ciam-es 0.0.1

data/lib/ciam/ruby-saml/settings.rb

@@ -0,0 +1,89 @@
+require_relative "../xml_security_new"
+
+module Ciam
+  module Saml
+    class Settings
+     
+      attr_accessor :sp_name_qualifier, :sp_name_identifier, :sp_cert, :sp_external_consumer_cert, :sp_private_key, :metadata_signed, :requested_attribute,:requested_attribute_eidas_min, :requested_attribute_eidas_full, :organization
+      attr_accessor :idp_entity_id, :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :idp_slo_target_url, :idp_metadata, :idp_metadata_ttl, :idp_name_qualifier
+      attr_accessor :assertion_consumer_service_binding, :assertion_consumer_service_url, :assertion_consumer_service_index, :attribute_consuming_service_index, :hash_assertion_consumer
+      attr_accessor :name_identifier_value, :name_identifier_format
+      attr_accessor :sessionindex, :issuer, :destination_service_url, :authn_context, :requester_identificator
+      attr_accessor :single_logout_service_url, :single_logout_service_binding, :single_logout_destination
+      attr_accessor :skip_validation, :aggregato, :hash_aggregatore
+    
+      def initialize(config = {})
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+
+        # Set some sane default values on a few options
+        self.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        self.single_logout_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        # Default cache TTL for metadata is 1 day
+        self.idp_metadata_ttl = 86400
+      end
+
+
+      def get_fingerprint
+        idp_cert_fingerprint || begin
+          idp_cert = get_idp_cert
+          if idp_cert
+            fingerprint_alg = Ciam::XMLSecurity::BaseDocument.new.algorithm(idp_cert_fingerprint_algorithm).new
+            fingerprint_alg.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+      #
+      def get_idp_cert
+        return nil if idp_cert.nil? || idp_cert.empty?
+        #decoded_content = Base64.decode64(File.read(idp_cert))
+        #formatted_cert = Ciam::Saml::Utils.format_cert(idp_cert)
+        OpenSSL::X509::Certificate.new(File.read(idp_cert))
+      end
+
+      # def get_sp_cert
+      #   return nil if certificate.nil? || certificate.empty?
+
+      #   formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
+      #   OpenSSL::X509::Certificate.new(formatted_cert)
+      # end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      #
+      #Questo metodo e' stato generalizzato sotto
+      # def get_sp_cert
+      #   return nil if sp_cert.nil? || sp_cert.empty?
+      #   #decoded_content = Base64.decode64(File.read(sp_cert))
+      #   formatted_cert = Ciam::Saml::Utils.format_cert(sp_cert)
+      #   OpenSSL::X509::Certificate.new(File.read(sp_cert))
+      # end
+
+      def get_cert(cert)
+        return nil if cert.nil? || cert.empty?
+        #decoded_content = Base64.decode64(File.read(cert))
+        formatted_cert = Ciam::Saml::Utils.format_cert(cert)
+        OpenSSL::X509::Certificate.new(File.read(cert))
+      end
+
+
+
+      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
+      #
+      def get_sp_key
+        return nil if sp_private_key.nil? || sp_private_key.empty?
+
+        #formatted_private_key = Ciam::Saml::Utils.format_private_key(sp_private_key)
+        OpenSSL::PKey::RSA.new(File.read(sp_private_key))
+      end
+
+
+
+
+
+    end
+  end
+end

data/lib/ciam/ruby-saml/utils.rb

@@ -0,0 +1,225 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
+module Ciam
+  module Saml
+
+    # SAML2 Auxiliary class
+    #
+    class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+      XENC      = "http://www.w3.org/2001/04/xmlenc#"
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+
+        cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+        cert = cert.gsub(/[\n\r\s]/, "")
+        cert = cert.scan(/.{1,64}/)
+        cert = cert.join("\n")
+        "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/[\n\r\s]/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+
+        url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      # Validate the Signature parameter sent on the HTTP-Redirect binding
+      # @param params [Hash] Parameters to be used in the validation process
+      # @option params [OpenSSL::X509::Certificate] cert The Identity provider public certtificate
+      # @option params [String] sig_alg The SigAlg parameter
+      # @option params [String] signature The Signature parameter (base64 encoded)
+      # @option params [String] query_string The full GET Query String to be compared
+      # @return [Boolean] True if the Signature is valid, False otherwise
+      #
+      def self.verify_signature(params)
+        cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
+        signature_algorithm = Ciam::XMLSecurityNew::BaseDocument.new.algorithm(sig_alg)
+        return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
+      end
+
+      # Build the status error message
+      # @param status_code [String] StatusCode value
+      # @param status_message [Strig] StatusMessage value
+      # @return [String] The status error message
+      def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
+        unless status_code.nil?
+          printable_code = status_code.split(':').last
+          error_msg << ', was ' + printable_code
+        end
+
+        unless status_message.nil?
+          error_msg << ' -> ' + status_message
+        end
+
+        error_msg
+      end
+
+      # Obtains the decrypted string from an Encrypted node element in XML
+      # @param encrypted_node [REXML::Element]     The Encrypted element
+      # @param private_key    [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The decrypted data
+      def self.decrypt_data(encrypted_node, private_key)
+        encrypt_data = REXML::XPath.first(
+          encrypted_node,
+          "./xenc:EncryptedData",
+          { 'xenc' => XENC }
+        )
+        symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
+        cipher_value = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue",
+          { 'xenc' => XENC }
+        )
+        node = Base64.decode64(cipher_value.text)
+        encrypt_method = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/xenc:EncryptionMethod",
+          { 'xenc' => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(node, symmetric_key, algorithm)
+      end
+
+      # Obtains the symmetric key from the EncryptedData element
+      # @param encrypt_data [REXML::Element]     The EncryptedData element
+      # @param private_key [OpenSSL::PKey::RSA] The Service provider private key
+      # @return [String] The symmetric key
+      def self.retrieve_symmetric_key(encrypt_data, private_key)
+        encrypted_key = REXML::XPath.first(
+          encrypt_data,
+          "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey or \
+           //xenc:EncryptedKey[@Id=substring-after(//xenc:EncryptedData/ds:KeyInfo/ds:RetrievalMethod/@URI, '#')]",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        encrypted_symmetric_key_element = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:CipherData/xenc:CipherValue",
+          { "ds" => DSIG, "xenc" => XENC }
+        )
+        cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)
+        encrypt_method = REXML::XPath.first(
+          encrypted_key,
+          "./xenc:EncryptionMethod",
+          {"ds" => DSIG,  "xenc" => XENC }
+        )
+        algorithm = encrypt_method.attributes['Algorithm']
+        retrieve_plaintext(cipher_text, private_key, algorithm)
+      end
+
+      # Obtains the deciphered text
+      # @param cipher_text [String]   The ciphered text
+      # @param symmetric_key [String] The symetric key used to encrypt the text
+      # @param algorithm [String]     The encrypted algorithm
+      # @return [String] The deciphered text
+      def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+        case algorithm
+          when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+          when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+        end
+
+        if cipher
+          iv_len = cipher.iv_len
+          data = cipher_text[iv_len..-1]
+          cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
+          assertion_plaintext = cipher.update(data)
+          assertion_plaintext << cipher.final
+        elsif rsa
+          rsa.private_decrypt(cipher_text)
+        elsif oaep
+          oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+        else
+          cipher_text
+        end
+      end
+
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
+
+
+      # Given two strings, attempt to match them as URIs using Rails' parse method.  If they can be parsed,
+      # then the fully-qualified domain name and the host should performa a case-insensitive match, per the
+      # RFC for URIs.  If Rails can not parse the string in to URL pieces, return a boolean match of the
+      # two strings.  This maintains the previous functionality.
+      # @return [Boolean]
+      def self.uri_match?(destination_url, settings_url)
+        dest_uri = URI.parse(destination_url)
+        acs_uri = URI.parse(settings_url)
+
+        if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
+          raise URI::InvalidURIError
+        else
+          dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
+            dest_uri.host.downcase == acs_uri.host.downcase &&
+            dest_uri.path == acs_uri.path &&
+            dest_uri.query == acs_uri.query
+        end
+      rescue URI::InvalidURIError
+        original_uri_match?(destination_url, settings_url)
+      end
+
+      # If Rails' URI.parse can't match to valid URL, default back to the original matching service.
+      # @return [Boolean]
+      def self.original_uri_match?(destination_url, settings_url)
+        destination_url == settings_url
+      end
+
+      # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
+      # that there all children other than text nodes can be ignored (e.g. comments). If nil is
+      # passed, nil will be returned.
+      def self.element_text(element)
+        element.texts.map(&:value).join if element
+      end
+
+
+    end
+  end
+end

data/lib/ciam/ruby-saml/validation_error.rb

@@ -0,0 +1,7 @@
+module Ciam
+  module Saml
+    class ValidationError < Exception
+    end
+  end
+end
+

data/lib/ciam/ruby-saml/version.rb

@@ -0,0 +1,5 @@
+module Ciam
+  module Saml
+    VERSION = '0.6.0'
+  end
+end

data/lib/ciam/xml_security.rb

@@ -0,0 +1,166 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "ciam/ruby-saml/validation_error"
+
+module Ciam
+  module XMLSecurity
+
+    class SignedDocument < REXML::Document
+      C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+      DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :signed_element_id, :sig_element, :noko_sig_element
+
+      def initialize(response)
+        super(response)
+        extract_signed_element_id
+      end
+
+      def validate(idp_cert_fingerprint, soft = true)
+        # get cert from response
+        cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+        base64_cert  = cert_element.text
+        cert_text    = Base64.decode64(base64_cert)
+        cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+        # check cert matches registered idp cert
+        fingerprint = Digest::SHA2.hexdigest(cert.to_der)
+
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          return soft ? false : (raise Ciam::Saml::ValidationError.new("Fingerprint mismatch"))
+        end
+
+        validate_doc(base64_cert, soft)
+      end
+
+      def validate_doc(base64_cert, soft = true)
+        # validate references
+        # check for inclusive namespaces
+        inclusive_namespaces = extract_inclusive_namespaces
+
+        document = Nokogiri.parse(self.to_s)
+
+        # store and remove signature node
+        self.sig_element ||= begin
+          element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>DSIG})
+          element.remove
+        end
+
+
+        # verify signature
+        signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+        self.noko_sig_element ||= document.at_xpath('//ds:Signature', 'ds' => DSIG)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+        canon_algorithm = canon_algorithm REXML::XPath.first(sig_element, '//ds:CanonicalizationMethod')
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+        noko_sig_element.remove
+
+        # check digests
+        REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+          uri                           = ref.attributes.get_attribute("URI").value
+
+          hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+          canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod')
+          canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&amp;')
+
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+
+          hash                          = digest_algorithm.digest(canon_hashed_element)
+          digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+          unless digests_match?(hash, digest_value)
+            return soft ? false : (raise Ciam::Saml::ValidationError.new("Digest mismatch"))
+          end
+        end
+
+        base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+        signature               = Base64.decode64(base64_signature)
+
+        # get certificate object
+        cert_text               = Base64.decode64(base64_cert)
+        cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+        # signature method
+        signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+        unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+          return soft ? false : (raise Ciam::Saml::ValidationError.new("Key validation error"))
+        end
+
+        return true
+      end
+
+      private
+
+      def digests_match?(hash, digest_value)
+        hash == digest_value
+      end
+
+      def extract_signed_element_id
+        reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+        self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+      end
+
+      def canon_algorithm(element)
+        algorithm = element.attribute('Algorithm').value if element
+        case algorithm
+          when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+          when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+          when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+          else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        end
+      end
+
+      def algorithm(element)
+        algorithm = element.attribute("Algorithm").value if element
+        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+        case algorithm
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA1
+        end
+      end
+
+      def extract_inclusive_namespaces
+        if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+          prefix_list = element.attributes.get_attribute("PrefixList").value
+          prefix_list.split(" ")
+        else
+          []
+        end
+      end
+
+    end
+  end
+end