saml2 3.0.5 → 3.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 281913c0149f1051be91edbe8ee1dae6cbf35d27b08d71f3e802ae1944c566e6
-  data.tar.gz: 79c15ce8ef3a7bda96dffb2a8a6f849f206d6ec2ab4bf7ecb1e39d4c11717ba0
+  metadata.gz: f8a576418f7f1f50885a3b7b24eb90789173ecd0513317d2955a93c58c97af83
+  data.tar.gz: 24af83ef0d14f9bb8402e7d23f56efc396b10fec4e292c118a3e80ab7059a02b
 SHA512:
-  metadata.gz: b28b2a704598f754c19876118bb3e13da7f653a64b12ec57b57a80444aa925dcfb9aad0489a2744d662c96397b6995288040846552327deba4ba1a6b6397145d
-  data.tar.gz: '095963d2ff38b0511d4ef782888ada845cd6f7fc8f1ae5983c68c6f6aaea6d85ca73bdf17211f61cb4049cb0a0f903936d0e5b8d77b5729651228fcac740d4e3'
+  metadata.gz: f3a143f0d36923d557f532d02129a4464ea896d87acf8abb3435f410cd1eab7b99ee93959582bf493d1df2c6788d4a31d85464177fc102514847fd253486b8d3
+  data.tar.gz: c36bfc6219fbf03457bf38801adff7685866e4ea1223adfe80b5dfe8466ffde6927ea5f87a00dc0e9c243120a9dd1a761186c8acf24e8c2515ac7e6c3a7c235a

data/lib/saml2/entity.rb

@@ -65,7 +65,7 @@ module SAML2
 
       # (see Message#valid_schema?)
       def valid_schema?
-        Schemas.federation.valid?(xml.document)
+        Schemas.metadata.valid?(xml.document)
       end
 
       # (see Message#id)
@@ -101,7 +101,7 @@ module SAML2
 
     # (see Message#valid_schema?)
     def valid_schema?
-      Schemas.federation.valid?(xml.document)
+      Schemas.metadata.valid?(xml.document)
     end
 
     # @return [String]

data/lib/saml2/response.rb

@@ -13,6 +13,8 @@ module SAML2
     attr_reader :assertions
 
     # Respond to an {AuthnRequest}
+    #
+    # {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
     # @param authn_request [AuthnRequest]
     # @param issuer [NameID]
     # @param name_id [NameID] The Subject

data/lib/saml2/schemas.rb

@@ -2,12 +2,8 @@
 
 module SAML2
   module Schemas
-    def self.federation
-      @federation ||= schema('ws-federation.xsd')
-    end
-
     def self.metadata
-      @metadata ||= schema('saml-schema-metadata-2.0.xsd')
+      @metadata ||= schema('metadata_combined.xsd')
     end
 
     def self.protocol

data/lib/saml2/service_provider.rb

@@ -20,6 +20,8 @@ module SAML2
     # (see Base#from_xml)
     def from_xml(node)
       super
+      remove_instance_variable(:@authn_requests_signed)
+      remove_instance_variable(:@want_assertions_signed)
       @assertion_consumer_services = nil
       @attribute_consuming_services = nil
     end

data/lib/saml2/signable.rb

@@ -7,16 +7,16 @@ module SAML2
     # @return [Nokogiri::XML::Element, nil]
     def signature
       unless instance_variable_defined?(:@signature)
-        @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
-        if @signature
-          signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
+        @signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
+          signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
           if signed_node == ''
-            @signature = nil unless xml == xml.document.root
+            true if xml == xml.document.root
           elsif signed_node != "##{xml['ID']}"
-            @signature = nil
+            false
           else
             # validating the schema will automatically add ID attributes, so check that first
             xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
+            true
           end
         end
       end
@@ -25,7 +25,11 @@ module SAML2
 
     # @return [KeyInfo, nil]
     def signing_key
-      @signing_key ||= KeyInfo.from_xml(signature)
+      unless instance_variable_defined?(:@signing_key)
+        # don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
+        @signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
+      end
+      @signing_key
     end
 
     def signed?
@@ -70,6 +74,11 @@ module SAML2
       if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
         key ||= signing_key.certificate.public_key.to_s
       end
+      # signature doesn't say who signed it. hope and pray it's with the only certificate
+      # we know about
+      if signing_key.nil? && key.nil? && trusted_keys.length == 1
+        key = trusted_keys.first
+      end
 
       return ["no trusted signing key found"] if key.nil?
 

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '3.0.5'
+  VERSION = '3.0.10'
 end

data/schemas/metadata_combined.xsd

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<schema
+        targetNamespace="https://www.instructure.com/ruby-saml2/metadata-combined"
+        xmlns="http://www.w3.org/2001/XMLSchema"
+        version="2.0">
+
+  <import namespace="http://docs.oasis-open.org/wsfed/federation/200706"
+          schemaLocation="ws-federation.xsd"/>
+  <import namespace="urn:oasis:names:tc:SAML:metadata:ext:query"
+          schemaLocation="sstc-saml-metadata-ext-query.xsd"/>
+
+</schema>

data/schemas/sstc-saml-metadata-ext-query.xsd

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<schema 
+  targetNamespace="urn:oasis:names:tc:SAML:metadata:ext:query"
+  xmlns="http://www.w3.org/2001/XMLSchema"
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
+  elementFormDefault="unqualified"
+  attributeFormDefault="unqualified"
+  blockDefault="substitution"
+  version="2.0">
+
+  <annotation>
+    <documentation>
+      Document title: SAML Metadata Extension Schema for SAML V2.0 and V1.x Query Requesters
+      Document identifier: sstc-saml-metadata-ext-query.xsd
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+      V1.0 (May 2007):
+        Initial version.
+    </documentation>
+  </annotation>
+
+  <import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
+    schemaLocation="saml-schema-metadata-2.0.xsd"/>
+
+  <complexType name="QueryDescriptorType" abstract="true">
+    <complexContent>
+      <extension base="md:RoleDescriptorType">
+        <sequence>
+          <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+        <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <complexType name="AuthnQueryDescriptorType">
+    <complexContent>
+      <extension base="query:QueryDescriptorType"/>
+    </complexContent>
+  </complexType>
+
+  <complexType name="AttributeQueryDescriptorType">
+    <complexContent>
+      <extension base="query:QueryDescriptorType">
+        <sequence>
+          <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+
+  <element name="ActionNamespace" type="anyURI"/>
+    
+  <complexType name="AuthzDecisionQueryDescriptorType">
+    <complexContent>
+      <extension base="query:QueryDescriptorType">
+        <sequence>
+          <element ref="query:ActionNamespace" minOccurs="0" maxOccurs="unbounded"/>
+        </sequence>
+      </extension>
+    </complexContent>
+  </complexType>
+
+</schema>

data/spec/fixtures/identity_provider.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.school.edu/idp/shibboleth">
-  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <ds:KeyInfo>
         <ds:X509Data>

data/spec/fixtures/response_assertion_signed_reffed_from_response.xml

@@ -0,0 +1,6 @@
+<samlp:Response ID="eppcgfbmldefddomokfgiljnkflhppmoflakahld" IssueInstant="2020-08-11T18:19:49Z" Destination="https://wscc.instructure.com/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>cyBkaF5MxEOSX9hLm0g/BWMJpQA=</DigestValue></Reference></SignedInfo><SignatureValue>BqXuyorfBboZI3sSSi4PC3GnJMKyLSQ/897M1RYmgVHx8Pbg1ANy75mpjRQQxGOIz/nSTh6eTPkkFEAT34nhxBSd+JfHof0RfLl/lBI1klSmpi/YoHCKLdVt+iwAemmBNw5Rxw59EepgrbcVtgjsjWISdvMyY7Wqb3nyJDwTGWw=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>yPxoJ9DLOTzn9j91xlqGTX/8Hs5hxjImPalS9qTOc6BYJgXSC7HtxBLMc0usJG58/OaHgWFlaDi4HSBlZe2vLzecaWL1HYxJtW6s+UpD5i+uoxGTPM1ITNlZudGQblh3XTUESrPUZVwSt1N+Vqd4AUHux0E078meTqj9+EMcgsk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>MIIB4TCCAU6gAwIBAgIQhv64tDcg/45BI6qmDbJfKDAJBgUrDgMCHQUAMA8xDTALBgNVBAMTBFRFU1QwIBcNMjAwMTI3MTkxNzMxWhgPMjA4MDEyMzEwNTAwMDBaMA8xDTALBgNVBAMTBFRFU1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMj8aCfQyzk85/Y/dcZahk1//B7OYcYyJj2pUvakznOgWCYF0gux7cQSzHNLrCRufPzmh4FhZWg4uB0gZWXtry83nGli9R2MSbVurPlKQ+YvrqMRkzzNSEzZWbnRkG5Yd101BEqz1GVcErdTflaneAFB7sdBNO/Jnk6o/fhDHILJAgMBAAGjRDBCMEAGA1UdAQQ5MDeAEFm8dl7/zBigioh82gZb6WGhETAPMQ0wCwYDVQQDEwRURVNUghCG/ri0NyD/jkEjqqYNsl8oMAkGBSsOAwIdBQADgYEAotOROUrAiZr7oA3iaZLxq+B6sN+JdWSBquvDUzaMgIWRvUBZPqmOKpXK0+XSLXChgklpVXBXAo78Juy0zza/ZAMyGPbYlSZSME6GlApjp8hi6wi0ti/usi/D8SQSJ9ephwz2JAvI5WP16PzIruYUlf3uI72hKT0NW8Pl3PhT8z8=</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc" IssueInstant="2020-08-11T18:19:49Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
+      https://my.wscc.edu/idp
+    </Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">narnold@wscc.edu</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="" NotOnOrAfter="2020-08-11T18:29:49Z" InResponseTo="_bd878908-34c0-4e6e-b429-90cc8bfae27c" /></SubjectConfirmation></Subject><Conditions NotBefore="2020-08-11T18:14:49Z" NotOnOrAfter="2020-08-11T18:29:49Z"><AudienceRestriction><Audience>http://wscc.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="email"><AttributeValue>narnold@wscc.edu</AttributeValue></Attribute><Attribute Name="display_name"><AttributeValue>Nicholas Arnold</AttributeValue></Attribute><Attribute Name="given_name"><AttributeValue>Nicholas</AttributeValue></Attribute><Attribute Name="integration_id"><AttributeValue>Ed18RSTYO0ivqnZuzQPehQ==</AttributeValue></Attribute><Attribute Name="sis_user_id"><AttributeValue>0097365</AttributeValue></Attribute><Attribute Name="sortable_name"><AttributeValue>Arnold, Nicholas</AttributeValue></Attribute><Attribute Name="surname"><AttributeValue>Arnold</AttributeValue></Attribute><Attribute Name="time_zone"><AttributeValue>US/Eastern</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2020-08-11T18:19:49Z"><AuthnContext><AuthnContextClassRef>
+          urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+        </AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
+

data/spec/fixtures/response_without_keyinfo.xml

@@ -0,0 +1 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://unimelb-dev.instructure.com/login/saml" ID="id-J6KP4S6zcZo--edsB5AoLxEH5D4Cg-HOmMyXoKfS" InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>RI8Jkujs/MZXzrxDB7di3623VF8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hb2bSG3yiS2Bcp6/NM4ecK1cr74wJZJePhVlDjj65u/KpVCtohSBQESFKGupvzZhqQQuytMAaf+LpiL/5CW5CoC4XGpIIXhPE1dKXbE4IdoGplKyvp8ErpggmWuPS+HgU71p2sU9yGOv+WsWLMe/TdJMeWhyr8lnbJgKpUAD+Yo=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" NotOnOrAfter="2019-04-16T01:01:03Z" Recipient="https://unimelb-dev.instructure.com/login/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-04-16T00:56:03Z" NotOnOrAfter="2019-04-16T01:01:03Z"><saml:AudienceRestriction><saml:Audience>http://unimelb-dev.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-04-16T00:49:28Z" SessionIndex="id-Bp2VqFk32RxqG9IDwQakoI-Oei-vWPxk8uZppqIU" SessionNotOnOrAfter="2019-04-16T01:56:03Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Test User Int</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sso</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>

data/spec/fixtures/service_provider.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
-  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 
     <KeyDescriptor use="encryption">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

data/spec/lib/attribute_consuming_service_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/attribute_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/authn_request_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/bindings/http_redirect_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../../spec_helper'
 
 require 'openssl'
@@ -86,10 +88,10 @@ module SAML2
         end
 
         it "raises on unsupported signature algorithm" do
-          x = url
+          x = url.dup
           # SigAlg is now sha10
           x << "0"
-          expect { Bindings::HTTPRedirect.decode(url, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
+          expect { Bindings::HTTPRedirect.decode(x, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
         end
 
         it "allows the caller to detect an unsigned message" do

data/spec/lib/conditions_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/entity_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/identity_provider_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2
@@ -32,6 +34,10 @@ module SAML2
       it "should find the signing certificate" do
         expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
       end
+
+      it "loads identity provider attributes" do
+        expect(idp.want_authn_requests_signed?).to be_truthy
+      end
     end
   end
 end

data/spec/lib/indexed_object_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/key_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/logout_request_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/logout_response_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/message_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2

data/spec/lib/response_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2
@@ -258,6 +260,34 @@ module SAML2
         expect(response.errors).to eq []
         expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
       end
+
+      it "allows signatures that don't include KeyInfo, if we have a full cert" do
+        response = Response.parse(fixture("response_without_keyinfo.xml"))
+        sp_entity.entity_id = 'http://unimelb-dev.instructure.com/saml2'
+        idp_entity.entity_id = 'https://authidm3tst.unimelb.edu.au:443/oam/fed'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.keys << KeyDescriptor.new(<<-CERTIFICATE)
+MIIB/jCCAWegAwIBAgIBCjANBgkqhkiG9w0BAQQFADAkMSIwIAYDVQQDExlhZGRlcjEuaXRzLnVuaW1lbGIuZWR1LmF1MB4XDTE3MDUyMjA2MzQzOFoXDTI3MDUyMDA2MzQzOFowJDEiMCAGA1UEAxMZYWRkZXIxLml0cy51bmltZWxiLmVkdS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjJgoa5bPS+Jukq2vNaMwZ39L3IhAg6oOytz+bgOhmF+o5zYARbFqC67faa/rMSkfQwYIpp/MdsC8XHtHeR6HCJjbuPkH/EooHiREOClTI0EKZvI2Xv/DqexxEegRPxXiwPUEPozGGT1yWtSwkQTvRvA9tMpZl3yLg1LhDOP6s6MCAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBRukBh7J1okLMIfSRpzF5opuj0LizANBgkqhkiG9w0BAQQFAAOBgQB0zySVaypIGRksTwpmjaQhMvNrYWGvj74Rs1iuqOdsEQkpgk5dQKRFiAFEr+6b7WN4k+IAH5S++l1R0bUG6k9HFSn7uy7AD+qZcdoUm9a39brtH2kefs0D3bQfrwkqggAtWKwqfU4r7nAcdtVE+CT3cny5QU2/mJav9W9bzFPMXQ==
+        CERTIFICATE
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2019-04-16T00:56:03Z'))
+        expect(response.errors).to eq []
+        expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
+      end
+
+      it "finds signatures the sign the assertion, not inside the assertion" do
+        response = Response.parse(fixture("response_assertion_signed_reffed_from_response.xml"))
+        sp_entity.entity_id = 'http://wscc.instructure.com/saml2'
+        idp_entity.entity_id = 'https://my.wscc.edu/idp'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "c4f473274116a3cbc295c3abf77c7ed1ade9b904"
+
+        sp_entity.valid_response?(response, idp_entity, verification_time: response.issue_instant)
+        expect(response.errors).to eq []
+        expect(response.assertions.first.subject.name_id.id).to eq 'narnold@wscc.edu'
+        expect(response).not_to be_signed
+        expect(response.assertions.first).to be_signed
+      end
     end
   end
 end

data/spec/lib/service_provider_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../spec_helper'
 
 module SAML2
@@ -64,6 +66,11 @@ module SAML2
         expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
         expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
       end
+
+      it "loads service provider attributes" do
+        expect(sp.authn_requests_signed?).to be_truthy
+        expect(sp.want_assertions_signed?).to be_truthy
+      end
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'saml2'
 
 def fixture(name)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 3.0.5
+  version: 3.0.10
 platform: ruby
 authors:
 - Cody Cutrer
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-14 00:00:00.000000000 Z
+date: 2020-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -59,7 +59,7 @@ dependencies:
         version: '3.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.3'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -69,21 +69,21 @@ dependencies:
         version: '3.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '5.3'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.0'
+        version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.0'
+        version: '10.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -168,11 +168,13 @@ files:
 - lib/saml2/subject.rb
 - lib/saml2/version.rb
 - schemas/MetadataExchange.xsd
+- schemas/metadata_combined.xsd
 - schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd
 - schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd
 - schemas/saml-schema-assertion-2.0.xsd
 - schemas/saml-schema-metadata-2.0.xsd
 - schemas/saml-schema-protocol-2.0.xsd
+- schemas/sstc-saml-metadata-ext-query.xsd
 - schemas/ws-addr.xsd
 - schemas/ws-authorization.xsd
 - schemas/ws-federation.xsd
@@ -189,12 +191,14 @@ files:
 - spec/fixtures/noconditions_response.xml
 - spec/fixtures/othercertificate.pem
 - spec/fixtures/privatekey.key
+- spec/fixtures/response_assertion_signed_reffed_from_response.xml
 - spec/fixtures/response_signed.xml
 - spec/fixtures/response_tampered_certificate.xml
 - spec/fixtures/response_tampered_signature.xml
 - spec/fixtures/response_with_attribute_signed.xml
 - spec/fixtures/response_with_encrypted_assertion.xml
 - spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
+- spec/fixtures/response_without_keyinfo.xml
 - spec/fixtures/service_provider.xml
 - spec/fixtures/test3-response.xml
 - spec/fixtures/test6-response.xml
@@ -223,7 +227,7 @@ homepage: https://github.com/instructure/ruby-saml2
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -238,8 +242,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: SAML 2.0 Library
 test_files:
@@ -268,7 +272,9 @@ test_files:
 - spec/fixtures/certificate.pem
 - spec/fixtures/noconditions_response.xml
 - spec/fixtures/entities.xml
+- spec/fixtures/response_assertion_signed_reffed_from_response.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
+- spec/fixtures/response_without_keyinfo.xml
 - spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
 - spec/fixtures/othercertificate.pem
 - spec/fixtures/xslt-transform-response.xml