RubyGems - GoogleSSO - Versions diffs - 1.0.1 - Mend

GoogleSSO 1.0.1

Files changed (4) hide show

@@ -0,0 +1,6 @@
+require 'xmlcanonicalizer'
+require 'processresponse'
+class GoogleSSO
+  VERSION = '1.0'
+end

data/lib/processresponse.rb ADDED

@@ -0,0 +1,183 @@
+require "openssl"
+require "openssl/x509"
+require "base64"
+require "rexml/document"
+require "rexml/xpath"
+require "zlib"
+require "digest/sha1"
+require "xmlcanonicalizer"
+include REXML
+include OpenSSL
+  class XmlProcessResponse
+    attr_accessor :acs, :encodedresponse, :authenticateform, :logger
+    def initialize(certificate_path, private_key_path)
+      @certificate_path = certificate_path
+      @private_key_path = private_key_path
+      libpath = "#{Gem.dir}/gems/GoogleSSO-#{GoogleSSO::VERSION}/lib"
+      @signature_template_path = "#{libpath}/SignatureTemplate.xml"
+      @response_template_path = "#{libpath}/SamlResponseTemplate.xml"
+      @issueinstant = ""
+      @providername = ""
+      @acs = ""
+      @encodedresponse = ""
+      @authenticateform = ""
+      @logger = Logger.new("response.log")
+      @logger.level = Logger::DEBUG
+    end
+    def process_response(samlRequest, relayState, username)
+      xml_string = decodeAuthnRequestXML(samlRequest)
+      getRequestAttributes(xml_string)
+      samlResponse = createSamlResponse(username)
+      @logger.debug("\nSAML Response\n" + samlResponse.to_s()) if @logger
+      signedResponse = signXML(samlResponse)
+      @logger.debug("\nSigned Response\n" + signedResponse.to_s()) if @logger
+      @encodedresponse = Base64.encode64(signedResponse)
+#      @authenticateform = "<form name='acsForm' id='acsForm' action='#{@acs}' method='post'>"+
+# WHY IS THIS ENCODED??
+#"  <textarea name='SAMLResponse'>#{@encodedresponse}</textarea>"+
+      @authenticateform = "<form name='acsForm' id='acsForm' action='#{@acs}' method='post'>"+
+  	                      "  SAMLResponse:<textarea rows='10' cols='80' name='SAMLResponse'>#{signedResponse}</textarea>"+
+  	                      "  RelayState:<textarea rows='10' cols='80' name='RelayState'>#{relayState}</textarea>"+
+													"		<p><input type='submit' /></p>"+
+                          "</form>"
+    end
+#    private
+    def decodeAuthnRequestXML(encodedRequestXmlString)
+      unzipper = Zlib::Inflate.new( -Zlib::MAX_WBITS )
+      return unzipper.inflate(Base64.decode64( encodedRequestXmlString ))
+    end
+    def getRequestAttributes(xmlString)
+      doc = Document.new( xmlString )
+      @issueinstant = doc.root.attributes["IssueInstant"]
+      @providername = doc.root.attributes["ProviderName"]
+      @acs = doc.root.attributes["AssertionConsumerServiceURL"]
+    end
+    def createSamlResponse(authenticatedUser)
+      current_time = Time.new().utc().strftime("%Y-%m-%dT%H:%M:%SZ")
+      # 20 minutes after issued time
+      notOnOrAfter = (Time.new().utc()+60*20).strftime("%Y-%m-%dT%H:%M:%SZ")
+      samlResponse = ""
+      File.open(@response_template_path).each { |line|
+        samlResponse += line
+      }
+      samlResponse.sub!("<USERNAME_STRING>", authenticatedUser)
+      samlResponse.sub!("<RESPONSE_ID>",  generateUniqueHexCode(42))
+      samlResponse.gsub!("<ISSUE_INSTANT>",  current_time)
+      samlResponse.sub!("<AUTHN_INSTANT>",  current_time)
+      samlResponse.sub!("<NOT_BEFORE>",  @issueinstant)
+      samlResponse.sub!("<NOT_ON_OR_AFTER>",  notOnOrAfter)
+      samlResponse.sub!("<ASSERTION_ID>",  generateUniqueHexCode(42))
+      return samlResponse
+    end
+    def signXML(xml)
+      signature = ""
+      File.open(@signature_template_path).each { |line|
+        signature += line
+      }
+      document = Document.new(xml)
+      sigDoc = Document.new(signature)
+      # 3. Apply digesting algorithms over the resource, and calculate the digest value.
+      digestValue = calculateDigest(document)
+      # 4. Enclose the details in the <Reference> element.
+      # 5. Collect all <Reference> elements inside the <SignedInfo> element. Indicate the canonicalization and signature methodologies.
+      digestElement = XPath.first(sigDoc, "//DigestValue")
+      digestElement.add_text(digestValue)
+      # 6. Canonicalize contents of <SignedInfo>, apply the signature algorithm, and generate the XML Digital signature.
+      signedElement = XPath.first(sigDoc, "//SignedInfo")
+      signatureValue = calculateSignatureValue(signedElement)
+      # 7. Enclose the signature within the <SignatureValue> element.
+      signatureValueElement = XPath.first(sigDoc, "//SignatureValue")
+      signatureValueElement.add_text(signatureValue)
+      # 8. Add relevant key information, if any, and produce the <Signature> element.
+      cert = ""
+      File.open(@certificate_path).each { |line|
+        cert += line
+      }
+      cert.sub!(/.*BEGIN CERTIFICATE-----\s*(.*)\s*-----END CERT.*/m, '\1')
+      certNode = XPath.first(sigDoc, "//X509Certificate")
+      certNode.add_text(cert)
+      # 9. put it all together
+      status_child = document.elements["//samlp:Status"]
+      status_child.parent.insert_before(status_child, sigDoc.root)
+      retval = document.to_s()
+#      XPath.first(document, "//Signature").remove
+#      canoner = XmlCanonicalizer.new(false, true)
+#      canon_element = canoner.canonicalize(document)
+      return retval
+    end
+    def calculateSignatureValue(element)
+      element.add_namespace("http://www.w3.org/2000/09/xmldsig#")
+      element.add_namespace("xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
+      element.add_namespace("xmlns:xenc", "http://www.w3.org/2001/04/xmlenc#")
+      canoner = XmlCanonicalizer.new(false, true)
+      canon_element = canoner.canonicalize(element)
+      pkey = PKey::RSA.new(File::read(@private_key_path))
+      signature = Base64.encode64(pkey.sign(OpenSSL::Digest::SHA1.new, canon_element.to_s.chomp).chomp).chomp
+      element.delete_attribute("xmlns")
+      element.delete_attribute("xmlns:samlp")
+      element.delete_attribute("xmlns:xenc")
+      return signature
+    end
+    def calculateDigest(element)
+      canoner = XmlCanonicalizer.new(false, true)
+      canon_element = canoner.canonicalize(element)
+      element_hash = Base64.encode64(Digest::SHA1.digest(canon_element.to_s.chomp).chomp).chomp
+      return element_hash
+    end
+    def generateUniqueHexCode( codeLength )
+      validChars = ("A".."F").to_a + ("0".."9").to_a
+      length = validChars.size
+      validStartChars = ("A".."F").to_a
+      startLength = validStartChars.size
+      hexCode = ""
+      hexCode << validStartChars[rand(startLength-1)]
+      1.upto(codeLength-1) { |i| hexCode << validChars[rand(length-1)] }
+      return hexCode
+    end
+  end

data/lib/xmlcanonicalizer.rb ADDED

@@ -0,0 +1,395 @@
+require "rexml/document"
+require "base64"
+include REXML
+  class REXML::Instruction
+    def write(writer, indent=-1, transitive=false, ie_hack=false)
+      indent(writer, indent)
+      writer << START.sub(/\\/u, '')
+      writer << @target
+      writer << ' '
+      writer << @content if @content != nil
+      writer << STOP.sub(/\\/u, '')
+    end
+  end
+  class REXML::Attribute
+    def <=>(a2)
+      if (self === a2)
+        return 0
+      elsif (self == nil)
+        return -1
+      elsif (a2 == nil)
+        return 1
+      elsif (self.prefix() == a2.prefix())
+        return self.name()<=>a2.name()
+      end
+      if (self.prefix() == nil)
+        return -1
+      elsif (a2.prefix() == nil)
+        return 1
+      end
+      ret = self.namespace()<=>a2.namespace()
+      if (ret == 0)
+        ret = self.prefix()<=>a2.prefix()
+      end
+      return ret
+    end
+  end
+  class REXML::Element
+    def search_namespace(prefix)
+      if (self.namespace(prefix) == nil)
+        return (self.parent().search_namespace(prefix)) if (self.parent() != nil)
+      else
+        return self.namespace(prefix)
+      end
+    end
+    def rendered=(rendered)
+    	@rendered = rendered
+    end
+    def rendered?()
+    	return @rendered
+    end
+    def node_namespaces()
+      ns = Array.new()
+      ns.push(self.prefix())
+      self.attributes().each_attribute{|a|
+        if (a.prefix() == "xmlns" or (a.prefix() == "" && a.local_name() == "xmlns"))
+          ns.push("xmlns")
+        end
+      }
+      self.prefixes().each { |prefix| ns.push(prefix) }
+      ns
+    end
+  end
+  class NamespaceNode
+    attr_reader :prefix, :uri
+    def initialize(prefix, uri)
+      @prefix = prefix
+      @uri = uri
+    end
+  end
+  class XmlCanonicalizer
+    attr_accessor :prefix_list, :logger
+    BEFORE_DOC_ELEMENT = 0
+    INSIDE_DOC_ELEMENT = 1
+    AFTER_DOC_ELEMENT  = 2
+    NODE_TYPE_ATTRIBUTE  = 3
+    NODE_TYPE_WHITESPACE = 4
+    NODE_TYPE_COMMENT    = 5
+    NODE_TYPE_PI         = 6
+    NODE_TYPE_TEXT       = 7
+    def initialize(with_comments, excl_c14n)
+      @with_comments = with_comments
+      @exclusive = excl_c14n
+      @res = ""
+      @state = BEFORE_DOC_ELEMENT
+      @xnl = Array.new()
+      @prevVisibleNamespacesStart = 0
+      @prevVisibleNamespacesEnd = 0
+      @visibleNamespaces = Array.new()
+      @inclusive_namespaces = Array.new()
+      @prefix_list = nil
+      @rendered_prefixes = Array.new()
+      @logger = Logger.new("xmlcanonicalizer.log")
+      @logger.level = Logger::DEBUG
+    end
+    def add_inclusive_namespaces(prefix_list, element, visible_namespaces)
+      namespaces = element.attributes()
+      namespaces.each_attribute{|ns|
+        if (ns.prefix=="xmlns")
+          if (prefix_list.include?(ns.local_name()))
+            visible_namespaces.push(NamespaceNode.new("xmlns:"+ns.local_name(), ns.value()))
+          end
+        end
+      }
+      parent = element.parent()
+      add_inclusive_namespaces(prefix_list, parent, visible_namespaces) if (parent)
+      visible_namespaces
+    end
+    def canonicalize(document)
+      write_document_node(document)
+      @logger.debug("\nCanonicalized result\n" + @res.to_s()) if @logger
+      @res
+    end
+    def canonicalize_element(element, logging = true)
+      @logger.debug("Canonicalize element:\n" + element.to_s()) if @logger
+      @inclusive_namespaces = add_inclusive_namespaces(@prefix_list, element, @inclusive_namespaces) if (@prefix_list)
+      @preserve_document = element.document()
+      tmp_parent = element.parent()
+      body_string = remove_whitespace(element.to_s().gsub("\n","").gsub("\t","").gsub("\r",""))
+      document = Document.new(body_string)
+      tmp_parent.delete_element(element)
+      element = tmp_parent.add_element(document.root())
+      @preserve_element = element
+      document = Document.new(element.to_s())
+      ns = element.namespace(element.prefix())
+      document.root().add_namespace(element.prefix(), ns)
+      write_document_node(document)
+      @logger.debug("Canonicalized result:\n" + @res.to_s()) if @logger
+      @res
+    end
+    def write_document_node(document)
+      @state = BEFORE_DOC_ELEMENT
+      if (document.class().to_s() == "REXML::Element")
+        write_node(document)
+      else
+        document.each_child{|child|
+          write_node(child)
+        }
+      end
+      @res
+    end
+    def write_node(node)
+      visible = is_node_visible(node)
+      if ((node.node_type() == :text) && white_text?(node.value()))
+        res = node.value()
+        res.gsub("\r\n","\n")
+        #res = res.delete(" ").delete("\t")
+        res.delete("\r")
+        @res = @res + res
+        #write_text_node(node,visible) if (@state == INSIDE_DOC_ELEMENT)
+        return
+      end
+      if (node.node_type() == :text)
+        write_text_node(node, visible)
+        return
+      end
+      if (node.node_type() == :element)
+        write_element_node(node, visible) if (!node.rendered?())
+		    node.rendered=(true)
+      end
+      if (node.node_type() == :processing_instruction)
+      end
+      if (node.node_type() == :comment)
+      end
+    end
+    def write_element_node(node, visible)
+      savedPrevVisibleNamespacesStart = @prevVisibleNamespacesStart
+      savedPrevVisibleNamespacesEnd = @prevVisibleNamespacesEnd
+      savedVisibleNamespacesSize = @visibleNamespaces.size()
+      state = @state
+      state = INSIDE_DOC_ELEMENT if (visible && state == BEFORE_DOC_ELEMENT)
+      @res = @res + "<" + node.expanded_name() if (visible)
+      write_namespace_axis(node, visible)
+      write_attribute_axis(node)
+      @res = @res + ">" if (visible)
+      node.each_child{|child|
+    	 	write_node(child)
+    	}
+      @res = @res + "</" +node.expanded_name() + ">" if (visible)
+      @state = AFTER_DOC_ELEMENT if (visible && state == BEFORE_DOC_ELEMENT)
+      @prevVisibleNamespacesStart = savedPrevVisibleNamespacesStart
+      @prevVisibleNamespacesEnd = savedPrevVisibleNamespacesEnd
+      @visibleNamespaces.slice!(savedVisibleNamespacesSize, @visibleNamespaces.size() - savedVisibleNamespacesSize) 		if (@visibleNamespaces.size() > savedVisibleNamespacesSize)
+    end
+    def write_namespace_axis(node, visible)
+      doc = node.document()
+      has_empty_namespace = false
+      list = Array.new()
+      cur = node
+      #while ((cur != nil) && (cur != doc) && (cur.node_type() != :document))
+      namespaces = cur.node_namespaces()
+      namespaces.each{|prefix|
+        next if ((prefix == "xmlns") && (node.namespace(prefix) == ""))
+        namespace = cur.namespace(prefix)
+        next if (is_namespace_node(namespace))
+        next if (node.namespace(prefix) != cur.namespace(prefix))
+        next if (prefix == "xml" && namespace == "http://www.w3.org/XML/1998/namespace")
+        next if (!is_node_visible(cur))
+        rendered = is_namespace_rendered(prefix, namespace)
+        @visibleNamespaces.push(NamespaceNode.new("xmlns:"+prefix,namespace)) if (visible)
+        if ((!rendered) && !list.include?(prefix))
+          list.push(prefix)
+        end
+        has_empty_namespace = true if (prefix == nil)
+      }
+      if (visible && !has_empty_namespace && !is_namespace_rendered(nil, nil))
+        @res = @res + ' xmlns=""'
+      end
+      #TODO: ns of inclusive_list
+#=begin
+      if ((@prefix_list) && (node.to_s() == node.parent().to_s()))
+        #list.push(node.prefix())
+        @inclusive_namespaces.each{|ns|
+          prefix = ns.prefix().split(":")[1]
+          list.push(prefix) if (!list.include?(prefix) && (!node.attributes.prefixes.include?(prefix)))
+        }
+		@prefix_list = nil
+      end
+#=end
+      list.sort!()
+      list.insert(0, "xmlns") unless list.delete("xmlns").nil?
+      list.each{|prefix|
+        next if (prefix == "")
+    		next if (@rendered_prefixes.include?(prefix))
+    		@rendered_prefixes.push(prefix)
+        ns = node.namespace(prefix)
+        ns = @preserve_element.namespace(prefix) if (ns == nil)
+        @res = @res + normalize_string(" " + prefix + '="' + ns + '"', NODE_TYPE_TEXT) if (prefix == "xmlns")
+        @res = @res + normalize_string(" xmlns:" + prefix + '="' + ns + '"', NODE_TYPE_TEXT) if (prefix != nil && prefix != "xmlns")
+      }
+      if (visible)
+        @prevVisibleNamespacesStart = @prevVisibleNamespacesEnd
+        @prevVisibleNamespacesEnd = @visibleNamespaces.size()
+      end
+    end
+    def write_attribute_axis(node)
+      list = Array.new()
+      node.attributes().sort.each{|key, attr|
+        list.push(attr) if (!is_namespace_node(attr.value()) && !is_namespace_decl(attr)) # && is_node_visible(
+      }
+      if (!@exclusive && node.parent() != nil && node.parent().parent() != nil)
+        cur = node.parent()
+        while (cur != nil)
+          #next if (cur.attributes() == nil)
+          cur.each_attribute{|attribute|
+            next if (attribute.prefix() != "xml")
+            next if (attribute.prefix().index("xmlns") == 0)
+            next if (node.namespace(attribute.prefix()) == attribute.value())
+            found = true
+            list.each{|n|
+              if (n.prefix() == "xml" && n.value() == attritbute.value())
+                found = true
+                break
+              end
+            }
+            next if (found)
+            list.push(attribute)
+          }
+        end
+      end
+      list.each{|attribute|
+        if (attribute != nil)
+          if (attribute.name() != "xmlns")
+            @res = @res + " " + normalize_string(attribute.to_string(), NODE_TYPE_ATTRIBUTE).gsub("'",'"')
+          end
+          #	else
+          #	@res = @res + " " + normalize_string(attribute.name()+'="'+attribute.to_s()+'"', NODE_TYPE_ATTRIBUTE).gsub("'",'"')
+          #end
+        end
+      }
+    end
+    def is_namespace_node(namespace_uri)
+      return (namespace_uri == "http://www.w3.org/2000/xmlns/")
+    end
+    def is_namespace_rendered(prefix, uri)
+      is_empty_ns = prefix == nil && uri == nil
+      if (is_empty_ns)
+        start = 0
+      else
+        start = @prevVisibleNamespacesStart
+      end
+      @visibleNamespaces.each{|ns|
+        if (ns.prefix() == "xmlns:"+prefix.to_s() && ns.uri() == uri)
+          return true
+        end
+      }
+      return is_empty_ns
+      #(@visibleNamespaces.size()-1).downto(start) {|i|
+      #   ns = @visibleNamespaces[i]
+      #	return true if (ns.prefix() == "xmlns:"+prefix.to_s() && ns.uri() == uri)
+      #	#p = ns.prefix() if (ns.prefix().index("xmlns") == 0)
+      #	#return ns.uri() == uri if (p == prefix)
+      #}
+      #return is_empty_ns
+    end
+    def is_node_visible(node)
+      return true if (@xnl.size() == 0)
+      @xnl.each{|element|
+        return true if (element == node)
+      }
+      return false
+    end
+    def normalize_string(input, type)
+      sb = ""
+      return input
+    end
+    #input.each_byte{|b|
+    #	if (b ==60 && (type == NODE_TYPE_ATTRIBUTE || is_text_node(type)))
+    #		sb = sb + "&lt;"
+    #	elsif (b == 62 && is_text_node(type))
+    #		sb = sb + "&gt;"
+    #	elsif (b == 38 && (is_text_node(type) || is_text_node(type))) #Ampersand
+    #		sb = sb + "&amp;"
+    #	elsif (b == 34 && is_text_node(type)) #Quote
+    #		sb = sb + "&quot;"
+    #	elsif (b == 9 && is_text_node(type)) #Tabulator
+    #		sb = sb + "&#x9;"
+    #	elsif (b == 11 && is_text_node(type)) #CR
+    #		sb = sb + "&#xA;"
+    #	elsif (b == 13 && (type == NODE_TYPE_ATTRIBUTE || (is_text_node(type) && type != NODE_TYPE_WHITESPACE) || type == NODE_TYPE_COMMENT || type == NODE_TYPE_PI))
+    #		sb = sb + "&#xD;"
+    #	elsif (b == 13)
+    #		next
+    #	else
+    #		sb = sb.concat(b)
+    #	end
+    #}
+    #sb
+    #end
+    def write_text_node(node, visible)
+      if (visible)
+        @res = @res + normalize_string(node.value(), node.node_type())
+      end
+    end
+    def white_text?(text)
+      return true if ((text.strip() == "") || (text.strip() == nil))
+      return false
+    end
+    def is_namespace_decl(attribute)
+      #return true if (attribute.name() == "xmlns")
+      return true if (attribute.prefix().index("xmlns") == 0)
+      return false
+    end
+    def is_text_node(type)
+      return true if (type == NODE_TYPE_TEXT || type == NODE_TYPE_CDATA || type == NODE_TYPE_WHITESPACE)
+      return false
+    end
+    def remove_whitespace(string)
+      new_string = ""
+      in_white = false
+      string.each_byte{|b|
+        #if (in_white && b == 32)
+        #else
+        if !(in_white && b == 32)
+          new_string = new_string + b.chr()
+        end
+        if (b == 62) #>
+          in_white = true
+        end
+        if (b == 60) #<
+          in_white = false
+        end
+      }
+      new_string
+    end
+  end

metadata ADDED

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+rubygems_version: 0.9.2
+specification_version: 1
+name: GoogleSSO
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+date: 2007-06-14 00:00:00 +02:00
+summary: "Google SSO: SAML signing and processing."
+require_paths:
+- lib
+email: NN
+homepage: http://rubyforge.org
+rubyforge_project:
+description: "Google SSO: SAML signing and processing."
+autorequire:
+default_executable:
+bindir: bin
+has_rdoc: false
+required_ruby_version: !ruby/object:Gem::Version::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 0.0.0
+  version:
+platform: ruby
+signing_key:
+cert_chain:
+post_install_message:
+authors:
+- NN
+files:
+- lib/GoogleSSO.rb
+- lib/processresponse.rb
+- lib/xmlcanonicalizer.rb
+test_files: []
+rdoc_options: []
+extra_rdoc_files: []
+executables: []
+extensions: []
+requirements: []
+dependencies: []