Skip to content

Commit

Permalink
Remove the deprecated settings.security[:embed_sign] parameter. It …
Browse files Browse the repository at this point in the history
…can be migrated to idp_sso/slo_service_binding.
  • Loading branch information
johnnyshields committed Jul 8, 2024
1 parent 3776d92 commit 52cf370
Show file tree
Hide file tree
Showing 8 changed files with 32 additions and 195 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Remove `OneLogin` namespace. The root namespace of the gem is now `RubySaml`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
* [#689](https://github.com/SAML-Toolkits/ruby-saml/pull/689) Remove `settings.compress_request` and `settings.compess_response` parameters.
* [#690](https://github.com/SAML-Toolkits/ruby-saml/pull/690) Remove deprecated `settings.security[:embed_sign]` parameter.

### 1.17.0
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
Expand Down
28 changes: 27 additions & 1 deletion UPGRADING.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,41 @@

## Updating from 1.17.x to 2.0.0

**IMPORTANT: Please read this section carefully as it contains breaking changes!**

### Before Upgrading

Before attempting to upgrade to `2.0.0`:
- Upgrade your project to minimum Ruby 3.0, JRuby 9.4, or TruffleRuby 22.
- Upgrade RubySaml to `1.17.x`. Note that RubySaml `1.17.x` is compatible with up to Ruby 3.3.

### Root Namespace Changed to RubySaml

RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`. This will require you
to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
the class names themselves have intentionally been kept the same.

The `settings.compress_request` and `settings.compress_response` attributes have been removed.
### Removal of embed_sign Parameter

The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch
to using both the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters as show below.
(This new syntax is supported on version 1.13.0 and later.)

```ruby
# Replace settings.security[:embed_sign] = true with
settings.idp_sso_service_binding = :post
settings.idp_slo_service_binding = :post

# Replace settings.security[:embed_sign] = false with
settings.idp_sso_service_binding = :redirect
settings.idp_slo_service_binding = :redirect
```

For clarity, the default value of both parameters is `:redirect` if they are not set.

### Removal of Compression Parameters

The `settings.compress_request` and `settings.compress_response` parameters have been removed.
Please remove them everywhere within your project code. These behaviors are now set automatically
according to the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters
respectively: `HTTP-Redirect` will always use compression, while `HTTP-POST` will not. For clarity,
Expand Down
9 changes: 2 additions & 7 deletions lib/ruby_saml/settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ def idp_slo_service_url
# @return [String] IdP Single Sign On Service Binding
#
def idp_sso_service_binding
@idp_sso_service_binding || idp_binding_from_embed_sign
@idp_sso_service_binding || Utils::BINDINGS[:redirect]
end

# Setter for IdP Single Sign On Service Binding
Expand All @@ -104,7 +104,7 @@ def idp_sso_service_binding=(value)
# @return [String] IdP Single Logout Service Binding
#
def idp_slo_service_binding
@idp_slo_service_binding || idp_binding_from_embed_sign
@idp_slo_service_binding || Utils::BINDINGS[:redirect]
end

# Setter for IdP Single Logout Service Binding
Expand Down Expand Up @@ -262,10 +262,6 @@ def get_sp_cert_new
node[0] if node
end

def idp_binding_from_embed_sign
security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
end

def get_binding(value)
return unless value

Expand All @@ -287,7 +283,6 @@ def get_binding(value)
want_assertions_encrypted: false,
want_name_id: false,
metadata_signed: false,
embed_sign: false, # Deprecated
digest_method: XMLSecurity::Document::SHA1,
signature_method: XMLSecurity::Document::RSA_SHA1,
check_idp_cert_expiration: false,
Expand Down
3 changes: 1 addition & 2 deletions test/idp_metadata_parser_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -654,8 +654,8 @@ def initialize; end
assert_equal("https://app.onelogin.com/saml/metadata/383123", @settings.idp_entity_id)
assert_equal("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", @settings.name_identifier_format)
assert_equal("https://app.onelogin.com/trust/saml2/http-post/sso/383123", @settings.idp_sso_service_url)
assert_equal("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.idp_sso_service_binding)
assert_nil(@settings.idp_slo_service_url)
# TODO: next line can be changed to `assert_nil @settings.idp_slo_service_binding` after :embed_sign is removed.
assert_nil(@settings.instance_variable_get('@idp_slo_service_binding'))
end
end
Expand Down Expand Up @@ -726,7 +726,6 @@ def initialize; end
assert_equal "https://app.onelogin.com/trust/saml2/http-post/sso/383123", @settings.idp_sso_service_url
assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.idp_sso_service_binding
assert_nil @settings.idp_slo_service_url
# TODO: next line can be changed to `assert_nil @settings.idp_slo_service_binding` after :embed_sign is removed.
assert_nil @settings.instance_variable_get('@idp_slo_service_binding')
end
end
Expand Down
51 changes: 0 additions & 51 deletions test/logoutrequest_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -343,57 +343,6 @@ class RequestTest < Minitest::Test
end
end

describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do

before do
# sign the logout request
settings.idp_slo_service_binding = RubySaml::Utils::BINDINGS[:post]
settings.security[:logout_requests_signed] = true
settings.security[:embed_sign] = true
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
end

it "created a signed logout request" do
unauth_req = RubySaml::Logoutrequest.new
inflated = unauth_req.create_logout_request_xml_doc(settings).to_s

assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
assert_match %r[<ds:SignatureMethod Algorithm='http://www\.w3\.org/2000/09/xmldsig#rsa-sha1'/>], inflated
assert_match %r[<ds:DigestMethod Algorithm='http://www\.w3\.org/2000/09/xmldsig#sha1'/>], inflated
end
end

describe "DEPRECATED: signing with HTTP-Redirect binding via :embed_sign" do

let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.security[:logout_requests_signed] = true
settings.security[:embed_sign] = false
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
end

it "create a signature parameter with RSA_SHA1 / SHA1 and validate it" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1

params = RubySaml::Logoutrequest.new.create_params(settings, :RelayState => 'http://example.com')
assert params['SAMLRequest']
assert params[:RelayState]
assert params['Signature']
assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1

query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"

signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
end
end

describe "#manipulate request_id" do
it "be able to modify the request id" do
logoutrequest = RubySaml::Logoutrequest.new
Expand Down
49 changes: 0 additions & 49 deletions test/request_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -427,55 +427,6 @@ class RequestTest < Minitest::Test
assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>example\/decl\/ref<\/saml:AuthnContextDeclRef>/
end

describe "DEPRECATED: #create_params signing with HTTP-POST binding via :embed_sign" do
before do
settings.idp_sso_service_url = "http://example.com?field=value"
settings.security[:authn_requests_signed] = true
settings.security[:embed_sign] = true
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
end

it "create a signed request" do
params = RubySaml::Authrequest.new.create_params(settings)
request_xml = Base64.decode64(params["SAMLRequest"])
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
end
end

describe "DEPRECATED: #create_params signing with HTTP-Redirect binding via :embed_sign" do
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.idp_sso_service_url = "http://example.com?field=value"
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
settings.security[:authn_requests_signed] = true
settings.security[:embed_sign] = false
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
end

it "create a signature parameter with RSA_SHA1 and validate it" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1

params = RubySaml::Authrequest.new.create_params(settings, :RelayState => 'http://example.com')
assert params['SAMLRequest']
assert params[:RelayState]
assert params['Signature']
assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1

query_string = "SAMLRequest=#{CGI.escape(params['SAMLRequest'])}"
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"

signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
assert_equal signature_algorithm, OpenSSL::Digest::SHA1

assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
end
end

describe "#manipulate request_id" do
it "be able to modify the request id" do
authnrequest = RubySaml::Authrequest.new
Expand Down
26 changes: 0 additions & 26 deletions test/settings_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -55,30 +55,6 @@ class SettingsTest < Minitest::Test
end
end

it "idp_sso/slo_service_binding should fallback to :embed_sign inferred value" do
accessors = [:idp_sso_service_binding, :idp_slo_service_binding]

accessors.each do |accessor|
@settings.security[:embed_sign] = true

value = Kernel.rand.to_s
@settings.send("#{accessor}=".to_sym, value)
assert_equal value, @settings.send(accessor)

@settings.send("#{accessor}=".to_sym, :redirect)
assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.send(accessor)

@settings.send("#{accessor}=".to_sym, :post)
assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor)

@settings.send("#{accessor}=".to_sym, nil)
assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", @settings.send(accessor)

@settings.security[:embed_sign] = false
assert_equal "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", @settings.send(accessor)
end
end

it "create settings from hash" do
config = {
:assertion_consumer_service_url => "http://app.muda.no/sso",
Expand Down Expand Up @@ -117,13 +93,11 @@ class SettingsTest < Minitest::Test
it "does not modify default security settings" do
settings = RubySaml::Settings.new
settings.security[:authn_requests_signed] = true
settings.security[:embed_sign] = true
settings.security[:digest_method] = XMLSecurity::Document::SHA256
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256

new_settings = RubySaml::Settings.new
assert_equal new_settings.security[:authn_requests_signed], false
assert_equal new_settings.security[:embed_sign], false
assert_equal new_settings.security[:digest_method], XMLSecurity::Document::SHA1
assert_equal new_settings.security[:signature_method], XMLSecurity::Document::RSA_SHA1
end
Expand Down
59 changes: 0 additions & 59 deletions test/slo_logoutresponse_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -343,65 +343,6 @@ class SloLogoutresponseTest < Minitest::Test
end
end

describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do
before do
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = true
end

it "doesn't sign through create_xml_document" do
unauth_res = RubySaml::SloLogoutresponse.new
inflated = unauth_res.create_xml_document(settings).to_s

refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
end

it "sign unsigned request" do
unauth_res = RubySaml::SloLogoutresponse.new
unauth_res_doc = unauth_res.create_xml_document(settings)
inflated = unauth_res_doc.to_s

refute_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
refute_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
refute_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated

inflated = unauth_res.sign_document(unauth_res_doc, settings).to_s

assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
end
end

describe "DEPRECATED: signing with HTTP-Redirect binding via :embed_sign" do
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = false
end

it "create a signature parameter with RSA_SHA1 and validate it" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1

params = RubySaml::SloLogoutresponse.new.create_params(settings, logout_request.id, "Custom Logout Message", :RelayState => 'http://example.com')
assert params['SAMLResponse']
assert params[:RelayState]
assert params['Signature']
assert_equal params['SigAlg'], XMLSecurity::Document::RSA_SHA1

query_string = "SAMLResponse=#{CGI.escape(params['SAMLResponse'])}"
query_string << "&RelayState=#{CGI.escape(params[:RelayState])}"
query_string << "&SigAlg=#{CGI.escape(params['SigAlg'])}"

signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(params['SigAlg'])
assert_equal signature_algorithm, OpenSSL::Digest::SHA1
assert cert.public_key.verify(signature_algorithm.new, Base64.decode64(params['Signature']), query_string)
end
end

describe "#manipulate response_id" do
it "be able to modify the response id" do
logoutresponse = RubySaml::SloLogoutresponse.new
Expand Down

0 comments on commit 52cf370

Please sign in to comment.