ruby-saml 0.8.8 → 0.8.13

checksums.yaml

@@ -1,7 +1,7 @@
---- 
-SHA512: 
-  metadata.gz: 4841fc584fcb21a2d195ca2a0a7a3835301b4888d6eb10a916db75aaae47baa2db3142ea816cced287cda13e0e94261e33096532888e0c4dbfb88f3e815a561c
-  data.tar.gz: e1c81d64bc9cd5d3c9930934b02bbbe0b974b6a2606aae95ac81a0934a445971692f5ee6d5575baa5ca118f113776d824c581829fbf6f493a93041c7c6f74752
-SHA256: 
-  metadata.gz: 660a02871864e652d4676233c6c3f9afb36b5584a30dc6c12db8d683a891f609
-  data.tar.gz: 317d540f0b08fc67e91d74e3d46f553a50634cf9b1d199084470d1f099b79b51
+---
+SHA1:
+  metadata.gz: c3f3a436bf74c3342e13ed40b9d6d7c71e8b25f1
+  data.tar.gz: c39cb2b2fa7844d97cd83e2d6a34f7a5ab68151e
+SHA512:
+  metadata.gz: 38e6e375700d52f5bd4300dc5a1e7b9b20e5283b00371418730b1857ffc9b98857e72066a9ea67b504953eddaefc8683a0d40a29156f614dc18f9aaea7e7e0e5
+  data.tar.gz: a93d2f2c35bed0a8c44db64e3672aa8e811883d37b0386618dd51d0d7a9f19ddd37c59381dfa2c94cc04a361f3ecce8cd9677dc9ab6f44dee4eb653fefedba91

data/Gemfile

@@ -5,9 +5,19 @@ source 'http://rubygems.org'
 
 gemspec
 
+if RUBY_VERSION < '1.9'
+  gem 'nokogiri',   '~> 1.5.0'
+  gem 'minitest',  '~> 5.5', '<= 5.11.3'
+elsif RUBY_VERSION < '2.1'
+  gem 'nokogiri',   '>= 1.5.0', '<= 1.6.8.1'
+  gem 'minitest',  '~> 5.5'
+else
+  gem 'nokogiri',   '>= 1.5.0'
+  gem 'minitest',  '~> 5.5'
+end
+
 group :test do
   if RUBY_VERSION < '1.9'
-    gem 'nokogiri',   '~> 1.5.0'
     gem 'ruby-debug', '~> 0.10.4'
   elsif RUBY_VERSION < '2.0'
     gem 'debugger-linecache', '~> 1.2.0'

data/README.md

@@ -1,5 +1,8 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.png)](http://travis-ci.org/onelogin/ruby-saml)
 
+# Updating from 0.8.8 to 0.8.9
+Version `0.8.9` deprecates the use of settings.issuer, use instead settings.sp_entity_id. Deprecates assertion_consumer_logout_service_url and assertion_consumer_logout_service_binding as well, use instead single_logout_service_url and single_logout_service_binding. Adds validate_audience.
+
 # Updating from 0.8.7 to 0.8.8
 Version `0.8.8` adds support for ForceAuthn and Subjects on AuthNRequests by the new name_identifier_value_requested setting
 
@@ -52,7 +55,7 @@ def saml_settings
   settings = OneLogin::RubySaml::Settings.new
 
   settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
-  settings.issuer                         = request.host
+  settings.sp_entity_id                   = request.host
   settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -90,7 +93,7 @@ class SamlController < ApplicationController
     settings = OneLogin::RubySaml::Settings.new
 
     settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
-    settings.issuer                         = request.host
+    settings.sp_entity_id                   = request.host
     settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
     settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

data/Rakefile

@@ -25,17 +25,3 @@ end
 task :test
 
 task :default => :test
-
-# require 'rake/rdoctask'
-# Rake::RDocTask.new do |rdoc|
-#   if File.exist?('VERSION')
-#     version = File.read('VERSION')
-#   else
-#     version = ""
-#   end
-
-#   rdoc.rdoc_dir = 'rdoc'
-#   rdoc.title = "ruby-saml #{version}"
-#   rdoc.rdoc_files.include('README*')
-#   rdoc.rdoc_files.include('lib/**/*.rb')
-#end

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,16 +1,50 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
-require "rexml/document"
-require "rexml/xpath"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 module OneLogin
   module RubySaml
-  include REXML
+
     class Authrequest
+      # AuthNRequest ID
+      attr_reader :uuid
+
+      # Initializes the AuthNRequest. An Authrequest Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
       def create(settings, params = {})
-        params = {} if params.nil?
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_sso_target_url is not set!" if settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
+        @login_url = settings.idp_sso_target_url + request_params
+      end
+
+      # Creates the Get parameters for the request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -20,34 +54,55 @@ module OneLogin
 
         Logging.debug "Created AuthnRequest: #{request}"
 
-        request           = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
         if Base64.respond_to?('strict_encode64')
-            base64_request    = Base64.strict_encode64(request)
+          base64_request = Base64.strict_encode64(request)
         else
-            base64_request    = Base64.encode64(request).gsub(/\n/, "")
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
+        end
+
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
         end
-        encoded_request   = CGI.escape(base64_request)
-        params_prefix     = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
-        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
 
         params.each_pair do |key, value|
-          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+          request_params[key] = value.to_s
         end
 
-        settings.idp_sso_target_url + request_params
+        request_params
       end
 
       def create_authentication_xml_doc(settings)
-        uuid = "_" + UUID.new.generate
-        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-        # Create AuthnRequest root element using REXML
-        request_doc = REXML::Document.new
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
 
         root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil? or settings.idp_sso_target_url.empty?
         root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
         root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
         root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
@@ -56,9 +111,9 @@ module OneLogin
         if settings.assertion_consumer_service_url != nil
           root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
         end
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value_requested != nil
@@ -97,6 +152,17 @@ module OneLogin
         request_doc
       end
 
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,55 +1,115 @@
 require "base64"
-require "uuid"
 require "zlib"
 require "cgi"
+require 'rexml/document'
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 module OneLogin
   module RubySaml
-    include REXML
+
     class Logoutrequest
 
       attr_reader :uuid # Can be obtained if neccessary
 
       def initialize
-        @uuid = "_" + UUID.new.generate
+        @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
       def create(settings, params={})
-        request_doc = create_unauth_xml_doc(settings, params)
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      # Creates the Get parameters for the logout request.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, params={})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        request_doc = create_logout_request_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
         request = ""
         request_doc.write(request)
 
-        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+        Logging.debug "Created SLO Logout Request: #{request}"
+
+        request = Zlib::Deflate.deflate(request, 9)[2..-5] if settings.compress_request
         if Base64.respond_to?('strict_encode64')
-            base64_request    = Base64.strict_encode64(deflated_request)
+          base64_request = Base64.strict_encode64(request)
         else
-            base64_request    = Base64.encode64(deflated_request).gsub(/\n/, "")
+          base64_request = Base64.encode64(request).gsub(/\n/, "")
         end
-        encoded_request   = CGI.escape(base64_request)
+        request_params = {"SAMLRequest" => base64_request}
 
-        params_prefix     = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
-        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLRequest',
+            :data => base64_request,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
 
         params.each_pair do |key, value|
-          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+          request_params[key] = value.to_s
         end
 
-        @logout_url = settings.idp_slo_target_url + request_params
+        request_params
       end
 
-      def create_unauth_xml_doc(settings, params)
+      # Creates the SAMLRequest String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @return [String] The SAMLRequest String.
+      #
+      def create_logout_request_xml_doc(settings)
+        document = create_xml_document(settings)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_doc=nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
-        time = Time.new().strftime("%Y-%m-%dT%H:%M:%S")
+        if request_doc.nil?
+          request_doc = XMLSecurity::Document.new
+          request_doc.uuid = uuid
+        end
 
-        request_doc = REXML::Document.new
         root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
-        root.attributes['ID'] = @uuid
+        root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
 
-        if settings.issuer
+        if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
 
         if settings.name_identifier_value
@@ -57,8 +117,6 @@ module OneLogin
           name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
           name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
           name_id.text = settings.name_identifier_value
-        else
-          raise ValidationError.new("Missing required name identifier")
         end
 
         if settings.sessionindex
@@ -81,6 +139,23 @@ module OneLogin
         end
         request_doc
       end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+      # Leave due compatibility
+      def create_unauth_xml_doc(settings, params)
+        request_doc = ReXML::Document.new
+        create_xml_document(settings, request_doc)
+      end
     end
   end
 end

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -1,7 +1,5 @@
 require "xml_security"
 require "time"
-require "base64"
-require "zlib"
 
 module OneLogin
   module RubySaml
@@ -30,7 +28,7 @@ module OneLogin
         self.settings = settings
 
         @options = options
-        @response = decode_raw_response(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(response)
       end
 
@@ -75,27 +73,6 @@ module OneLogin
 
       private
 
-      def decode(encoded)
-        Base64.decode64(encoded)
-      end
-
-      def inflate(deflated)
-        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        zlib.inflate(deflated)
-      end
-
-      def decode_raw_response(response)
-        if response =~ /^</
-          return response
-        elsif (decoded  = decode(response)) =~ /^</
-          return decoded
-        elsif (inflated = inflate(decoded)) =~ /^</
-          return inflated
-        end
-
-        raise "Couldn't decode SAMLResponse"
-      end
-
       def valid_saml?(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
@@ -117,8 +94,8 @@ module OneLogin
           return soft ? false : validation_error("No settings on response")
         end
 
-        if settings.issuer.nil?
-          return soft ? false : validation_error("No issuer in settings")
+        if settings.sp_entity_id.nil?
+          return soft ? false : validation_error("No sp_entity_id in settings")
         end
 
         if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
@@ -139,8 +116,8 @@ module OneLogin
       end
 
       def valid_issuer?(soft = true)
-        unless URI.parse(issuer) == URI.parse(self.settings.issuer)
-          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
+        unless URI.parse(issuer) == URI.parse(self.settings.sp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.sp_entity_id}>, but was: <#{issuer}>")
         end
         true
       end