ruby-saml 0.8.16 → 0.9

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -0,0 +1,87 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module OneLogin
+  module RubySaml
+    include REXML
+
+    class IdpMetadataParser
+
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_reader :document
+
+      def parse_remote(url, validate_cert = true)
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse(idp_metadata)
+      end
+
+      def parse(idp_metadata)
+        @document = REXML::Document.new(idp_metadata)
+
+        OneLogin::RubySaml::Settings.new.tap do |settings|
+
+          settings.idp_sso_target_url = single_signon_service_url
+          settings.idp_slo_target_url = single_logout_service_url
+          settings.idp_cert_fingerprint = fingerprint
+        end
+      end
+
+      private
+
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # # returns a REXML document of the metadata
+      def get_idp_metadata(url, validate_cert)
+        uri = URI.parse(url)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+          meta_text = response.body
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          if validate_cert
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          else
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+          meta_text = response.body
+        end
+        meta_text
+      end
+
+      def single_signon_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def single_logout_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def certificate
+        @certificate ||= begin
+          node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", { "md" => METADATA, "ds" => DSIG })
+          Base64.decode64(node.text) if node
+        end
+      end
+
+      def fingerprint
+        @fingerprint ||= begin
+          if certificate
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,19 +1,15 @@
-require "base64"
-require "zlib"
-require "cgi"
-require 'rexml/document'
-require "onelogin/ruby-saml/utils"
-require "onelogin/ruby-saml/setting_error"
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
 
 module OneLogin
   module RubySaml
-
-    class Logoutrequest
+    class Logoutrequest < SamlMessage
 
       attr_reader :uuid # Can be obtained if neccessary
 
       def initialize
-        @uuid = OneLogin::RubySaml::Utils.uuid
+        @uuid = "_" + UUID.new.generate
       end
 
       def create(settings, params={})
@@ -24,25 +20,11 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
         @logout_url = settings.idp_slo_target_url + request_params
       end
 
-      # Creates the Get parameters for the logout request.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [Hash] Parameters
-      #
       def create_params(settings, params={})
-        # The method expects :RelayState but sometimes we get 'RelayState' instead.
-        # Based on the HashWithIndifferentAccess value in Rails we could experience
-        # conflicts so this line will solve them.
-        relay_state = params[:RelayState] || params['RelayState']
-
-        if relay_state.nil?
-          params.delete(:RelayState)
-          params.delete('RelayState')
-        end
+        params = {} if params.nil?
 
         request_doc = create_logout_request_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -52,29 +34,18 @@ module OneLogin
 
         Logging.debug "Created SLO Logout Request: #{request}"
 
-        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
-        if Base64.respond_to?('strict_encode64')
-          base64_request = Base64.strict_encode64(request)
-        else
-          base64_request = Base64.encode64(request).gsub(/\n/, "")
-        end
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
-          url_string = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLRequest',
-            :data => base64_request,
-            :relay_state => relay_state,
-            :sig_alg => params['SigAlg']
-          )
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
-          if Base64.respond_to?('strict_encode64')
-            params['Signature'] = Base64.strict_encode64(signature)
-          else
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          end
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
         end
 
         params.each_pair do |key, value|
@@ -84,77 +55,47 @@ module OneLogin
         request_params
       end
 
-      # Creates the SAMLRequest String.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @return [String] The SAMLRequest String.
-      #
       def create_logout_request_xml_doc(settings)
-        document = create_xml_document(settings)
-        sign_document(document, settings)
-      end
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
-      def create_xml_document(settings, request_doc=nil)
-        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
-
-        if request_doc.nil?
-          request_doc = XMLSecurity::Document.new
-          request_doc.uuid = uuid
-        end
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
 
-        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
 
-        if settings.sp_entity_id
-          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          issuer.text = settings.sp_entity_id
+        if settings.issuer
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
         end
 
+        name_id = root.add_element "saml:NameID"
         if settings.name_identifier_value
-          name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
           name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
+        else
+          # If no NameID is present in the settings we generate one
+          name_id.text = "_" + UUID.new.generate
+          name_id.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
         end
 
         if settings.sessionindex
-          sessionindex = root.add_element "samlp:SessionIndex", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+          sessionindex = root.add_element "samlp:SessionIndex"
           sessionindex.text = settings.sessionindex
         end
 
-        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
-        # match required for authentication to succeed.  If this is not defined,
-        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
-        if settings.authn_context != nil
-          requested_context = root.add_element "samlp:RequestedAuthnContext", {
-              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
-              "Comparison" => "exact",
-          }
-          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
-              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
-          }
-          class_ref.text = settings.authn_context
-        end
-        request_doc
-      end
-
-      def sign_document(document, settings)
-        # embed signature
+        # embebed sign
         if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
-          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        document
-      end
-
-      # Leave due compatibility
-      def create_unauth_xml_doc(settings, params)
-        request_doc = ReXML::Document.new
-        create_xml_document(settings, request_doc)
+        request_doc
       end
     end
   end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -3,11 +3,7 @@ require "time"
 
 module OneLogin
   module RubySaml
-    class Logoutresponse
-
-      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-
+    class Logoutresponse < SamlMessage
       # For API compability, this is mutable.
       attr_accessor :settings
 
@@ -28,7 +24,7 @@ module OneLogin
         self.settings = settings
 
         @options = options
-        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
+        @response = decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
@@ -37,7 +33,7 @@ module OneLogin
       end
 
       def validate(soft = true)
-        return false unless validate_structure(soft)
+        return false unless valid_saml?(document, soft) && valid_state?(soft)
 
         valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
       end
@@ -51,7 +47,7 @@ module OneLogin
 
       def in_response_to
         @in_response_to ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL })
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
           node.nil? ? nil : node.attributes['InResponseTo']
         end
       end
@@ -59,7 +55,8 @@ module OneLogin
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          Utils.element_text(node)
+          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
         end
       end
 
@@ -72,16 +69,24 @@ module OneLogin
 
       private
 
-      def validate_structure(soft = true)
-        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
-          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
-          @xml = Nokogiri::XML(self.document.to_s)
+      def valid_state?(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
         end
-        if soft
-          @schema.validate(@xml).map{ return false }
-        else
-          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+
+        if settings.issuer.nil?
+          return soft ? false : validation_error("No issuer in settings")
         end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
       end
 
       def valid_in_response_to?(soft = true)
@@ -95,17 +100,13 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
+        return true if self.settings.idp_entity_id.nil? or self.issuer.nil?
 
-        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
+        unless URI.parse(self.issuer) == URI.parse(self.settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
         end
         true
       end
-
-      def validation_error(message)
-        raise ValidationError.new(message)
-      end
     end
   end
 end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -2,6 +2,8 @@ require "rexml/document"
 require "rexml/xpath"
 require "uri"
 
+require "onelogin/ruby-saml/logging"
+
 # Class to return SP metadata based on the settings requested.
 # Return this XML in a controller, then give that URL to the the
 # IdP administrator.  The IdP will poll the URL and your settings
@@ -17,49 +19,77 @@ module OneLogin
         }
         sp_sso = root.add_element "md:SPSSODescriptor", {
             "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
-            # Metadata request need not be signed (as we don't publish our cert)
-            "AuthnRequestsSigned" => false,
+            "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
-            "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
+            "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
         }
-        if settings.sp_entity_id != nil
-          root.attributes["entityID"] = settings.sp_entity_id
+        if settings.issuer
+          root.attributes["entityID"] = settings.issuer
         end
-        if settings.single_logout_service_url != nil
+        if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
-              # Add this as a setting to create different bindings?
-              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Binding" => settings.single_logout_service_binding,
               "Location" => settings.single_logout_service_url,
               "ResponseLocation" => settings.single_logout_service_url,
               "isDefault" => true,
               "index" => 0
           }
         end
-        if settings.name_identifier_format != nil
+        if settings.name_identifier_format
           name_id = sp_sso.add_element "md:NameIDFormat"
           name_id.text = settings.name_identifier_format
         end
-        if settings.assertion_consumer_service_url != nil
+        if settings.assertion_consumer_service_url
           sp_sso.add_element "md:AssertionConsumerService", {
-              # Add this as a setting to create different bindings?
-              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Binding" => settings.assertion_consumer_service_binding,
               "Location" => settings.assertion_consumer_service_url,
               "isDefault" => true,
               "index" => 0
           }
         end
+
+        # Add KeyDescriptor if messages will be signed
+        cert = settings.get_sp_cert()
+        if cert
+          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          xd = ki.add_element "ds:X509Data"
+          xc = xd.add_element "ds:X509Certificate"
+          xc.text = Base64.encode64(cert.to_der).gsub("\n", '')
+        end
+
+        if settings.attribute_consuming_service.configured?
+          sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
+            "isDefault" => "true",
+            "index" => settings.attribute_consuming_service.index 
+          }
+          srv_name = sp_acs.add_element "md:ServiceName", {
+            "xml:lang" => "en"
+          }
+          srv_name.text = settings.attribute_consuming_service.name
+          settings.attribute_consuming_service.attributes.each do |attribute|
+            sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
+              "NameFormat" => attribute[:name_format],
+              "Name" => attribute[:name], 
+              "FriendlyName" => attribute[:friendly_name]
+            }
+            unless attribute[:attribute_value].nil?
+              sp_attr_val = sp_req_attr.add_element "md:AttributeValue"
+              sp_attr_val.text = attribute[:attribute_value]
+            end
+          end
+        end
+
         # With OpenSSO, it might be required to also include
         #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
-        meta_doc << REXML::XMLDecl.new
+        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
         meta_doc.write(ret, 1)
 
-        Logging.debug "Generated metadata:\n#{ret}"
-
-        ret
+        return ret
       end
     end
   end