Merge pull request #201 from Umofomia/fix-default-security-settings

Freeze and duplicate default security settings hash so that it doesn't get modified.

Author: Lordnibbler

lib/onelogin/ruby-saml/settings.rb

@@ -5,7 +5,10 @@ def initialize(overrides = {})
         config = DEFAULTS.merge(overrides)
         config.each do |k,v|
           acc = "#{k.to_s}=".to_sym
-          self.send(acc, v) if self.respond_to? acc
+          if self.respond_to? acc
+            value = v.is_a?(Hash) ? v.dup : v
+            self.send(acc, value)
+          end
         end
         @attribute_consuming_service = AttributeService.new
       end
@@ -97,8 +100,8 @@ def get_sp_key
       private
 
       DEFAULTS = {
-        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
         :compress_request                          => true,
         :compress_response                         => true,
         :security                                  => {
@@ -108,9 +111,9 @@ def get_sp_key
           :embed_sign               => false,
           :digest_method            => XMLSecurity::Document::SHA1,
           :signature_method         => XMLSecurity::Document::SHA1
-        },
+        }.freeze,
         :double_quote_xml_attribute_values         => false,
-      }
+      }.freeze
     end
   end
 end

test/logoutrequest_test.rb

@@ -104,6 +104,8 @@ class RequestTest < Minitest::Test
 
         inflated = decode_saml_request_payload(unauth_url)
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], inflated
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], inflated
       end
 
       it "create a signed logout request with 256 digest and signature methods" do
@@ -123,8 +125,8 @@ class RequestTest < Minitest::Test
         request_xml = Base64.decode64(params["SAMLRequest"])
 
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'/>], request_xml
       end
     end
 

test/request_test.rb

@@ -156,8 +156,8 @@ class RequestTest < Minitest::Test
         params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>], request_xml
       end
 
       it "create a signed request with 256 digest and signature methods" do
@@ -174,8 +174,8 @@ class RequestTest < Minitest::Test
         params = OneLogin::RubySaml::Authrequest.new.create_params(settings)
         request_xml = Base64.decode64(params["SAMLRequest"])
         assert_match %r[<ds:SignatureValue>([a-zA-Z0-9/+=]+)</ds:SignatureValue>], request_xml
-        request_xml =~ /<ds:SignatureMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha256'\/>/
-        request_xml =~ /<ds:DigestMethod Algorithm='http:\/\/www.w3.org\/2001\/04\/xmldsig-more#rsa-sha512'\/>/
+        assert_match %r[<ds:SignatureMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'/>], request_xml
+        assert_match %r[<ds:DigestMethod Algorithm='http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'/>], request_xml
       end
     end
 

test/settings_test.rb

@@ -61,5 +61,19 @@ class SettingsTest < Minitest::Test
       assert_equal @settings.attribute_consuming_service.name, "Test Service"
       assert_equal @settings.attribute_consuming_service.attributes, [{:name => "Name", :name_format => "Name Format", :friendly_name => "Friendly Name" }]
     end
+
+    it "does not modify default security settings" do
+      settings = OneLogin::RubySaml::Settings.new
+      settings.security[:authn_requests_signed] = true
+      settings.security[:embed_sign] = true
+      settings.security[:digest_method] = XMLSecurity::Document::SHA256
+      settings.security[:signature_method] = XMLSecurity::Document::SHA256
+
+      new_settings = OneLogin::RubySaml::Settings.new
+      assert_equal new_settings.security[:authn_requests_signed], false
+      assert_equal new_settings.security[:embed_sign], false
+      assert_equal new_settings.security[:digest_method], XMLSecurity::Document::SHA1
+      assert_equal new_settings.security[:signature_method], XMLSecurity::Document::SHA1
+    end
   end
 end