saml2 2.2.3 → 2.2.4
- checksums.yaml +4 -4
- data/lib/saml2/assertion.rb +6 -3
- data/lib/saml2/conditions.rb +1 -0
- data/lib/saml2/response.rb +4 -3
- data/lib/saml2/version.rb +1 -1
- data/spec/fixtures/noconditions_response.xml +1 -0
- data/spec/lib/response_spec.rb +5 -0
- metadata +4 -2
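--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9ddfa80997c8cd9e463d41bd14dfd213653d1b20b4b65ef9d65e4e01023d7d51
+data.tar.gz: 0afbd8222cf2f7450983780c013892a46525f0bf1db118e7e6cc11f15675b4c0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0b69c37f7f9df28d7776a388dd6e3382868941d4d2130e0e0842feae7194dfad7e8bdf21c87130d23ac14baffdcb8662a56147eb82e8cf979fb3f4f1c255ce39
+data.tar.gz: 31dd8a893d188aaed40b997f80a2298c22cceee3280907f158e92485a43c6aa487ec43643afb3e9c2c61835aeb849f2199924d37ad90b615b36eee62ec1b88d3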
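--- a/data/lib/saml2/assertion.rb
+++ b/data/lib/saml2/assertion.rb
@@ -14,8 +14,8 @@ module SAML2
 
 def from_xml(node)
 super
-@conditions = nil
 @statements = nil
+remove_instance_variable(:@conditions)
 end
 
 # @return [Subject, nil]
@@ -28,7 +28,10 @@ module SAML2
 
 # @return [Conditions]
 def conditions
-
+if !instance_variable_defined?(:@conditions) && xml
+@conditions = Conditions.from_xml(xml.at_xpath('saml:Conditions', Namespaces::ALL))
+end
+@conditions
 end
 
 # @return [Array<AuthnStatement]
@@ -55,7 +58,7 @@ module SAML2
 
 subject.build(assertion)
 
-conditions.build(assertion)
+conditions.build(assertion) if conditions
 
 statements.each { |stmt| stmt.build(assertion) }
 end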
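Review bot: `remove_instance_variable(:@conditions)` in from_xml raises NameError when @conditions has never been assigned, and nothing in the hunk shows it being set before this call; the old `@conditions = nil` had no such failure mode. Unless the constructor (outside these hunks) is known to initialize it, guard the call: `remove_instance_variable(:@conditions) if instance_variable_defined?(:@conditions)`. The `conditions` reader in the second hunk deliberately caches a nil result by testing instance_variable_defined? rather than the ivar's truthiness, which deserves a one-line comment such as `# nil is a legitimate cached value: the assertion carries no saml:Conditions`. The enclosing class starts outside the hunks.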
data/lib/saml2/conditions.rb
CHANGED
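--- a/data/lib/saml2/response.rb
+++ b/data/lib/saml2/response.rb
@@ -185,7 +185,7 @@ module SAML2
 
 # only do our own issue instant validation if the assertion
 # doesn't mandate any
-unless assertion.conditions
+unless assertion.conditions&.not_on_or_after
 if assertion.issue_instant + 5 * 60 < verification_time ||
 assertion.issue_instant - 5 * 60 > verification_time
 errors << "assertion not recently issued"
@@ -193,8 +193,9 @@ module SAML2
 end
 end
 
-
-
+if assertion.conditions &&
+!(condition_errors = assertion.conditions.validate(verification_time: verification_time,
+audience: service_provider.entity_id)).empty?
 return errors.concat(condition_errors)
 end
 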
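Review bot: With the second hunk, an assertion that carries no saml:Conditions skips `conditions.validate` entirely, so whatever that method enforces (the audience passed as `service_provider.entity_id`, and presumably the validity window) is never checked for it and the only time-based check left is the ±5 minute issue-instant window from the first hunk; that follows the schema, where Conditions is optional, but it should be stated next to the `if assertion.conditions &&` line so the next reader does not take it for an oversight. The assignment to `condition_errors` buried inside a negated, three-line condition is also hard to read; pulling it out into its own statement keeps the same behaviour and makes the early return obvious. The enclosing method starts outside the hunks.
```ruby
# No Conditions element means there is no audience or validity-window
# restriction to enforce here; the issue-instant check above still applies.
if assertion.conditions
  condition_errors = assertion.conditions.validate(verification_time: verification_time,
                                                   audience: service_provider.entity_id)
  return errors.concat(condition_errors) unless condition_errors.empty?
end
```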
data/lib/saml2/version.rb
CHANGED
@@ -0,0 +1 @@
|
|
1
|
+
<samlp:Response ID="_8BE49FED716A72AC7F522E48FB0AAD60" Version="2.0" IssueInstant="2018-06-02T17:10:55.181Z" Destination="https://school.instructure.com/login/saml" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://login.school.org:9000/SSO/CanvasIndex</saml:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#_8BE49FED716A72AC7F522E48FB0AAD60"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces PrefixList="#default samlp saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>JLUChoHqec/YsCvAbA5IyZec+SI=</DigestValue></Reference></SignedInfo><SignatureValue>Zyz2cx4zwPXZrIJS0Tviio41F13yqRAlCGZQN6attC9w/vUf+l0dDinWP0cIpmKTSTxm0ZvwQsxb1hOhHNMVmgl1enKxAS51vSn1UDLLAwumlv3+hb0PBNkOrdfgxXXNUPJvJokBMGvEQl5Iy2YRQUlmpY49NfLIWfbgI55YqGg=</SignatureValue><KeyInfo><X509Data><X509Certificate></X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><saml:Assertion Version="2.0" ID="_7B628E4F6D162193D406C05E2BF19920" IssueInstant="2018-06-02T17:10:55.181Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Issuer>https://login.school.org:9000/SSO/CanvasIndex</saml:Issuer><saml:Subject><saml:NameID>user@school.edu</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2028-06-02T10:10:55.181Z" Recipient="https://school.instructure.com/login/saml" /></saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement 
AuthnInstant="2018-06-02T17:10:55.181Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>
|
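--- a/data/spec/lib/response_spec.rb
+++ b/data/spec/lib/response_spec.rb
@@ -109,6 +109,11 @@ module SAML2
 expect(response.assertions.first.subject.name_id.id).to eq 'testuser@example.com'
 end
 
+it "doesn't choke on missing Conditions" do
+response = Response.parse(fixture("noconditions_response.xml"))
+expect(response.assertions.first.conditions).to eq nil
+end
+
 describe "#validate" do
 let (:idp_entity) do
 idp_entity = Entity.new("issuer")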
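Review bot: The new example only asserts that `conditions` is nil for the noconditions fixture; it never calls `validate`, so the behaviour response.rb now has for that case (falling back to the issue-instant window and skipping Conditions validation) is not exercised by any spec in this change. A second example under the `#validate` describe that parses the same fixture and checks the returned errors would pin it; since the fixture's IssueInstant is 2018-06-02T17:10:55.181Z, that example would have to supply a verification time near that instant (presumably through validate's `verification_time`) or it would report "assertion not recently issued". The describe block that contains the new example starts outside the hunk.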
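--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-version: 2.2.
+version: 2.2.4
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -186,6 +186,7 @@ files:
 - spec/fixtures/entities.xml
 - spec/fixtures/external-uri-reference-response.xml
 - spec/fixtures/identity_provider.xml
+- spec/fixtures/noconditions_response.xml
 - spec/fixtures/othercertificate.pem
 - spec/fixtures/privatekey.key
 - spec/fixtures/response_signed.xml
@@ -263,6 +264,7 @@ test_files:
 - spec/fixtures/response_tampered_signature.xml
 - spec/fixtures/xml_missigned_assertion.xml
 - spec/fixtures/certificate.pem
+- spec/fixtures/noconditions_response.xml
 - spec/fixtures/entities.xml
 - spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
 - spec/fixtures/othercertificate.pem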