Merge branch 'master' of github.com:onelogin/ruby-saml

Author: pitbulk

.travis.yml

@@ -7,13 +7,13 @@ rvm:
   - 2.2.10
   - 2.3.8
   - 2.4.6
-  - 2.5.5
-  - 2.6.3
-  - 2.7.0
+  - 2.5.8
+  - 2.6.6
+  - 2.7.2
   - ree
   - jruby-1.7.27
   - jruby-9.1.17.0
-  - jruby-9.2.7.0
+  - jruby-9.2.13.0
 gemfile:
   - Gemfile
   - gemfiles/nokogiri-1.5.gemfile
@@ -29,7 +29,7 @@ matrix:
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: jruby-9.1.17.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: jruby-9.2.7.0
+    - rvm: jruby-9.2.13.0
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.1.5
       gemfile: gemfiles/nokogiri-1.5.gemfile
@@ -39,11 +39,11 @@ matrix:
       gemfile: gemfiles/nokogiri-1.5.gemfile
     - rvm: 2.4.6
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.5.5
+    - rvm: 2.5.8
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.6.3
+    - rvm: 2.6.6
       gemfile: gemfiles/nokogiri-1.5.gemfile
-    - rvm: 2.7.0
+    - rvm: 2.7.2
       gemfile: gemfiles/nokogiri-1.5.gemfile
 env:
   - JRUBY_OPTS="--debug"

README.md

@@ -292,6 +292,7 @@ response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_authnst
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_conditions: true}) # skips conditions
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_subject_confirmation: true}) # skips subject confirmation
 response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_recipient_check: true}) # doens't skip subject confirmation, but skips the recipient check which is a sub check of the subject_confirmation check
+response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], {skip_audience: true}) # skips audience check
 ```
 
 All that's left is to wrap everything in a controller and reference it in the initialization and consumption URLs in OneLogin. A full controller example could look like this:

lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -189,6 +189,7 @@ def get_idp_metadata(url, validate_cert)
         end
 
         get = Net::HTTP::Get.new(uri.request_uri)
+        get.basic_auth uri.user, uri.password if uri.user
         @response = http.request(get)
         return response.body if response.is_a? Net::HTTPSuccess
 

lib/onelogin/ruby-saml/response.rb

@@ -34,7 +34,7 @@ class Response < SamlMessage
       # This is not a whitelist to allow people extending OneLogin::RubySaml:Response
       # and pass custom options
       AVAILABLE_OPTIONS = [
-        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_authnstatement, :skip_conditions,
+        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_audience, :skip_authnstatement, :skip_conditions,
         :skip_destination, :skip_recipient_check, :skip_subject_confirmation
       ]
       # TODO: Update the comment on initialize to describe every option
@@ -47,6 +47,8 @@ class Response < SamlMessage
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
       #                          or skip the recipient validation of the subject confirmation element with :skip_recipient_check option
+      #                          or skip the audience validation with :skip_audience option
+      #
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
@@ -595,11 +597,13 @@ def validate_in_response_to
       end
 
       # Validates the Audience, (If the Audience match the Service Provider EntityID)
+      # If the response was initialized with the :skip_audience option, this validation is skipped,
       # If fails, the error is added to the errors array
       # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_audience
+        return true if options[:skip_audience]
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
         unless audiences.include? settings.sp_entity_id

lib/xml_security.rb

@@ -241,7 +241,7 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
       validate_signature(base64_cert, soft)
     end
 
-    def validate_document_with_cert(idp_cert)
+    def validate_document_with_cert(idp_cert, soft = true)
       # get cert from response
       cert_element = REXML::XPath.first(
         self,

ruby-saml.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
     "README.md"
   ]
   s.files = `git ls-files`.split("\n")
-  s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.homepage = %q{https://github.com/onelogin/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
     s.add_runtime_dependency('nokogiri', '<= 1.5.11')
   elsif RUBY_VERSION < '2.1'
     s.add_runtime_dependency('nokogiri', '>= 1.5.10', '<= 1.6.8.1')
-  elseif RUBY_VERSION < '2.3'
+  elsif RUBY_VERSION < '2.3'
     s.add_runtime_dependency('nokogiri', '>= 1.9.1', '<= 1.10.0')
   else
     s.add_runtime_dependency('nokogiri', '>= 1.10.5')

test/response_test.rb

@@ -38,6 +38,7 @@ class RubySamlTest < Minitest::Test
     let(:response_multiple_signed) { OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64")) }
     let(:response_audience_self_closed) { OneLogin::RubySaml::Response.new(read_response("response_audience_self_closed_tag.xml.base64")) }
     let(:response_invalid_audience) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_audience.xml.base64")) }
+    let(:response_invalid_audience_with_skip) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_audience.xml.base64"), {:skip_audience => true}) }
     let(:response_invalid_signed_element) { OneLogin::RubySaml::Response.new(read_invalid_response("response_invalid_signed_element.xml.base64")) }
     let(:response_invalid_issuer_assertion) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_assertion.xml.base64")) }
     let(:response_invalid_issuer_message) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_issuer_message.xml.base64")) }
@@ -703,6 +704,13 @@ def generate_audience_error(expected, actual)
         assert !response_invalid_audience.send(:validate_audience)
         assert_includes response_invalid_audience.errors, generate_audience_error(response_invalid_audience.settings.sp_entity_id, ['http://invalid.audience.com'])
       end
+
+      it "return true when there is no valid audience but skip_destination option is used" do
+        response_invalid_audience_with_skip.settings = settings
+        response_invalid_audience_with_skip.settings.sp_entity_id = "https://invalid.example.com/audience"
+        assert response_invalid_audience_with_skip.send(:validate_audience)
+        assert_empty response_invalid_audience_with_skip.errors
+      end
     end
 
     describe "#validate_issuer" do

test/xml_security_test.rb

@@ -395,6 +395,19 @@ class XmlSecurityTest < Minitest::Test
     end
 
     describe '#validate_document_with_cert' do
+      describe 'with invalid document ' do
+        describe 'when certificate is invalid' do
+          let(:document_data) { read_response('response_with_signed_message_and_assertion.xml')
+            .sub(/<ds:X509Certificate>.*<\/ds:X509Certificate>/, "<ds:X509Certificate>invalid<\/ds:X509Certificate>") }
+          let(:document) { OneLogin::RubySaml::Response.new(document_data).document }
+          let(:idp_cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }
+
+          it 'is invalid' do
+            refute document.validate_document_with_cert(idp_cert), 'Document should be invalid'
+          end
+        end
+      end
+
       describe 'with valid document ' do
         describe 'when response has cert' do
           let(:document_data) { read_response('response_with_signed_message_and_assertion.xml') }