saml-kit 1.0.6 → 1.0.7

data/lib/saml/kit/identity_provider_metadata.rb

@@ -32,15 +32,15 @@ module Saml
     # {include:file:spec/examples/identity_provider_metadata_spec.rb}
     class IdentityProviderMetadata < Metadata
       def initialize(xml)
-        super("IDPSSODescriptor", xml)
+        super('IDPSSODescriptor', xml)
       end
 
       # Returns the IDPSSODescriptor/@WantAuthnRequestsSigned attribute.
       def want_authn_requests_signed
         xpath = "/md:EntityDescriptor/md:#{name}"
-        attribute = document.find_by(xpath).attribute("WantAuthnRequestsSigned")
+        attribute = document.find_by(xpath).attribute('WantAuthnRequestsSigned')
         return true if attribute.nil?
-        attribute.text.downcase == "true"
+        attribute.text.casecmp('true').zero?
       end
 
       # Returns each of the SingleSignOnService elements.
@@ -59,8 +59,8 @@ module Saml
       def attributes
         document.find_all("/md:EntityDescriptor/md:#{name}/saml:Attribute").map do |item|
           {
-            format: item.attribute("NameFormat").try(:value),
-            name: item.attribute("Name").value,
+            format: item.attribute('NameFormat').try(:value),
+            name: item.attribute('Name').value,
           }
         end
       end
@@ -71,7 +71,7 @@ module Saml
       # @param relay_state [Object] The RelayState to include the returned SAML params.
       # @param configuration [Saml::Kit::Configuration] the configuration to use for generating the request.
       # @return [Array] The url and saml params encoded using the rules for the specified binding.
-      def login_request_for(binding:, relay_state: nil, configuration: Saml::Kit.configuration) # :yields builder
+      def login_request_for(binding:, relay_state: nil, configuration: Saml::Kit.configuration)
         builder = Saml::Kit::AuthenticationRequest.builder(configuration: configuration) do |x|
           x.embed_signature = want_authn_requests_signed
           yield x if block_given?

data/lib/saml/kit/invalid_document.rb

@@ -7,12 +7,12 @@ module Saml
       end
 
       def initialize(xml, configuration: nil)
-        super(xml, name: "InvalidDocument")
+        super(xml, name: 'InvalidDocument')
       end
 
       def to_h
         super
-      rescue
+      rescue StandardError
         {}
       end
     end

data/lib/saml/kit/locales/en.yml

@@ -3,12 +3,13 @@ en:
   saml/kit:
     errors:
       Assertion:
+        cannot_decrypt: "cannot be decrypted."
         expired: "must not be expired."
         must_match_issuer: "must match entityId."
         must_contain_single_assertion: "must contain single Assertion."
       AuthnRequest:
         invalid: "must contain AuthnRequest."
-        invalid_fingerprint: "does not match."
+        invalid_fingerprint: "is not registered."
         unregistered: "is unregistered."
       IDPSSODescriptor:
         invalid: "must contain IDPSSODescriptor."
@@ -16,16 +17,24 @@ en:
       InvalidDocument:
         invalid: "must contain valid SAMLRequest"
       LogoutRequest:
-        invalid_fingerprint: "does not match."
+        invalid_fingerprint: "is not registered."
         unregistered: "is unregistered."
       LogoutResponse:
         unregistered: "is unregistered."
+      NullAssertion:
+        invalid: "is missing."
       Response:
         invalid: "must contain Response."
-        invalid_fingerprint: "does not match."
+        invalid_fingerprint: "is not registered."
         invalid_response_to: "must match request id."
         invalid_version: "must be 2.0."
         unregistered: "must originate from registered identity provider."
+        must_contain_single_assertion: "must contain a single Assertion."
+      Signature:
+        certificate: "Not valid before %{not_before}. Not valid after %{not_after}."
+        digest_value: "is invalid."
+        empty: "is missing."
+        signature: "is invalid."
       SPSSODescriptor:
         invalid: "must contain SPSSODescriptor."
         invalid_signature: "invalid signature."

data/lib/saml/kit/logout_request.rb

@@ -31,7 +31,7 @@ module Saml
       # @param xml [String] The raw xml string.
       # @param configuration [Saml::Kit::Configuration] the configuration to use.
       def initialize(xml, configuration: Saml::Kit.configuration)
-        super(xml, name: "LogoutRequest", configuration: configuration)
+        super(xml, name: 'LogoutRequest', configuration: configuration)
       end
 
       # Returns the NameID value.

data/lib/saml/kit/logout_response.rb

@@ -10,7 +10,7 @@ module Saml
 
       def initialize(xml, request_id: nil, configuration: Saml::Kit.configuration)
         @request_id = request_id
-        super(xml, name: "LogoutResponse", configuration: configuration)
+        super(xml, name: 'LogoutResponse', configuration: configuration)
       end
     end
   end

data/lib/saml/kit/metadata.rb

@@ -23,7 +23,11 @@ module Saml
     # for a list of options that can be specified.
     # {include:file:spec/examples/metadata_spec.rb}
     class Metadata
-      METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
+      include ActiveModel::Validations
+      include XsdValidatable
+      include Translatable
+      include Buildable
+      METADATA_XSD = File.expand_path('./xsd/saml-schema-metadata-2.0.xsd', File.dirname(__FILE__)).freeze
       NAMESPACES = {
         "NameFormat": Namespaces::ATTR_SPLAT,
         "ds": ::Xml::Kit::Namespaces::XMLDSIG,
@@ -31,10 +35,6 @@ module Saml
         "saml": Namespaces::ASSERTION,
         "samlp": Namespaces::PROTOCOL,
       }.freeze
-      include ActiveModel::Validations
-      include XsdValidatable
-      include Translatable
-      include Buildable
 
       validates_presence_of :metadata
       validate :must_contain_descriptor
@@ -50,7 +50,7 @@ module Saml
 
       # Returns the /EntityDescriptor/@entityID
       def entity_id
-        document.find_by("/md:EntityDescriptor/@entityID").value
+        document.find_by('/md:EntityDescriptor/@entityID').value
       end
 
       # Returns the supported NameIDFormats.
@@ -60,23 +60,23 @@ module Saml
 
       # Returns the Organization Name
       def organization_name
-        document.find_by("/md:EntityDescriptor/md:Organization/md:OrganizationName").try(:text)
+        document.find_by('/md:EntityDescriptor/md:Organization/md:OrganizationName').try(:text)
       end
 
       # Returns the Organization URL
       def organization_url
-        document.find_by("/md:EntityDescriptor/md:Organization/md:OrganizationURL").try(:text)
+        document.find_by('/md:EntityDescriptor/md:Organization/md:OrganizationURL').try(:text)
       end
 
       # Returns the Company
       def contact_person_company
-        document.find_by("/md:EntityDescriptor/md:ContactPerson/md:Company").try(:text)
+        document.find_by('/md:EntityDescriptor/md:ContactPerson/md:Company').try(:text)
       end
 
       # Returns each of the X509 certificates.
       def certificates
         @certificates ||= document.find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
-          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NAMESPACES).text
+          cert = item.at_xpath('./ds:KeyInfo/ds:X509Data/ds:X509Certificate', NAMESPACES).text
           attribute = item.attribute('use')
           use = attribute.nil? ? nil : item.attribute('use').value
           ::Xml::Kit::Certificate.new(cert, use: use)
@@ -98,8 +98,8 @@ module Saml
       # @param type [String] the type of service. .E.g. `AssertionConsumerServiceURL`
       def services(type)
         document.find_all("/md:EntityDescriptor/md:#{name}/md:#{type}").map do |item|
-          binding = item.attribute("Binding").value
-          location = item.attribute("Location").value
+          binding = item.attribute('Binding').value
+          location = item.attribute('Location').value
           Saml::Kit::Bindings.create_for(binding, location)
         end
       end
@@ -179,25 +179,31 @@ module Saml
         end
       end
 
-      # Creates a `{Saml::Kit::Metadata}` object from a raw XML [String].
-      #
-      # @param content [String] the raw metadata XML.
-      # @return [Saml::Kit::Metadata] the metadata document or subclass.
-      def self.from(content)
-        hash = Hash.from_xml(content)
-        entity_descriptor = hash["EntityDescriptor"]
-        if entity_descriptor.key?("SPSSODescriptor") && entity_descriptor.key?("IDPSSODescriptor")
-          Saml::Kit::CompositeMetadata.new(content)
-        elsif entity_descriptor.keys.include?("SPSSODescriptor")
-          Saml::Kit::ServiceProviderMetadata.new(content)
-        elsif entity_descriptor.keys.include?("IDPSSODescriptor")
-          Saml::Kit::IdentityProviderMetadata.new(content)
+      def signature
+        @signature ||= Signature.new(at_xpath('/md:EntityDescriptor/ds:Signature'))
+      end
+
+      class << self
+        # Creates a `{Saml::Kit::Metadata}` object from a raw XML [String].
+        #
+        # @param content [String] the raw metadata XML.
+        # @return [Saml::Kit::Metadata] the metadata document or subclass.
+        def from(content)
+          hash = Hash.from_xml(content)
+          entity_descriptor = hash['EntityDescriptor']
+          if entity_descriptor.key?('SPSSODescriptor') && entity_descriptor.key?('IDPSSODescriptor')
+            Saml::Kit::CompositeMetadata.new(content)
+          elsif entity_descriptor.keys.include?('SPSSODescriptor')
+            Saml::Kit::ServiceProviderMetadata.new(content)
+          elsif entity_descriptor.keys.include?('IDPSSODescriptor')
+            Saml::Kit::IdentityProviderMetadata.new(content)
+          end
         end
-      end
 
-      # @!visibility private
-      def self.builder_class
-        Saml::Kit::Builders::Metadata
+        # @!visibility private
+        def builder_class
+          Saml::Kit::Builders::Metadata
+        end
       end
 
       private
@@ -208,6 +214,10 @@ module Saml
         @document ||= ::Xml::Kit::Document.new(xml, namespaces: NAMESPACES)
       end
 
+      def at_xpath(xpath)
+        document.find_by(xpath)
+      end
+
       def metadata
         document.find_by("/md:EntityDescriptor/md:#{name}").present?
       end
@@ -221,20 +231,12 @@ module Saml
       end
 
       def must_have_valid_signature
-        return if to_xml.blank?
-
-        unless valid_signature?
-          errors[:base] << error_message(:invalid_signature)
-        end
-      end
+        return unless signature.present?
 
-      def valid_signature?
-        xml = document
-        result = xml.valid?
-        xml.errors.each do |error|
-          errors[:base] << error
+        signature.valid?
+        signature.errors.each do |attribute, error|
+          errors[attribute] << error
         end
-        result
       end
     end
   end

data/lib/saml/kit/namespaces.rb

@@ -1,32 +1,32 @@
 module Saml
   module Kit
     module Namespaces
-      SAML_2_0 = "urn:oasis:names:tc:SAML:2.0"
-      SAML_1_1 = "urn:oasis:names:tc:SAML:1.1"
-      ATTR_NAME_FORMAT = "#{SAML_2_0}:attrname-format"
-      NAME_ID_FORMAT_1_1 = "#{SAML_1_1}:nameid-format"
-      NAME_ID_FORMAT_2_0 = "#{SAML_2_0}:nameid-format"
-      STATUS = "#{SAML_2_0}:status"
+      SAML_2_0 = 'urn:oasis:names:tc:SAML:2.0'.freeze
+      SAML_1_1 = 'urn:oasis:names:tc:SAML:1.1'.freeze
+      ATTR_NAME_FORMAT = "#{SAML_2_0}:attrname-format".freeze
+      NAME_ID_FORMAT_1_1 = "#{SAML_1_1}:nameid-format".freeze
+      NAME_ID_FORMAT_2_0 = "#{SAML_2_0}:nameid-format".freeze
+      STATUS = "#{SAML_2_0}:status".freeze
 
-      ASSERTION = "#{SAML_2_0}:assertion"
-      ATTR_SPLAT = "#{ATTR_NAME_FORMAT}:*"
-      BASIC = "#{ATTR_NAME_FORMAT}:basic"
-      BEARER = "#{SAML_2_0}:cm:bearer"
-      EMAIL_ADDRESS = "#{NAME_ID_FORMAT_1_1}:emailAddress"
-      INVALID_NAME_ID_POLICY = "#{STATUS}:InvalidNameIDPolicy"
-      METADATA = "#{SAML_2_0}:metadata"
-      PASSWORD = "#{SAML_2_0}:ac:classes:Password"
-      PASSWORD_PROTECTED = "#{SAML_2_0}:ac:classes:PasswordProtectedTransport"
-      PERSISTENT = "#{NAME_ID_FORMAT_2_0}:persistent"
-      PROTOCOL = "#{SAML_2_0}:protocol"
-      REQUESTER_ERROR = "#{STATUS}:Requester"
-      RESPONDER_ERROR = "#{STATUS}:Responder"
-      SUCCESS = "#{STATUS}:Success"
-      TRANSIENT = "#{NAME_ID_FORMAT_2_0}:transient"
-      UNSPECIFIED = "#{SAML_2_0}:consent:unspecified"
-      UNSPECIFIED_NAMEID = "#{NAME_ID_FORMAT_1_1}:unspecified"
-      URI = "#{ATTR_NAME_FORMAT}:uri"
-      VERSION_MISMATCH_ERROR = "#{STATUS}:VersionMismatch"
+      ASSERTION = "#{SAML_2_0}:assertion".freeze
+      ATTR_SPLAT = "#{ATTR_NAME_FORMAT}:*".freeze
+      BASIC = "#{ATTR_NAME_FORMAT}:basic".freeze
+      BEARER = "#{SAML_2_0}:cm:bearer".freeze
+      EMAIL_ADDRESS = "#{NAME_ID_FORMAT_1_1}:emailAddress".freeze
+      INVALID_NAME_ID_POLICY = "#{STATUS}:InvalidNameIDPolicy".freeze
+      METADATA = "#{SAML_2_0}:metadata".freeze
+      PASSWORD = "#{SAML_2_0}:ac:classes:Password".freeze
+      PASSWORD_PROTECTED = "#{SAML_2_0}:ac:classes:PasswordProtectedTransport".freeze
+      PERSISTENT = "#{NAME_ID_FORMAT_2_0}:persistent".freeze
+      PROTOCOL = "#{SAML_2_0}:protocol".freeze
+      REQUESTER_ERROR = "#{STATUS}:Requester".freeze
+      RESPONDER_ERROR = "#{STATUS}:Responder".freeze
+      SUCCESS = "#{STATUS}:Success".freeze
+      TRANSIENT = "#{NAME_ID_FORMAT_2_0}:transient".freeze
+      UNSPECIFIED = "#{SAML_2_0}:consent:unspecified".freeze
+      UNSPECIFIED_NAMEID = "#{NAME_ID_FORMAT_1_1}:unspecified".freeze
+      URI = "#{ATTR_NAME_FORMAT}:uri".freeze
+      VERSION_MISMATCH_ERROR = "#{STATUS}:VersionMismatch".freeze
     end
   end
 end

data/lib/saml/kit/null_assertion.rb

@@ -0,0 +1,17 @@
+module Saml
+  module Kit
+    class NullAssertion
+      include ActiveModel::Validations
+      include Translatable
+      validate :invalid
+
+      def invalid
+        errors[:assertion].push(error_message(:invalid))
+      end
+
+      def name
+        'NullAssertion'
+      end
+    end
+  end
+end

data/lib/saml/kit/respondable.rb

@@ -33,10 +33,9 @@ module Saml
 
       def must_match_request_id
         return if request_id.nil?
+        return if in_response_to == request_id
 
-        if in_response_to != request_id
-          errors[:in_response_to] << error_message(:invalid_response_to)
-        end
+        errors[:in_response_to] << error_message(:invalid_response_to)
       end
     end
   end

data/lib/saml/kit/response.rb

@@ -8,14 +8,23 @@ module Saml
       def_delegators :assertion, :name_id, :[], :attributes
 
       validate :must_be_valid_assertion
+      validate :must_contain_single_assertion
 
       def initialize(xml, request_id: nil, configuration: Saml::Kit.configuration)
         @request_id = request_id
-        super(xml, name: "Response", configuration: configuration)
+        super(xml, name: 'Response', configuration: configuration)
       end
 
-      def assertion
-        @assertion ||= Saml::Kit::Assertion.new(to_h, configuration: @configuration)
+      def assertion(private_keys = configuration.private_keys(use: :encryption))
+        @assertion ||=
+          begin
+            node = assertion_nodes.last
+            if node.nil?
+              Saml::Kit::NullAssertion.new
+            else
+              Saml::Kit::Assertion.new(node, configuration: @configuration, private_keys: private_keys)
+            end
+          end
       end
 
       private
@@ -23,9 +32,19 @@ module Saml
       def must_be_valid_assertion
         assertion.valid?
         assertion.errors.each do |attribute, error|
-          self.errors[attribute] << error
+          attribute = :assertion if attribute == :base
+          errors[attribute] << error
         end
       end
+
+      def must_contain_single_assertion
+        return if assertion_nodes.count <= 1
+        errors[:base] << error_message(:must_contain_single_assertion)
+      end
+
+      def assertion_nodes
+        search(Saml::Kit::Assertion::XPATH)
+      end
     end
   end
 end

data/lib/saml/kit/rspec/have_query_param.rb

@@ -6,7 +6,7 @@ RSpec::Matchers.define :have_query_param do |key|
   end
 
   def query_params_from(url)
-    Hash[query_for(url).split("&").map { |x| x.split('=', 2) }]
+    Hash[query_for(url).split('&').map { |x| x.split('=', 2) }]
   end
 
   def uri_for(url)

data/lib/saml/kit/service_provider_metadata.rb

@@ -3,7 +3,7 @@ module Saml
     # {include:file:spec/examples/service_provider_metadata_spec.rb}
     class ServiceProviderMetadata < Metadata
       def initialize(xml)
-        super("SPSSODescriptor", xml)
+        super('SPSSODescriptor', xml)
       end
 
       # Returns each of the AssertionConsumerService bindings.
@@ -20,9 +20,9 @@ module Saml
 
       # Returns true when the metadata demands that Assertions must be signed.
       def want_assertions_signed
-        attribute = document.find_by("/md:EntityDescriptor/md:#{name}").attribute("WantAssertionsSigned")
+        attribute = document.find_by("/md:EntityDescriptor/md:#{name}").attribute('WantAssertionsSigned')
         return true if attribute.nil?
-        attribute.text.downcase == "true"
+        attribute.text.casecmp('true').zero?
       end
 
       # @!visibility private

data/lib/saml/kit/signature.rb

@@ -2,14 +2,21 @@ module Saml
   module Kit
     class Signature
       include ActiveModel::Validations
+      include Translatable
 
-      def initialize(xml_hash)
-        @xml_hash = xml_hash
+      validate :validate_signature
+      validate :validate_certificate
+
+      attr_reader :name
+
+      def initialize(node)
+        @name = 'Signature'
+        @node = node
       end
 
       # Returns the embedded X509 Certificate
       def certificate
-        value = to_h.fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
+        value = at_xpath('./ds:KeyInfo/ds:X509Data/ds:X509Certificate').try(:text)
         return if value.nil?
         ::Xml::Kit::Certificate.new(value, use: :signing)
       end
@@ -20,9 +27,72 @@ module Saml
         metadata.matches?(certificate.fingerprint, use: :signing)
       end
 
+      def digest_value
+        at_xpath('./ds:SignedInfo/ds:Reference/ds:DigestValue').try(:text)
+      end
+
+      def digest_method
+        at_xpath('./ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm').try(:value)
+      end
+
+      def signature_value
+        at_xpath('./ds:SignatureValue').try(:text)
+      end
+
+      def signature_method
+        at_xpath('./ds:SignedInfo/ds:SignatureMethod/@Algorithm').try(:value)
+      end
+
+      def canonicalization_method
+        at_xpath('./ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm').try(:value)
+      end
+
+      def transforms
+        node.search('./ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform/@Algorithm', Saml::Kit::Document::NAMESPACES).try(:map, &:value)
+      end
+
       # Returns the XML Hash.
       def to_h
-        @xml_hash
+        @xml_hash ||= present? ? Hash.from_xml(to_xml)['Signature'] : {}
+      end
+
+      def present?
+        node
+      end
+
+      def to_xml
+        node.to_s
+      end
+
+      private
+
+      attr_reader :node
+
+      def validate_signature
+        return errors[:base].push(error_message(:empty)) if certificate.nil?
+
+        signature = Xmldsig::Signature.new(@node, 'ID=$uri or @Id')
+        return if signature.valid?(certificate.x509)
+        signature.errors.each do |attribute|
+          errors.add(attribute, error_message(attribute))
+        end
+      end
+
+      def validate_certificate(now = Time.now.utc)
+        return unless certificate.present?
+        return if certificate.active?(now)
+
+        message = error_message(
+          :certificate,
+          not_before: certificate.not_before,
+          not_after: certificate.not_after
+        )
+        errors.add(:certificate, message)
+      end
+
+      def at_xpath(xpath)
+        return nil unless node
+        node.at_xpath(xpath, Saml::Kit::Document::NAMESPACES)
       end
     end
   end