saml2 3.2.2 → 3.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/saml2/bindings/http_redirect.rb +2 -1
- data/lib/saml2/response.rb +34 -35
- data/lib/saml2/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 05f37a8ab729b5a78b6b76c430ae6613d5852613b45980721510e60925b39872
|
|
4
|
+
data.tar.gz: 1e1ea950995d3deefa465c0fdb2c45c796327bf739633ec2e9b1d977931ee116
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3f3f9d16794991653ebd7c779e5f325b4d0f48a94d90d08f225b82329ec448f09fb495a0028ab3b3b13bb7d9a797fc0c8a4ec0df8630822527e632303d54f408
|
|
7
|
+
data.tar.gz: 4e025a411a4dea50efa1377c3e2b09c1aa34f52db3ddb1e1e146041835dd392e9945e831751cc1f0b749c19e3c792af630d7b27dcbaaea3fe5544d8c15be4ccd
|
|
@@ -131,7 +131,7 @@ module SAML2
|
|
|
131
131
|
# @param message [Message]
|
|
132
132
|
# Note that the base URI is taken from {Message#destination}.
|
|
133
133
|
# @param relay_state optional [String]
|
|
134
|
-
# @param private_key optional [OpenSSL::PKey::RSA]
|
|
134
|
+
# @param private_key optional [OpenSSL::PKey::RSA, String]
|
|
135
135
|
# A key to use to sign the encoded message.
|
|
136
136
|
# @param sig_alg optional [String]
|
|
137
137
|
# The signing algorithm to use. Defaults to RSA-SHA1, as it's the
|
|
@@ -164,6 +164,7 @@ module SAML2
|
|
|
164
164
|
raise ArgumentError,
|
|
165
165
|
"Unsupported signature algorithm #{sig_alg}"
|
|
166
166
|
end
|
|
167
|
+
private_key = OpenSSL::PKey.read(private_key) if private_key.is_a?(String)
|
|
167
168
|
|
|
168
169
|
query << ["SigAlg", sig_alg]
|
|
169
170
|
base_string = URI.encode_www_form(query)
|
data/lib/saml2/response.rb
CHANGED
|
@@ -158,17 +158,17 @@ module SAML2
|
|
|
158
158
|
response_signed = true
|
|
159
159
|
end
|
|
160
160
|
|
|
161
|
-
|
|
161
|
+
signed_assertions = []
|
|
162
|
+
assertions.each do |assertion|
|
|
163
|
+
next unless assertion.signed?
|
|
162
164
|
|
|
163
|
-
# this might be nil, if the assertion was encrypted
|
|
164
|
-
if assertion&.signed?
|
|
165
165
|
unless (signature_errors = assertion.validate_signature(key: keys,
|
|
166
166
|
fingerprint: idp.fingerprints,
|
|
167
167
|
cert: certificates)).empty?
|
|
168
168
|
return errors.concat(signature_errors)
|
|
169
169
|
end
|
|
170
170
|
|
|
171
|
-
|
|
171
|
+
signed_assertions << assertion.xml
|
|
172
172
|
end
|
|
173
173
|
|
|
174
174
|
find_decryption_key = lambda do |embedded_certificates|
|
|
@@ -213,46 +213,45 @@ module SAML2
|
|
|
213
213
|
return errors
|
|
214
214
|
end
|
|
215
215
|
|
|
216
|
-
|
|
217
|
-
unless assertion
|
|
216
|
+
if assertions.empty?
|
|
218
217
|
errors << "no assertion found"
|
|
219
218
|
return errors
|
|
220
219
|
end
|
|
221
220
|
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
221
|
+
assertions.each do |assertion|
|
|
222
|
+
assertion_signed = signed_assertions.include?(assertion.xml)
|
|
223
|
+
# if we didn't previously check the assertion's signature (because it was encrypted)
|
|
224
|
+
# check it now
|
|
225
|
+
if !response_signed && !assertion_signed
|
|
226
|
+
unless assertion.signed?
|
|
227
|
+
errors << "neither response nor assertion were signed"
|
|
228
|
+
return errors
|
|
229
|
+
end
|
|
230
|
+
unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
|
|
231
|
+
cert: certificates)).empty?
|
|
232
|
+
return errors.concat(signature_errors)
|
|
233
|
+
end
|
|
228
234
|
end
|
|
229
235
|
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
errors << "assertion not recently issued"
|
|
238
|
-
return errors
|
|
239
|
-
end
|
|
236
|
+
# only do our own issue instant validation if the assertion
|
|
237
|
+
# doesn't mandate any
|
|
238
|
+
if !assertion.conditions&.not_on_or_after && (assertion.issue_instant + (5 * 60) < verification_time ||
|
|
239
|
+
assertion.issue_instant - (5 * 60) > verification_time)
|
|
240
|
+
errors << "assertion not recently issued"
|
|
241
|
+
return errors
|
|
242
|
+
end
|
|
240
243
|
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
244
|
+
if assertion.conditions &&
|
|
245
|
+
!(condition_errors = assertion.conditions.validate(
|
|
246
|
+
verification_time:,
|
|
247
|
+
audience: service_provider.entity_id,
|
|
248
|
+
ignore_audience_condition:
|
|
249
|
+
)).empty?
|
|
250
|
+
return errors.concat(condition_errors)
|
|
251
|
+
end
|
|
249
252
|
|
|
250
|
-
|
|
251
|
-
errors << "neither response nor assertion were signed"
|
|
252
|
-
return errors
|
|
253
|
-
end
|
|
253
|
+
next if sp.private_keys.empty?
|
|
254
254
|
|
|
255
|
-
unless sp.private_keys.empty?
|
|
256
255
|
begin
|
|
257
256
|
decypted_anything = assertion.decrypt(&find_decryption_key)
|
|
258
257
|
rescue XMLSec::DecryptionError
|
data/lib/saml2/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: saml2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.2.
|
|
4
|
+
version: 3.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cody Cutrer
|
|
8
8
|
bindir: exe
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-
|
|
10
|
+
date: 2025-10-13 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: activesupport
|
|
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
158
158
|
- !ruby/object:Gem::Version
|
|
159
159
|
version: '0'
|
|
160
160
|
requirements: []
|
|
161
|
-
rubygems_version: 3.6.
|
|
161
|
+
rubygems_version: 3.6.3
|
|
162
162
|
specification_version: 4
|
|
163
163
|
summary: SAML 2.0 Library
|
|
164
164
|
test_files: []
|