saml2 3.0.8 → 3.0.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/saml2/response.rb +2 -0
- data/lib/saml2/service_provider.rb +2 -0
- data/lib/saml2/signable.rb +5 -5
- data/lib/saml2/version.rb +1 -1
- data/spec/fixtures/identity_provider.xml +1 -1
- data/spec/fixtures/response_assertion_signed_reffed_from_response.xml +6 -0
- data/spec/fixtures/service_provider.xml +1 -1
- data/spec/lib/identity_provider_spec.rb +4 -0
- data/spec/lib/response_spec.rb +14 -0
- data/spec/lib/service_provider_spec.rb +5 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e79b5758bcfa9266dee58f147e91dcf6293f42ff5221ac580b16bb3400711fa3
|
|
4
|
+
data.tar.gz: a666e3fd9f1907b57531d22508097ab586b769f88bf71c61e99649b0863dcca0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a5c8926ed6cbbfc076cab1f6456cdbab8bf3763b9e391e5baae1ad705aa2e67c5157440c0ec2953717f6bcf0498a5b12c1264d0246b28b35a4c49bcbafff66e1
|
|
7
|
+
data.tar.gz: 616681f8b76ba72127542516c34dde7505605b7ce88ea1dc783bc3ee3dc7e61c7be426d7680b3dedf071c300962387da796ea1d76c9039fd85cbe0367229a73e
|
data/lib/saml2/response.rb
CHANGED
|
@@ -13,6 +13,8 @@ module SAML2
|
|
|
13
13
|
attr_reader :assertions
|
|
14
14
|
|
|
15
15
|
# Respond to an {AuthnRequest}
|
|
16
|
+
#
|
|
17
|
+
# {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
|
|
16
18
|
# @param authn_request [AuthnRequest]
|
|
17
19
|
# @param issuer [NameID]
|
|
18
20
|
# @param name_id [NameID] The Subject
|
data/lib/saml2/signable.rb
CHANGED
|
@@ -7,16 +7,16 @@ module SAML2
|
|
|
7
7
|
# @return [Nokogiri::XML::Element, nil]
|
|
8
8
|
def signature
|
|
9
9
|
unless instance_variable_defined?(:@signature)
|
|
10
|
-
@signature = xml.
|
|
11
|
-
|
|
12
|
-
signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
|
|
10
|
+
@signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
|
|
11
|
+
signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
|
|
13
12
|
if signed_node == ''
|
|
14
|
-
|
|
13
|
+
true if xml == xml.document.root
|
|
15
14
|
elsif signed_node != "##{xml['ID']}"
|
|
16
|
-
|
|
15
|
+
false
|
|
17
16
|
else
|
|
18
17
|
# validating the schema will automatically add ID attributes, so check that first
|
|
19
18
|
xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
|
|
19
|
+
true
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
22
|
end
|
data/lib/saml2/version.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<?xml version="1.0"?>
|
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.school.edu/idp/shibboleth">
|
|
3
|
-
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
|
3
|
+
<IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
|
|
4
4
|
<KeyDescriptor use="signing">
|
|
5
5
|
<ds:KeyInfo>
|
|
6
6
|
<ds:X509Data>
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
<samlp:Response ID="eppcgfbmldefddomokfgiljnkflhppmoflakahld" IssueInstant="2020-08-11T18:19:49Z" Destination="https://wscc.instructure.com/login/saml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>cyBkaF5MxEOSX9hLm0g/BWMJpQA=</DigestValue></Reference></SignedInfo><SignatureValue>BqXuyorfBboZI3sSSi4PC3GnJMKyLSQ/897M1RYmgVHx8Pbg1ANy75mpjRQQxGOIz/nSTh6eTPkkFEAT34nhxBSd+JfHof0RfLl/lBI1klSmpi/YoHCKLdVt+iwAemmBNw5Rxw59EepgrbcVtgjsjWISdvMyY7Wqb3nyJDwTGWw=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>yPxoJ9DLOTzn9j91xlqGTX/8Hs5hxjImPalS9qTOc6BYJgXSC7HtxBLMc0usJG58/OaHgWFlaDi4HSBlZe2vLzecaWL1HYxJtW6s+UpD5i+uoxGTPM1ITNlZudGQblh3XTUESrPUZVwSt1N+Vqd4AUHux0E078meTqj9+EMcgsk=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue><X509Data><X509Certificate>MIIB4TCCAU6gAwIBAgIQhv64tDcg/45BI6qmDbJfKDAJBgUrDgMCHQUAMA8xDTALBgNVBAMTBFRFU1QwIBcNMjAwMTI3MTkxNzMxWhgPMjA4MDEyMzEwNTAwMDBaMA8xDTALBgNVBAMTBFRFU1QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMj8aCfQyzk85/Y/dcZahk1//B7OYcYyJj2pUvakznOgWCYF0gux7cQSzHNLrCRufPzmh4FhZWg4uB0gZWXtry83nGli9R2MSbVurPlKQ+YvrqMRkzzNSEzZWbnRkG5Yd101BEqz1GVcErdTflaneAFB7sdBNO/Jnk6o/fhDHILJAgMBAAGjRDBCMEAGA1UdAQQ5MDeAEFm8dl7/zBigioh82gZb6WGhETAPMQ0wCwYDVQQDEwRURVNUghCG/ri0NyD/jkEjqqYNsl8oMAkGBSsOAwIdBQADgYEAotOROUrAiZr7oA3iaZLxq+B6sN+JdWSBquvDUzaMgIWRvUBZPqmOKpXK0+XSLXChgklpVXBXAo78Juy0zza/ZAMyGPbYlSZSME6GlApjp8hi6wi0ti/usi/D8SQSJ9ephwz2JAvI5WP16PzIruYUlf3uI72hKT0NW8Pl3PhT8z8=</X509Certificate></X509Data></KeyInfo></Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="enmnbnkdhfhnbjeifihomffcoanmnjdaocnhgnhc" IssueInstant="2020-08-11T18:19:49Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>
|
|
2
|
+
https://my.wscc.edu/idp
|
|
3
|
+
</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">narnold@wscc.edu</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData Recipient="" NotOnOrAfter="2020-08-11T18:29:49Z" InResponseTo="_bd878908-34c0-4e6e-b429-90cc8bfae27c" /></SubjectConfirmation></Subject><Conditions NotBefore="2020-08-11T18:14:49Z" NotOnOrAfter="2020-08-11T18:29:49Z"><AudienceRestriction><Audience>http://wscc.instructure.com/saml2</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="email"><AttributeValue>narnold@wscc.edu</AttributeValue></Attribute><Attribute Name="display_name"><AttributeValue>Nicholas Arnold</AttributeValue></Attribute><Attribute Name="given_name"><AttributeValue>Nicholas</AttributeValue></Attribute><Attribute Name="integration_id"><AttributeValue>Ed18RSTYO0ivqnZuzQPehQ==</AttributeValue></Attribute><Attribute Name="sis_user_id"><AttributeValue>0097365</AttributeValue></Attribute><Attribute Name="sortable_name"><AttributeValue>Arnold, Nicholas</AttributeValue></Attribute><Attribute Name="surname"><AttributeValue>Arnold</AttributeValue></Attribute><Attribute Name="time_zone"><AttributeValue>US/Eastern</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2020-08-11T18:19:49Z"><AuthnContext><AuthnContextClassRef>
|
|
4
|
+
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
|
|
5
|
+
</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
|
|
6
|
+
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
<?xml version="1.0"?>
|
|
2
2
|
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
|
|
3
|
-
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
3
|
+
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
|
4
4
|
|
|
5
5
|
<KeyDescriptor use="encryption">
|
|
6
6
|
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
|
|
@@ -32,6 +32,10 @@ module SAML2
|
|
|
32
32
|
it "should find the signing certificate" do
|
|
33
33
|
expect(idp.keys.first.x509).to match(/MIIE8TCCA9mgAwIBAgIJAITusxON60cKMA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD/)
|
|
34
34
|
end
|
|
35
|
+
|
|
36
|
+
it "loads identity provider attributes" do
|
|
37
|
+
expect(idp.want_authn_requests_signed?).to be_truthy
|
|
38
|
+
end
|
|
35
39
|
end
|
|
36
40
|
end
|
|
37
41
|
end
|
data/spec/lib/response_spec.rb
CHANGED
|
@@ -272,6 +272,20 @@ MIIB/jCCAWegAwIBAgIBCjANBgkqhkiG9w0BAQQFADAkMSIwIAYDVQQDExlhZGRlcjEuaXRzLnVuaW1l
|
|
|
272
272
|
expect(response.errors).to eq []
|
|
273
273
|
expect(response.assertions.first.subject.name_id.id).to eq 'testuserint.sso@staff.oimtest.unimelb.edu.au'
|
|
274
274
|
end
|
|
275
|
+
|
|
276
|
+
it "finds signatures the sign the assertion, not inside the assertion" do
|
|
277
|
+
response = Response.parse(fixture("response_assertion_signed_reffed_from_response.xml"))
|
|
278
|
+
sp_entity.entity_id = 'http://wscc.instructure.com/saml2'
|
|
279
|
+
idp_entity.entity_id = 'https://my.wscc.edu/idp'
|
|
280
|
+
idp_entity.identity_providers.first.keys.clear
|
|
281
|
+
idp_entity.identity_providers.first.fingerprints << "c4f473274116a3cbc295c3abf77c7ed1ade9b904"
|
|
282
|
+
|
|
283
|
+
sp_entity.valid_response?(response, idp_entity, verification_time: response.issue_instant)
|
|
284
|
+
expect(response.errors).to eq []
|
|
285
|
+
expect(response.assertions.first.subject.name_id.id).to eq 'narnold@wscc.edu'
|
|
286
|
+
expect(response).not_to be_signed
|
|
287
|
+
expect(response.assertions.first).to be_signed
|
|
288
|
+
end
|
|
275
289
|
end
|
|
276
290
|
end
|
|
277
291
|
end
|
|
@@ -64,6 +64,11 @@ module SAML2
|
|
|
64
64
|
expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
|
|
65
65
|
expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
|
|
66
66
|
end
|
|
67
|
+
|
|
68
|
+
it "loads service provider attributes" do
|
|
69
|
+
expect(sp.authn_requests_signed?).to be_truthy
|
|
70
|
+
expect(sp.want_assertions_signed?).to be_truthy
|
|
71
|
+
end
|
|
67
72
|
end
|
|
68
73
|
end
|
|
69
74
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: saml2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.0.
|
|
4
|
+
version: 3.0.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Cody Cutrer
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-08-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: nokogiri
|
|
@@ -191,6 +191,7 @@ files:
|
|
|
191
191
|
- spec/fixtures/noconditions_response.xml
|
|
192
192
|
- spec/fixtures/othercertificate.pem
|
|
193
193
|
- spec/fixtures/privatekey.key
|
|
194
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
|
194
195
|
- spec/fixtures/response_signed.xml
|
|
195
196
|
- spec/fixtures/response_tampered_certificate.xml
|
|
196
197
|
- spec/fixtures/response_tampered_signature.xml
|
|
@@ -271,6 +272,7 @@ test_files:
|
|
|
271
272
|
- spec/fixtures/certificate.pem
|
|
272
273
|
- spec/fixtures/noconditions_response.xml
|
|
273
274
|
- spec/fixtures/entities.xml
|
|
275
|
+
- spec/fixtures/response_assertion_signed_reffed_from_response.xml
|
|
274
276
|
- spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml
|
|
275
277
|
- spec/fixtures/response_without_keyinfo.xml
|
|
276
278
|
- spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml
|