ruby-saml 1.12.0 → 1.14.0



@@ -13,9 +13,26 @@ module OneLogin
13
13
  class Utils
14
14
  @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
15
15
 
16
- DSIG = "http://www.w3.org/2000/09/xmldsig#"
17
- XENC = "http://www.w3.org/2001/04/xmlenc#"
18
- DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
16
+ BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
17
+ :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
18
+ DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
19
+ XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
20
+ DURATION_FORMAT = %r(^
21
+ (-?)P # 1: Duration sign
22
+ (?:
23
+ (?:(\d+)Y)? # 2: Years
24
+ (?:(\d+)M)? # 3: Months
25
+ (?:(\d+)D)? # 4: Days
26
+ (?:T
27
+ (?:(\d+)H)? # 5: Hours
28
+ (?:(\d+)M)? # 6: Minutes
29
+ (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
30
+ )?
31
+ |
32
+ (\d+)W # 8: Weeks
33
+ )
34
+ $)x.freeze
35
+ UUID_PREFIX = '_'
19
36
 
20
37
  # Checks if the x509 cert provided is expired
21
38
  #
@@ -37,31 +54,20 @@ module OneLogin
37
54
  # current time.
38
55
  #
39
56
  # @return [Integer] The new timestamp, after the duration is applied.
40
- #
57
+ #
41
58
  def self.parse_duration(duration, timestamp=Time.now.utc)
59
+ return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
60
+
42
61
  matches = duration.match(DURATION_FORMAT)
43
-
62
+
44
63
  if matches.nil?
45
64
  raise Exception.new("Invalid ISO 8601 duration")
46
65
  end
47
66
 
48
- durYears = matches[2].to_i
49
- durMonths = matches[3].to_i
50
- durDays = matches[4].to_i
51
- durHours = matches[5].to_i
52
- durMinutes = matches[6].to_i
53
- durSeconds = matches[7].to_f
54
- durWeeks = matches[8].to_i
55
-
56
- if matches[1] == "-"
57
- durYears = -durYears
58
- durMonths = -durMonths
59
- durDays = -durDays
60
- durHours = -durHours
61
- durMinutes = -durMinutes
62
- durSeconds = -durSeconds
63
- durWeeks = -durWeeks
64
- end
67
+ sign = matches[1] == '-' ? -1 : 1
68
+
69
+ durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
70
+ matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
65
71
 
66
72
  initial_datetime = Time.at(timestamp).utc.to_datetime
67
73
  final_datetime = initial_datetime.next_year(durYears)
@@ -161,27 +167,36 @@ module OneLogin
161
167
  #
162
168
  # @param rawparams [Hash] Raw GET Parameters
163
169
  # @param params [Hash] GET Parameters
170
+ # @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity)
164
171
  # @return [Hash] New raw parameters
165
172
  #
166
- def self.prepare_raw_get_params(rawparams, params)
173
+ def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
167
174
  rawparams ||= {}
168
175
 
169
176
  if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
170
- rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
177
+ rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
171
178
  end
172
179
  if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
173
- rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
180
+ rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
174
181
  end
175
182
  if rawparams['RelayState'].nil? && !params['RelayState'].nil?
176
- rawparams['RelayState'] = CGI.escape(params['RelayState'])
183
+ rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
177
184
  end
178
185
  if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
179
- rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
186
+ rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
180
187
  end
181
188
 
182
189
  rawparams
183
190
  end
184
191
 
192
+ def self.escape_request_param(param, lowercase_url_encoding)
193
+ CGI.escape(param).tap do |escaped|
194
+ next unless lowercase_url_encoding
195
+
196
+ escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
197
+ end
198
+ end
199
+
185
200
  # Validate the Signature parameter sent on the HTTP-Redirect binding
186
201
  # @param params [Hash] Parameters to be used in the validation process
187
202
  # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
@@ -296,9 +311,9 @@ module OneLogin
296
311
  when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
297
312
  when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
298
313
  when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
299
- when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
300
- when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
301
- when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
314
+ when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
315
+ when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
316
+ when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
302
317
  when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
303
318
  when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
304
319
  end
@@ -328,8 +343,12 @@ module OneLogin
328
343
  end
329
344
  end
330
345
 
346
+ def self.set_prefix(value)
347
+ UUID_PREFIX.replace value
348
+ end
349
+
331
350
  def self.uuid
332
- RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
351
+ "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
333
352
  end
334
353
 
335
354
  # Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed,
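Review bot: `set_prefix` in the last hunk changes the prefix by mutating the constant in place (`UUID_PREFIX.replace value`), which turns `UUID_PREFIX` into process-global mutable state — every later `uuid` call in the process, from any thread, picks up whatever the last caller set — and it only works because `UUID_PREFIX` is left unfrozen while `DSIG`/`XENC` get `.freeze` in the first hunk (the call would raise FrozenError if the file ever adopts `# frozen_string_literal: true`). Holding the value in a class instance variable avoids that: `def self.set_prefix(value) @uuid_prefix = value end` and, in `uuid`, `"#{@uuid_prefix || UUID_PREFIX}" + (...)`. The value is also accepted unchecked; the default `_` presumably exists because a UUID may begin with a digit, which is not a valid first character for an xs:ID such as an assertion or request ID, so a guard like `raise ArgumentError, 'prefix must start with a letter or underscore' unless value.to_s =~ /\A[A-Za-z_]/` would keep generated IDs schema-valid — worth confirming against how the IDs are consumed. In the first hunk the rewritten `DURATION_FORMAT` still anchors with `^`/`$`, which match per line; since it validates the whole `duration` string, `\A`/`\z` avoid accepting input that carries trailing lines. The file header for this section precedes the first line shown, so the path is not visible here.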
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.12.0'
3
+ VERSION = '1.14.0'
4
4
  end
5
5
  end
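--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -159,15 +159,13 @@ module XMLSecurity
   x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
   # add the signature
- issuer_element = self.elements["//saml:Issuer"]
+ issuer_element = elements["//saml:Issuer"]
   if issuer_element
- self.root.insert_after issuer_element, signature_element
+ root.insert_after(issuer_element, signature_element)
+ elsif first_child = root.children[0]
+ root.insert_before(first_child, signature_element)
   else
- if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
- self.root.insert_before sp_sso_descriptor, signature_element
- else
- self.root.add_element(signature_element)
- end
+ root.add_element(signature_element)
   end
   end
 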
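Review bot: The new `elsif first_child = root.children[0]` branch assigns inside the condition; parenthesising it, `elsif (first_child = root.children[0])`, makes the intent explicit and keeps linters from flagging it as a mistyped comparison. If this is a REXML document, as the `elements`/`root`/`insert_before` API suggests, `children` also returns text nodes, so with leading whitespace the signature is inserted before that text rather than before the first element — the Signature still becomes the first child element, which appears to be the goal for signed metadata, but a comment such as `# SAML metadata expects ds:Signature as the first child of the root element` would record why the `/md:EntityDescriptor` special case was dropped. The enclosing method starts before this hunk.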
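--- a/data/ruby-saml.gemspec
+++ b/data/ruby-saml.gemspec
@@ -41,7 +41,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
   s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
- s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+ s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
   else
   s.add_runtime_dependency('nokogiri', '>= 1.10.5')
   s.add_runtime_dependency('rexml')
@@ -54,7 +54,12 @@ Gem::Specification.new do |s|
   s.add_development_dependency('shoulda', '~> 2.11')
   s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu', '~> 2')
- s.add_development_dependency('timecop', '<= 0.6.0')
+
+ if RUBY_VERSION < '2.1'
+ s.add_development_dependency('timecop', '<= 0.6.0')
+ else
+ s.add_development_dependency('timecop', '~> 0.9')
+ end
 
   if defined?(JRUBY_VERSION)
   # All recent versions of JRuby play well with pry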
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.12.0
4
+ version: 1.14.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - OneLogin LLC
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-02-19 00:00:00.000000000 Z
11
+ date: 2022-02-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -140,16 +140,16 @@ dependencies:
140
140
  name: timecop
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
- - - "<="
143
+ - - "~>"
144
144
  - !ruby/object:Gem::Version
145
- version: 0.6.0
145
+ version: '0.9'
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
- - - "<="
150
+ - - "~>"
151
151
  - !ruby/object:Gem::Version
152
- version: 0.6.0
152
+ version: '0.9'
153
153
  - !ruby/object:Gem::Dependency
154
154
  name: pry-byebug
155
155
  requirement: !ruby/object:Gem::Requirement
@@ -173,13 +173,14 @@ extra_rdoc_files:
173
173
  - README.md
174
174
  files:
175
175
  - ".document"
176
+ - ".github/workflows/test.yml"
176
177
  - ".gitignore"
177
- - ".travis.yml"
178
+ - CHANGELOG.md
178
179
  - Gemfile
179
180
  - LICENSE
180
181
  - README.md
181
182
  - Rakefile
182
- - changelog.md
183
+ - UPGRADING.md
183
184
  - gemfiles/nokogiri-1.5.gemfile
184
185
  - lib/onelogin/ruby-saml.rb
185
186
  - lib/onelogin/ruby-saml/attribute_service.rb
@@ -236,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
236
237
  - !ruby/object:Gem::Version
237
238
  version: '0'
238
239
  requirements: []
239
- rubygems_version: 3.0.8
240
+ rubygems_version: 3.0.6
240
241
  signing_key:
241
242
  specification_version: 4
242
243
  summary: SAML Ruby Tookit
data/.travis.yml DELETED
@@ -1,48 +0,0 @@
1
- language: ruby
2
- rvm:
3
- - 1.9.3
4
- - 2.0.0
5
- - 2.1.10
6
- - 2.2.10
7
- - 2.3.8
8
- - 2.4.6
9
- - 2.5.8
10
- - 2.6.6
11
- - 2.7.2
12
- - 3.0.0
13
- - jruby-1.7.27
14
- - jruby-9.1.17.0
15
- - jruby-9.2.13.0
16
- gemfile:
17
- - Gemfile
18
- - gemfiles/nokogiri-1.5.gemfile
19
- before_install:
20
- - gem update bundler
21
- matrix:
22
- exclude:
23
- - rvm: jruby-1.7.27
24
- gemfile: gemfiles/nokogiri-1.5.gemfile
25
- - rvm: jruby-9.1.17.0
26
- gemfile: gemfiles/nokogiri-1.5.gemfile
27
- - rvm: jruby-9.2.13.0
28
- gemfile: gemfiles/nokogiri-1.5.gemfile
29
- - rvm: 2.1.5
30
- gemfile: gemfiles/nokogiri-1.5.gemfile
31
- - rvm: 2.1.10
32
- gemfile: gemfiles/nokogiri-1.5.gemfile
33
- - rvm: 2.2.10
34
- gemfile: gemfiles/nokogiri-1.5.gemfile
35
- - rvm: 2.3.8
36
- gemfile: gemfiles/nokogiri-1.5.gemfile
37
- - rvm: 2.4.6
38
- gemfile: gemfiles/nokogiri-1.5.gemfile
39
- - rvm: 2.5.8
40
- gemfile: gemfiles/nokogiri-1.5.gemfile
41
- - rvm: 2.6.6
42
- gemfile: gemfiles/nokogiri-1.5.gemfile
43
- - rvm: 2.7.2
44
- gemfile: gemfiles/nokogiri-1.5.gemfile
45
- - rvm: 3.0.0
46
- gemfile: gemfiles/nokogiri-1.5.gemfile
47
- env:
48
- - JRUBY_OPTS="--debug"