Move XMLSecurity to RubySaml::XML

Author: johnnyshields

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-07-08 10:27:10 UTC using RuboCop version 1.64.1.
+# on 2024-07-09 07:40:52 UTC using RuboCop version 1.64.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -20,7 +20,7 @@ Layout/EmptyLineAfterGuardClause:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
 
-# Offense count: 9
+# Offense count: 6
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines, beginning_only, ending_only
@@ -32,15 +32,14 @@ Layout/EmptyLinesAroundClassBody:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
 Layout/EmptyLinesAroundMethodBody:
   Exclude:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 12
+# Offense count: 11
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines
@@ -57,14 +56,6 @@ Layout/EmptyLinesAroundModuleBody:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
-
-# Offense count: 1
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: native, lf, crlf
-Layout/EndOfLine:
-  Exclude:
-    - 'lib/ruby_saml.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -81,7 +72,7 @@ Layout/ExtraSpacing:
 Layout/FirstArgumentIndentation:
   Exclude:
     - 'lib/ruby_saml/response.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -105,7 +96,7 @@ Layout/SpaceAfterComma:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 12
 # This cop supports safe autocorrection (--autocorrect).
@@ -130,7 +121,8 @@ Layout/SpaceAroundOperators:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -154,15 +146,8 @@ Layout/SpaceInsideHashLiteralBraces:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
-
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: final_newline, final_blank_line
-Layout/TrailingEmptyLines:
-  Exclude:
-    - 'lib/ruby_saml.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 Lint/NoReturnInBeginEndBlocks:
@@ -308,7 +293,7 @@ Performance/StringReplacement:
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 54
 # This cop supports safe autocorrection (--autocorrect).
@@ -361,7 +346,7 @@ Style/ConditionalAssignment:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 6
 # Configuration parameters: AllowedConstants.
@@ -372,7 +357,9 @@ Style/Documentation:
     - 'lib/ruby_saml/error_handling.rb'
     - 'lib/ruby_saml/idp_metadata_parser.rb'
     - 'lib/ruby_saml/logging.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -416,7 +403,9 @@ Style/IfUnlessModifier:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 15
 # Configuration parameters: AllowedMethods.
@@ -431,7 +420,7 @@ Style/OptionalBooleanParameter:
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
@@ -445,7 +434,7 @@ Style/RedundantRegexpArgument:
   Exclude:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -473,7 +462,7 @@ Style/StringConcatenation:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 440
+# Offense count: 351
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -492,7 +481,7 @@ Style/StringLiterals:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -510,7 +499,7 @@ Style/SymbolArray:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 94
+# Offense count: 95
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

CHANGELOG.md

@@ -5,6 +5,7 @@
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
+* [#692](https://github.com/SAML-Toolkits/ruby-saml/pull/692) Remove `XMLSecurity` namespace and replace with `RubySaml::XML`.
 * [#686](https://github.com/SAML-Toolkits/ruby-saml/pull/686) Use SHA-256 as the default hashing algorithm everywhere instead of SHA-1, including signatures, fingerprints, and digests.
 
 ### 1.17.0

LICENSE

@@ -21,4 +21,3 @@ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
-

README.md

@@ -411,7 +411,7 @@ but it can be done as follows:
 * Provide the XML to the parse method if the signature was validated
 
 ```ruby
-require "xml_security"
+require "ruby_saml/xml"
 require "ruby_saml/utils"
 require "ruby_saml/idp_metadata_parser"
 
@@ -431,7 +431,7 @@ get.basic_auth uri.user, uri.password if uri.user
 response = http.request(get)
 xml = response.body
 errors = []
-doc = XMLSecurity::SignedDocument.new(xml, errors)
+doc = RubySaml::XML::SignedDocument.new(xml, errors)
 cert_str = "<include_cert_here>"
 cert = RubySaml::Utils.format_cert("cert_str")
 metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
@@ -634,8 +634,8 @@ to specify different certificates for each function.
 You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
 
 ```ruby
-  settings.security[:digest_method]    = XMLSecurity::Document::SHA1
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:digest_method]    = RubySaml::XML::Document::SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
 #### Signing SP Metadata
@@ -979,3 +979,14 @@ end
 # Output XML with custom metadata
 MyMetadata.new.generate(settings)
 ```
+
+## Attribution
+
+Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
+copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
+under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
+be written entirely in future versions.
+
+## License
+
+RubySaml is made available under the MIT License. Refer to [LICENSE](LICENSE).

UPGRADING.md

@@ -8,14 +8,26 @@ Before attempting to upgrade to `2.0.0`:
 - Upgrade your project to minimum Ruby 3.0, JRuby 9.4, or TruffleRuby 22.
 - Upgrade RubySaml to `1.17.x`. Note that RubySaml `1.17.x` is compatible with up to Ruby 3.3.
 
-### Root namespace changed to RubySaml
+### Root "OneLogin" namespace changed to "RubySaml"
 
-RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`. This will require you
-to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
+RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`.
+Please remove `OneLogin::` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
 the class names themselves have intentionally been kept the same.
 
-For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work.
-This alias will be removed in RubySaml version `2.1.0`.
+Note that the project folder structure has also been updated accordingly. Notably, the directory
+`lib/onelogin/schemas` is now `lib/ruby_saml/schemas`.
+
+For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work
+as before. This alias will be removed in RubySaml version `2.1.0`.
+
+### Root "XMLSecurity" namespace changed to "RubySaml::XML"
+
+RubySaml version `2.0.0` changes the namespace `RubySaml::XML::` to `RubySaml::XML::`. Please search your
+codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you must replace direct usage of
+`require 'xml_security'` with `require 'ruby_saml/xml'`.
+
+For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
+as before. This alias will be removed in RubySaml version `2.1.0`.
 
 ### Security: Change default hashing algorithm to SHA-256 (was SHA-1)
 
@@ -30,9 +42,9 @@ To preserve the old insecure SHA-1 behavior *(not recommended)*, you may set `Ru
 ```ruby
 # Preserve RubySaml 1.x insecure SHA-1 behavior
 settings = RubySaml::Settings.new
-settings.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
-settings.security[:digest_method] = XMLSecurity::Document::SHA1
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+settings.idp_cert_fingerprint_algorithm = RubySaml::XML::Document::SHA1
+settings.security[:digest_method] = RubySaml::XML::Document::SHA1
+settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
 ## Updating from 1.12.x to 1.13.0
@@ -108,7 +120,7 @@ The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is v
 # In this example `query_params` is assumed to contain decoded query parameters,
 # and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
 settings = {
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
   settings.soft = false
 }
 options = {

lib/ruby_saml.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'ruby_saml/logging'
+require 'ruby_saml/xml'
 require 'ruby_saml/saml_message'
 require 'ruby_saml/authrequest'
 require 'ruby_saml/logoutrequest'
@@ -18,5 +19,6 @@
 require 'ruby_saml/utils'
 require 'ruby_saml/version'
 
-# @deprecated This alias will be removed in version 2.1.0
+# @deprecated These aliases add compatibility with v1.x and will be removed in v2.1.0
 OneLogin = Object
+XMLSecurity = RubySaml::XML

lib/ruby_saml/authrequest.rb

@@ -84,7 +84,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end
@@ -108,7 +108,7 @@ def create_authentication_xml_doc(settings)
     def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      request_doc = XMLSecurity::Document.new
+      request_doc = RubySaml::XML::Document.new
       request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/idp_metadata_parser.rb

@@ -376,13 +376,13 @@ def certificates
 
       # @return [String|nil] the fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA256)
+      def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::Document::SHA256)
         @fingerprint ||= begin
           return unless certificate
 
           cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
-          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+          fingerprint_alg = RubySaml::XML::BaseDocument.new.algorithm(fingerprint_algorithm).new
           fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         end
       end

lib/ruby_saml/logoutrequest.rb

@@ -81,7 +81,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
         signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end
@@ -105,7 +105,7 @@ def create_logout_request_xml_doc(settings)
     def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      request_doc = XMLSecurity::Document.new
+      request_doc = RubySaml::XML::Document.new
       request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/logoutresponse.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-require "xml_security"
+require "ruby_saml/xml"
 require "ruby_saml/saml_message"
-
 require "time"
 
 # Only supports SAML 2.0
@@ -45,7 +44,7 @@ def initialize(response, settings = nil, options = {})
 
       @options = options
       @response = decode_raw_saml(response, settings)
-      @document = XMLSecurity::SignedDocument.new(@response)
+      @document = RubySaml::XML::SignedDocument.new(@response)
       super()
     end