ruby-saml 1.12.2 → 1.13.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.github/workflows/test.yml +25 -0
- data/{changelog.md → CHANGELOG.md} +19 -6
- data/README.md +288 -226
- data/UPGRADING.md +149 -0
- data/lib/onelogin/ruby-saml/authrequest.rb +2 -3
- data/lib/onelogin/ruby-saml/idp_metadata_parser.rb +110 -77
- data/lib/onelogin/ruby-saml/logoutrequest.rb +3 -3
- data/lib/onelogin/ruby-saml/logoutresponse.rb +1 -1
- data/lib/onelogin/ruby-saml/metadata.rb +59 -22
- data/lib/onelogin/ruby-saml/response.rb +13 -15
- data/lib/onelogin/ruby-saml/saml_message.rb +6 -7
- data/lib/onelogin/ruby-saml/settings.rb +76 -68
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +12 -4
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +2 -2
- data/lib/onelogin/ruby-saml/utils.rb +27 -22
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +5 -7
- metadata +7 -5
- data/.travis.yml +0 -48
|
@@ -43,7 +43,7 @@ module OneLogin
|
|
|
43
43
|
end
|
|
44
44
|
end
|
|
45
45
|
|
|
46
|
-
@request = decode_raw_saml(request)
|
|
46
|
+
@request = decode_raw_saml(request, settings)
|
|
47
47
|
@document = REXML::Document.new(@request)
|
|
48
48
|
end
|
|
49
49
|
|
|
@@ -130,6 +130,12 @@ module OneLogin
|
|
|
130
130
|
|
|
131
131
|
private
|
|
132
132
|
|
|
133
|
+
# returns the allowed clock drift on timing validation
|
|
134
|
+
# @return [Float]
|
|
135
|
+
def allowed_clock_drift
|
|
136
|
+
options[:allowed_clock_drift].to_f.abs + Float::EPSILON
|
|
137
|
+
end
|
|
138
|
+
|
|
133
139
|
# Hard aux function to validate the Logout Request
|
|
134
140
|
# @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
|
|
135
141
|
# @return [Boolean] TRUE if the Logout Request is valid
|
|
@@ -180,15 +186,17 @@ module OneLogin
|
|
|
180
186
|
true
|
|
181
187
|
end
|
|
182
188
|
|
|
183
|
-
# Validates the time. (If the logout request was initialized with the :allowed_clock_drift
|
|
189
|
+
# Validates the time. (If the logout request was initialized with the :allowed_clock_drift
|
|
190
|
+
# option, the timing validations are relaxed by the allowed_clock_drift value)
|
|
184
191
|
# If fails, the error is added to the errors array
|
|
185
192
|
# @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
|
|
186
193
|
# @raise [ValidationError] if soft == false and validation fails
|
|
187
194
|
#
|
|
188
195
|
def validate_not_on_or_after
|
|
189
196
|
now = Time.now.utc
|
|
190
|
-
|
|
191
|
-
|
|
197
|
+
|
|
198
|
+
if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
|
|
199
|
+
return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})")
|
|
192
200
|
end
|
|
193
201
|
|
|
194
202
|
true
|
|
@@ -79,7 +79,7 @@ module OneLogin
|
|
|
79
79
|
base64_response = encode(response)
|
|
80
80
|
response_params = {"SAMLResponse" => base64_response}
|
|
81
81
|
|
|
82
|
-
if settings.
|
|
82
|
+
if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && settings.private_key
|
|
83
83
|
params['SigAlg'] = settings.security[:signature_method]
|
|
84
84
|
url_string = OneLogin::RubySaml::Utils.build_query(
|
|
85
85
|
:type => 'SAMLResponse',
|
|
@@ -150,7 +150,7 @@ module OneLogin
|
|
|
150
150
|
|
|
151
151
|
def sign_document(document, settings)
|
|
152
152
|
# embed signature
|
|
153
|
-
if settings.
|
|
153
|
+
if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.private_key && settings.certificate
|
|
154
154
|
private_key = settings.get_sp_key
|
|
155
155
|
cert = settings.get_sp_cert
|
|
156
156
|
document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|
|
@@ -13,9 +13,25 @@ module OneLogin
|
|
|
13
13
|
class Utils
|
|
14
14
|
@@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
|
|
15
15
|
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
16
|
+
BINDINGS = { :post => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
|
|
17
|
+
:redirect => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze }.freeze
|
|
18
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#".freeze
|
|
19
|
+
XENC = "http://www.w3.org/2001/04/xmlenc#".freeze
|
|
20
|
+
DURATION_FORMAT = %r(^
|
|
21
|
+
(-?)P # 1: Duration sign
|
|
22
|
+
(?:
|
|
23
|
+
(?:(\d+)Y)? # 2: Years
|
|
24
|
+
(?:(\d+)M)? # 3: Months
|
|
25
|
+
(?:(\d+)D)? # 4: Days
|
|
26
|
+
(?:T
|
|
27
|
+
(?:(\d+)H)? # 5: Hours
|
|
28
|
+
(?:(\d+)M)? # 6: Minutes
|
|
29
|
+
(?:(\d+(?:[.,]\d+)?)S)? # 7: Seconds
|
|
30
|
+
)?
|
|
31
|
+
|
|
|
32
|
+
(\d+)W # 8: Weeks
|
|
33
|
+
)
|
|
34
|
+
$)x.freeze
|
|
19
35
|
|
|
20
36
|
# Checks if the x509 cert provided is expired
|
|
21
37
|
#
|
|
@@ -37,31 +53,20 @@ module OneLogin
|
|
|
37
53
|
# current time.
|
|
38
54
|
#
|
|
39
55
|
# @return [Integer] The new timestamp, after the duration is applied.
|
|
40
|
-
#
|
|
56
|
+
#
|
|
41
57
|
def self.parse_duration(duration, timestamp=Time.now.utc)
|
|
58
|
+
return nil if RUBY_VERSION < '1.9' # 1.8.7 not supported
|
|
59
|
+
|
|
42
60
|
matches = duration.match(DURATION_FORMAT)
|
|
43
|
-
|
|
61
|
+
|
|
44
62
|
if matches.nil?
|
|
45
63
|
raise Exception.new("Invalid ISO 8601 duration")
|
|
46
64
|
end
|
|
47
65
|
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
durDays =
|
|
51
|
-
|
|
52
|
-
durMinutes = matches[6].to_i
|
|
53
|
-
durSeconds = matches[7].to_f
|
|
54
|
-
durWeeks = matches[8].to_i
|
|
55
|
-
|
|
56
|
-
if matches[1] == "-"
|
|
57
|
-
durYears = -durYears
|
|
58
|
-
durMonths = -durMonths
|
|
59
|
-
durDays = -durDays
|
|
60
|
-
durHours = -durHours
|
|
61
|
-
durMinutes = -durMinutes
|
|
62
|
-
durSeconds = -durSeconds
|
|
63
|
-
durWeeks = -durWeeks
|
|
64
|
-
end
|
|
66
|
+
sign = matches[1] == '-' ? -1 : 1
|
|
67
|
+
|
|
68
|
+
durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
|
|
69
|
+
matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
|
|
65
70
|
|
|
66
71
|
initial_datetime = Time.at(timestamp).utc.to_datetime
|
|
67
72
|
final_datetime = initial_datetime.next_year(durYears)
|
data/lib/xml_security.rb
CHANGED
|
@@ -159,15 +159,13 @@ module XMLSecurity
|
|
|
159
159
|
x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, "")
|
|
160
160
|
|
|
161
161
|
# add the signature
|
|
162
|
-
issuer_element =
|
|
162
|
+
issuer_element = elements["//saml:Issuer"]
|
|
163
163
|
if issuer_element
|
|
164
|
-
|
|
164
|
+
root.insert_after(issuer_element, signature_element)
|
|
165
|
+
elsif first_child = root.children[0]
|
|
166
|
+
root.insert_before(first_child, signature_element)
|
|
165
167
|
else
|
|
166
|
-
|
|
167
|
-
self.root.insert_before sp_sso_descriptor, signature_element
|
|
168
|
-
else
|
|
169
|
-
self.root.add_element(signature_element)
|
|
170
|
-
end
|
|
168
|
+
root.add_element(signature_element)
|
|
171
169
|
end
|
|
172
170
|
end
|
|
173
171
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.13.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OneLogin LLC
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-09-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: nokogiri
|
|
@@ -173,13 +173,14 @@ extra_rdoc_files:
|
|
|
173
173
|
- README.md
|
|
174
174
|
files:
|
|
175
175
|
- ".document"
|
|
176
|
+
- ".github/workflows/test.yml"
|
|
176
177
|
- ".gitignore"
|
|
177
|
-
-
|
|
178
|
+
- CHANGELOG.md
|
|
178
179
|
- Gemfile
|
|
179
180
|
- LICENSE
|
|
180
181
|
- README.md
|
|
181
182
|
- Rakefile
|
|
182
|
-
-
|
|
183
|
+
- UPGRADING.md
|
|
183
184
|
- gemfiles/nokogiri-1.5.gemfile
|
|
184
185
|
- lib/onelogin/ruby-saml.rb
|
|
185
186
|
- lib/onelogin/ruby-saml/attribute_service.rb
|
|
@@ -236,7 +237,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
236
237
|
- !ruby/object:Gem::Version
|
|
237
238
|
version: '0'
|
|
238
239
|
requirements: []
|
|
239
|
-
|
|
240
|
+
rubyforge_project:
|
|
241
|
+
rubygems_version: 2.5.2.1
|
|
240
242
|
signing_key:
|
|
241
243
|
specification_version: 4
|
|
242
244
|
summary: SAML Ruby Tookit
|
data/.travis.yml
DELETED
|
@@ -1,48 +0,0 @@
|
|
|
1
|
-
language: ruby
|
|
2
|
-
rvm:
|
|
3
|
-
- 1.9.3
|
|
4
|
-
- 2.0.0
|
|
5
|
-
- 2.1.10
|
|
6
|
-
- 2.2.10
|
|
7
|
-
- 2.3.8
|
|
8
|
-
- 2.4.6
|
|
9
|
-
- 2.5.8
|
|
10
|
-
- 2.6.6
|
|
11
|
-
- 2.7.2
|
|
12
|
-
- 3.0.0
|
|
13
|
-
- jruby-1.7.27
|
|
14
|
-
- jruby-9.1.17.0
|
|
15
|
-
- jruby-9.2.13.0
|
|
16
|
-
gemfile:
|
|
17
|
-
- Gemfile
|
|
18
|
-
- gemfiles/nokogiri-1.5.gemfile
|
|
19
|
-
before_install:
|
|
20
|
-
- gem update bundler
|
|
21
|
-
matrix:
|
|
22
|
-
exclude:
|
|
23
|
-
- rvm: jruby-1.7.27
|
|
24
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
25
|
-
- rvm: jruby-9.1.17.0
|
|
26
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
27
|
-
- rvm: jruby-9.2.13.0
|
|
28
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
29
|
-
- rvm: 2.1.5
|
|
30
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
31
|
-
- rvm: 2.1.10
|
|
32
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
33
|
-
- rvm: 2.2.10
|
|
34
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
35
|
-
- rvm: 2.3.8
|
|
36
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
37
|
-
- rvm: 2.4.6
|
|
38
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
39
|
-
- rvm: 2.5.8
|
|
40
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
41
|
-
- rvm: 2.6.6
|
|
42
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
43
|
-
- rvm: 2.7.2
|
|
44
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
45
|
-
- rvm: 3.0.0
|
|
46
|
-
gemfile: gemfiles/nokogiri-1.5.gemfile
|
|
47
|
-
env:
|
|
48
|
-
- JRUBY_OPTS="--debug"
|