kl-ruby-saml 0.0.1

data/Rakefile

@@ -0,0 +1,41 @@
+require 'rubygems'
+require 'rake'
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/changelog.md

@@ -0,0 +1,75 @@
+# RubySaml Changelog
+
+### 1.0.0 (June 30, 2015)
+* [#247](https://github.com/onelogin/ruby-saml/pull/247) Avoid entity expansion (XEE attacks)
+* [#246](https://github.com/onelogin/ruby-saml/pull/246) Fix bug generating Logout Response (issuer was at wrong order)
+* [#243](https://github.com/onelogin/ruby-saml/issues/243) and [#244](https://github.com/onelogin/ruby-saml/issues/244) Fix metadata builder errors. Fix metadata xsd.
+* [#241](https://github.com/onelogin/ruby-saml/pull/241) Add decrypt support (EncryptID and EncryptedAssertion). Improve compatibility with namespaces. 
+* [#240](https://github.com/onelogin/ruby-saml/pull/240) and [#238](https://github.com/onelogin/ruby-saml/pull/238) Improve test coverage and refactor.
+* [#239](https://github.com/onelogin/ruby-saml/pull/239) Improve security: Add more validations to SAMLResponse, LogoutRequest and LogoutResponse. Refactor code and improve tests coverage.
+* [#237](https://github.com/onelogin/ruby-saml/pull/237) Don't pretty print metadata by default.
+* [#235](https://github.com/onelogin/ruby-saml/pull/235) Remove the soft parameter from validation methods. Now can be configured on the settings and each class read it and store as an attribute of the class. Adding some validations and refactor old ones.
+* [#232](https://github.com/onelogin/ruby-saml/pull/232) Improve validations: Store the causes in the errors array, code refactor
+* [#231](https://github.com/onelogin/ruby-saml/pull/231) Refactor HTTP-Redirect Sign method, Move test data to right folder
+* [#226](https://github.com/onelogin/ruby-saml/pull/226) Ensure IdP certificate is formatted properly
+* [#225](https://github.com/onelogin/ruby-saml/pull/225) Add documentation to several methods. Fix xpath injection on xml_security.rb
+* [#223](https://github.com/onelogin/ruby-saml/pull/223) Allow logging to be delegated to an arbitrary Logger
+* [#222](https://github.com/onelogin/ruby-saml/pull/222) No more silent failure fetching idp metadata (OneLogin::RubySaml::HttpError raised).
+
+### 0.9.2 (Apr 28, 2015)
+* [#216](https://github.com/onelogin/ruby-saml/pull/216) Add fingerprint algorithm support
+* [#218](https://github.com/onelogin/ruby-saml/pull/218) Update README.md
+* [#214](https://github.com/onelogin/ruby-saml/pull/214) Cleanup `SamlMessage` class
+* [#213](https://github.com/onelogin/ruby-saml/pull/213) Add ability to sign metadata. (Improved)
+* [#212](https://github.com/onelogin/ruby-saml/pull/212) Rename library entry point
+* [#210](https://github.com/onelogin/ruby-saml/pull/210) Call assert in tests
+* [#208](https://github.com/onelogin/ruby-saml/pull/208) Update tests and CI for Ruby 2.2.0
+* [#205](https://github.com/onelogin/ruby-saml/pull/205) Allow requirement of single files
+* [#204](https://github.com/onelogin/ruby-saml/pull/204) Require ‘net/http’ library
+* [#201](https://github.com/onelogin/ruby-saml/pull/201) Freeze and duplicate default security settings hash so that it doesn't get modified.
+* [#200](https://github.com/onelogin/ruby-saml/pull/200) Set default SSL certificate store in Ruby 1.8.
+* [#199](https://github.com/onelogin/ruby-saml/pull/199) Change Nokogiri's runtime dependency to fix support for Ruby 1.8.7.
+* [#179](https://github.com/onelogin/ruby-saml/pull/179) Add support for setting the entity ID and name ID format when parsing metadata
+* [#175](https://github.com/onelogin/ruby-saml/pull/175) Introduce thread safety to SAML schema validation
+* [#171](https://github.com/onelogin/ruby-saml/pull/171) Fix inconsistent results with using regex matches in decode_raw_saml
+
+### 0.9.1 (Feb 10, 2015)
+* [#194](https://github.com/onelogin/ruby-saml/pull/194) Relax nokogiri gem requirements
+* [#191](https://github.com/onelogin/ruby-saml/pull/191) Use Minitest instead of Test::Unit
+
+### 0.9 (Jan 26, 2015)
+* [#169](https://github.com/onelogin/ruby-saml/pull/169) WantAssertionSigned should be either true or false
+* [#167](https://github.com/onelogin/ruby-saml/pull/167) (doc update) make unit of clock drift obvious
+* [#160](https://github.com/onelogin/ruby-saml/pull/160) Extended solution for Attributes method [] can raise NoMethodError
+* [#158](https://github.com/onelogin/ruby-saml/pull/1) Added ability to specify attribute services in metadata
+* [#154](https://github.com/onelogin/ruby-saml/pull/154) Fix incorrect gem declaration statement
+* [#152](https://github.com/onelogin/ruby-saml/pull/152) Fix the PR #99
+* [#150](https://github.com/onelogin/ruby-saml/pull/150) Nokogiri already in gemspec
+* [#147](https://github.com/onelogin/ruby-saml/pull/147) Fix LogoutResponse issuer validation and implement SAML Response issuer validation.
+* [#144](https://github.com/onelogin/ruby-saml/pull/144) Fix DigestMethod lookup bug
+* [#139](https://github.com/onelogin/ruby-saml/pull/139) Fixes handling of some soft and hard validation failures
+* [#138](https://github.com/onelogin/ruby-saml/pull/138) Change logoutrequest.rb to UTC time
+* [#136](https://github.com/onelogin/ruby-saml/pull/136) Remote idp metadata
+* [#135](https://github.com/onelogin/ruby-saml/pull/135) Restored support for NIL as well as empty AttributeValues
+* [#134](https://github.com/onelogin/ruby-saml/pull/134) explicitly require "onelogin/ruby-saml/logging"
+* [#133](https://github.com/onelogin/ruby-saml/pull/133) Added license to gemspec
+* [#132](https://github.com/onelogin/ruby-saml/pull/132) Support AttributeConsumingServiceIndex in AuthnRequest
+* [#131](https://github.com/onelogin/ruby-saml/pull/131) Add ruby 2.1.1 to .travis.yml
+* [#122](https://github.com/onelogin/ruby-saml/pull/122) Fixes #112 and #117 in a backwards compatible manner
+* [#119](https://github.com/onelogin/ruby-saml/pull/119) Add support for extracting IdP details from metadata xml
+
+### 0.8.2 (Jan 26, 2015)
+* [#183](https://github.com/onelogin/ruby-saml/pull/183) Resolved a security vulnerability where string interpolation in a `REXML::XPath.first()` method call allowed for arbitrary code execution.
+
+### 0.8.0 (Feb 21, 2014)
+**IMPORTANT**: This release changed namespace of the gem from `OneLogin::Saml` to `OneLogin::RubySaml`.  Please update your implementations of the gem accordingly.
+
+* [#111](https://github.com/onelogin/ruby-saml/pull/111) `Onelogin::` is `OneLogin::`
+* [#108](https://github.com/onelogin/ruby-saml/pull/108) Change namespacing from `Onelogin::Saml` to `Onelogin::Rubysaml`
+
+
+### 0.7.3 (Feb 20, 2014)
+Updated gem dependencies to be compatible with Ruby 1.8.7-p374 and 1.9.3-p448. Removed unnecessary `canonix` gem dependency.
+
+* [#107](https://github.com/onelogin/ruby-saml/pull/107) Relax nokogiri version requirement to >= 1.5.0
+* [#105](https://github.com/onelogin/ruby-saml/pull/105) Lock Gem versions, fix to resolve possible namespace collision

data/gemfiles/nokogiri-1.5.gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem "nokogiri", "~> 1.5.10"
+
+gemspec :path => "../"

data/lib/onelogin/ruby-saml.rb

@@ -0,0 +1,17 @@
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/saml_message'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/logoutrequest'
+require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/slo_logoutrequest'
+require 'onelogin/ruby-saml/slo_logoutresponse'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/attribute_service'
+require 'onelogin/ruby-saml/http_error'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/idp_metadata_parser'
+require 'onelogin/ruby-saml/utils'
+require 'onelogin/ruby-saml/version'

data/lib/onelogin/ruby-saml/attribute_service.rb

@@ -0,0 +1,57 @@
+module OneLogin
+  module RubySaml
+
+    # SAML2 AttributeService. Auxiliary class to build the AttributeService of the SP Metadata
+    #
+    class AttributeService
+      attr_reader :attributes
+      attr_reader :name
+      attr_reader :index
+
+      # Initializes the AttributeService, set the index value as 1 and an empty array as attributes
+      #
+      def initialize
+        @index = "1"
+        @attributes = []
+      end
+
+      def configure(&block)
+        instance_eval &block
+      end
+
+      # @return [Boolean] True if the AttributeService object has been initialized and set with the required values
+      #                   (has attributes and a name)
+      def configured?
+        @attributes.length > 0 && !@name.nil?
+      end
+
+      # Set a name to the service
+      # @param name [String] The service name
+      #
+      def service_name(name)
+        @name = name
+      end
+
+      # Set an index to the service
+      # @param index [Integer] An index
+      #
+      def service_index(index)
+        @index = index
+      end
+
+      # Add an AttributeService
+      # @param options [Hash] AttributeService option values
+      #   add_attribute(
+      #                 :name => "Name",
+      #                 :name_format => "Name Format",
+      #                 :index => 1,
+      #                 :friendly_name => "Friendly Name",
+      #                 :attribute_value => "Attribute Value"
+      #                )
+      #
+      def add_attribute(options={})
+        attributes << options
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/attributes.rb

@@ -0,0 +1,128 @@
+module OneLogin
+  module RubySaml
+
+    # SAML2 Attributes. Parse the Attributes from the AttributeStatement of the SAML Response. 
+    #
+    class Attributes
+      include Enumerable
+
+      attr_reader :attributes
+
+      # By default Attributes#[] is backwards compatible and
+      # returns only the first value for the attribute
+      # Setting this to `false` returns all values for an attribute
+      @@single_value_compatibility = true
+
+      # @return [Boolean] Get current status of backwards compatibility mode.
+      #
+      def self.single_value_compatibility
+        @@single_value_compatibility
+      end
+
+      # Sets the backwards compatibility mode on/off.
+      # @param value [Boolean]
+      #
+      def self.single_value_compatibility=(value)
+        @@single_value_compatibility = value
+      end
+
+      # @param attrs [Hash] The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
+      #    Attributes.new({
+      #      'name' => ['value1', 'value2'],
+      #      'mail' => ['value1'],
+      #    })
+      #
+      def initialize(attrs = {})
+        @attributes = attrs
+      end
+
+
+      # Iterate over all attributes
+      #
+      def each
+        attributes.each{|name, values| yield name, values}
+      end
+
+      
+      # Test attribute presence by name
+      # @param name [String] The attribute name to be checked
+      #
+      def include?(name)
+        attributes.has_key?(canonize_name(name))
+      end
+      
+      # Return first value for an attribute
+      # @param name [String] The attribute name
+      # @return [String] The value (First occurrence)
+      #
+      def single(name)
+        attributes[canonize_name(name)].first if include?(name)
+      end
+
+      # Return all values for an attribute
+      # @param name [String] The attribute name
+      # @return [Array] Values of the attribute
+      #
+      def multi(name)
+        attributes[canonize_name(name)]
+      end
+
+      # Retrieve attribute value(s)
+      # @param name [String] The attribute name
+      # @return [String|Array] Depending on the single value compatibility status this returns:
+      #                        - First value if single_value_compatibility = true
+      #                          response.attributes['mail']  # => 'user@example.com'
+      #                        - All values if single_value_compatibility = false
+      #                          response.attributes['mail']  # => ['user@example.com','user@example.net']
+      #
+      def [](name)
+        self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
+      end
+
+      # @return [Array] Return all attributes as an array
+      #
+      def all
+        attributes
+      end
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def set(name, values)
+        attributes[canonize_name(name)] = values
+      end
+      alias_method :[]=, :set
+
+      # @param name [String] The attribute name
+      # @param values [Array] The values
+      #
+      def add(name, values = [])
+        attributes[canonize_name(name)] ||= []
+        attributes[canonize_name(name)] += Array(values)
+      end
+
+      # Make comparable to another Attributes collection based on attributes
+      # @param other [Attributes] An Attributes object to compare with
+      # @return [Boolean] True if are contains the same attributes and values
+      #
+      def ==(other)
+        if other.is_a?(Attributes)
+          all == other.all
+        else
+          super
+        end
+      end
+
+      protected
+
+      # stringifies all names so both 'email' and :email return the same result
+      # @param name [String] The attribute name
+      # @return [String] stringified name
+      #
+      def canonize_name(name)
+        name.to_s
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -0,0 +1,156 @@
+require "uuid"
+require "rexml/document"
+
+require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
+
+# Only supports SAML 2.0
+module OneLogin
+  module RubySaml
+  include REXML
+
+    # SAML2 Authentication. AuthNRequest (SSO SP initiated, Builder)
+    #
+    class Authrequest < SamlMessage
+
+      # AuthNRequest ID
+      attr_reader :uuid
+
+      # Initializes the AuthNRequest. An Authrequest Object that is an extension of the SamlMessage class.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = "_" + UUID.new.generate
+      end
+
+      # Creates the AuthNRequest string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] AuthNRequest string that includes the SAMLRequest
+      #
+      def create(settings, params = {})
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        @login_url = settings.idp_sso_target_url + request_params
+      end
+
+      # Creates the Get parameters for the request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        request_doc = create_authentication_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created AuthnRequest: #{request}"
+
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          params['Signature'] = encode(signature)
+        end
+
+        params.each_pair do |key, value|
+          request_params[key] = value.to_s
+        end
+
+        request_params
+      end
+
+      # Creates the SAMLRequest String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @return [String] The SAMLRequest String.
+      #
+      def create_authentication_xml_doc(settings)
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
+        root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+        root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
+        root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
+
+        # Conditionally defined elements based on settings
+        if settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+        end
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", {
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => settings.name_identifier_format
+          }
+        end
+
+        if settings.authn_context || settings.authn_context_decl_ref
+
+          if settings.authn_context_comparison != nil
+            comparison = settings.authn_context_comparison
+          else
+            comparison = 'exact'
+          end
+
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+            "Comparison" => comparison,
+          }
+
+          if settings.authn_context != nil
+            class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+            class_ref.text = settings.authn_context
+          end
+          # add saml:AuthnContextDeclRef element
+          if settings.authn_context_decl_ref != nil
+            class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+            class_ref.text = settings.authn_context_decl_ref
+          end
+        end
+
+        # embed signature
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        request_doc
+      end
+
+    end
+  end
+end