ruby-saml 1.14.0 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 045af020626d4568d7d509d0c076f826de5cd57a729816676bd1624980714000
-  data.tar.gz: 74c3609fc7882d772aca5dc47b8baa7edbdae0ecdcfb9ca9502ad0b743b7ac8e
+  metadata.gz: 3ed3b0ab8cb9f9fd8b4e23b34f8ad06fd1e6c6a13d885d34c2f7b385297783b3
+  data.tar.gz: 757dccd6c1418f1128a69c7fdcd95cdd8d8bcac697ae750edb92f058aee50c7f
 SHA512:
-  metadata.gz: eddf856fb0e603d48046306999ad9f0574dfc5155068e047cb0eba3e2a2afbdc120a55ca975382d48093d39be54427ff4e961cacdca7e6fc4b5ab62bfd69c657
-  data.tar.gz: e0b5449786268ea5a058f607d7ad44c6c96856a99c4e027b7c9db7671ebda83e9304c1438b49b030cc3030af3d24d33b0f242ce06ca4963a5a42e95e441982c2
+  metadata.gz: 9cc12490c6b57281677f1db5a5a804c07a9b97f57a86d3b5676b79b36ca28bd7d9971ed3db893b730ff09ab6c03374600d87118949440c4271293bc48333b3d6
+  data.tar.gz: 4c330a53de476f479a22dbe07b18f51e0ebe1dcde834eac9cb65678b8767094e365a0ea043a5e4b09d1cabfa6a8f0c4287f29fffe6e53328b70572a64cefcd04

data/.github/workflows/test.yml

@@ -8,8 +8,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-        ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, '3.1', jruby-9.1.17.0, jruby-9.2.17.0, truffleruby]
+        os: [ubuntu-20.04, macos-latest]
+        ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, 3.1, 3.2, jruby-9.1.17.0, jruby-9.2.17.0, jruby-9.3.2.0, jruby-9.4.0.0, truffleruby]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v2
@@ -23,3 +23,21 @@ jobs:
 
       - name: Run tests
         run: bundle exec rake
+
+      - name: Coveralls
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.github_token }}
+          parallel: true
+          flag-name: run-${{ matrix.ruby-version }}
+
+  finish:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Coveralls Finished
+        uses: coverallsapp/github-action@master
+        with:
+          github-token: ${{ secrets.github_token }}
+          flag-name: run-${{ matrix.ruby-version }}
+          parallel-finished: true

data/CHANGELOG.md

@@ -1,4 +1,12 @@
 # Ruby SAML Changelog
+### 1.15.0 (Jan 04, 2023)
+* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
+* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata 
+* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support idp cert multi with string keys
+* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
+* Add info about new repo, new maintainer, new security contact
+* Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
+
 ### 1.14.0 (Feb 01, 2022)
 * [#627](https://github.com/onelogin/ruby-saml/pull/627) Support escape downcasing for validating SLO Signatures of ADFS/Azure
 * [#633](https://github.com/onelogin/ruby-saml/pull/633) Support ability to change ID prefix

data/LICENSE

@@ -1,4 +1,5 @@
-Copyright (c) 2010-2016 OneLogin, Inc.
+Copyright (c) 2010-2022 OneLogin, Inc.
+Copyright (c) 2023 IAM Digital Services, SL.
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation

data/README.md

@@ -14,7 +14,7 @@ requests from identity providers.
 SAML authorization is a two step process and you are expected to implement support for both.
 
 We created a demo project for Rails 4 that uses the latest version of this library:
-[ruby-saml-example](https://github.com/onelogin/ruby-saml-example)
+[ruby-saml-example](https://github.com/saml-toolkit/ruby-saml-example)
 
 ### Supported Ruby Versions
 
@@ -52,8 +52,7 @@ In addition, the following may work but are untested:
 ## Security Guidelines
 
 If you believe you have discovered a security vulnerability in this gem, please report it
-at https://www.onelogin.com/security with a description. We follow responsible disclosure
-guidelines, and will work with you to quickly find a resolution.
+by mail to the maintainer: sixto.martin.garcia+security@gmail.com
 
 ### Security Warning
 
@@ -87,7 +86,7 @@ Using `Gemfile`
 gem 'ruby-saml', '~> 1.11.0'
 
 # or track master for bleeding-edge
-gem 'ruby-saml', :github => 'onelogin/ruby-saml'
+gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
 ```
 
 Using RubyGems
@@ -392,6 +391,51 @@ The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to
 Those return an Hash instead of a `Settings` object, which may be useful for configuring
 [omniauth-saml](https://github.com/omniauth/omniauth-saml), for instance.
 
+
+### Validating Signature of Metadata and retrieve settings
+
+Right now there is no method at ruby_saml to validate the signature of the metadata that gonna be parsed,
+but it can be done as follows:
+* Download the XML.
+* Validate the Signature, providing the cert.
+* Provide the XML to the parse method if the signature was validated
+
+```
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/idp_metadata_parser"
+
+url = "<url_to_the_metadata>"
+idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+uri = URI.parse(url)
+raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
+http = Net::HTTP.new(uri.host, uri.port)
+if uri.scheme == "https"
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+end
+
+get = Net::HTTP::Get.new(uri.request_uri)
+get.basic_auth uri.user, uri.password if uri.user
+response = http.request(get)
+xml = response.body
+errors = []
+doc = XMLSecurity::SignedDocument.new(xml, errors)
+cert_str = "<include_cert_here>"
+cert = OneLogin::RubySaml::Utils.format_cert("cert_str")
+metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
+valid = doc.validate_document_with_cert(metadata_sign_cert, true)
+if valid
+  settings = idp_metadata_parser.parse(
+    xml,
+    entity_id: "<entity_id_of_the_entity_to_be_retrieved>"
+  )
+else
+  print "Metadata Signarture failed to be verified with the cert provided"
+end
+
+
 ## Retrieving Attributes
 
 If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -39,7 +39,7 @@ module OneLogin
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
         raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
         @login_url = settings.idp_sso_service_url + request_params

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -36,7 +36,7 @@ module OneLogin
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
         raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
         @logout_url = settings.idp_slo_service_url + request_params

data/lib/onelogin/ruby-saml/metadata.rb

@@ -49,7 +49,7 @@ module OneLogin
         root = meta_doc.add_element("md:EntityDescriptor", namespaces)
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
         root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
-        root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z') if valid_until
+        root.attributes["validUntil"] = valid_until.utc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until
         root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
         root
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -741,7 +741,7 @@ module OneLogin
       # @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate_session_expiration(soft = true)
+      def validate_session_expiration
         return true if session_expires_at.nil?
 
         now = Time.now.utc

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -4,7 +4,6 @@ require 'base64'
 require 'nokogiri'
 require 'rexml/document'
 require 'rexml/xpath'
-require 'thread'
 require "onelogin/ruby-saml/error_handling"
 
 # Only supports SAML 2.0
@@ -69,14 +68,14 @@ module OneLogin
           xml = Nokogiri::XML(document.to_s) do |config|
             config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
           end
-        rescue Exception => error
+        rescue StandardError => error
           return false if soft
           raise ValidationError.new("XML load failed: #{error.message}")
         end
 
         SamlMessage.schema.validate(xml).map do |schema_error|
           return false if soft
-          raise ValidationError.new("#{schema_error.message}\n\n#{xml.to_s}")
+          raise ValidationError.new("#{schema_error.message}\n\n#{xml}")
         end
       end
 

data/lib/onelogin/ruby-saml/settings.rb

@@ -20,7 +20,7 @@ module OneLogin
         end
 
         config.each do |k,v|
-          acc = "#{k.to_s}=".to_sym
+          acc = "#{k}=".to_sym
           if respond_to? acc
             value = v.is_a?(Hash) ? v.dup : v
             send(acc, value)
@@ -195,17 +195,13 @@ module OneLogin
 
         certs = {:signing => [], :encryption => [] }
 
-        if idp_cert_multi.key?(:signing) and not idp_cert_multi[:signing].empty?
-          idp_cert_multi[:signing].each do |idp_cert|
-            formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-            certs[:signing].push(OpenSSL::X509::Certificate.new(formatted_cert))
-          end
-        end
+        [:signing, :encryption].each do |type|
+          certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]
+          next if !certs_for_type || certs_for_type.empty?
 
-        if idp_cert_multi.key?(:encryption) and not idp_cert_multi[:encryption].empty?
-          idp_cert_multi[:encryption].each do |idp_cert|
+          certs_for_type.each do |idp_cert|
             formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-            certs[:encryption].push(OpenSSL::X509::Certificate.new(formatted_cert))
+            certs[type].push(OpenSSL::X509::Certificate.new(formatted_cert))
           end
         end
 
@@ -247,7 +243,6 @@ module OneLogin
         OpenSSL::PKey::RSA.new(formatted_private_key)
       end
 
-      private
 
       def idp_binding_from_embed_sign
         security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -41,7 +41,7 @@ module OneLogin
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
-          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          response_params << "&#{key}=#{CGI.escape(value.to_s)}"
         end
 
         raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.14.0'
+    VERSION = '1.15.0'
   end
 end

data/lib/xml_security.rb

@@ -177,7 +177,7 @@ module XMLSecurity
 
     def compute_digest(document, digest_algorithm)
       digest = digest_algorithm.digest(document)
-      Base64.encode64(digest).strip!
+      Base64.encode64(digest).strip
     end
 
   end
@@ -216,7 +216,7 @@ module XMLSecurity
         if options[:fingerprint_alg]
           fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
         else
-          fingerprint_alg = OpenSSL::Digest::SHA1.new
+          fingerprint_alg = OpenSSL::Digest.new('SHA1')
         end
         fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 

data/ruby-saml.gemspec

@@ -6,17 +6,17 @@ Gem::Specification.new do |s|
   s.version = OneLogin::RubySaml::VERSION
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["OneLogin LLC"]
+  s.authors = ["SAML Toolkit", "Sixto Martin"]
+  s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
   s.date = Time.now.strftime("%Y-%m-%d")
-  s.description = %q{SAML toolkit for Ruby on Rails}
-  s.email = %q{support@onelogin.com}
+  s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
   s.license = 'MIT'
   s.extra_rdoc_files = [
     "LICENSE",
     "README.md"
   ]
   s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  s.homepage = %q{https://github.com/onelogin/ruby-saml}
+  s.homepage = %q{https://github.com/saml-toolkit/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -27,12 +27,18 @@ Gem::Specification.new do |s|
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
   if defined?(JRUBY_VERSION)
-    if JRUBY_VERSION < '9.2.0.0'
+    if JRUBY_VERSION < '9.1.7.0'
       s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
       s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
       s.add_runtime_dependency('json', '< 2.3.0')
+    elsif JRUBY_VERSION < '9.2.0.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+    elsif JRUBY_VERSION < '9.3.2.0'
+      s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+      s.add_runtime_dependency('rexml')
     else
-      s.add_runtime_dependency('nokogiri', '>= 1.8.2')
+      s.add_runtime_dependency('nokogiri', '>= 1.13.10')
+      s.add_runtime_dependency('rexml')
     end
   elsif RUBY_VERSION < '1.9'
     s.add_runtime_dependency('uuid')
@@ -42,17 +48,34 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('json', '< 2.3.0')
   elsif RUBY_VERSION < '2.3'
     s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
+  elsif RUBY_VERSION < '2.5'
+    s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
+    s.add_runtime_dependency('rexml')
+  elsif RUBY_VERSION < '2.6'
+    s.add_runtime_dependency('nokogiri', '>= 1.11.4')
+    s.add_runtime_dependency('rexml')
   else
-    s.add_runtime_dependency('nokogiri', '>= 1.10.5')
+    s.add_runtime_dependency('nokogiri', '>= 1.13.10')
     s.add_runtime_dependency('rexml')
   end
 
-  s.add_development_dependency('coveralls')
+  s.add_development_dependency('simplecov', '<0.22.0')
+  if RUBY_VERSION < '2.4.1'
+    s.add_development_dependency('simplecov-lcov', '<0.8.0')
+  else
+    s.add_development_dependency('simplecov-lcov', '>0.7.0')
+  end
+
   s.add_development_dependency('minitest', '~> 5.5')
   s.add_development_dependency('mocha',    '~> 0.14')
-  s.add_development_dependency('rake',     '~> 10')
+
+  if RUBY_VERSION < '2.0'
+    s.add_development_dependency('rake',     '~> 10')
+  else
+    s.add_development_dependency('rake',     '>= 12.3.3')
+  end
+
   s.add_development_dependency('shoulda',  '~> 2.11')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('systemu',  '~> 2')
 
   if RUBY_VERSION < '2.1'

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.15.0
 platform: ruby
 authors:
-- OneLogin LLC
-autorequire: 
+- SAML Toolkit
+- Sixto Martin
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-01 00:00:00.000000000 Z
+date: 2023-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -16,14 +17,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.5
+        version: 1.13.10
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +40,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: simplecov-lcov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -84,16 +99,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: shoulda
   requirement: !ruby/object:Gem::Requirement
@@ -108,20 +123,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.11'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: systemu
   requirement: !ruby/object:Gem::Requirement
@@ -164,8 +165,11 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: SAML toolkit for Ruby on Rails
-email: support@onelogin.com
+description: SAML Ruby toolkit. Add SAML support to your Ruby software using this
+  library
+email:
+- contact@iamdigitalservices.com
+- sixto.martin.garcia@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -217,11 +221,11 @@ files:
 - lib/schemas/xmldsig-core-schema.xsd
 - lib/xml_security.rb
 - ruby-saml.gemspec
-homepage: https://github.com/onelogin/ruby-saml
+homepage: https://github.com/saml-toolkit/ruby-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -237,8 +241,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
-signing_key: 
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit
 test_files: []