saml2 3.0.5 → 3.0.10

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 281913c0149f1051be91edbe8ee1dae6cbf35d27b08d71f3e802ae1944c566e6
4
- data.tar.gz: 79c15ce8ef3a7bda96dffb2a8a6f849f206d6ec2ab4bf7ecb1e39d4c11717ba0
3
+ metadata.gz: f8a576418f7f1f50885a3b7b24eb90789173ecd0513317d2955a93c58c97af83
4
+ data.tar.gz: 24af83ef0d14f9bb8402e7d23f56efc396b10fec4e292c118a3e80ab7059a02b
5
5
  SHA512:
6
- metadata.gz: b28b2a704598f754c19876118bb3e13da7f653a64b12ec57b57a80444aa925dcfb9aad0489a2744d662c96397b6995288040846552327deba4ba1a6b6397145d
7
- data.tar.gz: '095963d2ff38b0511d4ef782888ada845cd6f7fc8f1ae5983c68c6f6aaea6d85ca73bdf17211f61cb4049cb0a0f903936d0e5b8d77b5729651228fcac740d4e3'
6
+ metadata.gz: f3a143f0d36923d557f532d02129a4464ea896d87acf8abb3435f410cd1eab7b99ee93959582bf493d1df2c6788d4a31d85464177fc102514847fd253486b8d3
7
+ data.tar.gz: c36bfc6219fbf03457bf38801adff7685866e4ea1223adfe80b5dfe8466ffde6927ea5f87a00dc0e9c243120a9dd1a761186c8acf24e8c2515ac7e6c3a7c235a
@@ -65,7 +65,7 @@ module SAML2
65
65
 
66
66
  # (see Message#valid_schema?)
67
67
  def valid_schema?
68
- Schemas.federation.valid?(xml.document)
68
+ Schemas.metadata.valid?(xml.document)
69
69
  end
70
70
 
71
71
  # (see Message#id)
@@ -101,7 +101,7 @@ module SAML2
101
101
 
102
102
  # (see Message#valid_schema?)
103
103
  def valid_schema?
104
- Schemas.federation.valid?(xml.document)
104
+ Schemas.metadata.valid?(xml.document)
105
105
  end
106
106
 
107
107
  # @return [String]
@@ -13,6 +13,8 @@ module SAML2
13
13
  attr_reader :assertions
14
14
 
15
15
  # Respond to an {AuthnRequest}
16
+ #
17
+ # {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
16
18
  # @param authn_request [AuthnRequest]
17
19
  # @param issuer [NameID]
18
20
  # @param name_id [NameID] The Subject
@@ -2,12 +2,8 @@
2
2
 
3
3
  module SAML2
4
4
  module Schemas
5
- def self.federation
6
- @federation ||= schema('ws-federation.xsd')
7
- end
8
-
9
5
  def self.metadata
10
- @metadata ||= schema('saml-schema-metadata-2.0.xsd')
6
+ @metadata ||= schema('metadata_combined.xsd')
11
7
  end
12
8
 
13
9
  def self.protocol
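Review bot: Removing the public `Schemas.federation` method is an API break shipped in a patch-level bump (3.0.5 → 3.0.10); any caller that validated WS-Federation metadata through it now gets NoMethodError. Because the new `metadata_combined.xsd` imports ws-federation.xsd, the old name can be kept as a deprecated alias with no behavioural cost: `# @deprecated use {.metadata}; the combined schema already covers WS-Federation` followed by `def self.federation; metadata; end`. The `module Schemas` body continues past the end of this hunk.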
@@ -20,6 +20,8 @@ module SAML2
20
20
  # (see Base#from_xml)
21
21
  def from_xml(node)
22
22
  super
23
+ remove_instance_variable(:@authn_requests_signed)
24
+ remove_instance_variable(:@want_assertions_signed)
23
25
  @assertion_consumer_services = nil
24
26
  @attribute_consuming_services = nil
25
27
  end
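Review bot: `remove_instance_variable` raises NameError when the ivar is not set, so the two added lines silently require that `initialize` (not in this hunk) always assigns `@authn_requests_signed` and `@want_assertions_signed` before `from_xml` runs; any constructor path or subclass that skips that assignment breaks metadata parsing with a confusing error. A guarded form keeps the intent without the coupling: `remove_instance_variable(:@authn_requests_signed) if instance_variable_defined?(:@authn_requests_signed)` and likewise for `@want_assertions_signed`. A why-comment would also help, since unlike the `= nil` resets below it is not obvious why these are unset rather than nil-ed; presumably the readers lazily re-derive the value from the XML only when the ivar is undefined, so something like `# drop the constructor defaults so the *_signed? readers re-read the attributes from the XML — confirm against the readers` would do.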
@@ -7,16 +7,16 @@ module SAML2
7
7
  # @return [Nokogiri::XML::Element, nil]
8
8
  def signature
9
9
  unless instance_variable_defined?(:@signature)
10
- @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
11
- if @signature
12
- signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
10
+ @signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
11
+ signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
13
12
  if signed_node == ''
14
- @signature = nil unless xml == xml.document.root
13
+ true if xml == xml.document.root
15
14
  elsif signed_node != "##{xml['ID']}"
16
- @signature = nil
15
+ false
17
16
  else
18
17
  # validating the schema will automatically add ID attributes, so check that first
19
18
  xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
19
+ true
20
20
  end
21
21
  end
22
22
  end
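Review bot: Widening the lookup from the element's own child to `//dsig:Signature` means every Signature anywhere in the document is inspected, and `signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']` dereferences nil for any Signature that lacks a Reference (a malformed or attacker-inserted ds:Signature in an unsigned sibling or Extensions element), so signature discovery for every node in that document raises NoMethodError. Guard it: `ref = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)` / `next false unless ref` / `signed_node = ref['URI']`. Since a Signature may now live outside the subtree it signs, its position no longer says anything about what it protects; the wrapping-attack defence rests entirely on the `#ID` reference match here plus the ID-uniqueness and cryptographic checks performed elsewhere (not in this hunk), which deserves a comment above the xpath such as `# the Signature may sit outside the node it signs (some IdPs put the assertion's Signature under Response); only the Reference URI decides which node it covers`. Note also that `find` takes the first matching Signature in document order, so a second Signature referencing the same ID is silently ignored.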
@@ -25,7 +25,11 @@ module SAML2
25
25
 
26
26
  # @return [KeyInfo, nil]
27
27
  def signing_key
28
- @signing_key ||= KeyInfo.from_xml(signature)
28
+ unless instance_variable_defined?(:@signing_key)
29
+ # don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
30
+ @signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
31
+ end
32
+ @signing_key
29
33
  end
30
34
 
31
35
  def signed?
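Review bot: The new `signature.at_xpath('dsig:KeyInfo', ...)` raises NoMethodError on an unsigned element, because `signature` returns nil in that case, while the documented `@return [KeyInfo, nil]` and the `signing_key&.certificate` call site below suggest nil is the expected result. Safe navigation fixes it: `@signing_key = signature&.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil`. Whether the previous `KeyInfo.from_xml(nil)` tolerated nil is not visible here, so this may or may not be a regression, but the guard costs nothing and matches the contract.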
@@ -70,6 +74,11 @@ module SAML2
70
74
  if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
71
75
  key ||= signing_key.certificate.public_key.to_s
72
76
  end
77
+ # signature doesn't say who signed it. hope and pray it's with the only certificate
78
+ # we know about
79
+ if signing_key.nil? && key.nil? && trusted_keys.length == 1
80
+ key = trusted_keys.first
81
+ end
73
82
 
74
83
  return ["no trusted signing key found"] if key.nil?
75
84
 
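Review bot: The single-key fallback still rejects a common legitimate case: during certificate rollover an IdP's metadata carries two signing certificates, and a KeyInfo-less signature from such an IdP now fails with "no trusted signing key found" because `trusted_keys.length == 1` is false. Since the cryptographic verification that follows (outside this hunk) is what actually decides validity, trying each trusted key in turn when `signing_key.nil?` is no less safe than trusting the only one and would cover rollover; at minimum the comment should state the limitation. Suggested wording: `# the signature carries no KeyInfo, so it can't tell us which certificate was used; fall back to the only trusted key (an IdP mid-rollover with two keys is still rejected here)`. The enclosing method begins before this hunk.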
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SAML2
4
- VERSION = '3.0.5'
4
+ VERSION = '3.0.10'
5
5
  end
@@ -0,0 +1,13 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+
3
+ <schema
4
+ targetNamespace="https://www.instructure.com/ruby-saml2/metadata-combined"
5
+ xmlns="http://www.w3.org/2001/XMLSchema"
6
+ version="2.0">
7
+
8
+ <import namespace="http://docs.oasis-open.org/wsfed/federation/200706"
9
+ schemaLocation="ws-federation.xsd"/>
10
+ <import namespace="urn:oasis:names:tc:SAML:metadata:ext:query"
11
+ schemaLocation="sstc-saml-metadata-ext-query.xsd"/>
12
+
13
+ </schema>
@@ -0,0 +1,66 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+
3
+ <schema
4
+ targetNamespace="urn:oasis:names:tc:SAML:metadata:ext:query"
5
+ xmlns="http://www.w3.org/2001/XMLSchema"
6
+ xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
7
+ xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
8
+ elementFormDefault="unqualified"
9
+ attributeFormDefault="unqualified"
10
+ blockDefault="substitution"
11
+ version="2.0">
12
+
13
+ <annotation>
14
+ <documentation>
15
+ Document title: SAML Metadata Extension Schema for SAML V2.0 and V1.x Query Requesters
16
+ Document identifier: sstc-saml-metadata-ext-query.xsd
17
+ Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
18
+ Revision history:
19
+ V1.0 (May 2007):
20
+ Initial version.
21
+ </documentation>
22
+ </annotation>
23
+
24
+ <import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
25
+ schemaLocation="saml-schema-metadata-2.0.xsd"/>
26
+
27
+ <complexType name="QueryDescriptorType" abstract="true">
28
+ <complexContent>
29
+ <extension base="md:RoleDescriptorType">
30
+ <sequence>
31
+ <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
32
+ </sequence>
33
+ <attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
34
+ </extension>
35
+ </complexContent>
36
+ </complexType>
37
+
38
+ <complexType name="AuthnQueryDescriptorType">
39
+ <complexContent>
40
+ <extension base="query:QueryDescriptorType"/>
41
+ </complexContent>
42
+ </complexType>
43
+
44
+ <complexType name="AttributeQueryDescriptorType">
45
+ <complexContent>
46
+ <extension base="query:QueryDescriptorType">
47
+ <sequence>
48
+ <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
49
+ </sequence>
50
+ </extension>
51
+ </complexContent>
52
+ </complexType>
53
+
54
+ <element name="ActionNamespace" type="anyURI"/>
55
+
56
+ <complexType name="AuthzDecisionQueryDescriptorType">
57
+ <complexContent>
58
+ <extension base="query:QueryDescriptorType">
59
+ <sequence>
60
+ <element ref="query:ActionNamespace" minOccurs="0" maxOccurs="unbounded"/>
61
+ </sequence>
62
+ </extension>
63
+ </complexContent>
64
+ </complexType>
65
+
66
+ </schema>
@@ -1,6 +1,6 @@
1
1
  <?xml version="1.0"?>
2
2
  <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.school.edu/idp/shibboleth">
3
- <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
3
+ <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
4
4
  <KeyDescriptor use="signing">
5
5
  <ds:KeyInfo>
6
6
  <ds:X509Data>
@@ -0,0 +1,6 @@
1
+ <samlp:Response ID="eppcgfbmldefddomokfgiljnkflhppmoflakahld" IssueInstant="2020-08-11T18:19:49Z" Destination="https://wscc.instructure.com/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>cyBkaF5MxEOSX9hLm0g/BWMJpQA=</DigestValue></Reference></SignedInfo><SignatureValue>BqXuyorfBboZI3sSSi4PC3GnJMKyLSQ/897M1RYmgVHx8Pbg1ANy75mpjRQQxGOIz/nSTh6eTPkkFEAT34nhxBSd+JfHof0RfLl/lBI1klSmpi/YoHCKLdVt+iwAemmBNw5Rxw59EepgrbcVtgjsjWISdvMyY7Wqb3nyJDwTGWw=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>yPxoJ9DLOTzn9j91xlqGTX/8Hs5hxjImPalS9qTOc6BYJgXSC7HtxBLMc0usJG58/OaHgWFlaDi4HSBlZe2vLzecaWL1HYxJtW6s+UpD5i+uoxGTPM1ITNlZudGQblh3XTUESrPUZVwSt1N+Vqd4AUHux0E078meTqj9+EMcgsk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>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</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc" IssueInstant="2020-08-11T18:19:49Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
2
+ https://my.wscc.edu/idp
3
+ </Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">narnold@wscc.edu</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="" NotOnOrAfter="2020-08-11T18:29:49Z" InResponseTo="_bd878908-34c0-4e6e-b429-90cc8bfae27c" /></SubjectConfirmation></Subject><Conditions NotBefore="2020-08-11T18:14:49Z" NotOnOrAfter="2020-08-11T18:29:49Z"><AudienceRestriction><Audience>http://wscc.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="email"><AttributeValue>narnold@wscc.edu</AttributeValue></Attribute><Attribute Name="display_name"><AttributeValue>Nicholas Arnold</AttributeValue></Attribute><Attribute Name="given_name"><AttributeValue>Nicholas</AttributeValue></Attribute><Attribute Name="integration_id"><AttributeValue>Ed18RSTYO0ivqnZuzQPehQ==</AttributeValue></Attribute><Attribute Name="sis_user_id"><AttributeValue>0097365</AttributeValue></Attribute><Attribute Name="sortable_name"><AttributeValue>Arnold, Nicholas</AttributeValue></Attribute><Attribute Name="surname"><AttributeValue>Arnold</AttributeValue></Attribute><Attribute Name="time_zone"><AttributeValue>US/Eastern</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2020-08-11T18:19:49Z"><AuthnContext><AuthnContextClassRef>
4
+ urn:oasis:names:tc:SAML:2.0:ac:classes:Password
5
+ </AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
6
+
@@ -0,0 +1 @@
1
+ <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://unimelb-dev.instructure.com/login/saml" ID="id-J6KP4S6zcZo--edsB5AoLxEH5D4Cg-HOmMyXoKfS" InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>RI8Jkujs/MZXzrxDB7di3623VF8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hb2bSG3yiS2Bcp6/NM4ecK1cr74wJZJePhVlDjj65u/KpVCtohSBQESFKGupvzZhqQQuytMAaf+LpiL/5CW5CoC4XGpIIXhPE1dKXbE4IdoGplKyvp8ErpggmWuPS+HgU71p2sU9yGOv+WsWLMe/TdJMeWhyr8lnbJgKpUAD+Yo=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" NotOnOrAfter="2019-04-16T01:01:03Z" Recipient="https://unimelb-dev.instructure.com/login/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-04-16T00:56:03Z" NotOnOrAfter="2019-04-16T01:01:03Z"><saml:AudienceRestriction><saml:Audience>http://unimelb-dev.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-04-16T00:49:28Z" SessionIndex="id-Bp2VqFk32RxqG9IDwQakoI-Oei-vWPxk8uZppqIU" SessionNotOnOrAfter="2019-04-16T01:56:03Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Test User Int</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sso</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
@@ -1,6 +1,6 @@
1
1
  <?xml version="1.0"?>
2
2
  <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
3
- <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
3
+ <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
4
4
 
5
5
  <KeyDescriptor use="encryption">
6
6
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../../spec_helper'
2
4
 
3
5
  require 'openssl'
@@ -86,10 +88,10 @@ module SAML2
86
88
  end
87
89
 
88
90
  it "raises on unsupported signature algorithm" do
89
- x = url
91
+ x = url.dup
90
92
  # SigAlg is now sha10
91
93
  x << "0"
92
- expect { Bindings::HTTPRedirect.decode(url, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
94
+ expect { Bindings::HTTPRedirect.decode(x, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
93
95
  end
94
96
 
95
97
  it "allows the caller to detect an unsigned message" do
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -32,6 +34,10 @@ module SAML2
32
34
  it "should find the signing certificate" do
33
35
  expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
34
36
  end
37
+
38
+ it "loads identity provider attributes" do
39
+ expect(idp.want_authn_requests_signed?).to be_truthy
40
+ end
35
41
  end
36
42
  end
37
43
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -258,6 +260,34 @@ module SAML2
258
260
  expect(response.errors).to eq []
259
261
  expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
260
262
  end
263
+
264
+ it "allows signatures that don't include KeyInfo, if we have a full cert" do
265
+ response = Response.parse(fixture("response_without_keyinfo.xml"))
266
+ sp_entity.entity_id = 'http://unimelb-dev.instructure.com/saml2'
267
+ idp_entity.entity_id = 'https://authidm3tst.unimelb.edu.au:443/oam/fed'
268
+ idp_entity.identity_providers.first.keys.clear
269
+ idp_entity.identity_providers.first.keys << KeyDescriptor.new(<<-CERTIFICATE)
270
+ 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
271
+ CERTIFICATE
272
+
273
+ sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2019-04-16T00:56:03Z'))
274
+ expect(response.errors).to eq []
275
+ expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
276
+ end
277
+
278
+ it "finds signatures the sign the assertion, not inside the assertion" do
279
+ response = Response.parse(fixture("response_assertion_signed_reffed_from_response.xml"))
280
+ sp_entity.entity_id = 'http://wscc.instructure.com/saml2'
281
+ idp_entity.entity_id = 'https://my.wscc.edu/idp'
282
+ idp_entity.identity_providers.first.keys.clear
283
+ idp_entity.identity_providers.first.fingerprints << "c4f473274116a3cbc295c3abf77c7ed1ade9b904"
284
+
285
+ sp_entity.valid_response?(response, idp_entity, verification_time: response.issue_instant)
286
+ expect(response.errors).to eq []
287
+ expect(response.assertions.first.subject.name_id.id).to eq 'narnold@wscc.edu'
288
+ expect(response).not_to be_signed
289
+ expect(response.assertions.first).to be_signed
290
+ end
261
291
  end
262
292
  end
263
293
  end
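Review bot: The second new example's description has a typo, `finds signatures the sign the assertion, not inside the assertion`, which should read `finds signatures that sign the assertion, not inside the assertion`. Both new examples mutate `idp_entity.identity_providers.first.keys` via `clear`; that is only safe if `idp_entity` is rebuilt per example (a `let`, defined outside this hunk), which is worth confirming so the cleared key list does not leak into neighbouring examples.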
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require_relative '../spec_helper'
2
4
 
3
5
  module SAML2
@@ -64,6 +66,11 @@ module SAML2
64
66
  expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
65
67
  expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
66
68
  end
69
+
70
+ it "loads service provider attributes" do
71
+ expect(sp.authn_requests_signed?).to be_truthy
72
+ expect(sp.want_assertions_signed?).to be_truthy
73
+ end
67
74
  end
68
75
  end
69
76
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'saml2'
2
4
 
3
5
  def fixture(name)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: saml2
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.5
4
+ version: 3.0.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - Cody Cutrer
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-01-14 00:00:00.000000000 Z
11
+ date: 2020-12-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: nokogiri
@@ -59,7 +59,7 @@ dependencies:
59
59
  version: '3.2'
60
60
  - - "<"
61
61
  - !ruby/object:Gem::Version
62
- version: '5.3'
62
+ version: '6.2'
63
63
  type: :runtime
64
64
  prerelease: false
65
65
  version_requirements: !ruby/object:Gem::Requirement
@@ -69,21 +69,21 @@ dependencies:
69
69
  version: '3.2'
70
70
  - - "<"
71
71
  - !ruby/object:Gem::Version
72
- version: '5.3'
72
+ version: '6.2'
73
73
  - !ruby/object:Gem::Dependency
74
74
  name: byebug
75
75
  requirement: !ruby/object:Gem::Requirement
76
76
  requirements:
77
77
  - - "~>"
78
78
  - !ruby/object:Gem::Version
79
- version: '9.0'
79
+ version: '10.0'
80
80
  type: :development
81
81
  prerelease: false
82
82
  version_requirements: !ruby/object:Gem::Requirement
83
83
  requirements:
84
84
  - - "~>"
85
85
  - !ruby/object:Gem::Version
86
- version: '9.0'
86
+ version: '10.0'
87
87
  - !ruby/object:Gem::Dependency
88
88
  name: rake
89
89
  requirement: !ruby/object:Gem::Requirement
@@ -168,11 +168,13 @@ files:
168
168
  - lib/saml2/subject.rb
169
169
  - lib/saml2/version.rb
170
170
  - schemas/MetadataExchange.xsd
171
+ - schemas/metadata_combined.xsd
171
172
  - schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd
172
173
  - schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd
173
174
  - schemas/saml-schema-assertion-2.0.xsd
174
175
  - schemas/saml-schema-metadata-2.0.xsd
175
176
  - schemas/saml-schema-protocol-2.0.xsd
177
+ - schemas/sstc-saml-metadata-ext-query.xsd
176
178
  - schemas/ws-addr.xsd
177
179
  - schemas/ws-authorization.xsd
178
180
  - schemas/ws-federation.xsd
@@ -189,12 +191,14 @@ files:
189
191
  - spec/fixtures/noconditions_response.xml
190
192
  - spec/fixtures/othercertificate.pem
191
193
  - spec/fixtures/privatekey.key
194
+ - spec/fixtures/response_assertion_signed_reffed_from_response.xml
192
195
  - spec/fixtures/response_signed.xml
193
196
  - spec/fixtures/response_tampered_certificate.xml
194
197
  - spec/fixtures/response_tampered_signature.xml
195
198
  - spec/fixtures/response_with_attribute_signed.xml
196
199
  - spec/fixtures/response_with_encrypted_assertion.xml
197
200
  - spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
201
+ - spec/fixtures/response_without_keyinfo.xml
198
202
  - spec/fixtures/service_provider.xml
199
203
  - spec/fixtures/test3-response.xml
200
204
  - spec/fixtures/test6-response.xml
@@ -223,7 +227,7 @@ homepage: https://github.com/instructure/ruby-saml2
223
227
  licenses:
224
228
  - MIT
225
229
  metadata: {}
226
- post_install_message:
230
+ post_install_message:
227
231
  rdoc_options: []
228
232
  require_paths:
229
233
  - lib
@@ -238,8 +242,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
238
242
  - !ruby/object:Gem::Version
239
243
  version: '0'
240
244
  requirements: []
241
- rubygems_version: 3.0.1
242
- signing_key:
245
+ rubygems_version: 3.0.3
246
+ signing_key:
243
247
  specification_version: 4
244
248
  summary: SAML 2.0 Library
245
249
  test_files:
@@ -268,7 +272,9 @@ test_files:
268
272
  - spec/fixtures/certificate.pem
269
273
  - spec/fixtures/noconditions_response.xml
270
274
  - spec/fixtures/entities.xml
275
+ - spec/fixtures/response_assertion_signed_reffed_from_response.xml
271
276
  - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
277
+ - spec/fixtures/response_without_keyinfo.xml
272
278
  - spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
273
279
  - spec/fixtures/othercertificate.pem
274
280
  - spec/fixtures/xslt-transform-response.xml