merge v0.9.2

Author: dnroot

.travis.yml

@@ -4,4 +4,14 @@ rvm:
   - 1.9.3
   - 2.0.0
   - 2.1.5
+  - 2.2.0
   - ree
+gemfile:
+  - Gemfile
+  - gemfiles/nokogiri-1.5.gemfile
+matrix:
+  exclude:
+    - rvm: 1.8.7
+      gemfile: Gemfile
+    - rvm: ree
+      gemfile: Gemfile

Gemfile

@@ -1,6 +1,6 @@
 #
 # Please keep this file alphabetized and organized
 #
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
 gemspec

README.md

@@ -18,7 +18,7 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 1.8.7
 * 1.9.x
 * 2.1.x
-* 2.2 (not yet officially supported)
+* 2.2.0
 
 ## Adding Features, Pull Requests
 * Fork the repository
@@ -41,7 +41,7 @@ gem 'ruby-saml', '~> 0.9.1'
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'
 ```
 
-Using Bundler
+Using RubyGems
 
 ```sh
 gem install ruby-saml
@@ -58,6 +58,22 @@ or just the required components individually:
 require 'onelogin/ruby-saml/authrequest'
 ```
 
+### Installation on Ruby 1.8.7
+
+This gem has a dependency on Nokogiri, which dropped support for Ruby 1.8.x in Nokogiri 1.6. When installing this gem on Ruby 1.8.7, you will need to make sure a version of Nokogiri prior to 1.6 is installed or specified if it hasn't been already.
+
+Using `Gemfile`
+
+```ruby
+gem 'nokogiri', '~> 1.5.10'
+```
+
+Using RubyGems
+
+```sh
+gem install nokogiri --version '~> 1.5.10'
+````
+
 ## The Initialization Phase
 
 This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
@@ -100,6 +116,7 @@ def saml_settings
   settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+  settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
   # Optional for most SAML IdPs
@@ -192,7 +209,7 @@ The following attributes are set:
   * idp_slo_target_url
   * id_cert_fingerpint
 
-If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
+If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
 `single_value_compatibility` (when activate, only one value returned, the first one)
 
 ```ruby
@@ -320,16 +337,23 @@ In order to be able to sign we need first to define the private key and the publ
 The settings related to sign are stored in the `security` attribute of the settings:
 
 ```ruby
-  settings.security[:authn_requests_signed]  = true     # Enable or not signature on AuthNRequest
-  settings.security[:logout_requests_signed] = true     # Enable or not signature on Logout Request
+  settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
+  settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
   settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1
-  settings.security[:signature_method] = XMLSecurity::Document::SHA1
+  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 
-  settings.security[:embed_sign]        = false                # Embeded signature or HTTP GET parameter Signature
+  # Embeded signature or HTTP GET parameter signature
+  # Note that metadata signature is always embedded regardless of this value.
+  settings.security[:embed_sign] = false
 ```
 
+Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding,
+remember to provide it to the Signature builder if you are sending a GET RelayState parameter or
+Signature validation process will fail at the Identity Provider.
+
 
 ## Single Log Out
 

changelog.md

@@ -1,4 +1,22 @@
 # RubySaml Changelog
+### 0.9.2 (Apr 28, 2015)
+* [#216](https://github.com/onelogin/ruby-saml/pull/216) Add fingerprint algorithm support
+* [#218](https://github.com/onelogin/ruby-saml/pull/218) Update README.md
+* [#214](https://github.com/onelogin/ruby-saml/pull/214) Cleanup `SamlMessage` class
+* [#213](https://github.com/onelogin/ruby-saml/pull/213) Add ability to sign metadata. (Improved)
+* [#212](https://github.com/onelogin/ruby-saml/pull/212) Rename library entry point
+* [#210](https://github.com/onelogin/ruby-saml/pull/210) Call assert in tests
+* [#208](https://github.com/onelogin/ruby-saml/pull/208) Update tests and CI for Ruby 2.2.0
+* [#205](https://github.com/onelogin/ruby-saml/pull/205) Allow requirement of single files
+* [#204](https://github.com/onelogin/ruby-saml/pull/204) Require ‘net/http’ library
+* [#201](https://github.com/onelogin/ruby-saml/pull/201) Freeze and duplicate default security settings hash so that it doesn't get modified.
+* [#200](https://github.com/onelogin/ruby-saml/pull/200) Set default SSL certificate store in Ruby 1.8.
+* [#199](https://github.com/onelogin/ruby-saml/pull/199) Change Nokogiri's runtime dependency to fix support for Ruby 1.8.7.
+* [#179](https://github.com/onelogin/ruby-saml/pull/179) Add support for setting the entity ID and name ID format when parsing metadata
+* [#175](https://github.com/onelogin/ruby-saml/pull/175) Introduce thread safety to SAML schema validation
+* [#171](https://github.com/onelogin/ruby-saml/pull/171) Fix inconsistent results with using regex matches in decode_raw_saml
+* 
+
 ### 0.9.1 (Feb 10, 2015)
 * [#194](https://github.com/onelogin/ruby-saml/pull/194) Relax nokogiri gem requirements
 * [#191](https://github.com/onelogin/ruby-saml/pull/191) Use Minitest instead of Test::Unit

gemfiles/nokogiri-1.5.gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem "nokogiri", "~> 1.5.10"
+
+gemspec :path => "../"

lib/onelogin/ruby-saml.rb

@@ -0,0 +1,16 @@
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/saml_message'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/logoutrequest'
+require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/slo_logoutrequest'
+require 'onelogin/ruby-saml/slo_logoutresponse'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/attribute_service'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/idp_metadata_parser'
+require 'onelogin/ruby-saml/utils'
+require 'onelogin/ruby-saml/version'

lib/onelogin/ruby-saml/authrequest.rb

@@ -1,6 +1,8 @@
 require "uuid"
+require "rexml/document"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
 
 module OneLogin
   module RubySaml
@@ -25,7 +27,10 @@ def create(settings, params = {})
       end
 
       def create_params(settings, params={})
-        params = {} if params.nil?
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -40,10 +45,10 @@ def create_params(settings, params={})
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = XMLSecurity::Document::SHA1
+          params['SigAlg']    = settings.security[:signature_method]
           url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
-          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
-          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
           private_key         = settings.get_sp_key()
           signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
           params['Signature'] = encode(signature)
@@ -123,7 +128,7 @@ def create_authentication_xml_doc(settings)
           end
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -2,6 +2,8 @@
 require "uuid"
 require "zlib"
 require "cgi"
+require "net/http"
+require "net/https"
 require "rexml/document"
 require "rexml/xpath"
 
@@ -25,7 +27,8 @@ def parse(idp_metadata)
         @document = REXML::Document.new(idp_metadata)
 
         OneLogin::RubySaml::Settings.new.tap do |settings|
-
+          settings.idp_entity_id = idp_entity_id
+          settings.name_identifier_format = idp_name_id_format
           settings.idp_sso_target_url = single_signon_service_url
           settings.idp_slo_target_url = single_logout_service_url
           settings.idp_cert_fingerprint = fingerprint
@@ -47,6 +50,12 @@ def get_idp_metadata(url, validate_cert)
           # Most IdPs will probably use self signed certs
           if validate_cert
             http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+            # Net::HTTP in Ruby 1.8 did not set the default certificate store
+            # automatically when VERIFY_PEER was specified.
+            if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
+              http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+            end
           else
             http.verify_mode = OpenSSL::SSL::VERIFY_NONE
           end
@@ -57,6 +66,16 @@ def get_idp_metadata(url, validate_cert)
         meta_text
       end
 
+      def idp_entity_id
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/@entityID", { "md" => METADATA })
+        node.value if node
+      end
+
+      def idp_name_id_format
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat", { "md" => METADATA })
+        node.text if node
+      end
+
       def single_signon_service_url
         node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
         node.value if node

lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,6 +1,7 @@
 require "uuid"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
 
 module OneLogin
   module RubySaml
@@ -24,7 +25,10 @@ def create(settings, params={})
       end
 
       def create_params(settings, params={})
-        params = {} if params.nil?
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
 
         request_doc = create_logout_request_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -39,10 +43,10 @@ def create_params(settings, params={})
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = XMLSecurity::Document::SHA1
+          params['SigAlg']    = settings.security[:signature_method]
           url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
-          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
-          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
           private_key         = settings.get_sp_key()
           signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
           params['Signature'] = encode(signature)
@@ -88,7 +92,7 @@ def create_logout_request_xml_doc(settings)
           sessionindex.text = settings.sessionindex
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -1,4 +1,6 @@
 require "xml_security"
+require "onelogin/ruby-saml/saml_message"
+
 require "time"
 
 module OneLogin