ruby-saml 0.8.10 → 0.8.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a564ad5fdd002f4648b22638bf51dd7ad029ea633484289c7ce2e8759a3c5d6
-  data.tar.gz: 15d0f1c459006f4c65fc9cb916b29b55098e68d9e3c5123080737b41b4e5e449
+  metadata.gz: 3039afb4b2668c3859e51ae9eff0c1b423d7dda319a7d646b26702de315047af
+  data.tar.gz: 2ef188024bd8030c659b499db22b3b28f2ae24930954f8c45cc69c175b8fc4e3
 SHA512:
-  metadata.gz: 943d65750b9895285e60b24d612c1cce77bef3a262387121ccf9b7f8536ebfea27874d3a68ff095dc1a36e2bc3c53f509de07d2e4e31c02a20437e18015af561
-  data.tar.gz: ccf1223639a43235641ba2533e61473e4ff248624571cd05177ccd1dd0611f7d8df16f405fd74af2987112a988f5fcb0f2f6c54fe3830f89d3688964780ea333
+  metadata.gz: 0ab896476c0de2ebcd71b060dc305d091e3b6c3be7abd81ce702389cb8e8409cbd5730a4a73a71dfdfedbeb7a0081f448ed4aec60737a8ce6c1b6fb966ce9c4f
+  data.tar.gz: 203b1fd9b1fa4d23ab66cac8a034d3154a48e243bff21040ae2e873d191e90c0d8b8ccdfee368ca542c306fd58ddcdbeec700047893ae6044b82b406af43de18

data/Gemfile

@@ -7,10 +7,13 @@ gemspec
 
 if RUBY_VERSION < '1.9'
   gem 'nokogiri',   '~> 1.5.0'
+  gem 'minitest',  '~> 5.5', '<= 5.11.3'
 elsif RUBY_VERSION < '2.1'
   gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+  gem 'minitest',  '~> 5.5'
 else
   gem 'nokogiri',   '>= 1.5.0'
+  gem 'minitest',  '~> 5.5'
 end
 
 group :test do
@@ -30,6 +33,5 @@ group :test do
   gem 'shoulda',   '~> 2.11'
   gem 'systemu',   '~> 2'
   gem 'test-unit', '~> 3.0.9'
-  gem 'minitest',  '~> 5.5'
   gem 'timecop',   '<= 0.6.0'
 end

data/Rakefile

@@ -25,17 +25,3 @@ end
 task :test
 
 task :default => :test
-
-# require 'rake/rdoctask'
-# Rake::RDocTask.new do |rdoc|
-#   if File.exist?('VERSION')
-#     version = File.read('VERSION')
-#   else
-#     version = ""
-#   end
-
-#   rdoc.rdoc_dir = 'rdoc'
-#   rdoc.title = "ruby-saml #{version}"
-#   rdoc.rdoc_files.include('README*')
-#   rdoc.rdoc_files.include('lib/**/*.rb')
-#end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -2,6 +2,7 @@ require "base64"
 require "zlib"
 require "cgi"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 module OneLogin
   module RubySaml
@@ -25,7 +26,7 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil?
+        raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
         @login_url = settings.idp_sso_target_url + request_params
       end
 
@@ -101,7 +102,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
         root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -3,6 +3,7 @@ require "zlib"
 require "cgi"
 require 'rexml/document'
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 module OneLogin
   module RubySaml
@@ -23,6 +24,7 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
         @logout_url = settings.idp_slo_target_url + request_params
       end
 
@@ -103,6 +105,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
 
         if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -1,7 +1,5 @@
 require "xml_security"
 require "time"
-require "base64"
-require "zlib"
 
 module OneLogin
   module RubySaml
@@ -30,7 +28,7 @@ module OneLogin
         self.settings = settings
 
         @options = options
-        @response = decode_raw_response(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(response)
       end
 
@@ -75,27 +73,6 @@ module OneLogin
 
       private
 
-      def decode(encoded)
-        Base64.decode64(encoded)
-      end
-
-      def inflate(deflated)
-        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        zlib.inflate(deflated)
-      end
-
-      def decode_raw_response(response)
-        if response =~ /^</
-          return response
-        elsif (decoded  = decode(response)) =~ /^</
-          return decoded
-        elsif (inflated = inflate(decoded)) =~ /^</
-          return inflated
-        end
-
-        raise "Couldn't decode SAMLResponse"
-      end
-
       def valid_saml?(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))

data/lib/onelogin/ruby-saml/response.rb

@@ -1,6 +1,7 @@
 require "xml_security"
 require "time"
 require "nokogiri"
+require "onelogin/ruby-saml/utils"
 require 'onelogin/ruby-saml/attributes'
 
 # Only supports SAML 2.0
@@ -22,7 +23,7 @@ module OneLogin
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
         @options  = options
-        @response = (response =~ /^</) ? response : Base64.decode64(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
@@ -42,6 +43,8 @@ module OneLogin
         end
       end
 
+      alias nameid name_id
+
       def sessionindex
         @sessionindex ||= begin
           node = xpath_first_from_signed_assertion('/a:AuthnStatement')
@@ -147,14 +150,165 @@ module OneLogin
       end
 
       def validate(soft = true)
-        validate_structure(soft)      &&
-        validate_response_state(soft) &&
-        validate_conditions(soft)     &&
-        validate_audience(soft)       &&
-        document.validate_document(get_fingerprint, soft) &&
+        validate_structure(soft)       &&
+        validate_success_status(soft)  &&
+        validate_num_assertion         &&
+        validate_signed_elements(soft) &&
+        validate_response_state(soft)  &&
+        validate_conditions(soft)      &&
+        validate_audience(soft)        &&
+        validate_signature(soft)       &&
         success?
       end
 
+      # Validates that the SAML Response only contains a single Assertion (encrypted or not).
+      # @return [Boolean] True if the SAML Response contains one unique Assertion, otherwise False
+      #
+      def validate_num_assertion(soft = true)
+        assertions = REXML::XPath.match(
+          document,
+          "//a:Assertion",
+          { "a" => ASSERTION }
+        )
+        encrypted_assertions = REXML::XPath.match(
+          document,
+          "//a:EncryptedAssertion",
+          { "a" => ASSERTION }
+        )
+
+        unless assertions.size + encrypted_assertions.size == 1
+          return soft ? false : validation_error("SAML Response must contain 1 assertion")
+        end
+
+        true
+      end
+
+      # Validates the Signed elements
+      # @return [Boolean] True if there is 1 or 2 Elements signed in the SAML Response
+      #                        an are a Response or an Assertion Element, otherwise False if soft=True
+      #
+      def validate_signed_elements(soft)
+        signature_nodes = REXML::XPath.match(
+          document,
+          "//ds:Signature",
+          {"ds"=>DSIG}
+        )
+        signed_elements = []
+        verified_seis = []
+        verified_ids = []
+        signature_nodes.each do |signature_node|
+          signed_element = signature_node.parent.name
+          if signed_element != 'Response' && signed_element != 'Assertion'
+            return soft ? false : validation_error("Invalid Signature Element '#{signed_element}'. SAML Response rejected")
+          end
+
+          if signature_node.parent.attributes['ID'].nil?
+            return soft ? false : validation_error("Signed Element must contain an ID. SAML Response rejected")
+          end
+
+          id = signature_node.parent.attributes.get_attribute("ID").value
+          if verified_ids.include?(id)
+            return soft ? false : validation_error("Duplicated ID. SAML Response rejected")
+          end
+          verified_ids.push(id)
+
+          # Check that reference URI matches the parent ID and no duplicate References or IDs
+          ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
+          if ref
+            uri = ref.attributes.get_attribute("URI")
+            if uri && !uri.value.empty?
+              sei = uri.value[1..-1]
+
+              unless sei == id
+                return soft ? false : validation_error("Found an invalid Signed Element. SAML Response rejected")
+              end
+
+              if verified_seis.include?(sei)
+                return soft ? false : validation_error("Duplicated Reference URI. SAML Response rejected")
+              end
+
+              verified_seis.push(sei)
+            end
+          end
+
+          signed_elements << signed_element
+        end
+
+        unless signature_nodes.length < 3 && !signed_elements.empty?
+          return soft ? false : validation_error("Found an unexpected number of Signature Element. SAML Response rejected")
+        end
+
+        true
+      end
+
+      # Validates the Status of the SAML Response
+      # @return [Boolean] True if the SAML Response contains a Success code, otherwise False if soft == false
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_success_status(soft = true)
+        return true if success?
+
+        return false unless soft
+
+        error_msg = 'The status code of the Response was not Success'
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        return validation_error(status_error_msg)
+      end
+
+      # Checks if the Status has the "Success" code
+      # @return [Boolean] True if the StatusCode is Sucess
+      #
+      def success?
+        status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+
+      # @return [String] StatusCode value from a SAML Response.
+      #
+      def status_code
+        @status_code ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusCode",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            node = nodes[0]
+            code = node.attributes["Value"] if node && node.attributes
+
+            unless code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+              nodes = REXML::XPath.match(
+                document,
+                "/p:Response/p:Status/p:StatusCode/p:StatusCode",
+                { "p" => PROTOCOL }
+              )
+              statuses = nodes.collect do |inner_node|
+                inner_node.attributes["Value"]
+              end
+              extra_code = statuses.join(" | ")
+              if extra_code
+                code = "#{code} | #{extra_code}"
+              end
+            end
+            code
+          end
+        end
+      end
+
+      # @return [String] the StatusMessage value from a SAML Response.
+      #
+      def status_message
+        @status_message ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusMessage",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            Utils.element_text(nodes.first)
+          end
+        end
+      end
+
       def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
@@ -219,15 +373,6 @@ module OneLogin
         ))
       end
 
-      def get_fingerprint
-        if settings.idp_cert
-          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-        else
-          settings.idp_cert_fingerprint
-        end
-      end
-
       def validate_conditions(soft = true)
         return true if conditions.nil?
         return true if options[:skip_conditions]
@@ -245,17 +390,57 @@ module OneLogin
         true
       end
 
+      def validate_signature(soft = true)
+        error_msg = "Invalid Signature on SAML Response"
+
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature]",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+
+        # Check signature nodes
+        if sig_elements.nil? || sig_elements.size == 0
+          sig_elements = REXML::XPath.match(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            { 'id' => document.signed_element_id }
+          )
+        end
+
+        if sig_elements.size != 1
+          if  sig_elements.size == 0
+             error_msg += ". Signed element id ##{doc.signed_element_id} is not found"
+          else
+             error_msg += ". Signed element id ##{doc.signed_element_id} is found more than once"
+          end
+          return soft ? false : validation_error(error_msg)
+        end
+
+        opts = {}
+        opts[:fingerprint_alg] = OpenSSL::Digest::SHA1.new
+        opts[:cert] = settings.get_idp_cert
+        fingerprint = settings.get_fingerprint
+
+        unless fingerprint
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        unless document.validate_document(fingerprint, soft, opts)
+          return soft ? false : validation_error(error_msg)
+        end
+
+        true
+      end
+
       def parse_time(node, attribute)
         if node && node.attributes[attribute]
           Time.parse(node.attributes[attribute])
         end
       end
 
-      # Validates the Audience, (If the Audience match the Service Provider EntityID)
-      # If fails, the error is added to the errors array
-      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails
-      #
       def validate_audience(soft = true)
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
@@ -267,6 +452,7 @@ module OneLogin
 
         true
       end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/setting_error.rb

@@ -0,0 +1,6 @@
+module OneLogin
+  module RubySaml
+    class SettingError < StandardError
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -117,6 +117,32 @@ module OneLogin
         @single_logout_service_binding = url
       end
 
+      # Calculates the fingerprint of the IdP x509 certificate.
+      # @return [String] The fingerprint
+      #
+      def get_fingerprint
+        idp_cert_fingerprint || begin
+          idp_cert = get_idp_cert
+          if idp_cert
+            Digest::SHA1.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+      #
+      def get_idp_cert
+        return nil if idp_cert.nil?
+
+        if idp_cert.respond_to?(:to_pem)
+          idp_cert
+        else
+          return nil if idp_cert.empty?
+          formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+          OpenSSL::X509::Certificate.new(formatted_cert)
+        end
+      end
+
       # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
       #
       def get_sp_cert