saml_idp 0.7.1 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f5e1bd3ed3c6f24d3a0793606d08e6eb99d51eb8
-  data.tar.gz: 29215034a6b59ee05a73da302a986f516e8e7ad8
+SHA256:
+  metadata.gz: 1a69c8d8c945c47e87cb526d4dfcf5f30c2f687d03b33e99013eef63acbe4377
+  data.tar.gz: 4933af3eb5cb686111307cd86d074ab45cc879a253f7a0833aaaa3262add74db
 SHA512:
-  metadata.gz: f2231a17b50851ee8d7c370b1b2ff4c372430ce5bae98e7c4e840a93b0985a29c4ed242c634b80ccd94fa9c47391b0a8987fb5267a718192ace7346eb18db098
-  data.tar.gz: 71e4162bd719e566bbb85f37c7ed84c50ec241211275c405f24da83eddbffbda4fdd21918d8e8042139968cec1d4b2171358ef31ec44895827e486485e715199
+  metadata.gz: 61d5e37801af0e41b71cdf0bdbac6cac61e0b86969de75c27519b74ede55e3b9c2ec7c2dfc8bff9ef82ec1fa1a870c9483fe31e65e17d645fdf6cab5205ac2d1
+  data.tar.gz: a1594a0f1da0694a93c478259dcece4d38c30863564aa653b585bdae9ef6834699b784ff151b7569e7cccee22b41e0b5a37f0a5151a89b664feda92005f3f21f

data/Gemfile

@@ -1,2 +1,2 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 gemspec

data/README.md

@@ -1,8 +1,9 @@
 # Ruby SAML Identity Provider (IdP)
+
 Forked from https://github.com/lawrencepit/ruby-saml-idp
 
-[![Build Status](https://travis-ci.org/sportngin/saml_idp.png)](https://travis-ci.org/sportngin/saml_idp)
-[![Gem Version](https://badge.fury.io/rb/saml_idp.png)](http://badge.fury.io/rb/saml_idp)
+[![Build Status](https://travis-ci.org/saml-idp/saml_idp.svg)](https://travis-ci.org/saml-idp/saml_idp)
+[![Gem Version](https://badge.fury.io/rb/saml_idp.svg)](http://badge.fury.io/rb/saml_idp)
 
 The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows
 your application to act as an IdP (Identity Provider) using the
@@ -19,6 +20,7 @@ Add this to your Gemfile:
     gem 'saml_idp'
 
 ## Not using rails?
+
 Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
 
 Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
@@ -30,9 +32,10 @@ posting to `saml_acs_url` the parameter `SAMLResponse` with the return value fro
 `encode_response(user_email)`.
 
 ## Using rails?
+
 Add to your `routes.rb` file, for example:
 
-``` ruby
+```ruby
 get '/saml/auth' => 'saml_idp#new'
 get '/saml/metadata' => 'saml_idp#show'
 post '/saml/auth' => 'saml_idp#create'
@@ -41,7 +44,7 @@ match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
 
 Create a controller that looks like this, customize to your own situation:
 
-``` ruby
+```ruby
 class SamlIdpController < SamlIdp::IdpController
   def idp_authenticate(email, password) # not using params intentionally
     user = User.by_email(email).first
@@ -69,6 +72,22 @@ end
 
 ## Configuration
 
+#### Signed assertions and Signed Response
+
+By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`. Because SAML assertions contain secure information used for authentication such as NameID.
+
+Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed.
+For that, you can enable it with `config.signed_message` option. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
+
+#### Signing algorithm
+
+Following algorithms you can set in your response signing algorithm
+:sha1 - RSA-SHA1 default value but not recommended to production environment
+Highly recommended to use one of following algorithm, suit with your computing power.
+:sha256 - RSA-SHA256
+:sha384 - RSA-SHA384
+:sha512 - RSA-SHA512
+
 Be sure to load a file like this during your app initialization:
 
 ```ruby
@@ -88,18 +107,21 @@ KEY DATA
 CERT
 
   # config.password = "secret_key_password"
-  # config.algorithm = :sha256
+  # config.algorithm = :sha256                                    # Default: sha1 only for development.
   # config.organization_name = "Your Organization"
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
   # config.reference_id_generator                                 # Default: -> { UUID.generate }
+  # config.single_logout_service_post_location = "#{base}/saml/logout"
+  # config.single_logout_service_redirect_location = "#{base}/saml/logout"
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
+  # config.signed_message = true                                  # Default: false which means unsigned SAML Response
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #
-  # config.name_id.formats # =>
+  # config.name_id.formats =
   #   {                         # All 2.0
   #     email_address: -> (principal) { principal.email_address },
   #     transient: -> (principal) { principal.id },
@@ -169,7 +191,11 @@ CERT
   service_providers = {
     "some-issuer-url.com/saml" => {
       fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
-      metadata_url: "http://some-issuer-url.com/saml/metadata"
+      metadata_url: "http://some-issuer-url.com/saml/metadata",
+
+      # We now validate AssertionConsumerServiceURL will match the MetadataURL set above.
+      # *If* it's not going to match your Metadata URL's Host, then set this so we can validate the host using this list
+      response_hosts: ["foo.some-issuer-url.com"]
     },
   }
 
@@ -177,7 +203,7 @@ CERT
   # settings is an IncomingMetadata object which has a to_h method that needs to be persisted
   config.service_provider.metadata_persister = ->(identifier, settings) {
     fname = identifier.to_s.gsub(/\/|:/,"_")
-    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
     File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
       Marshal.dump settings.to_h, f
     end
@@ -188,7 +214,7 @@ CERT
   # `service_provider` you should return the settings.to_h from above
   config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
     fname = identifier.to_s.gsub(/\/|:/,"_")
-    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    FileUtils.mkdir_p(Rails.root.join('cache', 'saml', 'metadata').to_s)
     full_filename = Rails.root.join("cache/saml/metadata/#{fname}")
     if File.file?(full_filename)
       File.open full_filename, "rb" do |f|
@@ -205,6 +231,7 @@ end
 ```
 
 # Keys and Secrets
+
 To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
 You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
 Obviously you shouldn't use these if you intend to use this in production environments. In that case,
@@ -218,18 +245,19 @@ The fingerprint to use, if you use the default X.509 certificate of this gem, is
 9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
 ```
 
-
 # Service Providers
+
 To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
 excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
 
-
 # Author
-Jon Phenow, me@jphenow.com
+
+Jon Phenow, jon@jphenow.com, jphenow.com, @jphenow
 
 Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
 
 # Copyright
+
 Copyright (c) 2012 Sport Ngin.
 Portions Copyright (c) 2010 OneLogin, LLC
 Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)

data/lib/saml_idp/configurator.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
     attr_accessor :service_provider
+    attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
 
     def initialize

data/lib/saml_idp/controller.rb

@@ -35,13 +35,15 @@ module SamlIdp
 
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
-      unless valid_saml_request?
+      return true if valid_saml_request?
+      if defined?(::Rails)
         if Rails::VERSION::MAJOR >= 4
           head :forbidden
         else
           render nothing: true, status: :forbidden
         end
       end
+      false
     end
 
     def decode_request(raw_saml_request)
@@ -62,6 +64,7 @@ module SamlIdp
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      signed_message_opts = opts[:signed_message] || false
 
       SamlResponse.new(
         reference_id,
@@ -75,7 +78,8 @@ module SamlIdp
         my_authn_context_classref,
         expiry,
         encryption_opts,
-        session_expiry
+        session_expiry,
+        signed_message_opts
       ).build
     end
 

data/lib/saml_idp/encryptor.rb

@@ -72,7 +72,7 @@ module SamlIdp
               cipher_data.CipherValue
             end
             enc_key.ReferenceList do |ref_list|
-              ref_list.DataReference URI: 'ED'
+              ref_list.DataReference URI: '#ED'
             end
           end
         end

data/lib/saml_idp/incoming_metadata.rb

@@ -16,13 +16,21 @@ module SamlIdp
       @document ||= Saml::XML::Document.parse raw
     end
 
+    def entity_id
+      xpath('//md:EntityDescriptor/@entityID', md: metadata_namespace).first.try(:content).to_s
+    end
+    hashable :entity_id
+
     def sign_assertions
       doc = xpath(
         "//md:SPSSODescriptor",
         ds: signature_namespace,
         md: metadata_namespace
       ).first
-      doc ? !!doc["WantAssertionsSigned"] : false
+      if (doc && !doc['WantAssertionsSigned'].nil?)
+        return doc['WantAssertionsSigned'].strip.downcase == 'true'
+      end
+      return false
     end
     hashable :sign_assertions
 

data/lib/saml_idp/request.rb

@@ -105,6 +105,12 @@ module SamlIdp
         return false
       end
 
+      if !service_provider.acceptable_response_hosts.include?(response_host)
+        log "#{service_provider.acceptable_response_hosts} compare to #{response_host}"
+        log "No acceptable AssertionConsumerServiceURL, either configure them via config.service_provider.response_hosts or match to your metadata_url host"
+        return false
+      end
+
       return true
     end
 
@@ -136,6 +142,14 @@ module SamlIdp
       @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
     end
 
+    def response_host
+      uri = URI(response_url)
+      if uri
+        uri.host
+      end
+    end
+    private :response_host
+
     def document
       @_document ||= Saml::XML::Document.parse(raw_xml)
     end

data/lib/saml_idp/response_builder.rb

@@ -1,32 +1,45 @@
 require 'builder'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
 module SamlIdp
   class ResponseBuilder
+    include Algorithmable
+    include Signable
     attr_accessor :response_id
     attr_accessor :issuer_uri
     attr_accessor :saml_acs_url
     attr_accessor :saml_request_id
     attr_accessor :assertion_and_signature
+    attr_accessor :raw_algorithm
 
-    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature)
+    alias_method :reference_id, :response_id
+
+    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature, raw_algorithm)
       self.response_id = response_id
       self.issuer_uri = issuer_uri
       self.saml_acs_url = saml_acs_url
       self.saml_request_id = saml_request_id
       self.assertion_and_signature = assertion_and_signature
+      self.raw_algorithm = raw_algorithm
     end
 
-    def encoded
-      @encoded ||= encode
+    def encoded(signed_message: false)
+      @encoded ||= signed_message ? encode_signed_message : encode_raw_message
     end
 
     def raw
       build
     end
 
-    def encode
+    def encode_raw_message
       Base64.strict_encode64(raw)
     end
-    private :encode
+    private :encode_raw_message
+
+    def encode_signed_message
+      Base64.strict_encode64(signed)
+    end
+    private :encode_signed_message
 
     def build
       resp_options = {}
@@ -41,6 +54,7 @@ module SamlIdp
       builder = Builder::XmlMarkup.new
       builder.tag! "samlp:Response", resp_options do |response|
           response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign response
           response.tag! "samlp:Status" do |status|
             status.tag! "samlp:StatusCode", Value: Saml::XML::Namespaces::Statuses::SUCCESS
           end

data/lib/saml_idp/saml_response.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :signed_message_opts
 
     def initialize(reference_id,
           response_id,
@@ -29,7 +30,8 @@ module SamlIdp
           authn_context_classref,
           expiry=60*60,
           encryption_opts=nil,
-          session_expiry=0
+          session_expiry=0,
+          signed_message_opts
           )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -45,10 +47,11 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry
+      self.signed_message_opts = signed_message_opts
     end
 
     def build
-      @built ||= response_builder.encoded
+      @built ||= encoded_message
     end
 
     def signed_assertion
@@ -60,8 +63,17 @@ module SamlIdp
     end
     private :signed_assertion
 
+    def encoded_message
+      if signed_message_opts
+        response_builder.encoded(signed_message: true)
+      else
+        response_builder.encoded(signed_message: false)
+      end
+    end
+    private :encoded_message
+
     def response_builder
-      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
+      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion, algorithm)
     end
     private :response_builder
 

data/lib/saml_idp/service_provider.rb

@@ -13,6 +13,7 @@ module SamlIdp
     attribute :validate_signature
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
+    attribute :response_hosts
 
     delegate :config, to: :SamlIdp
 
@@ -46,6 +47,19 @@ module SamlIdp
       @current_metadata ||= get_current_or_build
     end
 
+    def acceptable_response_hosts
+      hosts = Array(self.response_hosts)
+      hosts.push(metadata_url_host) if metadata_url_host
+
+      hosts
+    end
+
+    def metadata_url_host
+      if metadata_url.present?
+        URI(metadata_url).host
+      end
+    end
+
     def get_current_or_build
       persisted = metadata_getter[identifier, self]
       if persisted.is_a? Hash

data/lib/saml_idp/signable.rb

@@ -108,8 +108,7 @@ module SamlIdp
       canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       canon_hashed_element = noko_raw.canonicalize(canon_algorithm, inclusive_namespaces)
       digest_algorithm = get_algorithm
-
-      hash                          = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(canon_hashed_element)
       Base64.strict_encode64(hash).gsub(/\n/, '')
     end
     private :digest

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.7.1'
+  VERSION = '0.10.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -108,7 +108,7 @@ module SamlIdp
           canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
           canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
-          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", {'ds' => DSIG}))
 
           hash                          = digest_algorithm.digest(canon_hashed_element)
           digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)

data/saml_idp.gemspec

@@ -7,28 +7,29 @@ Gem::Specification.new do |s|
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
   s.authors = ["Jon Phenow"]
-  s.email = %q{jon.phenow@sportngin.com}
-  s.homepage = %q{http://github.com/sportngin/saml_idp}
-  s.summary = %q{SAML Indentity Provider in ruby}
-  s.description = %q{SAML IdP (Identity Provider) library in ruby}
+  s.email = 'jon.phenow@sportngin.com'
+  s.homepage = 'https://github.com/saml-idp/saml_idp'
+  s.summary = 'SAML Indentity Provider for Ruby'
+  s.description = 'SAML IdP (Identity Provider) Library for Ruby'
   s.date = Time.now.utc.strftime("%Y-%m-%d")
-  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
-     "LICENSE",
-     "README.md",
-     "Gemfile",
-     "saml_idp.gemspec"
-  ]
+  s.files = Dir['app/**/*', 'lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
   s.required_ruby_version = '>= 2.2'
-  s.license = "LICENSE"
+  s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.rdoc_options = ["--charset=UTF-8"]
+  s.rdoc_options = ['--charset=UTF-8']
+  s.metadata = {
+    'homepage_uri'      => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri'   => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri'   => 'https://github.com/saml-idp/saml_idp/issues',
+    'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
+  }
 
   s.post_install_message = <<-INST
 If you're just recently updating saml_idp - please be aware we've changed the default
 certificate. See the PR and a description of why we've done this here:
-https://github.com/sportngin/saml_idp/pull/29
+https://github.com/saml-idp/saml_idp/pull/29
 
 If you just need to see the certificate `bundle open saml_idp` and go to
 `lib/saml_idp/default.rb`
@@ -43,17 +44,19 @@ section of the README.
   INST
 
   s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '~> 2.3')
-  s.add_dependency('builder', '~> 3.0')
+  s.add_dependency('uuid', '>= 2.3')
+  s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
 
-  s.add_development_dependency('rake', '~> 10.4.2')
-  s.add_development_dependency('simplecov', '~> 0.12')
-  s.add_development_dependency('rspec', '~> 2.5')
-  s.add_development_dependency('ruby-saml', '~> 1.3')
-  s.add_development_dependency('rails', '~> 3.2')
-  s.add_development_dependency('capybara', '~> 2.11.0')
-  s.add_development_dependency('timecop', '~> 0.8')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('simplecov')
+  s.add_development_dependency('rspec', '>= 3.7.0')
+  s.add_development_dependency('ruby-saml', '>= 1.7.2')
+  s.add_development_dependency('rails', '>= 3.2')
+  s.add_development_dependency('activeresource', '>= 3.2')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('timecop', '>= 0.8')
   s.add_development_dependency('xmlenc', '>= 0.6.4')
+  s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
 end
-