saml2 2.0.2 → 2.1.0

data/lib/saml2/schemas.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SAML2
   module Schemas
     def self.federation

data/lib/saml2/service_provider.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'nokogiri'
 
 require 'saml2/endpoint'
@@ -11,12 +13,14 @@ module SAML2
       @attribute_consuming_services = AttributeConsumingService::Array.new
     end
 
+    # (see Base#from_xml)
     def from_xml(node)
       super
       @assertion_consumer_services = nil
       @attribute_consuming_services = nil
     end
 
+    # @return [Endpoint::Indexed::Array]
     def assertion_consumer_services
       @assertion_consumer_services ||= begin
         nodes = xml.xpath('md:AssertionConsumerService', Namespaces::ALL)
@@ -24,6 +28,7 @@ module SAML2
       end
     end
 
+    # @return [AttributeConsumingService::Array]
     def attribute_consuming_services
       @attribute_consuming_services ||= begin
         nodes = xml.xpath('md:AttributeConsumingService', Namespaces::ALL)
@@ -31,6 +36,7 @@ module SAML2
       end
     end
 
+    # (see Base#build)
     def build(builder)
       builder['md'].SPSSODescriptor do |sp_sso_descriptor|
         super(sp_sso_descriptor)

data/lib/saml2/signable.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 require 'saml2/key'
 
 module SAML2
   module Signable
+    # @return [Nokogiri::XML::Element, nil]
     def signature
       unless instance_variable_defined?(:@signature)
         @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
@@ -19,14 +22,26 @@ module SAML2
       @signature
     end
 
+    # @return [KeyInfo, nil]
     def signing_key
-      @signing_key ||= Key.from_xml(signature)
+      @signing_key ||= KeyInfo.from_xml(signature)
     end
 
     def signed?
       !!signature
     end
 
+    # Validate the signature on this object.
+    #
+    # Either +fingerprint+ or +cert+ must be provided.
+    #
+    # @param fingerprint optional [Array<String>, String]
+    #   SHA1 fingerprints of trusted certificates. If provided, they will be
+    #   checked against the {#signing_key} embedded in the {#signature}, and if
+    #   a match is found, the certificate embedded in the signature will be
+    #   added to the list of certificates used for verifying the signature.
+    # @param cert optional [Array<String>, String]
+    # @return [Array<String>] An empty array on success, details of errors on failure.
     def validate_signature(fingerprint: nil, cert: nil, verification_time: nil)
       return ["not signed"] unless signed?
 
@@ -34,7 +49,7 @@ module SAML2
       # see if any given fingerprints match the certificate embedded in the XML;
       # if so, extract the certificate, and add it to the allowed certificates list
       Array(fingerprint)&.each do |fp|
-        certs << signing_key.certificate if signing_key&.fingerprint == Key.format_fingerprint(fp)
+        certs << signing_key.certificate if signing_key&.fingerprint == KeyInfo.format_fingerprint(fp)
       end
       certs = certs.uniq
       return ["no certificate found"] if certs.empty?
@@ -49,10 +64,25 @@ module SAML2
       end
     end
 
+    # Check if the signature on this object is valid.
+    #
+    # Either +fingerprint+ or +cert+ must be provided.
+    #
+    # @param (see #validate_signature)
+    # @return [Boolean]
     def valid_signature?(fingerprint: nil, cert: nil, verification_time: nil)
       validate_signature(fingerprint: fingerprint, cert: cert, verification_time: verification_time).empty?
     end
 
+    # Sign this object.
+    #
+    # @param x509_certificate [String]
+    #   The certificate corresponding to +private_key+, to be embedded in the
+    #   signature.
+    # @param private_key [String]
+    #   The key to use to sign.
+    # @param algorithm_name [Symbol]
+    # @return [self]
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
       to_xml
 

data/lib/saml2/sso.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 require 'saml2/role'
 
 module SAML2
+  # @abstract
   class SSO < Role
     def initialize
       super
@@ -8,21 +11,25 @@ module SAML2
       @name_id_formats = []
     end
 
+    # (see Base#from_xml)
     def from_xml(node)
       super
       @single_logout_services = nil
       @name_id_formats = nil
     end
 
+    # @return [Array<Endpoint>]
     def single_logout_services
       @single_logout_services ||= load_object_array(xml, 'md:SingleLogoutService', Endpoint)
     end
 
+    # @return [Array<String>]
     def name_id_formats
       @name_id_formats ||= load_string_array(xml, 'md:NameIDFormat')
     end
 
     protected
+
     # should be called from inside the role element
     def build(builder)
       super

data/lib/saml2/status.rb

@@ -1,15 +1,21 @@
+# frozen_string_literal: true
+
 require 'saml2/base'
 
 module SAML2
   class Status < Base
-    SUCCESS      = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
+    SUCCESS      = "urn:oasis:names:tc:SAML:2.0:status:Success"
 
+    # @return [String]
     attr_accessor :code, :message
 
+    # @param code [String]
+    # @param message [String, nil]
     def initialize(code = SUCCESS, message = nil)
       @code, @message = code, message
     end
 
+    # (see Base#from_xml)
     def from_xml(node)
       super
       self.code = node.at_xpath('samlp:StatusCode', Namespaces::ALL)['Value']
@@ -20,6 +26,7 @@ module SAML2
       code == SUCCESS
     end
 
+    # (see Base#build)
     def build(builder)
       builder['samlp'].Status do |status|
         status['samlp'].StatusCode(Value: code)

data/lib/saml2/status_response.rb

@@ -1,21 +1,27 @@
+# frozen_string_literal: true
+
 require 'saml2/message'
 require 'saml2/status'
 
 module SAML2
   class StatusResponse < Message
-    attr_accessor :in_response_to, :status
+    # @return [String]
+    attr_accessor :in_response_to
+    attr_writer :status
 
     def initialize
       super
       @status = Status.new
     end
 
+    # (see Base#from_xml)
     def from_xml(node)
       super
       @status = nil
       remove_instance_variable(:@status)
     end
 
+    # @return [Status]
     def status
       @status ||= Status.from_xml(xml.at_xpath('samlp:Status', Namespaces::ALL))
     end

data/lib/saml2/subject.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'saml2/name_id'
 require 'saml2/namespaces'
 
@@ -10,11 +12,13 @@ module SAML2
       @confirmations = []
     end
 
+    # (see Base#from_xml)
     def from_xml(node)
       super
       @confirmations = nil
     end
 
+    # @return [NameID]
     def name_id
       if xml && !instance_variable_defined?(:@name_id)
         @name_id = NameID.from_xml(xml.at_xpath('saml:NameID', Namespaces::ALL))
@@ -22,18 +26,23 @@ module SAML2
       @name_id
     end
 
+    # @return [Confirmation, nil]
     def confirmation
       Array.wrap(confirmations).first
     end
 
+    # @return [Confirmation, nil]
     def confirmation=(value)
-      @confirmations = [value]
+      @confirmations = value.nil? ? [] : [value]
+      confirmation
     end
 
+    # @return [Confirmation, Array<Confirmation>]
     def confirmations
       @confirmations ||= load_object_array(xml, 'saml:SubjectConfirmation', Confirmation)
     end
 
+    # (see Base#build)
     def build(builder)
       builder['saml'].Subject do |subject|
         name_id.build(subject) if name_id
@@ -45,13 +54,20 @@ module SAML2
 
     class Confirmation < Base
       module Methods
-        BEARER         = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'.freeze
-        HOLDER_OF_KEY  = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'.freeze
-        SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'.freeze
+        BEARER         = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
+        HOLDER_OF_KEY  = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
+        SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
       end
 
-      attr_accessor :method, :not_before, :not_on_or_after, :recipient, :in_response_to
+      # @see Methods
+      # @return [String]
+      attr_accessor :method
+      # @return [Time, nil]
+      attr_accessor :not_before, :not_on_or_after
+      # @return [String, nil]
+      attr_accessor :recipient, :in_response_to
 
+      # (see Base#from_xml)
       def from_xml(node)
         super
         self.method = node['Method']
@@ -64,6 +80,7 @@ module SAML2
         end
       end
 
+      # (see Base#build)
       def build(builder)
         builder['saml'].SubjectConfirmation('Method' => method) do |subject_confirmation|
           if in_response_to ||

data/lib/saml2/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SAML2
-  VERSION = '2.0.2'
+  VERSION = '2.1.0'
 end

data/spec/lib/bindings/http_redirect_spec.rb

@@ -146,15 +146,36 @@ module SAML2
         allow(message).to receive(:destination).and_return("http://somewhere/")
         allow(message).to receive(:to_s).and_return("hi")
         key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
-        url = Bindings::HTTPRedirect.encode(message, relay_state: "abc", private_key: key)
+        url = Bindings::HTTPRedirect.encode(message,
+                                            relay_state: "abc",
+                                            private_key: key)
 
         # verify the signature
         allow(Message).to receive(:parse).with("hi").and_return("parsed")
         Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
-          expect(sig_alg).not_to be_nil
+          expect(sig_alg).to eq Bindings::HTTPRedirect::SigAlgs::RSA_SHA1
           OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key
         end
       end
+
+      it 'signs a message with RSA-SHA256' do
+        message = double()
+        allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("hi")
+        key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
+        url = Bindings::HTTPRedirect.encode(message,
+                                            relay_state: "abc",
+                                            private_key: key,
+                                            sig_alg: Bindings::HTTPRedirect::SigAlgs::RSA_SHA256)
+
+        # verify the signature
+        allow(Message).to receive(:parse).with("hi").and_return("parsed")
+        Bindings::HTTPRedirect.decode(url) do |_message, sig_alg|
+          expect(sig_alg).to eq Bindings::HTTPRedirect::SigAlgs::RSA_SHA256
+          OpenSSL::X509::Certificate.new(fixture('certificate.pem')).public_key
+        end
+      end
+
     end
   end
 end

data/spec/lib/conditions_spec.rb

@@ -3,13 +3,13 @@ require_relative '../spec_helper'
 module SAML2
   describe Conditions do
     it "empty should be valid" do
-      expect(Conditions.new.valid?).to eq :valid
+      expect(Conditions.new.valid?).to eq true
     end
 
     it "should be valid with unknown condition" do
       conditions = Conditions.new
       conditions << Conditions::Condition.new
-      expect(conditions.valid?).to eq :indeterminate
+      expect(conditions.valid?).to eq nil
     end
 
     it "should be valid with timestamps" do
@@ -17,7 +17,7 @@ module SAML2
       now = Time.now.utc
       conditions.not_before = now - 5
       conditions.not_on_or_after = now + 30
-      expect(conditions.valid?).to eq :valid
+      expect(conditions.valid?).to eq true
     end
 
     it "should be invalid with out of range timestamps" do
@@ -25,7 +25,7 @@ module SAML2
       now = Time.now.utc
       conditions.not_before = now - 35
       conditions.not_on_or_after = now - 5
-      expect(conditions.valid?).to eq :invalid
+      expect(conditions.valid?).to eq false
     end
 
     it "should allow passing now" do
@@ -33,7 +33,7 @@ module SAML2
       now = Time.now.utc
       conditions.not_before = now - 35
       conditions.not_on_or_after = now - 5
-      expect(conditions.valid?(now: now - 10)).to eq :valid
+      expect(conditions.valid?(now: now - 10)).to eq true
     end
 
     it "should be invalid before indeterminate" do
@@ -41,29 +41,28 @@ module SAML2
       now = Time.now.utc
       conditions.not_before = now + 5
       conditions << Conditions::Condition.new
-      expect(conditions.valid?).to eq :invalid
+      expect(conditions.valid?).to eq false
     end
 
     it "should be invalid before indeterminate (actual conditions)" do
       conditions = Conditions.new
       conditions << Conditions::Condition.new
       conditions << Conditions::AudienceRestriction.new('audience')
-      expect(conditions.valid?).to eq :invalid
+      expect(conditions.valid?).to eq false
     end
-
   end
 
   describe Conditions::AudienceRestriction do
     it "should be invalid" do
-      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual')).to eq :invalid
+      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'actual')).to eq false
     end
 
     it "should be valid" do
-      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'expected')).to eq :valid
+      expect(Conditions::AudienceRestriction.new('expected').valid?(audience: 'expected')).to eq true
     end
 
     it "should be valid with an array" do
-      expect(Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual')).to eq :valid
+      expect(Conditions::AudienceRestriction.new(['expected', 'actual']).valid?(audience: 'actual')).to eq true
     end
   end
 end

data/spec/lib/identity_provider_spec.rb

@@ -14,7 +14,7 @@ module SAML2
       idp = IdentityProvider.new
       idp.name_id_formats << NameID::Format::PERSISTENT
       idp.single_sign_on_services << Endpoint.new('https://sso.canvaslms.com/SAML2/Login')
-      idp.keys << Key.new('somedata', Key::Type::SIGNING)
+      idp.keys << KeyDescriptor.new('somedata', KeyDescriptor::Type::SIGNING)
 
       entity.roles << idp
       expect(Schemas.metadata.validate(Nokogiri::XML(entity.to_s))).to eq []

data/spec/lib/service_provider_spec.rb

@@ -16,8 +16,8 @@ module SAML2
                                                  Bindings::HTTPRedirect::URN)
       sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login1')
       sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login2')
-      sp.keys << Key.new('somedata', Key::Type::ENCRYPTION, [Key::EncryptionMethod.new])
-      sp.keys << Key.new('somedata', Key::Type::SIGNING)
+      sp.keys << KeyDescriptor.new('somedata', KeyDescriptor::Type::ENCRYPTION, [KeyDescriptor::EncryptionMethod.new])
+      sp.keys << KeyDescriptor.new('somedata', KeyDescriptor::Type::SIGNING)
       acs = AttributeConsumingService.new
       acs.name[:en] = 'service'
       acs.requested_attributes << RequestedAttribute.create('uid')
@@ -59,6 +59,11 @@ module SAML2
         expect(acs.requested_attributes.length).to eq 1
         expect(acs.requested_attributes.first.name).to eq 'urn:oid:2.5.4.42'
       end
+
+      it "loads the key info" do
+        expect(sp.keys.first.encryption_methods.first.algorithm).to eq KeyDescriptor::EncryptionMethod::Algorithm::AES128_CBC
+        expect(sp.keys.first.encryption_methods.first.key_size).to eq 128
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-17 00:00:00.000000000 Z
+date: 2018-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -31,7 +31,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.9'
 - !ruby/object:Gem::Dependency
-  name: nokogiri-xmlsec-me-harder
+  name: nokogiri-xmlsec-instructure
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -39,7 +39,7 @@ dependencies:
         version: '0.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.3pre
+        version: 0.9.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -49,7 +49,7 @@ dependencies:
         version: '0.9'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.9.3pre
+        version: 0.9.4
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement