Merge branch 'v2.x' into fix-error-text

.rubocop.yml

@@ -16,6 +16,9 @@ AllCops:
     - 'tmp/**/*'
     - 'vendor/**/*'
 
+Style/ModuleFunction:
+  EnforcedStyle: extend_self
+
 Style/NumericPredicate:
   EnforcedStyle: comparison
 

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-07-10 16:10:44 UTC using RuboCop version 1.64.1.
+# on 2024-07-11 13:04:30 UTC using RuboCop version 1.64.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -127,7 +127,7 @@ Layout/SpaceAroundOperators:
     - 'lib/ruby_saml/xml/document.rb'
     - 'lib/ruby_saml/xml/signed_document.rb'
 
-# Offense count: 5
+# Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
 # SupportedStyles: space, no_space
@@ -180,7 +180,7 @@ Lint/UselessAssignment:
   Exclude:
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 42
+# Offense count: 41
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 100
@@ -191,21 +191,26 @@ Metrics/AbcSize:
 Metrics/BlockLength:
   Max: 27
 
-# Offense count: 9
+# Offense count: 8
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
   Max: 652
 
-# Offense count: 25
+# Offense count: 26
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
   Max: 21
 
-# Offense count: 59
+# Offense count: 58
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Max: 63
 
+# Offense count: 1
+# Configuration parameters: CountComments, CountAsOne.
+Metrics/ModuleLength:
+  Max: 244
+
 # Offense count: 2
 # Configuration parameters: Max, CountKeywordArgs.
 Metrics/ParameterLists:
@@ -279,22 +284,20 @@ Performance/RedundantEqualityComparisonBlock:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 5
+# Offense count: 3
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Performance/StringInclude:
   Exclude:
     - 'lib/ruby_saml/authrequest.rb'
     - 'lib/ruby_saml/logoutrequest.rb'
     - 'lib/ruby_saml/slo_logoutresponse.rb'
-    - 'lib/ruby_saml/utils.rb'
 
-# Offense count: 8
+# Offense count: 4
 # This cop supports safe autocorrection (--autocorrect).
 Performance/StringReplacement:
   Exclude:
     - 'lib/ruby_saml/metadata.rb'
     - 'lib/ruby_saml/saml_message.rb'
-    - 'lib/ruby_saml/utils.rb'
     - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 48
@@ -409,14 +412,6 @@ Style/IfUnlessModifier:
     - 'lib/ruby_saml/xml/document.rb'
     - 'lib/ruby_saml/xml/signed_document.rb'
 
-# Offense count: 1
-# This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle, Autocorrect.
-# SupportedStyles: module_function, extend_self, forbidden
-Style/ModuleFunction:
-  Exclude:
-    - 'lib/ruby_saml/logging.rb'
-
 # Offense count: 16
 # Configuration parameters: AllowedMethods.
 # AllowedMethods: respond_to_missing?
@@ -432,18 +427,11 @@ Style/OptionalBooleanParameter:
     - 'lib/ruby_saml/utils.rb'
     - 'lib/ruby_saml/xml/signed_document.rb'
 
-# Offense count: 1
-# This cop supports safe autocorrection (--autocorrect).
-Style/RedundantBegin:
-  Exclude:
-    - 'lib/ruby_saml/utils.rb'
-
-# Offense count: 8
+# Offense count: 3
 # This cop supports safe autocorrection (--autocorrect).
 Style/RedundantRegexpArgument:
   Exclude:
     - 'lib/ruby_saml/saml_message.rb'
-    - 'lib/ruby_saml/utils.rb'
     - 'lib/ruby_saml/xml/document.rb'
 
 # Offense count: 3
@@ -472,7 +460,7 @@ Style/StringConcatenation:
     - 'lib/ruby_saml/saml_message.rb'
     - 'lib/ruby_saml/slo_logoutrequest.rb'
 
-# Offense count: 351
+# Offense count: 339
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -509,7 +497,7 @@ Style/SymbolArray:
   Exclude:
     - 'lib/ruby_saml/settings.rb'
 
-# Offense count: 92
+# Offense count: 104
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

CHANGELOG.md

@@ -12,6 +12,8 @@
 * [#697](https://github.com/SAML-Toolkits/ruby-saml/pull/697) Add deprecation for various parameters in `RubySaml::Settings`.
 * [#709](https://github.com/SAML-Toolkits/ruby-saml/pull/709) Allow passing in `Net::HTTP` `:open_timeout`, `:read_timeout`, and `:max_retries` settings to `IdpMetadataParser#parse_remote`.
 * [#715](https://github.com/SAML-Toolkits/ruby-saml/pull/715) Fix typo in error when SPNameQualifier value does not match the SP entityID.
+* [#718](https://github.com/SAML-Toolkits/ruby-saml/pull/718/) Add support to retrieve from SAMLResponse the AuthnInstant and AuthnContextClassRef values
+* [#711](https://github.com/SAML-Toolkits/ruby-saml/pull/711) Standardize how RubySaml reads and formats certificate and private_key PEM values, including the `RubySaml::Util#format_cert` and `#format_private_key` methods.
 
 ### 1.17.0
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
@@ -28,7 +30,7 @@
 
 ### 1.15.0 (Jan 04, 2023)
 * [#650](https://github.com/SAML-Toolkits/ruby-saml/pull/650) Replace strip! by strip on compute_digest method
-* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata 
+* [#638](https://github.com/SAML-Toolkits/ruby-saml/pull/638) Fix dateTime format for the validUntil attribute of the generated metadata
 * [#576](https://github.com/SAML-Toolkits/ruby-saml/pull/576) Support `Settings#idp_cert_multi` with string keys
 * [#567](https://github.com/SAML-Toolkits/ruby-saml/pull/567) Improve Code quality
 * Add info about new repo, new maintainer, new security contact
@@ -62,7 +64,7 @@
 
 ### 1.12.0 (Feb 18, 2021)
 * Support AES-128-GCM, AES-192-GCM, and AES-256-GCM encryptions
-* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings 
+* Parse & return SLO ResponseLocation in IDPMetadataParser & Settings
 * Adding idp_sso_service_url and idp_slo_service_url settings
 * [#536](https://github.com/SAML-Toolkits/ruby-saml/pull/536) Adding feth method to be able retrieve attributes based on regex
 * Reduce size of built gem by excluding the test folder
@@ -192,7 +194,7 @@
 * Fix response_test.rb of gem 1.3.0
 * Add reference to Security Guidelines
 * Update License
-* [#334](https://github.com/SAML-Toolkits/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method. 
+* [#334](https://github.com/SAML-Toolkits/ruby-saml/pull/334) Keep API backward-compatibility on IdpMetadataParser fingerprint method.
 
 ### 1.3.0 (June 24, 2016)
 * [Security Fix](https://github.com/SAML-Toolkits/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995) Add extra validations to prevent Signature wrapping attacks
@@ -210,7 +212,7 @@
 * [#316](https://github.com/SAML-Toolkits/ruby-saml/pull/316) Fix Misspelling of transation_id to transaction_id
 * [#321](https://github.com/SAML-Toolkits/ruby-saml/pull/321) Support Attribute Names on IDPSSODescriptor parser
 * Changes on empty URI of Signature reference management
-* [#320](https://github.com/SAML-Toolkits/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI 
+* [#320](https://github.com/SAML-Toolkits/ruby-saml/pull/320) Dont mutate document to fix lack of reference URI
 * [#306](https://github.com/SAML-Toolkits/ruby-saml/pull/306) Support WantAssertionsSigned
 
 ### 1.1.2 (February 15, 2016)
@@ -227,17 +229,17 @@
 * [#270](https://github.com/SAML-Toolkits/ruby-saml/pull/270) Allow SAML elements to come from any namespace (at decryption process)
 * [#261](https://github.com/SAML-Toolkits/ruby-saml/pull/261) Allow validate_subject_confirmation Response validation to be skipped
 * [#258](https://github.com/SAML-Toolkits/ruby-saml/pull/258) Fix allowed_clock_drift on the validate_session_expiration test
-* [#256](https://github.com/SAML-Toolkits/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods. 
+* [#256](https://github.com/SAML-Toolkits/ruby-saml/pull/256) Separate the create_authentication_xml_doc in two methods.
 * [#255](https://github.com/SAML-Toolkits/ruby-saml/pull/255) Refactor validate signature.
-* [#254](https://github.com/SAML-Toolkits/ruby-saml/pull/254) Handle empty URI references 
+* [#254](https://github.com/SAML-Toolkits/ruby-saml/pull/254) Handle empty URI references
 * [#251](https://github.com/SAML-Toolkits/ruby-saml/pull/251) Support qualified and unqualified NameID in attributes
 * [#234](https://github.com/SAML-Toolkits/ruby-saml/pull/234) Add explicit support for JRuby
 
 ### 1.0.0 (June 30, 2015)
 * [#247](https://github.com/SAML-Toolkits/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
 * [#246](https://github.com/SAML-Toolkits/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
 * [#243](https://github.com/SAML-Toolkits/ruby-saml/issues/243) and [#244](https://github.com/SAML-Toolkits/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
-* [#241](https://github.com/SAML-Toolkits/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces. 
+* [#241](https://github.com/SAML-Toolkits/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces.
 * [#240](https://github.com/SAML-Toolkits/ruby-saml/pull/240) and [#238](https://github.com/SAML-Toolkits/ruby-saml/pull/238) Improve test coverage and refactor.
 * [#239](https://github.com/SAML-Toolkits/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
 * [#237](https://github.com/SAML-Toolkits/ruby-saml/pull/237) Don't pretty print metadata by default.

UPGRADING.md

@@ -50,7 +50,7 @@ settings.security[:digest_method] = RubySaml::XML::Document::SHA1
 settings.security[:signature_method] = RubySaml::XML::Document::RSA_SHA1
 ```
 
-### Removal of embed_sign Setting
+### Removal of embed_sign setting
 
 The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch
 to using both the `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding` parameters as show below.
@@ -68,7 +68,7 @@ settings.idp_slo_service_binding = :redirect
 
 For clarity, the default value of both parameters is `:redirect` if they are not set.
 
-### Deprecation of Compression Settings
+### Deprecation of compression settings
 
 The `settings.compress_request` and `settings.compress_response` parameters have been deprecated
 and are no longer functional. They will be removed in RubySaml 2.1.0. Please remove `compress_request`
@@ -80,7 +80,7 @@ The SAML SP request/response message compression behavior is now controlled auto
 "compression" is used to make redirect URLs which contain SAML messages be shorter. For POST messages,
 compression may be achieved by enabling `Content-Encoding: gzip` on your webserver.
 
-## Settings deprecations
+### Other settings deprecations
 
 The following parameters in `RubySaml::Settings` are deprecated and will be removed in RubySaml 2.1.0:
 
@@ -92,6 +92,35 @@ The following parameters in `RubySaml::Settings` are deprecated and will be remo
 - `#certificate_new` is deprecated and replaced by `#sp_cert_multi`. Refer to documentation as `#sp_cert_multi`
   has a different value type than `#certificate_new`.
 
+### Minor changes to Util#format_cert and #format_private_key
+
+Version 2.0.0 standardizes how RubySaml reads and formats certificate and private key
+PEM strings. In general, version 2.0.0 is more permissive than 1.x, and the changes
+are not anticipated to affect most users. Please note the change affects parameters
+such `#idp_cert` and `#certificate`, as well as the `RubySaml::Util#format_cert`
+and `#format_private_key` methods. Specifically:
+
+| # | Input value                                          | RubySaml 2.0.0                                          | RubySaml 1.x              |
+|---|------------------------------------------------------|---------------------------------------------------------|---------------------------|
+| 1 | Input contains a bad (e.g. non-base64) PEM           | Skip PEM formatting                                     | Return a bad PEM          |
+| 2 | Input contains `\r` character(s)                     | Strip out all `\r` character(s) and format as PEM       | Skip PEM formatting       |
+| 3 | PEM header other than `CERTIFICATE` or `PRIVATE KEY` | Format if header ends in `CERTIFICATE` or `PRIVATE KEY` | Skip PEM formatting       |
+| 4 | `#format_cert` given `PRIVATE KEY` (and vice-versa)  | Ignore PEMs of incorrect type                           | Return a bad PEM          |
+| 5 | Text outside header/footer values                    | Strip out text outside header/footer values             | Skip PEM formatting       |
+| 6 | Input non-ASCII characters                           | Ignore non-ASCII chars if they are outside the PEM      | Skip PEM formatting       |
+| 7 | `#format_cert` input contains mix of good/bad certs  | Return only good cert PEMs (joined with `\n`)           | Return good and bad certs |
+
+**Notes**
+- Case 3: For example, `-----BEGIN TRUSTED X509 CERTIFICATE-----` is now
+  considered a valid header as an input, but it will be formatted to
+  `-----BEGIN CERTIFICATE-----` in the output. As a special case, in both 2.0.0
+  and 1.x, if `RSA PRIVATE KEY` is present in the input string, the `RSA` prefix will
+  be preserved in the output.
+- Case 5: When formatting multiple certificates in one string (i.e. a certificate chain),
+  text present between the footer and header of two different certificates will also be
+  stripped out.
+- Case 7: If no valid certificates are found, the entire original string will be returned.
+
 ## Updating from 1.12.x to 1.13.0
 
 Version `1.13.0` adds `settings.idp_sso_service_binding` and `settings.idp_slo_service_binding`, and

lib/ruby_saml.rb

@@ -16,6 +16,7 @@
 require 'ruby_saml/validation_error'
 require 'ruby_saml/metadata'
 require 'ruby_saml/idp_metadata_parser'
+require 'ruby_saml/pem_formatter'
 require 'ruby_saml/utils'
 require 'ruby_saml/version'