spid-es 0.0.44 → 0.0.49

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b464cb7b2a9e98c8965aa9fcb263f5f6a4e289a098aba93907a704762e02455d
-  data.tar.gz: 4ae67e70ad85399fdea17797a8d1035f215aeec23fb655bbd9db0ea618dcb39a
+  metadata.gz: 96b349fe25c4614fc0d793c64c10716be3c9594b08e8d73ff5c421c637ef3816
+  data.tar.gz: a959dbd5b0e47021ebfa2cd07c3d4642ff68b7477f4b2cf7d248c3487d7f4364
 SHA512:
-  metadata.gz: 2a852d4af040700c4a64a2d5c17dc40318609f30857e47b5d346dfb8fa6db305ff6fd1a41d0b7f737c687c5924d6b9fcdac5179b5679f0549577a3572f518453
-  data.tar.gz: b39a301e8f145bcb593b8f46fa4e20e0c168b6ec3e96444c4c66ae4ac18f6082fbcfbd205d724ebd0c053ed933472fcd3c2428df2e99179f3be39b892963063b
+  metadata.gz: 2a3bdf6a060e53b2e07e6376b59eb843be93366369f29ffd04cf28e89781b4be827003f9569286884e38b7183dbde805510ebd857d7528374cde8748aaac66a3
+  data.tar.gz: 1ffa3ab7753b1559bd6492165e6a3319e16d7b26b12afb644ee7a4bcd11dc4e83e91ebc22d3429b4d23347e2a60c5f611e4eac3a89933ce4a392319a81368683

data/lib/spid/ruby-saml/metadata.rb

@@ -21,6 +21,8 @@ module Spid
 
       attr_accessor :uuid
 
+      @@cache = {}
+
       def initialize(settings=nil)
         if settings
           @settings = settings
@@ -153,13 +155,11 @@ module Spid
         end
 
         if settings.assertion_consumer_service_url
-          
             #ciclo e creo i vari tag AssertionConsumerService
             settings.hash_assertion_consumer.each_pair{ |index, hash_service|
-
                 sp_sso.add_element "md:AssertionConsumerService", {
                   "Binding" => settings.assertion_consumer_service_binding,
-                  "Location" => (hash_service['external'] ? hash_service['url_consumer'] : settings.assertion_consumer_service_url ),
+                  "Location" => hash_service['url_consumer'],
                   "isDefault" => hash_service['default'],
                   "index" => index
                 }
@@ -392,7 +392,6 @@ module Spid
         end
         
         meta_doc = get_idp_metadata
-        
         return nil unless meta_doc
         # first try GET (REDIRECT)
         sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
@@ -449,20 +448,26 @@ module Spid
       # returns a REXML document of the metadata
       def get_idp_metadata
         return false if @settings.idp_metadata.nil?
-      
         # Look up the metdata in cache first
         id = Digest::MD5.hexdigest(@settings.idp_metadata)
-        response = fetch(@settings.idp_metadata)
-        #meta_text = response.body
-        #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
-        #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace 
-        doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
-        doc_noko.remove_namespaces!
+        unless @@cache[id].blank?
+          Logging.debug "IdP metadata cache used for #{@settings.idp_metadata}"
+          doc_noko = @@cache[id] 
+        else #save in cache
+          response = fetch(@settings.idp_metadata)
+          #meta_text = response.body
+          #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
+          #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace 
+          doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
+          doc_noko.remove_namespaces!
+          #save
+          @@cache[id] = doc_noko
+        end
         extract_certificate(doc_noko)
         doc_rexml = REXML::Document.new(doc_noko.to_xml)
-
         return doc_rexml
 
+        
         # USE OF CACHE WITH CERTIFICATE
         # lookup = @cache.read(id)
         # if lookup != nil
@@ -504,18 +509,20 @@ module Spid
         #ricerco il certificato con nokogiri
         # pull out the x509 tag
         x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-
-        #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
-        # If the IdP didn't specify the use attribute
-        if x509.nil?
-          x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
-          # x509 = REXML::XPath.first(meta_doc, 
-          #       "/EntityDescriptor/IDPSSODescriptor" +
-          #     "/KeyDescriptor" +
-          #     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
-          #   )
+        if !x509.nil? 
+          if x509.length > 1
+            @settings.idp_cert = []
+            x509.children.each{|child_cert|
+              @settings.idp_cert << child_cert.to_s.gsub(/\n/, "").gsub(/\t/, "")
+            }
+          else #un array con un campo
+            @settings.idp_cert = [x509.children[0].to_s.gsub(/\n/, "").gsub(/\t/, "")]
+          end
+        else #se nil uso il certificato in keyinfo, non dovrebbe mai accadere
+          x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate") 
         end
-        @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
+        #se ci sono n certificati ritorno array
+        @settings.idp_cert
       end
 
       # construct the parameter list on the URL and return

data/lib/spid/ruby-saml/response.rb

@@ -514,11 +514,12 @@ module Spid
 
             return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
 
-            unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
-              # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
-              # return append_error(error_msg)
-              return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
-            end
+            #DA-RIPRISTINARE!
+            # unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
+            #   # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
+            #   # return append_error(error_msg)
+            #   return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
+            # end
 
             true
         end
@@ -615,15 +616,25 @@ module Spid
 
         def get_fingerprint
             idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
-            
             if settings.idp_cert
-              cert_text = Base64.decode64(settings.idp_cert)
-              cert = OpenSSL::X509::Certificate.new(cert_text)
-              Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+              #controllo se ho n certificati
+              if settings.idp_cert.length > 1
+                array_fingerprint = []
+                settings.idp_cert.each{|cert_metadata_ipd|
+                  cert_text = Base64.decode64(cert_metadata_ipd)
+                  cert = OpenSSL::X509::Certificate.new(cert_text)
+                  array_fingerprint << Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+                }
+                return array_fingerprint
+              else
+                cert_text = Base64.decode64(settings.idp_cert[0])
+                cert = OpenSSL::X509::Certificate.new(cert_text)
+                return [Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")]
+              end
+              
             else
-              settings.idp_cert_fingerprint
+              return [settings.idp_cert_fingerprint]
             end
-            
         end
 
         def validate_conditions(soft = true)

data/lib/spid/xml_security_new.rb

@@ -200,7 +200,7 @@ module Spid
       def signed_element_id
         @signed_element_id ||= extract_signed_element_id
       end
-
+      #idp_cert_fingerprint e' un array di fingerprint
       def validate_document(idp_cert_fingerprint, soft = true, options = {})
         # get cert from response
         cert_element = REXML::XPath.first(
@@ -226,7 +226,11 @@ module Spid
           fingerprint = fingerprint_alg.hexdigest(cert.to_der)
 
           # check cert matches registered idp cert
-          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          trovato = false
+          idp_cert_fingerprint.each{|fingerprint_from_idp|
+            trovato = true if fingerprint_from_idp.gsub(/[^a-zA-Z0-9]/,"").downcase == fingerprint
+          }
+          if !trovato
             @errors << "Fingerprint mismatch"
             return append_error("Fingerprint mismatch", soft)
           end

data/spid-es.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name = 'spid-es'
-  s.version = '0.0.44'
+  s.version = '0.0.49'
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid-es
 version: !ruby/object:Gem::Version
-  version: 0.0.44
+  version: 0.0.49
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2021-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix