saml2 2.2.11 → 2.2.12
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/saml2/attribute.rb +7 -3
- data/lib/saml2/conditions.rb +5 -3
- data/lib/saml2/entity.rb +2 -6
- data/lib/saml2/response.rb +19 -3
- data/lib/saml2/version.rb +1 -1
- data/spec/lib/attribute_spec.rb +5 -2
- data/spec/lib/conditions_spec.rb +4 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 630f03aeb419e5d7ebae94ab4b809bf460be88903fdfdfe981d96dda990fbb5d
|
|
4
|
+
data.tar.gz: 2f17e8e081522cf5c7b2e8b5705bf600fd33fbc68e404203f865c442ffeea85c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cad2fd1128ddfa7d8522ca592f8a72b717554ef0d8cddd55b160183e0656df306bebadd0f19e3b131267f8100f1a80ca0956c2c9a78a7eb0e9ad195eb4b72edc
|
|
7
|
+
data.tar.gz: d38744fc8b083257306a25b7d3f2e1538313f7791e2667debac3e915499153699ee8af484d6aed2769dc51baffa35e03694759af7e5b32407b77e973b7c66bef
|
data/lib/saml2/attribute.rb
CHANGED
|
@@ -174,9 +174,13 @@ module SAML2
|
|
|
174
174
|
#
|
|
175
175
|
# Repeated attributes become an array.
|
|
176
176
|
#
|
|
177
|
-
# @param name optional [:name, :friendly_name]
|
|
178
|
-
# Which name field to use as keys to the hash
|
|
179
|
-
|
|
177
|
+
# @param name optional [:name, :friendly_name, :both]
|
|
178
|
+
# Which name field to use as keys to the hash. If :both
|
|
179
|
+
# is specified, attributes may be duplicated under both
|
|
180
|
+
# names.
|
|
181
|
+
def to_h(name = :both)
|
|
182
|
+
return to_h(:friendly_name).merge(to_h(:name)) if name == :both
|
|
183
|
+
|
|
180
184
|
result = {}
|
|
181
185
|
attributes.each do |attribute|
|
|
182
186
|
key = attribute.send(name)
|
data/lib/saml2/conditions.rb
CHANGED
|
@@ -46,10 +46,10 @@ module SAML2
|
|
|
46
46
|
def validate(verification_time: Time.now.utc, **options)
|
|
47
47
|
options[:verification_time] ||= verification_time
|
|
48
48
|
errors = []
|
|
49
|
-
if not_before && verification_time < not_before
|
|
49
|
+
if not_before && verification_time < not_before
|
|
50
50
|
errors << "not_before #{not_before} is later than now (#{verification_time})"
|
|
51
51
|
end
|
|
52
|
-
if not_on_or_after && verification_time >= not_on_or_after
|
|
52
|
+
if not_on_or_after && verification_time >= not_on_or_after
|
|
53
53
|
errors << "not_on_or_after #{not_on_or_after} is earlier than now (#{verification_time})"
|
|
54
54
|
end
|
|
55
55
|
|
|
@@ -109,7 +109,9 @@ module SAML2
|
|
|
109
109
|
end
|
|
110
110
|
|
|
111
111
|
# @param audience [String]
|
|
112
|
-
def validate(audience: nil, **_)
|
|
112
|
+
def validate(audience: nil, ignore_audience_condition: false, **_)
|
|
113
|
+
return [] if ignore_audience_condition
|
|
114
|
+
|
|
113
115
|
unless Array.wrap(self.audience).include?(audience)
|
|
114
116
|
return ["audience #{audience} not in allowed list of #{Array.wrap(self.audience).join(', ')}"]
|
|
115
117
|
end
|
data/lib/saml2/entity.rb
CHANGED
|
@@ -168,9 +168,7 @@ module SAML2
|
|
|
168
168
|
# @param identity_provider [Entity]
|
|
169
169
|
def valid_response?(message,
|
|
170
170
|
identity_provider,
|
|
171
|
-
|
|
172
|
-
allow_expired_certificate: false,
|
|
173
|
-
verify_certificate: true)
|
|
171
|
+
**opts)
|
|
174
172
|
unless message.is_a?(Response)
|
|
175
173
|
message.errors << "not a Response object"
|
|
176
174
|
return false
|
|
@@ -178,9 +176,7 @@ module SAML2
|
|
|
178
176
|
|
|
179
177
|
message.validate(service_provider: self,
|
|
180
178
|
identity_provider: identity_provider,
|
|
181
|
-
|
|
182
|
-
allow_expired_certificate: allow_expired_certificate,
|
|
183
|
-
verify_certificate: verify_certificate).empty?
|
|
179
|
+
**opts).empty?
|
|
184
180
|
end
|
|
185
181
|
end
|
|
186
182
|
end
|
data/lib/saml2/response.rb
CHANGED
|
@@ -89,11 +89,19 @@ module SAML2
|
|
|
89
89
|
# @param verification_time optional [DateTime]
|
|
90
90
|
# Validate timestamps (signing certificate validity, issued at, etc.) as of
|
|
91
91
|
# this point in time.
|
|
92
|
+
# @param allow_expired_certificate optional [true, false]
|
|
93
|
+
# Allow signing certificate to be expired.
|
|
94
|
+
# @param verify_certificate optional [true, false]
|
|
95
|
+
# Don't validate the trust chain or validity dates of the signing
|
|
96
|
+
# certificate.
|
|
97
|
+
# @param ignore_audience_condition optional [true, false]
|
|
98
|
+
# Don't validate any Audience conditions.
|
|
92
99
|
def validate(service_provider:,
|
|
93
100
|
identity_provider:,
|
|
94
|
-
verification_time:
|
|
101
|
+
verification_time: nil,
|
|
95
102
|
allow_expired_certificate: false,
|
|
96
|
-
verify_certificate: true
|
|
103
|
+
verify_certificate: true,
|
|
104
|
+
ignore_audience_condition: false)
|
|
97
105
|
raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
|
|
98
106
|
raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
|
|
99
107
|
|
|
@@ -101,6 +109,13 @@ module SAML2
|
|
|
101
109
|
super()
|
|
102
110
|
return errors unless errors.empty?
|
|
103
111
|
|
|
112
|
+
if verification_time.nil?
|
|
113
|
+
verification_time = Time.now.utc
|
|
114
|
+
# they issued it in the (near) future according to our clock;
|
|
115
|
+
# use their clock instead
|
|
116
|
+
verification_time = issue_instant if issue_instant > verification_time && issue_instant < verification_time + 5 * 60
|
|
117
|
+
end
|
|
118
|
+
|
|
104
119
|
# not finding the issuer is not exceptional
|
|
105
120
|
if identity_provider.nil?
|
|
106
121
|
errors << "could not find issuer of response"
|
|
@@ -216,7 +231,8 @@ module SAML2
|
|
|
216
231
|
|
|
217
232
|
if assertion.conditions &&
|
|
218
233
|
!(condition_errors = assertion.conditions.validate(verification_time: verification_time,
|
|
219
|
-
audience: service_provider.entity_id
|
|
234
|
+
audience: service_provider.entity_id,
|
|
235
|
+
ignore_audience_condition: ignore_audience_condition)).empty?
|
|
220
236
|
return errors.concat(condition_errors)
|
|
221
237
|
end
|
|
222
238
|
|
data/lib/saml2/version.rb
CHANGED
data/spec/lib/attribute_spec.rb
CHANGED
|
@@ -111,13 +111,16 @@ XML
|
|
|
111
111
|
describe "#to_h" do
|
|
112
112
|
it "works" do
|
|
113
113
|
attr_statement = Response.parse(fixture("response_with_attribute_signed.xml")).assertions.first.attribute_statements.first
|
|
114
|
-
expect(attr_statement.to_h).to eq('givenName' => 'cody')
|
|
114
|
+
expect(attr_statement.to_h(:friendly_name)).to eq('givenName' => 'cody')
|
|
115
115
|
expect(attr_statement.to_h(:name)).to eq("urn:oid:2.5.4.42" => 'cody')
|
|
116
|
+
expect(attr_statement.to_h(:both)).to eq('givenName' => 'cody', "urn:oid:2.5.4.42" => 'cody')
|
|
116
117
|
end
|
|
117
118
|
|
|
118
119
|
it "infers friendly names if possible" do
|
|
119
120
|
attr_statement = Response.parse(fixture("test3-response.xml")).assertions.first.attribute_statements.first
|
|
120
121
|
expect(attr_statement.to_h).to eq({
|
|
122
|
+
'urn:oid:1.3.6.1.4.1.5923.1.1.1.1' => 'member',
|
|
123
|
+
'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'student@example.edu',
|
|
121
124
|
'eduPersonAffiliation' => 'member',
|
|
122
125
|
'eduPersonPrincipalName' => 'student@example.edu'})
|
|
123
126
|
end
|
|
@@ -135,7 +138,7 @@ XML
|
|
|
135
138
|
</saml2:AttributeStatement>
|
|
136
139
|
XML
|
|
137
140
|
|
|
138
|
-
expect(attr_statement.to_h).to eq({
|
|
141
|
+
expect(attr_statement.to_h(:friendly_name)).to eq({
|
|
139
142
|
'eduPersonScopedAffiliation' => ['02', 'employee@school.edu', 'students@school.edu']
|
|
140
143
|
})
|
|
141
144
|
end
|
data/spec/lib/conditions_spec.rb
CHANGED
|
@@ -64,5 +64,9 @@ module SAML2
|
|
|
64
64
|
it "should be valid with an array" do
|
|
65
65
|
expect(Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual')).to eq true
|
|
66
66
|
end
|
|
67
|
+
|
|
68
|
+
it "is valid when ignored" do
|
|
69
|
+
expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual', ignore_audience_condition: true)).to eq true
|
|
70
|
+
end
|
|
67
71
|
end
|
|
68
72
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: saml2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.12
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cody Cutrer
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: nokogiri
|