ruby-saml 0.8.16 → 0.9

data/Rakefile

@@ -25,3 +25,17 @@ end
 task :test
 
 task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/changelog.md

@@ -1,13 +1,26 @@
 # RubySaml Changelog
-
-### 0.8.4 (March 5, 2018)
-* Improve the fix for CVE-2017-11428 to parse CDATA properly
-
-### 0.8.3 (Feb 27, 2018)
-* Fix vulnerability CVE-2017-11428. Process text of nodes properly, ignoring comments
-* Fix DigestMethod lookup bug #144
-
-### 0.8.2 (Jan 26, 2014)
+### 0.9 (Jan 26, 2015)
+* [#169](https://github.com/onelogin/ruby-saml/pull/169) WantAssertionSigned should be either true or false
+* [#167](https://github.com/onelogin/ruby-saml/pull/167) (doc update) make unit of clock drift obvious
+* [#160](https://github.com/onelogin/ruby-saml/pull/160) Extended solution for Attributes method [] can raise NoMethodError
+* [#158](https://github.com/onelogin/ruby-saml/pull/1) Added ability to specify attribute services in metadata
+* [#154](https://github.com/onelogin/ruby-saml/pull/154) Fix incorrect gem declaration statement
+* [#152](https://github.com/onelogin/ruby-saml/pull/152) Fix the PR #99
+* [#150](https://github.com/onelogin/ruby-saml/pull/150) Nokogiri already in gemspec
+* [#147](https://github.com/onelogin/ruby-saml/pull/147) Fix LogoutResponse issuer validation and implement SAML Response issuer validation.
+* [#144](https://github.com/onelogin/ruby-saml/pull/144) Fix DigestMethod lookup bug
+* [#139](https://github.com/onelogin/ruby-saml/pull/139) Fixes handling of some soft and hard validation failures
+* [#138](https://github.com/onelogin/ruby-saml/pull/138) Change logoutrequest.rb to UTC time
+* [#136](https://github.com/onelogin/ruby-saml/pull/136) Remote idp metadata
+* [#135](https://github.com/onelogin/ruby-saml/pull/135) Restored support for NIL as well as empty AttributeValues
+* [#134](https://github.com/onelogin/ruby-saml/pull/134) explicitly require "onelogin/ruby-saml/logging"
+* [#133](https://github.com/onelogin/ruby-saml/pull/133) Added license to gemspec
+* [#132](https://github.com/onelogin/ruby-saml/pull/132) Support AttributeConsumingServiceIndex in AuthnRequest
+* [#131](https://github.com/onelogin/ruby-saml/pull/131) Add ruby 2.1.1 to .travis.yml
+* [#122](https://github.com/onelogin/ruby-saml/pull/122) Fixes #112 and #117 in a backwards compatible manner
+* [#119](https://github.com/onelogin/ruby-saml/pull/119) Add support for extracting IdP details from metadata xml
+
+### 0.8.2 (Jan 26, 2015)
 * [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
 
 ### 0.8.0 (Feb 21, 2014)

data/lib/onelogin/ruby-saml/attribute_service.rb

@@ -0,0 +1,34 @@
+module OneLogin
+  module RubySaml
+    class AttributeService
+      attr_reader :attributes
+      attr_reader :name
+      attr_reader :index
+
+      def initialize
+        @index = "1"
+        @attributes = []
+      end
+
+      def configure(&block)
+        instance_eval &block
+      end
+
+      def configured?
+        @attributes.length > 0 && !@name.nil?
+      end
+
+      def service_name(name)
+        @name = name
+      end
+
+      def service_index(index)
+        @index = index
+      end
+      
+      def add_attribute(options={})
+        attributes << options 
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/attributes.rb

@@ -1,118 +1,91 @@
 module OneLogin
   module RubySaml
-
-    # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response. 
-    #
+    # Wraps all attributes and provides means to query them for single or multiple values.
+    # 
+    # For backwards compatibility Attributes#[] returns *first* value for the attribute.
+    # Turn off compatibility to make it return all values as an array:
+    #    Attributes.single_value_compatibility = false
     class Attributes
       include Enumerable
 
-      attr_reader :attributes
-
       # By default Attributes#[] is backwards compatible and
       # returns only the first value for the attribute
       # Setting this to `false` returns all values for an attribute
       @@single_value_compatibility = true
 
-      # @return [Boolean] Get current status of backwards compatibility mode.
-      #
+      # Get current status of backwards compatibility mode.
       def self.single_value_compatibility
         @@single_value_compatibility
       end
 
       # Sets the backwards compatibility mode on/off.
-      # @param value [Boolean]
-      #
       def self.single_value_compatibility=(value)
         @@single_value_compatibility = value
       end
 
-      # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+      # Initialize Attributes collection, optionally taking a Hash of attribute names and values.
+      #
+      # The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
       #    Attributes.new({
       #      'name' => ['value1', 'value2'],
       #      'mail' => ['value1'],
       #    })
-      #
       def initialize(attrs = {})
         @attributes = attrs
       end
 
 
       # Iterate over all attributes
-      #
       def each
         attributes.each{|name, values| yield name, values}
       end
 
-      
       # Test attribute presence by name
-      # @param name [String] The attribute name to be checked
-      #
       def include?(name)
-        attributes.has_key?(canonize_name(name)) || attributes.has_key?(name)
+        attributes.has_key?(canonize_name(name))
       end
       
       # Return first value for an attribute
-      # @param name [String] The attribute name
-      # @return [String] The value (First occurrence)
-      #
       def single(name)
-        multi(name).first if include?(name)
+        attributes[canonize_name(name)].first if include?(name)
       end
 
       # Return all values for an attribute
-      # @param name [String] The attribute name
-      # @return [Array] Values of the attribute
-      #
       def multi(name)
-        values = attributes[canonize_name(name)] || attributes[name]
-        
-        if values.is_a?(Array)
-          values
-        elsif !values.nil?
-          Array(values)
-        else
-          nil
-        end
+        attributes[canonize_name(name)]
       end
 
-      # Retrieve attribute value(s)
-      # @param name [String] The attribute name
-      # @return [String|Array] Depending on the single value compatibility status this returns:
-      #                        - First value if single_value_compatibility = true
-      #                          response.attributes['mail']  # => 'user@example.com'
-      #                        - All values if single_value_compatibility = false
-      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      # By default returns first value for an attribute.
+      #
+      # Depending on the single value compatibility status this returns first value
+      #    Attributes.single_value_compatibility = true # Default
+      #    response.attributes['mail']  # => 'user@example.com'
       #
+      # Or all values:
+      #    Attributes.single_value_compatibility = false
+      #    response.attributes['mail']  # => ['user@example.com','user@example.net']
       def [](name)
-        self.class.single_value_compatibility ? single(name) : multi(name)
+        self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
 
-      # @return [Array] Return all attributes as an array
-      #
+      # Return all attributes as an array
       def all
         attributes
       end
 
-      # @param name [String] The attribute name
-      # @param values [Array] The values
-      #
+      # Set values for an attribute, overwriting all existing values
       def set(name, values)
         attributes[canonize_name(name)] = values
       end
       alias_method :[]=, :set
 
-      # @param name [String] The attribute name
-      # @param values [Array] The values
-      #
+      # Add new attribute or new value(s) to an existing attribute
       def add(name, values = [])
         attributes[canonize_name(name)] ||= []
         attributes[canonize_name(name)] += Array(values)
       end
 
       # Make comparable to another Attributes collection based on attributes
-      # @param other [Attributes] An Attributes object to compare with
-      # @return [Boolean] True if are contains the same attributes and values
-      #
       def ==(other)
         if other.is_a?(Attributes)
           all == other.all
@@ -121,26 +94,15 @@ module OneLogin
         end
       end
 
-      def respond_to?(name)
-        attributes.respond_to?(name) || super
-      end
-
       protected
 
       # stringifies all names so both 'email' and :email return the same result
-      # @param name [String] The attribute name
-      # @return [String] stringified name
-      #
       def canonize_name(name)
         name.to_s
       end
 
-      def method_missing(name, *args, &block)
-        if attributes.respond_to?(name)
-          attributes.send(name, *args, &block)
-        else
-          super
-        end
+      def attributes
+        @attributes
       end
     end
   end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,21 +1,16 @@
-require "base64"
-require "zlib"
-require "cgi"
-require "onelogin/ruby-saml/utils"
-require "onelogin/ruby-saml/setting_error"
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
 
 module OneLogin
   module RubySaml
+  include REXML
+    class Authrequest < SamlMessage
 
-    class Authrequest
-      # AuthNRequest ID
-      attr_reader :uuid
+      attr_reader :uuid # Can be obtained if neccessary
 
-      # Initializes the AuthNRequest. An Authrequest Object.
-      # Asigns an ID, a random uuid.
-      #
       def initialize
-        @uuid = OneLogin::RubySaml::Utils.uuid
+        @uuid = "_" + UUID.new.generate
       end
 
       def create(settings, params = {})
@@ -26,25 +21,11 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
         @login_url = settings.idp_sso_target_url + request_params
       end
 
-      # Creates the Get parameters for the request.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [Hash] Parameters
-      #
       def create_params(settings, params={})
-        # The method expects :RelayState but sometimes we get 'RelayState' instead.
-        # Based on the HashWithIndifferentAccess value in Rails we could experience
-        # conflicts so this line will solve them.
-        relay_state = params[:RelayState] || params['RelayState']
-
-        if relay_state.nil?
-          params.delete(:RelayState)
-          params.delete('RelayState')
-        end
+        params = {} if params.nil?
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -54,30 +35,18 @@ module OneLogin
 
         Logging.debug "Created AuthnRequest: #{request}"
 
-        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
-        if Base64.respond_to?('strict_encode64')
-          base64_request = Base64.strict_encode64(request)
-        else
-          base64_request = Base64.encode64(request).gsub(/\n/, "")
-        end
-
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
-          url_string = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLRequest',
-            :data => base64_request,
-            :relay_state => relay_state,
-            :sig_alg => params['SigAlg']
-          )
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
-          if Base64.respond_to?('strict_encode64')
-            params['Signature'] = Base64.strict_encode64(signature)
-          else
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          end
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
         end
 
         params.each_pair do |key, value|
@@ -88,12 +57,7 @@ module OneLogin
       end
 
       def create_authentication_xml_doc(settings)
-        document = create_xml_document(settings)
-        sign_document(document, settings)
-      end
-
-      def create_xml_document(settings)
-        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
         request_doc = XMLSecurity::Document.new
         request_doc.uuid = uuid
@@ -102,65 +66,59 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+        root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
         root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
 
         # Conditionally defined elements based on settings
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.sp_entity_id != nil
+        if settings.issuer != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.sp_entity_id
-        end
-
-        if settings.name_identifier_value_requested != nil
-          subject = root.add_element "saml:Subject"
-
-          nameid = subject.add_element "saml:NameID"
-          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
-          nameid.text = settings.name_identifier_value_requested
-
-          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
-          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+          issuer.text = settings.issuer
         end
-
         if settings.name_identifier_format != nil
           root.add_element "samlp:NameIDPolicy", {
-              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
               # Might want to make AllowCreate a setting?
               "AllowCreate" => "true",
               "Format" => settings.name_identifier_format
           }
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
+        if settings.authn_context || settings.authn_context_decl_ref
+
+          if settings.authn_context_comparison != nil
+            comparison = settings.authn_context_comparison
+          else
+            comparison = 'exact'
+          end
+
           requested_context = root.add_element "samlp:RequestedAuthnContext", {
-            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-            "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+            "Comparison" => comparison,
           }
-          class_ref.text = settings.authn_context
+
+          if settings.authn_context != nil
+            class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+            class_ref.text = settings.authn_context
+          end
+          # add saml:AuthnContextDeclRef element
+          if settings.authn_context_decl_ref != nil
+            class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+            class_ref.text = settings.authn_context_decl_ref
+          end
         end
-        request_doc
-      end
 
-      def sign_document(document, settings)
-        # embed signature
-        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
-          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        # embebed sign
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        document
+        request_doc
       end
 
     end