ruby-saml 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 472b9871eb65dc7e7290cd0eeefbe32299062339
-  data.tar.gz: 6275d19b96066aa9f17502b4e521b2c3d30626a3
+  metadata.gz: 87259e0d311dfd9ad0d9e4a9aa440e10b637f977
+  data.tar.gz: 82d80b9439b54b29d2da85b7454b4225070991d5
 SHA512:
-  metadata.gz: b2f4796bb5f8ee71f40fdf18f28552038c0c9b6ac85f626452a2614a898f60775fdf482eab044f8643c178da126ea3d640eb3b72427c86e59b935418649ae5b8
-  data.tar.gz: 96050fa0bfb1451640fe4e1fa799b60fffee4f33622832e9f2a3c0bee20b085c8f99d087b1541d60277de4c4a88c01890206dca8b16c29f4d2dbbe5106b4666f
+  metadata.gz: 500dfa98a3746237a3e5c4425e57f7231fd6a9b15efaac4aeaf0ab694d0f3dbf9b8535a4f3c858ecbe87c55e4318f777ce1ce94b31efb8af8238d8097c534b58
+  data.tar.gz: 5007fc0c661da41c87ee5132bf96d4e483cfd925fb88afe795c8fde5252fab818daa35ae6a76edc2d096a7a114132c39c6aae3300f335714c0441c0dab81ce27

data/.travis.yml

@@ -4,4 +4,14 @@ rvm:
   - 1.9.3
   - 2.0.0
   - 2.1.5
+  - 2.2.0
   - ree
+gemfile:
+  - Gemfile
+  - gemfiles/nokogiri-1.5.gemfile
+matrix:
+  exclude:
+    - rvm: 1.8.7
+      gemfile: Gemfile
+    - rvm: ree
+      gemfile: Gemfile

data/Gemfile

@@ -1,6 +1,6 @@
 #
 # Please keep this file alphabetized and organized
 #
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -18,7 +18,7 @@ We created a demo project for Rails4 that uses the latest version of this librar
 * 1.8.7
 * 1.9.x
 * 2.1.x
-* 2.2 (not yet officially supported)
+* 2.2.0
 
 ## Adding Features, Pull Requests
 * Fork the repository
@@ -41,7 +41,7 @@ gem 'ruby-saml', '~> 0.9.1'
 gem 'ruby-saml', :github => 'onelogin/ruby-saml'
 ```
 
-Using Bundler
+Using RubyGems
 
 ```sh
 gem install ruby-saml
@@ -58,6 +58,22 @@ or just the required components individually:
 require 'onelogin/ruby-saml/authrequest'
 ```
 
+### Installation on Ruby 1.8.7
+
+This gem has a dependency on Nokogiri, which dropped support for Ruby 1.8.x in Nokogiri 1.6. When installing this gem on Ruby 1.8.7, you will need to make sure a version of Nokogiri prior to 1.6 is installed or specified if it hasn't been already.
+
+Using `Gemfile`
+
+```ruby
+gem 'nokogiri', '~> 1.5.10'
+```
+
+Using RubyGems
+
+```sh
+gem install nokogiri --version '~> 1.5.10'
+````
+
 ## The Initialization Phase
 
 This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
@@ -100,6 +116,7 @@ def saml_settings
   settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/#{OneLoginAppId}"
   settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/#{OneLoginAppId}"
   settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+  settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
   settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 
   # Optional for most SAML IdPs
@@ -192,7 +209,7 @@ The following attributes are set:
   * idp_slo_target_url
   * id_cert_fingerpint
 
-If are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
+If you are using saml:AttributeStatement to transfer metadata, like the user name, you can access all the attributes through response.attributes. It contains all the saml:AttributeStatement with its 'Name' as a indifferent key the one/more saml:AttributeValue as value. The value returned depends on the value of the
 `single_value_compatibility` (when activate, only one value returned, the first one)
 
 ```ruby
@@ -320,16 +337,23 @@ In order to be able to sign we need first to define the private key and the publ
 The settings related to sign are stored in the `security` attribute of the settings:
 
 ```ruby
-  settings.security[:authn_requests_signed]  = true     # Enable or not signature on AuthNRequest
-  settings.security[:logout_requests_signed] = true     # Enable or not signature on Logout Request
+  settings.security[:authn_requests_signed]   = true     # Enable or not signature on AuthNRequest
+  settings.security[:logout_requests_signed]  = true     # Enable or not signature on Logout Request
   settings.security[:logout_responses_signed] = true     # Enable or not signature on Logout Response
+  settings.security[:metadata_signed]         = true     # Enable or not signature on Metadata
 
   settings.security[:digest_method]    = XMLSecurity::Document::SHA1
-  settings.security[:signature_method] = XMLSecurity::Document::SHA1
+  settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
 
-  settings.security[:embed_sign]        = false                # Embeded signature or HTTP GET parameter Signature
+  # Embeded signature or HTTP GET parameter signature
+  # Note that metadata signature is always embedded regardless of this value.
+  settings.security[:embed_sign] = false
 ```
 
+Notice that the RelayState parameter is used when creating the Signature on the HTTP-Redirect Binding,
+remember to provide it to the Signature builder if you are sending a GET RelayState parameter or
+Signature validation process will fail at the Identity Provider.
+
 
 ## Single Log Out
 

data/changelog.md

@@ -1,4 +1,22 @@
 # RubySaml Changelog
+### 0.9.2 (Apr 28, 2015)
+* [#216](https://github.com/onelogin/ruby-saml/pull/216) Add fingerprint algorithm support
+* [#218](https://github.com/onelogin/ruby-saml/pull/218) Update README.md
+* [#214](https://github.com/onelogin/ruby-saml/pull/214) Cleanup `SamlMessage` class
+* [#213](https://github.com/onelogin/ruby-saml/pull/213) Add ability to sign metadata. (Improved)
+* [#212](https://github.com/onelogin/ruby-saml/pull/212) Rename library entry point
+* [#210](https://github.com/onelogin/ruby-saml/pull/210) Call assert in tests
+* [#208](https://github.com/onelogin/ruby-saml/pull/208) Update tests and CI for Ruby 2.2.0
+* [#205](https://github.com/onelogin/ruby-saml/pull/205) Allow requirement of single files
+* [#204](https://github.com/onelogin/ruby-saml/pull/204) Require ‘net/http’ library
+* [#201](https://github.com/onelogin/ruby-saml/pull/201) Freeze and duplicate default security settings hash so that it doesn't get modified.
+* [#200](https://github.com/onelogin/ruby-saml/pull/200) Set default SSL certificate store in Ruby 1.8.
+* [#199](https://github.com/onelogin/ruby-saml/pull/199) Change Nokogiri's runtime dependency to fix support for Ruby 1.8.7.
+* [#179](https://github.com/onelogin/ruby-saml/pull/179) Add support for setting the entity ID and name ID format when parsing metadata
+* [#175](https://github.com/onelogin/ruby-saml/pull/175) Introduce thread safety to SAML schema validation
+* [#171](https://github.com/onelogin/ruby-saml/pull/171) Fix inconsistent results with using regex matches in decode_raw_saml
+* 
+
 ### 0.9.1 (Feb 10, 2015)
 * [#194](https://github.com/onelogin/ruby-saml/pull/194) Relax nokogiri gem requirements
 * [#191](https://github.com/onelogin/ruby-saml/pull/191) Use Minitest instead of Test::Unit

data/gemfiles/nokogiri-1.5.gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem "nokogiri", "~> 1.5.10"
+
+gemspec :path => "../"

data/lib/onelogin/ruby-saml.rb

@@ -0,0 +1,16 @@
+require 'onelogin/ruby-saml/logging'
+require 'onelogin/ruby-saml/saml_message'
+require 'onelogin/ruby-saml/authrequest'
+require 'onelogin/ruby-saml/logoutrequest'
+require 'onelogin/ruby-saml/logoutresponse'
+require 'onelogin/ruby-saml/attributes'
+require 'onelogin/ruby-saml/slo_logoutrequest'
+require 'onelogin/ruby-saml/slo_logoutresponse'
+require 'onelogin/ruby-saml/response'
+require 'onelogin/ruby-saml/settings'
+require 'onelogin/ruby-saml/attribute_service'
+require 'onelogin/ruby-saml/validation_error'
+require 'onelogin/ruby-saml/metadata'
+require 'onelogin/ruby-saml/idp_metadata_parser'
+require 'onelogin/ruby-saml/utils'
+require 'onelogin/ruby-saml/version'

data/lib/onelogin/ruby-saml/authrequest.rb

@@ -1,6 +1,8 @@
 require "uuid"
+require "rexml/document"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
 
 module OneLogin
   module RubySaml
@@ -25,7 +27,10 @@ module OneLogin
       end
 
       def create_params(settings, params={})
-        params = {} if params.nil?
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
 
         request_doc = create_authentication_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -40,10 +45,10 @@ module OneLogin
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = XMLSecurity::Document::SHA1
+          params['SigAlg']    = settings.security[:signature_method]
           url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
-          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
-          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
           private_key         = settings.get_sp_key()
           signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
           params['Signature'] = encode(signature)
@@ -111,7 +116,7 @@ module OneLogin
           end
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign] 
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

data/lib/onelogin/ruby-saml/idp_metadata_parser.rb

@@ -2,6 +2,8 @@ require "base64"
 require "uuid"
 require "zlib"
 require "cgi"
+require "net/http"
+require "net/https"
 require "rexml/document"
 require "rexml/xpath"
 
@@ -25,7 +27,8 @@ module OneLogin
         @document = REXML::Document.new(idp_metadata)
 
         OneLogin::RubySaml::Settings.new.tap do |settings|
-
+          settings.idp_entity_id = idp_entity_id
+          settings.name_identifier_format = idp_name_id_format
           settings.idp_sso_target_url = single_signon_service_url
           settings.idp_slo_target_url = single_logout_service_url
           settings.idp_cert_fingerprint = fingerprint
@@ -47,6 +50,12 @@ module OneLogin
           # Most IdPs will probably use self signed certs
           if validate_cert
             http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+            # Net::HTTP in Ruby 1.8 did not set the default certificate store
+            # automatically when VERIFY_PEER was specified.
+            if RUBY_VERSION < '1.9' && !http.ca_file && !http.ca_path && !http.cert_store
+              http.cert_store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+            end
           else
             http.verify_mode = OpenSSL::SSL::VERIFY_NONE
           end
@@ -57,6 +66,16 @@ module OneLogin
         meta_text
       end
 
+      def idp_entity_id
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/@entityID", { "md" => METADATA })
+        node.value if node
+      end
+
+      def idp_name_id_format
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:NameIDFormat", { "md" => METADATA })
+        node.text if node
+      end
+
       def single_signon_service_url
         node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
         node.value if node

data/lib/onelogin/ruby-saml/logoutrequest.rb

@@ -1,6 +1,7 @@
 require "uuid"
 
 require "onelogin/ruby-saml/logging"
+require "onelogin/ruby-saml/saml_message"
 
 module OneLogin
   module RubySaml
@@ -24,7 +25,10 @@ module OneLogin
       end
 
       def create_params(settings, params={})
-        params = {} if params.nil?
+        # The method expects :RelayState but sometimes we get 'RelayState' instead.
+        # Based on the HashWithIndifferentAccess value in Rails we could experience
+        # conflicts so this line will solve them.
+        relay_state = params[:RelayState] || params['RelayState']
 
         request_doc = create_logout_request_xml_doc(settings)
         request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
@@ -39,10 +43,10 @@ module OneLogin
         request_params = {"SAMLRequest" => base64_request}
 
         if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
-          params['SigAlg']    = XMLSecurity::Document::SHA1
+          params['SigAlg']    = settings.security[:signature_method]
           url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
-          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
-          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          url_string         << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+          url_string         << "&SigAlg=#{CGI.escape(params['SigAlg'])}"
           private_key         = settings.get_sp_key()
           signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
           params['Signature'] = encode(signature)
@@ -88,7 +92,7 @@ module OneLogin
           sessionindex.text = settings.sessionindex
         end
 
-        # embebed sign
+        # embed signature
         if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
           private_key = settings.get_sp_key()
           cert = settings.get_sp_cert()

data/lib/onelogin/ruby-saml/logoutresponse.rb

@@ -1,4 +1,6 @@
 require "xml_security"
+require "onelogin/ruby-saml/saml_message"
+
 require "time"
 
 module OneLogin

data/lib/onelogin/ruby-saml/metadata.rb

@@ -1,6 +1,5 @@
-require "rexml/document"
-require "rexml/xpath"
 require "uri"
+require "uuid"
 
 require "onelogin/ruby-saml/logging"
 
@@ -10,10 +9,9 @@ require "onelogin/ruby-saml/logging"
 # will be updated automatically
 module OneLogin
   module RubySaml
-    include REXML
     class Metadata
-      def generate(settings)
-        meta_doc = REXML::Document.new
+      def generate(settings, pretty_print=true)
+        meta_doc = XMLSecurity::Document.new
         root = meta_doc.add_element "md:EntityDescriptor", {
             "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
         }
@@ -23,6 +21,7 @@ module OneLogin
             # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
             "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
         }
+        root.attributes["ID"] = "_" + UUID.new.generate
         if settings.issuer
           root.attributes["entityID"] = settings.issuer
         end
@@ -85,9 +84,20 @@ module OneLogin
         #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 
         meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+
+        # embed signature
+        if settings.security[:metadata_signed] && settings.private_key && settings.certificate
+          private_key = settings.get_sp_key()
+          meta_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
         ret = ""
         # pretty print the XML so IdP administrators can easily see what the SP supports
-        meta_doc.write(ret, 1)
+        if pretty_print
+          meta_doc.write(ret, 1)
+        else 
+          ret = meta_doc.to_s
+        end
 
         return ret
       end

data/lib/onelogin/ruby-saml/response.rb

@@ -1,4 +1,6 @@
 require "xml_security"
+require "onelogin/ruby-saml/attributes"
+
 require "time"
 require "nokogiri"
 
@@ -138,7 +140,7 @@ module OneLogin
         validate_response_state(soft) &&
         validate_conditions(soft)     &&
         validate_issuer(soft)         &&
-        document.validate_document(get_fingerprint, soft) &&
+        document.validate_document(get_fingerprint, soft, :fingerprint_alg => settings.idp_cert_fingerprint_algorithm) &&
         validate_success_status(soft)
       end
 
@@ -151,19 +153,18 @@ module OneLogin
       end
 
       def validate_structure(soft = true)
-        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
-          @schema = Nokogiri::XML::Schema(IO.read('saml-schema-protocol-2.0.xsd'))
-          @xml = Nokogiri::XML(self.document.to_s)
-        end
-        if soft
-          @schema.validate(@xml).map{
-            @errors << "Schema validation failed";
-            return false
-          }
-        else
-          @schema.validate(@xml).map{ |error| @errors << "#{error.message}\n\n#{@xml.to_s}";
-            validation_error("#{error.message}\n\n#{@xml.to_s}")
-          }
+        xml = Nokogiri::XML(self.document.to_s)
+
+        SamlMessage.schema.validate(xml).map do |error|
+          if soft
+            @errors << "Schema validation failed"
+            break false
+          else
+            error_message = [error.message, xml.to_s].join("\n\n")
+
+            @errors << error_message
+            validation_error(error_message)
+          end
         end
       end
 
@@ -202,7 +203,8 @@ module OneLogin
       def get_fingerprint
         if settings.idp_cert
           cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(settings.idp_cert_fingerprint_algorithm).new
+          fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
         else
           settings.idp_cert_fingerprint
         end

data/lib/onelogin/ruby-saml/saml_message.rb

@@ -1,8 +1,10 @@
 require 'cgi'
 require 'zlib'
 require 'base64'
-require "rexml/document"
-require "rexml/xpath"
+require 'nokogiri'
+require 'rexml/document'
+require 'rexml/xpath'
+require 'thread'
 
 module OneLogin
   module RubySaml
@@ -12,15 +14,22 @@ module OneLogin
       ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
       PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
 
-      def valid_saml?(document, soft = true)
-        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
-          @schema = Nokogiri::XML::Schema(IO.read('saml-schema-protocol-2.0.xsd'))
-          @xml = Nokogiri::XML(document.to_s)
+      BASE64_FORMAT = %r(\A[A-Za-z0-9+/]{4}*[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=?\Z)
+
+      def self.schema
+        @schema ||= Mutex.new.synchronize do
+          Dir.chdir(File.expand_path("../../../schemas", __FILE__)) do
+            ::Nokogiri::XML::Schema(File.read("saml-schema-protocol-2.0.xsd"))
+          end
         end
-        if soft
-          @schema.validate(@xml).map{ return false }
-        else
-          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+      end
+
+      def valid_saml?(document, soft = true)
+        xml = Nokogiri::XML(document.to_s)
+
+        SamlMessage.schema.validate(xml).map do |error|
+          break false if soft
+          validation_error("#{error.message}\n\n#{xml.to_s}")
         end
       end
 
@@ -30,22 +39,29 @@ module OneLogin
 
       private
 
+      ##
+      # Take a SAML object provided by +saml+, determine its status and return
+      # a decoded XML as a String.
+      #
+      # Since SAML decided to use the RFC1951 and therefor has no zlib markers,
+      # the only reliable method of deciding whether we have a zlib stream or not
+      # is to try and inflate it and fall back to the base64 decoded string if
+      # the stream contains errors.
       def decode_raw_saml(saml)
-        if saml =~ /^</
-          return saml
-        elsif (decoded  = decode(saml)) =~ /^</
-          return decoded
-        elsif (inflated = inflate(decoded)) =~ /^</
-          return inflated
-        end
+        return saml unless base64_encoded?(saml)
 
-        return nil
+        decoded = decode(saml)
+        begin
+          inflate(decoded)
+        rescue
+          decoded
+        end
       end
 
       def encode_raw_saml(saml, settings)
-        saml           = Zlib::Deflate.deflate(saml, 9)[2..-5] if settings.compress_request
-        base64_saml    = Base64.encode64(saml)
-        return CGI.escape(base64_saml)
+        saml = deflate(saml) if settings.compress_request
+
+        CGI.escape(Base64.encode64(saml))
       end
 
       def decode(encoded)
@@ -56,23 +72,21 @@ module OneLogin
         Base64.encode64(encoded).gsub(/\n/, "")
       end
 
-      def escape(unescaped)
-        CGI.escape(unescaped)
-      end
-
-      def unescape(escaped)
-        CGI.unescape(escaped)
+      # Check if a string is base64 encoded
+      #
+      # @param string [String] string to check the encoding of
+      # @return [true, false] whether or not the string is base64 encoded
+      def base64_encoded?(string)
+        !!string.gsub(/[\r\n]|\\r|\\n/, "").match(BASE64_FORMAT)
       end
 
       def inflate(deflated)
-        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        zlib.inflate(deflated)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated)
       end
 
       def deflate(inflated)
         Zlib::Deflate.deflate(inflated, 9)[2..-5]
       end
-
     end
   end
 end