Merge pull request #743 from johnnyshields/v2.x-partial-nokogiri-upgrade

 V2.x - Migrate some inner code to Nokogiri

Author: pitbulk

lib/ruby_saml/authrequest.rb

@@ -101,7 +101,6 @@ def create_xml_document(settings)
 
       request_doc = RubySaml::XML::Document.new
       request_doc.context[:attribute_quote] = :quote
-      request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
       root.attributes['ID'] = uuid

lib/ruby_saml/logoutrequest.rb

@@ -99,7 +99,6 @@ def create_xml_document(settings)
 
       request_doc = RubySaml::XML::Document.new
       request_doc.context[:attribute_quote] = :quote
-      request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
       root.attributes['ID'] = uuid

lib/ruby_saml/slo_logoutresponse.rb

@@ -110,7 +110,6 @@ def create_xml_document(settings, request_id = nil, logout_message = nil, status
 
       response_doc = RubySaml::XML::Document.new
       response_doc.context[:attribute_quote] = :quote
-      response_doc.uuid = uuid
 
       destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
 

lib/ruby_saml/xml/crypto.rb

@@ -85,7 +85,9 @@ def hash_algorithm(element)
       private
 
       def get_algorithm_attr(element)
-        if element.is_a?(REXML::Element)
+        if element.is_a?(Nokogiri::XML::Element)
+          element['Algorithm']
+        elsif element.is_a?(REXML::Element)
           element.attribute('Algorithm').value
         elsif element
           element

lib/ruby_saml/xml/document.rb

@@ -27,12 +27,6 @@ class Document < BaseDocument
       SHA512        = RubySaml::XML::Crypto::SHA512
       ENVELOPED_SIG = RubySaml::XML::Crypto::ENVELOPED_SIG
 
-      attr_writer :uuid
-
-      def uuid
-        @uuid ||= document.root&.attributes&.[]('ID')
-      end
-
       # <Signature>
       #   <SignedInfo>
       #     <CanonicalizationMethod />
@@ -48,70 +42,114 @@ def uuid
       #   <KeyInfo />
       #   <Object />
       # </Signature>
-      def sign_document(private_key, certificate, signature_method = RSA_SHA256, digest_method = SHA256)
+      def sign_document(private_key, certificate, signature_method = RubySaml::XML::Crypto::RSA_SHA256, digest_method = RubySaml::XML::Crypto::SHA256)
+        signature_element = build_signature_element(private_key, certificate, signature_method, digest_method)
+        signature_element = convert_nokogiri_to_rexml(signature_element)
+        issuer_element = elements['//saml:Issuer']
+        if issuer_element
+          root.insert_after(issuer_element, signature_element)
+        elsif (first_child = root.children[0])
+          root.insert_before(first_child, signature_element)
+        else
+          root.add_element(signature_element)
+        end
+      end
+
+      private
+
+      def build_signature_element(private_key, certificate, signature_method, digest_method)
+        # Parse the original document
         noko = Nokogiri::XML(to_s) do |config|
           config.options = RubySaml::XML::BaseDocument::NOKOGIRI_OPTIONS
         end
 
-        signature_element = REXML::Element.new('ds:Signature').add_namespace('ds', RubySaml::XML::Crypto::DSIG)
-        signed_info_element = signature_element.add_element('ds:SignedInfo')
-        signed_info_element.add_element('ds:CanonicalizationMethod', {'Algorithm' => RubySaml::XML::Crypto::C14N})
-        signed_info_element.add_element('ds:SignatureMethod', {'Algorithm'=>signature_method})
+        # Build the Signature element
+        signature_element = Nokogiri::XML::Builder.new do |xml|
+          xml['ds'].Signature('xmlns:ds' => RubySaml::XML::Crypto::DSIG) do
+            xml['ds'].SignedInfo do
+              xml['ds'].CanonicalizationMethod(Algorithm: RubySaml::XML::Crypto::C14N)
+              xml['ds'].SignatureMethod(Algorithm: signature_method)
+              xml['ds'].Reference(URI: "##{noko.root.attr('ID')}") do
+                xml['ds'].Transforms do
+                  xml['ds'].Transform(Algorithm: RubySaml::XML::Crypto::ENVELOPED_SIG)
+                  xml['ds'].Transform(Algorithm: RubySaml::XML::Crypto::C14N) do
+                    xml['ec'].InclusiveNamespaces(
+                      'xmlns:ec' => RubySaml::XML::Crypto::C14N,
+                      PrefixList: INC_PREFIX_LIST
+                    )
+                  end
+                end
+                xml['ds'].DigestMethod(Algorithm: digest_method)
+                xml['ds'].DigestValue(digest_value(noko, digest_method))
+              end
+            end
+            xml['ds'].SignatureValue # Value is added below
+            xml['ds'].KeyInfo do
+              xml['ds'].X509Data do
+                xml['ds'].X509Certificate(certificate_value(certificate))
+              end
+            end
+          end
+        end.doc.root
+
+        # Set the signature value
+        signed_info_element = signature_element.at_xpath('//ds:SignedInfo', 'ds' => RubySaml::XML::Crypto::DSIG)
+        sig_value_element = signature_element.at_xpath('//ds:SignatureValue', 'ds' => RubySaml::XML::Crypto::DSIG)
+        sig_value_element.content = signature_value(signed_info_element, private_key, signature_method)
+
+        signature_element
+      end
 
-        # Add Reference
-        reference_element = signed_info_element.add_element('ds:Reference', {'URI' => "##{uuid}"})
+      def digest_value(document, digest_method)
+        inclusive_namespaces = INC_PREFIX_LIST.split
+        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(RubySaml::XML::Crypto::C14N)
+        hash_algorithm = RubySaml::XML::Crypto.hash_algorithm(digest_method)
 
-        # Add Transforms
-        transforms_element = reference_element.add_element('ds:Transforms')
-        transforms_element.add_element('ds:Transform', {'Algorithm' => RubySaml::XML::Crypto::ENVELOPED_SIG})
-        c14element = transforms_element.add_element('ds:Transform', {'Algorithm' => RubySaml::XML::Crypto::C14N})
-        c14element.add_element('ec:InclusiveNamespaces', {'xmlns:ec' => RubySaml::XML::Crypto::C14N, 'PrefixList' => INC_PREFIX_LIST})
+        canon_doc = document.canonicalize(canon_algorithm, inclusive_namespaces)
+        Base64.encode64(hash_algorithm.digest(canon_doc)).strip
+      end
 
-        digest_method_element = reference_element.add_element('ds:DigestMethod', {'Algorithm' => digest_method})
-        inclusive_namespaces = INC_PREFIX_LIST.split
-        canon_doc = noko.canonicalize(RubySaml::XML::Crypto.canon_algorithm(RubySaml::XML::Crypto::C14N), inclusive_namespaces)
-        reference_element.add_element('ds:DigestValue').text = compute_digest(canon_doc, RubySaml::XML::Crypto.hash_algorithm(digest_method_element))
+      def signature_value(signed_info_element, private_key, signature_method)
+        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(RubySaml::XML::Crypto::C14N)
+        hash_algorithm = RubySaml::XML::Crypto.hash_algorithm(signature_method).new
 
-        # add SignatureValue
-        noko_sig_element = Nokogiri::XML(signature_element.to_s) do |config|
-          config.options = RubySaml::XML::BaseDocument::NOKOGIRI_OPTIONS
-        end
+        canon_string = signed_info_element.canonicalize(canon_algorithm)
+        Base64.encode64(private_key.sign(hash_algorithm, canon_string)).delete("\n")
+      end
 
-        noko_signed_info_element = noko_sig_element.at_xpath('//ds:Signature/ds:SignedInfo', 'ds' => RubySaml::XML::Crypto::DSIG)
-        canon_string = noko_signed_info_element.canonicalize(RubySaml::XML::Crypto.canon_algorithm(RubySaml::XML::Crypto::C14N))
+      def certificate_value(certificate)
+        certificate = OpenSSL::X509::Certificate.new(certificate) if certificate.is_a?(String)
+        Base64.encode64(certificate.to_der).delete("\n")
+      end
 
-        signature = compute_signature(private_key, RubySaml::XML::Crypto.hash_algorithm(signature_method).new, canon_string)
-        signature_element.add_element('ds:SignatureValue').text = signature
+      # TODO: This is a shim method which will be removed when the
+      # full Nokogiri conversion is complete
+      def convert_nokogiri_to_rexml(noko_element, parent_namespaces = Set.new)
+        rexml_element = REXML::Element.new("#{"#{noko_element.namespace.prefix}:" if noko_element.namespace}#{noko_element.name}")
 
-        # add KeyInfo
-        key_info_element  = signature_element.add_element('ds:KeyInfo')
-        x509_element      = key_info_element.add_element('ds:X509Data')
-        x509_cert_element = x509_element.add_element('ds:X509Certificate')
-        if certificate.is_a?(String)
-          certificate = OpenSSL::X509::Certificate.new(certificate)
+        if noko_element.namespace && !parent_namespaces.include?(noko_element.namespace)
+          rexml_element.add_namespace(noko_element.namespace.prefix, noko_element.namespace.href)
         end
-        x509_cert_element.text = Base64.encode64(certificate.to_der).gsub(/\n/, '')
 
-        # add the signature
-        issuer_element = elements['//saml:Issuer']
-        if issuer_element
-          root.insert_after(issuer_element, signature_element)
-        elsif (first_child = root.children[0])
-          root.insert_before(first_child, signature_element)
-        else
-          root.add_element(signature_element)
+        noko_element.attributes.each do |name, value|
+          rexml_element.add_attribute(name, value)
         end
-      end
 
-      private
+        # Copy text content (if any)
+        if noko_element.text?
+          rexml_element.text = noko_element.text
+        end
 
-      def compute_signature(private_key, signature_hash_algorithm, document)
-        Base64.encode64(private_key.sign(signature_hash_algorithm, document)).gsub(/\n/, '')
-      end
+        # Recursively copy child elements
+        noko_element.children.each do |child|
+          if child.element?
+            rexml_element.add_element(convert_nokogiri_to_rexml(child, parent_namespaces << noko_element.namespace))
+          elsif child.text?
+            rexml_element.add_text(child.text)
+          end
+        end
 
-      def compute_digest(document, digest_algorithm)
-        digest = digest_algorithm.digest(document)
-        Base64.encode64(digest).strip
+        rexml_element
       end
     end
   end

lib/ruby_saml/xml/signed_document.rb

@@ -9,8 +9,6 @@ module XML
     class SignedDocument < BaseDocument
       include RubySaml::ErrorHandling
 
-      attr_writer :signed_element_id
-
       def initialize(response, errors = [])
         super(response)
         @errors = errors
@@ -55,6 +53,7 @@ def validate_document(idp_cert_fingerprint, soft = true, options = {})
         else
           return append_error('Certificate element missing in response (ds:X509Certificate) and not cert provided at settings', soft)
         end
+
         validate_signature(base64_cert, soft)
       end
 
@@ -82,56 +81,50 @@ def validate_document_with_cert(idp_cert, soft = true)
         else
           base64_cert = Base64.encode64(idp_cert.to_pem)
         end
+
         validate_signature(base64_cert, true)
       end
 
       def validate_signature(base64_cert, soft = true)
-        document = Nokogiri::XML(to_s) do |config|
+        noko = Nokogiri::XML(to_s) do |config|
           config.options = RubySaml::XML::BaseDocument::NOKOGIRI_OPTIONS
         end
 
-        # create a rexml document
-        @working_copy ||= REXML::Document.new(to_s).root
-
         # get signature node
-        sig_element = REXML::XPath.first(
-            @working_copy,
-            '//ds:Signature',
-            { 'ds' => RubySaml::XML::Crypto::DSIG }
-          )
+        sig_element = noko.at_xpath(
+          '//ds:Signature',
+          { 'ds' => RubySaml::XML::Crypto::DSIG }
+        )
 
         # signature method
-        sig_alg_value = REXML::XPath.first(
-          sig_element,
+        sig_alg_value = sig_element.at_xpath(
           './ds:SignedInfo/ds:SignatureMethod',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
         )
         signature_hash_algorithm = RubySaml::XML::Crypto.hash_algorithm(sig_alg_value)
 
         # get signature
-        base64_signature = REXML::XPath.first(
-          sig_element,
+        base64_signature = sig_element.at_xpath(
           './ds:SignatureValue',
-          { 'ds' => RubySaml::XML::Crypto::DSIG}
-        )
-        signature = Base64.decode64(RubySaml::Utils.element_text(base64_signature))
+          { 'ds' => RubySaml::XML::Crypto::DSIG }
+        ).content
+        signature = Base64.decode64(base64_signature)
 
         # canonicalization method
-        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(REXML::XPath.first(
-          sig_element,
+        canon_method_node = sig_element.at_xpath(
           './ds:SignedInfo/ds:CanonicalizationMethod',
-          'ds' => RubySaml::XML::Crypto::DSIG
-        ))
+          { 'ds' => RubySaml::XML::Crypto::DSIG }
+        )
+        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(canon_method_node)
 
-        noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => RubySaml::XML::Crypto::DSIG)
+        noko_sig_element = noko.at_xpath('//ds:Signature', 'ds' => RubySaml::XML::Crypto::DSIG)
         noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => RubySaml::XML::Crypto::DSIG)
 
         canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
         noko_sig_element.remove
 
         # get signed info
-        signed_info_element = REXML::XPath.first(
-          sig_element,
+        signed_info_element = sig_element.at_xpath(
           './ds:SignedInfo',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
         )
@@ -140,13 +133,12 @@ def validate_signature(base64_cert, soft = true)
         inclusive_namespaces = extract_inclusive_namespaces
 
         # check digests
-        ref = REXML::XPath.first(
-          signed_info_element,
+        ref = signed_info_element.at_xpath(
           './ds:Reference',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
         )
 
-        reference_nodes = document.xpath('//*[@ID=$id]', nil, { 'id' => extract_signed_element_id })
+        reference_nodes = noko.xpath('//*[@ID=$id]', nil, { 'id' => extract_signed_element_id })
 
         # ensure no elements with same ID to prevent signature wrapping attack.
         if reference_nodes.length > 1
@@ -155,28 +147,27 @@ def validate_signature(base64_cert, soft = true)
 
         hashed_element = reference_nodes[0]
 
-        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(REXML::XPath.first(
-          signed_info_element,
+        canon_method_node = signed_info_element.at_xpath(
           './ds:CanonicalizationMethod',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
-        ))
-
+        )
+        canon_algorithm = RubySaml::XML::Crypto.canon_algorithm(canon_method_node)
         canon_algorithm = process_transforms(ref, canon_algorithm)
 
         canon_hashed_element = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
-        digest_algorithm = RubySaml::XML::Crypto.hash_algorithm(REXML::XPath.first(
-          ref,
+        digest_method_node = ref.at_xpath(
           './ds:DigestMethod',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
-        ))
+        )
+        digest_algorithm = RubySaml::XML::Crypto.hash_algorithm(digest_method_node)
+
         hash = digest_algorithm.digest(canon_hashed_element)
-        encoded_digest_value = REXML::XPath.first(
-          ref,
+        encoded_digest_value = ref.at_xpath(
           './ds:DigestValue',
           { 'ds' => RubySaml::XML::Crypto::DSIG }
-        )
-        digest_value = Base64.decode64(RubySaml::Utils.element_text(encoded_digest_value))
+        ).content
+        digest_value = Base64.decode64(encoded_digest_value)
 
         unless digests_match?(hash, digest_value)
           return append_error('Digest mismatch', soft)

test/utils_test.rb

@@ -375,11 +375,11 @@ def result(duration, reference = 0)
     end
 
     it 'successfully decrypts with the first private key' do
-      assert_match(%r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [private_key]))
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [private_key]))
     end
 
     it 'successfully decrypts with a subsequent private key' do
-      assert_match(%r{\A<saml:Assertion}, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key]))
+      assert_match(/\A<saml:Assertion/, RubySaml::Utils.decrypt_multi(encrypted, [invalid_key1, private_key]))
     end
 
     it 'raises an error when there is only one key and it fails to decrypt' do