saml_camel 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d301a7a75f983e4a996abb0c7929c03918e0b9a0
-  data.tar.gz: 80c7b4c2083c751a1f384f854af60d5e6e243e1f
+  metadata.gz: ae748230ac0230ac13ca645a14e0d5394a4a7ae0
+  data.tar.gz: 1cc2096cbc175ee27688750af186f897fb6f525a
 SHA512:
-  metadata.gz: 232ceb4b900009acf4ba6df0b73b24dd0a87b726062e5fc6c5bbe9038ee72ddd3561edfaf68fde56d0f21a82721c811ce6051c900c5ba1e401af0b5ad65b0a97
-  data.tar.gz: 8cbfe2f298adabff017463fa86fe062d3c7b0ca379167b37214b63714f41deefac2b9ad46c8872e757a4c060f5bda19c99fc3e4a08b14b7bce3e322052631bbe
+  metadata.gz: 55c69cba9cee795e417709c02d4c8348bd657ee104ebefd65241a57a91b0dd2177548adbc1998f753d073646ef8346dd8850b3abde2bcff86650281b7d22c1df
+  data.tar.gz: 95d27ce112e6b95ce27f4f30af3af1a881888a7a67b39ef0a1c0771ae4f78f07497ce8d96d231674f9b0be02c8980e8f12cd11b5555323706bc407ff28dc58f4

data/README.md

@@ -1,4 +1,18 @@
 # SamlCamel - (not production ready)
+## About
+SamlCamel is a SAML gem/engine built off of the OneLogin ruby-saml gem.
+It is intended to provide Rails applications with capability to generate and consume
+SAML requests and responses. The gem is optimized to integrate with the Duke University
+Identity Provider, but can be used to integrate with other Identity Provider. Additional Information
+about integrating with the Duke IDP can be found here https://authentication.oit.duke.edu/manager/docs
+
+## Terminology within the context of the gem
+- **Identity Provider (IDP)**: This is the system providing the authentication Service and provides user credentials.
+- **Service Provider (SP)**: This is the system that sends authentication requests and consumes attributes from the response. SamlCamel is the SP in SAML integrations.
+- **Entity ID**: A unique identifier for your SP. It usually takes the form of a url but does not have to resolve. The entity id is not used for routing in any way, only for identification to the IDP. Example: *https://my-site.com/does/not/resolve*   
+- **Assertion Consumer Service (ACS)**: the endpoint of the SP where the IDP should send the response. The is part of the SamlCamel gem. Example: */saml/consumeSaml*
+
+
 ## Installation
 Add this line to your application's Gemfile:
 
@@ -36,7 +50,7 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
   - fill out functional purpose, responsible dept, function owner dept, and audience with information relevant to your application
   - copy the cert from `saml/development/saml_certificate.crt` and paste it into the Certificate Field
   - copy the acs value and paste it into the Location field in the Assertion Consumer Service box
-    - note that the default host value for ACS is `http://locahost:3000` which is the default `rails s` host. If you're using a differnet host (such as in production or using docker) you will want to replace the host value with what is relevent for your situation(*e.g. https://my-app.duke.edu/saml/consumeSaml*), but keep the path `/saml/consumeSaml`
+    - note that the default host value for ACS is `http://locahost:3000` which is the default `rails s` host. If you're using a different host (such as in production or using docker) you will want to replace the host value with what is relevent for your situation(*e.g. https://my-app.duke.edu/saml/consumeSaml*), but keep the path `/saml/consumeSaml`
 
 5. In your app mount the engine in config/routes.rb
   ```ruby
@@ -66,18 +80,22 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
 
 9. Logging is turned on by default. Logging is configured in `saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
 
+
 10. Users can go to http://localhost:3000/saml/attributes to view attributes being passed through
 
+
 ## Example settings.json
 ```json
 {
   "_comment": "note you will need to restart the application when you make changes to this file",
   "settings": {
     "acs": "http://localhost:3000/saml/consumeSaml",
-    "entity_id": "http://my-entity-id.corgi",
+    "entity_id": "https://samlCamel.com/doesNotResolve",
     "sso_url": "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
     "logout_return_url": "http://localhost:3000",
     "primary_id": "eduPersonPrincipalName",
+    "sp_session_timeout": 1,
+    "sp_session_lifetime": 8,
     "saml_logging": true
   },
   "attribute_map": {

data/app/controllers/concerns/saml_camel/saml_helpers.rb

@@ -4,58 +4,127 @@ module SamlCamel::SamlHelpers
     extend ActiveSupport::Concern
     SP_SETTINGS = JSON.parse(File.read("saml/#{Rails.env}/settings.json"))
 
-
     #this generates a call to the idp, which will then be returned to the consume action the in saml_contorller
     def saml_request(host_request)
-      relay_state = SecureRandom.base64.chomp.gsub( /\W/, '' ) #set relay state to secure against replay attack
       request = OneLogin::RubySaml::Authrequest.new
-
-      #store relay state, ip address and original url request in memory to be used for verification and redirect after response
       assign_permit_key
+      lifetime =  SP_SETTINGS['settings']["sp_session_lifetime"]
       permit_key = session[:saml_session_id].to_sym
-      Rails.cache.fetch(permit_key, expires_in: 5.minutes) do
-        {ip_address: host_request.remote_ip, relay_state: relay_state, redirect_url:  host_request.url }
+
+      #store ip address and original url request in memory to be used for verification and redirect after response
+      Rails.cache.fetch(permit_key, expires_in: lifetime.hours) do
+        {ip_address: host_request.remote_ip,  redirect_url:  host_request.url }
       end
-      saml_request_url = request.create(SamlCamel::Transaction.saml_settings) + "&RelayState=#{Rails.cache.fetch(permit_key)[:relay_state]}"
+
+      saml_request_url = request.create(SamlCamel::Transaction.saml_settings)
       redirect_to(saml_request_url)
     end
 
 
-    #validates the user ip address and relay state given to IDP. Prevents Replay Attacks.
-    def valid_state(param_relay_state, remote_ip)
-      permit_key = session[:saml_session_id].to_sym
-      saml_cache = Rails.cache.fetch(permit_key)
-      
-      if saml_cache
-        stored_relay = saml_cache[:relay_state]
-        stored_ip = saml_cache[:ip_address]
+    #ensures that a saml response can not be used more than once.
+    #stores response ids and checks to see if the response id has already been used.
+    def duplicate_response_id?(response_id)
+      ids = Rails.cache.fetch("response_ids")
+      if ids
+        if ids.include?(response_id)
+          session[:sp_session] = nil
+          raise "SAML response ID already issued."
+        else
+          ids << response_id
+          Rails.cache.fetch("response_ids", expires_in: 1.hours) do
+            ids
+          end
+        end
       else
-        raise "Unable to access cache. Ensure cache is configrued according to documentation."
+        Rails.cache.fetch("response_ids", expires_in: 1.hours) do
+          []
+        end
       end
+    end
 
-      SamlCamel::Logging.saml_state({stored_relay: stored_relay, request_relay: param_relay_state, stored_ip: stored_ip, remote_ip: remote_ip})
-      param_relay_state == stored_relay && remote_ip == stored_ip
+    def set_saml_session_lifetime(permit_key)
+      user_saml_cache = Rails.cache.fetch(permit_key)
+      user_saml_cache[:session_start_time] = Time.now
+      Rails.cache.fetch(permit_key, expires_in: 8.hours) do
+        user_saml_cache
+      end
     end
 
 
     #Make it so sp sessions only last 1 hour, sp_session is set on a succesfull saml response.
     #We check that the session time is less than in hour if so we refresh, otherwise we delete the session
     def expired_session?
+      permit_key = session[:saml_session_id].to_sym
+      user_cache = Rails.cache.fetch(permit_key)
+      cache_available?(user_cache)
+
+      sp_timeout = SP_SETTINGS["settings"]["sp_session_timeout"]
+      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
+
+      set_saml_session_lifetime(permit_key) if user_cache[:session_start_time].nil?
+      sp_session_init_time = user_cache[:session_start_time]
+
       if session[:sp_session]
-        if (Time.now - Time.parse(session[:sp_session])) < 1.hour
+        #if the session has timed out remove session, otherwise refresh
+        if (Time.now - Time.parse(session[:sp_session])) < sp_timeout.hour
           session[:sp_session] = Time.now
-          return true
+        else
+          SamlCamel::Logging.expired_session(session[:saml_attributes])
+          session[:sp_session] = nil
+        end
+
+        #if the session has exceeded the allowed lifetime, remove session
+        if (Time.now - sp_session_init_time) > sp_lifetime.hour
+          SamlCamel::Logging.expired_session(session[:saml_attributes])
+          session[:sp_session] = nil
         end
       end
     end
 
 
+    def valid_ip?(remote_ip)
+      permit_key = session[:saml_session_id].to_sym
+      saml_cache =  Rails.cache.fetch(permit_key)
+      cache_available?(saml_cache)
+        unless remote_ip == saml_cache[:ip_address]
+          SamlCamel::Logging.bad_ip(session[:saml_attributes], saml_cache[:ip_address], remote_ip)
+          session[:sp_session] = nil
+        end
+    end
+
+
     #saml_protect is what is called in the app. it initiates the saml request if there is no active session, or if a user has been idle for over an hour
-    #TODO re-factor in future
     def saml_protect
-        not_expired = expired_session?
-        saml_request(request) unless (session[:saml_success] || session[:sp_session] || not_expired) #keeps us from looping, and maintains sp session
-        session[:saml_success] = nil
+      user_cache = cache_available?(Rails.cache.fetch(session[:saml_session_id]))
+      if session[:saml_session_id] && user_cache
+        #sets session[:sp_session] to nil if expired, of if the ip adress changes
+
+        expired_session?
+        valid_ip?(request.remote_ip)
+        saml_request(request) unless (session[:saml_response_success] || session[:sp_session])
+      else
+        saml_request(request)
+      end
+      session[:saml_response_success] = nil #keeps us from looping
+    end
+
+
+    def cache_available?(app_cache)
+      if app_cache
+        true
+      else
+        session[:sp_session] = nil
+        false
+      end
+    end
+
+
+    def verify_sha_type(response)
+      raw_xml_string = response.decrypted_document.to_s
+      attr_scan = raw_xml_string.scan(/<ds:SignatureMethod.*\/>/)
+      is_sha1 = attr_scan[0].match?("sha1")
+
+      raise "SHA1 algorithm not supported " if is_sha1
     end
 
     def assign_permit_key

data/app/controllers/saml_camel/application_controller.rb

@@ -1,6 +1,5 @@
 module SamlCamel
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
-    
   end
 end

data/app/controllers/saml_camel/saml_controller.rb

@@ -7,6 +7,7 @@ module SamlCamel
     before_action :saml_protect, only: [:attr_check]
 
 
+
     #convinence route to see attributes that are coming through
     def index
       @attributes = session[:saml_attributes]
@@ -15,18 +16,30 @@ module SamlCamel
 
     #consumes the saml response from the IDP
     def consume
-      raise "Invalid RelayState" unless valid_state(params[:RelayState], request.remote_ip)
       permit_key = session[:saml_session_id].to_sym
-      redirect_path = Rails.cache.fetch(permit_key)[:redirect_url]
-      Rails.cache.delete(permit_key) #we no longer need cache at this stage
-      session[:saml_session_id] = nil
+      user_cache =  Rails.cache.fetch(permit_key)
+      raise "Unable to access cache. Ensure cache is configrued according to documentation." unless cache_available?(user_cache)
 
+      redirect_path = user_cache[:redirect_url]
       response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
       response.settings = saml_settings
 
       if response.is_valid? # validate the SAML Response
+
+        #verify not sha1
+        verify_sha_type(response)
+
+        response_id = response.id(response.document)
+
+        #confirm that IP address from response matches that of original request
+        valid_ip?(request.remote_ip)
+
+        #check that response id has not already been used
+        duplicate_response_id?(response_id)
+
         # authorize_success, log the user
-        session[:saml_success] = true
+        session[:saml_response_success] = true
+        set_saml_session_lifetime(permit_key)
         session[:sp_session] = Time.now
 
         session[:saml_attributes] = SamlCamel::Transaction.map_attributes(response.attributes)
@@ -39,18 +52,21 @@ module SamlCamel
           Rails.cache.delete(permit_key)
           session[:saml_session_id] = nil
         end
-
-        session[:saml_success] = false
+        session[:sp_session] = nil
+        session[:saml_response_success] = false
         response.errors
         SamlCamel::Logging.auth_failure(response.errors)
 
         redirect_to action: "failure", locals:{errors: response.errors}
       end
     rescue => e
-      permit_key = session[:saml_session_id].to_sym
-      Rails.cache.delete(permit_key)
-      session[:saml_success] = false
+      if  session[:saml_session_id]
+        permit_key = session[:saml_session_id].to_sym
+        Rails.cache.delete(permit_key)
+      end
+      session[:saml_response_success] = false
       session[:saml_session_id] = nil
+      session[:sp_session] = nil
 
       SamlCamel::Logging.auth_failure(e)
       redirect_to action: "failure", locals:{errors: e}

data/app/models/saml_camel/logging.rb

@@ -26,6 +26,20 @@ module SamlCamel
       logger.debug("Unknown error logging user logout. Most likely anonymous user clicked a logout button.")
     end
 
+    def self.expired_session(saml_attrs)
+      logger = Logger.new("log/saml.log")
+      logger.info("Session Expired for #{saml_attrs[PRIMARY_ID]}")
+    rescue
+      logger.debug("Unknown Error During relay state logging.")
+    end
+
+    def self.bad_ip(saml_attrs,request_ip,current_ip)
+      logger = Logger.new("log/saml.log")
+      logger.info("Bad IP address for #{saml_attrs[PRIMARY_ID]}. IP at SAML request #{request_ip} | IP presented #{current_ip}")
+    rescue
+      logger.debug("Unknown Error During relay state logging.")
+    end
+
     def self.saml_state(data)
       logger = Logger.new("log/saml.log")
       logger.info("Stored Relay: #{data[:stored_relay]} | RequestRelay: #{data[:request_relay]} | Stored IP: #{data[:stored_ip]}  RemoteIP: #{data[:remote_ip]}")

data/app/models/saml_camel/transaction.rb

@@ -21,6 +21,11 @@ module SamlCamel
       # certificate to verify IDP signature
       settings.idp_cert = File.read("saml/#{Rails.env}/idp_certificate.crt")
 
+
+      #TODO test by modding relying party duke-coi-smart example
+      settings.security[:digest_method]    = XMLSecurity::Document::SHA256
+      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
+
       # Optional for most SAML IdPs
       settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
       settings.attribute_consuming_service.configure do

data/lib/saml_camel/version.rb

@@ -1,3 +1,3 @@
 module SamlCamel
-  VERSION = '0.2.0'
+  VERSION = '0.2.1'
 end

data/lib/tasks/saml_camel_tasks.rake

@@ -70,6 +70,8 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
         sso_url: "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
         logout_return_url: "http://localhost:3000",
         primary_id: "eduPersonPrincipalName",
+        sp_session_timeout: 1,
+        sp_session_lifetime: 8,
         saml_logging: true
       },
       "attribute_map": {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-20 00:00:00.000000000 Z
+date: 2018-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails