ruby-saml 0.8.9 → 0.8.14

data/lib/onelogin/ruby-saml/setting_error.rb

@@ -0,0 +1,6 @@
+module OneLogin
+  module RubySaml
+    class SettingError < StandardError
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -1,27 +1,52 @@
+require "xml_security"
+require "onelogin/ruby-saml/utils"
+
 module OneLogin
   module RubySaml
     class Settings
-      def initialize(overrides = {})
-        config = DEFAULTS.merge(overrides)
-        config.each do |k,v|
-          acc = "#{k.to_s}=".to_sym
-          self.send(acc, v) if self.respond_to? acc
-        end
+      def initialize(overrides = {}, keep_security_attributes = false)
+        if keep_security_attributes
+           security_attributes = overrides.delete(:security) || {}
+           config = DEFAULTS.merge(overrides)
+           config[:security] = DEFAULTS[:security].merge(security_attributes)
+         else
+           config = DEFAULTS.merge(overrides)
+         end
+
+         config.each do |k,v|
+           acc = "#{k.to_s}=".to_sym
+           if respond_to? acc
+             value = v.is_a?(Hash) ? v.dup : v
+             send(acc, value)
+           end
+         end
       end
-      attr_accessor :assertion_consumer_service_url, :sp_entity_id, :sp_name_qualifier
-      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
-      attr_accessor :authn_context
+
+      #idp data
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_cert_fingerprint
+      attr_accessor :idp_cert
       attr_accessor :idp_slo_target_url
+      #sp data
+      attr_accessor :sp_entity_id
+      attr_accessor :assertion_consumer_service_url
+      attr_accessor :authn_context
+      attr_accessor :sp_name_qualifier
+      attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
       attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :compress_request
+      attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
       attr_accessor :force_authn
       attr_accessor :passive
       attr_accessor :protocol_binding
-
+      attr_accessor :certificate
+      attr_accessor :private_key
+      # Work-flow
+      attr_accessor :security
       # Compability
       attr_accessor :issuer
       attr_accessor :assertion_consumer_logout_service_url
@@ -92,14 +117,50 @@ module OneLogin
         @single_logout_service_binding = url
       end
 
+      # @return [OpenSSL::X509::Certificate|nil] Build the SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert
+        return nil if certificate.nil? || certificate.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
+      #
+      def get_sp_cert_new
+        return nil if certificate_new.nil? || certificate_new.empty?
+
+        formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate_new)
+        OpenSSL::X509::Certificate.new(formatted_cert)
+      end
+
+      # @return [OpenSSL::PKey::RSA] Build the SP private from the settings (previously format it)
+      #
+      def get_sp_key
+        return nil if private_key.nil? || private_key.empty?
+
+        formatted_private_key = OneLogin::RubySaml::Utils.format_private_key(private_key)
+        OpenSSL::PKey::RSA.new(formatted_private_key)
+      end
+
       private
 
       DEFAULTS = {
         :compress_request => true,
+        :compress_response => true,
         :double_quote_xml_attribute_values => false,
         :assertion_consumer_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
-      }
+        :single_logout_service_binding => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :security                                  => {
+          :authn_requests_signed      => false,
+          :logout_requests_signed     => false,
+          :logout_responses_signed    => false,
+          :embed_sign                 => false,
+          :digest_method              => XMLSecurity::Document::SHA1,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1
+        }.freeze
+      }.freeze
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -0,0 +1,158 @@
+require "base64"
+require "zlib"
+require "cgi"
+require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
+
+module OneLogin
+  module RubySaml
+
+    # SAML2 Logout Response (SLO SP initiated)
+    #
+    class SloLogoutresponse
+
+      # Logout Response ID
+      attr_reader :uuid
+
+      # Initializes the Logout Response. A SloLogoutresponse Object.
+      # Asigns an ID, a random uuid.
+      #
+      def initialize
+        @uuid = OneLogin::RubySaml::Utils.uuid
+      end
+
+      # Creates the Logout Response string.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [String] Logout Request string that includes the SAMLRequest
+      #
+      def create(settings, request_id = nil, logout_message = nil, params = {})
+        params = create_params(settings, request_id, logout_message, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_response = CGI.escape(params.delete("SAMLResponse"))
+        response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
+        params.each_pair do |key, value|
+          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+        @logout_url = settings.idp_slo_target_url + response_params
+      end
+
+      # Creates the Get parameters for the logout response.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @return [Hash] Parameters
+      #
+      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
+
+        if relay_state.nil?
+          params.delete(:RelayState)
+          params.delete('RelayState')
+        end
+
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        response = ""
+        response_doc.write(response)
+
+        Logging.debug "Created SLO Logout Response: #{response}"
+
+        response = Zlib::Deflate.deflate(response, 9)[2..-5] if settings.compress_response
+        if Base64.respond_to?('strict_encode64')
+          base64_response = Base64.strict_encode64(response)
+        else
+          base64_response = Base64.encode64(response).gsub(/\n/, "")
+        end
+        response_params = {"SAMLResponse" => base64_response}
+
+        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = settings.security[:signature_method]
+          url_string = OneLogin::RubySaml::Utils.build_query(
+            :type => 'SAMLResponse',
+            :data => base64_response,
+            :relay_state => relay_state,
+            :sig_alg => params['SigAlg']
+          )
+          sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
+          signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
+          if Base64.respond_to?('strict_encode64')
+            params['Signature'] = Base64.strict_encode64(signature)
+          else
+            params['Signature'] = Base64.encode64(signature).gsub(/\n/, "")
+          end
+        end
+
+        params.each_pair do |key, value|
+          response_params[key] = value.to_s
+        end
+
+        response_params
+      end
+
+      # Creates the SAMLResponse String.
+      # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
+      # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
+      # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @return [String] The SAMLResponse String.
+      #
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
+        document = create_xml_document(settings, request_id, logout_message)
+        sign_document(document, settings)
+      end
+
+      def create_xml_document(settings, request_id = nil, logout_message = nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response_doc = XMLSecurity::Document.new
+        response_doc.uuid = uuid
+
+        root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = '2.0'
+        root.attributes['InResponseTo'] = request_id unless request_id.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
+
+        if settings.sp_entity_id != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.sp_entity_id
+        end
+
+        # add success message
+        status = root.add_element 'samlp:Status'
+
+        # success status code
+        status_code = status.add_element 'samlp:StatusCode'
+        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+
+        # success status message
+        logout_message ||= 'Successfully Signed Out'
+        status_message = status.add_element 'samlp:StatusMessage'
+        status_message.text = logout_message
+
+        response_doc
+      end
+
+      def sign_document(document, settings)
+        # embed signature
+        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key
+          cert = settings.get_sp_cert
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        document
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/utils.rb

@@ -1,15 +1,184 @@
+if RUBY_VERSION < '1.9'
+  require 'uuid'
+else
+  require 'securerandom'
+end
+
+require "base64"
+require "zlib"
+
 module OneLogin
   module RubySaml
 
     # SAML2 Auxiliary class
     #
     class Utils
+      @@uuid_generator = UUID.new if RUBY_VERSION < '1.9'
+
+      BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
+
       # Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes
       # that there all children other than text nodes can be ignored (e.g. comments). If nil is
       # passed, nil will be returned.
       def self.element_text(element)
         element.texts.map(&:value).join if element
       end
+
+      # Return a properly formatted x509 certificate
+      #
+      # @param cert [String] The original certificate
+      # @return [String] The formatted certificate
+      #
+      def self.format_cert(cert)
+        # don't try to format an encoded certificate or if is empty or nil
+        if cert.respond_to?(:ascii_only?)
+          return cert if cert.nil? || cert.empty? || !cert.ascii_only?
+        else
+          return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+        end
+
+        if cert.scan(/BEGIN CERTIFICATE/).length > 1
+            formatted_cert = []
+          cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
+            formatted_cert << format_cert(c)
+          }
+          formatted_cert.join("\n")
+        else
+          cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
+          cert = cert.gsub(/\r/, "")
+          cert = cert.gsub(/\n/, "")
+          cert = cert.gsub(/\s/, "")
+          cert = cert.scan(/.{1,64}/)
+          cert = cert.join("\n")
+          "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
+        end
+      end
+
+      # Return a properly formatted private key
+      #
+      # @param key [String] The original private key
+      # @return [String] The formatted private key
+      #
+      def self.format_private_key(key)
+        # don't try to format an encoded private key or if is empty
+        return key if key.nil? || key.empty? || key.match(/\x0d/)
+
+        # is this an rsa key?
+        rsa_key = key.match("RSA PRIVATE KEY")
+        key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
+        key = key.gsub(/\n/, "")
+        key = key.gsub(/\r/, "")
+        key = key.gsub(/\s/, "")
+        key = key.scan(/.{1,64}/)
+        key = key.join("\n")
+        key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
+        "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
+      end
+
+      # Build the Query String signature that will be used in the HTTP-Redirect binding
+      # to generate the Signature
+      # @param params [Hash] Parameters to build the Query String
+      # @option params [String] :type 'SAMLRequest' or 'SAMLResponse'
+      # @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse
+      # @option params [String] :relay_state The RelayState parameter
+      # @option params [String] :sig_alg The SigAlg parameter
+      # @return [String] The Query String
+      #
+      def self.build_query(params)
+        type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}
+          url_string = "#{type}=#{CGI.escape(data)}"
+        url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+        url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
+      end
+
+      def self.uuid
+        RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
+      end
+
+      # Build the status error message
+      # @param status_code [String] StatusCode value
+      # @param status_message [Strig] StatusMessage value
+      # @return [String] The status error message
+      def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
+        unless raw_status_code.nil?
+          if raw_status_code.include? "|"
+            status_codes = raw_status_code.split(' | ')
+            values = status_codes.collect do |status_code|
+              status_code.split(':').last
+            end
+            printable_code = values.join(" => ")
+          else
+            printable_code = raw_status_code.split(':').last
+          end
+          error_msg << ', was ' + printable_code
+        end
+
+        unless status_message.nil?
+          error_msg << ' -> ' + status_message
+        end
+
+        error_msg
+      end
+
+      # Base64 decode and try also to inflate a SAML Message
+      # @param saml [String] The deflated and encoded SAML Message
+      # @return [String] The plain SAML Message
+      #
+      def self.decode_raw_saml(saml)
+        return saml unless base64_encoded?(saml)
+
+        decoded = decode(saml)
+        begin
+          inflate(decoded)
+        rescue
+          decoded
+        end
+      end
+
+      # Base 64 decode method
+      # @param string [String] The string message
+      # @return [String] The decoded string
+      #
+      def self.decode(string)
+        Base64.decode64(string)
+      end
+
+      # Base 64 encode method
+      # @param string [String] The string
+      # @return [String] The encoded string
+      #
+      def self.encode(string)
+        if Base64.respond_to?('strict_encode64')
+          Base64.strict_encode64(string)
+        else
+          Base64.encode64(string).gsub(/\n/, "")
+        end
+      end
+
+      # Check if a string is base64 encoded
+      # @param string [String] string to check the encoding of
+      # @return [true, false] whether or not the string is base64 encoded
+      #
+      def self.base64_encoded?(string)
+        !!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)
+      end
+
+      # Inflate method
+      # @param deflated [String] The string
+      # @return [String] The inflated string
+      #
+      def self.inflate(deflated)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
+      end
+
+      # Deflate method
+      # @param inflated [String] The string
+      # @return [String] The deflated string
+      #
+      def self.deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
     end
   end
 end