saml_idp 0.9.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4692b2d2c5266c2db128e4942daddd534c7e22efe32f1f45b02776db2eb8b607
-  data.tar.gz: cc0b169ea2d024b91590e270c6a6cbe742a661280651917147eb0401f821c6a8
+  metadata.gz: 4a0fd46437c04823ad86f269552282b0252cb888294345984c5e16b88bcfa9cf
+  data.tar.gz: b7c56c2516f7aaf392fe5a999e98f67af0b79f799374757f3724724605616fc4
 SHA512:
-  metadata.gz: 0d1eaa0e214b1c2cb17970987fc0956c991e33831a05f7bf40936180f6a4fc2a22d5539051b456f7a920a49b7cbd98e83296ae55858025351e9fb693a6f6d595
-  data.tar.gz: 587c1ca1bc298dc8381bd50e49bd3b361fd011b4ae7509107f2336ec2b9cbc30bd625915a76d5833ebbe7c36eb9181acbee2f1f8b60dae0cb71f27a0436a9fec
+  metadata.gz: 558df23c6ffefed06a205df4ea72cc530f7a963c64741e0bb86cae16f7ffd26a822299793a6b4d7a587addf49428a71e3449f46650d1a26990ec563b690a6cac
+  data.tar.gz: ee6eec4ee019c3e01443bbc6d383e4eb6dcd422e3eb5dddcbefd10666799d9604e094e9dec22b213780a415f9efaaebfe54f8b512fef90322f6ce3cc89e4d751

data/README.md

@@ -1,8 +1,7 @@
 # Ruby SAML Identity Provider (IdP)
 
-Forked from https://github.com/lawrencepit/ruby-saml-idp
+Forked from <https://github.com/lawrencepit/ruby-saml-idp>
 
-[![Build Status](https://travis-ci.org/saml-idp/saml_idp.svg)](https://travis-ci.org/saml-idp/saml_idp)
 [![Gem Version](https://badge.fury.io/rb/saml_idp.svg)](http://badge.fury.io/rb/saml_idp)
 
 The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows
@@ -13,64 +12,53 @@ protocol. It provides a means for managing authentication requests and confirmat
 This was originally setup by @lawrencepit to test SAML Clients. I took it closer to a real
 SAML IDP implementation.
 
-# Installation and Usage
+## Installation and Usage
 
 Add this to your Gemfile:
 
+```ruby
     gem 'saml_idp'
+```
 
-## Not using rails?
+### Not using rails?
 
 Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
 
-Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
-`saml_acs_url` to determine the source for which you need to authenticate a user. How you authenticate
-a user is entirely up to you.
+Basically, you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value 
+`saml_acs_url` to determine the source for which you need to authenticate a user. 
+If the signature (`Signature`) and signing algorithm (`SigAlg`) are provided as external parameters in the request,
+you can pass those parameters as `decode_request(params[:SAMLRequest], params[:Signature], params[:SigAlg], params[:RelayState])`.
+Then, you can verify the request signature with the `valid?` method.
+
+How you authenticate a user is entirely up to you.
 
-Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by
+Once a user has successfully authenticated on your system send the Service Provider a SAMLResponse by
 posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to
 `encode_response(user_email)`.
 
-## Using rails?
+### Using rails?
 
-Add to your `routes.rb` file, for example:
+Check out our Wiki page for Rails integration
+[Rails Integration guide](https://github.com/saml-idp/saml_idp/wiki/Rails_Integration)
 
-```ruby
-get '/saml/auth' => 'saml_idp#new'
-get '/saml/metadata' => 'saml_idp#show'
-post '/saml/auth' => 'saml_idp#create'
-match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
-```
+### Configuration
 
-Create a controller that looks like this, customize to your own situation:
+#### Signed assertions and Signed Response
 
-```ruby
-class SamlIdpController < SamlIdp::IdpController
-  def idp_authenticate(email, password) # not using params intentionally
-    user = User.by_email(email).first
-    user && user.valid_password?(password) ? user : nil
-  end
-  private :idp_authenticate
-
-  def idp_make_saml_response(found_user) # not using params intentionally
-    # NOTE encryption is optional
-    encode_response found_user, encryption: {
-      cert: saml_request.service_provider.cert,
-      block_encryption: 'aes256-cbc',
-      key_transport: 'rsa-oaep-mgf1p'
-    }
-  end
-  private :idp_make_saml_response
+By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`, because SAML assertions contain secure information used for authentication such as NameID.
+Besides that, signing assertions could be optional and can be defined with `config.signed_assertion` option. Setting this configuration flag to `false` will add raw assertions on the response instead of signed ones. If the response is encrypted the `config.signed_assertion` will be ignored and all assertions will be signed.
 
-  def idp_logout
-    user = User.by_email(saml_request.name_id)
-    user.logout
-  end
-  private :idp_logout
-end
-```
+Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed.
+For that, you can enable it with `signed_message: true` option for `encode_response(user_email, signed_message: true)` method. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
 
-## Configuration
+#### Signing algorithm
+
+Following algorithms you can set in your response signing algorithm
+:sha1 - RSA-SHA1 default value but not recommended to production environment
+Highly recommended to use one of following algorithm, suit with your computing power.
+:sha256 - RSA-SHA256
+:sha384 - RSA-SHA384
+:sha512 - RSA-SHA512
 
 Be sure to load a file like this during your app initialization:
 
@@ -90,17 +78,25 @@ KEY DATA
 -----END RSA PRIVATE KEY-----
 CERT
 
+  # x509_certificate, secret_key, and password may also be set from within a proc, for example:
+  # config.x509_certificate = -> { File.read("cert.pem") }
+  # config.secret_key = -> { SecretKeyFinder.key_for(id: 1) }
+  # config.password = -> { "password" }
+
   # config.password = "secret_key_password"
-  # config.algorithm = :sha256
+  # config.algorithm = :sha256                                    # Default: sha1 only for development.
   # config.organization_name = "Your Organization"
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
-  # config.reference_id_generator                                 # Default: -> { UUID.generate }
+  # config.reference_id_generator                                 # Default: -> { SecureRandom.uuid }
   # config.single_logout_service_post_location = "#{base}/saml/logout"
   # config.single_logout_service_redirect_location = "#{base}/saml/logout"
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
+  # config.signed_assertion = false                               # Default: true which means signed assertions on the SAML Response
+  # config.compress = true                                        # Default: false which means the SAML Response is not being compressed
+  # config.logger = ::Logger.new($stdout)                         # Default: if in Rails context - Rails.logger, else ->(msg) { puts msg }. Works with either a Ruby Logger or a lambda
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #
@@ -213,7 +209,7 @@ CERT
 end
 ```
 
-# Keys and Secrets
+## Keys and Secrets
 
 To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
 You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
@@ -224,22 +220,31 @@ and `SamlIdp.config.secret_key` properties.
 
 The fingerprint to use, if you use the default X.509 certificate of this gem, is:
 
+```bash
+  9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
 ```
-9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
+
+## Fingerprint
+
+The gem provides an helper to generate a fingerprint for a X.509 certificate.
+The second parameter is optional and default to your configuration `SamlIdp.config.algorithm`
+
+```ruby
+  SamlIdp::Fingerprint.certificate_digest(x509_cert, :sha512)
 ```
 
-# Service Providers
+## Service Providers
 
 To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
 excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
 
-# Author
+## Author
 
 Jon Phenow, jon@jphenow.com, jphenow.com, @jphenow
 
 Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
 
-# Copyright
+## Copyright
 
 Copyright (c) 2012 Sport Ngin.
 Portions Copyright (c) 2010 OneLogin, LLC

data/lib/saml_idp/assertion_builder.rb

@@ -16,10 +16,26 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :name_id_formats_opts
+    attr_accessor :asserted_attributes_opts
 
     delegate :config, to: :SamlIdp
 
-    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
+    def initialize(
+        reference_id,
+        issuer_uri,
+        principal,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        raw_algorithm,
+        authn_context_classref,
+        expiry=60*60,
+        encryption_opts=nil,
+        session_expiry=nil,
+        name_id_formats_opts = nil,
+        asserted_attributes_opts = nil
+    )
       self.reference_id = reference_id
       self.issuer_uri = issuer_uri
       self.principal = principal
@@ -31,6 +47,8 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
     end
 
     def fresh
@@ -98,7 +116,9 @@ module SamlIdp
     end
 
     def asserted_attributes
-      if principal.respond_to?(:asserted_attributes)
+      if asserted_attributes_opts.present? && !asserted_attributes_opts.empty?
+        asserted_attributes_opts
+      elsif principal.respond_to?(:asserted_attributes)
         principal.send(:asserted_attributes)
       elsif !config.attributes.nil? && !config.attributes.empty?
         config.attributes
@@ -139,10 +159,15 @@ module SamlIdp
     private :name_id_getter
 
     def name_id_format
-      @name_id_format ||= NameIdFormatter.new(config.name_id.formats).chosen
+      @name_id_format ||= NameIdFormatter.new(name_id_formats).chosen
     end
     private :name_id_format
 
+    def name_id_formats
+      @name_id_formats ||= (name_id_formats_opts || config.name_id.formats)
+    end
+    private :name_id_formats
+
     def reference_string
       "_#{reference_id}"
     end

data/lib/saml_idp/configurator.rb

@@ -1,5 +1,7 @@
 # encoding: utf-8
 require 'ostruct'
+require 'securerandom'
+
 module SamlIdp
   class Configurator
     attr_accessor :x509_certificate
@@ -13,24 +15,27 @@ module SamlIdp
     attr_accessor :reference_id_generator
     attr_accessor :attribute_service_location
     attr_accessor :single_service_post_location
+    attr_accessor :single_service_redirect_location
     attr_accessor :single_logout_service_post_location
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
     attr_accessor :service_provider
     attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
+    attr_accessor :logger
 
     def initialize
-      self.x509_certificate = Default::X509_CERTIFICATE
-      self.secret_key = Default::SECRET_KEY
+      self.x509_certificate = -> { Default::X509_CERTIFICATE }
+      self.secret_key = -> { Default::SECRET_KEY }
       self.algorithm = :sha1
-      self.reference_id_generator = ->() { UUID.generate }
+      self.reference_id_generator = ->() { SecureRandom.uuid }
       self.service_provider = OpenStruct.new
       self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
       self.service_provider.metadata_persister = ->(id, settings) {  }
       self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
       self.session_expiry = 0
       self.attributes = {}
+      self.logger = (defined?(::Rails) && Rails.respond_to?(:logger)) ? Rails.logger : ->(msg) { puts msg }
     end
 
     # formats

data/lib/saml_idp/controller.rb

@@ -1,8 +1,7 @@
-# encoding: utf-8
 require 'openssl'
 require 'base64'
 require 'time'
-require 'uuid'
+require 'securerandom'
 require 'saml_idp/request'
 require 'saml_idp/logout_response_builder'
 module SamlIdp
@@ -34,20 +33,18 @@ module SamlIdp
     end
 
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
-      decode_request(raw_saml_request)
-      return true if valid_saml_request?
-      if defined?(::Rails)
-        if Rails::VERSION::MAJOR >= 4
-          head :forbidden
-        else
-          render nothing: true, status: :forbidden
-        end
-      end
-      false
+      decode_request(raw_saml_request, params[:Signature], params[:SigAlg], params[:RelayState])
+      valid_saml_request?
     end
 
-    def decode_request(raw_saml_request)
-      @saml_request = Request.from_deflated_request(raw_saml_request)
+    def decode_request(raw_saml_request, signature, sig_algorithm, relay_state)
+      @saml_request = Request.from_deflated_request(
+        raw_saml_request,
+        saml_request: raw_saml_request,
+        signature: signature,
+        sig_algorithm: sig_algorithm,
+        relay_state: relay_state
+      )
     end
 
     def authn_context_classref
@@ -64,6 +61,13 @@ module SamlIdp
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      name_id_formats_opts = opts[:name_id_formats] || nil
+      asserted_attributes_opts = opts[:attributes] || nil
+      signed_message_opts = opts[:signed_message] || false
+      name_id_formats_opts = opts[:name_id_formats] || nil
+      asserted_attributes_opts = opts[:attributes] || nil
+      signed_assertion_opts = opts[:signed_assertion].nil? ? true : opts[:signed_assertion]
+      compress_opts = opts[:compress] || false
 
       SamlResponse.new(
         reference_id,
@@ -77,11 +81,16 @@ module SamlIdp
         my_authn_context_classref,
         expiry,
         encryption_opts,
-        session_expiry
+        session_expiry,
+        name_id_formats_opts,
+        asserted_attributes_opts,
+        signed_message_opts,
+        signed_assertion_opts,
+        compress_opts
       ).build
     end
 
-    def encode_logout_response(principal, opts = {})
+    def encode_logout_response(_principal, opts = {})
       SamlIdp::LogoutResponseBuilder.new(
         get_saml_response_id,
         (opts[:issuer_uri] || issuer_uri),
@@ -124,11 +133,11 @@ module SamlIdp
     end
 
     def get_saml_response_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def get_saml_reference_id
-      UUID.generate
+      SecureRandom.uuid
     end
 
     def default_algorithm

data/lib/saml_idp/encryptor.rb

@@ -61,7 +61,6 @@ module SamlIdp
           key_info.EncryptedKey Id: 'EK', xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_key|
             enc_key.EncryptionMethod Algorithm: key_transport_ns
             enc_key.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info2|
-              key_info2.tag! 'ds:KeyName'
               key_info2.tag! 'ds:X509Data' do |x509_data|
                 x509_data.tag! 'ds:X509Certificate' do |x509_cert|
                   x509_cert << cert.to_s.gsub(/-+(BEGIN|END) CERTIFICATE-+/, '') 

data/lib/saml_idp/fingerprint.rb

@@ -0,0 +1,19 @@
+module SamlIdp
+  module Fingerprint
+    def self.certificate_digest(cert, sha_size = nil)
+      sha_size ||= SamlIdp.config.algorithm
+      digest_sha_class(sha_size).hexdigest(OpenSSL::X509::Certificate.new(cert).to_der).scan(/../).join(':')
+    end
+
+    def self.digest_sha_class(sha_size)
+      case sha_size
+      when :sha256
+        Digest::SHA256
+      when :sha512
+        Digest::SHA512
+      else
+        raise ArgumentError, "Unsupported sha size parameter: #{sha_size}"
+      end
+    end
+  end
+end

data/lib/saml_idp/incoming_metadata.rb

@@ -34,6 +34,19 @@ module SamlIdp
     end
     hashable :sign_assertions
 
+    def sign_authn_request
+      doc = xpath(
+        "//md:SPSSODescriptor",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first
+      if (doc && !doc['AuthnRequestsSigned'].nil?)
+        return doc['AuthnRequestsSigned'].strip.downcase == 'true'
+      end
+      return false
+    end
+    hashable :sign_authn_request
+
     def display_name
       role_descriptor_document.present? ? role_descriptor_document["ServiceDisplayName"] : ""
     end
@@ -50,6 +63,15 @@ module SamlIdp
     end
     hashable :contact_person
 
+    def unspecified_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :unspecified_certificate
+
     def signing_certificate
       xpath(
         "//md:SPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",

data/lib/saml_idp/metadata_builder.rb

@@ -24,13 +24,15 @@ module SamlIdp
 
             entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
               build_key_descriptor descriptor
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: single_logout_service_post_location
-              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_logout_service_redirect_location
+              build_endpoint descriptor, [
+                { tag: 'SingleLogoutService', url: single_logout_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleLogoutService', url: single_logout_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_name_id_formats descriptor
-              descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: single_service_post_location
+              build_endpoint descriptor, [
+                { tag: 'SingleSignOnService', url: single_service_post_location, bind: 'HTTP-POST' }, 
+                { tag: 'SingleSignOnService', url: single_service_redirect_location, bind: 'HTTP-Redirect'}
+              ]
               build_attribute descriptor
             end
 
@@ -38,8 +40,9 @@ module SamlIdp
               build_key_descriptor authority_descriptor
               build_organization authority_descriptor
               build_contact authority_descriptor
-              authority_descriptor.AttributeService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-                Location: attribute_service_location
+              build_endpoint authority_descriptor, [
+                { tag: 'AttributeService', url: attribute_service_location, bind: 'HTTP-Redirect' }
+              ]
               build_name_id_formats authority_descriptor
               build_attribute authority_descriptor
             end
@@ -69,6 +72,17 @@ module SamlIdp
     end
     private :build_name_id_formats
 
+    def build_endpoint(el, end_points)
+      end_points.each do |ep|
+        next unless ep[:url].present?
+
+        el.tag! ep[:tag],
+          Binding: "urn:oasis:names:tc:SAML:2.0:bindings:#{ep[:bind]}",
+          Location: ep[:url]
+      end
+    end
+    private :build_endpoint
+
     def build_attribute(el)
       attributes.each do |attribute|
         el.tag! "saml:Attribute",
@@ -138,7 +152,8 @@ module SamlIdp
     private :raw_algorithm
 
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      certificate = SamlIdp.config.x509_certificate.is_a?(Proc) ? SamlIdp.config.x509_certificate.call : SamlIdp.config.x509_certificate
+      certificate
       .to_s
       .gsub(/-----BEGIN CERTIFICATE-----/,"")
       .gsub(/-----END CERTIFICATE-----/,"")
@@ -151,6 +166,7 @@ module SamlIdp
       organization_url
       attribute_service_location
       single_service_post_location
+      single_service_redirect_location
       single_logout_service_post_location
       single_logout_service_redirect_location
       technical_contact

data/lib/saml_idp/persisted_metadata.rb

@@ -6,5 +6,9 @@ module SamlIdp
     def sign_assertions?
       !!attributes[:sign_assertions]
     end
+
+    def sign_authn_request?
+      !!attributes[:sign_authn_request]
+    end
   end
 end