saml-kit 0.1.0 → 0.2.0

data/lib/saml/kit/crypto/simple_cipher.rb

@@ -0,0 +1,38 @@
+module Saml
+  module Kit
+    module Crypto
+      class SimpleCipher
+        ALGORITHMS = {
+          'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => 'DES-EDE3-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192-CBC',
+          'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256-CBC',
+        }
+
+        def initialize(algorithm, private_key)
+          @algorithm = algorithm
+          @private_key = private_key
+        end
+
+        def self.matches?(algorithm)
+          ALGORITHMS[algorithm]
+        end
+
+        def decrypt(cipher_text)
+          cipher = OpenSSL::Cipher.new(ALGORITHMS[@algorithm])
+          cipher.decrypt
+          iv = cipher_text[0..cipher.iv_len-1]
+          data = cipher_text[cipher.iv_len..-1]
+          #cipher.padding = 0
+          cipher.key = @private_key
+          cipher.iv = iv
+
+          Saml::Kit.logger.debug ['-key', @private_key].inspect
+          Saml::Kit.logger.debug ['-iv', iv].inspect
+
+          cipher.update(data) + cipher.final
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/crypto/unknown_cipher.rb

@@ -0,0 +1,18 @@
+module Saml
+  module Kit
+    module Crypto
+      class UnknownCipher
+        def initialize(algorithm, key)
+        end
+
+        def self.matches?(algorithm)
+          true
+        end
+
+        def decrypt(cipher_text)
+          cipher_text
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/cryptography.rb

@@ -0,0 +1,30 @@
+module Saml
+  module Kit
+    class Cryptography
+      attr_reader :private_key
+
+      def initialize(private_key = Saml::Kit.configuration.encryption_private_key)
+        @private_key = private_key
+      end
+
+      def decrypt(data)
+        encrypt_data = data['EncryptedData']
+        symmetric_key = symmetric_key_from(encrypt_data)
+        cipher_text = Base64.decode64(encrypt_data["CipherData"]["CipherValue"])
+        to_plaintext(cipher_text, symmetric_key, encrypt_data["EncryptionMethod"]['Algorithm'])
+      end
+
+      private
+
+      def symmetric_key_from(encrypted_data)
+        encrypted_key = encrypted_data['KeyInfo']['EncryptedKey']
+        cipher_text = Base64.decode64(encrypted_key['CipherData']['CipherValue'])
+        to_plaintext(cipher_text, private_key, encrypted_key["EncryptionMethod"]['Algorithm'])
+      end
+
+      def to_plaintext(cipher_text, symmetric_key, algorithm)
+        return Crypto.decryptor_for(algorithm, symmetric_key).decrypt(cipher_text)
+      end
+    end
+  end
+end

data/lib/saml/kit/default_registry.rb

@@ -6,6 +6,7 @@ module Saml
       end
 
       def register(metadata)
+        Saml::Kit.logger.debug(metadata.to_xml(pretty: true))
         @items[metadata.entity_id] = metadata
       end
 

data/lib/saml/kit/document.rb

@@ -48,8 +48,12 @@ module Saml
         @xml_hash
       end
 
-      def to_xml
-        content
+      def to_xml(pretty: false)
+        pretty ? Nokogiri::XML(content).to_xml(indent: 2) : content
+      end
+
+      def to_xhtml
+        Nokogiri::XML(content, &:noblanks).to_xhtml
       end
 
       def to_s

data/lib/saml/kit/identity_provider_metadata.rb

@@ -7,7 +7,7 @@ module Saml
 
       def want_authn_requests_signed
         xpath = "/md:EntityDescriptor/md:#{name}"
-        attribute = find_by(xpath).attribute("WantAuthnRequestsSigned")
+        attribute = document.find_by(xpath).attribute("WantAuthnRequestsSigned")
         return true if attribute.nil?
         attribute.text.downcase == "true"
       end
@@ -21,7 +21,7 @@ module Saml
       end
 
       def attributes
-        find_all("/md:EntityDescriptor/md:#{name}/saml:Attribute").map do |item|
+        document.find_all("/md:EntityDescriptor/md:#{name}/saml:Attribute").map do |item|
           {
             format: item.attribute("NameFormat").try(:value),
             name: item.attribute("Name").value,
@@ -48,19 +48,19 @@ module Saml
           @want_authn_requests_signed = true
         end
 
-        def add_single_sign_on_service(url, binding: :post)
-          @single_sign_on_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        def add_single_sign_on_service(url, binding: :http_post)
+          @single_sign_on_urls.push(location: url, binding: Bindings.binding_for(binding))
         end
 
-        def add_single_logout_service(url, binding: :post)
-          @logout_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        def add_single_logout_service(url, binding: :http_post)
+          @logout_urls.push(location: url, binding: Bindings.binding_for(binding))
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.instruct!
             xml.EntityDescriptor entity_descriptor_options do
-              signature.template(xml)
+              signature.template(id)
               xml.IDPSSODescriptor idp_sso_descriptor_options do
                 xml.KeyDescriptor use: "signing" do
                   xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
@@ -112,8 +112,8 @@ module Saml
 
         def idp_sso_descriptor_options
           {
+            WantAuthnRequestsSigned: want_authn_requests_signed,
             protocolSupportEnumeration: Namespaces::PROTOCOL,
-            WantAuthnRequestsSigned: want_authn_requests_signed
           }
         end
       end

data/lib/saml/kit/locales/en.yml

@@ -14,12 +14,13 @@ en:
       LogoutResponse:
         unregistered: "is unregistered."
       Response:
-        invalid: "must contain Response."
-        unregistered: "must originate from registered identity provider."
         expired: "must not be expired."
-        invalid_version: "must be 2.0."
+        invalid: "must contain Response."
+        invalid_fingerprint: "does not match."
         invalid_response_to: "must match request id."
+        invalid_version: "must be 2.0."
         must_match_issuer: "must match entityId."
+        unregistered: "must originate from registered identity provider."
       SPSSODescriptor:
         invalid: "must contain SPSSODescriptor."
         invalid_signature: "invalid signature."

data/lib/saml/kit/logout_request.rb

@@ -40,11 +40,11 @@ module Saml
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.instruct!
             xml.LogoutRequest logout_request_options do
               xml.Issuer({ xmlns: Namespaces::ASSERTION }, issuer)
-              signature.template(xml)
+              signature.template(id)
               xml.NameID name_id_options, user.name_id_for(name_id_format)
             end
           end

data/lib/saml/kit/logout_response.rb

@@ -25,15 +25,15 @@ module Saml
           @issuer = configuration.issuer
           provider = configuration.registry.metadata_for(@issuer)
           if provider
-            @destination = provider.single_logout_service_for(binding: :post).try(:location)
+            @destination = provider.single_logout_service_for(binding: :http_post).try(:location)
           end
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.LogoutResponse logout_response_options do
               xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
-              signature.template(xml)
+              signature.template(id)
               xml.Status do
                 xml.StatusCode Value: status_code
               end

data/lib/saml/kit/metadata.rb

@@ -3,14 +3,7 @@ module Saml
     class Metadata
       include ActiveModel::Validations
       include XsdValidatable
-
       METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
-      NAMESPACES = {
-        "NameFormat": Namespaces::ATTR_SPLAT,
-        "ds": Namespaces::XMLDSIG,
-        "md": Namespaces::METADATA,
-        "saml": Namespaces::ASSERTION,
-      }.freeze
 
       validates_presence_of :metadata
       validate :must_contain_descriptor
@@ -27,16 +20,16 @@ module Saml
       end
 
       def entity_id
-        find_by("/md:EntityDescriptor/@entityID").value
+        document.find_by("/md:EntityDescriptor/@entityID").value
       end
 
       def name_id_formats
-        find_all("/md:EntityDescriptor/md:#{name}/md:NameIDFormat").map(&:text)
+        document.find_all("/md:EntityDescriptor/md:#{name}/md:NameIDFormat").map(&:text)
       end
 
       def certificates
-        @certificates ||= find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
-          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NAMESPACES).text
+        @certificates ||= document.find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
+          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", Xml::NAMESPACES).text
           {
             text: cert,
             fingerprint: Fingerprint.new(cert).algorithm(hash_algorithm),
@@ -54,15 +47,15 @@ module Saml
       end
 
       def services(type)
-        find_all("/md:EntityDescriptor/md:#{name}/md:#{type}").map do |item|
+        document.find_all("/md:EntityDescriptor/md:#{name}/md:#{type}").map do |item|
           binding = item.attribute("Binding").value
           location = item.attribute("Location").value
-          binding_for(binding, location)
+          Saml::Kit::Bindings.create_for(binding, location)
         end
       end
 
       def service_for(binding:, type:)
-        binding = Saml::Kit::Namespaces.binding_for(binding)
+        binding = Saml::Kit::Bindings.binding_for(binding)
         services(type).find { |x| x.binding?(binding) }
       end
 
@@ -78,6 +71,7 @@ module Saml
         if :signing == use.to_sym
           hash_value = fingerprint.algorithm(hash_algorithm)
           signing_certificates.find do |signing_certificate|
+            Saml::Kit.logger.debug [hash_value, signing_certificate[:fingerprint]].inspect
             hash_value == signing_certificate[:fingerprint]
           end
         end
@@ -87,8 +81,8 @@ module Saml
         @xml_hash ||= Hash.from_xml(to_xml)
       end
 
-      def to_xml
-        @xml
+      def to_xml(pretty: false)
+        document.to_xml(pretty: pretty)
       end
 
       def to_s
@@ -116,19 +110,11 @@ module Saml
       private
 
       def document
-        @document ||= Nokogiri::XML(@xml)
-      end
-
-      def find_by(xpath)
-        document.at_xpath(xpath, NAMESPACES)
-      end
-
-      def find_all(xpath)
-        document.search(xpath, NAMESPACES)
+        @document ||= Xml.new(xml)
       end
 
       def metadata
-        find_by("/md:EntityDescriptor/md:#{name}").present?
+        document.find_by("/md:EntityDescriptor/md:#{name}").present?
       end
 
       def must_contain_descriptor
@@ -155,17 +141,6 @@ module Saml
         end
         result
       end
-
-      def binding_for(binding, location)
-        case binding
-        when Namespaces::HTTP_REDIRECT
-          Saml::Kit::HttpRedirectBinding.new(location: location)
-        when Namespaces::POST
-          Saml::Kit::HttpPostBinding.new(location: location)
-        else
-          Saml::Kit::Binding.new(binding: binding, location: location)
-        end
-      end
     end
   end
 end

data/lib/saml/kit/namespaces.rb

@@ -7,9 +7,6 @@ module Saml
       BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
       EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
       ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-      HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
-      HTTP_POST = POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
       METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
       PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
       PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -32,16 +29,7 @@ module Saml
       URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       VERSION_MISMATCH_ERROR = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
       XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
-
-      def self.binding_for(binding)
-        if :post == binding
-          Namespaces::HTTP_POST
-        elsif :http_redirect == binding
-          Namespaces::HTTP_REDIRECT
-        else
-          nil
-        end
-      end
+      XMLENC = "http://www.w3.org/2001/04/xmlenc#"
     end
   end
 end

data/lib/saml/kit/respondable.rb

@@ -21,6 +21,10 @@ module Saml
         to_h.fetch(name, {}).fetch('InResponseTo', nil)
       end
 
+      def success?
+        Namespaces::SUCCESS == status_code
+      end
+
       private
 
       def must_match_request_id

data/lib/saml/kit/response.rb

@@ -12,7 +12,7 @@ module Saml
       end
 
       def name_id
-        to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Subject', {}).fetch('NameID', nil)
+        assertion.fetch('Subject', {}).fetch('NameID', nil)
       end
 
       def [](key)
@@ -20,18 +20,19 @@ module Saml
       end
 
       def attributes
-        @attributes ||= Hash[to_h.fetch(name, {}).fetch('Assertion', {}).fetch('AttributeStatement', {}).fetch('Attribute', []).map do |item|
-          [item['Name'].to_sym, item['AttributeValue']]
-        end].with_indifferent_access
+        @attributes ||= Hash[
+          assertion.fetch('AttributeStatement', {}).fetch('Attribute', []).map do |item|
+            [item['Name'].to_sym, item['AttributeValue']]
+          end
+        ].with_indifferent_access
       end
 
-
       def started_at
-        parse_date(to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Conditions', {}).fetch('NotBefore', nil))
+        parse_date(assertion.fetch('Conditions', {}).fetch('NotBefore', nil))
       end
 
       def expired_at
-        parse_date(to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Conditions', {}).fetch('NotOnOrAfter', nil))
+        parse_date(assertion.fetch('Conditions', {}).fetch('NotOnOrAfter', nil))
       end
 
       def expired?
@@ -42,15 +43,42 @@ module Saml
         Time.current > started_at && !expired?
       end
 
+      def encrypted?
+        to_h[name]['EncryptedAssertion'].present?
+      end
+
+      def assertion
+        @assertion =
+          begin
+            if encrypted?
+              decrypted = Cryptography.new.decrypt(to_h.fetch(name, {}).fetch('EncryptedAssertion', {}))
+              Saml::Kit.logger.debug(decrypted)
+              Hash.from_xml(decrypted)['Assertion']
+            else
+              to_h.fetch(name, {}).fetch('Assertion', {})
+            end
+          end
+      end
+
+      def signed?
+        super || assertion.fetch('Signature', nil).present?
+      end
+
+      def certificate
+        super || assertion.fetch('Signature', {}).fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
+      end
+
       private
 
       def must_be_active_session
         return unless expected_type?
+        return unless success?
         errors[:base] << error_message(:expired) unless active?
       end
 
       def must_match_issuer
         return unless expected_type?
+        return unless success?
 
         unless audiences.include?(Saml::Kit.configuration.issuer)
           errors[:audience] << error_message(:must_match_issuer)
@@ -58,7 +86,7 @@ module Saml
       end
 
       def audiences
-        Array(to_h[name]['Assertion']['Conditions']['AudienceRestriction']['Audience'])
+        Array(assertion['Conditions']['AudienceRestriction']['Audience'])
       rescue => error
         Saml::Kit.logger.error(error)
         []
@@ -75,7 +103,7 @@ module Saml
         attr_reader :user, :request
         attr_accessor :id, :reference_id, :now
         attr_accessor :version, :status_code
-        attr_accessor :issuer, :sign, :destination
+        attr_accessor :issuer, :sign, :destination, :encrypt
 
         def initialize(user, request)
           @user = user
@@ -86,8 +114,9 @@ module Saml
           @version = "2.0"
           @status_code = Namespaces::SUCCESS
           @issuer = configuration.issuer
-          @destination = request.acs_url
+          @destination = destination_for(request)
           @sign = want_assertions_signed
+          @encrypt = false
         end
 
         def want_assertions_signed
@@ -98,38 +127,51 @@ module Saml
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.Response response_options do
               xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
-              signature.template(xml)
+              signature.template(id)
               xml.Status do
                 xml.StatusCode Value: status_code
               end
-              xml.Assertion(assertion_options) do
-                xml.Issuer issuer
-                xml.Subject do
-                  xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
-                  xml.SubjectConfirmation Method: Namespaces::BEARER do
-                    xml.SubjectConfirmationData "", subject_confirmation_data_options
-                  end
+              assertion(xml, signature)
+            end
+          end
+        end
+
+        def build
+          Response.new(to_xml, request_id: request.id)
+        end
+
+        private
+
+        def assertion(xml, signature)
+          with_encryption(xml) do |xml|
+            xml.Assertion(assertion_options) do
+              xml.Issuer issuer
+              signature.template(reference_id) unless encrypt
+              xml.Subject do
+                xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
+                xml.SubjectConfirmation Method: Namespaces::BEARER do
+                  xml.SubjectConfirmationData "", subject_confirmation_data_options
                 end
-                xml.Conditions conditions_options do
-                  xml.AudienceRestriction do
-                    xml.Audience request.issuer
-                  end
+              end
+              xml.Conditions conditions_options do
+                xml.AudienceRestriction do
+                  xml.Audience request.issuer
                 end
-                xml.AuthnStatement authn_statement_options do
-                  xml.AuthnContext do
-                    xml.AuthnContextClassRef Namespaces::PASSWORD
-                  end
+              end
+              xml.AuthnStatement authn_statement_options do
+                xml.AuthnContext do
+                  xml.AuthnContextClassRef Namespaces::PASSWORD
                 end
-                assertion_attributes = user.assertion_attributes_for(request)
-                if assertion_attributes.any?
-                  xml.AttributeStatement do
-                    assertion_attributes.each do |key, value|
-                      xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
-                        xml.AttributeValue value.to_s
-                      end
+              end
+              assertion_attributes = user.assertion_attributes_for(request)
+              if assertion_attributes.any?
+                xml.AttributeStatement do
+                  assertion_attributes.each do |key, value|
+                    xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
+                      xml.AttributeValue value.to_s
                     end
                   end
                 end
@@ -138,11 +180,52 @@ module Saml
           end
         end
 
-        def build
-          Response.new(to_xml, request_id: request.id)
+        def with_encryption(xml)
+          if encrypt
+            temp = ::Builder::XmlMarkup.new
+            yield temp
+            raw_xml_to_encrypt = temp.target!
+
+            encryption_certificate = OpenSSL::X509::Certificate.new(Base64.decode64(request.provider.encryption_certificates.first[:text]))
+            public_key = encryption_certificate.public_key
+
+            cipher = OpenSSL::Cipher.new('AES-256-CBC')
+            cipher.encrypt
+            key = cipher.random_key
+            iv = cipher.random_iv
+            encrypted = cipher.update(raw_xml_to_encrypt) + cipher.final
+
+            Saml::Kit.logger.debug ['+iv', iv].inspect
+            Saml::Kit.logger.debug ['+key', key].inspect
+
+            xml.EncryptedAssertion xmlns: Namespaces::ASSERTION do
+              xml.EncryptedData xmlns: Namespaces::XMLENC do
+                xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+                xml.KeyInfo xmlns: Namespaces::XMLDSIG do
+                  xml.EncryptedKey xmlns: Namespaces::XMLENC do
+                    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
+                    xml.CipherData do
+                      xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
+                    end
+                  end
+                end
+                xml.CipherData do
+                  xml.CipherValue Base64.encode64(iv + encrypted)
+                end
+              end
+            end
+          else
+            yield xml
+          end
         end
 
-        private
+        def destination_for(request)
+          if request.signed? && request.trusted?
+            request.acs_url || request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
+          else
+            request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
+          end
+        end
 
         def configuration
           Saml::Kit.configuration