RubyGems - spid-es - Versions diffs - 0.0.43 → 0.0.48 - Mend

spid-es 0.0.43 → 0.0.48

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/spid/ruby-saml/metadata.rb +29 -20
data/lib/spid/ruby-saml/response.rb +28 -11
data/lib/spid/xml_security_new.rb +6 -2
data/spid-es.gemspec +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eaf5a650af9277b2c8d6e155d7615b0bbf2a68ff496cc847e4994135908f28f0
-  data.tar.gz: 4a94569b9af662ed0ef5c741cef6b8da3d9a164105986e6e8dea0411843b319a
+  metadata.gz: '09b61bd5987c2c5b490a284f00b3a5044dcbaa9f8792bfbf5af12186c9f8db62'
+  data.tar.gz: 9a34254d76547ee688915dc81bf700416779e522268aeb1cadcfc007cb4e71c9
 SHA512:
-  metadata.gz: 37f5919ca120e1ad9ca46b6848aad7e5ee7fd58af5fdf974d28b44972ce267c0a4dd0f43c63ca53c9ba72d8169c12e64c7615d21b53c86bdbeddb9b77cdc53e1
-  data.tar.gz: 325d9c5bd0b521921014a1571e40b6ebb6f92b49c5ab528c186d61548eefefab7bbce6972d788844db909475b82a1b5972a344dcf620ae73a98e7529f3accb66
+  metadata.gz: d919dc970ad06c0771214915ffe505397f98907dba9de7969895431ed9825b04200c89851944fbf1065dfddce28e203d98e4606c0d887e142cab4bab583f1cf1
+  data.tar.gz: 99128f6efd205034c8018abd63ad45d268306b9e6117dc771d73357a90053be48fbe6a59187cc320342473de74981173fd879042114b932dde6245a4ffeca257

data/lib/spid/ruby-saml/metadata.rb CHANGED Viewed

@@ -21,6 +21,8 @@ module Spid
       attr_accessor :uuid
+      @@cache = {}
       def initialize(settings=nil)
         if settings
           @settings = settings
@@ -392,7 +394,6 @@ module Spid
         end
         meta_doc = get_idp_metadata
         return nil unless meta_doc
         # first try GET (REDIRECT)
         sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
@@ -449,20 +450,26 @@ module Spid
       # returns a REXML document of the metadata
       def get_idp_metadata
         return false if @settings.idp_metadata.nil?
         # Look up the metdata in cache first
         id = Digest::MD5.hexdigest(@settings.idp_metadata)
-        response = fetch(@settings.idp_metadata)
-        #meta_text = response.body
-        #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
-        #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
-        doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
-        doc_noko.remove_namespaces!
+        unless @@cache[id].blank?
+          Logging.debug "IdP metadata cache used for #{@settings.idp_metadata}"
+          doc_noko = @@cache[id]
+        else #save in cache
+          response = fetch(@settings.idp_metadata)
+          #meta_text = response.body
+          #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
+          #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
+          doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
+          doc_noko.remove_namespaces!
+          #save
+          @@cache[id] = doc_noko
+        end
         extract_certificate(doc_noko)
         doc_rexml = REXML::Document.new(doc_noko.to_xml)
         return doc_rexml
         # USE OF CACHE WITH CERTIFICATE
         # lookup = @cache.read(id)
         # if lookup != nil
@@ -504,18 +511,20 @@ module Spid
         #ricerco il certificato con nokogiri
         # pull out the x509 tag
         x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-        #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
-        # If the IdP didn't specify the use attribute
-        if x509.nil?
-          x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-          # x509 = REXML::XPath.first(meta_doc,
-          #       "/EntityDescriptor/IDPSSODescriptor" +
-          #     "/KeyDescriptor" +
-          #     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
-          #   )
+        if !x509.nil?
+          if x509.length > 1
+            @settings.idp_cert = []
+            x509.children.each{|child_cert|
+              @settings.idp_cert << child_cert.to_s.gsub(/\n/, "").gsub(/\t/, "")
+            }
+          else #un array con un campo
+            @settings.idp_cert = [x509.children[0].to_s.gsub(/\n/, "").gsub(/\t/, "")]
+          end
+        else #se nil uso il certificato in keyinfo, non dovrebbe mai accadere
+          x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate")
         end
-        @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
+        #se ci sono n certificati ritorno array
+        @settings.idp_cert
       end
       # construct the parameter list on the URL and return

data/lib/spid/ruby-saml/response.rb CHANGED Viewed

@@ -235,6 +235,12 @@ module Spid
           return  node_cond_not_on_or_after.attributes["NotOnOrAfter"] unless node_cond_not_on_or_after.blank?
         end
+        #ricavo l'issue instant della request
+        def assertion_authninstant
+          node_authn_statement = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          return  node_authn_statement.attributes["AuthnInstant"] unless node_authn_statement.blank?
+        end
         private
         def validation_error(message)
@@ -508,11 +514,12 @@ module Spid
             return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
-            unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
-              # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
-              # return append_error(error_msg)
-              return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
-            end
+            #DA-RIPRISTINARE!
+            # unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
+            #   # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
+            #   # return append_error(error_msg)
+            #   return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
+            # end
             true
         end
@@ -609,15 +616,25 @@ module Spid
         def get_fingerprint
             idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
             if settings.idp_cert
-              cert_text = Base64.decode64(settings.idp_cert)
-              cert = OpenSSL::X509::Certificate.new(cert_text)
-              Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+              #controllo se ho n certificati
+              if settings.idp_cert.length > 1
+                array_fingerprint = []
+                settings.idp_cert.each{|cert_metadata_ipd|
+                  cert_text = Base64.decode64(cert_metadata_ipd)
+                  cert = OpenSSL::X509::Certificate.new(cert_text)
+                  array_fingerprint << Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+                }
+                return array_fingerprint
+              else
+                cert_text = Base64.decode64(settings.idp_cert[0])
+                cert = OpenSSL::X509::Certificate.new(cert_text)
+                return [Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")]
+              end
             else
-              settings.idp_cert_fingerprint
+              return [settings.idp_cert_fingerprint]
             end
         end
         def validate_conditions(soft = true)

data/lib/spid/xml_security_new.rb CHANGED Viewed

@@ -200,7 +200,7 @@ module Spid
       def signed_element_id
         @signed_element_id ||= extract_signed_element_id
       end
+      #idp_cert_fingerprint e' un array di fingerprint
       def validate_document(idp_cert_fingerprint, soft = true, options = {})
         # get cert from response
         cert_element = REXML::XPath.first(
@@ -226,7 +226,11 @@ module Spid
           fingerprint = fingerprint_alg.hexdigest(cert.to_der)
           # check cert matches registered idp cert
-          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          trovato = false
+          idp_cert_fingerprint.each{|fingerprint_from_idp|
+            trovato = true if fingerprint_from_idp.gsub(/[^a-zA-Z0-9]/,"").downcase == fingerprint
+          }
+          if !trovato
             @errors << "Fingerprint mismatch"
             return append_error("Fingerprint mismatch", soft)
           end

data/spid-es.gemspec CHANGED Viewed

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 Gem::Specification.new do |s|
   s.name = 'spid-es'
-  s.version = '0.0.43'
+  s.version = '0.0.48'
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid-es
 version: !ruby/object:Gem::Version
-  version: 0.0.43
+  version: 0.0.48
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-28 00:00:00.000000000 Z
+date: 2021-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix