ruby-saml 0.8.5 → 0.8.6

checksums.yaml

@@ -1,7 +1,7 @@
---- 
-SHA512: 
-  metadata.gz: 8489326fd3207aa709c005557141665444ef5653c4850520908e7bbc16cb8cb6529fe6bf7d85ee7cb7f896a441ac078fa8eca87341c1737bbb8cc2c6a1712e54
-  data.tar.gz: dc7006007ed9e9bfa190401c4e003992ff66786854dfac4725b956714281eba2503d83814653674f171a02885c136adc078d5c13e3d6277f9677989591c6d375
-SHA256: 
-  metadata.gz: 024d00094972f6386863705f834f4ecb2c4e42d5b462181573151493211cfd52
-  data.tar.gz: 7346f35e9750a26de6b4d1079817ef148945c4949bdaa05ba0249e72ecac0a64
+---
+SHA1:
+  metadata.gz: 57e7a2eb4f514972244fc12215e6586386fb5fe3
+  data.tar.gz: cf05522f6c29de7ae71c30407a93ee2cfe5926b9
+SHA512:
+  metadata.gz: 039cc1a41f64dd95707f441afc2015bc44948944fa0356ead52280d5420ebc314d9b004f3e048694356aa40b36546c0a3a98e2f8e4c98f79079b199629f4872f
+  data.tar.gz: 57a46834046c71fce8a1845487e6dfb53fb6b9dadac4d411462e2e2731c8457b162be13563fbad92f3f15e7639916c59e8a266842d018191c40cbfb5f77038c6

data/lib/onelogin/ruby-saml/attributes.rb

@@ -0,0 +1,128 @@
+module OneLogin
+  module RubySaml
+
+    # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response. 
+    #
+    class Attributes
+      include Enumerable
+
+      attr_reader :attributes
+
+      # By default Attributes#[] is backwards compatible and
+      # returns only the first value for the attribute
+      # Setting this to `false` returns all values for an attribute
+      @@single_value_compatibility = true
+
+      # @return [Boolean] Get current status of backwards compatibility mode.
+      #
+      def self.single_value_compatibility
+        @@single_value_compatibility
+      end
+
+      # Sets the backwards compatibility mode on/off.
+      # @param value [Boolean]
+      #
+      def self.single_value_compatibility=(value)
+        @@single_value_compatibility = value
+      end
+
+      # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+      #    Attributes.new({
+      #      'name' => ['value1', 'value2'],
+      #      'mail' => ['value1'],
+      #    })
+      #
+      def initialize(attrs = {})
+        @attributes = attrs
+      end
+
+
+      # Iterate over all attributes
+      #
+      def each
+        attributes.each{|name, values| yield name, values}
+      end
+
+      
+      # Test attribute presence by name
+      # @param name [String] The attribute name to be checked
+      #
+      def include?(name)
+        attributes.has_key?(canonize_name(name))
+      end
+      
+      # Return first value for an attribute
+      # @param name [String] The attribute name
+      # @return [String] The value (First occurrence)
+      #
+      def single(name)
+        attributes[canonize_name(name)].first if include?(name)
+      end
+
+      # Return all values for an attribute
+      # @param name [String] The attribute name
+      # @return [Array] Values of the attribute
+      #
+      def multi(name)
+        attributes[canonize_name(name)]
+      end
+
+      # Retrieve attribute value(s)
+      # @param name [String] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def [](name)
+        self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
+      end
+
+      # @return [Array] Return all attributes as an array
+      #
+      def all
+        attributes
+      end
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def set(name, values)
+        attributes[canonize_name(name)] = values
+      end
+      alias_method :[]=, :set
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def add(name, values = [])
+        attributes[canonize_name(name)] ||= []
+        attributes[canonize_name(name)] += Array(values)
+      end
+
+      # Make comparable to another Attributes collection based on attributes
+      # @param other [Attributes] An Attributes object to compare with
+      # @return [Boolean] True if are contains the same attributes and values
+      #
+      def ==(other)
+        if other.is_a?(Attributes)
+          all == other.all
+        else
+          super
+        end
+      end
+
+      protected
+
+      # stringifies all names so both 'email' and :email return the same result
+      # @param name [String] The attribute name
+      # @return [String] stringified name
+      #
+      def canonize_name(name)
+        name.to_s
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/response.rb

@@ -1,6 +1,7 @@
 require "xml_security"
 require "time"
 require "nokogiri"
+require 'onelogin/ruby-saml/attributes'
 
 # Only supports SAML 2.0
 module OneLogin
@@ -48,26 +49,48 @@ module OneLogin
         end
       end
 
-      # A hash of alle the attributes with the response. Assuming there is only one value for each key
+      # Gets the Attributes from the AttributeStatement element.
+      #
+      # All attributes can be iterated over +attributes.each+ or returned as array by +attributes.all+
+      # For backwards compatibility ruby-saml returns by default only the first value for a given attribute with
+      #    attributes['name']
+      # To get all of the attributes, use:
+      #    attributes.multi('name')
+      # Or turn off the compatibility:
+      #    OneLogin::RubySaml::Attributes.single_value_compatibility = false
+      # Now this will return an array:
+      #    attributes['name']
+      #
+      # @return [Attributes] OneLogin::RubySaml::Attributes enumerable collection.
+      #
       def attributes
         @attr_statements ||= begin
-          result = {}
-
-          stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement')
-          return {} if stmt_element.nil?
-
-          stmt_element.elements.each do |attr_element|
-            name  = attr_element.attributes["Name"]
-            value = Utils.element_text(attr_element.elements.first)
-
-            result[name] = value
-          end
-
-          result.keys.each do |key|
-            result[key.intern] = result[key]
+          attributes = Attributes.new
+
+          stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
+          stmt_elements.each do |stmt_element|
+            stmt_element.elements.each do |attr_element|
+              name = attr_element.attributes["Name"]
+              values = attr_element.elements.collect{|e|
+                if (e.elements.nil? || e.elements.size == 0)
+                  # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
+                  # otherwise the value is to be regarded as empty.
+                  ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : Utils.element_text(e)
+                # explicitly support saml2:NameID with saml2:NameQualifier if supplied in attributes
+                # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
+                # identify the subject in an SP rather than email or other less opaque attributes
+                # NameQualifier, if present is prefixed with a "/" to the value
+                else
+                 REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect{|n|
+                    (n.attributes['NameQualifier'] ? n.attributes['NameQualifier'] +"/" : '') + Utils.element_text(n)
+                  }
+                end
+              }
+
+              attributes.add(name, values.flatten)
+            end
           end
-
-          result
+          attributes
         end
       end
 
@@ -166,6 +189,26 @@ module OneLogin
         node
       end
 
+      # Extracts all the appearances that matchs the subelt (pattern)
+      # Search on any Assertion that is signed, or has a Response parent signed
+      # @param subelt [String] The XPath pattern
+      # @return [Array of REXML::Element] Return all matches
+      #
+      def xpath_from_signed_assertion(subelt=nil)
+        node = REXML::XPath.match(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node.concat( REXML::XPath.match(
+            document,
+            "/p:Response[@ID=$id]/a:Assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        ))
+      end
+
       def get_fingerprint
         if settings.idp_cert
           cert = OpenSSL::X509::Certificate.new(settings.idp_cert)

data/lib/onelogin/ruby-saml/version.rb

@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '0.8.5'
+    VERSION = '0.8.6'
   end
 end

data/lib/ruby-saml.rb

@@ -8,3 +8,4 @@ require 'onelogin/ruby-saml/utils'
 require 'onelogin/ruby-saml/validation_error'
 require 'onelogin/ruby-saml/metadata'
 require 'onelogin/ruby-saml/version'
+require 'onelogin/ruby-saml/attributes'

data/test/response_test.rb

@@ -229,7 +229,12 @@ class RubySamlTest < Test::Unit::TestCase
 
       should "not raise on responses without attributes" do
         response = OneLogin::RubySaml::Response.new(response_document_4)
-        assert_equal Hash.new, response.attributes
+        assert_equal OneLogin::RubySaml::Attributes.new, response.attributes
+      end
+
+      should "extract attributes from all AttributeStatement tags" do
+        assert_equal "smith", response_with_multiple_attribute_statements.attributes[:surname]
+        assert_equal "bob", response_with_multiple_attribute_statements.attributes[:firstname]
       end
     end
 
@@ -270,5 +275,97 @@ class RubySamlTest < Test::Unit::TestCase
         assert_equal($evalled, nil)
       end
     end
+
+    context "#multiple values" do
+      should "extract single value as string" do
+        assert_equal "demo", response_multiple_attr_values.attributes[:uid]
+      end
+
+      should "extract single value as string in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ["demo"], response_multiple_attr_values.attributes[:uid]
+        # classes are not reloaded between tests so restore default
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "extract first of multiple values as string for b/w compatibility" do
+        assert_equal 'value1', response_multiple_attr_values.attributes[:another_value]
+      end
+
+      should "extract first of multiple values as string for b/w compatibility in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes[:another_value]
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return array with all attributes when asked in XML order" do
+        assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes.multi(:another_value)
+      end
+
+      should "return array with all attributes when asked in XML order in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ['value1', 'value2'], response_multiple_attr_values.attributes.multi(:another_value)
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return first of multiple values when multiple Attribute tags in XML" do
+        assert_equal 'role1', response_multiple_attr_values.attributes[:role]
+      end
+
+      should "return first of multiple values when multiple Attribute tags in XML in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes[:role]
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return all of multiple values in reverse order when multiple Attribute tags in XML" do
+        assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes.multi(:role)
+      end
+
+      should "return all of multiple values in reverse order when multiple Attribute tags in XML in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ['role1', 'role2', 'role3'], response_multiple_attr_values.attributes.multi(:role)
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return all of multiple values when multiple Attribute tags in multiple AttributeStatement tags" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ['role1', 'role2', 'role3'], response_with_multiple_attribute_statements.attributes.multi(:role)
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return nil value correctly" do
+        assert_nil response_multiple_attr_values.attributes[:attribute_with_nil_value]
+      end
+
+      should "return nil value correctly when not in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal [nil], response_multiple_attr_values.attributes[:attribute_with_nil_value]
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "return multiple values including nil and empty string" do
+        response = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values))
+        assert_equal ["", "valuePresent", nil, nil], response.attributes.multi(:attribute_with_nils_and_empty_strings)
+      end
+
+      should "return multiple values from [] when not in compatibility mode off" do
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal ["", "valuePresent", nil, nil], response_multiple_attr_values.attributes[:attribute_with_nils_and_empty_strings]
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+
+      should "check what happens when trying retrieve attribute that does not exists" do
+        assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
+        assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
+        assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+
+        OneLogin::RubySaml::Attributes.single_value_compatibility = false
+        assert_equal nil, response_multiple_attr_values.attributes[:attribute_not_exists]
+        assert_equal nil, response_multiple_attr_values.attributes.single(:attribute_not_exists)
+        assert_equal nil, response_multiple_attr_values.attributes.multi(:attribute_not_exists)
+        OneLogin::RubySaml::Attributes.single_value_compatibility = true
+      end
+    end
   end
 end

data/test/responses/response_with_multiple_attribute_statements.xml

@@ -0,0 +1,72 @@
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="GOSAMLR12901174571794" Version="2.0" IssueInstant="2010-11-18T21:57:37Z" Destination="{recipient}">
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
+  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfxa46574df-b3b0-a06a-23c8-636413198772" IssueInstant="2010-11-18T21:57:37Z">
+    <saml:Issuer>https://app.onelogin.com/saml/metadata/13590</saml:Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <ds:Reference URI="#pfxa46574df-b3b0-a06a-23c8-636413198772">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>yiveKcPdDpuDNj6shrQ3ABwr/cA3CryD2phG/xLZszKWxU5/mlaKt8ewbZOdKKvtOs2pHBy5Dua3k94AF+zxGyel5gOowmoyXJr+AOr+kPO0vli1V8o3hPPUZwRgSX6Q9pS1CqQghKiEasRyylqqJUaPYzmOzOE8/XlMkwiWmO0=</ds:SignatureValue>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTg0NVoXDTE1MDMwOTA5NTg0NVowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOjSu1fjPy8d5w4QyL1+zd4hIw1Mkkff4WY/TLG8OZkU5YTSWmmHPD5kvYH5uoXS/6qQ81qXpR2wV8CTowZJULg09ddRdRn8Qsqj1FyOC5slE3y2bZ2oFua72of/49fpujnFT6KnQ61CBMqlDoTQqOT62vGJ8nP6MZWvA6sxqud5AgMBAAEwAwYBAAMBAA==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </ds:Signature>
+    <saml:Subject>
+      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">support@onelogin.com</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2010-11-18T22:02:37Z" Recipient="{recipient}"/></saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2010-11-18T21:52:37Z" NotOnOrAfter="2010-11-18T22:02:37Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>{audience}</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2010-11-18T21:57:37Z" SessionNotOnOrAfter="2010-11-19T21:57:37Z" SessionIndex="_531c32d283bdff7e04e487bcdbc4dd8d">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="surname">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">smith</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="another_value">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value1</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value2</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="role">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml:AttributeValue>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="firstname">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">bob</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="role">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role2</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role3</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="attribute_with_nil_value">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+      </saml:Attribute>
+      <saml:Attribute Name="attribute_with_nils_and_empty_strings">
+        <saml:AttributeValue/>
+        <saml:AttributeValue>valuePresent</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>

data/test/responses/response_with_multiple_attribute_values.xml

@@ -0,0 +1,67 @@
+<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="GOSAMLR12901174571794" Version="2.0" IssueInstant="2010-11-18T21:57:37Z" Destination="{recipient}">
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
+  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfxa46574df-b3b0-a06a-23c8-636413198772" IssueInstant="2010-11-18T21:57:37Z">
+    <saml:Issuer>https://app.onelogin.com/saml/metadata/13590</saml:Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+        <ds:Reference URI="#pfxa46574df-b3b0-a06a-23c8-636413198772">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+          <ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue>yiveKcPdDpuDNj6shrQ3ABwr/cA3CryD2phG/xLZszKWxU5/mlaKt8ewbZOdKKvtOs2pHBy5Dua3k94AF+zxGyel5gOowmoyXJr+AOr+kPO0vli1V8o3hPPUZwRgSX6Q9pS1CqQghKiEasRyylqqJUaPYzmOzOE8/XlMkwiWmO0=</ds:SignatureValue>
+      <ds:KeyInfo>
+        <ds:X509Data>
+          <ds:X509Certificate>MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTg0NVoXDTE1MDMwOTA5NTg0NVowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOjSu1fjPy8d5w4QyL1+zd4hIw1Mkkff4WY/TLG8OZkU5YTSWmmHPD5kvYH5uoXS/6qQ81qXpR2wV8CTowZJULg09ddRdRn8Qsqj1FyOC5slE3y2bZ2oFua72of/49fpujnFT6KnQ61CBMqlDoTQqOT62vGJ8nP6MZWvA6sxqud5AgMBAAEwAwYBAAMBAA==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </ds:Signature>
+    <saml:Subject>
+      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">support@onelogin.com</saml:NameID>
+      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <saml:SubjectConfirmationData NotOnOrAfter="2010-11-18T22:02:37Z" Recipient="{recipient}"/></saml:SubjectConfirmation>
+    </saml:Subject>
+    <saml:Conditions NotBefore="2010-11-18T21:52:37Z" NotOnOrAfter="2010-11-18T22:02:37Z">
+      <saml:AudienceRestriction>
+        <saml:Audience>{audience}</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+    <saml:AuthnStatement AuthnInstant="2010-11-18T21:57:37Z" SessionNotOnOrAfter="2010-11-19T21:57:37Z" SessionIndex="_531c32d283bdff7e04e487bcdbc4dd8d">
+      <saml:AuthnContext>
+        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+      </saml:AuthnContext>
+    </saml:AuthnStatement>
+    <saml:AttributeStatement>
+      <saml:Attribute Name="uid">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="another_value">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value1</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">value2</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="role">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role1</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="role">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role2</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">role3</saml:AttributeValue>
+      </saml:Attribute>
+      <saml:Attribute Name="attribute_with_nil_value">
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+      </saml:Attribute>
+      <saml:Attribute Name="attribute_with_nils_and_empty_strings">
+        <saml:AttributeValue/>
+        <saml:AttributeValue>valuePresent</saml:AttributeValue>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
+        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="1"/>
+      </saml:Attribute>
+    </saml:AttributeStatement>
+  </saml:Assertion>
+</samlp:Response>

data/test/test_helper.rb

@@ -71,4 +71,12 @@ class Test::Unit::TestCase
     @signature2 ||= File.read(File.join(File.dirname(__FILE__), 'certificates', 'r1_certificate2_base64'))
   end
 
+  def response_with_multiple_attribute_statements
+    @response_with_multiple_attribute_statements = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_statements))
+  end
+
+  def response_multiple_attr_values
+    @response_multiple_attr_values = OneLogin::RubySaml::Response.new(fixture(:response_with_multiple_attribute_values)) 
+  end
+
 end

metadata

@@ -1,54 +1,60 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: ruby-saml
-version: !ruby/object:Gem::Version 
-  version: 0.8.5
+version: !ruby/object:Gem::Version
+  version: 0.8.6
 platform: ruby
-authors: 
+authors:
 - OneLogin LLC
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2018-09-12 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2019-02-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "2.3"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: nokogiri
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
+      - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
-  version_requirements: *id002
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.0
 description: SAML toolkit for Ruby on Rails
 email: support@onelogin.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - LICENSE
 - README.md
-files: 
-- .document
-- .gitignore
-- .travis.yml
+files:
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
 - changelog.md
+- lib/onelogin/ruby-saml/attributes.rb
 - lib/onelogin/ruby-saml/authrequest.rb
 - lib/onelogin/ruby-saml/logging.rb
 - lib/onelogin/ruby-saml/logoutrequest.rb
@@ -89,6 +95,8 @@ files:
 - test/responses/response_node_text_attack.xml.base64
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
+- test/responses/response_with_multiple_attribute_statements.xml
+- test/responses/response_with_multiple_attribute_values.xml
 - test/responses/simple_saml_php.xml
 - test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64
@@ -98,31 +106,29 @@ files:
 - test/xml_security_test.rb
 homepage: http://github.com/onelogin/ruby-saml
 licenses: []
-
 metadata: {}
-
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
-require_paths: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - &id003 
-    - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - *id003
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: http://www.rubygems.org/gems/ruby-saml
-rubygems_version: 2.7.7
+rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
-test_files: 
+test_files:
 - test/certificates/certificate1
 - test/certificates/r1_certificate2_base64
 - test/logoutrequest_test.rb
@@ -146,6 +152,8 @@ test_files:
 - test/responses/response_node_text_attack.xml.base64
 - test/responses/response_with_ampersands.xml
 - test/responses/response_with_ampersands.xml.base64
+- test/responses/response_with_multiple_attribute_statements.xml
+- test/responses/response_with_multiple_attribute_values.xml
 - test/responses/simple_saml_php.xml
 - test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64