Merge pull request SAML-Toolkits#289 from GyldendalDigital/use-secure-random-and-encapsulate-uuid-creation

pitbulk · pitbulk · commit 9f52a280381f · 2016-04-28T20:23:56.000+02:00
Use secure random and encapsulate uuid creation
diff --git a/lib/onelogin/ruby-saml/authrequest.rb b/lib/onelogin/ruby-saml/authrequest.rb
@@ -1,8 +1,8 @@
-require "uuid"
 require "rexml/document"
 
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -20,7 +20,7 @@ class Authrequest < SamlMessage
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the AuthNRequest string.
diff --git a/lib/onelogin/ruby-saml/idp_metadata_parser.rb b/lib/onelogin/ruby-saml/idp_metadata_parser.rb
@@ -1,5 +1,4 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
 require "net/http"
diff --git a/lib/onelogin/ruby-saml/logoutrequest.rb b/lib/onelogin/ruby-saml/logoutrequest.rb
@@ -1,7 +1,6 @@
-require "uuid"
-
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -18,7 +17,7 @@ class Logoutrequest < SamlMessage
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the Logout Request string.
@@ -108,7 +107,7 @@ def create_logout_request_xml_doc(settings)
           nameid.text = settings.name_identifier_value
         else
           # If no NameID is present in the settings we generate one
-          nameid.text = "_" + UUID.new.generate
+          nameid.text = OneLogin::RubySaml::Utils.uuid
           nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
         end
 
diff --git a/lib/onelogin/ruby-saml/metadata.rb b/lib/onelogin/ruby-saml/metadata.rb
@@ -1,7 +1,7 @@
 require "uri"
-require "uuid"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -49,7 +49,7 @@ def generate(settings, pretty_print=false)
           xc2.text = cert_text
         end
 
-        root.attributes["ID"] = "_" + UUID.new.generate
+        root.attributes["ID"] = OneLogin::RubySaml::Utils.uuid
         if settings.issuer
           root.attributes["entityID"] = settings.issuer
         end
diff --git a/lib/onelogin/ruby-saml/slo_logoutresponse.rb b/lib/onelogin/ruby-saml/slo_logoutresponse.rb
@@ -1,7 +1,7 @@
-require "uuid"
-
 require "onelogin/ruby-saml/logging"
+
 require "onelogin/ruby-saml/saml_message"
+require "onelogin/ruby-saml/utils"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -18,7 +18,7 @@ class SloLogoutresponse < SamlMessage
       # Asigns an ID, a random uuid.
       #
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       # Creates the Logout Response string.
diff --git a/lib/onelogin/ruby-saml/utils.rb b/lib/onelogin/ruby-saml/utils.rb
@@ -1,9 +1,16 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
 module OneLogin
   module RubySaml
 
     # SAML2 Auxiliary class
-    #    
+    #
     class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
 
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
@@ -30,7 +37,7 @@ def self.format_cert(cert)
       # @return [String] The formatted private key
       #
       def self.format_private_key(key)
-        # don't try to format an encoded private key or if is empty  
+        # don't try to format an encoded private key or if is empty
         return key if key.nil? || key.empty? || key.match(/\x0d/)
 
         # is this an rsa key?
@@ -114,7 +121,7 @@ def self.decrypt_data(encrypted_node, private_key)
           { 'xenc' => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']
-        retrieve_plaintext(node, symmetric_key, algorithm)        
+        retrieve_plaintext(node, symmetric_key, algorithm)
       end
 
       # Obtains the symmetric key from the EncryptedData element
@@ -140,7 +147,7 @@ def self.retrieve_symmetric_key(encrypt_data, private_key)
           {"ds" => DSIG,  "xenc" => XENC }
         )
         algorithm = encrypt_method.attributes['Algorithm']
-        retrieve_plaintext(cipher_text, private_key, algorithm)        
+        retrieve_plaintext(cipher_text, private_key, algorithm)
       end
 
       # Obtains the deciphered text
@@ -158,7 +165,7 @@ def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
           when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
         end
 
-        if cipher          
+        if cipher
           iv_len = cipher.iv_len
           data = cipher_text[iv_len..-1]
           cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
@@ -173,6 +180,9 @@ def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
         end
       end
 
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
     end
   end
 end
diff --git a/ruby-saml.gemspec b/ruby-saml.gemspec
@@ -25,14 +25,17 @@ Gem::Specification.new do |s|
   s.summary = %q{SAML Ruby Tookit}
   s.test_files = `git ls-files test/*`.split("\n")
 
-  s.add_runtime_dependency('uuid', '~> 2.3')
+
 
   # Because runtime dependencies are determined at build time, we cannot make
   # Nokogiri's version dependent on the Ruby version, even though we would
   # have liked to constrain Ruby 1.8.7 to install only the 1.5.x versions.
   if defined?(JRUBY_VERSION)
     s.add_runtime_dependency('nokogiri', '>= 1.6.0')
     s.add_runtime_dependency('jruby-openssl', '>= 0.9.8')
+  elsif RUBY_VERSION < '1.9'
+    s.add_runtime_dependency('uuid')
+    s.add_runtime_dependency('nokogiri', '<= 1.5.11')
   else
     s.add_runtime_dependency('nokogiri', '>= 1.5.10')
   end
diff --git a/test/logoutrequest_test.rb b/test/logoutrequest_test.rb
@@ -29,7 +29,8 @@ class RequestTest < Minitest::Test
     end
 
     it "set sessionindex" do
-      sessionidx = UUID.new.generate
+      settings.idp_slo_target_url = "http://example.com"
+      sessionidx = OneLogin::RubySaml::Utils.uuid
       settings.sessionindex = sessionidx
 
       unauth_url = OneLogin::RubySaml::Logoutrequest.new.create(settings, { :nameid => "there" })
diff --git a/test/test_helper.rb b/test/test_helper.rb
@@ -203,7 +203,7 @@ def ruby_saml_key_text
   # logoutresponse fixtures
   #
   def random_id
-    "_#{UUID.new.generate}"
+    "_#{OneLogin::RubySaml::Utils.uuid}"
   end
 
   #
diff --git a/test/utils_test.rb b/test/utils_test.rb
@@ -142,4 +142,17 @@ class UtilsTest < Minitest::Test
       assert_equal = "The status code of the Logout Response was not Success", status_error_msg3
     end
   end
-end
+
+  describe "Utils" do
+
+    describe ".uuid" do
+      it "returns a uuid starting with an underscore" do
+        assert_match /^_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, OneLogin::RubySaml::Utils.uuid
+      end
+
+      it "doesn't return the same value twice" do
+        refute_equal OneLogin::RubySaml::Utils.uuid, OneLogin::RubySaml::Utils.uuid
+      end
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`require "base64"`
`2`		`-require "uuid"`
`3`	`2`	`require "zlib"`
`4`	`3`	`require "cgi"`
`5`	`4`	`require "net/http"`
Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ def ruby_saml_key_text`
`203`	`203`	`# logoutresponse fixtures`
`204`	`204`	`#`
`205`	`205`	`def random_id`
`206`		`- "_#{UUID.new.generate}"`
	`206`	`+ "_#{OneLogin::RubySaml::Utils.uuid}"`
`207`	`207`	`end`
`208`	`208`
`209`	`209`	`#`