spid-es 0.0.44 → 0.0.49

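--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b464cb7b2a9e98c8965aa9fcb263f5f6a4e289a098aba93907a704762e02455d
-  data.tar.gz: 4ae67e70ad85399fdea17797a8d1035f215aeec23fb655bbd9db0ea618dcb39a
+  metadata.gz: 96b349fe25c4614fc0d793c64c10716be3c9594b08e8d73ff5c421c637ef3816
+  data.tar.gz: a959dbd5b0e47021ebfa2cd07c3d4642ff68b7477f4b2cf7d248c3487d7f4364
 SHA512:
-  metadata.gz: 2a852d4af040700c4a64a2d5c17dc40318609f30857e47b5d346dfb8fa6db305ff6fd1a41d0b7f737c687c5924d6b9fcdac5179b5679f0549577a3572f518453
-  data.tar.gz: b39a301e8f145bcb593b8f46fa4e20e0c168b6ec3e96444c4c66ae4ac18f6082fbcfbd205d724ebd0c053ed933472fcd3c2428df2e99179f3be39b892963063b
+  metadata.gz: 2a3bdf6a060e53b2e07e6376b59eb843be93366369f29ffd04cf28e89781b4be827003f9569286884e38b7183dbde805510ebd857d7528374cde8748aaac66a3
+  data.tar.gz: 1ffa3ab7753b1559bd6492165e6a3319e16d7b26b12afb644ee7a4bcd11dc4e83e91ebc22d3429b4d23347e2a60c5f611e4eac3a89933ce4a392319a81368683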
@@ -21,6 +21,8 @@ module Spid
21
21
 
22
22
  attr_accessor :uuid
23
23
 
24
+ @@cache = {}
25
+
24
26
  def initialize(settings=nil)
25
27
  if settings
26
28
  @settings = settings
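Review bot: `@@cache = {}` is a class variable, so it is shared with every subclass of the enclosing class and is mutable process-wide; the conventional form is a class instance variable, `@cache = {}` together with `class << self; attr_reader :cache; end`, read from instance methods as `self.class.cache`. The hash is never bounded or expired, and the later `@@ -449,20 +448,26 @@` hunk reads and writes it without synchronization, which matters on a threaded server. The enclosing class header is outside this hunk.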
@@ -153,13 +155,11 @@ module Spid
153
155
  end
154
156
 
155
157
  if settings.assertion_consumer_service_url
156
-
157
158
  #ciclo e creo i vari tag AssertionConsumerService
158
159
  settings.hash_assertion_consumer.each_pair{ |index, hash_service|
159
-
160
160
  sp_sso.add_element "md:AssertionConsumerService", {
161
161
  "Binding" => settings.assertion_consumer_service_binding,
162
- "Location" => (hash_service['external'] ? hash_service['url_consumer'] : settings.assertion_consumer_service_url ),
162
+ "Location" => hash_service['url_consumer'],
163
163
  "isDefault" => hash_service['default'],
164
164
  "index" => index
165
165
  }
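Review bot: `"Location" => hash_service['url_consumer']` drops the previous fallback to `settings.assertion_consumer_service_url` for non-external entries, so an entry without `url_consumer` now publishes an AssertionConsumerService with an empty Location. Since the ACS Location is the endpoint the IdP will POST assertions to, the generated metadata should fall back or fail rather than emit a blank one, e.g. `"Location" => hash_service['url_consumer'] || settings.assertion_consumer_service_url`. The surrounding method starts and ends outside this hunk.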
@@ -392,7 +392,6 @@ module Spid
392
392
  end
393
393
 
394
394
  meta_doc = get_idp_metadata
395
-
396
395
  return nil unless meta_doc
397
396
  # first try GET (REDIRECT)
398
397
  sso_element = REXML::XPath.first(meta_doc, "/EntityDescriptor/IDPSSODescriptor/#{service}[@Binding='#{HTTP_GET}']")
@@ -449,20 +448,26 @@ module Spid
449
448
  # returns a REXML document of the metadata
450
449
  def get_idp_metadata
451
450
  return false if @settings.idp_metadata.nil?
452
-
453
451
  # Look up the metdata in cache first
454
452
  id = Digest::MD5.hexdigest(@settings.idp_metadata)
455
- response = fetch(@settings.idp_metadata)
456
- #meta_text = response.body
457
- #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
458
- #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
459
- doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
460
- doc_noko.remove_namespaces!
453
+ unless @@cache[id].blank?
454
+ Logging.debug "IdP metadata cache used for #{@settings.idp_metadata}"
455
+ doc_noko = @@cache[id]
456
+ else #save in cache
457
+ response = fetch(@settings.idp_metadata)
458
+ #meta_text = response.body
459
+ #testo_response = meta_text.sub!(' xmlns:xml="http://www.w3.org/XML/1998/namespace"', '') da errori
460
+ #uso nokogiri per cercare il certificato, uso la funzione che rimuove tutti i namespace
461
+ doc_noko = Nokogiri::XML(response.body.gsub(/\n/, "").gsub(/\t/, "")) #modifica per poste
462
+ doc_noko.remove_namespaces!
463
+ #save
464
+ @@cache[id] = doc_noko
465
+ end
461
466
  extract_certificate(doc_noko)
462
467
  doc_rexml = REXML::Document.new(doc_noko.to_xml)
463
-
464
468
  return doc_rexml
465
469
 
470
+
466
471
  # USE OF CACHE WITH CERTIFICATE
467
472
  # lookup = @cache.read(id)
468
473
  # if lookup != nil
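Review bot: The parsed metadata is cached under the MD5 of the metadata URL for the life of the process and `extract_certificate` is then run on the cached document, so an IdP key rollover is never picked up (and a retired certificate stays trusted) until the process restarts; the entry needs a TTL or an explicit invalidation path, for example storing the fetch time alongside the document and refetching when it is older than a configured interval. `@@cache[id].blank?` relies on ActiveSupport's `blank?`; unless the gem declares that dependency, `@@cache.key?(id)` is the portable check. The read at `unless @@cache[id].blank?` and the write at `@@cache[id] = doc_noko` are unsynchronized, so concurrent first requests may all fetch; a Mutex around the lookup is the fix if this runs on a threaded server. The `@@cache` declaration is in the earlier `@@ -21,6 +21,8 @@` hunk.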
@@ -504,18 +509,20 @@ module Spid
504
509
  #ricerco il certificato con nokogiri
505
510
  # pull out the x509 tag
506
511
  x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
507
-
508
- #x509 = REXML::XPath.first(meta_doc, "/md:EntityDescriptor/md:IDPSSODescriptor"+"/md:KeyDescriptor"+"/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
509
- # If the IdP didn't specify the use attribute
510
- if x509.nil?
511
- x509 = meta_doc.xpath("//EntityDescriptor//IDPSSODescriptor//KeyDescriptor//KeyInfo//X509Data//X509Certificate")
512
- # x509 = REXML::XPath.first(meta_doc,
513
- # "/EntityDescriptor/IDPSSODescriptor" +
514
- # "/KeyDescriptor" +
515
- # "/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
516
- # )
512
+ if !x509.nil?
513
+ if x509.length > 1
514
+ @settings.idp_cert = []
515
+ x509.children.each{|child_cert|
516
+ @settings.idp_cert << child_cert.to_s.gsub(/\n/, "").gsub(/\t/, "")
517
+ }
518
+ else #un array con un campo
519
+ @settings.idp_cert = [x509.children[0].to_s.gsub(/\n/, "").gsub(/\t/, "")]
520
+ end
521
+ else #se nil uso il certificato in keyinfo, non dovrebbe mai accadere
522
+ x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate")
517
523
  end
518
- @settings.idp_cert = x509.children.to_s.gsub(/\n/, "").gsub(/\t/, "")
524
+ #se ci sono n certificati ritorno array
525
+ @settings.idp_cert
519
526
  end
520
527
 
521
528
  # construct the parameter list on the URL and return
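Review bot: `if !x509.nil?` can never take its else branch, because Nokogiri's `xpath` returns a NodeSet (empty when nothing matched) rather than nil, so the fallback to the `//Signature//KeyInfo` certificate is unreachable; and even if it were reached, that branch only reassigns the local `x509` and never writes `@settings.idp_cert`, leaving whatever value it held before. Both branches can collapse into `x509 = meta_doc.xpath("//EntityDescriptor//Signature//KeyInfo//X509Data//X509Certificate") if x509.empty?` followed by `@settings.idp_cert = x509.map { |c| c.text.gsub(/\n/, "").gsub(/\t/, "") }`, which also removes the `length > 1` duplication. Because this result decides which IdP signing certificates are trusted, an empty NodeSet should be logged or raised rather than silently leaving `idp_cert` unset. The enclosing method starts outside this hunk.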
@@ -514,11 +514,12 @@ module Spid
514
514
 
515
515
  return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
516
516
 
517
- unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
518
- # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
519
- # return append_error(error_msg)
520
- return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
521
- end
517
+ #DA-RIPRISTINARE!
518
+ # unless Spid::Saml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
519
+ # # error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
520
+ # # return append_error(error_msg)
521
+ # return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}")
522
+ # end
522
523
 
523
524
  true
524
525
  end
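Review bot: Commenting out the `uri_match?(destination, settings.assertion_consumer_service_url)` block makes this method return `true` for every Destination, so a Response addressed to a different endpoint (another SP, or a different ACS of this SP) is now accepted, and the change ships in a released version rather than behind a setting; the `#DA-RIPRISTINARE!` marker says it is meant to be restored, but a disabled validation should not reach a release. If the check was disabled because the SP now publishes several AssertionConsumerService URLs (see the `hash_assertion_consumer` change earlier in this diff), the fix is to match against all configured ACS URLs instead: `acs_urls = settings.hash_assertion_consumer.values.map { |h| h['url_consumer'] } << settings.assertion_consumer_service_url` and then `return soft ? false : validation_error("The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}") unless acs_urls.compact.any? { |u| Spid::Saml::Utils.uri_match?(destination, u) }`. The enclosing method starts outside this hunk.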
@@ -615,15 +616,25 @@ module Spid
615
616
 
616
617
  def get_fingerprint
617
618
  idp_metadata = Spid::Saml::Metadata.new(settings).get_idp_metadata
618
-
619
619
  if settings.idp_cert
620
- cert_text = Base64.decode64(settings.idp_cert)
621
- cert = OpenSSL::X509::Certificate.new(cert_text)
622
- Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
620
+ #controllo se ho n certificati
621
+ if settings.idp_cert.length > 1
622
+ array_fingerprint = []
623
+ settings.idp_cert.each{|cert_metadata_ipd|
624
+ cert_text = Base64.decode64(cert_metadata_ipd)
625
+ cert = OpenSSL::X509::Certificate.new(cert_text)
626
+ array_fingerprint << Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
627
+ }
628
+ return array_fingerprint
629
+ else
630
+ cert_text = Base64.decode64(settings.idp_cert[0])
631
+ cert = OpenSSL::X509::Certificate.new(cert_text)
632
+ return [Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")]
633
+ end
634
+
623
635
  else
624
- settings.idp_cert_fingerprint
636
+ return [settings.idp_cert_fingerprint]
625
637
  end
626
-
627
638
  end
628
639
 
629
640
  def validate_conditions(soft = true)
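Review bot: `settings.idp_cert.length > 1` assumes `idp_cert` is now always an Array; if a deployment still configures a single PEM string (the type the removed lines accepted), `length` is the string length, `settings.idp_cert.each` raises NoMethodError, and the else arm's `settings.idp_cert[0]` is the first character. The two arms also duplicate the decode-and-hash code, and the final `else` returns `[settings.idp_cert_fingerprint]`, which is `[nil]` when nothing is configured, so validate_document later calls `gsub` on nil instead of reporting a mismatch. `Array()` normalises both shapes and collapses the branches, and `idp_metadata` is assigned only for the side effect of populating `settings.idp_cert`, which deserves a comment. The method is contained in this hunk.

```ruby
def get_fingerprint
  # get_idp_metadata populates settings.idp_cert from the IdP metadata as a side effect
  Spid::Saml::Metadata.new(settings).get_idp_metadata
  # with no certificate, fall back to the configured fingerprint; [] (not [nil]) when unset
  return [settings.idp_cert_fingerprint].compact unless settings.idp_cert

  # idp_cert may be a single PEM string or an array of them
  Array(settings.idp_cert).map do |cert_pem|
    cert = OpenSSL::X509::Certificate.new(Base64.decode64(cert_pem))
    Digest::SHA2.hexdigest(cert.to_der).upcase.scan(/../).join(":")
  end
end
```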
@@ -200,7 +200,7 @@ module Spid
200
200
  def signed_element_id
201
201
  @signed_element_id ||= extract_signed_element_id
202
202
  end
203
-
203
+ #idp_cert_fingerprint e' un array di fingerprint
204
204
  def validate_document(idp_cert_fingerprint, soft = true, options = {})
205
205
  # get cert from response
206
206
  cert_element = REXML::XPath.first(
@@ -226,7 +226,11 @@ module Spid
226
226
  fingerprint = fingerprint_alg.hexdigest(cert.to_der)
227
227
 
228
228
  # check cert matches registered idp cert
229
- if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
229
+ trovato = false
230
+ idp_cert_fingerprint.each{|fingerprint_from_idp|
231
+ trovato = true if fingerprint_from_idp.gsub(/[^a-zA-Z0-9]/,"").downcase == fingerprint
232
+ }
233
+ if !trovato
230
234
  @errors << "Fingerprint mismatch"
231
235
  return append_error("Fingerprint mismatch", soft)
232
236
  end
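Review bot: The `trovato` flag loop is an `any?`: `trovato = idp_cert_fingerprint.compact.any? { |fp| fp.gsub(/[^a-zA-Z0-9]/, "").downcase == fingerprint }` with `unless trovato` in place of `if !trovato`. The `.compact` matters because get_fingerprint in this diff can return `[nil]` when neither a certificate nor a fingerprint is configured, and `nil.gsub` would raise here instead of recording "Fingerprint mismatch". Accepting a match against any configured fingerprint is the right behaviour for key rollover, provided the list comes from current metadata. The enclosing validate_document method starts in an earlier hunk and ends outside this one.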
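--- a/data/spid-es.gemspec
+++ b/data/spid-es.gemspec
@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name = 'spid-es'
-  s.version = '0.0.44'
+  s.version = '0.0.49'
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]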
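--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid-es
 version: !ruby/object:Gem::Version
-  version: 0.0.44
+  version: 0.0.49
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-11 00:00:00.000000000 Z
+date: 2021-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix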