Merge branch 'v2.x' into remove-embed-sign-parameter

SAML-Toolkits · Jul 9, 2024 · a614a06 · a614a06
2 parents 3eee188 + 38d41fe
commit a614a06
Show file tree

Hide file tree

Showing 34 changed files with 872 additions and 647 deletions.
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-07-08 10:27:10 UTC using RuboCop version 1.64.1.
+# on 2024-07-09 11:29:15 UTC using RuboCop version 1.64.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -20,7 +20,7 @@ Layout/EmptyLineAfterGuardClause:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
 
-# Offense count: 9
+# Offense count: 6
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines, beginning_only, ending_only
@@ -32,15 +32,14 @@ Layout/EmptyLinesAroundClassBody:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
 Layout/EmptyLinesAroundMethodBody:
   Exclude:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 12
+# Offense count: 11
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines
@@ -57,14 +56,6 @@ Layout/EmptyLinesAroundModuleBody:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
-
-# Offense count: 1
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: native, lf, crlf
-Layout/EndOfLine:
-  Exclude:
-    - 'lib/ruby_saml.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -81,7 +72,7 @@ Layout/ExtraSpacing:
 Layout/FirstArgumentIndentation:
   Exclude:
     - 'lib/ruby_saml/response.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -105,7 +96,7 @@ Layout/SpaceAfterComma:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 12
 # This cop supports safe autocorrection (--autocorrect).
@@ -130,7 +121,8 @@ Layout/SpaceAroundOperators:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -154,15 +146,8 @@ Layout/SpaceInsideHashLiteralBraces:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
-
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: final_newline, final_blank_line
-Layout/TrailingEmptyLines:
-  Exclude:
-    - 'lib/ruby_saml.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 Lint/NoReturnInBeginEndBlocks:
@@ -185,12 +170,11 @@ Lint/UnreachableLoop:
   Exclude:
     - 'lib/ruby_saml/saml_message.rb'
 
-# Offense count: 3
+# Offense count: 2
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: AutoCorrect.
 Lint/UselessAssignment:
   Exclude:
-    - 'lib/ruby_saml/logging.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
 # Offense count: 42
@@ -308,7 +292,7 @@ Performance/StringReplacement:
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 54
 # This cop supports safe autocorrection (--autocorrect).
@@ -361,7 +345,7 @@ Style/ConditionalAssignment:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 6
 # Configuration parameters: AllowedConstants.
@@ -372,7 +356,9 @@ Style/Documentation:
     - 'lib/ruby_saml/error_handling.rb'
     - 'lib/ruby_saml/idp_metadata_parser.rb'
     - 'lib/ruby_saml/logging.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -416,7 +402,17 @@ Style/IfUnlessModifier:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle, Autocorrect.
+# SupportedStyles: module_function, extend_self, forbidden
+Style/ModuleFunction:
+  Exclude:
+    - 'lib/ruby_saml/logging.rb'
 
 # Offense count: 15
 # Configuration parameters: AllowedMethods.
@@ -431,7 +427,7 @@ Style/OptionalBooleanParameter:
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
@@ -445,7 +441,7 @@ Style/RedundantRegexpArgument:
   Exclude:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -473,7 +469,7 @@ Style/StringConcatenation:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 440
+# Offense count: 351
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -492,7 +488,7 @@ Style/StringLiterals:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -510,7 +506,7 @@ Style/SymbolArray:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 94
+# Offense count: 95
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
+* [#692](https://github.com/SAML-Toolkits/ruby-saml/pull/692) Remove `XMLSecurity` namespace and replace with `RubySaml::XML`.
 * [#686](https://github.com/SAML-Toolkits/ruby-saml/pull/686) Use SHA-256 as the default hashing algorithm everywhere instead of SHA-1, including signatures, fingerprints, and digests.
 * [#690](https://github.com/SAML-Toolkits/ruby-saml/pull/690) Remove deprecated `settings.security[:embed_sign]` parameter.
 

diff --git a/LICENSE b/LICENSE
@@ -21,4 +21,3 @@ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
-
diff --git a/README.md b/README.md
@@ -411,7 +411,7 @@ but it can be done as follows:
 * Provide the XML to the parse method if the signature was validated
 
 ```ruby
-require "xml_security"
+require "ruby_saml/xml"
 require "ruby_saml/utils"
 require "ruby_saml/idp_metadata_parser"
 
@@ -431,7 +431,7 @@ get.basic_auth uri.user, uri.password if uri.user
 response = http.request(get)
 xml = response.body
 errors = []
-doc = XMLSecurity::SignedDocument.new(xml, errors)
+doc = RubySaml::XML::SignedDocument.new(xml, errors)
 cert_str = "<include_cert_here>"
 cert = RubySaml::Utils.format_cert("cert_str")
 metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
@@ -634,8 +634,8 @@ to specify different certificates for each function.
 You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
 
 ```ruby
-  settings.security[:digest_method]    = XMLSecurity::Document::SHA1
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:digest_method]    = RubySaml::XML::Document::SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
 #### Signing SP Metadata
@@ -979,3 +979,14 @@ end
 # Output XML with custom metadata
 MyMetadata.new.generate(settings)
 ```
+
+## Attribution
+
+Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
+copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
+under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
+be written entirely in future versions.
+
+## License
+
+RubySaml is made available under the MIT License. Refer to [LICENSE](LICENSE).
diff --git a/UPGRADING.md b/UPGRADING.md
@@ -10,14 +10,27 @@ Before attempting to upgrade to `2.0.0`:
 - Upgrade your project to minimum Ruby 3.0, JRuby 9.4, or TruffleRuby 22.
 - Upgrade RubySaml to `1.17.x`. Note that RubySaml `1.17.x` is compatible with up to Ruby 3.3.
 
-### Root namespace changed to RubySaml
+### Root "OneLogin" namespace changed to "RubySaml"
 
-RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`. This will require you
-to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
+RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`.
+Please remove `OneLogin::` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
 the class names themselves have intentionally been kept the same.
 
-For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work.
-This alias will be removed in RubySaml version `2.1.0`.
+Note that the project folder structure has also been updated accordingly. Notably, the directory
+`lib/onelogin/schemas` is now `lib/ruby_saml/schemas`.
+
+For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work
+as before. This alias will be removed in RubySaml version `2.1.0`.
+
+### Root "XMLSecurity" namespace changed to "RubySaml::XML"
+
+RubySaml version `2.0.0` changes the namespace `RubySaml::XML::` to `RubySaml::XML::`. Please search your
+codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you must replace direct usage of
+`require 'xml_security'` with `require 'ruby_saml/xml'`.
+
+For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
+as before. In addition, a shim file has been added so that `require 'xml_security'` continues to work.
+These aliases will be removed in RubySaml version `2.1.0`.
 
 ### Security: Change default hashing algorithm to SHA-256 (was SHA-1)
 
@@ -32,9 +45,9 @@ To preserve the old insecure SHA-1 behavior *(not recommended)*, you may set `Ru
 ```ruby
 # Preserve RubySaml 1.x insecure SHA-1 behavior
 settings = RubySaml::Settings.new
-settings.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
-settings.security[:digest_method] = XMLSecurity::Document::SHA1
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+settings.idp_cert_fingerprint_algorithm = RubySaml::XML::Document::SHA1
+settings.security[:digest_method] = RubySaml::XML::Document::SHA1
+settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
 ### Removal of embed_sign Setting
@@ -128,7 +141,7 @@ The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is v
 # In this example `query_params` is assumed to contain decoded query parameters,
 # and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
 settings = {
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
   settings.soft = false
 }
 options = {

diff --git a/lib/ruby_saml.rb b/lib/ruby_saml.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'ruby_saml/logging'
+require 'ruby_saml/xml'
 require 'ruby_saml/saml_message'
 require 'ruby_saml/authrequest'
 require 'ruby_saml/logoutrequest'
@@ -18,5 +19,5 @@
 require 'ruby_saml/utils'
 require 'ruby_saml/version'
 
-# @deprecated This alias will be removed in version 2.1.0
+# @deprecated This alias adds compatibility with v1.x and will be removed in v2.1.0
 OneLogin = Object
diff --git a/lib/ruby_saml/authrequest.rb b/lib/ruby_saml/authrequest.rb
@@ -84,7 +84,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end
@@ -108,7 +108,7 @@ def create_authentication_xml_doc(settings)
     def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      request_doc = XMLSecurity::Document.new
+      request_doc = RubySaml::XML::Document.new
       request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

diff --git a/lib/ruby_saml/idp_metadata_parser.rb b/lib/ruby_saml/idp_metadata_parser.rb
@@ -376,13 +376,13 @@ def certificates
 
       # @return [String|nil] the fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA256)
+      def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::Document::SHA256)
         @fingerprint ||= begin
           return unless certificate
 
           cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
-          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+          fingerprint_alg = RubySaml::XML::BaseDocument.new.algorithm(fingerprint_algorithm).new
           fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         end
       end