RubyGems - ruby-saml - Versions diffs - 1.9.0 → 1.14.0 - Mend

ruby-saml 1.9.0 → 1.14.0

Potentially problematic release.

This version of ruby-saml might be problematic. Click here for more details.

Files changed (159) hide show

data/lib/onelogin/ruby-saml/settings.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require "xml_security"
 require "onelogin/ruby-saml/attribute_service"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/validation_error"
 # Only supports SAML 2.0
 module OneLogin
@@ -30,27 +31,32 @@ module OneLogin
       # IdP Data
       attr_accessor :idp_entity_id
-      attr_accessor :idp_sso_target_url
-      attr_accessor :idp_slo_target_url
+      attr_writer   :idp_sso_service_url
+      attr_writer   :idp_slo_service_url
+      attr_accessor :idp_slo_response_service_url
       attr_accessor :idp_cert
       attr_accessor :idp_cert_fingerprint
       attr_accessor :idp_cert_fingerprint_algorithm
       attr_accessor :idp_cert_multi
       attr_accessor :idp_attribute_names
       attr_accessor :idp_name_qualifier
+      attr_accessor :valid_until
       # SP Data
-      attr_accessor :issuer
+      attr_writer   :sp_entity_id
       attr_accessor :assertion_consumer_service_url
-      attr_accessor :assertion_consumer_service_binding
+      attr_reader   :assertion_consumer_service_binding
+      attr_writer   :single_logout_service_url
       attr_accessor :sp_name_qualifier
       attr_accessor :name_identifier_format
       attr_accessor :name_identifier_value
+      attr_accessor :name_identifier_value_requested
       attr_accessor :sessionindex
       attr_accessor :compress_request
       attr_accessor :compress_response
       attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :message_max_bytesize
       attr_accessor :passive
-      attr_accessor :protocol_binding
+      attr_reader   :protocol_binding
       attr_accessor :attributes_index
       attr_accessor :force_authn
       attr_accessor :certificate
@@ -63,52 +69,99 @@ module OneLogin
       # Work-flow
       attr_accessor :security
       attr_accessor :soft
-      # Compability
+      # Deprecated
       attr_accessor :assertion_consumer_logout_service_url
-      attr_accessor :assertion_consumer_logout_service_binding
+      attr_reader   :assertion_consumer_logout_service_binding
+      attr_accessor :issuer
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_slo_target_url
-      # @return [String] Single Logout Service URL.
+      # @return [String] IdP Single Sign On Service URL
       #
-      def single_logout_service_url
-        val = nil
-        if @single_logout_service_url.nil?
-          if @assertion_consumer_logout_service_url
-            val = @assertion_consumer_logout_service_url
-          end
-        else
-          val = @single_logout_service_url
-        end
-        val
+      def idp_sso_service_url
+        @idp_sso_service_url || @idp_sso_target_url
+      end
+      # @return [String] IdP Single Logout Service URL
+      #
+      def idp_slo_service_url
+        @idp_slo_service_url || @idp_slo_target_url
+      end
+      # @return [String] IdP Single Sign On Service Binding
+      #
+      def idp_sso_service_binding
+        @idp_sso_service_binding || idp_binding_from_embed_sign
+      end
+      # Setter for IdP Single Sign On Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_sso_service_binding=(value)
+        @idp_sso_service_binding = get_binding(value)
+      end
+      # @return [String] IdP Single Logout Service Binding
+      #
+      def idp_slo_service_binding
+        @idp_slo_service_binding || idp_binding_from_embed_sign
+      end
+      # Setter for IdP Single Logout Service Binding
+      # @param value [String, Symbol].
+      #
+      def idp_slo_service_binding=(value)
+        @idp_slo_service_binding = get_binding(value)
+      end
+      # @return [String] SP Entity ID
+      #
+      def sp_entity_id
+        @sp_entity_id || @issuer
       end
-      # Setter for the Single Logout Service URL.
-      # @param url [String].
+      # Setter for SP Protocol Binding
+      # @param value [String, Symbol].
       #
-      def single_logout_service_url=(url)
-        @single_logout_service_url = url
+      def protocol_binding=(value)
+        @protocol_binding = get_binding(value)
+      end
+      # Setter for SP Assertion Consumer Service Binding
+      # @param value [String, Symbol].
+      #
+      def assertion_consumer_service_binding=(value)
+        @assertion_consumer_service_binding = get_binding(value)
+      end
+      # @return [String] Single Logout Service URL.
+      #
+      def single_logout_service_url
+        @single_logout_service_url || @assertion_consumer_logout_service_url
       end
       # @return [String] Single Logout Service Binding.
       #
       def single_logout_service_binding
-        val = nil
-        if @single_logout_service_binding.nil?
-          if @assertion_consumer_logout_service_binding
-            val = @assertion_consumer_logout_service_binding
-          end
-        else
-          val = @single_logout_service_binding
-        end
-        val
+        @single_logout_service_binding || @assertion_consumer_logout_service_binding
       end
       # Setter for Single Logout Service Binding.
       #
       # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
-      # @param url [String]
+      # @param value [String, Symbol]
+      #
+      def single_logout_service_binding=(value)
+        @single_logout_service_binding = get_binding(value)
+      end
+      # @deprecated Setter for legacy Single Logout Service Binding parameter.
+      #
+      # (Currently we only support "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
+      # @param value [String, Symbol]
       #
-      def single_logout_service_binding=(url)
-        @single_logout_service_binding = url
+      def assertion_consumer_logout_service_binding=(value)
+        @assertion_consumer_logout_service_binding = get_binding(value)
       end
       # Calculates the fingerprint of the IdP x509 certificate.
@@ -165,7 +218,15 @@ module OneLogin
         return nil if certificate.nil? || certificate.empty?
         formatted_cert = OneLogin::RubySaml::Utils.format_cert(certificate)
-        OpenSSL::X509::Certificate.new(formatted_cert)
+        cert = OpenSSL::X509::Certificate.new(formatted_cert)
+        if security[:check_sp_cert_expiration]
+          if OneLogin::RubySaml::Utils.is_cert_expired(cert)
+            raise OneLogin::RubySaml::ValidationError.new("The SP certificate expired.")
+          end
+        end
+        cert
       end
       # @return [OpenSSL::X509::Certificate|nil] Build the New SP certificate from the settings (previously format it)
@@ -188,13 +249,25 @@ module OneLogin
       private
+      def idp_binding_from_embed_sign
+        security[:embed_sign] ? Utils::BINDINGS[:post] : Utils::BINDINGS[:redirect]
+      end
+      def get_binding(value)
+        return unless value
+        Utils::BINDINGS[value.to_sym] || value
+      end
       DEFAULTS = {
-        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze,
-        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze,
+        :assertion_consumer_service_binding        => Utils::BINDINGS[:post],
+        :single_logout_service_binding             => Utils::BINDINGS[:redirect],
         :idp_cert_fingerprint_algorithm            => XMLSecurity::Document::SHA1,
         :compress_request                          => true,
         :compress_response                         => true,
+        :message_max_bytesize                      => 250000,
         :soft                                      => true,
+        :double_quote_xml_attribute_values         => false,
         :security                                  => {
           :authn_requests_signed      => false,
           :logout_requests_signed     => false,
@@ -203,11 +276,14 @@ module OneLogin
           :want_assertions_encrypted  => false,
           :want_name_id               => false,
           :metadata_signed            => false,
-          :embed_sign                 => false,
+          :embed_sign                 => false, # Deprecated
           :digest_method              => XMLSecurity::Document::SHA1,
-          :signature_method           => XMLSecurity::Document::RSA_SHA1
-        }.freeze,
-        :double_quote_xml_attribute_values         => false,
+          :signature_method           => XMLSecurity::Document::RSA_SHA1,
+          :check_idp_cert_expiration  => false,
+          :check_sp_cert_expiration   => false,
+          :strict_audience_validation => false,
+          :lowercase_url_encoding     => false
+        }.freeze
       }.freeze
     end
   end

data/lib/onelogin/ruby-saml/slo_logoutrequest.rb CHANGED Viewed

@@ -43,10 +43,14 @@ module OneLogin
           end
         end
-        @request = decode_raw_saml(request)
+        @request = decode_raw_saml(request, settings)
         @document = REXML::Document.new(@request)
       end
+      def request_id
+        id(document)
+      end
       # Validates the Logout Request with the default values (soft = true)
       # @param collect_errors [Boolean] Stop validation when first error appears or keep validating.
       # @return [Boolean] TRUE if the Logout Request is valid
@@ -126,6 +130,12 @@ module OneLogin
       private
+      # returns the allowed clock drift on timing validation
+      # @return [Float]
+      def allowed_clock_drift
+        options[:allowed_clock_drift].to_f.abs + Float::EPSILON
+      end
       # Hard aux function to validate the Logout Request
       # @param collect_errors [Boolean] Stop validation when first error appears or keep validating. (if soft=true)
       # @return [Boolean] TRUE if the Logout Request is valid
@@ -176,15 +186,17 @@ module OneLogin
         true
       end
-      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift option, the timing validations are relaxed by the allowed_clock_drift value)
+      # Validates the time. (If the logout request was initialized with the :allowed_clock_drift
+      # option, the timing validations are relaxed by the allowed_clock_drift value)
       # If fails, the error is added to the errors array
       # @return [Boolean] True if satisfies the conditions, otherwise False if soft=True
       # @raise [ValidationError] if soft == false and validation fails
       #
       def validate_not_on_or_after
         now = Time.now.utc
-        if not_on_or_after && now >= (not_on_or_after + (options[:allowed_clock_drift] || 0))
-          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after})")
+        if not_on_or_after && now >= (not_on_or_after + allowed_clock_drift)
+          return append_error("Current time is on or after NotOnOrAfter (#{now} >= #{not_on_or_after}#{" + #{allowed_clock_drift.ceil}s" if allowed_clock_drift > 0})")
         end
         true
@@ -236,32 +248,8 @@ module OneLogin
         return true unless options.has_key? :get_params
         return true unless options[:get_params].has_key? 'Signature'
-        # SAML specifies that the signature should be derived from a concatenation
-        # of URI-encoded values _as sent by the IDP_:
-        #
-        # > Further, note that URL-encoding is not canonical; that is, there are multiple legal encodings for a given
-        # > value. The relying party MUST therefore perform the verification step using the original URL-encoded
-        # > values it received on the query string. It is not sufficient to re-encode the parameters after they have been
-        # > processed by software because the resulting encoding may not match the signer's encoding.
-        #
-        # <http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf>
-        #
-        # If we don't have the original parts (for backward compatibility) required to correctly verify the signature,
-        # then fabricate them by re-encoding the parsed URI parameters, and hope that we're lucky enough to use
-        # the exact same URI-encoding as the IDP. (This is not the case if the IDP is ADFS!)
-        options[:raw_get_params] ||= {}
-        if options[:raw_get_params]['SAMLRequest'].nil? && !options[:get_params]['SAMLRequest'].nil?
-          options[:raw_get_params]['SAMLRequest'] = CGI.escape(options[:get_params]['SAMLRequest'])
-        end
-        if options[:raw_get_params]['RelayState'].nil? && !options[:get_params]['RelayState'].nil?
-          options[:raw_get_params]['RelayState'] = CGI.escape(options[:get_params]['RelayState'])
-        end
-        if options[:raw_get_params]['SigAlg'].nil? && !options[:get_params]['SigAlg'].nil?
-          options[:raw_get_params]['SigAlg'] = CGI.escape(options[:get_params]['SigAlg'])
-        end
+        options[:raw_get_params] = OneLogin::RubySaml::Utils.prepare_raw_get_params(options[:raw_get_params], options[:get_params], settings.security[:lowercase_url_encoding])
-        # If we only received the raw version of SigAlg,
-        # then parse it back into the decoded params hash for convenience.
         if options[:get_params]['SigAlg'].nil? && !options[:raw_get_params]['SigAlg'].nil?
           options[:get_params]['SigAlg'] = CGI.unescape(options[:raw_get_params]['SigAlg'])
         end
@@ -280,13 +268,19 @@ module OneLogin
           :raw_sig_alg     => options[:raw_get_params]['SigAlg']
         )
+        expired = false
         if idp_certs.nil? || idp_certs[:signing].empty?
           valid = OneLogin::RubySaml::Utils.verify_signature(
-            :cert         => settings.get_idp_cert,
+            :cert         => idp_cert,
             :sig_alg      => options[:get_params]['SigAlg'],
             :signature    => options[:get_params]['Signature'],
             :query_string => query_string
           )
+          if valid && settings.security[:check_idp_cert_expiration]
+            if OneLogin::RubySaml::Utils.is_cert_expired(idp_cert)
+              expired = true
+            end
+          end
         else
           valid = false
           idp_certs[:signing].each do |signing_idp_cert|
@@ -297,18 +291,26 @@ module OneLogin
               :query_string => query_string
             )
             if valid
+              if settings.security[:check_idp_cert_expiration]
+                if OneLogin::RubySaml::Utils.is_cert_expired(signing_idp_cert)
+                  expired = true
+                end
+              end
               break
             end
           end
         end
+        if expired
+          error_msg = "IdP x509 certificate expired"
+          return append_error(error_msg)
+        end
         unless valid
           return append_error("Invalid Signature on Logout Request")
         end
         true
       end
     end
   end
 end

data/lib/onelogin/ruby-saml/slo_logoutresponse.rb CHANGED Viewed

@@ -2,6 +2,7 @@ require "onelogin/ruby-saml/logging"
 require "onelogin/ruby-saml/saml_message"
 require "onelogin/ruby-saml/utils"
+require "onelogin/ruby-saml/setting_error"
 # Only supports SAML 2.0
 module OneLogin
@@ -12,7 +13,7 @@ module OneLogin
     class SloLogoutresponse < SamlMessage
       # Logout Response ID
-      attr_reader :uuid
+      attr_accessor :uuid
       # Initializes the Logout Response. A SloLogoutresponse Object that is an extension of the SamlMessage class.
       # Asigns an ID, a random uuid.
@@ -21,23 +22,30 @@ module OneLogin
         @uuid = OneLogin::RubySaml::Utils.uuid
       end
+      def response_id
+        @uuid
+      end
       # Creates the Logout Response string.
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] Logout Request string that includes the SAMLRequest
       #
-      def create(settings, request_id = nil, logout_message = nil, params = {})
-        params = create_params(settings, request_id, logout_message, params)
-        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+      def create(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
+        params = create_params(settings, request_id, logout_message, params, logout_status_code)
+        params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
+        url = settings.idp_slo_response_service_url || settings.idp_slo_service_url
         saml_response = CGI.escape(params.delete("SAMLResponse"))
         response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
         params.each_pair do |key, value|
           response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
         end
-        @logout_url = settings.idp_slo_target_url + response_params
+        raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if url.nil? or url.empty?
+        @logout_url = url + response_params
       end
       # Creates the Get parameters for the logout response.
@@ -45,9 +53,10 @@ module OneLogin
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
       # @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [Hash] Parameters
       #
-      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+      def create_params(settings, request_id = nil, logout_message = nil, params = {}, logout_status_code = nil)
         # The method expects :RelayState but sometimes we get 'RelayState' instead.
         # Based on the HashWithIndifferentAccess value in Rails we could experience
         # conflicts so this line will solve them.
@@ -58,7 +67,7 @@ module OneLogin
           params.delete('RelayState')
         end
-        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
         response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
         response = ""
@@ -70,7 +79,7 @@ module OneLogin
         base64_response = encode(response)
         response_params = {"SAMLResponse" => base64_response}
-        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_responses_signed] && settings.private_key
           params['SigAlg']    = settings.security[:signature_method]
           url_string = OneLogin::RubySaml::Utils.build_query(
             :type => 'SAMLResponse',
@@ -94,46 +103,60 @@ module OneLogin
       # @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
       # @param request_id [String] The ID of the LogoutRequest sent by this SP to the IdP. That ID will be placed as the InResponseTo in the logout response
       # @param logout_message [String] The Message to be placed as StatusMessage in the logout response
+      # @param logout_status_code [String] The StatusCode to be placed as StatusMessage in the logout response
       # @return [String] The SAMLResponse String.
       #
-      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil, logout_status_code = nil)
+        document = create_xml_document(settings, request_id, logout_message, logout_status_code)
+        sign_document(document, settings)
+      end
+      def create_xml_document(settings, request_id = nil, logout_message = nil, status_code = nil)
         time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
         response_doc = XMLSecurity::Document.new
         response_doc.uuid = uuid
+        destination = settings.idp_slo_response_service_url || settings.idp_slo_service_url
         root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
         root.attributes['ID'] = uuid
         root.attributes['IssueInstant'] = time
         root.attributes['Version'] = '2.0'
         root.attributes['InResponseTo'] = request_id unless request_id.nil?
-        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
+        root.attributes['Destination'] = destination unless destination.nil? or destination.empty?
-        if settings.issuer != nil
+        if settings.sp_entity_id != nil
           issuer = root.add_element "saml:Issuer"
-          issuer.text = settings.issuer
+          issuer.text = settings.sp_entity_id
         end
-        # add success message
+        # add status
         status = root.add_element 'samlp:Status'
-        # success status code
-        status_code = status.add_element 'samlp:StatusCode'
-        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        # status code
+        status_code ||= 'urn:oasis:names:tc:SAML:2.0:status:Success'
+        status_code_elem = status.add_element 'samlp:StatusCode'
+        status_code_elem.attributes['Value'] = status_code
-        # success status message
+        # status message
         logout_message ||= 'Successfully Signed Out'
         status_message = status.add_element 'samlp:StatusMessage'
         status_message.text = logout_message
+        response_doc
+      end
+      def sign_document(document, settings)
         # embed signature
-        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+        if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.private_key && settings.certificate
           private_key = settings.get_sp_key
           cert = settings.get_sp_cert
-          response_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+          document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
         end
-        response_doc
+        document
       end
     end