ruby-saml 1.14.0 → 1.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/test.yml +20 -2
- data/CHANGELOG.md +12 -1
- data/LICENSE +2 -1
- data/README.md +78 -7
- data/lib/onelogin/ruby-saml/authrequest.rb +1 -1
- data/lib/onelogin/ruby-saml/logoutrequest.rb +1 -1
- data/lib/onelogin/ruby-saml/metadata.rb +1 -1
- data/lib/onelogin/ruby-saml/response.rb +1 -1
- data/lib/onelogin/ruby-saml/saml_message.rb +2 -3
- data/lib/onelogin/ruby-saml/settings.rb +6 -11
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +38 -7
- data/lib/onelogin/ruby-saml/slo_logoutresponse.rb +1 -1
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/lib/xml_security.rb +2 -2
- data/ruby-saml.gemspec +34 -11
- metadata +45 -35
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e3094dc9c1e3692dddfc40adc2a4c305fae0be74bcd28b296f231ece4fe89334
|
|
4
|
+
data.tar.gz: 1f47dcbd970af95d58049bdd7f8bfed6a5bf8a72a90c1938b2b8ef2a0d5dd05f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52ea3c1013e7b42b2e30c42bfbfd38bee0457d7bd630df94fcb9e9bc7db126e6981308af877a9b4c475e563a10159a0612d38d79458f289341730a496adeb77a
|
|
7
|
+
data.tar.gz: e85c81f6fb8610793707c70c6dee09b4fe2053f307a7a2827df08038bc54b6250b77dfa3cf30d33d0029899aff1b82740347292df691a5e8757c3966058e842b
|
data/.github/workflows/test.yml
CHANGED
|
@@ -8,8 +8,8 @@ jobs:
|
|
|
8
8
|
strategy:
|
|
9
9
|
fail-fast: false
|
|
10
10
|
matrix:
|
|
11
|
-
os: [ubuntu-
|
|
12
|
-
ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1,
|
|
11
|
+
os: [ubuntu-20.04, macos-latest]
|
|
12
|
+
ruby-version: [2.1.9, 2.2.10, 2.3.8, 2.4.6, 2.5.8, 2.6.6, 2.7.2, 3.0.1, 3.1, 3.2, jruby-9.1.17.0, jruby-9.2.17.0, jruby-9.3.2.0, jruby-9.4.0.0, truffleruby]
|
|
13
13
|
runs-on: ${{ matrix.os }}
|
|
14
14
|
steps:
|
|
15
15
|
- uses: actions/checkout@v2
|
|
@@ -23,3 +23,21 @@ jobs:
|
|
|
23
23
|
|
|
24
24
|
- name: Run tests
|
|
25
25
|
run: bundle exec rake
|
|
26
|
+
|
|
27
|
+
- name: Coveralls
|
|
28
|
+
uses: coverallsapp/github-action@master
|
|
29
|
+
with:
|
|
30
|
+
github-token: ${{ secrets.github_token }}
|
|
31
|
+
parallel: true
|
|
32
|
+
flag-name: run-${{ matrix.ruby-version }}
|
|
33
|
+
|
|
34
|
+
finish:
|
|
35
|
+
needs: test
|
|
36
|
+
runs-on: ubuntu-latest
|
|
37
|
+
steps:
|
|
38
|
+
- name: Coveralls Finished
|
|
39
|
+
uses: coverallsapp/github-action@master
|
|
40
|
+
with:
|
|
41
|
+
github-token: ${{ secrets.github_token }}
|
|
42
|
+
flag-name: run-${{ matrix.ruby-version }}
|
|
43
|
+
parallel-finished: true
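Review bot: The `finish` job's Coveralls step sets `flag-name: run-${{ matrix.ruby-version }}`, but that job declares no `strategy.matrix`, so the expression expands to empty and the flag is just `run-`; drop the `flag-name` line from the finish step (`parallel-finished: true` is the only input it needs) and keep the flag on the per-matrix `test` step where `matrix.ruby-version` is in scope. Both new Coveralls steps reference `coverallsapp/github-action@master`, a moving branch rather than an immutable ref; from a supply-chain standpoint pin the action to a release tag or, better, a full commit SHA, and the `actions/checkout@v2` left in context deserves the same treatment. The matrix entries `3.1` and `3.2` are unquoted and are parsed as YAML floats that only coincidentally round-trip to the intended strings; quoting them (`"3.1"`, `"3.2"`) avoids the `3.10`-to-`3.1` truncation when the next Ruby is added to the list.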
|
data/CHANGELOG.md
CHANGED
|
@@ -1,4 +1,15 @@
|
|
|
1
1
|
# Ruby SAML Changelog
|
|
2
|
+
### 1.16.0 (Oct 09, 2023)
|
|
3
|
+
* [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
|
|
4
|
+
|
|
5
|
+
### 1.15.0 (Jan 04, 2023)
|
|
6
|
+
* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
|
|
7
|
+
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
|
|
8
|
+
* [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support idp cert multi with string keys
|
|
9
|
+
* [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
|
|
10
|
+
* Add info about new repo, new maintainer, new security contact
|
|
11
|
+
* Fix tests, Adjust dependencies, Add ruby 3.2 and new jruby versions tests to the CI. Add coveralls support
|
|
12
|
+
|
|
2
13
|
### 1.14.0 (Feb 01, 2022)
|
|
3
14
|
* [#627](https://github.com/onelogin/ruby-saml/pull/627) Support escape downcasing for validating SLO Signatures of ADFS/Azure
|
|
4
15
|
* [#633](https://github.com/onelogin/ruby-saml/pull/633) Support ability to change ID prefix
|
|
@@ -39,7 +50,7 @@
|
|
|
39
50
|
* Support Process Transform
|
|
40
51
|
* Raise SettingError if invoking an action with no endpoint defined on the settings
|
|
41
52
|
* Made IdpMetadataParser more extensible for subclasses
|
|
42
|
-
*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
53
|
+
* [#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
43
54
|
* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
|
|
44
55
|
* Improve documentation
|
|
45
56
|
|
data/LICENSE
CHANGED
data/README.md
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# Ruby SAML
|
|
2
|
-
[](https://github.com/SAML-Toolkits/ruby-saml/actions/workflows/test.yml)
|
|
3
|
+
[](https://coveralls.io/github/SAML-Toolkits/ruby-saml?branch=master)
|
|
4
|
+
[](https://badge.fury.io/rb/ruby-saml)
|
|
5
|
+
[](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml)   
|
|
4
6
|
|
|
5
7
|
Ruby SAML minor and tiny versions may introduce breaking changes. Please read
|
|
6
8
|
[UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
|
|
@@ -14,7 +16,7 @@ requests from identity providers.
|
|
|
14
16
|
SAML authorization is a two step process and you are expected to implement support for both.
|
|
15
17
|
|
|
16
18
|
We created a demo project for Rails 4 that uses the latest version of this library:
|
|
17
|
-
[ruby-saml-example](https://github.com/
|
|
19
|
+
[ruby-saml-example](https://github.com/saml-toolkits/ruby-saml-example)
|
|
18
20
|
|
|
19
21
|
### Supported Ruby Versions
|
|
20
22
|
|
|
@@ -28,8 +30,12 @@ The following Ruby versions are covered by CI testing:
|
|
|
28
30
|
* 2.6.x
|
|
29
31
|
* 2.7.x
|
|
30
32
|
* 3.0.x
|
|
33
|
+
* 3.1
|
|
34
|
+
* 3.2
|
|
31
35
|
* JRuby 9.1.x
|
|
32
36
|
* JRuby 9.2.x
|
|
37
|
+
* JRuby 9.3.X
|
|
38
|
+
* JRuby 9.4.0
|
|
33
39
|
* TruffleRuby (latest)
|
|
34
40
|
|
|
35
41
|
In addition, the following may work but are untested:
|
|
@@ -52,8 +58,7 @@ In addition, the following may work but are untested:
|
|
|
52
58
|
## Security Guidelines
|
|
53
59
|
|
|
54
60
|
If you believe you have discovered a security vulnerability in this gem, please report it
|
|
55
|
-
|
|
56
|
-
guidelines, and will work with you to quickly find a resolution.
|
|
61
|
+
by mail to the maintainer: sixto.martin.garcia+security@gmail.com
|
|
57
62
|
|
|
58
63
|
### Security Warning
|
|
59
64
|
|
|
@@ -87,7 +92,7 @@ Using `Gemfile`
|
|
|
87
92
|
gem 'ruby-saml', '~> 1.11.0'
|
|
88
93
|
|
|
89
94
|
# or track master for bleeding-edge
|
|
90
|
-
gem 'ruby-saml', :github => '
|
|
95
|
+
gem 'ruby-saml', :github => 'saml-toolkit/ruby-saml'
|
|
91
96
|
```
|
|
92
97
|
|
|
93
98
|
Using RubyGems
|
|
@@ -386,12 +391,78 @@ IdpMetadataParser by its Entity Id value:
|
|
|
386
391
|
)
|
|
387
392
|
```
|
|
388
393
|
|
|
394
|
+
### Retrieve one Entity Descriptor with an specific binding and nameid format when several are available
|
|
395
|
+
|
|
396
|
+
If the Metadata contains several bindings and nameids, the relevant ones
|
|
397
|
+
also can be specified when retrieving the settings from the IdpMetadataParser
|
|
398
|
+
by the values of binding and nameid:
|
|
399
|
+
|
|
400
|
+
```ruby
|
|
401
|
+
validate_cert = true
|
|
402
|
+
options = {
|
|
403
|
+
entity_id: "http//example.com/target/entity",
|
|
404
|
+
name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
405
|
+
sso_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
|
|
406
|
+
slo_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
407
|
+
}
|
|
408
|
+
settings = idp_metadata_parser.parse_remote(
|
|
409
|
+
"https://example.com/auth/saml2/idp/metadata",
|
|
410
|
+
validate_cert,
|
|
411
|
+
options
|
|
412
|
+
)
|
|
413
|
+
```
|
|
414
|
+
|
|
389
415
|
### Parsing Metadata into an Hash
|
|
390
416
|
|
|
391
417
|
The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to_hash` and `#parse_remote_to_hash`.
|
|
392
418
|
Those return an Hash instead of a `Settings` object, which may be useful for configuring
|
|
393
419
|
[omniauth-saml](https://github.com/omniauth/omniauth-saml), for instance.
|
|
394
420
|
|
|
421
|
+
|
|
422
|
+
### Validating Signature of Metadata and retrieve settings
|
|
423
|
+
|
|
424
|
+
Right now there is no method at ruby_saml to validate the signature of the metadata that gonna be parsed,
|
|
425
|
+
but it can be done as follows:
|
|
426
|
+
* Download the XML.
|
|
427
|
+
* Validate the Signature, providing the cert.
|
|
428
|
+
* Provide the XML to the parse method if the signature was validated
|
|
429
|
+
|
|
430
|
+
```ruby
|
|
431
|
+
require "xml_security"
|
|
432
|
+
require "onelogin/ruby-saml/utils"
|
|
433
|
+
require "onelogin/ruby-saml/idp_metadata_parser"
|
|
434
|
+
|
|
435
|
+
url = "<url_to_the_metadata>"
|
|
436
|
+
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
|
|
437
|
+
|
|
438
|
+
uri = URI.parse(url)
|
|
439
|
+
raise ArgumentError.new("url must begin with http or https") unless /^https?/ =~ uri.scheme
|
|
440
|
+
http = Net::HTTP.new(uri.host, uri.port)
|
|
441
|
+
if uri.scheme == "https"
|
|
442
|
+
http.use_ssl = true
|
|
443
|
+
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
|
|
444
|
+
end
|
|
445
|
+
|
|
446
|
+
get = Net::HTTP::Get.new(uri.request_uri)
|
|
447
|
+
get.basic_auth uri.user, uri.password if uri.user
|
|
448
|
+
response = http.request(get)
|
|
449
|
+
xml = response.body
|
|
450
|
+
errors = []
|
|
451
|
+
doc = XMLSecurity::SignedDocument.new(xml, errors)
|
|
452
|
+
cert_str = "<include_cert_here>"
|
|
453
|
+
cert = OneLogin::RubySaml::Utils.format_cert("cert_str")
|
|
454
|
+
metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
|
|
455
|
+
valid = doc.validate_document_with_cert(metadata_sign_cert, true)
|
|
456
|
+
if valid
|
|
457
|
+
settings = idp_metadata_parser.parse(
|
|
458
|
+
xml,
|
|
459
|
+
entity_id: "<entity_id_of_the_entity_to_be_retrieved>"
|
|
460
|
+
)
|
|
461
|
+
else
|
|
462
|
+
print "Metadata Signarture failed to be verified with the cert provided"
|
|
463
|
+
end
|
|
464
|
+
```
|
|
465
|
+
|
|
395
466
|
## Retrieving Attributes
|
|
396
467
|
|
|
397
468
|
If you are using `saml:AttributeStatement` to transfer data like the username, you can access all the attributes through `response.attributes`. It contains all the `saml:AttributeStatement`s with its 'Name' as an indifferent key and one or more `saml:AttributeValue`s as values. The value returned depends on the value of the
|
|
@@ -627,7 +698,7 @@ signature validation process will fail at the Identity Provider.
|
|
|
627
698
|
Ruby SAML supports EncryptedAssertion. The Identity Provider will encrypt the Assertion with the
|
|
628
699
|
public cert of the Service Provider. The Service Provider will decrypt the EncryptedAssertion with its private key.
|
|
629
700
|
|
|
630
|
-
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="
|
|
701
|
+
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="encryption">` to your
|
|
631
702
|
SP Metadata XML, to be read by the IdP.
|
|
632
703
|
|
|
633
704
|
```ruby
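Review bot: In the new "Validating Signature of Metadata" example, `cert = OneLogin::RubySaml::Utils.format_cert("cert_str")` passes the literal string `"cert_str"` instead of the `cert_str` variable assigned on the previous line, so the example as written raises at `OpenSSL::X509::Certificate.new` rather than verifying anything; change it to `cert = OneLogin::RubySaml::Utils.format_cert(cert_str)`. The snippet also uses `URI`, `Net::HTTP` and `OpenSSL` without requiring them (`require "net/http"` and `require "openssl"` alongside the three requires shown), and the failure message misspells "Signature" as `Signarture`. Because this section exists to show that settings are only built from metadata whose signature verified, the `else` branch should fail closed — raise rather than `print` — so a reader copying the pattern cannot continue with unverified metadata.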
|
|
@@ -39,7 +39,7 @@ module OneLogin
|
|
|
39
39
|
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
|
40
40
|
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
|
41
41
|
params.each_pair do |key, value|
|
|
42
|
-
request_params << "&#{key
|
|
42
|
+
request_params << "&#{key}=#{CGI.escape(value.to_s)}"
|
|
43
43
|
end
|
|
44
44
|
raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
|
|
45
45
|
@login_url = settings.idp_sso_service_url + request_params
|
|
@@ -36,7 +36,7 @@ module OneLogin
|
|
|
36
36
|
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
|
37
37
|
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
|
38
38
|
params.each_pair do |key, value|
|
|
39
|
-
request_params << "&#{key
|
|
39
|
+
request_params << "&#{key}=#{CGI.escape(value.to_s)}"
|
|
40
40
|
end
|
|
41
41
|
raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
|
|
42
42
|
@logout_url = settings.idp_slo_service_url + request_params
|
|
@@ -49,7 +49,7 @@ module OneLogin
|
|
|
49
49
|
root = meta_doc.add_element("md:EntityDescriptor", namespaces)
|
|
50
50
|
root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
|
|
51
51
|
root.attributes["entityID"] = settings.sp_entity_id if settings.sp_entity_id
|
|
52
|
-
root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%
|
|
52
|
+
root.attributes["validUntil"] = valid_until.utc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until
|
|
53
53
|
root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S" if cache_duration
|
|
54
54
|
root
|
|
55
55
|
end
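Review bot: `valid_until.utc` on new line 52 converts the receiver in place — `Time#utc` mutates `self` to UTC instead of returning a copy — so the caller's `valid_until` object is silently changed as a side effect of generating metadata; use the non-mutating form, `root.attributes["validUntil"] = valid_until.getutc.strftime('%Y-%m-%dT%H:%M:%SZ') if valid_until`. The enclosing method's signature is outside the hunk, so I cannot tell whether `valid_until` is guaranteed to be a `Time`; if a `DateTime` can reach this line neither `utc` nor `getutc` exists on it and the call raises, which is worth either a `to_time` conversion or a documented `Time`-only contract on the parameter.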
|
|
@@ -741,7 +741,7 @@ module OneLogin
|
|
|
741
741
|
# @return [Boolean] True if the SessionNotOnOrAfter of the AuthnStatement is valid, otherwise (when expired) False if soft=True
|
|
742
742
|
# @raise [ValidationError] if soft == false and validation fails
|
|
743
743
|
#
|
|
744
|
-
def validate_session_expiration
|
|
744
|
+
def validate_session_expiration
|
|
745
745
|
return true if session_expires_at.nil?
|
|
746
746
|
|
|
747
747
|
now = Time.now.utc
|
|
@@ -4,7 +4,6 @@ require 'base64'
|
|
|
4
4
|
require 'nokogiri'
|
|
5
5
|
require 'rexml/document'
|
|
6
6
|
require 'rexml/xpath'
|
|
7
|
-
require 'thread'
|
|
8
7
|
require "onelogin/ruby-saml/error_handling"
|
|
9
8
|
|
|
10
9
|
# Only supports SAML 2.0
|
|
@@ -69,14 +68,14 @@ module OneLogin
|
|
|
69
68
|
xml = Nokogiri::XML(document.to_s) do |config|
|
|
70
69
|
config.options = XMLSecurity::BaseDocument::NOKOGIRI_OPTIONS
|
|
71
70
|
end
|
|
72
|
-
rescue
|
|
71
|
+
rescue StandardError => error
|
|
73
72
|
return false if soft
|
|
74
73
|
raise ValidationError.new("XML load failed: #{error.message}")
|
|
75
74
|
end
|
|
76
75
|
|
|
77
76
|
SamlMessage.schema.validate(xml).map do |schema_error|
|
|
78
77
|
return false if soft
|
|
79
|
-
raise ValidationError.new("#{schema_error.message}\n\n#{xml
|
|
78
|
+
raise ValidationError.new("#{schema_error.message}\n\n#{xml}")
|
|
80
79
|
end
|
|
81
80
|
end
|
|
82
81
|
|
|
@@ -20,7 +20,7 @@ module OneLogin
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
config.each do |k,v|
|
|
23
|
-
acc = "#{k
|
|
23
|
+
acc = "#{k}=".to_sym
|
|
24
24
|
if respond_to? acc
|
|
25
25
|
value = v.is_a?(Hash) ? v.dup : v
|
|
26
26
|
send(acc, value)
|
|
@@ -195,17 +195,13 @@ module OneLogin
|
|
|
195
195
|
|
|
196
196
|
certs = {:signing => [], :encryption => [] }
|
|
197
197
|
|
|
198
|
-
|
|
199
|
-
idp_cert_multi[
|
|
200
|
-
|
|
201
|
-
certs[:signing].push(OpenSSL::X509::Certificate.new(formatted_cert))
|
|
202
|
-
end
|
|
203
|
-
end
|
|
198
|
+
[:signing, :encryption].each do |type|
|
|
199
|
+
certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]
|
|
200
|
+
next if !certs_for_type || certs_for_type.empty?
|
|
204
201
|
|
|
205
|
-
|
|
206
|
-
idp_cert_multi[:encryption].each do |idp_cert|
|
|
202
|
+
certs_for_type.each do |idp_cert|
|
|
207
203
|
formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
|
|
208
|
-
certs[
|
|
204
|
+
certs[type].push(OpenSSL::X509::Certificate.new(formatted_cert))
|
|
209
205
|
end
|
|
210
206
|
end
|
|
211
207
|
|
|
@@ -247,7 +243,6 @@ module OneLogin
|
|
|
247
243
|
OpenSSL::PKey::RSA.new(formatted_private_key)
|
|
248
244
|
end
|
|
249
245
|
|
|
250
|
-
private
|
|
251
246
|
|
|
252
247
|
def idp_binding_from_embed_sign
|
|
253
248
|
security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
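Review bot: The last hunk deletes the `private` keyword that preceded `idp_binding_from_embed_sign`, and nothing in the new code reintroduces it, so that method and every method defined after it in the class (the rest of the file is outside the hunk) become public API of `Settings`; the config loop in the first hunk only reaches setters through `respond_to?`/`send` and gains nothing from the wider visibility. If the intent was not to expose these helpers, restore `private` on the line above `def idp_binding_from_embed_sign`. In the `idp_cert_multi` rewrite, `certs_for_type = idp_cert_multi[type] || idp_cert_multi[type.to_s]` silently ignores the string-keyed entry when a hash carries both `:signing` and `"signing"`; a one-line comment stating that the symbol key wins would save the next reader a check.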
|
|
@@ -62,10 +62,7 @@ module OneLogin
|
|
|
62
62
|
# @return [String] Gets the NameID of the Logout Request.
|
|
63
63
|
#
|
|
64
64
|
def name_id
|
|
65
|
-
@name_id ||=
|
|
66
|
-
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
67
|
-
Utils.element_text(node)
|
|
68
|
-
end
|
|
65
|
+
@name_id ||= Utils.element_text(name_id_node)
|
|
69
66
|
end
|
|
70
67
|
|
|
71
68
|
alias_method :nameid, :name_id
|
|
@@ -73,15 +70,49 @@ module OneLogin
|
|
|
73
70
|
# @return [String] Gets the NameID Format of the Logout Request.
|
|
74
71
|
#
|
|
75
72
|
def name_id_format
|
|
76
|
-
@name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
77
73
|
@name_id_format ||=
|
|
78
|
-
if
|
|
79
|
-
|
|
74
|
+
if name_id_node && name_id_node.attribute("Format")
|
|
75
|
+
name_id_node.attribute("Format").value
|
|
80
76
|
end
|
|
81
77
|
end
|
|
82
78
|
|
|
83
79
|
alias_method :nameid_format, :name_id_format
|
|
84
80
|
|
|
81
|
+
def name_id_node
|
|
82
|
+
@name_id_node ||=
|
|
83
|
+
begin
|
|
84
|
+
encrypted_node = REXML::XPath.first(document, "/p:LogoutRequest/a:EncryptedID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
85
|
+
if encrypted_node
|
|
86
|
+
node = decrypt_nameid(encrypted_node)
|
|
87
|
+
else
|
|
88
|
+
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# Decrypts an EncryptedID element
|
|
94
|
+
# @param encryptedid_node [REXML::Element] The EncryptedID element
|
|
95
|
+
# @return [REXML::Document] The decrypted EncrypedtID element
|
|
96
|
+
#
|
|
97
|
+
def decrypt_nameid(encrypt_node)
|
|
98
|
+
|
|
99
|
+
if settings.nil? || !settings.get_sp_key
|
|
100
|
+
raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
|
|
104
|
+
# If we get some problematic noise in the plaintext after decrypting.
|
|
105
|
+
# This quick regexp parse will grab only the Element and discard the noise.
|
|
106
|
+
elem_plaintext = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]
|
|
107
|
+
|
|
108
|
+
# To avoid namespace errors if saml namespace is not defined
|
|
109
|
+
# create a parent node first with the namespace defined
|
|
110
|
+
node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
|
|
111
|
+
elem_plaintext = node_header + elem_plaintext + '</node>'
|
|
112
|
+
doc = REXML::Document.new(elem_plaintext)
|
|
113
|
+
doc.root[0]
|
|
114
|
+
end
|
|
115
|
+
|
|
85
116
|
# @return [String|nil] Gets the ID attribute from the Logout Request. if exists.
|
|
86
117
|
#
|
|
87
118
|
def id
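Review bot: In `decrypt_nameid`, `elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]` indexes the result of `match` directly, so a decrypted payload with no closing `NameID` tag (wrong key, garbage plaintext, or an `EncryptedID` wrapping something other than a NameID) raises `NoMethodError` on `nil` instead of the `ValidationError` the rest of the method uses; change it to `m = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)` followed by `raise ValidationError.new('Decrypted ' + encrypt_node.name + ' does not contain a NameID element') unless m` and `elem_plaintext = m[0]`. The YARD block above it names the parameter `encryptedid_node` while the signature says `encrypt_node`, and documents the return as `[REXML::Document]` while `doc.root[0]` returns the first child node — an `REXML::Element` only when the plaintext starts with the element, since the leading `.*` in the pattern keeps any bytes before the `<NameID>` open tag and in that case `doc.root[0]` is a text node, so a guard or at least a comment is warranted. `name_id_node` now performs SP-private-key decryption as a side effect of reading `name_id`; because `is_valid?` and the signature check live outside the hunk, confirm that callers cannot reach decryption for a LogoutRequest whose signature has not yet been verified, and document on `name_id_node` that it raises `ValidationError` when no SP key is configured.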
|
|
@@ -41,7 +41,7 @@ module OneLogin
|
|
|
41
41
|
saml_response = CGI.escape(params.delete("SAMLResponse"))
|
|
42
42
|
response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
|
|
43
43
|
params.each_pair do |key, value|
|
|
44
|
-
response_params << "&#{key
|
|
44
|
+
response_params << "&#{key}=#{CGI.escape(value.to_s)}"
|
|
45
45
|
end
|
|
46
46
|
|
|
47
47
|
raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
|
data/lib/xml_security.rb
CHANGED
|
@@ -177,7 +177,7 @@ module XMLSecurity
|
|
|
177
177
|
|
|
178
178
|
def compute_digest(document, digest_algorithm)
|
|
179
179
|
digest = digest_algorithm.digest(document)
|
|
180
|
-
Base64.encode64(digest).strip
|
|
180
|
+
Base64.encode64(digest).strip
|
|
181
181
|
end
|
|
182
182
|
|
|
183
183
|
end
|
|
@@ -216,7 +216,7 @@ module XMLSecurity
|
|
|
216
216
|
if options[:fingerprint_alg]
|
|
217
217
|
fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
|
|
218
218
|
else
|
|
219
|
-
fingerprint_alg = OpenSSL::Digest
|
|
219
|
+
fingerprint_alg = OpenSSL::Digest.new('SHA1')
|
|
220
220
|
end
|
|
221
221
|
fingerprint = fingerprint_alg.hexdigest(cert.to_der)
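Review bot: `fingerprint_alg = OpenSSL::Digest.new('SHA1')` keeps SHA-1 as the fallback whenever `options[:fingerprint_alg]` is absent, and nothing at the call site says that this is deliberate; a one-line comment such as `# SHA1 is the fallback when no :fingerprint_alg is given; callers comparing SHA256 fingerprints must pass :fingerprint_alg` would keep the next maintainer from reading it as an oversight. The enclosing method starts before this hunk, so its own documentation may already cover the option; if it does, a pointer to it here is enough.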
|
|
222
222
|
|
data/ruby-saml.gemspec
CHANGED
|
@@ -6,17 +6,17 @@ Gem::Specification.new do |s|
|
|
|
6
6
|
s.version = OneLogin::RubySaml::VERSION
|
|
7
7
|
|
|
8
8
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
9
|
-
s.authors = ["
|
|
9
|
+
s.authors = ["SAML Toolkit", "Sixto Martin"]
|
|
10
|
+
s.email = ['contact@iamdigitalservices.com', 'sixto.martin.garcia@gmail.com']
|
|
10
11
|
s.date = Time.now.strftime("%Y-%m-%d")
|
|
11
|
-
s.description = %q{SAML toolkit
|
|
12
|
-
s.email = %q{support@onelogin.com}
|
|
12
|
+
s.description = %q{SAML Ruby toolkit. Add SAML support to your Ruby software using this library}
|
|
13
13
|
s.license = 'MIT'
|
|
14
14
|
s.extra_rdoc_files = [
|
|
15
15
|
"LICENSE",
|
|
16
16
|
"README.md"
|
|
17
17
|
]
|
|
18
18
|
s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
|
19
|
-
s.homepage = %q{https://github.com/
|
|
19
|
+
s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
|
|
20
20
|
s.rdoc_options = ["--charset=UTF-8"]
|
|
21
21
|
s.require_paths = ["lib"]
|
|
22
22
|
s.rubygems_version = %q{1.3.7}
|
|
@@ -27,12 +27,18 @@ Gem::Specification.new do |s|
|
|
|
27
27
|
# Nokogiri's version dependent on the Ruby version, even though we would
|
|
28
28
|
# have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
|
|
29
29
|
if defined?(JRUBY_VERSION)
|
|
30
|
-
if JRUBY_VERSION < '9.
|
|
30
|
+
if JRUBY_VERSION < '9.1.7.0'
|
|
31
31
|
s.add_runtime_dependency('nokogiri', '>= 1.8.2', '<= 1.8.5')
|
|
32
32
|
s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
|
|
33
33
|
s.add_runtime_dependency('json', '< 2.3.0')
|
|
34
|
+
elsif JRUBY_VERSION < '9.2.0.0'
|
|
35
|
+
s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
|
|
36
|
+
elsif JRUBY_VERSION < '9.3.2.0'
|
|
37
|
+
s.add_runtime_dependency('nokogiri', '>= 1.11.4')
|
|
38
|
+
s.add_runtime_dependency('rexml')
|
|
34
39
|
else
|
|
35
|
-
s.add_runtime_dependency('nokogiri', '>= 1.
|
|
40
|
+
s.add_runtime_dependency('nokogiri', '>= 1.13.10')
|
|
41
|
+
s.add_runtime_dependency('rexml')
|
|
36
42
|
end
|
|
37
43
|
elsif RUBY_VERSION < '1.9'
|
|
38
44
|
s.add_runtime_dependency('uuid')
|
|
@@ -42,17 +48,34 @@ Gem::Specification.new do |s|
|
|
|
42
48
|
s.add_runtime_dependency('json', '< 2.3.0')
|
|
43
49
|
elsif RUBY_VERSION < '2.3'
|
|
44
50
|
s.add_runtime_dependency('nokogiri', '>= 1.9.1', '< 1.10.0')
|
|
51
|
+
elsif RUBY_VERSION < '2.5'
|
|
52
|
+
s.add_runtime_dependency('nokogiri', '>= 1.10.10', '< 1.11.0')
|
|
53
|
+
s.add_runtime_dependency('rexml')
|
|
54
|
+
elsif RUBY_VERSION < '2.6'
|
|
55
|
+
s.add_runtime_dependency('nokogiri', '>= 1.11.4')
|
|
56
|
+
s.add_runtime_dependency('rexml')
|
|
45
57
|
else
|
|
46
|
-
s.add_runtime_dependency('nokogiri', '>= 1.10
|
|
58
|
+
s.add_runtime_dependency('nokogiri', '>= 1.13.10')
|
|
47
59
|
s.add_runtime_dependency('rexml')
|
|
48
60
|
end
|
|
49
61
|
|
|
50
|
-
s.add_development_dependency('
|
|
51
|
-
|
|
62
|
+
s.add_development_dependency('simplecov', '<0.22.0')
|
|
63
|
+
if RUBY_VERSION < '2.4.1'
|
|
64
|
+
s.add_development_dependency('simplecov-lcov', '<0.8.0')
|
|
65
|
+
else
|
|
66
|
+
s.add_development_dependency('simplecov-lcov', '>0.7.0')
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
|
|
52
70
|
s.add_development_dependency('mocha', '~> 0.14')
|
|
53
|
-
|
|
71
|
+
|
|
72
|
+
if RUBY_VERSION < '2.0'
|
|
73
|
+
s.add_development_dependency('rake', '~> 10')
|
|
74
|
+
else
|
|
75
|
+
s.add_development_dependency('rake', '>= 12.3.3')
|
|
76
|
+
end
|
|
77
|
+
|
|
54
78
|
s.add_development_dependency('shoulda', '~> 2.11')
|
|
55
|
-
s.add_development_dependency('simplecov')
|
|
56
79
|
s.add_development_dependency('systemu', '~> 2')
|
|
57
80
|
|
|
58
81
|
if RUBY_VERSION < '2.1'
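Review bot: The new version branches (`JRUBY_VERSION < '9.1.7.0'`, `< '9.2.0.0'`, `< '9.3.2.0'`, `RUBY_VERSION < '2.5'`, `< '2.6'`, `< '2.4.1'`) compare version strings lexicographically, so a two-digit component sorts before a one-digit one (`'9.10.0.0' < '9.2.0.0'` is true) and a future JRuby 9.10 would land in the wrong dependency set; the pattern predates this commit, but the commit triples the number of such comparisons. Use `Gem::Version.new(JRUBY_VERSION) < Gem::Version.new('9.1.7.0')` (and likewise for the `RUBY_VERSION` branches), which is already available inside a gemspec. The `simplecov-lcov` split on `RUBY_VERSION < '2.4.1'` would be easier to maintain with a comment naming the constraint that `<0.8.0` versus `>0.7.0` is tracking, since the second has no upper bound.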
|
metadata
CHANGED
|
@@ -1,14 +1,15 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
8
|
-
|
|
7
|
+
- SAML Toolkit
|
|
8
|
+
- Sixto Martin
|
|
9
|
+
autorequire:
|
|
9
10
|
bindir: bin
|
|
10
11
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
+
date: 2023-10-09 00:00:00.000000000 Z
|
|
12
13
|
dependencies:
|
|
13
14
|
- !ruby/object:Gem::Dependency
|
|
14
15
|
name: nokogiri
|
|
@@ -16,14 +17,14 @@ dependencies:
|
|
|
16
17
|
requirements:
|
|
17
18
|
- - ">="
|
|
18
19
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 1.10
|
|
20
|
+
version: 1.13.10
|
|
20
21
|
type: :runtime
|
|
21
22
|
prerelease: false
|
|
22
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
24
|
requirements:
|
|
24
25
|
- - ">="
|
|
25
26
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 1.10
|
|
27
|
+
version: 1.13.10
|
|
27
28
|
- !ruby/object:Gem::Dependency
|
|
28
29
|
name: rexml
|
|
29
30
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -39,19 +40,33 @@ dependencies:
|
|
|
39
40
|
- !ruby/object:Gem::Version
|
|
40
41
|
version: '0'
|
|
41
42
|
- !ruby/object:Gem::Dependency
|
|
42
|
-
name:
|
|
43
|
+
name: simplecov
|
|
43
44
|
requirement: !ruby/object:Gem::Requirement
|
|
44
45
|
requirements:
|
|
45
|
-
- - "
|
|
46
|
+
- - "<"
|
|
46
47
|
- !ruby/object:Gem::Version
|
|
47
|
-
version:
|
|
48
|
+
version: 0.22.0
|
|
48
49
|
type: :development
|
|
49
50
|
prerelease: false
|
|
50
51
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
52
|
requirements:
|
|
52
|
-
- - "
|
|
53
|
+
- - "<"
|
|
53
54
|
- !ruby/object:Gem::Version
|
|
54
|
-
version:
|
|
55
|
+
version: 0.22.0
|
|
56
|
+
- !ruby/object:Gem::Dependency
|
|
57
|
+
name: simplecov-lcov
|
|
58
|
+
requirement: !ruby/object:Gem::Requirement
|
|
59
|
+
requirements:
|
|
60
|
+
- - ">"
|
|
61
|
+
- !ruby/object:Gem::Version
|
|
62
|
+
version: 0.7.0
|
|
63
|
+
type: :development
|
|
64
|
+
prerelease: false
|
|
65
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
66
|
+
requirements:
|
|
67
|
+
- - ">"
|
|
68
|
+
- !ruby/object:Gem::Version
|
|
69
|
+
version: 0.7.0
|
|
55
70
|
- !ruby/object:Gem::Dependency
|
|
56
71
|
name: minitest
|
|
57
72
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -59,6 +74,9 @@ dependencies:
|
|
|
59
74
|
- - "~>"
|
|
60
75
|
- !ruby/object:Gem::Version
|
|
61
76
|
version: '5.5'
|
|
77
|
+
- - "<"
|
|
78
|
+
- !ruby/object:Gem::Version
|
|
79
|
+
version: 5.19.0
|
|
62
80
|
type: :development
|
|
63
81
|
prerelease: false
|
|
64
82
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -66,6 +84,9 @@ dependencies:
|
|
|
66
84
|
- - "~>"
|
|
67
85
|
- !ruby/object:Gem::Version
|
|
68
86
|
version: '5.5'
|
|
87
|
+
- - "<"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 5.19.0
|
|
69
90
|
- !ruby/object:Gem::Dependency
|
|
70
91
|
name: mocha
|
|
71
92
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -84,16 +105,16 @@ dependencies:
|
|
|
84
105
|
name: rake
|
|
85
106
|
requirement: !ruby/object:Gem::Requirement
|
|
86
107
|
requirements:
|
|
87
|
-
- - "
|
|
108
|
+
- - ">="
|
|
88
109
|
- !ruby/object:Gem::Version
|
|
89
|
-
version:
|
|
110
|
+
version: 12.3.3
|
|
90
111
|
type: :development
|
|
91
112
|
prerelease: false
|
|
92
113
|
version_requirements: !ruby/object:Gem::Requirement
|
|
93
114
|
requirements:
|
|
94
|
-
- - "
|
|
115
|
+
- - ">="
|
|
95
116
|
- !ruby/object:Gem::Version
|
|
96
|
-
version:
|
|
117
|
+
version: 12.3.3
|
|
97
118
|
- !ruby/object:Gem::Dependency
|
|
98
119
|
name: shoulda
|
|
99
120
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -108,20 +129,6 @@ dependencies:
|
|
|
108
129
|
- - "~>"
|
|
109
130
|
- !ruby/object:Gem::Version
|
|
110
131
|
version: '2.11'
|
|
111
|
-
- !ruby/object:Gem::Dependency
|
|
112
|
-
name: simplecov
|
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
|
114
|
-
requirements:
|
|
115
|
-
- - ">="
|
|
116
|
-
- !ruby/object:Gem::Version
|
|
117
|
-
version: '0'
|
|
118
|
-
type: :development
|
|
119
|
-
prerelease: false
|
|
120
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
-
requirements:
|
|
122
|
-
- - ">="
|
|
123
|
-
- !ruby/object:Gem::Version
|
|
124
|
-
version: '0'
|
|
125
132
|
- !ruby/object:Gem::Dependency
|
|
126
133
|
name: systemu
|
|
127
134
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -164,8 +171,11 @@ dependencies:
|
|
|
164
171
|
- - ">="
|
|
165
172
|
- !ruby/object:Gem::Version
|
|
166
173
|
version: '0'
|
|
167
|
-
description: SAML toolkit
|
|
168
|
-
|
|
174
|
+
description: SAML Ruby toolkit. Add SAML support to your Ruby software using this
|
|
175
|
+
library
|
|
176
|
+
email:
|
|
177
|
+
- contact@iamdigitalservices.com
|
|
178
|
+
- sixto.martin.garcia@gmail.com
|
|
169
179
|
executables: []
|
|
170
180
|
extensions: []
|
|
171
181
|
extra_rdoc_files:
|
|
@@ -217,11 +227,11 @@ files:
|
|
|
217
227
|
- lib/schemas/xmldsig-core-schema.xsd
|
|
218
228
|
- lib/xml_security.rb
|
|
219
229
|
- ruby-saml.gemspec
|
|
220
|
-
homepage: https://github.com/
|
|
230
|
+
homepage: https://github.com/saml-toolkits/ruby-saml
|
|
221
231
|
licenses:
|
|
222
232
|
- MIT
|
|
223
233
|
metadata: {}
|
|
224
|
-
post_install_message:
|
|
234
|
+
post_install_message:
|
|
225
235
|
rdoc_options:
|
|
226
236
|
- "--charset=UTF-8"
|
|
227
237
|
require_paths:
|
|
@@ -237,8 +247,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
237
247
|
- !ruby/object:Gem::Version
|
|
238
248
|
version: '0'
|
|
239
249
|
requirements: []
|
|
240
|
-
rubygems_version: 3.
|
|
241
|
-
signing_key:
|
|
250
|
+
rubygems_version: 3.4.1
|
|
251
|
+
signing_key:
|
|
242
252
|
specification_version: 4
|
|
243
253
|
summary: SAML Ruby Tookit
|
|
244
254
|
test_files: []
|