RubyGems - spid-es - Versions diffs - 0.0.43 → 0.0.48 - Mend

spid-es 0.0.43 → 0.0.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/spid/ruby-saml/metadata.rb +29 -20
data/lib/spid/ruby-saml/response.rb +28 -11
data/lib/spid/xml_security_new.rb +6 -2
data/spid-es.gemspec +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eaf5a650af9277b2c8d6e155d7615b0bbf2a68ff496cc847e4994135908f28f0
-  data.tar.gz: 4a94569b9af662ed0ef5c741cef6b8da3d9a164105986e6e8dea0411843b319a
+  metadata.gz: '09b61bd5987c2c5b490a284f00b3a5044dcbaa9f8792bfbf5af12186c9f8db62'
+  data.tar.gz: 9a34254d76547ee688915dc81bf700416779e522268aeb1cadcfc007cb4e71c9
 SHA512:
-  metadata.gz: 37f5919ca120e1ad9ca46b6848aad7e5ee7fd58af5fdf974d28b44972ce267c0a4dd0f43c63ca53c9ba72d8169c12e64c7615d21b53c86bdbeddb9b77cdc53e1
-  data.tar.gz: 325d9c5bd0b521921014a1571e40b6ebb6f92b49c5ab528c186d61548eefefab7bbce6972d788844db909475b82a1b5972a344dcf620ae73a98e7529f3accb66
+  metadata.gz: d919dc970ad06c0771214915ffe505397f98907dba9de7969895431ed9825b04200c89851944fbf1065dfddce28e203d98e4606c0d887e142cab4bab583f1cf1
+  data.tar.gz: 99128f6efd205034c8018abd63ad45d268306b9e6117dc771d73357a90053be48fbe6a59187cc320342473de74981173fd879042114b932dde6245a4ffeca257

data/lib/spid/ruby-saml/metadata.rb CHANGED Viewed

@@ -21,6 +21,8 @@ module Spid
       attr_accessor :uuid
+      @@cache = {}
       def initialize(settings=nil)
         if settings
           @settings = settings
@@ -392,7 +394,6 @@ module Spid
         end
         meta_doc = get_idp_metadata
         return nil unless meta_doc
         # first try GET (REDIRECT)
         sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
@@ -449,20 +450,26 @@ module Spid
       # returns a REXML document of the metadata
       def get_idp_metadata
         return false if @settings.idp_metadata.nil?
         # Look up the metdata in cache first
         id = Digest::MD5.hexdigest(@settings.idp_metadata)
-        response = fetch(@settings.idp_metadata)
-        #meta_text = response.body
-        #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
-        #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
-        doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
-        doc_noko.remove_namespaces!
+        unless @@cache[id].blank?
+          Logging.debug "IdP metadata cache used for #{@settings.idp_metadata}"
+          doc_noko = @@cache[id]
+        else #save in cache
+          response = fetch(@settings.idp_metadata)
+          #meta_text = response.body
+          #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
+          #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
+          doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
+          doc_noko.remove_namespaces!
+          #save
+          @@cache[id] = doc_noko
+        end
         extract_certificate(doc_noko)
         doc_rexml = REXML::Document.new(doc_noko.to_xml)
         return doc_rexml
         # USE OF CACHE WITH CERTIFICATE
         # lookup = @cache.read(id)
         # if lookup != nil
@@ -504,18 +511,20 @@ module Spid
         #ricerco il certificato con nokogiri
         # pull out the x509 tag
         x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-        #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
-        # If the IdP didn't specify the use attribute
-        if x509.nil?
-          x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-          # x509 = REXML::XPath.first(meta_doc,
-          #       "/EntityDescriptor/IDPSSODescriptor" +
-          #     "/KeyDescriptor" +
-          #     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
-          #   )
+        if !x509.nil?
+          if x509.length > 1
+            @settings.idp_cert = []
+            x509.children.each{|child_cert|
+              @settings.idp_cert << child_cert.to_s.gsub(/\n/, "").gsub(/\t/, "")
+            }
+          else #un array con un campo
+            @settings.idp_cert = [x509.children[0].to_s.gsub(/\n/, "").gsub(/\t/, "")]
+          end
+        else #se nil uso il certificato in keyinfo, non dovrebbe mai accadere
+          x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate")
         end
-        @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
+        #se ci sono n certificati ritorno array
+        @settings.idp_cert
       end
       # construct the parameter list on the URL and return

data/lib/spid/ruby-saml/response.rb CHANGED Viewed

@@ -235,6 +235,12 @@ module Spid
           return  node_cond_not_on_or_after.attributes["NotOnOrAfter"] unless node_cond_not_on_or_after.blank?
         end
+        #ricavo l'issue instant della request
+        def assertion_authninstant
+          node_authn_statement = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          return  node_authn_statement.attributes["AuthnInstant"] unless node_authn_statement.blank?
+        end
         private
         def validation_error(message)
@@ -508,11 +514,12 @@ module Spid
             return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
-            unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
-              # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
-              # return append_error(error_msg)
-              return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
-            end
+            #DA-RIPRISTINARE!
+            # unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
+            #   # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
+            #   # return append_error(error_msg)
+            #   return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
+            # end
             true
         end
@@ -609,15 +616,25 @@ module Spid
         def get_fingerprint
             idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
             if settings.idp_cert
-              cert_text = Base64.decode64(settings.idp_cert)
-              cert = OpenSSL::X509::Certificate.new(cert_text)
-              Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+              #controllo se ho n certificati
+              if settings.idp_cert.length > 1
+                array_fingerprint = []
+                settings.idp_cert.each{|cert_metadata_ipd|
+                  cert_text = Base64.decode64(cert_metadata_ipd)
+                  cert = OpenSSL::X509::Certificate.new(cert_text)
+                  array_fingerprint << Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+                }
+                return array_fingerprint
+              else
+                cert_text = Base64.decode64(settings.idp_cert[0])
+                cert = OpenSSL::X509::Certificate.new(cert_text)
+                return [Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")]
+              end
             else
-              settings.idp_cert_fingerprint
+              return [settings.idp_cert_fingerprint]
             end
         end
         def validate_conditions(soft = true)

data/lib/spid/xml_security_new.rb CHANGED Viewed

@@ -200,7 +200,7 @@ module Spid
       def signed_element_id
         @signed_element_id ||= extract_signed_element_id
       end
+      #idp_cert_fingerprint e' un array di fingerprint
       def validate_document(idp_cert_fingerprint, soft = true, options = {})
         # get cert from response
         cert_element = REXML::XPath.first(
@@ -226,7 +226,11 @@ module Spid
           fingerprint = fingerprint_alg.hexdigest(cert.to_der)
           # check cert matches registered idp cert
-          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          trovato = false
+          idp_cert_fingerprint.each{|fingerprint_from_idp|
+            trovato = true if fingerprint_from_idp.gsub(/[^a-zA-Z0-9]/,"").downcase == fingerprint
+          }
+          if !trovato
             @errors << "Fingerprint mismatch"
             return append_error("Fingerprint mismatch", soft)
           end

data/spid-es.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 Gem::Specification.new do |s|
   s.name = 'spid-es'
-  s.version = '0.0.43'
+  s.version = '0.0.48'
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid-es
 version: !ruby/object:Gem::Version
-  version: 0.0.43
+  version: 0.0.48
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-28 00:00:00.000000000 Z
+date: 2021-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix