saml-kit 0.1.0

data/lib/saml/kit/fingerprint.rb

@@ -0,0 +1,40 @@
+module Saml
+  module Kit
+    class Fingerprint
+      attr_reader :x509
+
+      def initialize(raw_certificate)
+        @x509 = OpenSSL::X509::Certificate.new(raw_certificate)
+      rescue OpenSSL::X509::CertificateError => error
+        Saml::Kit.logger.warn(error)
+        @x509 = OpenSSL::X509::Certificate.new(Base64.decode64(raw_certificate))
+      end
+
+      def algorithm(algorithm)
+        pretty_fingerprint(algorithm.new.hexdigest(x509.to_der))
+      end
+
+      def ==(other)
+        self.to_s == other.to_s
+      end
+
+      def eql?(other)
+        self == other
+      end
+
+      def hash
+        to_s.hash
+      end
+
+      def to_s
+        algorithm(OpenSSL::Digest::SHA256)
+      end
+
+      private
+
+      def pretty_fingerprint(fingerprint)
+        fingerprint.upcase.scan(/../).join(":")
+      end
+    end
+  end
+end

data/lib/saml/kit/http_post_binding.rb

@@ -0,0 +1,27 @@
+module Saml
+  module Kit
+    class HttpPostBinding < Binding
+      include Serializable
+
+      def initialize(location:)
+        super(binding: Saml::Kit::Namespaces::HTTP_POST, location: location)
+      end
+
+      def serialize(builder, relay_state: nil)
+        builder.sign = true
+        builder.destination = location
+        document = builder.build
+        saml_params = {
+          document.query_string_parameter => Base64.strict_encode64(document.to_xml),
+        }
+        saml_params['RelayState'] = relay_state if relay_state.present?
+        [location, saml_params]
+      end
+
+      def deserialize(params)
+        xml = decode(saml_param_from(params))
+        Saml::Kit::Document.to_saml_document(xml)
+      end
+    end
+  end
+end

data/lib/saml/kit/http_redirect_binding.rb

@@ -0,0 +1,58 @@
+module Saml
+  module Kit
+    class HttpRedirectBinding < Binding
+      include Serializable
+
+      def initialize(location:)
+        super(binding: Saml::Kit::Namespaces::HTTP_REDIRECT, location: location)
+      end
+
+      def serialize(builder, relay_state: nil)
+        builder.sign = false
+        builder.destination = location
+        document = builder.build
+        [UrlBuilder.new.build(document, relay_state: relay_state), {}]
+      end
+
+      def deserialize(params)
+        document = deserialize_document_from!(params)
+        ensure_valid_signature!(params, document)
+        document
+      end
+
+      private
+
+      def deserialize_document_from!(params)
+        xml = inflate(decode(unescape(saml_param_from(params))))
+        Saml::Kit.logger.debug(xml)
+        Saml::Kit::Document.to_saml_document(xml)
+      end
+
+      def ensure_valid_signature!(params, document)
+        return if params['Signature'].blank? || params['SigAlg'].blank?
+
+        signature = decode(params['Signature'])
+        canonical_form = ['SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg'].map do |key|
+          value = params[key]
+          value.present? ? "#{key}=#{value}" : nil
+        end.compact.join('&')
+
+        valid = document.provider.verify(algorithm_for(params['SigAlg']), signature, canonical_form)
+        raise ArgumentError.new("Invalid Signature") unless valid
+      end
+
+      def algorithm_for(algorithm)
+        case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+        when 256
+          OpenSSL::Digest::SHA256.new
+        when 384
+          OpenSSL::Digest::SHA384.new
+        when 512
+          OpenSSL::Digest::SHA512.new
+        else
+          OpenSSL::Digest::SHA1.new
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/identity_provider_metadata.rb

@@ -0,0 +1,122 @@
+module Saml
+  module Kit
+    class IdentityProviderMetadata < Metadata
+      def initialize(xml)
+        super("IDPSSODescriptor", xml)
+      end
+
+      def want_authn_requests_signed
+        xpath = "/md:EntityDescriptor/md:#{name}"
+        attribute = find_by(xpath).attribute("WantAuthnRequestsSigned")
+        return true if attribute.nil?
+        attribute.text.downcase == "true"
+      end
+
+      def single_sign_on_services
+        services('SingleSignOnService')
+      end
+
+      def single_sign_on_service_for(binding:)
+        service_for(binding: binding, type: 'SingleSignOnService')
+      end
+
+      def attributes
+        find_all("/md:EntityDescriptor/md:#{name}/saml:Attribute").map do |item|
+          {
+            format: item.attribute("NameFormat").try(:value),
+            name: item.attribute("Name").value,
+          }
+        end
+      end
+
+      private
+
+      class Builder
+        attr_accessor :id, :organization_name, :organization_url, :contact_email, :entity_id, :attributes, :name_id_formats
+        attr_accessor :want_authn_requests_signed, :sign
+        attr_reader :logout_urls, :single_sign_on_urls
+
+        def initialize(configuration = Saml::Kit.configuration)
+          @id = SecureRandom.uuid
+          @entity_id = configuration.issuer
+          @attributes = []
+          @name_id_formats = [Namespaces::PERSISTENT]
+          @single_sign_on_urls = []
+          @logout_urls = []
+          @configuration = configuration
+          @sign = true
+          @want_authn_requests_signed = true
+        end
+
+        def add_single_sign_on_service(url, binding: :post)
+          @single_sign_on_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        end
+
+        def add_single_logout_service(url, binding: :post)
+          @logout_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.instruct!
+            xml.EntityDescriptor entity_descriptor_options do
+              signature.template(xml)
+              xml.IDPSSODescriptor idp_sso_descriptor_options do
+                xml.KeyDescriptor use: "signing" do
+                  xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                    xml.X509Data do
+                      xml.X509Certificate @configuration.stripped_signing_certificate
+                    end
+                  end
+                end
+                logout_urls.each do |item|
+                  xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
+                end
+                name_id_formats.each do |format|
+                  xml.NameIDFormat format
+                end
+                single_sign_on_urls.each do |item|
+                  xml.SingleSignOnService Binding: item[:binding], Location: item[:location]
+                end
+                attributes.each do |attribute|
+                  xml.tag! 'saml:Attribute', Name: attribute
+                end
+              end
+              xml.Organization do
+                xml.OrganizationName organization_name, 'xml:lang': "en"
+                xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
+                xml.OrganizationURL organization_url, 'xml:lang': "en"
+              end
+              xml.ContactPerson contactType: "technical" do
+                xml.Company "mailto:#{contact_email}"
+              end
+            end
+          end
+        end
+
+        def build
+          IdentityProviderMetadata.new(to_xml)
+        end
+
+        private
+
+        def entity_descriptor_options
+          {
+            'xmlns': Namespaces::METADATA,
+            'xmlns:ds': Namespaces::XMLDSIG,
+            'xmlns:saml': Namespaces::ASSERTION,
+            ID: "_#{id}",
+            entityID: entity_id,
+          }
+        end
+
+        def idp_sso_descriptor_options
+          {
+            protocolSupportEnumeration: Namespaces::PROTOCOL,
+            WantAuthnRequestsSigned: want_authn_requests_signed
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/invalid_document.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Kit
+    class InvalidDocument < Document
+      validate do |model|
+        model.errors[:base] << model.error_message(:invalid)
+      end
+
+      def initialize(xml)
+        super(xml, name: "InvalidDocument")
+      end
+    end
+  end
+end

data/lib/saml/kit/locales/en.yml

@@ -0,0 +1,25 @@
+---
+en:
+  saml/kit:
+    errors:
+      AuthnRequest:
+        invalid: "must contain AuthnRequest."
+        invalid_fingerprint: "does not match."
+        unregistered: "is unregistered."
+      IDPSSODescriptor:
+        invalid: "must contain IDPSSODescriptor."
+        invalid_signature: "invalid signature."
+      InvalidDocument:
+        invalid: "must contain valid SAMLRequest"
+      LogoutResponse:
+        unregistered: "is unregistered."
+      Response:
+        invalid: "must contain Response."
+        unregistered: "must originate from registered identity provider."
+        expired: "must not be expired."
+        invalid_version: "must be 2.0."
+        invalid_response_to: "must match request id."
+        must_match_issuer: "must match entityId."
+      SPSSODescriptor:
+        invalid: "must contain SPSSODescriptor."
+        invalid_signature: "invalid signature."

data/lib/saml/kit/logout_request.rb

@@ -0,0 +1,78 @@
+module Saml
+  module Kit
+    class LogoutRequest < Document
+      include Requestable
+      validates_presence_of :single_logout_service, if: :expected_type?
+
+      def initialize(xml)
+        super(xml, name: "LogoutRequest")
+      end
+
+      def name_id
+        to_h[name]['NameID']
+      end
+
+      def single_logout_service
+        return if provider.nil?
+        urls = provider.single_logout_services
+        urls.first
+      end
+
+      def response_for(user)
+        LogoutResponse::Builder.new(user, self)
+      end
+
+      private
+
+      class Builder
+        attr_accessor :id, :destination, :issuer, :name_id_format, :now
+        attr_accessor :sign, :version
+        attr_reader :user
+
+        def initialize(user, configuration: Saml::Kit.configuration, sign: true)
+          @user = user
+          @id = SecureRandom.uuid
+          @issuer = configuration.issuer
+          @name_id_format = Saml::Kit::Namespaces::PERSISTENT
+          @now = Time.now.utc
+          @version = "2.0"
+          @sign = sign
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.instruct!
+            xml.LogoutRequest logout_request_options do
+              xml.Issuer({ xmlns: Namespaces::ASSERTION }, issuer)
+              signature.template(xml)
+              xml.NameID name_id_options, user.name_id_for(name_id_format)
+            end
+          end
+        end
+
+        def build
+          Saml::Kit::LogoutRequest.new(to_xml)
+        end
+
+        private
+
+        def logout_request_options
+          {
+            ID: "_#{id}",
+            Version: version,
+            IssueInstant: now.utc.iso8601,
+            Destination: destination,
+            xmlns: Namespaces::PROTOCOL,
+          }
+        end
+
+        def name_id_options
+          {
+            Format: name_id_format,
+            xmlns: Namespaces::ASSERTION,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/logout_response.rb

@@ -0,0 +1,63 @@
+module Saml
+  module Kit
+    class LogoutResponse < Document
+      include Respondable
+
+      def initialize(xml, request_id: nil)
+        @request_id = request_id
+        super(xml, name: "LogoutResponse")
+      end
+
+      private
+
+      class Builder
+        attr_accessor :id, :issuer, :version, :status_code, :sign, :now, :destination
+        attr_reader :request
+
+        def initialize(user, request, configuration: Saml::Kit.configuration, sign: true)
+          @user = user
+          @now = Time.now.utc
+          @request = request
+          @id = SecureRandom.uuid
+          @version = "2.0"
+          @status_code = Namespaces::SUCCESS
+          @sign = sign
+          @issuer = configuration.issuer
+          provider = configuration.registry.metadata_for(@issuer)
+          if provider
+            @destination = provider.single_logout_service_for(binding: :post).try(:location)
+          end
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.LogoutResponse logout_response_options do
+              xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
+              signature.template(xml)
+              xml.Status do
+                xml.StatusCode Value: status_code
+              end
+            end
+          end
+        end
+
+        def build
+          LogoutResponse.new(to_xml, request_id: request.id)
+        end
+
+        private
+
+        def logout_response_options
+          {
+            xmlns: Namespaces::PROTOCOL,
+            ID: "_#{id}",
+            Version: version,
+            IssueInstant: now.utc.iso8601,
+            Destination: destination,
+            InResponseTo: request.id,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/metadata.rb

@@ -0,0 +1,171 @@
+module Saml
+  module Kit
+    class Metadata
+      include ActiveModel::Validations
+      include XsdValidatable
+
+      METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
+      NAMESPACES = {
+        "NameFormat": Namespaces::ATTR_SPLAT,
+        "ds": Namespaces::XMLDSIG,
+        "md": Namespaces::METADATA,
+        "saml": Namespaces::ASSERTION,
+      }.freeze
+
+      validates_presence_of :metadata
+      validate :must_contain_descriptor
+      validate :must_match_xsd
+      validate :must_have_valid_signature
+
+      attr_reader :xml, :name
+      attr_accessor :hash_algorithm
+
+      def initialize(name, xml)
+        @name = name
+        @xml = xml
+        @hash_algorithm = OpenSSL::Digest::SHA256
+      end
+
+      def entity_id
+        find_by("/md:EntityDescriptor/@entityID").value
+      end
+
+      def name_id_formats
+        find_all("/md:EntityDescriptor/md:#{name}/md:NameIDFormat").map(&:text)
+      end
+
+      def certificates
+        @certificates ||= find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
+          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NAMESPACES).text
+          {
+            text: cert,
+            fingerprint: Fingerprint.new(cert).algorithm(hash_algorithm),
+            use: item.attribute('use').value.to_sym,
+          }
+        end
+      end
+
+      def encryption_certificates
+        certificates.find_all { |x| x[:use] == :encryption }
+      end
+
+      def signing_certificates
+        certificates.find_all { |x| x[:use] == :signing }
+      end
+
+      def services(type)
+        find_all("/md:EntityDescriptor/md:#{name}/md:#{type}").map do |item|
+          binding = item.attribute("Binding").value
+          location = item.attribute("Location").value
+          binding_for(binding, location)
+        end
+      end
+
+      def service_for(binding:, type:)
+        binding = Saml::Kit::Namespaces.binding_for(binding)
+        services(type).find { |x| x.binding?(binding) }
+      end
+
+      def single_logout_services
+        services('SingleLogoutService')
+      end
+
+      def single_logout_service_for(binding:)
+        service_for(binding: binding, type: 'SingleLogoutService')
+      end
+
+      def matches?(fingerprint, use: :signing)
+        if :signing == use.to_sym
+          hash_value = fingerprint.algorithm(hash_algorithm)
+          signing_certificates.find do |signing_certificate|
+            hash_value == signing_certificate[:fingerprint]
+          end
+        end
+      end
+
+      def to_h
+        @xml_hash ||= Hash.from_xml(to_xml)
+      end
+
+      def to_xml
+        @xml
+      end
+
+      def to_s
+        to_xml
+      end
+
+      def verify(algorithm, signature, data)
+        signing_certificates.find do |cert|
+          x509 = OpenSSL::X509::Certificate.new(Base64.decode64(cert[:text]))
+          public_key = x509.public_key
+          public_key.verify(algorithm, signature, data)
+        end
+      end
+
+      def self.from(content)
+        hash = Hash.from_xml(content)
+        entity_descriptor = hash["EntityDescriptor"]
+        if entity_descriptor.keys.include?("SPSSODescriptor")
+          Saml::Kit::ServiceProviderMetadata.new(content)
+        elsif entity_descriptor.keys.include?("IDPSSODescriptor")
+          Saml::Kit::IdentityProviderMetadata.new(content)
+        end
+      end
+
+      private
+
+      def document
+        @document ||= Nokogiri::XML(@xml)
+      end
+
+      def find_by(xpath)
+        document.at_xpath(xpath, NAMESPACES)
+      end
+
+      def find_all(xpath)
+        document.search(xpath, NAMESPACES)
+      end
+
+      def metadata
+        find_by("/md:EntityDescriptor/md:#{name}").present?
+      end
+
+      def must_contain_descriptor
+        errors[:base] << error_message(:invalid) unless metadata
+      end
+
+      def must_match_xsd
+        matches_xsd?(METADATA_XSD)
+      end
+
+      def must_have_valid_signature
+        return if to_xml.blank?
+
+        unless valid_signature?
+          errors[:base] << error_message(:invalid_signature)
+        end
+      end
+
+      def valid_signature?
+        xml = Saml::Kit::Xml.new(to_xml)
+        result = xml.valid?
+        xml.errors.each do |error|
+          errors[:base] << error
+        end
+        result
+      end
+
+      def binding_for(binding, location)
+        case binding
+        when Namespaces::HTTP_REDIRECT
+          Saml::Kit::HttpRedirectBinding.new(location: location)
+        when Namespaces::POST
+          Saml::Kit::HttpPostBinding.new(location: location)
+        else
+          Saml::Kit::Binding.new(binding: binding, location: location)
+        end
+      end
+    end
+  end
+end