saml_idp 0.16.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7cd98d292836070eddac0b7f710dbd15b0d3611cc849de827b999c3a2fa12d86
-  data.tar.gz: f49f1035b63375d5b8aebfd38484c1859d8ac35520f82df92fc698cea00dde1a
+  metadata.gz: 4a0fd46437c04823ad86f269552282b0252cb888294345984c5e16b88bcfa9cf
+  data.tar.gz: b7c56c2516f7aaf392fe5a999e98f67af0b79f799374757f3724724605616fc4
 SHA512:
-  metadata.gz: 7ab18f32c643b5c8be43a093349ff5c1c0f3142b8156fb650f749ffde2ce1306e104d4006178f77f27055bc6683a35ffbf8aa1d79331140b9c94ae7a2a1da7ee
-  data.tar.gz: e68e9a8f0dd08f5dd9aa31c8ff8461ca229b97cbc5e9813eed9c3575ee65bafd2c766bcfd19d9081d0956bab62b8819574b8765be692156d10967589a791cda3
+  metadata.gz: 558df23c6ffefed06a205df4ea72cc530f7a963c64741e0bb86cae16f7ffd26a822299793a6b4d7a587addf49428a71e3449f46650d1a26990ec563b690a6cac
+  data.tar.gz: ee6eec4ee019c3e01443bbc6d383e4eb6dcd422e3eb5dddcbefd10666799d9604e094e9dec22b213780a415f9efaaebfe54f8b512fef90322f6ce3cc89e4d751

data/README.md

@@ -24,9 +24,13 @@ Add this to your Gemfile:
 
 Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
 
-Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
-`saml_acs_url` to determine the source for which you need to authenticate a user. How you authenticate
-a user is entirely up to you.
+Basically, you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value 
+`saml_acs_url` to determine the source for which you need to authenticate a user. 
+If the signature (`Signature`) and signing algorithm (`SigAlg`) are provided as external parameters in the request,
+you can pass those parameters as `decode_request(params[:SAMLRequest], params[:Signature], params[:SigAlg], params[:RelayState])`.
+Then, you can verify the request signature with the `valid?` method.
+
+How you authenticate a user is entirely up to you.
 
 Once a user has successfully authenticated on your system send the Service Provider a SAMLResponse by
 posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to
@@ -74,6 +78,11 @@ KEY DATA
 -----END RSA PRIVATE KEY-----
 CERT
 
+  # x509_certificate, secret_key, and password may also be set from within a proc, for example:
+  # config.x509_certificate = -> { File.read("cert.pem") }
+  # config.secret_key = -> { SecretKeyFinder.key_for(id: 1) }
+  # config.password = -> { "password" }
+
   # config.password = "secret_key_password"
   # config.algorithm = :sha256                                    # Default: sha1 only for development.
   # config.organization_name = "Your Organization"

data/lib/saml_idp/configurator.rb

@@ -25,8 +25,8 @@ module SamlIdp
     attr_accessor :logger
 
     def initialize
-      self.x509_certificate = Default::X509_CERTIFICATE
-      self.secret_key = Default::SECRET_KEY
+      self.x509_certificate = -> { Default::X509_CERTIFICATE }
+      self.secret_key = -> { Default::SECRET_KEY }
       self.algorithm = :sha1
       self.reference_id_generator = ->() { SecureRandom.uuid }
       self.service_provider = OpenStruct.new
@@ -35,7 +35,7 @@ module SamlIdp
       self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
       self.session_expiry = 0
       self.attributes = {}
-      self.logger = defined?(::Rails) ? Rails.logger : ->(msg) { puts msg }
+      self.logger = (defined?(::Rails) && Rails.respond_to?(:logger)) ? Rails.logger : ->(msg) { puts msg }
     end
 
     # formats

data/lib/saml_idp/controller.rb

@@ -33,15 +33,18 @@ module SamlIdp
     end
 
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
-      decode_request(raw_saml_request)
-      return true if valid_saml_request?
-
-      head :forbidden if defined?(::Rails)
-      false
+      decode_request(raw_saml_request, params[:Signature], params[:SigAlg], params[:RelayState])
+      valid_saml_request?
     end
 
-    def decode_request(raw_saml_request)
-      @saml_request = Request.from_deflated_request(raw_saml_request)
+    def decode_request(raw_saml_request, signature, sig_algorithm, relay_state)
+      @saml_request = Request.from_deflated_request(
+        raw_saml_request,
+        saml_request: raw_saml_request,
+        signature: signature,
+        sig_algorithm: sig_algorithm,
+        relay_state: relay_state
+      )
     end
 
     def authn_context_classref
@@ -63,7 +66,7 @@ module SamlIdp
       signed_message_opts = opts[:signed_message] || false
       name_id_formats_opts = opts[:name_id_formats] || nil
       asserted_attributes_opts = opts[:attributes] || nil
-      signed_assertion_opts = opts[:signed_assertion] || true
+      signed_assertion_opts = opts[:signed_assertion].nil? ? true : opts[:signed_assertion]
       compress_opts = opts[:compress] || false
 
       SamlResponse.new(

data/lib/saml_idp/incoming_metadata.rb

@@ -63,6 +63,15 @@ module SamlIdp
     end
     hashable :contact_person
 
+    def unspecified_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :unspecified_certificate
+
     def signing_certificate
       xpath(
         "//md:SPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",

data/lib/saml_idp/metadata_builder.rb

@@ -152,7 +152,8 @@ module SamlIdp
     private :raw_algorithm
 
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      certificate = SamlIdp.config.x509_certificate.is_a?(Proc) ? SamlIdp.config.x509_certificate.call : SamlIdp.config.x509_certificate
+      certificate
       .to_s
       .gsub(/-----BEGIN CERTIFICATE-----/,"")
       .gsub(/-----END CERTIFICATE-----/,"")

data/lib/saml_idp/request.rb

@@ -3,7 +3,9 @@ require 'saml_idp/service_provider'
 require 'logger'
 module SamlIdp
   class Request
-    def self.from_deflated_request(raw)
+    attr_accessor :errors
+
+    def self.from_deflated_request(raw, external_attributes = {})
       if raw
         decoded = Base64.decode64(raw)
         zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
@@ -18,18 +20,23 @@ module SamlIdp
       else
         inflated = ""
       end
-      new(inflated)
+      new(inflated, external_attributes)
     end
 
-    attr_accessor :raw_xml
+    attr_accessor :raw_xml, :saml_request, :signature, :sig_algorithm, :relay_state
 
     delegate :config, to: :SamlIdp
     private :config
     delegate :xpath, to: :document
     private :xpath
 
-    def initialize(raw_xml = "")
+    def initialize(raw_xml = "", external_attributes = {})
       self.raw_xml = raw_xml
+      self.saml_request = external_attributes[:saml_request]
+      self.relay_state = external_attributes[:relay_state]
+      self.sig_algorithm = external_attributes[:sig_algorithm]
+      self.signature = external_attributes[:signature]
+      self.errors = []
     end
 
     def logout_request?
@@ -85,30 +92,53 @@ module SamlIdp
       end
     end
 
-    def valid?
+    def collect_errors(error_type)
+      errors.push(error_type)
+    end
+
+    def valid?(external_attributes = {})
       unless service_provider?
         log "Unable to find service provider for issuer #{issuer}"
+        collect_errors(:sp_not_found)
         return false
       end
 
       unless (authn_request? ^ logout_request?)
         log "One and only one of authnrequest and logout request is required. authnrequest: #{authn_request?} logout_request: #{logout_request?} "
+        collect_errors(:unaccepted_request)
         return false
       end
 
-      unless valid_signature?
-        log "Signature is invalid in #{raw_xml}"
+      if (logout_request? || validate_auth_request_signature?) && (service_provider.cert.to_s.empty? || !!service_provider.fingerprint.to_s.empty?)
+        log "Verifying request signature is required. But certificate and fingerprint was empty."
+        collect_errors(:empty_certificate)
+        return false
+      end
+
+      # XML embedded signature
+      if signature.nil? && !valid_signature?
+        log "Requested document signature is invalid in #{raw_xml}"
+        collect_errors(:invalid_embedded_signature)
+        return false
+      end
+
+      # URI query signature
+      if signature.present? && !valid_external_signature?
+        log "Requested URI signature is invalid in #{raw_xml}"
+        collect_errors(:invalid_external_signature)
         return false
       end
 
       if response_url.nil?
         log "Unable to find response url for #{issuer}: #{raw_xml}"
+        collect_errors(:empty_response_url)
         return false
       end
 
       if !service_provider.acceptable_response_hosts.include?(response_host)
         log "#{service_provider.acceptable_response_hosts} compare to #{response_host}"
         log "No acceptable AssertionConsumerServiceURL, either configure them via config.service_provider.response_hosts or match to your metadata_url host"
+        collect_errors(:not_allowed_host)
         return false
       end
 
@@ -117,15 +147,39 @@ module SamlIdp
 
     def valid_signature?
       # Force signatures for logout requests because there is no other protection against a cross-site DoS.
-      # Validate signature when metadata specify AuthnRequest should be signed
-      metadata = service_provider.current_metadata
-      if logout_request? || authn_request? && metadata.respond_to?(:sign_authn_request?) && metadata.sign_authn_request?
-        document.valid_signature?(service_provider.fingerprint)
+      if logout_request? || authn_request? && validate_auth_request_signature?
+        document.valid_signature?(service_provider.cert, service_provider.fingerprint)
       else
         true
       end
     end
 
+    def valid_external_signature?
+      return true if authn_request? && !validate_auth_request_signature?
+
+      cert = OpenSSL::X509::Certificate.new(service_provider.cert)
+
+      sha_version = sig_algorithm =~ /sha(.*?)$/i && $1.to_i
+      raw_signature = Base64.decode64(signature)
+
+      signature_algorithm = case sha_version
+      when 256 then OpenSSL::Digest::SHA256
+      when 384 then OpenSSL::Digest::SHA384
+      when 512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
+      end
+
+      result = cert.public_key.verify(signature_algorithm.new, raw_signature, query_request_string)
+      # Match all percent-encoded sequences (e.g., %20, %2B) and convert them to lowercase
+      # Upper case is recommended for consistency but some services such as MS Entra Id not follows it
+      # https://datatracker.ietf.org/doc/html/rfc3986#section-2.1
+      result || cert.public_key.verify(signature_algorithm.new, raw_signature, query_request_string.gsub(/%[A-F0-9]{2}/) { |match| match.downcase })
+    rescue OpenSSL::X509::CertificateError => e
+      log e.message
+      collect_errors(:cert_format_error)
+    end
+
     def service_provider?
       service_provider && service_provider.valid?
     end
@@ -148,6 +202,13 @@ module SamlIdp
       @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
     end
 
+    def query_request_string
+      url_string = "SAMLRequest=#{CGI.escape(saml_request)}"
+      url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
+      url_string << "&SigAlg=#{CGI.escape(sig_algorithm)}"
+    end
+    private :query_request_string
+
     def response_host
       uri = URI(response_url)
       if uri
@@ -197,5 +258,14 @@ module SamlIdp
       config.service_provider.finder
     end
     private :service_provider_finder
+
+    def validate_auth_request_signature?
+      # Validate signature when metadata specify AuthnRequest should be signed
+      metadata = service_provider.current_metadata
+      sign_authn_request = metadata.respond_to?(:sign_authn_request?) && metadata.sign_authn_request?
+      sign_authn_request = service_provider.sign_authn_request unless service_provider.sign_authn_request.nil? 
+      sign_authn_request
+    end
+    private :validate_auth_request_signature?
   end
 end

data/lib/saml_idp/saml_response.rb

@@ -98,7 +98,7 @@ module SamlIdp
 
     def assertion_builder
       @assertion_builder ||=
-        AssertionBuilder.new SecureRandom.uuid,
+        AssertionBuilder.new(reference_id || SecureRandom.uuid,
                              issuer_uri,
                              principal,
                              audience_uri,
@@ -110,7 +110,7 @@ module SamlIdp
                              encryption_opts,
                              session_expiry,
                              name_id_formats_opts,
-                             asserted_attributes_opts
+                             asserted_attributes_opts)
     end
     private :assertion_builder
   end

data/lib/saml_idp/service_provider.rb

@@ -11,6 +11,7 @@ module SamlIdp
     attribute :fingerprint
     attribute :metadata_url
     attribute :validate_signature
+    attribute :sign_authn_request
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
     attribute :response_hosts

data/lib/saml_idp/signature_builder.rb

@@ -21,7 +21,8 @@ module SamlIdp
     end
 
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      certificate = SamlIdp.config.x509_certificate.is_a?(Proc) ? SamlIdp.config.x509_certificate.call : SamlIdp.config.x509_certificate
+      certificate
       .to_s
       .gsub(/-----BEGIN CERTIFICATE-----/,"")
       .gsub(/-----END CERTIFICATE-----/,"")

data/lib/saml_idp/signed_info_builder.rb

@@ -65,12 +65,12 @@ module SamlIdp
     private :clean_algorithm_name
 
     def secret_key
-      SamlIdp.config.secret_key
+      SamlIdp.config.secret_key.is_a?(Proc) ? SamlIdp.config.secret_key.call : SamlIdp.config.secret_key
     end
     private :secret_key
 
     def password
-      SamlIdp.config.password
+      SamlIdp.config.password.is_a?(Proc) ? SamlIdp.config.password.call : SamlIdp.config.password
     end
     private :password
 

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.16.0'
+  VERSION = '1.0.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -43,24 +43,29 @@ module SamlIdp
         extract_signed_element_id
       end
 
-      def validate(idp_cert_fingerprint, soft = true)
+      def validate(idp_base64_cert, idp_cert_fingerprint, soft = true)
         # get cert from response
         cert_element = REXML::XPath.first(self, "//ds:X509Certificate", { "ds"=>DSIG })
-        raise ValidationError.new("Certificate element missing in response (ds:X509Certificate)") unless cert_element
-        base64_cert  = cert_element.text
-        cert_text    = Base64.decode64(base64_cert)
-        cert         = OpenSSL::X509::Certificate.new(cert_text)
-
-        # check cert matches registered idp cert
-        fingerprint = fingerprint_cert(cert)
-        sha1_fingerprint = fingerprint_cert_sha1(cert)
-        plain_idp_cert_fingerprint = idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-
-        if fingerprint != plain_idp_cert_fingerprint && sha1_fingerprint != plain_idp_cert_fingerprint
-          return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
+        if cert_element
+          idp_base64_cert = cert_element.text
+          cert_text    = Base64.decode64(idp_base64_cert)
+          cert         = OpenSSL::X509::Certificate.new(cert_text)
+
+          # check cert matches registered idp cert
+          fingerprint = fingerprint_cert(cert)
+          sha1_fingerprint = fingerprint_cert_sha1(cert)
+          plain_idp_cert_fingerprint = idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+
+          if fingerprint != plain_idp_cert_fingerprint && sha1_fingerprint != plain_idp_cert_fingerprint
+            return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
+          end
+        end
+
+        if idp_base64_cert.nil? || idp_base64_cert.empty?
+          raise ValidationError.new("Certificate validation is required, but it doesn't exist.")
         end
 
-        validate_doc(base64_cert, soft)
+        validate_doc(idp_base64_cert, soft)
       end
 
       def fingerprint_cert(cert)

data/lib/saml_idp.rb

@@ -9,7 +9,7 @@ module SamlIdp
   require 'saml_idp/metadata_builder'
   require 'saml_idp/version'
   require 'saml_idp/fingerprint'
-  require 'saml_idp/engine' if defined?(::Rails)
+  require 'saml_idp/engine' if defined?(::Rails::Engine)
 
   def self.config
     @config ||= SamlIdp::Configurator.new
@@ -70,9 +70,9 @@ module Saml
         !!xpath("//ds:Signature", ds: signature_namespace).first
       end
 
-      def valid_signature?(fingerprint)
+      def valid_signature?(certificate, fingerprint)
         signed? &&
-          signed_document.validate(fingerprint, :soft)
+          signed_document.validate(certificate, fingerprint, :soft)
       end
 
       def signed_document

data/saml_idp.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |s|
   s.authors = ['Jon Phenow']
   s.email = 'jon.phenow@sportngin.com'
   s.homepage = 'https://github.com/saml-idp/saml_idp'
-  s.summary = 'SAML Indentity Provider for Ruby'
+  s.summary = 'SAML Identity Provider for Ruby'
   s.description = 'SAML IdP (Identity Provider) Library for Ruby'
   s.date = Time.now.utc.strftime('%Y-%m-%d')
   s.files = Dir['lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
@@ -46,14 +46,15 @@ Gem::Specification.new do |s|
   s.add_dependency('activesupport', '>= 5.2')
   s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
+  s.add_dependency('ostruct')
   s.add_dependency('rexml')
   s.add_dependency('xmlenc', '>= 0.7.1')
 
-  s.add_development_dependency('activeresource', '>= 5.1')
+  s.add_development_dependency('activeresource', '~> 6.1')
   s.add_development_dependency('appraisal')
-  s.add_development_dependency('byebug')
   s.add_development_dependency('capybara', '>= 2.16')
   s.add_development_dependency('rails', '>= 5.2')
+  s.add_development_dependency('debug')
   s.add_development_dependency('rake')
   s.add_development_dependency('rspec', '>= 3.7.0')
   s.add_development_dependency('ruby-saml', '>= 1.7.2')

data/spec/lib/saml_idp/configurator_spec.rb

@@ -20,11 +20,11 @@ module SamlIdp
     it { should respond_to :logger }
 
     it "has a valid x509_certificate" do
-      expect(subject.x509_certificate).to eq(Default::X509_CERTIFICATE)
+      expect(subject.x509_certificate.call).to eq(Default::X509_CERTIFICATE)
     end
 
     it "has a valid secret_key" do
-      expect(subject.secret_key).to eq(Default::SECRET_KEY)
+      expect(subject.secret_key.call).to eq(Default::SECRET_KEY)
     end
 
     it "has a valid algorithm" do
@@ -47,5 +47,41 @@ module SamlIdp
     it 'has a valid session_expiry' do
       expect(subject.session_expiry).to eq(0)
     end
+
+    context "logger initialization" do
+      context 'when Rails has been properly initialized' do
+        before do
+          stub_const("Rails", double(logger: double("Rails.logger")))
+        end
+
+        it 'sets logger to Rails.logger' do
+          expect(subject.logger).to eq(Rails.logger)
+        end
+      end
+
+      context 'when Rails is not fully initialized' do
+        before do
+          stub_const("Rails", Class.new)          
+        end
+
+        it 'sets logger to a lambda' do
+          expect(subject.logger).to be_a(Proc)
+          expect { subject.logger.call("test") }.to output("test\n").to_stdout
+        end
+      end
+
+      context 'when Rails is not defined' do
+        it 'sets logger to a lambda' do
+          hide_const("Rails")
+
+          expect(subject.logger).to be_a(Proc)
+          expect { subject.logger.call("test") }.to output("test\n").to_stdout
+        end
+      end
+
+      after do
+        hide_const("Rails")
+      end
+    end
   end
 end

data/spec/lib/saml_idp/controller_spec.rb

@@ -33,7 +33,7 @@ describe SamlIdp::Controller do
     end
 
     it 'should call xml signature validation method' do
-      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(params[:SAMLRequest])
+      signed_doc = SamlIdp::XMLSecurity::SignedDocument.new(decode_saml_request(params[:SAMLRequest]))
       allow(signed_doc).to receive(:validate).and_return(true)
       allow(SamlIdp::XMLSecurity::SignedDocument).to receive(:new).and_return(signed_doc)
       validate_saml_request
@@ -66,6 +66,16 @@ describe SamlIdp::Controller do
       end
     end
 
+    context '#encode_authn_response' do
+      it 'uses default values when opts are not provided' do
+        saml_response = encode_authn_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume', signed_assertion: false })
+
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.settings = saml_settings
+        expect(response.document.to_s).to_not include("<ds:Signature>")
+      end
+    end
+
     context "solicited Response" do
       before(:each) do
         params[:SAMLRequest] = make_saml_request
@@ -81,16 +91,6 @@ describe SamlIdp::Controller do
         expect(response.is_valid?).to be_truthy
       end
 
-      it "should create a SAML Logout Response" do
-        params[:SAMLRequest] = make_saml_logout_request
-        expect(validate_saml_request).to eq(true)
-        expect(saml_request.logout_request?).to eq true
-        saml_response = encode_response(principal)
-        response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
-        expect(response.validate).to eq(true)
-        expect(response.issuer).to eq("http://example.com")
-      end
-
       it "should by default create a SAML Response with a signed assertion" do
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Response.new(saml_response)
@@ -124,4 +124,32 @@ describe SamlIdp::Controller do
       end
     end
   end
+
+  context "Single Logout Request" do
+    before do
+      idp_configure("https://foo.example.com/saml/consume", true)
+      slo_request = make_saml_sp_slo_request(security_options: { embed_sign: false })
+      params[:SAMLRequest] = slo_request['SAMLRequest']
+      params[:RelayState] = slo_request['RelayState']
+      params[:SigAlg] = slo_request['SigAlg']
+      params[:Signature] = slo_request['Signature']
+    end
+
+    it 'should successfully validate signature' do
+      expect(validate_saml_request).to eq(true)
+    end
+
+    context "solicited Response" do
+      let(:principal) { double email_address: "foo@example.com" }
+
+      it "should create a SAML Logout Response" do
+        expect(validate_saml_request).to eq(true)
+        expect(saml_request.logout_request?).to eq true
+        saml_response = encode_response(principal)
+        response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
+        expect(response.validate).to eq(true)
+        expect(response.issuer).to eq("http://idp.com/saml/idp")
+      end
+    end
+  end
 end