saml-kit 0.1.0 → 0.2.0

data/lib/saml/kit/service_provider_metadata.rb

@@ -14,7 +14,7 @@ module Saml
       end
 
       def want_assertions_signed
-        attribute = find_by("/md:EntityDescriptor/md:#{name}").attribute("WantAssertionsSigned")
+        attribute = document.find_by("/md:EntityDescriptor/md:#{name}").attribute("WantAssertionsSigned")
         attribute.text.downcase == "true"
       end
 
@@ -35,19 +35,19 @@ module Saml
           @want_assertions_signed = true
         end
 
-        def add_assertion_consumer_service(url, binding: :post)
-          @acs_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        def add_assertion_consumer_service(url, binding: :http_post)
+          @acs_urls.push(location: url, binding: Bindings.binding_for(binding))
         end
 
-        def add_single_logout_service(url, binding: :post)
-          @logout_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        def add_single_logout_service(url, binding: :http_post)
+          @logout_urls.push(location: url, binding: Bindings.binding_for(binding))
         end
 
         def to_xml
-          Signature.sign(id, sign: sign) do |xml, signature|
+          Signature.sign(sign: sign) do |xml, signature|
             xml.instruct!
             xml.EntityDescriptor entity_descriptor_options do
-              signature.template(xml)
+              signature.template(id)
               xml.SPSSODescriptor descriptor_options do
                 if @configuration.signing_certificate_pem.present?
                   xml.KeyDescriptor use: "signing" do
@@ -58,6 +58,15 @@ module Saml
                     end
                   end
                 end
+                if @configuration.encryption_certificate_pem.present?
+                  xml.KeyDescriptor use: "encryption" do
+                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                      xml.X509Data do
+                        xml.X509Certificate @configuration.stripped_encryption_certificate
+                      end
+                    end
+                  end
+                end
                 logout_urls.each do |item|
                   xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
                 end

data/lib/saml/kit/signature.rb

@@ -16,17 +16,19 @@ module Saml
         SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
       }.freeze
 
-      attr_reader :configuration, :reference_id, :sign
+      attr_reader :configuration, :sign, :xml
 
-      def initialize(reference_id, configuration: Saml::Kit.configuration, sign: true)
-        @reference_id = reference_id
+      def initialize(xml, configuration:, sign: true)
+        @xml = xml
         @configuration = configuration
         @sign = sign
+        @reference_ids = []
       end
 
-      def template(xml = ::Builder::XmlMarkup.new)
+      def template(reference_id)
         return unless sign
         return if reference_id.blank?
+        @reference_ids << reference_id
 
         xml.Signature "xmlns" => Namespaces::XMLDSIG do
           xml.SignedInfo do
@@ -50,19 +52,20 @@ module Saml
         end
       end
 
-      def finalize(xml)
-        if sign && reference_id.present?
-          document = Xmldsig::SignedDocument.new(xml.target!)
-          document.sign(private_key)
-        else
-          xml.target!
+      def finalize
+        return xml.target! unless sign
+
+        raw_xml = xml.target!
+        @reference_ids.each do |reference_id|
+          raw_xml = Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
         end
+        raw_xml
       end
 
-      def self.sign(id, sign: true, xml: ::Builder::XmlMarkup.new)
-        signature = new(id, sign: sign)
+      def self.sign(sign: true, xml: ::Builder::XmlMarkup.new, configuration: Saml::Kit.configuration)
+        signature = new(xml, sign: sign, configuration: configuration)
         yield xml, signature
-        signature.finalize(xml)
+        signature.finalize
       end
 
       private

data/lib/saml/kit/trustable.rb

@@ -4,8 +4,9 @@ module Saml
       extend ActiveSupport::Concern
 
       included do
-        validate :must_have_valid_signature
+        validate :must_have_valid_signature, unless: :signature_manually_verified
         validate :must_be_registered
+        validate :must_be_trusted, unless: :signature_manually_verified
       end
 
       def certificate
@@ -19,7 +20,7 @@ module Saml
       end
 
       def signed?
-        to_h[name]['Signature'].present?
+        to_h.fetch(name, {}).fetch('Signature', nil).present?
       end
 
       def trusted?
@@ -36,8 +37,14 @@ module Saml
         Saml::Kit.configuration.registry
       end
 
+      def signature_verified!
+        @signature_manually_verified = true
+      end
+
       private
 
+      attr_reader :signature_manually_verified
+
       def must_have_valid_signature
         return if to_xml.blank?
 
@@ -50,10 +57,11 @@ module Saml
 
       def must_be_registered
         return unless expected_type?
-        if provider.nil?
-          errors[:provider] << error_message(:unregistered)
-          return
-        end
+        return if provider.present?
+        errors[:provider] << error_message(:unregistered)
+      end
+
+      def must_be_trusted
         return if trusted?
         errors[:fingerprint] << error_message(:invalid_fingerprint)
       end

data/lib/saml/kit/version.rb

@@ -1,5 +1,5 @@
 module Saml
   module Kit
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/saml/kit/xml.rb

@@ -2,6 +2,12 @@ module Saml
   module Kit
     class Xml
       include ActiveModel::Validations
+      NAMESPACES = {
+        "NameFormat": Namespaces::ATTR_SPLAT,
+        "ds": Namespaces::XMLDSIG,
+        "md": Namespaces::METADATA,
+        "saml": Namespaces::ASSERTION,
+      }.freeze
 
       attr_reader :raw_xml, :document
 
@@ -10,9 +16,7 @@ module Saml
 
       def initialize(raw_xml)
         @raw_xml = raw_xml
-        @document = Nokogiri::XML(raw_xml, nil, nil, Nokogiri::XML::ParseOptions::STRICT) do |config|
-          config.noblanks
-        end
+        @document = Nokogiri::XML(raw_xml)
       end
 
       def x509_certificates
@@ -22,6 +26,18 @@ module Saml
         end
       end
 
+      def find_by(xpath)
+        document.at_xpath(xpath, NAMESPACES)
+      end
+
+      def find_all(xpath)
+        document.search(xpath, NAMESPACES)
+      end
+
+      def to_xml(pretty: true)
+        pretty ? document.to_xml(indent: 2) : raw_xml
+      end
+
       private
 
       def validate_signatures

data/saml-kit.gemspec

@@ -22,8 +22,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "activemodel", "~> 5.1"
-  spec.add_dependency "activesupport", "~> 5.1"
+  spec.add_dependency "activemodel", ">= 4.2.0"
+  spec.add_dependency "activesupport", ">= 4.2.0"
   spec.add_dependency "builder", "~> 3.2"
   spec.add_dependency "nokogiri", "~> 1.8"
   spec.add_dependency "xmldsig", "~> 0.6"

metadata

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: saml-kit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - mo khan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-11-19 00:00:00.000000000 Z
+date: 2017-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 4.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 4.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -154,6 +154,7 @@ description: A simple toolkit for working with SAML.
 email:
 - mo@mokhan.ca
 executables:
+- saml-kit-decode-http-post
 - saml-kit-decode-http-redirect
 extensions: []
 extra_rdoc_files: []
@@ -167,16 +168,25 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/saml-kit-decode-http-post
 - exe/saml-kit-decode-http-redirect
 - lib/saml/kit.rb
 - lib/saml/kit/authentication_request.rb
-- lib/saml/kit/binding.rb
+- lib/saml/kit/bindings.rb
+- lib/saml/kit/bindings/binding.rb
+- lib/saml/kit/bindings/http_post.rb
+- lib/saml/kit/bindings/http_redirect.rb
+- lib/saml/kit/bindings/url_builder.rb
 - lib/saml/kit/configuration.rb
+- lib/saml/kit/crypto.rb
+- lib/saml/kit/crypto/oaep_cipher.rb
+- lib/saml/kit/crypto/rsa_cipher.rb
+- lib/saml/kit/crypto/simple_cipher.rb
+- lib/saml/kit/crypto/unknown_cipher.rb
+- lib/saml/kit/cryptography.rb
 - lib/saml/kit/default_registry.rb
 - lib/saml/kit/document.rb
 - lib/saml/kit/fingerprint.rb
-- lib/saml/kit/http_post_binding.rb
-- lib/saml/kit/http_redirect_binding.rb
 - lib/saml/kit/identity_provider_metadata.rb
 - lib/saml/kit/invalid_document.rb
 - lib/saml/kit/locales/en.yml
@@ -192,7 +202,6 @@ files:
 - lib/saml/kit/service_provider_metadata.rb
 - lib/saml/kit/signature.rb
 - lib/saml/kit/trustable.rb
-- lib/saml/kit/url_builder.rb
 - lib/saml/kit/version.rb
 - lib/saml/kit/xml.rb
 - lib/saml/kit/xsd/MetadataExchange.xsd

data/lib/saml/kit/binding.rb

@@ -1,40 +0,0 @@
-module Saml
-  module Kit
-    class Binding
-      attr_reader :binding, :location
-
-      def initialize(binding:, location:)
-        @binding = binding
-        @location = location
-      end
-
-      def binding?(other)
-        binding == other
-      end
-
-      def serialize(builder, relay_state: nil)
-        []
-      end
-
-      def deserialize(params)
-        raise ArgumentError.new("Unsupported binding")
-      end
-
-      def to_h
-        { binding: binding, location: location }
-      end
-
-      protected
-
-      def saml_param_from(params)
-        if params['SAMLRequest'].present?
-          params['SAMLRequest']
-        elsif params['SAMLResponse'].present?
-          params['SAMLResponse']
-        else
-          raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/http_post_binding.rb

@@ -1,27 +0,0 @@
-module Saml
-  module Kit
-    class HttpPostBinding < Binding
-      include Serializable
-
-      def initialize(location:)
-        super(binding: Saml::Kit::Namespaces::HTTP_POST, location: location)
-      end
-
-      def serialize(builder, relay_state: nil)
-        builder.sign = true
-        builder.destination = location
-        document = builder.build
-        saml_params = {
-          document.query_string_parameter => Base64.strict_encode64(document.to_xml),
-        }
-        saml_params['RelayState'] = relay_state if relay_state.present?
-        [location, saml_params]
-      end
-
-      def deserialize(params)
-        xml = decode(saml_param_from(params))
-        Saml::Kit::Document.to_saml_document(xml)
-      end
-    end
-  end
-end

data/lib/saml/kit/http_redirect_binding.rb

@@ -1,58 +0,0 @@
-module Saml
-  module Kit
-    class HttpRedirectBinding < Binding
-      include Serializable
-
-      def initialize(location:)
-        super(binding: Saml::Kit::Namespaces::HTTP_REDIRECT, location: location)
-      end
-
-      def serialize(builder, relay_state: nil)
-        builder.sign = false
-        builder.destination = location
-        document = builder.build
-        [UrlBuilder.new.build(document, relay_state: relay_state), {}]
-      end
-
-      def deserialize(params)
-        document = deserialize_document_from!(params)
-        ensure_valid_signature!(params, document)
-        document
-      end
-
-      private
-
-      def deserialize_document_from!(params)
-        xml = inflate(decode(unescape(saml_param_from(params))))
-        Saml::Kit.logger.debug(xml)
-        Saml::Kit::Document.to_saml_document(xml)
-      end
-
-      def ensure_valid_signature!(params, document)
-        return if params['Signature'].blank? || params['SigAlg'].blank?
-
-        signature = decode(params['Signature'])
-        canonical_form = ['SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg'].map do |key|
-          value = params[key]
-          value.present? ? "#{key}=#{value}" : nil
-        end.compact.join('&')
-
-        valid = document.provider.verify(algorithm_for(params['SigAlg']), signature, canonical_form)
-        raise ArgumentError.new("Invalid Signature") unless valid
-      end
-
-      def algorithm_for(algorithm)
-        case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
-        when 256
-          OpenSSL::Digest::SHA256.new
-        when 384
-          OpenSSL::Digest::SHA384.new
-        when 512
-          OpenSSL::Digest::SHA512.new
-        else
-          OpenSSL::Digest::SHA1.new
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/url_builder.rb

@@ -1,38 +0,0 @@
-module Saml
-  module Kit
-    class UrlBuilder
-      include Serializable
-
-      def initialize(private_key: Saml::Kit.configuration.signing_private_key)
-        @private_key = private_key
-      end
-
-      def build(saml_document, relay_state: nil)
-        payload = canonicalize(saml_document, relay_state)
-        "#{saml_document.destination}?#{payload}&Signature=#{signature_for(payload)}"
-      end
-
-      private
-
-      attr_reader :private_key
-
-      def signature_for(payload)
-        encode(private_key.sign(OpenSSL::Digest::SHA256.new, payload))
-      end
-
-      def canonicalize(saml_document, relay_state)
-        {
-          saml_document.query_string_parameter => serialize(saml_document.to_xml),
-          'RelayState' => relay_state,
-          'SigAlg' => Saml::Kit::Namespaces::SHA256,
-        }.map do |(key, value)|
-          value.present? ? "#{key}=#{escape(value)}" : nil
-        end.compact.join('&')
-      end
-
-      def serialize(value)
-        encode(deflate(value))
-      end
-    end
-  end
-end