saml2 3.2.3 → 3.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/lib/saml2/response.rb +34 -35
  3. data/lib/saml2/version.rb +1 -1
  4. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0cc92864a26047c46a21c7294ece5009a8df5edbcc79694167b5dfe569a63530
4
- data.tar.gz: c411ec995c1a0a02454821e0f1ea8e0ace5ee0488f0db6394f39ffc3376c5c7e
3
+ metadata.gz: 05f37a8ab729b5a78b6b76c430ae6613d5852613b45980721510e60925b39872
4
+ data.tar.gz: 1e1ea950995d3deefa465c0fdb2c45c796327bf739633ec2e9b1d977931ee116
5
5
  SHA512:
6
- metadata.gz: 04770f4380d3cde93e2169e58923b051e2e70ed08e77c45b000d03ce7d398a28aa958f7e5ca109863a13f8fba1b0724e6679e6a82231509e5931e832890128d5
7
- data.tar.gz: 6a80a9275d319b7bf14fa3fd356500cf5a6d14df94263509a3f1a590d77870dff24eed65584991c0da68012576150eb8d1712c736e1742f12fa8ef0037d304f0
6
+ metadata.gz: 3f3f9d16794991653ebd7c779e5f325b4d0f48a94d90d08f225b82329ec448f09fb495a0028ab3b3b13bb7d9a797fc0c8a4ec0df8630822527e632303d54f408
7
+ data.tar.gz: 4e025a411a4dea50efa1377c3e2b09c1aa34f52db3ddb1e1e146041835dd392e9945e831751cc1f0b749c19e3c792af630d7b27dcbaaea3fe5544d8c15be4ccd
data/lib/saml2/response.rb CHANGED
@@ -158,17 +158,17 @@ module SAML2
158
158
  response_signed = true
159
159
  end
160
160
 
161
- assertion = assertions.first
161
+ signed_assertions = []
162
+ assertions.each do |assertion|
163
+ next unless assertion.signed?
162
164
 
163
- # this might be nil, if the assertion was encrypted
164
- if assertion&.signed?
165
165
  unless (signature_errors = assertion.validate_signature(key: keys,
166
166
  fingerprint: idp.fingerprints,
167
167
  cert: certificates)).empty?
168
168
  return errors.concat(signature_errors)
169
169
  end
170
170
 
171
- assertion_signed = true
171
+ signed_assertions << assertion.xml
172
172
  end
173
173
 
174
174
  find_decryption_key = lambda do |embedded_certificates|
@@ -213,46 +213,45 @@ module SAML2
213
213
  return errors
214
214
  end
215
215
 
216
- assertion ||= assertions.first
217
- unless assertion
216
+ if assertions.empty?
218
217
  errors << "no assertion found"
219
218
  return errors
220
219
  end
221
220
 
222
- # if we didn't previously check the assertion's signature (because it was encrypted)
223
- # check it now
224
- if assertion.signed? && !assertion_signed
225
- unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
226
- cert: certificates)).empty?
227
- return errors.concat(signature_errors)
221
+ assertions.each do |assertion|
222
+ assertion_signed = signed_assertions.include?(assertion.xml)
223
+ # if we didn't previously check the assertion's signature (because it was encrypted)
224
+ # check it now
225
+ if !response_signed && !assertion_signed
226
+ unless assertion.signed?
227
+ errors << "neither response nor assertion were signed"
228
+ return errors
229
+ end
230
+ unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
231
+ cert: certificates)).empty?
232
+ return errors.concat(signature_errors)
233
+ end
228
234
  end
229
235
 
230
- assertion_signed = true
231
- end
232
-
233
- # only do our own issue instant validation if the assertion
234
- # doesn't mandate any
235
- if !assertion.conditions&.not_on_or_after && (assertion.issue_instant + (5 * 60) < verification_time ||
236
- assertion.issue_instant - (5 * 60) > verification_time)
237
- errors << "assertion not recently issued"
238
- return errors
239
- end
236
+ # only do our own issue instant validation if the assertion
237
+ # doesn't mandate any
238
+ if !assertion.conditions&.not_on_or_after && (assertion.issue_instant + (5 * 60) < verification_time ||
239
+ assertion.issue_instant - (5 * 60) > verification_time)
240
+ errors << "assertion not recently issued"
241
+ return errors
242
+ end
240
243
 
241
- if assertion.conditions &&
242
- !(condition_errors = assertion.conditions.validate(
243
- verification_time:,
244
- audience: service_provider.entity_id,
245
- ignore_audience_condition:
246
- )).empty?
247
- return errors.concat(condition_errors)
248
- end
244
+ if assertion.conditions &&
245
+ !(condition_errors = assertion.conditions.validate(
246
+ verification_time:,
247
+ audience: service_provider.entity_id,
248
+ ignore_audience_condition:
249
+ )).empty?
250
+ return errors.concat(condition_errors)
251
+ end
249
252
 
250
- if !response_signed && !assertion_signed
251
- errors << "neither response nor assertion were signed"
252
- return errors
253
- end
253
+ next if sp.private_keys.empty?
254
254
 
255
- unless sp.private_keys.empty?
256
255
  begin
257
256
  decypted_anything = assertion.decrypt(&find_decryption_key)
258
257
  rescue XMLSec::DecryptionError
data/lib/saml2/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module SAML2
4
- VERSION = "3.2.3"
4
+ VERSION = "3.2.4"
5
5
  end
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: saml2
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.3
4
+ version: 3.2.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Cody Cutrer
8
8
  bindir: exe
9
9
  cert_chain: []
10
- date: 2025-07-16 00:00:00.000000000 Z
10
+ date: 2025-10-13 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: activesupport
@@ -158,7 +158,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
158
158
  - !ruby/object:Gem::Version
159
159
  version: '0'
160
160
  requirements: []
161
- rubygems_version: 3.6.2
161
+ rubygems_version: 3.6.3
162
162
  specification_version: 4
163
163
  summary: SAML 2.0 Library
164
164
  test_files: []