ruby-saml 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0b01f4f740dfe49133d17e2bfbb42a470a6a0ecd
-  data.tar.gz: 00f47e3eaadebe97288df5daa096a9b0f26f92a7
+  metadata.gz: ebddaf61706d9ea22f5dfe8f8857d38633bd8b34
+  data.tar.gz: 17e92a96f7ad6fde5764d5238f6c7abe165b2f9d
 SHA512:
-  metadata.gz: d7dd26e1057a4d9e535debae7c91bfef6a34b9d46eb04557684bd53daed1dd00ab5cc52dbe1e4dc73114b2b28d49be8cb18c15b9cab04017aba97c5d1140df2f
-  data.tar.gz: 6aa8e7af6e43749954e8288002d2d7daef999109520888a7f5569dae32c9e0f3c09cece48687ac4e035e61ce14fa8d63a1f22e376a0a321b1775dc7718b94a94
+  metadata.gz: 340ffba316ae676dc6b12049f3e4936c74e6b296ab0fbbdc86906dcb322c5eb6430eabbe930bb3dc114bb0e8cfe7b0220e0c1ddbb31b98178a9f71318cfdf812
+  data.tar.gz: e690b29654a0d1389278f7feee2d65d6ebba3118a634e727486845607c46a9460a546935f4fc78f89c4ce6cc339af555f35aa447f3f74ebab62714de0f917693

data/LICENSE

@@ -1,19 +1,23 @@
-Copyright (c) 2010-2015 OneLogin, LLC
+Copyright (c) 2010-2016 OneLogin, Inc.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/README.md

@@ -56,6 +56,10 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * Do not change rakefile, version, or history.
 * Open a pull request, following [this template](https://gist.github.com/Lordnibbler/11002759).
 
+## Security Guidelines
+
+If you believe you have discovered a security vulnerability in this gem, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+
 ## Getting Started
 In order to use the toolkit you will need to install the gem (either manually or using Bundler), and require the library in your Ruby application:
 

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -50,7 +50,6 @@ module OneLogin
           settings.idp_cert = certificate_base64
           settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
           settings.idp_attribute_names = attribute_names
-          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
         end
       end
 
@@ -209,7 +208,7 @@ module OneLogin
 
       # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(fingerprint_algorithm)
+      def fingerprint(fingerprint_algorithm = XMLSecurity::Document::SHA1)
         @fingerprint ||= begin
           if certificate
             cert = OpenSSL::X509::Certificate.new(certificate)

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.3.0'
+    VERSION = '1.3.1'
   end
 end

data/test/response_test.rb

@@ -1288,17 +1288,4 @@ class RubySamlTest < Minitest::Test
      assert_equal "ZdrjpwEdw22vKoxWAbZB78/gQ7s=", response.attributes.single('urn:oid:1.3.6.1.4.1.5923.1.1.1.10')
     end
   end
-
-  describe "attack" do
-    it "should not be valid" do
-      settings.private_key = ruby_saml_key_text
-      signature_wrapping_attack = read_invalid_response("encrypted_new_attack.xml.base64")
-      response_wrapped = OneLogin::RubySaml::Response.new(signature_wrapping_attack, :settings => settings)
-      response_wrapped.stubs(:conditions).returns(nil)
-      response_wrapped.stubs(:validate_subject_confirmation).returns(true)
-      settings.idp_cert_fingerprint = "385b1eec71143f00db6af936e2ea12a28771d72c"
-      assert !response_wrapped.is_valid?
-    end
-  end
-
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-24 00:00:00.000000000 Z
+date: 2016-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri