SAML-Toolkits#331. Allow multiple authn_context_decl_ref in settings

Author: pitbulk

lib/onelogin/ruby-saml/authrequest.rb

@@ -136,16 +136,19 @@ def create_xml_document(settings)
           }
 
           if settings.authn_context != nil
-            authn_contexts = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
-            authn_contexts.each do |authn_context|
+            authn_contexts_class_ref = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
+            authn_contexts_class_ref.each do |authn_context_class_ref|
               class_ref = requested_context.add_element "saml:AuthnContextClassRef"
-              class_ref.text = authn_context
+              class_ref.text = authn_context_class_ref
             end
           end
-          # add saml:AuthnContextDeclRef element
+
           if settings.authn_context_decl_ref != nil
-            class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
-            class_ref.text = settings.authn_context_decl_ref
+            authn_contexts_decl_refs = settings.authn_context_decl_ref.is_a?(Array) ? settings.authn_context_decl_ref : [settings.authn_context_decl_ref]
+            authn_contexts_decl_refs.each do |authn_context_decl_ref|
+              decl_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+              decl_ref.text = authn_context_decl_ref
+            end
           end
         end
 

lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -27,7 +27,7 @@ class IdpMetadataParser
       # IdP values
       #
       # @param (see IdpMetadataParser#get_idp_metadata)
-      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
       # @return (see IdpMetadataParser#get_idp_metadata)
       # @raise (see IdpMetadataParser#get_idp_metadata)
       def parse_remote(url, validate_cert = true, options = {})
@@ -37,12 +37,17 @@ def parse_remote(url, validate_cert = true, options = {})
 
       # Parse the Identity Provider metadata and update the settings with the IdP values
       # @param idp_metadata [String] 
-      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object
+      # @param options  [Hash]   :settings to provide the OneLogin::RubySaml::Settings object or an hash for Settings overrides
       #
       def parse(idp_metadata, options = {})
         @document = REXML::Document.new(idp_metadata)
 
-        (options[:settings] || OneLogin::RubySaml::Settings.new).tap do |settings|
+        settings = options[:settings]
+        if settings.nil? || settings.is_a?(Hash)
+          settings = OneLogin::RubySaml::Settings.new(settings || {})
+        end
+
+        settings.tap do |settings|
           settings.idp_entity_id = idp_entity_id
           settings.name_identifier_format = idp_name_id_format
           settings.idp_sso_target_url = single_signon_service_url(options)

lib/onelogin/ruby-saml/response.rb

@@ -248,6 +248,39 @@ def not_on_or_after
         @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
       end
 
+      # Gets the Issuers (from Response and Assertion).
+      # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
+      # @return [Array] Array with the Issuers (REXML::Element)
+      #
+      def issuers
+        @issuers ||= begin
+          issuers = []
+          issuer_response_nodes = REXML::XPath.match(
+            document,
+            "/p:Response/a:Issuer",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+
+          unless issuer_response_nodes.size == 1
+            error_msg = "Issuer of the Response not found or multiple."
+            ValidationError.new(error_msg)
+          end
+
+          doc = decrypted_document.nil? ? document : decrypted_document
+          issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+          unless issuer_assertion_nodes.size == 1
+            error_msg = "Issuer of the Assertion not found or multiple."
+            ValidationError.new(error_msg)
+          end
+
+          nodes = issuer_response_nodes + issuer_assertion_nodes
+          nodes.each do |node|
+            issuers << node.text if node.text
+          end
+          issuers.uniq
+        end
+      end
+
       # @return [String|nil] The InResponseTo attribute from the SAML Response.
       #
       def in_response_to
@@ -635,32 +668,13 @@ def validate_conditions
       def validate_issuer
         return true if settings.idp_entity_id.nil?
 
-        issuers = []
-        issuer_response_nodes = REXML::XPath.match(
-          document,
-          "/p:Response/a:Issuer",
-          { "p" => PROTOCOL, "a" => ASSERTION }
-        )
-
-        unless issuer_response_nodes.size == 1
-          error_msg = "Issuer of the Response not found or multiple."
-          return append_error(error_msg)
-        end
-
-        doc = decrypted_document.nil? ? document : decrypted_document
-        issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
-        unless issuer_assertion_nodes.size == 1
-          error_msg = "Issuer of the Assertion not found or multiple."
-          return append_error(error_msg)
-        end
-
-        nodes = issuer_response_nodes + issuer_assertion_nodes
-        nodes.each do |node|
-          issuers << node.text if node.text
+        begin
+          obtained_issuers = issuers
+        rescue ValidationError => e
+          return append_error(e.message)
         end
-        issuers.uniq
 
-        issuers.each do |issuer|
+        obtained_issuers.each do |issuer|
           unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
             error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
             return append_error(error_msg)

test/idp_metadata_parser_test.rb

@@ -56,6 +56,22 @@ def initialize; end
       assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
     end
 
+    it "uses settings options as hash for overrides" do
+      idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+      idp_metadata = read_response("idp_descriptor.xml")
+      settings = idp_metadata_parser.parse(idp_metadata, {
+        :settings => {
+          :security => {
+            :digest_method => XMLSecurity::Document::SHA256,
+            :signature_method => XMLSecurity::Document::RSA_SHA256
+          }
+        }
+      })
+      assert_equal "F1:3C:6B:80:90:5A:03:0E:6C:91:3E:5D:15:FA:DD:B0:16:45:48:72", settings.idp_cert_fingerprint
+      assert_equal XMLSecurity::Document::SHA256, settings.security[:digest_method]
+      assert_equal XMLSecurity::Document::RSA_SHA256, settings.security[:signature_method]
+    end
+
   end
 
   describe "download and parse IdP descriptor file" do

test/request_test.rb

@@ -285,5 +285,12 @@ class RequestTest < Minitest::Test
       auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
       assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<\/saml:AuthnContextDeclRef>/
     end
+
+    it "create multiple saml:AuthnContextDeclRef elements correctly " do
+      settings.authn_context_decl_ref = ['name/password/uri', 'example/decl/ref']
+      auth_doc = OneLogin::RubySaml::Authrequest.new.create_authentication_xml_doc(settings)
+      assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>name\/password\/uri<\/saml:AuthnContextDeclRef>/
+      assert auth_doc.to_s =~ /<saml:AuthnContextDeclRef>example\/decl\/ref<\/saml:AuthnContextDeclRef>/
+    end
   end
 end