ruby-saml 0.8.18 → 0.9

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -3,11 +3,7 @@ require "time"
 
 module OneLogin
   module RubySaml
-    class Logoutresponse
-
-      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-
+    class Logoutresponse < SamlMessage
       # For API compability, this is mutable.
       attr_accessor :settings
 
@@ -28,27 +24,16 @@ module OneLogin
         self.settings = settings
 
         @options = options
-        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
+        @response = decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
-      def response_id
-        @response_id ||= begin
-          node = REXML::XPath.first(
-            document,
-            "/p:LogoutResponse",
-            { "p" => PROTOCOL }
-          )
-          node.nil? ? nil : node.attributes['ID']
-        end
-      end
-
       def validate!
         validate(false)
       end
 
       def validate(soft = true)
-        return false unless validate_structure(soft)
+        return false unless valid_saml?(document, soft) && valid_state?(soft)
 
         valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
       end
@@ -62,7 +47,7 @@ module OneLogin
 
       def in_response_to
         @in_response_to ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL })
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
           node.nil? ? nil : node.attributes['InResponseTo']
         end
       end
@@ -70,7 +55,8 @@ module OneLogin
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          Utils.element_text(node)
+          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
         end
       end
 
@@ -83,16 +69,24 @@ module OneLogin
 
       private
 
-      def validate_structure(soft = true)
-        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
-          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
-          @xml = Nokogiri::XML(self.document.to_s)
+      def valid_state?(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
         end
-        if soft
-          @schema.validate(@xml).map{ return false }
-        else
-          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+
+        if settings.issuer.nil?
+          return soft ? false : validation_error("No issuer in settings")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
         end
+
+        true
       end
 
       def valid_in_response_to?(soft = true)
@@ -106,17 +100,13 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+        return true if self.settings.idp_entity_id.nil? or self.issuer.nil?
 
-        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
+        unless URI.parse(self.issuer) == URI.parse(self.settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
         end
         true
       end
-
-      def validation_error(message)
-        raise ValidationError.new(message)
-      end
     end
   end
 end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -2,6 +2,8 @@ require "rexml/document"
 require "rexml/xpath"
 require "uri"
 
+require "onelogin/ruby-saml/logging"
+
 # Class to return SP metadata based on the settings requested.
 # Return this XML in a controller, then give that URL to the the
 # IdP administrator.  The IdP will poll the URL and your settings
@@ -17,49 +19,77 @@ module OneLogin
         }
         sp_sso = root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
-            # Metadata request need not be signed (as we don't publish our cert)
-            "AuthnRequestsSigned" => false,
+            "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
-            "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
+            "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
         }
-        if settings.sp_entity_id != nil
-          root.attributes["entityID"] = settings.sp_entity_id
+        if settings.issuer
+          root.attributes["entityID"] = settings.issuer
         end
-        if settings.single_logout_service_url != nil
+        if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
-              # Add this as a setting to create different bindings?
-              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Binding" => settings.single_logout_service_binding,
               "Location" => settings.single_logout_service_url,
               "ResponseLocation" => settings.single_logout_service_url,
               "isDefault" => true,
               "index" => 0
           }
         end
-        if settings.name_identifier_format != nil
+        if settings.name_identifier_format
           name_id = sp_sso.add_element "md:NameIDFormat"
           name_id.text = settings.name_identifier_format
         end
-        if settings.assertion_consumer_service_url != nil
+        if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
-              # Add this as a setting to create different bindings?
-              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Binding" => settings.assertion_consumer_service_binding,
               "Location" => settings.assertion_consumer_service_url,
               "isDefault" => true,
               "index" => 0
           }
         end
+
+        # Add KeyDescriptor if messages will be signed
+        cert = settings.get_sp_cert()
+        if cert
+          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          xd = ki.add_element "ds:X509Data"
+          xc = xd.add_element "ds:X509Certificate"
+          xc.text = Base64.encode64(cert.to_der).gsub("\n", '')
+        end
+
+        if settings.attribute_consuming_service.configured?
+          sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
+            "isDefault" => "true",
+            "index" => settings.attribute_consuming_service.index 
+          }
+          srv_name = sp_acs.add_element "md:ServiceName", {
+            "xml:lang" => "en"
+          }
+          srv_name.text = settings.attribute_consuming_service.name
+          settings.attribute_consuming_service.attributes.each do |attribute|
+            sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
+              "NameFormat" => attribute[:name_format],
+              "Name" => attribute[:name], 
+              "FriendlyName" => attribute[:friendly_name]
+            }
+            unless attribute[:attribute_value].nil?
+              sp_attr_val = sp_req_attr.add_element "md:AttributeValue"
+              sp_attr_val.text = attribute[:attribute_value]
+            end
+          end
+        end
+
         # With OpenSSO, it might be required to also include
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new
+        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         meta_doc.write(ret, 1)
 
-        Logging.debug "Generated metadata:\n#{ret}"
-
-        ret
+        return ret
       end
     end
   end