saml2 3.0.5 → 3.0.10
- checksums.yaml +4 -4
- data/lib/saml2/entity.rb +2 -2
- data/lib/saml2/response.rb +2 -0
- data/lib/saml2/schemas.rb +1 -5
- data/lib/saml2/service_provider.rb +2 -0
- data/lib/saml2/signable.rb +15 -6
- data/lib/saml2/version.rb +1 -1
- data/schemas/metadata_combined.xsd +13 -0
- data/schemas/sstc-saml-metadata-ext-query.xsd +66 -0
- data/spec/fixtures/identity_provider.xml +1 -1
- data/spec/fixtures/response_assertion_signed_reffed_from_response.xml +6 -0
- data/spec/fixtures/response_without_keyinfo.xml +1 -0
- data/spec/fixtures/service_provider.xml +1 -1
- data/spec/lib/attribute_consuming_service_spec.rb +2 -0
- data/spec/lib/attribute_spec.rb +2 -0
- data/spec/lib/authn_request_spec.rb +2 -0
- data/spec/lib/bindings/http_redirect_spec.rb +4 -2
- data/spec/lib/conditions_spec.rb +2 -0
- data/spec/lib/entity_spec.rb +2 -0
- data/spec/lib/identity_provider_spec.rb +6 -0
- data/spec/lib/indexed_object_spec.rb +2 -0
- data/spec/lib/key_spec.rb +2 -0
- data/spec/lib/logout_request_spec.rb +2 -0
- data/spec/lib/logout_response_spec.rb +2 -0
- data/spec/lib/message_spec.rb +2 -0
- data/spec/lib/response_spec.rb +30 -0
- data/spec/lib/service_provider_spec.rb +7 -0
- data/spec/spec_helper.rb +2 -0
- metadata +16 -10
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f8a576418f7f1f50885a3b7b24eb90789173ecd0513317d2955a93c58c97af83
|
4
|
+
data.tar.gz: 24af83ef0d14f9bb8402e7d23f56efc396b10fec4e292c118a3e80ab7059a02b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f3a143f0d36923d557f532d02129a4464ea896d87acf8abb3435f410cd1eab7b99ee93959582bf493d1df2c6788d4a31d85464177fc102514847fd253486b8d3
|
7
|
+
data.tar.gz: c36bfc6219fbf03457bf38801adff7685866e4ea1223adfe80b5dfe8466ffde6927ea5f87a00dc0e9c243120a9dd1a761186c8acf24e8c2515ac7e6c3a7c235a
|
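--- a/data/lib/saml2/entity.rb
+++ b/data/lib/saml2/entity.rb
@@ -65,7 +65,7 @@ module SAML2
 
 # (see Message#valid_schema?)
 def valid_schema?
-Schemas.
+Schemas.metadata.valid?(xml.document)
 end
 
 # (see Message#id)
@@ -101,7 +101,7 @@ module SAML2
 
 # (see Message#valid_schema?)
 def valid_schema?
-Schemas.
+Schemas.metadata.valid?(xml.document)
 end
 
 # @return [String]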
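--- a/data/lib/saml2/response.rb
+++ b/data/lib/saml2/response.rb
@@ -13,6 +13,8 @@ module SAML2
 attr_reader :assertions
 
 # Respond to an {AuthnRequest}
+#
+# {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
 # @param authn_request [AuthnRequest]
 # @param issuer [NameID]
 # @param name_id [NameID] The Subject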
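--- a/data/lib/saml2/schemas.rb
+++ b/data/lib/saml2/schemas.rb
@@ -2,12 +2,8 @@
 
 module SAML2
 module Schemas
-def self.federation
-@federation ||= schema('ws-federation.xsd')
-end
-
 def self.metadata
-@metadata ||= schema('
+@metadata ||= schema('metadata_combined.xsd')
 end
 
 def self.protocol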
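Review bot: `Schemas.federation` appears to be a public module method (a plain `def self.federation` with no visibility modifier in view) and this hunk removes it outright in what the page title shows as a patch-level release (3.0.5 → 3.0.10), so any caller that validated WS-Federation metadata through it will now raise NoMethodError. If the combined schema is meant to subsume it, keep a shim until the next major: `# @deprecated Use {metadata}; metadata_combined.xsd already imports ws-federation.xsd` / `def self.federation` / `metadata; end`. The `schema` helper that loads `metadata_combined.xsd` is outside the hunk; since that file pulls in further schemas via `schemaLocation`, it is worth confirming it parses with network access disabled so schema resolution cannot leave the local schema directory.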
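--- a/data/lib/saml2/signable.rb
+++ b/data/lib/saml2/signable.rb
@@ -7,16 +7,16 @@ module SAML2
 # @return [Nokogiri::XML::Element, nil]
 def signature
 unless instance_variable_defined?(:@signature)
-@signature = xml.
-
-signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
+@signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
+signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
 if signed_node == ''
-
+true if xml == xml.document.root
 elsif signed_node != "##{xml['ID']}"
-
+false
 else
 # validating the schema will automatically add ID attributes, so check that first
 xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
+true
 end
 end
 end
@@ -25,7 +25,11 @@ module SAML2
 
 # @return [KeyInfo, nil]
 def signing_key
-
+unless instance_variable_defined?(:@signing_key)
+# don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
+@signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
+end
+@signing_key
 end
 
 def signed?
@@ -70,6 +74,11 @@ module SAML2
 if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
 key ||= signing_key.certificate.public_key.to_s
 end
+# signature doesn't say who signed it. hope and pray it's with the only certificate
+# we know about
+if signing_key.nil? && key.nil? && trusted_keys.length == 1
+key = trusted_keys.first
+end
 
 return ["no trusted signing key found"] if key.nil?
 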
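Review bot: The new fallback in the third hunk (`if signing_key.nil? && key.nil? && trusted_keys.length == 1`) is sound only because the signature is still cryptographically checked against `trusted_keys.first` afterwards — trust comes from the configured keys, never from KeyInfo — but the `== 1` restriction means an IdP that omits KeyInfo fails with "no trusted signing key found" the moment a second certificate is configured for rotation, which is exactly when this path matters. Provided the verification below the hunk rejects a mismatched key, trying each trusted key in turn is no weaker than the single-key case and avoids that outage; that verification call is outside the hunk, so the change belongs there. The comment should say why this is safe instead of "hope and pray": `# No KeyInfo: the signature does not identify its key. Trust comes from trusted_keys, not from the document, so with exactly one configured key verify against it; a mismatch still fails verification below.` In the second hunk `signing_key` calls `signature.at_xpath` without a nil guard while line 74 uses `signing_key&.`, suggesting callers expect nil on an unsigned node; `signature&.at_xpath('dsig:KeyInfo', Namespaces::ALL)` would return nil there instead of raising NoMethodError. The method containing the third hunk starts and ends outside the hunk.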
data/lib/saml2/version.rb
CHANGED
@@ -0,0 +1,13 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
|
3
|
+
<schema
|
4
|
+
targetNamespace="https://www.instructure.com/ruby-saml2/metadata-combined"
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
6
|
+
version="2.0">
|
7
|
+
|
8
|
+
<import namespace="http://docs.oasis-open.org/wsfed/federation/200706"
|
9
|
+
schemaLocation="ws-federation.xsd"/>
|
10
|
+
<import namespace="urn:oasis:names:tc:SAML:metadata:ext:query"
|
11
|
+
schemaLocation="sstc-saml-metadata-ext-query.xsd"/>
|
12
|
+
|
13
|
+
</schema>
|
@@ -0,0 +1,66 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
|
3
|
+
<schema
|
4
|
+
targetNamespace="urn:oasis:names:tc:SAML:metadata:ext:query"
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
6
|
+
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
7
|
+
xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
|
8
|
+
elementFormDefault="unqualified"
|
9
|
+
attributeFormDefault="unqualified"
|
10
|
+
blockDefault="substitution"
|
11
|
+
version="2.0">
|
12
|
+
|
13
|
+
<annotation>
|
14
|
+
<documentation>
|
15
|
+
Document title: SAML Metadata Extension Schema for SAML V2.0 and V1.x Query Requesters
|
16
|
+
Document identifier: sstc-saml-metadata-ext-query.xsd
|
17
|
+
Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
|
18
|
+
Revision history:
|
19
|
+
V1.0 (May 2007):
|
20
|
+
Initial version.
|
21
|
+
</documentation>
|
22
|
+
</annotation>
|
23
|
+
|
24
|
+
<import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
|
25
|
+
schemaLocation="saml-schema-metadata-2.0.xsd"/>
|
26
|
+
|
27
|
+
<complexType name="QueryDescriptorType" abstract="true">
|
28
|
+
<complexContent>
|
29
|
+
<extension base="md:RoleDescriptorType">
|
30
|
+
<sequence>
|
31
|
+
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
|
32
|
+
</sequence>
|
33
|
+
<attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
|
34
|
+
</extension>
|
35
|
+
</complexContent>
|
36
|
+
</complexType>
|
37
|
+
|
38
|
+
<complexType name="AuthnQueryDescriptorType">
|
39
|
+
<complexContent>
|
40
|
+
<extension base="query:QueryDescriptorType"/>
|
41
|
+
</complexContent>
|
42
|
+
</complexType>
|
43
|
+
|
44
|
+
<complexType name="AttributeQueryDescriptorType">
|
45
|
+
<complexContent>
|
46
|
+
<extension base="query:QueryDescriptorType">
|
47
|
+
<sequence>
|
48
|
+
<element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
|
49
|
+
</sequence>
|
50
|
+
</extension>
|
51
|
+
</complexContent>
|
52
|
+
</complexType>
|
53
|
+
|
54
|
+
<element name="ActionNamespace" type="anyURI"/>
|
55
|
+
|
56
|
+
<complexType name="AuthzDecisionQueryDescriptorType">
|
57
|
+
<complexContent>
|
58
|
+
<extension base="query:QueryDescriptorType">
|
59
|
+
<sequence>
|
60
|
+
<element ref="query:ActionNamespace" minOccurs="0" maxOccurs="unbounded"/>
|
61
|
+
</sequence>
|
62
|
+
</extension>
|
63
|
+
</complexContent>
|
64
|
+
</complexType>
|
65
|
+
|
66
|
+
</schema>
|
@@ -1,6 +1,6 @@
|
|
1
1
|
<?xml version="1.0"?>
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.school.edu/idp/shibboleth">
|
3
|
-
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
3
|
+
<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
4
4
|
<KeyDescriptor use="signing">
|
5
5
|
<ds:KeyInfo>
|
6
6
|
<ds:X509Data>
|
@@ -0,0 +1,6 @@
|
|
1
|
+
<samlp:Response ID="eppcgfbmldefddomokfgiljnkflhppmoflakahld" IssueInstant="2020-08-11T18:19:49Z" Destination="https://wscc.instructure.com/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>cyBkaF5MxEOSX9hLm0g/BWMJpQA=</DigestValue></Reference></SignedInfo><SignatureValue>BqXuyorfBboZI3sSSi4PC3GnJMKyLSQ/897M1RYmgVHx8Pbg1ANy75mpjRQQxGOIz/nSTh6eTPkkFEAT34nhxBSd+JfHof0RfLl/lBI1klSmpi/YoHCKLdVt+iwAemmBNw5Rxw59EepgrbcVtgjsjWISdvMyY7Wqb3nyJDwTGWw=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>yPxoJ9DLOTzn9j91xlqGTX/8Hs5hxjImPalS9qTOc6BYJgXSC7HtxBLMc0usJG58/OaHgWFlaDi4HSBlZe2vLzecaWL1HYxJtW6s+UpD5i+uoxGTPM1ITNlZudGQblh3XTUESrPUZVwSt1N+Vqd4AUHux0E078meTqj9+EMcgsk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>MIIB4TCCAU6gAwIBAgIQhv64tDcg/45BI6qmDbJfKDAJBgUrDgMCHQUAMA8xDTALBgNVBAMTBFRFU1QwIBcNMjAwMTI3MTkxNzMxWhgPMjA4MDEyMzEwNTAwMDBaMA8xDTALBgNVBAMTBFRFU1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMj8aCfQyzk85/Y/dcZahk1//B7OYcYyJj2pUvakznOgWCYF0gux7cQSzHNLrCRufPzmh4FhZWg4uB0gZWXtry83nGli9R2MSbVurPlKQ+YvrqMRkzzNSEzZWbnRkG5Yd101BEqz1GVcErdTflaneAFB7sdBNO/Jnk6o/fhDHILJAgMBAAGjRDBCMEAGA1UdAQQ5MDeAEFm8dl7/zBigioh82gZb6WGhETAPMQ0wCwYDVQQDEwRURVNUghCG/ri0NyD/jkEjqqYNsl8oMAkGBSsOAwIdBQADgYEAotOROUrAiZr7oA3iaZLxq+B6sN+JdWSBquvDUzaMgIWRvUBZPqmOKpXK0+
XSLXChgklpVXBXAo78Juy0zza/ZAMyGPbYlSZSME6GlApjp8hi6wi0ti/usi/D8SQSJ9ephwz2JAvI5WP16PzIruYUlf3uI72hKT0NW8Pl3PhT8z8=</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc" IssueInstant="2020-08-11T18:19:49Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
|
2
|
+
https://my.wscc.edu/idp
|
3
|
+
</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">narnold@wscc.edu</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="" NotOnOrAfter="2020-08-11T18:29:49Z" InResponseTo="_bd878908-34c0-4e6e-b429-90cc8bfae27c" /></SubjectConfirmation></Subject><Conditions NotBefore="2020-08-11T18:14:49Z" NotOnOrAfter="2020-08-11T18:29:49Z"><AudienceRestriction><Audience>http://wscc.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="email"><AttributeValue>narnold@wscc.edu</AttributeValue></Attribute><Attribute Name="display_name"><AttributeValue>Nicholas Arnold</AttributeValue></Attribute><Attribute Name="given_name"><AttributeValue>Nicholas</AttributeValue></Attribute><Attribute Name="integration_id"><AttributeValue>Ed18RSTYO0ivqnZuzQPehQ==</AttributeValue></Attribute><Attribute Name="sis_user_id"><AttributeValue>0097365</AttributeValue></Attribute><Attribute Name="sortable_name"><AttributeValue>Arnold, Nicholas</AttributeValue></Attribute><Attribute Name="surname"><AttributeValue>Arnold</AttributeValue></Attribute><Attribute Name="time_zone"><AttributeValue>US/Eastern</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2020-08-11T18:19:49Z"><AuthnContext><AuthnContextClassRef>
|
4
|
+
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
|
5
|
+
</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
|
6
|
+
|
@@ -0,0 +1 @@
|
|
1
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://unimelb-dev.instructure.com/login/saml" ID="id-J6KP4S6zcZo--edsB5AoLxEH5D4Cg-HOmMyXoKfS" InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>RI8Jkujs/MZXzrxDB7di3623VF8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hb2bSG3yiS2Bcp6/NM4ecK1cr74wJZJePhVlDjj65u/KpVCtohSBQESFKGupvzZhqQQuytMAaf+LpiL/5CW5CoC4XGpIIXhPE1dKXbE4IdoGplKyvp8ErpggmWuPS+HgU71p2sU9yGOv+WsWLMe/TdJMeWhyr8lnbJgKpUAD+Yo=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" NotOnOrAfter="2019-04-16T01:01:03Z" Recipient="https://unimelb-dev.instructure.com/login/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-04-16T00:56:03Z" NotOnOrAfter="2019-04-16T01:01:03Z"><saml:AudienceRestriction><saml:Audience>http://unimelb-dev.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-04-16T00:49:28Z" SessionIndex="id-Bp2VqFk32RxqG9IDwQakoI-Oei-vWPxk8uZppqIU" SessionNotOnOrAfter="2019-04-16T01:56:03Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Test User Int</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sso</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
|
@@ -1,6 +1,6 @@
|
|
1
1
|
<?xml version="1.0"?>
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
|
3
|
-
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
3
|
+
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
4
4
|
|
5
5
|
<KeyDescriptor use="encryption">
|
6
6
|
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
data/spec/lib/attribute_spec.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require_relative '../../spec_helper'
|
2
4
|
|
3
5
|
require 'openssl'
|
@@ -86,10 +88,10 @@ module SAML2
|
|
86
88
|
end
|
87
89
|
|
88
90
|
it "raises on unsupported signature algorithm" do
|
89
|
-
x = url
|
91
|
+
x = url.dup
|
90
92
|
# SigAlg is now sha10
|
91
93
|
x << "0"
|
92
|
-
expect { Bindings::HTTPRedirect.decode(
|
94
|
+
expect { Bindings::HTTPRedirect.decode(x, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
|
93
95
|
end
|
94
96
|
|
95
97
|
it "allows the caller to detect an unsigned message" do
|
data/spec/lib/conditions_spec.rb
CHANGED
data/spec/lib/entity_spec.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require_relative '../spec_helper'
|
2
4
|
|
3
5
|
module SAML2
|
@@ -32,6 +34,10 @@ module SAML2
|
|
32
34
|
it "should find the signing certificate" do
|
33
35
|
expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
|
34
36
|
end
|
37
|
+
|
38
|
+
it "loads identity provider attributes" do
|
39
|
+
expect(idp.want_authn_requests_signed?).to be_truthy
|
40
|
+
end
|
35
41
|
end
|
36
42
|
end
|
37
43
|
end
|
data/spec/lib/key_spec.rb
CHANGED
data/spec/lib/message_spec.rb
CHANGED
data/spec/lib/response_spec.rb
CHANGED
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require_relative '../spec_helper'
|
2
4
|
|
3
5
|
module SAML2
|
@@ -258,6 +260,34 @@ module SAML2
|
|
258
260
|
expect(response.errors).to eq []
|
259
261
|
expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
|
260
262
|
end
|
263
|
+
|
264
|
+
it "allows signatures that don't include KeyInfo, if we have a full cert" do
|
265
|
+
response = Response.parse(fixture("response_without_keyinfo.xml"))
|
266
|
+
sp_entity.entity_id = 'http://unimelb-dev.instructure.com/saml2'
|
267
|
+
idp_entity.entity_id = 'https://authidm3tst.unimelb.edu.au:443/oam/fed'
|
268
|
+
idp_entity.identity_providers.first.keys.clear
|
269
|
+
idp_entity.identity_providers.first.keys << KeyDescriptor.new(<<-CERTIFICATE)
|
270
|
+
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
|
271
|
+
CERTIFICATE
|
272
|
+
|
273
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2019-04-16T00:56:03Z'))
|
274
|
+
expect(response.errors).to eq []
|
275
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
|
276
|
+
end
|
277
|
+
|
278
|
+
it "finds signatures the sign the assertion, not inside the assertion" do
|
279
|
+
response = Response.parse(fixture("response_assertion_signed_reffed_from_response.xml"))
|
280
|
+
sp_entity.entity_id = 'http://wscc.instructure.com/saml2'
|
281
|
+
idp_entity.entity_id = 'https://my.wscc.edu/idp'
|
282
|
+
idp_entity.identity_providers.first.keys.clear
|
283
|
+
idp_entity.identity_providers.first.fingerprints << "c4f473274116a3cbc295c3abf77c7ed1ade9b904"
|
284
|
+
|
285
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: response.issue_instant)
|
286
|
+
expect(response.errors).to eq []
|
287
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'narnold@wscc.edu'
|
288
|
+
expect(response).not_to be_signed
|
289
|
+
expect(response.assertions.first).to be_signed
|
290
|
+
end
|
261
291
|
end
|
262
292
|
end
|
263
293
|
end
|
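Review bot: The new "allows signatures that don't include KeyInfo, if we have a full cert" test only exercises the happy path of the single-key fallback; nothing pins what happens when a KeyInfo-less response meets more than one trusted key, which is the branch gated by `trusted_keys.length == 1` in signable.rb. A companion test that appends a second `KeyDescriptor` (the `othercertificate.pem` fixture already ships in the gem) and asserts `expect(response.errors).to include("no trusted signing key found")` would lock that behaviour in and make any later relaxation a deliberate change. Both fixtures used here carry rsa-sha1 signatures, so these tests also implicitly document that SHA-1 signatures are still accepted; if that is intentional, a one-line comment on each `it` saying so would save the next reader a question.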
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
require_relative '../spec_helper'
|
2
4
|
|
3
5
|
module SAML2
|
@@ -64,6 +66,11 @@ module SAML2
|
|
64
66
|
expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
|
65
67
|
expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
|
66
68
|
end
|
69
|
+
|
70
|
+
it "loads service provider attributes" do
|
71
|
+
expect(sp.authn_requests_signed?).to be_truthy
|
72
|
+
expect(sp.want_assertions_signed?).to be_truthy
|
73
|
+
end
|
67
74
|
end
|
68
75
|
end
|
69
76
|
end
|
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: saml2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.
|
4
|
+
version: 3.0.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Cody Cutrer
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2020-12-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: nokogiri
|
@@ -59,7 +59,7 @@ dependencies:
|
|
59
59
|
version: '3.2'
|
60
60
|
- - "<"
|
61
61
|
- !ruby/object:Gem::Version
|
62
|
-
version: '
|
62
|
+
version: '6.2'
|
63
63
|
type: :runtime
|
64
64
|
prerelease: false
|
65
65
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -69,21 +69,21 @@ dependencies:
|
|
69
69
|
version: '3.2'
|
70
70
|
- - "<"
|
71
71
|
- !ruby/object:Gem::Version
|
72
|
-
version: '
|
72
|
+
version: '6.2'
|
73
73
|
- !ruby/object:Gem::Dependency
|
74
74
|
name: byebug
|
75
75
|
requirement: !ruby/object:Gem::Requirement
|
76
76
|
requirements:
|
77
77
|
- - "~>"
|
78
78
|
- !ruby/object:Gem::Version
|
79
|
-
version: '
|
79
|
+
version: '10.0'
|
80
80
|
type: :development
|
81
81
|
prerelease: false
|
82
82
|
version_requirements: !ruby/object:Gem::Requirement
|
83
83
|
requirements:
|
84
84
|
- - "~>"
|
85
85
|
- !ruby/object:Gem::Version
|
86
|
-
version: '
|
86
|
+
version: '10.0'
|
87
87
|
- !ruby/object:Gem::Dependency
|
88
88
|
name: rake
|
89
89
|
requirement: !ruby/object:Gem::Requirement
|
@@ -168,11 +168,13 @@ files:
|
|
168
168
|
- lib/saml2/subject.rb
|
169
169
|
- lib/saml2/version.rb
|
170
170
|
- schemas/MetadataExchange.xsd
|
171
|
+
- schemas/metadata_combined.xsd
|
171
172
|
- schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd
|
172
173
|
- schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd
|
173
174
|
- schemas/saml-schema-assertion-2.0.xsd
|
174
175
|
- schemas/saml-schema-metadata-2.0.xsd
|
175
176
|
- schemas/saml-schema-protocol-2.0.xsd
|
177
|
+
- schemas/sstc-saml-metadata-ext-query.xsd
|
176
178
|
- schemas/ws-addr.xsd
|
177
179
|
- schemas/ws-authorization.xsd
|
178
180
|
- schemas/ws-federation.xsd
|
@@ -189,12 +191,14 @@ files:
|
|
189
191
|
- spec/fixtures/noconditions_response.xml
|
190
192
|
- spec/fixtures/othercertificate.pem
|
191
193
|
- spec/fixtures/privatekey.key
|
194
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
192
195
|
- spec/fixtures/response_signed.xml
|
193
196
|
- spec/fixtures/response_tampered_certificate.xml
|
194
197
|
- spec/fixtures/response_tampered_signature.xml
|
195
198
|
- spec/fixtures/response_with_attribute_signed.xml
|
196
199
|
- spec/fixtures/response_with_encrypted_assertion.xml
|
197
200
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
201
|
+
- spec/fixtures/response_without_keyinfo.xml
|
198
202
|
- spec/fixtures/service_provider.xml
|
199
203
|
- spec/fixtures/test3-response.xml
|
200
204
|
- spec/fixtures/test6-response.xml
|
@@ -223,7 +227,7 @@ homepage: https://github.com/instructure/ruby-saml2
|
|
223
227
|
licenses:
|
224
228
|
- MIT
|
225
229
|
metadata: {}
|
226
|
-
post_install_message:
|
230
|
+
post_install_message:
|
227
231
|
rdoc_options: []
|
228
232
|
require_paths:
|
229
233
|
- lib
|
@@ -238,8 +242,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
238
242
|
- !ruby/object:Gem::Version
|
239
243
|
version: '0'
|
240
244
|
requirements: []
|
241
|
-
rubygems_version: 3.0.
|
242
|
-
signing_key:
|
245
|
+
rubygems_version: 3.0.3
|
246
|
+
signing_key:
|
243
247
|
specification_version: 4
|
244
248
|
summary: SAML 2.0 Library
|
245
249
|
test_files:
|
@@ -268,7 +272,9 @@ test_files:
|
|
268
272
|
- spec/fixtures/certificate.pem
|
269
273
|
- spec/fixtures/noconditions_response.xml
|
270
274
|
- spec/fixtures/entities.xml
|
275
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
271
276
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
277
|
+
- spec/fixtures/response_without_keyinfo.xml
|
272
278
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
273
279
|
- spec/fixtures/othercertificate.pem
|
274
280
|
- spec/fixtures/xslt-transform-response.xml
|