Skip to content

Commit

Permalink
Merge pull request #692 from johnnyshields/xml-security-to-rubysaml-xml
Browse files Browse the repository at this point in the history
v2.0: Move XMLSecurity namespace to RubySaml::XML
  • Loading branch information
pitbulk authored Jul 9, 2024
2 parents a3d2045 + ff1cf3f commit 38d41fe
Show file tree
Hide file tree
Showing 34 changed files with 881 additions and 656 deletions.
66 changes: 31 additions & 35 deletions .rubocop_todo.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# This configuration was generated by
# `rubocop --auto-gen-config`
# on 2024-07-08 10:27:10 UTC using RuboCop version 1.64.1.
# on 2024-07-09 11:29:15 UTC using RuboCop version 1.64.1.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
Expand All @@ -20,7 +20,7 @@ Layout/EmptyLineAfterGuardClause:
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'

# Offense count: 9
# Offense count: 6
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: EnforcedStyle.
# SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines, beginning_only, ending_only
Expand All @@ -32,15 +32,14 @@ Layout/EmptyLinesAroundClassBody:
- 'lib/ruby_saml/logoutresponse.rb'
- 'lib/ruby_saml/metadata.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'
- 'lib/xml_security.rb'

# Offense count: 1
# This cop supports safe autocorrection (--autocorrect).
Layout/EmptyLinesAroundMethodBody:
Exclude:
- 'lib/ruby_saml/slo_logoutrequest.rb'

# Offense count: 12
# Offense count: 11
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: EnforcedStyle.
# SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines
Expand All @@ -57,14 +56,6 @@ Layout/EmptyLinesAroundModuleBody:
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'

# Offense count: 1
# Configuration parameters: EnforcedStyle.
# SupportedStyles: native, lf, crlf
Layout/EndOfLine:
Exclude:
- 'lib/ruby_saml.rb'

# Offense count: 3
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -81,7 +72,7 @@ Layout/ExtraSpacing:
Layout/FirstArgumentIndentation:
Exclude:
- 'lib/ruby_saml/response.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 5
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -105,7 +96,7 @@ Layout/SpaceAfterComma:
Exclude:
- 'lib/ruby_saml/response.rb'
- 'lib/ruby_saml/settings.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 12
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -130,7 +121,8 @@ Layout/SpaceAroundOperators:
Exclude:
- 'lib/ruby_saml/response.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/document.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 5
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -154,15 +146,8 @@ Layout/SpaceInsideHashLiteralBraces:
- 'lib/ruby_saml/response.rb'
- 'lib/ruby_saml/settings.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'
- 'lib/xml_security.rb'

# Offense count: 1
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: EnforcedStyle.
# SupportedStyles: final_newline, final_blank_line
Layout/TrailingEmptyLines:
Exclude:
- 'lib/ruby_saml.rb'
- 'lib/ruby_saml/xml/document.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 2
Lint/NoReturnInBeginEndBlocks:
Expand All @@ -185,12 +170,11 @@ Lint/UnreachableLoop:
Exclude:
- 'lib/ruby_saml/saml_message.rb'

# Offense count: 3
# Offense count: 2
# This cop supports unsafe autocorrection (--autocorrect-all).
# Configuration parameters: AutoCorrect.
Lint/UselessAssignment:
Exclude:
- 'lib/ruby_saml/logging.rb'
- 'lib/ruby_saml/slo_logoutrequest.rb'

# Offense count: 42
Expand Down Expand Up @@ -308,7 +292,7 @@ Performance/StringReplacement:
- 'lib/ruby_saml/metadata.rb'
- 'lib/ruby_saml/saml_message.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/document.rb'

# Offense count: 54
# This cop supports safe autocorrection (--autocorrect).
Expand Down Expand Up @@ -361,7 +345,7 @@ Style/ConditionalAssignment:
- 'lib/ruby_saml/logoutresponse.rb'
- 'lib/ruby_saml/response.rb'
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 6
# Configuration parameters: AllowedConstants.
Expand All @@ -372,7 +356,9 @@ Style/Documentation:
- 'lib/ruby_saml/error_handling.rb'
- 'lib/ruby_saml/idp_metadata_parser.rb'
- 'lib/ruby_saml/logging.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/base_document.rb'
- 'lib/ruby_saml/xml/document.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 2
# This cop supports safe autocorrection (--autocorrect).
Expand Down Expand Up @@ -416,7 +402,17 @@ Style/IfUnlessModifier:
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/base_document.rb'
- 'lib/ruby_saml/xml/document.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 1
# This cop supports unsafe autocorrection (--autocorrect-all).
# Configuration parameters: EnforcedStyle, Autocorrect.
# SupportedStyles: module_function, extend_self, forbidden
Style/ModuleFunction:
Exclude:
- 'lib/ruby_saml/logging.rb'

# Offense count: 15
# Configuration parameters: AllowedMethods.
Expand All @@ -431,7 +427,7 @@ Style/OptionalBooleanParameter:
- 'lib/ruby_saml/settings.rb'
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 1
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -445,7 +441,7 @@ Style/RedundantRegexpArgument:
Exclude:
- 'lib/ruby_saml/saml_message.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/document.rb'

# Offense count: 3
# This cop supports safe autocorrection (--autocorrect).
Expand Down Expand Up @@ -473,7 +469,7 @@ Style/StringConcatenation:
- 'lib/ruby_saml/saml_message.rb'
- 'lib/ruby_saml/slo_logoutrequest.rb'

# Offense count: 440
# Offense count: 351
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
# SupportedStyles: single_quotes, double_quotes
Expand All @@ -492,7 +488,7 @@ Style/StringLiterals:
- 'lib/ruby_saml/slo_logoutrequest.rb'
- 'lib/ruby_saml/slo_logoutresponse.rb'
- 'lib/ruby_saml/utils.rb'
- 'lib/xml_security.rb'
- 'lib/ruby_saml/xml/signed_document.rb'

# Offense count: 3
# This cop supports safe autocorrection (--autocorrect).
Expand All @@ -510,7 +506,7 @@ Style/SymbolArray:
Exclude:
- 'lib/ruby_saml/settings.rb'

# Offense count: 94
# Offense count: 95
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
# URISchemes: http, https
Expand Down
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
* [#692](https://github.com/SAML-Toolkits/ruby-saml/pull/692) Remove `XMLSecurity` namespace and replace with `RubySaml::XML`.
* [#686](https://github.com/SAML-Toolkits/ruby-saml/pull/686) Use SHA-256 as the default hashing algorithm everywhere instead of SHA-1, including signatures, fingerprints, and digests.

### 1.17.0
Expand Down
1 change: 0 additions & 1 deletion LICENSE
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,3 @@ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

19 changes: 15 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -411,7 +411,7 @@ but it can be done as follows:
* Provide the XML to the parse method if the signature was validated
```ruby
require "xml_security"
require "ruby_saml/xml"
require "ruby_saml/utils"
require "ruby_saml/idp_metadata_parser"
Expand All @@ -431,7 +431,7 @@ get.basic_auth uri.user, uri.password if uri.user
response = http.request(get)
xml = response.body
errors = []
doc = XMLSecurity::SignedDocument.new(xml, errors)
doc = RubySaml::XML::SignedDocument.new(xml, errors)
cert_str = "<include_cert_here>"
cert = RubySaml::Utils.format_cert("cert_str")
metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
Expand Down Expand Up @@ -634,8 +634,8 @@ to specify different certificates for each function.
You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
```ruby
settings.security[:digest_method] = XMLSecurity::Document::SHA1
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.security[:digest_method] = RubySaml::XML::Document::SHA1
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
```
#### Signing SP Metadata
Expand Down Expand Up @@ -979,3 +979,14 @@ end
# Output XML with custom metadata
MyMetadata.new.generate(settings)
```
## Attribution
Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
be written entirely in future versions.
## License
RubySaml is made available under the MIT License. Refer to [LICENSE](LICENSE).
31 changes: 22 additions & 9 deletions UPGRADING.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,27 @@ Before attempting to upgrade to `2.0.0`:
- Upgrade your project to minimum Ruby 3.0, JRuby 9.4, or TruffleRuby 22.
- Upgrade RubySaml to `1.17.x`. Note that RubySaml `1.17.x` is compatible with up to Ruby 3.3.

### Root namespace changed to RubySaml
### Root "OneLogin" namespace changed to "RubySaml"

RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`. This will require you
to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`.
Please remove `OneLogin::` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
the class names themselves have intentionally been kept the same.

For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work.
This alias will be removed in RubySaml version `2.1.0`.
Note that the project folder structure has also been updated accordingly. Notably, the directory
`lib/onelogin/schemas` is now `lib/ruby_saml/schemas`.

For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work
as before. This alias will be removed in RubySaml version `2.1.0`.

### Root "XMLSecurity" namespace changed to "RubySaml::XML"

RubySaml version `2.0.0` changes the namespace `RubySaml::XML::` to `RubySaml::XML::`. Please search your
codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you must replace direct usage of
`require 'xml_security'` with `require 'ruby_saml/xml'`.

For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
as before. In addition, a shim file has been added so that `require 'xml_security'` continues to work.
These aliases will be removed in RubySaml version `2.1.0`.

### Security: Change default hashing algorithm to SHA-256 (was SHA-1)

Expand All @@ -30,9 +43,9 @@ To preserve the old insecure SHA-1 behavior *(not recommended)*, you may set `Ru
```ruby
# Preserve RubySaml 1.x insecure SHA-1 behavior
settings = RubySaml::Settings.new
settings.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
settings.security[:digest_method] = XMLSecurity::Document::SHA1
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.idp_cert_fingerprint_algorithm = RubySaml::XML::Document::SHA1
settings.security[:digest_method] = RubySaml::XML::Document::SHA1
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
```

## Updating from 1.12.x to 1.13.0
Expand Down Expand Up @@ -108,7 +121,7 @@ The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is v
# In this example `query_params` is assumed to contain decoded query parameters,
# and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
settings = {
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
settings.soft = false
}
options = {
Expand Down
3 changes: 2 additions & 1 deletion lib/ruby_saml.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# frozen_string_literal: true

require 'ruby_saml/logging'
require 'ruby_saml/xml'
require 'ruby_saml/saml_message'
require 'ruby_saml/authrequest'
require 'ruby_saml/logoutrequest'
Expand All @@ -18,5 +19,5 @@
require 'ruby_saml/utils'
require 'ruby_saml/version'

# @deprecated This alias will be removed in version 2.1.0
# @deprecated This alias adds compatibility with v1.x and will be removed in v2.1.0
OneLogin = Object
4 changes: 2 additions & 2 deletions lib/ruby_saml/authrequest.rb
Original file line number Diff line number Diff line change
Expand Up @@ -84,7 +84,7 @@ def create_params(settings, params={})
relay_state: relay_state,
sig_alg: params['SigAlg']
)
sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
signature = sp_signing_key.sign(sign_algorithm.new, url_string)
params['Signature'] = encode(signature)
end
Expand All @@ -108,7 +108,7 @@ def create_authentication_xml_doc(settings)
def create_xml_document(settings)
time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")

request_doc = XMLSecurity::Document.new
request_doc = RubySaml::XML::Document.new
request_doc.uuid = uuid

root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
Expand Down
4 changes: 2 additions & 2 deletions lib/ruby_saml/idp_metadata_parser.rb
Original file line number Diff line number Diff line change
Expand Up @@ -376,13 +376,13 @@ def certificates

# @return [String|nil] the fingerpint of the X509Certificate if it exists
#
def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA256)
def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::Document::SHA256)
@fingerprint ||= begin
return unless certificate

cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))

fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
fingerprint_alg = RubySaml::XML::BaseDocument.new.algorithm(fingerprint_algorithm).new
fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
end
end
Expand Down
Loading

0 comments on commit 38d41fe

Please sign in to comment.