Merge pull request #758 from johnnyshields/v2.x-decryption-refactor

v2.x - Nokogiri Refactor Part 5: Extract out RubySaml::XML::Decryptor + Decoder

Author: pitbulk

lib/ruby_saml/authrequest.rb

@@ -51,8 +51,7 @@ def create_params(settings, params={})
 
       Logging.debug "Created AuthnRequest: #{request}"
 
-      request = deflate(request) if binding_redirect
-      base64_request = encode(request)
+      base64_request = RubySaml::XML::Decoder.encode_message(request, compress: binding_redirect)
       request_params = {"SAMLRequest" => base64_request}
       sp_signing_key = settings.get_sp_signing_key
 
@@ -66,7 +65,7 @@ def create_params(settings, params={})
         )
         sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
-        params['Signature'] = encode(signature)
+        params['Signature'] = Base64.strict_encode64(signature)
       end
 
       params.each_pair do |key, value|
@@ -88,8 +87,8 @@ def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
       assign_uuid(settings)
       root_attributes = {
-        'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
-        'xmlns:saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+        'xmlns:samlp' => RubySaml::XML::NS_PROTOCOL,
+        'xmlns:saml' => RubySaml::XML::NS_ASSERTION,
         'ID' => uuid,
         'IssueInstant' => time,
         'Version' => '2.0',

lib/ruby_saml/error_handling.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "ruby_saml/validation_error"
+require 'ruby_saml/validation_error'
 
 module RubySaml
   module ErrorHandling
@@ -9,10 +9,10 @@ module ErrorHandling
     # Append the cause to the errors array, and based on the value of soft, return false or raise
     # an exception. soft_override is provided as a means of overriding the object's notion of
     # soft for just this invocation.
-    def append_error(error_msg, soft_override = nil)
+    def append_error(error_msg, soft_override = false) # rubocop:disable Style/OptionalBooleanParameter
       @errors << error_msg
 
-      unless soft_override.nil? ? soft : soft_override
+      unless soft_override || (respond_to?(:soft) && soft)
         raise ValidationError.new(error_msg)
       end
 

lib/ruby_saml/idp_metadata_parser.rb

@@ -11,31 +11,20 @@ module RubySaml
   # make sure to validate it properly before use it in a parse_remote method.
   # Read the `Security warning` section of the README.md file to get more info
   class IdpMetadataParser
-    module SamlMetadata
-      module Vocabulary
-        METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata"
-        DSIG           = "http://www.w3.org/2000/09/xmldsig#"
-        NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
-        SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      end
-
-      NAMESPACE = {
-        "md" => Vocabulary::METADATA,
-        "NameFormat" => Vocabulary::NAME_FORMAT,
-        "saml" => Vocabulary::SAML_ASSERTION,
-        "ds" => Vocabulary::DSIG
-      }.freeze
-    end
+    NAMESPACES = {
+      "ds" => RubySaml::XML::DSIG,
+      "md" => RubySaml::XML::NS_METADATA,
+      "saml" => RubySaml::XML::NS_ASSERTION
+    }.freeze
 
-    include SamlMetadata::Vocabulary
     attr_reader :document
     attr_reader :response
     attr_reader :options
 
     # fetch IdP descriptors from a metadata document
     def self.get_idps(noko_document, only_entity_id = nil)
       path = "//md:EntityDescriptor#{"[@entityID=\"#{only_entity_id}\"]" if only_entity_id}/md:IDPSSODescriptor"
-      noko_document.xpath(path, SamlMetadata::NAMESPACE)
+      noko_document.xpath(path, NAMESPACES)
     end
 
     # Parse the Identity Provider metadata and update the settings with the
@@ -272,7 +261,7 @@ def cache_duration
       def idp_name_id_format(name_id_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:NameIDFormat",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_text(nodes, name_id_priority)
       end
@@ -283,7 +272,7 @@ def idp_name_id_format(name_id_priority = nil)
       def single_signon_service_binding(binding_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:SingleSignOnService/@Binding",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_value(nodes, binding_priority)
       end
@@ -294,7 +283,7 @@ def single_signon_service_binding(binding_priority = nil)
       def single_logout_service_binding(binding_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:SingleLogoutService/@Binding",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_value(nodes, binding_priority)
       end
@@ -308,7 +297,7 @@ def single_signon_service_url(binding_priority = nil)
 
         @idpsso_descriptor.at_xpath(
           "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )&.value
       end
 
@@ -321,7 +310,7 @@ def single_logout_service_url(binding_priority = nil)
 
         @idpsso_descriptor.at_xpath(
           "md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )&.value
       end
 
@@ -334,7 +323,7 @@ def single_logout_response_service_url(binding_priority = nil)
 
         node = @idpsso_descriptor.at_xpath(
           "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         node&.value
       end
@@ -345,12 +334,12 @@ def certificates
         @certificates ||= begin
           signing_nodes = @idpsso_descriptor.xpath(
             "md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-            SamlMetadata::NAMESPACE
+            NAMESPACES
           )
 
           encryption_nodes = @idpsso_descriptor.xpath(
             "md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-            SamlMetadata::NAMESPACE
+            NAMESPACES
           )
 
           return nil if signing_nodes.empty? && encryption_nodes.empty?
@@ -389,7 +378,7 @@ def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::SHA256)
       def attribute_names
         nodes = @idpsso_descriptor.xpath(
           "saml:Attribute/@Name",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         nodes.map(&:value)
       end

lib/ruby_saml/logoutrequest.rb

@@ -51,8 +51,7 @@ def create_params(settings, params={})
 
       Logging.debug "Created SLO Logout Request: #{request}"
 
-      request = deflate(request) if binding_redirect
-      base64_request = encode(request)
+      base64_request = RubySaml::XML::Decoder.encode_message(request, compress: binding_redirect)
       request_params = {"SAMLRequest" => base64_request}
       sp_signing_key = settings.get_sp_signing_key
 
@@ -66,7 +65,7 @@ def create_params(settings, params={})
         )
         sign_algorithm = RubySaml::XML.hash_algorithm(settings.get_sp_signature_method)
         signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
-        params['Signature'] = encode(signature)
+        params['Signature'] = Base64.strict_encode64(signature)
       end
 
       params.each_pair do |key, value|
@@ -89,8 +88,8 @@ def create_xml_document(settings)
       assign_uuid(settings)
 
       root_attributes = {
-        'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
-        'xmlns:saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+        'xmlns:samlp' => RubySaml::XML::NS_PROTOCOL,
+        'xmlns:saml' => RubySaml::XML::NS_ASSERTION,
         'ID' => uuid,
         'IssueInstant' => time,
         'Version' => '2.0',

lib/ruby_saml/logoutresponse.rb

@@ -40,7 +40,7 @@ def initialize(response, settings = nil, options = {})
       end
 
       @options = options
-      @response = decode_raw_saml(response, settings)
+      @response = RubySaml::XML::Decoder.decode_message(response, @settings&.message_max_bytesize)
       @document = RubySaml::XML::SignedDocument.new(@response)
       super()
     end
@@ -64,7 +64,7 @@ def in_response_to
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         node.nil? ? nil : node.attributes['InResponseTo']
       end
@@ -77,7 +77,7 @@ def issuer
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse/a:Issuer",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          { "p" => RubySaml::XML::NS_PROTOCOL, "a" => RubySaml::XML::NS_ASSERTION }
         )
         Utils.element_text(node)
       end
@@ -87,7 +87,7 @@ def issuer
     #
     def status_code
       @status_code ||= begin
-        node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL })
+        node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => RubySaml::XML::NS_PROTOCOL })
         node.nil? ? nil : node.attributes["Value"]
       end
     end
@@ -97,7 +97,7 @@ def status_message
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse/p:Status/p:StatusMessage",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         Utils.element_text(node)
       end

lib/ruby_saml/metadata.rb

@@ -33,12 +33,12 @@ def generate(settings, pretty_print = false, valid_until = nil, cache_duration =
 
         # Add saml namespace if attribute consuming service is configured
         if settings.attribute_consuming_service.configured?
-          root_attributes['xmlns:saml'] = 'urn:oasis:names:tc:SAML:2.0:assertion'
+          root_attributes['xmlns:saml'] = RubySaml::XML::NS_ASSERTION
         end
 
         xml['md'].EntityDescriptor(root_attributes) do
           sp_sso_attributes = {
-            'protocolSupportEnumeration' => 'urn:oasis:names:tc:SAML:2.0:protocol',
+            'protocolSupportEnumeration' => RubySaml::XML::NS_PROTOCOL,
             'AuthnRequestsSigned' => settings.security[:authn_requests_signed] ? 'true' : 'false',
             'WantAssertionsSigned' => settings.security[:want_assertions_signed] ? 'true' : 'false'
           }
@@ -150,7 +150,7 @@ def output_xml(meta_doc, pretty_print)
     private
 
     def add_certificate_element(xml, cert, use)
-      cert_text = Base64.encode64(cert.to_der).delete("\n")
+      cert_text = Base64.strict_encode64(cert.to_der)
       xml['md'].KeyDescriptor('use' => use.to_s) do
         xml['ds'].KeyInfo do
           xml['ds'].X509Data do