ruby-saml 1.12.0 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/.github/workflows/test.yml +25 -0
- data/{changelog.md → CHANGELOG.md} +26 -1
- data/README.md +321 -224
- data/UPGRADING.md +149 -0
- data/lib/onelogin/ruby-saml/attributes.rb +1 -1
- data/lib/onelogin/ruby-saml/authrequest.rb +3 -4
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +110 -77
- data/lib/onelogin/ruby-saml/logoutrequest.rb +8 -8
- data/lib/onelogin/ruby-saml/logoutresponse.rb +2 -2
- data/lib/onelogin/ruby-saml/metadata.rb +59 -22
- data/lib/onelogin/ruby-saml/response.rb +20 -17
- data/lib/onelogin/ruby-saml/saml_message.rb +6 -7
- data/lib/onelogin/ruby-saml/settings.rb +79 -69
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +13 -30
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +8 -7
- data/lib/onelogin/ruby-saml/utils.rb +50 -31
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +5 -7
- data/ruby-saml.gemspec +7 -2
- metadata +10 -9
- data/.travis.yml +0 -48
@@ -13,9 +13,26 @@ module OneLogin
|
|
13
13
|
class Utils
|
14
14
|
@@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
|
15
15
|
|
16
|
-
|
17
|
-
|
18
|
-
|
16
|
+
BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
|
17
|
+
:redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
|
18
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
|
19
|
+
XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
|
20
|
+
DURATION_FORMAT = %r(^
|
21
|
+
(-?)P # 1: Duration sign
|
22
|
+
(?:
|
23
|
+
(?:(\d+)Y)? # 2: Years
|
24
|
+
(?:(\d+)M)? # 3: Months
|
25
|
+
(?:(\d+)D)? # 4: Days
|
26
|
+
(?:T
|
27
|
+
(?:(\d+)H)? # 5: Hours
|
28
|
+
(?:(\d+)M)? # 6: Minutes
|
29
|
+
(?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
|
30
|
+
)?
|
31
|
+
|
|
32
|
+
(\d+)W # 8: Weeks
|
33
|
+
)
|
34
|
+
$)x.freeze
|
35
|
+
UUID_PREFIX = '_'
|
19
36
|
|
20
37
|
# Checks if the x509 cert provided is expired
|
21
38
|
#
|
@@ -37,31 +54,20 @@ module OneLogin
|
|
37
54
|
# current time.
|
38
55
|
#
|
39
56
|
# @return [Integer] The new timestamp, after the duration is applied.
|
40
|
-
#
|
57
|
+
#
|
41
58
|
def self.parse_duration(duration, timestamp=Time.now.utc)
|
59
|
+
return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
|
60
|
+
|
42
61
|
matches = duration.match(DURATION_FORMAT)
|
43
|
-
|
62
|
+
|
44
63
|
if matches.nil?
|
45
64
|
raise Exception.new("Invalid ISO 8601 duration")
|
46
65
|
end
|
47
66
|
|
48
|
-
|
49
|
-
|
50
|
-
durDays =
|
51
|
-
|
52
|
-
durMinutes = matches[6].to_i
|
53
|
-
durSeconds = matches[7].to_f
|
54
|
-
durWeeks = matches[8].to_i
|
55
|
-
|
56
|
-
if matches[1] == "-"
|
57
|
-
durYears = -durYears
|
58
|
-
durMonths = -durMonths
|
59
|
-
durDays = -durDays
|
60
|
-
durHours = -durHours
|
61
|
-
durMinutes = -durMinutes
|
62
|
-
durSeconds = -durSeconds
|
63
|
-
durWeeks = -durWeeks
|
64
|
-
end
|
67
|
+
sign = matches[1] == '-' ? -1 : 1
|
68
|
+
|
69
|
+
durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
|
70
|
+
matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
|
65
71
|
|
66
72
|
initial_datetime = Time.at(timestamp).utc.to_datetime
|
67
73
|
final_datetime = initial_datetime.next_year(durYears)
|
@@ -161,27 +167,36 @@ module OneLogin
|
|
161
167
|
#
|
162
168
|
# @param rawparams [Hash] Raw GET Parameters
|
163
169
|
# @param params [Hash] GET Parameters
|
170
|
+
# @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity)
|
164
171
|
# @return [Hash] New raw parameters
|
165
172
|
#
|
166
|
-
def self.prepare_raw_get_params(rawparams, params)
|
173
|
+
def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
|
167
174
|
rawparams ||= {}
|
168
175
|
|
169
176
|
if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
|
170
|
-
rawparams['SAMLRequest'] =
|
177
|
+
rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
|
171
178
|
end
|
172
179
|
if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
|
173
|
-
rawparams['SAMLResponse'] =
|
180
|
+
rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
|
174
181
|
end
|
175
182
|
if rawparams['RelayState'].nil? && !params['RelayState'].nil?
|
176
|
-
rawparams['RelayState'] =
|
183
|
+
rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
|
177
184
|
end
|
178
185
|
if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
|
179
|
-
rawparams['SigAlg'] =
|
186
|
+
rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
|
180
187
|
end
|
181
188
|
|
182
189
|
rawparams
|
183
190
|
end
|
184
191
|
|
192
|
+
def self.escape_request_param(param, lowercase_url_encoding)
|
193
|
+
CGI.escape(param).tap do |escaped|
|
194
|
+
next unless lowercase_url_encoding
|
195
|
+
|
196
|
+
escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
|
197
|
+
end
|
198
|
+
end
|
199
|
+
|
185
200
|
# Validate the Signature parameter sent on the HTTP-Redirect binding
|
186
201
|
# @param params [Hash] Parameters to be used in the validation process
|
187
202
|
# @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
|
@@ -296,9 +311,9 @@ module OneLogin
|
|
296
311
|
when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
|
297
312
|
when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
|
298
313
|
when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
|
299
|
-
when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
300
|
-
when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
301
|
-
when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new(
|
314
|
+
when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
|
315
|
+
when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
|
316
|
+
when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
|
302
317
|
when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
|
303
318
|
when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
|
304
319
|
end
|
@@ -328,8 +343,12 @@ module OneLogin
|
|
328
343
|
end
|
329
344
|
end
|
330
345
|
|
346
|
+
def self.set_prefix(value)
|
347
|
+
UUID_PREFIX.replace value
|
348
|
+
end
|
349
|
+
|
331
350
|
def self.uuid
|
332
|
-
RUBY_VERSION < '1.9' ? "
|
351
|
+
"#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
|
333
352
|
end
|
334
353
|
|
335
354
|
# Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed,
|
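--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -159,15 +159,13 @@ module XMLSecurity
 x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
 # add the signature
-issuer_element =
+issuer_element = elements["//saml:Issuer"]
 if issuer_element
-
+root.insert_after(issuer_element, signature_element)
+elsif first_child = root.children[0]
+root.insert_before(first_child, signature_element)
 else
-
-self.root.insert_before sp_sso_descriptor, signature_element
-else
-self.root.add_element(signature_element)
-end
+root.add_element(signature_element)
 end
 end
 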
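Review bot: `elsif first_child = root.children[0]` assigns inside a condition, which reads like a mistyped `==` and is flagged by RuboCop; write it as `elsif (first_child = root.children[0])` or hoist `first_child = root.children.first` above the branch. In REXML `root.children` includes text nodes, so on a pretty-printed document `first_child` may be a whitespace node rather than the first element; the signature still becomes the first child of the root, but the intent deserves a comment such as `# No saml:Issuer (e.g. metadata): place ds:Signature as the first child of the root` where the three branches are chosen. The enclosing method starts outside the hunk.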
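--- a/data/ruby-saml.gemspec
+++ b/data/ruby-saml.gemspec
@@ -41,7 +41,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
 s.add_runtime_dependency('json', '< 2.3.0')
 elsif RUBY_VERSION < '2.3'
-s.add_runtime_dependency('nokogiri', '>= 1.9.1', '
+s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
 else
 s.add_runtime_dependency('nokogiri', '>= 1.10.5')
 s.add_runtime_dependency('rexml')
@@ -54,7 +54,12 @@ Gem::Specification.new do |s|
 s.add_development_dependency('shoulda', '~> 2.11')
 s.add_development_dependency('simplecov')
 s.add_development_dependency('systemu', '~> 2')
-
+
+if RUBY_VERSION < '2.1'
+s.add_development_dependency('timecop', '<= 0.6.0')
+else
+s.add_development_dependency('timecop', '~> 0.9')
+end
 
 if defined?(JRUBY_VERSION)
 # All recent versions of JRuby play well with pry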
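Review bot: The `< 1.10.0` ceiling added on the `RUBY_VERSION < '2.3'` branch is undocumented, so the next maintainer cannot tell whether it is a compatibility limit or a deliberate hold-back; a one-line comment on that branch, e.g. `# nokogiri 1.10 presumably requires Ruby >= 2.3 — confirm before lifting`, would make the reason explicit. The same applies to the new timecop branching in the second hunk, where `'<= 0.6.0'` for Ruby < 2.1 carries no rationale. Both branches sit inside the `Gem::Specification.new` block that starts outside the hunks.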
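--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.14.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -140,16 +140,16 @@ dependencies:
 name: timecop
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: '0.9'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: '0.9'
 - !ruby/object:Gem::Dependency
 name: pry-byebug
 requirement: !ruby/object:Gem::Requirement
@@ -173,13 +173,14 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/workflows/test.yml"
 - ".gitignore"
--
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
--
+- UPGRADING.md
 - gemfiles/nokogiri-1.5.gemfile
 - lib/onelogin/ruby-saml.rb
 - lib/onelogin/ruby-saml/attribute_service.rb
@@ -236,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.
+rubygems_version: 3.0.6
 signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit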
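--- a/data/.travis.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-language: ruby
-rvm:
-- 1.9.3
-- 2.0.0
-- 2.1.10
-- 2.2.10
-- 2.3.8
-- 2.4.6
-- 2.5.8
-- 2.6.6
-- 2.7.2
-- 3.0.0
-- jruby-1.7.27
-- jruby-9.1.17.0
-- jruby-9.2.13.0
-gemfile:
-- Gemfile
-- gemfiles/nokogiri-1.5.gemfile
-before_install:
-- gem update bundler
-matrix:
-exclude:
-- rvm: jruby-1.7.27
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: jruby-9.1.17.0
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: jruby-9.2.13.0
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.1.5
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.1.10
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.2.10
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.3.8
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.4.6
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.5.8
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.6.6
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 2.7.2
-gemfile: gemfiles/nokogiri-1.5.gemfile
-- rvm: 3.0.0
-gemfile: gemfiles/nokogiri-1.5.gemfile
-env:
-- JRUBY_OPTS="--debug"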