Deprecate the use of settings.issuer. Use instead settings.sp_entity_id

pitbulk · pitbulk · commit 660fc1071b59 · 2019-05-07T11:41:22.000+02:00
diff --git a/README.md b/README.md
@@ -238,7 +238,7 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/#{OneLoginAppId}"
   settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
@@ -262,6 +262,8 @@ def saml_settings
 end
 ```
 
+The use of settings.issuer is deprecated in favour of settings.sp_entity_id
+
 Some assertion validations can be skipped by passing parameters to `OneLogin::RubySaml::Response.new()`.  For example, you can skip the `AuthnStatement`, `Conditions`, `Recipient`, or the `SubjectConfirmation` validations by initializing the response with different options:
 
 ```ruby
@@ -301,7 +303,7 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = "http://#{request.host}/saml/metadata"
+    settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
     settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -364,7 +366,7 @@ def saml_settings
   settings = idp_metadata_parser.parse_remote("https://example.com/auth/saml2/idp/metadata")
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-  settings.issuer                         = "http://#{request.host}/saml/metadata"
+  settings.sp_entity_id                   = "http://#{request.host}/saml/metadata"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
   # Optional for most SAML IdPs
   settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
diff --git a/lib/onelogin/ruby-saml/authrequest.rb b/lib/onelogin/ruby-saml/authrequest.rb
@@ -117,9 +117,9 @@ def create_xml_document(settings)
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value_requested != nil
diff --git a/lib/onelogin/ruby-saml/logoutrequest.rb b/lib/onelogin/ruby-saml/logoutrequest.rb
@@ -105,9 +105,9 @@ def create_xml_document(settings)
         root.attributes['Version'] = "2.0"
         root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
 
-        if settings.issuer
+        if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         nameid = root.add_element "saml:NameID"
diff --git a/lib/onelogin/ruby-saml/logoutresponse.rb b/lib/onelogin/ruby-saml/logoutresponse.rb
@@ -163,7 +163,7 @@ def valid_state?
 
         return append_error("No settings on logout response") if settings.nil?
 
-        return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
+        return append_error("No sp_entity_id in settings of the logout response") if settings.sp_entity_id.nil?
 
         if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil? && settings.idp_cert_multi.nil?
           return append_error("No fingerprint or certificate on settings of the logout response")
diff --git a/lib/onelogin/ruby-saml/metadata.rb b/lib/onelogin/ruby-saml/metadata.rb
@@ -57,8 +57,8 @@ def generate(settings, pretty_print=false)
         end
 
         root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
-        if settings.issuer
-          root.attributes["entityID"] = settings.issuer
+        if settings.sp_entity_id
+          root.attributes["entityID"] = settings.sp_entity_id
         end
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -589,11 +589,11 @@ def validate_in_response_to
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_audience
-        return true if audiences.empty? || settings.issuer.nil? || settings.issuer.empty?
+        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
-        unless audiences.include? settings.issuer
+        unless audiences.include? settings.sp_entity_id
           s = audiences.count > 1 ? 's' : '';
-          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.issuer}"
+          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
           return append_error(error_msg)
         end
 
@@ -781,8 +781,8 @@ def validate_name_id
             return append_error("An empty NameID value found")
           end
 
-          unless settings.issuer.nil? || settings.issuer.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
-            if name_id_spnamequalifier != settings.issuer
+          unless settings.sp_entity_id.nil? || settings.sp_entity_id.empty? || name_id_spnamequalifier.nil? || name_id_spnamequalifier.empty?
+            if name_id_spnamequalifier != settings.sp_entity_id
               return append_error("The SPNameQualifier value mistmatch the SP entityID value.")
             end
           end
diff --git a/lib/onelogin/ruby-saml/settings.rb b/lib/onelogin/ruby-saml/settings.rb
@@ -40,7 +40,6 @@ def initialize(overrides = {}, keep_security_attributes = false)
       attr_accessor :idp_name_qualifier
       attr_accessor :valid_until
       # SP Data
-      attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
       attr_accessor :assertion_consumer_service_binding
       attr_accessor :sp_name_qualifier
@@ -68,6 +67,28 @@ def initialize(overrides = {}, keep_security_attributes = false)
       # Compability
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :assertion_consumer_logout_service_binding
+      attr_accessor :issuer
+
+      # @return [String] SP Entity ID
+      #
+      def sp_entity_id
+        val = nil
+        if @sp_entity_id.nil?
+          if @issuer
+            val = @issuer
+          end
+        else
+          val = @sp_entity_id
+        end
+        val
+      end
+
+      # Setter for SP Entity ID.
+      # @param val [String].
+      #
+      def sp_entity_id=(val)
+        @sp_entity_id = val
+      end
 
       # @return [String] Single Logout Service URL.
       #
diff --git a/lib/onelogin/ruby-saml/slo_logoutresponse.rb b/lib/onelogin/ruby-saml/slo_logoutresponse.rb
@@ -114,9 +114,9 @@ def create_xml_document(settings, request_id = nil, logout_message = nil)
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
         root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
 
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         # add success message
diff --git a/test/logoutresponse_test.rb b/test/logoutresponse_test.rb
@@ -62,7 +62,7 @@ class RubySamlTest < Minitest::Test
 
           assert logoutresponse.validate
 
-          assert_equal settings.issuer, logoutresponse.issuer
+          assert_equal settings.sp_entity_id, logoutresponse.issuer
           assert_equal in_relation_to_request_id, logoutresponse.in_response_to
 
           assert logoutresponse.success?
@@ -123,12 +123,13 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester -> Logoutrequest expired"
         end
 
-        it "invalidate logout response when in lack of issuer setting" do
+        it "invalidate logout response when in lack of sp_entity_id setting" do
           bad_settings = settings
           bad_settings.issuer = nil
+          bad_settings.sp_entity_id = nil
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, bad_settings)
           assert !logoutresponse.validate
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+          assert_includes logoutresponse.errors, "No sp_entity_id in settings of the logout response"
         end
 
         it "invalidate logout response with wrong issuer" do
@@ -202,11 +203,12 @@ class RubySamlTest < Minitest::Test
           assert_includes logoutresponse.errors, "The status code of the Logout Response was not Success, was Requester"
         end
 
-        it "raise validation error when in lack of issuer setting" do
+        it "raise validation error when in lack of sp_entity_id setting" do
           settings.issuer = nil
+          settings.sp_entity_id = nil
           logoutresponse = OneLogin::RubySaml::Logoutresponse.new(unsuccessful_logout_response_document, settings)
           assert_raises(OneLogin::RubySaml::ValidationError) { logoutresponse.validate }
-          assert_includes logoutresponse.errors, "No issuer in settings of the logout response"
+          assert_includes logoutresponse.errors, "No sp_entity_id in settings of the logout response"
         end
 
         it "raise validation error when logout response with wrong issuer" do
diff --git a/test/metadata_test.rb b/test/metadata_test.rb
@@ -12,7 +12,7 @@ class MetadataTest < Minitest::Test
     let(:acs)               { REXML::XPath.first(xml_doc, "//md:AssertionConsumerService") }
 
     before do
-      settings.issuer = "https://example.com"
+      settings.sp_entity_id = "https://example.com"
       settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
       settings.assertion_consumer_service_url = "https://foo.example/saml/consume"
     end
diff --git a/test/response_test.rb b/test/response_test.rb
@@ -259,10 +259,10 @@ def generate_audience_error(expected, actual)
 
         it "raise when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_valid_signed.settings = settings
           response_valid_signed.soft = false
-          error_msg = generate_audience_error(response_valid_signed.settings.issuer, ['https://someone.example.com/audience'])
+          error_msg = generate_audience_error(response_valid_signed.settings.sp_entity_id, ['https://someone.example.com/audience'])
           assert_raises(OneLogin::RubySaml::ValidationError, error_msg) do
             response_valid_signed.is_valid?
           end
@@ -415,11 +415,11 @@ def generate_audience_error(expected, actual)
 
         it "return false when there is no valid audience" do
           settings.idp_cert_fingerprint = signature_fingerprint_1
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_valid_signed.settings = settings
           response_valid_signed.is_valid?
 
-          assert_includes response_valid_signed.errors, generate_audience_error(response_valid_signed.settings.issuer, ['https://someone.example.com/audience'])
+          assert_includes response_valid_signed.errors, generate_audience_error(response_valid_signed.settings.sp_entity_id, ['https://someone.example.com/audience'])
         end
 
         it "return false when no ID present in the SAML Response" do
@@ -451,7 +451,7 @@ def generate_audience_error(expected, actual)
 
         it "collect errors when collect_errors=true" do
           settings.idp_cert = ruby_saml_cert_text
-          settings.issuer = 'invalid'
+          settings.sp_entity_id = 'invalid'
           response_invalid_subjectconfirmation_recipient.settings = settings
           collect_errors = true
           response_invalid_subjectconfirmation_recipient.is_valid?(collect_errors)
@@ -464,23 +464,23 @@ def generate_audience_error(expected, actual)
     describe "#validate_audience" do
       it "return true when the audience is valid" do
         response.settings = settings
-        response.settings.issuer = '{audience}'
+        response.settings.sp_entity_id = '{audience}'
         assert response.send(:validate_audience)
         assert_empty response.errors
       end
 
       it "return true when the audience is self closing" do
         response_audience_self_closed.settings = settings
-        response_audience_self_closed.settings.issuer = '{audience}'
+        response_audience_self_closed.settings.sp_entity_id = '{audience}'
         assert response_audience_self_closed.send(:validate_audience)
         assert_empty response_audience_self_closed.errors
       end
 
       it "return false when the audience is valid" do
         response.settings = settings
-        response.settings.issuer = 'invalid_audience'
+        response.settings.sp_entity_id = 'invalid_audience'
         assert !response.send(:validate_audience)
-        assert_includes response.errors, generate_audience_error(response.settings.issuer, ['{audience}'])
+        assert_includes response.errors, generate_audience_error(response.settings.sp_entity_id, ['{audience}'])
       end
     end
 
@@ -665,23 +665,23 @@ def generate_audience_error(expected, actual)
     describe "#validate_audience" do
       it "return true when the audience is valid" do
         response_valid_signed.settings = settings
-        response_valid_signed.settings.issuer = "https://someone.example.com/audience"
+        response_valid_signed.settings.sp_entity_id = "https://someone.example.com/audience"
         assert response_valid_signed.send(:validate_audience)
         assert_empty response_valid_signed.errors
       end
 
-      it "return true when there is not issuer defined" do
+      it "return true when there is not sp_entity_id defined" do
         response_valid_signed.settings = settings
-        response_valid_signed.settings.issuer = nil
+        response_valid_signed.settings.sp_entity_id = nil
         assert response_valid_signed.send(:validate_audience)
         assert_empty response_valid_signed.errors
       end
 
       it "return false when there is no valid audience" do
         response_invalid_audience.settings = settings
-        response_invalid_audience.settings.issuer = "https://invalid.example.com/audience"
+        response_invalid_audience.settings.sp_entity_id = "https://invalid.example.com/audience"
         assert !response_invalid_audience.send(:validate_audience)
-        assert_includes response_invalid_audience.errors, generate_audience_error(response_invalid_audience.settings.issuer, ['http://invalid.audience.com'])
+        assert_includes response_invalid_audience.errors, generate_audience_error(response_invalid_audience.settings.sp_entity_id, ['http://invalid.audience.com'])
       end
     end
 
@@ -953,7 +953,7 @@ def generate_audience_error(expected, actual)
       end
 
       it "return false when wrong_spnamequalifier" do
-        settings.issuer = 'sp_entity_id'
+        settings.sp_entity_id = 'sp_entity_id'
         response_wrong_spnamequalifier.settings = settings
         assert !response_wrong_spnamequalifier.send(:validate_name_id)
         assert_includes response_wrong_spnamequalifier.errors, "The SPNameQualifier value mistmatch the SP entityID value."
@@ -966,7 +966,7 @@ def generate_audience_error(expected, actual)
       end
 
       it "return true when nameid is valid and response_wrong_spnamequalifier matches the SP issuer" do
-        settings.issuer = 'wrong-sp-entityid'
+        settings.sp_entity_id = 'wrong-sp-entityid'
         response_wrong_spnamequalifier.settings = settings
         assert response_wrong_spnamequalifier.send(:validate_name_id)
       end
@@ -1398,7 +1398,7 @@ def generate_audience_error(expected, actual)
 
       before do
         settings.idp_cert_fingerprint = 'EE:17:4E:FB:A8:81:71:12:0D:2A:78:43:BC:E7:0C:07:58:79:F4:F4'
-        settings.issuer = 'http://rubysaml.com:3000/saml/metadata'
+        settings.sp_entity_id = 'http://rubysaml.com:3000/saml/metadata'
         settings.assertion_consumer_service_url = 'http://rubysaml.com:3000/saml/acs'
         settings.certificate = ruby_saml_cert_text
         settings.private_key = ruby_saml_key_text
diff --git a/test/xml_security_test.rb b/test/xml_security_test.rb
@@ -239,7 +239,7 @@ class XmlSecurityTest < Minitest::Test
         settings.idp_sso_target_url = "https://idp.example.com/sso"
         settings.protocol_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         settings.idp_slo_target_url = "https://idp.example.com/slo",
-        settings.issuer = "https://sp.example.com/saml2"
+        settings.sp_entity_id = "https://sp.example.com/saml2"
         settings.assertion_consumer_service_url = "https://sp.example.com/acs"
         settings.single_logout_service_url = "https://sp.example.com/sls"
       end
