saml2 1.0.10 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7c19f162d8dcc43d0a264bc4c1b1f1f0e497b476
-  data.tar.gz: e0d34ccb811ce49f36449d7ec843f2f58516a733
+  metadata.gz: 382418cbc200bcf81a58ff09ebadd551d0c16101
+  data.tar.gz: 0f7318a0d65eb9b80afbe0405d6dc768cc4e3f0d
 SHA512:
-  metadata.gz: 70083ff8f78e8eaf3302c548babff43b54478d7bc5dc45346612e18b378695570dbcae619c1776150d80bee59f60dcf658b7848fd78fe0e9e3b592f7e6c7468a
-  data.tar.gz: 863e91a34172a34526f20935b092160185e2189edf3881d98e7cb82d577c89d16ff1d5a4c21ad0b08eee602348523b74326409161b5d0aa59e84191f6baaef1d
+  metadata.gz: 0b0462631aa2d2c0208655bf85e8a104555034176df8825f42029f1356a745d07f561f15a5c78719e8a1400eb70063cc89c6014abaf226a3294d5a6a0aa319c1
+  data.tar.gz: c1ad828d647e905e3e92e4e34c2e4856a370fe32abf9bfe337e344dd34e46a95b9d344f5c3cd7542a1636a068febad623af0a83ee2cc524d7c0e74eb7cb8a61e

data/Rakefile

@@ -2,12 +2,7 @@ require 'rubygems'
 require 'bundler'
 Bundler::GemHelper.install_tasks
 
-require 'rake'
-require 'rake/testtask'
-
-Rake::TestTask.new do |t|
-  t.name = "spec"
-  t.pattern = "spec/**/*_spec.rb"
-end
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
 
 task :default => :spec

data/lib/saml2.rb

@@ -1,5 +1,7 @@
 require 'saml2/authn_request'
 require 'saml2/entity'
+require 'saml2/logout_request'
+require 'saml2/logout_response'
 require 'saml2/response'
 require 'saml2/version'
 

data/lib/saml2/attribute.rb

@@ -65,6 +65,7 @@ module SAML2
     end
 
     def from_xml(node)
+      super
       @name = node['Name']
       @friendly_name = node['FriendlyName']
       @name_format = node['NameFormat']
@@ -124,6 +125,7 @@ module SAML2
     end
 
     def from_xml(node)
+      super
       @attributes = node.xpath('saml:Attribute', Namespaces::ALL).map do |attr|
         Attribute.from_xml(attr)
       end

data/lib/saml2/attribute_consuming_service.rb

@@ -52,6 +52,7 @@ module SAML2
     end
 
     def from_xml(node)
+      super
       @name = node['ServiceName']
       @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
     end

data/lib/saml2/authn_request.rb

@@ -2,49 +2,29 @@ require 'base64'
 require 'zlib'
 
 require 'saml2/attribute_consuming_service'
+require 'saml2/bindings/http_redirect'
 require 'saml2/endpoint'
 require 'saml2/name_id'
 require 'saml2/namespaces'
+require 'saml2/request'
 require 'saml2/schemas'
 require 'saml2/subject'
 
 module SAML2
-  class MessageTooLarge < RuntimeError
-  end
-
-  class AuthnRequest
+  class AuthnRequest < Request
+    # deprecated; takes _just_ the SAMLRequest parameter's value
     def self.decode(authnrequest)
-      begin
-        raise MessageTooLarge if authnrequest.bytesize > SAML2.config[:max_message_size]
-        authnrequest = Base64.decode64(authnrequest)
-        zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        xml = ''
-        # do it in 1K slices, so we can protect against bombs
-        (0..authnrequest.bytesize / 1024).each do |i|
-          xml.concat(zstream.inflate(authnrequest.byteslice(i * 1024, 1024)))
-          raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
-        end
-        xml.concat(zstream.finish)
-        raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
-
-        zstream.close
-      rescue Zlib::DataError, Zlib::BufError
-      end
-      parse(xml)
-    end
-
-    def self.parse(authnrequest)
-      new(Nokogiri::XML(authnrequest))
-    end
-
-    def initialize(document)
-      @document = document
+      result, _relay_state = Bindings::HTTPRedirect.decode("http://host/?SAMLRequest=#{authnrequest}")
+      return nil unless result.is_a?(AuthnRequest)
+      result
+    rescue CorruptMessage
+      AuthnRequest.from_xml(Nokogiri::XML('<xml></xml>').root)
     end
 
     def valid_schema?
-      return false unless Schemas.protocol.valid?(@document)
+      return false unless super
       # Check for the correct root element
-      return false unless @document.at_xpath('/samlp:AuthnRequest', Namespaces::ALL)
+      return false unless xml.at_xpath('/samlp:AuthnRequest', Namespaces::ALL)
 
       true
     end
@@ -83,46 +63,38 @@ module SAML2
       true
     end
 
-    def issuer
-      @issuer ||= NameID.from_xml(@document.root.at_xpath('saml:Issuer', Namespaces::ALL))
-    end
-
     def name_id_policy
-      @name_id_policy ||= NameID::Policy.from_xml(@document.root.at_xpath('samlp:NameIDPolicy', Namespaces::ALL))
-    end
-
-    def id
-      @document.root['ID']
+      @name_id_policy ||= NameID::Policy.from_xml(xml.at_xpath('samlp:NameIDPolicy', Namespaces::ALL))
     end
 
     attr_reader :assertion_consumer_service, :attribute_consuming_service
 
     def assertion_consumer_service_url
-      @document.root['AssertionConsumerServiceURL']
+      xml['AssertionConsumerServiceURL']
     end
 
     def assertion_consumer_service_index
-      @document.root['AssertionConsumerServiceIndex'] && @document.root['AssertionConsumerServiceIndex'].to_i
+      xml['AssertionConsumerServiceIndex'] && xml['AssertionConsumerServiceIndex'].to_i
     end
 
     def attribute_consuming_service_index
-      @document.root['AttributeConsumerServiceIndex'] && @document.root['AttributeConsumerServiceIndex'].to_i
+      xml['AttributeConsumerServiceIndex'] && xml['AttributeConsumerServiceIndex'].to_i
     end
 
     def force_authn?
-      @document.root['ForceAuthn']
+      xml['ForceAuthn']
     end
 
     def passive?
-      @document.root['IsPassive']
+      xml['IsPassive']
     end
 
     def protocol_binding
-      @document.root['ProtocolBinding']
+      xml['ProtocolBinding']
     end
 
     def subject
-      @subject ||= Subject.from_xml(@document.at_xpath('saml:Subject', Namespaces::ALL))
+      @subject ||= Subject.from_xml(xml.at_xpath('saml:Subject', Namespaces::ALL))
     end
   end
 end

data/lib/saml2/base.rb

@@ -9,7 +9,10 @@ module SAML2
       result
     end
 
-    def from_xml(_node)
+    attr_reader :xml
+
+    def from_xml(node)
+      @xml = node
     end
 
     def to_s
@@ -28,7 +31,7 @@ module SAML2
 
     def self.load_string_array(node, element)
       node.xpath(element, Namespaces::ALL).map do |element_node|
-        element_node.content && element_node.content.strip
+        element_node.content&.strip
       end
     end
 

data/lib/saml2/bindings.rb

@@ -0,0 +1,7 @@
+module SAML2
+  module Bindings
+    module Encodings
+      DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'.freeze
+    end
+  end
+end

data/lib/saml2/bindings/http_redirect.rb

@@ -0,0 +1,141 @@
+require 'base64'
+require 'uri'
+require 'zlib'
+
+require 'saml2/bindings'
+require 'saml2/message'
+
+module SAML2
+  module Bindings
+    module HTTPRedirect
+      URN ="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
+
+      module SigAlgs
+        DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1".freeze
+        RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1".freeze
+
+        RECOGNIZED = [DSA_SHA1, RSA_SHA1].freeze
+      end
+
+      class << self
+        def decode(url, public_key: nil, public_key_used: nil)
+          uri = begin
+            URI.parse(url)
+          rescue URI::InvalidURIError
+            raise CorruptMessage
+          end
+
+          raise MissingMessage unless uri.query
+          query = URI.decode_www_form(uri.query)
+          base64 = query.assoc('SAMLRequest')&.last
+          if base64
+            message_param = 'SAMLRequest'
+          else
+            base64 = query.assoc('SAMLResponse')&.last
+            message_param = 'SAMLResponse'
+          end
+          encoding = query.assoc('SAMLEncoding')&.last
+          relay_state = query.assoc('RelayState')&.last
+          signature = query.assoc('Signature')&.last
+          sig_alg = query.assoc('SigAlg')&.last
+          raise MissingMessage unless base64
+
+          raise UnsupportedEncoding if encoding && encoding != Encodings::DEFLATE
+
+          raise MessageTooLarge if base64.bytesize > SAML2.config[:max_message_size]
+
+          deflated = begin
+            Base64.strict_decode64(base64)
+          rescue ArgumentError
+            raise CorruptMessage
+          end
+
+          zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+          xml = ''
+          begin
+            # do it in 1K slices, so we can protect against bombs
+            (0..deflated.bytesize / 1024).each do |i|
+              xml.concat(zstream.inflate(deflated.byteslice(i * 1024, 1024)))
+              raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
+            end
+            xml.concat(zstream.finish)
+            raise MessageTooLarge if xml.bytesize > SAML2.config[:max_message_size]
+          rescue Zlib::DataError, Zlib::BufError
+            raise CorruptMessage
+          end
+
+          zstream.close
+          message = Message.parse(xml)
+          # if a block is provided, it's to fetch the proper certificate
+          # based on the contents of the message
+          public_key ||= yield(message, sig_alg) if block_given?
+          if public_key
+            raise UnsignedMessage unless signature
+            raise UnsupportedSignatureAlgorithm unless SigAlgs::RECOGNIZED.include?(sig_alg)
+
+            begin
+              signature = Base64.strict_decode64(signature)
+            rescue ArgumentError
+              raise CorruptMessage
+            end
+
+            base_string = find_raw_query_param(uri.query, message_param)
+            base_string << '&' << find_raw_query_param(uri.query, 'RelayState') if relay_state
+            base_string << '&' << find_raw_query_param(uri.query, 'SigAlg')
+
+            valid_signature = false
+            # there could be multiple certificates to try
+            Array(public_key).each do |key|
+              if key.verify(OpenSSL::Digest::SHA1.new, signature, base_string)
+                # notify the caller which certificate was used
+                public_key_used&.call(key)
+                valid_signature = true
+                break
+              end
+            end
+            raise InvalidSignature unless valid_signature
+          end
+          [message, relay_state]
+        end
+
+        def encode(message, relay_state: nil, private_key: nil)
+          result = URI.parse(message.destination)
+          original_query = URI.decode_www_form(result.query) if result.query
+          original_query ||= []
+          # remove any SAML protocol parameters
+          %w{SAMLEncoding SAMLRequest SAMLResponse RelayState SigAlg Signature}.each do |param|
+            original_query.delete_if { |(k, v)| k == param }
+          end
+
+          xml = message.to_s
+          zstream = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
+          deflated = zstream.deflate(xml, Zlib::FINISH)
+          zstream.close
+          base64 = Base64.strict_encode64(deflated)
+
+          query = []
+          query << [message.is_a?(Request) ? 'SAMLRequest' : 'SAMLResponse', base64]
+          query << ['RelayState', relay_state] if relay_state
+          if private_key
+            query << ['SigAlg', SigAlgs::RSA_SHA1]
+            base_string = URI.encode_www_form(query)
+            signature = private_key.sign(OpenSSL::Digest::SHA1.new, base_string)
+            query << ['Signature', Base64.strict_encode64(signature)]
+          end
+
+          result.query = URI.encode_www_form(original_query + query)
+          result.to_s
+        end
+
+        private
+
+        # we need to find the param, and return it still encoded from the URL
+        def find_raw_query_param(query, param)
+          start = query.index(param)
+          finish = (query.index('&', start + param.length + 1) || 0) - 1
+          query[start..finish]
+        end
+      end
+    end
+  end
+end

data/lib/saml2/contact.rb

@@ -1,7 +1,7 @@
 require 'saml2/base'
 
 module SAML2
-  class Contact
+  class Contact < Base
     module Type
       ADMINISTRATIVE = 'administrative'.freeze
       BILLING        = 'billing'.freeze
@@ -12,27 +12,25 @@ module SAML2
 
     attr_accessor :type, :company, :given_name, :surname, :email_addresses, :telephone_numbers
 
-    def self.from_xml(node)
-      return nil unless node
-
-      result = new(node['contactType'])
-      company = node.at_xpath('md:Company', Namespaces::ALL)
-      result.company = company && company.content && company.content.strip
-      given_name = node.at_xpath('md:GivenName', Namespaces::ALL)
-      result.given_name = given_name && given_name.content && given_name.content.strip
-      surname = node.at_xpath('md:SurName', Namespaces::ALL)
-      result.surname = surname && surname.content && surname.content.strip
-      result.email_addresses = Base.load_string_array(node, 'md:EmailAddress')
-      result.telephone_numbers = Base.load_string_array(node, 'md:TelephoneNumber')
-      result
-    end
-
     def initialize(type = Type::OTHER)
       @type = type
       @email_addresses = []
       @telephone_numbers = []
     end
 
+    def from_xml(node)
+      self.type = node['contactType']
+      company = node.at_xpath('md:Company', Namespaces::ALL)
+      self.company = company && company.content && company.content.strip
+      given_name = node.at_xpath('md:GivenName', Namespaces::ALL)
+      self.given_name = given_name && given_name.content && given_name.content.strip
+      surname = node.at_xpath('md:SurName', Namespaces::ALL)
+      self.surname = surname && surname.content && surname.content.strip
+      self.email_addresses = load_string_array(node, 'md:EmailAddress')
+      self.telephone_numbers = load_string_array(node, 'md:TelephoneNumber')
+      self
+    end
+
     def build(builder)
       builder['md'].ContactPerson('contactType' => type) do |contact_person|
         contact_person['md'].Company(company) if company

data/lib/saml2/endpoint.rb

@@ -1,12 +1,10 @@
+require 'saml2/bindings/http_redirect'
+
 module SAML2
   class Endpoint < Base
     module Bindings
       HTTP_POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze
-      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
-    end
-
-    module Encodings
-      DEFLATE= "urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE".freeze
+      HTTP_REDIRECT = ::SAML2::Bindings::HTTPRedirect::URN
     end
 
     attr_reader :location, :binding
@@ -20,6 +18,7 @@ module SAML2
     end
 
     def from_xml(node)
+      super
       @location = node['Location']
       @binding = node['Binding']
     end
@@ -31,7 +30,7 @@ module SAML2
     class Indexed < Endpoint
       include IndexedObject
 
-      def initialize(location = nil, index = nil, is_default = false, binding = Bindings::HTTP_POST)
+      def initialize(location = nil, index = nil, is_default = nil, binding = Bindings::HTTP_POST)
         super(location, binding)
         @index, @is_default = index, is_default
       end

data/lib/saml2/entity.rb

@@ -26,34 +26,40 @@ module SAML2
       end
     end
 
-    class Group < Array
-      def self.from_xml(node)
-        node && new.from_xml(node)
+    class Group < Base
+      include Enumerable
+      [:each, :[]].each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__ + 1
+          def #{method}(*args, &block)
+            @entities.#{method}(*args, &block)
+          end
+        RUBY
       end
 
       def initialize
+        @entities = []
         @valid_until = nil
       end
 
       def from_xml(node)
-        @root = node
+        super
         remove_instance_variable(:@valid_until)
-        replace(Base.load_object_array(@root, "md:EntityDescriptor|md:EntitiesDescriptor",
+        @entities = Base.load_object_array(xml, "md:EntityDescriptor|md:EntitiesDescriptor",
                 'EntityDescriptor' => Entity,
-                'EntitiesDescriptor' => Group))
+                'EntitiesDescriptor' => Group)
       end
 
       def valid_schema?
-        Schemas.federation.valid?(@root.document)
+        Schemas.federation.valid?(xml.document)
       end
 
       def signature
         unless instance_variable_defined?(:@signature)
-          @signature = @root.at_xpath('dsig:Signature', Namespaces::ALL)
+          @signature = xml.at_xpath('dsig:Signature', Namespaces::ALL)
           signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
           # validating the schema will automatically add ID attributes, so check that first
-          @root.set_id_attribute('ID') unless @root.document.get_id(@root['ID'])
-          @signature = nil unless signed_node == "##{@root['ID']}"
+          xml.set_id_attribute('ID') unless xml.document.get_id(xml['ID'])
+          @signature = nil unless signed_node == "##{xml['ID']}"
         end
         @signature
       end
@@ -68,7 +74,7 @@ module SAML2
 
       def valid_until
         unless instance_variable_defined?(:@valid_until)
-          @valid_until = @root['validUntil'] && Time.parse(@root['validUntil'])
+          @valid_until = xml['validUntil'] && Time.parse(xml['validUntil'])
         end
         @valid_until
       end
@@ -82,23 +88,22 @@ module SAML2
     end
 
     def from_xml(node)
-      @root = node
+      super
       remove_instance_variable(:@valid_until)
       @roles = nil
-      super
     end
 
     def valid_schema?
-      Schemas.federation.valid?(@root.document)
+      Schemas.federation.valid?(xml.document)
     end
 
     def entity_id
-      @entity_id || @root && @root['entityID']
+      @entity_id || xml && xml['entityID']
     end
 
     def valid_until
       unless instance_variable_defined?(:@valid_until)
-        @valid_until = @root['validUntil'] && Time.parse(@root['validUntil'])
+        @valid_until = xml['validUntil'] && Time.parse(xml['validUntil'])
       end
       @valid_until
     end
@@ -112,8 +117,8 @@ module SAML2
     end
 
     def roles
-      @roles ||= load_object_array(@root, 'md:IDPSSODescriptor', IdentityProvider) +
-          load_object_array(@root, 'md:SPSSODescriptor', ServiceProvider)
+      @roles ||= load_object_array(xml, 'md:IDPSSODescriptor', IdentityProvider) +
+          load_object_array(xml, 'md:SPSSODescriptor', ServiceProvider)
     end
 
     def build(builder)