ruby-saml-mod 0.1.27 → 0.1.28

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9fb25d67d2b17dd051b1b4ced52bbbfc8fac8c3f
-  data.tar.gz: e1576c19390be8d294128d1a5d3ae60a6d7813d2
+  metadata.gz: 364210a5dc8d2c29558b9b0a19c258f64cdb1c9b
+  data.tar.gz: 5c389976863d3d599ea7fdcf1c91932f0418b169
 SHA512:
-  metadata.gz: 96dadc807bb4f4b26c356f991452ee26b2b54251352d996d65f47256621c79a07a1a4c0690505b704d368311bc8ba2951500b66dd65b1472118738671ea103eb
-  data.tar.gz: e83f4fa8df332d3301898811e00a8952d6b91099b6a9d1d54439ff639c4e300ac5fb518d9c073b22145c93b4e8ab43e8fed8052dc20791e66cb164b68bae7df2
+  metadata.gz: b025fe482372d414d6fc263f5bbc2623e7070daa3d5fe8e2f6004b9e51494260f0746339d71791e7911c10be75b5f692069f2a98dc3d8e99985bf99c39cdab63
+  data.tar.gz: 5826d046b3eccb253f38611afde71d6e602778b1e998d3baf3c7ba1629505821b60bfc4687f8f9e5e63164a305b429adfd39b6ccbd2358450636161eb6a73cdd

data/lib/onelogin/saml/response.rb

@@ -2,7 +2,7 @@ module Onelogin::Saml
   class Response
 
     attr_accessor :settings
-    attr_reader :document, :decrypted_document, :xml, :response
+    attr_reader :document, :xml, :response
     attr_reader :name_id, :name_qualifier, :session_index, :saml_attributes
     attr_reader :status_code, :status_message
     attr_reader :in_response_to, :destination, :issuer
@@ -14,14 +14,14 @@ module Onelogin::Saml
         @xml = Base64.decode64(@response)
         @document = LibXML::XML::Document.string(@xml)
         @document.extend(XMLSecurity::SignedDocument)
-      rescue => e
+      rescue
         # could not parse document, everything is invalid
         @response = nil
         return
       end
 
-      @issuer = @document.find_first("/samlp:Response/saml:Issuer", Onelogin::NAMESPACES).content rescue nil
-      @status_code = @document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil
+      @issuer = document.find_first("/samlp:Response/saml:Issuer", Onelogin::NAMESPACES).content rescue nil
+      @status_code = document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)["Value"] rescue nil
 
       process(settings) if settings
     end
@@ -30,79 +30,119 @@ module Onelogin::Saml
       @settings = settings
       return unless @response
 
-      @decrypted_document = LibXML::XML::Document.document(@document)
-      @decrypted_document.extend(XMLSecurity::SignedDocument)
-      @decrypted_document.decrypt!(@settings)
+      @in_response_to = untrusted_find_first("/samlp:Response")['InResponseTo'] rescue nil
+      @destination    = untrusted_find_first("/samlp:Response")['Destination'] rescue nil
+      @status_message = untrusted_find_first("/samlp:Response/samlp:Status/samlp:StatusCode").content rescue nil
+
+      @name_id        = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID").content rescue nil
+      @name_qualifier = trusted_find_first("saml:Assertion/saml:Subject/saml:NameID")["NameQualifier"] rescue nil
+      @session_index  = trusted_find_first("saml:Assertion/saml:AuthnStatement")["SessionIndex"] rescue nil
 
-      @in_response_to = @decrypted_document.find_first("/samlp:Response", Onelogin::NAMESPACES)['InResponseTo'] rescue nil
-      @destination = @decrypted_document.find_first("/samlp:Response", Onelogin::NAMESPACES)['Destination'] rescue nil
-      @name_id = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES).content rescue nil
       @saml_attributes = {}
-      @decrypted_document.find("//saml:Attribute", Onelogin::NAMESPACES).each do |attr|
+      trusted_find("saml:Attribute").each do |attr|
         attrname = attr['FriendlyName'] || Onelogin::ATTRIBUTES[attr['Name']] || attr['Name']
         @saml_attributes[attrname] = attr.content.strip rescue nil
       end
-      @name_qualifier = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES)["NameQualifier"] rescue nil
-      @session_index = @decrypted_document.find_first("/samlp:Response/saml:Assertion/saml:AuthnStatement", Onelogin::NAMESPACES)["SessionIndex"] rescue nil
-      @status_message = @decrypted_document.find_first("/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES).content rescue nil
+    end
+
+    def disable_signature_validation!(settings)
+      @settings      = settings
+      @is_valid      = true
+      @trusted_roots = [decrypted_document.root]
+    end
+
+    def decrypted_document
+      @decrypted_document ||= LibXML::XML::Document.document(document).tap do |doc|
+        doc.extend(XMLSecurity::SignedDocument)
+        doc.decrypt!(settings)
+      end
+    end
+
+    def untrusted_find_first(xpath)
+      decrypted_document.find(xpath, Onelogin::NAMESPACES).first
+    end
+
+    def trusted_find_first(xpath)
+      trusted_find(xpath).first
+    end
+
+    def trusted_find(xpath)
+      trusted_roots.map do |trusted_root|
+        trusted_root.find("descendant-or-self::#{xpath}", Onelogin::NAMESPACES).to_a
+      end.flatten.compact
     end
 
     def logger=(val)
       @logger = val
     end
-    
+
     def is_valid?
-      if @response.nil? || @response == ""
+      @is_valid ||= validate
+    end
+
+    def validate
+      if response.nil? || response == ""
         @validation_error = "No response to validate"
         return false
       end
-      
-      if !@settings.idp_cert_fingerprint
+
+      if !settings.idp_cert_fingerprint
         @validation_error = "No fingerprint configured in SAML settings"
         return false
       end
-      
+
       # Verify the original document if it has a signature, otherwise verify the signature
       # in the encrypted portion. If there is no signature, then we can't verify.
       verified = false
-      if @document.find_first("//ds:Signature", Onelogin::NAMESPACES)
-        verified = @document.validate(@settings.idp_cert_fingerprint, @logger)
+
+      if document.has_signature?
+        verified = document.validate(settings.idp_cert_fingerprint, @logger)
         if !verified
-          @validation_error = @document.validation_error
+          @validation_error = document.validation_error
           return false
         end
       end
 
-      if !verified && @decrypted_document.find_first("//ds:Signature", Onelogin::NAMESPACES)
-        verified = @decrypted_document.validate(@settings.idp_cert_fingerprint, @logger)
+      if !verified && decrypted_document.has_signature?
+        verified = decrypted_document.validate(settings.idp_cert_fingerprint, @logger)
         if !verified
-          @validation_error = @document.validation_error
+          @validation_error = decrypted_document.validation_error
           return false
         end
       end
-      
+
       if !verified
         @validation_error = "No signature found in the response"
         return false
       end
-      
+
+      # If we get here, validation has succeeded, and we can trust all
+      # <ds:Signature> elements. Each of those has a <ds:Reference> which
+      # points to the root of the root of the NodeSet it signs.
+      @trusted_roots = decrypted_document.signed_roots
+
       true
     end
-    
+
+    # triggers validation
+    def trusted_roots
+      is_valid? ? @trusted_roots : []
+    end
+
     def success_status?
       @status_code == Onelogin::Saml::StatusCodes::SUCCESS_URI
     end
-    
+
     def auth_failure?
       @status_code == Onelogin::Saml::StatusCodes::AUTHN_FAILED_URI
     end
-    
+
     def no_authn_context?
       @status_code == Onelogin::Saml::StatusCodes::NO_AUTHN_CONTEXT_URI
     end
-    
+
     def fingerprint_from_idp
-      if base64_cert = @decrypted_document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES)
+      if base64_cert = decrypted_document.find_first("//ds:X509Certificate", Onelogin::NAMESPACES)
         cert_text = Base64.decode64(base64_cert.content)
         cert = OpenSSL::X509::Certificate.new(cert_text)
         Digest::SHA1.hexdigest(cert.to_der)

data/lib/xml_sec.rb

@@ -79,6 +79,9 @@ module XMLSecurity
       :xmlSecDSigStatusInvalid
   ]
 
+  XMLSEC_ERRORS_R_INVALID_DATA = 12
+  class XmlSecError < ::RuntimeError; end
+
   class XmlSecPtrList < FFI::Struct
     layout \
       :id,                          :string,
@@ -170,6 +173,12 @@ module XMLSecurity
       :reserved1,                   :pointer
   end
 
+  ErrorCallback = FFI::Function.new(:void,
+      [ :string, :int, :string, :string,     :string,      :int,   :string ]
+  ) do |file,    line, func,    errorObject, errorSubject, reason, msg     |
+    XMLSecurity.handle_xmlsec_error_callback(file, line, func, errorObject, errorSubject, reason, msg)
+  end
+
   # xmlsec functions
   attach_function :xmlSecInit, [], :int
   attach_function :xmlSecParseMemory, [ :pointer, :uint, :int ], :pointer
@@ -193,7 +202,9 @@ module XMLSecurity
   attach_function :xmlSecEncCtxDecrypt, [ :pointer, :pointer ], :int
   attach_function :xmlSecEncCtxDestroy, [ :pointer ], :void
 
+  attach_function :xmlSecErrorsDefaultCallback, [ :string, :int, :string, :string, :string, :int, :string ], :void
   attach_function :xmlSecErrorsDefaultCallbackEnableOutput, [ :bool ], :void
+  attach_function :xmlSecErrorsSetCallback, [:pointer], :void
 
   attach_function :xmlSecTransformExclC14NGetKlass, [], :pointer
   attach_function :xmlSecOpenSSLTransformRsaSha1GetKlass, [], :pointer
@@ -238,6 +249,18 @@ module XMLSecurity
   raise "Failed initializing XMLSec" if self.xmlSecInit < 0
   raise "Failed initializing app crypto" if self.xmlSecOpenSSLAppInit(nil) < 0
   raise "Failed initializing crypto" if self.xmlSecOpenSSLInit < 0
+  self.xmlSecErrorsSetCallback(ErrorCallback)
+
+  def self.handle_xmlsec_error_callback(*args)
+    raise_exception_if_necessary(*args)
+    xmlSecErrorsDefaultCallback(*args)
+  end
+
+  def self.raise_exception_if_necessary(file, line, func, errorObject, errorSubject, reason, msg)
+    if reason == XMLSEC_ERRORS_R_INVALID_DATA
+      raise XmlSecError.new(msg)
+    end
+  end
 
 
   def self.mute(&block)
@@ -267,6 +290,29 @@ module XMLSecurity
       "-----BEGIN PUBLIC KEY-----\n#{base64}-----END PUBLIC KEY-----"
     end
 
+    def has_signature?
+      signatures.any?
+    end
+
+    def signed_roots
+      signatures.map do |sig|
+        ref = sig.find('.//ds:Reference', Onelogin::NAMESPACES).first
+        signed_element_id = ref['URI'].sub(/^#/, '')
+
+        if signed_element_id.empty?
+          self.root
+        else
+          xpath_id_query = %Q(ancestor::*[@ID = "#{signed_element_id}"])
+
+          ref.find(xpath_id_query, Onelogin::NAMESPACES).first
+        end
+      end.compact
+    end
+
+    def signatures
+      @signatures ||= self.find("//ds:Signature", Onelogin::NAMESPACES)
+    end
+
     def validate(idp_cert_fingerprint, logger = nil)
       # get cert from response
       base64_cert = self.find_first("//ds:X509Certificate", Onelogin::NAMESPACES).content

data/ruby-saml-mod.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml-mod}
-  s.version = "0.1.27"
+  s.version = "0.1.28"
 
   s.authors = ["OneLogin LLC", "Bracken", "Zach", "Cody", "Jeremy", "Paul"]
   s.date = %q{2014-05-05}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version
-  version: 0.1.27
+  version: 0.1.28
 platform: ruby
 authors:
 - OneLogin LLC
@@ -89,4 +89,3 @@ signing_key:
 specification_version: 4
 summary: Ruby library for SAML service providers
 test_files: []
-has_rdoc: