ruby-saml 1.12.0 → 1.14.0





@@ -13,9 +13,26 @@ module OneLogin
13
13
  class Utils
14
14
  @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
15
15
 
16
- DSIG = "http://www.w3.org/2000/09/xmldsig#"
17
- XENC = "http://www.w3.org/2001/04/xmlenc#"
18
- DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
16
+ BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
17
+ :redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
18
+ DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
19
+ XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
20
+ DURATION_FORMAT = %r(^
21
+ (-?)P # 1: Duration sign
22
+ (?:
23
+ (?:(\d+)Y)? # 2: Years
24
+ (?:(\d+)M)? # 3: Months
25
+ (?:(\d+)D)? # 4: Days
26
+ (?:T
27
+ (?:(\d+)H)? # 5: Hours
28
+ (?:(\d+)M)? # 6: Minutes
29
+ (?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
30
+ )?
31
+ |
32
+ (\d+)W # 8: Weeks
33
+ )
34
+ $)x.freeze
35
+ UUID_PREFIX = '_'
19
36
 
20
37
  # Checks if the x509 cert provided is expired
21
38
  #
@@ -37,31 +54,20 @@ module OneLogin
37
54
  # current time.
38
55
  #
39
56
  # @return [Integer] The new timestamp, after the duration is applied.
40
- #
57
+ #
41
58
  def self.parse_duration(duration, timestamp=Time.now.utc)
59
+ return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
60
+
42
61
  matches = duration.match(DURATION_FORMAT)
43
-
62
+
44
63
  if matches.nil?
45
64
  raise Exception.new("Invalid ISO 8601 duration")
46
65
  end
47
66
 
48
- durYears = matches[2].to_i
49
- durMonths = matches[3].to_i
50
- durDays = matches[4].to_i
51
- durHours = matches[5].to_i
52
- durMinutes = matches[6].to_i
53
- durSeconds = matches[7].to_f
54
- durWeeks = matches[8].to_i
55
-
56
- if matches[1] == "-"
57
- durYears = -durYears
58
- durMonths = -durMonths
59
- durDays = -durDays
60
- durHours = -durHours
61
- durMinutes = -durMinutes
62
- durSeconds = -durSeconds
63
- durWeeks = -durWeeks
64
- end
67
+ sign = matches[1] == '-' ? -1 : 1
68
+
69
+ durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
70
+ matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
65
71
 
66
72
  initial_datetime = Time.at(timestamp).utc.to_datetime
67
73
  final_datetime = initial_datetime.next_year(durYears)
@@ -161,27 +167,36 @@ module OneLogin
161
167
  #
162
168
  # @param rawparams [Hash] Raw GET Parameters
163
169
  # @param params [Hash] GET Parameters
170
+ # @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity)
164
171
  # @return [Hash] New raw parameters
165
172
  #
166
- def self.prepare_raw_get_params(rawparams, params)
173
+ def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
167
174
  rawparams ||= {}
168
175
 
169
176
  if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
170
- rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
177
+ rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
171
178
  end
172
179
  if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
173
- rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
180
+ rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
174
181
  end
175
182
  if rawparams['RelayState'].nil? && !params['RelayState'].nil?
176
- rawparams['RelayState'] = CGI.escape(params['RelayState'])
183
+ rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
177
184
  end
178
185
  if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
179
- rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
186
+ rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
180
187
  end
181
188
 
182
189
  rawparams
183
190
  end
184
191
 
192
+ def self.escape_request_param(param, lowercase_url_encoding)
193
+ CGI.escape(param).tap do |escaped|
194
+ next unless lowercase_url_encoding
195
+
196
+ escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
197
+ end
198
+ end
199
+
185
200
  # Validate the Signature parameter sent on the HTTP-Redirect binding
186
201
  # @param params [Hash] Parameters to be used in the validation process
187
202
  # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
@@ -296,9 +311,9 @@ module OneLogin
296
311
  when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
297
312
  when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
298
313
  when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
299
- when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
300
- when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
301
- when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
314
+ when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
315
+ when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
316
+ when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
302
317
  when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
303
318
  when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
304
319
  end
@@ -328,8 +343,12 @@ module OneLogin
328
343
  end
329
344
  end
330
345
 
346
+ def self.set_prefix(value)
347
+ UUID_PREFIX.replace value
348
+ end
349
+
331
350
  def self.uuid
332
- RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
351
+ "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
333
352
  end
334
353
 
335
354
  # Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed,
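Review bot: `set_prefix` (`UUID_PREFIX.replace value`) accepts any string and overwrites the process-wide prefix in place with no validation, and `uuid` then interpolates it into what is presumably used as an XML `ID` attribute, so an empty prefix or one beginning with a digit would yield IDs that are not valid NCNames and could break `#id`-based signature references — confirm against the callers of `uuid`. Suggest guarding the setter, e.g. `raise ArgumentError, 'prefix must be a valid XML ID start' unless value.to_s =~ /\A[A-Za-z_][\w.-]*\z/`, and documenting why the constant is deliberately left unfrozen: `UUID_PREFIX = '_' # not frozen: mutated in place by set_prefix; a frozen_string_literal pragma would break it`. The setter also mutates shared global state, so it is not safe to call concurrently with `uuid` and changes the prefix for every SP configured in the process; a one-line comment saying so would spare the next maintainer a surprise.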
@@ -1,5 +1,5 @@
1
1
  module OneLogin
2
2
  module RubySaml
3
- VERSION = '1.12.0'
3
+ VERSION = '1.14.0'
4
4
  end
5
5
  end
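--- a/data/lib/xml_security.rb
+++ b/data/lib/xml_security.rb
@@ -159,15 +159,13 @@ module XMLSecurity
  x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
 
  # add the signature
- issuer_element = self.elements["//saml:Issuer"]
+ issuer_element = elements["//saml:Issuer"]
  if issuer_element
- self.root.insert_after issuer_element, signature_element
+ root.insert_after(issuer_element, signature_element)
+ elsif first_child = root.children[0]
+ root.insert_before(first_child, signature_element)
  else
- if sp_sso_descriptor = self.elements["/md:EntityDescriptor"]
- self.root.insert_before sp_sso_descriptor, signature_element
- else
- self.root.add_element(signature_element)
- end
+ root.add_element(signature_element)
  end
  end
 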
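Review bot: `elsif first_child = root.children[0]` assigns inside the condition, which reads like a mistyped comparison and is what RuboCop's Lint/AssignmentInCondition flags; hoisting it — `first_child = root.children.first` on its own line, then `elsif first_child` — keeps the same behavior. `root.children[0]` is the first node of any kind, so with pretty-printed input the signature is inserted before a whitespace Text node; that still makes it the first child under the root, but a comment such as `# no Issuer: the signature goes first under the root (REXML children include text nodes)` would make the intent explicit. The enclosing method starts before this hunk; note also that `elements["//saml:Issuer"]` on the new side is a descendant search, so if the root has no direct Issuer but a nested element does, that nested element is handed to `root.insert_after` even though it is not a child of root — worth confirming what REXML does in that case.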
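--- a/data/ruby-saml.gemspec
+++ b/data/ruby-saml.gemspec
@@ -41,7 +41,7 @@ Gem::Specification.new do |s|
  s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
  s.add_runtime_dependency('json', '< 2.3.0')
  elsif RUBY_VERSION < '2.3'
- s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+ s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
  else
  s.add_runtime_dependency('nokogiri', '>= 1.10.5')
  s.add_runtime_dependency('rexml')
@@ -54,7 +54,12 @@ Gem::Specification.new do |s|
  s.add_development_dependency('shoulda', '~> 2.11')
  s.add_development_dependency('simplecov')
  s.add_development_dependency('systemu', '~> 2')
- s.add_development_dependency('timecop', '<= 0.6.0')
+
+ if RUBY_VERSION < '2.1'
+ s.add_development_dependency('timecop', '<= 0.6.0')
+ else
+ s.add_development_dependency('timecop', '~> 0.9')
+ end
 
  if defined?(JRUBY_VERSION)
  # All recent versions of JRuby play well with pry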
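Review bot: The `< 1.10.0` cap on nokogiri for Ruby < 2.3 carries no comment explaining it, and since nokogiri is the parser that handles untrusted SAML XML a reader should be able to tell whether the cap is a compatibility constraint or an oversight; presumably nokogiri 1.10 dropped Ruby 2.2 — confirm. Suggest `# nokogiri >= 1.10 needs Ruby >= 2.3; older Rubies stay on the 1.9 line` above that branch, and a matching `# timecop > 0.6 needs Ruby >= 2.1` on the new version-gated timecop block so the two Ruby-version splits read consistently.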
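--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: ruby-saml
  version: !ruby/object:Gem::Version
- version: 1.12.0
+ version: 1.14.0
  platform: ruby
  authors:
  - OneLogin LLC
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-02-19 00:00:00.000000000 Z
+ date: 2022-02-01 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: nokogiri
@@ -140,16 +140,16 @@ dependencies:
  name: timecop
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - "<="
+ - - "~>"
  - !ruby/object:Gem::Version
- version: 0.6.0
+ version: '0.9'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - "<="
+ - - "~>"
  - !ruby/object:Gem::Version
- version: 0.6.0
+ version: '0.9'
  - !ruby/object:Gem::Dependency
  name: pry-byebug
  requirement: !ruby/object:Gem::Requirement
@@ -173,13 +173,14 @@ extra_rdoc_files:
  - README.md
  files:
  - ".document"
+ - ".github/workflows/test.yml"
  - ".gitignore"
- - ".travis.yml"
+ - CHANGELOG.md
  - Gemfile
  - LICENSE
  - README.md
  - Rakefile
- - changelog.md
+ - UPGRADING.md
  - gemfiles/nokogiri-1.5.gemfile
  - lib/onelogin/ruby-saml.rb
  - lib/onelogin/ruby-saml/attribute_service.rb
@@ -236,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.0.8
+ rubygems_version: 3.0.6
  signing_key:
  specification_version: 4
  summary: SAML Ruby Tookit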
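--- a/data/.travis.yml
+++ /dev/null
@@ -1,48 +0,0 @@
- language: ruby
- rvm:
- - 1.9.3
- - 2.0.0
- - 2.1.10
- - 2.2.10
- - 2.3.8
- - 2.4.6
- - 2.5.8
- - 2.6.6
- - 2.7.2
- - 3.0.0
- - jruby-1.7.27
- - jruby-9.1.17.0
- - jruby-9.2.13.0
- gemfile:
- - Gemfile
- - gemfiles/nokogiri-1.5.gemfile
- before_install:
- - gem update bundler
- matrix:
- exclude:
- - rvm: jruby-1.7.27
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: jruby-9.1.17.0
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: jruby-9.2.13.0
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.1.5
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.1.10
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.2.10
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.3.8
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.4.6
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.5.8
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.6.6
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 2.7.2
- gemfile: gemfiles/nokogiri-1.5.gemfile
- - rvm: 3.0.0
- gemfile: gemfiles/nokogiri-1.5.gemfile
- env:
- - JRUBY_OPTS="--debug"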