ruby-saml 0.4.7 → 0.5.0

data/README.rdoc

@@ -36,7 +36,9 @@ In the above there are a few assumptions in place, one being that the response.n
       settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
       settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
       settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
+      # Optional for most SAML IdPs
+      settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      
       settings
     end
 
@@ -70,7 +72,9 @@ What's left at this point, is to wrap it all up in a controller and point the in
       settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
       settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
       settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-
+      # Optional for most SAML IdPs
+      settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      
       settings
     end
   end
@@ -83,6 +87,25 @@ contains all the saml:AttributeStatement with its 'Name' as a indifferent key an
 
   response.attributes[:username]
 
+== Service Provider Metadata
+
+To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
+to the IdP for various good reasons.  (Caching, certificate lookups, relying party permissions, etc)
+
+The class Onelogin::Saml::Metdata takes care of this by reading the Settings and returning XML.  All
+you have to do is add a controller to return the data, then give this URL to the IdP administrator.  
+The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
+to the IdP settings.
+
+  class SamlController < ApplicationController
+    # ... the rest of your controller definitions ...
+    def metadata
+      settings = Account.get_saml_settings
+      meta = Onelogin::Saml::Metadata.new
+      render :xml => meta.create(settings)
+    end
+  end
+
 
 = Full Example
 

data/Rakefile

@@ -1,27 +1,6 @@
 require 'rubygems'
 require 'rake'
 
-begin
-  require 'jeweler'
-  Jeweler::Tasks.new do |gem|
-    gem.name = "ruby-saml"
-    gem.summary = %Q{SAML Ruby Tookit}
-    gem.description = %Q{SAML toolkit for Ruby on Rails}
-    gem.email = "support@onelogin.com"
-    gem.homepage = "http://github.com/onelogin/ruby-saml"
-    gem.authors = ["OneLogin LLC"]
-    gem.add_dependency("canonix","~> 0.1")
-    gem.add_dependency("uuid","~> 2.3")
-    gem.add_development_dependency "shoulda"
-    gem.add_development_dependency "ruby-debug"
-    gem.add_development_dependency "mocha"
-    #gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
-  end
-  Jeweler::GemcutterTasks.new
-rescue LoadError
-  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
-end
-
 #not being used yet.
 require 'rake/testtask'
 Rake::TestTask.new(:test) do |test|
@@ -43,7 +22,7 @@ rescue LoadError
   end
 end
 
-task :test => :check_dependencies
+task :test
 
 task :default => :test
 

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -0,0 +1,74 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module Onelogin
+  module Saml
+  include REXML
+    class Authrequest
+      def create(settings, params = {})
+        uuid = "_" + UUID.new.generate
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        # Create AuthnRequest root element using REXML 
+        request_doc = REXML::Document.new
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+
+        # Conditionally defined elements based on settings
+        if settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+        end
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", { 
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => settings.name_identifier_format
+          }
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined, 
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", { 
+            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", { 
+            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = settings.authn_context
+        end
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created AuthnRequest: #{request}"
+
+        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+        base64_request    = Base64.encode64(deflated_request)
+        encoded_request   = CGI.escape(base64_request)
+        params_prefix     = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+
+        params.each_pair do |key, value|
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+        end
+
+        settings.idp_sso_target_url + request_params
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml/logging.rb

@@ -0,0 +1,22 @@
+# Simplistic log class when we're running in Rails
+module Onelogin
+  module Saml
+    class Logging
+      def self.debug(message)
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/metadata.rb

@@ -0,0 +1,47 @@
+require "rexml/document"
+require "rexml/xpath"
+require "uri"
+
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the 
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Onelogin
+  module Saml
+    include REXML
+    class Metadata
+      def generate(settings)
+        meta_doc = REXML::Document.new
+        root = meta_doc.add_element "md:EntityDescriptor", { 
+            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata" 
+        }
+        sp_sso = root.add_element "md:SPSSODescriptor", { 
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol"
+        }
+        if settings.issuer != nil
+          root.attributes["entityID"] = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          name_id = sp_sso.add_element "md:NameIDFormat"
+          name_id.text = settings.name_identifier_format
+        end
+        if settings.assertion_consumer_service_url != nil
+          sp_sso.add_element "md:AssertionConsumerService", {
+              # Add this as a setting to create different bindings?
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Location" => settings.assertion_consumer_service_url
+          }
+        end
+        meta_doc << REXML::XMLDecl.new
+        ret = ""
+        # pretty print the XML so IdP administrators can easily see what the SP supports
+        meta_doc.write(ret, 1)
+
+        Logging.debug "Generated metadata:\n#{ret}"
+
+        return ret
+
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/response.rb

@@ -0,0 +1,146 @@
+require "xml_security"
+require "time"
+
+module Onelogin
+  module Saml
+
+    class Response
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :options, :response, :document, :settings
+
+      def initialize(response, options = {})
+        raise ArgumentError.new("Response cannot be nil") if response.nil?
+        self.options  = options
+        self.response = response
+        self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+      end
+
+      def is_valid?
+        validate(soft = true)
+      end
+
+      def validate!
+        validate(soft = false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      # A hash of alle the attributes with the response. Assuming there is only one value for each key
+      def attributes
+        @attr_statements ||= begin
+          result = {}
+
+          stmt_element = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AttributeStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          return {} if stmt_element.nil?
+
+          stmt_element.elements.each do |attr_element|
+            name  = attr_element.attributes["Name"]
+            value = attr_element.elements.first.text
+
+            result[name] = value
+          end
+
+          result.keys.each do |key|
+            result[key.intern] = result[key]
+          end
+
+          result
+        end
+      end
+
+      # When this user session should expire at latest
+      def session_expires_at
+        @expires_at ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+          parse_time(node, "SessionNotOnOrAfter")
+        end
+      end
+
+      # Conditions (if any) for the assertion to run
+      def conditions
+        @conditions ||= begin
+          REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      def validate(soft = true)
+        validate_response_state(soft) &&
+        validate_conditions(soft)     &&
+        document.validate(get_fingerprint, soft)
+      end
+
+      def validate_response_state(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def get_fingerprint
+        if settings.idp_cert
+          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        else
+          settings.idp_cert_fingerprint
+        end
+      end
+
+      def validate_conditions(soft = true)
+        return true if conditions.nil?
+        return true if options[:skip_conditions]
+
+        if not_before = parse_time(conditions, "NotBefore")
+          if Time.now.utc < not_before
+            return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+          end
+        end
+
+        if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+          if Time.now.utc >= not_on_or_after
+            return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+          end
+        end
+
+        true
+      end
+
+      def parse_time(node, attribute)
+        if node && node.attributes[attribute]
+          Time.parse(node.attributes[attribute])
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml/settings.rb

@@ -0,0 +1,9 @@
+module Onelogin
+  module Saml
+    class Settings
+      attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
+      attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :idp_cert, :name_identifier_format
+     attr_accessor :authn_context
+    end
+  end
+end

data/lib/onelogin/ruby-saml/version.rb

@@ -0,0 +1,5 @@
+module Onelogin
+  module Saml
+    VERSION = '0.5.0'
+  end
+end

data/lib/ruby-saml.rb

@@ -1,5 +1,7 @@
-module Onelogin
-end
-
-require 'onelogin/saml'
-
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/version'

data/lib/xml_security.rb

@@ -44,7 +44,7 @@ module XMLSecurity
 
     def validate(idp_cert_fingerprint, soft = true)
       # get cert from response
-      base64_cert = self.elements["//ds:X509Certificate"].text
+      base64_cert = REXML::XPath.first(self, "//ds:X509Certificate").text
       cert_text   = Base64.decode64(base64_cert)
       cert        = OpenSSL::X509::Certificate.new(cert_text)
 
@@ -81,11 +81,11 @@ module XMLSecurity
         hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
         canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
         canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
-        canon_hashed_element          = canoner.canonicalize(hashed_element)
+        canon_hashed_element          = canoner.canonicalize(hashed_element).gsub('&','&')
         hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
         digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
 
-        if hash != digest_value
+        unless digests_match?(hash, digest_value)
           return soft ? false : (raise Onelogin::Saml::ValidationError.new("Digest mismatch"))
         end
       end
@@ -111,6 +111,10 @@ module XMLSecurity
 
     private
 
+    def digests_match?(hash, digest_value)
+      hash == digest_value
+    end
+
     def extract_signed_element_id
       reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
       self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?

data/ruby-saml.gemspec

@@ -1,11 +1,9 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
-# -*- encoding: utf-8 -*-
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+require 'onelogin/ruby-saml/version'
 
 Gem::Specification.new do |s|
-  s.name = %q{ruby-saml}
-  s.version = "0.4.7"
+  s.name = 'ruby-saml'
+  s.version = Onelogin::Saml::VERSION
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["OneLogin LLC"]
@@ -16,48 +14,14 @@ Gem::Specification.new do |s|
     "LICENSE",
      "README.rdoc"
   ]
-  s.files = [
-    ".document",
-     ".gitignore",
-     "LICENSE",
-     "README.rdoc",
-     "Rakefile",
-     "VERSION",
-     "lib/onelogin/saml.rb",
-     "lib/onelogin/saml/authrequest.rb",
-     "lib/onelogin/saml/response.rb",
-     "lib/onelogin/saml/settings.rb",
-     "lib/onelogin/saml/validation_error.rb",
-     "lib/ruby-saml.rb",
-     "lib/xml_security.rb",
-     "ruby-saml.gemspec",
-     "test/certificates/certificate1",
-     "test/request_test.rb",
-     "test/response_test.rb",
-     "test/responses/adfs_response.xml.base64",
-     "test/responses/open_saml_response.xml",
-     "test/responses/response1.xml.base64",
-     "test/responses/response2.xml.base64",
-     "test/responses/response3.xml.base64",
-     "test/responses/response4.xml.base64",
-     "test/responses/response5.xml.base64",
-     "test/responses/simple_saml_php.xml",
-     "test/settings_test.rb",
-     "test/test_helper.rb",
-     "test/xml_security_test.rb"
-  ]
+  s.files = `git ls-files`.split("\n")
   s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.rubyforge_project = %q{http://www.rubygems.org/gems/ruby-saml}
   s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{SAML Ruby Tookit}
-  s.test_files = [
-    "test/request_test.rb",
-     "test/response_test.rb",
-     "test/settings_test.rb",
-     "test/test_helper.rb",
-     "test/xml_security_test.rb"
-  ]
+  s.test_files = `git ls-files test/*`.split("\n")
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION