ruby-saml 1.9.0 → 1.14.0

data/UPGRADING.md

@@ -0,0 +1,149 @@
+# Ruby SAML Migration Guide
+
+## Updating from 1.12.x to 1.13.0
+
+Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
+deprecates `settings.security[:embed_sign]`. If specified, new binding parameters will be used in place of `:embed_sign`
+to determine how to handle SAML message signing (`HTTP-POST` embeds signature and `HTTP-Redirect` does not.)
+
+In addition, the `IdpMetadataParser#parse`, `#parse_to_hash` and `#parse_to_array` methods now retrieve
+`idp_sso_service_binding` and `idp_slo_service_binding`.
+
+Lastly, for convenience you may now use the Symbol aliases `:post` and `:redirect` for any `settings.*_binding` parameter.
+
+## Upgrading from 1.11.x to 1.12.0
+
+Version `1.12.0` adds support for gcm algorithm and
+change/adds specific error messages for signature validations
+
+`idp_sso_target_url` and `idp_slo_target_url` attributes of the Settings class deprecated
+in favor of `idp_sso_service_url` and `idp_slo_service_url`. The `IdpMetadataParser#parse`,
+`#parse_to_hash` and `#parse_to_array` methods now retrieve SSO URL and SLO URL endpoints with
+`idp_sso_service_url` and `idp_slo_service_url` (previously `idp_sso_target_url` and
+`idp_slo_target_url` respectively).
+
+## Upgrading from 1.10.x to 1.11.0
+
+Version `1.11.0` deprecates the use of `settings.issuer` in favour of `settings.sp_entity_id`.
+There are two new security settings: `settings.security[:check_idp_cert_expiration]` and
+`settings.security[:check_sp_cert_expiration]` (both false by default) that check if the
+IdP or SP X.509 certificate has expired, respectively.
+
+Version `1.10.2` includes the `valid_until` attribute in parsed IdP metadata.
+
+Version `1.10.1` improves Ruby 1.8.7 support.
+
+## Upgrading from 1.9.0 to 1.10.0
+
+Version `1.10.0` improves IdpMetadataParser to allow parse multiple IDPSSODescriptor,
+Add Subject support on AuthNRequest to allow SPs provide info to the IdP about the user
+to be authenticated and updates the format_cert method to accept certs with /\x0d/
+
+## Upgrading from 1.8.0 to 1.9.0
+
+Version `1.9.0` better supports Ruby 2.4+ and JRuby 9.2.0.0. `Settings` initialization
+now has a second parameter, `keep_security_settings` (default: false), which saves security
+settings attributes that are not explicitly overridden, if set to true.
+
+## Upgrading from 1.7.x to 1.8.0
+
+On Version `1.8.0`, creating AuthRequests/LogoutRequests/LogoutResponses with nil RelayState
+param will not generate a URL with an empty RelayState parameter anymore. It also changes
+the invalid audience error message.
+
+## Upgrading from 1.6.0 to 1.7.0
+
+Version `1.7.0` is a recommended update for all Ruby SAML users as it includes a fix for
+the [CVE-2017-11428](https://www.cvedetails.com/cve/CVE-2017-11428/) vulnerability.
+
+## Upgrading from 1.5.0 to 1.6.0
+
+Version `1.6.0` changes the preferred way to construct instances of `Logoutresponse` and
+`SloLogoutrequest`. Previously the _SAMLResponse_, _RelayState_, and _SigAlg_ parameters
+of these message types were provided via the constructor's `options[:get_params]` parameter.
+Unfortunately this can result in incompatibility with other SAML implementations; signatures
+are specified to be computed based on the _sender's_ URI-encoding of the message, which can
+differ from that of Ruby SAML. In particular, Ruby SAML's URI-encoding does not match that
+of Microsoft ADFS, so messages from ADFS can fail signature validation.
+
+The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is via the
+`options[:raw_get_params]` parameter. For example:
+
+```ruby
+# In this example `query_params` is assumed to contain decoded query parameters,
+# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
+settings = {
+  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.soft = false
+}
+options = {
+  get_params: {
+    "Signature" => query_params["Signature"],
+  },
+  raw_get_params: {
+    "SAMLRequest" => raw_query_params["SAMLRequest"],
+    "SigAlg" => raw_query_params["SigAlg"],
+    "RelayState" => raw_query_params["RelayState"],
+  },
+}
+slo_logout_request = OneLogin::RubySaml::SloLogoutrequest.new(query_params["SAMLRequest"], settings, options)
+raise "Invalid Logout Request" unless slo_logout_request.is_valid?
+```
+
+The old form is still supported for backward compatibility, but all Ruby SAML users
+should prefer `options[:raw_get_params]` where possible to ensure compatibility with
+other SAML implementations.
+
+## Upgrading from 1.4.2 to 1.4.3
+
+Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
+The 'Recipient' value is compared with the settings.assertion_consumer_service_url
+value.
+
+If you want to skip that validation, add the :skip_recipient_check option to the
+initialize method of the Response object.
+
+Parsing metadata that contains more than one certificate will propagate the
+idp_cert_multi property rather than idp_cert. See [signature validation
+section](#signature-validation) for details.
+
+## Upgrading from 1.3.x to 1.4.x
+
+Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.
+
+## Upgrading from 1.2.x to 1.3.x
+
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+It adds security improvements in order to prevent Signature wrapping attacks.
+[CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
+
+## Upgrading from 1.1.x to 1.2.x
+
+Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom,
+refactor error handling and some minor improvements.
+
+There is no compatibility issue detected.
+
+For more details, please review [CHANGELOG.md](CHANGELOG.md).
+
+## Upgrading from 1.0.x to 1.1.x
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
+## Upgrading from 0.9.x to 1.0.x
+
+Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
+
+Version `1.0` adds security improvements like entity expansion limitation, more SAML message validations, and other important improvements like decrypt support.
+
+### Important Changes
+
+Please note the `get_idp_metadata` method raises an exception when it is not able to fetch the idp metadata, so review your integration if you are using this functionality.
+
+## Upgrading from 0.8.x to 0.9.x
+
+Version `0.9` adds many new features and improvements.
+
+## Upgrading from 0.7.x to 0.8.x
+
+Version `0.8.x` changes the namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.

data/lib/onelogin/ruby-saml/attributes.rb

@@ -79,7 +79,7 @@ module OneLogin
         self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
       end
 
-      # @return [Array] Return all attributes as an array
+      # @return [Hash] Return all attributes as a hash
       #
       def all
         attributes
@@ -113,6 +113,29 @@ module OneLogin
         end
       end
 
+      # Fetch attribute value using name or regex
+      # @param name [String|Regexp] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def fetch(name)
+        attributes.each_key do |attribute_key|
+          if name.is_a?(Regexp)
+            if name.respond_to? :match?
+              return self[attribute_key] if name.match?(attribute_key)
+            else 
+              return self[attribute_key] if name.match(attribute_key)
+            end
+          elsif canonize_name(name) == canonize_name(attribute_key)
+            return self[attribute_key]
+          end
+        end
+        nil
+      end
+
       protected
 
       # stringifies all names so both 'email' and :email return the same result

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -3,6 +3,7 @@ require "rexml/document"
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -14,7 +15,7 @@ module OneLogin
     class Authrequest < SamlMessage
 
       # AuthNRequest ID
-      attr_reader :uuid
+      attr_accessor :uuid
 
       # Initializes the AuthNRequest. An Authrequest Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -23,6 +24,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       # Creates the AuthNRequest string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
@@ -30,14 +35,14 @@ module OneLogin
       #
       def create(settings, params = {})
         params = create_params(settings, params)
-        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        params_prefix = (settings.idp_sso_service_url =~ /\?/) ? '&' : '?'
         saml_request = CGI.escape(params.delete("SAMLRequest"))
         request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil?
-        @login_url = settings.idp_sso_target_url + request_params
+        raise SettingError.new "Invalid settings, idp_sso_service_url is not set!" if settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
+        @login_url = settings.idp_sso_service_url + request_params
       end
 
       # Creates the Get parameters for the request.
@@ -68,7 +73,7 @@ module OneLogin
         base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
-        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLRequest',
@@ -107,7 +112,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['Destination'] = settings.idp_sso_service_url unless settings.idp_sso_service_url.nil? or settings.idp_sso_service_url.empty?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
         root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
@@ -117,10 +122,22 @@ module OneLogin
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
+
+        if settings.name_identifier_value_requested != nil
+          subject = root.add_element "saml:Subject"
+
+          nameid = subject.add_element "saml:NameID"
+          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          nameid.text = settings.name_identifier_value_requested
+
+          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
+          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        end
+
         if settings.name_identifier_format != nil
           root.add_element "samlp:NameIDPolicy", {
               # Might want to make AllowCreate a setting?
@@ -162,8 +179,7 @@ module OneLogin
       end
 
       def sign_document(document, settings)
-        # embed signature
-        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_sso_service_binding == Utils::BINDINGS[:post] && settings.security[:authn_requests_signed] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
           document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])