saml2 2.2.8 → 2.2.9

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c16820ad8709894d30598abdc66c7258eaaa4bcce559a3f540e898226ecad9b7
4
- data.tar.gz: cb81f7ca257db3e1aa45896749961cfb0ab63473499d70614931b02de5a975cd
3
+ metadata.gz: 85079eef2484ac29ff4b22303b10fa1a08afdeab25c22bd0b3c610324945dabd
4
+ data.tar.gz: bb93d0ef57206e8ec3b773b742625c4e5d60f76f696be91786528b5845bef188
5
5
  SHA512:
6
- metadata.gz: 9aacff1311c151b1f8e53d9e63f519b5ff4d21c9c664c22ffcaff42519d9e22530445f8f287c8ab797f0ae7df12aee9d35e9ca9539e782262b2ff4c940a0626a
7
- data.tar.gz: f7287daba3d0a8d5671f109c30deb9dabce202cbe5b0e7d821c50fb09afbc7cbd056dadf43f2d7ef16582a6bf46b271caf14e131b1f622520e48b1bdaa78d26d
6
+ metadata.gz: 4c064cf43d5bd7feb0ecbf1070da413fbf8dcf19e2b5130aa8965367fbb194abf5565000b210fb6a9406c7b49d96e6de4ed613cb94227428a21585c7a35172e1
7
+ data.tar.gz: 113b16ec4a20b0af0d60ee9e114e35d1b658ebc259de1ce196d8494269096b2d40bfe2ea9d5a875f03972eb548ac01fc9d3856bc92d9db34cfaf7140dc80c0e1
data/lib/saml2/base.rb CHANGED
@@ -33,18 +33,20 @@ module SAML2
33
33
 
34
34
  # Returns the XML of this object as a string.
35
35
  #
36
- # If this object came from parsing XML, it will always return it with the
37
- # same formatting as it was parsed.
38
- #
39
36
  # @param pretty optional [true, false, nil]
40
37
  # +true+ forces it to format it for easy reading. +nil+ will prefer to
41
38
  # format it pretty, but won't if e.g. it has been signed, and pretty
42
- # formatting would break the signature.
39
+ # formatting would break the signature. If this object came from parsing
40
+ # XML, it will default to exactly what it was parsed as.
43
41
  # @return [String]
44
42
  def to_s(pretty: nil)
45
43
  pretty = @pretty if pretty.nil?
46
44
  if xml
47
- xml.to_s
45
+ if pretty
46
+ xml.to_s
47
+ else
48
+ xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
49
+ end
48
50
  elsif pretty
49
51
  to_xml.to_s
50
52
  else
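Review bot: The new non-pretty branch (hunk line 48) packs both Nokogiri save flags into one ~120-column call; hoisting them into a named constant on the class reads better and lets the same options be reused wherever the parsed XML has to be re-emitted as-is, e.g. `RAW_SAVE_OPTIONS = Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION` followed by `xml.to_xml(save_with: RAW_SAVE_OPTIONS)`. The rewritten doc comment promises that a parsed object "will default to exactly what it was parsed as", but that only holds if `@pretty` is nil or false for parsed objects, and `@pretty` is assigned outside this hunk, so a one-line note saying where it is set would make the contract checkable. Since the comment already states that pretty formatting breaks a signature, it should say explicitly that passing `pretty: true` on a parsed, signed document re-serializes it and is therefore unsafe for anything that will be signature-checked downstream. The `else` branch of `to_s` continues past the end of the hunk.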
data/lib/saml2/entity.rb CHANGED
@@ -169,7 +169,8 @@ module SAML2
169
169
  def valid_response?(message,
170
170
  identity_provider,
171
171
  verification_time: Time.now.utc,
172
- allow_expired_certificate: false)
172
+ allow_expired_certificate: false,
173
+ verify_certificate: true)
173
174
  unless message.is_a?(Response)
174
175
  message.errors << "not a Response object"
175
176
  return false
@@ -178,7 +179,8 @@ module SAML2
178
179
  message.validate(service_provider: self,
179
180
  identity_provider: identity_provider,
180
181
  verification_time: verification_time,
181
- allow_expired_certificate: allow_expired_certificate).empty?
182
+ allow_expired_certificate: allow_expired_certificate,
183
+ verify_certificate: verify_certificate).empty?
182
184
  end
183
185
  end
184
186
  end
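Review bot: The new `verify_certificate:` keyword on `valid_response?` is forwarded to `Response#validate` with no documentation, and since it relaxes signature verification it is the one option a caller must not pass casually. The method's doc comment sits above the hunk; it should gain a YARD entry such as `# @param verify_certificate [true, false] when +false+, the signing certificate itself is not verified and only the XML signature is checked; leave +true+ unless you know why the IdP certificate cannot be verified` — the exact description of what is skipped should be confirmed against `validate_signature`, which is in another file. The rest of `valid_response?` and its doc comment are outside this hunk.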
data/lib/saml2/message.rb CHANGED
@@ -125,12 +125,14 @@ module SAML2
125
125
  def validate_signature(fingerprint: nil,
126
126
  cert: nil,
127
127
  verification_time: issue_instant,
128
- allow_expired_certificate: false)
128
+ allow_expired_certificate: false,
129
+ verify_certificate: true)
129
130
  # verify the signature (certificate's validity) as of the time the message was generated
130
131
  super(fingerprint: fingerprint,
131
132
  cert: cert,
132
133
  verification_time: verification_time,
133
- allow_expired_certificate: allow_expired_certificate)
134
+ allow_expired_certificate: allow_expired_certificate,
135
+ verify_certificate: verify_certificate)
134
136
  end
135
137
 
136
138
  # (see Signable#sign)
@@ -92,7 +92,8 @@ module SAML2
92
92
  def validate(service_provider:,
93
93
  identity_provider:,
94
94
  verification_time: Time.now.utc,
95
- allow_expired_certificate: false)
95
+ allow_expired_certificate: false,
96
+ verify_certificate: true)
96
97
  raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
97
98
  raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
98
99
 
@@ -125,7 +126,8 @@ module SAML2
125
126
  if signed?
126
127
  unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
127
128
  cert: certificates,
128
- allow_expired_certificate: allow_expired_certificate)).empty?
129
+ allow_expired_certificate: allow_expired_certificate,
130
+ verify_certificate: verify_certificate)).empty?
129
131
  return errors.concat(signature_errors)
130
132
  end
131
133
  response_signed = true
@@ -137,7 +139,8 @@ module SAML2
137
139
  if assertion&.signed?
138
140
  unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
139
141
  cert: certificates,
140
- allow_expired_certificate: allow_expired_certificate)).empty?
142
+ allow_expired_certificate: allow_expired_certificate,
143
+ verify_certificate: verify_certificate)).empty?
141
144
  return errors.concat(signature_errors)
142
145
  end
143
146
  assertion_signed = true
@@ -194,7 +197,8 @@ module SAML2
194
197
  if assertion.signed? && !assertion_signed
195
198
  unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
196
199
  cert: certificates,
197
- allow_expired_certificate: allow_expired_certificate)).empty?
200
+ allow_expired_certificate: allow_expired_certificate,
201
+ verify_certificate: verify_certificate)).empty?
198
202
  return errors.concat(signature_errors)
199
203
  end
200
204
  assertion_signed = true
@@ -50,7 +50,8 @@ module SAML2
50
50
  def validate_signature(fingerprint: nil,
51
51
  cert: nil,
52
52
  verification_time: nil,
53
- allow_expired_certificate: false)
53
+ allow_expired_certificate: false,
54
+ verify_certificate: true)
54
55
  return ["not signed"] unless signed?
55
56
 
56
57
  certs = Array(cert)
@@ -63,7 +64,10 @@ module SAML2
63
64
  certs = certs.uniq
64
65
  return ["no trusted certificate found"] if certs.empty?
65
66
 
66
- verify_certificate = true
67
+ if verify_certificate == false && signing_key&.certificate
68
+ key = signing_key.certificate.public_key.to_s
69
+ end
70
+
67
71
  if signing_key
68
72
  signing_cert = signing_key.certificate
69
73
  if allow_expired_certificate
@@ -81,9 +85,11 @@ module SAML2
81
85
  verify_certificate = false
82
86
  end
83
87
  end
88
+ certs = nil if key # we're using a key explicitly, ignoring the certs
84
89
 
85
90
  begin
86
- result = signature.verify_with(certs: certs,
91
+ result = signature.verify_with(key: key,
92
+ certs: certs,
87
93
  verification_time: verification_time,
88
94
  verify_certificates: verify_certificate)
89
95
  result ? [] : ["signature is invalid"]
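Review bot: With `verify_certificate` false and a certificate embedded in the message, the new lines 67–69 and 88 take the public key straight from `signing_key.certificate` and then set `certs = nil`, so the signature is checked against the key the message itself supplies rather than against the trusted certificates passed in as `cert:` (the comment on line 88 says as much). Unless the lines between `certs = Array(cert)` and `certs = certs.uniq` (outside the hunk) already reject a `signing_key.certificate` that matches neither `certs` nor `fingerprint`, a forged response signed with the attacker's own certificate in KeyInfo would verify whenever the caller opts out of certificate verification; the `"no trusted certificate found"` guard on line 65 does not cover this, because `certs` starts from the configured `cert:` argument and can be non-empty without any relation to the embedded certificate. The embedded key should only override `certs` after it has been matched against a trusted certificate or fingerprint, e.g. `if verify_certificate == false && signing_key&.certificate && certs.any? { |c| c.to_der == signing_key.certificate.to_der }` (using whatever comparison the hidden matching code already applies), and that precondition deserves a comment beside the override. `validate_signature` runs past both ends of this hunk, and the last two hunks of this section carry no file header in the rendered page, so they may belong to files other than message.rb.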
data/lib/saml2/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SAML2
4
- VERSION = '2.2.8'
4
+ VERSION = '2.2.9'
5
5
  end
@@ -278,6 +278,19 @@ module SAML2
278
278
  expect(response.errors).to eq []
279
279
  end
280
280
 
281
+ it "ignores invalid certificate when requested" do
282
+ response = Response.parse(fixture("test6-response.xml"))
283
+ sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
284
+ idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
285
+ idp_entity.identity_providers.first.keys.clear
286
+ idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
287
+
288
+ sp_entity.valid_response?(response, idp_entity,
289
+ verification_time: Time.parse("2014-09-16T22:15:53Z"),
290
+ verify_certificate: false)
291
+ expect(response.errors).to eq []
292
+ end
293
+
281
294
  it "doesn't break the signature by decrypting elements first" do
282
295
  response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
283
296
  sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))
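Review bot: The new example only checks that `response.errors` is empty after calling `valid_response?` with `verify_certificate: false`, so it would also pass if the flag were silently ignored and the fixture's certificate happened to verify on its own; a companion example that runs the same fixture with the default and expects a non-empty `errors` (or a false return) would pin down that the flag is what makes the difference, unless an earlier example in this file already does so. The return value of `valid_response?` is discarded here as in the neighbouring example; `expect(sp_entity.valid_response?(...)).to be true` would make the assertion self-contained. This hunk has no file header in the rendered page, so it is a spec file rather than part of version.rb.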
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: saml2
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.8
4
+ version: 2.2.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Cody Cutrer
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-06-12 00:00:00.000000000 Z
11
+ date: 2018-06-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri