RubyGems - saml2 - Versions diffs - 3.1.2 → 3.1.4 - Mend

saml2 3.1.2 → 3.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

checksums.yaml +4 -4
data/Rakefile +6 -4
data/exe/bulk_verify_responses +94 -0
data/lib/saml2/assertion.rb +7 -7
data/lib/saml2/attribute/x500.rb +31 -28
data/lib/saml2/attribute.rb +53 -49
data/lib/saml2/attribute_consuming_service.rb +29 -31
data/lib/saml2/authn_request.rb +54 -47
data/lib/saml2/authn_statement.rb +31 -20
data/lib/saml2/base.rb +72 -63
data/lib/saml2/bindings/http_post.rb +7 -7
data/lib/saml2/bindings/http_redirect.rb +37 -33
data/lib/saml2/bindings.rb +1 -1
data/lib/saml2/conditions.rb +19 -16
data/lib/saml2/contact.rb +19 -18
data/lib/saml2/endpoint.rb +14 -11
data/lib/saml2/entity.rb +27 -27
data/lib/saml2/identity_provider.rb +13 -10
data/lib/saml2/indexed_object.rb +15 -12
data/lib/saml2/key.rb +43 -34
data/lib/saml2/localized_name.rb +11 -10
data/lib/saml2/logout_request.rb +8 -8
data/lib/saml2/logout_response.rb +4 -4
data/lib/saml2/message.rb +24 -20
data/lib/saml2/name_id.rb +45 -41
data/lib/saml2/namespaces.rb +8 -8
data/lib/saml2/organization.rb +11 -10
data/lib/saml2/organization_and_contacts.rb +5 -5
data/lib/saml2/request.rb +3 -3
data/lib/saml2/requested_authn_context.rb +4 -4
data/lib/saml2/response.rb +45 -33
data/lib/saml2/role.rb +11 -11
data/lib/saml2/schemas.rb +13 -10
data/lib/saml2/service_provider.rb +11 -12
data/lib/saml2/signable.rb +23 -18
data/lib/saml2/sso.rb +5 -5
data/lib/saml2/status.rb +9 -7
data/lib/saml2/status_response.rb +5 -5
data/lib/saml2/subject.rb +28 -28
data/lib/saml2/version.rb +1 -1
data/lib/saml2.rb +7 -7
metadata +78 -122
data/spec/fixtures/FederationMetadata.xml +0 -670
data/spec/fixtures/authnrequest.xml +0 -12
data/spec/fixtures/certificate.pem +0 -24
data/spec/fixtures/entities.xml +0 -13
data/spec/fixtures/external-uri-reference-response.xml +0 -48
data/spec/fixtures/identity_provider.xml +0 -46
data/spec/fixtures/noconditions_response.xml +0 -1
data/spec/fixtures/othercertificate.pem +0 -25
data/spec/fixtures/privatekey.key +0 -27
data/spec/fixtures/response_assertion_signed_reffed_from_response.xml +0 -6
data/spec/fixtures/response_signed.xml +0 -46
data/spec/fixtures/response_tampered_certificate.xml +0 -25
data/spec/fixtures/response_tampered_signature.xml +0 -46
data/spec/fixtures/response_with_attribute_signed.xml +0 -46
data/spec/fixtures/response_with_encrypted_assertion.xml +0 -58
data/spec/fixtures/response_with_rsa_key_value.xml +0 -1
data/spec/fixtures/response_with_signed_assertion_and_encrypted_subject.xml +0 -116
data/spec/fixtures/response_without_keyinfo.xml +0 -1
data/spec/fixtures/service_provider.xml +0 -79
data/spec/fixtures/test3-response.xml +0 -9
data/spec/fixtures/test6-response.xml +0 -10
data/spec/fixtures/test7-response.xml +0 -10
data/spec/fixtures/xml_missigned_assertion.xml +0 -84
data/spec/fixtures/xml_signature_wrapping_attack_duplicate_ids.xml +0 -11
data/spec/fixtures/xml_signature_wrapping_attack_response_attributes.xml +0 -45
data/spec/fixtures/xml_signature_wrapping_attack_response_nameid.xml +0 -44
data/spec/fixtures/xslt-transform-response.xml +0 -57
data/spec/lib/attribute_consuming_service_spec.rb +0 -129
data/spec/lib/attribute_spec.rb +0 -149
data/spec/lib/authn_request_spec.rb +0 -52
data/spec/lib/bindings/http_redirect_spec.rb +0 -183
data/spec/lib/conditions_spec.rb +0 -74
data/spec/lib/entity_spec.rb +0 -58
data/spec/lib/identity_provider_spec.rb +0 -43
data/spec/lib/indexed_object_spec.rb +0 -71
data/spec/lib/key_spec.rb +0 -23
data/spec/lib/logout_request_spec.rb +0 -33
data/spec/lib/logout_response_spec.rb +0 -33
data/spec/lib/message_spec.rb +0 -23
data/spec/lib/response_spec.rb +0 -293
data/spec/lib/service_provider_spec.rb +0 -76
data/spec/lib/signable_spec.rb +0 -15
data/spec/spec_helper.rb +0 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c6bee2a21b427f883ac61136eba8021c72f7f90a3a41654a964f165d1ae3641
-  data.tar.gz: 0e53c2b7e6d460f61f331c0d2cc4031ba3cea9895cc3b3b9d6fca153f1ca7653
+  metadata.gz: 6af3303cbbfd4c78c055015c30df1772bddbee535f27144696c57464398f439e
+  data.tar.gz: fd0fb87f88e987cf4fc081e7c4e833e12d3a7489662f314a5e5383e5f4278952
 SHA512:
-  metadata.gz: c427fc0852c531675c5573b1a51a3a6097414fc7ceee458a1c80d682dff696123e59d61a6e90cea0f6c221fbcef01a87f5a91f33dfebb2d0bf0f281e2b278794
-  data.tar.gz: a2281d564327fe52d98055559663cd4c26945aafc3b535c2d4adc2851480418f387e3a80f73f8bed665afc3eaf2ab771d94576c0332a1296ef8c0e73208467eb
+  metadata.gz: 5af19de37ce48ef31e22c18fa7eeaeb44c371d8751af579c2d2a06b6b1cd76579c64eba9b40a304a8da549937d0d7e0b9a8ef38439149be52567e0f424b85a9e
+  data.tar.gz: 6a224a75ff2d4f6408adf1beb3ca4fa65c15be36d65173b5882b6a0223b5b71fd3499fa4364e53f47ccba5ebd6c746fa2c2433012a0bdcd698cdb864fafd6dd8

data/Rakefile CHANGED Viewed

@@ -1,8 +1,10 @@
-require 'rubygems'
-require 'bundler'
+# frozen_string_literal: true
+require "rubygems"
+require "bundler"
 Bundler::GemHelper.install_tasks
-require 'rspec/core/rake_task'
+require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new
-task :default => :spec
+task default: :spec

data/exe/bulk_verify_responses ADDED Viewed

@@ -0,0 +1,94 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require "json"
+require "openssl"
+require "saml2"
+debug = ARGV.delete("--debug")
+service_provider_entity = SAML2::Entity.new
+service_provider = SAML2::ServiceProvider.new
+service_provider_entity.roles << service_provider
+def getarg(key)
+  return unless (index = ARGV.index(key))
+  ARGV.delete_at(index)
+  ARGV.delete_at(index)
+end
+if (verification_time = getarg("--at"))
+  verification_time = Time.parse(verification_time)
+end
+verification_time ||= Time.now.utc
+while (key_file = getarg("--key"))
+  service_provider.private_keys << OpenSSL::PKey.read(File.read(key_file))
+end
+while (cert_file = getarg("--certificate"))
+  service_provider.keys << SAML2::KeyDescriptor.new(File.read(cert_file))
+end
+ignored_idps = Set.new
+while (idp = getarg("--ignore"))
+  if idp[0] == "@"
+    ignored_idps.merge(File.read(idp[1..]).strip.split("\n"))
+  else
+    ignored_idps << idp
+  end
+end
+idps = {}
+if (trusted_certificates_file = getarg("--trusted-certificates"))
+  trusted_certificates = JSON.parse(File.read(trusted_certificates_file))
+  trusted_certificates.each do |(issuer, fingerprints)|
+    idp_entity = SAML2::Entity.new
+    idp_entity.entity_id = issuer
+    idp = SAML2::IdentityProvider.new
+    idp.fingerprints = fingerprints
+    idp_entity.roles << idp
+    idps[issuer] = idp_entity
+  end
+end
+responses = JSON.parse(File.read(ARGV.first))
+index = ARGV.pop.to_i if ARGV.last.to_i.to_s == ARGV.last
+bad_counts = Hash.new(0)
+non_ignored_count = 0
+responses = [responses[index]] if index
+responses.each_with_index do |response_raw, i|
+  next if response_raw["SAMLResponse"].empty?
+  next if response_raw["error"] # we're not expected to be able to validate this
+  begin
+    puts response_raw.to_json if debug
+    response, _relay_state = SAML2::Bindings::HTTP_POST.decode(response_raw)
+  rescue => e
+    warn "Unable to decode '#{response_raw}' (index #{i}) due to #{e}"
+    next
+  end
+  next if ignored_idps.include?(response.issuer&.id)
+  non_ignored_count += 1
+  puts response.xml if debug
+  # TODO: ignore audience restrictions
+  errors = response.validate(service_provider: service_provider_entity,
+                             identity_provider: idps[response.issuer&.id],
+                             verification_time: verification_time)
+  unless errors.empty?
+    bad_counts[response.issuer&.id] += 1
+    warn "#{errors.inspect} for response #{response.id} from #{response.issuer&.id} (index #{i})"
+  end
+end
+puts ""
+puts bad_counts.sort_by(&:last).reverse.to_h.inspect
+puts "#{bad_counts.values.sum}/#{non_ignored_count} failed"

data/lib/saml2/assertion.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require 'saml2/conditions'
+require "saml2/conditions"
 module SAML2
   class Assertion < Message
@@ -21,7 +21,7 @@ module SAML2
     # @return [Subject, nil]
     def subject
       if xml && !instance_variable_defined?(:@subject)
-        @subject = Subject.from_xml(xml.at_xpath('saml:Subject', Namespaces::ALL))
+        @subject = Subject.from_xml(xml.at_xpath("saml:Subject", Namespaces::ALL))
       end
       @subject
     end
@@ -29,7 +29,7 @@ module SAML2
     # @return [Conditions]
     def conditions
       if !instance_variable_defined?(:@conditions) && xml
-        @conditions = Conditions.from_xml(xml.at_xpath('saml:Conditions', Namespaces::ALL))
+        @conditions = Conditions.from_xml(xml.at_xpath("saml:Conditions", Namespaces::ALL))
       end
       @conditions
     end
@@ -46,19 +46,19 @@ module SAML2
     # @return [Array<AuthnStatement, AttributeStatement>]
     def statements
-      @statements ||= load_object_array(xml, 'saml:AuthnStatement|saml:AttributeStatement')
+      @statements ||= load_object_array(xml, "saml:AuthnStatement|saml:AttributeStatement")
     end
     # (see Base#build)
     def build(builder)
-      builder['saml'].Assertion(
-          'xmlns:saml' => Namespaces::SAML
+      builder["saml"].Assertion(
+        "xmlns:saml" => Namespaces::SAML
       ) do |assertion|
         super(assertion)
         subject.build(assertion)
-        conditions.build(assertion) if conditions
+        conditions&.build(assertion)
         statements.each { |stmt| stmt.build(assertion) }
       end

data/lib/saml2/attribute/x500.rb CHANGED Viewed

@@ -3,41 +3,42 @@
 module SAML2
   class Attribute
     class X500 < Attribute
-      GIVEN_NAME             = 'urn:oid:2.5.4.42'
-      SN = SURNAME           = 'urn:oid:2.5.4.4'
+      GIVEN_NAME             = "urn:oid:2.5.4.42"
+      SN = SURNAME           = "urn:oid:2.5.4.4"
       # https://www.ietf.org/rfc/rfc2798.txt
       module InetOrgPerson
-        DISPLAY_NAME         = 'urn:oid:2.16.840.1.113730.3.1.241'
-        EMPLOYEE_NUMBER      = 'urn:oid:2.16.840.1.113730.3.1.3'
-        EMPLOYEE_TYPE        = 'urn:oid:2.16.840.1.113730.3.1.4'
-        PREFERRED_LANGUAGE   = 'urn:oid:2.16.840.1.113730.3.1.39'
+        DISPLAY_NAME         = "urn:oid:2.16.840.1.113730.3.1.241"
+        EMPLOYEE_NUMBER      = "urn:oid:2.16.840.1.113730.3.1.3"
+        EMPLOYEE_TYPE        = "urn:oid:2.16.840.1.113730.3.1.4"
+        PREFERRED_LANGUAGE   = "urn:oid:2.16.840.1.113730.3.1.39"
       end
       # https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html
       module EduPerson
-        AFFILIATION          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
-        ASSURANCE            = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
-        ENTITLEMENT          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
-        NICKNAME             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2'
-        ORG_D_N              = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3'
-        ORG_UNIT_D_N         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4'
-        PRIMARY_AFFILIATION  = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5'
-        PRIMARY_ORG_UNIT_D_N = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8'
-        PRINCIPAL_NAME       = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'
-        SCOPED_AFFILIATION   = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
-        TARGETED_I_D         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
+        AFFILIATION          = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+        ASSURANCE            = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
+        ENTITLEMENT          = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+        NICKNAME             = "urn:oid:1.3.6.1.4.1.5923.1.1.1.2"
+        ORG_D_N              = "urn:oid:1.3.6.1.4.1.5923.1.1.1.3"
+        ORG_UNIT_D_N         = "urn:oid:1.3.6.1.4.1.5923.1.1.1.4"
+        PRIMARY_AFFILIATION  = "urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
+        PRIMARY_ORG_UNIT_D_N = "urn:oid:1.3.6.1.4.1.5923.1.1.1.8"
+        PRINCIPAL_NAME       = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+        SCOPED_AFFILIATION   = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
+        TARGETED_I_D         = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
       end
       # http://www.ietf.org/rfc/rfc4519.txt
-      UID = USERID           = 'urn:oid:0.9.2342.19200300.100.1.1'
+      UID = USERID           = "urn:oid:0.9.2342.19200300.100.1.1"
       # http://www.ietf.org/rfc/rfc4524.txt
-      MAIL                   = 'urn:oid:0.9.2342.19200300.100.1.3'
+      MAIL                   = "urn:oid:0.9.2342.19200300.100.1.3"
       # Returns true if the param should be an {X500} Attribute.
       # @param name_or_node [String, Nokogiri::XML::Element]
       def self.recognizes?(name_or_node)
         if name_or_node.is_a?(Nokogiri::XML::Element)
           !!name_or_node.at_xpath("@x500:Encoding", Namespaces::ALL) ||
-              (name_or_node['NameFormat'] == NameFormats::URI || name_or_node['NameFormat'].nil?) &&
-              OIDS.include?(name_or_node['Name'])
+            ((name_or_node["NameFormat"] == NameFormats::URI || name_or_node["NameFormat"].nil?) &&
+              OIDS.include?(name_or_node["Name"]))
         else
           FRIENDLY_NAMES.include?(name_or_node) || OIDS.include?(name_or_node)
         end
@@ -58,7 +59,8 @@ module SAML2
           # if they pass a friendly name, infer the OID
           proper_name = FRIENDLY_NAMES[name]
           if proper_name
-            name, friendly_name = proper_name, name
+            friendly_name = name
+            name = proper_name
           end
         end
@@ -77,25 +79,26 @@ module SAML2
       def build(builder)
         super
         attr = builder.parent.last_element_child
-        attr.add_namespace_definition('x500', Namespaces::X500)
-        attr['x500:Encoding'] = 'LDAP'
+        attr.add_namespace_definition("x500", Namespaces::X500)
+        attr["x500:Encoding"] = "LDAP"
       end
       # build hashes out of our known attribute names for quick lookup
-      FRIENDLY_NAMES = ([self] + constants).inject({}) do |hash, mod|
+      FRIENDLY_NAMES = ([self] + constants).each_with_object({}) do |mod, hash|
         mod = const_get(mod) unless mod.is_a?(Module)
         next hash unless mod.is_a?(Module)
         # Don't look in modules inherited from parent classes
-        next hash unless mod.name.start_with?(self.name)
+        next hash unless mod.name.start_with?(name)
         mod.constants.each do |key|
           value = mod.const_get(key)
           next unless value.is_a?(String)
           key = key.to_s.downcase.gsub(/_\w/) { |c| c[1].upcase }
           # eduPerson prefixes all of their names
-          key = "eduPerson#{key.sub(/^\w/) { |c| c.upcase }}" if mod == EduPerson
+          key = "eduPerson#{key.sub(/^\w/, &:upcase)}" if mod == EduPerson
           hash[key] = value
         end
-        hash
       end.freeze
       OIDS = FRIENDLY_NAMES.invert.freeze
       private_constant :FRIENDLY_NAMES, :OIDS

data/lib/saml2/attribute.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'date'
+require "date"
-require 'active_support/core_ext/array/wrap'
+require "active_support/core_ext/array/wrap"
-require 'saml2/base'
-require 'saml2/namespaces'
+require "saml2/base"
+require "saml2/namespaces"
 module SAML2
   class Attribute < Base
@@ -43,13 +43,13 @@ module SAML2
       # The XML namespace that this attribute class serializes as.
       # @return ['saml']
       def namespace
-        'saml'
+        "saml"
       end
       # The XML element that this attribute class serializes as.
       # @return ['Attribute']
       def element
-        'Attribute'
+        "Attribute"
       end
       protected
@@ -59,10 +59,10 @@ module SAML2
       end
       def inherited(klass)
+        super
         subclasses << klass
       end
       def class_for(name_or_node)
         subclasses.find do |klass|
           klass.respond_to?(:recognizes?) && klass.recognizes?(name_or_node)
@@ -84,18 +84,22 @@ module SAML2
     # @param friendly_name optional [String, nil]
     # @param name_format optional [String, nil]
     def initialize(name = nil, value = nil, friendly_name = nil, name_format = nil)
-      @name, @value, @friendly_name, @name_format = name, value, friendly_name, name_format
+      super()
+      @name = name
+      @value = value
+      @friendly_name = friendly_name
+      @name_format = name_format
     end
     # (see Base#build)
     def build(builder)
-      builder[self.class.namespace].__send__(self.class.element, 'Name' => name) do |attribute|
-        attribute.parent['FriendlyName'] = friendly_name if friendly_name
-        attribute.parent['NameFormat'] = name_format if name_format
+      builder[self.class.namespace].__send__(self.class.element, "Name" => name) do |attribute|
+        attribute.parent["FriendlyName"] = friendly_name if friendly_name
+        attribute.parent["NameFormat"] = name_format if name_format
         Array.wrap(value).each do |value|
           xsi_type, val = convert_to_xsi(value)
-          attribute['saml'].AttributeValue(val) do |attribute_value|
-            attribute_value.parent['xsi:type'] = xsi_type if xsi_type
+          attribute["saml"].AttributeValue(val) do |attribute_value|
+            attribute_value.parent["xsi:type"] = xsi_type if xsi_type
           end
         end
       end
@@ -104,15 +108,15 @@ module SAML2
     # (see Base#from_xml)
     def from_xml(node)
       super
-      @name = node['Name']
-      @friendly_name = node['FriendlyName']
-      @name_format = node['NameFormat']
-      values = node.xpath('saml:AttributeValue', Namespaces::ALL).map do |value|
-        convert_from_xsi(value.attribute_with_ns('type', Namespaces::XSI), value.content && value.content.strip)
+      @name = node["Name"]
+      @friendly_name = node["FriendlyName"]
+      @name_format = node["NameFormat"]
+      values = node.xpath("saml:AttributeValue", Namespaces::ALL).map do |value|
+        convert_from_xsi(value.attribute_with_ns("type", Namespaces::XSI), value.content && value.content.strip)
       end
       @value = case values.length
-               when 0; nil
-               when 1; values.first
+               when 0 then nil
+               when 1 then values.first
                else; values
                end
     end
@@ -120,13 +124,13 @@ module SAML2
     private
     XS_TYPES = {
-      lookup_qname('xs:boolean', Namespaces::ALL) =>
-        [[TrueClass, FalseClass], nil, ->(v) { %w{true 1}.include?(v) ? true : false }],
-      lookup_qname('xs:string', Namespaces::ALL) =>
+      lookup_qname("xs:boolean", Namespaces::ALL) =>
+        [[TrueClass, FalseClass], nil, ->(v) { %w[true 1].include?(v) }],
+      lookup_qname("xs:string", Namespaces::ALL) =>
         [String, nil, nil],
-      lookup_qname('xs:date', Namespaces::ALL) =>
+      lookup_qname("xs:date", Namespaces::ALL) =>
         [Date, nil, ->(v) { Date.parse(v) if v }],
-      lookup_qname('xs:dateTime', Namespaces::ALL) =>
+      lookup_qname("xs:dateTime", Namespaces::ALL) =>
         [Time, ->(v) { v.iso8601 }, ->(v) { Time.parse(v) if v }]
     }.freeze
@@ -134,11 +138,11 @@ module SAML2
       xs_type = nil
       converter = nil
       XS_TYPES.each do |type, (klasses, to_xsi, _from_xsi)|
-        if Array.wrap(klasses).any? { |klass| klass === value }
-          xs_type = "xs:#{type.last}"
-          converter = to_xsi
-          break
-        end
+        next unless Array.wrap(klasses).any? { |klass| value.is_a?(klass) }
+        xs_type = "xs:#{type.last}"
+        converter = to_xsi
+        break
       end
       value = converter.call(value) if converter
       [xs_type, value]
@@ -146,12 +150,11 @@ module SAML2
     def convert_from_xsi(type, value)
       return value unless type
       qname = self.class.lookup_qname(type.value, type.namespaces)
       info = XS_TYPES[qname]
-      if info && info.last
-        value = info.last.call(value)
-      end
+      value = info.last.call(value) if info&.last
       value
     end
   end
@@ -160,12 +163,13 @@ module SAML2
     attr_reader :attributes
     def initialize(attributes = [])
+      super()
       @attributes = attributes
     end
     def from_xml(node)
       super
-      @attributes = node.xpath('saml:Attribute', Namespaces::ALL).map do |attr|
+      @attributes = node.xpath("saml:Attribute", Namespaces::ALL).map do |attr|
         Attribute.from_xml(attr)
       end
     end
@@ -190,29 +194,29 @@ module SAML2
         prior_value = result[key]
         result[key] = if prior_value
-          value = Array.wrap(prior_value)
-          # repeated key; convert to array
-          if attribute.value.is_a?(Array)
-            # both values are arrays; concatenate them
-            value.concat(attribute.value)
-          else
-            value << attribute.value
-          end
-          value
-        else
-          attribute.value
-        end
+                        value = Array.wrap(prior_value)
+                        # repeated key; convert to array
+                        if attribute.value.is_a?(Array)
+                          # both values are arrays; concatenate them
+                          value.concat(attribute.value)
+                        else
+                          value << attribute.value
+                        end
+                        value
+                      else
+                        attribute.value
+                      end
       end
       result
     end
     def build(builder)
-      builder['saml'].AttributeStatement('xmlns:xs' => Namespaces::XS,
-                                         'xmlns:xsi' => Namespaces::XSI) do |statement|
+      builder["saml"].AttributeStatement("xmlns:xs" => Namespaces::XS,
+                                         "xmlns:xsi" => Namespaces::XSI) do |statement|
         @attributes.each { |attr| attr.build(statement) }
       end
     end
   end
 end
-require 'saml2/attribute/x500'
+require "saml2/attribute/x500"

data/lib/saml2/attribute_consuming_service.rb CHANGED Viewed

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
-require 'active_support/core_ext/array/wrap'
+require "active_support/core_ext/array/wrap"
-require 'saml2/attribute'
-require 'saml2/indexed_object'
-require 'saml2/localized_name'
-require 'saml2/namespaces'
+require "saml2/attribute"
+require "saml2/indexed_object"
+require "saml2/localized_name"
+require "saml2/namespaces"
 module SAML2
   class RequestedAttribute < Attribute
@@ -13,13 +13,13 @@ module SAML2
       # The XML namespace that this attribute class serializes as.
       # @return ['md']
       def namespace
-        'md'
+        "md"
       end
       # The XML element that this attribute class serializes as.
       # @return ['RequestedAttribute']
       def element
-        'RequestedAttribute'
+        "RequestedAttribute"
       end
       # Create a RequestAttribute object to represent an attribute.
@@ -51,7 +51,7 @@ module SAML2
     # (see Base#from_xml)
     def from_xml(node)
       super
-      @is_required = node['isRequired'] && node['isRequired'] == 'true'
+      @is_required = node["isRequired"] && node["isRequired"] == "true"
     end
     # @return [true, false, nil]
@@ -79,9 +79,10 @@ module SAML2
     # @param requested_attribute [RequestedAttribute]
     def initialize(requested_attribute, provided_value)
       super("Attribute #{requested_attribute.name} is provided value " \
-        "#{provided_value.inspect}, but only allows "                  \
-        "#{Array.wrap(requested_attribute.value).inspect}")
-      @requested_attribute, @provided_value = requested_attribute, provided_value
+            "#{provided_value.inspect}, but only allows " \
+            "#{Array.wrap(requested_attribute.value).inspect}")
+      @requested_attribute = requested_attribute
+      @provided_value = provided_value
     end
   end
@@ -97,16 +98,16 @@ module SAML2
     # @param requested_attributes [::Array<RequestedAttributes>]
     def initialize(name = nil, requested_attributes = [])
       super()
-      @name = LocalizedName.new('ServiceName', name)
-      @description = LocalizedName.new('ServiceDescription')
+      @name = LocalizedName.new("ServiceName", name)
+      @description = LocalizedName.new("ServiceDescription")
       @requested_attributes = requested_attributes
     end
     # (see Base#from_xml)
     def from_xml(node)
       super
-      name.from_xml(node.xpath('md:ServiceName', Namespaces::ALL))
-      description.from_xml(node.xpath('md:ServiceDescription', Namespaces::ALL))
+      name.from_xml(node.xpath("md:ServiceName", Namespaces::ALL))
+      description.from_xml(node.xpath("md:ServiceDescription", Namespaces::ALL))
       @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
     end
@@ -126,49 +127,46 @@ module SAML2
     #   If a {RequestedAttribute} is tagged as required, but it has not been
     #   supplied.
     def create_statement(attributes)
-      if attributes.is_a?(Hash)
-        attributes = attributes.map { |k, v| Attribute.create(k, v) }
-      end
+      attributes = attributes.map { |k, v| Attribute.create(k, v) } if attributes.is_a?(Hash)
       attributes_hash = {}
       attributes.each do |attr|
         attr.value = attr.value.call if attr.value.respond_to?(:call)
         attributes_hash[[attr.name, attr.name_format]] = attr
-        if attr.name_format
-          attributes_hash[[attr.name, nil]] = attr
-        end
+        attributes_hash[[attr.name, nil]] = attr if attr.name_format
       end
       attributes = []
       requested_attributes.each do |requested_attr|
         attr = attributes_hash[[requested_attr.name, requested_attr.name_format]]
-        if requested_attr.name_format
-          attr ||= attributes_hash[[requested_attr.name, nil]]
-        end
+        attr ||= attributes_hash[[requested_attr.name, nil]] if requested_attr.name_format
         if attr
           if requested_attr.value &&
-            !Array.wrap(requested_attr.value).include?(attr.value)
+             !Array.wrap(requested_attr.value).include?(attr.value)
             raise InvalidAttributeValue.new(requested_attr, attr.value)
           end
           attributes << attr
         elsif requested_attr.required?
           # if the metadata includes only one possible value, helpfully set
           # that value
-          if requested_attr.value && !requested_attr.value.is_a?(::Array)
-            attributes << Attribute.create(requested_attr.name,
-                                           requested_attr.value)
-          else
-            raise RequiredAttributeMissing.new(requested_attr)
+          unless requested_attr.value && !requested_attr.value.is_a?(::Array)
+            raise RequiredAttributeMissing, requested_attr
           end
+          attributes << Attribute.create(requested_attr.name,
+                                         requested_attr.value)
         end
       end
       return nil if attributes.empty?
       AttributeStatement.new(attributes)
     end
     # (see Base#build)
     def build(builder)
-      builder['md'].AttributeConsumingService do |attribute_consuming_service|
+      builder["md"].AttributeConsumingService do |attribute_consuming_service|
         name.build(attribute_consuming_service)
         description.build(attribute_consuming_service)
         requested_attributes.each do |requested_attribute|