saml2 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7882f9e6593924c18faed398409e973ca227162a990557156d7992a51c4f7cdb
-  data.tar.gz: c862c3fd1c560068e59340ba4f19a3d810807b6c22a4c36c07fb0ef9a6711132
+  metadata.gz: af55cbf920b9c47ceee2e7f2fcad2878c042d1665f02b6933004ce7675cfb05f
+  data.tar.gz: 1f0f3e3cb1e009b7bf4d2af5e46a63d94d0d9d676d197554156cbc48c31786b1
 SHA512:
-  metadata.gz: 89aa07641f0625f8f9fd781cb41a169349567531984c1fe2adc278ae0568687c4e4822be1a9c00e0c561116ffbc39d140abde34a1be439bd36b1a3869d34dcf5
-  data.tar.gz: f07d6fbf9dc816d3223ae9cd1728b3232b469b61057ae7e6e14518efd939e3e8e4aff5c1e3b4a3c56584d7e5dbc9abc33dab180452a8b5d9b5ff7e34012c15e3
+  metadata.gz: 3d1cac3ac228678cf72214505d7eebec1af9c33b5f9464163119dd666549d82b4ab8fed696f739469ed740d51f1c69cef6ac858e9cfca5633633df396494e0bc
+  data.tar.gz: f23498a3981fd055ba7b791e33efe78d5bec213fd91866d7cc863c84133858459f224d1a391394d2c33d655cea8e335ef4cd06a7ecf76a407dc93025573e3ca4

data/lib/saml2/assertion.rb

@@ -31,6 +31,16 @@ module SAML2
       @conditions ||= Conditions.from_xml(xml.at_xpath('saml:Conditions', Namespaces::ALL))
     end
 
+    # @return [Array<AuthnStatement]
+    def authn_statements
+      statements.select { |s| s.is_a?(AuthnStatement) }
+    end
+
+    # @return [Array<AttributeStatement>]
+    def attribute_statements
+      statements.select { |s| s.is_a?(AttributeStatement) }
+    end
+
     # @return [Array<AuthnStatement, AttributeStatement>]
     def statements
       @statements ||= load_object_array(xml, 'saml:AuthnStatement|saml:AttributeStatement')

data/lib/saml2/attribute.rb

@@ -170,6 +170,38 @@ module SAML2
       end
     end
 
+    # Convert the {AttributeStatement} to a {Hash}
+    #
+    # Repeated attributes become an array.
+    #
+    # @param name optional [:name, :friendly_name]
+    #   Which name field to use as keys to the hash
+    def to_h(name = :friendly_name)
+      result = {}
+      attributes.each do |attribute|
+        key = attribute.send(name)
+        # fall back to name on missing friendly name;
+        # no need for the opposite, because name is required
+        key ||= attribute.name if name == :friendly_name
+
+        prior_value = result[key]
+        result[key] = if prior_value
+          value = Array.wrap(prior_value)
+          # repeated key; convert to array
+          if attribute.value.is_a?(Array)
+            # both values are arrays; concatenate them
+            prior_value.concat(attribute.value)
+          else
+            value << attribute.value
+          end
+          value
+        else
+          attribute.value
+        end
+      end
+      result
+    end
+
     def build(builder)
       builder['saml'].AttributeStatement('xmlns:xs' => Namespaces::XS,
                                          'xmlns:xsi' => Namespaces::XSI) do |statement|

data/lib/saml2/attribute/x500.rb

@@ -19,12 +19,12 @@ module SAML2
         ENTITLEMENT          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
         NICKNAME             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2'
         ORG_D_N              = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3'
+        ORG_UNIT_D_N         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4'
         PRIMARY_AFFILIATION  = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5'
         PRIMARY_ORG_UNIT_D_N = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8'
         PRINCIPAL_NAME       = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'
         SCOPED_AFFILIATION   = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'
         TARGETED_I_D         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'
-        UNIT_D_N             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4'
       end
       # http://www.ietf.org/rfc/rfc4519.txt
       UID = USERID           = 'urn:oid:0.9.2342.19200300.100.1.1'
@@ -35,7 +35,8 @@ module SAML2
       # @param name_or_node [String, Nokogiri::XML::Element]
       def self.recognizes?(name_or_node)
         if name_or_node.is_a?(Nokogiri::XML::Element)
-          !!name_or_node.at_xpath("@x500:Encoding", Namespaces::ALL)
+          !!name_or_node.at_xpath("@x500:Encoding", Namespaces::ALL) ||
+              name_or_node['NameFormat'] == NameFormats::URI && OIDS.include?(name_or_node['Name'])
         else
           FRIENDLY_NAMES.include?(name_or_node) || OIDS.include?(name_or_node)
         end
@@ -63,6 +64,14 @@ module SAML2
         super(name, value, friendly_name, NameFormats::URI)
       end
 
+      # (see Base.from_xml)
+      def from_xml(node)
+        super
+        # infer the friendly name if not provided
+        self.friendly_name ||= OIDS[name]
+        self
+      end
+
       # (see Base#build)
       def build(builder)
         super

data/lib/saml2/base.rb

@@ -85,6 +85,56 @@ module SAML2
     def build(builder)
     end
 
+    # Decrypt (in-place) encrypted portions of this object
+    #
+    # Either the +keys+ parameter, or a block that returns key(s), should be
+    # provided.
+    #
+    # @param keys optional [Array<OpenSSL::PKey, String>, OpenSSL::PKey, String, nil]
+    # @yield Optional block to fetch the necessary keys, given information
+    #   contained in the encrypted elements of which certificates it was
+    #   encrypted for.
+    # @yieldparam allowed_certs [Array<OpenSSL::X509::Certificate, Hash, String, nil>]
+    #   An array of certificates describing who the node was encrypted for.
+    #   Identified by an X.509 Certificate, a hash with +:issuer+ and +:serial+
+    #   keys, or a string of SubjectName.
+    # @yieldreturn [Array<OpenSSL::PKey, String>, OpenSSL::PKey, String, nil]
+    # @return [Boolean] If any nodes were present.
+    def decrypt(keys = nil)
+      encrypted_nodes = self.encrypted_nodes
+      encrypted_nodes.each do |node|
+        this_nodes_keys = keys
+        if keys.nil?
+          allowed_certs = node.xpath("dsig:KeyInfo/xenc:EncryptedKey/dsig:KeyInfo/dsig:X509Data", SAML2::Namespaces::ALL).map do |x509data|
+            if (cert = x509data.at_xpath("dsig:X509Certificate", SAML2::Namespaces::ALL)&.content&.strip)
+              OpenSSL::X509::Certificate.new(Base64.decode64(cert))
+            elsif (issuer_serial = x509data.at_xpath("dsig:X509IssuerSerial", SAML2::Namespaces::ALL))
+              {
+                  issuer: issuer_serial.at_xpath("dsig:X509IssuerName", SAML2::Namespaces::ALL).content.strip,
+                  serial: issuer_serial.at_xpath("dsig:X509SerialNumber", SAML2::Namespaces::ALL).content.strip.to_i,
+              }
+            elsif (subject_name = x509data.at_xpath("dsig:X509SubjectName", SAML2::Namespaces::ALL)&.content&.strip)
+              subject_name
+            end
+          end
+          this_nodes_keys = yield allowed_certs
+        end
+        this_nodes_keys = Array(this_nodes_keys)
+        raise ArgumentError("no decryption key provided or found") if this_nodes_keys.empty?
+
+        old_node = node.parent
+        this_nodes_keys.each_with_index do |key, i|
+          begin
+            old_node.replace(node.decrypt_with(key: key))
+          rescue XMLSec::DecryptionError
+            # swallow errors on all but the last key
+            raise if i - 1 == this_nodes_keys.length
+          end
+        end
+      end
+      !encrypted_nodes.empty?
+    end
+
     def self.load_string_array(node, element)
       node.xpath(element, Namespaces::ALL).map do |element_node|
         element_node.content&.strip
@@ -119,6 +169,10 @@ module SAML2
       self.class.load_object_array(node, element, klass)
     end
 
+    def encrypted_nodes
+      xml.xpath('//xenc:EncryptedData', Namespaces::ALL)
+    end
+
     def self.split_qname(qname)
       if qname.include?(':')
         qname.split(':', 2)

data/lib/saml2/conditions.rb

@@ -22,38 +22,46 @@ module SAML2
       @not_before = Time.parse(node['NotBefore']) if node['NotBefore']
       @not_on_or_after = Time.parse(node['NotOnOrAfter']) if node['NotOnOrAfter']
 
-      replace(node.children.map { |restriction| self.class.const_get(restriction.name, false).from_xml(restriction) })
+      replace(node.element_children.map do |restriction|
+        klass = if self.class.const_defined?(restriction.name, false)
+          self.class.const_get(restriction.name, false)
+        else
+          Condition
+        end
+        klass.from_xml(restriction)
+      end)
     end
 
     # Evaluate these conditions.
     #
-    # @param now optional [Time]
+    # @param verification_time optional [Time]
     # @param options
     #   Additional options to pass to specific {Condition}s
-    # @return [Boolean, nil]
+    # @return [Array<>]
     #   It's only valid if every sub-condition is completely valid.
     #   If any sub-condition is invalid, the whole statement is invalid.
     #   If the validity can't be determined due to an unsupported condition,
     #   +nil+ will be returned (which is false-ish)
-    def valid?(now: Time.now.utc, **options)
-      options[:now] ||= now
-      return false if not_before && now < not_before
-      return false if not_on_or_after && now >= not_on_or_after
+    def validate(verification_time: Time.now.utc, **options)
+      options[:verification_time] ||= verification_time
+      errors = []
+      if not_before && verification_time < not_before
+        errors << "not_before #{not_before} is later than now (#{verification_time})"
+      end
+      if not_on_or_after && verification_time >= not_on_or_after
+        errors << "not_on_or_after #{not_on_or_after} is earlier than now (#{verification_time})"
+      end
 
-      result = true
       each do |condition|
-        this_result = condition.valid?(**options)
-        case this_result
-        when false
-          return false
-        when nil
-          result = nil
-        when true
-        else
-          raise "unknown validity of #{condition}"
-        end
+        errors.concat(condition.validate(**options))
       end
-      result
+      errors
+    end
+
+    # Use validate instead.
+    # @deprecated
+    def valid?(now: Time.now.utc, **options)
+      validate(verification_time: now, **options).empty?
     end
 
     # (see Base#build)
@@ -70,9 +78,13 @@ module SAML2
 
     # Any unknown condition
     class Condition < Base
-      # @return [nil]
-      def valid?(_)
-        nil
+      # @return []
+      def validate(_)
+        ["unable to validate #{xml&.name || 'unrecognized'} condition"]
+      end
+
+      def valid?(*args)
+        validate(*args).empty?
       end
     end
 
@@ -96,8 +108,11 @@ module SAML2
       end
 
       # @param audience [String]
-      def valid?(audience: nil, **_)
-        Array.wrap(self.audience).include?(audience)
+      def validate(audience: nil, **_)
+        unless Array.wrap(self.audience).include?(audience)
+          return ["audience #{audience} not in allowed list of #{Array.wrap(self.audience).join(', ')}"]
+        end
+        []
       end
 
       # (see Base#build)
@@ -113,9 +128,9 @@ module SAML2
     class OneTimeUse < Condition
       # The caller will need to see if this condition exists, and validate it
       # using their own state store.
-      # @return [true]
-      def valid?(_)
-        true
+      # @return [[]]
+      def validate(_)
+        []
       end
 
       # (see Base#build)

data/lib/saml2/entity.rb

@@ -82,10 +82,11 @@ module SAML2
       end
     end
 
-    def initialize
-      super
+    # @param id [String] The Entity ID
+    def initialize(entity_id = nil)
+      super()
       @valid_until = nil
-      @entity_id = nil
+      @entity_id = entity_id
       @roles = []
       @id = "_#{SecureRandom.uuid}"
     end
@@ -152,5 +153,24 @@ module SAML2
         super
       end
     end
+
+    # Validate a message is a valid response.
+    #
+    # @param message [Message]
+    # @param identity_provider [Entity]
+    def valid_response?(message,
+                        identity_provider,
+                        verification_time: Time.now.utc,
+                        allow_expired_certificate: false)
+      unless message.is_a?(Response)
+        message.errors << "not a Response object"
+        return false
+      end
+
+      message.validate(service_provider: self,
+                       identity_provider: identity_provider,
+                       verification_time: verification_time,
+                       allow_expired_certificate: allow_expired_certificate).empty?
+    end
   end
 end

data/lib/saml2/key.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'openssl'
+
 require 'saml2/base'
 require 'saml2/namespaces'
 

data/lib/saml2/message.rb

@@ -44,6 +44,7 @@ module SAML2
   class Message < Base
     include Signable
 
+    attr_reader :errors
     attr_writer :issuer, :destination
 
     class << self
@@ -93,6 +94,7 @@ module SAML2
 
     def initialize
       super
+      @errors = []
       @id = "_#{SecureRandom.uuid}"
       @issue_instant = Time.now.utc
     end
@@ -104,6 +106,11 @@ module SAML2
       @issue_instant = nil
     end
 
+    def validate
+      @errors = Schemas.protocol.validate(xml.document)
+      errors
+    end
+
     # If the XML is valid according to SAML XSDs.
     # @return [Boolean]
     def valid_schema?
@@ -115,9 +122,15 @@ module SAML2
     # (see Signable#validate_signature)
     # @param verification_time
     #   Ignored. The message's {issue_instant} is always used.
-    def validate_signature(fingerprint: nil, cert: nil, verification_time: issue_instant)
+    def validate_signature(fingerprint: nil,
+                           cert: nil,
+                           verification_time: issue_instant,
+                           allow_expired_certificate: false)
       # verify the signature (certificate's validity) as of the time the message was generated
-      super(fingerprint: fingerprint, cert: cert, verification_time: issue_instant)
+      super(fingerprint: fingerprint,
+            cert: cert,
+            verification_time: verification_time,
+            allow_expired_certificate: allow_expired_certificate)
     end
 
     # (see Signable#sign)

data/lib/saml2/response.rb

@@ -77,6 +77,150 @@ module SAML2
       remove_instance_variable(:@assertions)
     end
 
+    # Validates a response is well-formed, signed, and optionally decrypts it
+    #
+    # @param service_provider [Entity]
+    #   The metadata object for the {ServiceProvider} receiving this
+    #   {Response}. The first {ServiceProvider} in the {Entity} is used.
+    # @param identity_provider [Entity]
+    #   The metadata object for the {IdentityProvider} the {Response} is
+    #   being received from. The first {IdentityProvider} in the {Entity} is
+    #   used.
+    # @param verification_time optional [DateTime]
+    #   Validate timestamps (signing certificate validity, issued at, etc.) as of
+    #   this point in time.
+    def validate(service_provider:,
+                 identity_provider:,
+                 verification_time: Time.now.utc,
+                 allow_expired_certificate: false)
+      raise ArgumentError, "service_provider should be an Entity object" unless service_provider.is_a?(Entity)
+      raise ArgumentError, "service_provider should have at least one service_provider role" unless (sp = service_provider.service_providers.first)
+
+      # validate the schema
+      super()
+      return errors unless errors.empty?
+
+      # not finding the issuer is not exceptional
+      if identity_provider.nil?
+        errors << "could not find issuer of response"
+        return errors
+      end
+
+      # getting the wrong data type is exceptional, and we should raise an error
+      raise ArgumentError, "identity_provider should be an Entity object" unless identity_provider.is_a?(Entity)
+      raise ArgumentError, "identity_provider should have at least one identity_provider role" unless (idp = identity_provider.identity_providers.first)
+
+      unless identity_provider.entity_id == issuer.id
+        errors << "received unexpected message from '#{issuer.id}'; expected it to be from '#{identity_provider.entity_id}'"
+        return errors
+      end
+
+      certificates = idp.signing_keys.map(&:certificate)
+      if idp.fingerprints.empty? && certificates.empty?
+        errors << "could not find certificate to validate message"
+        return errors
+      end
+
+      if signed?
+        unless (signature_errors = validate_signature(fingerprint: idp.fingerprints,
+                                                      cert: certificates,
+                                                      allow_expired_certificate: allow_expired_certificate)).empty?
+          return errors.concat(signature_errors)
+        end
+        response_signed = true
+      end
+
+      find_decryption_key = ->(embedded_certificates) do
+        key = nil
+        embedded_certificates.each do |cert_info|
+          cert = case cert_info
+                   when OpenSSL::X509::Certificate; cert_info
+                   when Hash; sp.encryption_keys.map(&:certificate).find { |c| c.serial == cert_info[:serial] }
+                 end
+          next unless cert
+          key = sp.private_keys.find { |k| cert.check_private_key(k) }
+          break if key
+        end
+        if !key
+          # couldn't figure out which key to use; just try them all
+          next sp.private_keys
+        end
+        key
+      end
+
+      unless sp.private_keys.empty?
+        begin
+          decypted_anything = decrypt(&find_decryption_key)
+        rescue XMLSec::DecryptionError
+          errors << "unable to decrypt response"
+          return errors
+        end
+
+        if decypted_anything
+          # have to re-validate the schema, since we just replaced content
+          super()
+          return errors unless errors.empty?
+        end
+      end
+
+      unless status.success?
+        errors << "response is not successful: #{status}"
+        return errors
+      end
+
+      assertion = assertions.first
+      unless assertion
+        errors << "no assertion found"
+        return errors
+      end
+
+      if assertion.signed?
+        unless (signature_errors = assertion.validate_signature(fingerprint: idp.fingerprints,
+                                                                cert: certificates,
+                                                                allow_expired_certificate: allow_expired_certificate)).empty?
+          return errors.concat(signature_errors)
+        end
+        assertion_signed = true
+      end
+
+      # only do our own issue instant validation if the assertion
+      # doesn't mandate any
+      unless assertion.conditions.not_on_or_after
+        if assertion.issue_instant +  5 * 60 < verification_time ||
+            assertion.issue_instant - 5 * 60 > verification_time
+          errors << "assertion not recently issued"
+          return errors
+        end
+      end
+
+      unless (condition_errors = assertion.conditions.validate(verification_time: verification_time,
+                                                               audience: service_provider.entity_id)).empty?
+        return errors.concat(condition_errors)
+      end
+
+      if !response_signed && !assertion_signed
+        errors << "neither response nor assertion were signed"
+        return errors
+      end
+
+      unless sp.private_keys.empty?
+        begin
+          decypted_anything = assertion.decrypt(&find_decryption_key)
+        rescue XMLSec::DecryptionError
+          errors << "unable to decrypt assertion"
+          return errors
+        end
+
+        if decypted_anything
+          super()
+          return errors unless errors.empty?
+        end
+      end
+
+      # no error
+      errors
+    end
+
     # @return [Array<Assertion>]
     def assertions
       unless instance_variable_defined?(:@assertions)
@@ -88,10 +232,14 @@ module SAML2
     # (see Signable#sign)
     # Signs each assertion.
     def sign(x509_certificate, private_key, algorithm_name = :sha256)
-      assertions.each { |assertion| assertion.sign(x509_certificate, private_key, algorithm_name) }
       # make sure we no longer pretty print this object
       @pretty = false
-      nil
+
+      # if there are no assertions (encrypted?), just sign the response itself
+      return super if assertions.empty?
+
+      assertions.each { |assertion| assertion.sign(x509_certificate, private_key, algorithm_name) }
+      self
     end
 
     private