samlr 2.7.1.pre.3 → 2.7.2.pre.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99111c7af501ed1d300602d81d603fe0869e042dc9b330cb38aa800c77a79517
-  data.tar.gz: 755f39f3397bdff3454a05bd47c329ebbf0440c4103469153ed3518bf1aa47c1
+  metadata.gz: f29fb87e4f9c2e892ff008b93ceaa0406683aefb33b5b7772933498db217324d
+  data.tar.gz: 87e0905875456dac62a5bb66a4436b6549ff10a1859d42d54dcd426acb7026db
 SHA512:
-  metadata.gz: 49bb0ebfda779df0a6950eaedac7487b5c1a03475b488573b028d4b86b51a1cbf16c641ad09f15e3bae9bc8717795572d59103590b456b82f22879347881a4d2
-  data.tar.gz: f111bab5d4b7f933bf217b7bd0a2c89d179768409fc0215e78e9c0a739ebf8bf5860fb481ec4c94da9e352da7c6975f8293003acc19160c03d04e2ae38bd8577
+  metadata.gz: a540ead119f309d5bba8a85641fe379a15ca421a48f1be082327f99c2c3bc30e94b7b26db756e2a1490170937e9518ea9fd5aa917e316b15b79657fa79102b6c
+  data.tar.gz: 2bad133e71423fa9207488c470832244e20bf889a25befa6e5718ffca5176c46ecb0129521091dcd8dfa0421d33314d65db2ca330b91f463826284cbcc4eaf0f

data/lib/samlr/assertion.rb

@@ -5,7 +5,7 @@ module Samlr
 
     def initialize(document, options)
       @document = document
-      @options  = options
+      @options = options
     end
 
     def verify!
@@ -31,15 +31,15 @@ module Samlr
     def attributes
       @attributes ||= {}.tap do |attrs|
         assertion.xpath("./saml:AttributeStatement/saml:Attribute", NS_MAP).each do |statement|
-          name   = statement["Name"]
+          name = statement["Name"]
           values = statement.xpath("./saml:AttributeValue", NS_MAP)
 
-          if values.size == 0
-            value = nil
+          value = if values.size == 0
+            nil
           elsif values.size == 1
-            value = values.first.text
+            values.first.text
           else
-            value = values.map { |value| value.text }
+            values.map { |value| value.text }
           end
 
           attrs[name] = value
@@ -56,7 +56,7 @@ module Samlr
     end
 
     def name_id_options
-      @name_id_options ||= Hash[name_id_node.attributes.map{|k,v| [k, v.value]}]
+      @name_id_options ||= name_id_node.attributes.map { |k, v| [k, v.value] }.to_h
     end
 
     def conditions

data/lib/samlr/command.rb

@@ -4,10 +4,10 @@ require "logger"
 module Samlr
   # Helper module for command line options
   module Command
-    COMMANDS = [ :verify, :schema_validate, :print ]
+    COMMANDS = [:verify, :schema_validate, :print]
 
     def self.execute(options, path = nil)
-      Samlr.logger.level    = Logger::DEBUG if options[:verbose]
+      Samlr.logger.level = Logger::DEBUG if options[:verbose]
       Samlr.validation_mode = :log if options[:skip_validation]
 
       if options[:verify]
@@ -21,21 +21,18 @@ module Samlr
           execute_verify(path, options)
         end
       elsif options[:schema_validate]
-        Samlr::Tools.validate(:path => path)
+        Samlr::Tools.validate(path: path)
       elsif options[:print]
         Samlr::Response.parse(File.read(path)).to_xml
       end
     end
 
-    private
-
     def self.execute_verify(path, options)
-      begin
-        Samlr::Response.new(File.read(path), options).verify!
-        "Verification passed for #{path}"
-      rescue Samlr::SamlrError => e
-        "Verification failed for #{path}: #{e.message}"
-      end
+      Samlr::Response.new(File.read(path), options).verify!
+      "Verification passed for #{path}"
+    rescue Samlr::SamlrError => e
+      "Verification failed for #{path}: #{e.message}"
     end
+    private_class_method :execute_verify
   end
 end

data/lib/samlr/condition.rb

@@ -3,10 +3,10 @@ module Samlr
     attr_reader :audience, :not_before, :not_on_or_after, :options
 
     def initialize(condition, options)
-      @options         = options
-      @not_before      = (condition || {})["NotBefore"]
+      @options = options
+      @not_before = (condition || {})["NotBefore"]
       @not_on_or_after = (condition || {})["NotOnOrAfter"]
-      @audience        = extract_audience(condition)
+      @audience = extract_audience(condition)
     end
 
     def verify!
@@ -35,9 +35,9 @@ module Samlr
 
     def audience_satisfied?
       options[:audience].nil? ||
-      audience.nil?           ||
-      audience.empty?         ||
-      audience.any? { |a| options[:audience] === a }
+        audience.nil? ||
+        audience.empty? ||
+        audience.any? { |a| options[:audience] === a }
     end
 
     private
@@ -45,10 +45,10 @@ module Samlr
     def extract_audience(condition)
       return unless condition
 
-      audience_restriction_node = condition.at('./saml:AudienceRestriction', NS_MAP)
+      audience_restriction_node = condition.at("./saml:AudienceRestriction", NS_MAP)
       return unless audience_restriction_node
 
-      audience_nodes = audience_restriction_node.search('./saml:Audience', NS_MAP)
+      audience_nodes = audience_restriction_node.search("./saml:Audience", NS_MAP)
       return unless audience_nodes.any?
 
       audience_nodes.map(&:text)

data/lib/samlr/fingerprint.rb

@@ -3,16 +3,16 @@ module Samlr
     attr_accessor :value
 
     def initialize(value)
-      if value.is_a?(OpenSSL::X509::Certificate)
-        @value = self.class.x509(value)
+      @value = if value.is_a?(OpenSSL::X509::Certificate)
+        self.class.x509(value)
       else
-        @value = self.class.normalize(value)
+        self.class.normalize(value)
       end
     end
 
     def self.from_string(string)
       normalized = normalize(string)
-      if string.gsub(':', '').length == 64
+      if string.delete(":").length == 64
         FingerprintSHA256.new(normalized)
       else
         FingerprintSHA1.new(normalized)
@@ -46,7 +46,7 @@ module Samlr
 
     # Extracts a fingerprint for an x509 certificate
     def self.x509(certificate)
-      raise NotImplementedError, 'subclass must implement x509'
+      raise NotImplementedError, "subclass must implement x509"
     end
 
     # Converts a string to fingerprint normal form

data/lib/samlr/fingerprint_sha1.rb

@@ -4,7 +4,7 @@ module Samlr
   class FingerprintSHA1 < Fingerprint
     # Extracts a fingerprint for an x509 certificate
     def self.x509(certificate)
-      normalize(OpenSSL::Digest::SHA1.new.hexdigest(certificate.to_der))
+      normalize(OpenSSL::Digest.new("SHA1").hexdigest(certificate.to_der))
     end
   end
 end

data/lib/samlr/fingerprint_sha256.rb

@@ -4,7 +4,7 @@ module Samlr
   class FingerprintSHA256 < Fingerprint
     # Extracts a fingerprint for an x509 certificate
     def self.x509(certificate)
-      normalize(OpenSSL::Digest::SHA256.new.hexdigest(certificate.to_der))
+      normalize(OpenSSL::Digest.new("SHA256").hexdigest(certificate.to_der))
     end
   end
 end

data/lib/samlr/reference.rb

@@ -6,7 +6,7 @@ module Samlr
 
     def initialize(node)
       @node = node
-      @uri  = node["URI"][1..-1]
+      @uri = node["URI"][1..]
     end
 
     def digest_method
@@ -14,7 +14,7 @@ module Samlr
     end
 
     def digest_value
-      @digest_value  ||= node.at("./ds:DigestValue", NS_MAP).text
+      @digest_value ||= node.at("./ds:DigestValue", NS_MAP).text
     end
 
     def decoded_digest_value
@@ -27,6 +27,5 @@ module Samlr
         attribute ? attribute.split(" ") : []
       end
     end
-
   end
 end

data/lib/samlr/request.rb

@@ -41,14 +41,14 @@ module Samlr
       Samlr::Tools.parse(data, compressed: true)
     end
 
-    def get_attribute_or_element(x_path,attribute=nil)
+    def get_attribute_or_element(x_path, attribute = nil)
       if document
         element = document.xpath(x_path)
         if element.length == 0
           nil
         elsif attribute
           value = element.attr(attribute)
-          value.to_s if value
+          value&.to_s
         else
           element
         end

data/lib/samlr/response.rb

@@ -2,7 +2,6 @@ require "forwardable"
 require "nokogiri"
 
 module Samlr
-
   # This is the object interface to the XML response object.
   class Response
     extend Forwardable
@@ -11,7 +10,7 @@ module Samlr
     attr_reader :document, :options
 
     def initialize(data, options)
-      @options  = options
+      @options = options
       @document = Response.parse(data)
     end
 

data/lib/samlr/signature.rb

@@ -13,18 +13,12 @@ module Samlr
       # Signature validations require document alterations
       @original = original
       @document = original.dup
-      @prefix   = prefix
-      @options  = options
+      @prefix = prefix
+      @options = options
       @signature = nil
 
-      # TODO: This option exists only in a pre-release version to allow testing the feature; remove it from the final release
-      if options[:skip_signature_reference_checking]
-        @signature = @document.at("#{prefix}/ds:Signature", NS_MAP)
-        @signature.remove if @signature # enveloped signatures only
-      else
-        id = @document.at("#{prefix}", NS_MAP)&.attribute('ID')
-        @signature = find_signature_for_element_id(id) if id
-      end
+      id = @document.at(prefix.to_s, NS_MAP)&.attribute("ID")
+      @signature = find_signature_for_element_id(id) if id
 
       @fingerprint = if options[:fingerprint]
         Fingerprint.from_string(options[:fingerprint])
@@ -45,30 +39,18 @@ module Samlr
       raise SignatureError.new("No signature at #{prefix}/ds:Signature") unless present?
 
       verify_fingerprint! unless options[:skip_fingerprint]
-      if options[:skip_signature_reference_checking]
-        verify_digests!
-        verify_signature!
-      else
-        verify_signature!  # <- Do this first while signature is still available
-        verify_digests!    # <- This can remove the signature
-      end
+      verify_signature!  # Do this first while signature is still available
+      verify_digests!    # This may remove enveloped signatures
 
       true
     end
 
     def references
       @references ||= [].tap do |refs|
-        if options[:skip_signature_reference_checking]
-          original.xpath("#{prefix}/ds:Signature/ds:SignedInfo/ds:Reference[@URI]", NS_MAP).each do |ref|
-            refs << Samlr::Reference.new(ref)
-          end
-        else
-          refs_xpath = @signature.xpath("./ds:SignedInfo/ds:Reference[@URI]", NS_MAP)
-          refs_xpath.each do |ref|
-            refs << Samlr::Reference.new(ref)
-          end
+        refs_xpath = @signature.xpath("./ds:SignedInfo/ds:Reference[@URI]", NS_MAP)
+        refs_xpath.each do |ref|
+          refs << Samlr::Reference.new(ref)
         end
-
       end
     end
 
@@ -85,58 +67,39 @@ module Samlr
 
     # Tests that the document content has not been edited
     def verify_digests!
-      if options[:skip_signature_reference_checking]
-        references.each do |reference|
-          node    = referenced_node(reference.uri)
-          canoned = node.canonicalize(C14N, reference.namespaces)
-          digest  = reference.digest_method.digest(canoned)
-
-          if digest != reference.decoded_digest_value
-            raise SignatureError.new("Reference validation error: Digest mismatch for #{reference.uri}")
-          end
-        end
-      else
-        # Check if we need to remove an enveloped signature
-        if @signature && !@signature_removed
-          signed_element = @document.at("#{prefix}", NS_MAP)
-          is_enveloped = signed_element&.xpath(".//ds:Signature", NS_MAP)&.include?(@signature)
-
-          # Remove enveloped signature for digest verification
-          if is_enveloped
-            @signature.remove
-            @signature_removed = true
-          end
+      # Check if we need to remove an enveloped signature
+      if @signature && !@signature_removed
+        signed_element = @document.at(prefix.to_s, NS_MAP)
+        is_enveloped = signed_element&.xpath(".//ds:Signature", NS_MAP)&.include?(@signature)
+
+        # Remove enveloped signature for digest verification
+        if is_enveloped
+          @signature.remove
+          @signature_removed = true
         end
+      end
 
-        references.each do |reference|
-          node    = referenced_node(reference.uri)
-          canoned = node.canonicalize(C14N, reference.namespaces)
-          digest  = reference.digest_method.digest(canoned)
+      references.each do |reference|
+        node = referenced_node(reference.uri)
+        canoned = node.canonicalize(C14N, reference.namespaces)
+        digest = reference.digest_method.digest(canoned)
 
-          if digest != reference.decoded_digest_value
-            raise SignatureError.new("Reference validation error: Digest mismatch for #{reference.uri}")
-          end
+        if digest != reference.decoded_digest_value
+          raise SignatureError.new("Reference validation error: Digest mismatch for #{reference.uri}")
         end
       end
     end
 
     # Tests correctness of the signature (and hence digests)
     def verify_signature!
-      if options[:skip_signature_reference_checking]
-        node = original.at("#{prefix}/ds:Signature/ds:SignedInfo", NS_MAP)
-        canoned = node.canonicalize(C14N)
-        unless x509.public_key.verify(signature_method.new, decoded_signature_value, canoned)
-          raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{canoned}")
-        end
-      else
-        # Cache the canonicalized SignedInfo to avoid DOM issues with multiple verifications
-        unless @canonicalized_signed_info
-          node = @signature.at("./ds:SignedInfo", NS_MAP)
-          @canonicalized_signed_info = node.canonicalize(C14N)
-        end
-        unless x509.public_key.verify(signature_method.new, decoded_signature_value, @canonicalized_signed_info)
-          raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{@canonicalized_signed_info}")
-        end
+      # Cache the canonicalized SignedInfo to avoid DOM issues with multiple verifications
+      unless @canonicalized_signed_info
+        node = @signature.at("./ds:SignedInfo", NS_MAP)
+        @canonicalized_signed_info = node.canonicalize(C14N)
+      end
+
+      unless x509.public_key.verify(signature_method.new, decoded_signature_value, @canonicalized_signed_info)
+        raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{@canonicalized_signed_info}")
       end
     end
 
@@ -164,14 +127,10 @@ module Samlr
     end
 
     def certificate
-      @certificate ||= begin
-        if node = certificate_node
-          Certificate.new(Base64.decode64(node.text))
-        elsif cert = options[:certificate]
-          Certificate.new(cert)
-        else
-          nil
-        end
+      @certificate ||= if (node = certificate_node)
+        Certificate.new(Base64.decode64(node.text))
+      elsif (cert = options[:certificate])
+        Certificate.new(cert)
       end
     end
 
@@ -186,9 +145,14 @@ module Samlr
     def find_signature_for_element_id(element_id)
       return nil unless element_id
 
-      return @document.at_xpath("//ds:Signature[ds:SignedInfo/ds:Reference[@URI='##{element_id}']]", NS_MAP)
-
+      # Prevent XPath injection by using parameterized XPath queries with variable bindings.
+      # Nokogiri's xpath() method supports passing variables separately from the query,
+      # which prevents injection attacks like "_x'or'1'='1" from breaking out of the predicate.
+      @document.at_xpath(
+        "//ds:Signature[ds:SignedInfo/ds:Reference[@URI=$uri]]",
+        NS_MAP,
+        {uri: "##{element_id}"}
+      )
     end
-
   end
 end

data/lib/samlr/tools/certificate_builder.rb

@@ -1,35 +1,34 @@
 module Samlr
   module Tools
-
     # Container for generating/referencing X509 and keys
     class CertificateBuilder
       attr_reader :key_size
 
       def initialize(options = {})
         @key_size = options.fetch(:key_size, 4096)
-        @x509     = options[:x509]
+        @x509 = options[:x509]
         @key_pair = options[:key_pair]
       end
 
       def x509
         @x509 ||= begin
           domain = "example.org"
-          name   = OpenSSL::X509::Name.new([
-            [ 'C', 'US', OpenSSL::ASN1::PRINTABLESTRING ],
-            [ 'O', domain, OpenSSL::ASN1::UTF8STRING ],
-            [ 'OU', 'Samlr ResponseBuilder', OpenSSL::ASN1::UTF8STRING ],
-            [ 'CN', 'CA' ]
-            ])
+          name = OpenSSL::X509::Name.new([
+            ["C", "US", OpenSSL::ASN1::PRINTABLESTRING],
+            ["O", domain, OpenSSL::ASN1::UTF8STRING],
+            ["OU", "Samlr ResponseBuilder", OpenSSL::ASN1::UTF8STRING],
+            ["CN", "CA"]
+          ])
 
           certificate = OpenSSL::X509::Certificate.new
-          certificate.subject    = name
-          certificate.issuer     = name
+          certificate.subject = name
+          certificate.issuer = name
           certificate.not_before = (Time.now - 5)
-          certificate.not_after  = (Time.now + 60 * 60 * 24 * 365 * 20)
+          certificate.not_after = (Time.now + 60 * 60 * 24 * 365 * 20)
           certificate.public_key = key_pair.public_key
-          certificate.serial     = 1
-          certificate.version    = 2
-          certificate.sign(key_pair, OpenSSL::Digest::SHA1.new)
+          certificate.serial = 1
+          certificate.version = 2
+          certificate.sign(key_pair, OpenSSL::Digest.new("SHA1"))
 
           certificate
         end
@@ -47,11 +46,11 @@ module Samlr
       end
 
       def sign(string)
-        Base64.encode64(key_pair.sign(OpenSSL::Digest::SHA1.new, string)).delete("\n")
+        Base64.encode64(key_pair.sign(OpenSSL::Digest.new("SHA1"), string)).delete("\n")
       end
 
       def verify(signature, string)
-        key_pair.public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(signature), string)
+        key_pair.public_key.verify(OpenSSL::Digest.new("SHA1"), Base64.decode64(signature), string)
       end
 
       def to_certificate
@@ -59,15 +58,15 @@ module Samlr
       end
 
       def self.dump(path, certificate, id = "samlr")
-        File.open(File.join(path, "#{id}_private_key.pem"), "w") { |f| f.write(certificate.key_pair.to_pem) }
-        File.open(File.join(path, "#{id}_certificate.pem"), "w") { |f| f.write(certificate.x509.to_pem) }
+        File.write(File.join(path, "#{id}_private_key.pem"), certificate.key_pair.to_pem)
+        File.write(File.join(path, "#{id}_certificate.pem"), certificate.x509.to_pem)
       end
 
       def self.load(path, id = "samlr")
-        key_pair  = OpenSSL::PKey::RSA.new(File.read(File.join(path, "#{id}_private_key.pem")))
+        key_pair = OpenSSL::PKey::RSA.new(File.read(File.join(path, "#{id}_private_key.pem")))
         x509_cert = OpenSSL::X509::Certificate.new(File.read(File.join(path, "#{id}_certificate.pem")))
 
-        new(:key_pair => key_pair, :x509 => x509_cert)
+        new(key_pair: key_pair, x509: x509_cert)
       end
     end
   end

data/lib/samlr/tools/logout_request_builder.rb

@@ -7,7 +7,7 @@ module Samlr
       def self.build(options = {})
         # Mandatory
         name_id = options.fetch(:name_id)
-        issuer  = options.fetch(:issuer)
+        issuer = options.fetch(:issuer)
 
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.LogoutRequest("xmlns:samlp" => NS_MAP["samlp"], "xmlns:saml" => NS_MAP["saml"], "ID" => Samlr::Tools.uuid, "IssueInstant" => Samlr::Tools::Timestamp.stamp, "Version" => "2.0") do
@@ -21,10 +21,10 @@ module Samlr
       end
 
       def self.logout_options(options)
-        name_id_options  = options[:name_id_options] || {}
-        options = { "Format" => format_option(options) }
-        options.merge!("NameQualifier" => name_id_options[:name_qualifier]) if name_id_options[:name_qualifier]
-        options.merge!("SPNameQualifier" => name_id_options[:spname_qualifier]) if name_id_options[:spname_qualifier]
+        name_id_options = options[:name_id_options] || {}
+        options = {"Format" => format_option(options)}
+        options["NameQualifier"] = name_id_options[:name_qualifier] if name_id_options[:name_qualifier]
+        options["SPNameQualifier"] = name_id_options[:spname_qualifier] if name_id_options[:spname_qualifier]
         options
       end
 

data/lib/samlr/tools/logout_response_builder.rb

@@ -25,7 +25,7 @@ module Samlr
           "Version" => "2.0"
         }
         result["InResponseTo"] = options[:in_response_to] if options[:in_response_to]
-        result["Destination"] = options[:destination]     if options[:destination]
+        result["Destination"] = options[:destination] if options[:destination]
         result
       end
     end

data/lib/samlr/tools/metadata_builder.rb

@@ -1,6 +1,5 @@
 module Samlr
   module Tools
-
     # Builds you some SP metadata. Accepts a hash with the below keys. No support for arrays
     # of name id formats or asserion consumer services, build it if you need it.
     #
@@ -8,16 +7,15 @@ module Samlr
     #  :name_identity_format => Samlr::EMAIL_FORMAT,
     #  :consumer_service_url => "https://sp.example.org/saml"
     class MetadataBuilder
-
       def self.build(options = {})
-        name_identity_format     = options[:name_identity_format]
-        consumer_service_url     = options[:consumer_service_url]
+        name_identity_format = options[:name_identity_format]
+        consumer_service_url = options[:consumer_service_url]
         consumer_service_binding = options[:consumer_service_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-        metadata_id              = options[:metadata_id] || Samlr::Tools.uuid
-        sign_metadata            = options[:sign_metadata] || false
+        metadata_id = options[:metadata_id] || Samlr::Tools.uuid
+        sign_metadata = options[:sign_metadata] || false
 
         # Mandatory
-        entity_id                = options.fetch(:entity_id)
+        entity_id = options.fetch(:entity_id)
 
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.EntityDescriptor("xmlns:md" => NS_MAP["md"], "ID" => metadata_id, "entityID" => entity_id) do

data/lib/samlr/tools/request_builder.rb

@@ -2,15 +2,14 @@ require "nokogiri"
 
 module Samlr
   module Tools
-
     # Use this for building the SAML auth request XML
     module RequestBuilder
       def self.build(options = {})
         consumer_service_url = options[:consumer_service_url]
-        issuer               = options[:issuer]
+        issuer = options[:issuer]
         name_identity_format = options[:name_identity_format]
-        allow_create         = options[:allow_create] || "true"
-        authn_context        = options[:authn_context]
+        allow_create = options[:allow_create] || "true"
+        authn_context = options[:authn_context]
 
         builder = Nokogiri::XML::Builder.new do |xml|
           xml.AuthnRequest("xmlns:samlp" => NS_MAP["samlp"], "xmlns:saml" => NS_MAP["saml"], "ID" => Samlr::Tools.uuid, "IssueInstant" => Samlr::Tools::Timestamp.stamp, "Version" => "2.0") do
@@ -38,7 +37,6 @@ module Samlr
 
         builder.to_xml(COMPACT)
       end
-
     end
   end
 end

data/lib/samlr/tools/response_builder.rb

@@ -4,41 +4,39 @@ require "uuidtools"
 
 module Samlr
   module Tools
-
     # Use this for building test data, not ready to use for production data
     module ResponseBuilder
-
       def self.build(options = {})
-        issue_instant     = options[:issue_instant]  || Samlr::Tools::Timestamp.stamp
-        response_id       = options[:response_id]    || Samlr::Tools.uuid
-        assertion_id      = options[:assertion_id]   || Samlr::Tools.uuid
-        status_code       = options[:status_code]    || "urn:oasis:names:tc:SAML:2.0:status:Success"
-        name_id_format    = options[:name_id_format] || EMAIL_FORMAT
-        subject_conf_m    = options[:subject_conf_m] || "urn:oasis:names:tc:SAML:2.0:cm:bearer"
-        version           = options[:version]        || "2.0"
-        auth_context      = options[:auth_context]   || "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
-        issuer            = options[:issuer]         || "ResponseBuilder IdP"
-        attributes        = options[:attributes]     || {}
-        name_id           = options[:name_id]
-        name_qualifier    = options[:name_qualifier]
+        issue_instant = options[:issue_instant] || Samlr::Tools::Timestamp.stamp
+        response_id = options[:response_id] || Samlr::Tools.uuid
+        assertion_id = options[:assertion_id] || Samlr::Tools.uuid
+        status_code = options[:status_code] || "urn:oasis:names:tc:SAML:2.0:status:Success"
+        name_id_format = options[:name_id_format] || EMAIL_FORMAT
+        subject_conf_m = options[:subject_conf_m] || "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        version = options[:version] || "2.0"
+        auth_context = options[:auth_context] || "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+        issuer = options[:issuer] || "ResponseBuilder IdP"
+        attributes = options[:attributes] || {}
+        name_id = options[:name_id]
+        name_qualifier = options[:name_qualifier]
         sp_name_qualifier = options[:sp_name_qualifier]
 
         # Mandatory for responses
-        destination     = options.fetch(:destination)
-        in_response_to  = options.fetch(:in_response_to)
+        destination = options.fetch(:destination)
+        in_response_to = options.fetch(:in_response_to)
         not_on_or_after = options.fetch(:not_on_or_after)
-        not_before      = options.fetch(:not_before)
-        audience        = options.fetch(:audience)
+        not_before = options.fetch(:not_before)
+        audience = options.fetch(:audience)
 
         # Signature settings
-        sign_assertion  = [ true, false ].member?(options[:sign_assertion]) ? options[:sign_assertion] : true
-        sign_response   = [ true, false ].member?(options[:sign_response]) ? options[:sign_response] : true
+        sign_assertion = [true, false].member?(options[:sign_assertion]) ? options[:sign_assertion] : true
+        sign_response = [true, false].member?(options[:sign_response]) ? options[:sign_response] : true
 
         # Fixture controls
-        skip_assertion  = options[:skip_assertion]
+        skip_assertion = options[:skip_assertion]
         skip_conditions = options[:skip_conditions]
 
-        builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
+        builder = Nokogiri::XML::Builder.new(encoding: "UTF-8") do |xml|
           xml.Response("xmlns:samlp" => NS_MAP["samlp"], "ID" => response_id, "InResponseTo" => in_response_to, "Version" => version, "IssueInstant" => issue_instant, "Destination" => destination) do
             xml.doc.root.add_namespace_definition("saml", NS_MAP["saml"])
             xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "samlp" }
@@ -51,9 +49,9 @@ module Samlr
                 xml["saml"].Issuer(issuer)
 
                 xml["saml"].Subject do
-                  name_id_options = { "Format" => name_id_format}
-                  name_id_options.merge!("NameQualifier" => name_qualifier) unless name_qualifier.nil?
-                  name_id_options.merge!("SPNameQualifier" => sp_name_qualifier) unless sp_name_qualifier.nil?
+                  name_id_options = {"Format" => name_id_format}
+                  name_id_options["NameQualifier"] = name_qualifier unless name_qualifier.nil?
+                  name_id_options["SPNameQualifier"] = sp_name_qualifier unless sp_name_qualifier.nil?
 
                   xml["saml"].NameID(name_id, name_id_options) unless name_id.nil?
 
@@ -99,30 +97,32 @@ module Samlr
 
         # The core response is ready, not on to signing
         response = builder.doc
-        assertion_options = options.merge(:skip_keyinfo => options[:skip_assertion_keyinfo])
+        assertion_options = options.merge(skip_keyinfo: options[:skip_assertion_keyinfo])
         response = sign(response, assertion_id, assertion_options) if sign_assertion
 
-        response_options = options.merge(:skip_keyinfo => options[:skip_response_keyinfo])
-        response = sign(response, response_id, response_options)  if sign_response
+        response_options = options.merge(skip_keyinfo: options[:skip_response_keyinfo])
+        response = sign(response, response_id, response_options) if sign_response
 
         response.to_xml(COMPACT)
       end
 
       def self.sign(document, element_id, options)
-        certificate  = options[:certificate] || Samlr::Tools::CertificateBuilder.new
-        element      = document.at("//*[@ID='#{element_id}']")
-        digest       = digest(document, element, options)
-        canoned      = digest.at("./ds:SignedInfo", NS_MAP).canonicalize(C14N)
-        signature    = certificate.sign(canoned)
+        certificate = options[:certificate] || Samlr::Tools::CertificateBuilder.new
+        element = document.at("//*[@ID='#{element_id}']")
+        digest = digest(document, element, options)
+        canoned = digest.at("./ds:SignedInfo", NS_MAP).canonicalize(C14N)
+        signature = certificate.sign(canoned)
         skip_keyinfo = options[:skip_keyinfo]
 
         Nokogiri::XML::Builder.with(digest) do |xml|
           xml.SignatureValue(signature)
-          xml.KeyInfo do
-            xml.X509Data do
-              xml.X509Certificate(certificate.x509_as_pem)
+          unless skip_keyinfo
+            xml.KeyInfo do
+              xml.X509Data do
+                xml.X509Certificate(certificate.x509_as_pem)
+              end
             end
-          end unless skip_keyinfo
+          end
         end
         # digest.root.last_element_child.after "<SignatureValue>#{signature}</SignatureValue>"
         if element.at("./saml:Issuer", NS_MAP)
@@ -135,23 +135,22 @@ module Samlr
       end
 
       def self.digest(document, element, options)
-        c14n_method   = options[:c14n_method]   || "http://www.w3.org/2001/10/xml-exc-c14n#"
-        sign_method   = options[:sign_method]   || "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        c14n_method = options[:c14n_method] || "http://www.w3.org/2001/10/xml-exc-c14n#"
+        sign_method = options[:sign_method] || "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
         digest_method = options[:digest_method] || "http://www.w3.org/2000/09/xmldsig#sha1"
         env_signature = options[:env_signature] || "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-        namespaces    = options[:namespaces]    || [ "#default", "samlp", "saml", "ds", "xs", "xsi" ]
+        namespaces = options[:namespaces] || ["#default", "samlp", "saml", "ds", "xs", "xsi"]
 
-        canoned       = element.canonicalize(C14N, namespaces)
-        digest_value  = Base64.encode64(OpenSSL::Digest::SHA1.new.digest(canoned)).delete("\n")
+        canoned = element.canonicalize(C14N, namespaces)
+        digest_value = Base64.encode64(OpenSSL::Digest.new("SHA1").digest(canoned)).delete("\n")
 
-        builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
+        builder = Nokogiri::XML::Builder.new(encoding: "UTF-8") do |xml|
           xml.Signature("xmlns" => NS_MAP["ds"]) do
-
             xml.SignedInfo do
               xml.CanonicalizationMethod("Algorithm" => c14n_method)
               xml.SignatureMethod("Algorithm" => sign_method)
 
-              xml.Reference("URI" => "##{element['ID']}") do
+              xml.Reference("URI" => "##{element["ID"]}") do
                 xml.Transforms do
                   xml.Transform("Algorithm" => env_signature)
                   xml.Transform("Algorithm" => c14n_method) do
@@ -167,7 +166,6 @@ module Samlr
 
         builder.doc.root
       end
-
     end
   end
 end

data/lib/samlr/tools/timestamp.rb

@@ -1,7 +1,6 @@
 module Samlr
   module Tools
     module Timestamp
-
       # Generate a current timestamp in ISO8601 format
       def self.stamp(time = Time.now)
         time.utc.iso8601
@@ -20,7 +19,6 @@ module Samlr
       def self.not_before?(time)
         Time.now.to_i >= (time.to_i - Samlr.jitter.to_i)
       end
-
     end
   end
 end

data/lib/samlr/tools.rb

@@ -15,10 +15,10 @@ require "samlr/tools/logout_response_builder"
 module Samlr
   module Tools
     SHA_MAP = {
-      1    => OpenSSL::Digest::SHA1,
-      256  => OpenSSL::Digest::SHA256,
-      384  => OpenSSL::Digest::SHA384,
-      512  => OpenSSL::Digest::SHA512
+      1 => OpenSSL::Digest::SHA1,
+      256 => OpenSSL::Digest::SHA256,
+      384 => OpenSSL::Digest::SHA384,
+      512 => OpenSSL::Digest::SHA512
     }
 
     # Convert algorithm attribute value to Ruby implementation
@@ -32,13 +32,13 @@ module Samlr
 
     # Accepts a document and optionally :path => xpath, :c14n_mode => c14n_mode
     def self.canonicalize(xml, options = {})
-      options  = { :c14n_mode => C14N }.merge(options)
+      options = {c14n_mode: C14N}.merge(options)
       document = Nokogiri::XML(xml) { |c| c.strict.noblanks }
 
-      if path = options[:path]
-        node = document.at(path, NS_MAP)
+      node = if (path = options[:path])
+        document.at(path, NS_MAP)
       else
-        node = document
+        document
       end
 
       node.canonicalize(options[:c14n_mode], options[:namespaces])
@@ -52,17 +52,16 @@ module Samlr
     # Deflates, Base64 encodes and CGI escapes a string
     def self.encode(string)
       deflated = Zlib::Deflate.deflate(string, 9)[2..-5]
-      encoded  = Base64.encode64(deflated)
-      escaped  = CGI.escape(encoded)
-      escaped
+      encoded = Base64.encode64(deflated)
+      CGI.escape(encoded)
     end
 
     # CGI unescapes, Base64 decodes and inflates a string
     def self.decode(string)
       unescaped = CGI.unescape(string)
-      decoded   = Base64.decode64(unescaped)
-      inflater  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      inflated  = inflater.inflate(decoded)
+      decoded = Base64.decode64(unescaped)
+      inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated = inflater.inflate(decoded)
 
       inflater.finish
       inflater.close
@@ -71,29 +70,29 @@ module Samlr
     end
 
     def self.validate!(options = {})
-      validate(options.merge(:bang => true))
+      validate(options.merge(bang: true))
     end
 
     # Validate a SAML request or response against an XSD. Supply either :path or :document in the options and
     # a :schema (defaults to SAML validation)
     def self.validate(options = {})
       document = options[:document] || File.read(options[:path])
-      schema   = options.fetch(:schema, SAML_SCHEMA)
-      bang     = options.fetch(:bang, false)
+      schema = options.fetch(:schema, SAML_SCHEMA)
+      bang = options.fetch(:bang, false)
 
-      if document.is_a?(Nokogiri::XML::Document)
-        xml = document
+      xml = if document.is_a?(Nokogiri::XML::Document)
+        document
       else
-        xml = Nokogiri::XML(document) { |c| c.strict }
+        Nokogiri::XML(document) { |c| c.strict }
       end
 
       # All bundled schemas are using relative schemaLocation. This means we'll have to
       # change working directory to find them during validation.
       Dir.chdir(Samlr.schema_location) do
-        if schema.is_a?(Nokogiri::XML::Schema)
-          xsd = schema
+        xsd = if schema.is_a?(Nokogiri::XML::Schema)
+          schema
         else
-          xsd = Nokogiri::XML::Schema(File.read(schema))
+          Nokogiri::XML::Schema(File.read(schema))
         end
 
         result = xsd.validate(xml)
@@ -113,7 +112,7 @@ module Samlr
     def self.parse(data, compressed: false)
       return unless data
       decoded = Base64.decode64(data)
-      decoded = self.inflate(decoded) if compressed
+      decoded = inflate(decoded) if compressed
       return unless decoded
       begin
         doc = Nokogiri::XML(decoded) { |config| config.strict }
@@ -126,7 +125,7 @@ module Samlr
       end
 
       begin
-        Samlr::Tools.validate!(:document => doc)
+        Samlr::Tools.validate!(document: doc)
       rescue Samlr::SamlrError => e
         Samlr.logger.warn("Accepting non schema conforming response: #{e.message}, #{e.details}")
         raise e unless Samlr.validation_mode == :log
@@ -135,7 +134,7 @@ module Samlr
     end
 
     def self.inflate(data)
-      inflater  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
       decoded = inflater.inflate(data)
       inflater.finish
       inflater.close

data/lib/samlr/version.rb

@@ -1,3 +1,3 @@
 module Samlr
-  VERSION = "2.7.1.pre.3"
+  VERSION = "2.7.2.pre.1"
 end

data/lib/samlr.rb

@@ -2,22 +2,22 @@ require "nokogiri"
 require "logger"
 
 module Samlr
-  C14N    = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
-  COMPACT = { :indent => 0, :save_with => Nokogiri::XML::Node::SaveOptions::AS_XML }
+  C14N = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+  COMPACT = {indent: 0, save_with: Nokogiri::XML::Node::SaveOptions::AS_XML}
 
-  NS_MAP  = {
-    "c14n"  => "http://www.w3.org/2001/10/xml-exc-c14n#",
-    "ds"    => "http://www.w3.org/2000/09/xmldsig#",
-    "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
+  NS_MAP = {
+    "c14n" => "http://www.w3.org/2001/10/xml-exc-c14n#",
+    "ds" => "http://www.w3.org/2000/09/xmldsig#",
+    "saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
     "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-    "md"    => "urn:oasis:names:tc:SAML:2.0:metadata",
-    "xsi"   => "http://www.w3.org/2001/XMLSchema-instance",
-    "xs"    => "http://www.w3.org/2001/XMLSchema"
+    "md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+    "xsi" => "http://www.w3.org/2001/XMLSchema-instance",
+    "xs" => "http://www.w3.org/2001/XMLSchema"
   }
 
   EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-  SAML_SCHEMA  = "saml-schema-protocol-2.0.xsd"
-  META_SCHEMA  = "saml-schema-metadata-2.0.xsd"
+  SAML_SCHEMA = "saml-schema-protocol-2.0.xsd"
+  META_SCHEMA = "saml-schema-metadata-2.0.xsd"
 
   class << self
     attr_accessor :schema_location
@@ -28,9 +28,9 @@ module Samlr
 
   self.schema_location = File.join(File.dirname(__FILE__), "..", "config", "schemas")
   self.validation_mode = :reject
-  self.jitter          = 0
-  self.logger          = Logger.new(STDERR)
-  self.logger.level    = Logger::UNKNOWN
+  self.jitter = 0
+  self.logger = Logger.new($stderr)
+  logger.level = Logger::UNKNOWN
 end
 
 unless Object.new.respond_to?(:try)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: samlr
 version: !ruby/object:Gem::Version
-  version: 2.7.1.pre.3
+  version: 2.7.2.pre.1
 platform: ruby
 authors:
 - Morten Primdahl
@@ -9,34 +9,6 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: nokogiri
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.5
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.5.5
-- !ruby/object:Gem::Dependency
-  name: uuidtools
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.3
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.3
 - !ruby/object:Gem::Dependency
   name: base64
   requirement: !ruby/object:Gem::Requirement
@@ -52,7 +24,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: logger
+  name: cgi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -66,27 +38,13 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: bundler
+  name: logger
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  type: :development
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -94,47 +52,33 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bump
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 1.5.5
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.0'
+        version: 1.5.5
 - !ruby/object:Gem::Dependency
-  name: minitest-mock
+  name: uuidtools
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 2.1.3
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.1.3
 description: Helps you implement a SAML SP
 email: primdahl@me.com
 executables:
@@ -187,7 +131,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="