#354 Allows scheme and domain to match ignoring case

Author: pitbulk

lib/onelogin/ruby-saml/logoutresponse.rb

@@ -195,7 +195,7 @@ def valid_in_response_to?
       def valid_issuer?
         return true if settings.idp_entity_id.nil? || issuer.nil?
 
-        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
           return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
         end
         true

lib/onelogin/ruby-saml/response.rb

@@ -600,7 +600,7 @@ def validate_destination
 
         return true if settings.assertion_consumer_service_url.nil? || settings.assertion_consumer_service_url.empty?
 
-        unless destination == settings.assertion_consumer_service_url
+        unless OneLogin::RubySaml::Utils.uri_match?(destination, settings.assertion_consumer_service_url)
           error_msg = "The response was received at #{destination} instead of #{settings.assertion_consumer_service_url}"
           return append_error(error_msg)
         end
@@ -675,7 +675,7 @@ def validate_issuer
         end
 
         obtained_issuers.each do |issuer|
-          unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+          unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
             error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
             return append_error(error_msg)
           end

lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -212,7 +212,7 @@ def validate_request_state
       def validate_issuer
         return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
 
-        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
           return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
         end
 

lib/onelogin/ruby-saml/utils.rb

@@ -193,6 +193,33 @@ def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
       def self.uuid
         RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
       end
+
+      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
+      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
+      # two strings.  This maintains the previous functionality.
+      # @return [Boolean]
+      def self.uri_match?(destination_url, settings_url)
+        dest_uri = URI.parse(destination_url)
+        acs_uri = URI.parse(settings_url)
+
+        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+          raise URI::InvalidURIError
+        else
+          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+            dest_uri.host.downcase == acs_uri.host.downcase &&
+            dest_uri.path == acs_uri.path &&
+            dest_uri.query == acs_uri.query
+        end
+      rescue URI::InvalidURIError
+        original_uri_match?(destination_url, settings_url)
+      end
+
+      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+      # @return [Boolean]
+      def self.original_uri_match?(destination_url, settings_url)
+        destination_url == settings_url
+      end
     end
   end
 end

test/response_test.rb

@@ -435,6 +435,34 @@ class RubySamlTest < Minitest::Test
         assert !response_empty_destination.send(:validate_destination)
         assert_includes response_empty_destination.errors, "The response has an empty Destination value"
       end
+
+      it "returns true on a case insensitive match on the domain" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'http://APP.muDa.no/sso/consume'
+        assert response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_empty response_valid_signed_without_x509certificate.errors
+      end
+
+      it "returns true on a case insensitive match on the scheme" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'HTTP://app.muda.no/sso/consume'
+        assert response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_empty response_valid_signed_without_x509certificate.errors
+      end
+
+      it "returns false on a case insenstive match on the path" do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'http://app.muda.no/SSO/consume'
+        assert !response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_includes response_valid_signed_without_x509certificate.errors, "The response was received at #{response_valid_signed_without_x509certificate.destination} instead of #{response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url}"
+      end
+
+      it "returns true if it can't parse out a full URI." do
+        response_valid_signed_without_x509certificate.settings = settings
+        response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url = 'presenter'
+        assert !response_valid_signed_without_x509certificate.send(:validate_destination)
+        assert_includes response_valid_signed_without_x509certificate.errors, "The response was received at #{response_valid_signed_without_x509certificate.destination} instead of #{response_valid_signed_without_x509certificate.settings.assertion_consumer_service_url}"
+      end
     end
 
     describe "#validate_issuer" do

test/utils_test.rb

@@ -1,4 +1,4 @@
-require "test_helper"
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
 
 class UtilsTest < Minitest::Test
   describe ".format_cert" do
@@ -154,5 +154,55 @@ class UtilsTest < Minitest::Test
         refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
       end
     end
+
+    describe 'uri_match' do
+      it 'matches two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'fails to match two urls' do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/othertest?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the scheme case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'HTTP://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "matches two URLs if the host case doesn't match" do
+        destination = 'http://www.EXAMPLE.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the path case doesn't match" do
+        destination = 'http://www.example.com/TEST?var=stuff'
+        settings = 'http://www.example.com/test?var=stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two URLs if the query case doesn't match" do
+        destination = 'http://www.example.com/test?var=stuff'
+        settings = 'http://www.example.com/test?var=STUFF'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it 'matches two non urls' do
+        destination = 'stuff'
+        settings = 'stuff'
+        assert OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+
+      it "fails to match two non urls" do
+        destination = 'stuff'
+        settings = 'not stuff'
+        assert !OneLogin::RubySaml::Utils.uri_match?(destination, settings)
+      end
+    end
   end
 end