saml-kit 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0515744b0635a50a555fd60c1f85bce1852d0ce2
-  data.tar.gz: 8326c0666b2734045c89b8d7454677037b3af01f
+  metadata.gz: 0ebef3199d5a8a66f49c3c57a2aafb1a4f54149c
+  data.tar.gz: 9dce4bab8931cd0fc1aa8b147a461bdaf198328f
 SHA512:
-  metadata.gz: 6e1648fdcab73f9b17a64632d884ab12ceb7ef92e1df7d6dc0e71371fbc74fd693ae6280373efe83ba80916cfe04dc0fb4357bd4b591c62885aa5c29c1cd06a4
-  data.tar.gz: c07432a96634cf785e6a36bef6e690d098863ebc24c311872c021ffc72fa070ff55b69d3b143527e41fdf26bae3696a286d7dff90ef101f48dff6c89db3ac149
+  metadata.gz: a6f4922d39dd247dd91caa3262ed5cb0119c2f2d245c1609a5fa41bee27742a47845fea3dfe6605d7124030f9e7f844c2029e75d2cafbbf57288ded697fa14fa
+  data.tar.gz: 99d7c34ce9fae83d81ce16eec10fd6ef9fd1d70f8d67cfbb412d4be45e59b2f28f2db5818de8c7520756a508c9e973c6598571054bb52cda6b5d57fcf8af2c77

data/exe/saml-kit-decode-http-post

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+require 'saml/kit'
+
+saml = STDIN.read
+
+binding = Saml::Kit::Bindings::HttpPost.new(location: '')
+xml = binding.deserialize('SAMLRequest' => saml).to_xml
+puts Nokogiri::XML(xml).to_xml(indent: 2)

data/lib/saml/kit.rb

@@ -3,6 +3,7 @@ require "saml/kit/version"
 require "active_model"
 require "active_support/core_ext/date/calculations"
 require "active_support/core_ext/hash/conversions"
+require "active_support/core_ext/hash/indifferent_access"
 require "active_support/core_ext/numeric/time"
 require "active_support/duration"
 require "builder"
@@ -21,14 +22,14 @@ require "saml/kit/trustable"
 require "saml/kit/document"
 
 require "saml/kit/authentication_request"
-require "saml/kit/binding"
+require "saml/kit/bindings"
 require "saml/kit/configuration"
+require "saml/kit/crypto"
+require "saml/kit/cryptography"
 require "saml/kit/default_registry"
 require "saml/kit/fingerprint"
 require "saml/kit/logout_response"
 require "saml/kit/logout_request"
-require "saml/kit/http_post_binding"
-require "saml/kit/http_redirect_binding"
 require "saml/kit/metadata"
 require "saml/kit/response"
 require "saml/kit/identity_provider_metadata"
@@ -36,7 +37,6 @@ require "saml/kit/invalid_document"
 require "saml/kit/self_signed_certificate"
 require "saml/kit/service_provider_metadata"
 require "saml/kit/signature"
-require "saml/kit/url_builder"
 require "saml/kit/xml"
 
 I18n.load_path += Dir[File.expand_path("kit/locales/*.yml", File.dirname(__FILE__))]

data/lib/saml/kit/authentication_request.rb

@@ -2,18 +2,13 @@ module Saml
   module Kit
     class AuthenticationRequest < Document
       include Requestable
-      validates_presence_of :acs_url, if: :expected_type?
 
       def initialize(xml)
         super(xml, name: "AuthnRequest")
       end
 
       def acs_url
-        #if signed? && trusted?
-          to_h[name]['AssertionConsumerServiceURL'] || registered_acs_url(binding: :post)
-        #else
-          #registered_acs_url
-        #end
+        to_h[name]['AssertionConsumerServiceURL']
       end
 
       def name_id_format
@@ -26,11 +21,6 @@ module Saml
 
       private
 
-      def registered_acs_url(binding:)
-        return if provider.nil?
-        provider.assertion_consumer_service_for(binding: binding).try(:location)
-      end
-
       class Builder
         attr_accessor :id, :now, :issuer, :acs_url, :name_id_format, :sign, :destination
         attr_accessor :version
@@ -45,10 +35,10 @@ module Saml
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.tag!('samlp:AuthnRequest', request_options) do
               xml.tag!('saml:Issuer', issuer)
-              signature.template(xml)
+              signature.template(id)
               xml.tag!('samlp:NameIDPolicy', Format: name_id_format)
             end
           end

data/lib/saml/kit/bindings.rb

@@ -0,0 +1,45 @@
+require "saml/kit/bindings/binding"
+require "saml/kit/bindings/http_post"
+require "saml/kit/bindings/http_redirect"
+require "saml/kit/bindings/url_builder"
+
+module Saml
+  module Kit
+    module Bindings
+      HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
+      HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      ALL = {
+        http_post: HTTP_POST,
+        http_redirect: HTTP_REDIRECT,
+        http_artifact: HTTP_ARTIFACT,
+      }
+
+      def self.binding_for(binding)
+        ALL[binding]
+      end
+
+      def self.to_symbol(binding)
+        case binding
+        when HTTP_REDIRECT
+          :http_redirect
+        when HTTP_POST
+          :http_post
+        else
+          binding
+        end
+      end
+
+      def self.create_for(binding, location)
+        case binding
+        when HTTP_REDIRECT
+          HttpRedirect.new(location: location)
+        when HTTP_POST
+          HttpPost.new(location: location)
+        else
+          Binding.new(binding: binding, location: location)
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/bindings/binding.rb

@@ -0,0 +1,42 @@
+module Saml
+  module Kit
+    module Bindings
+      class Binding
+        attr_reader :binding, :location
+
+        def initialize(binding:, location:)
+          @binding = binding
+          @location = location
+        end
+
+        def binding?(other)
+          binding == other
+        end
+
+        def serialize(builder, relay_state: nil)
+          []
+        end
+
+        def deserialize(params)
+          raise ArgumentError.new("Unsupported binding")
+        end
+
+        def to_h
+          { binding: binding, location: location }
+        end
+
+        protected
+
+        def saml_param_from(params)
+          if params['SAMLRequest'].present?
+            params['SAMLRequest']
+          elsif params['SAMLResponse'].present?
+            params['SAMLResponse']
+          else
+            raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/bindings/http_post.rb

@@ -0,0 +1,29 @@
+module Saml
+  module Kit
+    module Bindings
+      class HttpPost < Binding
+        include Serializable
+
+        def initialize(location:)
+          super(binding: Saml::Kit::Bindings::HTTP_POST, location: location)
+        end
+
+        def serialize(builder, relay_state: nil)
+          builder.sign = true
+          builder.destination = location
+          document = builder.build
+          saml_params = {
+            document.query_string_parameter => Base64.strict_encode64(document.to_xml),
+          }
+          saml_params['RelayState'] = relay_state if relay_state.present?
+          [location, saml_params]
+        end
+
+        def deserialize(params)
+          xml = decode(saml_param_from(params))
+          Saml::Kit::Document.to_saml_document(xml)
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/bindings/http_redirect.rb

@@ -0,0 +1,61 @@
+module Saml
+  module Kit
+    module Bindings
+      class HttpRedirect < Binding
+        include Serializable
+
+        def initialize(location:)
+          super(binding: Saml::Kit::Bindings::HTTP_REDIRECT, location: location)
+        end
+
+        def serialize(builder, relay_state: nil)
+          builder.sign = false
+          builder.destination = location
+          document = builder.build
+          [UrlBuilder.new.build(document, relay_state: relay_state), {}]
+        end
+
+        def deserialize(params)
+          document = deserialize_document_from!(params)
+          ensure_valid_signature!(params, document)
+          document.signature_verified!
+          document
+        end
+
+        private
+
+        def deserialize_document_from!(params)
+          xml = inflate(decode(unescape(saml_param_from(params))))
+          Saml::Kit.logger.debug(xml)
+          Saml::Kit::Document.to_saml_document(xml)
+        end
+
+        def ensure_valid_signature!(params, document)
+          return if params['Signature'].blank? || params['SigAlg'].blank?
+
+          signature = decode(params['Signature'])
+          canonical_form = ['SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg'].map do |key|
+            value = params[key]
+            value.present? ? "#{key}=#{value}" : nil
+          end.compact.join('&')
+
+          valid = document.provider.verify(algorithm_for(params['SigAlg']), signature, canonical_form)
+          raise ArgumentError.new("Invalid Signature") unless valid
+        end
+
+        def algorithm_for(algorithm)
+          case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+          when 256
+            OpenSSL::Digest::SHA256.new
+          when 384
+            OpenSSL::Digest::SHA384.new
+          when 512
+            OpenSSL::Digest::SHA512.new
+          else
+            OpenSSL::Digest::SHA1.new
+          end
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/bindings/url_builder.rb

@@ -0,0 +1,40 @@
+module Saml
+  module Kit
+    module Bindings
+      class UrlBuilder
+        include Serializable
+
+        def initialize(private_key: Saml::Kit.configuration.signing_private_key)
+          @private_key = private_key
+        end
+
+        def build(saml_document, relay_state: nil)
+          payload = canonicalize(saml_document, relay_state)
+          "#{saml_document.destination}?#{payload}&Signature=#{signature_for(payload)}"
+        end
+
+        private
+
+        attr_reader :private_key
+
+        def signature_for(payload)
+          encode(private_key.sign(OpenSSL::Digest::SHA256.new, payload))
+        end
+
+        def canonicalize(saml_document, relay_state)
+          {
+            saml_document.query_string_parameter => serialize(saml_document.to_xml),
+            'RelayState' => relay_state,
+            'SigAlg' => Saml::Kit::Namespaces::SHA256,
+          }.map do |(key, value)|
+            value.present? ? "#{key}=#{escape(value)}" : nil
+          end.compact.join('&')
+        end
+
+        def serialize(value)
+          encode(deflate(value))
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/configuration.rb

@@ -7,6 +7,7 @@ module Saml
       attr_accessor :issuer
       attr_accessor :signature_method, :digest_method
       attr_accessor :signing_certificate_pem, :signing_private_key_pem, :signing_private_key_password
+      attr_accessor :encryption_certificate_pem, :encryption_private_key_pem, :encryption_private_key_password
       attr_accessor :registry, :session_timeout
       attr_accessor :logger
 
@@ -14,23 +15,43 @@ module Saml
         @signature_method = :SHA256
         @digest_method = :SHA256
         @signing_private_key_password = SecureRandom.uuid
+        @encryption_private_key_password = SecureRandom.uuid
         @signing_certificate_pem, @signing_private_key_pem = SelfSignedCertificate.new(@signing_private_key_password).create
+        @encryption_certificate_pem, @encryption_private_key_pem = SelfSignedCertificate.new(@encryption_private_key_password).create
         @registry = DefaultRegistry.new
         @session_timeout = 3.hours
         @logger = Logger.new(STDOUT)
       end
 
       def stripped_signing_certificate
-        signing_certificate_pem.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+        normalize(signing_certificate_pem)
+      end
+
+      def stripped_encryption_certificate
+        normalize(encryption_certificate_pem)
       end
 
       def signing_x509
         OpenSSL::X509::Certificate.new(signing_certificate_pem)
       end
 
+      def encryption_x509
+        OpenSSL::X509::Certificate.new(encryption_certificate_pem)
+      end
+
       def signing_private_key
         OpenSSL::PKey::RSA.new(signing_private_key_pem, signing_private_key_password)
       end
+
+      def encryption_private_key
+        OpenSSL::PKey::RSA.new(encryption_private_key_pem, encryption_private_key_password)
+      end
+
+      private
+
+      def normalize(certificate)
+        certificate.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+      end
     end
   end
 end

data/lib/saml/kit/crypto.rb

@@ -0,0 +1,16 @@
+require 'saml/kit/crypto/oaep_cipher'
+require 'saml/kit/crypto/rsa_cipher'
+require 'saml/kit/crypto/simple_cipher'
+require 'saml/kit/crypto/unknown_cipher'
+
+module Saml
+  module Kit
+    module Crypto
+      DECRYPTORS = [ SimpleCipher, RsaCipher, OaepCipher, UnknownCipher ]
+
+      def self.decryptor_for(algorithm, key)
+        DECRYPTORS.find { |x| x.matches?(algorithm) }.new(algorithm, key)
+      end
+    end
+  end
+end

data/lib/saml/kit/crypto/oaep_cipher.rb

@@ -0,0 +1,22 @@
+module Saml
+  module Kit
+    module Crypto
+      class OaepCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => true,
+        }
+        def initialize(algorithm, key)
+          @key = key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          @key.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/crypto/rsa_cipher.rb

@@ -0,0 +1,23 @@
+module Saml
+  module Kit
+    module Crypto
+      class RsaCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => true,
+        }
+
+        def initialize(algorithm, key)
+          @key = key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          @key.private_decrypt(cipher_text)
+        end
+      end
+    end
+  end
+end