saml_idp 0.2.1 → 0.3.0

data/lib/saml_idp/response_builder.rb

@@ -24,7 +24,7 @@ module SamlIdp
     end
 
     def encode
-      Base64.encode64(raw)
+      Base64.strict_encode64(raw)
     end
     private :encode
 

data/lib/saml_idp/saml_response.rb

@@ -15,6 +15,7 @@ module SamlIdp
     attr_accessor :x509_certificate
     attr_accessor :authn_context_classref
     attr_accessor :expiry
+    attr_accessor :encryption_opts
 
     def initialize(reference_id,
           response_id,
@@ -25,7 +26,8 @@ module SamlIdp
           saml_acs_url,
           algorithm,
           authn_context_classref,
-          expiry=60*60
+          expiry=60*60,
+          encryption_opts=nil
           )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -39,6 +41,7 @@ module SamlIdp
       self.x509_certificate = x509_certificate
       self.authn_context_classref = authn_context_classref
       self.expiry = expiry
+      self.encryption_opts = encryption_opts
     end
 
     def build
@@ -46,9 +49,13 @@ module SamlIdp
     end
 
     def signed_assertion
-      assertion_builder.signed
+      if encryption_opts
+        assertion_builder.encrypt(sign: true)
+      else
+        assertion_builder.signed
+      end
     end
-    private
+    private :signed_assertion
 
     def response_builder
       ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
@@ -64,7 +71,8 @@ module SamlIdp
         saml_acs_url,
         algorithm,
         authn_context_classref,
-        expiry
+        expiry,
+        encryption_opts
     end
     private :assertion_builder
   end

data/lib/saml_idp/service_provider.rb

@@ -6,10 +6,12 @@ module SamlIdp
   class ServiceProvider
     include Attributeable
     attribute :identifier
+    attribute :cert
     attribute :fingerprint
     attribute :metadata_url
     attribute :validate_signature
     attribute :acs_url
+    attribute :assertion_consumer_logout_service_url
 
     delegate :config, to: :SamlIdp
 
@@ -17,9 +19,12 @@ module SamlIdp
       attributes.present?
     end
 
-    def valid_signature?(doc)
-      !should_validate_signature? ||
+    def valid_signature?(doc, require_signature = false)
+      if require_signature || should_validate_signature?
         doc.valid_signature?(fingerprint)
+      else
+        true
+      end
     end
 
     def should_validate_signature?

data/lib/saml_idp/signable.rb

@@ -110,7 +110,7 @@ module SamlIdp
       digest_algorithm = get_algorithm
 
       hash                          = digest_algorithm.digest(canon_hashed_element)
-      Base64.encode64(hash).gsub(/\n/, '')
+      Base64.strict_encode64(hash).gsub(/\n/, '')
     end
     private :digest
 

data/lib/saml_idp/signed_info_builder.rb

@@ -76,7 +76,7 @@ module SamlIdp
 
     def encoded
       key = OpenSSL::PKey::RSA.new(secret_key, password)
-      Base64.encode64(key.sign(algorithm.new, raw))
+      Base64.strict_encode64(key.sign(algorithm.new, raw))
     end
     private :encoded
 

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.2.1'
+  VERSION = '0.3.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -52,15 +52,28 @@ module SamlIdp
         cert         = OpenSSL::X509::Certificate.new(cert_text)
 
         # check cert matches registered idp cert
-        fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+        fingerprint = fingerprint_cert(cert)
+        sha1_fingerprint = fingerprint_cert_sha1(cert)
+        plain_idp_cert_fingerprint = idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
 
-        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+        if fingerprint != plain_idp_cert_fingerprint && sha1_fingerprint != plain_idp_cert_fingerprint
           return soft ? false : (raise ValidationError.new("Fingerprint mismatch"))
         end
 
         validate_doc(base64_cert, soft)
       end
 
+      def fingerprint_cert(cert)
+        # pick algorithm based on the doc's digest algorithm
+        ref_elem = REXML::XPath.first(self, "//ds:Reference", {"ds"=>DSIG})
+        digest_algorithm = algorithm(REXML::XPath.first(ref_elem, "//ds:DigestMethod"))
+        digest_algorithm.hexdigest(cert.to_der)
+      end
+
+      def fingerprint_cert_sha1(cert)
+        OpenSSL::Digest::SHA1.hexdigest(cert.to_der)
+      end
+
       def validate_doc(base64_cert, soft = true)
         # validate references
 

data/saml_idp.gemspec

@@ -34,6 +34,11 @@ If you just need to see the certificate `bundle open saml_idp` and go to
 
 Similarly, please see the README about certificates - you should avoid using the
 defaults in a Production environment. Post any issues you to github.
+
+** New in Version 0.3.0 **
+
+Encrypted Assertions require the xmlenc gem. See the example in the Controller
+section of the README.
   INST
 
   s.add_dependency('activesupport')
@@ -45,9 +50,10 @@ defaults in a Production environment. Post any issues you to github.
   s.add_development_dependency "rake"
   s.add_development_dependency "simplecov"
   s.add_development_dependency "rspec", "~> 2.5"
-  s.add_development_dependency "ruby-saml", "~> 0.8"
+  s.add_development_dependency "ruby-saml", "~> 1.2"
   s.add_development_dependency("rails", "~> 3.2")
   s.add_development_dependency("capybara")
   s.add_development_dependency("timecop")
+  s.add_development_dependency("xmlenc", ">= 0.6.4")
 end
 

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -12,6 +12,13 @@ module SamlIdp
       Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
     }
     let(:expiry) { 3*60*60 }
+    let (:encryption_opts) do
+      {
+        cert: Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }
+    end
     subject { described_class.new(
       reference_id,
       issuer_uri,
@@ -29,5 +36,22 @@ module SamlIdp
         subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
       end
     end
+
+    it "builds encrypted XML" do
+      builder = described_class.new(
+        reference_id,
+        issuer_uri,
+        name_id,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        algorithm,
+        authn_context_classref,
+        expiry,
+        encryption_opts
+      )
+      encrypted_xml = builder.encrypt
+      encrypted_xml.should_not match(audience_uri)
+    end
   end
 end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -10,6 +10,7 @@ module SamlIdp
     it { should respond_to :reference_id_generator }
     it { should respond_to :attribute_service_location }
     it { should respond_to :single_service_post_location }
+    it { should respond_to :single_logout_service_post_location }
     it { should respond_to :name_id }
     it { should respond_to :attributes }
     it { should respond_to :service_provider }

data/spec/lib/saml_idp/controller_spec.rb

@@ -25,26 +25,56 @@ describe SamlIdp::Controller do
     end
 
     let(:principal) { double email_address: "foo@example.com" }
+    let (:encryption_opts) do
+      {
+        cert: SamlIdp::Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }
+    end
 
     it "should create a SAML Response" do
       saml_response = encode_response(principal)
       response = OneLogin::RubySaml::Response.new(saml_response)
       response.name_id.should == "foo@example.com"
-      response.issuer.should == "http://example.com"
+      response.issuers.first.should == "http://example.com"
       response.settings = saml_settings
       response.is_valid?.should be_truthy
     end
 
+    it "should create a SAML Logout Response" do
+      params[:SAMLRequest] = make_saml_logout_request
+      validate_saml_request
+      expect(saml_request.logout_request?).to eq true
+      saml_response = encode_response(principal)
+      response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
+      response.validate.should == true
+      response.issuer.should == "http://example.com"
+    end
+
     [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
       it "should create a SAML Response using the #{algorithm_name} algorithm" do
         self.algorithm = algorithm_name
         saml_response = encode_response(principal)
         response = OneLogin::RubySaml::Response.new(saml_response)
         response.name_id.should == "foo@example.com"
-        response.issuer.should == "http://example.com"
+        response.issuers.first.should == "http://example.com"
         response.settings = saml_settings
         response.is_valid?.should be_truthy
       end
+
+      it "should encrypt SAML Response assertion" do
+        self.algorithm = algorithm_name
+        saml_response = encode_response(principal, encryption: encryption_opts)
+        resp_settings = saml_settings
+        resp_settings.private_key = SamlIdp::Default::SECRET_KEY
+        response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
+        response.document.to_s.should_not match("foo@example.com")
+        response.decrypted_document.to_s.should match("foo@example.com")
+        response.name_id.should == "foo@example.com"
+        response.issuers.first.should == "http://example.com"
+        response.is_valid?.should be_truthy
+      end
     end
   end
 

data/spec/lib/saml_idp/encryptor_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+require 'saml_idp/encryptor'
+
+module SamlIdp
+  describe Encryptor do
+    let (:encryption_opts) do
+      {   
+        cert: Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }   
+    end
+
+    subject { described_class.new encryption_opts }
+
+    it "encrypts XML" do
+      raw_xml = '<foo>bar</foo>'
+      encrypted_xml = subject.encrypt(raw_xml)
+      encrypted_xml.should_not match 'bar'
+      encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
+      encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
+      decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
+      decrypted_xml.should == raw_xml
+    end
+  end
+end

data/spec/lib/saml_idp/logout_request_builder_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+require 'saml_idp/logout_request_builder'
+
+module SamlIdp
+  describe LogoutRequestBuilder do
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+    let(:response_id) { 'some_response_id' }
+    let(:issuer_uri) { 'http://example.com' }
+    let(:saml_slo_url) { 'http://localhost:3000/saml/logout' }
+    let(:name_id) { 'some_name_id' }
+    let(:session_index) { 'abc123index' }
+    let(:algorithm) { OpenSSL::Digest::SHA256 }
+
+    subject do
+      described_class.new(
+        response_id,
+        issuer_uri,
+        saml_slo_url,
+        name_id,
+        session_index,
+        algorithm
+      )
+    end
+
+    it "is a valid SloLogoutrequest" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        slo_request = OneLogin::RubySaml::SloLogoutrequest.new(
+          subject.encoded,
+          settings: saml_settings('localhost:3000')
+        )
+        slo_request.soft = false
+        expect(slo_request.is_valid?).to eq true
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/logout_response_builder_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'saml_idp/logout_response_builder'
+
+module SamlIdp
+  describe LogoutResponseBuilder do
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+    let(:response_id) { 'some_response_id' }
+    let(:issuer_uri) { 'http://example.com' }
+    let(:saml_slo_url) { 'http://localhost:3000/saml/logout' }
+    let(:request_id) { 'some_request_id' }
+    let(:algorithm) { OpenSSL::Digest::SHA256 }
+
+    subject do
+      described_class.new(
+        response_id,
+        issuer_uri,
+        saml_slo_url,
+        request_id,
+        algorithm
+      )
+    end
+
+    it "is a valid LogoutResponse" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        logout_response = OneLogin::RubySaml::Logoutresponse.new(
+          subject.encoded,
+          saml_settings('localhost:3000')
+        )
+        logout_response.soft = false
+        expect(logout_response.validate).to eq true
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -8,5 +8,12 @@ module SamlIdp
     it "signs valid xml" do
       Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should be_truthy
     end
+
+    it "includes logout element" do
+      subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+      subject.fresh.should match(
+        '<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>'
+      )
+    end
   end
 end

data/spec/lib/saml_idp/request_spec.rb

@@ -1,32 +1,90 @@
 require 'spec_helper'
 module SamlIdp
   describe Request do
-    let(:raw_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/></samlp:AuthnRequest>" }
-    subject { described_class.new raw_request }
+    describe "authn request" do
+      let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+      subject { described_class.new raw_authn_request }
 
-    it "has a valid request_id" do
-      subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
-    end
+      it "has a valid request_id" do
+        subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
+      end
 
-    it "has a valid acs_url" do
-      subject.acs_url.should == "http://localhost:3000/saml/consume"
-    end
+      it "has a valid acs_url" do
+        subject.acs_url.should == "http://localhost:3000/saml/consume"
+      end
 
-    it "has a valid service_provider" do
-      subject.service_provider.should be_a ServiceProvider
-    end
+      it "has a valid service_provider" do
+        subject.service_provider.should be_a ServiceProvider
+      end
 
-    it "has a valid service_provider" do
-      subject.service_provider.should be_truthy
-    end
+      it "has a valid service_provider" do
+        subject.service_provider.should be_truthy
+      end
 
-    it "has a valid issuer" do
-      subject.issuer.should == "localhost:3000"
-    end
+      it "has a valid issuer" do
+        subject.issuer.should == "localhost:3000"
+      end
+
+      it "has a valid valid_signature" do
+        subject.valid_signature?.should be_truthy
+      end
+
+      it "should return acs_url for response_url" do
+        subject.response_url.should == subject.acs_url
+      end
+
+      it "is a authn request" do
+        subject.authn_request?.should == true
+      end
+
+      it "fetches internal request" do
+        subject.request['ID'].should == subject.request_id
+      end
+
+      it "has a valid authn context" do
+        subject.requested_authn_context.should == "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      end
 
-    it "has a valid valid_signature" do
-      subject.valid_signature?.should be_truthy
+      it "does not permit empty issuer" do
+        raw_req = raw_authn_request.gsub('localhost:3000', '')
+        authn_request = described_class.new raw_req
+        authn_request.issuer.should_not == ''
+        authn_request.issuer.should == nil
+      end
     end
 
+    describe "logout request" do
+      let(:raw_logout_request) { "<LogoutRequest ID='_some_response_id' Version='2.0' IssueInstant='2010-06-01T13:00:00Z' Destination='http://localhost:3000/saml/logout' xmlns='urn:oasis:names:tc:SAML:2.0:protocol'><Issuer xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>http://example.com</Issuer><NameID xmlns='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'>some_name_id</NameID><SessionIndex>abc123index</SessionIndex></LogoutRequest>" }
+
+      subject { described_class.new raw_logout_request }
+
+      it "has a valid request_id" do
+        subject.request_id.should == '_some_response_id'
+      end
+
+      it "should be flagged as a logout_request" do
+        subject.logout_request?.should == true
+      end
+
+      it "should have a valid name_id" do
+        subject.name_id.should == 'some_name_id'
+      end
+
+      it "should have a session index" do
+        subject.session_index.should == 'abc123index'
+      end
+
+      it "should have a valid issuer" do
+        subject.issuer.should == 'http://example.com'
+      end
+
+      it "fetches internal request" do
+        subject.request['ID'].should == subject.request_id
+      end
+
+      it "should return logout_url for response_url" do
+        subject.response_url.should == subject.logout_url
+      end
+    end
   end
 end