zipnosis
diff --git a/‎README.md‎
Lines changed: 21 additions & 8 deletions b/‎README.md‎
Lines changed: 21 additions & 8 deletions
diff --git a/‎changelog.md‎
Lines changed: 29 additions & 1 deletion b/‎changelog.md‎
Lines changed: 29 additions & 1 deletion
diff --git a/‎lib/onelogin/ruby-saml/authrequest.rb‎
Lines changed: 2 additions & 2 deletions b/‎lib/onelogin/ruby-saml/authrequest.rb‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/onelogin/ruby-saml/error_handling.rb‎
Lines changed: 27 additions & 0 deletions b/‎lib/onelogin/ruby-saml/error_handling.rb‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎lib/onelogin/ruby-saml/idp_metadata_parser.rb‎
Lines changed: 96 additions & 22 deletions b/‎lib/onelogin/ruby-saml/idp_metadata_parser.rb‎
Lines changed: 96 additions & 22 deletions
diff --git a/‎lib/onelogin/ruby-saml/logoutrequest.rb‎
Lines changed: 3 additions & 4 deletions b/‎lib/onelogin/ruby-saml/logoutrequest.rb‎
Lines changed: 3 additions & 4 deletions
@@ -1,12 +1,21 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.2.x to 1.3.X
 
-## Updating from 1.0.x to 1.1.X
+Version `1.3.0` is a recommended update for all Ruby SAML users as it includes security fixes. It  adds security improvements in order to prevent Signature wrapping attacks. [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
 
-Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+## Updating from 1.1.x to 1.2.X
+
+Version `1.2` adds IDP metadata parsing improvements, uuid deprecation in favour of SecureRandom, refactor error handling and some minor improvements
+
+There is no compatibility issue detected.
 
 For more details, please review [the changelog](changelog.md).
 
+## Updating from 1.0.x to 1.1.X
+
+Version `1.1` adds some improvements on signature validation and solves some namespace conflicts.
+
 ## Updating from 0.9.x to 1.0.X
 
 Version `1.0` is a recommended update for all Ruby SAML users as it includes security fixes.
@@ -33,6 +42,7 @@ We created a demo project for Rails4 that uses the latest version of this librar
 ### Supported versions of Ruby
 * 1.8.7
 * 1.9.x
+* 2.0.x
 * 2.1.x
 * 2.2.x
 * JRuby 1.7.19
@@ -102,7 +112,7 @@ To override the default behavior and control the destination of log messages, pr
 a ruby Logger object to the gem's logging singleton:
 
 ```ruby
-OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w')
+OneLogin::RubySaml::Logging.logger = Logger.new(File.open('/var/log/ruby-saml.log', 'w'))
 ```
 
 ## The Initialization Phase
@@ -252,9 +262,9 @@ def saml_settings
 end
 ```
 The following attributes are set:
-  * id_sso_target_url
+  * idp_sso_target_url
   * idp_slo_target_url
-  * id_cert_fingerpint
+  * idp_cert_fingerprint
 
 If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
 `single_value_compatibility` (when activate, only one value returned, the first one)
@@ -386,7 +396,10 @@ The settings related to sign are stored in the `security` attribute of the setti
 ```ruby
   settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
   settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
-  settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:logout_responses_signed] = true     # Enable or not 
+  signature on Logout Response
+  settings.security[:want_assertions_signed]  = true     # Enable or not 
+  the requirement of signed assertion
   settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1
@@ -466,8 +479,8 @@ and this method process the SAML Logout Response sent by the IdP as reply of the
 def process_logout_response
   settings = Account.get_saml_settings
 
-  if session.has_key? :transation_id
-    logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transation_id])
+  if session.has_key? :transaction_id
+    logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transaction_id])
   else
     logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
   end
 
@@ -1,10 +1,38 @@
 # RubySaml Changelog
 
+### 1.3.0 (June 24, 2016)
+* [Security Fix](https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
+* Fix XMLSecurity SHA256 and SHA512 uris
+* [#326](https://github.com/onelogin/ruby-saml/pull/326) Fix Destination validation
+
+### 1.2.0 (April 29, 2016)
+* [#269](https://github.com/onelogin/ruby-saml/pull/269) Refactor error handling; allow collect error messages when soft=true (normal validation stop after find first error)
+* [#289](https://github.com/onelogin/ruby-saml/pull/289) Remove uuid gem in favor of SecureRandom
+* [#297](https://github.com/onelogin/ruby-saml/pull/297) Implement EncryptedKey RetrievalMethod support
+* [#298](https://github.com/onelogin/ruby-saml/pull/298) IDP metadata parsing improved: binding parsing, fingerprint_algorithm support)
+* [#299](https://github.com/onelogin/ruby-saml/pull/299) Make 'signing' at KeyDescriptor optional
+* [#308](https://github.com/onelogin/ruby-saml/pull/308) Support name_id_format on SAMLResponse
+* [#315](https://github.com/onelogin/ruby-saml/pull/315) Support for canonicalization with comments
+* [#316](https://github.com/onelogin/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
+* [#321](https://github.com/onelogin/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
+* Changes on empty URI of Signature reference management
+* [#320](https://github.com/onelogin/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI 
+* [#306](https://github.com/onelogin/ruby-saml/pull/306) Support WantAssertionsSigned
+
+### 1.1.2 (February 15, 2016)
+* Improve signature validation. Add tests.
+ [#302](https://github.com/onelogin/ruby-saml/pull/302) Add Destination validation.
+* [#292](https://github.com/onelogin/ruby-saml/pull/292) Improve the error message when validating the audience.
+* [#287](https://github.com/onelogin/ruby-saml/pull/287) Keep the extracted certificate when parsing IdP metadata.
+
+### 1.1.1 (November 10, 2015)
+* [#275](https://github.com/onelogin/ruby-saml/pull/275) Fix a bug on signature validations that invalidates valid SAML messages.
+
 ### 1.1.0 (October 27, 2015)
 * [#273](https://github.com/onelogin/ruby-saml/pull/273) Support SAMLResponse without ds:x509certificate
 * [#270](https://github.com/onelogin/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
 * [#261](https://github.com/onelogin/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
-* [258](https://github.com/onelogin/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
+* [#258](https://github.com/onelogin/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
 * [#256](https://github.com/onelogin/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods. 
 * [#255](https://github.com/onelogin/ruby-saml/pull/255) Refactor validate signature.
 * [#254](https://github.com/onelogin/ruby-saml/pull/254) Handle empty URI references 
 
@@ -1,8 +1,8 @@
-require "uuid"
 require "rexml/document"
 
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -20,7 +20,7 @@ class Authrequest < SamlMessage
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the AuthNRequest string.
 
@@ -0,0 +1,27 @@
+require "onelogin/ruby-saml/validation_error"
+
+module OneLogin
+  module RubySaml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end
@@ -1,5 +1,4 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
 require "net/http"
@@ -16,8 +15,10 @@ module RubySaml
     #
     class IdpMetadataParser
 
-      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
-      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+      METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG           = "http://www.w3.org/2000/09/xmldsig#"
+      NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
+      SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
 
       attr_reader :document
       attr_reader :response
@@ -26,25 +27,30 @@ class IdpMetadataParser
       # IdP values
       #
       # @param (see IdpMetadataParser#get_idp_metadata)
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
       # @return (see IdpMetadataParser#get_idp_metadata)
       # @raise (see IdpMetadataParser#get_idp_metadata)
-      def parse_remote(url, validate_cert = true)
+      def parse_remote(url, validate_cert = true, options = {})
         idp_metadata = get_idp_metadata(url, validate_cert)
-        parse(idp_metadata)
+        parse(idp_metadata, options)
       end
 
       # Parse the Identity Provider metadata and update the settings with the IdP values
       # @param idp_metadata [String] 
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
       #
-      def parse(idp_metadata)
+      def parse(idp_metadata, options = {})
         @document = REXML::Document.new(idp_metadata)
 
-        OneLogin::RubySaml::Settings.new.tap do |settings|
+        (options[:settings] || OneLogin::RubySaml::Settings.new).tap do |settings|
           settings.idp_entity_id = idp_entity_id
           settings.name_identifier_format = idp_name_id_format
-          settings.idp_sso_target_url = single_signon_service_url
-          settings.idp_slo_target_url = single_logout_service_url
-          settings.idp_cert_fingerprint = fingerprint
+          settings.idp_sso_target_url = single_signon_service_url(options)
+          settings.idp_slo_target_url = single_logout_service_url(options)
+          settings.idp_cert = certificate_base64
+          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
+          settings.idp_attribute_names = attribute_names
+          settings.idp_cert_fingerprint = fingerprint(settings.idp_cert_fingerprint_algorithm)
         end
       end
 
@@ -111,51 +117,119 @@ def idp_name_id_format
         node.text if node
       end
 
+      # @param binding_priority [Array]
+      # @return [String|nil] SingleSignOnService binding if exists
+      #
+      def single_signon_service_binding(binding_priority = nil)
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Binding",
+          { "md" => METADATA }
+        )
+        if binding_priority
+          values = nodes.map(&:value)
+          binding_priority.detect{ |binding| values.include? binding }
+        else
+          nodes.first.value if nodes.any?
+        end
+      end
+
+      # @param options [Hash]
       # @return [String|nil] SingleSignOnService endpoint if exists
       #
-      def single_signon_service_url
+      def single_signon_service_url(options = {})
+        binding = options[:sso_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
           document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location",
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
           { "md" => METADATA }
         )
         node.value if node
       end
 
+      # @param binding_priority [Array]
+      # @return [String|nil] SingleLogoutService binding if exists
+      #
+      def single_logout_service_binding(binding_priority = nil)
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Binding",
+          { "md" => METADATA }
+        )
+        if binding_priority
+          values = nodes.map(&:value)
+          binding_priority.detect{ |binding| values.include? binding }
+        else
+          nodes.first.value if nodes.any?
+        end
+      end
+
+      # @param options [Hash]
       # @return [String|nil] SingleLogoutService endpoint if exists
       #
-      def single_logout_service_url
+      def single_logout_service_url(options = {})
+        binding = options[:slo_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         node = REXML::XPath.first(
           document,
-          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location",
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
           { "md" => METADATA }
         )
         node.value if node
       end
 
+      # @return [String|nil] Unformatted Certificate if exists
+      #
+      def certificate_base64
+        @certificate_base64 ||= begin
+          node = REXML::XPath.first(
+              document,
+              "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+              { "md" => METADATA, "ds" => DSIG }
+          )
+
+          unless node
+            node = REXML::XPath.first(
+                document,
+                "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+                { "md" => METADATA, "ds" => DSIG }
+            )
+          end
+          node.text if node
+        end
+      end
+
       # @return [String|nil] X509Certificate if exists
       #
       def certificate
         @certificate ||= begin
-          node = REXML::XPath.first(
-            document,
-            "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-            { "md" => METADATA, "ds" => DSIG }
-          )
-          Base64.decode64(node.text) if node
+          Base64.decode64(certificate_base64) if certificate_base64
         end
       end
 
+
       # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
       #
-      def fingerprint
+      def fingerprint(fingerprint_algorithm)
         @fingerprint ||= begin
           if certificate
             cert = OpenSSL::X509::Certificate.new(certificate)
-            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+
+            fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+            fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
           end
         end
       end
+
+      # @return [Array] the names of all SAML attributes if any exist
+      #
+      def attribute_names
+        nodes = REXML::XPath.match(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/saml:Attribute/@Name",
+          { "md" => METADATA, "NameFormat" => NAME_FORMAT, "saml" => SAML_ASSERTION }
+        )
+        nodes.map(&:value)
+      end
     end
   end
 end
@@ -1,7 +1,6 @@
-require "uuid"
-
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -18,7 +17,7 @@ class Logoutrequest < SamlMessage
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the Logout Request string.
@@ -108,7 +107,7 @@ def create_logout_request_xml_doc(settings)
           nameid.text = settings.name_identifier_value
         else
           # If no NameID is present in the settings we generate one
-          nameid.text = "_" + UUID.new.generate
+          nameid.text = OneLogin::RubySaml::Utils.uuid
           nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
         end