kl-ruby-saml 0.0.1

data/lib/onelogin/ruby-saml/http_error.rb

@@ -0,0 +1,7 @@
+module OneLogin
+  module RubySaml
+    class HttpError < StandardError
+    end
+  end
+end
+

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -0,0 +1,161 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "net/http"
+require "net/https"
+require "rexml/document"
+require "rexml/xpath"
+
+# Only supports SAML 2.0
+module OneLogin
+  module RubySaml
+    include REXML
+
+    # Auxiliary class to retrieve and parse the Identity Provider Metadata
+    #
+    class IdpMetadataParser
+
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_reader :document
+      attr_reader :response
+
+      # Parse the Identity Provider metadata and update the settings with the
+      # IdP values
+      #
+      # @param (see IdpMetadataParser#get_idp_metadata)
+      # @return (see IdpMetadataParser#get_idp_metadata)
+      # @raise (see IdpMetadataParser#get_idp_metadata)
+      def parse_remote(url, validate_cert = true)
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse(idp_metadata)
+      end
+
+      # Parse the Identity Provider metadata and update the settings with the IdP values
+      # @param idp_metadata [String] 
+      #
+      def parse(idp_metadata)
+        @document = REXML::Document.new(idp_metadata)
+
+        OneLogin::RubySaml::Settings.new.tap do |settings|
+          settings.idp_entity_id = idp_entity_id
+          settings.name_identifier_format = idp_name_id_format
+          settings.idp_sso_target_url = single_signon_service_url
+          settings.idp_slo_target_url = single_logout_service_url
+          settings.idp_cert_fingerprint = fingerprint
+        end
+      end
+
+      private
+
+      # Retrieve the remote IdP metadata from the URL or a cached copy.
+      # @param url [String] Url where the XML of the Identity Provider Metadata is published.
+      # @param validate_cert [Boolean] If true and the URL is HTTPs, the cert of the domain is checked.
+      # @return [REXML::document] Parsed XML IdP metadata
+      # @raise [HttpError] Failure to fetch remote IdP metadata
+      def get_idp_metadata(url, validate_cert)
+        uri = URI.parse(url)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+          meta_text = response.body
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          if validate_cert
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+            # Net::HTTP in Ruby 1.8 did not set the default certificate store
+            # automatically when VERIFY_PEER was specified.
+            if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
+              http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+            end
+          else
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+          meta_text = response.body
+        else
+          raise ArgumentError.new("url must begin with http or https")
+        end
+
+        unless response.is_a? Net::HTTPSuccess
+          raise OneLogin::RubySaml::HttpError.new("Failed to fetch idp metadata")
+        end
+
+        meta_text
+      end
+
+      # @return [String|nil] IdP Entity ID value if exists
+      #
+      def idp_entity_id
+        node = REXML::XPath.first(
+          document,
+          "/md:EntityDescriptor/@entityID",
+          { "md" => METADATA }
+        )
+        node.value if node
+      end
+
+      # @return [String|nil] IdP Name ID Format value if exists
+      #
+      def idp_name_id_format
+        node = REXML::XPath.first(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat",
+          { "md" => METADATA }
+        )
+        node.text if node
+      end
+
+      # @return [String|nil] SingleSignOnService endpoint if exists
+      #
+      def single_signon_service_url
+        node = REXML::XPath.first(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location",
+          { "md" => METADATA }
+        )
+        node.value if node
+      end
+
+      # @return [String|nil] SingleLogoutService endpoint if exists
+      #
+      def single_logout_service_url
+        node = REXML::XPath.first(
+          document,
+          "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location",
+          { "md" => METADATA }
+        )
+        node.value if node
+      end
+
+      # @return [String|nil] X509Certificate if exists
+      #
+      def certificate
+        @certificate ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+            { "md" => METADATA, "ds" => DSIG }
+          )
+          Base64.decode64(node.text) if node
+        end
+      end
+
+      # @return [String|nil] the SHA-1 fingerpint of the X509Certificate if it exists
+      #
+      def fingerprint
+        @fingerprint ||= begin
+          if certificate
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logging.rb

@@ -0,0 +1,30 @@
+require 'logger'
+
+# Simplistic log class when we're running in Rails
+module OneLogin
+  module RubySaml
+    class Logging
+      DEFAULT_LOGGER = ::Logger.new(STDOUT)
+
+      def self.logger
+        @logger || (defined?(::Rails) && Rails.logger) || DEFAULT_LOGGER
+      end
+
+      def self.logger=(logger)
+        @logger = logger
+      end
+
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        logger.debug message
+      end
+
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        logger.info message
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -0,0 +1,131 @@
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
+
+# Only supports SAML 2.0
+module OneLogin
+  module RubySaml
+
+    # SAML2 Logout Request (SLO SP initiated, Builder)
+    #
+    class Logoutrequest < SamlMessage
+
+      # Logout Request ID
+      attr_reader :uuid
+
+      # Initializes the Logout Request. A Logoutrequest Object that is an extension of the SamlMessage class.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = "_" + UUID.new.generate
+      end
+
+      # Creates the Logout Request string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] Logout Request string that includes the SAMLRequest
+      #
+      def create(settings, params={})
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      # Creates the Get parameters for the logout request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        request_doc = create_logout_request_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created SLO Logout Request: #{request}"
+
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          params['Signature'] = encode(signature)
+        end
+
+        params.each_pair do |key, value|
+          request_params[key] = value.to_s
+        end
+
+        request_params
+      end
+
+      # Creates the SAMLRequest String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @return [String] The SAMLRequest String.
+      #
+      def create_logout_request_xml_doc(settings)
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
+
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
+
+        if settings.issuer
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
+
+        nameid = root.add_element "saml:NameID"
+        if settings.name_identifier_value
+          nameid.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          nameid.text = settings.name_identifier_value
+        else
+          # If no NameID is present in the settings we generate one
+          nameid.text = "_" + UUID.new.generate
+          nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        end
+
+        if settings.sessionindex
+          sessionindex = root.add_element "samlp:SessionIndex"
+          sessionindex.text = settings.sessionindex
+        end
+
+        # embed signature
+        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        request_doc
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -0,0 +1,241 @@
+require "xml_security"
+require "onelogin/ruby-saml/saml_message"
+
+require "time"
+
+# Only supports SAML 2.0
+module OneLogin
+  module RubySaml
+
+    # SAML2 Logout Response (SLO IdP initiated, Parser)
+    #
+    class Logoutresponse < SamlMessage
+
+      # OneLogin::RubySaml::Settings Toolkit settings
+      attr_accessor :settings
+
+      # Array with the causes
+      attr_accessor :errors
+
+      attr_reader :document
+      attr_reader :response
+      attr_reader :options
+
+      attr_accessor :soft
+
+      # Constructs the Logout Response. A Logout Response Object that is an extension of the SamlMessage class.
+      # @param response  [String] A UUEncoded logout response from the IdP.
+      # @param settings  [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param options   [Hash] Extra parameters. 
+      #                    :matches_request_id It will validate that the logout response matches the ID of the request.
+      #                    :get_params GET Parameters, including the SAMLResponse
+      # @raise [ArgumentError] if response is nil
+      #
+      def initialize(response, settings = nil, options = {})
+        @errors = []
+        raise ArgumentError.new("Logoutresponse cannot be nil") if response.nil?
+        @settings = settings
+
+        if settings.nil? || settings.soft.nil?
+          @soft = true
+        else
+          @soft = settings.soft
+        end
+
+        @options = options
+        @response = decode_raw_saml(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
+      end
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception
+      def append_error(error_msg)
+        @errors << error_msg
+        return soft ? false : validation_error(error_msg)
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+
+      # Checks if the Status has the "Success" code
+      # @return [Boolean] True if the StatusCode is Sucess
+      # @raise [ValidationError] if soft == false and validation fails
+      # 
+      def success?
+        unless status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+          return append_error("Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <#@status_code>")
+        end
+        true
+      end
+
+      # @return [String|nil] Gets the InResponseTo attribute from the Logout Response if exists.
+      #
+      def in_response_to
+        @in_response_to ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:LogoutResponse",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+          node.nil? ? nil : node.attributes['InResponseTo']
+        end
+      end
+
+      # @return [String] Gets the Issuer from the Logout Response.
+      #
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:LogoutResponse/a:Issuer",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+          node.nil? ? nil : node.text
+        end
+      end
+
+      # @return [String] Gets the StatusCode from a Logout Response.
+      #
+      def status_code
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes["Value"]
+        end
+      end
+
+      def status_message
+        @status_message ||= begin
+          node = REXML::XPath.first(
+            document,
+            "/p:LogoutResponse/p:Status/p:StatusMessage",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+          node.text if node
+        end
+      end
+
+      # Aux function to validate the Logout Response
+      # @return [Boolean] TRUE if the SAML Response is valid
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate
+        reset_errors!
+
+        valid_state? &&
+        validate_success_status &&
+        validate_structure &&
+        valid_in_response_to? &&
+        valid_issuer? &&
+        validate_signature
+      end
+
+      private
+
+      # Validates the Status of the Logout Response
+      # If fails, the error is added to the errors array, including the StatusCode returned and the Status Message.
+      # @return [Boolean] True if the Logout Response contains a Success code, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_success_status
+        return true if success?
+
+        error_msg = 'The status code of the Logout Response was not Success'
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        append_error(status_error_msg)
+      end
+
+      # Validates the Logout Response against the specified schema.
+      # @return [Boolean] True if the XML is valid, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails 
+      #
+      def validate_structure
+        unless valid_saml?(document, soft)
+          return append_error("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd")
+        end
+
+        true
+      end
+
+       # Validates that the Logout Response provided in the initialization is not empty,
+       # also check that the setting and the IdP cert were also provided
+       # @return [Boolean] True if the required info is found, otherwise False if soft=True
+       # @raise [ValidationError] if soft == false and validation fails
+       #
+      def valid_state?
+        return append_error("Blank logout response") if response.empty?
+
+        return append_error("No settings on logout response") if settings.nil?
+
+        return append_error("No issuer in settings of the logout response") if settings.issuer.nil?
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return append_error("No fingerprint or certificate on settings of the logout response")
+        end
+
+        true
+      end
+
+      # Validates if a provided :matches_request_id matchs the inResponseTo value.
+      # @param soft [String|nil] request_id The ID of the Logout Request sent by this SP to the IdP (if was sent any)
+      # @return [Boolean] True if there is no request_id or it match, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def valid_in_response_to?
+        return true unless options.has_key? :matches_request_id
+
+        unless options[:matches_request_id] == in_response_to
+          return append_error("Response does not match the request ID, expected: <#{options[:matches_request_id]}>, but was: <#{in_response_to}>")
+        end
+
+        true
+      end
+
+      # Validates the Issuer of the Logout Response
+      # @return [Boolean] True if the Issuer matchs the IdP entityId, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def valid_issuer?
+        return true if settings.idp_entity_id.nil? || issuer.nil?
+
+        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+          return append_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      # Validates the Signature if it exists and the GET parameters are provided
+      # @return [Boolean] True if not contains a Signature or if the Signature is valid, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #      
+      def validate_signature
+        return true unless !options.nil?
+        return true unless options.has_key? :get_params
+        return true unless options[:get_params].has_key? 'Signature'
+        return true if settings.nil? || settings.get_idp_cert.nil?
+        
+        query_string = OneLogin::RubySaml::Utils.build_query(
+          :type        => 'SAMLResponse',
+          :data        => options[:get_params]['SAMLResponse'],
+          :relay_state => options[:get_params]['RelayState'],
+          :sig_alg     => options[:get_params]['SigAlg']
+        )
+
+        valid = OneLogin::RubySaml::Utils.verify_signature(
+          :cert         => settings.get_idp_cert,
+          :sig_alg      => options[:get_params]['SigAlg'],
+          :signature    => options[:get_params]['Signature'],
+          :query_string => query_string
+        )
+
+        unless valid
+          error_msg = "Invalid Signature on Logout Response"
+          return append_error(error_msg)
+        end
+        true        
+      end
+
+    end
+  end
+end