ruby-saml 0.8.12

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -0,0 +1,168 @@
+require "base64"
+require "zlib"
+require "cgi"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+module OneLogin
+  module RubySaml
+
+    class Authrequest
+      # AuthNRequest ID
+      attr_reader :uuid
+
+      # Initializes the AuthNRequest. An Authrequest Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
+      def create(settings, params = {})
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
+        @login_url = settings.idp_sso_target_url + request_params
+      end
+
+      # Creates the Get parameters for the request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        request_doc = create_authentication_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created AuthnRequest: #{request}"
+
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
+        if Base64.respond_to?('strict_encode64')
+          base64_request = Base64.strict_encode64(request)
+        else
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
+        end
+
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
+
+        params.each_pair do |key, value|
+          request_params[key] = value.to_s
+        end
+
+        request_params
+      end
+
+      def create_authentication_xml_doc(settings)
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
+        root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
+        root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+        root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
+
+        # Conditionally defined elements based on settings
+        if settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+        end
+        if settings.sp_entity_id != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.sp_entity_id
+        end
+
+        if settings.name_identifier_value_requested != nil
+          subject = root.add_element "saml:Subject"
+
+          nameid = subject.add_element "saml:NameID"
+          nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          nameid.text = settings.name_identifier_value_requested
+
+          subject_confirmation = subject.add_element "saml:SubjectConfirmation"
+          subject_confirmation.attributes['Method'] = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        end
+
+        if settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", {
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => settings.name_identifier_format
+          }
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined,
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
+            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = settings.authn_context
+        end
+        request_doc
+      end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logging.rb

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module OneLogin
+  module RubySaml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -0,0 +1,161 @@
+require "base64"
+require "zlib"
+require "cgi"
+require 'rexml/document'
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+module OneLogin
+  module RubySaml
+
+    class Logoutrequest
+
+      attr_reader :uuid # Can be obtained if neccessary
+
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
+      def create(settings, params={})
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      # Creates the Get parameters for the logout request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        request_doc = create_logout_request_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created SLO Logout Request: #{request}"
+
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
+        if Base64.respond_to?('strict_encode64')
+          base64_request = Base64.strict_encode64(request)
+        else
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
+        end
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
+
+        params.each_pair do |key, value|
+          request_params[key] = value.to_s
+        end
+
+        request_params
+      end
+
+      # Creates the SAMLRequest String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @return [String] The SAMLRequest String.
+      #
+      def create_logout_request_xml_doc(settings)
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_doc=nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        if request_doc.nil?
+          request_doc = XMLSecurity::Document.new
+          request_doc.uuid = uuid
+        end
+
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+
+        if settings.sp_entity_id
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = settings.sp_entity_id
+        end
+
+        if settings.name_identifier_value
+          name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          name_id.text = settings.name_identifier_value
+        end
+
+        if settings.sessionindex
+          sessionindex = root.add_element "samlp:SessionIndex", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+          sessionindex.text = settings.sessionindex
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined,
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
+              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = settings.authn_context
+        end
+        request_doc
+      end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+      # Leave due compatibility
+      def create_unauth_xml_doc(settings, params)
+        request_doc = ReXML::Document.new
+        create_xml_document(settings, request_doc)
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -0,0 +1,153 @@
+require "xml_security"
+require "time"
+require "base64"
+require "zlib"
+
+module OneLogin
+  module RubySaml
+    class Logoutresponse
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      # For API compability, this is mutable.
+      attr_accessor :settings
+
+      attr_reader :document
+      attr_reader :response
+      attr_reader :options
+
+      #
+      # In order to validate that the response matches a given request, append
+      # the option:
+      #   :matches_request_id => REQUEST_ID
+      #
+      # It will validate that the logout response matches the ID of the request.
+      # You can also do this yourself through the in_response_to accessor.
+      #
+      def initialize(response, settings = nil, options = {})
+        raise ArgumentError.new("Logoutresponse cannot be nil") if response.nil?
+        self.settings = settings
+
+        @options = options
+        @response = decode_raw_response(response)
+        @document = XMLSecurity::SignedDocument.new(response)
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def validate(soft = true)
+        return false unless valid_saml?(soft) && valid_state?(soft)
+
+        valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
+      end
+
+      def success?(soft = true)
+        unless status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+          return soft ? false : validation_error("Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <#@status_code> ")
+        end
+        true
+      end
+
+      def in_response_to
+        @in_response_to ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes['InResponseTo']
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          Utils.element_text(node)
+        end
+      end
+
+      def status_code
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes["Value"]
+        end
+      end
+
+      private
+
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def decode_raw_response(response)
+        if response =~ /^</
+          return response
+        elsif (decoded  = decode(response)) =~ /^</
+          return decoded
+        elsif (inflated = inflate(decoded)) =~ /^</
+          return inflated
+        end
+
+        raise "Couldn't decode SAMLResponse"
+      end
+
+      def valid_saml?(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def valid_state?(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.sp_entity_id.nil?
+          return soft ? false : validation_error("No sp_entity_id in settings")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def valid_in_response_to?(soft = true)
+        return true unless self.options.has_key? :matches_request_id
+
+        unless self.options[:matches_request_id] == in_response_to
+          return soft ? false : validation_error("Response does not match the request ID, expected: <#{self.options[:matches_request_id]}>, but was: <#{in_response_to}>")
+        end
+
+        true
+      end
+
+      def valid_issuer?(soft = true)
+        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+    end
+  end
+end