maestrano 0.1.0

data/lib/maestrano/saml/settings.rb

@@ -0,0 +1,37 @@
+module Maestrano
+  module Saml
+    class Settings
+      NAMEID_EMAIL_ADDRESS                 = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      NAMEID_X509_SUBJECT_NAME             = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
+      NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'
+      NAMEID_KERBEROS   = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'
+      NAMEID_ENTITY     = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
+      NAMEID_TRANSIENT  = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+      NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+      PROTOCOL_BINDING_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+      
+      def initialize(overrides = {})
+        config = DEFAULTS.merge(overrides)
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+      end
+      attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
+      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
+      attr_accessor :authn_context
+      attr_accessor :idp_slo_target_url
+      attr_accessor :name_identifier_value
+      attr_accessor :sessionindex
+      attr_accessor :assertion_consumer_logout_service_url
+      attr_accessor :compress_request
+      attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :passive
+      attr_accessor :protocol_binding
+
+      private
+
+      DEFAULTS = {:compress_request => true, :double_quote_xml_attribute_values => false}
+    end
+  end
+end

data/lib/maestrano/saml/validation_error.rb

@@ -0,0 +1,7 @@
+module Maestrano
+  module Saml
+    class ValidationError < StandardError
+    end
+  end
+end
+

data/lib/maestrano/sso.rb

@@ -0,0 +1,81 @@
+module Maestrano
+  module SSO
+    # Return the saml_settings based on
+    # Maestrano configuration
+    def self.saml_settings
+      settings = Maestrano::Saml::Settings.new
+      settings.assertion_consumer_service_url = self.consume_url
+      settings.issuer                         = Maestrano.param('app_host')
+      settings.idp_sso_target_url             = self.idp_url
+      settings.idp_cert_fingerprint           = Maestrano.param('sso_x509_fingerprint')
+      settings.name_identifier_format         = Maestrano.param('sso_name_id_format')
+      settings
+    end
+    
+    # Build a new SAML Request
+    def self.build_request(get_params = {})
+      Maestrano::Saml::Request.new(get_params)
+    end
+    
+    # Build a new SAML response
+    def self.build_response(saml_post_param)
+      Maestrano::Saml::Response.new(saml_post_param)
+    end
+    
+    def self.enabled?
+      !!Maestrano.param('sso_enabled')
+    end
+    
+    def self.init_url
+      host = Maestrano.param('app_host')
+      path = Maestrano.param('sso_app_init_path')
+      return "#{host}#{path}"
+    end
+    
+    def self.consume_url
+      host = Maestrano.param('app_host')
+      path = Maestrano.param('sso_app_consume_path')
+      return "#{host}#{path}"
+    end
+    
+    def self.logout_url
+      host = Maestrano.param('api_host')
+      path = '/app_logout'
+      return "#{host}#{path}"
+    end
+    
+    def self.unauthorized_url
+      host = Maestrano.param('api_host')
+      path = '/app_access_unauthorized'
+      return "#{host}#{path}";
+    end
+    
+    def self.idp_url
+      host = Maestrano.param('api_host')
+      api_base = Maestrano.param('api_base')
+      endpoint = 'auth/saml'
+      return "#{host}#{api_base}#{endpoint}"
+    end
+    
+    def self.session_check_url(user_uid,sso_session) 
+      host = Maestrano.param('api_host')
+      api_base = Maestrano.param('api_base')
+      endpoint = 'auth/saml'
+      return URI.escape("#{host}#{api_base}#{endpoint}/#{user_uid}?session=#{sso_session}")
+    end
+    
+    # Set maestrano attributes in session
+    # Takes the BaseUser hash representation and current session
+    # in arguments
+    def self.set_session(session, auth)
+      if auth && (extra = (auth[:extra] || auth['extra'])) && (sso_session = (extra[:session] || extra['session']))
+        session[:mno_uid] = (sso_session[:uid] || sso_session['uid'])
+        session[:mno_session] = (sso_session[:token] || sso_session['token'])
+        if recheck = (sso_session[:recheck] || sso_session['recheck'])
+          session[:mno_session_recheck] = recheck.utc.iso8601
+        end
+        session[:mno_group_uid] = (sso_session[:group_uid] || sso_session['group_uid'])
+      end
+    end
+  end
+end

data/lib/maestrano/sso/base_group.rb

@@ -0,0 +1,31 @@
+module Maestrano
+  module SSO
+    class BaseGroup
+      attr_accessor :local_id
+      attr_reader :uid,:country, :company_name, :free_trial_end_at
+      
+      # Initializer
+      # @param Maestrano::SAML::Response
+      def initialize(saml_response)
+        att = saml_response.attributes
+        @uid = att['group_uid']
+        @country = att['country']
+        @free_trial_end_at = Time.iso8601(att['group_end_free_trial'])
+        @company_name = att['company_name']
+      end
+      
+      def to_hash
+        {
+          provider: 'maestrano',
+          uid: self.uid,
+          info: {
+            free_trial_end_at: self.free_trial_end_at,
+            company_name: self.company_name,
+            country: self.country,
+          },
+          extra: {}
+        }
+      end
+    end
+  end
+end

data/lib/maestrano/sso/base_user.rb

@@ -0,0 +1,75 @@
+module Maestrano
+  module SSO
+    class BaseUser
+      attr_accessor :local_id
+      attr_reader :sso_session,:sso_session_recheck,
+        :group_uid,:group_role,:uid,:virtual_uid,:email,
+        :virtual_email,:first_name, :last_name,:country, :company_name
+      
+      # Initializer
+      # @param Maestrano::SAML::Response
+      def initialize(saml_response)
+        att = saml_response.attributes
+        @sso_session = att['mno_session']
+        @sso_session_recheck = Time.iso8601(att['mno_session_recheck'])
+        @group_uid = att['group_uid']
+        @group_role = att['group_role']
+        @uid = att['uid']
+        @virtual_uid = att['virtual_uid']
+        @email = att['email']
+        @virtual_email = att['virtual_email']
+        @first_name = att['name']
+        @last_name = att['surname']
+        @country = att['country']
+        @company_name = att['company_name']
+      end
+      
+      def to_uid
+        if Maestrano.param('user_creation_mode') == 'real'
+          return self.uid
+        else
+          return self.virtual_uid
+        end
+      end
+      
+      def to_email
+        if Maestrano.param('user_creation_mode') == 'real'
+          return self.email
+        else
+          return self.virtual_email
+        end
+      end
+      
+      # Hash representation of the resource
+      def to_hash
+        {
+          provider: 'maestrano',
+          uid: self.to_uid,
+          info: {
+            email: self.to_email,
+            first_name: self.first_name,
+            last_name: self.last_name,
+            country: self.country,
+            company_name: self.company_name,
+          },
+          extra: {
+            uid: self.uid,
+            virtual_uid: self.virtual_uid,
+            real_email: self.email,
+            virtual_email: self.virtual_email,
+            group: {
+              uid: self.group_uid,
+              role: self.group_role,
+            },
+            session: {
+              uid: self.uid,
+              token: self.sso_session,
+              recheck: self.sso_session_recheck,
+              group_uid: self.group_uid
+            },
+          }
+        }
+      end
+    end
+  end
+end

data/lib/maestrano/sso/group.rb

@@ -0,0 +1,24 @@
+module Maestrano
+  module SSO
+    module Group
+      def find_for_maestrano_auth(auth)
+        # E.g with Rails
+        # where(auth.slice(:provider, :uid)).first_or_create do |group|
+        #   group.provider = auth[:provider]
+        #   group.uid = auth[:uid]
+        #   group.name = (auth[:info][:company_name] || 'Your Group')
+        #   group.country = auth[:info][:country]
+        # end
+        raise NoMethodError, "You need to override find_for_maestrano_auth in your #{self.class.name} model"
+      end
+      
+      def maestrano?
+        if self.respond_to?(:provider)
+          return self.provider.to_s == 'maestrano'
+        else
+          raise NoMethodError, "You need to override maestrano? in your #{self.class.name} model"
+        end
+      end
+    end
+  end
+end

data/lib/maestrano/sso/session.rb

@@ -0,0 +1,63 @@
+module Maestrano
+  module SSO
+    class Session
+      attr_accessor :session, :uid, :session_token, :recheck
+      
+      def initialize(session)
+        self.session = session
+        self.uid = (self.session['mno_uid'] || self.session[:mno_uid])
+        self.session_token = (self.session['mno_session'] || self.session[:mno_session])
+        if recheck = (self.session['mno_session_recheck'] || self.session[:mno_session_recheck])
+          self.recheck = Time.iso8601(recheck)
+        end
+        
+        if self.uid.nil? || self.session_token.nil? || self.recheck.nil?
+          $stderr.puts "WARNING: Maestrano session information missing. User will have to relogin"
+        end 
+      end
+      
+      def remote_check_required?
+        if self.uid && self.session_token && self.recheck
+          return (self.recheck <= Time.now)
+        end
+        return true
+      end
+      
+      # Check remote maestrano session and update the
+      # recheck attribute if the session is still valid
+      # Return true if the session is still valid and
+      # false otherwise
+      def perform_remote_check
+        # Get remote session info
+        url = Maestrano::SSO.session_check_url(self.uid, self.session_token)
+        begin
+          response = RestClient.get(url)
+          response = JSON.parse(response)
+        rescue Exception => e
+          response = {}
+        end
+        
+        # Process response
+        if response['valid'] && response['recheck']
+          self.recheck = Time.iso8601(response['recheck'])
+          return true
+        end
+        
+        return false
+      end
+      
+      def valid?
+        if self.remote_check_required?
+          if perform_remote_check
+            self.session[:mno_session_recheck] = self.recheck.utc.iso8601
+            return true
+          else
+            return false
+          end
+        end
+        return true
+      end
+      
+    end
+  end
+end

data/lib/maestrano/sso/user.rb

@@ -0,0 +1,34 @@
+module Maestrano
+  module SSO
+    module User
+      def find_for_maestrano_auth(auth)
+        # E.g with Rails
+        # where(auth.slice(:provider, :uid)).first_or_create do |user|
+        #   user.provider = auth[:provider]
+        #   user.uid = auth[:uid]
+        #   user.email = auth[:info][:email]
+        #   user.name = auth[:info][:first_name]
+        #   user.surname = auth[:info][:last_name]
+        #   user.country = auth[:info][:country]
+        #   user.company = auth[:info][:company_name]
+        # end
+        raise NoMethodError, "You need to override find_for_maestrano_auth in your #{self.class.name} model"
+      end
+      
+      # Check whether the user is a maestrano one
+      def maestrano?
+        if self.respond_to?(:provider)
+          return self.provider.to_s == 'maestrano'
+        else
+          raise NoMethodError, "You need to override maestrano? in your #{self.class.name} model"
+        end
+      end
+      
+      # Check whether the SSO session is still valid
+      # or not
+      def maestrano_session_valid?(session)
+        Maestrano::SSO::Session.new(session).valid?
+      end
+    end
+  end
+end

data/lib/maestrano/version.rb

@@ -0,0 +1,3 @@
+module Maestrano
+  VERSION = '0.1.0'
+end

data/lib/maestrano/xml_security/signed_document.rb

@@ -0,0 +1,170 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+require "maestrano/saml/validation_error"
+
+module Maestrano
+  module XMLSecurity
+    class SignedDocument < REXML::Document
+      C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+      DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :signed_element_id
+
+      def initialize(response)
+        super(response)
+        extract_signed_element_id
+      end
+
+      def validate_document(idp_cert_fingerprint, soft = true)
+        # get cert from response
+        cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+        raise Maestrano::Saml::ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
+        base64_cert  = cert_element.text
+        cert_text    = Base64.decode64(base64_cert)
+        cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+        # check cert matches registered idp cert
+        fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          return soft ? false : (raise Maestrano::Saml::ValidationError.new("Fingerprint mismatch"))
+        end
+
+        validate_signature(base64_cert, soft)
+      end
+
+      def validate_signature(base64_cert, soft = true)
+        # validate references
+
+        # check for inclusive namespaces
+        inclusive_namespaces = extract_inclusive_namespaces
+
+        document = Nokogiri.parse(self.to_s)
+
+        # create a working copy so we don't modify the original
+        @working_copy ||= REXML::Document.new(self.to_s).root
+
+        # store and remove signature node
+        @sig_element ||= begin
+          element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
+          element.remove
+        end
+
+
+        # verify signature
+        signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+        noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+        canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+        noko_sig_element.remove
+
+        # check digests
+        REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+          uri                           = ref.attributes.get_attribute("URI").value
+
+          hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+          canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+          canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+
+          hash                          = digest_algorithm.digest(canon_hashed_element)
+          digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+          unless digests_match?(hash, digest_value)
+            return soft ? false : (raise Maestrano::Saml::ValidationError.new("Digest mismatch"))
+          end
+        end
+
+        base64_signature        = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+        signature               = Base64.decode64(base64_signature)
+
+        # get certificate object
+        cert_text               = Base64.decode64(base64_cert)
+        cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+        # signature method
+        signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+        unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+          return soft ? false : (raise Maestrano::Saml::ValidationError.new("Key validation error"))
+        end
+
+        return true
+      end
+
+      private
+
+      def digests_match?(hash, digest_value)
+        hash == digest_value
+      end
+
+      def extract_signed_element_id
+        reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+        self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+      end
+
+      def canon_algorithm(element)
+        algorithm = element.attribute('Algorithm').value if element
+        case algorithm
+          when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+          when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+          when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+          else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        end
+      end
+
+      def algorithm(element)
+        algorithm = element.attribute("Algorithm").value if element
+        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+        case algorithm
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA1
+        end
+      end
+
+      def extract_inclusive_namespaces
+        if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+          prefix_list = element.attributes.get_attribute("PrefixList").value
+          prefix_list.split(" ")
+        else
+          []
+        end
+      end
+
+    end
+  end
+end