ruby-saml 1.15.0 → 1.16.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/README.md +33 -6
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +38 -7
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/ruby-saml.gemspec +2 -2
- metadata +10 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e3094dc9c1e3692dddfc40adc2a4c305fae0be74bcd28b296f231ece4fe89334
|
|
4
|
+
data.tar.gz: 1f47dcbd970af95d58049bdd7f8bfed6a5bf8a72a90c1938b2b8ef2a0d5dd05f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52ea3c1013e7b42b2e30c42bfbfd38bee0457d7bd630df94fcb9e9bc7db126e6981308af877a9b4c475e563a10159a0612d38d79458f289341730a496adeb77a
|
|
7
|
+
data.tar.gz: e85c81f6fb8610793707c70c6dee09b4fe2053f307a7a2827df08038bc54b6250b77dfa3cf30d33d0029899aff1b82740347292df691a5e8757c3966058e842b
|
data/CHANGELOG.md
CHANGED
|
@@ -1,4 +1,7 @@
|
|
|
1
1
|
# Ruby SAML Changelog
|
|
2
|
+
### 1.16.0 (Oct 09, 2023)
|
|
3
|
+
* [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
|
|
4
|
+
|
|
2
5
|
### 1.15.0 (Jan 04, 2023)
|
|
3
6
|
* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
|
|
4
7
|
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
|
|
@@ -47,7 +50,7 @@
|
|
|
47
50
|
* Support Process Transform
|
|
48
51
|
* Raise SettingError if invoking an action with no endpoint defined on the settings
|
|
49
52
|
* Made IdpMetadataParser more extensible for subclasses
|
|
50
|
-
*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
53
|
+
* [#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
51
54
|
* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
|
|
52
55
|
* Improve documentation
|
|
53
56
|
|
data/README.md
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# Ruby SAML
|
|
2
|
-
[](https://github.com/SAML-Toolkits/ruby-saml/actions/workflows/test.yml)
|
|
3
|
+
[](https://coveralls.io/github/SAML-Toolkits/ruby-saml?branch=master)
|
|
4
|
+
[](https://badge.fury.io/rb/ruby-saml)
|
|
5
|
+
[](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml)   
|
|
4
6
|
|
|
5
7
|
Ruby SAML minor and tiny versions may introduce breaking changes. Please read
|
|
6
8
|
[UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
|
|
@@ -14,7 +16,7 @@ requests from identity providers.
|
|
|
14
16
|
SAML authorization is a two step process and you are expected to implement support for both.
|
|
15
17
|
|
|
16
18
|
We created a demo project for Rails 4 that uses the latest version of this library:
|
|
17
|
-
[ruby-saml-example](https://github.com/saml-
|
|
19
|
+
[ruby-saml-example](https://github.com/saml-toolkits/ruby-saml-example)
|
|
18
20
|
|
|
19
21
|
### Supported Ruby Versions
|
|
20
22
|
|
|
@@ -28,8 +30,12 @@ The following Ruby versions are covered by CI testing:
|
|
|
28
30
|
* 2.6.x
|
|
29
31
|
* 2.7.x
|
|
30
32
|
* 3.0.x
|
|
33
|
+
* 3.1
|
|
34
|
+
* 3.2
|
|
31
35
|
* JRuby 9.1.x
|
|
32
36
|
* JRuby 9.2.x
|
|
37
|
+
* JRuby 9.3.X
|
|
38
|
+
* JRuby 9.4.0
|
|
33
39
|
* TruffleRuby (latest)
|
|
34
40
|
|
|
35
41
|
In addition, the following may work but are untested:
|
|
@@ -385,6 +391,27 @@ IdpMetadataParser by its Entity Id value:
|
|
|
385
391
|
)
|
|
386
392
|
```
|
|
387
393
|
|
|
394
|
+
### Retrieve one Entity Descriptor with an specific binding and nameid format when several are available
|
|
395
|
+
|
|
396
|
+
If the Metadata contains several bindings and nameids, the relevant ones
|
|
397
|
+
also can be specified when retrieving the settings from the IdpMetadataParser
|
|
398
|
+
by the values of binding and nameid:
|
|
399
|
+
|
|
400
|
+
```ruby
|
|
401
|
+
validate_cert = true
|
|
402
|
+
options = {
|
|
403
|
+
entity_id: "http//example.com/target/entity",
|
|
404
|
+
name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
405
|
+
sso_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
|
|
406
|
+
slo_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
407
|
+
}
|
|
408
|
+
settings = idp_metadata_parser.parse_remote(
|
|
409
|
+
"https://example.com/auth/saml2/idp/metadata",
|
|
410
|
+
validate_cert,
|
|
411
|
+
options
|
|
412
|
+
)
|
|
413
|
+
```
|
|
414
|
+
|
|
388
415
|
### Parsing Metadata into an Hash
|
|
389
416
|
|
|
390
417
|
The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to_hash` and `#parse_remote_to_hash`.
|
|
@@ -400,7 +427,7 @@ but it can be done as follows:
|
|
|
400
427
|
* Validate the Signature, providing the cert.
|
|
401
428
|
* Provide the XML to the parse method if the signature was validated
|
|
402
429
|
|
|
403
|
-
```
|
|
430
|
+
```ruby
|
|
404
431
|
require "xml_security"
|
|
405
432
|
require "onelogin/ruby-saml/utils"
|
|
406
433
|
require "onelogin/ruby-saml/idp_metadata_parser"
|
|
@@ -434,7 +461,7 @@ if valid
|
|
|
434
461
|
else
|
|
435
462
|
print "Metadata Signarture failed to be verified with the cert provided"
|
|
436
463
|
end
|
|
437
|
-
|
|
464
|
+
```
|
|
438
465
|
|
|
439
466
|
## Retrieving Attributes
|
|
440
467
|
|
|
@@ -671,7 +698,7 @@ signature validation process will fail at the Identity Provider.
|
|
|
671
698
|
Ruby SAML supports EncryptedAssertion. The Identity Provider will encrypt the Assertion with the
|
|
672
699
|
public cert of the Service Provider. The Service Provider will decrypt the EncryptedAssertion with its private key.
|
|
673
700
|
|
|
674
|
-
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="
|
|
701
|
+
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="encryption">` to your
|
|
675
702
|
SP Metadata XML, to be read by the IdP.
|
|
676
703
|
|
|
677
704
|
```ruby
|
|
@@ -62,10 +62,7 @@ module OneLogin
|
|
|
62
62
|
# @return [String] Gets the NameID of the Logout Request.
|
|
63
63
|
#
|
|
64
64
|
def name_id
|
|
65
|
-
@name_id ||=
|
|
66
|
-
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
67
|
-
Utils.element_text(node)
|
|
68
|
-
end
|
|
65
|
+
@name_id ||= Utils.element_text(name_id_node)
|
|
69
66
|
end
|
|
70
67
|
|
|
71
68
|
alias_method :nameid, :name_id
|
|
@@ -73,15 +70,49 @@ module OneLogin
|
|
|
73
70
|
# @return [String] Gets the NameID Format of the Logout Request.
|
|
74
71
|
#
|
|
75
72
|
def name_id_format
|
|
76
|
-
@name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
77
73
|
@name_id_format ||=
|
|
78
|
-
if
|
|
79
|
-
|
|
74
|
+
if name_id_node && name_id_node.attribute("Format")
|
|
75
|
+
name_id_node.attribute("Format").value
|
|
80
76
|
end
|
|
81
77
|
end
|
|
82
78
|
|
|
83
79
|
alias_method :nameid_format, :name_id_format
|
|
84
80
|
|
|
81
|
+
def name_id_node
|
|
82
|
+
@name_id_node ||=
|
|
83
|
+
begin
|
|
84
|
+
encrypted_node = REXML::XPath.first(document, "/p:LogoutRequest/a:EncryptedID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
85
|
+
if encrypted_node
|
|
86
|
+
node = decrypt_nameid(encrypted_node)
|
|
87
|
+
else
|
|
88
|
+
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# Decrypts an EncryptedID element
|
|
94
|
+
# @param encryptedid_node [REXML::Element] The EncryptedID element
|
|
95
|
+
# @return [REXML::Document] The decrypted EncrypedtID element
|
|
96
|
+
#
|
|
97
|
+
def decrypt_nameid(encrypt_node)
|
|
98
|
+
|
|
99
|
+
if settings.nil? || !settings.get_sp_key
|
|
100
|
+
raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
|
|
104
|
+
# If we get some problematic noise in the plaintext after decrypting.
|
|
105
|
+
# This quick regexp parse will grab only the Element and discard the noise.
|
|
106
|
+
elem_plaintext = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]
|
|
107
|
+
|
|
108
|
+
# To avoid namespace errors if saml namespace is not defined
|
|
109
|
+
# create a parent node first with the namespace defined
|
|
110
|
+
node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
|
|
111
|
+
elem_plaintext = node_header + elem_plaintext + '</node>'
|
|
112
|
+
doc = REXML::Document.new(elem_plaintext)
|
|
113
|
+
doc.root[0]
|
|
114
|
+
end
|
|
115
|
+
|
|
85
116
|
# @return [String|nil] Gets the ID attribute from the Logout Request. if exists.
|
|
86
117
|
#
|
|
87
118
|
def id
|
data/ruby-saml.gemspec
CHANGED
|
@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
|
|
|
16
16
|
"README.md"
|
|
17
17
|
]
|
|
18
18
|
s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
|
19
|
-
s.homepage = %q{https://github.com/saml-
|
|
19
|
+
s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
|
|
20
20
|
s.rdoc_options = ["--charset=UTF-8"]
|
|
21
21
|
s.require_paths = ["lib"]
|
|
22
22
|
s.rubygems_version = %q{1.3.7}
|
|
@@ -66,7 +66,7 @@ Gem::Specification.new do |s|
|
|
|
66
66
|
s.add_development_dependency('simplecov-lcov', '>0.7.0')
|
|
67
67
|
end
|
|
68
68
|
|
|
69
|
-
s.add_development_dependency('minitest', '~> 5.5')
|
|
69
|
+
s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
|
|
70
70
|
s.add_development_dependency('mocha', '~> 0.14')
|
|
71
71
|
|
|
72
72
|
if RUBY_VERSION < '2.0'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- SAML Toolkit
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2023-
|
|
12
|
+
date: 2023-10-09 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: nokogiri
|
|
@@ -74,6 +74,9 @@ dependencies:
|
|
|
74
74
|
- - "~>"
|
|
75
75
|
- !ruby/object:Gem::Version
|
|
76
76
|
version: '5.5'
|
|
77
|
+
- - "<"
|
|
78
|
+
- !ruby/object:Gem::Version
|
|
79
|
+
version: 5.19.0
|
|
77
80
|
type: :development
|
|
78
81
|
prerelease: false
|
|
79
82
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -81,6 +84,9 @@ dependencies:
|
|
|
81
84
|
- - "~>"
|
|
82
85
|
- !ruby/object:Gem::Version
|
|
83
86
|
version: '5.5'
|
|
87
|
+
- - "<"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 5.19.0
|
|
84
90
|
- !ruby/object:Gem::Dependency
|
|
85
91
|
name: mocha
|
|
86
92
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -221,7 +227,7 @@ files:
|
|
|
221
227
|
- lib/schemas/xmldsig-core-schema.xsd
|
|
222
228
|
- lib/xml_security.rb
|
|
223
229
|
- ruby-saml.gemspec
|
|
224
|
-
homepage: https://github.com/saml-
|
|
230
|
+
homepage: https://github.com/saml-toolkits/ruby-saml
|
|
225
231
|
licenses:
|
|
226
232
|
- MIT
|
|
227
233
|
metadata: {}
|
|
@@ -241,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
241
247
|
- !ruby/object:Gem::Version
|
|
242
248
|
version: '0'
|
|
243
249
|
requirements: []
|
|
244
|
-
rubygems_version: 3.
|
|
250
|
+
rubygems_version: 3.4.1
|
|
245
251
|
signing_key:
|
|
246
252
|
specification_version: 4
|
|
247
253
|
summary: SAML Ruby Tookit
|