ruby-saml 1.13.0 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ded4e8f9560644f26e90079ecf0021f81fb8fb90
-  data.tar.gz: 034e0d8ee8d11aa443435b20d071015dfbcf5161
+SHA256:
+  metadata.gz: 3ed3b0ab8cb9f9fd8b4e23b34f8ad06fd1e6c6a13d885d34c2f7b385297783b3
+  data.tar.gz: 757dccd6c1418f1128a69c7fdcd95cdd8d8bcac697ae750edb92f058aee50c7f
 SHA512:
-  metadata.gz: 957e2b7598309e9b770019902f28bdec07a28a19a77abfb7e72d503ab3c8b4c57138451d3bb0bced671aca4d454d6637821a3931e91e6f4d79ef4d5d1a91a25e
-  data.tar.gz: 74d06dcdc7ba3f3c0dc797ad3e329987f0bd32bfc5b0bdee62f9c081688dd97bb4892ef42de795c09c59b2c48487b673476a6dd12aedca0770b600c770e2c4b7
+  metadata.gz: 9cc12490c6b57281677f1db5a5a804c07a9b97f57a86d3b5676b79b36ca28bd7d9971ed3db893b730ff09ab6c03374600d87118949440c4271293bc48333b3d6
+  data.tar.gz: 4c330a53de476f479a22dbe07b18f51e0ebe1dcde834eac9cb65678b8767094e365a0ea043a5e4b09d1cabfa6a8f0c4287f29fffe6e53328b70572a64cefcd04

data/.github/workflows/test.yml

@@ -8,8 +8,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-        ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, jruby-9.1.17.0, jruby-9.2.17.0, truffleruby]
+        os: [ubuntu-20.04, macos-latest]
+        ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, 3.1, 3.2, jruby-9.1.17.0, jruby-9.2.17.0, jruby-9.3.2.0, jruby-9.4.0.0, truffleruby]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v2
@@ -23,3 +23,21 @@ jobs:
 
       - name: Run tests
         run: bundle exec rake
+
+      - name: Coveralls
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.github_token }}
+          parallel: true
+          flag-name: run-${{ matrix.ruby-version }}
+
+  finish:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Coveralls Finished
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.github_token }}
+          flag-name: run-${{ matrix.ruby-version }}
+          parallel-finished: true

data/CHANGELOG.md

@@ -1,4 +1,17 @@
 # Ruby SAML Changelog
+### 1.15.0 (Jan 04, 2023)
+* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
+* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata 
+* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support idp cert multi with string keys
+* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
+* Add info about new repo, new maintainer, new security contact
+* Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
+
+### 1.14.0 (Feb 01, 2022)
+* [#627](https://github.com/onelogin/ruby-saml/pull/627) Support escape downcasing for validating SLO Signatures of ADFS/Azure
+* [#633](https://github.com/onelogin/ruby-saml/pull/633) Support ability to change ID prefix
+* Make the uuid editable on the SAML Messages generated by the toolkit
+* [#622](https://github.com/onelogin/ruby-saml/pull/622) Add security setting to more strictly enforce audience validation
 
 ### 1.13.0 (Sept 06, 2021)
 * [#611](https://github.com/onelogin/ruby-saml/pull/601) Replace MAX_BYTE_SIZE constant with setting: message_max_bytesize

data/LICENSE

@@ -1,4 +1,5 @@
-Copyright (c) 2010-2016 OneLogin, Inc.
+Copyright (c) 2010-2022 OneLogin, Inc.
+Copyright (c) 2023 IAM Digital Services, SL.
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation

data/README.md

@@ -14,7 +14,7 @@ requests from identity providers.
 SAML authorization is a two step process and you are expected to implement support for both.
 
 We created a demo project for Rails 4 that uses the latest version of this library:
-[ruby-saml-example](https://github.com/onelogin/ruby-saml-example)
+[ruby-saml-example](https://github.com/saml-toolkit/ruby-saml-example)
 
 ### Supported Ruby Versions
 
@@ -52,8 +52,7 @@ In addition, the following may work but are untested:
 ## Security Guidelines
 
 If you believe you have discovered a security vulnerability in this gem, please report it
-at https://www.onelogin.com/security with a description. We follow responsible disclosure
-guidelines, and will work with you to quickly find a resolution.
+by mail to the maintainer: sixto.martin.garcia+security@gmail.com
 
 ### Security Warning
 
@@ -66,7 +65,7 @@ However, ruby-saml never enables this dangerous Nokogiri configuration;
 ruby-saml never enables DTDLOAD, and it never disables NONET.
 
 The OneLogin::RubySaml::IdpMetadataParser class does not validate in any way the URL
-that is introduced in order to be parsed. 
+that is introduced in order to be parsed.
 
 Usually the same administrator that handles the Service Provider also sets the URL to
 the IdP, which should be a trusted resource.
@@ -87,7 +86,7 @@ Using `Gemfile`
 gem 'ruby-saml', '~> 1.11.0'
 
 # or track master for bleeding-edge
-gem 'ruby-saml', :github => 'onelogin/ruby-saml'
+gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
 ```
 
 Using RubyGems
@@ -392,6 +391,51 @@ The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to
 Those return an Hash instead of a `Settings` object, which may be useful for configuring
 [omniauth-saml](https://github.com/omniauth/omniauth-saml), for instance.
 
+
+### Validating Signature of Metadata and retrieve settings
+
+Right now there is no method at ruby_saml to validate the signature of the metadata that gonna be parsed,
+but it can be done as follows:
+* Download the XML.
+* Validate the Signature, providing the cert.
+* Provide the XML to the parse method if the signature was validated
+
+```
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/idp_metadata_parser"
+
+url = "<url_to_the_metadata>"
+idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+uri = URI.parse(url)
+raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
+http = Net::HTTP.new(uri.host, uri.port)
+if uri.scheme == "https"
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+end
+
+get = Net::HTTP::Get.new(uri.request_uri)
+get.basic_auth uri.user, uri.password if uri.user
+response = http.request(get)
+xml = response.body
+errors = []
+doc = XMLSecurity::SignedDocument.new(xml, errors)
+cert_str = "<include_cert_here>"
+cert = OneLogin::RubySaml::Utils.format_cert("cert_str")
+metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
+valid = doc.validate_document_with_cert(metadata_sign_cert, true)
+if valid
+  settings = idp_metadata_parser.parse(
+    xml,
+    entity_id: "<entity_id_of_the_entity_to_be_retrieved>"
+  )
+else
+  print "Metadata Signarture failed to be verified with the cert provided"
+end
+
+
 ## Retrieving Attributes
 
 If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
@@ -664,6 +708,29 @@ validation fails. You may disable such exceptions using the `settings.security[:
   settings.security[:soft] = true  # Do not raise error on failed signature/certificate validations
 ```
 
+#### Audience Validation
+
+A service provider should only consider a SAML response valid if the IdP includes an <AudienceRestriction>
+element containting an <Audience> element that uniquely identifies the service provider. Unless you specify
+the `skip_audience` option, Ruby SAML will validate that each SAML response includes an <Audience> element
+whose contents matches `settings.sp_entity_id`.
+
+By default, Ruby SAML considers an <AudienceRestriction> element containing only empty <Audience> elements
+to be valid. That means an otherwise valid SAML response with a condition like this would be valid:
+
+```xml
+<AudienceRestriction>
+  <Audience />
+</AudienceRestriction>
+```
+
+You may enforce that an <AudienceRestriction> element containing only empty <Audience> elements
+is invalid using the `settings.security[:strict_audience_validation]` parameter.
+
+```ruby
+settings.security[:strict_audience_validation] = true
+```
+
 #### Key Rollover
 
 To update the SP X.509 certificate and private key without disruption of service, you may define the parameter
@@ -767,7 +834,13 @@ Here is an example that we could add to our previous controller to process a SAM
 # Method to handle IdP initiated logouts
 def idp_logout_request
   settings = Account.get_saml_settings
-  logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest])
+  # ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+  # uppercase. Turn it True for ADFS compatibility on signature verification
+  settings.security[:lowercase_url_encoding] = true
+
+  logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
+    params[:SAMLRequest], settings: settings
+  )
   if !logout_request.is_valid?
     logger.error "IdP initiated LogoutRequest was not valid!"
     return render :inline => logger.error

data/UPGRADING.md

@@ -1,6 +1,6 @@
 # Ruby SAML Migration Guide
 
-## Updating from 1.12.x to 1.13.0 (NOT YET RELEASED)
+## Updating from 1.12.x to 1.13.0
 
 Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
 deprecates `settings.security[:embed_sign]`. If specified, new binding parameters will be used in place of `:embed_sign`

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -15,7 +15,7 @@ module OneLogin
     class Authrequest < SamlMessage
 
       # AuthNRequest ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the AuthNRequest. An Authrequest Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -39,7 +39,7 @@ module OneLogin
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
         raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
         @login_url = settings.idp_sso_service_url + request_params

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -442,7 +442,7 @@ module OneLogin
           priority = Array(priority)
           if priority.any?
             values = nodes.map(&:text)
-            Array(priority).detect { |candidate| values.include?(candidate) }
+            priority.detect { |candidate| values.include?(candidate) }
           else
             nodes.first.text
           end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -12,7 +12,7 @@ module OneLogin
     class Logoutrequest < SamlMessage
 
       # Logout Request ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the Logout Request. A Logoutrequest Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -36,7 +36,7 @@ module OneLogin
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
         raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
         @logout_url = settings.idp_slo_service_url + request_params

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -212,7 +212,7 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
-        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params])
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
 
         if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
           options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])

data/lib/onelogin/ruby-saml/metadata.rb

@@ -49,7 +49,7 @@ module OneLogin
         root = meta_doc.add_element("md:EntityDescriptor", namespaces)
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
         root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
-        root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z') if valid_until
+        root.attributes["validUntil"] = valid_until.utc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until
         root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
         root
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -613,7 +613,12 @@ module OneLogin
       #
       def validate_audience
         return true if options[:skip_audience]
-        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+        return true if settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+        if audiences.empty?
+          return true unless settings.security[:strict_audience_validation]
+          return append_error("Invalid Audiences. The <AudienceRestriction> element contained only empty <Audience> elements. Expected audience #{settings.sp_entity_id}.")
+        end
 
         unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
@@ -736,7 +741,7 @@ module OneLogin
       # @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate_session_expiration(soft = true)
+      def validate_session_expiration
         return true if session_expires_at.nil?
 
         now = Time.now.utc

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -4,7 +4,6 @@ require 'base64'
 require 'nokogiri'
 require 'rexml/document'
 require 'rexml/xpath'
-require 'thread'
 require "onelogin/ruby-saml/error_handling"
 
 # Only supports SAML 2.0
@@ -69,14 +68,14 @@ module OneLogin
           xml = Nokogiri::XML(document.to_s) do |config|
             config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
           end
-        rescue Exception => error
+        rescue StandardError => error
           return false if soft
           raise ValidationError.new("XML load failed: #{error.message}")
         end
 
         SamlMessage.schema.validate(xml).map do |schema_error|
           return false if soft
-          raise ValidationError.new("#{schema_error.message}\n\n#{xml.to_s}")
+          raise ValidationError.new("#{schema_error.message}\n\n#{xml}")
         end
       end
 

data/lib/onelogin/ruby-saml/settings.rb

@@ -20,7 +20,7 @@ module OneLogin
         end
 
         config.each do |k,v|
-          acc = "#{k.to_s}=".to_sym
+          acc = "#{k}=".to_sym
           if respond_to? acc
             value = v.is_a?(Hash) ? v.dup : v
             send(acc, value)
@@ -195,17 +195,13 @@ module OneLogin
 
         certs = {:signing => [], :encryption => [] }
 
-        if idp_cert_multi.key?(:signing) and not idp_cert_multi[:signing].empty?
-          idp_cert_multi[:signing].each do |idp_cert|
-            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-            certs[:signing].push(OpenSSL::X509::Certificate.new(formatted_cert))
-          end
-        end
+        [:signing, :encryption].each do |type|
+          certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]
+          next if !certs_for_type || certs_for_type.empty?
 
-        if idp_cert_multi.key?(:encryption) and not idp_cert_multi[:encryption].empty?
-          idp_cert_multi[:encryption].each do |idp_cert|
+          certs_for_type.each do |idp_cert|
             formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-            certs[:encryption].push(OpenSSL::X509::Certificate.new(formatted_cert))
+            certs[type].push(OpenSSL::X509::Certificate.new(formatted_cert))
           end
         end
 
@@ -247,7 +243,6 @@ module OneLogin
         OpenSSL::PKey::RSA.new(formatted_private_key)
       end
 
-      private
 
       def idp_binding_from_embed_sign
         security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
@@ -280,7 +275,9 @@ module OneLogin
           :digest_method              => XMLSecurity::Document::SHA1,
           :signature_method           => XMLSecurity::Document::RSA_SHA1,
           :check_idp_cert_expiration  => false,
-          :check_sp_cert_expiration   => false
+          :check_sp_cert_expiration   => false,
+          :strict_audience_validation => false,
+          :lowercase_url_encoding     => false
         }.freeze
       }.freeze
     end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -248,32 +248,8 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
-        # SAML specifies that the signature should be derived from a concatenation
-        # of URI-encoded values _as sent by the IDP_:
-        #
-        # > Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given
-        # > value. The relying party MUST therefore perform the verification step using the original URL-encoded
-        # > values it received on the query string. It is not sufficient to re-encode the parameters after they have been
-        # > processed by software because the resulting encoding may not match the signer's encoding.
-        #
-        # <http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>
-        #
-        # If we don't have the original parts (for backward compatibility) required to correctly verify the signature,
-        # then fabricate them by re-encoding the parsed URI parameters, and hope that we're lucky enough to use
-        # the exact same URI-encoding as the IDP. (This is not the case if the IDP is ADFS!)
-        options[:raw_get_params] ||= {}
-        if options[:raw_get_params]['SAMLRequest'].nil? && !options[:get_params]['SAMLRequest'].nil?
-          options[:raw_get_params]['SAMLRequest'] = CGI.escape(options[:get_params]['SAMLRequest'])
-        end
-        if options[:raw_get_params]['RelayState'].nil? && !options[:get_params]['RelayState'].nil?
-          options[:raw_get_params]['RelayState'] = CGI.escape(options[:get_params]['RelayState'])
-        end
-        if options[:raw_get_params]['SigAlg'].nil? && !options[:get_params]['SigAlg'].nil?
-          options[:raw_get_params]['SigAlg'] = CGI.escape(options[:get_params]['SigAlg'])
-        end
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
 
-        # If we only received the raw version of SigAlg,
-        # then parse it back into the decoded params hash for convenience.
         if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
           options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
         end
@@ -335,7 +311,6 @@ module OneLogin
 
         true
       end
-
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -13,7 +13,7 @@ module OneLogin
     class SloLogoutresponse < SamlMessage
 
       # Logout Response ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the Logout Response. A SloLogoutresponse Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -41,7 +41,7 @@ module OneLogin
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
-          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          response_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
 
         raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?

data/lib/onelogin/ruby-saml/utils.rb

@@ -32,6 +32,7 @@ module OneLogin
           (\d+)W                    # 8: Weeks
         )
       $)x.freeze
+      UUID_PREFIX = '_'
 
       # Checks if the x509 cert provided is expired
       #
@@ -166,27 +167,36 @@ module OneLogin
       #
       # @param rawparams [Hash] Raw GET Parameters
       # @param params [Hash] GET Parameters
+      # @param lowercase_url_encoding [bool] Lowercase URL Encoding  (For ADFS urlencode compatiblity)
       # @return [Hash] New raw parameters
       #
-      def self.prepare_raw_get_params(rawparams, params)
+      def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
         rawparams ||= {}
 
         if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
-          rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
+          rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
         end
         if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
-          rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
+          rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
         end
         if rawparams['RelayState'].nil? && !params['RelayState'].nil?
-          rawparams['RelayState'] = CGI.escape(params['RelayState'])
+          rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
         end
         if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
-          rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
+          rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
         end
 
         rawparams
       end
 
+      def self.escape_request_param(param, lowercase_url_encoding)
+        CGI.escape(param).tap do |escaped|
+          next unless lowercase_url_encoding
+
+          escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
+        end
+      end
+
       # Validate the Signature parameter sent on the HTTP-Redirect binding
       # @param params [Hash] Parameters to be used in the validation process
       # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
@@ -333,8 +343,12 @@ module OneLogin
         end
       end
 
+      def self.set_prefix(value)
+        UUID_PREFIX.replace value
+      end
+
       def self.uuid
-        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+        "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
       end
 
       # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.13.0'
+    VERSION = '1.15.0'
   end
 end

data/lib/xml_security.rb

@@ -177,7 +177,7 @@ module XMLSecurity
 
     def compute_digest(document, digest_algorithm)
       digest = digest_algorithm.digest(document)
-      Base64.encode64(digest).strip!
+      Base64.encode64(digest).strip
     end
 
   end
@@ -216,7 +216,7 @@ module XMLSecurity
         if options[:fingerprint_alg]
           fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
         else
-          fingerprint_alg = OpenSSL::Digest::SHA1.new
+          fingerprint_alg = OpenSSL::Digest.new('SHA1')
         end
         fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 

data/ruby-saml.gemspec

@@ -6,17 +6,17 @@ Gem::Specification.new do |s|
   s.version = OneLogin::RubySaml::VERSION
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["OneLogin LLC"]
+  s.authors = ["SAML Toolkit", "Sixto Martin"]
+  s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
   s.date = Time.now.strftime("%Y-%m-%d")
-  s.description = %q{SAML toolkit for Ruby on Rails}
-  s.email = %q{support@onelogin.com}
+  s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
   s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
     "README.md"
   ]
   s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  s.homepage = %q{https://github.com/onelogin/ruby-saml}
+  s.homepage = %q{https://github.com/saml-toolkit/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -27,12 +27,18 @@ Gem::Specification.new do |s|
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
   if defined?(JRUBY_VERSION)
-    if JRUBY_VERSION < '9.2.0.0'
+    if JRUBY_VERSION < '9.1.7.0'
       s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
       s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
       s.add_runtime_dependency('json', '< 2.3.0')
+    elsif JRUBY_VERSION < '9.2.0.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+    elsif JRUBY_VERSION < '9.3.2.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+      s.add_runtime_dependency('rexml')
     else
-      s.add_runtime_dependency('nokogiri', '>= 1.8.2')
+      s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+      s.add_runtime_dependency('rexml')
     end
   elsif RUBY_VERSION < '1.9'
     s.add_runtime_dependency('uuid')
@@ -41,20 +47,42 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
     s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
-    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+  elsif RUBY_VERSION < '2.5'
+    s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
+    s.add_runtime_dependency('rexml')
+  elsif RUBY_VERSION < '2.6'
+    s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+    s.add_runtime_dependency('rexml')
   else
-    s.add_runtime_dependency('nokogiri', '>= 1.10.5')
+    s.add_runtime_dependency('nokogiri', '>= 1.13.10')
     s.add_runtime_dependency('rexml')
   end
 
-  s.add_development_dependency('coveralls')
+  s.add_development_dependency('simplecov', '<0.22.0')
+  if RUBY_VERSION < '2.4.1'
+    s.add_development_dependency('simplecov-lcov', '<0.8.0')
+  else
+    s.add_development_dependency('simplecov-lcov', '>0.7.0')
+  end
+
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')
-  s.add_development_dependency('rake',     '~> 10')
+
+  if RUBY_VERSION < '2.0'
+    s.add_development_dependency('rake',     '~> 10')
+  else
+    s.add_development_dependency('rake',     '>= 12.3.3')
+  end
+
   s.add_development_dependency('shoulda',  '~> 2.11')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
-  s.add_development_dependency('timecop',  '<= 0.6.0')
+
+  if RUBY_VERSION < '2.1'
+    s.add_development_dependency('timecop',  '<= 0.6.0')
+  else
+    s.add_development_dependency('timecop',  '~> 0.9')
+  end
 
   if defined?(JRUBY_VERSION)
     # All recent versions of JRuby play well with pry

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.15.0
 platform: ruby
 authors:
-- OneLogin LLC
-autorequire: 
+- SAML Toolkit
+- Sixto Martin
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-06 00:00:00.000000000 Z
+date: 2023-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -16,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +40,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -84,16 +99,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
@@ -108,20 +123,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.11'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: systemu
   requirement: !ruby/object:Gem::Requirement
@@ -140,16 +141,16 @@ dependencies:
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -164,8 +165,11 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: SAML toolkit for Ruby on Rails
-email: support@onelogin.com
+description: SAML Ruby toolkit. Add SAML support to your Ruby software using this
+  library
+email:
+- contact@iamdigitalservices.com
+- sixto.martin.garcia@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -217,11 +221,11 @@ files:
 - lib/schemas/xmldsig-core-schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
-homepage: https://github.com/onelogin/ruby-saml
+homepage: https://github.com/saml-toolkit/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -237,9 +241,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.1
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []