saml-kit 1.0.6 → 1.0.7

data/lib/saml/kit/authentication_request.rb

@@ -25,7 +25,7 @@ module Saml
       # @param xml [String] the raw xml.
       # @param configuration [Saml::Kit::Configuration] defaults to the global configuration.
       def initialize(xml, configuration: Saml::Kit.configuration)
-        super(xml, name: "AuthnRequest", configuration: configuration)
+        super(xml, name: 'AuthnRequest', configuration: configuration)
       end
 
       # Extract the AssertionConsumerServiceURL from the AuthnRequest

data/lib/saml/kit/bindings.rb

@@ -1,19 +1,19 @@
-require "saml/kit/bindings/binding"
-require "saml/kit/bindings/http_post"
-require "saml/kit/bindings/http_redirect"
-require "saml/kit/bindings/url_builder"
+require 'saml/kit/bindings/binding'
+require 'saml/kit/bindings/http_post'
+require 'saml/kit/bindings/http_redirect'
+require 'saml/kit/bindings/url_builder'
 
 module Saml
   module Kit
     module Bindings
-      HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
-      HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'.freeze
+      HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'.freeze
+      HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'.freeze
       ALL = {
         http_post: HTTP_POST,
         http_redirect: HTTP_REDIRECT,
         http_artifact: HTTP_ARTIFACT,
-      }
+      }.freeze
 
       def self.binding_for(binding)
         ALL[binding]

data/lib/saml/kit/bindings/binding.rb

@@ -14,12 +14,12 @@ module Saml
           binding == other
         end
 
-        def serialize(builder, relay_state: nil)
+        def serialize(*)
           []
         end
 
-        def deserialize(params)
-          raise ArgumentError.new("Unsupported binding")
+        def deserialize(_params)
+          raise ArgumentError, 'Unsupported binding'
         end
 
         def to_h
@@ -27,7 +27,7 @@ module Saml
         end
 
         def ==(other)
-          self.to_s == other.to_s
+          to_s == other.to_s
         end
 
         def eql?(other)
@@ -58,7 +58,7 @@ module Saml
           elsif parameters[:SAMLResponse].present?
             parameters[:SAMLResponse]
           else
-            raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
+            raise ArgumentError, 'SAMLRequest or SAMLResponse parameter is required.'
           end
         end
       end

data/lib/saml/kit/bindings/http_redirect.rb

@@ -17,7 +17,7 @@ module Saml
         end
 
         def deserialize(params, configuration: Saml::Kit.configuration)
-          parameters = normalize(params)
+          parameters = normalize(params_to_hash(params))
           document = deserialize_document_from!(parameters, configuration)
           ensure_valid_signature!(parameters, document)
           document
@@ -35,25 +35,25 @@ module Saml
           return if document.provider.nil?
 
           if document.provider.verify(
-              algorithm_for(params[:SigAlg]),
-              decode(params[:Signature]),
-              canonicalize(params)
+            algorithm_for(params[:SigAlg]),
+            decode(params[:Signature]),
+            canonicalize(params)
           )
             document.signature_verified!
           else
-            raise ArgumentError.new("Invalid Signature")
+            raise ArgumentError, 'Invalid Signature'
           end
         end
 
         def canonicalize(params)
-          [:SAMLRequest, :SAMLResponse, :RelayState, :SigAlg].map do |key|
+          %i[SAMLRequest SAMLResponse RelayState SigAlg].map do |key|
             value = params[key]
             value.present? ? "#{key}=#{value}" : nil
           end.compact.join('&')
         end
 
         def algorithm_for(algorithm)
-          case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+          case algorithm =~ /(rsa-)?sha(.*?)$/i && Regexp.last_match(2).to_i
           when 256
             OpenSSL::Digest::SHA256.new
           when 384
@@ -74,6 +74,11 @@ module Saml
             SigAlg: params['SigAlg'] || params[:SigAlg],
           }
         end
+
+        def params_to_hash(value)
+          return value unless value.is_a?(String)
+          Hash[URI.parse(value).query.split('&').map { |x| x.split('=', 2) }]
+        end
       end
     end
   end

data/lib/saml/kit/bindings/url_builder.rb

@@ -17,7 +17,7 @@ module Saml
           else
             payload = to_query_string(
               saml_document.query_string_parameter => serialize(saml_document.to_xml),
-              'RelayState' => relay_state,
+              'RelayState' => relay_state
             )
             "#{saml_document.destination}?#{payload}"
           end
@@ -34,7 +34,7 @@ module Saml
           to_query_string(
             saml_document.query_string_parameter => serialize(saml_document.to_xml),
             'RelayState' => relay_state,
-            'SigAlg' => ::Xml::Kit::Namespaces::SHA256,
+            'SigAlg' => ::Xml::Kit::Namespaces::SHA256
           )
         end
 

data/lib/saml/kit/buildable.rb

@@ -4,19 +4,19 @@ module Saml
       extend ActiveSupport::Concern
 
       class_methods do
-        def build(*args) # :yields builder
+        def build(*args)
           builder(*args) do |builder|
             yield builder if block_given?
           end.build
         end
 
-        def build_xml(*args) # :yields builder
+        def build_xml(*args)
           builder(*args) do |builder|
             yield builder if block_given?
           end.to_xml
         end
 
-        def builder(*args) # :yields builder
+        def builder(*args)
           builder_class.new(*args).tap do |builder|
             yield builder if block_given?
           end

data/lib/saml/kit/builders/assertion.rb

@@ -25,6 +25,10 @@ module Saml
           user.assertion_attributes_for(request)
         end
 
+        def signing_key_pair
+          super || @response_builder.signing_key_pair
+        end
+
         private
 
         def assertion_options

data/lib/saml/kit/builders/authentication_request.rb

@@ -15,7 +15,7 @@ module Saml
           @issuer = configuration.entity_id
           @name_id_format = Namespaces::PERSISTENT
           @now = Time.now.utc
-          @version = "2.0"
+          @version = '2.0'
         end
 
         def build
@@ -26,8 +26,8 @@ module Saml
 
         def request_options
           options = {
-            "xmlns:samlp" => Namespaces::PROTOCOL,
-            "xmlns:saml" => Namespaces::ASSERTION,
+            'xmlns:samlp' => Namespaces::PROTOCOL,
+            'xmlns:saml' => Namespaces::ASSERTION,
             ID: id,
             Version: version,
             IssueInstant: now.utc.iso8601,

data/lib/saml/kit/builders/logout_request.rb

@@ -16,7 +16,7 @@ module Saml
           @issuer = configuration.entity_id
           @name_id_format = Saml::Kit::Namespaces::PERSISTENT
           @now = Time.now.utc
-          @version = "2.0"
+          @version = '2.0'
         end
 
         def build

data/lib/saml/kit/builders/logout_response.rb

@@ -16,7 +16,7 @@ module Saml
           @now = Time.now.utc
           @request = request
           @status_code = Namespaces::SUCCESS
-          @version = "2.0"
+          @version = '2.0'
         end
 
         def build

data/lib/saml/kit/builders/response.rb

@@ -17,9 +17,10 @@ module Saml
           @id = ::Xml::Kit::Id.generate
           @reference_id = ::Xml::Kit::Id.generate
           @now = Time.now.utc
-          @version = "2.0"
+          @version = '2.0'
           @status_code = Namespaces::SUCCESS
           @issuer = configuration.entity_id
+          @encryption_certificate = request.try(:provider).try(:encryption_certificates).try(:last)
           @encrypt = encryption_certificate.present?
           @configuration = configuration
         end
@@ -28,13 +29,6 @@ module Saml
           Saml::Kit::Response.new(to_xml, request_id: request.id, configuration: configuration)
         end
 
-        def encryption_certificate
-          request.provider.encryption_certificates.first
-        rescue => error
-          Saml::Kit.logger.error(error)
-          nil
-        end
-
         def assertion
           @assertion ||=
             begin

data/lib/saml/kit/builders/templates/assertion.builder

@@ -4,7 +4,7 @@ xml.Assertion(assertion_options) do
   xml.Subject do
     xml.NameID name_id, Format: name_id_format
     xml.SubjectConfirmation Method: Saml::Kit::Namespaces::BEARER do
-      xml.SubjectConfirmationData "", subject_confirmation_data_options
+      xml.SubjectConfirmationData '', subject_confirmation_data_options
     end
   end
   xml.Conditions conditions_options do

data/lib/saml/kit/builders/templates/metadata.builder

@@ -4,11 +4,11 @@ xml.EntityDescriptor entity_descriptor_options do
   render identity_provider, xml: xml
   render service_provider, xml: xml
   xml.Organization do
-    xml.OrganizationName organization_name, 'xml:lang': "en"
-    xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
-    xml.OrganizationURL organization_url, 'xml:lang': "en"
+    xml.OrganizationName organization_name, 'xml:lang': 'en'
+    xml.OrganizationDisplayName organization_name, 'xml:lang': 'en'
+    xml.OrganizationURL organization_url, 'xml:lang': 'en'
   end
-  xml.ContactPerson contactType: "technical" do
+  xml.ContactPerson contactType: 'technical' do
     xml.Company "mailto:#{contact_email}"
   end
 end

data/lib/saml/kit/builders/templates/service_provider_metadata.builder

@@ -12,6 +12,6 @@ xml.SPSSODescriptor descriptor_options do
     xml.NameIDFormat format
   end
   acs_urls.each_with_index do |item, index|
-    xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
+    xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index.zero?
   end
 end

data/lib/saml/kit/composite_metadata.rb

@@ -5,7 +5,7 @@ module Saml
       attr_reader :service_provider, :identity_provider
 
       def initialize(xml)
-        super("IDPSSODescriptor", xml)
+        super('IDPSSODescriptor', xml)
         @metadatum = [
           Saml::Kit::ServiceProviderMetadata.new(xml),
           Saml::Kit::IdentityProviderMetadata.new(xml),
@@ -13,10 +13,10 @@ module Saml
       end
 
       def services(type)
-        xpath = map { |x| "//md:EntityDescriptor/md:#{x.name}/md:#{type}" }.join("|")
+        xpath = map { |x| "//md:EntityDescriptor/md:#{x.name}/md:#{type}" }.join('|')
         document.find_all(xpath).map do |item|
-          binding = item.attribute("Binding").value
-          location = item.attribute("Location").value
+          binding = item.attribute('Binding').value
+          location = item.attribute('Location').value
           Saml::Kit::Bindings.create_for(binding, location)
         end
       end
@@ -30,12 +30,16 @@ module Saml
       end
 
       def method_missing(name, *args)
-        if target = find { |x| x.respond_to?(name) }
+        if (target = find { |x| x.respond_to?(name) })
           target.public_send(name, *args)
         else
           super
         end
       end
+
+      def respond_to_missing?(method, *)
+        find { |x| x.respond_to?(method) }
+      end
     end
   end
 end

data/lib/saml/kit/configuration.rb

@@ -20,7 +20,7 @@ module Saml
     #     configuration.add_key_pair(ENV["X509_CERTIFICATE"], ENV["PRIVATE_KEY"], passphrase: ENV['PRIVATE_KEY_PASSPHRASE'], use: :encryption)
     #   end
     class Configuration
-      USES = [:signing, :encryption]
+      USES = %i[signing encryption].freeze
       # The issuer to use in requests or responses from this entity to use.
       attr_accessor :entity_id
       # The signature method to use when generating signatures (See {Saml::Kit::Builders::XmlSignature::SIGNATURE_METHODS})
@@ -36,7 +36,7 @@ module Saml
       # The total allowable clock drift for session timeout validation.
       attr_accessor :clock_drift
 
-      def initialize # :yields configuration
+      def initialize
         @clock_drift = 30.seconds
         @digest_method = :SHA256
         @key_pairs = []
@@ -85,7 +85,7 @@ module Saml
       # Return each private for a specific use.
       #
       # @param use [Symbol] the type of key pair to return `nil`, `:signing` or `:encryption`
-      def private_keys(use: :signing)
+      def private_keys(use: nil)
         key_pairs(use: use).flat_map(&:private_key)
       end
 
@@ -97,10 +97,10 @@ module Saml
       private
 
       def ensure_proper_use!(use)
-        unless USES.include?(use)
-          error_message = "Use must be either :signing or :encryption"
-          raise ArgumentError.new(error_message)
-        end
+        return if USES.include?(use)
+
+        error_message = 'Use must be either :signing or :encryption'
+        raise ArgumentError, error_message
       end
     end
   end

data/lib/saml/kit/default_registry.rb

@@ -62,7 +62,7 @@ module Saml
 
       # Yields each registered [Saml::Kit::Metadata] to the block.
       def each
-        @items.each do |key, value|
+        @items.each_value do |value|
           yield value
         end
       end

data/lib/saml/kit/document.rb

@@ -1,19 +1,20 @@
 module Saml
   module Kit
     class Document
-      PROTOCOL_XSD = File.expand_path("./xsd/saml-schema-protocol-2.0.xsd", File.dirname(__FILE__)).freeze
+      include ActiveModel::Validations
+      include XsdValidatable
+      include Translatable
+      include Trustable
+      include Buildable
+      PROTOCOL_XSD = File.expand_path('./xsd/saml-schema-protocol-2.0.xsd', File.dirname(__FILE__)).freeze
       NAMESPACES = {
         "NameFormat": ::Saml::Kit::Namespaces::ATTR_SPLAT,
         "ds": ::Xml::Kit::Namespaces::XMLDSIG,
         "md": ::Saml::Kit::Namespaces::METADATA,
         "saml": ::Saml::Kit::Namespaces::ASSERTION,
         "samlp": ::Saml::Kit::Namespaces::PROTOCOL,
+        'xmlenc' => ::Xml::Kit::Namespaces::XMLENC,
       }.freeze
-      include ActiveModel::Validations
-      include XsdValidatable
-      include Translatable
-      include Trustable
-      include Buildable
       validates_presence_of :content
       validates_presence_of :id
       validate :must_match_xsd
@@ -60,13 +61,28 @@ module Saml
       #
       # @param pretty [Boolean] formats the xml or returns the raw xml.
       def to_xml(pretty: false)
-        pretty ? Nokogiri::XML(content).to_xml(indent: 2) : content
+        pretty ? to_nokogiri.to_xml(indent: 2) : content
       end
 
-      # Returns the SAML document as an XHTML string. 
+      # Returns the SAML document as an XHTML string.
       # This is useful for rendering in a web page.
       def to_xhtml
-        Nokogiri::XML(content, &:noblanks).to_xhtml
+        Nokogiri::XML(to_xml, &:noblanks).to_xhtml
+      end
+
+      # @!visibility private
+      def to_nokogiri
+        @nokogiri ||= Nokogiri::XML(content)
+      end
+
+      # @!visibility private
+      def at_xpath(xpath)
+        to_nokogiri.at_xpath(xpath, NAMESPACES)
+      end
+
+      # @!visibility private
+      def search(xpath)
+        to_nokogiri.search(xpath, NAMESPACES)
       end
 
       def to_s
@@ -75,11 +91,11 @@ module Saml
 
       class << self
         XPATH = [
-          "/samlp:AuthnRequest",
-          "/samlp:LogoutRequest",
-          "/samlp:LogoutResponse",
-          "/samlp:Response",
-        ].join("|")
+          '/samlp:AuthnRequest',
+          '/samlp:LogoutRequest',
+          '/samlp:LogoutResponse',
+          '/samlp:Response',
+        ].join('|')
 
         # Returns the raw xml as a Saml::Kit SAML document.
         #
@@ -87,16 +103,16 @@ module Saml
         # @param configuration [Saml::Kit::Configuration] the configuration to use for unpacking the document.
         def to_saml_document(xml, configuration: Saml::Kit.configuration)
           xml_document = ::Xml::Kit::Document.new(xml, namespaces: {
-            "samlp": ::Saml::Kit::Namespaces::PROTOCOL
-          })
+                                                    "samlp": ::Saml::Kit::Namespaces::PROTOCOL
+                                                  })
           constructor = {
-            "AuthnRequest" => Saml::Kit::AuthenticationRequest,
-            "LogoutRequest" => Saml::Kit::LogoutRequest,
-            "LogoutResponse" => Saml::Kit::LogoutResponse,
-            "Response" => Saml::Kit::Response,
+            'AuthnRequest' => Saml::Kit::AuthenticationRequest,
+            'LogoutRequest' => Saml::Kit::LogoutRequest,
+            'LogoutResponse' => Saml::Kit::LogoutResponse,
+            'Response' => Saml::Kit::Response,
           }[xml_document.find_by(XPATH).name] || InvalidDocument
           constructor.new(xml, configuration: configuration)
-        rescue => error
+        rescue StandardError => error
           Saml::Kit.logger.error(error)
           InvalidDocument.new(xml, configuration: configuration)
         end
@@ -113,7 +129,7 @@ module Saml
           when Saml::Kit::LogoutRequest.to_s
             Saml::Kit::Builders::LogoutRequest
           else
-            raise ArgumentError.new("Unknown SAML Document #{name}")
+            raise ArgumentError, "Unknown SAML Document #{name}"
           end
         end
       end
@@ -140,7 +156,7 @@ module Saml
 
       def must_be_valid_version
         return unless expected_type?
-        return if "2.0" == version
+        return if version == '2.0'
         errors[:version] << error_message(:invalid_version)
       end
     end