[DRE-commits] [ruby-saml] 01/07: Merge tag 'upstream/1.3.0'
Praveen Arimbrathodiyil
praveen at moszumanska.debian.org
Sun Jul 10 08:32:25 UTC 2016
This is an automated email from the git hooks/post-receive script.
praveen pushed a commit to branch master
in repository ruby-saml.
commit ab477ce1d54c6ddb0612c9f47bf1f64f4390e66f
Merge: aa72668 07b3705
Author: Praveen Arimbrathodiyil <praveen at debian.org>
Date: Sun Jul 10 12:39:26 2016 +0530
Merge tag 'upstream/1.3.0'
Upstream version 1.3.0
README.md | 27 +++-
changelog.md | 22 ++-
lib/onelogin/ruby-saml/authrequest.rb | 4 +-
lib/onelogin/ruby-saml/error_handling.rb | 27 ++++
lib/onelogin/ruby-saml/idp_metadata_parser.rb | 96 +++++++++--
lib/onelogin/ruby-saml/logoutrequest.rb | 7 +-
lib/onelogin/ruby-saml/logoutresponse.rb | 40 +++--
lib/onelogin/ruby-saml/metadata.rb | 7 +-
lib/onelogin/ruby-saml/response.rb | 178 ++++++++++++++-------
lib/onelogin/ruby-saml/saml_message.rb | 13 +-
lib/onelogin/ruby-saml/settings.rb | 2 +
lib/onelogin/ruby-saml/slo_logoutrequest.rb | 61 ++++---
lib/onelogin/ruby-saml/slo_logoutresponse.rb | 6 +-
lib/onelogin/ruby-saml/utils.rb | 34 ++--
lib/onelogin/ruby-saml/version.rb | 2 +-
lib/xml_security.rb | 60 +++----
ruby-saml.gemspec | 5 +-
test/idp_metadata_parser_test.rb | 28 ++++
test/logoutrequest_test.rb | 7 +-
test/logoutresponse_test.rb | 9 ++
test/metadata_test.rb | 16 +-
test/request_test.rb | 2 +-
test/response_test.rb | 89 ++++++++++-
test/responses/idp_descriptor.xml | 2 +-
test/responses/response_with_retrieval_method.xml | 26 +++
.../response_without_reference_uri.xml.base64 | 2 +-
test/settings_test.rb | 2 +-
test/slo_logoutrequest_test.rb | 31 +++-
test/slo_logoutresponse_test.rb | 4 +-
test/test_helper.rb | 2 +-
test/utils_test.rb | 15 +-
test/xml_security_test.rb | 2 +
32 files changed, 612 insertions(+), 216 deletions(-)
diff --cc README.md
index 64d4ecb,04b2b50..8579ada
--- a/README.md
+++ b/README.md
@@@ -1,12 -1,21 +1,27 @@@
# Ruby SAML [](http://travis-ci.org/onelogin/ruby-saml) [](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [](http://badge.fury.io/rb/ruby-saml)
+ ## Updating from 1.2.x to 1.3.X
+
+ Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes. It adds security improvements in order to prevent Signature wrapping attacks. [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
+ ## Updating from 1.1.x to 1.2.X
+
+ Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom, refactor error handling and some minor improvements
+
+ There is no compatibility issue detected.
+
+ For more details, please review [the changelog](changelog.md).
+
+ ## Updating from 1.0.x to 1.1.X
+
+ Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+## Updating from 1.0.x to 1.1.X
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
+For more details, please review [the changelog](changelog.md).
+
## Updating from 0.9.x to 1.0.X
Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
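Review bot: the merge leaves the "Updating from 1.0.x to 1.1.X" section in README.md twice: once from the upstream side (the `+ ## Updating from 1.0.x to 1.1.X` heading and its `+ Version \`1.1\` adds some improvements on signature validation...` paragraph) and once from the local side (the `+## Updating from 1.0.x to 1.1.X` heading with the same paragraph and the `+For more details, please review [the changelog](changelog.md).` line). One copy should be dropped before this ships, keeping the version that carries the changelog link so the section reads like the 1.2.X and 1.3.X ones above it.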
diff --cc changelog.md
index 97e2a03,5b2e8b4..07f14f7
--- a/changelog.md
+++ b/changelog.md
@@@ -1,6 -1,25 +1,26 @@@
# RubySaml Changelog
- ### 1.1.2 (February 15, 2015)
+ ### 1.3.0 (June 24, 2016)
+ * [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
+ * Fix XMLSecurity SHA256 and SHA512 uris
+ * [#326](https://github.com/onelogin/ruby-saml/pull/326) Fix Destination validation
+
+ ### 1.2.0 (April 29, 2016)
+ * [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
+ * [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom
+ * [#297](https://github.com/onelogin/ruby-saml/pull/297) Implement EncryptedKey RetrievalMethod support
+ * [#298](https://github.com/onelogin/ruby-saml/pull/298) IDP metadata parsing improved: binding parsing, fingerprint_algorithm support)
+ * [#299](https://github.com/onelogin/ruby-saml/pull/299) Make 'signing' at KeyDescriptor optional
+ * [#308](https://github.com/onelogin/ruby-saml/pull/308) Support name_id_format on SAMLResponse
+ * [#315](https://github.com/onelogin/ruby-saml/pull/315) Support for canonicalization with comments
+ * [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
+ * [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
+ * Changes on empty URI of Signature reference management
+ * [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
+ * [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
+
+ ### 1.1.2 (February 15, 2016)
++>>>>>>> upstream/1.3.0
* Improve signature validation. Add tests.
[#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
* [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.
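Review bot: a merge conflict marker survives in the merged changelog.md: the line `++>>>>>>> upstream/1.3.0` sits between `### 1.1.2 (February 15, 2016)` and `* Improve signature validation. Add tests.` and will be published as part of the changelog unless removed; the rest of the file should be checked for a matching `<<<<<<<` / `=======` pair that this hunk does not show. A smaller point in the same region: the entry `[#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.` is missing the leading `* ` that every other item in the list has, so it renders as a continuation of the previous bullet.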
diff --cc lib/onelogin/ruby-saml/response.rb
index f18c92b,4dc4507..39a7ab4
--- a/lib/onelogin/ruby-saml/response.rb
+++ b/lib/onelogin/ruby-saml/response.rb
@@@ -294,25 -288,35 +288,36 @@@ module OneLogi
# @return [Boolean] True if the SAML Response is valid, otherwise False if soft=True
# @raise [ValidationError] if soft == false and validation fails
#
- def validate
+ def validate(collect_errors = false)
reset_errors!
+
- validate_response_state &&
- validate_version &&
- validate_id &&
- validate_success_status &&
- validate_num_assertion &&
- validate_no_encrypted_attributes &&
- validate_signed_elements &&
- validate_structure &&
- validate_in_response_to &&
- validate_conditions &&
- validate_audience &&
- validate_destination &&
- validate_issuer &&
- validate_session_expiration &&
- validate_subject_confirmation &&
- validate_signature
+ return false unless validate_response_state
+
+ validations = [
+ :validate_response_state,
+ :validate_version,
+ :validate_id,
+ :validate_success_status,
+ :validate_num_assertion,
+ :validate_no_encrypted_attributes,
+ :validate_signed_elements,
+ :validate_structure,
+ :validate_in_response_to,
+ :validate_conditions,
+ :validate_audience,
+ :validate_destination,
+ :validate_issuer,
+ :validate_session_expiration,
+ :validate_subject_confirmation,
+ :validate_signature
+ ]
+
+ if collect_errors
+ validations.each { |validation| send(validation) }
+ @errors.empty?
+ else
+ validations.all? { |validation| send(validation) }
+ end
end
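Review bot: the YARD comment above `def validate(collect_errors = false)` still documents only the return value and the `soft == false` raise; the new `collect_errors` parameter needs a `@param collect_errors [Boolean]` line, and the comment should say how it interacts with `soft`, since with `soft == false` the first failing validator raises and the remaining checks in `validations` are never reached, so nothing is actually collected. Also, `:validate_response_state` is listed in `validations` even though `return false unless validate_response_state` has just run it; dropping it from the array avoids running the same check twice on every call.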
diff --cc test/responses/response_without_reference_uri.xml.base64
index dd5f7b5,603fceb..c0fc3ed
--- a/test/responses/response_without_reference_uri.xml.base64
+++ b/test/responses/response_without_reference_uri.xml.base64
@@@ -1,1 -1,1 +1,1 @@@
- PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB [...]
-PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB [...]
++PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9InBmeGQ1OTQzNDdkLTQ5NWYtYjhkMS0wZWUyLTQxY2ZkYTE0ZGQzNSIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMDEtMDJUMjI6NDg6NDhaIiBEZXN0aW5hdGlvbj0iaHR0cDovL2xvY2FsaG9zdDo5MDAxL3YxL3VzZXJzL2F1dGhvcml6ZS9zYW1sIiBDb25zZW50PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y29uc2VudDp1bnNwZWNpZmllZCIgSW5SZXNwb25zZVRvPSJfZWQ5MTVhNDAtNzRmYi0wMTMyLTViMTYtNDhlMGViMTRhMWM3Ij4NCiAgPElzc3VlciB [...]
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-saml.git