ruby-saml 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d6958524060034d6eaaf5c0f968711ecdc45e2bd
-  data.tar.gz: f1714aa26982ce596b8e07f2e20a8637611d7523
+  metadata.gz: 39c30acdf4c50284b1112ea62b2be51c412cea9c
+  data.tar.gz: beeb518c01d3bb6d0b871a9909e7ab52f418eb4e
 SHA512:
-  metadata.gz: 1cb2ee3fefaec17210a0087dbadc68698b4fa9969d20c81512c9d1904bf941a59179a73b2d46ed52c38867f0c201b82e9f8cdd0f50b114103b7fe72cfcbb7bdc
-  data.tar.gz: ed45f61f08919d846edb627699ed1679f5d7e8c1c5136a4703d3c9129bc7259e9f761a1a8fc12bb439bd5e96128069c5c0b3b9115e1f8d38e55a874523793cec
+  metadata.gz: 387733f9fc5979968ec493dd2e961969925470ad5c2882a5b4e96266cac027d001a4ce5e11139948e5f2bef1f6cb1bbd436c617e3399fb605958ad76b9e93db5
+  data.tar.gz: ceeb701e8fe82826a20a1768406088cfd2a8f90f3970d95e6c79ca70cc609dac9072dfe58000f88cd8502e3e025fd1948fef0754d63387f0f922fe7fc1d53c39

data/README.md

@@ -1,5 +1,34 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.5.0 to 1.6.0
+
+Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and `SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters of these message types were provided via the constructor's `options[:get_params]` parameter. Unfortunately this can result in incompatibility with other SAML implementations; signatures are specified to be computed based on the _sender's_ URI-encoding of the message, which can differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that of Microsoft ADFS, so messages from ADFS can fail signature validation.
+
+The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is via the `options[:raw_get_params]` parameter. For example:
+
+```ruby
+# In this example `query_params` is assumed to contain decoded query parameters,
+# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
+settings = {
+  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.soft = false
+}
+options = {
+  get_params: {
+    "Signature" => query_params["Signature"],
+  },
+  raw_get_params: {
+    "SAMLRequest" => raw_query_params["SAMLRequest"],
+    "SigAlg" => raw_query_params["SigAlg"],
+    "RelayState" => raw_query_params["RelayState"],
+  },
+}
+slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
+raise "Invalid Logout Request" unless slo_logout_request.is_valid?
+```
+
+The old form is still supported for backward compatibility, but all Ruby SAML users should prefer `options[:raw_get_params]` where possible to ensure compatibility with other SAML implementations.
+
 ## Updating from 1.4.2 to 1.4.3
 
 Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
@@ -470,10 +499,8 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not
-  signature on Logout Response
-  settings.security[:want_assertions_signed]  = true     # Enable or not
-  the requirement of signed assertion
+  settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:want_assertions_signed]  = true     # Enable or not the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1

data/changelog.md

@@ -1,4 +1,11 @@
 # RubySaml Changelog
+### 1.6.0 (November 27, 2017)
+* [#418](https://github.com/onelogin/ruby-saml/pull/418) Improve SAML message signature validation using original encoded parameters instead decoded in order to avoid conflicts (URL-encoding is not canonical, reported issues with ADFS)
+* [#420](https://github.com/onelogin/ruby-saml/pull/420) Expose NameID Format on SloLogoutrequest
+* [#423](https://github.com/onelogin/ruby-saml/pull/423) Allow format_cert to work with chained certificates
+* [#422](https://github.com/onelogin/ruby-saml/pull/422) Use to_s for requested attribute value
+
+
 ### 1.5.0 (August 31, 2017)
 * [#400](https://github.com/onelogin/ruby-saml/pull/400) When validating Signature use stored IdP certficate if Signature contains no info about Certificate
 * [#402](https://github.com/onelogin/ruby-saml/pull/402)  Fix validate_response_state method that rejected SAMLResponses when using idp_cert_multi and idp_cert and idp_cert_fingerprint were not provided.

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -103,7 +103,7 @@ module OneLogin
         @entity_descriptor = nil
 
         if idpsso_descriptor.nil?
-          raise ArgumentError.new("idp_metadata may contain an IDPSSODescriptor element")
+          raise ArgumentError.new("idp_metadata must contain an IDPSSODescriptor element")
         end
 
         {

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -211,6 +211,12 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params])
+
+        if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
+          options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
+        end
+
         idp_cert = settings.get_idp_cert
         idp_certs = settings.get_idp_cert_multi
 
@@ -218,11 +224,11 @@ module OneLogin
           return options.has_key? :relax_signature_validation
         end
 
-        query_string = OneLogin::RubySaml::Utils.build_query(
-          :type        => 'SAMLResponse',
-          :data        => options[:get_params]['SAMLResponse'],
-          :relay_state => options[:get_params]['RelayState'],
-          :sig_alg     => options[:get_params]['SigAlg']
+        query_string = OneLogin::RubySaml::Utils.build_query_from_raw_parts(
+          :type            => 'SAMLResponse',
+          :raw_data        => options[:raw_get_params]['SAMLResponse'],
+          :raw_relay_state => options[:raw_get_params]['RelayState'],
+          :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
         if idp_certs.nil? || idp_certs[:signing].empty?

data/lib/onelogin/ruby-saml/metadata.rb

@@ -8,12 +8,12 @@ module OneLogin
   module RubySaml
 
     # SAML2 Metadata. XML Metadata Builder
-    # 
+    #
     class Metadata
 
       # Return SP metadata based on the settings.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param pretty_print [Boolean] Pretty print or not the response 
+      # @param pretty_print [Boolean] Pretty print or not the response
       #                               (No pretty print if you gonna validate the signature)
       # @return [String] XML Metadata of the Service Provider
       #
@@ -83,7 +83,7 @@ module OneLogin
         if settings.attribute_consuming_service.configured?
           sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
             "isDefault" => "true",
-            "index" => settings.attribute_consuming_service.index 
+            "index" => settings.attribute_consuming_service.index
           }
           srv_name = sp_acs.add_element "md:ServiceName", {
             "xml:lang" => "en"
@@ -92,14 +92,14 @@ module OneLogin
           settings.attribute_consuming_service.attributes.each do |attribute|
             sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
               "NameFormat" => attribute[:name_format],
-              "Name" => attribute[:name], 
+              "Name" => attribute[:name],
               "FriendlyName" => attribute[:friendly_name],
               "isRequired" => attribute[:is_required] || false
             }
             unless attribute[:attribute_value].nil?
               Array(attribute[:attribute_value]).each do |value|
                 sp_attr_val = sp_req_attr.add_element "saml:AttributeValue"
-                sp_attr_val.text = value.to_str
+                sp_attr_val.text = value.to_s
               end
             end
           end
@@ -121,7 +121,7 @@ module OneLogin
         # pretty print the XML so IdP administrators can easily see what the SP supports
         if pretty_print
           meta_doc.write(ret, 1)
-        else 
+        else
           ret = meta_doc.to_s
         end
 

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -66,6 +66,18 @@ module OneLogin
 
       alias_method :nameid, :name_id
 
+      # @return [String] Gets the NameID Format of the Logout Request.
+      #
+      def name_id_format
+        @name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+        @name_id_format ||=
+          if @name_id_node && @name_id_node.attribute("Format")
+            @name_id_node.attribute("Format").value
+          end
+      end
+
+      alias_method :nameid_format, :name_id_format
+
       # @return [String|nil] Gets the ID attribute from the Logout Request. if exists.
       #
       def id
@@ -229,6 +241,36 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
 
+        # SAML specifies that the signature should be derived from a concatenation
+        # of URI-encoded values _as sent by the IDP_:
+        #
+        # > Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given
+        # > value. The relying party MUST therefore perform the verification step using the original URL-encoded
+        # > values it received on the query string. It is not sufficient to re-encode the parameters after they have been
+        # > processed by software because the resulting encoding may not match the signer's encoding.
+        #
+        # <http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>
+        #
+        # If we don't have the original parts (for backward compatibility) required to correctly verify the signature,
+        # then fabricate them by re-encoding the parsed URI parameters, and hope that we're lucky enough to use
+        # the exact same URI-encoding as the IDP. (This is not the case if the IDP is ADFS!)
+        options[:raw_get_params] ||= {}
+        if options[:raw_get_params]['SAMLRequest'].nil? && !options[:get_params]['SAMLRequest'].nil?
+          options[:raw_get_params]['SAMLRequest'] = CGI.escape(options[:get_params]['SAMLRequest'])
+        end
+        if options[:raw_get_params]['RelayState'].nil? && !options[:get_params]['RelayState'].nil?
+          options[:raw_get_params]['RelayState'] = CGI.escape(options[:get_params]['RelayState'])
+        end
+        if options[:raw_get_params]['SigAlg'].nil? && !options[:get_params]['SigAlg'].nil?
+          options[:raw_get_params]['SigAlg'] = CGI.escape(options[:get_params]['SigAlg'])
+        end
+
+        # If we only received the raw version of SigAlg,
+        # then parse it back into the decoded params hash for convenience.
+        if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
+          options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
+        end
+
         idp_cert = settings.get_idp_cert
         idp_certs = settings.get_idp_cert_multi
 
@@ -236,11 +278,11 @@ module OneLogin
           return options.has_key? :relax_signature_validation
         end
 
-        query_string = OneLogin::RubySaml::Utils.build_query(
-          :type        => 'SAMLRequest',
-          :data        => options[:get_params]['SAMLRequest'],
-          :relay_state => options[:get_params]['RelayState'],
-          :sig_alg     => options[:get_params]['SigAlg']
+        query_string = OneLogin::RubySaml::Utils.build_query_from_raw_parts(
+          :type            => 'SAMLRequest',
+          :raw_data        => options[:raw_get_params]['SAMLRequest'],
+          :raw_relay_state => options[:raw_get_params]['RelayState'],
+          :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
 
         if idp_certs.nil? || idp_certs[:signing].empty?

data/lib/onelogin/ruby-saml/utils.rb

@@ -24,11 +24,19 @@ module OneLogin
         # don't try to format an encoded certificate or if is empty or nil
         return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
 
-        cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
-        cert = cert.gsub(/[\n\r\s]/, "")
-        cert = cert.scan(/.{1,64}/)
-        cert = cert.join("\n")
-        "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+        if cert.scan(/BEGIN CERTIFICATE/).length > 1
+          formatted_cert = []
+          cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
+            formatted_cert << format_cert(c)
+          }
+          formatted_cert.join("\n")
+        else
+          cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+          cert = cert.gsub(/[\n\r\s]/, "")
+          cert = cert.scan(/.{1,64}/)
+          cert = cert.join("\n")
+          "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+        end
       end
 
       # Return a properly formatted private key
@@ -67,6 +75,49 @@ module OneLogin
         url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
       end
 
+      # Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature
+      #
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :raw_data URI-encoded, base64 encoded SAMLRequest or SAMLResponse, as sent by IDP
+      # @option params [String] :raw_relay_state URI-encoded RelayState parameter, as sent by IDP
+      # @option params [String] :raw_sig_alg URI-encoded SigAlg parameter, as sent by IDP
+      # @return [String] The Query String
+      #
+      def self.build_query_from_raw_parts(params)
+        type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]}
+
+        url_string = "#{type}=#{raw_data}"
+        url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state
+        url_string << "&SigAlg=#{raw_sig_alg}"
+      end
+
+      # Prepare raw GET parameters (build them from normal parameters
+      # if not provided).
+      #
+      # @param rawparams [Hash] Raw GET Parameters
+      # @param params [Hash] GET Parameters
+      # @return [Hash] New raw parameters
+      # 
+      def self.prepare_raw_get_params(rawparams, params)
+        rawparams ||= {}
+
+        if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
+          rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
+        end
+        if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
+          rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
+        end        
+        if rawparams['RelayState'].nil? && !params['RelayState'].nil?
+          rawparams['RelayState'] = CGI.escape(params['RelayState'])
+        end
+        if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
+          rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
+        end
+
+        rawparams
+      end
+
       # Validate the Signature parameter sent on the HTTP-Redirect binding
       # @param params [Hash] Parameters to be used in the validation process
       # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.5.0'
+    VERSION = '1.6.0'
   end
 end

data/test/certificates/formatted_chained_certificate

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UE
+BhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVh
+MDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIx
+wsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNz
+c28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkq
+hkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jC
+mdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpw
+Vvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N
+4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0G
+CSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ
++4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/1
+2Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ
+-----END CERTIFICATE-----

data/test/certificates/invalid_chained_certificate1

@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE-----MIICPDCCAaWgAwIBAgIIEiC/9HMAWW AwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWE wMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIICPDCCAaWgAw IBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIICPDCCAaWgAwIBAgIIEiC/9HMAWWAwDQYJKoZIhvcNAQEFBQAwTzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2libTEMMAoGA1UECxMDc3NvMSQwIgYDVQQDExtjMjVhMDI3Ny50b3JvbnRvLmNhLmlibS5jb20wHhcNMTEwNTI0MTYzNTQ4WhcNMjEwNTIxwsQMPBj4WQTNzTYMCQYDVQQGEwJVUzEMMAoGA1UEChMDaWJtMQwwCgYDVQQLEwNzc28xJDAiBgNVBAMTG2MyNWEwMjc3LnRvcm9udG8uY2EuaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgzfYQZuf5FVdJTcrsIQZ+YHTPjOsw2MGo0jCmdGMcp4brWeFgk1OVaOmytPx6P76wHWR436AleX3crHBPd8gPxuZdnvBQ7PkrKpwVvaq52juenFrho8JY0TeVgVkY5jAh45YzytjP2y2k/cGQurI/56NT0PpQJ0S1G3N4eTg718CAwEAAaMhMB8wHQYDVR0OBBYEFCYVLJqcJ7WgdzGIsuJ/TzDGDqinMA0GCSqGSIb3DQEBBQUAA4GBAB80bIePf+qWDvWe+9bEEnbFTw7pCknLexxZ0AMqrsmZ+4jmI+evP1JZYCjfIg9X+MBH01hfp5dFcetz3o6w6SkV+BxLYLgfcy5KUcYsIM/12Zkedj87bS1glzOy5B89pKD2DMbu6828Abzgc+4lyQ2ASifsqM4cZdVayzo8n+dQ-----END CERTIFICATE-----

data/test/logout_requests/slo_request_with_name_id_format.xml

@@ -0,0 +1,4 @@
+<samlp:LogoutRequest Version='2.0' ID='_c0348950-935b-0131-1060-782bcb56fcaa' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' IssueInstant='2014-03-21T19:20:13'>
+  <saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>https://app.onelogin.com/saml/metadata/SOMEACCOUNT</saml:Issuer>
+  <saml:NameID xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>someone@example.org</saml:NameID>
+</samlp:LogoutRequest>

data/test/logoutresponse_test.rb

@@ -283,6 +283,80 @@ class RubySamlTest < Minitest::Test
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.send(:validate_signature) }
           assert logoutresponse.errors.include? "Invalid Signature on Logout Response"
         end
+
+        it "raise when get_params encoding differs from what this library generates" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.soft = false
+          options = {}
+          options[:get_params] = params
+          options[:get_params]['RelayState'] = 'http://example.com'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          # Assemble query string.
+          query = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => params['SAMLResponse'],
+            :relay_state => params['RelayState'],
+            :sig_alg => params['SigAlg']
+          )
+          # Modify the query string so that it encodes the same values,
+          # but with different percent-encoding. Sanity-check that they
+          # really are equialent before moving on.
+          original_query = query.dup
+          query.gsub!("example", "ex%61mple")
+          refute_equal(query, original_query)
+          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+          # Make normalised signature based on our modified params.
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          # Re-create the Logoutresponse based on these modified parameters,
+          # and ask it to validate the signature. It will do it incorrectly,
+          # because it will compute it based on re-encoded query parameters,
+          # rather than their original encodings.
+          options[:get_params] = params
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do
+            logoutresponse.send(:validate_signature)
+          end
+        end
+
+        it "return true even if raw_get_params encoding differs from what this library generates" do
+          settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+          settings.soft = false
+          options = {}
+          options[:get_params] = params
+          options[:get_params]['RelayState'] = 'http://example.com'
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          # Assemble query string.
+          query = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => params['SAMLResponse'],
+            :relay_state => params['RelayState'],
+            :sig_alg => params['SigAlg']
+          )
+          # Modify the query string so that it encodes the same values,
+          # but with different percent-encoding. Sanity-check that they
+          # really are equialent before moving on.
+          original_query = query.dup
+          query.gsub!("example", "ex%61mple")
+          refute_equal(query, original_query)
+          assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+          # Make normalised signature based on our modified params.
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+          params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          # Re-create the Logoutresponse based on these modified parameters,
+          # and ask it to validate the signature. Provide the altered parameter
+          # in its raw URI-encoded form, so that we don't have to guess the value
+          # that contributed to the signature.
+          options[:get_params] = params
+          options[:get_params].delete("RelayState")
+          options[:raw_get_params] = {
+            "RelayState" => "http%3A%2F%2Fex%61mple.com",
+          }
+          logoutresponse = OneLogin::RubySaml::Logoutresponse.new(params['SAMLResponse'], settings, options)
+          assert logoutresponse.send(:validate_signature)
+        end
       end
 
       describe "#validate_signature" do

data/test/metadata_test.rb

@@ -32,7 +32,7 @@ class MetadataTest < Minitest::Test
       assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", REXML::XPath.first(xml_doc, "//md:NameIDFormat").text.strip
 
       assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", acs.attribute("Binding").value
-      assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value      
+      assert_equal "https://foo.example/saml/consume", acs.attribute("Location").value
 
       assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
     end
@@ -225,7 +225,7 @@ class MetadataTest < Minitest::Test
       before do
         settings.attribute_consuming_service.configure do
           service_name "Test Service"
-          add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => ["Attribute Value One", "Attribute Value Two"])
+          add_attribute(:name => 'Name', :name_format => 'Name Format', :friendly_name => 'Friendly Name', :attribute_value => ['Attribute Value One', false])
         end
       end
 
@@ -240,20 +240,20 @@ class MetadataTest < Minitest::Test
 
         attribute_values = REXML::XPath.match(xml_doc, "//saml:AttributeValue").map(&:text)
         assert_equal "Attribute Value One", attribute_values[0]
-        assert_equal "Attribute Value Two", attribute_values[1]
+        assert_equal 'false', attribute_values[1]
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
     end
 
     describe "when attribute service is configured" do
-      let(:attr_svc)  { REXML::XPath.first(xml_doc, "//md:AttributeConsumingService") }
-      let(:req_attr)  { REXML::XPath.first(xml_doc, "//md:RequestedAttribute") }
+      let(:attr_svc) { REXML::XPath.first(xml_doc, '//md:AttributeConsumingService') }
+      let(:req_attr) { REXML::XPath.first(xml_doc, '//md:RequestedAttribute') }
 
       before do
         settings.attribute_consuming_service.configure do
           service_name "Test Service"
-          add_attribute(:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name", :attribute_value => "Attribute Value")
+          add_attribute(:name => 'active', :name_format => 'format', :friendly_name => 'Active', :attribute_value => true)
         end
       end
 
@@ -262,10 +262,10 @@ class MetadataTest < Minitest::Test
         assert_equal "1", attr_svc.attribute("index").value
         assert_equal REXML::XPath.first(xml_doc, "//md:ServiceName").text.strip, "Test Service"
 
-        assert_equal "Name", req_attr.attribute("Name").value
-        assert_equal "Name Format", req_attr.attribute("NameFormat").value
-        assert_equal "Friendly Name", req_attr.attribute("FriendlyName").value
-        assert_equal "Attribute Value", REXML::XPath.first(xml_doc, "//saml:AttributeValue").text.strip
+        assert_equal 'active', req_attr.attribute('Name').value
+        assert_equal 'format', req_attr.attribute('NameFormat').value
+        assert_equal 'Active', req_attr.attribute('FriendlyName').value
+        assert_equal 'true', REXML::XPath.first(xml_doc, '//saml:AttributeValue').text.strip
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
@@ -303,7 +303,7 @@ class MetadataTest < Minitest::Test
         assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], xml_text
         assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], xml_text
         signed_metadata = XMLSecurity::SignedDocument.new(xml_text)
-        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)        
+        assert signed_metadata.validate_document(ruby_saml_cert_fingerprint, false)
 
         assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
       end
@@ -321,7 +321,7 @@ class MetadataTest < Minitest::Test
 
           signed_metadata_2 = XMLSecurity::SignedDocument.new(xml_text)
 
-          assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)          
+          assert signed_metadata_2.validate_document(ruby_saml_cert_fingerprint, false)
 
           assert validate_xml!(xml_text, "saml-schema-metadata-2.0.xsd")
         end

data/test/slo_logoutrequest_test.rb

@@ -91,6 +91,14 @@ class RubySamlTest < Minitest::Test
       end
     end
 
+    describe "#nameid_format" do
+      let(:logout_request) { OneLogin::RubySaml::SloLogoutrequest.new(logout_request_document_with_name_id_format) }
+
+      it "extract the format attribute of the name id element" do
+        assert_equal "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", logout_request.nameid_format
+      end
+    end
+
     describe "#issuer" do
       it "return the issuer inside the logout request" do
         assert_equal "https://app.onelogin.com/saml/metadata/SOMEACCOUNT", logout_request.issuer
@@ -322,6 +330,78 @@ class RubySamlTest < Minitest::Test
           logout_request_sign_test.send(:validate_signature)
         end
       end
+
+      it "raise when get_params encoding differs from what this library generates" do
+        # Use Logoutrequest only to build the SAMLRequest parameter.
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        settings.soft = false
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, "RelayState" => "http://example.com")
+        # Assemble query string.
+        query = OneLogin::RubySaml::Utils.build_query(
+          :type => 'SAMLRequest',
+          :data => params['SAMLRequest'],
+          :relay_state => params['RelayState'],
+          :sig_alg => params['SigAlg']
+        )
+        # Modify the query string so that it encodes the same values,
+        # but with different percent-encoding. Sanity-check that they
+        # really are equialent before moving on.
+        original_query = query.dup
+        query.gsub!("example", "ex%61mple")
+        refute_equal(query, original_query)
+        assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+        # Make normalised signature based on our modified params.
+        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+        params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+        # Construct SloLogoutrequest and ask it to validate the signature.
+        # It will do it incorrectly, because it will compute it based on re-encoded
+        # query parameters, rather than their original encodings.
+        options = {}
+        options[:get_params] = params
+        options[:settings] = settings
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        assert_raises(OneLogin::RubySaml::ValidationError, "Invalid Signature on Logout Request") do
+          logout_request_sign_test.send(:validate_signature)
+        end
+      end
+
+      it "return true even if raw_get_params encoding differs from what this library generates" do
+        # Use Logoutrequest only to build the SAMLRequest parameter.
+        settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+        settings.soft = false
+        params = OneLogin::RubySaml::Logoutrequest.new.create_params(settings, "RelayState" => "http://example.com")
+        # Assemble query string.
+        query = OneLogin::RubySaml::Utils.build_query(
+          :type => 'SAMLRequest',
+          :data => params['SAMLRequest'],
+          :relay_state => params['RelayState'],
+          :sig_alg => params['SigAlg']
+        )
+        # Modify the query string so that it encodes the same values,
+        # but with different percent-encoding. Sanity-check that they
+        # really are equialent before moving on.
+        original_query = query.dup
+        query.gsub!("example", "ex%61mple")
+        refute_equal(query, original_query)
+        assert_equal(CGI.unescape(query), CGI.unescape(original_query))
+        # Make normalised signature based on our modified params.
+        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        signature = settings.get_sp_key.sign(sign_algorithm.new, query)
+        params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+        # Construct SloLogoutrequest and ask it to validate the signature.
+        # Provide the altered parameter in its raw URI-encoded form,
+        # so that we don't have to guess the value that contributed to the signature.
+        options = {}
+        options[:get_params] = params
+        options[:get_params].delete("RelayState")
+        options[:raw_get_params] = {
+          "RelayState" => "http%3A%2F%2Fex%61mple.com",
+        }
+        options[:settings] = settings
+        logout_request_sign_test = OneLogin::RubySaml::SloLogoutrequest.new(params['SAMLRequest'], options)
+        assert logout_request_sign_test.send(:validate_signature)
+      end
     end
 
     describe "#validate_signature with multiple idp certs" do

data/test/test_helper.rb

@@ -183,6 +183,15 @@ class Minitest::Test
     @logout_request_document
   end
 
+  def logout_request_document_with_name_id_format
+    unless @logout_request_document_with_name_id_format
+      xml = read_logout_request("slo_request_with_name_id_format.xml")
+      deflated = Zlib::Deflate.deflate(xml, 9)[2..-5]
+      @logout_request_document_with_name_id_format = Base64.encode64(deflated)
+    end
+    @logout_request_document_with_name_id_format
+  end
+
   def logout_request_xml_with_session_index
     @logout_request_xml_with_session_index ||= File.read(File.join(File.dirname(__FILE__), 'logout_requests', 'slo_request_with_session_index.xml'))
   end

data/test/utils_test.rb

@@ -2,9 +2,8 @@ require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 class UtilsTest < Minitest::Test
   describe ".format_cert" do
-    let(:formatted_certificate) do
-      read_certificate("formatted_certificate")
-    end
+    let(:formatted_certificate) {read_certificate("formatted_certificate")}
+    let(:formatted_chained_certificate) {read_certificate("formatted_chained_certificate")}
 
     it "returns empty string when the cert is an empty string" do
       cert = ""
@@ -34,6 +33,16 @@ class UtilsTest < Minitest::Test
       invalid_certificate3 = read_certificate("invalid_certificate3")
       assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)
     end
+
+    it "returns the chained certificate when it is a valid chained certificate" do
+      assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(formatted_chained_certificate)
+    end
+
+    it "reformats the chained certificate when there are spaces and no line breaks" do
+      invalid_chained_certificate1 = read_certificate("invalid_chained_certificate1")
+      assert_equal formatted_chained_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_chained_certificate1)
+    end
+
   end
 
   describe ".format_private_key" do
@@ -138,7 +147,7 @@ class UtilsTest < Minitest::Test
       status_error_msg2 = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code)
       assert_equal = "The status code of the Logout Response was not Success, was Requester", status_error_msg2
 
-      status_error_msg3 =  OneLogin::RubySaml::Utils.status_error_msg(error_msg)
+      status_error_msg3 = OneLogin::RubySaml::Utils.status_error_msg(error_msg)
       assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-31 00:00:00.000000000 Z
+date: 2017-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -190,11 +190,13 @@ files:
 - test/certificates/certificate1
 - test/certificates/certificate_without_head_foot
 - test/certificates/formatted_certificate
+- test/certificates/formatted_chained_certificate
 - test/certificates/formatted_private_key
 - test/certificates/formatted_rsa_private_key
 - test/certificates/invalid_certificate1
 - test/certificates/invalid_certificate2
 - test/certificates/invalid_certificate3
+- test/certificates/invalid_chained_certificate1
 - test/certificates/invalid_private_key1
 - test/certificates/invalid_private_key2
 - test/certificates/invalid_private_key3
@@ -210,6 +212,7 @@ files:
 - test/logout_requests/slo_request.xml
 - test/logout_requests/slo_request.xml.base64
 - test/logout_requests/slo_request_deflated.xml.base64
+- test/logout_requests/slo_request_with_name_id_format.xml
 - test/logout_requests/slo_request_with_session_index.xml
 - test/logout_responses/logoutresponse_fixtures.rb
 - test/logoutrequest_test.rb
@@ -330,7 +333,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.5.1
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
@@ -338,11 +341,13 @@ test_files:
 - test/certificates/certificate1
 - test/certificates/certificate_without_head_foot
 - test/certificates/formatted_certificate
+- test/certificates/formatted_chained_certificate
 - test/certificates/formatted_private_key
 - test/certificates/formatted_rsa_private_key
 - test/certificates/invalid_certificate1
 - test/certificates/invalid_certificate2
 - test/certificates/invalid_certificate3
+- test/certificates/invalid_chained_certificate1
 - test/certificates/invalid_private_key1
 - test/certificates/invalid_private_key2
 - test/certificates/invalid_private_key3
@@ -358,6 +363,7 @@ test_files:
 - test/logout_requests/slo_request.xml
 - test/logout_requests/slo_request.xml.base64
 - test/logout_requests/slo_request_deflated.xml.base64
+- test/logout_requests/slo_request_with_name_id_format.xml
 - test/logout_requests/slo_request_with_session_index.xml
 - test/logout_responses/logoutresponse_fixtures.rb
 - test/logoutrequest_test.rb