Skip to content

Commit cfad250

Browse files
pitbulkpitbulk
authored
Merge pull request #744 from johnnyshields/v2.x-double-quote-xml
V2.x - Nokogiri Upgrade Part 1 - Always double quote XML
2 parents 0c8efe1 + 6e8cfb3 commit cfad250

15 files changed

+113
-78
lines changed

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -585,8 +585,8 @@ to specify different certificates for each function.
585585
You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
586586

587587
```ruby
588-
settings.security[:digest_method] = RubySaml::XML::Document::SHA1
589-
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
588+
settings.security[:digest_method] = RubySaml::XML::Crypto::SHA1
589+
settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
590590
```
591591

592592
#### Signing SP Metadata

UPGRADING.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,18 @@ settings.security[:digest_method] = RubySaml::XML::Crypto::SHA1
5959
settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
6060
```
6161

62+
### Behavior change of double_quote_xml_attribute_values setting
63+
64+
RubySaml now always uses double quotes for attribute values when generating XML.
65+
The `settings.double_quote_xml_attribute_values` parameter now always behaves as `true`,
66+
and will be removed in RubySaml 2.1.0.
67+
68+
The reasons for this change are:
69+
- RubySaml will use Nokogiri instead of REXML to generate XML. Nokogiri does not support
70+
generating XML with single quotes.
71+
- Double-quoted XML attributes are more commonly used than single quotes. There are no known
72+
SAML clients which cannot support double-quoted XML.
73+
6274
### Removal of embed_sign setting
6375

6476
The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch

lib/ruby_saml/authrequest.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@ def create_params(settings, params={})
5454
end
5555

5656
request_doc = create_authentication_xml_doc(settings)
57-
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
57+
request_doc.context[:attribute_quote] = :quote
5858

5959
request = +""
6060
request_doc.write(request)
@@ -100,6 +100,7 @@ def create_xml_document(settings)
100100
assign_uuid(settings)
101101

102102
request_doc = RubySaml::XML::Document.new
103+
request_doc.context[:attribute_quote] = :quote
103104
request_doc.uuid = uuid
104105

105106
root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/logoutrequest.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ def create_params(settings, params={})
5252
end
5353

5454
request_doc = create_logout_request_xml_doc(settings)
55-
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
55+
request_doc.context[:attribute_quote] = :quote
5656

5757
request = +""
5858
request_doc.write(request)
@@ -98,6 +98,7 @@ def create_xml_document(settings)
9898
assign_uuid(settings)
9999

100100
request_doc = RubySaml::XML::Document.new
101+
request_doc.context[:attribute_quote] = :quote
101102
request_doc.uuid = uuid
102103

103104
root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/metadata.rb

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ class Metadata
2222
#
2323
def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
2424
meta_doc = RubySaml::XML::Document.new
25+
meta_doc.context[:attribute_quote] = :quote
2526
add_xml_declaration(meta_doc)
2627
root = add_root_element(meta_doc, settings, valid_until, cache_duration)
2728
sp_sso = add_sp_sso_element(root, settings)

lib/ruby_saml/settings.rb

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,6 @@ def initialize(overrides = {}, keep_security_attributes = false)
5454
attr_accessor :name_identifier_value
5555
attr_accessor :name_identifier_value_requested
5656
attr_accessor :sessionindex
57-
attr_accessor :double_quote_xml_attribute_values
5857
attr_accessor :message_max_bytesize
5958
attr_accessor :passive
6059
attr_reader :protocol_binding
@@ -230,7 +229,6 @@ def get_binding(value)
230229
idp_cert_fingerprint_algorithm: RubySaml::XML::Crypto::SHA256,
231230
message_max_bytesize: 250_000,
232231
soft: true,
233-
double_quote_xml_attribute_values: false,
234232
security: {
235233
authn_requests_signed: false,
236234
logout_requests_signed: false,
@@ -248,6 +246,22 @@ def get_binding(value)
248246
}.freeze
249247
}.freeze
250248

249+
{
250+
double_quote_xml_attribute_values: true
251+
}.each do |old_param, new_value|
252+
# @deprecated Will be removed in v2.1.0
253+
define_method(old_param) do
254+
removed_deprecation(old_param, new_value)
255+
new_value
256+
end
257+
258+
# @deprecated Will be removed in v2.1.0
259+
define_method(:"#{old_param}=") do |_|
260+
removed_deprecation(old_param, new_value)
261+
new_value
262+
end
263+
end
264+
251265
{
252266
issuer: :sp_entity_id,
253267
idp_sso_target_url: :idp_sso_service_url,
@@ -355,6 +369,12 @@ def compress_response=(value)
355369

356370
private
357371

372+
# @deprecated Will be removed in v2.1.0
373+
def removed_deprecation(old_param, new_value)
374+
Logging.deprecate "`RubySaml::Settings##{old_param}` is deprecated and will be removed in RubySaml 2.1.0. " \
375+
"It no longer has any effect, and will behave as if always set to #{new_value.inspect}."
376+
end
377+
358378
# @deprecated Will be removed in v2.1.0
359379
def replaced_deprecation(old_param, new_param)
360380
Logging.deprecate "`RubySaml::Settings##{old_param}` is deprecated and will be removed in RubySaml 2.1.0. " \

lib/ruby_saml/slo_logoutresponse.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
6060
end
6161

6262
response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
63-
response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
63+
response_doc.context[:attribute_quote] = :quote
6464

6565
response = +""
6666
response_doc.write(response)
@@ -109,6 +109,7 @@ def create_xml_document(settings, request_id = nil, logout_message = nil, status
109109
assign_uuid(settings)
110110

111111
response_doc = RubySaml::XML::Document.new
112+
response_doc.context[:attribute_quote] = :quote
112113
response_doc.uuid = uuid
113114

114115
destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url

test/authrequest_test.rb

Lines changed: 24 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ class AuthrequestTest < Minitest::Test
3636
zstream.finish
3737
zstream.close
3838

39-
assert_match(/<samlp:AuthnRequest[^<]* Destination='http:\/\/example.com'/, inflated)
39+
assert_match(/<samlp:AuthnRequest[^<]* Destination="http:\/\/example\.com"/, inflated)
4040
end
4141

4242
it "create the SAMLRequest URL parameter without deflating" do
@@ -61,7 +61,7 @@ class AuthrequestTest < Minitest::Test
6161
zstream.finish
6262
zstream.close
6363

64-
assert_match(/<samlp:AuthnRequest[^<]* IsPassive='true'/, inflated)
64+
assert_match(/<samlp:AuthnRequest[^<]* IsPassive="true"/, inflated)
6565
end
6666

6767
it "create the SAMLRequest URL parameter with ProtocolBinding" do
@@ -76,7 +76,7 @@ class AuthrequestTest < Minitest::Test
7676
zstream.finish
7777
zstream.close
7878

79-
assert_match(/<samlp:AuthnRequest[^<]* ProtocolBinding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'/, inflated)
79+
assert_match(/<samlp:AuthnRequest[^<]* ProtocolBinding="urn:oasis:names:tc:SAML:2\.0:bindings:HTTP-POST"/, inflated)
8080
end
8181

8282
it "create the SAMLRequest URL parameter with AttributeConsumingServiceIndex" do
@@ -90,7 +90,7 @@ class AuthrequestTest < Minitest::Test
9090
inflated = zstream.inflate(decoded)
9191
zstream.finish
9292
zstream.close
93-
assert_match(/<samlp:AuthnRequest[^<]* AttributeConsumingServiceIndex='30'/, inflated)
93+
assert_match(/<samlp:AuthnRequest[^<]* AttributeConsumingServiceIndex="30"/, inflated)
9494
end
9595

9696
it "create the SAMLRequest URL parameter with ForceAuthn" do
@@ -104,7 +104,7 @@ class AuthrequestTest < Minitest::Test
104104
inflated = zstream.inflate(decoded)
105105
zstream.finish
106106
zstream.close
107-
assert_match(/<samlp:AuthnRequest[^<]* ForceAuthn='true'/, inflated)
107+
assert_match(/<samlp:AuthnRequest[^<]* ForceAuthn="true"/, inflated)
108108
end
109109

110110
it "create the SAMLRequest URL parameter with NameID Format" do
@@ -118,8 +118,8 @@ class AuthrequestTest < Minitest::Test
118118
zstream.finish
119119
zstream.close
120120

121-
assert_match(/<samlp:NameIDPolicy[^<]* AllowCreate='true'/, inflated)
122-
assert_match(/<samlp:NameIDPolicy[^<]* Format='urn:oasis:names:tc:SAML:2.0:nameid-format:transient'/, inflated)
121+
assert_match(/<samlp:NameIDPolicy[^<]* AllowCreate="true"/, inflated)
122+
assert_match(/<samlp:NameIDPolicy[^<]* Format="urn:oasis:names:tc:SAML:2\.0:nameid-format:transient"/, inflated)
123123
end
124124

125125
it "create the SAMLRequest URL parameter with Subject" do
@@ -135,8 +135,8 @@ class AuthrequestTest < Minitest::Test
135135
zstream.close
136136

137137
assert inflated.include?('<saml:Subject>')
138-
assert inflated.include?("<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>testuser@example.com</saml:NameID>")
139-
assert inflated.include?("<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>")
138+
assert inflated.include?('<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>')
139+
assert inflated.include?('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>')
140140
end
141141

142142
it "accept extra parameters" do
@@ -199,9 +199,9 @@ class AuthrequestTest < Minitest::Test
199199

200200
it "can mutate the uuid" do
201201
request = RubySaml::Authrequest.new
202-
request_id = request.request_id
203202
assert_nil request.uuid
204-
assert_nil request_id
203+
assert_nil request.request_id
204+
205205
request.uuid = "new_uuid"
206206
assert_equal "new_uuid", request.uuid
207207
assert_equal request.uuid, request.request_id
@@ -225,7 +225,7 @@ class AuthrequestTest < Minitest::Test
225225
it "create the SAMLRequest parameter correctly" do
226226

227227
auth_url = RubySaml::Authrequest.new.create(settings)
228-
assert_match(/^http:\/\/example.com\?SAMLRequest/, auth_url)
228+
assert_match(/^http:\/\/example\.com\?SAMLRequest/, auth_url)
229229
end
230230
end
231231

@@ -234,7 +234,7 @@ class AuthrequestTest < Minitest::Test
234234
settings.idp_sso_service_url = "http://example.com?field=value"
235235

236236
auth_url = RubySaml::Authrequest.new.create(settings)
237-
assert_match(/^http:\/\/example.com\?field=value&SAMLRequest/, auth_url)
237+
assert_match(/^http:\/\/example\.com\?field=value&SAMLRequest/, auth_url)
238238
end
239239
end
240240

@@ -254,22 +254,22 @@ class AuthrequestTest < Minitest::Test
254254
it "create the saml:AuthnContextClassRef with comparison exact" do
255255
settings.authn_context = 'secure/name/password/uri'
256256
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
257-
assert_match(/<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/, auth_doc.to_s)
257+
assert_match(/<samlp:RequestedAuthnContext[\S ]+Comparison="exact"/, auth_doc.to_s)
258258
assert_match(/<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/, auth_doc.to_s)
259259
end
260260

261261
it "create the saml:AuthnContextClassRef with comparison minimun" do
262262
settings.authn_context = 'secure/name/password/uri'
263263
settings.authn_context_comparison = 'minimun'
264264
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
265-
assert_match(/<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/, auth_doc.to_s)
265+
assert_match(/<samlp:RequestedAuthnContext[\S ]+Comparison="minimun"/, auth_doc.to_s)
266266
assert_match(/<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/, auth_doc.to_s)
267267
end
268268

269269
it "create the saml:AuthnContextDeclRef element correctly" do
270270
settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
271271
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
272-
assert_match(/<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/, auth_doc.to_s)
272+
assert_match(/<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2\.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/, auth_doc.to_s)
273273
end
274274

275275
it "create the saml:AuthnContextClassRef element correctly" do
@@ -281,22 +281,22 @@ class AuthrequestTest < Minitest::Test
281281
it "create the saml:AuthnContextClassRef with comparison exact" do
282282
settings.authn_context = 'secure/name/password/uri'
283283
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
284-
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='exact'/
284+
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison="exact"/
285285
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
286286
end
287287

288288
it "create the saml:AuthnContextClassRef with comparison minimun" do
289289
settings.authn_context = 'secure/name/password/uri'
290290
settings.authn_context_comparison = 'minimun'
291291
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
292-
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison='minimun'/
292+
assert auth_doc.to_s =~ /<samlp:RequestedAuthnContext[\S ]+Comparison="minimun"/
293293
assert auth_doc.to_s =~ /<saml:AuthnContextClassRef>secure\/name\/password\/uri<\/saml:AuthnContextClassRef>/
294294
end
295295

296296
it "create the saml:AuthnContextDeclRef element correctly" do
297297
settings.authn_context_decl_ref = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
298298
auth_doc = RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
299-
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
299+
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2\.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
300300
end
301301

302302
it "create multiple saml:AuthnContextDeclRef elements correctly " do
@@ -329,7 +329,7 @@ class AuthrequestTest < Minitest::Test
329329
unless sp_hash_algo == :sha256
330330
it 'using mixed signature and digest methods (signature SHA256)' do
331331
# RSA is ignored here; only the hash sp_key_algo is used
332-
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA256
332+
settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA256
333333
params = RubySaml::Authrequest.new.create_params(settings)
334334
request_xml = Base64.decode64(params["SAMLRequest"])
335335

@@ -339,7 +339,7 @@ class AuthrequestTest < Minitest::Test
339339
end
340340

341341
it 'using mixed signature and digest methods (digest SHA256)' do
342-
settings.security[:digest_method] = RubySaml::XML::Document::SHA256
342+
settings.security[:digest_method] = RubySaml::XML::Crypto::SHA256
343343
params = RubySaml::Authrequest.new.create_params(settings)
344344
request_xml = Base64.decode64(params["SAMLRequest"])
345345

@@ -428,7 +428,7 @@ class AuthrequestTest < Minitest::Test
428428
unless sp_hash_algo == :sha256
429429
it 'using mixed signature and digest methods (signature SHA256)' do
430430
# RSA is ignored here; only the hash sp_key_algo is used
431-
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA256
431+
settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA256
432432
params = RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
433433

434434
assert params['SAMLRequest']
@@ -444,7 +444,7 @@ class AuthrequestTest < Minitest::Test
444444
end
445445

446446
it 'using mixed signature and digest methods (digest SHA256)' do
447-
settings.security[:digest_method] = RubySaml::XML::Document::SHA256
447+
settings.security[:digest_method] = RubySaml::XML::Crypto::SHA256
448448
params = RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
449449

450450
assert params['SAMLRequest']
@@ -461,7 +461,7 @@ class AuthrequestTest < Minitest::Test
461461
end
462462

463463
it "create a signature parameter using the first certificate and key" do
464-
settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
464+
settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
465465
settings.certificate = nil
466466
settings.private_key = nil
467467
cert, pkey = CertificateHelper.generate_pair(sp_key_algo)

test/idp_metadata_parser_test.rb

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -157,27 +157,27 @@ def initialize; end
157157
settings = idp_metadata_parser.parse(idp_metadata, {
158158
:settings => {
159159
:security => {
160-
:digest_method => RubySaml::XML::Document::SHA256,
161-
:signature_method => RubySaml::XML::Document::RSA_SHA256
160+
:digest_method => RubySaml::XML::Crypto::SHA256,
161+
:signature_method => RubySaml::XML::Crypto::RSA_SHA256
162162
}
163163
}
164164
})
165165
assert_equal "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21", settings.idp_cert_fingerprint
166-
assert_equal RubySaml::XML::Document::SHA256, settings.get_sp_digest_method
167-
assert_equal RubySaml::XML::Document::RSA_SHA256, settings.get_sp_signature_method
166+
assert_equal RubySaml::XML::Crypto::SHA256, settings.get_sp_digest_method
167+
assert_equal RubySaml::XML::Crypto::RSA_SHA256, settings.get_sp_signature_method
168168
end
169169

170170
it "merges results into given settings object" do
171171
settings = RubySaml::Settings.new(:security => {
172-
:digest_method => RubySaml::XML::Document::SHA256,
173-
:signature_method => RubySaml::XML::Document::RSA_SHA256
172+
:digest_method => RubySaml::XML::Crypto::SHA256,
173+
:signature_method => RubySaml::XML::Crypto::RSA_SHA256
174174
})
175175

176176
RubySaml::IdpMetadataParser.new.parse(idp_metadata_descriptor, :settings => settings)
177177

178178
assert_equal "C4:C6:BD:41:EC:AD:57:97:CE:7B:7D:80:06:C3:E4:30:53:29:02:0B:DD:2D:47:02:9E:BD:85:AD:93:02:45:21", settings.idp_cert_fingerprint
179-
assert_equal RubySaml::XML::Document::SHA256, settings.get_sp_digest_method
180-
assert_equal RubySaml::XML::Document::RSA_SHA256, settings.get_sp_signature_method
179+
assert_equal RubySaml::XML::Crypto::SHA256, settings.get_sp_digest_method
180+
assert_equal RubySaml::XML::Crypto::RSA_SHA256, settings.get_sp_signature_method
181181
end
182182
end
183183

@@ -256,8 +256,8 @@ def initialize; end
256256
parsed_metadata = idp_metadata_parser.parse_to_hash(idp_metadata, {
257257
:settings => {
258258
:security => {
259-
:digest_method => RubySaml::XML::Document::SHA256,
260-
:signature_method => RubySaml::XML::Document::RSA_SHA256
259+
:digest_method => RubySaml::XML::Crypto::SHA256,
260+
:signature_method => RubySaml::XML::Crypto::RSA_SHA256
261261
}
262262
}
263263
})

0 commit comments

Comments
 (0)