samlr 2.0.4 → 2.1.0
- checksums.yaml +4 -4
- data/README.md +1 -0
- data/lib/samlr/response.rb +1 -1
- data/lib/samlr/signature.rb +8 -4
- data/lib/samlr/tools/response_builder.rb +4 -2
- data/samlr.gemspec +1 -1
- data/test/unit/test_response_scenarios.rb +16 -1
- data/test/unit/test_signature.rb +3 -3
- metadata +2 -3
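--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: aa55b3484fd8e8dd43b93e1143b624040e15f0c3
+data.tar.gz: 3696af964c60dbe42ed471ad8b815784e8ff5fc9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7d2197f6871a43e2d2b494710b6e728ac2da02f40581be76a1e661662b3dcb912ba80db082d42b81dda2a8d83eb0200d958863caba0243587532b73cd62df69a
+data.tar.gz: 0f96bf4a8c71de4372005b7f13fb054ea6c63cd6e4a9e913f8b10aaaa8e81cd0fa38ef76d24e12a00072ac4530e1e66e1265eefcb417b4f572d52ae93e965a32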
data/README.md
CHANGED
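--- a/data/lib/samlr/response.rb
+++ b/data/lib/samlr/response.rb
@@ -19,7 +19,7 @@ module Samlr
 # is destructive the document needs to verify itself first, and then any signed assertions
 def verify!
 if signature.missing? && assertion.signature.missing?
-raise Samlr::SignatureError.new("Neither response nor assertion signed")
+raise Samlr::SignatureError.new("Neither response nor assertion signed with a certificate")
 end
 
 signature.verify! unless signature.missing?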
data/lib/samlr/signature.rb
CHANGED
@@ -32,7 +32,7 @@ module Samlr
|
|
32
32
|
end
|
33
33
|
|
34
34
|
def missing?
|
35
|
-
signature.nil?
|
35
|
+
signature.nil? || certificate.nil?
|
36
36
|
end
|
37
37
|
|
38
38
|
def verify!
|
@@ -56,12 +56,12 @@ module Samlr
|
|
56
56
|
private
|
57
57
|
|
58
58
|
def x509
|
59
|
-
@x509 ||= certificate
|
59
|
+
@x509 ||= certificate!.x509
|
60
60
|
end
|
61
61
|
|
62
62
|
# Establishes trust that the remote party is who you think
|
63
63
|
def verify_fingerprint!
|
64
|
-
fingerprint.compare!(certificate
|
64
|
+
fingerprint.compare!(certificate!.fingerprint)
|
65
65
|
end
|
66
66
|
|
67
67
|
# Tests that the document content has not been edited
|
@@ -117,11 +117,15 @@ module Samlr
|
|
117
117
|
elsif cert = options[:certificate]
|
118
118
|
Certificate.new(cert)
|
119
119
|
else
|
120
|
-
|
120
|
+
nil
|
121
121
|
end
|
122
122
|
end
|
123
123
|
end
|
124
124
|
|
125
|
+
def certificate!
|
126
|
+
certificate || raise(SignatureError.new("No X509Certificate element in response signature. Cannot validate signature."))
|
127
|
+
end
|
128
|
+
|
125
129
|
def certificate_node
|
126
130
|
signature.at("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS_MAP)
|
127
131
|
end
|
@@ -95,9 +95,11 @@ module Samlr
|
|
95
95
|
|
96
96
|
# The core response is ready, not on to signing
|
97
97
|
response = builder.doc
|
98
|
+
assertion_options = options.merge(:skip_keyinfo => options[:skip_assertion_keyinfo])
|
99
|
+
response = sign(response, assertion_id, assertion_options) if sign_assertion
|
98
100
|
|
99
|
-
|
100
|
-
response = sign(response, response_id,
|
101
|
+
response_options = options.merge(:skip_keyinfo => options[:skip_response_keyinfo])
|
102
|
+
response = sign(response, response_id, response_options) if sign_response
|
101
103
|
|
102
104
|
response.to_xml(COMPACT)
|
103
105
|
end
|
data/samlr.gemspec
CHANGED
@@ -71,7 +71,7 @@ describe Samlr do
|
|
71
71
|
end
|
72
72
|
|
73
73
|
describe "when there is no keyinfo" do
|
74
|
-
subject { saml_response(:certificate => TEST_CERTIFICATE, :
|
74
|
+
subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_response_keyinfo => true, :skip_assertion_keyinfo => true) }
|
75
75
|
|
76
76
|
it "fails" do
|
77
77
|
assert_raises(Samlr::SignatureError) { subject.verify! }
|
@@ -108,4 +108,19 @@ describe Samlr do
|
|
108
108
|
end
|
109
109
|
end
|
110
110
|
|
111
|
+
describe "when only the response signature is missing a certificate" do
|
112
|
+
subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_response_keyinfo => true) }
|
113
|
+
|
114
|
+
it "verifies" do
|
115
|
+
assert subject.verify!
|
116
|
+
end
|
117
|
+
end
|
118
|
+
|
119
|
+
describe "when only the assertion signature is missing a certificate" do
|
120
|
+
subject { saml_response(:certificate => TEST_CERTIFICATE, :skip_assertion_keyinfo => true) }
|
121
|
+
|
122
|
+
it "verifies" do
|
123
|
+
assert subject.verify!
|
124
|
+
end
|
125
|
+
end
|
111
126
|
end
|
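--- a/data/test/unit/test_signature.rb
+++ b/data/test/unit/test_signature.rb
@@ -21,15 +21,15 @@ describe Samlr::Signature do
 end
 end
 
-describe "#certificate" do
+describe "#certificate!" do
 it "should extract the certificate" do
-assert_equal TEST_CERTIFICATE.to_certificate, @signature.send(:certificate)
+assert_equal TEST_CERTIFICATE.to_certificate, @signature.send(:certificate!)
 end
 
 describe "when there is no X509 certificate" do
 it "should raise a signature error" do
 @signature.stub(:certificate_node, nil) do
-assert_raises(Samlr::SignatureError) { @signature.send(:certificate) }
+assert_raises(Samlr::SignatureError) { @signature.send(:certificate!) }
 end
 end
 end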
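--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: samlr
 version: !ruby/object:Gem::Version
-version: 2.0
+version: 2.1.0
 platform: ruby
 authors:
 - Morten Primdahl
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2015-06-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -182,4 +182,3 @@ signing_key:
 specification_version: 4
 summary: Ruby tools for SAML
 test_files: []
-has_rdoc: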