saml-kit 1.0.6 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27101b53cc92074aa1b0ea8f84d40d41f1bf32b6b208a1a5d9b94d92087cfa51
-  data.tar.gz: c0ad9546f68fa6feb9afaf34e8609cfac835ab7607790542a9a7146fe94ed846
+  metadata.gz: f336ef3e71456ef8822afe806133e69cdf66051db1cb47ff29b4604cd3c14080
+  data.tar.gz: 0af28562d5ceeb54517113a179d002584a806f5054f11e73b0aac2c91c392640
 SHA512:
-  metadata.gz: 656acd1866446463a4bf2578eb0b543657713ec83e8cf9c9cde89c6298c54075f857bf008c7812e42539bb715e4c5158fce899fff390c558dedc0dd692d09aac
-  data.tar.gz: bb7a65a294eb4a47edc1c29e16908f12c57fe74a0423b26baefc713e9fc223f47ef6533f35b66cb2ffc4bb64921352afd849296dbfed98e202ab4d53ae03f67e
+  metadata.gz: ff41286ca85b6fa5d076ba78fabf7f7fe3e8e1cf7e951af112a2e77e1e90d7f073515694ba63e688e38263456f24fe12af0e775c6d836e8a77becf82ebbb6034
+  data.tar.gz: bb1b0cf0d15d68af2115f1c14f36aa702c7367c9f34af031214263b0c405e1bb078a9b5783184979eef431caa37075639a4640a842f80fb92d445e4545a5bf53

data/.gitlab-ci.yml

@@ -5,11 +5,11 @@ before_script:
   - echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
   - locale-gen
   - export LC_ALL=en_US.UTF-8
-  - ruby -v
-  - which ruby
-  - gem install bundler --no-ri --no-rdoc
-  - bundle install --jobs $(nproc) "${FLAGS[@]}"
 
 rspec:
   script:
-    - bundle exec rspec
+    - bin/cibuild
+
+lint:
+  script:
+    - bin/lint

data/.rubocop.yml

@@ -0,0 +1,92 @@
+inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop/cop/internal_affairs
+  - rubocop-rspec
+
+AllCops:
+  Exclude:
+    - 'coverage/**/*'
+    - 'pkg/**/*'
+    - 'spec/fixtures/**/*'
+    - 'spec/examples/**/*'
+    - 'tmp/**/*'
+    - 'vendor/**/*'
+  TargetRubyVersion: 2.2
+
+Layout/ClassStructure:
+  Enabled: true
+  Categories:
+    module_inclusion:
+      - include
+      - prepend
+      - extend
+  ExpectedOrder:
+      - module_inclusion
+      - constants
+      - public_class_methods
+      - initializer
+      - instance_methods
+      - protected_methods
+      - private_methods
+
+Layout/EndOfLine:
+  EnforcedStyle: lf
+
+Layout/IndentArray:
+  EnforcedStyle: consistent
+
+Layout/IndentHeredoc:
+  EnforcedStyle: active_support
+
+Lint/AmbiguousBlockAssociation:
+  Exclude:
+    - 'spec/**/*.rb'
+
+Lint/InterpolationCheck:
+  Exclude:
+    - 'spec/**/*.rb'
+
+Metrics/BlockLength:
+  Exclude:
+    - '**/**/*.builder'
+    - '**/*.rake'
+    - '*.gemspec'
+    - 'Rakefile'
+    - 'spec/**/*.rb'
+
+Metrics/ModuleLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
+Metrics/LineLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
+Naming/FileName:
+  Exclude:
+    - 'lib/saml-kit.rb'
+
+Style/Documentation:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: 'single_quotes'
+
+Style/TrailingCommaInLiteral:
+  Enabled: false
+
+RSpec/ExampleLength:
+  Max: 80
+
+RSpec/MultipleExpectations:
+  Enabled: false
+
+RSpec/NamedSubject:
+  Enabled: false
+
+RSpec/NestedGroups:
+  Max: 7
+
+RSpec/SubjectStub:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,45 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2018-02-16 22:08:54 -0700 using RuboCop version 0.52.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: AllowUnusedKeywordArguments, IgnoreEmptyMethods.
+Lint/UnusedMethodArgument:
+  Exclude:
+    - 'lib/saml/kit/invalid_document.rb'
+
+# Offense count: 2
+Metrics/AbcSize:
+  Max: 16
+
+# Offense count: 3
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 136
+
+# Offense count: 6
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+  Max: 13
+
+# Offense count: 1
+Style/DateTime:
+  Exclude:
+    - 'lib/saml/kit/assertion.rb'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+Style/IfUnlessModifier:
+  Exclude:
+    - 'lib/saml/kit/builders/authentication_request.rb'
+
+# Offense count: 128
+# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
+# URISchemes: http, https
+Metrics/LineLength:
+  Max: 313

data/.travis.yml

@@ -1,6 +1,10 @@
 sudo: false
 language: ruby
 rvm:
-  - 2.4.2
-before_install: gem install bundler -v 1.15.4
-script: "bundle exec rspec"
+  - 2.2.9
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0
+script:
+  - bin/cibuild
+  - bin/lint

data/Gemfile

@@ -1,6 +1,6 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in saml-kit.gemspec
 gemspec

data/Rakefile

@@ -1,6 +1,8 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
+task default: :spec
 
-task :default => :spec
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new(:rubocop)

data/bin/cibuild

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# script/cibuild: Setup environment for CI to run tests. This is primarily
+#                 designed to run on the continuous integration server.
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+echo "Started at…"
+date "+%H:%M:%S"
+
+# GC customizations
+export RUBY_GC_MALLOC_LIMIT=79000000
+export RUBY_GC_HEAP_INIT_SLOTS=800000
+export RUBY_HEAP_FREE_MIN=100000
+export RUBY_HEAP_SLOTS_INCREMENT=400000
+export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1
+
+gem install bundler --no-ri --no-rdoc --conservative
+# run tests
+ruby -v
+bin/test

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "saml/kit"
+require 'bundler/setup'
+require 'saml/kit'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "saml/kit"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/bin/lint

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+[ -z "$DEBUG" ] || set -x
+
+echo "==> Running setup…"
+date "+%H:%M:%S"
+bin/setup
+
+echo "==> Running linters…"
+date "+%H:%M:%S"
+bundle exec rake rubocop

data/bin/setup

@@ -3,6 +3,6 @@ set -euo pipefail
 IFS=$'\n\t'
 set -vx
 
-bundle install
+bundle check || bundle install --jobs $(nproc)
 
 # Do any other automated setup that you need to do here

data/bin/test

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# script/test: Run test suite for application. Optionally pass in a path to an
+#              individual test file to run a single test.
+
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+[ -z "$DEBUG" ] || set -x
+
+echo "==> Running setup…"
+date "+%H:%M:%S"
+bin/setup
+
+echo "==> Running tests…"
+date "+%H:%M:%S"
+bundle exec rake spec

data/exe/saml-kit-create-self-signed-certificate

@@ -3,22 +3,22 @@ require 'saml/kit'
 
 Saml::Kit.deprecate("Use the 'saml-kit-cli' gem instead. saml-kit-create-self-signed-certificate")
 
-puts "Enter Passphrase:"
+puts 'Enter Passphrase:'
 passphrase = STDIN.read.strip
 certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new.create(passphrase: passphrase)
 
-puts "** BEGIN File Format **"
+puts '** BEGIN File Format **'
 print certificate
 puts private_key
-puts "***********************"
+puts '***********************'
 
 puts
 
-puts "*** BEGIN ENV Format **"
+puts '*** BEGIN ENV Format **'
 puts certificate.inspect
 puts private_key.inspect
-puts "***********************"
+puts '***********************'
 
 puts
-puts "Private Key Passphrase:"
+puts 'Private Key Passphrase:'
 puts passphrase.inspect

data/exe/saml-kit-decode-http-redirect

@@ -6,9 +6,13 @@ Saml::Kit.deprecate("Use the 'saml-kit-cli' gem instead. saml-kit-decode-http-re
 input = STDIN.read
 binding = Saml::Kit::Bindings::HttpRedirect.new(location: '')
 
-uri = URI.parse(input) rescue nil
+uri = begin
+        URI.parse(input)
+      rescue StandardError
+        nil
+      end
 if uri
-  query_params =  Hash[uri.query.split('&').map { |x| x.split('=', 2) }]
+  query_params = Hash[uri.query.split('&').map { |x| x.split('=', 2) }]
   puts binding.deserialize(query_params).to_xml(pretty: true)
 else
   puts binding.deserialize('SAMLRequest' => input).to_xml(pretty: true)

data/lib/saml/kit.rb

@@ -1,46 +1,49 @@
-require "saml/kit/version"
+require 'saml/kit/version'
 
-require "active_model"
-require "active_support/core_ext/date/calculations"
-require "active_support/core_ext/hash/conversions"
-require "active_support/core_ext/hash/indifferent_access"
-require "active_support/core_ext/numeric/time"
-require "active_support/deprecation"
-require "active_support/duration"
-require "forwardable"
-require "logger"
-require "net/http"
-require "nokogiri"
-require "securerandom"
-require "xml/kit"
+require 'active_model'
+require 'active_support/core_ext/date/calculations'
+require 'active_support/core_ext/hash/conversions'
+require 'active_support/core_ext/hash/indifferent_access'
+require 'active_support/core_ext/numeric/time'
+require 'active_support/deprecation'
+require 'active_support/duration'
+require 'forwardable'
+require 'logger'
+require 'net/http'
+require 'nokogiri'
+require 'securerandom'
+require 'uri'
+require 'xml/kit'
 
-require "saml/kit/buildable"
-require "saml/kit/builders"
-require "saml/kit/namespaces"
-require "saml/kit/serializable"
-require "saml/kit/xsd_validatable"
-require "saml/kit/respondable"
-require "saml/kit/requestable"
-require "saml/kit/trustable"
-require "saml/kit/translatable"
-require "saml/kit/document"
+require 'saml/kit/buildable'
+require 'saml/kit/builders'
+require 'saml/kit/namespaces'
+require 'saml/kit/serializable'
+require 'saml/kit/xsd_validatable'
+require 'saml/kit/respondable'
+require 'saml/kit/requestable'
+require 'saml/kit/trustable'
+require 'saml/kit/translatable'
+require 'saml/kit/document'
 
-require "saml/kit/assertion"
-require "saml/kit/authentication_request"
-require "saml/kit/bindings"
-require "saml/kit/configuration"
-require "saml/kit/default_registry"
-require "saml/kit/logout_response"
-require "saml/kit/logout_request"
-require "saml/kit/metadata"
-require "saml/kit/composite_metadata"
-require "saml/kit/response"
-require "saml/kit/identity_provider_metadata"
-require "saml/kit/invalid_document"
-require "saml/kit/service_provider_metadata"
-require "saml/kit/signature"
+require 'saml/kit/assertion'
+require 'saml/kit/authentication_request'
+require 'saml/kit/bindings'
+require 'saml/kit/configuration'
+require 'saml/kit/default_registry'
+require 'saml/kit/logout_response'
+require 'saml/kit/logout_request'
+require 'saml/kit/metadata'
+require 'saml/kit/null_assertion'
+require 'saml/kit/composite_metadata'
+require 'saml/kit/response'
+require 'saml/kit/identity_provider_metadata'
+require 'saml/kit/invalid_document'
+require 'saml/kit/service_provider_metadata'
+require 'saml/kit/signature'
 
-I18n.load_path += Dir[File.expand_path("kit/locales/*.yml", File.dirname(__FILE__))]
+I18n.load_path +=
+  Dir[File.expand_path('kit/locales/*.yml', File.dirname(__FILE__))]
 
 module Saml
   module Kit

data/lib/saml/kit/assertion.rb

@@ -3,17 +3,29 @@ module Saml
     class Assertion
       include ActiveModel::Validations
       include Translatable
-
-      validate :must_match_issuer
-      validate :must_be_active_session
+      XPATH = [
+        '/samlp:Response/saml:Assertion',
+        '/samlp:Response/saml:EncryptedAssertion'
+      ].join('|')
+
+      validate :must_be_decryptable
+      validate :must_match_issuer, if: :decryptable?
+      validate :must_be_active_session, if: :decryptable?
+      validate :must_have_valid_signature, if: :decryptable?
       attr_reader :name
       attr_accessor :occurred_at
 
-      def initialize(xml_hash, configuration: Saml::Kit.configuration)
-        @name = "Assertion"
-        @xml_hash = xml_hash
+      def initialize(node, configuration: Saml::Kit.configuration, private_keys: [])
+        @name = 'Assertion'
+        @node = node
+        @xml_hash = hash_from(node)['Response'] || {}
         @configuration = configuration
         @occurred_at = Time.current
+        decrypt!(::Xml::Kit::Decryption.new(
+                   private_keys: (
+                     configuration.private_keys(use: :encryption) + private_keys
+                   ).uniq
+        ))
       end
 
       def issuer
@@ -29,8 +41,7 @@ module Saml
       end
 
       def signature
-        xml_hash = assertion.fetch('Signature', nil)
-        xml_hash ? Signature.new(xml_hash) : nil
+        @signature ||= Signature.new(at_xpath('./ds:Signature'))
       end
 
       def expired?(now = occurred_at)
@@ -47,7 +58,7 @@ module Saml
           begin
             attrs = assertion.fetch('AttributeStatement', {}).fetch('Attribute', [])
             items = if attrs.is_a? Hash
-                      [[attrs["Name"], attrs["AttributeValue"]]]
+                      [[attrs['Name'], attrs['AttributeValue']]]
                     else
                       attrs.map { |item| [item['Name'], item['AttributeValue']] }
                     end
@@ -65,57 +76,88 @@ module Saml
 
       def audiences
         Array(assertion['Conditions']['AudienceRestriction']['Audience'])
-      rescue => error
+      rescue StandardError => error
         Saml::Kit.logger.error(error)
         []
       end
 
       def encrypted?
-        @xml_hash.fetch('Response', {}).fetch('EncryptedAssertion', nil).present?
+        @xml_hash.fetch('EncryptedAssertion', nil).present?
+      end
+
+      def decryptable?
+        return true unless encrypted?
+        !@cannot_decrypt
       end
 
       def present?
         assertion.present?
       end
 
+      def to_xml(pretty: false)
+        pretty ? @node.to_xml(indent: 2) : @node.to_s
+      end
+
       private
 
       attr_reader :configuration
 
       def assertion
         @assertion ||=
-          if encrypted?
-            private_keys = configuration.private_keys(use: :encryption)
-            decryptor = ::Xml::Kit::Decryption.new(private_keys: private_keys)
-            decrypted = decryptor.decrypt_hash(@xml_hash['Response']['EncryptedAssertion'])
-            Saml::Kit.logger.debug(decrypted)
-            Hash.from_xml(decrypted)['Assertion']
-          else
-            result = @xml_hash.fetch('Response', {}).fetch('Assertion', {})
+          begin
+            result = (hash_from(@node)['Response'] || {})['Assertion']
             return result if result.is_a?(Hash)
-
-            errors[:assertion] << error_message(:must_contain_single_assertion)
             {}
           end
       end
 
+      def decrypt!(decryptor)
+        return unless encrypted?
+
+        encrypted_assertion = @node.at_xpath('./xmlenc:EncryptedData', Saml::Kit::Document::NAMESPACES)
+        @node = decryptor.decrypt_node(encrypted_assertion)
+      rescue Xml::Kit::DecryptionError => error
+        @cannot_decrypt = true
+        Saml::Kit.logger.error(error)
+      end
+
       def parse_date(value)
         DateTime.parse(value)
-      rescue => error
+      rescue StandardError => error
         Saml::Kit.logger.error(error)
         Time.at(0).to_datetime
       end
 
       def must_match_issuer
-        unless audiences.include?(configuration.entity_id)
-          errors[:audience] << error_message(:must_match_issuer)
-        end
+        return if audiences.include?(configuration.entity_id)
+        errors[:audience] << error_message(:must_match_issuer)
       end
 
       def must_be_active_session
         return if active?
         errors[:base] << error_message(:expired)
       end
+
+      def must_have_valid_signature
+        return if !signed? || signature.valid?
+
+        signature.errors.each do |attribute, message|
+          errors.add(attribute, message)
+        end
+      end
+
+      def must_be_decryptable
+        errors.add(:base, error_message(:cannot_decrypt)) unless decryptable?
+      end
+
+      def at_xpath(xpath)
+        @node.at_xpath(xpath, Saml::Kit::Document::NAMESPACES)
+      end
+
+      def hash_from(node)
+        return {} if node.nil?
+        Hash.from_xml(node.document.root.to_s) || {}
+      end
     end
   end
 end