ruby-saml 1.15.0 → 1.16.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ruby-saml might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/README.md +33 -6
- data/lib/onelogin/ruby-saml/slo_logoutrequest.rb +38 -7
- data/lib/onelogin/ruby-saml/version.rb +1 -1
- data/ruby-saml.gemspec +2 -2
- metadata +10 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e3094dc9c1e3692dddfc40adc2a4c305fae0be74bcd28b296f231ece4fe89334
|
|
4
|
+
data.tar.gz: 1f47dcbd970af95d58049bdd7f8bfed6a5bf8a72a90c1938b2b8ef2a0d5dd05f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52ea3c1013e7b42b2e30c42bfbfd38bee0457d7bd630df94fcb9e9bc7db126e6981308af877a9b4c475e563a10159a0612d38d79458f289341730a496adeb77a
|
|
7
|
+
data.tar.gz: e85c81f6fb8610793707c70c6dee09b4fe2053f307a7a2827df08038bc54b6250b77dfa3cf30d33d0029899aff1b82740347292df691a5e8757c3966058e842b
|
data/CHANGELOG.md
CHANGED
|
@@ -1,4 +1,7 @@
|
|
|
1
1
|
# Ruby SAML Changelog
|
|
2
|
+
### 1.16.0 (Oct 09, 2023)
|
|
3
|
+
* [#671](https://github.com/SAML-Toolkits/ruby-saml/pull/671) Add support on LogoutRequest with Encrypted NameID
|
|
4
|
+
|
|
2
5
|
### 1.15.0 (Jan 04, 2023)
|
|
3
6
|
* [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
|
|
4
7
|
* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
|
|
@@ -47,7 +50,7 @@
|
|
|
47
50
|
* Support Process Transform
|
|
48
51
|
* Raise SettingError if invoking an action with no endpoint defined on the settings
|
|
49
52
|
* Made IdpMetadataParser more extensible for subclasses
|
|
50
|
-
*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
53
|
+
* [#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
|
|
51
54
|
* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
|
|
52
55
|
* Improve documentation
|
|
53
56
|
|
data/README.md
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# Ruby SAML
|
|
2
|
-
[](https://github.com/SAML-Toolkits/ruby-saml/actions/workflows/test.yml)
|
|
3
|
+
[](https://coveralls.io/github/SAML-Toolkits/ruby-saml?branch=master)
|
|
4
|
+
[](https://badge.fury.io/rb/ruby-saml)
|
|
5
|
+
[](https://badge.fury.io/gh/SAML-Toolkits%2Fruby-saml)   
|
|
4
6
|
|
|
5
7
|
Ruby SAML minor and tiny versions may introduce breaking changes. Please read
|
|
6
8
|
[UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
|
|
@@ -14,7 +16,7 @@ requests from identity providers.
|
|
|
14
16
|
SAML authorization is a two step process and you are expected to implement support for both.
|
|
15
17
|
|
|
16
18
|
We created a demo project for Rails 4 that uses the latest version of this library:
|
|
17
|
-
[ruby-saml-example](https://github.com/saml-
|
|
19
|
+
[ruby-saml-example](https://github.com/saml-toolkits/ruby-saml-example)
|
|
18
20
|
|
|
19
21
|
### Supported Ruby Versions
|
|
20
22
|
|
|
@@ -28,8 +30,12 @@ The following Ruby versions are covered by CI testing:
|
|
|
28
30
|
* 2.6.x
|
|
29
31
|
* 2.7.x
|
|
30
32
|
* 3.0.x
|
|
33
|
+
* 3.1
|
|
34
|
+
* 3.2
|
|
31
35
|
* JRuby 9.1.x
|
|
32
36
|
* JRuby 9.2.x
|
|
37
|
+
* JRuby 9.3.X
|
|
38
|
+
* JRuby 9.4.0
|
|
33
39
|
* TruffleRuby (latest)
|
|
34
40
|
|
|
35
41
|
In addition, the following may work but are untested:
|
|
@@ -385,6 +391,27 @@ IdpMetadataParser by its Entity Id value:
|
|
|
385
391
|
)
|
|
386
392
|
```
|
|
387
393
|
|
|
394
|
+
### Retrieve one Entity Descriptor with an specific binding and nameid format when several are available
|
|
395
|
+
|
|
396
|
+
If the Metadata contains several bindings and nameids, the relevant ones
|
|
397
|
+
also can be specified when retrieving the settings from the IdpMetadataParser
|
|
398
|
+
by the values of binding and nameid:
|
|
399
|
+
|
|
400
|
+
```ruby
|
|
401
|
+
validate_cert = true
|
|
402
|
+
options = {
|
|
403
|
+
entity_id: "http//example.com/target/entity",
|
|
404
|
+
name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
|
|
405
|
+
sso_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
|
|
406
|
+
slo_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
407
|
+
}
|
|
408
|
+
settings = idp_metadata_parser.parse_remote(
|
|
409
|
+
"https://example.com/auth/saml2/idp/metadata",
|
|
410
|
+
validate_cert,
|
|
411
|
+
options
|
|
412
|
+
)
|
|
413
|
+
```
|
|
414
|
+
|
|
388
415
|
### Parsing Metadata into an Hash
|
|
389
416
|
|
|
390
417
|
The `OneLogin::RubySaml::IdpMetadataParser` also provides the methods `#parse_to_hash` and `#parse_remote_to_hash`.
|
|
@@ -400,7 +427,7 @@ but it can be done as follows:
|
|
|
400
427
|
* Validate the Signature, providing the cert.
|
|
401
428
|
* Provide the XML to the parse method if the signature was validated
|
|
402
429
|
|
|
403
|
-
```
|
|
430
|
+
```ruby
|
|
404
431
|
require "xml_security"
|
|
405
432
|
require "onelogin/ruby-saml/utils"
|
|
406
433
|
require "onelogin/ruby-saml/idp_metadata_parser"
|
|
@@ -434,7 +461,7 @@ if valid
|
|
|
434
461
|
else
|
|
435
462
|
print "Metadata Signarture failed to be verified with the cert provided"
|
|
436
463
|
end
|
|
437
|
-
|
|
464
|
+
```
|
|
438
465
|
|
|
439
466
|
## Retrieving Attributes
|
|
440
467
|
|
|
@@ -671,7 +698,7 @@ signature validation process will fail at the Identity Provider.
|
|
|
671
698
|
Ruby SAML supports EncryptedAssertion. The Identity Provider will encrypt the Assertion with the
|
|
672
699
|
public cert of the Service Provider. The Service Provider will decrypt the EncryptedAssertion with its private key.
|
|
673
700
|
|
|
674
|
-
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="
|
|
701
|
+
You may enable EncryptedAssertion as follows. This will add `<md:KeyDescriptor use="encryption">` to your
|
|
675
702
|
SP Metadata XML, to be read by the IdP.
|
|
676
703
|
|
|
677
704
|
```ruby
|
|
@@ -62,10 +62,7 @@ module OneLogin
|
|
|
62
62
|
# @return [String] Gets the NameID of the Logout Request.
|
|
63
63
|
#
|
|
64
64
|
def name_id
|
|
65
|
-
@name_id ||=
|
|
66
|
-
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
67
|
-
Utils.element_text(node)
|
|
68
|
-
end
|
|
65
|
+
@name_id ||= Utils.element_text(name_id_node)
|
|
69
66
|
end
|
|
70
67
|
|
|
71
68
|
alias_method :nameid, :name_id
|
|
@@ -73,15 +70,49 @@ module OneLogin
|
|
|
73
70
|
# @return [String] Gets the NameID Format of the Logout Request.
|
|
74
71
|
#
|
|
75
72
|
def name_id_format
|
|
76
|
-
@name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
77
73
|
@name_id_format ||=
|
|
78
|
-
if
|
|
79
|
-
|
|
74
|
+
if name_id_node && name_id_node.attribute("Format")
|
|
75
|
+
name_id_node.attribute("Format").value
|
|
80
76
|
end
|
|
81
77
|
end
|
|
82
78
|
|
|
83
79
|
alias_method :nameid_format, :name_id_format
|
|
84
80
|
|
|
81
|
+
def name_id_node
|
|
82
|
+
@name_id_node ||=
|
|
83
|
+
begin
|
|
84
|
+
encrypted_node = REXML::XPath.first(document, "/p:LogoutRequest/a:EncryptedID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
85
|
+
if encrypted_node
|
|
86
|
+
node = decrypt_nameid(encrypted_node)
|
|
87
|
+
else
|
|
88
|
+
node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
|
|
89
|
+
end
|
|
90
|
+
end
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
# Decrypts an EncryptedID element
|
|
94
|
+
# @param encryptedid_node [REXML::Element] The EncryptedID element
|
|
95
|
+
# @return [REXML::Document] The decrypted EncrypedtID element
|
|
96
|
+
#
|
|
97
|
+
def decrypt_nameid(encrypt_node)
|
|
98
|
+
|
|
99
|
+
if settings.nil? || !settings.get_sp_key
|
|
100
|
+
raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
|
|
104
|
+
# If we get some problematic noise in the plaintext after decrypting.
|
|
105
|
+
# This quick regexp parse will grab only the Element and discard the noise.
|
|
106
|
+
elem_plaintext = elem_plaintext.match(/(.*<\/(\w+:)?NameID>)/m)[0]
|
|
107
|
+
|
|
108
|
+
# To avoid namespace errors if saml namespace is not defined
|
|
109
|
+
# create a parent node first with the namespace defined
|
|
110
|
+
node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
|
|
111
|
+
elem_plaintext = node_header + elem_plaintext + '</node>'
|
|
112
|
+
doc = REXML::Document.new(elem_plaintext)
|
|
113
|
+
doc.root[0]
|
|
114
|
+
end
|
|
115
|
+
|
|
85
116
|
# @return [String|nil] Gets the ID attribute from the Logout Request. if exists.
|
|
86
117
|
#
|
|
87
118
|
def id
|
data/ruby-saml.gemspec
CHANGED
|
@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
|
|
|
16
16
|
"README.md"
|
|
17
17
|
]
|
|
18
18
|
s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
|
19
|
-
s.homepage = %q{https://github.com/saml-
|
|
19
|
+
s.homepage = %q{https://github.com/saml-toolkits/ruby-saml}
|
|
20
20
|
s.rdoc_options = ["--charset=UTF-8"]
|
|
21
21
|
s.require_paths = ["lib"]
|
|
22
22
|
s.rubygems_version = %q{1.3.7}
|
|
@@ -66,7 +66,7 @@ Gem::Specification.new do |s|
|
|
|
66
66
|
s.add_development_dependency('simplecov-lcov', '>0.7.0')
|
|
67
67
|
end
|
|
68
68
|
|
|
69
|
-
s.add_development_dependency('minitest', '~> 5.5')
|
|
69
|
+
s.add_development_dependency('minitest', '~> 5.5', '<5.19.0')
|
|
70
70
|
s.add_development_dependency('mocha', '~> 0.14')
|
|
71
71
|
|
|
72
72
|
if RUBY_VERSION < '2.0'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ruby-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.16.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- SAML Toolkit
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2023-
|
|
12
|
+
date: 2023-10-09 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: nokogiri
|
|
@@ -74,6 +74,9 @@ dependencies:
|
|
|
74
74
|
- - "~>"
|
|
75
75
|
- !ruby/object:Gem::Version
|
|
76
76
|
version: '5.5'
|
|
77
|
+
- - "<"
|
|
78
|
+
- !ruby/object:Gem::Version
|
|
79
|
+
version: 5.19.0
|
|
77
80
|
type: :development
|
|
78
81
|
prerelease: false
|
|
79
82
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -81,6 +84,9 @@ dependencies:
|
|
|
81
84
|
- - "~>"
|
|
82
85
|
- !ruby/object:Gem::Version
|
|
83
86
|
version: '5.5'
|
|
87
|
+
- - "<"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 5.19.0
|
|
84
90
|
- !ruby/object:Gem::Dependency
|
|
85
91
|
name: mocha
|
|
86
92
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -221,7 +227,7 @@ files:
|
|
|
221
227
|
- lib/schemas/xmldsig-core-schema.xsd
|
|
222
228
|
- lib/xml_security.rb
|
|
223
229
|
- ruby-saml.gemspec
|
|
224
|
-
homepage: https://github.com/saml-
|
|
230
|
+
homepage: https://github.com/saml-toolkits/ruby-saml
|
|
225
231
|
licenses:
|
|
226
232
|
- MIT
|
|
227
233
|
metadata: {}
|
|
@@ -241,7 +247,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
241
247
|
- !ruby/object:Gem::Version
|
|
242
248
|
version: '0'
|
|
243
249
|
requirements: []
|
|
244
|
-
rubygems_version: 3.
|
|
250
|
+
rubygems_version: 3.4.1
|
|
245
251
|
signing_key:
|
|
246
252
|
specification_version: 4
|
|
247
253
|
summary: SAML Ruby Tookit
|