spid-es 0.0.43 → 0.0.48
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/spid/ruby-saml/metadata.rb +29 -20
- data/lib/spid/ruby-saml/response.rb +28 -11
- data/lib/spid/xml_security_new.rb +6 -2
- data/spid-es.gemspec +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '09b61bd5987c2c5b490a284f00b3a5044dcbaa9f8792bfbf5af12186c9f8db62'
|
4
|
+
data.tar.gz: 9a34254d76547ee688915dc81bf700416779e522268aeb1cadcfc007cb4e71c9
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d919dc970ad06c0771214915ffe505397f98907dba9de7969895431ed9825b04200c89851944fbf1065dfddce28e203d98e4606c0d887e142cab4bab583f1cf1
|
7
|
+
data.tar.gz: 99128f6efd205034c8018abd63ad45d268306b9e6117dc771d73357a90053be48fbe6a59187cc320342473de74981173fd879042114b932dde6245a4ffeca257
|
@@ -21,6 +21,8 @@ module Spid
|
|
21
21
|
|
22
22
|
attr_accessor :uuid
|
23
23
|
|
24
|
+
@@cache = {}
|
25
|
+
|
24
26
|
def initialize(settings=nil)
|
25
27
|
if settings
|
26
28
|
@settings = settings
|
@@ -392,7 +394,6 @@ module Spid
|
|
392
394
|
end
|
393
395
|
|
394
396
|
meta_doc = get_idp_metadata
|
395
|
-
|
396
397
|
return nil unless meta_doc
|
397
398
|
# first try GET (REDIRECT)
|
398
399
|
sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
|
@@ -449,20 +450,26 @@ module Spid
|
|
449
450
|
# returns a REXML document of the metadata
|
450
451
|
def get_idp_metadata
|
451
452
|
return false if @settings.idp_metadata.nil?
|
452
|
-
|
453
453
|
# Look up the metdata in cache first
|
454
454
|
id = Digest::MD5.hexdigest(@settings.idp_metadata)
|
455
|
-
|
456
|
-
|
457
|
-
|
458
|
-
#
|
459
|
-
|
460
|
-
|
455
|
+
unless @@cache[id].blank?
|
456
|
+
Logging.debug "IdP metadata cache used for #{@settings.idp_metadata}"
|
457
|
+
doc_noko = @@cache[id]
|
458
|
+
else #save in cache
|
459
|
+
response = fetch(@settings.idp_metadata)
|
460
|
+
#meta_text = response.body
|
461
|
+
#testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
|
462
|
+
#uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
|
463
|
+
doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
|
464
|
+
doc_noko.remove_namespaces!
|
465
|
+
#save
|
466
|
+
@@cache[id] = doc_noko
|
467
|
+
end
|
461
468
|
extract_certificate(doc_noko)
|
462
469
|
doc_rexml = REXML::Document.new(doc_noko.to_xml)
|
463
|
-
|
464
470
|
return doc_rexml
|
465
471
|
|
472
|
+
|
466
473
|
# USE OF CACHE WITH CERTIFICATE
|
467
474
|
# lookup = @cache.read(id)
|
468
475
|
# if lookup != nil
|
@@ -504,18 +511,20 @@ module Spid
|
|
504
511
|
#ricerco il certificato con nokogiri
|
505
512
|
# pull out the x509 tag
|
506
513
|
x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
|
507
|
-
|
508
|
-
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
|
513
|
-
#
|
514
|
-
|
515
|
-
|
516
|
-
|
514
|
+
if !x509.nil?
|
515
|
+
if x509.length > 1
|
516
|
+
@settings.idp_cert = []
|
517
|
+
x509.children.each{|child_cert|
|
518
|
+
@settings.idp_cert << child_cert.to_s.gsub(/\n/, "").gsub(/\t/, "")
|
519
|
+
}
|
520
|
+
else #un array con un campo
|
521
|
+
@settings.idp_cert = [x509.children[0].to_s.gsub(/\n/, "").gsub(/\t/, "")]
|
522
|
+
end
|
523
|
+
else #se nil uso il certificato in keyinfo, non dovrebbe mai accadere
|
524
|
+
x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate")
|
517
525
|
end
|
518
|
-
|
526
|
+
#se ci sono n certificati ritorno array
|
527
|
+
@settings.idp_cert
|
519
528
|
end
|
520
529
|
|
521
530
|
# construct the parameter list on the URL and return
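Review bot: In the extract_certificate hunk (@@ -504,18 +511,20 @@) the guard `if !x509.nil?` is always true, because Nokogiri's `xpath` returns a NodeSet (empty when nothing matches) rather than nil, so the fallback to the Signature/KeyInfo certificate is unreachable and metadata without a KeyDescriptor certificate ends up with `@settings.idp_cert = [""]`, which will then blow up inside `OpenSSL::X509::Certificate.new` in get_fingerprint instead of producing a clear error. The test should be emptiness, `if !x509.empty?`, and the fallback branch should assign what it finds, since it currently only reassigns the local `x509` and leaves `@settings.idp_cert` untouched. The two branches can collapse into one line that handles one or many certificates uniformly, `@settings.idp_cert = x509.map { |c| c.text.gsub(/\s/, "") }`. Note also that the XPath on the context line above collects certificates from every KeyDescriptor regardless of its `use` attribute, so an encryption-only certificate published by the IdP would become a signature trust anchor; `KeyDescriptor[not(@use) or @use='signing']` would narrow that. extract_certificate's signature is outside the hunk.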
|
@@ -235,6 +235,12 @@ module Spid
|
|
235
235
|
return node_cond_not_on_or_after.attributes["NotOnOrAfter"] unless node_cond_not_on_or_after.blank?
|
236
236
|
end
|
237
237
|
|
238
|
+
#ricavo l'issue instant della request
|
239
|
+
def assertion_authninstant
|
240
|
+
node_authn_statement = xpath_first_from_signed_assertion('/a:AuthnStatement')
|
241
|
+
return node_authn_statement.attributes["AuthnInstant"] unless node_authn_statement.blank?
|
242
|
+
end
|
243
|
+
|
238
244
|
private
|
239
245
|
|
240
246
|
def validation_error(message)
|
@@ -508,11 +514,12 @@ module Spid
|
|
508
514
|
|
509
515
|
return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
|
510
516
|
|
511
|
-
|
512
|
-
|
513
|
-
|
514
|
-
|
515
|
-
|
517
|
+
#DA-RIPRISTINARE!
|
518
|
+
# unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
|
519
|
+
# # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
|
520
|
+
# # return append_error(error_msg)
|
521
|
+
# return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
|
522
|
+
# end
|
516
523
|
|
517
524
|
true
|
518
525
|
end
|
@@ -609,15 +616,25 @@ module Spid
|
|
609
616
|
|
610
617
|
def get_fingerprint
|
611
618
|
idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
|
612
|
-
|
613
619
|
if settings.idp_cert
|
614
|
-
|
615
|
-
|
616
|
-
|
620
|
+
#controllo se ho n certificati
|
621
|
+
if settings.idp_cert.length > 1
|
622
|
+
array_fingerprint = []
|
623
|
+
settings.idp_cert.each{|cert_metadata_ipd|
|
624
|
+
cert_text = Base64.decode64(cert_metadata_ipd)
|
625
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
626
|
+
array_fingerprint << Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
|
627
|
+
}
|
628
|
+
return array_fingerprint
|
629
|
+
else
|
630
|
+
cert_text = Base64.decode64(settings.idp_cert[0])
|
631
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
632
|
+
return [Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")]
|
633
|
+
end
|
634
|
+
|
617
635
|
else
|
618
|
-
settings.idp_cert_fingerprint
|
636
|
+
return [settings.idp_cert_fingerprint]
|
619
637
|
end
|
620
|
-
|
621
638
|
end
|
622
639
|
|
623
640
|
def validate_conditions(soft = true)
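Review bot: In the hunk at @@ -508,11 +514,12 @@ the Destination check is now entirely commented out (marked `#DA-RIPRISTINARE!`), so the method falls through to `true` and a response whose Destination names a different assertion consumer service is accepted; the only remaining early return is the one for an unset assertion_consumer_service_url. The commented block still contains the working form, `return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}") unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)`, and if the comparison was disabled because of a URL-normalisation mismatch the fix belongs in `uri_match?`, not in skipping the check. If the release is meant to ship without it, the method comment should state that Destination is not validated and a test should pin the behaviour so the gap is not forgotten. The enclosing method starts before that hunk, so its name and the origin of `destination` are not visible here.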
|
@@ -200,7 +200,7 @@ module Spid
|
|
200
200
|
def signed_element_id
|
201
201
|
@signed_element_id ||= extract_signed_element_id
|
202
202
|
end
|
203
|
-
|
203
|
+
#idp_cert_fingerprint e' un array di fingerprint
|
204
204
|
def validate_document(idp_cert_fingerprint, soft = true, options = {})
|
205
205
|
# get cert from response
|
206
206
|
cert_element = REXML::XPath.first(
|
@@ -226,7 +226,11 @@ module Spid
|
|
226
226
|
fingerprint = fingerprint_alg.hexdigest(cert.to_der)
|
227
227
|
|
228
228
|
# check cert matches registered idp cert
|
229
|
-
|
229
|
+
trovato = false
|
230
|
+
idp_cert_fingerprint.each{|fingerprint_from_idp|
|
231
|
+
trovato = true if fingerprint_from_idp.gsub(/[^a-zA-Z0-9]/,"").downcase == fingerprint
|
232
|
+
}
|
233
|
+
if !trovato
|
230
234
|
@errors << "Fingerprint mismatch"
|
231
235
|
return append_error("Fingerprint mismatch", soft)
|
232
236
|
end
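Review bot: The `trovato` flag loop in validate_document is an `any?` written by hand, and it raises NoMethodError instead of reporting a mismatch when the array holds nil — which get_fingerprint in response.rb produces as `[settings.idp_cert_fingerprint]` when neither idp_cert nor the fingerprint setting is configured. Replacing the five lines with `matched = Array(idp_cert_fingerprint).any? { |f| f.to_s.gsub(/[^a-zA-Z0-9]/, "").downcase == fingerprint }` followed by `unless matched` keeps the comparison, routes the nil case into the existing "Fingerprint mismatch" path, and keeps any older caller that still passes a single string working. The comment added above the signature would read better as `# idp_cert_fingerprint: array of hex fingerprints (separators allowed); any match accepts the certificate`. The response-side `fingerprint` comes from `fingerprint_alg`, which is chosen outside this hunk — if it is not SHA-256, the `Digest::SHA2` digests built by get_fingerprint can never match and every response is rejected, so that coupling deserves a comment as well.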
|
data/spid-es.gemspec
CHANGED
@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
|
|
2
2
|
|
3
3
|
Gem::Specification.new do |s|
|
4
4
|
s.name = 'spid-es'
|
5
|
-
s.version = '0.0.
|
5
|
+
s.version = '0.0.48'
|
6
6
|
|
7
7
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
8
8
|
s.authors = ["Fabiano Pavan"]
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: spid-es
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.48
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Fabiano Pavan
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-02-26 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: canonix
|