ruby-saml 1.11.0 → 1.12.0

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,6 +1,7 @@
 require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -20,6 +21,10 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def request_id
+        @uuid
+      end
+
       # Creates the Logout Request string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
@@ -33,6 +38,7 @@ module OneLogin
         params.each_pair do |key, value|
           request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
         @logout_url = settings.idp_slo_target_url + request_params
       end
 
@@ -103,7 +109,7 @@ module OneLogin
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = "2.0"
-        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil? or settings.idp_slo_target_url.empty?
 
         if settings.sp_entity_id
           issuer = root.add_element "saml:Issuer"

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -47,6 +47,10 @@ module OneLogin
         @document = XMLSecurity::SignedDocument.new(@response)
       end
 
+      def response_id
+        id(document)
+      end
+
       # Checks if the Status has the "Success" code
       # @return [Boolean] True if the StatusCode is Sucess
       # @raise [ValidationError] if soft == false and validation fails

data/lib/onelogin/ruby-saml/metadata.rb

@@ -15,9 +15,11 @@ module OneLogin
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param pretty_print [Boolean] Pretty print or not the response
       #                               (No pretty print if you gonna validate the signature)
+      # @param valid_until [DateTime] Metadata's valid time
+      # @param cache_duration [Integer] Duration of the cache in seconds
       # @return [String] XML Metadata of the Service Provider
       #
-      def generate(settings, pretty_print=false)
+      def generate(settings, pretty_print=false, valid_until=nil, cache_duration=nil)
         meta_doc = XMLSecurity::Document.new
         namespaces = {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
@@ -60,6 +62,12 @@ module OneLogin
         if settings.sp_entity_id
           root.attributes["entityID"] = settings.sp_entity_id
         end
+        if valid_until
+          root.attributes["validUntil"] = valid_until.strftime('%Y-%m-%dT%H:%M:%S%z')
+        end
+        if cache_duration
+          root.attributes["cacheDuration"] = "PT" + cache_duration.to_s + "S"
+        end
         if settings.single_logout_service_url
           sp_sso.add_element "md:SingleLogoutService", {
               "Binding" => settings.single_logout_service_binding,

data/lib/onelogin/ruby-saml/response.rb

@@ -34,7 +34,7 @@ module OneLogin
       # This is not a whitelist to allow people extending OneLogin::RubySaml:Response
       # and pass custom options
       AVAILABLE_OPTIONS = [
-        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_authnstatement, :skip_conditions,
+        :allowed_clock_drift, :check_duplicated_attributes, :matches_request_id, :settings, :skip_audience, :skip_authnstatement, :skip_conditions,
         :skip_destination, :skip_recipient_check, :skip_subject_confirmation
       ]
       # TODO: Update the comment on initialize to describe every option
@@ -47,6 +47,8 @@ module OneLogin
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
       #                          or skip the recipient validation of the subject confirmation element with :skip_recipient_check option
+      #                          or skip the audience validation with :skip_audience option
+      #
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?
 
@@ -341,6 +343,28 @@ module OneLogin
         return options[:allowed_clock_drift].to_f
       end
 
+      # Checks if the SAML Response contains or not an EncryptedAssertion element
+      # @return [Boolean] True if the SAML Response contains an EncryptedAssertion element
+      #
+      def assertion_encrypted?
+        ! REXML::XPath.first(
+          document,
+          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
+          { "p" => PROTOCOL, "a" => ASSERTION }
+        ).nil?
+      end
+
+      def response_id
+        id(document)
+      end
+
+      def assertion_id
+        @assertion_id ||= begin
+          node = xpath_first_from_signed_assertion("")
+          node.nil? ? nil : node.attributes['ID']
+        end
+      end
+
       private
 
       # Validates the SAML Response (calls several validation methods)
@@ -435,7 +459,7 @@ module OneLogin
       # @return [Boolean] True if the SAML Response contains an ID, otherwise returns False
       #
       def validate_id
-        unless id(document)
+        unless response_id
           return append_error("Missing ID attribute on SAML Response")
         end
 
@@ -584,11 +608,13 @@ module OneLogin
       end
 
       # Validates the Audience, (If the Audience match the Service Provider EntityID)
+      # If the response was initialized with the :skip_audience option, this validation is skipped,
       # If fails, the error is added to the errors array
       # @return [Boolean] True if there is an Audience Element that match the Service Provider EntityID, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_audience
+        return true if options[:skip_audience]
         return true if audiences.empty? || settings.sp_entity_id.nil? || settings.sp_entity_id.empty?
 
         unless audiences.include? settings.sp_entity_id
@@ -821,7 +847,7 @@ module OneLogin
         end
 
         if sig_elements.size != 1
-          if  sig_elements.size == 0
+          if sig_elements.size == 0
              append_error("Signed element id ##{doc.signed_element_id} is not found")
           else
              append_error("Signed element id ##{doc.signed_element_id} is found more than once")
@@ -829,6 +855,7 @@ module OneLogin
           return append_error(error_msg)
         end
 
+        old_errors = @errors.clone
 
         idp_certs = settings.get_idp_cert_multi
         if idp_certs.nil? || idp_certs[:signing].empty?
@@ -852,21 +879,27 @@ module OneLogin
           valid = false
           expired = false
           idp_certs[:signing].each do |idp_cert|
-            valid = doc.validate_document_with_cert(idp_cert)
+            valid = doc.validate_document_with_cert(idp_cert, true)
             if valid
               if settings.security[:check_idp_cert_expiration]
                 if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
                   expired = true
                 end
               end
+
+              # At least one certificate is valid, restore the old accumulated errors
+              @errors = old_errors
               break
             end
+
           end
           if expired
             error_msg = "IdP x509 certificate expired"
             return append_error(error_msg)
           end
           unless valid
+            # Remove duplicated errors
+            @errors = @errors.uniq
             return append_error(error_msg)
           end
         end
@@ -967,17 +1000,6 @@ module OneLogin
         XMLSecurity::SignedDocument.new(response_node.to_s)
       end
 
-      # Checks if the SAML Response contains or not an EncryptedAssertion element
-      # @return [Boolean] True if the SAML Response contains an EncryptedAssertion element
-      #
-      def assertion_encrypted?
-        ! REXML::XPath.first(
-          document,
-          "(/p:Response/EncryptedAssertion/)|(/p:Response/a:EncryptedAssertion/)",
-          { "p" => PROTOCOL, "a" => ASSERTION }
-        ).nil?
-      end
-
       # Decrypts an EncryptedAssertion element
       # @param encrypted_assertion_node [REXML::Element] The EncryptedAssertion element
       # @return [REXML::Document] The decrypted EncryptedAssertion element

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -22,6 +22,8 @@ module OneLogin
       BASE64_FORMAT = %r(\A([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z)
       @@mutex = Mutex.new
 
+      MAX_BYTE_SIZE = 250000
+
       # @return [Nokogiri::XML::Schema] Gets the schema object of the SAML 2.0 Protocol schema
       #
       def self.schema
@@ -89,6 +91,10 @@ module OneLogin
       def decode_raw_saml(saml)
         return saml unless base64_encoded?(saml)
 
+        if saml.bytesize > MAX_BYTE_SIZE
+          raise ValidationError.new("Encoded SAML Message exceeds " + MAX_BYTE_SIZE.to_s + " bytes, so was rejected")
+        end
+
         decoded = decode(saml)
         begin
           inflate(decoded)

data/lib/onelogin/ruby-saml/setting_error.rb

@@ -0,0 +1,6 @@
+module OneLogin
+  module RubySaml
+    class SettingError < StandardError
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -31,8 +31,10 @@ module OneLogin
 
       # IdP Data
       attr_accessor :idp_entity_id
-      attr_accessor :idp_sso_target_url
-      attr_accessor :idp_slo_target_url
+
+      attr_accessor :idp_sso_service_url
+      attr_accessor :idp_slo_service_url
+      attr_accessor :idp_slo_response_service_url
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert_fingerprint_algorithm
@@ -69,6 +71,36 @@ module OneLogin
       attr_accessor :assertion_consumer_logout_service_url
       attr_accessor :assertion_consumer_logout_service_binding
       attr_accessor :issuer
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_slo_target_url
+
+      # @return [String] IdP Single Sign On Service URL
+      #
+      def idp_sso_service_url
+        val = nil
+        if @idp_sso_service_url.nil?
+          if @idp_sso_target_url
+            val = @idp_sso_target_url
+          end
+        else
+          val = @idp_sso_service_url
+        end
+        val
+      end
+
+      # @return [String] IdP Single Logout Service URL
+      #
+      def idp_slo_service_url
+        val = nil
+        if @idp_slo_service_url.nil?
+          if @idp_slo_target_url
+            val = @idp_slo_target_url
+          end
+        else
+          val = @idp_slo_service_url
+        end
+        val
+      end
 
       # @return [String] SP Entity ID
       #

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb

@@ -47,6 +47,10 @@ module OneLogin
         @document = REXML::Document.new(@request)
       end
 
+      def request_id
+        id(document)
+      end
+
       # Validates the Logout Request with the default values (soft = true)
       # @param collect_errors [Boolean] Stop validation when first error appears or keep validating.
       # @return [Boolean] TRUE if the Logout Request is valid

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb

@@ -2,6 +2,7 @@ require "onelogin/ruby-saml/logging"
 
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 
 # Only supports SAML 2.0
 module OneLogin
@@ -21,23 +22,30 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
 
+      def response_id
+        @uuid
+      end
+
       # Creates the Logout Response string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] Logout Request string that includes the SAMLRequest
       #
-      def create(settings, request_id = nil, logout_message = nil, params = {})
-        params = create_params(settings, request_id, logout_message, params)
+      def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
+        params = create_params(settings, request_id, logout_message, params, logout_status_code)
         params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        url = settings.idp_slo_response_service_url || settings.idp_slo_target_url
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
           response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
 
-        @logout_url = settings.idp_slo_target_url + response_params
+        raise SettingError.new "Invalid settings, idp_slo_target_url is not set!" if url.nil? or url.empty?
+        @logout_url = url + response_params
       end
 
       # Creates the Get parameters for the logout response.
@@ -45,9 +53,10 @@ module OneLogin
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [Hash] Parameters
       #
-      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+      def create_params(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
         # The method expects :RelayState but sometimes we get 'RelayState' instead.
         # Based on the HashWithIndifferentAccess value in Rails we could experience
         # conflicts so this line will solve them.
@@ -58,7 +67,7 @@ module OneLogin
           params.delete('RelayState')
         end
 
-        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
 
         response = ""
@@ -94,39 +103,43 @@ module OneLogin
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] The SAMLResponse String.
       #
-      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
-        document = create_xml_document(settings, request_id, logout_message)
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil, logout_status_code = nil)
+        document = create_xml_document(settings, request_id, logout_message, logout_status_code)
         sign_document(document, settings)
       end
 
-      def create_xml_document(settings, request_id = nil, logout_message = nil)
+      def create_xml_document(settings, request_id = nil, logout_message = nil, status_code = nil)
         time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
 
         response_doc = XMLSecurity::Document.new
         response_doc.uuid = uuid
 
+        destination = settings.idp_slo_response_service_url || settings.idp_slo_target_url
+
         root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = '2.0'
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
-        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
+        root.attributes['Destination'] = destination unless destination.nil? or destination.empty?
 
         if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
           issuer.text = settings.sp_entity_id
         end
 
-        # add success message
+        # add status
         status = root.add_element 'samlp:Status'
 
-        # success status code
-        status_code = status.add_element 'samlp:StatusCode'
-        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        # status code
+        status_code ||= 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        status_code_elem = status.add_element 'samlp:StatusCode'
+        status_code_elem.attributes['Value'] = status_code
 
-        # success status message
+        # status message
         logout_message ||= 'Successfully Signed Out'
         status_message = status.add_element 'samlp:StatusMessage'
         status_message.text = logout_message

data/lib/onelogin/ruby-saml/utils.rb

@@ -15,6 +15,7 @@ module OneLogin
 
       DSIG      = "http://www.w3.org/2000/09/xmldsig#"
       XENC      = "http://www.w3.org/2001/04/xmlenc#"
+      DURATION_FORMAT = %r(^(-?)P(?:(?:(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?)|(?:(\d+)W))$)
 
       # Checks if the x509 cert provided is expired
       #
@@ -28,6 +29,48 @@ module OneLogin
         return cert.not_after < Time.now
       end
 
+      # Interprets a ISO8601 duration value relative to a given timestamp.
+      #
+      # @param duration [String] The duration, as a string.
+      # @param timestamp [Integer] The unix timestamp we should apply the
+      #                            duration to. Optional, default to the
+      #                            current time.
+      #
+      # @return [Integer] The new timestamp, after the duration is applied.
+      # 
+      def self.parse_duration(duration, timestamp=Time.now.utc)
+        matches = duration.match(DURATION_FORMAT)
+      
+        if matches.nil?
+          raise Exception.new("Invalid ISO 8601 duration")
+        end
+
+        durYears = matches[2].to_i
+        durMonths = matches[3].to_i
+        durDays = matches[4].to_i
+        durHours = matches[5].to_i
+        durMinutes = matches[6].to_i
+        durSeconds = matches[7].to_f
+        durWeeks = matches[8].to_i
+
+        if matches[1] == "-"
+          durYears = -durYears
+          durMonths = -durMonths
+          durDays = -durDays
+          durHours = -durHours
+          durMinutes = -durMinutes
+          durSeconds = -durSeconds
+          durWeeks = -durWeeks
+        end
+
+        initial_datetime = Time.at(timestamp).utc.to_datetime
+        final_datetime = initial_datetime.next_year(durYears)
+        final_datetime = final_datetime.next_month(durMonths)
+        final_datetime = final_datetime.next_day((7*durWeeks) + durDays)
+        final_timestamp = final_datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
+        return final_timestamp
+      end
+
       # Return a properly formatted x509 certificate
       #
       # @param cert [String] The original certificate
@@ -253,6 +296,9 @@ module OneLogin
           when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
           when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
           when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
+          when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
           when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
           when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
         end
@@ -263,6 +309,16 @@ module OneLogin
           cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
           assertion_plaintext = cipher.update(data)
           assertion_plaintext << cipher.final
+        elsif auth_cipher
+          iv_len, text_len, tag_len = auth_cipher.iv_len, cipher_text.length, 16
+          data = cipher_text[iv_len..text_len-1-tag_len]
+          auth_cipher.padding = 0
+          auth_cipher.key = symmetric_key
+          auth_cipher.iv = cipher_text[0..iv_len-1]
+          auth_cipher.auth_data = ''
+          auth_cipher.auth_tag = cipher_text[text_len-tag_len..-1]
+          assertion_plaintext = auth_cipher.update(data)
+          assertion_plaintext << auth_cipher.final
         elsif rsa
           rsa.private_decrypt(cipher_text)
         elsif oaep