saml2 2.2.8 → 2.2.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c16820ad8709894d30598abdc66c7258eaaa4bcce559a3f540e898226ecad9b7
-  data.tar.gz: cb81f7ca257db3e1aa45896749961cfb0ab63473499d70614931b02de5a975cd
+  metadata.gz: 85079eef2484ac29ff4b22303b10fa1a08afdeab25c22bd0b3c610324945dabd
+  data.tar.gz: bb93d0ef57206e8ec3b773b742625c4e5d60f76f696be91786528b5845bef188
 SHA512:
-  metadata.gz: 9aacff1311c151b1f8e53d9e63f519b5ff4d21c9c664c22ffcaff42519d9e22530445f8f287c8ab797f0ae7df12aee9d35e9ca9539e782262b2ff4c940a0626a
-  data.tar.gz: f7287daba3d0a8d5671f109c30deb9dabce202cbe5b0e7d821c50fb09afbc7cbd056dadf43f2d7ef16582a6bf46b271caf14e131b1f622520e48b1bdaa78d26d
+  metadata.gz: 4c064cf43d5bd7feb0ecbf1070da413fbf8dcf19e2b5130aa8965367fbb194abf5565000b210fb6a9406c7b49d96e6de4ed613cb94227428a21585c7a35172e1
+  data.tar.gz: 113b16ec4a20b0af0d60ee9e114e35d1b658ebc259de1ce196d8494269096b2d40bfe2ea9d5a875f03972eb548ac01fc9d3856bc92d9db34cfaf7140dc80c0e1

data/lib/saml2/base.rb

@@ -33,18 +33,20 @@ module SAML2
 
     # Returns the XML of this object as a string.
     #
-    # If this object came from parsing XML, it will always return it with the
-    # same formatting as it was parsed.
-    #
     # @param pretty optional [true, false, nil]
     #   +true+ forces it to format it for easy reading. +nil+ will prefer to
     #   format it pretty, but won't if e.g. it has been signed, and pretty
-    #   formatting would break the signature.
+    #   formatting would break the signature. If this object came from parsing
+    #   XML, it will default to exactly what it was parsed as.
     # @return [String]
     def to_s(pretty: nil)
       pretty = @pretty if pretty.nil?
       if xml
-        xml.to_s
+        if pretty
+          xml.to_s
+        else
+          xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
+        end
       elsif pretty
         to_xml.to_s
       else

data/lib/saml2/entity.rb

@@ -169,7 +169,8 @@ module SAML2
     def valid_response?(message,
                         identity_provider,
                         verification_time: Time.now.utc,
-                        allow_expired_certificate: false)
+                        allow_expired_certificate: false,
+                        verify_certificate: true)
       unless message.is_a?(Response)
         message.errors << "not a Response object"
         return false
@@ -178,7 +179,8 @@ module SAML2
       message.validate(service_provider: self,
                        identity_provider: identity_provider,
                        verification_time: verification_time,
-                       allow_expired_certificate: allow_expired_certificate).empty?
+                       allow_expired_certificate: allow_expired_certificate,
+                       verify_certificate: verify_certificate).empty?
     end
   end
 end

data/lib/saml2/message.rb

@@ -125,12 +125,14 @@ module SAML2
     def validate_signature(fingerprint: nil,
                            cert: nil,
                            verification_time: issue_instant,
-                           allow_expired_certificate: false)
+                           allow_expired_certificate: false,
+                           verify_certificate: true)
       # verify the signature (certificate's validity) as of the time the message was generated
       super(fingerprint: fingerprint,
             cert: cert,
             verification_time: verification_time,
-            allow_expired_certificate: allow_expired_certificate)
+            allow_expired_certificate: allow_expired_certificate,
+            verify_certificate: verify_certificate)
     end
 
     # (see Signable#sign)

data/lib/saml2/response.rb

@@ -92,7 +92,8 @@ module SAML2
     def validate(service_provider:,
                  identity_provider:,
                  verification_time: Time.now.utc,
-                 allow_expired_certificate: false)
+                 allow_expired_certificate: false,
+                 verify_certificate: true)
       raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
       raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
 
@@ -125,7 +126,8 @@ module SAML2
       if signed?
         unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
                                                       cert: certificates,
-                                                      allow_expired_certificate: allow_expired_certificate)).empty?
+                                                      allow_expired_certificate: allow_expired_certificate,
+                                                      verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         response_signed = true
@@ -137,7 +139,8 @@ module SAML2
       if assertion&.signed?
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
                                                                 cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+                                                                allow_expired_certificate: allow_expired_certificate,
+                                                                verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true
@@ -194,7 +197,8 @@ module SAML2
       if assertion.signed? && !assertion_signed
         unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
                                                                 cert: certificates,
-                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+                                                                allow_expired_certificate: allow_expired_certificate,
+                                                                verify_certificate: verify_certificate)).empty?
           return errors.concat(signature_errors)
         end
         assertion_signed = true

data/lib/saml2/signable.rb

@@ -50,7 +50,8 @@ module SAML2
     def validate_signature(fingerprint: nil,
                            cert: nil,
                            verification_time: nil,
-                           allow_expired_certificate: false)
+                           allow_expired_certificate: false,
+                           verify_certificate: true)
       return ["not signed"] unless signed?
 
       certs = Array(cert)
@@ -63,7 +64,10 @@ module SAML2
       certs = certs.uniq
       return ["no trusted certificate found"] if certs.empty?
 
-      verify_certificate = true
+      if verify_certificate == false && signing_key&.certificate
+        key = signing_key.certificate.public_key.to_s
+      end
+
       if signing_key
         signing_cert = signing_key.certificate
         if allow_expired_certificate
@@ -81,9 +85,11 @@ module SAML2
           verify_certificate = false
         end
       end
+      certs = nil if key # we're using a key explicitly, ignoring the certs
 
       begin
-        result = signature.verify_with(certs: certs,
+        result = signature.verify_with(key: key,
+                                       certs: certs,
                                        verification_time: verification_time,
                                        verify_certificates: verify_certificate)
         result ? [] : ["signature is invalid"]

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '2.2.8'
+  VERSION = '2.2.9'
 end

data/spec/lib/response_spec.rb

@@ -278,6 +278,19 @@ module SAML2
         expect(response.errors).to eq []
       end
 
+      it "ignores invalid certificate when requested" do
+        response = Response.parse(fixture("test6-response.xml"))
+        sp_entity.entity_id = 'http://shard-2.canvas.dev/saml2'
+        idp_entity.entity_id = 'http://simplesamlphp.dev/simplesaml/saml2/idp/metadata.php'
+        idp_entity.identity_providers.first.keys.clear
+        idp_entity.identity_providers.first.fingerprints << "afe71c28ef740bc87425be13a2263d37971da1f9"
+
+        sp_entity.valid_response?(response, idp_entity,
+                                  verification_time: Time.parse("2014-09-16T22:15:53Z"),
+                                  verify_certificate: false)
+        expect(response.errors).to eq []
+      end
+
       it "doesn't break the signature by decrypting elements first" do
         response = Response.parse(fixture("response_with_signed_assertion_and_encrypted_subject.xml"))
         sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2015-02-12T22:51:30Z'))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.2.8
+  version: 2.2.9
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-12 00:00:00.000000000 Z
+date: 2018-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri