ruby-saml 0.8.11 → 0.8.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 10ec0e5a4a9fc6a7f65613599597cef7ae8b8293
-  data.tar.gz: 0b63798d5d6b78e3073ccb899e355e6aa0134648
+SHA256:
+  metadata.gz: 68cb87ca6e3a580cea96b7784b71f60afe0f0982fc9b3c7b2de4fdda0ea1af31
+  data.tar.gz: 216f43c0d0a179f3a9c506f198c31e2a01a08a8661bfaafbe3cb50811b1acf88
 SHA512:
-  metadata.gz: 1883986a5fd1b3925e6745bf7d259a907c656d36958efe50dfb760192c8273a3723b76344ee542a3a07b84da677808fad850b8bd272d949c5ce7fcd8c171a881
-  data.tar.gz: 8538b7c75961e99186b320ff1425fb82fa0c759e3e7267eaad76659adf9f0ba98249207122092dbc383f464c1c600b03a37f010d5a3e8bfa7fbb6fba0aaa8915
+  metadata.gz: 35ba610649dbff55acae0612782ab7e81947907212b9c454494f9baa5c3926a126430eed919356049261a9cb40767d7079874f56f1b4cb1bd7efb637f4f6ba4f
+  data.tar.gz: a3e9ce681547c0e648f477198a134749c9febb1f86e042d2bb3266e01a740767672a667d0c85a162d0f11489e87ee4c1a53cbd15d45e6aeefeb31fc30a2fe99f

data/Gemfile

@@ -7,10 +7,13 @@ gemspec
 
 if RUBY_VERSION < '1.9'
   gem 'nokogiri',   '~> 1.5.0'
+  gem 'minitest',  '~> 5.5', '<= 5.11.3'
 elsif RUBY_VERSION < '2.1'
   gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+  gem 'minitest',  '~> 5.5'
 else
   gem 'nokogiri',   '>= 1.5.0'
+  gem 'minitest',  '~> 5.5'
 end
 
 group :test do
@@ -30,6 +33,5 @@ group :test do
   gem 'shoulda',   '~> 2.11'
   gem 'systemu',   '~> 2'
   gem 'test-unit', '~> 3.0.9'
-  gem 'minitest',  '~> 5.5'
   gem 'timecop',   '<= 0.6.0'
 end

data/Rakefile

@@ -25,17 +25,3 @@ end
 task :test
 
 task :default => :test
-
-# require 'rake/rdoctask'
-# Rake::RDocTask.new do |rdoc|
-#   if File.exist?('VERSION')
-#     version = File.read('VERSION')
-#   else
-#     version = ""
-#   end
-
-#   rdoc.rdoc_dir = 'rdoc'
-#   rdoc.title = "ruby-saml #{version}"
-#   rdoc.rdoc_files.include('README*')
-#   rdoc.rdoc_files.include('lib/**/*.rb')
-#end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -1,7 +1,5 @@
 require "xml_security"
 require "time"
-require "base64"
-require "zlib"
 
 module OneLogin
   module RubySaml
@@ -30,8 +28,8 @@ module OneLogin
         self.settings = settings
 
         @options = options
-        @response = decode_raw_response(response)
-        @document = XMLSecurity::SignedDocument.new(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
       end
 
       def validate!
@@ -39,7 +37,7 @@ module OneLogin
       end
 
       def validate(soft = true)
-        return false unless valid_saml?(soft) && valid_state?(soft)
+        return false unless validate_structure(soft)
 
         valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
       end
@@ -53,7 +51,7 @@ module OneLogin
 
       def in_response_to
         @in_response_to ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL })
           node.nil? ? nil : node.attributes['InResponseTo']
         end
       end
@@ -61,7 +59,6 @@ module OneLogin
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
           Utils.element_text(node)
         end
       end
@@ -75,28 +72,7 @@ module OneLogin
 
       private
 
-      def decode(encoded)
-        Base64.decode64(encoded)
-      end
-
-      def inflate(deflated)
-        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        zlib.inflate(deflated)
-      end
-
-      def decode_raw_response(response)
-        if response =~ /^</
-          return response
-        elsif (decoded  = decode(response)) =~ /^</
-          return decoded
-        elsif (inflated = inflate(decoded)) =~ /^</
-          return inflated
-        end
-
-        raise "Couldn't decode SAMLResponse"
-      end
-
-      def valid_saml?(soft = true)
+      def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
           @xml = Nokogiri::XML(self.document.to_s)
@@ -108,26 +84,6 @@ module OneLogin
         end
       end
 
-      def valid_state?(soft = true)
-        if response.empty?
-          return soft ? false : validation_error("Blank response")
-        end
-
-        if settings.nil?
-          return soft ? false : validation_error("No settings on response")
-        end
-
-        if settings.sp_entity_id.nil?
-          return soft ? false : validation_error("No sp_entity_id in settings")
-        end
-
-        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
-          return soft ? false : validation_error("No fingerprint or certificate on settings")
-        end
-
-        true
-      end
-
       def valid_in_response_to?(soft = true)
         return true unless self.options.has_key? :matches_request_id
 
@@ -139,8 +95,10 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
+        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+
+        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
         end
         true
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -1,6 +1,7 @@
 require "xml_security"
 require "time"
 require "nokogiri"
+require "onelogin/ruby-saml/utils"
 require 'onelogin/ruby-saml/attributes'
 
 # Only supports SAML 2.0
@@ -22,7 +23,7 @@ module OneLogin
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
         @options  = options
-        @response = (response =~ /^</) ? response : Base64.decode64(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
@@ -133,6 +134,34 @@ module OneLogin
         end
       end
 
+      # Gets the Issuers (from Response and Assertion).
+      # (returns the first node that matches the supplied xpath from the Response and from the Assertion)
+      # @return [Array] Array with the Issuers (REXML::Element)
+      #
+      def issuers
+        @issuers ||= begin
+          issuer_response_nodes = REXML::XPath.match(
+            document,
+            "/p:Response/a:Issuer",
+            { "p" => PROTOCOL, "a" => ASSERTION }
+          )
+
+          unless issuer_response_nodes.size == 1
+            error_msg = "Issuer of the Response not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          issuer_assertion_nodes = xpath_from_signed_assertion("/a:Issuer")
+          unless issuer_assertion_nodes.size == 1
+            error_msg = "Issuer of the Assertion not found or multiple."
+            raise ValidationError.new(error_msg)
+          end
+
+          nodes = issuer_response_nodes + issuer_assertion_nodes
+          nodes.map { |node| Utils.element_text(node) }.compact.uniq
+        end
+      end
+
       # @return [Array] The Audience elements from the Contitions of the SAML Response.
       #
       def audiences
@@ -149,14 +178,15 @@ module OneLogin
       end
 
       def validate(soft = true)
-        validate_success_status       &&
-        validate_num_assertion        &&
-        validate_signed_elements      &&
-        validate_structure(soft)      &&
-        validate_response_state(soft) &&
-        validate_conditions(soft)     &&
-        validate_audience(soft)       &&
-        document.validate_document(get_fingerprint, soft) &&
+        validate_structure(soft)       &&
+        validate_success_status(soft)  &&
+        validate_num_assertion         &&
+        validate_signed_elements(soft) &&
+        validate_response_state(soft)  &&
+        validate_conditions(soft)      &&
+        validate_audience(soft)        &&
+        validate_issuer(soft)          &&
+        validate_signature(soft)       &&
         success?
       end
 
@@ -175,10 +205,6 @@ module OneLogin
           { "a" => ASSERTION }
         )
 
-        unless assertions.size != 0
-          return soft ? false : validation_error("Encrypted assertion is not supported")
-        end
-
         unless assertions.size + encrypted_assertions.size == 1
           return soft ? false : validation_error("SAML Response must contain 1 assertion")
         end
@@ -190,7 +216,7 @@ module OneLogin
       # @return [Boolean] True if there is 1 or 2 Elements signed in the SAML Response
       #                        an are a Response or an Assertion Element, otherwise False if soft=True
       #
-      def validate_signed_elements
+      def validate_signed_elements(soft)
         signature_nodes = REXML::XPath.match(
           document,
           "//ds:Signature",
@@ -228,7 +254,6 @@ module OneLogin
 
               if verified_seis.include?(sei)
                 return soft ? false : validation_error("Duplicated Reference URI. SAML Response rejected")
-                return append_error("Duplicated Reference URI. SAML Response rejected")
               end
 
               verified_seis.push(sei)
@@ -249,7 +274,7 @@ module OneLogin
       # @return [Boolean] True if the SAML Response contains a Success code, otherwise False if soft == false
       # @raise [ValidationError] if soft == false and validation fails
       #
-      def validate_success_status
+      def validate_success_status(soft = true)
         return true if success?
 
         return false unless soft
@@ -298,6 +323,21 @@ module OneLogin
         end
       end
 
+      # @return [String] the StatusMessage value from a SAML Response.
+      #
+      def status_message
+        @status_message ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusMessage",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            Utils.element_text(nodes.first)
+          end
+        end
+      end
+
       def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
@@ -362,15 +402,6 @@ module OneLogin
         ))
       end
 
-      def get_fingerprint
-        if settings.idp_cert
-          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-        else
-          settings.idp_cert_fingerprint
-        end
-      end
-
       def validate_conditions(soft = true)
         return true if conditions.nil?
         return true if options[:skip_conditions]
@@ -388,17 +419,76 @@ module OneLogin
         true
       end
 
+      def validate_issuer(soft = true)
+        return true if settings.idp_entity_id.nil?
+
+        begin
+          obtained_issuers = issuers
+        rescue ValidationError => e
+          return soft ? false : validation_error("Error while extracting issuers")
+        end
+
+        obtained_issuers.each do |issuer|
+          unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
+            error_msg = "Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>"
+            return soft ? false : validation_error(error_msg)
+          end
+        end
+
+        true
+      end
+
+      def validate_signature(soft = true)
+        error_msg = "Invalid Signature on SAML Response"
+
+        sig_elements = REXML::XPath.match(
+          document,
+          "/p:Response[@ID=$id]/ds:Signature]",
+          { "p" => PROTOCOL, "ds" => DSIG },
+          { 'id' => document.signed_element_id }
+        )
+
+        # Check signature nodes
+        if sig_elements.nil? || sig_elements.size == 0
+          sig_elements = REXML::XPath.match(
+            document,
+            "/p:Response/a:Assertion[@ID=$id]/ds:Signature",
+            {"p" => PROTOCOL, "a" => ASSERTION, "ds"=>DSIG},
+            { 'id' => document.signed_element_id }
+          )
+        end
+
+        if sig_elements.size != 1
+          if  sig_elements.size == 0
+             error_msg += ". Signed element id ##{doc.signed_element_id} is not found"
+          else
+             error_msg += ". Signed element id ##{doc.signed_element_id} is found more than once"
+          end
+          return soft ? false : validation_error(error_msg)
+        end
+
+        opts = {}
+        opts[:fingerprint_alg] = OpenSSL::Digest::SHA1.new
+        opts[:cert] = settings.get_idp_cert
+        fingerprint = settings.get_fingerprint
+
+        unless fingerprint
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        unless document.validate_document(fingerprint, soft, opts)
+          return soft ? false : validation_error(error_msg)
+        end
+
+        true
+      end
+
       def parse_time(node, attribute)
         if node && node.attributes[attribute]
           Time.parse(node.attributes[attribute])
         end
       end
 
-      # Validates the Audience, (If the Audience match the Service Provider EntityID)
-      # If fails, the error is added to the errors array
-      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
-      # @raise [ValidationError] if soft == false and validation fails
-      #
       def validate_audience(soft = true)
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
@@ -410,6 +500,7 @@ module OneLogin
 
         true
       end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/settings.rb

@@ -27,6 +27,7 @@ module OneLogin
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      attr_accessor :idp_entity_id
       #sp data
       attr_accessor :sp_entity_id
       attr_accessor :assertion_consumer_service_url
@@ -36,7 +37,6 @@ module OneLogin
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
-      attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
@@ -117,21 +117,38 @@ module OneLogin
         @single_logout_service_binding = url
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      # Calculates the fingerprint of the IdP x509 certificate.
+      # @return [String] The fingerprint
       #
-      def get_sp_cert
-        return nil if certificate.nil? || certificate.empty?
+      def get_fingerprint
+        idp_cert_fingerprint || begin
+          idp_cert = get_idp_cert
+          if idp_cert
+            Digest::SHA1.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
+      #
+      def get_idp_cert
+        return nil if idp_cert.nil?
+
+        if idp_cert.respond_to?(:to_pem)
+          idp_cert
+        else
+          return nil if idp_cert.empty?
+          formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
+          OpenSSL::X509::Certificate.new(formatted_cert)
+        end
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
       #
-      def get_sp_cert_new
-        return nil if certificate_new.nil? || certificate_new.empty?
+      def get_sp_cert
+        return nil if certificate.nil? || certificate.empty?
 
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
         OpenSSL::X509::Certificate.new(formatted_cert)
       end