ module XMLSecurity
|
|
159
159
|
x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
|
160
160
|
|
161
161
|
# add the signature
|
162
|
-
issuer_element =
|
162
|
+
issuer_element = elements["//saml:Issuer"]
|
163
163
|
if issuer_element
|
164
|
-
|
164
|
+
root.insert_after(issuer_element, signature_element)
|
165
|
+
elsif first_child = root.children[0]
|
166
|
+
root.insert_before(first_child, signature_element)
|
165
167
|
else
|
166
|
-
|
167
|
-
self.root.insert_before sp_sso_descriptor, signature_element
|
168
|
-
else
|
169
|
-
self.root.add_element(signature_element)
|
170
|
-
end
|
168
|
+
root.add_element(signature_element)
|
171
169
|
end
|
172
170
|
end
|
173
171
|
|
data/ruby-saml.gemspec
CHANGED
@@ -41,7 +41,7 @@ Gem::Specification.new do |s|
|
|
41
41
|
s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
|
42
42
|
s.add_runtime_dependency('json', '< 2.3.0')
|
43
43
|
elsif RUBY_VERSION < '2.3'
|
44
|
-
s.add_runtime_dependency('nokogiri', '>= 1.9.1', '
|
44
|
+
s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
|
45
45
|
else
|
46
46
|
s.add_runtime_dependency('nokogiri', '>= 1.10.5')
|
47
47
|
s.add_runtime_dependency('rexml')
|
@@ -54,7 +54,12 @@ Gem::Specification.new do |s|
|
|
54
54
|
s.add_development_dependency('shoulda', '~> 2.11')
|
55
55
|
s.add_development_dependency('simplecov')
|
56
56
|
s.add_development_dependency('systemu', '~> 2')
|
57
|
-
|
57
|
+
|
58
|
+
if RUBY_VERSION < '2.1'
|
59
|
+
s.add_development_dependency('timecop', '<= 0.6.0')
|
60
|
+
else
|
61
|
+
s.add_development_dependency('timecop', '~> 0.9')
|
62
|
+
end
|
58
63
|
|
59
64
|
if defined?(JRUBY_VERSION)
|
60
65
|
# All recent versions of JRuby play well with pry
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ruby-saml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.14.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- OneLogin LLC
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-02-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: nokogiri
|
@@ -140,16 +140,16 @@ dependencies:
|
|
140
140
|
name: timecop
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
142
142
|
requirements:
|
143
|
-
- - "
|
143
|
+
- - "~>"
|
144
144
|
- !ruby/object:Gem::Version
|
145
|
-
version: 0.
|
145
|
+
version: '0.9'
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
|
-
- - "
|
150
|
+
- - "~>"
|
151
151
|
- !ruby/object:Gem::Version
|
152
|
-
version: 0.
|
152
|
+
version: '0.9'
|
153
153
|
- !ruby/object:Gem::Dependency
|
154
154
|
name: pry-byebug
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
@@ -173,13 +173,14 @@ extra_rdoc_files:
|
|
173
173
|
- README.md
|
174
174
|
files:
|
175
175
|
- ".document"
|
176
|
+
- ".github/workflows/test.yml"
|
176
177
|
- ".gitignore"
|
177
|
-
-
|
178
|
+
- CHANGELOG.md
|
178
179
|
- Gemfile
|
179
180
|
- LICENSE
|
180
181
|
- README.md
|
181
182
|
- Rakefile
|
182
|
-
-
|
183
|
+
- UPGRADING.md
|
183
184
|
- gemfiles/nokogiri-1.5.gemfile
|
184
185
|
- lib/onelogin/ruby-saml.rb
|
185
186
|
- lib/onelogin/ruby-saml/attribute_service.rb
|
@@ -236,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
236
237
|
- !ruby/object:Gem::Version
|
237
238
|
version: '0'
|
238
239
|
requirements: []
|
239
|
-
rubygems_version: 3.0.
|
240
|
+
rubygems_version: 3.0.6
|
240
241
|
signing_key:
|
241
242
|
specification_version: 4
|
242
243
|
summary: SAML Ruby Tookit
|
data/.travis.yml
DELETED
@@ -1,48 +0,0 @@
|
|
1
|
-
language: ruby
|
2
|
-
rvm:
|
3
|
-
- 1.9.3
|
4
|
-
- 2.0.0
|
5
|
-
- 2.1.10
|
6
|
-
- 2.2.10
|
7
|
-
- 2.3.8
|
8
|
-
- 2.4.6
|
9
|
-
- 2.5.8
|
10
|
-
- 2.6.6
|
11
|
-
- 2.7.2
|
12
|
-
- 3.0.0
|
13
|
-
- jruby-1.7.27
|
14
|
-
- jruby-9.1.17.0
|
15
|
-
- jruby-9.2.13.0
|
16
|
-
gemfile:
|
17
|
-
- Gemfile
|
18
|
-
- gemfiles/nokogiri-1.5.gemfile
|
19
|
-
before_install:
|
20
|
-
- gem update bundler
|
21
|
-
matrix:
|
22
|
-
exclude:
|
23
|
-
- rvm: jruby-1.7.27
|
24
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
25
|
-
- rvm: jruby-9.1.17.0
|
26
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
27
|
-
- rvm: jruby-9.2.13.0
|
28
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
29
|
-
- rvm: 2.1.5
|
30
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
31
|
-
- rvm: 2.1.10
|
32
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
33
|
-
- rvm: 2.2.10
|
34
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
35
|
-
- rvm: 2.3.8
|
36
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
37
|
-
- rvm: 2.4.6
|
38
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
39
|
-
- rvm: 2.5.8
|
40
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
41
|
-
- rvm: 2.6.6
|
42
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
43
|
-
- rvm: 2.7.2
|
44
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
45
|
-
- rvm: 3.0.0
|
46
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
47
|
-
env:
|
48
|
-
- JRUBY_OPTS="--debug"
|