RubyGems - saml2 - Versions diffs - 2.2.8 → 2.2.9 - Mend

saml2 2.2.8 → 2.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c16820ad8709894d30598abdc66c7258eaaa4bcce559a3f540e898226ecad9b7
-  data.tar.gz: cb81f7ca257db3e1aa45896749961cfb0ab63473499d70614931b02de5a975cd
+  metadata.gz: 85079eef2484ac29ff4b22303b10fa1a08afdeab25c22bd0b3c610324945dabd
+  data.tar.gz: bb93d0ef57206e8ec3b773b742625c4e5d60f76f696be91786528b5845bef188
 SHA512:
-  metadata.gz: 9aacff1311c151b1f8e53d9e63f519b5ff4d21c9c664c22ffcaff42519d9e22530445f8f287c8ab797f0ae7df12aee9d35e9ca9539e782262b2ff4c940a0626a
-  data.tar.gz: f7287daba3d0a8d5671f109c30deb9dabce202cbe5b0e7d821c50fb09afbc7cbd056dadf43f2d7ef16582a6bf46b271caf14e131b1f622520e48b1bdaa78d26d
+  metadata.gz: 4c064cf43d5bd7feb0ecbf1070da413fbf8dcf19e2b5130aa8965367fbb194abf5565000b210fb6a9406c7b49d96e6de4ed613cb94227428a21585c7a35172e1
+  data.tar.gz: 113b16ec4a20b0af0d60ee9e114e35d1b658ebc259de1ce196d8494269096b2d40bfe2ea9d5a875f03972eb548ac01fc9d3856bc92d9db34cfaf7140dc80c0e1

data/lib/saml2/base.rb CHANGED Viewed

@@ -33,18 +33,20 @@ module SAML2
     # Returns the XML of this object as a string.
     #
-    # If this object came from parsing XML, it will always return it with the
-    # same formatting as it was parsed.
-    #
     # @param pretty optional [true, false, nil]
     #   +true+ forces it to format it for easy reading. +nil+ will prefer to
     #   format it pretty, but won't if e.g. it has been signed, and pretty
-    #   formatting would break the signature.
+    #   formatting would break the signature. If this object came from parsing
+    #   XML, it will default to exactly what it was parsed as.
     # @return [String]
     def to_s(pretty: nil)
       pretty = @pretty if pretty.nil?
       if xml
-        xml.to_s
+        if pretty
+          xml.to_s
+        else
+          xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
+        end
       elsif pretty
         to_xml.to_s
       else

data/lib/saml2/entity.rb CHANGED Viewed

@@ -169,7 +169,8 @@ module SAML2
     def valid_response?(message,
                         identity_provider,
                         verification_time: Time.now.utc,
-                        allow_expired_certificate: false)
+                        allow_expired_certificate: false,
+                        verify_certificate: true)
       unless message.is_a?(Response)
         message.errors << "not a Response object"
         return false
@@ -178,7 +179,8 @@ module SAML2
       message.validate(service_provider: self,
                        identity_provider: identity_provider,
                        verification_time: verification_time,
-                       allow_expired_certificate: allow_expired_certificate).empty?
+                       allow_expired_certificate: allow_expired_certificate,
+                       verify_certificate: verify_certificate).empty?
     end
   end
 end

data/lib/saml2/message.rb CHANGED Viewed

@@ -125,12 +125,14 @@ module SAML2
     def validate_signature(fingerprint: nil,
                            cert: nil,
                            verification_time: issue_instant,
-                           allow_expired_certificate: false)
+                           allow_expired_certificate: false,
+                           verify_certificate: true)
       # verify the signature (certificate's validity) as of the time the message was generated
       super(fingerprint: fingerprint,
             cert: cert,
             verification_time: verification_time,
-            allow_expired_certificate: allow_expired_certificate)
+            allow_expired_certificate: allow_expired_certificate,
+            verify_certificate: verify_certificate)
     end
     # (see Signable#sign)

data/lib/saml2/response.rb CHANGED Viewed

@@ -92,7 +92,8 @@ module SAML2
     def validate(service_provider:,
                  identity_provider:,
                  verification_time: Time.now.utc,
-                 allow_expired_certificate: false)
+                 allow_expired_certificate: false,
+                 verify_certificate: true)
       raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
       raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
@@ -125,7 +126,8 @@ module SAML2
       if signed?
         unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
                                                       cert: certificates,
-                                                      allow_expired_certificate: allow_expired_certificate)).empty?
+                                                      allow_expired_certificate: allow_expired_certificate,
+                                                      verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         response_signed = true
@@ -137,7 +139,8 @@ module SAML2
       if assertion&.signed?
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
                                                                 cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+                                                                allow_expired_certificate: allow_expired_certificate,
+                                                                verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true
@@ -194,7 +197,8 @@ module SAML2
       if assertion.signed? && !assertion_signed
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
                                                                 cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+                                                                allow_expired_certificate: allow_expired_certificate,
+                                                                verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true

data/lib/saml2/signable.rb CHANGED Viewed

@@ -50,7 +50,8 @@ module SAML2
     def validate_signature(fingerprint: nil,
                            cert: nil,
                            verification_time: nil,
-                           allow_expired_certificate: false)
+                           allow_expired_certificate: false,
+                           verify_certificate: true)
       return ["not signed"] unless signed?
       certs = Array(cert)
@@ -63,7 +64,10 @@ module SAML2
       certs = certs.uniq
       return ["no trusted certificate found"] if certs.empty?
-      verify_certificate = true
+      if verify_certificate == false && signing_key&.certificate
+        key = signing_key.certificate.public_key.to_s
+      end
       if signing_key
         signing_cert = signing_key.certificate
         if allow_expired_certificate
@@ -81,9 +85,11 @@ module SAML2
           verify_certificate = false
         end
       end
+      certs = nil if key # we're using a key explicitly, ignoring the certs
       begin
-        result = signature.verify_with(certs: certs,
+        result = signature.verify_with(key: key,
+                                       certs: certs,
                                        verification_time: verification_time,
                                        verify_certificates: verify_certificate)
         result ? [] : ["signature is invalid"]

data/lib/saml2/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module SAML2
-  VERSION = '2.2.8'
+  VERSION = '2.2.9'
 end

data/spec/lib/response_spec.rb CHANGED Viewed

@@ -278,6 +278,19 @@ module SAML2
         expect(response.errors).to eq []
       end
+      it "ignores invalid certificate when requested" do
+        response = Response.parse(fixture("test6-response.xml"))
+        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
+        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+        sp_entity.valid_response?(response, idp_entity,
+                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
+                                  verify_certificate: false)
+        expect(response.errors).to eq []
+      end
       it "doesn't break the signature by decrypting elements first" do
         response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.2.8
+  version: 2.2.9
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-12 00:00:00.000000000 Z
+date: 2018-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri