ruby-saml-mod 0.1.30 → 0.2.0

data/spec/logout_request_spec.rb

@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+def verify_query_string_signature(settings, forward_url)
+  url = URI.parse(forward_url)
+  signed_data, signature = url.query.split('&Signature=')
+  cert = OpenSSL::X509::Certificate.new(File.read(settings.xmlsec_certificate))
+  cert.public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(CGI.unescape(signature)), signed_data)
+end
+
+# see http://stackoverflow.com/questions/1361892/how-to-decompress-gzip-string-in-ruby
+def inflate(string)
+  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+  buf = zstream.inflate(string)
+  zstream.finish
+  zstream.close
+  buf
+end
+
+describe Onelogin::Saml::LogoutRequest do
+  let(:settings) do
+    Onelogin::Saml::Settings.new(
+      :xmlsec_certificate => fixture_path("test1-cert.pem"),
+      :xmlsec_privatekey => fixture_path("test1-key.pem"),
+      :idp_slo_target_url => "http://idp.example.com/saml2",
+      :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
+      :name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
+    )
+  end
+
+  let(:name_qualifier) { 'foo' }
+  let(:name_id) { 'bar'}
+  let(:session_index) { 'baz' }
+
+  let(:logout_request) do
+    Onelogin::Saml::LogoutRequest::generate(
+      name_qualifier,
+      name_id,
+      session_index,
+      settings
+    )
+  end
+
+  let(:forward_url) { logout_request.forward_url }
+
+  it "includes destination in the saml:LogoutRequest attributes" do
+    logout_xml = LibXML::XML::Document.string(logout_request.xml)
+    logout_xml.find_first('/samlp:LogoutRequest', Onelogin::NAMESPACES).attributes['Destination'].should ==  "http://idp.example.com/saml2"
+  end
+
+  it "properly sets the Format attribute NameID based on settings" do
+    logout_xml = LibXML::XML::Document.string(logout_request.xml)
+    logout_xml.find_first('/samlp:LogoutRequest/saml:NameID', Onelogin::NAMESPACES).attributes['Format'].should == Onelogin::Saml::NameIdentifiers::UNSPECIFIED
+  end
+
+  it "does not include the signature in the request xml" do
+    logout_xml = LibXML::XML::Document.string(logout_request.xml)
+    logout_xml.find_first('/samlp:LogoutRequest/ds:Signature', Onelogin::NAMESPACES).should be_nil
+  end
+
+  it "can sign the generated query string" do
+    expect(verify_query_string_signature(settings, forward_url)).to be_true
+  end
+
+  it "properly signs when the IDP URL already contains a query string" do
+    settings = Onelogin::Saml::Settings.new(
+      :xmlsec_certificate => fixture_path("test1-cert.pem"),
+      :xmlsec_privatekey => fixture_path("test1-key.pem"),
+      :idp_slo_target_url => "http://idp.example.com/saml2?existing=param",
+      :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33',
+      :name_identifier_format => Onelogin::Saml::NameIdentifiers::UNSPECIFIED
+    )
+    request = Onelogin::Saml::LogoutRequest.generate(name_qualifier, name_id, session_index, settings)
+    expect(request.forward_url).to match(%r{^http://idp.example.com/saml2\?existing=param&})
+    expect(verify_query_string_signature(settings, request.forward_url)).to be_true
+  end
+
+  it "parses a logout request" do
+    xml = Zlib::Deflate.deflate(File.read(fixture_path("logout_request.xml")), 9)[2..-5]
+
+    xmlb64 = Base64.encode64(xml)
+    settings = Onelogin::Saml::Settings.new
+    request = Onelogin::Saml::LogoutRequest::parse(xmlb64)
+
+    expect(request.id).to eq '_cbb63e9741259e3f1c98a1ae38ac5ac25889720b32'
+    expect(request.issuer).to eq 'http://saml.example.com:8080/opensso'
+    expect(request.name_id).to eq '_6a171f538d4f733ae95eca74ce264cfb602808c850'
+    expect(request.session_index).to eq '_b976de57fcf0f707de297069f33a6b0248827d96a9'
+  end
+end

data/spec/logout_response_spec.rb

@@ -0,0 +1,76 @@
+require 'spec_helper'
+require 'rexml/document'
+require 'cgi'
+
+describe Onelogin::Saml::LogoutResponse do
+  let(:id) { Onelogin::Saml::LogoutResponse.generate_unique_id(42) }
+  let(:issue_instant) { Onelogin::Saml::LogoutResponse.get_timestamp }
+  let(:in_response_to) { Onelogin::Saml::LogoutResponse.generate_unique_id(42) }
+  let(:idp_slo_target_url) { 'http://idp.example.com/saml2' }
+  let(:issuer) { 'http://idp.example.com/saml2' }
+  let(:session) { {} }
+
+  let(:settings) do
+    Onelogin::Saml::Settings.new(
+      idp_slo_target_url: idp_slo_target_url,
+      issuer: issuer
+    )
+  end
+
+  let(:xml) do
+    allow(Onelogin::Saml::LogoutResponse).to receive(:generate_unique_id).and_return(id)
+    allow(Onelogin::Saml::LogoutResponse).to receive(:get_timestamp).and_return(issue_instant)
+
+    Onelogin::Saml::LogoutResponse::generate(in_response_to, settings).document
+  end
+
+  it "includes destination in the saml:LogoutRequest attributes" do
+    value = xml.find_first('/samlp:LogoutResponse', Onelogin::NAMESPACES).attributes['Destination']
+    expect(value).to eq "http://idp.example.com/saml2"
+  end
+
+  it "includes id in the saml:LogoutRequest attributes" do
+    value = xml.find_first('/samlp:LogoutResponse', Onelogin::NAMESPACES).attributes['ID']
+    expect(value).to eq id
+  end
+
+  it "includes issue_instant in the saml:LogoutRequest attributes" do
+    value = xml.find_first('/samlp:LogoutResponse', Onelogin::NAMESPACES).attributes['IssueInstant']
+    expect(value).to eq issue_instant
+  end
+
+  it "includes in_response_to in the saml:LogoutRequest attributes" do
+    value = xml.find_first('/samlp:LogoutResponse', Onelogin::NAMESPACES).attributes['InResponseTo']
+    expect(value).to eq in_response_to
+  end
+
+  it "includes issuer tag" do
+    value = xml.find_first("/samlp:LogoutResponse/saml:Issuer", Onelogin::NAMESPACES).content
+    expect(value).to eq issuer
+  end
+
+  it "includes status code tag" do
+    value = xml.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES).attributes['Value']
+    expect(value).to eq Onelogin::Saml::StatusCodes::SUCCESS_URI
+  end
+
+  it "includes status message tag" do
+    value = xml.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusMessage", Onelogin::NAMESPACES).content
+    expect(value).to eq Onelogin::Saml::LogoutResponse::STATUS_MESSAGE
+  end
+
+  it "should use namespaces correctly to look up attributes" do
+    xml = Zlib::Deflate.deflate(File.read(fixture_path("logout_response.xml")), 9)[2..-5]
+
+    xmlb64 = Base64.encode64(xml)
+    settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33')
+    response = Onelogin::Saml::LogoutResponse::parse(xmlb64, settings)
+
+    expect(response.id).to eq '_cbb63e9741259e3f1c98a1ae38ac5ac25889720b32'
+    expect(response.issuer).to eq 'http://saml.example.com:8080/opensso'
+    expect(response.in_response_to).to eq "_72424ea37e28763e351189529639b9c2b150ff37e5"
+    expect(response.destination).to eq "http://saml.example.com:8080/opensso/SingleLogoutService"
+    expect(response.status_code).to eq Onelogin::Saml::StatusCodes::SUCCESS_URI
+    expect(response.status_message).to eq "Successfully logged out from service"
+  end
+end

data/spec/meta_data_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe Onelogin::Saml::MetaData do
+  before do
+    @settings = Onelogin::Saml::Settings.new(:issuer => "yourmom", :sp_slo_url => 'http://example.com/logout')
+  end
+
+  it "should have correct consumer service with one endpoint" do
+    @settings.assertion_consumer_service_url = 'http://example.com/consume'
+    doc = REXML::Document.new Onelogin::Saml::MetaData.create(@settings)
+    service = REXML::XPath.first(doc, "//AssertionConsumerService/")
+    service.attributes["index"].should == "0"
+    service.attributes["Location"].should == 'http://example.com/consume'
+  end
+
+  it "should have correct consumer service with multiple endpoints" do
+    @settings.assertion_consumer_service_url = ['http://example.com/consume', 'http://example.com/alt_consume']
+    doc = REXML::Document.new Onelogin::Saml::MetaData.create(@settings)
+    services = REXML::XPath.match(doc, "//AssertionConsumerService/")
+    services[0].attributes["index"].should == "0"
+    services[0].attributes["Location"].should == @settings.assertion_consumer_service_url[0]
+    services[1].attributes["index"].should == "1"
+    services[1].attributes["Location"].should == @settings.assertion_consumer_service_url[1]
+  end
+
+  it "publishes the public key for both encryption and signing" do
+    settings = Onelogin::Saml::Settings.new(
+      :xmlsec_certificate => fixture_path("test1-cert.pem"),
+      :xmlsec_privatekey => fixture_path("test1-key.pem"),
+      :idp_slo_target_url => "http://idp.example.com/saml2",
+      :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33'
+    )
+    doc = REXML::Document.new Onelogin::Saml::MetaData.create(settings)
+    key_descriptors = REXML::XPath.match(doc, "//KeyDescriptor")
+    key_descriptors.should have(2).keys
+    key_descriptors[0].attributes["use"].should == "encryption"
+    key_descriptors[1].attributes["use"].should == "signing"
+  end
+end

data/spec/response_spec.rb

@@ -0,0 +1,193 @@
+require 'spec_helper'
+
+describe Onelogin::Saml::Response do
+  describe "decrypting assertions" do
+    before :each do
+      @xmlb64 = Base64.encode64(File.read(fixture_path("test1-response.xml")))
+      @settings = Onelogin::Saml::Settings.new(
+        :xmlsec_certificate => fixture_path("test1-cert.pem"),
+        :xmlsec_privatekey => fixture_path("test1-key.pem"),
+        :idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33'
+      )
+    end
+
+    it "should find the right attributes from an encrypted assertion" do
+      @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+      @response.should be_is_valid
+
+      @response.name_id.should == "zach@zwily.com"
+      @response.name_qualifier.should == "http://saml.example.com:8080/opensso"
+      @response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
+      @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      @response.status_message.strip.should == ""
+    end
+
+    it "should not be able to decrypt without the proper key" do
+      @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
+      XMLSecurity.mute do
+        @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+      end
+      document = REXML::Document.new(@response.decrypted_document.to_s)
+      REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should be_nil
+      @response.name_qualifier.should be_nil
+    end
+
+    it "should be able to decrypt using additional private keys" do
+      @settings.xmlsec_privatekey = fixture_path("wrong-key.pem")
+      @settings.xmlsec_additional_privatekeys = [fixture_path("test1-key.pem")]
+      XMLSecurity.mute do
+        @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+      end
+      document = REXML::Document.new(@response.decrypted_document.to_s)
+      REXML::XPath.first(document, "/samlp:Response/saml:Assertion").should_not be_nil
+      REXML::XPath.first(document, "/samlp:Response/saml:Assertion/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestValue").text.should == "eMQal6uuWKMbUMbOwBfrFH90bzE="
+      @response.name_qualifier.should == "http://saml.example.com:8080/opensso"
+      @response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
+      @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      @response.status_message.strip.should == ""
+    end
+  end
+
+  it "should not verify when XSLT transforms are being used" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test4-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
+    @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+
+    XMLSecurity.mute do
+      @response.should_not be_is_valid
+    end
+
+    TestServer.requests.should == []
+  end
+
+  it "should not allow external reference URIs" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test5-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'bc71f7bacb36011694405dd0e2beafcc069de45f')
+    @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+
+    XMLSecurity.mute do
+      @response.should_not be_is_valid
+    end
+
+    TestServer.requests.should == []
+  end
+
+  it "should use namespaces correctly to look up attributes" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test2-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'def18dbed547cdf3d52b627f41637c443045fe33')
+    @response = Onelogin::Saml::Response.new(@xmlb64)
+    @response.disable_signature_validation!(@settings)
+    @response.process(@settings)
+    @response.name_id.should == "zach@example.com"
+    @response.name_qualifier.should == "http://saml.example.com:8080/opensso"
+    @response.session_index.should == "s2c57ee92b5ca08e93d751987d591c58acc68d2501"
+    @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+    @response.saml_attributes['eduPersonAffiliation'].should == 'member'
+    @response.saml_attributes['eduPersonPrincipalName'].should == 'user@example.edu'
+    @response.status_message.should == ""
+    @response.fingerprint_from_idp.should == 'def18dbed547cdf3d52b627f41637c443045fe33'
+    @response.issuer.should == 'http://saml.example.com:8080/opensso'
+  end
+
+  it "should protect against xml signature wrapping attacks targeting nameid" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_nameid.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
+    @response = Onelogin::Saml::Response.new(@xmlb64)
+    @response.process(@settings)
+    @response.should be_is_valid
+    @response.name_id.should == "_3b3e7714b72e29dc4290321a075fa0b73333a4f25f"
+  end
+
+  it "should protect against xml signature wrapping attacks targeting attributes" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("xml_signature_wrapping_attack_response_attributes.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
+    @response = Onelogin::Saml::Response.new(@xmlb64)
+    @response.process(@settings)
+    @response.should be_is_valid
+    @response.saml_attributes['eduPersonAffiliation'].should == 'member'
+    @response.saml_attributes['eduPersonPrincipalName'].should == 'student@example.edu'
+  end
+
+  it "should protect against xml signature wrapping attacks with duplicate IDs" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path('xml_signature_wrapping_attack_duplicate_ids.xml')))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => '7292914fc5bffa6f3fe1e43fd47c205395fecfa2')
+    @response = Onelogin::Saml::Response.new(@xmlb64)
+    @response.process(@settings)
+    @response.should_not be_is_valid
+  end
+
+  it "should allow non-ascii characters in attributes" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test6-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
+    @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+    @response.should be_is_valid
+    @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+    @response.saml_attributes['eduPersonAffiliation'].should == 'member'
+    @response.saml_attributes['givenName'].should == 'Canvas'
+    @response.saml_attributes['displayName'].should == 'Canvas Üser'
+    @response.fingerprint_from_idp.should == 'afe71c28ef740bc87425be13a2263d37971da1f9'
+  end
+
+  it "should map OIDs to known attributes" do
+    @xmlb64 = Base64.encode64(File.read(fixture_path("test3-response.xml")))
+    @settings = Onelogin::Saml::Settings.new(:idp_cert_fingerprint => 'afe71c28ef740bc87425be13a2263d37971da1f9')
+    @response = Onelogin::Saml::Response.new(@xmlb64, @settings)
+    @response.should be_is_valid
+    @response.status_code.should == "urn:oasis:names:tc:SAML:2.0:status:Success"
+    @response.saml_attributes['eduPersonAffiliation'].should == 'member'
+    @response.saml_attributes['eduPersonPrincipalName'].should == 'student@example.edu'
+    @response.fingerprint_from_idp.should == 'afe71c28ef740bc87425be13a2263d37971da1f9'
+  end
+
+  it "should not throw an exception when an empty string is passed as the doc" do
+    settings = Onelogin::Saml::Settings.new
+    lambda {
+      r = Onelogin::Saml::Response.new('foo', settings)
+      r.should_not be_is_valid
+    }.should_not raise_error
+    lambda {
+      r = Onelogin::Saml::Response.new('', settings)
+      r.should_not be_is_valid
+    }.should_not raise_error
+  end
+
+  describe "forward_urls" do
+    let(:name_qualifier) { 'foo' }
+    let(:name_id) { 'bar'}
+    let(:session_index) { 'baz' }
+
+    it "should should append the saml request to a url" do
+      settings = Onelogin::Saml::Settings.new(
+        :xmlsec_certificate => fixture_path("test1-cert.pem"),
+        :xmlsec_privatekey => fixture_path("test1-key.pem"),
+        :idp_sso_target_url => "http://example.com/login.php",
+        :idp_slo_target_url => "http://example.com/logout.php"
+      )
+
+      request = Onelogin::Saml::AuthRequest::generate(settings)
+      prefix = "http://example.com/login.php?SAMLRequest="
+      expect(request.forward_url[0...prefix.size]).to eql(prefix)
+
+      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
+      prefix = "http://example.com/logout.php?SAMLRequest="
+      expect(request.forward_url[0...prefix.size]).to eql(prefix)
+    end
+
+    it "should append the saml request to a url with query parameters" do
+      settings = Onelogin::Saml::Settings.new(
+        :xmlsec_certificate => fixture_path("test1-cert.pem"),
+        :xmlsec_privatekey => fixture_path("test1-key.pem"),
+        :idp_sso_target_url => "http://example.com/login.php?param=foo",
+        :idp_slo_target_url => "http://example.com/logout.php?param=foo"
+      )
+
+      request = Onelogin::Saml::AuthRequest::generate(settings)
+      prefix = "http://example.com/login.php?param=foo&SAMLRequest="
+      expect(request.forward_url[0...prefix.size]).to eql(prefix)
+
+      request = Onelogin::Saml::LogoutRequest::generate(name_qualifier, name_id, session_index, settings)
+      prefix = "http://example.com/logout.php?param=foo&SAMLRequest="
+      expect(request.forward_url[0...prefix.size]).to eql(prefix)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,33 @@
+require 'rexml/document'
+require 'cgi'
+require 'uri'
+
+require File.expand_path(File.dirname(__FILE__) + '/../lib/onelogin/saml.rb')
+
+Dir[File.expand_path(File.dirname(__FILE__) + '/support/**/*.rb')].each { |f| require f }
+
+RSpec.configure do |config|
+  FIXTURE_PATH = File.expand_path(File.dirname(__FILE__) + '/fixtures')
+
+  def fixture_path(filename)
+    "#{FIXTURE_PATH}/#{filename}"
+  end
+
+  config.before(:suite) do
+    TestServer.start(ENV['TEST_SERVER_PORT'] || 2345)
+  end
+
+  config.after(:each) do
+    TestServer.reset
+  end
+
+  config.after(:suite) do
+    TestServer.stop
+  end
+
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  config.order = 'random'
+  config.color = true
+end

data/spec/support/test_server.rb

@@ -0,0 +1,73 @@
+require 'socket'
+require 'net/http'
+
+class TestServer
+  class << self
+    def start(port)
+      @port = port
+      @requests = []
+      @process = Process.fork {
+        @server = TCPServer.open(port)
+        work
+      }
+    end
+
+    def stop
+      Process.kill("TERM", @process)
+    end
+
+    def get(path)
+      Net::HTTP.get_response(URI("http://127.0.0.1:#{@port}#{path}"))
+    end
+
+    def requests
+      get('/requests').body.split("\n")
+    end
+
+    def reset
+      get('/reset')
+    end
+
+    def work
+      loop do
+        socket = @server.accept
+
+        request = socket.gets
+        response = process(request)
+
+        socket.print([
+          "HTTP/1.1 200 OK",
+          "Content-Type: application/xml",
+          "Content-Length: #{response.bytesize}",
+          "Connection: close",
+          "",
+          response
+        ].join("\r\n"))
+
+        socket.close
+      end
+    end
+
+    private
+
+    def process(request)
+      _, path, _ = request.split(' ')
+
+      case path
+      when '/requests'
+        @requests.join("\n")
+      when '/reset'
+        @requests = []
+        '<status>OK</status>'
+      when '/exploit'
+        <<-RESPONSE
+<!DOCTYPE Response [<!ENTITY file PUBLIC 'p' 'file:///etc/hostname'>]>
+<Response>&file;</Response>
+        RESPONSE
+      else
+        @requests << request.chomp
+        '<status>RECORDED</status>'
+      end
+    end
+  end
+end