-
-
Notifications
You must be signed in to change notification settings - Fork 566
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SAML Response, Logout Request and Logout Response validations. Add also tests and documentation #197
Conversation
…tead of request.host
@luisvm @Lordnibbler @daniel-g Can you review this PR? |
# If fails, the attribute errors will contains the reason for the invalidation. | ||
# @param [Boolean] soft Enable or Disable the soft mode (In order to raise exceptions when the logout response is invalid or not) | ||
# @param [String|nil] request_id The ID of the Logout Request sent by this SP to the IdP (if was sent any) | ||
# @return [Boolean|ValidationError] True if the Logout Response is valid, otherwise |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can take this approach with documentation when there is the possibility that a method will raise
an exception
# Validates the Logout Response (calls several validation methods)
# If fails, the attribute errors will contains the reason for the invalidation.
# @param [Boolean] soft Enable or Disable the soft mode in order to raise exceptions if logout response is invalid
# @param [String|nil] request_id The ID of the Logout Request sent by this SP to the IdP (if was sent any)
# @return [Boolean|ValidationError] true if the Logout Response is valid, otherwise false if soft == true
# @raise [ValidationError] if soft == false
I recommend cleaning up documentation in all other methods that uses this syntax, as it will not generate pretty documentation in YARD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok I will see what YARD generates and fix the documentation to be compatible with YARD.
|
@@ -60,6 +71,102 @@ def response_document_7 | |||
@response_document7 ||= Base64.encode64(File.read(File.join(File.dirname(__FILE__), 'responses', 'response_no_cert_and_encrypted_attrs.xml'))) | |||
end | |||
|
|||
def response_document_8 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i dont see this being used?
end | ||
end | ||
|
||
describe "#build_query" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either fill these in or remove them.
I appreciate the renewed effort this library is receiving, however I think you need to be very careful about affecting both all of the people currently using it, and the ability to continue maintaining it going forward. There is a lot going on here, and as someone who is also working on functionality and changes to this library, PRs like this make things harder to understand and harder to change. |
+1 on breaking it apart |
I appreciate the review that you did to the code and will fix it asap. As you noticed the gem had some validation required on the SAML standard that were missed. I tested it with IdPs and added code coverage to be sure that all keep working. I plan to give time people to test it in master before releasing a new version of the gem. I apologies for my ruby knowledge. I'm a SAML expert that developed the php-saml and the python-saml and doing my best learning ruby fast. |
@pitbulk I think it's commendable that you are putting so much time and effort into making this a better library. If SAMl is your area of expertise, how about a process like this: (1) create tagged issues around features and fixes that are needed, (2) propose those fixes and features in small, concise pull requests, (3) let the community help you with the Ruby aspect of it, (4) merge and be happy. :) |
def issuers | ||
@issuers ||= begin | ||
issuers = [] | ||
nodes = REXML::XPath.match(document, "/p:Response/a:Issuer | /p:Response/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pitbulk should we make sure it's the absolute path (//p:Response/a:Issuer
) or should we keep the relative ones?
- Use of assert_match and assert_includes in tests - Delete unnecesary spaces - or/and replaced by || and && in conditions - New reset_errors and append_error methods - REXML::PAth sentences Formatted - Some vars renamed by descriptive names
I'm also in the process of rolling out SAML to one of our products, and started hacking out support for multiple signing certificates from the IdP when I came across this and #195. So before I just fork and start crazily modifying the project perhaps a discussion around joining efforts would be good? |
…validations Fingerprint Algorithm Support Conflicts: lib/onelogin/ruby-saml/response.rb test/xml_security_test.rb
* Comment the code * Remove spaces and format some lines * Remove unnecesary errors method
Some features from the PR #197 (PR splitted): * Comment the code. * Remove spaces and format some lines. * Remove unnecessary errors method. * Improve format_cert and format_private_key. * Fix xpath injection on xml_security.rb
Related to #197, Improve validations: * Store the causes in the errors array * Clean code Improve response_test, test_helper and xml_security: * Avoid random names (vars and files) * Clean code
def idp_entity_id | ||
node = REXML::XPath.first(document, "/md:EntityDescriptor/@entityID", { "md" => METADATA }) | ||
node = REXML::XPath.first( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do all of these value accessors guarantee that the value was fetched from a part of the SAML response that was covered by the XMLDSIG signature? There have been successful attacks on SAML implementations by sending assertions with additional fields that were not covered by the signature, but were trusted because the parts of the assertion that were signed were valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Notice that here we are parsing Metadatas, not SAMLResponses
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
This PR is a meta-PR: