saml2 3.1.2 → 3.1.3

data/lib/saml2/response.rb

@@ -1,17 +1,15 @@
 # frozen_string_literal: true
 
-require 'nokogiri-xmlsec'
-require 'time'
+require "nokogiri-xmlsec"
+require "time"
 
-require 'saml2/assertion'
-require 'saml2/authn_statement'
-require 'saml2/status_response'
-require 'saml2/subject'
+require "saml2/assertion"
+require "saml2/authn_statement"
+require "saml2/status_response"
+require "saml2/subject"
 
 module SAML2
   class Response < StatusResponse
-    attr_reader :assertions
-
     # Respond to an {AuthnRequest}
     #
     # {AuthnRequest#resolve} needs to have been previously called on the {AuthnRequest}.
@@ -98,7 +96,11 @@ module SAML2
                  verification_time: nil,
                  ignore_audience_condition: false)
       raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
-      raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
+
+      unless (sp = service_provider.service_providers.first)
+        raise ArgumentError,
+              "service_provider should have at least one service_provider role"
+      end
 
       # validate the schema
       super()
@@ -108,7 +110,9 @@ module SAML2
         verification_time = Time.now.utc
         # they issued it in the (near) future according to our clock;
         # use their clock instead
-        verification_time = issue_instant if issue_instant > verification_time && issue_instant < verification_time + 5 * 60
+        if issue_instant > verification_time && issue_instant < verification_time + (5 * 60)
+          verification_time = issue_instant
+        end
       end
 
       # not finding the issuer is not exceptional
@@ -119,16 +123,21 @@ module SAML2
 
       # getting the wrong data type is exceptional, and we should raise an error
       raise ArgumentError, "identity_provider should be an Entity object" unless identity_provider.is_a?(Entity)
-      raise ArgumentError, "identity_provider should have at least one identity_provider role" unless (idp = identity_provider.identity_providers.first)
+
+      unless (idp = identity_provider.identity_providers.first)
+        raise ArgumentError,
+              "identity_provider should have at least one identity_provider role"
+      end
 
       issuer = self.issuer || assertions.first&.issuer
       unless identity_provider.entity_id == issuer&.id
-        errors << "received unexpected message from '#{issuer&.id}'; expected it to be from '#{identity_provider.entity_id}'"
+        errors << "received unexpected message from '#{issuer&.id}'; " \
+                  "expected it to be from '#{identity_provider.entity_id}'"
         return errors
       end
 
-      certificates = idp.signing_keys.map(&:certificate).compact
-      keys = idp.signing_keys.map(&:key).compact
+      certificates = idp.signing_keys.filter_map(&:certificate)
+      keys = idp.signing_keys.filter_map(&:key)
       if idp.fingerprints.empty? && certificates.empty? && keys.empty?
         errors << "could not find certificate to validate message"
         return errors
@@ -140,6 +149,7 @@ module SAML2
                                                       cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
+
         response_signed = true
       end
 
@@ -152,24 +162,27 @@ module SAML2
                                                                 cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
+
         assertion_signed = true
       end
 
-      find_decryption_key = ->(embedded_certificates) do
+      find_decryption_key = lambda do |embedded_certificates|
         key = nil
         embedded_certificates.each do |cert_info|
           cert = case cert_info
-                   when OpenSSL::X509::Certificate; cert_info
-                   when Hash; sp.encryption_keys.map(&:certificate).find { |c| c.serial == cert_info[:serial] }
+                 when OpenSSL::X509::Certificate then cert_info
+                 when Hash then sp.encryption_keys.map(&:certificate).find { |c| c.serial == cert_info[:serial] }
                  end
           next unless cert
+
           key = sp.private_keys.find { |k| cert.check_private_key(k) }
           break if key
         end
-        if !key
+        unless key
           # couldn't figure out which key to use; just try them all
           next sp.private_keys
         end
+
         key
       end
 
@@ -208,23 +221,24 @@ module SAML2
                                                                 cert: certificates)).empty?
           return errors.concat(signature_errors)
         end
+
         assertion_signed = true
       end
 
       # only do our own issue instant validation if the assertion
       # doesn't mandate any
-      unless assertion.conditions&.not_on_or_after
-        if assertion.issue_instant +  5 * 60 < verification_time ||
-            assertion.issue_instant - 5 * 60 > verification_time
-          errors << "assertion not recently issued"
-          return errors
-        end
+      if !assertion.conditions&.not_on_or_after && (assertion.issue_instant + (5 * 60) < verification_time ||
+           assertion.issue_instant - (5 * 60) > verification_time)
+        errors << "assertion not recently issued"
+        return errors
       end
 
       if assertion.conditions &&
-          !(condition_errors = assertion.conditions.validate(verification_time: verification_time,
-                                                             audience: service_provider.entity_id,
-                                                             ignore_audience_condition: ignore_audience_condition)).empty?
+         !(condition_errors = assertion.conditions.validate(
+           verification_time: verification_time,
+           audience: service_provider.entity_id,
+           ignore_audience_condition: ignore_audience_condition
+         )).empty?
         return errors.concat(condition_errors)
       end
 
@@ -253,9 +267,7 @@ module SAML2
 
     # @return [Array<Assertion>]
     def assertions
-      unless instance_variable_defined?(:@assertions)
-        @assertions = load_object_array(xml, 'saml:Assertion', Assertion)
-      end
+      @assertions = load_object_array(xml, "saml:Assertion", Assertion) unless instance_variable_defined?(:@assertions)
       @assertions
     end
 
@@ -275,9 +287,9 @@ module SAML2
     private
 
     def build(builder)
-      builder['samlp'].Response(
-        'xmlns:samlp' => Namespaces::SAMLP,
-        'xmlns:saml' => Namespaces::SAML
+      builder["samlp"].Response(
+        "xmlns:samlp" => Namespaces::SAMLP,
+        "xmlns:saml" => Namespaces::SAML
       ) do |response|
         super(response)
 

data/lib/saml2/role.rb

@@ -1,17 +1,17 @@
 # frozen_string_literal: true
 
-require 'set'
+require "set"
 
-require 'saml2/base'
-require 'saml2/key'
-require 'saml2/organization_and_contacts'
-require 'saml2/signable'
+require "saml2/base"
+require "saml2/key"
+require "saml2/organization_and_contacts"
+require "saml2/signable"
 
 module SAML2
   # @abstract
   class Role < Base
     module Protocols
-      SAML2 = 'urn:oasis:names:tc:SAML:2.0:protocol'
+      SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
     end
 
     include OrganizationAndContacts
@@ -47,29 +47,29 @@ module SAML2
     # @see Protocols
     # @return [Array<String>]
     def supported_protocols
-      @supported_protocols ||= xml['protocolSupportEnumeration'].split
+      @supported_protocols ||= xml["protocolSupportEnumeration"].split
     end
 
     # @return [Array<KeyDescriptor>]
     def keys
-      @keys ||= load_object_array(xml, 'md:KeyDescriptor', KeyDescriptor)
+      @keys ||= load_object_array(xml, "md:KeyDescriptor", KeyDescriptor)
     end
 
     # @return [Array<KeyDescriptor>]
     def signing_keys
-      keys.select { |key| key.signing? }
+      keys.select(&:signing?)
     end
 
     # @return [Array<KeyDescriptor>]
     def encryption_keys
-      keys.select { |key| key.encryption? }
+      keys.select(&:encryption?)
     end
 
     protected
 
     # should be called from inside the role element
     def build(builder)
-      builder.parent['protocolSupportEnumeration'] = supported_protocols.to_a.join(' ')
+      builder.parent["protocolSupportEnumeration"] = supported_protocols.to_a.join(" ")
       keys.each do |key|
         key.build(builder)
       end

data/lib/saml2/schemas.rb

@@ -2,18 +2,21 @@
 
 module SAML2
   module Schemas
-    def self.metadata
-      @metadata ||= schema('metadata_combined.xsd')
-    end
+    class << self
+      def metadata
+        @metadata ||= schema("metadata_combined.xsd")
+      end
 
-    def self.protocol
-      @protocol ||= schema('saml-schema-protocol-2.0.xsd')
-    end
+      def protocol
+        @protocol ||= schema("saml-schema-protocol-2.0.xsd")
+      end
+
+      private
 
-    private
-    def self.schema(filename)
-      Dir.chdir(File.expand_path(File.join(__FILE__, '../../../schemas'))) do
-        Nokogiri::XML::Schema(File.read(filename))
+      def schema(filename)
+        Dir.chdir(File.expand_path(File.join(__FILE__, "../../../schemas"))) do
+          Nokogiri::XML::Schema(File.read(filename))
+        end
       end
     end
   end

data/lib/saml2/service_provider.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-require 'nokogiri'
+require "nokogiri"
 
-require 'saml2/endpoint'
-require 'saml2/sso'
+require "saml2/endpoint"
+require "saml2/sso"
 
 module SAML2
   class ServiceProvider < SSO
@@ -29,7 +29,7 @@ module SAML2
     # @return [Boolean, nil]
     def authn_requests_signed?
       unless instance_variable_defined?(:@authn_requests_signed)
-        @authn_requests_signed = xml['AuthnRequestsSigned'] && xml['AuthnRequestsSigned'] == 'true'
+        @authn_requests_signed = xml["AuthnRequestsSigned"] && xml["AuthnRequestsSigned"] == "true"
       end
       @authn_requests_signed
     end
@@ -37,7 +37,7 @@ module SAML2
     # @return [Boolean, nil]
     def want_assertions_signed?
       unless instance_variable_defined?(:@want_assertions_signed)
-        @want_assertions_signed = xml['WantAssertionsSigned'] && xml['WantAssertionsSigned'] == 'true'
+        @want_assertions_signed = xml["WantAssertionsSigned"] && xml["WantAssertionsSigned"] == "true"
       end
       @want_assertions_signed
     end
@@ -45,7 +45,7 @@ module SAML2
     # @return [Endpoint::Indexed::Array]
     def assertion_consumer_services
       @assertion_consumer_services ||= begin
-        nodes = xml.xpath('md:AssertionConsumerService', Namespaces::ALL)
+        nodes = xml.xpath("md:AssertionConsumerService", Namespaces::ALL)
         Endpoint::Indexed::Array.from_xml(nodes)
       end
     end
@@ -53,21 +53,21 @@ module SAML2
     # @return [AttributeConsumingService::Array]
     def attribute_consuming_services
       @attribute_consuming_services ||= begin
-        nodes = xml.xpath('md:AttributeConsumingService', Namespaces::ALL)
+        nodes = xml.xpath("md:AttributeConsumingService", Namespaces::ALL)
         AttributeConsumingService::Array.from_xml(nodes)
       end
     end
 
     # (see Base#build)
     def build(builder)
-      builder['md'].SPSSODescriptor do |sp_sso_descriptor|
+      builder["md"].SPSSODescriptor do |sp_sso_descriptor|
         super(sp_sso_descriptor)
 
-        sp_sso_descriptor.parent['AuthnRequestsSigned'] = authn_requests_signed? unless authn_requests_signed?.nil?
-        sp_sso_descriptor.parent['WantAssertionsSigned'] = want_assertions_signed? unless authn_requests_signed?.nil?
+        sp_sso_descriptor.parent["AuthnRequestsSigned"] = authn_requests_signed? unless authn_requests_signed?.nil?
+        sp_sso_descriptor.parent["WantAssertionsSigned"] = want_assertions_signed? unless authn_requests_signed?.nil?
 
         assertion_consumer_services.each do |acs|
-          acs.build(sp_sso_descriptor, 'AssertionConsumerService')
+          acs.build(sp_sso_descriptor, "AssertionConsumerService")
         end
 
         attribute_consuming_services.each do |acs|
@@ -77,4 +77,3 @@ module SAML2
     end
   end
 end
-

data/lib/saml2/signable.rb

@@ -1,21 +1,21 @@
 # frozen_string_literal: true
 
-require 'saml2/key'
+require "saml2/key"
 
 module SAML2
   module Signable
     # @return [Nokogiri::XML::Element, nil]
     def signature
       unless instance_variable_defined?(:@signature)
-        @signature = xml.xpath('//dsig:Signature', Namespaces::ALL).find do |signature|
-          signed_node = signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
-          if signed_node == ''
+        @signature = xml.xpath("//dsig:Signature", Namespaces::ALL).find do |signature|
+          signed_node = signature.at_xpath("dsig:SignedInfo/dsig:Reference", Namespaces::ALL)["URI"]
+          if signed_node == ""
             true if xml == xml.document.root
-          elsif signed_node != "##{xml['ID']}"
+          elsif signed_node != "##{xml["ID"]}"
             false
           else
             # validating the schema will automatically add ID attributes, so check that first
-            xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
+            xml.set_id_attribute("ID") unless xml.document.get_id(xml["ID"])
             true
           end
         end
@@ -27,7 +27,12 @@ module SAML2
     def signing_key
       unless instance_variable_defined?(:@signing_key)
         # don't use `... if signature.at_xpath(...)` - we need to make sure we assign the nil
-        @signing_key = (key_info = signature.at_xpath('dsig:KeyInfo', Namespaces::ALL)) ? KeyInfo.from_xml(key_info) : nil
+        @signing_key = if (key_info = signature.at_xpath("dsig:KeyInfo",
+                                                         Namespaces::ALL))
+                         KeyInfo.from_xml(key_info)
+                       else
+                         nil
+                       end
       end
       @signing_key
     end
@@ -69,19 +74,15 @@ module SAML2
       certs = certs.uniq
 
       trusted_keys = Array.wrap(key).map(&:to_s)
-      trusted_keys.concat(certs.map do |cert|
-        cert = cert.is_a?(String) ? OpenSSL::X509::Certificate.new(cert) : cert
-        cert.public_key.to_s
+      trusted_keys.concat(certs.map do |certificate|
+        certificate = OpenSSL::X509::Certificate.new(certificate) if certificate.is_a?(String)
+        certificate.public_key.to_s
       end)
 
-      if trusted_keys.include?(signing_key&.public_key&.to_s)
-        verification_key = signing_key.public_key.to_s
-      end
+      verification_key = signing_key.public_key.to_s if trusted_keys.include?(signing_key&.public_key&.to_s)
       # signature doesn't say who signed it. hope and pray it's with the only certificate
       # we know about
-      if signing_key.nil?
-        verification_key = trusted_keys.first
-      end
+      verification_key = trusted_keys.first if signing_key.nil?
 
       return ["no trusted signing key found"] if verification_key.nil?
 
@@ -116,8 +117,12 @@ module SAML2
       to_xml
 
       xml = @document.root
-      xml.set_id_attribute('ID')
-      xml.sign!(cert: x509_certificate, key: private_key, digest_alg: algorithm_name.to_s, signature_alg: "rsa-#{algorithm_name}", uri: "##{id}")
+      xml.set_id_attribute("ID")
+      xml.sign!(cert: x509_certificate,
+                key: private_key,
+                digest_alg: algorithm_name.to_s,
+                signature_alg: "rsa-#{algorithm_name}",
+                uri: "##{id}")
       # the Signature element must be the first element
       signature = xml.at_xpath("dsig:Signature", Namespaces::ALL)
       xml.children.first.add_previous_sibling(signature)

data/lib/saml2/sso.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'saml2/role'
+require "saml2/role"
 
 module SAML2
   # @abstract
@@ -20,12 +20,12 @@ module SAML2
 
     # @return [Array<Endpoint>]
     def single_logout_services
-      @single_logout_services ||= load_object_array(xml, 'md:SingleLogoutService', Endpoint)
+      @single_logout_services ||= load_object_array(xml, "md:SingleLogoutService", Endpoint)
     end
 
     # @return [Array<String>]
     def name_id_formats
-      @name_id_formats ||= load_string_array(xml, 'md:NameIDFormat')
+      @name_id_formats ||= load_string_array(xml, "md:NameIDFormat")
     end
 
     protected
@@ -35,10 +35,10 @@ module SAML2
       super
 
       single_logout_services.each do |slo|
-        slo.build(builder, 'SingleLogoutService')
+        slo.build(builder, "SingleLogoutService")
       end
       name_id_formats.each do |nif|
-        builder['md'].NameIDFormat(nif)
+        builder["md"].NameIDFormat(nif)
       end
     end
   end

data/lib/saml2/status.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'saml2/base'
+require "saml2/base"
 
 module SAML2
   class Status < Base
@@ -12,14 +12,16 @@ module SAML2
     # @param code [String]
     # @param message [String, nil]
     def initialize(code = SUCCESS, message = nil)
-      @code, @message = code, message
+      super()
+      @code = code
+      @message = message
     end
 
     # (see Base#from_xml)
     def from_xml(node)
       super
-      self.code = node.at_xpath('samlp:StatusCode', Namespaces::ALL)['Value']
-      self.message = load_string_array(xml, 'samlp:StatusMessage')
+      self.code = node.at_xpath("samlp:StatusCode", Namespaces::ALL)["Value"]
+      self.message = load_string_array(xml, "samlp:StatusMessage")
     end
 
     def success?
@@ -28,10 +30,10 @@ module SAML2
 
     # (see Base#build)
     def build(builder)
-      builder['samlp'].Status do |status|
-        status['samlp'].StatusCode(Value: code)
+      builder["samlp"].Status do |status|
+        status["samlp"].StatusCode(Value: code)
         Array(message).each do |m|
-          status['samlp'].StatusMessage(m)
+          status["samlp"].StatusMessage(m)
         end
       end
     end

data/lib/saml2/status_response.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'saml2/message'
-require 'saml2/status'
+require "saml2/message"
+require "saml2/status"
 
 module SAML2
   class StatusResponse < Message
@@ -19,12 +19,12 @@ module SAML2
       super
       @status = nil
       remove_instance_variable(:@status)
-      @in_response_to = node['InResponseTo']
+      @in_response_to = node["InResponseTo"]
     end
 
     # @return [Status]
     def status
-      @status ||= Status.from_xml(xml.at_xpath('samlp:Status', Namespaces::ALL))
+      @status ||= Status.from_xml(xml.at_xpath("samlp:Status", Namespaces::ALL))
     end
 
     protected
@@ -32,7 +32,7 @@ module SAML2
     def build(status_response)
       super(status_response)
 
-      status_response.parent['InResponseTo'] = in_response_to if in_response_to
+      status_response.parent["InResponseTo"] = in_response_to if in_response_to
 
       status.build(status_response)
     end

data/lib/saml2/subject.rb

@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
-require 'saml2/name_id'
-require 'saml2/namespaces'
+require "saml2/name_id"
+require "saml2/namespaces"
 
 module SAML2
   class Subject < Base
-    attr_writer :name_id
-    attr_writer :confirmations
+    attr_writer :name_id, :confirmations
 
     def initialize
+      super
       @confirmations = []
     end
 
@@ -21,7 +21,7 @@ module SAML2
     # @return [NameID]
     def name_id
       if xml && !instance_variable_defined?(:@name_id)
-        @name_id = NameID.from_xml(xml.at_xpath('saml:NameID', Namespaces::ALL))
+        @name_id = NameID.from_xml(xml.at_xpath("saml:NameID", Namespaces::ALL))
       end
       @name_id
     end
@@ -39,13 +39,13 @@ module SAML2
 
     # @return [Confirmation, Array<Confirmation>]
     def confirmations
-      @confirmations ||= load_object_array(xml, 'saml:SubjectConfirmation', Confirmation)
+      @confirmations ||= load_object_array(xml, "saml:SubjectConfirmation", Confirmation)
     end
 
     # (see Base#build)
     def build(builder)
-      builder['saml'].Subject do |subject|
-        name_id.build(subject) if name_id
+      builder["saml"].Subject do |subject|
+        name_id&.build(subject)
         Array(confirmations).each do |confirmation|
           confirmation.build(subject)
         end
@@ -54,9 +54,9 @@ module SAML2
 
     class Confirmation < Base
       module Methods
-        BEARER         = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
-        HOLDER_OF_KEY  = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'
-        SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'
+        BEARER         = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        HOLDER_OF_KEY  = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
+        SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
       end
 
       # @see Methods
@@ -70,28 +70,28 @@ module SAML2
       # (see Base#from_xml)
       def from_xml(node)
         super
-        self.method = node['Method']
-        confirmation_data = node.at_xpath('saml:SubjectConfirmationData', Namespaces::ALL)
-        if confirmation_data
-          self.not_before = Time.parse(confirmation_data['NotBefore']) if confirmation_data['NotBefore']
-          self.not_on_or_after = Time.parse(confirmation_data['NotOnOrAfter']) if confirmation_data['NotOnOrAfter']
-          self.recipient = confirmation_data['Recipient']
-          self.in_response_to = confirmation_data['InResponseTo']
-        end
+        self.method = node["Method"]
+        confirmation_data = node.at_xpath("saml:SubjectConfirmationData", Namespaces::ALL)
+        return unless confirmation_data
+
+        self.not_before = Time.parse(confirmation_data["NotBefore"]) if confirmation_data["NotBefore"]
+        self.not_on_or_after = Time.parse(confirmation_data["NotOnOrAfter"]) if confirmation_data["NotOnOrAfter"]
+        self.recipient = confirmation_data["Recipient"]
+        self.in_response_to = confirmation_data["InResponseTo"]
       end
 
       # (see Base#build)
       def build(builder)
-        builder['saml'].SubjectConfirmation('Method' => method) do |subject_confirmation|
+        builder["saml"].SubjectConfirmation("Method" => method) do |subject_confirmation|
           if in_response_to ||
-              recipient ||
-              not_before ||
-              not_on_or_after
-            subject_confirmation['saml'].SubjectConfirmationData do |subject_confirmation_data|
-              subject_confirmation_data.parent['NotBefore'] = not_before.iso8601 if not_before
-              subject_confirmation_data.parent['NotOnOrAfter'] = not_on_or_after.iso8601 if not_on_or_after
-              subject_confirmation_data.parent['Recipient'] = recipient if recipient
-              subject_confirmation_data.parent['InResponseTo'] = in_response_to if in_response_to
+             recipient ||
+             not_before ||
+             not_on_or_after
+            subject_confirmation["saml"].SubjectConfirmationData do |subject_confirmation_data|
+              subject_confirmation_data.parent["NotBefore"] = not_before.iso8601 if not_before
+              subject_confirmation_data.parent["NotOnOrAfter"] = not_on_or_after.iso8601 if not_on_or_after
+              subject_confirmation_data.parent["Recipient"] = recipient if recipient
+              subject_confirmation_data.parent["InResponseTo"] = in_response_to if in_response_to
             end
           end
         end

data/lib/saml2/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SAML2
-  VERSION = '3.1.2'
+  VERSION = "3.1.3"
 end

data/lib/saml2.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
-require 'saml2/authn_request'
-require 'saml2/entity'
-require 'saml2/logout_request'
-require 'saml2/logout_response'
-require 'saml2/response'
-require 'saml2/version'
+require "saml2/authn_request"
+require "saml2/entity"
+require "saml2/logout_request"
+require "saml2/logout_response"
+require "saml2/response"
+require "saml2/version"
 
-require 'saml2/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+require "saml2/engine" if defined?(Rails) && Rails::VERSION::MAJOR > 2
 
 module SAML2
   class << self