RubyGems - ruby-saml - Versions diffs - 1.9.0 → 1.12.0 - Mend

ruby-saml 1.9.0 → 1.12.0

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (157) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d36c7827c8bb0a1ab808a352ecb85bb925aca401
-  data.tar.gz: e823dc21a31d81901cad0bdcdc2c5f737ed37d42
+SHA256:
+  metadata.gz: 43bc92cf8a14835577d9bb32d1bdcef71fd5ffccb351dd41ac9b56863fb173c7
+  data.tar.gz: e7975fcf413d9c64801f7b5190246685548205034dc74315bc169738697e1006
 SHA512:
-  metadata.gz: d2a444bfe39a2236b37ff979015dd1b7e82f06d06f23abf38251bebdc33b64ca91b76c128811a7636335b00bfa1609ef0a7a450ff99be8613ea6f0d4f2aea22d
-  data.tar.gz: 974a863b07f77aaef63393a23d825a1af3bfd3acc4e5d8ad00902d5efd556cf7d2062dac80e44f06c5a5cbe42154ffe2632351d897f18bcc7210fa0582b24d7e
+  metadata.gz: 0a09fcb8777969eb6d54b29d20520c7e17e3f7dc128cfc81475eba8c9b31f5926f2b64d308b18268762b43fb60cf7956f6e266c1f5343d2b9d58e545be0c3392
+  data.tar.gz: 8e9008647a610935764b2f578b76c5eb72d09be482d76b5f4d8ab51fd29d4569a3ba2e2db61f63fbdde27bd1be14bf4afdeffe1c7f699afc0b7d5e1c85d0fe09

data/.travis.yml CHANGED Viewed

@@ -1,32 +1,48 @@
-sudo: false
 language: ruby
 rvm:
-  - 1.8.7
   - 1.9.3
   - 2.0.0
-  - 2.1.5
-  - 2.2.0
-  - 2.3.0
-  - 2.4.0
-  - 2.5.0
-  - ree
+  - 2.1.10
+  - 2.2.10
+  - 2.3.8
+  - 2.4.6
+  - 2.5.8
+  - 2.6.6
+  - 2.7.2
+  - 3.0.0
   - jruby-1.7.27
   - jruby-9.1.17.0
-  - jruby-9.2.0.0
+  - jruby-9.2.13.0
 gemfile:
   - Gemfile
   - gemfiles/nokogiri-1.5.gemfile
+before_install:
+  - gem update bundler
 matrix:
   exclude:
-    - rvm: 1.8.7
-      gemfile: Gemfile
-    - rvm: ree
-      gemfile: Gemfile
     - rvm: jruby-1.7.27
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: jruby-9.1.17.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.0.0
+    - rvm: jruby-9.2.13.0
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.1.5
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.1.10
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.2.10
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.3.8
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.4.6
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.5.8
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.6.6
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 2.7.2
+      gemfile: gemfiles/nokogiri-1.5.gemfile
+    - rvm: 3.0.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
 env:
   - JRUBY_OPTS="--debug"

data/README.md CHANGED Viewed

@@ -1,4 +1,22 @@
-# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master)](https://coveralls.io/r/onelogin/ruby-saml?branch=master)
+## Updating from 1.11.x to 1.12.0
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+## Updating from 1.10.x to 1.11.0
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and `settings.security[:check_sp_cert_expiration]` (both false by default) that check if the IdP or SP X.509 certificate has expired, respectively.
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+Version `1.10.1` improves Ruby 1.8.7 support.
+## Updating from 1.9.0 to 1.10.0
+Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor, Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated and updates the format_cert method to accept certs with /\x0d/
+## Updating from 1.8.0 to 1.9.0
+Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization now has a second parameter, `keep_security_settings` (default: false), which saves security settings attributes that are not explicitly overridden, if set to true.
 ## Updating from 1.7.X to 1.8.0
 On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState param will not generate a URL with an empty RelayState parameter anymore. It also changes the invalid audience error message.
@@ -99,8 +117,12 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 2.2.x
 * 2.3.x
 * 2.4.x
+* 2.5.x
+* 2.6.x
+* 2.7.x
 * JRuby 1.7.19
 * JRuby 9.0.0.0
+* JRuby 9.2.0.0
 ## Adding Features, Pull Requests
 * Fork the repository
@@ -114,6 +136,17 @@ We created a demo project for Rails4 that uses the latest version of this librar
 If you believe you have discovered a security vulnerability in this gem, please report it at https://www.onelogin.com/security with a description. We follow responsible disclosure guidelines, and will work with you to quickly find a resolution.
+### Security warning
+Some tools may incorrectly report ruby-saml is a potential security vulnerability.
+ruby-saml depends on Nokogiri, and it's possible to use Nokogiri in a dangerous way
+(by enabling its DTDLOAD option and disabling its NONET option).
+This dangerous Nokogiri configuration, which is sometimes used by other components,
+can create an XML External Entity (XXE) vulnerability if the XML data is not trusted.
+However, ruby-saml never enables this dangerous Nokogiri configuration;
+ruby-saml never enables DTDLOAD, and it never disables NONET.
 ## Getting Started
 In order to use the toolkit you will need to install the gem (either manually or using Bundler), and require the library in your Ruby application:
@@ -121,7 +154,7 @@ Using `Gemfile`
 ```ruby
 # latest stable
-gem 'ruby-saml', '~> 1.8.0'
+gem 'ruby-saml', '~> 1.11.0'
 # or track master for bleeding-edge
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'
@@ -170,7 +203,7 @@ To override the default behavior and control the destination of log messages, pr
 a ruby Logger object to the gem's logging singleton:
 ```ruby
-OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w'))
+OneLogin::RubySaml::Logging.logger = Logger.new('/var/log/ruby-saml.log')
 ```
 ## The Initialization Phase
@@ -184,6 +217,17 @@ def init
 end
 ```
+If the SP knows who should be authenticated in the IdP, then can provide that info as follows:
+```ruby
+def init
+  request = OneLogin::RubySaml::Authrequest.new
+  saml_settings.name_identifier_value_requested = "testuser@example.com"
+  saml_settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+  redirect_to(request.create(saml_settings))
+end
+```
 Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption. This can look something like this (the `authorize_success` and `authorize_failure` methods are specific to your application):
 ```ruby
@@ -197,6 +241,7 @@ def consume
      session[:attributes] = response.attributes
   else
     authorize_failure  # This method shows an error message
+    # List of errors is available in response.errors array
   end
 end
 ```
@@ -218,10 +263,10 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
-  settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
-  settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
+  settings.idp_sso_service_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
+  settings.idp_slo_service_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -242,6 +287,8 @@ def saml_settings
 end
 ```
+The use of settings.issuer is deprecated in favour of settings.sp_entity_id since version 1.11.0
 Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 ```ruby
@@ -249,6 +296,7 @@ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnst
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check
 ```
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:
@@ -272,6 +320,7 @@ class SamlController < ApplicationController
        session[:attributes] = response.attributes
     else
       authorize_failure  # This method shows an error message
+      # List of errors is available in response.errors array
     end
   end
@@ -281,8 +330,8 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = "http://#{request.host}/saml/metadata"
-    settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+    settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
+    settings.idp_sso_service_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -344,7 +393,7 @@ def saml_settings
   settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   # Optional for most SAML IdPs
   settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -355,11 +404,11 @@ end
 The following attributes are set:
   * idp_entity_id
   * name_identifier_format
-  * idp_sso_target_url
-  * idp_slo_target_url
+  * idp_sso_service_url
+  * idp_slo_service_url
   * idp_attribute_names
-  * idp_cert
-  * idp_cert_fingerprint
+  * idp_cert
+  * idp_cert_fingerprint
   * idp_cert_multi
 ### Retrieve one Entity Descriptor when many exist in Metadata
@@ -422,6 +471,9 @@ Imagine this `saml:AttributeStatement`
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
       <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
     </saml:Attribute>
+    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
+      <saml:AttributeValue>usersName</saml:AttributeValue>
+    </saml:Attribute>
   </saml:AttributeStatement>
 ```
@@ -432,7 +484,8 @@ pp(response.attributes)   # is an OneLogin::RubySaml::Attributes object
    "another_value"=>["value1", "value2"],
    "role"=>["role1", "role2", "role3"],
    "attribute_with_nil_value"=>[nil],
-   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]}>
+   "attribute_with_nils_and_empty_strings"=>["", "valuePresent", nil, nil]
+   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"=>["usersName"]}>
 # Active single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = true
@@ -449,6 +502,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
+pp(response.attributes.fetch(:role))
+# => "role1"
 pp(response.attributes[:attribute_with_nil_value])
 # => nil
@@ -464,6 +520,9 @@ pp(response.attributes.single(:not_exists))
 pp(response.attributes.multi(:not_exists))
 # => nil
+pp(response.attributes.fetch(/givenname/))
+# => "usersName"
 # Deactive single_value_compatibility
 OneLogin::RubySaml::Attributes.single_value_compatibility = false
@@ -479,6 +538,9 @@ pp(response.attributes.single(:role))
 pp(response.attributes.multi(:role))
 # => ["role1", "role2", "role3"]
+pp(response.attributes.fetch(:role))
+# => ["role1", "role2", "role3"]
 pp(response.attributes[:attribute_with_nil_value])
 # => [nil]
@@ -493,11 +555,17 @@ pp(response.attributes.single(:not_exists))
 pp(response.attributes.multi(:not_exists))
 # => nil
+pp(response.attributes.fetch(/givenname/))
+# => ["usersName"]
 ```
 The `saml:AuthnContextClassRef` of the AuthNRequest can be provided by `settings.authn_context`; possible values are described at [SAMLAuthnCxt]. The comparison method can be set using `settings.authn_context_comparison` parameter. Possible values include: 'exact', 'better', 'maximum' and 'minimum' (default value is 'exact').
 To add a `saml:AuthnContextDeclRef`, define `settings.authn_context_decl_ref`.
+In a SP-initiated flow, the SP can indicate to the IdP the subject that should be authenticated. This is done by defining the `settings.name_identifier_value_requested` before
+building the authrequest object.
 ## Signing
@@ -525,6 +593,8 @@ The settings related to sign are stored in the `security` attribute of the setti
   # Embeded signature or HTTP GET parameter signature
   # Note that metadata signature is always embedded regardless of this value.
   settings.security[:embed_sign] = false
+  settings.security[:check_idp_cert_expiration] = false   # Enable or not IdP x509 cert expiration check
+  settings.security[:check_sp_cert_expiration] = false   # Enable or not SP x509 cert expiration check
 ```
 Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding.
@@ -532,7 +602,7 @@ Remember to provide it to the Signature builder if you are sending a `GET RelayS
 signature validation process will fail at the Identity Provider.
 The Service Provider will sign the request/responses with its private key.
-The Identity Provider will validate the sign of the received request/responses with the public x500 cert of the
+The Identity Provider will validate the sign of the received request/responses with the public x509 cert of the
 Service Provider.
 Notice that this toolkit uses 'settings.certificate' and 'settings.private_key' for the sign and decrypt processes.
@@ -573,21 +643,27 @@ def sp_logout_request
   # LogoutRequest accepts plain browser requests w/o paramters
   settings = saml_settings
-  if settings.idp_slo_target_url.nil?
+  if settings.idp_slo_service_url.nil?
     logger.info "SLO IdP Endpoint not found in settings, executing then a normal logout'"
     delete_session
   else
-    # Since we created a new SAML request, save the transaction_id
-    # to compare it with the response we get back
     logout_request = OneLogin::RubySaml::Logoutrequest.new()
-    session[:transaction_id] = logout_request.uuid
-    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{session[:transaction_id]}'"
+    logger.info "New SP SLO for userid '#{session[:userid]}' transactionid '#{logout_request.uuid}'"
     if settings.name_identifier_value.nil?
       settings.name_identifier_value = session[:userid]
     end
+    # Ensure user is logged out before redirect to IdP, in case anything goes wrong during single logout process (as recommended by saml2int [SDP-SP34])
+    logged_user = session[:userid]
+    logger.info "Delete session for '#{session[:userid]}'"
+    delete_session
+    # Save the transaction_id to compare it with the response we get back
+    session[:transaction_id] = logout_request.uuid
+    session[:logged_out_user] = logged_user
     relayState =  url_for controller: 'saml', action: 'index'
     redirect_to(logout_request.create(settings, :RelayState => relayState))
   end
@@ -615,7 +691,7 @@ def process_logout_response
     logger.error "The SAML Logout Response is invalid"
   else
     # Actually log out this session
-    logger.info "Delete session for '#{session[:userid]}'"
+    logger.info "SLO completed for '#{session[:logged_out_user]}'"
     delete_session
   end
 end
@@ -624,6 +700,8 @@ end
 def delete_session
   session[:userid] = nil
   session[:attributes] = nil
+  session[:transaction_id] = nil
+  session[:logged_out_user] = nil
 end
 ```
@@ -636,7 +714,7 @@ def idp_logout_request
   logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest])
   if !logout_request.is_valid?
     logger.error "IdP initiated LogoutRequest was not valid!"
-    render :inline => logger.error
+    return render :inline => logger.error
   end
   logger.info "IdP initiated Logout for #{logout_request.name_id}"
@@ -691,6 +769,14 @@ class SamlController < ApplicationController
 end
 ```
+You can add ValidUntil and CacheDuration to the XML Metadata using instead
+```ruby
+  # Valid until => 2 days from now
+  # Cache duration = 604800s = 1 week
+  valid_until = Time.now + 172800
+  cache_duration = 604800
+  meta.generate(settings, false, valid_until, cache_duration)
+```
 ## Clock Drift

data/changelog.md CHANGED Viewed

@@ -1,5 +1,43 @@
 # RubySaml Changelog
+### 1.12.0 (Feb 18, 2021)
+* Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
+* Adding idp_sso_service_url and idp_slo_service_url settings
+* [#536](https://github.com/onelogin/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
+* Reduce size of built gem by excluding the test folder
+* Improve protection on Zlib deflate decompression bomb attack.
+* Add ValidUntil and cacheDuration support on Metadata generator
+* Add support for cacheDuration at the IdpMetadataParser
+* Support customizable statusCode on generated LogoutResponse
+* [#545](https://github.com/onelogin/ruby-saml/pull/545) More specific error messages for signature validation
+* Support Process Transform
+* Raise SettingError if invoking an action with no endpoint defined on the settings
+* Made IdpMetadataParser more extensible for subclasses
+*[#548](https://github.com/onelogin/ruby-saml/pull/548) Add :skip_audience option
+* [#555](https://github.com/onelogin/ruby-saml/pull/555) Define 'soft' variable to prevent exception when doc cert is invalid
+* Improve documentation
+### 1.11.0 (Jul 24, 2019)
+* Deprecate settings.issuer in favor of settings.sp_entity_id
+* Add support for certification expiration
+### 1.10.2 (Apr 29, 2019)
+* Add valid until, accessor
+* Fix Rubygem metadata that requested nokogiri <= 1.5.11
+### 1.10.1 (Apr 08, 2019)
+* Fix ruby 1.8.7 incompatibilities
+### 1.10.0 (Mar 21, 2019)
+* Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user to be authenticated
+* Improves IdpMetadataParser to allow parse multiple IDPSSODescriptors
+* Improves format_cert method to accept certs with /\x0d/
+* Forces nokogiri >= 1.8.2 when possible
 ### 1.9.0 (Sept 03, 2018)
 * [#458](https://github.com/onelogin/ruby-saml/pull/458) Remove ruby 2.4+ warnings
 * Improve JRuby support

data/lib/onelogin/ruby-saml/attributes.rb CHANGED Viewed

@@ -79,7 +79,7 @@ module OneLogin
         self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
-      # @return [Array] Return all attributes as an array
+      # @return [Hash] Return all attributes as a hash
       #
       def all
         attributes
@@ -113,6 +113,29 @@ module OneLogin
         end
       end
+      # Fetch attribute value using name or regex
+      # @param name [String|Regexp] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def fetch(name)
+        attributes.each_key do |attribute_key|
+          if name.is_a?(Regexp)
+            if name.method_exists? :match?
+              return self[attribute_key] if name.match?(attribute_key)
+            else
+              return self[attribute_key] if name.match(attribute_key)
+            end
+          elsif canonize_name(name) == canonize_name(attribute_key)
+            return self[attribute_key]
+          end
+        end
+        nil
+      end
       protected
       # stringifies all names so both 'email' and :email return the same result