ruby-saml 0.8.8 → 0.8.13

data/lib/onelogin/ruby-saml/metadata.rb

@@ -22,15 +22,15 @@ module OneLogin
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
             "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
         }
-        if settings.issuer != nil
-          root.attributes["entityID"] = settings.issuer
+        if settings.sp_entity_id != nil
+          root.attributes["entityID"] = settings.sp_entity_id
         end
-        if settings.assertion_consumer_logout_service_url != nil
+        if settings.single_logout_service_url != nil
           sp_sso.add_element "md:SingleLogoutService", {
               # Add this as a setting to create different bindings?
               "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-              "Location" => settings.assertion_consumer_logout_service_url,
-              "ResponseLocation" => settings.assertion_consumer_logout_service_url,
+              "Location" => settings.single_logout_service_url,
+              "ResponseLocation" => settings.single_logout_service_url,
               "isDefault" => true,
               "index" => 0
           }

data/lib/onelogin/ruby-saml/response.rb

@@ -1,6 +1,7 @@
 require "xml_security"
 require "time"
 require "nokogiri"
+require "onelogin/ruby-saml/utils"
 require 'onelogin/ruby-saml/attributes'
 
 # Only supports SAML 2.0
@@ -22,7 +23,7 @@ module OneLogin
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
         @options  = options
-        @response = (response =~ /^</) ? response : Base64.decode64(response)
+        @response = OneLogin::RubySaml::Utils.decode_raw_saml(response)
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
@@ -42,6 +43,8 @@ module OneLogin
         end
       end
 
+      alias nameid name_id
+
       def sessionindex
         @sessionindex ||= begin
           node = xpath_first_from_signed_assertion('/a:AuthnStatement')
@@ -131,6 +134,15 @@ module OneLogin
         end
       end
 
+      # @return [Array] The Audience elements from the Contitions of the SAML Response.
+      #
+      def audiences
+        @audiences ||= begin
+          nodes = xpath_from_signed_assertion('/a:Conditions/a:AudienceRestriction/a:Audience')
+          nodes.map { |node| Utils.element_text(node) }.reject(&:empty?)
+        end
+      end
+
       private
 
       def validation_error(message)
@@ -138,13 +150,166 @@ module OneLogin
       end
 
       def validate(soft = true)
-        validate_structure(soft)      &&
-        validate_response_state(soft) &&
-        validate_conditions(soft)     &&
+        validate_structure(soft)       &&
+        validate_success_status(soft)  &&
+        validate_num_assertion         &&
+        validate_signed_elements(soft) &&
+        validate_response_state(soft)  &&
+        validate_conditions(soft)      &&
+        validate_audience(soft)        &&
         document.validate_document(get_fingerprint, soft) &&
         success?
       end
 
+      # Validates that the SAML Response only contains a single Assertion (encrypted or not).
+      # @return [Boolean] True if the SAML Response contains one unique Assertion, otherwise False
+      #
+      def validate_num_assertion(soft = true)
+        assertions = REXML::XPath.match(
+          document,
+          "//a:Assertion",
+          { "a" => ASSERTION }
+        )
+        encrypted_assertions = REXML::XPath.match(
+          document,
+          "//a:EncryptedAssertion",
+          { "a" => ASSERTION }
+        )
+
+        unless assertions.size + encrypted_assertions.size == 1
+          return soft ? false : validation_error("SAML Response must contain 1 assertion")
+        end
+
+        true
+      end
+
+      # Validates the Signed elements
+      # @return [Boolean] True if there is 1 or 2 Elements signed in the SAML Response
+      #                        an are a Response or an Assertion Element, otherwise False if soft=True
+      #
+      def validate_signed_elements(soft)
+        signature_nodes = REXML::XPath.match(
+          document,
+          "//ds:Signature",
+          {"ds"=>DSIG}
+        )
+        signed_elements = []
+        verified_seis = []
+        verified_ids = []
+        signature_nodes.each do |signature_node|
+          signed_element = signature_node.parent.name
+          if signed_element != 'Response' && signed_element != 'Assertion'
+            return soft ? false : validation_error("Invalid Signature Element '#{signed_element}'. SAML Response rejected")
+          end
+
+          if signature_node.parent.attributes['ID'].nil?
+            return soft ? false : validation_error("Signed Element must contain an ID. SAML Response rejected")
+          end
+
+          id = signature_node.parent.attributes.get_attribute("ID").value
+          if verified_ids.include?(id)
+            return soft ? false : validation_error("Duplicated ID. SAML Response rejected")
+          end
+          verified_ids.push(id)
+
+          # Check that reference URI matches the parent ID and no duplicate References or IDs
+          ref = REXML::XPath.first(signature_node, ".//ds:Reference", {"ds"=>DSIG})
+          if ref
+            uri = ref.attributes.get_attribute("URI")
+            if uri && !uri.value.empty?
+              sei = uri.value[1..-1]
+
+              unless sei == id
+                return soft ? false : validation_error("Found an invalid Signed Element. SAML Response rejected")
+              end
+
+              if verified_seis.include?(sei)
+                return soft ? false : validation_error("Duplicated Reference URI. SAML Response rejected")
+                return append_error("Duplicated Reference URI. SAML Response rejected")
+              end
+
+              verified_seis.push(sei)
+            end
+          end
+
+          signed_elements << signed_element
+        end
+
+        unless signature_nodes.length < 3 && !signed_elements.empty?
+          return soft ? false : validation_error("Found an unexpected number of Signature Element. SAML Response rejected")
+        end
+
+        true
+      end
+
+      # Validates the Status of the SAML Response
+      # @return [Boolean] True if the SAML Response contains a Success code, otherwise False if soft == false
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_success_status(soft = true)
+        return true if success?
+
+        return false unless soft
+
+        error_msg = 'The status code of the Response was not Success'
+        status_error_msg = OneLogin::RubySaml::Utils.status_error_msg(error_msg, status_code, status_message)
+        return validation_error(status_error_msg)
+      end
+
+      # Checks if the Status has the "Success" code
+      # @return [Boolean] True if the StatusCode is Sucess
+      #
+      def success?
+        status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+
+      # @return [String] StatusCode value from a SAML Response.
+      #
+      def status_code
+        @status_code ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusCode",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            node = nodes[0]
+            code = node.attributes["Value"] if node && node.attributes
+
+            unless code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+              nodes = REXML::XPath.match(
+                document,
+                "/p:Response/p:Status/p:StatusCode/p:StatusCode",
+                { "p" => PROTOCOL }
+              )
+              statuses = nodes.collect do |inner_node|
+                inner_node.attributes["Value"]
+              end
+              extra_code = statuses.join(" | ")
+              if extra_code
+                code = "#{code} | #{extra_code}"
+              end
+            end
+            code
+          end
+        end
+      end
+
+      # @return [String] the StatusMessage value from a SAML Response.
+      #
+      def status_message
+        @status_message ||= begin
+          nodes = REXML::XPath.match(
+            document,
+            "/p:Response/p:Status/p:StatusMessage",
+            { "p" => PROTOCOL }
+          )
+          if nodes.size == 1
+            Utils.element_text(nodes.first)
+          end
+        end
+      end
+
       def validate_structure(soft = true)
         Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
           @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
@@ -240,6 +405,24 @@ module OneLogin
           Time.parse(node.attributes[attribute])
         end
       end
+
+      # Validates the Audience, (If the Audience match the Service Provider EntityID)
+      # If fails, the error is added to the errors array
+      # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
+      # @raise [ValidationError] if soft == false and validation fails
+      #
+      def validate_audience(soft = true)
+        return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
+
+        unless audiences.include? settings.sp_entity_id
+          s = audiences.count > 1 ? 's' : '';
+          error_msg = "Invalid Audience#{s}. The audience#{s} #{audiences.join(',')}, did not match the expected audience #{settings.sp_entity_id}"
+          return soft ? false : validation_error(error_msg)
+        end
+
+        true
+      end
+
     end
   end
 end

data/lib/onelogin/ruby-saml/setting_error.rb

@@ -0,0 +1,6 @@
+module OneLogin
+  module RubySaml
+    class SettingError < StandardError
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,30 +1,166 @@
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+
 module OneLogin
   module RubySaml
     class Settings
-      def initialize(overrides = {})
-        config = DEFAULTS.merge(overrides)
-        config.each do |k,v|
-          acc = "#{k.to_s}=".to_sym
-          self.send(acc, v) if self.respond_to? acc
-        end
+      def initialize(overrides = {}, keep_security_attributes = false)
+        if keep_security_attributes
+           security_attributes = overrides.delete(:security) || {}
+           config = DEFAULTS.merge(overrides)
+           config[:security] = DEFAULTS[:security].merge(security_attributes)
+         else
+           config = DEFAULTS.merge(overrides)
+         end
+
+         config.each do |k,v|
+           acc = "#{k.to_s}=".to_sym
+           if respond_to? acc
+             value = v.is_a?(Hash) ? v.dup : v
+             send(acc, value)
+           end
+         end
       end
-      attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
-      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
-      attr_accessor :authn_context
+
+      #idp data
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_cert_fingerprint
+      attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      #sp data
+      attr_accessor :sp_entity_id
+      attr_accessor :assertion_consumer_service_url
+      attr_accessor :authn_context
+      attr_accessor :sp_name_qualifier
+      attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
+      attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
       attr_accessor :force_authn
       attr_accessor :passive
       attr_accessor :protocol_binding
+      attr_accessor :certificate
+      attr_accessor :private_key
+      # Work-flow
+      attr_accessor :security
+      # Compability
+      attr_accessor :issuer
+      attr_accessor :assertion_consumer_logout_service_url
+      attr_accessor :assertion_consumer_logout_service_binding
+
+      # @return [String] SP Entity ID
+      #
+      def sp_entity_id
+        val = nil
+        if @sp_entity_id.nil?
+          if @issuer
+            val = @issuer
+          end
+        else
+          val = @sp_entity_id
+        end
+        val
+      end
+
+       # Setter for SP Entity ID.
+      # @param val [String].
+      #
+      def sp_entity_id=(val)
+        @sp_entity_id = val
+      end
+
+      # @return [String] Single Logout Service URL.
+      #
+      def single_logout_service_url
+        val = nil
+        if @single_logout_service_url.nil?
+          if @assertion_consumer_logout_service_url
+            val = @assertion_consumer_logout_service_url
+          end
+        else
+          val = @single_logout_service_url
+        end
+        val
+      end
+
+      # Setter for the Single Logout Service URL.
+      # @param url [String].
+      #
+      def single_logout_service_url=(url)
+        @single_logout_service_url = url
+      end
+
+      # @return [String] Single Logout Service Binding.
+      #
+      def single_logout_service_binding
+        val = nil
+        if @single_logout_service_binding.nil?
+          if @assertion_consumer_logout_service_binding
+            val = @assertion_consumer_logout_service_binding
+          end
+        else
+          val = @single_logout_service_binding
+        end
+        val
+      end
+
+      # Setter for Single Logout Service Binding.
+      #
+      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+      # @param url [String]
+      #
+      def single_logout_service_binding=(url)
+        @single_logout_service_binding = url
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert
+        return nil if certificate.nil? || certificate.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert_new
+        return nil if certificate_new.nil? || certificate_new.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
+      #
+      def get_sp_key
+        return nil if private_key.nil? || private_key.empty?
+
+        formatted_private_key = OneLogin::RubySaml::Utils.format_private_key(private_key)
+        OpenSSL::PKey::RSA.new(formatted_private_key)
+      end
 
       private
 
-      DEFAULTS = {:compress_request => true, :double_quote_xml_attribute_values => false}
+      DEFAULTS = {
+        :compress_request => true,
+        :compress_response => true,
+        :double_quote_xml_attribute_values => false,
+        :assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
+        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :security                                  => {
+          :authn_requests_signed      => false,
+          :logout_requests_signed     => false,
+          :logout_responses_signed    => false,
+          :embed_sign                 => false,
+          :digest_method              => XMLSecurity::Document::SHA1,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1
+        }.freeze
+      }.freeze
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -0,0 +1,158 @@
+require "base64"
+require "zlib"
+require "cgi"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+module OneLogin
+  module RubySaml
+
+    # SAML2 Logout Response (SLO SP initiated)
+    #
+    class SloLogoutresponse
+
+      # Logout Response ID
+      attr_reader :uuid
+
+      # Initializes the Logout Response. A SloLogoutresponse Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
+      # Creates the Logout Response string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] Logout Request string that includes the SAMLRequest
+      #
+      def create(settings, request_id = nil, logout_message = nil, params = {})
+        params = create_params(settings, request_id, logout_message, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_response = CGI.escape(params.delete("SAMLResponse"))
+        response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
+        params.each_pair do |key, value|
+          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        @logout_url = settings.idp_slo_target_url + response_params
+      end
+
+      # Creates the Get parameters for the logout response.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        response = ""
+        response_doc.write(response)
+
+        Logging.debug "Created SLO Logout Response: #{response}"
+
+        response = Zlib::Deflate.deflate(response, 9)[2..-5] if settings.compress_response
+        if Base64.respond_to?('strict_encode64')
+          base64_response = Base64.strict_encode64(response)
+        else
+          base64_response = Base64.encode64(response).gsub(/\n/, "")
+        end
+        response_params = {"SAMLResponse" => base64_response}
+
+        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => base64_response,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
+
+        params.each_pair do |key, value|
+          response_params[key] = value.to_s
+        end
+
+        response_params
+      end
+
+      # Creates the SAMLResponse String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @return [String] The SAMLResponse String.
+      #
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
+        document = create_xml_document(settings, request_id, logout_message)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_id = nil, logout_message = nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response_doc = XMLSecurity::Document.new
+        response_doc.uuid = uuid
+
+        root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = '2.0'
+        root.attributes['InResponseTo'] = request_id unless request_id.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+
+        if settings.sp_entity_id != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.sp_entity_id
+        end
+
+        # add success message
+        status = root.add_element 'samlp:Status'
+
+        # success status code
+        status_code = status.add_element 'samlp:StatusCode'
+        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+
+        # success status message
+        logout_message ||= 'Successfully Signed Out'
+        status_message = status.add_element 'samlp:StatusMessage'
+        status_message.text = logout_message
+
+        response_doc
+      end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+    end
+  end
+end