RubyGems - saml2 - Versions diffs - 1.0.1 → 1.0.2 - Mend

saml2 1.0.1 → 1.0.2

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/saml2/assertion.rb +5 -1
data/lib/saml2/conditions.rb +74 -0
data/lib/saml2/response.rb +4 -0
data/lib/saml2/version.rb +1 -1
data/spec/fixtures/response_signed.xml +8 -8
data/spec/fixtures/response_with_attribute_signed.xml +8 -8
data/spec/lib/conditions_spec.rb +69 -0
data/spec/lib/response_spec.rb +2 -0
metadata +5 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5b7d46d26e196c43de38dbea14bf3be6bbd0e212
-  data.tar.gz: 4eb34e5bec906dff3f6ebb748ec13f4aeee113da
+  metadata.gz: 314105963831ad59d852c507bdd5a6d5e9144735
+  data.tar.gz: 6b913cac8cf8b4df318e3896a11f1ef583325a36
 SHA512:
-  metadata.gz: 22b0948988e9aa48b0919f9df1e1831e84bc6f15cedd8a820e3e844232302e1a7e538b4a576d067048c3bb5ba8ec314a6eec54422eb80d76c5c2aa050da7f311
-  data.tar.gz: 4564507cda91f5aea94e4b7102ac433c27b80de8b889416e0a8c5b9f94ed1c99aab5dc87880a6b289e84ba86249bb7d89d2d4669eae8ad7797175134c7d34f8d
+  metadata.gz: c8483963f3dde271d6a61dbfb812a1a91dc5054296eac2aa69369f6148b228b1283031fac1dc17e6131fecbd97ceade0e2a826a50b49a22a15b0dab47e83e4ea
+  data.tar.gz: 0602173e8d090329e2d9b950affde276c20e409914c99f7a0ddae878b25352682fa33b0538269897865fc765de668016036e104e4c8f2727f9fc7187f365a118

data/lib/saml2/assertion.rb CHANGED

@@ -1,12 +1,15 @@
+require 'saml2/conditions'
 module SAML2
   class Assertion
-    attr_reader :id, :issue_instant, :statements
+    attr_reader :id, :issue_instant, :conditions, :statements
     attr_accessor :issuer, :subject
     def initialize
       @id = "_#{SecureRandom.uuid}"
       @issue_instant = Time.now.utc
       @statements = []
+      @conditions = Conditions.new
     end
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
@@ -33,6 +36,7 @@ module SAML2
           subject.build(builder)
+          conditions.build(builder)
           statements.each { |stmt| stmt.build(builder) }
         end
       end.doc.root

data/lib/saml2/conditions.rb ADDED

@@ -0,0 +1,74 @@
+module SAML2
+  class Conditions < Array
+    attr_accessor :not_before, :not_on_or_after
+    def valid?(options = {})
+      now = options[:now] || Time.now
+      return :invalid if not_before && now < not_before
+      return :invalid if not_on_or_after && now >= not_on_or_after
+      result = :valid
+      each do |condition|
+        this_result = condition.valid?(options)
+        case this_result
+        when :invalid
+          return :invalid
+        when :indeterminate
+          result = :indeterminate
+          when :valid
+        else
+          raise "unknown validity of #{condition}"
+        end
+      end
+      result
+    end
+    def build(builder)
+      builder['saml'].Conditions do |builder|
+        builder.parent['NotBefore'] = not_before.iso8601 if not_before
+        builder.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
+        each do |condition|
+          condition.build(builder)
+        end
+      end
+    end
+    # Any unknown condition
+    class Condition
+      def valid?(_)
+        :indeterminate
+      end
+    end
+    class AudienceRestriction < Condition
+      attr_accessor :audience
+      def initialize(audience)
+        @audience = audience
+      end
+      def valid?(options)
+        Array(audience).include?(options[:audience]) ? :valid : :invalid
+      end
+      def build(builder)
+        builder['saml'].AudienceRestriction do |builder|
+          Array(audience).each do |single_audience|
+            builder['saml'].Audience(single_audience)
+          end
+        end
+      end
+    end
+    class OneTimeUse < Condition
+      def valid?(_)
+        :valid
+      end
+      def build(builder)
+        builder['saml'].OneTimeUse
+      end
+    end
+  end
+end

data/lib/saml2/response.rb CHANGED

@@ -27,6 +27,8 @@ module SAML2
         statement = authn_request.attribute_consuming_service.create_statement(attributes)
         response.assertions.first.statements << statement if statement
       end
+      response.assertions.first.conditions << Conditions::AudienceRestriction.new(authn_request.issuer.id)
       response
     end
@@ -42,6 +44,8 @@ module SAML2
       assertion.subject.confirmation.not_on_or_after = Time.now.utc + 30
       assertion.subject.confirmation.recipient = response.destination if response.destination
       assertion.issuer = issuer
+      assertion.conditions.not_before = Time.now.utc - 5
+      assertion.conditions.not_on_or_after = Time.now.utc + 30
       authn_statement = AuthnStatement.new
       authn_statement.authn_instant = response.issue_instant
       authn_statement.authn_context_class_ref = AuthnStatement::Classes::UNSPECIFIED

data/lib/saml2/version.rb CHANGED

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

data/spec/fixtures/response_signed.xml CHANGED

@@ -9,15 +9,15 @@
 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </Transforms>
 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-<DigestValue>dRjiJ4yQ4ujjWB87gOoYZ5sYaUVJc0SSH2YzWwH+Z4Y=</DigestValue>
+<DigestValue>HFJ1RMKtE+J23K/mQqdClLWsdjwboU9M+uTX+PcN/LU=</DigestValue>
 </Reference>
 </SignedInfo>
-<SignatureValue>jJYv2J8bXQSnDT48bb3/K2iV/gIUDGC5w+Q4HJ9MAPBuyhupHDTCb1XwrjJHurx0
-QLxo8RqgIeZKDj0bKiy8zdVn2+9SX6bHYOl4Ca0lNVHE0vum2nlZwsfLALf2oBpo
-fr11sln9SXlHbI+6tcd9j49uUjIj5jpPWdY6jEwoOTLMcsVdrxwpxAF1USDSGEpI
-omFtlxj0sdfo+0VwjPkdlDL3Cl66uTa2t1ZXJxY4dXqzyFyuRsfEBe4FtXYvo0g9
-GuAW2UCuMhXzGl+CJHAfIG9yYPe+YTE7HOy8t+OteHkN6ZalI5CW53zmGQs3oMWQ
-QOgTrVgJMSDhFZqpoIvVLg==</SignatureValue>
+<SignatureValue>oRUU3idevSgM2QCidYqLAL5Ki2H8qxvkIVw9yNrbv9Mg2D7126wPMerWyKeP+ops
+6ploHMV0MQRyEFA+4PJ3ZsBU1daVSt3plh+6Szm5zIhWUEc3HhvQirv5IP1lfcxQ
+IopKnpiZkH9QMLolCLMIfCbOIuIfmssmsEagU/S3aoRVgZLA/x15z2hNEiB+tMqr
+Elc7i5V81ztnEx47yJhf/mAiZcnLqpnbpJ9XN4NF43QSgkRNU4vCQsx0zA6gj9MB
+D5h/CKy7KMn+LtaLkHIfv6Y//xN+61PrQ7sr5FIsCGg9XBvXC3PrwEVdADx4/dZO
+JrJ/DBFeEc8K1KSMXm5qrQ==</SignatureValue>
 <KeyInfo>
 <X509Data>
 <X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
@@ -44,4 +44,4 @@ Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
 ZtltN+yN40INHGRWnHc=</X509Certificate>
 </X509Data>
 </KeyInfo>
-</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/response_with_attribute_signed.xml CHANGED

@@ -9,15 +9,15 @@
 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </Transforms>
 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-<DigestValue>cNsW8tqrcA6HB+H8gOA5bAswPLLyN8tH9j53exrhfjU=</DigestValue>
+<DigestValue>b9jIvyyPEhWc/kHYHUA8LTCz4pwYSRCE+CL+SNqmiEk=</DigestValue>
 </Reference>
 </SignedInfo>
-<SignatureValue>JuL8PNrAiqNODwMa94qvvJMPEpjFG0yAbd58Rj7iUTeiAYE+26k9xRvYTsF3z3Va
-Xt3yOBZFoOt40AwKiZ3sqPnCM5GrBtrApcRcBoxBYwr/2bSGfhoIxO1Y51VHBOTM
-SoBkLUNJAPI6YJtJF2CZJA1Gv92/n/PMvQFDK2LHN/0Jbcy8ebvg1q/Wu9vJIgcY
-TIan4wrByBQHX16CNR+JDrdBIxe/GKI+6GzGsRr+V9CgLRdyvpevFLYFmmn1gOx7
-gLypwLteGo0eX5nclwVD0N6GjqUpW8eYGPFUiErgZp36DZBXy9sCT8Pz1h35daXs
-8dfw7cO59iYT4vSDFqIE6A==</SignatureValue>
+<SignatureValue>eHHTFNYA1VNbzFOtsoTGn4A+BXdKFXHfJNvWWU52L1kBUfCyeFNVLby03yQRw+CO
+71JomuTy/jpWU50h27sOfXjWjPkiULRHNPWuDIglrOgnUpu2HeD+i9IoA69/vF9J
+Bmwm2IubzhBAxc70Dm/oXZ238bN0E+c2u4B9jp6MdVXSL7RDmfKAU19ABAZlYTmJ
+4xXlS0fjrGPOn+BszBR9BNLDvNST/MgaGmwAU0esP5dYzC0Pwi9lOGD5bO+MOxTp
+TBx9e0KY3BTEVVOxl8G6M8w9nx5mnKMgHpPq5P/uMHv7m8gUVdMQ8lDvPqyEibPw
+ABIureP4iKebJVl7JTeoYA==</SignatureValue>
 <KeyInfo>
 <X509Data>
 <X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
@@ -44,4 +44,4 @@ Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
 ZtltN+yN40INHGRWnHc=</X509Certificate>
 </X509Data>
 </KeyInfo>
-</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/lib/conditions_spec.rb ADDED

@@ -0,0 +1,69 @@
+require_relative '../spec_helper'
+module SAML2
+  describe Conditions do
+    it "empty should be valid" do
+      Conditions.new.valid?.must_equal :valid
+    end
+    it "should be valid with unknown condition" do
+      conditions = Conditions.new
+      conditions << Conditions::Condition.new
+      conditions.valid?.must_equal :indeterminate
+    end
+    it "should be valid with timestamps" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 5
+      conditions.not_on_or_after = now + 30
+      conditions.valid?.must_equal :valid
+    end
+    it "should be invalid with out of range timestamps" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 35
+      conditions.not_on_or_after = now - 5
+      conditions.valid?.must_equal :invalid
+    end
+    it "should allow passing now" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 35
+      conditions.not_on_or_after = now - 5
+      conditions.valid?(now: now - 10).must_equal :valid
+    end
+    it "should be invalid before indeterminate" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now + 5
+      conditions << Conditions::Condition.new
+      conditions.valid?.must_equal :invalid
+    end
+    it "should be invalid before indeterminate (actual conditions)" do
+      conditions = Conditions.new
+      conditions << Conditions::Condition.new
+      conditions << Conditions::AudienceRestriction.new('audience')
+      conditions.valid?.must_equal :invalid
+    end
+  end
+  describe Conditions::AudienceRestriction do
+    it "should be invalid" do
+      Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual').must_equal :invalid
+    end
+    it "should be valid" do
+      Conditions::AudienceRestriction.new('expected').valid?(audience: 'expected').must_equal :valid
+    end
+    it "should be valid with an array" do
+      Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual').must_equal :valid
+    end
+  end
+end

data/spec/lib/response_spec.rb CHANGED

@@ -28,6 +28,8 @@ module SAML2
       assertion.instance_variable_set(:@id, "_cdfc3faf-90ad-462f-880d-677483210684")
       response.instance_variable_set(:@issue_instant, Time.parse("2015-02-12T22:51:29Z"))
       assertion.instance_variable_set(:@issue_instant, Time.parse("2015-02-12T22:51:29Z"))
+      assertion.conditions.not_before = Time.parse("2015-02-12T22:51:24Z")
+      assertion.conditions.not_on_or_after = Time.parse("2015-02-12T22:51:59Z")
       assertion.statements.first.authn_instant = Time.parse("2015-02-12T22:51:29Z")
       confirmation = assertion.subject.confirmation
       confirmation.not_on_or_after = Time.parse("2015-02-12T22:54:29Z")

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-24 00:00:00.000000000 Z
+date: 2015-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -102,6 +102,7 @@ files:
 - lib/saml2/authn_request.rb
 - lib/saml2/authn_statement.rb
 - lib/saml2/base.rb
+- lib/saml2/conditions.rb
 - lib/saml2/contact.rb
 - lib/saml2/endpoint.rb
 - lib/saml2/engine.rb
@@ -139,6 +140,7 @@ files:
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/attribute_spec.rb
 - spec/lib/authn_request_spec.rb
+- spec/lib/conditions_spec.rb
 - spec/lib/entity_spec.rb
 - spec/lib/identity_provider_spec.rb
 - spec/lib/indexed_object_spec.rb
@@ -182,6 +184,7 @@ test_files:
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/attribute_spec.rb
 - spec/lib/authn_request_spec.rb
+- spec/lib/conditions_spec.rb
 - spec/lib/entity_spec.rb
 - spec/lib/identity_provider_spec.rb
 - spec/lib/indexed_object_spec.rb