saml2 3.0.5 → 3.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/saml2/entity.rb +2 -2
- data/lib/saml2/response.rb +2 -0
- data/lib/saml2/schemas.rb +1 -5
- data/lib/saml2/service_provider.rb +2 -0
- data/lib/saml2/signable.rb +15 -6
- data/lib/saml2/version.rb +1 -1
- data/schemas/metadata_combined.xsd +13 -0
- data/schemas/sstc-saml-metadata-ext-query.xsd +66 -0
- data/spec/fixtures/identity_provider.xml +1 -1
- data/spec/fixtures/response_assertion_signed_reffed_from_response.xml +6 -0
- data/spec/fixtures/response_without_keyinfo.xml +1 -0
- data/spec/fixtures/service_provider.xml +1 -1
- data/spec/lib/attribute_consuming_service_spec.rb +2 -0
- data/spec/lib/attribute_spec.rb +2 -0
- data/spec/lib/authn_request_spec.rb +2 -0
- data/spec/lib/bindings/http_redirect_spec.rb +4 -2
- data/spec/lib/conditions_spec.rb +2 -0
- data/spec/lib/entity_spec.rb +2 -0
- data/spec/lib/identity_provider_spec.rb +6 -0
- data/spec/lib/indexed_object_spec.rb +2 -0
- data/spec/lib/key_spec.rb +2 -0
- data/spec/lib/logout_request_spec.rb +2 -0
- data/spec/lib/logout_response_spec.rb +2 -0
- data/spec/lib/message_spec.rb +2 -0
- data/spec/lib/response_spec.rb +30 -0
- data/spec/lib/service_provider_spec.rb +7 -0
- data/spec/spec_helper.rb +2 -0
- metadata +16 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f8a576418f7f1f50885a3b7b24eb90789173ecd0513317d2955a93c58c97af83
|
|
4
|
+
data.tar.gz: 24af83ef0d14f9bb8402e7d23f56efc396b10fec4e292c118a3e80ab7059a02b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f3a143f0d36923d557f532d02129a4464ea896d87acf8abb3435f410cd1eab7b99ee93959582bf493d1df2c6788d4a31d85464177fc102514847fd253486b8d3
|
|
7
|
+
data.tar.gz: c36bfc6219fbf03457bf38801adff7685866e4ea1223adfe80b5dfe8466ffde6927ea5f87a00dc0e9c243120a9dd1a761186c8acf24e8c2515ac7e6c3a7c235a
|
data/lib/saml2/entity.rb
CHANGED
|
@@ -65,7 +65,7 @@ module SAML2
|
|
|
65
65
|
|
|
66
66
|
# (see Message#valid_schema?)
|
|
67
67
|
def valid_schema?
|
|
68
|
-
Schemas.
|
|
68
|
+
Schemas.metadata.valid?(xml.document)
|
|
69
69
|
end
|
|
70
70
|
|
|
71
71
|
# (see Message#id)
|
|
@@ -101,7 +101,7 @@ module SAML2
|
|
|
101
101
|
|
|
102
102
|
# (see Message#valid_schema?)
|
|
103
103
|
def valid_schema?
|
|
104
|
-
Schemas.
|
|
104
|
+
Schemas.metadata.valid?(xml.document)
|
|
105
105
|
end
|
|
106
106
|
|
|
107
107
|
# @return [String]
|
data/lib/saml2/response.rb
CHANGED
|
@@ -13,6 +13,8 @@ module SAML2
|
|
|
13
13
|
attr_reader :assertions
|
|
14
14
|
|
|
15
15
|
# Respond to an {AuthnRequest}
|
|
16
|
+
#
|
|
17
|
+
# {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
|
|
16
18
|
# @param authn_request [AuthnRequest]
|
|
17
19
|
# @param issuer [NameID]
|
|
18
20
|
# @param name_id [NameID] The Subject
|
data/lib/saml2/schemas.rb
CHANGED
|
@@ -2,12 +2,8 @@
|
|
|
2
2
|
|
|
3
3
|
module SAML2
|
|
4
4
|
module Schemas
|
|
5
|
-
def self.federation
|
|
6
|
-
@federation ||= schema('ws-federation.xsd')
|
|
7
|
-
end
|
|
8
|
-
|
|
9
5
|
def self.metadata
|
|
10
|
-
@metadata ||= schema('
|
|
6
|
+
@metadata ||= schema('metadata_combined.xsd')
|
|
11
7
|
end
|
|
12
8
|
|
|
13
9
|
def self.protocol
|
data/lib/saml2/signable.rb
CHANGED
|
@@ -7,16 +7,16 @@ module SAML2
|
|
|
7
7
|
# @return [Nokogiri::XML::Element, nil]
|
|
8
8
|
def signature
|
|
9
9
|
unless instance_variable_defined?(:@signature)
|
|
10
|
-
@signature = xml.
|
|
11
|
-
|
|
12
|
-
signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
|
|
10
|
+
@signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
|
|
11
|
+
signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
|
|
13
12
|
if signed_node == ''
|
|
14
|
-
|
|
13
|
+
true if xml == xml.document.root
|
|
15
14
|
elsif signed_node != "##{xml['ID']}"
|
|
16
|
-
|
|
15
|
+
false
|
|
17
16
|
else
|
|
18
17
|
# validating the schema will automatically add ID attributes, so check that first
|
|
19
18
|
xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
|
|
19
|
+
true
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
end
|
|
@@ -25,7 +25,11 @@ module SAML2
|
|
|
25
25
|
|
|
26
26
|
# @return [KeyInfo, nil]
|
|
27
27
|
def signing_key
|
|
28
|
-
|
|
28
|
+
unless instance_variable_defined?(:@signing_key)
|
|
29
|
+
# don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
|
|
30
|
+
@signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
|
|
31
|
+
end
|
|
32
|
+
@signing_key
|
|
29
33
|
end
|
|
30
34
|
|
|
31
35
|
def signed?
|
|
@@ -70,6 +74,11 @@ module SAML2
|
|
|
70
74
|
if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
|
|
71
75
|
key ||= signing_key.certificate.public_key.to_s
|
|
72
76
|
end
|
|
77
|
+
# signature doesn't say who signed it. hope and pray it's with the only certificate
|
|
78
|
+
# we know about
|
|
79
|
+
if signing_key.nil? && key.nil? && trusted_keys.length == 1
|
|
80
|
+
key = trusted_keys.first
|
|
81
|
+
end
|
|
73
82
|
|
|
74
83
|
return ["no trusted signing key found"] if key.nil?
|
|
75
84
|
|
data/lib/saml2/version.rb
CHANGED
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
|
|
3
|
+
<schema
|
|
4
|
+
targetNamespace="https://www.instructure.com/ruby-saml2/metadata-combined"
|
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
|
6
|
+
version="2.0">
|
|
7
|
+
|
|
8
|
+
<import namespace="http://docs.oasis-open.org/wsfed/federation/200706"
|
|
9
|
+
schemaLocation="ws-federation.xsd"/>
|
|
10
|
+
<import namespace="urn:oasis:names:tc:SAML:metadata:ext:query"
|
|
11
|
+
schemaLocation="sstc-saml-metadata-ext-query.xsd"/>
|
|
12
|
+
|
|
13
|
+
</schema>
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
|
|
3
|
+
<schema
|
|
4
|
+
targetNamespace="urn:oasis:names:tc:SAML:metadata:ext:query"
|
|
5
|
+
xmlns="http://www.w3.org/2001/XMLSchema"
|
|
6
|
+
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
|
|
7
|
+
xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
|
|
8
|
+
elementFormDefault="unqualified"
|
|
9
|
+
attributeFormDefault="unqualified"
|
|
10
|
+
blockDefault="substitution"
|
|
11
|
+
version="2.0">
|
|
12
|
+
|
|
13
|
+
<annotation>
|
|
14
|
+
<documentation>
|
|
15
|
+
Document title: SAML Metadata Extension Schema for SAML V2.0 and V1.x Query Requesters
|
|
16
|
+
Document identifier: sstc-saml-metadata-ext-query.xsd
|
|
17
|
+
Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
|
|
18
|
+
Revision history:
|
|
19
|
+
V1.0 (May 2007):
|
|
20
|
+
Initial version.
|
|
21
|
+
</documentation>
|
|
22
|
+
</annotation>
|
|
23
|
+
|
|
24
|
+
<import namespace="urn:oasis:names:tc:SAML:2.0:metadata"
|
|
25
|
+
schemaLocation="saml-schema-metadata-2.0.xsd"/>
|
|
26
|
+
|
|
27
|
+
<complexType name="QueryDescriptorType" abstract="true">
|
|
28
|
+
<complexContent>
|
|
29
|
+
<extension base="md:RoleDescriptorType">
|
|
30
|
+
<sequence>
|
|
31
|
+
<element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/>
|
|
32
|
+
</sequence>
|
|
33
|
+
<attribute name="WantAssertionsSigned" type="boolean" use="optional"/>
|
|
34
|
+
</extension>
|
|
35
|
+
</complexContent>
|
|
36
|
+
</complexType>
|
|
37
|
+
|
|
38
|
+
<complexType name="AuthnQueryDescriptorType">
|
|
39
|
+
<complexContent>
|
|
40
|
+
<extension base="query:QueryDescriptorType"/>
|
|
41
|
+
</complexContent>
|
|
42
|
+
</complexType>
|
|
43
|
+
|
|
44
|
+
<complexType name="AttributeQueryDescriptorType">
|
|
45
|
+
<complexContent>
|
|
46
|
+
<extension base="query:QueryDescriptorType">
|
|
47
|
+
<sequence>
|
|
48
|
+
<element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/>
|
|
49
|
+
</sequence>
|
|
50
|
+
</extension>
|
|
51
|
+
</complexContent>
|
|
52
|
+
</complexType>
|
|
53
|
+
|
|
54
|
+
<element name="ActionNamespace" type="anyURI"/>
|
|
55
|
+
|
|
56
|
+
<complexType name="AuthzDecisionQueryDescriptorType">
|
|
57
|
+
<complexContent>
|
|
58
|
+
<extension base="query:QueryDescriptorType">
|
|
59
|
+
<sequence>
|
|
60
|
+
<element ref="query:ActionNamespace" minOccurs="0" maxOccurs="unbounded"/>
|
|
61
|
+
</sequence>
|
|
62
|
+
</extension>
|
|
63
|
+
</complexContent>
|
|
64
|
+
</complexType>
|
|
65
|
+
|
|
66
|
+
</schema>
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<?xml version="1.0"?>
|
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.school.edu/idp/shibboleth">
|
|
3
|
-
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
|
3
|
+
<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
|
4
4
|
<KeyDescriptor use="signing">
|
|
5
5
|
<ds:KeyInfo>
|
|
6
6
|
<ds:X509Data>
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
<samlp:Response ID="eppcgfbmldefddomokfgiljnkflhppmoflakahld" IssueInstant="2020-08-11T18:19:49Z" Destination="https://wscc.instructure.com/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>cyBkaF5MxEOSX9hLm0g/BWMJpQA=</DigestValue></Reference></SignedInfo><SignatureValue>BqXuyorfBboZI3sSSi4PC3GnJMKyLSQ/897M1RYmgVHx8Pbg1ANy75mpjRQQxGOIz/nSTh6eTPkkFEAT34nhxBSd+JfHof0RfLl/lBI1klSmpi/YoHCKLdVt+iwAemmBNw5Rxw59EepgrbcVtgjsjWISdvMyY7Wqb3nyJDwTGWw=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>yPxoJ9DLOTzn9j91xlqGTX/8Hs5hxjImPalS9qTOc6BYJgXSC7HtxBLMc0usJG58/OaHgWFlaDi4HSBlZe2vLzecaWL1HYxJtW6s+UpD5i+uoxGTPM1ITNlZudGQblh3XTUESrPUZVwSt1N+Vqd4AUHux0E078meTqj9+EMcgsk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>MIIB4TCCAU6gAwIBAgIQhv64tDcg/45BI6qmDbJfKDAJBgUrDgMCHQUAMA8xDTALBgNVBAMTBFRFU1QwIBcNMjAwMTI3MTkxNzMxWhgPMjA4MDEyMzEwNTAwMDBaMA8xDTALBgNVBAMTBFRFU1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMj8aCfQyzk85/Y/dcZahk1//B7OYcYyJj2pUvakznOgWCYF0gux7cQSzHNLrCRufPzmh4FhZWg4uB0gZWXtry83nGli9R2MSbVurPlKQ+YvrqMRkzzNSEzZWbnRkG5Yd101BEqz1GVcErdTflaneAFB7sdBNO/Jnk6o/fhDHILJAgMBAAGjRDBCMEAGA1UdAQQ5MDeAEFm8dl7/zBigioh82gZb6WGhETAPMQ0wCwYDVQQDEwRURVNUghCG/ri0NyD/jkEjqqYNsl8oMAkGBSsOAwIdBQADgYEAotOROUrAiZr7oA3iaZLxq+B6sN+JdWSBquvDUzaMgIWRvUBZPqmOKpXK0+XSLXChgklpVXBXAo78Juy0zza/ZAMyGPbYlSZSME6GlApjp8hi6wi0ti/usi/D8SQSJ9ephwz2JAvI5WP16PzIruYUlf3uI72hKT0NW8Pl3PhT8z8=</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc" IssueInstant="2020-08-11T18:19:49Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
|
|
2
|
+
https://my.wscc.edu/idp
|
|
3
|
+
</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">narnold@wscc.edu</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="" NotOnOrAfter="2020-08-11T18:29:49Z" InResponseTo="_bd878908-34c0-4e6e-b429-90cc8bfae27c" /></SubjectConfirmation></Subject><Conditions NotBefore="2020-08-11T18:14:49Z" NotOnOrAfter="2020-08-11T18:29:49Z"><AudienceRestriction><Audience>http://wscc.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="email"><AttributeValue>narnold@wscc.edu</AttributeValue></Attribute><Attribute Name="display_name"><AttributeValue>Nicholas Arnold</AttributeValue></Attribute><Attribute Name="given_name"><AttributeValue>Nicholas</AttributeValue></Attribute><Attribute Name="integration_id"><AttributeValue>Ed18RSTYO0ivqnZuzQPehQ==</AttributeValue></Attribute><Attribute Name="sis_user_id"><AttributeValue>0097365</AttributeValue></Attribute><Attribute Name="sortable_name"><AttributeValue>Arnold, Nicholas</AttributeValue></Attribute><Attribute Name="surname"><AttributeValue>Arnold</AttributeValue></Attribute><Attribute Name="time_zone"><AttributeValue>US/Eastern</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2020-08-11T18:19:49Z"><AuthnContext><AuthnContextClassRef>
|
|
4
|
+
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
|
|
5
|
+
</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
|
|
6
|
+
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://unimelb-dev.instructure.com/login/saml" ID="id-J6KP4S6zcZo--edsB5AoLxEH5D4Cg-HOmMyXoKfS" InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>RI8Jkujs/MZXzrxDB7di3623VF8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hb2bSG3yiS2Bcp6/NM4ecK1cr74wJZJePhVlDjj65u/KpVCtohSBQESFKGupvzZhqQQuytMAaf+LpiL/5CW5CoC4XGpIIXhPE1dKXbE4IdoGplKyvp8ErpggmWuPS+HgU71p2sU9yGOv+WsWLMe/TdJMeWhyr8lnbJgKpUAD+Yo=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" NotOnOrAfter="2019-04-16T01:01:03Z" Recipient="https://unimelb-dev.instructure.com/login/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-04-16T00:56:03Z" NotOnOrAfter="2019-04-16T01:01:03Z"><saml:AudienceRestriction><saml:Audience>http://unimelb-dev.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-04-16T00:49:28Z" SessionIndex="id-Bp2VqFk32RxqG9IDwQakoI-Oei-vWPxk8uZppqIU" SessionNotOnOrAfter="2019-04-16T01:56:03Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Test User Int</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sso</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<?xml version="1.0"?>
|
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
|
|
3
|
-
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
3
|
+
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
4
4
|
|
|
5
5
|
<KeyDescriptor use="encryption">
|
|
6
6
|
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
data/spec/lib/attribute_spec.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require_relative '../../spec_helper'
|
|
2
4
|
|
|
3
5
|
require 'openssl'
|
|
@@ -86,10 +88,10 @@ module SAML2
|
|
|
86
88
|
end
|
|
87
89
|
|
|
88
90
|
it "raises on unsupported signature algorithm" do
|
|
89
|
-
x = url
|
|
91
|
+
x = url.dup
|
|
90
92
|
# SigAlg is now sha10
|
|
91
93
|
x << "0"
|
|
92
|
-
expect { Bindings::HTTPRedirect.decode(
|
|
94
|
+
expect { Bindings::HTTPRedirect.decode(x, public_key: certificate) }.to raise_error(UnsupportedSignatureAlgorithm)
|
|
93
95
|
end
|
|
94
96
|
|
|
95
97
|
it "allows the caller to detect an unsigned message" do
|
data/spec/lib/conditions_spec.rb
CHANGED
data/spec/lib/entity_spec.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require_relative '../spec_helper'
|
|
2
4
|
|
|
3
5
|
module SAML2
|
|
@@ -32,6 +34,10 @@ module SAML2
|
|
|
32
34
|
it "should find the signing certificate" do
|
|
33
35
|
expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
|
|
34
36
|
end
|
|
37
|
+
|
|
38
|
+
it "loads identity provider attributes" do
|
|
39
|
+
expect(idp.want_authn_requests_signed?).to be_truthy
|
|
40
|
+
end
|
|
35
41
|
end
|
|
36
42
|
end
|
|
37
43
|
end
|
data/spec/lib/key_spec.rb
CHANGED
data/spec/lib/message_spec.rb
CHANGED
data/spec/lib/response_spec.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require_relative '../spec_helper'
|
|
2
4
|
|
|
3
5
|
module SAML2
|
|
@@ -258,6 +260,34 @@ module SAML2
|
|
|
258
260
|
expect(response.errors).to eq []
|
|
259
261
|
expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
|
|
260
262
|
end
|
|
263
|
+
|
|
264
|
+
it "allows signatures that don't include KeyInfo, if we have a full cert" do
|
|
265
|
+
response = Response.parse(fixture("response_without_keyinfo.xml"))
|
|
266
|
+
sp_entity.entity_id = 'http://unimelb-dev.instructure.com/saml2'
|
|
267
|
+
idp_entity.entity_id = 'https://authidm3tst.unimelb.edu.au:443/oam/fed'
|
|
268
|
+
idp_entity.identity_providers.first.keys.clear
|
|
269
|
+
idp_entity.identity_providers.first.keys << KeyDescriptor.new(<<-CERTIFICATE)
|
|
270
|
+
MIIB/jCCAWegAwIBAgIBCjANBgkqhkiG9w0BAQQFADAkMSIwIAYDVQQDExlhZGRlcjEuaXRzLnVuaW1lbGIuZWR1LmF1MB4XDTE3MDUyMjA2MzQzOFoXDTI3MDUyMDA2MzQzOFowJDEiMCAGA1UEAxMZYWRkZXIxLml0cy51bmltZWxiLmVkdS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjJgoa5bPS+Jukq2vNaMwZ39L3IhAg6oOytz+bgOhmF+o5zYARbFqC67faa/rMSkfQwYIpp/MdsC8XHtHeR6HCJjbuPkH/EooHiREOClTI0EKZvI2Xv/DqexxEegRPxXiwPUEPozGGT1yWtSwkQTvRvA9tMpZl3yLg1LhDOP6s6MCAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBRukBh7J1okLMIfSRpzF5opuj0LizANBgkqhkiG9w0BAQQFAAOBgQB0zySVaypIGRksTwpmjaQhMvNrYWGvj74Rs1iuqOdsEQkpgk5dQKRFiAFEr+6b7WN4k+IAH5S++l1R0bUG6k9HFSn7uy7AD+qZcdoUm9a39brtH2kefs0D3bQfrwkqggAtWKwqfU4r7nAcdtVE+CT3cny5QU2/mJav9W9bzFPMXQ==
|
|
271
|
+
CERTIFICATE
|
|
272
|
+
|
|
273
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2019-04-16T00:56:03Z'))
|
|
274
|
+
expect(response.errors).to eq []
|
|
275
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
|
|
276
|
+
end
|
|
277
|
+
|
|
278
|
+
it "finds signatures the sign the assertion, not inside the assertion" do
|
|
279
|
+
response = Response.parse(fixture("response_assertion_signed_reffed_from_response.xml"))
|
|
280
|
+
sp_entity.entity_id = 'http://wscc.instructure.com/saml2'
|
|
281
|
+
idp_entity.entity_id = 'https://my.wscc.edu/idp'
|
|
282
|
+
idp_entity.identity_providers.first.keys.clear
|
|
283
|
+
idp_entity.identity_providers.first.fingerprints << "c4f473274116a3cbc295c3abf77c7ed1ade9b904"
|
|
284
|
+
|
|
285
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: response.issue_instant)
|
|
286
|
+
expect(response.errors).to eq []
|
|
287
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'narnold@wscc.edu'
|
|
288
|
+
expect(response).not_to be_signed
|
|
289
|
+
expect(response.assertions.first).to be_signed
|
|
290
|
+
end
|
|
261
291
|
end
|
|
262
292
|
end
|
|
263
293
|
end
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
1
3
|
require_relative '../spec_helper'
|
|
2
4
|
|
|
3
5
|
module SAML2
|
|
@@ -64,6 +66,11 @@ module SAML2
|
|
|
64
66
|
expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
|
|
65
67
|
expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
|
|
66
68
|
end
|
|
69
|
+
|
|
70
|
+
it "loads service provider attributes" do
|
|
71
|
+
expect(sp.authn_requests_signed?).to be_truthy
|
|
72
|
+
expect(sp.want_assertions_signed?).to be_truthy
|
|
73
|
+
end
|
|
67
74
|
end
|
|
68
75
|
end
|
|
69
76
|
end
|
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: saml2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0.
|
|
4
|
+
version: 3.0.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cody Cutrer
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-12-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: nokogiri
|
|
@@ -59,7 +59,7 @@ dependencies:
|
|
|
59
59
|
version: '3.2'
|
|
60
60
|
- - "<"
|
|
61
61
|
- !ruby/object:Gem::Version
|
|
62
|
-
version: '
|
|
62
|
+
version: '6.2'
|
|
63
63
|
type: :runtime
|
|
64
64
|
prerelease: false
|
|
65
65
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -69,21 +69,21 @@ dependencies:
|
|
|
69
69
|
version: '3.2'
|
|
70
70
|
- - "<"
|
|
71
71
|
- !ruby/object:Gem::Version
|
|
72
|
-
version: '
|
|
72
|
+
version: '6.2'
|
|
73
73
|
- !ruby/object:Gem::Dependency
|
|
74
74
|
name: byebug
|
|
75
75
|
requirement: !ruby/object:Gem::Requirement
|
|
76
76
|
requirements:
|
|
77
77
|
- - "~>"
|
|
78
78
|
- !ruby/object:Gem::Version
|
|
79
|
-
version: '
|
|
79
|
+
version: '10.0'
|
|
80
80
|
type: :development
|
|
81
81
|
prerelease: false
|
|
82
82
|
version_requirements: !ruby/object:Gem::Requirement
|
|
83
83
|
requirements:
|
|
84
84
|
- - "~>"
|
|
85
85
|
- !ruby/object:Gem::Version
|
|
86
|
-
version: '
|
|
86
|
+
version: '10.0'
|
|
87
87
|
- !ruby/object:Gem::Dependency
|
|
88
88
|
name: rake
|
|
89
89
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -168,11 +168,13 @@ files:
|
|
|
168
168
|
- lib/saml2/subject.rb
|
|
169
169
|
- lib/saml2/version.rb
|
|
170
170
|
- schemas/MetadataExchange.xsd
|
|
171
|
+
- schemas/metadata_combined.xsd
|
|
171
172
|
- schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd
|
|
172
173
|
- schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd
|
|
173
174
|
- schemas/saml-schema-assertion-2.0.xsd
|
|
174
175
|
- schemas/saml-schema-metadata-2.0.xsd
|
|
175
176
|
- schemas/saml-schema-protocol-2.0.xsd
|
|
177
|
+
- schemas/sstc-saml-metadata-ext-query.xsd
|
|
176
178
|
- schemas/ws-addr.xsd
|
|
177
179
|
- schemas/ws-authorization.xsd
|
|
178
180
|
- schemas/ws-federation.xsd
|
|
@@ -189,12 +191,14 @@ files:
|
|
|
189
191
|
- spec/fixtures/noconditions_response.xml
|
|
190
192
|
- spec/fixtures/othercertificate.pem
|
|
191
193
|
- spec/fixtures/privatekey.key
|
|
194
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
|
192
195
|
- spec/fixtures/response_signed.xml
|
|
193
196
|
- spec/fixtures/response_tampered_certificate.xml
|
|
194
197
|
- spec/fixtures/response_tampered_signature.xml
|
|
195
198
|
- spec/fixtures/response_with_attribute_signed.xml
|
|
196
199
|
- spec/fixtures/response_with_encrypted_assertion.xml
|
|
197
200
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
|
201
|
+
- spec/fixtures/response_without_keyinfo.xml
|
|
198
202
|
- spec/fixtures/service_provider.xml
|
|
199
203
|
- spec/fixtures/test3-response.xml
|
|
200
204
|
- spec/fixtures/test6-response.xml
|
|
@@ -223,7 +227,7 @@ homepage: https://github.com/instructure/ruby-saml2
|
|
|
223
227
|
licenses:
|
|
224
228
|
- MIT
|
|
225
229
|
metadata: {}
|
|
226
|
-
post_install_message:
|
|
230
|
+
post_install_message:
|
|
227
231
|
rdoc_options: []
|
|
228
232
|
require_paths:
|
|
229
233
|
- lib
|
|
@@ -238,8 +242,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
238
242
|
- !ruby/object:Gem::Version
|
|
239
243
|
version: '0'
|
|
240
244
|
requirements: []
|
|
241
|
-
rubygems_version: 3.0.
|
|
242
|
-
signing_key:
|
|
245
|
+
rubygems_version: 3.0.3
|
|
246
|
+
signing_key:
|
|
243
247
|
specification_version: 4
|
|
244
248
|
summary: SAML 2.0 Library
|
|
245
249
|
test_files:
|
|
@@ -268,7 +272,9 @@ test_files:
|
|
|
268
272
|
- spec/fixtures/certificate.pem
|
|
269
273
|
- spec/fixtures/noconditions_response.xml
|
|
270
274
|
- spec/fixtures/entities.xml
|
|
275
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
|
271
276
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
277
|
+
- spec/fixtures/response_without_keyinfo.xml
|
|
272
278
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
|
273
279
|
- spec/fixtures/othercertificate.pem
|
|
274
280
|
- spec/fixtures/xslt-transform-response.xml
|