saml2 1.1.5 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3fd767fa1f70be5220dc97ce1c23908fa77f9956
-  data.tar.gz: 38629f1bb5913371f916a324db13492d5fe482cb
+  metadata.gz: 49552e3c1623dc97bebb250e582f14925c243a01
+  data.tar.gz: ec92142eee88b9f0bb7b53cb747ca7c9c874ea52
 SHA512:
-  metadata.gz: 52aafbc49cee69b4a56aea2cbc2b287b9129baafd9ed11fddf605bdde16d9a732e37e995c76ac0fec5d0a1f273c9a6436b2e90043a88ae79d999eeb0bf65653b
-  data.tar.gz: b917c7be4728202fdfc2021628ee3feea6decc38c203eaba8e1152bf2e5920611729cfcf1d8e87c2077ab76a74ccb29e9aa9bc48cf15ece816065ba134c527e8
+  metadata.gz: 22a08e29c00544c48402463bf5615829348abffc0ca79b823f8d594480a422af4ecef8e49cd934a6898d16c5f6dcb890b3183c6fc8d62d0796f21532d87a6778
+  data.tar.gz: a000f59983fff2fc9c2b6385d5a2f94076f15fee45503c8b58de2c2647b112fa954503c3023ca2baf5c049e493f023e386524b8646ff7b254090eb2119f7503c

data/lib/saml2/assertion.rb

@@ -1,45 +1,48 @@
 require 'saml2/conditions'
 
 module SAML2
-  class Assertion
-    attr_reader :id, :issue_instant, :conditions, :statements
-    attr_accessor :issuer, :subject
+  class Assertion < Message
+    attr_writer :statements, :subject
 
     def initialize
-      @id = "_#{SecureRandom.uuid}"
-      @issue_instant = Time.now.utc
+      super
       @statements = []
       @conditions = Conditions.new
     end
 
-    def sign(x509_certificate, private_key, algorithm_name = :sha256)
-      to_xml
+    def from_xml(node)
+      super
+      @conditions = nil
+      @statements = nil
+    end
+
+    def subject
+      if xml && !instance_variable_defined?(:@subject)
+        @subject = Subject.from_xml(xml.at_xpath('saml:Subject', Namespaces::ALL))
+      end
+      @subject
+    end
+
+    def conditions
+      @conditions ||= Conditions.from_xml(xml.at_xpath('saml:Conditions', Namespaces::ALL))
+    end
 
-      @xml.set_id_attribute('ID')
-      @xml.sign!(cert: x509_certificate, key: private_key, digest_alg: algorithm_name.to_s, signature_alg: "rsa-#{algorithm_name}", uri: "##{id}")
-      # the Signature element must be right after the Issuer, so put it there
-      issuer = @xml.at_xpath("saml:Issuer", Namespaces::ALL)
-      signature = @xml.at_xpath("dsig:Signature", Namespaces::ALL)
-      issuer.add_next_sibling(signature)
-      self
+    def statements
+      @statements ||= load_object_array(xml, 'saml:AuthnStatement|saml:AttributeStatement')
     end
 
-    def to_xml
-      @xml ||= Nokogiri::XML::Builder.new do |builder|
-        builder['saml'].Assertion(
-            'xmlns:saml' => Namespaces::SAML,
-            ID: id,
-            Version: '2.0',
-            IssueInstant: issue_instant.iso8601
-        ) do |assertion|
-          issuer.build(assertion, element: 'Issuer')
-
-          subject.build(assertion)
-
-          conditions.build(assertion)
-          statements.each { |stmt| stmt.build(assertion) }
-        end
-      end.doc.root
+    def build(builder)
+      builder['saml'].Assertion(
+          'xmlns:saml' => Namespaces::SAML
+      ) do |assertion|
+        super(assertion)
+
+        subject.build(assertion)
+
+        conditions.build(assertion)
+
+        statements.each { |stmt| stmt.build(assertion) }
+      end
     end
   end
 end

data/lib/saml2/attribute.rb

@@ -32,10 +32,17 @@ module SAML2
       end
 
       def create(name, value = nil)
-
         (class_for(name) || self).new(name, value)
       end
 
+      def namespace
+        'saml'
+      end
+
+      def element
+        'Attribute'
+      end
+
       protected
 
       def class_for(name_or_node)
@@ -52,7 +59,7 @@ module SAML2
     end
 
     def build(builder)
-      builder['saml'].Attribute('Name' => name) do |attribute|
+      builder[self.class.namespace].__send__(self.class.element, 'Name' => name) do |attribute|
         attribute.parent['FriendlyName'] = friendly_name if friendly_name
         attribute.parent['NameFormat'] = name_format if name_format
         Array.wrap(value).each do |value|

data/lib/saml2/attribute_consuming_service.rb

@@ -2,12 +2,30 @@ require 'active_support/core_ext/array/wrap'
 
 require 'saml2/attribute'
 require 'saml2/indexed_object'
+require 'saml2/localized_name'
 require 'saml2/namespaces'
 
 module SAML2
   class RequestedAttribute < Attribute
-    def initialize(name = nil, is_required = nil, name_format = nil)
-      super(name, nil, nil, name_format)
+    class << self
+      def namespace
+        'md'
+      end
+
+      def element
+        'RequestedAttribute'
+      end
+
+      def create(name, is_required = nil)
+        # use Attribute.create to get other subclasses to automatically fill out friendly_name
+        # and name_format, but still return a RequestedAttribute object
+        attribute = Attribute.create(name)
+        new(attribute.name, is_required, attribute.friendly_name, attribute.name_format)
+      end
+    end
+
+    def initialize(name = nil, is_required = nil, friendly_name = nil, name_format = nil)
+      super(name, nil, friendly_name, name_format)
       @is_required = is_required
     end
 
@@ -44,16 +62,19 @@ module SAML2
   class AttributeConsumingService < Base
     include IndexedObject
 
-    attr_reader :name, :requested_attributes
+    attr_reader :name, :description, :requested_attributes
 
     def initialize(name = nil, requested_attributes = [])
       super()
-      @name, @requested_attributes = name, requested_attributes
+      @name = LocalizedName.new('ServiceName', name)
+      @description = LocalizedName.new('ServiceDescription')
+      @requested_attributes = requested_attributes
     end
 
     def from_xml(node)
       super
-      @name = node['ServiceName']
+      name.from_xml(node.xpath('md:ServiceName', Namespaces::ALL))
+      description.from_xml(node.xpath('md:ServiceDescription', Namespaces::ALL))
       @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
     end
 
@@ -97,5 +118,16 @@ module SAML2
       return nil if attributes.empty?
       AttributeStatement.new(attributes)
     end
+
+    def build(builder)
+      builder['md'].AttributeConsumingService do |attribute_consuming_service|
+        name.build(attribute_consuming_service)
+        description.build(attribute_consuming_service)
+        requested_attributes.each do |requested_attribute|
+          requested_attribute.build(attribute_consuming_service)
+        end
+      end
+      super
+    end
   end
 end

data/lib/saml2/authn_request.rb

@@ -13,15 +13,6 @@ require 'saml2/subject'
 
 module SAML2
   class AuthnRequest < Request
-    # deprecated; takes _just_ the SAMLRequest parameter's value
-    def self.decode(authnrequest)
-      result, _relay_state = Bindings::HTTPRedirect.decode("http://host/?SAMLRequest=#{CGI.escape(authnrequest)}")
-      return nil unless result.is_a?(AuthnRequest)
-      result
-    rescue CorruptMessage
-      AuthnRequest.from_xml(Nokogiri::XML('<xml></xml>').root)
-    end
-
     attr_writer :assertion_consumer_service_index,
                 :assertion_consumer_service_url,
                 :attribute_consuming_service_index,

data/lib/saml2/authn_statement.rb

@@ -1,5 +1,7 @@
+require 'saml2/base'
+
 module SAML2
-  class AuthnStatement
+  class AuthnStatement < Base
     module Classes
       INTERNET_PROTOCOL            = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol".freeze # IP address
       INTERNET_PROTOCOL_PASSWORD   = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword".freeze # IP address, as well as username/password
@@ -13,10 +15,20 @@ module SAML2
       UNSPECIFIED                  = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified".freeze
     end
 
-    attr_accessor :authn_instant, :authn_context_class_ref
+    attr_accessor :authn_instant, :authn_context_class_ref, :session_index, :session_not_on_or_after
+
+    def from_xml(node)
+      super
+      @authn_instant = Time.parse(node['AuthnInstant'])
+      @session_index = node['SessionIndex']
+      @session_not_on_or_after = Time.parse(node['SessionNotOnOrAfter']) if node['SessionNotOnOrAfter']
+      @authn_context_class_ref = node.at_xpath('saml:AuthnContext/saml:AuthnContextClassRef', Namespaces::ALL)&.content&.strip
+    end
 
     def build(builder)
       builder['saml'].AuthnStatement('AuthnInstant' => authn_instant.iso8601) do |authn_statement|
+        authn_statement.parent['SessionIndex'] = session_index if session_index
+        authn_statement.parent['SessionNotOnOrAfter'] = session_not_on_or_after.iso8601 if session_not_on_or_after
         authn_statement['saml'].AuthnContext do |authn_context|
           authn_context['saml'].AuthnContextClassRef(authn_context_class_ref) if authn_context_class_ref
         end

data/lib/saml2/base.rb

@@ -15,9 +15,19 @@ module SAML2
       @xml = node
     end
 
-    def to_s
-      # make sure to not FORMAT it - it breaks signatures!
-      to_xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
+    def to_s(pretty: true)
+      if xml
+        xml.to_s
+      elsif pretty
+        to_xml.to_s
+      else
+        # make sure to not FORMAT it - it breaks signatures!
+        to_xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
+      end
+    end
+
+    def inspect
+      "#<#{self.class.name} #{instance_variables.map { |iv| next if iv == :@xml; "#{iv}=#{instance_variable_get(iv).inspect}" }.compact.join(", ") }>"
     end
 
     def to_xml
@@ -25,19 +35,27 @@ module SAML2
         builder = Nokogiri::XML::Builder.new
         build(builder)
         @document = builder.doc
+        # if we're re-serializing a parsed document (i.e. after mutating/parsing it),
+        # forget the original document we parsed
+        @xml = nil
       end
       @document
     end
 
+    def build(builder)
+    end
+
     def self.load_string_array(node, element)
       node.xpath(element, Namespaces::ALL).map do |element_node|
         element_node.content&.strip
       end
     end
 
-    def self.load_object_array(node, element, klass)
+    def self.load_object_array(node, element, klass = nil)
       node.xpath(element, Namespaces::ALL).map do |element_node|
-        if klass.is_a?(Hash)
+        if klass.nil?
+          SAML2.const_get(element_node.name, false).from_xml(element_node)
+        elsif klass.is_a?(Hash)
           klass[element_node.name].from_xml(element_node)
         else
           klass.from_xml(element_node)
@@ -51,11 +69,12 @@ module SAML2
     end
 
     protected
+
     def load_string_array(node, element)
       self.class.load_string_array(node, element)
     end
 
-    def load_object_array(node, element, klass)
+    def load_object_array(node, element, klass = nil)
       self.class.load_object_array(node, element, klass)
     end
 

data/lib/saml2/bindings/http_post.rb

@@ -1,7 +1,35 @@
+require 'base64'
+
 module SAML2
   module Bindings
     module HTTP_POST
       URN ="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze
+
+      class << self
+        def decode(post_params)
+          base64 = post_params['SAMLRequest'] || post_params['SAMLResponse']
+          raise MissingMessage unless base64
+
+          raise MessageTooLarge if base64.bytesize > SAML2.config[:max_message_size]
+
+          xml = begin
+            Base64.decode64(base64)
+          rescue ArgumentError
+            raise CorruptMessage
+          end
+
+          message = Message.parse(xml)
+          [message, post_params['RelayState']]
+        end
+
+        def encode(message, relay_state: nil)
+          xml = message.to_s(pretty: false)
+          key = message.is_a?(Request) ? 'SAMLRequest' : 'SAMLResponse'
+          post_params = { key => Base64.encode64(xml) }
+          post_params['RelayState'] = relay_state if relay_state
+          post_params
+        end
+      end
     end
   end
 end

data/lib/saml2/bindings/http_redirect.rb

@@ -107,7 +107,7 @@ module SAML2
             original_query.delete_if { |(k, v)| k == param }
           end
 
-          xml = message.to_s
+          xml = message.to_s(pretty: false)
           zstream = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
           deflated = zstream.deflate(xml, Zlib::FINISH)
           zstream.close

data/lib/saml2/conditions.rb

@@ -3,6 +3,21 @@ require 'active_support/core_ext/array/wrap'
 module SAML2
   class Conditions < Array
     attr_accessor :not_before, :not_on_or_after
+    attr_reader :xml
+
+    def self.from_xml(node)
+      result = new
+      result.from_xml(node)
+      result
+    end
+
+    def from_xml(node)
+      @xml = node
+      @not_before = Time.parse(node['NotBefore']) if node['NotBefore']
+      @not_on_or_after = Time.parse(node['NotOnOrAfter']) if node['NotOnOrAfter']
+
+      replace(node.children.map { |restriction| self.class.const_get(restriction.name, false).from_xml(restriction) })
+    end
 
     def valid?(options = {})
       now = options[:now] || Time.now
@@ -37,19 +52,28 @@ module SAML2
     end
 
     # Any unknown condition
-    class Condition
+    class Condition < Base
       def valid?(_)
         :indeterminate
       end
     end
 
     class AudienceRestriction < Condition
-      attr_accessor :audience
+      attr_writer :audience
 
-      def initialize(audience)
+      def initialize(audience = [])
         @audience = audience
       end
 
+      def from_xml(node)
+        super
+        @audience = nil
+      end
+
+      def audience
+        @audience ||= load_string_array(xml, 'saml:Audience')
+      end
+
       def valid?(options)
         Array.wrap(audience).include?(options[:audience]) ? :valid : :invalid
       end

data/lib/saml2/endpoint.rb

@@ -1,16 +1,10 @@
-require 'saml2/bindings/http_redirect'
 require 'saml2/bindings/http_post'
 
 module SAML2
   class Endpoint < Base
-    module Bindings
-      HTTP_POST     = ::SAML2::Bindings::HTTP_POST::URN
-      HTTP_REDIRECT = ::SAML2::Bindings::HTTPRedirect::URN
-    end
-
     attr_reader :location, :binding
 
-    def initialize(location = nil, binding = ::SAML2::Bindings::HTTP_POST::URN)
+    def initialize(location = nil, binding = Bindings::HTTP_POST::URN)
       @location, @binding = location, binding
     end
 
@@ -31,7 +25,7 @@ module SAML2
     class Indexed < Endpoint
       include IndexedObject
 
-      def initialize(location = nil, index = nil, is_default = nil, binding = ::SAML2::Bindings::HTTP_POST::URN)
+      def initialize(location = nil, index = nil, is_default = nil, binding = Bindings::HTTP_POST::URN)
         super(location, binding)
         @index, @is_default = index, is_default
       end

data/lib/saml2/entity.rb

@@ -4,10 +4,12 @@ require 'saml2/base'
 require 'saml2/identity_provider'
 require 'saml2/organization_and_contacts'
 require 'saml2/service_provider'
+require 'saml2/signable'
 
 module SAML2
   class Entity < Base
     include OrganizationAndContacts
+    include Signable
 
     attr_writer :entity_id
 
@@ -28,6 +30,8 @@ module SAML2
 
     class Group < Base
       include Enumerable
+      include Signable
+
       [:each, :[]].each do |method|
         class_eval <<-RUBY, __FILE__, __LINE__ + 1
           def #{method}(*args, &block)
@@ -38,11 +42,13 @@ module SAML2
 
       def initialize
         @entities = []
+        @id = "_#{SecureRandom.uuid}"
         @valid_until = nil
       end
 
       def from_xml(node)
         super
+        @id = nil
         remove_instance_variable(:@valid_until)
         @entities = Base.load_object_array(xml, "md:EntityDescriptor|md:EntitiesDescriptor",
                 'EntityDescriptor' => Entity,
@@ -53,23 +59,8 @@ module SAML2
         Schemas.federation.valid?(xml.document)
       end
 
-      def signature
-        unless instance_variable_defined?(:@signature)
-          @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
-          signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
-          # validating the schema will automatically add ID attributes, so check that first
-          xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
-          @signature = nil unless signed_node == "##{xml['ID']}"
-        end
-        @signature
-      end
-
-      def signed?
-        !!signature
-      end
-
-      def valid_signature?(*args)
-        signature.verify_with(*args)
+      def id
+        @id ||= xml['ID']
       end
 
       def valid_until
@@ -85,10 +76,12 @@ module SAML2
       @valid_until = nil
       @entity_id = nil
       @roles = []
+      @id = "_#{SecureRandom.uuid}"
     end
 
     def from_xml(node)
       super
+      @id = nil
       remove_instance_variable(:@valid_until)
       @roles = nil
     end
@@ -101,6 +94,10 @@ module SAML2
       @entity_id || xml && xml['entityID']
     end
 
+    def id
+      @id ||= xml['ID']
+    end
+
     def valid_until
       unless instance_variable_defined?(:@valid_until)
         @valid_until = xml['validUntil'] && Time.parse(xml['validUntil'])
@@ -126,6 +123,8 @@ module SAML2
                                      'xmlns:md' => Namespaces::METADATA,
                                      'xmlns:dsig' => Namespaces::DSIG,
                                      'xmlns:xenc' => Namespaces::XENC) do |entity_descriptor|
+        entity_descriptor.parent['ID'] = id if id
+
         roles.each do |role|
           role.build(entity_descriptor)
         end

data/lib/saml2/indexed_object.rb

@@ -2,7 +2,7 @@ require 'saml2/base'
 
 module SAML2
   module IndexedObject
-    attr_reader :index
+    attr_accessor :index
 
     def initialize(*args)
       @is_default = nil
@@ -57,8 +57,13 @@ module SAML2
       protected
 
       def re_index
+        last_index = -1
         @index = {}
-        each { |object| @index[object.index] = object }
+        each do |object|
+          object.index ||= last_index + 1
+          last_index = object.index
+          @index[object.index] = object
+        end
         @default = find { |object| object.default? } || first
       end
     end

data/lib/saml2/key.rb

@@ -51,8 +51,12 @@ module SAML2
       @certificate ||= OpenSSL::X509::Certificate.new(Base64.decode64(x509))
     end
 
+    def self.format_fingerprint(fingerprint)
+      fingerprint.downcase.gsub(/(\h{2})(?=\h)/, '\1:')
+    end
+
     def fingerprint
-      @fingerprint ||= Digest::SHA1.hexdigest(certificate.to_der).gsub(/(\h{2})(?=\h)/, '\1:')
+      @fingerprint ||= self.class.format_fingerprint(Digest::SHA1.hexdigest(certificate.to_der))
     end
 
     def build(builder)

data/lib/saml2/localized_name.rb

@@ -0,0 +1,48 @@
+require 'saml2/base'
+require 'saml2/namespaces'
+
+module SAML2
+  class LocalizedName < Hash
+    attr_reader :element
+
+    def initialize(element, name = nil)
+      @element = element
+      unless name.nil?
+        if name.is_a?(Hash)
+          replace(name)
+        else
+          self[nil] = name
+        end
+      end
+    end
+
+    def [](lang)
+      case lang
+      when :all
+        self
+      when nil
+        !empty? && first.last
+      else
+        super(lang.to_sym)
+      end
+    end
+
+    def to_s
+      self[nil].to_s
+    end
+
+    def from_xml(nodes)
+      clear
+      nodes.each do |node|
+        self[node['xml:lang'].to_sym] = node.content && node.content.strip
+      end
+      self
+    end
+
+    def build(builder)
+      each do |lang, value|
+        builder['md'].__send__(element, value, 'xml:lang' => lang)
+      end
+    end
+  end
+end

data/lib/saml2/message.rb

@@ -2,6 +2,7 @@ require 'securerandom'
 require 'time'
 
 require 'saml2/base'
+require 'saml2/signable'
 
 module SAML2
   class InvalidMessage < RuntimeError
@@ -38,8 +39,9 @@ module SAML2
   # ancestor, but they have several things in common so it's useful to represent
   # that here
   class Message < Base
-    attr_reader :id, :issue_instant
-    attr_accessor :issuer, :destination
+    include Signable
+
+    attr_writer :issuer, :destination
 
     class << self
       def inherited(klass)
@@ -86,14 +88,41 @@ module SAML2
       true
     end
 
-    def issuer
-      @issuer ||= NameID.from_xml(xml.at_xpath('saml:Issuer', Namespaces::ALL))
+    def validate_signature(fingerprint: nil, cert: nil, verification_time: nil)
+      # verify the signature (certificate's validity) as of the time the message was generated
+      super(fingerprint: fingerprint, cert: cert, verification_time: issue_instant)
+    end
+
+    def sign(x509_certificate, private_key, algorithm_name = :sha256)
+      super
+
+      xml = @document.root
+      # the Signature element must be right after the Issuer, so put it there
+      issuer = xml.at_xpath("saml:Issuer", Namespaces::ALL)
+      signature = xml.at_xpath("dsig:Signature", Namespaces::ALL)
+      issuer.add_next_sibling(signature)
+      self
     end
 
     def id
       @id ||= xml['ID']
     end
 
+    def issue_instant
+      @issue_instant ||= Time.parse(xml['IssueInstant'])
+    end
+
+    def destination
+      if xml && !instance_variable_defined?(:@destination)
+        @destination = xml['Destination']
+      end
+      @destination
+    end
+
+    def issuer
+      @issuer ||= NameID.from_xml(xml.at_xpath('saml:Issuer', Namespaces::ALL))
+    end
+
     protected
 
     # should be called from inside the specific request element

data/lib/saml2/organization.rb

@@ -1,73 +1,28 @@
+require 'saml2/base'
+require 'saml2/localized_name'
 require 'saml2/namespaces'
 
 module SAML2
-  class Organization
-    def self.from_xml(node)
-      return nil unless node
+  class Organization < Base
+    attr_reader :name, :display_name, :url
 
-      new(nodes_to_hash(node.xpath('md:OrganizationName', Namespaces::ALL)),
-        nodes_to_hash(node.xpath('md:OrganizationDisplayName', Namespaces::ALL)),
-        nodes_to_hash(node.xpath('md:OrganizationURL', Namespaces::ALL)))
+    def from_xml(node)
+      name.from_xml(node.xpath('md:OrganizationName', Namespaces::ALL))
+      display_name.from_xml(node.xpath('md:OrganizationDisplayName', Namespaces::ALL))
+      url.from_xml(node.xpath('md:OrganizationURL', Namespaces::ALL))
     end
 
-    def initialize(name, display_name, url)
-      if !name.is_a?(Hash)
-        name = { nil => name}
-      end
-      if !display_name.is_a?(Hash)
-        display_name = { nil => display_name }
-      end
-      if !url.is_a?(Hash)
-        url = { nil => url }
-      end
-
-      @name, @display_name, @url = name, display_name, url
-    end
-
-    def name(lang = nil)
-      self.class.localized_name(@name, lang)
-    end
-
-    def display_name(lang = nil)
-      self.class.localized_name(@display_name, lang)
-    end
-
-    def url(lang = nil)
-      self.class.localized_name(@url, lang)
+    def initialize(name = nil, display_name = nil, url = nil)
+      @name = LocalizedName.new('OrganizationName', name)
+      @display_name = LocalizedName.new('OrganizationDisplayName', display_name)
+      @url = LocalizedName.new('OrganizationURL', url)
     end
 
     def build(builder)
       builder['md'].Organization do |organization|
-        self.class.build(organization, @name, 'OrganizationName')
-        self.class.build(organization, @display_name, 'OrganizationDisplayName')
-        self.class.build(organization, @url, 'OrganizationURL')
-      end
-    end
-
-    private
-
-    def self.build(builder, hash, element)
-      hash.each do |lang, value|
-        builder['md'].__send__(element, value, 'xml:lang' => lang)
-      end
-    end
-
-    def self.nodes_to_hash(nodes)
-      hash = {}
-      nodes.each do |node|
-        hash[node['xml:lang'].to_sym] = node.content && node.content.strip
-      end
-      hash
-    end
-
-    def self.localized_name(hash, lang)
-      case lang
-        when :all
-          hash
-        when nil
-          !hash.empty? && hash.first.last
-        else
-          hash[lang.to_sym]
+        @name.build(organization)
+        @display_name.build(organization)
+        @url.build(organization)
       end
     end
   end

data/lib/saml2/response.rb

@@ -57,6 +57,18 @@ module SAML2
       @assertions = []
     end
 
+    def from_xml(node)
+      super
+      remove_instance_variable(:@assertions)
+    end
+
+    def assertions
+      unless instance_variable_defined?(:@assertions)
+        @assertions = load_object_array(xml, 'saml:Assertion', Assertion)
+      end
+      @assertions
+    end
+
     def sign(*args)
       assertions.each { |assertion| assertion.sign(*args) }
     end
@@ -71,7 +83,10 @@ module SAML2
         super(response)
 
         assertions.each do |assertion|
-          response.parent << assertion.to_xml
+          # we can't just call build, because it may already
+          # be signed as a separate message, so call to_xml to
+          # get the cached signed result
+          response.parent << assertion.to_xml.root
         end
       end
     end

data/lib/saml2/role.rb

@@ -1,8 +1,9 @@
 require 'set'
 
 require 'saml2/base'
-require 'saml2/organization_and_contacts'
 require 'saml2/key'
+require 'saml2/organization_and_contacts'
+require 'saml2/signable'
 
 module SAML2
   class Role < Base
@@ -11,6 +12,7 @@ module SAML2
     end
 
     include OrganizationAndContacts
+    include Signable
 
     attr_writer :supported_protocols, :keys
 

data/lib/saml2/service_provider.rb

@@ -38,6 +38,10 @@ module SAML2
         assertion_consumer_services.each do |acs|
           acs.build(sp_sso_descriptor, 'AssertionConsumerService')
         end
+
+        attribute_consuming_services.each do |acs|
+          acs.build(sp_sso_descriptor)
+        end
       end
     end
   end

data/lib/saml2/signable.rb

@@ -0,0 +1,69 @@
+require 'saml2/key'
+
+module SAML2
+  module Signable
+    def signature
+      unless instance_variable_defined?(:@signature)
+        @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
+        if @signature
+          signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
+          if signed_node == ''
+            @signature = nil unless xml == xml.document.root
+          elsif signed_node != "##{xml['ID']}"
+            # validating the schema will automatically add ID attributes, so check that first
+            xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
+            @signature = nil
+          end
+        end
+      end
+      @signature
+    end
+
+    def signing_key
+      @signing_key ||= Key.from_xml(signature)
+    end
+
+    def signed?
+      !!signature
+    end
+
+    def validate_signature(fingerprint: nil, cert: nil, verification_time: nil)
+      return ["not signed"] unless signed?
+
+      certs = Array(cert)
+      # see if any given fingerprints match the certificate embedded in the XML;
+      # if so, extract the certificate, and add it to the allowed certificates list
+      Array(fingerprint)&.each do |fp|
+        certs << signing_key.certificate if signing_key&.fingerprint == Key.format_fingerprint(fp)
+      end
+      certs = certs.uniq
+      return ["no certificate found"] if certs.empty?
+
+      begin
+        # verify_certificates being false is hopefully a temporary thing, until I can figure
+        # out how to get xmlsec to root a trust chain in a non-root certificate
+        result = signature.verify_with(certs: certs, verification_time: verification_time, verify_certificates: false)
+        result ? [] : ["signature does not match"]
+      rescue XMLSec::VerificationError => e
+        [e.message]
+      end
+    end
+
+    def valid_signature?(fingerprint: nil, cert: nil, verification_time: nil)
+      validate_signature(fingerprint: fingerprint, cert: cert, verification_time: verification_time).empty?
+    end
+
+    def sign(x509_certificate, private_key, algorithm_name = :sha256)
+      to_xml
+
+      xml = @document.root
+      xml.set_id_attribute('ID')
+      xml.sign!(cert: x509_certificate, key: private_key, digest_alg: algorithm_name.to_s, signature_alg: "rsa-#{algorithm_name}", uri: "##{id}")
+      # the Signature element must be the first element
+      signature = xml.at_xpath("dsig:Signature", Namespaces::ALL)
+      xml.children.first.add_previous_sibling(signature)
+
+      self
+    end
+  end
+end

data/lib/saml2/status.rb

@@ -2,7 +2,7 @@ require 'saml2/base'
 
 module SAML2
   class Status < Base
-    SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
+    SUCCESS      = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
 
     attr_accessor :code, :message
 
@@ -16,6 +16,10 @@ module SAML2
       self.message = load_string_array(xml, 'samlp:StatusMessage')
     end
 
+    def success?
+      code == SUCCESS
+    end
+
     def build(builder)
       builder['samlp'].Status do |status|
         status['samlp'].StatusCode(Value: code)

data/lib/saml2/subject.rb

@@ -4,19 +4,42 @@ require 'saml2/namespaces'
 module SAML2
   class Subject < Base
     attr_writer :name_id
-    attr_accessor :confirmation
+    attr_writer :confirmations
+
+    def initialize
+      @confirmations = []
+    end
+
+    def from_xml(node)
+      super
+      @confirmations = nil
+    end
 
     def name_id
       if xml && !instance_variable_defined?(:@name_id)
-        @name_id = NameID.from_xml(node.at_xpath('saml:NameID', Namespaces::ALL))
+        @name_id = NameID.from_xml(xml.at_xpath('saml:NameID', Namespaces::ALL))
       end
       @name_id
     end
 
+    def confirmation
+      Array.wrap(confirmations).first
+    end
+
+    def confirmation=(value)
+      @confirmations = [value]
+    end
+
+    def confirmations
+      @confirmations ||= load_object_array(xml, 'saml:SubjectConfirmation', Confirmation)
+    end
+
     def build(builder)
       builder['saml'].Subject do |subject|
         name_id.build(subject) if name_id
-        confirmation.build(subject) if confirmation
+        Array(confirmations).each do |confirmation|
+          confirmation.build(subject)
+        end
       end
     end
 
@@ -29,6 +52,18 @@ module SAML2
 
       attr_accessor :method, :not_before, :not_on_or_after, :recipient, :in_response_to
 
+      def from_xml(node)
+        super
+        self.method = node['Method']
+        confirmation_data = node.at_xpath('saml:SubjectConfirmationData', Namespaces::ALL)
+        if confirmation_data
+          self.not_before = Time.parse(confirmation_data['NotBefore']) if confirmation_data['NotBefore']
+          self.not_on_or_after = Time.parse(confirmation_data['NotOnOrAfter']) if confirmation_data['NotOnOrAfter']
+          self.recipient = confirmation_data['Recipient']
+          self.in_response_to = confirmation_data['InResponseTo']
+        end
+      end
+
       def build(builder)
         builder['saml'].SubjectConfirmation('Method' => method) do |subject_confirmation|
           if in_response_to ||

data/lib/saml2/version.rb

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.1.5'
+  VERSION = '2.0.0'
 end

data/spec/fixtures/service_provider.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2">
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://siteadmin.instructure.com/saml2" ID="unique">
   <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
 
     <KeyDescriptor use="encryption">

data/spec/lib/authn_request_spec.rb

@@ -5,24 +5,6 @@ module SAML2
     let(:sp) { Entity.parse(fixture('service_provider.xml')).roles.first }
     let(:request) { AuthnRequest.parse(fixture('authnrequest.xml')) }
 
-    describe '.decode' do
-      it "should not choke on empty string" do
-        authnrequest = AuthnRequest.decode('')
-        expect(authnrequest.valid_schema?).to eq false
-      end
-
-      it "should not choke on garbage" do
-        authnrequest = AuthnRequest.decode('abc')
-        expect(authnrequest.valid_schema?).to eq false
-      end
-
-      it "properly handles authnrequests that have pluses in them" do
-        samlrequest = "hZJbU8IwEIX/Smbfe6H1mqE4COPIDGoHqg++hXShmWkTzKao/95QQNEHfN09J2f32/RvPpqabdCSMjqDXhgDQy1NqfQqg+fiLriCm0GfRFMnaz5sXaVn+NYiOeaNmviuk0FrNTeCFHEtGiTuJJ8PH6Y8CWO+tsYZaWpgQyK0zkeNjKa2QTtHu1ESn2fTDCrn1sSjSJqmabVyn6EUeiOobij0tWgbFREZYGOfr7Rw3cwHm+/8MWwHSKKpWSkN7M5Yid0CGSxFTQhsMs5ApCotqzKRWEmxqha91VVVxvIMy1TGl8qLKBdEaoM/NqIWJ5qc0C6DJO5dBvFFkJwVvXOepDy9DtPr+BVYvl/7VukdzlOMFjsR8fuiyIP8aV4AezmcxQtgfwTepdtj+qcfFgfkMPgHcD86Tvg++qN/cjLOTa3kJxvWtXkfWRTO83C2xQ5sI9zpIbYVVQbLTsrX273IoXYQDfapvz/X4As="
-        authnrequest = AuthnRequest.decode(samlrequest)
-        expect(authnrequest.valid_schema?).to eq true
-      end
-    end
-
     it "should be valid" do
       expect(request.valid_schema?).to eq true
       expect(request.resolve(sp)).to eq true

data/spec/lib/bindings/http_redirect_spec.rb

@@ -29,8 +29,9 @@ module SAML2
       end
 
       it "doesn't allow deflate bombs" do
-        message = "\0" * 2 * 1024 * 1024
+        message = double()
         allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("\0" * 2 * 1024 * 1024)
         url = Bindings::HTTPRedirect.encode(message)
 
         expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(MessageTooLarge)
@@ -47,16 +48,18 @@ module SAML2
       end
 
       it "validates encoding" do
-        message = "hi"
+        message = double()
         allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("hi")
         url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
         url << "&SAMLEncoding=garbage"
         expect { Bindings::HTTPRedirect.decode(url) }.to raise_error(UnsupportedEncoding)
       end
 
       it "returns relay state" do
-        message = "hi"
+        message = double()
         allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("hi")
         url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
         allow(Message).to receive(:parse).with("hi").and_return("parsed")
         message, relay_state = Bindings::HTTPRedirect.decode(url)
@@ -88,8 +91,9 @@ module SAML2
         end
 
         it "allows the caller to detect an unsigned message" do
-          message = "hi"
+          message = double()
           allow(message).to receive(:destination).and_return("http://somewhere/")
+          allow(message).to receive(:to_s).and_return("hi")
           url = Bindings::HTTPRedirect.encode(message)
           allow(Message).to receive(:parse).with("hi").and_return("parsed")
 
@@ -102,8 +106,9 @@ module SAML2
         end
 
         it "requires a signature if a key is passed" do
-          message = "hi"
+          message = double()
           allow(message).to receive(:destination).and_return("http://somewhere/")
+          allow(message).to receive(:to_s).and_return("hi")
           url = Bindings::HTTPRedirect.encode(message)
           allow(Message).to receive(:parse).with("hi").and_return("parsed")
 
@@ -127,15 +132,17 @@ module SAML2
 
     describe '.encode' do
       it 'works' do
-        message = "hi"
+        message = double()
         allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("hi")
         url = Bindings::HTTPRedirect.encode(message, relay_state: "abc")
         expect(url).to match(%r{^http://somewhere/\?SAMLResponse=(?:.*)&RelayState=abc})
       end
 
       it 'signs a message' do
-        message = "hi"
+        message = double()
         allow(message).to receive(:destination).and_return("http://somewhere/")
+        allow(message).to receive(:to_s).and_return("hi")
         key = OpenSSL::PKey::RSA.new(fixture('privatekey.key'))
         url = Bindings::HTTPRedirect.encode(message, relay_state: "abc", private_key: key)
 

data/spec/lib/entity_spec.rb

@@ -25,10 +25,10 @@ module SAML2
       end
 
       it "should parse the organization" do
-        expect(entity.organization.display_name).to eq 'Canvas'
-        expect(entity.organization.display_name('en')).to eq 'Canvas'
-        expect(entity.organization.display_name('es')).to be_nil
-        expect(entity.organization.display_name(:all)).to eq en: 'Canvas'
+        expect(entity.organization.display_name.to_s).to eq 'Canvas'
+        expect(entity.organization.display_name['en']).to eq 'Canvas'
+        expect(entity.organization.display_name['es']).to be_nil
+        expect(entity.organization.display_name[:all]).to eq en: 'Canvas'
       end
 
       it "validates metadata from ADFS containing lots of non-SAML schemas" do
@@ -36,6 +36,13 @@ module SAML2
       end
     end
 
+    it "should sign correctly" do
+      entity = Entity.parse(fixture('service_provider.xml'))
+      entity.sign(fixture('certificate.pem'), fixture('privatekey.key'))
+      entity2 = Entity.parse(entity.to_s)
+      expect(entity2.valid_schema?).to eq true
+    end
+
     describe Entity::Group do
       it "should parse and validate" do
         group = Entity.parse(fixture('entities.xml'))

data/spec/lib/response_spec.rb

@@ -42,14 +42,14 @@ module SAML2
       expect(Schemas.protocol.validate(response.to_xml)).to eq []
       # verifiable on the command line with:
       # xmlsec1 --verify --pubkey-cert-pem certificate.pem --privkey-pem privatekey.key --id-attr:ID urn:oasis:names:tc:SAML:2.0:assertion:Assertion response_signed.xml
-      expect(response.to_s).to eq fixture('response_signed.xml')
+      expect(response.to_s(pretty: false)).to eq fixture('response_signed.xml')
     end
 
     it "should generate a valid signature when attributes are present" do
       freeze_response
       response.assertions.first.statements << sp.attribute_consuming_services.default.create_statement('givenName' => 'cody')
       response.sign(fixture('certificate.pem'), fixture('privatekey.key'))
-      expect(response.to_s).to eq fixture('response_with_attribute_signed.xml')
+      expect(response.to_s(pretty: false)).to eq fixture('response_with_attribute_signed.xml')
     end
 
     it "should generate valid XML for IdP initiated response" do
@@ -57,5 +57,11 @@ module SAML2
                               NameID.new('jacob', NameID::Format::PERSISTENT))
       expect(Schemas.protocol.validate(Nokogiri::XML(response.to_s))).to eq []
     end
+
+    it "parses a serialized assertion" do
+      response2 = Message.parse(response.to_s)
+      expect(response2.assertions.length).to eq 1
+      expect(response2.assertions.first.subject.name_id.id).to eq 'jacob'
+    end
   end
 end

data/spec/lib/service_provider_spec.rb

@@ -14,10 +14,14 @@ module SAML2
       sp = ServiceProvider.new
       sp.single_logout_services << Endpoint.new('https://sso.canvaslms.com/SAML2/Logout',
                                                  Bindings::HTTPRedirect::URN)
-      sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login1', 0)
-      sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login2', 1)
+      sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login1')
+      sp.assertion_consumer_services << Endpoint::Indexed.new('https://sso.canvaslms.com/SAML2/Login2')
       sp.keys << Key.new('somedata', Key::Type::ENCRYPTION, [Key::EncryptionMethod.new])
       sp.keys << Key.new('somedata', Key::Type::SIGNING)
+      acs = AttributeConsumingService.new
+      acs.name[:en] = 'service'
+      acs.requested_attributes << RequestedAttribute.create('uid')
+      sp.attribute_consuming_services << acs
 
       entity.roles << sp
       expect(Schemas.metadata.validate(Nokogiri::XML(entity.to_s))).to eq []
@@ -38,7 +42,7 @@ module SAML2
       end
 
       it "should load the organization" do
-        expect(entity.organization.display_name).to eq 'Canvas'
+        expect(entity.organization.display_name.to_s).to eq 'Canvas'
       end
 
       it "should load contacts" do
@@ -46,6 +50,15 @@ module SAML2
         expect(entity.contacts.first.type).to eq Contact::Type::TECHNICAL
         expect(entity.contacts.first.surname).to eq 'Administrator'
       end
+
+      it "loads attribute_consuming_services" do
+        expect(sp.attribute_consuming_services.length).to eq 1
+        acs = sp.attribute_consuming_services.first
+        expect(acs.index).to eq 0
+        expect(acs.name.to_s).to eq 'service'
+        expect(acs.requested_attributes.length).to eq 1
+        expect(acs.requested_attributes.first.name).to eq 'urn:oid:2.5.4.42'
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml2
 version: !ruby/object:Gem::Version
-  version: 1.1.5
+  version: 2.0.0
 platform: ruby
 authors:
 - Cody Cutrer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-11-16 00:00:00.000000000 Z
+date: 2017-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -147,6 +147,7 @@ files:
 - lib/saml2/identity_provider.rb
 - lib/saml2/indexed_object.rb
 - lib/saml2/key.rb
+- lib/saml2/localized_name.rb
 - lib/saml2/logout_request.rb
 - lib/saml2/logout_response.rb
 - lib/saml2/message.rb
@@ -160,6 +161,7 @@ files:
 - lib/saml2/role.rb
 - lib/saml2/schemas.rb
 - lib/saml2/service_provider.rb
+- lib/saml2/signable.rb
 - lib/saml2/sso.rb
 - lib/saml2/status.rb
 - lib/saml2/status_response.rb
@@ -221,7 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
 summary: SAML 2.0 Library