ruby-saml 0.8.16 → 0.9

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -0,0 +1,78 @@
+require 'cgi'
+require 'zlib'
+require 'base64'
+require "rexml/document"
+require "rexml/xpath"
+
+module OneLogin
+  module RubySaml
+    class SamlMessage
+      include REXML
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      def valid_saml?(document, soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml-schema-protocol-2.0.xsd'))
+          @xml = Nokogiri::XML(document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      private
+
+      def decode_raw_saml(saml)
+        if saml =~ /^</
+          return saml
+        elsif (decoded  = decode(saml)) =~ /^</
+          return decoded
+        elsif (inflated = inflate(decoded)) =~ /^</
+          return inflated
+        end
+
+        return nil
+      end
+
+      def encode_raw_saml(saml, settings)
+        saml           = Zlib::Deflate.deflate(saml, 9)[2..-5] if settings.compress_request
+        base64_saml    = Base64.encode64(saml)
+        return CGI.escape(base64_saml)
+      end
+
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded).gsub(/\n/, "")
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,81 +1,48 @@
-require "xml_security"
-require "onelogin/ruby-saml/utils"
-
 module OneLogin
   module RubySaml
     class Settings
-      def initialize(overrides = {}, keep_security_attributes = false)
-        if keep_security_attributes
-           security_attributes = overrides.delete(:security) || {}
-           config = DEFAULTS.merge(overrides)
-           config[:security] = DEFAULTS[:security].merge(security_attributes)
-         else
-           config = DEFAULTS.merge(overrides)
-         end
-
-         config.each do |k,v|
-           acc = "#{k.to_s}=".to_sym
-           if respond_to? acc
-             value = v.is_a?(Hash) ? v.dup : v
-             send(acc, value)
-           end
-         end
+      def initialize(overrides = {})
+        config = DEFAULTS.merge(overrides)
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+        @attribute_consuming_service = AttributeService.new
       end
 
-      #idp data
+      # IdP Data
+      attr_accessor :idp_entity_id
       attr_accessor :idp_sso_target_url
-      attr_accessor :idp_cert_fingerprint
-      attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
-      attr_accessor :idp_entity_id
-      #sp data
-      attr_accessor :sp_entity_id
+      attr_accessor :idp_cert
+      attr_accessor :idp_cert_fingerprint
+      # SP Data
+      attr_accessor :issuer
       attr_accessor :assertion_consumer_service_url
-      attr_accessor :authn_context
+      attr_accessor :assertion_consumer_service_binding
       attr_accessor :sp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
-      attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
-      attr_accessor :force_authn
       attr_accessor :passive
       attr_accessor :protocol_binding
+      attr_accessor :attributes_index
+      attr_accessor :force_authn
+      attr_accessor :security
       attr_accessor :certificate
       attr_accessor :private_key
-      # Work-flow
-      attr_accessor :security
+      attr_accessor :authn_context
+      attr_accessor :authn_context_comparison
+      attr_accessor :authn_context_decl_ref
+      attr_reader :attribute_consuming_service
       # Compability
-      attr_accessor :issuer
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :assertion_consumer_logout_service_binding
 
-      # @return [String] SP Entity ID
-      #
-      def sp_entity_id
-        val = nil
-        if @sp_entity_id.nil?
-          if @issuer
-            val = @issuer
-          end
-        else
-          val = @sp_entity_id
-        end
-        val
-      end
-
-       # Setter for SP Entity ID.
-      # @param val [String].
-      #
-      def sp_entity_id=(val)
-        @sp_entity_id = val
-      end
-
-      # @return [String] Single Logout Service URL.
-      #
-      def single_logout_service_url
+      def single_logout_service_url()
         val = nil
         if @single_logout_service_url.nil?
           if @assertion_consumer_logout_service_url
@@ -87,16 +54,12 @@ module OneLogin
         val
       end
 
-      # Setter for the Single Logout Service URL.
-      # @param url [String].
-      #
-      def single_logout_service_url=(url)
-        @single_logout_service_url = url
+      # setter
+      def single_logout_service_url=(val)
+        @single_logout_service_url = val
       end
 
-      # @return [String] Single Logout Service Binding.
-      #
-      def single_logout_service_binding
+      def single_logout_service_binding()
         val = nil
         if @single_logout_service_binding.nil?
           if @assertion_consumer_logout_service_binding
@@ -108,76 +71,46 @@ module OneLogin
         val
       end
 
-      # Setter for Single Logout Service Binding.
-      #
-      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
-      # @param url [String]
-      #
-      def single_logout_service_binding=(url)
-        @single_logout_service_binding = url
-      end
-
-      # Calculates the fingerprint of the IdP x509 certificate.
-      # @return [String] The fingerprint
-      #
-      def get_fingerprint
-        idp_cert_fingerprint || begin
-          idp_cert = get_idp_cert
-          if idp_cert
-            Digest::SHA1.hexdigest(idp_cert.to_der).upcase.scan(/../).join(":")
-          end
-        end
+      # setter
+      def single_logout_service_binding=(val)
+        @single_logout_service_binding = val
       end
 
-      # @return [OpenSSL::X509::Certificate|nil] Build the IdP certificate from the settings (previously format it)
-      #
-      def get_idp_cert
-        return nil if idp_cert.nil?
-
-        if idp_cert.respond_to?(:to_pem)
-          idp_cert
-        else
-          return nil if idp_cert.empty?
-          formatted_cert = OneLogin::RubySaml::Utils.format_cert(idp_cert)
-          OpenSSL::X509::Certificate.new(formatted_cert)
-        end
-      end
-
-      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
-      #
       def get_sp_cert
-        return nil if certificate.nil? || certificate.empty?
-
-        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+        cert = nil
+        if self.certificate
+          formated_cert = OneLogin::RubySaml::Utils.format_cert(self.certificate)
+          cert = OpenSSL::X509::Certificate.new(formated_cert)
+        end
+        cert
       end
 
-      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
-      #
       def get_sp_key
-        return nil if private_key.nil? || private_key.empty?
-
-        formatted_private_key = OneLogin::RubySaml::Utils.format_private_key(private_key)
-        OpenSSL::PKey::RSA.new(formatted_private_key)
+        private_key = nil
+        if self.private_key
+          formated_private_key = OneLogin::RubySaml::Utils.format_private_key(self.private_key)
+          private_key = OpenSSL::PKey::RSA.new(formated_private_key)
+        end
+        private_key
       end
 
       private
 
       DEFAULTS = {
-        :compress_request => true,
-        :compress_response => true,
-        :double_quote_xml_attribute_values => false,
-        :assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+        :compress_request                          => true,
+        :compress_response                         => true,
         :security                                  => {
-          :authn_requests_signed      => false,
-          :logout_requests_signed     => false,
-          :logout_responses_signed    => false,
-          :embed_sign                 => false,
-          :digest_method              => XMLSecurity::Document::SHA1,
-          :signature_method           => XMLSecurity::Document::RSA_SHA1
-        }.freeze
-      }.freeze
+          :authn_requests_signed    => false,
+          :logout_requests_signed   => false,
+          :logout_responses_signed   => false,
+          :embed_sign               => false,
+          :digest_method            => XMLSecurity::Document::SHA1,
+          :signature_method         => XMLSecurity::Document::SHA1
+        },
+        :double_quote_xml_attribute_values         => false,
+      }
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -1,101 +1,66 @@
-require "xml_security"
-require "time"
+require 'zlib'
+require 'time'
+require 'nokogiri'
 
 # Only supports SAML 2.0
-# SAML2 Logout Request (SLO IdP initiated, Parser)
 module OneLogin
   module RubySaml
-    class SloLogoutrequest
-
-      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-
-      # OneLogin::RubySaml::Settings Toolkit settings
-      attr_accessor :settings
-
-      attr_reader :document
-      attr_reader :request
+    class SloLogoutrequest < SamlMessage
       attr_reader :options
+      attr_reader :request
+      attr_reader :document
 
-      def initialize(request, settings = nil, options = {})
+      def initialize(request, options = {})
         raise ArgumentError.new("Request cannot be nil") if request.nil?
-        self.settings = settings
+        @options  = options
+        @request = decode_raw_saml(request)
+        @document = REXML::Document.new(@request)
+      end
 
-        @options = options
-        @request = OneLogin::RubySaml::Utils.decode_raw_saml(request)
-        @document = XMLSecurity::SignedDocument.new(@request)
+      def is_valid?
+        validate
       end
 
       def validate!
         validate(false)
       end
 
-      def validate(soft = true)
-        return false unless validate_structure(soft)
-
-        valid_issuer?(soft)
-      end
-
+      # The value of the user identifier as designated by the initialization request response
       def name_id
         @name_id ||= begin
           node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
-          Utils.element_text(node)
+          node.nil? ? nil : node.text
         end
       end
 
-      alias_method :nameid, :name_id
-
-      def name_id_format
-        @name_id_node ||= REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
-        @name_id_format ||=
-          if @name_id_node && @name_id_node.attribute("Format")
-            @name_id_node.attribute("Format").value
-          end
-      end
-
-      alias_method :nameid_format, :name_id_format
-
       def id
-        @id ||= begin
-          node = REXML::XPath.first(document, "/p:LogoutRequest", { "p" => PROTOCOL } )
-          node.nil? ? nil : node.attributes['ID']
-        end
+        return @id if @id
+        element = REXML::XPath.first(document, "/p:LogoutRequest", {
+            "p" => PROTOCOL} )
+        return nil if element.nil?
+        return element.attributes["ID"]
       end
 
       def issuer
         @issuer ||= begin
           node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
-          Utils.element_text(node)
+          node.nil? ? nil : node.text
         end
       end
 
       private
 
-      def validate_structure(soft = true)
-        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
-          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
-          @xml = Nokogiri::XML(self.document.to_s)
-        end
-        if soft
-          @schema.validate(@xml).map{ return false }
-        else
-          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
-        end
+      def validate(soft = true)
+        valid_saml?(document, soft)  && validate_request_state(soft)
       end
 
-      def valid_issuer?(soft = true)
-        return true if settings.nil? || settings.idp_entity_id.nil? || issuer.nil?
-
-        unless OneLogin::RubySaml::Utils.uri_match?(issuer, settings.idp_entity_id)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.idp_entity_id}>, but was: <#{issuer}>")
+      def validate_request_state(soft = true)
+        if request.empty?
+          return soft ? false : validation_error("Blank request")
         end
         true
       end
 
-      def validation_error(message)
-        raise ValidationError.new(message)
-      end
-
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -1,33 +1,17 @@
-require "base64"
-require "zlib"
-require "cgi"
-require "onelogin/ruby-saml/utils"
-require "onelogin/ruby-saml/setting_error"
+require "uuid"
+
+require "onelogin/ruby-saml/logging"
 
 module OneLogin
   module RubySaml
+    class SloLogoutresponse < SamlMessage
 
-    # SAML2 Logout Response (SLO SP initiated)
-    #
-    class SloLogoutresponse
-
-      # Logout Response ID
-      attr_reader :uuid
+      attr_reader :uuid # Can be obtained if neccessary
 
-      # Initializes the Logout Response. A SloLogoutresponse Object.
-      # Asigns an ID, a random uuid.
-      #
       def initialize
-        @uuid = OneLogin::RubySaml::Utils.uuid
+        @uuid = "_" + UUID.new.generate
       end
 
-      # Creates the Logout Response string.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
-      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [String] Logout Request string that includes the SAMLRequest
-      #
       def create(settings, request_id = nil, logout_message = nil, params = {})
         params = create_params(settings, request_id, logout_message, params)
         params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
@@ -36,27 +20,12 @@ module OneLogin
         params.each_pair do |key, value|
           response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+
         @logout_url = settings.idp_slo_target_url + response_params
       end
 
-      # Creates the Get parameters for the logout response.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
-      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
-      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
-      # @return [Hash] Parameters
-      #
       def create_params(settings, request_id = nil, logout_message = nil, params = {})
-        # The method expects :RelayState but sometimes we get 'RelayState' instead.
-        # Based on the HashWithIndifferentAccess value in Rails we could experience
-        # conflicts so this line will solve them.
-        relay_state = params[:RelayState] || params['RelayState']
-
-        if relay_state.nil?
-          params.delete(:RelayState)
-          params.delete('RelayState')
-        end
+        params = {} if params.nil?
 
         response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -66,29 +35,18 @@ module OneLogin
 
         Logging.debug "Created SLO Logout Response: #{response}"
 
-        response = Zlib::Deflate.deflate(response, 9)[2..-5] if settings.compress_response
-        if Base64.respond_to?('strict_encode64')
-          base64_response = Base64.strict_encode64(response)
-        else
-          base64_response = Base64.encode64(response).gsub(/\n/, "")
-        end
+        response = deflate(response) if settings.compress_response
+        base64_response = encode(response)
         response_params = {"SAMLResponse" => base64_response}
 
         if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = settings.security[:signature_method]
-          url_string = OneLogin::RubySaml::Utils.build_query(
-            :type => 'SAMLResponse',
-            :data => base64_response,
-            :relay_state => relay_state,
-            :sig_alg => params['SigAlg']
-          )
-          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
-          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
-          if Base64.respond_to?('strict_encode64')
-            params['Signature'] = Base64.strict_encode64(signature)
-          else
-            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
-          end
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLResponse=#{CGI.escape(base64_response)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
         end
 
         params.each_pair do |key, value|
@@ -98,18 +56,7 @@ module OneLogin
         response_params
       end
 
-      # Creates the SAMLResponse String.
-      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
-      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
-      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
-      # @return [String] The SAMLResponse String.
-      #
       def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
-        document = create_xml_document(settings, request_id, logout_message)
-        sign_document(document, settings)
-      end
-
-      def create_xml_document(settings, request_id = nil, logout_message = nil)
         time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
         response_doc = XMLSecurity::Document.new
@@ -120,12 +67,7 @@ module OneLogin
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = '2.0'
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
-        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
-
-        if settings.sp_entity_id != nil
-          issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.sp_entity_id
-        end
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
 
         # add success message
         status = root.add_element 'samlp:Status'
@@ -139,18 +81,19 @@ module OneLogin
         status_message = status.add_element 'samlp:StatusMessage'
         status_message.text = logout_message
 
-        response_doc
-      end
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
 
-      def sign_document(document, settings)
-        # embed signature
+        # embebed sign
         if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
-          private_key = settings.get_sp_key
-          cert = settings.get_sp_cert
-          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          response_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
 
-        document
+        response_doc
       end
 
     end