SAML-Toolkits
diff --git a/‎lib/onelogin/ruby-saml/response.rb‎
Lines changed: 38 additions & 30 deletions b/‎lib/onelogin/ruby-saml/response.rb‎
Lines changed: 38 additions & 30 deletions
diff --git a/‎lib/onelogin/ruby-saml/utils.rb‎
Lines changed: 15 additions & 5 deletions b/‎lib/onelogin/ruby-saml/utils.rb‎
Lines changed: 15 additions & 5 deletions
diff --git a/‎test/response_test.rb‎
Lines changed: 20 additions & 39 deletions b/‎test/response_test.rb‎
Lines changed: 20 additions & 39 deletions
diff --git a/‎test/responses/invalids/response_encrypted_attrs.xml.base64‎
Lines changed: 0 additions & 1 deletion b/‎test/responses/invalids/response_encrypted_attrs.xml.base64‎
Lines changed: 0 additions & 1 deletion
@@ -132,6 +132,7 @@ def sessionindex
       #    attributes['name']
       #
       # @return [Attributes] OneLogin::RubySaml::Attributes enumerable collection.
+      # @raise [ValidationError] if there are 2+ Attribute with the same Name
       #
       def attributes
         @attr_statements ||= begin
@@ -140,8 +141,19 @@ def attributes
           stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
           stmt_elements.each do |stmt_element|
             stmt_element.elements.each do |attr_element|
-              name = attr_element.attributes["Name"]
-              values = attr_element.elements.collect{|e|
+              if attr_element.name == "EncryptedAttribute"
+                node = decrypt_attribute(attr_element.dup)
+              else
+                node = attr_element
+              end
+
+              name  = node.attributes["Name"]
+
+              if options[:check_duplicated_attributes] && attributes.include?(name)
+                raise ValidationError.new("Found an Attribute element with duplicated Name")
+              end
+
+              values = node.elements.collect{|e|
                 if (e.elements.nil? || e.elements.size == 0)
                   # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
                   # otherwise the value is to be regarded as empty.
@@ -300,7 +312,6 @@ def validate(collect_errors = false)
           :validate_id,
           :validate_success_status,
           :validate_num_assertion,
-          :validate_no_encrypted_attributes,
           :validate_no_duplicated_attributes,
           :validate_signed_elements,
           :validate_structure,
@@ -432,37 +443,17 @@ def validate_num_assertion
         true
       end
 
-      # Validates that there are not EncryptedAttribute (not supported)
-      # If fails, the error is added to the errors array
-      # @return [Boolean] True if there are no EncryptedAttribute elements, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails
-      #
-      def validate_no_encrypted_attributes
-        nodes = xpath_from_signed_assertion("/a:AttributeStatement/a:EncryptedAttribute")        
-        if nodes && nodes.length > 0
-          return append_error("There is an EncryptedAttribute in the Response and this SP not support them")
-        end
-
-        true
-      end
-
       # Validates that there are not duplicated attributes
       # If fails, the error is added to the errors array
       # @return [Boolean] True if there are no duplicated attribute elements, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_no_duplicated_attributes
         if options[:check_duplicated_attributes]
-          processed_names = []
-          stmt_elements = xpath_from_signed_assertion('/a:AttributeStatement')
-          stmt_elements.each do |stmt_element|
-            stmt_element.elements.each do |attr_element|
-              name = attr_element.attributes["Name"]
-              if attributes.include?(name)
-                return append_error("Found an Attribute element with duplicated Name")
-              end
-              processed_names.add(name)
-            end
+          begin
+            attributes
+          rescue ValidationError => e
+            return append_error(e.message)
           end
         end
 
@@ -928,22 +919,39 @@ def decrypt_nameid(encryptedid_node)
         decrypt_element(encryptedid_node, /(.*<\/(\w+:)?NameID>)/m)
       end
 
+      # Decrypts an EncryptedID element
+      # @param encryptedid_node [REXML::Element] The EncryptedID element
+      # @return [REXML::Document] The decrypted EncrypedtID element
+      #
+      def decrypt_attribute(encryptedattribute_node)
+        decrypt_element(encryptedattribute_node, /(.*<\/(\w+:)?Attribute>)/m)
+      end
+
       # Decrypt an element
       # @param encryptedid_node [REXML::Element] The encrypted element
+      # @param rgrex string Regex
       # @return [REXML::Document] The decrypted element
       #
       def decrypt_element(encrypt_node, rgrex)
         if settings.nil? || !settings.get_sp_key
           raise ValidationError.new('An ' + encrypt_node.name + ' found and no SP private key found on the settings to decrypt it')
         end
 
+
+        if encrypt_node.name == 'EncryptedAttribute'
+          node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+        else
+          node_header = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
+        end
+
         elem_plaintext = OneLogin::RubySaml::Utils.decrypt_data(encrypt_node, settings.get_sp_key)
         # If we get some problematic noise in the plaintext after decrypting.
         # This quick regexp parse will grab only the Element and discard the noise.
         elem_plaintext = elem_plaintext.match(rgrex)[0]
-        # To avoid namespace errors if saml namespace is not defined at assertion_plaintext
-        # create a parent node first with the saml namespace defined
-        elem_plaintext = '<node xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' + elem_plaintext + '</node>'
+
+        # To avoid namespace errors if saml namespace is not defined
+        # create a parent node first with the namespace defined
+        elem_plaintext = node_header + elem_plaintext + '</node>'
         doc = REXML::Document.new(elem_plaintext)
         doc.root[0]
       end
 
@@ -111,13 +111,13 @@ def self.decrypt_data(encrypted_node, private_key)
         symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
         cipher_value = REXML::XPath.first(
           encrypt_data,
-          "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue",
+          "./xenc:CipherData/xenc:CipherValue",
           { 'xenc' => XENC }
         )
         node = Base64.decode64(cipher_value.text)
         encrypt_method = REXML::XPath.first(
           encrypt_data,
-          "//xenc:EncryptedData/xenc:EncryptionMethod",
+          "./xenc:EncryptionMethod",
           { 'xenc' => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']
@@ -131,10 +131,12 @@ def self.decrypt_data(encrypted_node, private_key)
       def self.retrieve_symmetric_key(encrypt_data, private_key)
         encrypted_key = REXML::XPath.first(
           encrypt_data,
-          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
-           //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
-          { "ds" => DSIG, "xenc" => XENC }
+          "./ds:KeyInfo/xenc:EncryptedKey or \
+           //xenc:EncryptedKey[@Id=$id]",
+          { "ds" => DSIG, "xenc" => XENC },
+          { "id" =>  self.retrieve_symetric_key_reference(encrypt_data) }
         )
+
         encrypted_symmetric_key_element = REXML::XPath.first(
           encrypted_key,
           "./xenc:CipherData/xenc:CipherValue",
@@ -150,6 +152,14 @@ def self.retrieve_symmetric_key(encrypt_data, private_key)
         retrieve_plaintext(cipher_text, private_key, algorithm)
       end
 
+      def self.retrieve_symetric_key_reference(encrypt_data)
+        REXML::XPath.first(
+          encrypt_data,
+          "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
+          { "ds" => DSIG }
+        )
+      end
+
       # Obtains the deciphered text
       # @param cipher_text [String]   The ciphered text
       # @param symmetric_key [String] The symetric key used to encrypt the text
 
@@ -28,7 +28,7 @@ class RubySamlTest < Minitest::Test
     let(:response_no_statuscode) { OneLogin::RubySaml::Response.new(read_invalid_response("no_status_code.xml.base64")) }
     let(:response_statuscode_responder) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responder.xml.base64")) }
     let(:response_statuscode_responder_and_msg) { OneLogin::RubySaml::Response.new(read_invalid_response("status_code_responer_and_msg.xml.base64")) }
-    let(:response_encrypted_attrs) { OneLogin::RubySaml::Response.new(read_invalid_response("response_encrypted_attrs.xml.base64")) }
+    let(:response_encrypted_attrs) { OneLogin::RubySaml::Response.new(response_document_encrypted_attrs) }
     let(:response_no_signed_elements) { OneLogin::RubySaml::Response.new(read_invalid_response("no_signature.xml.base64")) }
     let(:response_multiple_signed) { OneLogin::RubySaml::Response.new(read_invalid_response("multiple_signed.xml.base64")) }
     let(:response_invalid_audience) { OneLogin::RubySaml::Response.new(read_invalid_response("invalid_audience.xml.base64")) }
@@ -198,17 +198,6 @@ class RubySamlTest < Minitest::Test
           assert_includes response_valid_signed.errors, error_msg
         end
 
-        it "raise when the assertion contains encrypted attributes" do
-          settings.idp_cert_fingerprint = signature_fingerprint_1
-          response_encrypted_attrs.settings = settings
-          response_encrypted_attrs.soft = false
-          error_msg = "There is an EncryptedAttribute in the Response and this SP not support them"
-          assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
-            response_encrypted_attrs.is_valid?
-          end
-          assert_includes response_encrypted_attrs.errors, error_msg
-        end
-
         it "raise when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
           settings.issuer = 'invalid'
@@ -365,14 +354,6 @@ class RubySamlTest < Minitest::Test
           assert_includes response_valid_signed.errors, "The InResponseTo of the Response: _fc4a34b0-7efb-012e-caae-782bcb13bb38, does not match the ID of the AuthNRequest sent by the SP: invalid_request_id"
         end
 
-        it "return false when the assertion contains encrypted attributes" do
-          settings.idp_cert_fingerprint = signature_fingerprint_1
-          response_encrypted_attrs.settings = settings
-          response_encrypted_attrs.soft = true
-          response_encrypted_attrs.is_valid?
-          assert_includes response_encrypted_attrs.errors, "There is an EncryptedAttribute in the Response and this SP not support them"
-        end
-
         it "return false when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
           settings.issuer = 'invalid'
@@ -559,20 +540,6 @@ class RubySamlTest < Minitest::Test
       end
     end
 
-    describe "#validate_no_encrypted_attributes" do
-      it "return true when the assertion does not contain encrypted attributes" do
-        response_valid_signed.settings = settings
-        assert response_valid_signed.send(:validate_no_encrypted_attributes)
-        assert_empty response_valid_signed.errors
-      end
-
-      it "return false when the assertion contains encrypted attributes" do
-        response_encrypted_attrs.settings = settings
-        assert !response_encrypted_attrs.send(:validate_no_encrypted_attributes)
-        assert_includes response_encrypted_attrs.errors, "There is an EncryptedAttribute in the Response and this SP not support them"
-      end
-    end
-
     describe "#validate_audience" do
       it "return true when the audience is valid" do
         response_valid_signed.settings = settings
@@ -953,15 +920,29 @@ class RubySamlTest < Minitest::Test
         assert_equal "bob", response_with_multiple_attribute_statements.attributes[:firstname]
       end
 
-      it "not raise errors about nil/empty attributes for EncryptedAttributes" do
-        response_no_cert_and_encrypted_attrs = OneLogin::RubySaml::Response.new(response_document_no_cert_and_encrypted_attrs)
-        assert_equal 'Demo', response_no_cert_and_encrypted_attrs.attributes["first_name"]
-      end
-
       it "not raise on responses without attributes" do
         assert_equal OneLogin::RubySaml::Attributes.new, response_unsigned.attributes
       end
 
+      describe "#encrypted attributes" do
+        it "raise error when the assertion contains encrypted attributes but no private key to decrypt" do
+          settings.private_key = nil
+          response_encrypted_attrs.settings = settings
+          assert_raises(OneLogin::RubySaml::ValidationError, "An EncryptedAttribute found and no SP private key found on the settings to decrypt it") do
+            attrs = response_encrypted_attrs.attributes
+          end
+        end
+
+        it "extract attributes when the assertion contains encrypted attributes and the private key is provided" do
+          settings.certificate = ruby_saml_cert_text
+          settings.private_key = ruby_saml_key_text
+          response_encrypted_attrs.settings = settings
+          attributes = response_encrypted_attrs.attributes
+          assert_equal "test", attributes[:uid]
+          assert_equal "[email protected]", attributes[:mail]
+        end
+      end
+
       it "return false when validating a response with duplicate attributes" do
         response_duplicated_attributes.settings = settings
         response_duplicated_attributes.options[:check_duplicated_attributes] = true