Merge branch 'v2.x' into deprecate-compress-request

.rubocop_todo.yml

@@ -20,7 +20,7 @@ Layout/EmptyLineAfterGuardClause:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
 
-# Offense count: 9
+# Offense count: 6
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines, beginning_only, ending_only
@@ -32,15 +32,14 @@ Layout/EmptyLinesAroundClassBody:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
 Layout/EmptyLinesAroundMethodBody:
   Exclude:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 12
+# Offense count: 11
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: empty_lines, empty_lines_except_namespace, empty_lines_special, no_empty_lines
@@ -57,7 +56,6 @@ Layout/EmptyLinesAroundModuleBody:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -74,7 +72,7 @@ Layout/ExtraSpacing:
 Layout/FirstArgumentIndentation:
   Exclude:
     - 'lib/ruby_saml/response.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -98,7 +96,7 @@ Layout/SpaceAfterComma:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 12
 # This cop supports safe autocorrection (--autocorrect).
@@ -123,7 +121,8 @@ Layout/SpaceAroundOperators:
   Exclude:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
@@ -147,7 +146,8 @@ Layout/SpaceInsideHashLiteralBraces:
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 Lint/NoReturnInBeginEndBlocks:
@@ -292,7 +292,7 @@ Performance/StringReplacement:
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 52
 # This cop supports safe autocorrection (--autocorrect).
@@ -345,7 +345,7 @@ Style/ConditionalAssignment:
     - 'lib/ruby_saml/logoutresponse.rb'
     - 'lib/ruby_saml/response.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 6
 # Configuration parameters: AllowedConstants.
@@ -356,7 +356,9 @@ Style/Documentation:
     - 'lib/ruby_saml/error_handling.rb'
     - 'lib/ruby_saml/idp_metadata_parser.rb'
     - 'lib/ruby_saml/logging.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -400,7 +402,17 @@ Style/IfUnlessModifier:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/base_document.rb'
+    - 'lib/ruby_saml/xml/document.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle, Autocorrect.
+# SupportedStyles: module_function, extend_self, forbidden
+Style/ModuleFunction:
+  Exclude:
+    - 'lib/ruby_saml/logging.rb'
 
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
@@ -423,7 +435,7 @@ Style/OptionalBooleanParameter:
     - 'lib/ruby_saml/settings.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 1
 # This cop supports safe autocorrection (--autocorrect).
@@ -437,7 +449,7 @@ Style/RedundantRegexpArgument:
   Exclude:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -465,7 +477,7 @@ Style/StringConcatenation:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 440
+# Offense count: 351
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -484,7 +496,7 @@ Style/StringLiterals:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
     - 'lib/ruby_saml/utils.rb'
-    - 'lib/xml_security.rb'
+    - 'lib/ruby_saml/xml/signed_document.rb'
 
 # Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
@@ -502,7 +514,7 @@ Style/SymbolArray:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 91
+# Offense count: 95
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

CHANGELOG.md

@@ -5,8 +5,10 @@
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
 * [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
+* [#692](https://github.com/SAML-Toolkits/ruby-saml/pull/692) Remove `XMLSecurity` namespace and replace with `RubySaml::XML`.
 * [#686](https://github.com/SAML-Toolkits/ruby-saml/pull/686) Use SHA-256 as the default hashing algorithm everywhere instead of SHA-1, including signatures, fingerprints, and digests.
 * [#695](https://github.com/SAML-Toolkits/ruby-saml/pull/695) Deprecate `settings.compress_request` and `settings.compess_response` parameters.
+* [#690](https://github.com/SAML-Toolkits/ruby-saml/pull/690) Remove deprecated `settings.security[:embed_sign]` parameter.
 
 ### 1.17.0
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.

LICENSE

@@ -21,4 +21,3 @@ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 OTHER DEALINGS IN THE SOFTWARE.
-

README.md

@@ -411,7 +411,7 @@ but it can be done as follows:
 * Provide the XML to the parse method if the signature was validated
 
 ```ruby
-require "xml_security"
+require "ruby_saml/xml"
 require "ruby_saml/utils"
 require "ruby_saml/idp_metadata_parser"
 
@@ -431,7 +431,7 @@ get.basic_auth uri.user, uri.password if uri.user
 response = http.request(get)
 xml = response.body
 errors = []
-doc = XMLSecurity::SignedDocument.new(xml, errors)
+doc = RubySaml::XML::SignedDocument.new(xml, errors)
 cert_str = "<include_cert_here>"
 cert = RubySaml::Utils.format_cert("cert_str")
 metadata_sign_cert = OpenSSL::X509::Certificate.new(cert)
@@ -634,8 +634,8 @@ to specify different certificates for each function.
 You may also globally set the SP signature and digest method, to be used in SP signing (functions 1 and 2 above):
 
 ```ruby
-  settings.security[:digest_method]    = XMLSecurity::Document::SHA1
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:digest_method]    = RubySaml::XML::Document::SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
 #### Signing SP Metadata
@@ -979,3 +979,14 @@ end
 # Output XML with custom metadata
 MyMetadata.new.generate(settings)
 ```
+
+## Attribution
+
+Portions of the code in `RubySaml::XML` namespace is adapted from earlier work
+copyrighted by either Oracle and/or Todd W. Saxton. The original code was distributed
+under the Common Development and Distribution License (CDDL) 1.0. This code is planned to
+be written entirely in future versions.
+
+## License
+
+RubySaml is made available under the MIT License. Refer to [LICENSE](LICENSE).

UPGRADING.md

@@ -2,20 +2,35 @@
 
 ## Updating from 1.17.x to 2.0.0
 
+**IMPORTANT: Please read this section carefully as it contains breaking changes!**
+
 ### Before upgrading
 
 Before attempting to upgrade to `2.0.0`:
 - Upgrade your project to minimum Ruby 3.0, JRuby 9.4, or TruffleRuby 22.
 - Upgrade RubySaml to `1.17.x`. Note that RubySaml `1.17.x` is compatible with up to Ruby 3.3.
 
-### Root namespace changed to RubySaml
+### Root "OneLogin" namespace changed to "RubySaml"
 
-RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`. This will require you
-to search your codebase for the string `OneLogin::` and remove it as appropriate. Aside from this namespace change,
+RubySaml version `2.0.0` changes the root namespace from `OneLogin::RubySaml::` to just `RubySaml::`.
+Please remove `OneLogin::` and `onelogin/` everywhere in your codebase. Aside from this namespace change,
 the class names themselves have intentionally been kept the same.
 
-For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work.
-This alias will be removed in RubySaml version `2.1.0`.
+Note that the project folder structure has also been updated accordingly. Notably, the directory
+`lib/onelogin/schemas` is now `lib/ruby_saml/schemas`.
+
+For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work
+as before. This alias will be removed in RubySaml version `2.1.0`.
+
+### Root "XMLSecurity" namespace changed to "RubySaml::XML"
+
+RubySaml version `2.0.0` changes the namespace `RubySaml::XML::` to `RubySaml::XML::`. Please search your
+codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you must replace direct usage of
+`require 'xml_security'` with `require 'ruby_saml/xml'`.
+
+For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
+as before. In addition, a shim file has been added so that `require 'xml_security'` continues to work.
+These aliases will be removed in RubySaml version `2.1.0`.
 
 ### Security: Change default hashing algorithm to SHA-256 (was SHA-1)
 
@@ -30,11 +45,29 @@ To preserve the old insecure SHA-1 behavior *(not recommended)*, you may set `Ru
 ```ruby
 # Preserve RubySaml 1.x insecure SHA-1 behavior
 settings = RubySaml::Settings.new
-settings.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
-settings.security[:digest_method] = XMLSecurity::Document::SHA1
-settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+settings.idp_cert_fingerprint_algorithm = RubySaml::XML::Document::SHA1
+settings.security[:digest_method] = RubySaml::XML::Document::SHA1
+settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
+```
+
+### Removal of embed_sign Setting
+
+The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch
+to using both the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters as show below.
+(This new syntax is supported on version 1.13.0 and later.)
+
+```ruby
+# Replace settings.security[:embed_sign] = true with
+settings.idp_sso_service_binding = :post
+settings.idp_slo_service_binding = :post
+
+# Replace settings.security[:embed_sign] = false with
+settings.idp_sso_service_binding = :redirect
+settings.idp_slo_service_binding = :redirect
 ```
 
+For clarity, the default value of both parameters is `:redirect` if they are not set.
+
 ### Deprecation of Compression Settings
 
 The `settings.compress_request` and `settings.compress_response` parameters have been deprecated
@@ -120,7 +153,7 @@ The new preferred way to provide _SAMLResponse_, _RelayState_, and _SigAlg_ is v
 # In this example `query_params` is assumed to contain decoded query parameters,
 # and `raw_query_params` is assumed to contain encoded query parameters as sent by the IDP.
 settings = {
-  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+  settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
   settings.soft = false
 }
 options = {

lib/ruby_saml.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'ruby_saml/logging'
+require 'ruby_saml/xml'
 require 'ruby_saml/saml_message'
 require 'ruby_saml/authrequest'
 require 'ruby_saml/logoutrequest'
@@ -18,5 +19,5 @@
 require 'ruby_saml/utils'
 require 'ruby_saml/version'
 
-# @deprecated This alias will be removed in version 2.1.0
+# @deprecated This alias adds compatibility with v1.x and will be removed in v2.1.0
 OneLogin = Object

lib/ruby_saml/authrequest.rb

@@ -85,7 +85,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
         signature = sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end
@@ -109,7 +109,7 @@ def create_authentication_xml_doc(settings)
     def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      request_doc = XMLSecurity::Document.new
+      request_doc = RubySaml::XML::Document.new
       request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/idp_metadata_parser.rb

@@ -376,13 +376,13 @@ def certificates
 
       # @return [String|nil] the fingerpint of the X509Certificate if it exists
       #
-      def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA256)
+      def fingerprint(certificate, fingerprint_algorithm = RubySaml::XML::Document::SHA256)
         @fingerprint ||= begin
           return unless certificate
 
           cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))
 
-          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
+          fingerprint_alg = RubySaml::XML::BaseDocument.new.algorithm(fingerprint_algorithm).new
           fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         end
       end

lib/ruby_saml/logoutrequest.rb

@@ -82,7 +82,7 @@ def create_params(settings, params={})
           relay_state: relay_state,
           sig_alg: params['SigAlg']
         )
-        sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+        sign_algorithm = RubySaml::XML::BaseDocument.new.algorithm(settings.security[:signature_method])
         signature = settings.get_sp_signing_key.sign(sign_algorithm.new, url_string)
         params['Signature'] = encode(signature)
       end
@@ -106,7 +106,7 @@ def create_logout_request_xml_doc(settings)
     def create_xml_document(settings)
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      request_doc = XMLSecurity::Document.new
+      request_doc = RubySaml::XML::Document.new
       request_doc.uuid = uuid
 
       root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

lib/ruby_saml/logoutresponse.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-require "xml_security"
+require "ruby_saml/xml"
 require "ruby_saml/saml_message"
-
 require "time"
 
 # Only supports SAML 2.0
@@ -45,7 +44,7 @@ def initialize(response, settings = nil, options = {})
 
       @options = options
       @response = decode_raw_saml(response, settings)
-      @document = XMLSecurity::SignedDocument.new(@response)
+      @document = RubySaml::XML::SignedDocument.new(@response)
       super()
     end