Skip to content

Commit

Permalink
Merge remote-tracking branch 'remotes/johnnyshields/remove-compress-r…
Browse files Browse the repository at this point in the history 
…equest-response-parameters' into remove-onelogin
  • Loading branch information
@johnnyshields
johnnyshields committed Jul 8, 2024
2 parents 9f12376 + 3776d92 commit 75c8dc2
Show file tree
Hide file tree
Showing 12 changed files with 30 additions and 55 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Create namespace alias `OneLogin = Object` for backward compatibility, to be removed in version `2.1.0`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Change directly structure from `lib/onelogin/ruby-saml` to `lib/ruby_saml`.
* [#685](https://github.com/SAML-Toolkits/ruby-saml/pull/685) Move schema files from `lib/onelogin/schemas` to `lib/ruby_saml/schemas`.
* [#689](https://github.com/SAML-Toolkits/ruby-saml/pull/689) Remove `settings.compress_request` and `settings.compess_response` parameters.

### 1.17.0
* [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
Expand Down
9 changes: 9 additions & 0 deletions UPGRADING.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,15 @@ the class names themselves have intentionally been kept the same.
For backward compatibility, the alias `OneLogin = Object` has been set, so `OneLogin::RubySaml::` will still work.
This alias will be removed in RubySaml version `2.1.0`.

### Removal of Compression Settings

The `settings.compress_request` and `settings.compress_response` parameters have been removed.
Please remove them everywhere within your project code. These behaviors are now set automatically
according to the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters
respectively: `HTTP-Redirect` will always use compression, while `HTTP-POST` will not. For clarity,
here "compression" is used to make redirect URLs which contain SAML messages be shorter. For POST
messages, compression may be achieved by enabling `Content-Encoding: gzip` on your webserver.

## Updating from 1.12.x to 1.13.0

Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and
Expand Down
5 changes: 3 additions & 2 deletions lib/ruby_saml/authrequest.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ def create_params(settings, params={})
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
binding_redirect = settings.idp_sso_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']

if relay_state.nil?
Expand All @@ -71,12 +72,12 @@ def create_params(settings, params={})

Logging.debug "Created AuthnRequest: #{request}"

request = deflate(request) if settings.compress_request
request = deflate(request) if binding_redirect
base64_request = encode(request)
request_params = {"SAMLRequest" => base64_request}
sp_signing_key = settings.get_sp_signing_key

if settings.idp_sso_service_binding == Utils::BINDINGS[:redirect] && settings.security[:authn_requests_signed] && sp_signing_key
if binding_redirect && settings.security[:authn_requests_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLRequest',
Expand Down
5 changes: 3 additions & 2 deletions lib/ruby_saml/logoutrequest.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ def create_params(settings, params={})
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
binding_redirect = settings.idp_slo_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']

if relay_state.nil?
Expand All @@ -68,12 +69,12 @@ def create_params(settings, params={})

Logging.debug "Created SLO Logout Request: #{request}"

request = deflate(request) if settings.compress_request
request = deflate(request) if binding_redirect
base64_request = encode(request)
request_params = {"SAMLRequest" => base64_request}
sp_signing_key = settings.get_sp_signing_key

if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && sp_signing_key
if binding_redirect && settings.security[:logout_requests_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLRequest',
Expand Down
6 changes: 3 additions & 3 deletions lib/ruby_saml/saml_message.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -104,11 +104,11 @@ def decode_raw_saml(saml, settings = nil)

# Deflate, base64 encode and url-encode a SAML Message (To be used in the HTTP-redirect binding)
# @param saml [String] The plain SAML Message
# @param settings [RubySaml::Settings|nil] Toolkit settings
# @param compress [true|false] Whether or not the SAML should be deflated.
# @return [String] The deflated and encoded SAML Message (encoded if the compression is requested)
#
def encode_raw_saml(saml, settings)
saml = deflate(saml) if settings.compress_request
def encode_raw_saml(saml, compress = false)
saml = deflate(saml) if compress

CGI.escape(encode(saml))
end
Expand Down
4 changes: 0 additions & 4 deletions lib/ruby_saml/settings.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,6 @@ def initialize(overrides = {}, keep_security_attributes = false)
attr_accessor :name_identifier_value
attr_accessor :name_identifier_value_requested
attr_accessor :sessionindex
attr_accessor :compress_request
attr_accessor :compress_response
attr_accessor :double_quote_xml_attribute_values
attr_accessor :message_max_bytesize
attr_accessor :passive
Expand Down Expand Up @@ -278,8 +276,6 @@ def get_binding(value)
assertion_consumer_service_binding: Utils::BINDINGS[:post],
single_logout_service_binding: Utils::BINDINGS[:redirect],
idp_cert_fingerprint_algorithm: XMLSecurity::Document::SHA1,
compress_request: true,
compress_response: true,
message_max_bytesize: 250_000,
soft: true,
double_quote_xml_attribute_values: false,
Expand Down
5 changes: 3 additions & 2 deletions lib/ruby_saml/slo_logoutresponse.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
# The method expects :RelayState but sometimes we get 'RelayState' instead.
# Based on the HashWithIndifferentAccess value in Rails we could experience
# conflicts so this line will solve them.
binding_redirect = settings.idp_slo_service_binding == Utils::BINDINGS[:redirect]
relay_state = params[:RelayState] || params['RelayState']

if relay_state.nil?
Expand All @@ -77,12 +78,12 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},

Logging.debug "Created SLO Logout Response: #{response}"

response = deflate(response) if settings.compress_response
response = deflate(response) if binding_redirect
base64_response = encode(response)
response_params = {"SAMLResponse" => base64_response}
sp_signing_key = settings.get_sp_signing_key

if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && sp_signing_key
if binding_redirect && settings.security[:logout_responses_signed] && sp_signing_key
params['SigAlg'] = settings.security[:signature_method]
url_string = RubySaml::Utils.build_query(
type: 'SAMLResponse',
Expand Down
29 changes: 4 additions & 25 deletions test/logoutrequest_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,21 +152,7 @@ class RequestTest < Minitest::Test
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
end

it "create a signed logout request" do
settings.compress_request = true

unauth_req = RubySaml::Logoutrequest.new
unauth_url = unauth_req.create(settings)

inflated = decode_saml_request_payload(unauth_url)
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
end

it "create an uncompressed signed logout request" do
settings.compress_request = false

params = RubySaml::Logoutrequest.new.create_params(settings)
request_xml = Base64.decode64(params["SAMLRequest"])

Expand All @@ -176,7 +162,6 @@ class RequestTest < Minitest::Test
end

it "create a signed logout request with 256 digest and signature method" do
settings.compress_request = false
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
settings.security[:digest_method] = XMLSecurity::Document::SHA256

Expand All @@ -188,7 +173,6 @@ class RequestTest < Minitest::Test
end

it "create a signed logout request with 512 digest and signature method RSA_SHA384" do
settings.compress_request = false
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA384
settings.security[:digest_method] = XMLSecurity::Document::SHA512

Expand All @@ -201,7 +185,6 @@ class RequestTest < Minitest::Test
end

it "create a signed logout request using the first certificate and key" do
settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
Expand All @@ -220,7 +203,6 @@ class RequestTest < Minitest::Test
end

it "create a signed logout request using the first valid certificate and key when :check_sp_cert_expiration is true" do
settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.security[:check_sp_cert_expiration] = true
Expand Down Expand Up @@ -328,7 +310,6 @@ class RequestTest < Minitest::Test

it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
Expand Down Expand Up @@ -366,22 +347,20 @@ class RequestTest < Minitest::Test

before do
# sign the logout request
settings.idp_slo_service_binding = RubySaml::Utils::BINDINGS[:post]
settings.security[:logout_requests_signed] = true
settings.security[:embed_sign] = true
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
end

it "created a signed logout request" do
settings.compress_request = true

unauth_req = RubySaml::Logoutrequest.new
unauth_url = unauth_req.create(settings)
inflated = unauth_req.create_logout_request_xml_doc(settings).to_s

inflated = decode_saml_request_payload(unauth_url)
assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>], inflated
assert_match %r[<ds:SignatureMethod Algorithm='http://www\.w3\.org/2000/09/xmldsig#rsa-sha1'/>], inflated
assert_match %r[<ds:DigestMethod Algorithm='http://www\.w3\.org/2000/09/xmldsig#sha1'/>], inflated
end
end

Expand Down
7 changes: 1 addition & 6 deletions test/request_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ class RequestTest < Minitest::Test
end

it "create the SAMLRequest URL parameter without deflating" do
settings.compress_request = false
settings.idp_sso_service_binding = RubySaml::Utils::BINDINGS[:post]
auth_url = RubySaml::Authrequest.new.create(settings)
assert_match(/^http:\/\/example\.com\?SAMLRequest=/, auth_url)
payload = CGI.unescape(auth_url.split("=").last)
Expand Down Expand Up @@ -242,7 +242,6 @@ class RequestTest < Minitest::Test

describe "#create_params signing with HTTP-POST binding" do
before do
settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.idp_sso_service_binding = :post
settings.security[:authn_requests_signed] = true
Expand Down Expand Up @@ -317,7 +316,6 @@ class RequestTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.idp_sso_service_binding = :redirect
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Expand Down Expand Up @@ -362,7 +360,6 @@ class RequestTest < Minitest::Test

it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
Expand Down Expand Up @@ -432,7 +429,6 @@ class RequestTest < Minitest::Test

describe "DEPRECATED: #create_params signing with HTTP-POST binding via :embed_sign" do
before do
settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.security[:authn_requests_signed] = true
settings.security[:embed_sign] = true
Expand All @@ -452,7 +448,6 @@ class RequestTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.compress_request = false
settings.idp_sso_service_url = "http://example.com?field=value"
settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
settings.security[:authn_requests_signed] = true
Expand Down
6 changes: 2 additions & 4 deletions test/saml_message_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,11 @@ class RubySamlTest < Minitest::Test
end

it "return encoded raw saml" do
settings.compress_request = true
encoded_raw = saml_message.send(:encode_raw_saml, logout_request_document, settings)
encoded_raw = saml_message.send(:encode_raw_saml, logout_request_document, true)
assert logout_request_deflated_base64, encoded_raw

settings.compress_request = false
deflated = saml_message.send(:deflate, logout_request_deflated_base64)
encoded_raw = saml_message.send(:encode_raw_saml, deflated, settings)
encoded_raw = saml_message.send(:encode_raw_saml, deflated, false)
assert logout_request_deflated_base64, encoded_raw
end

Expand Down
2 changes: 1 addition & 1 deletion test/settings_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ class SettingsTest < Minitest::Test
:idp_attribute_names, :issuer, :assertion_consumer_service_url, :single_logout_service_url,
:sp_name_qualifier, :name_identifier_format, :name_identifier_value, :name_identifier_value_requested,
:sessionindex, :attributes_index, :passive, :force_authn,
:compress_request, :double_quote_xml_attribute_values, :message_max_bytesize,
:double_quote_xml_attribute_values, :message_max_bytesize,
:security, :certificate, :private_key, :certificate_new, :sp_cert_multi,
:authn_context, :authn_context_comparison, :authn_context_decl_ref,
:assertion_consumer_logout_service_url
Expand Down
6 changes: 0 additions & 6 deletions test/slo_logoutresponse_test.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ class SloLogoutresponseTest < Minitest::Test
settings.idp_entity_id = 'https://app.onelogin.com/saml/metadata/SOMEACCOUNT'
settings.idp_slo_service_url = "http://unauth.com/logout"
settings.name_identifier_value = "f00f00"
settings.compress_request = true
settings.certificate = ruby_saml_cert_text
settings.private_key = ruby_saml_key_text
logout_request.settings = settings
Expand Down Expand Up @@ -102,7 +101,6 @@ class SloLogoutresponseTest < Minitest::Test
before do
settings.idp_sso_service_binding = :redirect
settings.idp_slo_service_binding = :post
settings.compress_response = false
settings.security[:logout_responses_signed] = true
end

Expand Down Expand Up @@ -232,7 +230,6 @@ class SloLogoutresponseTest < Minitest::Test
before do
settings.idp_sso_service_binding = :post
settings.idp_slo_service_binding = :redirect
settings.compress_response = false
settings.security[:logout_responses_signed] = true
end

Expand Down Expand Up @@ -313,7 +310,6 @@ class SloLogoutresponseTest < Minitest::Test

it "create a signature parameter using the first certificate and key" do
settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
settings.compress_request = false
settings.certificate = nil
settings.private_key = nil
settings.sp_cert_multi = {
Expand Down Expand Up @@ -349,7 +345,6 @@ class SloLogoutresponseTest < Minitest::Test

describe "DEPRECATED: signing with HTTP-POST binding via :embed_sign" do
before do
settings.compress_response = false
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = true
end
Expand Down Expand Up @@ -384,7 +379,6 @@ class SloLogoutresponseTest < Minitest::Test
let(:cert) { OpenSSL::X509::Certificate.new(ruby_saml_cert_text) }

before do
settings.compress_response = false
settings.security[:logout_responses_signed] = true
settings.security[:embed_sign] = false
end
Expand Down

0 comments on commit 75c8dc2

Please sign in to comment.