saml2 3.1.2 → 3.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c6bee2a21b427f883ac61136eba8021c72f7f90a3a41654a964f165d1ae3641
-  data.tar.gz: 0e53c2b7e6d460f61f331c0d2cc4031ba3cea9895cc3b3b9d6fca153f1ca7653
+  metadata.gz: 8f10ad7e5f4379ecbb273d27aed0db3b58ac1db6115b54f2199662169b0ee808
+  data.tar.gz: 7842786be374bb809438567a58abcda27c88b5953512787b1d7a9338cf8e9901
 SHA512:
-  metadata.gz: c427fc0852c531675c5573b1a51a3a6097414fc7ceee458a1c80d682dff696123e59d61a6e90cea0f6c221fbcef01a87f5a91f33dfebb2d0bf0f281e2b278794
-  data.tar.gz: a2281d564327fe52d98055559663cd4c26945aafc3b535c2d4adc2851480418f387e3a80f73f8bed665afc3eaf2ab771d94576c0332a1296ef8c0e73208467eb
+  metadata.gz: 0ad080a07e9083b9c4734319e4344e81e0866c8d73c08da9d55312866607f6820141c161875905726f5bc8aeaa36ca50f79fb4c8bcf334c03f71b498a692d68b
+  data.tar.gz: a8905fd54b6137a4474857155e40288798d8fdeb033282dbfbf37bbcc0740d1c12080efc5e4a0f83bdc9a91ace3da2f1b71f9290d7019c386179e82fb3f2acb4

data/Rakefile

@@ -1,8 +1,10 @@
-require 'rubygems'
-require 'bundler'
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler"
 Bundler::GemHelper.install_tasks
 
-require 'rspec/core/rake_task'
+require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new
 
-task :default => :spec
+task default: :spec

data/exe/bulk_verify_responses

@@ -0,0 +1,94 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "json"
+require "openssl"
+
+require "saml2"
+
+debug = ARGV.delete("--debug")
+
+service_provider_entity = SAML2::Entity.new
+service_provider = SAML2::ServiceProvider.new
+service_provider_entity.roles << service_provider
+
+def getarg(key)
+  return unless (index = ARGV.index(key))
+
+  ARGV.delete_at(index)
+  ARGV.delete_at(index)
+end
+
+if (verification_time = getarg("--at"))
+  verification_time = Time.parse(verification_time)
+end
+verification_time ||= Time.now.utc
+
+while (key_file = getarg("--key"))
+  service_provider.private_keys << OpenSSL::PKey.read(File.read(key_file))
+end
+
+while (cert_file = getarg("--certificate"))
+  service_provider.keys << SAML2::KeyDescriptor.new(File.read(cert_file))
+end
+
+ignored_idps = Set.new
+while (idp = getarg("--ignore"))
+  if idp[0] == "@"
+    ignored_idps.merge(File.read(idp[1..]).strip.split("\n"))
+  else
+    ignored_idps << idp
+  end
+end
+
+idps = {}
+if (trusted_certificates_file = getarg("--trusted-certificates"))
+  trusted_certificates = JSON.parse(File.read(trusted_certificates_file))
+  trusted_certificates.each do |(issuer, fingerprints)|
+    idp_entity = SAML2::Entity.new
+    idp_entity.entity_id = issuer
+    idp = SAML2::IdentityProvider.new
+    idp.fingerprints = fingerprints
+    idp_entity.roles << idp
+    idps[issuer] = idp_entity
+  end
+end
+
+responses = JSON.parse(File.read(ARGV.first))
+index = ARGV.pop.to_i if ARGV.last.to_i.to_s == ARGV.last
+
+bad_counts = Hash.new(0)
+non_ignored_count = 0
+
+responses = [responses[index]] if index
+responses.each_with_index do |response_raw, i|
+  next if response_raw["SAMLResponse"].empty?
+  next if response_raw["error"] # we're not expected to be able to validate this
+
+  begin
+    puts response_raw.to_json if debug
+    response, _relay_state = SAML2::Bindings::HTTP_POST.decode(response_raw)
+  rescue => e
+    warn "Unable to decode '#{response_raw}' (index #{i}) due to #{e}"
+    next
+  end
+
+  next if ignored_idps.include?(response.issuer&.id)
+
+  non_ignored_count += 1
+
+  puts response.xml if debug
+
+  # TODO: ignore audience restrictions
+  errors = response.validate(service_provider: service_provider_entity,
+                             identity_provider: idps[response.issuer&.id],
+                             verification_time: verification_time)
+  unless errors.empty?
+    bad_counts[response.issuer&.id] += 1
+    warn "#{errors.inspect} for response #{response.id} from #{response.issuer&.id} (index #{i})"
+  end
+end
+
+puts ""
+puts bad_counts.sort_by(&:last).reverse.to_h.inspect
+puts "#{bad_counts.values.sum}/#{non_ignored_count} failed"

data/lib/saml2/assertion.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'saml2/conditions'
+require "saml2/conditions"
 
 module SAML2
   class Assertion < Message
@@ -21,7 +21,7 @@ module SAML2
     # @return [Subject, nil]
     def subject
       if xml && !instance_variable_defined?(:@subject)
-        @subject = Subject.from_xml(xml.at_xpath('saml:Subject', Namespaces::ALL))
+        @subject = Subject.from_xml(xml.at_xpath("saml:Subject", Namespaces::ALL))
       end
       @subject
     end
@@ -29,7 +29,7 @@ module SAML2
     # @return [Conditions]
     def conditions
       if !instance_variable_defined?(:@conditions) && xml
-        @conditions = Conditions.from_xml(xml.at_xpath('saml:Conditions', Namespaces::ALL))
+        @conditions = Conditions.from_xml(xml.at_xpath("saml:Conditions", Namespaces::ALL))
       end
       @conditions
     end
@@ -46,19 +46,19 @@ module SAML2
 
     # @return [Array<AuthnStatement, AttributeStatement>]
     def statements
-      @statements ||= load_object_array(xml, 'saml:AuthnStatement|saml:AttributeStatement')
+      @statements ||= load_object_array(xml, "saml:AuthnStatement|saml:AttributeStatement")
     end
 
     # (see Base#build)
     def build(builder)
-      builder['saml'].Assertion(
-          'xmlns:saml' => Namespaces::SAML
+      builder["saml"].Assertion(
+        "xmlns:saml" => Namespaces::SAML
       ) do |assertion|
         super(assertion)
 
         subject.build(assertion)
 
-        conditions.build(assertion) if conditions
+        conditions&.build(assertion)
 
         statements.each { |stmt| stmt.build(assertion) }
       end

data/lib/saml2/attribute/x500.rb

@@ -3,41 +3,42 @@
 module SAML2
   class Attribute
     class X500 < Attribute
-      GIVEN_NAME             = 'urn:oid:2.5.4.42'
-      SN = SURNAME           = 'urn:oid:2.5.4.4'
+      GIVEN_NAME             = "urn:oid:2.5.4.42"
+      SN = SURNAME           = "urn:oid:2.5.4.4"
       # https://www.ietf.org/rfc/rfc2798.txt
       module InetOrgPerson
-        DISPLAY_NAME         = 'urn:oid:2.16.840.1.113730.3.1.241'
-        EMPLOYEE_NUMBER      = 'urn:oid:2.16.840.1.113730.3.1.3'
-        EMPLOYEE_TYPE        = 'urn:oid:2.16.840.1.113730.3.1.4'
-        PREFERRED_LANGUAGE   = 'urn:oid:2.16.840.1.113730.3.1.39'
+        DISPLAY_NAME         = "urn:oid:2.16.840.1.113730.3.1.241"
+        EMPLOYEE_NUMBER      = "urn:oid:2.16.840.1.113730.3.1.3"
+        EMPLOYEE_TYPE        = "urn:oid:2.16.840.1.113730.3.1.4"
+        PREFERRED_LANGUAGE   = "urn:oid:2.16.840.1.113730.3.1.39"
       end
+
       # https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html
       module EduPerson
-        AFFILIATION          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'
-        ASSURANCE            = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.11'
-        ENTITLEMENT          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
-        NICKNAME             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2'
-        ORG_D_N              = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3'
-        ORG_UNIT_D_N         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4'
-        PRIMARY_AFFILIATION  = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5'
-        PRIMARY_ORG_UNIT_D_N = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8'
-        PRINCIPAL_NAME       = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'
-        SCOPED_AFFILIATION   = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
-        TARGETED_I_D         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
+        AFFILIATION          = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+        ASSURANCE            = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
+        ENTITLEMENT          = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
+        NICKNAME             = "urn:oid:1.3.6.1.4.1.5923.1.1.1.2"
+        ORG_D_N              = "urn:oid:1.3.6.1.4.1.5923.1.1.1.3"
+        ORG_UNIT_D_N         = "urn:oid:1.3.6.1.4.1.5923.1.1.1.4"
+        PRIMARY_AFFILIATION  = "urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
+        PRIMARY_ORG_UNIT_D_N = "urn:oid:1.3.6.1.4.1.5923.1.1.1.8"
+        PRINCIPAL_NAME       = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+        SCOPED_AFFILIATION   = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
+        TARGETED_I_D         = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
       end
       # http://www.ietf.org/rfc/rfc4519.txt
-      UID = USERID           = 'urn:oid:0.9.2342.19200300.100.1.1'
+      UID = USERID           = "urn:oid:0.9.2342.19200300.100.1.1"
       # http://www.ietf.org/rfc/rfc4524.txt
-      MAIL                   = 'urn:oid:0.9.2342.19200300.100.1.3'
+      MAIL                   = "urn:oid:0.9.2342.19200300.100.1.3"
 
       # Returns true if the param should be an {X500} Attribute.
       # @param name_or_node [String, Nokogiri::XML::Element]
       def self.recognizes?(name_or_node)
         if name_or_node.is_a?(Nokogiri::XML::Element)
           !!name_or_node.at_xpath("@x500:Encoding", Namespaces::ALL) ||
-              (name_or_node['NameFormat'] == NameFormats::URI || name_or_node['NameFormat'].nil?) &&
-              OIDS.include?(name_or_node['Name'])
+            ((name_or_node["NameFormat"] == NameFormats::URI || name_or_node["NameFormat"].nil?) &&
+              OIDS.include?(name_or_node["Name"]))
         else
           FRIENDLY_NAMES.include?(name_or_node) || OIDS.include?(name_or_node)
         end
@@ -58,7 +59,8 @@ module SAML2
           # if they pass a friendly name, infer the OID
           proper_name = FRIENDLY_NAMES[name]
           if proper_name
-            name, friendly_name = proper_name, name
+            friendly_name = name
+            name = proper_name
           end
         end
 
@@ -77,25 +79,26 @@ module SAML2
       def build(builder)
         super
         attr = builder.parent.last_element_child
-        attr.add_namespace_definition('x500', Namespaces::X500)
-        attr['x500:Encoding'] = 'LDAP'
+        attr.add_namespace_definition("x500", Namespaces::X500)
+        attr["x500:Encoding"] = "LDAP"
       end
 
       # build hashes out of our known attribute names for quick lookup
-      FRIENDLY_NAMES = ([self] + constants).inject({}) do |hash, mod|
+      FRIENDLY_NAMES = ([self] + constants).each_with_object({}) do |mod, hash|
         mod = const_get(mod) unless mod.is_a?(Module)
         next hash unless mod.is_a?(Module)
         # Don't look in modules inherited from parent classes
-        next hash unless mod.name.start_with?(self.name)
+        next hash unless mod.name.start_with?(name)
+
         mod.constants.each do |key|
           value = mod.const_get(key)
           next unless value.is_a?(String)
+
           key = key.to_s.downcase.gsub(/_\w/) { |c| c[1].upcase }
           # eduPerson prefixes all of their names
-          key = "eduPerson#{key.sub(/^\w/) { |c| c.upcase }}" if mod == EduPerson
+          key = "eduPerson#{key.sub(/^\w/, &:upcase)}" if mod == EduPerson
           hash[key] = value
         end
-        hash
       end.freeze
       OIDS = FRIENDLY_NAMES.invert.freeze
       private_constant :FRIENDLY_NAMES, :OIDS

data/lib/saml2/attribute.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-require 'date'
+require "date"
 
-require 'active_support/core_ext/array/wrap'
+require "active_support/core_ext/array/wrap"
 
-require 'saml2/base'
-require 'saml2/namespaces'
+require "saml2/base"
+require "saml2/namespaces"
 
 module SAML2
   class Attribute < Base
@@ -43,13 +43,13 @@ module SAML2
       # The XML namespace that this attribute class serializes as.
       # @return ['saml']
       def namespace
-        'saml'
+        "saml"
       end
 
       # The XML element that this attribute class serializes as.
       # @return ['Attribute']
       def element
-        'Attribute'
+        "Attribute"
       end
 
       protected
@@ -59,10 +59,10 @@ module SAML2
       end
 
       def inherited(klass)
+        super
         subclasses << klass
       end
 
-
       def class_for(name_or_node)
         subclasses.find do |klass|
           klass.respond_to?(:recognizes?) && klass.recognizes?(name_or_node)
@@ -84,18 +84,22 @@ module SAML2
     # @param friendly_name optional [String, nil]
     # @param name_format optional [String, nil]
     def initialize(name = nil, value = nil, friendly_name = nil, name_format = nil)
-      @name, @value, @friendly_name, @name_format = name, value, friendly_name, name_format
+      super()
+      @name = name
+      @value = value
+      @friendly_name = friendly_name
+      @name_format = name_format
     end
 
     # (see Base#build)
     def build(builder)
-      builder[self.class.namespace].__send__(self.class.element, 'Name' => name) do |attribute|
-        attribute.parent['FriendlyName'] = friendly_name if friendly_name
-        attribute.parent['NameFormat'] = name_format if name_format
+      builder[self.class.namespace].__send__(self.class.element, "Name" => name) do |attribute|
+        attribute.parent["FriendlyName"] = friendly_name if friendly_name
+        attribute.parent["NameFormat"] = name_format if name_format
         Array.wrap(value).each do |value|
           xsi_type, val = convert_to_xsi(value)
-          attribute['saml'].AttributeValue(val) do |attribute_value|
-            attribute_value.parent['xsi:type'] = xsi_type if xsi_type
+          attribute["saml"].AttributeValue(val) do |attribute_value|
+            attribute_value.parent["xsi:type"] = xsi_type if xsi_type
           end
         end
       end
@@ -104,15 +108,15 @@ module SAML2
     # (see Base#from_xml)
     def from_xml(node)
       super
-      @name = node['Name']
-      @friendly_name = node['FriendlyName']
-      @name_format = node['NameFormat']
-      values = node.xpath('saml:AttributeValue', Namespaces::ALL).map do |value|
-        convert_from_xsi(value.attribute_with_ns('type', Namespaces::XSI), value.content && value.content.strip)
+      @name = node["Name"]
+      @friendly_name = node["FriendlyName"]
+      @name_format = node["NameFormat"]
+      values = node.xpath("saml:AttributeValue", Namespaces::ALL).map do |value|
+        convert_from_xsi(value.attribute_with_ns("type", Namespaces::XSI), value.content && value.content.strip)
       end
       @value = case values.length
-               when 0; nil
-               when 1; values.first
+               when 0 then nil
+               when 1 then values.first
                else; values
                end
     end
@@ -120,13 +124,13 @@ module SAML2
     private
 
     XS_TYPES = {
-      lookup_qname('xs:boolean', Namespaces::ALL) =>
-        [[TrueClass, FalseClass], nil, ->(v) { %w{true 1}.include?(v) ? true : false }],
-      lookup_qname('xs:string', Namespaces::ALL) =>
+      lookup_qname("xs:boolean", Namespaces::ALL) =>
+        [[TrueClass, FalseClass], nil, ->(v) { %w[true 1].include?(v) }],
+      lookup_qname("xs:string", Namespaces::ALL) =>
         [String, nil, nil],
-      lookup_qname('xs:date', Namespaces::ALL) =>
+      lookup_qname("xs:date", Namespaces::ALL) =>
         [Date, nil, ->(v) { Date.parse(v) if v }],
-      lookup_qname('xs:dateTime', Namespaces::ALL) =>
+      lookup_qname("xs:dateTime", Namespaces::ALL) =>
         [Time, ->(v) { v.iso8601 }, ->(v) { Time.parse(v) if v }]
     }.freeze
 
@@ -134,11 +138,11 @@ module SAML2
       xs_type = nil
       converter = nil
       XS_TYPES.each do |type, (klasses, to_xsi, _from_xsi)|
-        if Array.wrap(klasses).any? { |klass| klass === value }
-          xs_type = "xs:#{type.last}"
-          converter = to_xsi
-          break
-        end
+        next unless Array.wrap(klasses).any? { |klass| value.is_a?(klass) }
+
+        xs_type = "xs:#{type.last}"
+        converter = to_xsi
+        break
       end
       value = converter.call(value) if converter
       [xs_type, value]
@@ -146,12 +150,11 @@ module SAML2
 
     def convert_from_xsi(type, value)
       return value unless type
+
       qname = self.class.lookup_qname(type.value, type.namespaces)
 
       info = XS_TYPES[qname]
-      if info && info.last
-        value = info.last.call(value)
-      end
+      value = info.last.call(value) if info&.last
       value
     end
   end
@@ -160,12 +163,13 @@ module SAML2
     attr_reader :attributes
 
     def initialize(attributes = [])
+      super()
       @attributes = attributes
     end
 
     def from_xml(node)
       super
-      @attributes = node.xpath('saml:Attribute', Namespaces::ALL).map do |attr|
+      @attributes = node.xpath("saml:Attribute", Namespaces::ALL).map do |attr|
         Attribute.from_xml(attr)
       end
     end
@@ -190,29 +194,29 @@ module SAML2
 
         prior_value = result[key]
         result[key] = if prior_value
-          value = Array.wrap(prior_value)
-          # repeated key; convert to array
-          if attribute.value.is_a?(Array)
-            # both values are arrays; concatenate them
-            value.concat(attribute.value)
-          else
-            value << attribute.value
-          end
-          value
-        else
-          attribute.value
-        end
+                        value = Array.wrap(prior_value)
+                        # repeated key; convert to array
+                        if attribute.value.is_a?(Array)
+                          # both values are arrays; concatenate them
+                          value.concat(attribute.value)
+                        else
+                          value << attribute.value
+                        end
+                        value
+                      else
+                        attribute.value
+                      end
       end
       result
     end
 
     def build(builder)
-      builder['saml'].AttributeStatement('xmlns:xs' => Namespaces::XS,
-                                         'xmlns:xsi' => Namespaces::XSI) do |statement|
+      builder["saml"].AttributeStatement("xmlns:xs" => Namespaces::XS,
+                                         "xmlns:xsi" => Namespaces::XSI) do |statement|
         @attributes.each { |attr| attr.build(statement) }
       end
     end
   end
 end
 
-require 'saml2/attribute/x500'
+require "saml2/attribute/x500"

data/lib/saml2/attribute_consuming_service.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-require 'active_support/core_ext/array/wrap'
+require "active_support/core_ext/array/wrap"
 
-require 'saml2/attribute'
-require 'saml2/indexed_object'
-require 'saml2/localized_name'
-require 'saml2/namespaces'
+require "saml2/attribute"
+require "saml2/indexed_object"
+require "saml2/localized_name"
+require "saml2/namespaces"
 
 module SAML2
   class RequestedAttribute < Attribute
@@ -13,13 +13,13 @@ module SAML2
       # The XML namespace that this attribute class serializes as.
       # @return ['md']
       def namespace
-        'md'
+        "md"
       end
 
       # The XML element that this attribute class serializes as.
       # @return ['RequestedAttribute']
       def element
-        'RequestedAttribute'
+        "RequestedAttribute"
       end
 
       # Create a RequestAttribute object to represent an attribute.
@@ -51,7 +51,7 @@ module SAML2
     # (see Base#from_xml)
     def from_xml(node)
       super
-      @is_required = node['isRequired'] && node['isRequired'] == 'true'
+      @is_required = node["isRequired"] && node["isRequired"] == "true"
     end
 
     # @return [true, false, nil]
@@ -79,9 +79,10 @@ module SAML2
     # @param requested_attribute [RequestedAttribute]
     def initialize(requested_attribute, provided_value)
       super("Attribute #{requested_attribute.name} is provided value " \
-        "#{provided_value.inspect}, but only allows "                  \
-        "#{Array.wrap(requested_attribute.value).inspect}")
-      @requested_attribute, @provided_value = requested_attribute, provided_value
+            "#{provided_value.inspect}, but only allows " \
+            "#{Array.wrap(requested_attribute.value).inspect}")
+      @requested_attribute = requested_attribute
+      @provided_value = provided_value
     end
   end
 
@@ -97,16 +98,16 @@ module SAML2
     # @param requested_attributes [::Array<RequestedAttributes>]
     def initialize(name = nil, requested_attributes = [])
       super()
-      @name = LocalizedName.new('ServiceName', name)
-      @description = LocalizedName.new('ServiceDescription')
+      @name = LocalizedName.new("ServiceName", name)
+      @description = LocalizedName.new("ServiceDescription")
       @requested_attributes = requested_attributes
     end
 
     # (see Base#from_xml)
     def from_xml(node)
       super
-      name.from_xml(node.xpath('md:ServiceName', Namespaces::ALL))
-      description.from_xml(node.xpath('md:ServiceDescription', Namespaces::ALL))
+      name.from_xml(node.xpath("md:ServiceName", Namespaces::ALL))
+      description.from_xml(node.xpath("md:ServiceDescription", Namespaces::ALL))
       @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
     end
 
@@ -126,49 +127,46 @@ module SAML2
     #   If a {RequestedAttribute} is tagged as required, but it has not been
     #   supplied.
     def create_statement(attributes)
-      if attributes.is_a?(Hash)
-        attributes = attributes.map { |k, v| Attribute.create(k, v) }
-      end
+      attributes = attributes.map { |k, v| Attribute.create(k, v) } if attributes.is_a?(Hash)
 
       attributes_hash = {}
       attributes.each do |attr|
         attr.value = attr.value.call if attr.value.respond_to?(:call)
         attributes_hash[[attr.name, attr.name_format]] = attr
-        if attr.name_format
-          attributes_hash[[attr.name, nil]] = attr
-        end
+        attributes_hash[[attr.name, nil]] = attr if attr.name_format
       end
 
       attributes = []
       requested_attributes.each do |requested_attr|
         attr = attributes_hash[[requested_attr.name, requested_attr.name_format]]
-        if requested_attr.name_format
-          attr ||= attributes_hash[[requested_attr.name, nil]]
-        end
+        attr ||= attributes_hash[[requested_attr.name, nil]] if requested_attr.name_format
         if attr
           if requested_attr.value &&
-            !Array.wrap(requested_attr.value).include?(attr.value)
+             !Array.wrap(requested_attr.value).include?(attr.value)
             raise InvalidAttributeValue.new(requested_attr, attr.value)
           end
+
           attributes << attr
         elsif requested_attr.required?
           # if the metadata includes only one possible value, helpfully set
           # that value
-          if requested_attr.value && !requested_attr.value.is_a?(::Array)
-            attributes << Attribute.create(requested_attr.name,
-                                           requested_attr.value)
-          else
-            raise RequiredAttributeMissing.new(requested_attr)
+          unless requested_attr.value && !requested_attr.value.is_a?(::Array)
+            raise RequiredAttributeMissing, requested_attr
           end
+
+          attributes << Attribute.create(requested_attr.name,
+                                         requested_attr.value)
+
         end
       end
       return nil if attributes.empty?
+
       AttributeStatement.new(attributes)
     end
 
     # (see Base#build)
     def build(builder)
-      builder['md'].AttributeConsumingService do |attribute_consuming_service|
+      builder["md"].AttributeConsumingService do |attribute_consuming_service|
         name.build(attribute_consuming_service)
         description.build(attribute_consuming_service)
         requested_attributes.each do |requested_attribute|