ruby-saml 1.1.2 → 1.2.0

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -5,6 +5,7 @@ require 'nokogiri'
 require 'rexml/document'
 require 'rexml/xpath'
 require 'thread'
+require "onelogin/ruby-saml/error_handling"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -69,23 +70,15 @@ module OneLogin
           end
         rescue Exception => error
           return false if soft
-          validation_error("XML load failed: #{error.message}")
+          raise ValidationError.new("XML load failed: #{error.message}")
         end
 
         SamlMessage.schema.validate(xml).map do |error|
           return false if soft
-          validation_error("#{error.message}\n\n#{xml.to_s}")
+          raise ValidationError.new("#{error.message}\n\n#{xml.to_s}")
         end
       end
 
-      # Raise a ValidationError with the provided message
-      # @param message [String] Message of the exception
-      # @raise [ValidationError]
-      #
-      def validation_error(message)
-        raise ValidationError.new(message)
-      end
-
       private
 
       # Base64 decode and try also to inflate a SAML Message

data/lib/onelogin/ruby-saml/settings.rb

@@ -28,6 +28,7 @@ module OneLogin
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert_fingerprint_algorithm
+      attr_accessor :idp_attribute_names
       # SP Data
       attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
@@ -153,6 +154,7 @@ module OneLogin
           :authn_requests_signed    => false,
           :logout_requests_signed   => false,
           :logout_responses_signed  => false,
+          :want_assertions_signed   => false,
           :metadata_signed          => false,
           :embed_sign               => false,
           :digest_method            => XMLSecurity::Document::SHA1,

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -11,13 +11,11 @@ module OneLogin
     # SAML2 Logout Request (SLO IdP initiated, Parser)
     #
     class SloLogoutrequest < SamlMessage
+      include ErrorHandling
 
       # OneLogin::RubySaml::Settings Toolkit settings
       attr_accessor :settings
 
-      # Array with the causes [Array of strings]
-      attr_accessor :errors
-
       attr_reader :document
       attr_reader :request
       attr_reader :options
@@ -32,15 +30,15 @@ module OneLogin
       # @raise [ArgumentError] If Request is nil
       #
       def initialize(request, options = {})
-        @errors = []
         raise ArgumentError.new("Request cannot be nil") if request.nil?
-        @options  = options
 
+        @errors = []
+        @options = options
         @soft = true
-        if !options.empty? && !options[:settings].nil?
+        unless options[:settings].nil?
           @settings = options[:settings]
-          if !options[:settings].soft.nil? 
-            @soft = options[:settings].soft
+          unless @settings.soft.nil?
+            @soft = @settings.soft
           end
         end
 
@@ -48,23 +46,12 @@ module OneLogin
         @document = REXML::Document.new(@request)
       end
 
-      # Append the cause to the errors array, and based on the value of soft, return false or raise
-      # an exception
-      def append_error(error_msg)
-        @errors << error_msg
-        return soft ? false : validation_error(error_msg)
-      end
-
-      # Reset the errors array
-      def reset_errors!
-        @errors = []
-      end
-
       # Validates the Logout Request with the default values (soft = true)
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating.
       # @return [Boolean] TRUE if the Logout Request is valid
       #
-      def is_valid?
-        validate
+      def is_valid?(collect_errors = false)
+        validate(collect_errors)
       end
 
       # @return [String] Gets the NameID of the Logout Request.
@@ -132,19 +119,32 @@ module OneLogin
       private
 
       # Hard aux function to validate the Logout Request
+      # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the Logout Request is valid
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate
+      def validate(collect_errors = false)
         reset_errors!
 
-        validate_request_state &&
-        validate_id &&
-        validate_version &&        
-        validate_structure &&
-        validate_not_on_or_after &&
-        validate_issuer &&
-        validate_signature
+        if collect_errors
+          validate_request_state
+          validate_id
+          validate_version
+          validate_structure
+          validate_not_on_or_after
+          validate_issuer
+          validate_signature
+
+          @errors.empty?
+        else
+          validate_request_state &&
+          validate_id &&
+          validate_version &&
+          validate_structure &&
+          validate_not_on_or_after &&
+          validate_issuer &&
+          validate_signature
+        end
       end
 
       # Validates that the Logout Request contains an ID
@@ -213,7 +213,7 @@ module OneLogin
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_issuer
-        return true if settings.idp_entity_id.nil? || issuer.nil?
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
 
         unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
           return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
@@ -230,7 +230,7 @@ module OneLogin
         return true if options.nil?
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        return true if settings.nil? || settings.get_idp_cert.nil?
+        return true if settings.get_idp_cert.nil?
 
         query_string = OneLogin::RubySaml::Utils.build_query(
           :type        => 'SAMLRequest',

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -1,7 +1,7 @@
-require "uuid"
-
 require "onelogin/ruby-saml/logging"
+
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -18,7 +18,7 @@ module OneLogin
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the Logout Response string.

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,9 +1,16 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
 module OneLogin
   module RubySaml
 
     # SAML2 Auxiliary class
-    #    
+    #
     class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
 
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
@@ -30,7 +37,7 @@ module OneLogin
       # @return [String] The formatted private key
       #
       def self.format_private_key(key)
-        # don't try to format an encoded private key or if is empty  
+        # don't try to format an encoded private key or if is empty
         return key if key.nil? || key.empty? || key.match(/\x0d/)
 
         # is this an rsa key?
@@ -114,7 +121,7 @@ module OneLogin
           { 'xenc' => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']
-        retrieve_plaintext(node, symmetric_key, algorithm)        
+        retrieve_plaintext(node, symmetric_key, algorithm)
       end
 
       # Obtains the symmetric key from the EncryptedData element
@@ -122,19 +129,25 @@ module OneLogin
       # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
       # @return [String] The symmetric key
       def self.retrieve_symmetric_key(encrypt_data, private_key)
-        encrypted_symmetric_key_element = REXML::XPath.first(
+        encrypted_key = REXML::XPath.first(
           encrypt_data,
-          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue",
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
+           //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        encrypted_symmetric_key_element = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:CipherData/xenc:CipherValue",
           { "ds" => DSIG, "xenc" => XENC }
         )
         cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
         encrypt_method = REXML::XPath.first(
-          encrypt_data,
-          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod",
+          encrypted_key,
+          "./xenc:EncryptionMethod",
           {"ds" => DSIG,  "xenc" => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']
-        retrieve_plaintext(cipher_text, private_key, algorithm)        
+        retrieve_plaintext(cipher_text, private_key, algorithm)
       end
 
       # Obtains the deciphered text
@@ -152,7 +165,7 @@ module OneLogin
           when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
         end
 
-        if cipher          
+        if cipher
           iv_len = cipher.iv_len
           data = cipher_text[iv_len..-1]
           cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
@@ -167,6 +180,9 @@ module OneLogin
         end
       end
 
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.1.2'
+    VERSION = '1.2.0'
   end
 end

data/lib/xml_security.rb

@@ -29,7 +29,7 @@ require "openssl"
 require 'nokogiri'
 require "digest/sha1"
 require "digest/sha2"
-require "onelogin/ruby-saml/validation_error"
+require "onelogin/ruby-saml/error_handling"
 
 module XMLSecurity
 
@@ -48,9 +48,14 @@ module XMLSecurity
       end
 
       case algorithm
-        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
-        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
-        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
+             "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
+          Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11",
+             "http://www.w3.org/2006/12/xml-c14n11#WithComments"
+          Nokogiri::XML::XML_C14N_1_1
+        else
+          Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       end
     end
 
@@ -74,10 +79,10 @@ module XMLSecurity
   end
 
   class Document < BaseDocument
-    RSA_SHA1            = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-    RSA_SHA256            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-    RSA_SHA384            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
-    RSA_SHA512            = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+    RSA_SHA1        = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+    RSA_SHA256      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    RSA_SHA384      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+    RSA_SHA512      = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
     SHA1            = "http://www.w3.org/2000/09/xmldsig#sha1"
     SHA256          = "http://www.w3.org/2001/04/xmldsig-more#sha256"
     SHA384          = "http://www.w3.org/2001/04/xmldsig-more#sha384"
@@ -179,9 +184,9 @@ module XMLSecurity
   end
 
   class SignedDocument < BaseDocument
+    include OneLogin::RubySaml::ErrorHandling
 
     attr_accessor :signed_element_id
-    attr_accessor :errors
 
     def initialize(response, errors = [])
       super(response)
@@ -200,10 +205,14 @@ module XMLSecurity
         { "ds"=>DSIG }
       )
 
-      if cert_element        
+      if cert_element
         base64_cert = cert_element.text
         cert_text = Base64.decode64(base64_cert)
-        cert = OpenSSL::X509::Certificate.new(cert_text)
+        begin
+          cert = OpenSSL::X509::Certificate.new(cert_text)
+        rescue OpenSSL::X509::CertificateError => e
+          return append_error("Certificate Error", soft)
+        end
 
         if options[:fingerprint_alg]
           fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(options[:fingerprint_alg]).new
@@ -215,7 +224,7 @@ module XMLSecurity
         # check cert matches registered idp cert
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
           @errors << "Fingerprint mismatch"
-          return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Fingerprint mismatch"))
+          return append_error("Fingerprint mismatch", soft)
         end
       else
         if options[:cert]
@@ -224,8 +233,8 @@ module XMLSecurity
           if soft
             return false
           else
-            raise OneLogin::RubySaml::ValidationError.new("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings")
-          end          
+            return append_error("Certificate element missing in response (ds:X509Certificate) and not cert provided at settings", soft)
+          end
         end
       end
       validate_signature(base64_cert, soft)
@@ -273,12 +282,6 @@ module XMLSecurity
       noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
       noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
 
-      # Handle when no URI
-      noko_signed_info_reference_element_uri_attr = noko_signed_info_element.at_xpath('./ds:Reference', 'ds' => DSIG).attributes["URI"]
-      if (noko_signed_info_reference_element_uri_attr.value.empty?)
-        noko_signed_info_reference_element_uri_attr.value = "##{document.root.attribute('ID')}"
-      end
-
       canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
       noko_sig_element.remove
 
@@ -289,8 +292,8 @@ module XMLSecurity
       ref = REXML::XPath.first(sig_element, "//ds:Reference", {"ds"=>DSIG})
       uri = ref.attributes.get_attribute("URI").value
 
-      hashed_element = uri.empty? ? document : document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
-      # hashed_element = document.at_xpath("//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
+      hashed_element = document.at_xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
+      
       canon_algorithm = canon_algorithm REXML::XPath.first(
         ref,
         '//ds:CanonicalizationMethod',
@@ -313,7 +316,7 @@ module XMLSecurity
 
       unless digests_match?(hash, digest_value)
         @errors << "Digest mismatch"
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Digest mismatch"))
+        return append_error("Digest mismatch", soft)
       end
 
       # get certificate object
@@ -322,8 +325,7 @@ module XMLSecurity
 
       # verify signature
       unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
-        @errors << "Key validation error"
-        return soft ? false : (raise OneLogin::RubySaml::ValidationError.new("Key validation error"))
+        return append_error("Key validation error", soft)
       end
 
       return true
@@ -344,8 +346,8 @@ module XMLSecurity
 
       return nil if reference_element.nil?
 
-      sei = reference_element.attribute("URI").value[1..-1] 
-      sei.nil? ? self.root.attribute("ID") : sei
+      sei = reference_element.attribute("URI").value[1..-1]
+      sei.nil? ? reference_element.parent.parent.parent.attribute("ID").value : sei
     end
 
     def extract_inclusive_namespaces

data/ruby-saml.gemspec

@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
   s.summary = %q{SAML Ruby Tookit}
   s.test_files = `git ls-files test/*`.split("\n")
 
-  s.add_runtime_dependency('uuid', '~> 2.3')
+
 
   # Because runtime dependencies are determined at build time, we cannot make
   # Nokogiri's version dependent on the Ruby version, even though we would
@@ -33,6 +33,9 @@ Gem::Specification.new do |s|
   if defined?(JRUBY_VERSION)
     s.add_runtime_dependency('nokogiri', '>= 1.6.0')
     s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
+  elsif RUBY_VERSION < '1.9'
+    s.add_runtime_dependency('uuid')
+    s.add_runtime_dependency('nokogiri', '<= 1.5.11')
   else
     s.add_runtime_dependency('nokogiri', '>= 1.5.10')
   end

data/test/idp_metadata_parser_test.rb

@@ -28,7 +28,34 @@ class IdpMetadataParserTest < Minitest::Test
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
       assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
+      assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
     end
+
+    it "extract certificate from md:KeyDescriptor[@use='signing']" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = read_response("idp_descriptor.xml")
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+    end
+
+    it "extract certificate from md:KeyDescriptor[@use='encryption']" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+    end
+
+    it "extract certificate from md:KeyDescriptor" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = read_response("idp_descriptor.xml")
+      idp_metadata = idp_metadata.sub(/<md:KeyDescriptor use="signing">(.*?)<\/md:KeyDescriptor>/m, "")
+      idp_metadata = idp_metadata.sub('<md:KeyDescriptor use="encryption">', '<md:KeyDescriptor>')
+      settings = idp_metadata_parser.parse(idp_metadata)
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+    end
+
   end
 
   describe "download and parse IdP descriptor file" do
@@ -52,6 +79,7 @@ class IdpMetadataParserTest < Minitest::Test
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
       assert_equal "https://example.hello.com/access/saml/logout", settings.idp_slo_target_url
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", settings.name_identifier_format
+      assert_equal ["AuthToken", "SSOStartPage"], settings.idp_attribute_names
       assert_equal OpenSSL::SSL::VERIFY_PEER, @http.verify_mode
     end