saml_idp 0.0.1

data/lib/saml_idp/signature_builder.rb

@@ -0,0 +1,42 @@
+require 'builder'
+module SamlIdp
+  class SignatureBuilder
+    attr_accessor :signed_info_builder
+
+    def initialize(signed_info_builder)
+      self.signed_info_builder = signed_info_builder
+    end
+
+    def raw
+      builder = Builder::XmlMarkup.new
+      builder.tag! "ds:Signature", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" do |signature|
+        signature << signed_info
+        signature.tag! "ds:SignatureValue", signature_value
+        signature.KeyInfo xmlns: "http://www.w3.org/2000/09/xmldsig#" do |key_info|
+          key_info.tag! "ds:X509Data" do |x509|
+            x509.tag! "ds:X509Certificate", x509_certificate
+          end
+        end
+      end
+    end
+
+    def x509_certificate
+      SamlIdp.config.x509_certificate
+      .to_s
+      .gsub(/-----BEGIN CERTIFICATE-----/,"")
+      .gsub(/-----END CERTIFICATE-----/,"")
+      .gsub(/\n/, "")
+    end
+    private :x509_certificate
+
+    def signed_info
+      signed_info_builder.raw
+    end
+    private :signed_info
+
+    def signature_value
+      signed_info_builder.signed
+    end
+    private :signature_value
+  end
+end

data/lib/saml_idp/signed_info_builder.rb

@@ -0,0 +1,51 @@
+require 'builder'
+module SamlIdp
+  class SignedInfoBuilder
+    include Algorithmable
+    attr_accessor :reference_id
+    attr_accessor :digest_value
+    attr_accessor :raw_algorithm
+
+    def initialize(reference_id, digest_value, raw_algorithm)
+      self.reference_id = reference_id
+      self.digest_value = digest_value
+      self.raw_algorithm = raw_algorithm
+    end
+
+    def raw
+      builder = Builder::XmlMarkup.new
+      builder.tag! "ds:SignedInfo", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#" do |signed_info|
+        signed_info.tag!("ds:CanonicalizationMethod", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#") {}
+        signed_info.tag!("ds:SignatureMethod", Algorithm: "http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}") {}
+        signed_info.tag! "ds:Reference", URI: reference_string do |reference|
+          reference.tag! "ds:Transforms" do |transforms|
+            transforms.tag!("ds:Transform", Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature") {}
+            transforms.tag!("ds:Transform", Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#") {}
+          end
+          reference.tag!("ds:DigestMethod", Algorithm: "http://www.w3.org/2000/09/xmldsig##{algorithm_name}") {}
+          reference.tag! "ds:DigestValue", digest_value
+        end
+      end
+    end
+
+    def signed
+      encoded.gsub(/\n/, "")
+    end
+
+    def secret_key
+      SamlIdp.config.secret_key
+    end
+    private :secret_key
+
+    def encoded
+      key = OpenSSL::PKey::RSA.new(secret_key)
+      Base64.encode64(key.sign(algorithm.new, raw))
+    end
+    private :encoded
+
+    def reference_string
+      "#_#{reference_id}"
+    end
+    private :reference_string
+  end
+end

data/lib/saml_idp/version.rb

@@ -0,0 +1,4 @@
+# encoding: utf-8
+module SamlIdp
+  VERSION = '0.0.1'
+end

data/lib/saml_idp/xml_security.rb

@@ -0,0 +1,168 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require 'nokogiri'
+require "digest/sha1"
+require "digest/sha2"
+
+module SamlIdp
+  module XMLSecurity
+    class SignedDocument < REXML::Document
+      ValidationError = Class.new(StandardError)
+      C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
+      DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_accessor :signed_element_id
+
+      def initialize(response)
+        super(response)
+        extract_signed_element_id
+      end
+
+      def validate(idp_cert_fingerprint, soft = true)
+        # get cert from response
+        cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
+        raise ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
+        base64_cert  = cert_element.text
+        cert_text    = Base64.decode64(base64_cert)
+        cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+        # check cert matches registered idp cert
+        fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+          return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
+        end
+
+        validate_doc(base64_cert, soft)
+      end
+
+      def validate_doc(base64_cert, soft = true)
+        # validate references
+
+        # check for inclusive namespaces
+        inclusive_namespaces = extract_inclusive_namespaces
+
+        document = Nokogiri.parse(self.to_s)
+
+        # create a working copy so we don't modify the original
+        @working_copy ||= REXML::Document.new(self.to_s).root
+
+        # store and remove signature node
+        @sig_element ||= begin
+                           element = REXML::XPath.first(@working_copy, "//ds:Signature", {"ds"=>DSIG})
+                           element.remove
+                         end
+
+
+        # verify signature
+        signed_info_element     = REXML::XPath.first(@sig_element, "//ds:SignedInfo", {"ds"=>DSIG})
+        noko_sig_element = document.at_xpath('//ds:Signature', 'ds' => DSIG)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => DSIG)
+        canon_algorithm = canon_algorithm REXML::XPath.first(@sig_element, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+        canon_string = noko_signed_info_element.canonicalize(canon_algorithm)
+        noko_sig_element.remove
+
+        # check digests
+        REXML::XPath.each(@sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
+          uri                           = ref.attributes.get_attribute("URI").value
+
+          hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
+          canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
+          canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
+
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+
+          hash                          = digest_algorithm.digest(canon_hashed_element)
+          digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)
+
+          unless digests_match?(hash, digest_value)
+            return soft ? false : (raise ValidationError.new("Digest mismatch"))
+          end
+        end
+
+        base64_signature        = REXML::XPath.first(@sig_element, "//ds:SignatureValue", {"ds"=>DSIG}).text
+        signature               = Base64.decode64(base64_signature)
+
+        # get certificate object
+        cert_text               = Base64.decode64(base64_cert)
+        cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+        # signature method
+        signature_algorithm     = algorithm(REXML::XPath.first(signed_info_element, "//ds:SignatureMethod", {"ds"=>DSIG}))
+
+        unless cert.public_key.verify(signature_algorithm.new, signature, canon_string)
+          return soft ? false : (raise ValidationError.new("Key validation error"))
+        end
+
+        return true
+      end
+
+      private
+
+      def digests_match?(hash, digest_value)
+        hash == digest_value
+      end
+
+      def extract_signed_element_id
+        reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+        self.signed_element_id  = reference_element.attribute("URI").value[1..-1] unless reference_element.nil?
+      end
+
+      def canon_algorithm(element)
+        algorithm = element.attribute('Algorithm').value if element
+        case algorithm
+        when "http://www.w3.org/2001/10/xml-exc-c14n#"         then Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        when "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" then Nokogiri::XML::XML_C14N_1_0
+        when "http://www.w3.org/2006/12/xml-c14n11"            then Nokogiri::XML::XML_C14N_1_1
+        else                                                        Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        end
+      end
+
+      def algorithm(element)
+        algorithm = element.attribute("Algorithm").value if element
+        algorithm = algorithm && algorithm =~ /sha(.*?)$/i && $1.to_i
+        case algorithm
+        when 256 then OpenSSL::Digest::SHA256
+        when 384 then OpenSSL::Digest::SHA384
+        when 512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA1
+        end
+      end
+
+      def extract_inclusive_namespaces
+        if element = REXML::XPath.first(self, "//ec:InclusiveNamespaces", { "ec" => C14N })
+          prefix_list = element.attributes.get_attribute("PrefixList").value
+          prefix_list.split(" ")
+        else
+          []
+        end
+      end
+    end
+  end
+end

data/saml_idp.gemspec

@@ -0,0 +1,38 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "saml_idp/version"
+
+Gem::Specification.new do |s|
+  s.name = %q{saml_idp}
+  s.version = SamlIdp::VERSION
+  s.platform = Gem::Platform::RUBY
+  s.authors = ["Jon Phenow"]
+  s.email = %q{jon.phenow@sportngin.com}
+  s.homepage = %q{http://github.com/sportngin/saml_idp}
+  s.summary = %q{SAML Indentity Provider in ruby}
+  s.description = %q{SAML IdP (Identity Provider) library in ruby}
+  s.date = Time.now.utc.strftime("%Y-%m-%d")
+  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
+     "LICENSE",
+     "README.md",
+     "Gemfile",
+     "saml_idp.gemspec"
+  ]
+  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.add_dependency('activesupport')
+  s.add_dependency('uuid')
+  s.add_dependency('builder')
+  s.add_dependency('httparty')
+
+  s.add_development_dependency "rake"
+  s.add_development_dependency "simplecov"
+  s.add_development_dependency "rspec"
+  s.add_development_dependency "ruby-saml"
+  s.add_development_dependency("rails", "~> 3.2")
+  s.add_development_dependency("capybara")
+  s.add_development_dependency("timecop")
+end
+

data/spec/acceptance/acceptance_helper.rb

@@ -0,0 +1,9 @@
+require File.expand_path(File.dirname(__FILE__) + "/../spec_helper")
+require 'capybara/rspec'
+
+# Put your acceptance spec helpers inside /spec/acceptance/support
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  config.include Rails.application.routes.url_helpers, :type => :request
+end

data/spec/acceptance/idp_controller_spec.rb

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature 'IdpController' do
+
+  scenario 'Login via default signup page' do
+    saml_request = make_saml_request("http://foo.example.com/saml/consume")
+    visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
+    fill_in 'Email', :with => "foo@example.com"
+    fill_in 'Password', :with => "okidoki"
+    click_button 'Sign in'
+    click_button 'Submit'   # simulating onload
+    current_url.should == 'http://foo.example.com/saml/consume'
+    page.should have_content "foo@example.com"
+  end
+
+end

data/spec/lib/saml_idp/algorithmable_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+module SamlIdp
+  describe "Algorithmable" do
+    include Algorithmable
+
+    describe "named raw algorithm" do
+      def raw_algorithm
+        :sha256
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA256
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha256"
+      end
+    end
+
+    describe "class raw algorithm" do
+      def raw_algorithm
+        OpenSSL::Digest::SHA512
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA512
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha512"
+      end
+    end
+
+    describe "nonexistent raw algorithm" do
+      def raw_algorithm
+        :sha1024
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA1
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha1"
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+module SamlIdp
+  describe AssertionBuilder do
+    let(:reference_id) { "abc" }
+    let(:issuer_uri) { "http://sportngin.com" }
+    let(:name_id) { "jon.phenow@sportngin.com" }
+    let(:audience_uri) { "http://example.com" }
+    let(:saml_request_id) { "123" }
+    let(:saml_acs_url) { "http://saml.acs.url" }
+    let(:algorithm) { :sha256 }
+    subject { described_class.new(
+      reference_id,
+      issuer_uri,
+      name_id,
+      audience_uri,
+      saml_request_id,
+      saml_acs_url,
+      algorithm
+    ) }
+
+    it "builds a legit raw XML file" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T14:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/attribute_decorator_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+module SamlIdp
+  describe AttributeDecorator do
+    subject { described_class.new name: name,
+              friendly_name: friendly_name,
+              name_format: name_format,
+              values: values
+    }
+    let(:name) { nil }
+    let(:friendly_name) { nil }
+    let(:name_format) { nil }
+    let(:values) { nil }
+
+    its(:name) { should be_nil }
+    its(:friendly_name) { should be_nil }
+    its(:name_format) { should == Saml::XML::Namespaces::Formats::Attr::URI }
+    its(:values) { should == [] }
+
+    describe "with values set" do
+      let(:name) { "test" }
+      let(:friendly_name) { "test too" }
+      let(:name_format) { "some format" }
+      let(:values) { :val }
+
+      its(:name) { should == name }
+      its(:friendly_name) { should == friendly_name }
+      its(:name_format) { should == name_format }
+      its(:values) { should == [values] }
+    end
+  end
+end