saml2 3.0.5 → 3.0.6
- checksums.yaml +4 -4
- data/lib/saml2/signable.rb +10 -1
- data/lib/saml2/version.rb +1 -1
- data/spec/fixtures/response_without_keyinfo.xml +1 -0
- data/spec/lib/response_spec.rb +14 -0
- metadata +7 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f16f668d04893f2d399e46312ead9237cc6cce6ed941d3155478750e71ef5b1e
|
4
|
+
data.tar.gz: 5a437fcdc952cfc1c3e42a15ddcfbb101dd6f5eb5b5a947ced98d6f6ecf5dc9d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 77229a603dc7ae1c8042670f787c443cbe9966a3be4bd91b6b415e4625a92e06118145f82c34627ae16b1959b407a014b7e4a2f592470b9f8283430242b5d49c
|
7
|
+
data.tar.gz: 5521fdac42cb4cd5207171a1164532fb203ac9b3f03bb22c7f703703296b75160535f9be4e74bfcd600f966b7055fba09ffe42e48d282e96fb55ac39ab1d1d5d
|
data/lib/saml2/signable.rb
CHANGED
@@ -25,7 +25,11 @@ module SAML2
|
|
25
25
|
|
26
26
|
# @return [KeyInfo, nil]
|
27
27
|
def signing_key
|
28
|
-
|
28
|
+
unless instance_variable_defined?(:@signing_key)
|
29
|
+
# don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
|
30
|
+
@signing_key = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL) ? KeyInfo.from_xml(signature) : nil
|
31
|
+
end
|
32
|
+
@signing_key
|
29
33
|
end
|
30
34
|
|
31
35
|
def signed?
|
@@ -70,6 +74,11 @@ module SAML2
|
|
70
74
|
if signing_key&.certificate && trusted_keys.include?(signing_key.certificate.public_key.to_s)
|
71
75
|
key ||= signing_key.certificate.public_key.to_s
|
72
76
|
end
|
77
|
+
# signature doesn't say who signed it. hope and pray it's with the only certificate
|
78
|
+
# we know about
|
79
|
+
if signing_key.nil? && key.nil? && trusted_keys.length == 1
|
80
|
+
key = trusted_keys.first
|
81
|
+
end
|
73
82
|
|
74
83
|
return ["no trusted signing key found"] if key.nil?
|
75
84
|
|
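Review bot: The single-trusted-key fallback at new lines 79–81 is gated on `trusted_keys.length == 1`, so a trusted-key list that happens to hold the same certificate twice would still fail with "no trusted signing key found" instead of using it; if that list can contain duplicates, `trusted_keys.uniq.length == 1` states the intent more precisely. The comment above the fallback would serve a future maintainer better as a statement of the contract than as "hope and pray", e.g. `# No KeyInfo in the signature: when exactly one trusted key is configured, use it as the candidate. Verification below still fails if the signature was not made with that key.` — assuming the verification that follows the hunk uses `key`, this makes clear that the fallback selects a candidate rather than relaxing the check. In the first hunk, `signing_key` now caches a nil result via `instance_variable_defined?`, so the `@return [KeyInfo, nil]` doc could add that the absence of KeyInfo is memoized for the object's lifetime. The method containing the second hunk begins and ends outside the hunk.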
data/lib/saml2/version.rb
CHANGED
@@ -0,0 +1 @@
|
|
1
|
+
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://unimelb-dev.instructure.com/login/saml" ID="id-J6KP4S6zcZo--edsB5AoLxEH5D4Cg-HOmMyXoKfS" InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion ID="id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0" IssueInstant="2019-04-16T00:56:03Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://authidm3tst.unimelb.edu.au:443/oam/fed</saml:Issuer><dsig:Signature><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><dsig:Reference URI="#id-VblIU1IaOQeozLC8VrLuy7W69gPE6aiTyJ7RZY-0"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><dsig:DigestValue>RI8Jkujs/MZXzrxDB7di3623VF8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>hb2bSG3yiS2Bcp6/NM4ecK1cr74wJZJePhVlDjj65u/KpVCtohSBQESFKGupvzZhqQQuytMAaf+LpiL/5CW5CoC4XGpIIXhPE1dKXbE4IdoGplKyvp8ErpggmWuPS+HgU71p2sU9yGOv+WsWLMe/TdJMeWhyr8lnbJgKpUAD+Yo=</dsig:SignatureValue></dsig:Signature><saml:Subject><saml:NameID 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="_b29345d0-d7cb-4b22-a199-d32183fdc8c8" NotOnOrAfter="2019-04-16T01:01:03Z" Recipient="https://unimelb-dev.instructure.com/login/saml"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2019-04-16T00:56:03Z" NotOnOrAfter="2019-04-16T01:01:03Z"><saml:AudienceRestriction><saml:Audience>http://unimelb-dev.instructure.com/saml2</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2019-04-16T00:49:28Z" SessionIndex="id-Bp2VqFk32RxqG9IDwQakoI-Oei-vWPxk8uZppqIU" SessionNotOnOrAfter="2019-04-16T01:56:03Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">testuserint.sso@staff.oimtest.unimelb.edu.au</saml:AttributeValue></saml:Attribute><saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Test User Int</saml:AttributeValue></saml:Attribute><saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">sso</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
|
data/spec/lib/response_spec.rb
CHANGED
@@ -258,6 +258,20 @@ module SAML2
|
|
258
258
|
expect(response.errors).to eq []
|
259
259
|
expect(response.assertions.first.subject.name_id.id).to eq 'jacob'
|
260
260
|
end
|
261
|
+
|
262
|
+
it "allows signatures that don't include KeyInfo, if we have a full cert" do
|
263
|
+
response = Response.parse(fixture("response_without_keyinfo.xml"))
|
264
|
+
sp_entity.entity_id = 'http://unimelb-dev.instructure.com/saml2'
|
265
|
+
idp_entity.entity_id = 'https://authidm3tst.unimelb.edu.au:443/oam/fed'
|
266
|
+
idp_entity.identity_providers.first.keys.clear
|
267
|
+
idp_entity.identity_providers.first.keys << KeyDescriptor.new(<<-CERTIFICATE)
|
268
|
+
MIIB/jCCAWegAwIBAgIBCjANBgkqhkiG9w0BAQQFADAkMSIwIAYDVQQDExlhZGRlcjEuaXRzLnVuaW1lbGIuZWR1LmF1MB4XDTE3MDUyMjA2MzQzOFoXDTI3MDUyMDA2MzQzOFowJDEiMCAGA1UEAxMZYWRkZXIxLml0cy51bmltZWxiLmVkdS5hdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjJgoa5bPS+Jukq2vNaMwZ39L3IhAg6oOytz+bgOhmF+o5zYARbFqC67faa/rMSkfQwYIpp/MdsC8XHtHeR6HCJjbuPkH/EooHiREOClTI0EKZvI2Xv/DqexxEegRPxXiwPUEPozGGT1yWtSwkQTvRvA9tMpZl3yLg1LhDOP6s6MCAwEAAaNAMD4wDAYDVR0TAQH/BAIwADAPBgNVHQ8BAf8EBQMDB9gAMB0GA1UdDgQWBBRukBh7J1okLMIfSRpzF5opuj0LizANBgkqhkiG9w0BAQQFAAOBgQB0zySVaypIGRksTwpmjaQhMvNrYWGvj74Rs1iuqOdsEQkpgk5dQKRFiAFEr+6b7WN4k+IAH5S++l1R0bUG6k9HFSn7uy7AD+qZcdoUm9a39brtH2kefs0D3bQfrwkqggAtWKwqfU4r7nAcdtVE+CT3cny5QU2/mJav9W9bzFPMXQ==
|
269
|
+
CERTIFICATE
|
270
|
+
|
271
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: Time.parse('2019-04-16T00:56:03Z'))
|
272
|
+
expect(response.errors).to eq []
|
273
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
|
274
|
+
end
|
261
275
|
end
|
262
276
|
end
|
263
277
|
end
|
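Review bot: The new example at lines 262–274 only covers the success path of the KeyInfo-less fallback; a companion example where the single configured certificate is not the signer, or where two certificates are configured, would pin down that `valid_response?` still reports an error rather than trusting the response, which is the security-relevant property of the change. The example mutates `idp_entity.identity_providers.first.keys` in place, which is fine if `idp_entity` is rebuilt per example but would leak into later examples if it is shared — I can't tell from the hunk. The `<<-CERTIFICATE` heredoc keeps the PEM body's leading indentation; `<<~CERTIFICATE` would strip it if the certificate parsing does not rely on it. The enclosing `describe` block begins outside the hunk.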
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: saml2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.0.
|
4
|
+
version: 3.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Cody Cutrer
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-04-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: nokogiri
|
@@ -76,14 +76,14 @@ dependencies:
|
|
76
76
|
requirements:
|
77
77
|
- - "~>"
|
78
78
|
- !ruby/object:Gem::Version
|
79
|
-
version: '
|
79
|
+
version: '10.0'
|
80
80
|
type: :development
|
81
81
|
prerelease: false
|
82
82
|
version_requirements: !ruby/object:Gem::Requirement
|
83
83
|
requirements:
|
84
84
|
- - "~>"
|
85
85
|
- !ruby/object:Gem::Version
|
86
|
-
version: '
|
86
|
+
version: '10.0'
|
87
87
|
- !ruby/object:Gem::Dependency
|
88
88
|
name: rake
|
89
89
|
requirement: !ruby/object:Gem::Requirement
|
@@ -195,6 +195,7 @@ files:
|
|
195
195
|
- spec/fixtures/response_with_attribute_signed.xml
|
196
196
|
- spec/fixtures/response_with_encrypted_assertion.xml
|
197
197
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
198
|
+
- spec/fixtures/response_without_keyinfo.xml
|
198
199
|
- spec/fixtures/service_provider.xml
|
199
200
|
- spec/fixtures/test3-response.xml
|
200
201
|
- spec/fixtures/test6-response.xml
|
@@ -238,7 +239,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
238
239
|
- !ruby/object:Gem::Version
|
239
240
|
version: '0'
|
240
241
|
requirements: []
|
241
|
-
rubygems_version: 3.0.
|
242
|
+
rubygems_version: 3.0.3
|
242
243
|
signing_key:
|
243
244
|
specification_version: 4
|
244
245
|
summary: SAML 2.0 Library
|
@@ -269,6 +270,7 @@ test_files:
|
|
269
270
|
- spec/fixtures/noconditions_response.xml
|
270
271
|
- spec/fixtures/entities.xml
|
271
272
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
273
|
+
- spec/fixtures/response_without_keyinfo.xml
|
272
274
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|
273
275
|
- spec/fixtures/othercertificate.pem
|
274
276
|
- spec/fixtures/xslt-transform-response.xml
|