Move SAML namespaces into constants

Author: johnnyshields

lib/ruby_saml/authrequest.rb

@@ -88,8 +88,8 @@ def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
       assign_uuid(settings)
       root_attributes = {
-        'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
-        'xmlns:saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+        'xmlns:samlp' => RubySaml::XML::NS_PROTOCOL,
+        'xmlns:saml' => RubySaml::XML::NS_ASSERTION,
         'ID' => uuid,
         'IssueInstant' => time,
         'Version' => '2.0',

lib/ruby_saml/idp_metadata_parser.rb

@@ -11,31 +11,20 @@ module RubySaml
   # make sure to validate it properly before use it in a parse_remote method.
   # Read the `Security warning` section of the README.md file to get more info
   class IdpMetadataParser
-    module SamlMetadata
-      module Vocabulary
-        METADATA       = "urn:oasis:names:tc:SAML:2.0:metadata"
-        DSIG           = "http://www.w3.org/2000/09/xmldsig#"
-        NAME_FORMAT    = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
-        SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      end
-
-      NAMESPACE = {
-        "md" => Vocabulary::METADATA,
-        "NameFormat" => Vocabulary::NAME_FORMAT,
-        "saml" => Vocabulary::SAML_ASSERTION,
-        "ds" => Vocabulary::DSIG
-      }.freeze
-    end
+    NAMESPACES = {
+      "ds" => RubySaml::XML::DSIG,
+      "md" => RubySaml::XML::NS_METADATA,
+      "saml" => RubySaml::XML::NS_ASSERTION
+    }.freeze
 
-    include SamlMetadata::Vocabulary
     attr_reader :document
     attr_reader :response
     attr_reader :options
 
     # fetch IdP descriptors from a metadata document
     def self.get_idps(noko_document, only_entity_id = nil)
       path = "//md:EntityDescriptor#{"[@entityID=\"#{only_entity_id}\"]" if only_entity_id}/md:IDPSSODescriptor"
-      noko_document.xpath(path, SamlMetadata::NAMESPACE)
+      noko_document.xpath(path, NAMESPACES)
     end
 
     # Parse the Identity Provider metadata and update the settings with the
@@ -272,7 +261,7 @@ def cache_duration
       def idp_name_id_format(name_id_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:NameIDFormat",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_text(nodes, name_id_priority)
       end
@@ -283,7 +272,7 @@ def idp_name_id_format(name_id_priority = nil)
       def single_signon_service_binding(binding_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:SingleSignOnService/@Binding",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_value(nodes, binding_priority)
       end
@@ -294,7 +283,7 @@ def single_signon_service_binding(binding_priority = nil)
       def single_logout_service_binding(binding_priority = nil)
         nodes = @idpsso_descriptor.xpath(
           "md:SingleLogoutService/@Binding",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         first_ranked_value(nodes, binding_priority)
       end
@@ -308,7 +297,7 @@ def single_signon_service_url(binding_priority = nil)
 
         @idpsso_descriptor.at_xpath(
           "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )&.value
       end
 
@@ -321,7 +310,7 @@ def single_logout_service_url(binding_priority = nil)
 
         @idpsso_descriptor.at_xpath(
           "md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )&.value
       end
 
@@ -334,7 +323,7 @@ def single_logout_response_service_url(binding_priority = nil)
 
         node = @idpsso_descriptor.at_xpath(
           "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         node&.value
       end
@@ -345,12 +334,12 @@ def certificates
         @certificates ||= begin
           signing_nodes = @idpsso_descriptor.xpath(
             "md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-            SamlMetadata::NAMESPACE
+            NAMESPACES
           )
 
           encryption_nodes = @idpsso_descriptor.xpath(
             "md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
-            SamlMetadata::NAMESPACE
+            NAMESPACES
           )
 
           return nil if signing_nodes.empty? && encryption_nodes.empty?
@@ -389,7 +378,7 @@ def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::SHA256)
       def attribute_names
         nodes = @idpsso_descriptor.xpath(
           "saml:Attribute/@Name",
-          SamlMetadata::NAMESPACE
+          NAMESPACES
         )
         nodes.map(&:value)
       end

lib/ruby_saml/logoutrequest.rb

@@ -89,8 +89,8 @@ def create_xml_document(settings)
       assign_uuid(settings)
 
       root_attributes = {
-        'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
-        'xmlns:saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+        'xmlns:samlp' => RubySaml::XML::NS_PROTOCOL,
+        'xmlns:saml' => RubySaml::XML::NS_ASSERTION,
         'ID' => uuid,
         'IssueInstant' => time,
         'Version' => '2.0',

lib/ruby_saml/logoutresponse.rb

@@ -64,7 +64,7 @@ def in_response_to
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         node.nil? ? nil : node.attributes['InResponseTo']
       end
@@ -77,7 +77,7 @@ def issuer
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse/a:Issuer",
-          { "p" => PROTOCOL, "a" => ASSERTION }
+          { "p" => RubySaml::XML::NS_PROTOCOL, "a" => RubySaml::XML::NS_ASSERTION }
         )
         Utils.element_text(node)
       end
@@ -87,7 +87,7 @@ def issuer
     #
     def status_code
       @status_code ||= begin
-        node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL })
+        node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => RubySaml::XML::NS_PROTOCOL })
         node.nil? ? nil : node.attributes["Value"]
       end
     end
@@ -97,7 +97,7 @@ def status_message
         node = REXML::XPath.first(
           document,
           "/p:LogoutResponse/p:Status/p:StatusMessage",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         Utils.element_text(node)
       end

lib/ruby_saml/metadata.rb

@@ -32,12 +32,12 @@ def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
 
         # Add saml namespace if attribute consuming service is configured
         if settings.attribute_consuming_service.configured?
-          root_attributes['xmlns:saml'] = 'urn:oasis:names:tc:SAML:2.0:assertion'
+          root_attributes['xmlns:saml'] = RubySaml::XML::NS_ASSERTION
         end
 
         xml['md'].EntityDescriptor(root_attributes) do
           sp_sso_attributes = {
-            'protocolSupportEnumeration' => 'urn:oasis:names:tc:SAML:2.0:protocol',
+            'protocolSupportEnumeration' => RubySaml::XML::NS_PROTOCOL,
             'AuthnRequestsSigned' => settings.security[:authn_requests_signed] ? 'true' : 'false',
             'WantAssertionsSigned' => settings.security[:want_assertions_signed] ? 'true' : 'false'
           }

lib/ruby_saml/response.rb

@@ -10,13 +10,10 @@ module RubySaml
   class Response < SamlMessage
     include ErrorHandling
 
-    ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-    PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-    DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-    XENC      = "http://www.w3.org/2001/04/xmlenc#"
+    # TODO: Migrate this to RubySaml::XML
     SAML_NAMESPACES = {
-      "p" => PROTOCOL,
-      "a" => ASSERTION
+      'p' => RubySaml::XML::NS_PROTOCOL,
+      'a' => RubySaml::XML::NS_ASSERTION
     }.freeze
 
     # TODO: Settings should probably be initialized too... WDYT?
@@ -197,7 +194,7 @@ def handle_rexml_attribute(node, attributes)
           # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
           # identify the subject in an SP rather than email or other less opaque attributes
           # NameQualifier, if present is prefixed with a "/" to the value
-          REXML::XPath.match(e,'a:NameID', { "a" => ASSERTION }).collect do |n|
+          REXML::XPath.match(e,'a:NameID', { "a" => RubySaml::XML::NS_ASSERTION }).map do |n|
             base_path = n.attributes['NameQualifier'] ? "#{n.attributes['NameQualifier']}/" : ''
             "#{base_path}#{Utils.element_text(n)}"
           end
@@ -224,7 +221,7 @@ def handle_nokogiri_attribute(node, attributes)
           # this is useful for allowing eduPersonTargetedId to be passed as an opaque identifier to use to
           # identify the subject in an SP rather than email or other less opaque attributes
           # NameQualifier, if present is prefixed with a "/" to the value
-          e.xpath('a:NameID', { "a" => ASSERTION }).map do |n|
+          e.xpath('a:NameID', { "a" => RubySaml::XML::NS_ASSERTION }).map do |n|
             next unless (value = n&.content)
             base_path = n['NameQualifier'] ? "#{n['NameQualifier']}/" : ''
             "#{base_path}#{value}"
@@ -281,7 +278,7 @@ def status_code
         nodes = REXML::XPath.match(
           document,
           "/p:Response/p:Status/p:StatusCode",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         if nodes.size == 1
           node = nodes[0]
@@ -291,9 +288,9 @@ def status_code
             nodes = REXML::XPath.match(
               document,
               "/p:Response/p:Status/p:StatusCode/p:StatusCode",
-              { "p" => PROTOCOL }
+              { "p" => RubySaml::XML::NS_PROTOCOL }
             )
-            statuses = nodes.collect do |inner_node|
+            statuses = nodes.map do |inner_node|
               inner_node.attributes["Value"]
             end
 
@@ -312,7 +309,7 @@ def status_message
         nodes = REXML::XPath.match(
           document,
           "/p:Response/p:Status/p:StatusMessage",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
 
         Utils.element_text(nodes.first) if nodes.size == 1
@@ -376,7 +373,7 @@ def in_response_to
         node = REXML::XPath.first(
           document,
           "/p:Response",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         node.nil? ? nil : node.attributes['InResponseTo']
       end
@@ -389,7 +386,7 @@ def destination
         node = REXML::XPath.first(
           document,
           "/p:Response",
-          { "p" => PROTOCOL }
+          { "p" => RubySaml::XML::NS_PROTOCOL }
         )
         node.nil? ? nil : node.attributes['Destination']
       end
@@ -546,12 +543,12 @@ def validate_num_assertion
       assertions = REXML::XPath.match(
         document,
         "//a:Assertion",
-        { "a" => ASSERTION }
+        { "a" => RubySaml::XML::NS_ASSERTION }
       )
       encrypted_assertions = REXML::XPath.match(
         document,
         "//a:EncryptedAssertion",
-        { "a" => ASSERTION }
+        { "a" => RubySaml::XML::NS_ASSERTION }
       )
 
       unless assertions.size + encrypted_assertions.size == 1
@@ -562,7 +559,7 @@ def validate_num_assertion
         assertions = REXML::XPath.match(
           decrypted_document,
           "//a:Assertion",
-          { "a" => ASSERTION }
+          { "a" => RubySaml::XML::NS_ASSERTION }
         )
         unless assertions.size == 1
           return append_error(error_msg)
@@ -598,7 +595,7 @@ def validate_signed_elements
       signature_nodes = REXML::XPath.match(
         decrypted_document.nil? ? document : decrypted_document,
         "//ds:Signature",
-        {"ds"=>DSIG}
+        { "ds" => RubySaml::XML::DSIG }
       )
       signed_elements = []
       verified_seis = []
@@ -620,7 +617,7 @@ def validate_signed_elements
         verified_ids.push(id)
 
         # Check that reference URI matches the parent ID and no duplicate References or IDs
-        ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
+        ref = REXML::XPath.first(signature_node, ".//ds:Reference", { "ds" => RubySaml::XML::DSIG })
         if ref
           uri = ref.attributes.get_attribute("URI")
           if uri && !uri.value.empty?
@@ -838,7 +835,7 @@ def validate_subject_confirmation
         confirmation_data_node = REXML::XPath.first(
           subject_confirmation,
           'a:SubjectConfirmationData',
-          { "a" => ASSERTION }
+          { "a" => RubySaml::XML::NS_ASSERTION }
         )
 
         next unless confirmation_data_node
@@ -870,7 +867,7 @@ def validate_subject_confirmation_nokogiri(subject_confirmation_nodes)
           next
         end
 
-        confirmation_data_node = subject_confirmation.at_xpath('a:SubjectConfirmationData', { "a" => ASSERTION })
+        confirmation_data_node = subject_confirmation.at_xpath('a:SubjectConfirmationData', { "a" => RubySaml::XML::NS_ASSERTION })
 
         next unless confirmation_data_node
 
@@ -916,7 +913,7 @@ def doc_to_validate
       sig_elements = REXML::XPath.match(
         document,
         "/p:Response[@ID=$id]/ds:Signature",
-        { "p" => PROTOCOL, "ds" => DSIG },
+        { "p" => RubySaml::XML::NS_PROTOCOL, "ds" => RubySaml::XML::DSIG },
         { 'id' => document.signed_element_id }
       )
 
@@ -941,7 +938,7 @@ def validate_signature
       sig_elements = REXML::XPath.match(
         document,
         "/p:Response[@ID=$id]/ds:Signature",
-        { "p" => PROTOCOL, "ds" => DSIG },
+        { "p" => RubySaml::XML::NS_PROTOCOL, "ds" => RubySaml::XML::DSIG },
         { 'id' => document.signed_element_id }
       )
 
@@ -950,7 +947,7 @@ def validate_signature
         sig_elements = REXML::XPath.match(
           doc,
           "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
-          SAML_NAMESPACES.merge({ "ds" => DSIG }),
+          SAML_NAMESPACES.merge({ "ds" => RubySaml::XML::DSIG }),
           { 'id' => doc.signed_element_id }
         )
       end
@@ -1037,10 +1034,10 @@ def cached_signed_assertion
 
       assertion = empty_doc
       if root.name == "Response"
-        if REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
-          assertion = REXML::XPath.first(root, "a:Assertion", {"a" => ASSERTION})
-        elsif REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION})
-          assertion = RubySaml::XML::Decryptor.decrypt_assertion(REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => ASSERTION}), settings&.get_sp_decryption_keys)
+        if REXML::XPath.first(root, "a:Assertion", {"a" => RubySaml::XML::NS_ASSERTION})
+          assertion = REXML::XPath.first(root, "a:Assertion", {"a" => RubySaml::XML::NS_ASSERTION})
+        elsif REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => RubySaml::XML::NS_ASSERTION})
+          assertion = RubySaml::XML::Decryptor.decrypt_assertion(REXML::XPath.first(root, "a:EncryptedAssertion", {"a" => RubySaml::XML::NS_ASSERTION}), settings&.get_sp_decryption_keys)
         end
       elsif root.name == "Assertion"
         assertion = root