ruby-saml 1.13.0 → 1.17.0

data/lib/onelogin/ruby-saml/utils.rb

@@ -32,17 +32,26 @@ module OneLogin
           (\d+)W                    # 8: Weeks
         )
       $)x.freeze
+      UUID_PREFIX = '_'
 
-      # Checks if the x509 cert provided is expired
-      #
-      # @param cert [Certificate] The x509 certificate
+      # Checks if the x509 cert provided is expired.
       #
+      # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+      # @return [true|false] Whether the certificate is expired.
       def self.is_cert_expired(cert)
-        if cert.is_a?(String)
-          cert = OpenSSL::X509::Certificate.new(cert)
-        end
+        cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
+
+        cert.not_after < Time.now
+      end
 
-        return cert.not_after < Time.now
+      # Checks if the x509 cert provided has both started and has not expired.
+      #
+      # @param cert [OpenSSL::X509::Certificate|String] The x509 certificate.
+      # @return [true|false] Whether the certificate is currently active.
+      def self.is_cert_active(cert)
+        cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
+        now = Time.now
+        cert.not_before <= now && cert.not_after >= now
       end
 
       # Interprets a ISO8601 duration value relative to a given timestamp.
@@ -60,20 +69,26 @@ module OneLogin
         matches = duration.match(DURATION_FORMAT)
 
         if matches.nil?
-          raise Exception.new("Invalid ISO 8601 duration")
+          raise StandardError.new("Invalid ISO 8601 duration")
         end
 
         sign = matches[1] == '-' ? -1 : 1
 
         durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
-          matches[2..8].map { |match| match ? sign * match.tr(',', '.').to_f : 0.0 }
-
-        initial_datetime = Time.at(timestamp).utc.to_datetime
-        final_datetime = initial_datetime.next_year(durYears)
-        final_datetime = final_datetime.next_month(durMonths)
-        final_datetime = final_datetime.next_day((7*durWeeks) + durDays)
-        final_timestamp = final_datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
-        return final_timestamp
+          matches[2..8].map do |match|
+            if match
+              match = match.tr(',', '.').gsub(/\.0*\z/, '')
+              sign * (match.include?('.') ? match.to_f : match.to_i)
+            else
+              0
+            end
+          end
+
+        datetime = Time.at(timestamp).utc.to_datetime
+        datetime = datetime.next_year(durYears)
+        datetime = datetime.next_month(durMonths)
+        datetime = datetime.next_day((7*durWeeks) + durDays)
+        datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
       end
 
       # Return a properly formatted x509 certificate
@@ -127,6 +142,28 @@ module OneLogin
         "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
       end
 
+      # Given a certificate string, return an OpenSSL::X509::Certificate object.
+      #
+      # @param cert [String] The original certificate
+      # @return [OpenSSL::X509::Certificate] The certificate object
+      #
+      def self.build_cert_object(cert)
+        return nil if cert.nil? || cert.empty?
+
+        OpenSSL::X509::Certificate.new(format_cert(cert))
+      end
+
+      # Given a private key string, return an OpenSSL::PKey::RSA object.
+      #
+      # @param cert [String] The original private key
+      # @return [OpenSSL::PKey::RSA] The private key object
+      #
+      def self.build_private_key_object(private_key)
+        return nil if private_key.nil? || private_key.empty?
+
+        OpenSSL::PKey::RSA.new(format_private_key(private_key))
+      end
+
       # Build the Query String signature that will be used in the HTTP-Redirect binding
       # to generate the Signature
       # @param params [Hash] Parameters to build the Query String
@@ -166,30 +203,39 @@ module OneLogin
       #
       # @param rawparams [Hash] Raw GET Parameters
       # @param params [Hash] GET Parameters
+      # @param lowercase_url_encoding [bool] Lowercase URL Encoding  (For ADFS urlencode compatiblity)
       # @return [Hash] New raw parameters
       #
-      def self.prepare_raw_get_params(rawparams, params)
+      def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
         rawparams ||= {}
 
         if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
-          rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
+          rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
         end
         if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
-          rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
+          rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
         end
         if rawparams['RelayState'].nil? && !params['RelayState'].nil?
-          rawparams['RelayState'] = CGI.escape(params['RelayState'])
+          rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
         end
         if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
-          rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
+          rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
         end
 
         rawparams
       end
 
+      def self.escape_request_param(param, lowercase_url_encoding)
+        CGI.escape(param).tap do |escaped|
+          next unless lowercase_url_encoding
+
+          escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
+        end
+      end
+
       # Validate the Signature parameter sent on the HTTP-Redirect binding
       # @param params [Hash] Parameters to be used in the validation process
-      # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
+      # @option params [OpenSSL::X509::Certificate] cert The IDP public certificate
       # @option params [String] sig_alg The SigAlg parameter
       # @option params [String] signature The Signature parameter (base64 encoded)
       # @option params [String] query_string The full GET Query String to be compared
@@ -226,9 +272,29 @@ module OneLogin
         error_msg
       end
 
+      # Obtains the decrypted string from an Encrypted node element in XML,
+      # given multiple private keys to try.
+      # @param encrypted_node [REXML::Element] The Encrypted element
+      # @param private_keys [Array<OpenSSL::PKey::RSA>] The Service provider private key
+      # @return [String] The decrypted data
+      def self.decrypt_multi(encrypted_node, private_keys)
+        raise ArgumentError.new('private_keys must be specified') if !private_keys || private_keys.empty?
+
+        error = nil
+        private_keys.each do |key|
+          begin
+            return decrypt_data(encrypted_node, key)
+          rescue OpenSSL::PKey::PKeyError => e
+            error ||= e
+          end
+        end
+
+        raise(error) if error
+      end
+
       # Obtains the decrypted string from an Encrypted node element in XML
-      # @param encrypted_node [REXML::Element]     The Encrypted element
-      # @param private_key    [OpenSSL::PKey::RSA] The Service provider private key
+      # @param encrypted_node [REXML::Element] The Encrypted element
+      # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
       # @return [String] The decrypted data
       def self.decrypt_data(encrypted_node, private_key)
         encrypt_data = REXML::XPath.first(
@@ -292,7 +358,7 @@ module OneLogin
 
       # Obtains the deciphered text
       # @param cipher_text [String]   The ciphered text
-      # @param symmetric_key [String] The symetric key used to encrypt the text
+      # @param symmetric_key [String] The symmetric key used to encrypt the text
       # @param algorithm [String]     The encrypted algorithm
       # @return [String] The deciphered text
       def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
@@ -333,8 +399,12 @@ module OneLogin
         end
       end
 
+      def self.set_prefix(value)
+        UUID_PREFIX.replace value
+      end
+
       def self.uuid
-        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+        "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
       end
 
       # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.13.0'
+    VERSION = '1.17.0'
   end
 end

data/lib/xml_security.rb

@@ -177,7 +177,7 @@ module XMLSecurity
 
     def compute_digest(document, digest_algorithm)
       digest = digest_algorithm.digest(document)
-      Base64.encode64(digest).strip!
+      Base64.encode64(digest).strip
     end
 
   end
@@ -216,7 +216,7 @@ module XMLSecurity
         if options[:fingerprint_alg]
           fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
         else
-          fingerprint_alg = OpenSSL::Digest::SHA1.new
+          fingerprint_alg = OpenSSL::Digest.new('SHA1')
         end
         fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 
@@ -310,17 +310,30 @@ module XMLSecurity
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
+      # get signed info
+      signed_info_element = REXML::XPath.first(
+        sig_element,
+        "./ds:SignedInfo",
+        { "ds" => DSIG }
+      )
+
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
       # check digests
-      ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
+      ref = REXML::XPath.first(signed_info_element, "./ds:Reference", {"ds"=>DSIG})
 
-      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+
+      if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
+        return append_error("Digest mismatch. Duplicated ID found", soft)
+      end
+
+      hashed_element = reference_nodes[0]
 
       canon_algorithm = canon_algorithm REXML::XPath.first(
-        ref,
-        '//ds:CanonicalizationMethod',
+        signed_info_element,
+        './ds:CanonicalizationMethod',
         { "ds" => DSIG }
       )
 
@@ -330,13 +343,13 @@ module XMLSecurity
 
       digest_algorithm = algorithm(REXML::XPath.first(
         ref,
-        "//ds:DigestMethod",
+        "./ds:DigestMethod",
         { "ds" => DSIG }
       ))
       hash = digest_algorithm.digest(canon_hashed_element)
       encoded_digest_value = REXML::XPath.first(
         ref,
-        "//ds:DigestValue",
+        "./ds:DigestValue",
         { "ds" => DSIG }
       )
       digest_value = Base64.decode64(OneLogin::RubySaml::Utils.element_text(encoded_digest_value))
@@ -362,7 +375,7 @@ module XMLSecurity
     def process_transforms(ref, canon_algorithm)
       transforms = REXML::XPath.match(
         ref,
-        "//ds:Transforms/ds:Transform",
+        "./ds:Transforms/ds:Transform",
         { "ds" => DSIG }
       )
 

data/ruby-saml.gemspec

@@ -6,17 +6,17 @@ Gem::Specification.new do |s|
   s.version = OneLogin::RubySaml::VERSION
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["OneLogin LLC"]
+  s.authors = ["SAML Toolkit", "Sixto Martin"]
+  s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
   s.date = Time.now.strftime("%Y-%m-%d")
-  s.description = %q{SAML toolkit for Ruby on Rails}
-  s.email = %q{support@onelogin.com}
+  s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
   s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
     "README.md"
   ]
   s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  s.homepage = %q{https://github.com/onelogin/ruby-saml}
+  s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -27,12 +27,18 @@ Gem::Specification.new do |s|
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
   if defined?(JRUBY_VERSION)
-    if JRUBY_VERSION < '9.2.0.0'
+    if JRUBY_VERSION < '9.1.7.0'
       s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
       s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
       s.add_runtime_dependency('json', '< 2.3.0')
+    elsif JRUBY_VERSION < '9.2.0.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+    elsif JRUBY_VERSION < '9.3.2.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+      s.add_runtime_dependency('rexml')
     else
-      s.add_runtime_dependency('nokogiri', '>= 1.8.2')
+      s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+      s.add_runtime_dependency('rexml')
     end
   elsif RUBY_VERSION < '1.9'
     s.add_runtime_dependency('uuid')
@@ -41,20 +47,42 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
     s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
-    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
+    s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+  elsif RUBY_VERSION < '2.5'
+    s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
+    s.add_runtime_dependency('rexml')
+  elsif RUBY_VERSION < '2.6'
+    s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+    s.add_runtime_dependency('rexml')
   else
-    s.add_runtime_dependency('nokogiri', '>= 1.10.5')
+    s.add_runtime_dependency('nokogiri', '>= 1.13.10')
     s.add_runtime_dependency('rexml')
   end
 
-  s.add_development_dependency('coveralls')
-  s.add_development_dependency('minitest', '~> 5.5')
+  s.add_development_dependency('simplecov', '<0.22.0')
+  if RUBY_VERSION < '2.4.1'
+    s.add_development_dependency('simplecov-lcov', '<0.8.0')
+  else
+    s.add_development_dependency('simplecov-lcov', '>0.7.0')
+  end
+
+  s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
   s.add_development_dependency('mocha',    '~> 0.14')
-  s.add_development_dependency('rake',     '~> 10')
+
+  if RUBY_VERSION < '2.0'
+    s.add_development_dependency('rake',     '~> 10')
+  else
+    s.add_development_dependency('rake',     '>= 12.3.3')
+  end
+
   s.add_development_dependency('shoulda',  '~> 2.11')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
-  s.add_development_dependency('timecop',  '<= 0.6.0')
+
+  if RUBY_VERSION < '2.1'
+    s.add_development_dependency('timecop',  '<= 0.6.0')
+  else
+    s.add_development_dependency('timecop',  '~> 0.9')
+  end
 
   if defined?(JRUBY_VERSION)
     # All recent versions of JRuby play well with pry

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.17.0
 platform: ruby
 authors:
-- OneLogin LLC
-autorequire: 
+- SAML Toolkit
+- Sixto Martin
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-06 00:00:00.000000000 Z
+date: 2024-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -16,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +40,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -59,6 +74,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 5.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -66,6 +84,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 5.19.0
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -84,16 +105,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
@@ -108,20 +129,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.11'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: systemu
   requirement: !ruby/object:Gem::Requirement
@@ -140,16 +147,16 @@ dependencies:
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -164,8 +171,11 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: SAML toolkit for Ruby on Rails
-email: support@onelogin.com
+description: SAML Ruby toolkit. Add SAML support to your Ruby software using this
+  library
+email:
+- contact@iamdigitalservices.com
+- sixto.martin.garcia@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -173,6 +183,7 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/FUNDING.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
 - CHANGELOG.md
@@ -217,11 +228,11 @@ files:
 - lib/schemas/xmldsig-core-schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
-homepage: https://github.com/onelogin/ruby-saml
+homepage: https://github.com/saml-toolkits/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -237,9 +248,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.1
-signing_key: 
+rubygems_version: 3.5.18
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []