RubyGems - saml2 - Versions diffs - 1.0.1 → 1.0.2 - Mend

saml2 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/saml2/assertion.rb +5 -1
data/lib/saml2/conditions.rb +74 -0
data/lib/saml2/response.rb +4 -0
data/lib/saml2/version.rb +1 -1
data/spec/fixtures/response_signed.xml +8 -8
data/spec/fixtures/response_with_attribute_signed.xml +8 -8
data/spec/lib/conditions_spec.rb +69 -0
data/spec/lib/response_spec.rb +2 -0
metadata +5 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5b7d46d26e196c43de38dbea14bf3be6bbd0e212
-  data.tar.gz: 4eb34e5bec906dff3f6ebb748ec13f4aeee113da
+  metadata.gz: 314105963831ad59d852c507bdd5a6d5e9144735
+  data.tar.gz: 6b913cac8cf8b4df318e3896a11f1ef583325a36
 SHA512:
-  metadata.gz: 22b0948988e9aa48b0919f9df1e1831e84bc6f15cedd8a820e3e844232302e1a7e538b4a576d067048c3bb5ba8ec314a6eec54422eb80d76c5c2aa050da7f311
-  data.tar.gz: 4564507cda91f5aea94e4b7102ac433c27b80de8b889416e0a8c5b9f94ed1c99aab5dc87880a6b289e84ba86249bb7d89d2d4669eae8ad7797175134c7d34f8d
+  metadata.gz: c8483963f3dde271d6a61dbfb812a1a91dc5054296eac2aa69369f6148b228b1283031fac1dc17e6131fecbd97ceade0e2a826a50b49a22a15b0dab47e83e4ea
+  data.tar.gz: 0602173e8d090329e2d9b950affde276c20e409914c99f7a0ddae878b25352682fa33b0538269897865fc765de668016036e104e4c8f2727f9fc7187f365a118

data/lib/saml2/assertion.rb CHANGED

@@ -1,12 +1,15 @@
+require 'saml2/conditions'
 module SAML2
   class Assertion
-    attr_reader :id, :issue_instant, :statements
+    attr_reader :id, :issue_instant, :conditions, :statements
     attr_accessor :issuer, :subject
     def initialize
       @id = "_#{SecureRandom.uuid}"
       @issue_instant = Time.now.utc
       @statements = []
+      @conditions = Conditions.new
     end
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
@@ -33,6 +36,7 @@ module SAML2
           subject.build(builder)
+          conditions.build(builder)
           statements.each { |stmt| stmt.build(builder) }
         end
       end.doc.root

data/lib/saml2/conditions.rb ADDED

@@ -0,0 +1,74 @@
+module SAML2
+  class Conditions < Array
+    attr_accessor :not_before, :not_on_or_after
+    def valid?(options = {})
+      now = options[:now] || Time.now
+      return :invalid if not_before && now < not_before
+      return :invalid if not_on_or_after && now >= not_on_or_after
+      result = :valid
+      each do |condition|
+        this_result = condition.valid?(options)
+        case this_result
+        when :invalid
+          return :invalid
+        when :indeterminate
+          result = :indeterminate
+          when :valid
+        else
+          raise "unknown validity of #{condition}"
+        end
+      end
+      result
+    end
+    def build(builder)
+      builder['saml'].Conditions do |builder|
+        builder.parent['NotBefore'] = not_before.iso8601 if not_before
+        builder.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
+        each do |condition|
+          condition.build(builder)
+        end
+      end
+    end
+    # Any unknown condition
+    class Condition
+      def valid?(_)
+        :indeterminate
+      end
+    end
+    class AudienceRestriction < Condition
+      attr_accessor :audience
+      def initialize(audience)
+        @audience = audience
+      end
+      def valid?(options)
+        Array(audience).include?(options[:audience]) ? :valid : :invalid
+      end
+      def build(builder)
+        builder['saml'].AudienceRestriction do |builder|
+          Array(audience).each do |single_audience|
+            builder['saml'].Audience(single_audience)
+          end
+        end
+      end
+    end
+    class OneTimeUse < Condition
+      def valid?(_)
+        :valid
+      end
+      def build(builder)
+        builder['saml'].OneTimeUse
+      end
+    end
+  end
+end

data/lib/saml2/response.rb CHANGED

@@ -27,6 +27,8 @@ module SAML2
         statement = authn_request.attribute_consuming_service.create_statement(attributes)
         response.assertions.first.statements << statement if statement
       end
+      response.assertions.first.conditions << Conditions::AudienceRestriction.new(authn_request.issuer.id)
       response
     end
@@ -42,6 +44,8 @@ module SAML2
       assertion.subject.confirmation.not_on_or_after = Time.now.utc + 30
       assertion.subject.confirmation.recipient = response.destination if response.destination
       assertion.issuer = issuer
+      assertion.conditions.not_before = Time.now.utc - 5
+      assertion.conditions.not_on_or_after = Time.now.utc + 30
       authn_statement = AuthnStatement.new
       authn_statement.authn_instant = response.issue_instant
       authn_statement.authn_context_class_ref = AuthnStatement::Classes::UNSPECIFIED

data/lib/saml2/version.rb CHANGED

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

data/spec/fixtures/response_signed.xml CHANGED

@@ -9,15 +9,15 @@
 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </Transforms>
 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-<DigestValue>dRjiJ4yQ4ujjWB87gOoYZ5sYaUVJc0SSH2YzWwH+Z4Y=</DigestValue>
+<DigestValue>HFJ1RMKtE+J23K/mQqdClLWsdjwboU9M+uTX+PcN/LU=</DigestValue>
 </Reference>
 </SignedInfo>
-<SignatureValue>jJYv2J8bXQSnDT48bb3/K2iV/gIUDGC5w+Q4HJ9MAPBuyhupHDTCb1XwrjJHurx0
-QLxo8RqgIeZKDj0bKiy8zdVn2+9SX6bHYOl4Ca0lNVHE0vum2nlZwsfLALf2oBpo
-fr11sln9SXlHbI+6tcd9j49uUjIj5jpPWdY6jEwoOTLMcsVdrxwpxAF1USDSGEpI
-omFtlxj0sdfo+0VwjPkdlDL3Cl66uTa2t1ZXJxY4dXqzyFyuRsfEBe4FtXYvo0g9
-GuAW2UCuMhXzGl+CJHAfIG9yYPe+YTE7HOy8t+OteHkN6ZalI5CW53zmGQs3oMWQ
-QOgTrVgJMSDhFZqpoIvVLg==</SignatureValue>
+<SignatureValue>oRUU3idevSgM2QCidYqLAL5Ki2H8qxvkIVw9yNrbv9Mg2D7126wPMerWyKeP+ops
+6ploHMV0MQRyEFA+4PJ3ZsBU1daVSt3plh+6Szm5zIhWUEc3HhvQirv5IP1lfcxQ
+IopKnpiZkH9QMLolCLMIfCbOIuIfmssmsEagU/S3aoRVgZLA/x15z2hNEiB+tMqr
+Elc7i5V81ztnEx47yJhf/mAiZcnLqpnbpJ9XN4NF43QSgkRNU4vCQsx0zA6gj9MB
+D5h/CKy7KMn+LtaLkHIfv6Y//xN+61PrQ7sr5FIsCGg9XBvXC3PrwEVdADx4/dZO
+JrJ/DBFeEc8K1KSMXm5qrQ==</SignatureValue>
 <KeyInfo>
 <X509Data>
 <X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
@@ -44,4 +44,4 @@ Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
 ZtltN+yN40INHGRWnHc=</X509Certificate>
 </X509Data>
 </KeyInfo>
-</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/response_with_attribute_signed.xml CHANGED

@@ -9,15 +9,15 @@
 <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 </Transforms>
 <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
-<DigestValue>cNsW8tqrcA6HB+H8gOA5bAswPLLyN8tH9j53exrhfjU=</DigestValue>
+<DigestValue>b9jIvyyPEhWc/kHYHUA8LTCz4pwYSRCE+CL+SNqmiEk=</DigestValue>
 </Reference>
 </SignedInfo>
-<SignatureValue>JuL8PNrAiqNODwMa94qvvJMPEpjFG0yAbd58Rj7iUTeiAYE+26k9xRvYTsF3z3Va
-Xt3yOBZFoOt40AwKiZ3sqPnCM5GrBtrApcRcBoxBYwr/2bSGfhoIxO1Y51VHBOTM
-SoBkLUNJAPI6YJtJF2CZJA1Gv92/n/PMvQFDK2LHN/0Jbcy8ebvg1q/Wu9vJIgcY
-TIan4wrByBQHX16CNR+JDrdBIxe/GKI+6GzGsRr+V9CgLRdyvpevFLYFmmn1gOx7
-gLypwLteGo0eX5nclwVD0N6GjqUpW8eYGPFUiErgZp36DZBXy9sCT8Pz1h35daXs
-8dfw7cO59iYT4vSDFqIE6A==</SignatureValue>
+<SignatureValue>eHHTFNYA1VNbzFOtsoTGn4A+BXdKFXHfJNvWWU52L1kBUfCyeFNVLby03yQRw+CO
+71JomuTy/jpWU50h27sOfXjWjPkiULRHNPWuDIglrOgnUpu2HeD+i9IoA69/vF9J
+Bmwm2IubzhBAxc70Dm/oXZ238bN0E+c2u4B9jp6MdVXSL7RDmfKAU19ABAZlYTmJ
+4xXlS0fjrGPOn+BszBR9BNLDvNST/MgaGmwAU0esP5dYzC0Pwi9lOGD5bO+MOxTp
+TBx9e0KY3BTEVVOxl8G6M8w9nx5mnKMgHpPq5P/uMHv7m8gUVdMQ8lDvPqyEibPw
+ABIureP4iKebJVl7JTeoYA==</SignatureValue>
 <KeyInfo>
 <X509Data>
 <X509Certificate>MIID+jCCAuKgAwIBAgIJAIz/He5UafnhMA0GCSqGSIb3DQEBBQUAMFsxCzAJBgNV
@@ -44,4 +44,4 @@ Cg8Yo62X9vWW6PaKXHs3N+g1Ig16NwjdVIYvcxLc2KY0vrqu/R5c8RbmCxMZyss9
 ZtltN+yN40INHGRWnHc=</X509Certificate>
 </X509Data>
 </KeyInfo>
-</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
+</Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jacob</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2015-02-12T22:54:29Z" Recipient="https://siteadmin.test.instructure.com/saml_consume" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2015-02-12T22:51:24Z" NotOnOrAfter="2015-02-12T22:51:59Z"><saml:AudienceRestriction><saml:Audience>http://siteadmin.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2015-02-12T22:51:29Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" Name="urn:oid:2.5.4.42" FriendlyName="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP"><saml:AttributeValue xsi:type="xsd:string">cody</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/lib/conditions_spec.rb ADDED

@@ -0,0 +1,69 @@
+require_relative '../spec_helper'
+module SAML2
+  describe Conditions do
+    it "empty should be valid" do
+      Conditions.new.valid?.must_equal :valid
+    end
+    it "should be valid with unknown condition" do
+      conditions = Conditions.new
+      conditions << Conditions::Condition.new
+      conditions.valid?.must_equal :indeterminate
+    end
+    it "should be valid with timestamps" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 5
+      conditions.not_on_or_after = now + 30
+      conditions.valid?.must_equal :valid
+    end
+    it "should be invalid with out of range timestamps" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 35
+      conditions.not_on_or_after = now - 5
+      conditions.valid?.must_equal :invalid
+    end
+    it "should allow passing now" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now - 35
+      conditions.not_on_or_after = now - 5
+      conditions.valid?(now: now - 10).must_equal :valid
+    end
+    it "should be invalid before indeterminate" do
+      conditions = Conditions.new
+      now = Time.now.utc
+      conditions.not_before = now + 5
+      conditions << Conditions::Condition.new
+      conditions.valid?.must_equal :invalid
+    end
+    it "should be invalid before indeterminate (actual conditions)" do
+      conditions = Conditions.new
+      conditions << Conditions::Condition.new
+      conditions << Conditions::AudienceRestriction.new('audience')
+      conditions.valid?.must_equal :invalid
+    end
+  end
+  describe Conditions::AudienceRestriction do
+    it "should be invalid" do
+      Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual').must_equal :invalid
+    end
+    it "should be valid" do
+      Conditions::AudienceRestriction.new('expected').valid?(audience: 'expected').must_equal :valid
+    end
+    it "should be valid with an array" do
+      Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual').must_equal :valid
+    end
+  end
+end

data/spec/lib/response_spec.rb CHANGED

@@ -28,6 +28,8 @@ module SAML2
       assertion.instance_variable_set(:@id, "_cdfc3faf-90ad-462f-880d-677483210684")
       response.instance_variable_set(:@issue_instant, Time.parse("2015-02-12T22:51:29Z"))
       assertion.instance_variable_set(:@issue_instant, Time.parse("2015-02-12T22:51:29Z"))
+      assertion.conditions.not_before = Time.parse("2015-02-12T22:51:24Z")
+      assertion.conditions.not_on_or_after = Time.parse("2015-02-12T22:51:59Z")
       assertion.statements.first.authn_instant = Time.parse("2015-02-12T22:51:29Z")
       confirmation = assertion.subject.confirmation
       confirmation.not_on_or_after = Time.parse("2015-02-12T22:54:29Z")

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-24 00:00:00.000000000 Z
+date: 2015-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -102,6 +102,7 @@ files:
 - lib/saml2/authn_request.rb
 - lib/saml2/authn_statement.rb
 - lib/saml2/base.rb
+- lib/saml2/conditions.rb
 - lib/saml2/contact.rb
 - lib/saml2/endpoint.rb
 - lib/saml2/engine.rb
@@ -139,6 +140,7 @@ files:
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/attribute_spec.rb
 - spec/lib/authn_request_spec.rb
+- spec/lib/conditions_spec.rb
 - spec/lib/entity_spec.rb
 - spec/lib/identity_provider_spec.rb
 - spec/lib/indexed_object_spec.rb
@@ -182,6 +184,7 @@ test_files:
 - spec/lib/attribute_consuming_service_spec.rb
 - spec/lib/attribute_spec.rb
 - spec/lib/authn_request_spec.rb
+- spec/lib/conditions_spec.rb
 - spec/lib/entity_spec.rb
 - spec/lib/identity_provider_spec.rb
 - spec/lib/indexed_object_spec.rb