ruby-saml 1.12.0 → 1.14.0

data/lib/onelogin/ruby-saml/utils.rb

@@ -13,9 +13,26 @@ module OneLogin
     class Utils
       @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
 
-      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-      XENC      = "http://www.w3.org/2001/04/xmlenc#"
-      DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
+      BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+                   :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
+      DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
+      XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
+      DURATION_FORMAT = %r(^
+        (-?)P                       # 1: Duration sign
+        (?:
+          (?:(\d+)Y)?               # 2: Years
+          (?:(\d+)M)?               # 3: Months
+          (?:(\d+)D)?               # 4: Days
+          (?:T
+            (?:(\d+)H)?             # 5: Hours
+            (?:(\d+)M)?             # 6: Minutes
+            (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
+          )?
+          |
+          (\d+)W                    # 8: Weeks
+        )
+      $)x.freeze
+      UUID_PREFIX = '_'
 
       # Checks if the x509 cert provided is expired
       #
@@ -37,31 +54,20 @@ module OneLogin
       #                            current time.
       #
       # @return [Integer] The new timestamp, after the duration is applied.
-      # 
+      #
       def self.parse_duration(duration, timestamp=Time.now.utc)
+        return nil if RUBY_VERSION < '1.9'  # 1.8.7 not supported
+
         matches = duration.match(DURATION_FORMAT)
-      
+
         if matches.nil?
           raise Exception.new("Invalid ISO 8601 duration")
         end
 
-        durYears = matches[2].to_i
-        durMonths = matches[3].to_i
-        durDays = matches[4].to_i
-        durHours = matches[5].to_i
-        durMinutes = matches[6].to_i
-        durSeconds = matches[7].to_f
-        durWeeks = matches[8].to_i
-
-        if matches[1] == "-"
-          durYears = -durYears
-          durMonths = -durMonths
-          durDays = -durDays
-          durHours = -durHours
-          durMinutes = -durMinutes
-          durSeconds = -durSeconds
-          durWeeks = -durWeeks
-        end
+        sign = matches[1] == '-' ? -1 : 1
+
+        durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
+          matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
 
         initial_datetime = Time.at(timestamp).utc.to_datetime
         final_datetime = initial_datetime.next_year(durYears)
@@ -161,27 +167,36 @@ module OneLogin
       #
       # @param rawparams [Hash] Raw GET Parameters
       # @param params [Hash] GET Parameters
+      # @param lowercase_url_encoding [bool] Lowercase URL Encoding  (For ADFS urlencode compatiblity)
       # @return [Hash] New raw parameters
       #
-      def self.prepare_raw_get_params(rawparams, params)
+      def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
         rawparams ||= {}
 
         if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
-          rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
+          rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
         end
         if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
-          rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
+          rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
         end
         if rawparams['RelayState'].nil? && !params['RelayState'].nil?
-          rawparams['RelayState'] = CGI.escape(params['RelayState'])
+          rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
         end
         if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
-          rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
+          rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
         end
 
         rawparams
       end
 
+      def self.escape_request_param(param, lowercase_url_encoding)
+        CGI.escape(param).tap do |escaped|
+          next unless lowercase_url_encoding
+
+          escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
+        end
+      end
+
       # Validate the Signature parameter sent on the HTTP-Redirect binding
       # @param params [Hash] Parameters to be used in the validation process
       # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
@@ -296,9 +311,9 @@ module OneLogin
           when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
           when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
           when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
-          when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
-          when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
-          when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
           when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
           when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
         end
@@ -328,8 +343,12 @@ module OneLogin
         end
       end
 
+      def self.set_prefix(value)
+        UUID_PREFIX.replace value
+      end
+
       def self.uuid
-        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+        "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
       end
 
       # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.12.0'
+    VERSION = '1.14.0'
   end
 end

data/lib/xml_security.rb

@@ -159,15 +159,13 @@ module XMLSecurity
       x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
       # add the signature
-      issuer_element = self.elements["//saml:Issuer"]
+      issuer_element = elements["//saml:Issuer"]
       if issuer_element
-        self.root.insert_after issuer_element, signature_element
+        root.insert_after(issuer_element, signature_element)
+      elsif first_child = root.children[0]
+        root.insert_before(first_child, signature_element)
       else
-        if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
-          self.root.insert_before sp_sso_descriptor, signature_element
-        else
-          self.root.add_element(signature_element)
-        end
+        root.add_element(signature_element)
       end
     end
 

data/ruby-saml.gemspec

@@ -41,7 +41,7 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
     s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
-    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
   else
     s.add_runtime_dependency('nokogiri', '>= 1.10.5')
     s.add_runtime_dependency('rexml')
@@ -54,7 +54,12 @@ Gem::Specification.new do |s|
   s.add_development_dependency('shoulda',  '~> 2.11')
   s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
-  s.add_development_dependency('timecop',  '<= 0.6.0')
+
+  if RUBY_VERSION < '2.1'
+    s.add_development_dependency('timecop',  '<= 0.6.0')
+  else
+    s.add_development_dependency('timecop',  '~> 0.9')
+  end
 
   if defined?(JRUBY_VERSION)
     # All recent versions of JRuby play well with pry

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.12.0
+  version: 1.14.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-19 00:00:00.000000000 Z
+date: 2022-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -140,16 +140,16 @@ dependencies:
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -173,13 +173,14 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
-- changelog.md
+- UPGRADING.md
 - gemfiles/nokogiri-1.5.gemfile
 - lib/onelogin/ruby-saml.rb
 - lib/onelogin/ruby-saml/attribute_service.rb
@@ -236,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit

data/.travis.yml

@@ -1,48 +0,0 @@
-language: ruby
-rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.10
-  - 2.2.10
-  - 2.3.8
-  - 2.4.6
-  - 2.5.8
-  - 2.6.6
-  - 2.7.2
-  - 3.0.0
-  - jruby-1.7.27
-  - jruby-9.1.17.0
-  - jruby-9.2.13.0
-gemfile:
-  - Gemfile
-  - gemfiles/nokogiri-1.5.gemfile
-before_install:
-  - gem update bundler
-matrix:
-  exclude:
-    - rvm: jruby-1.7.27
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.1.17.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.13.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.5
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.2.10
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.4.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.8
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.6
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.7.2
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 3.0.0
-      gemfile: gemfiles/nokogiri-1.5.gemfile
-env:
-  - JRUBY_OPTS="--debug"