saml_idp 0.2.1 → 0.3.0

data/README.md

@@ -36,12 +36,15 @@ Add to your `routes.rb` file, for example:
 get '/saml/auth' => 'saml_idp#new'
 get '/saml/metadata' => 'saml_idp#show'
 post '/saml/auth' => 'saml_idp#create'
+match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
 ```
 
 Create a controller that looks like this, customize to your own situation:
 
 ``` ruby
-class SamlIdpController < SamlIdp::IdpController
+class SamlIdpController
+  include SamlIdp::IdpController
+
   def idp_authenticate(email, password) # not using params intentionally
     user = User.by_email(email).first
     user && user.valid_password?(password) ? user : nil
@@ -49,9 +52,20 @@ class SamlIdpController < SamlIdp::IdpController
   private :idp_authenticate
 
   def idp_make_saml_response(found_user) # not using params intentionally
-    encode_response found_user
+    # NOTE encryption is optional
+    encode_response found_user, encryption: {
+      cert: saml_request.service_provider.cert,
+      block_encryption: 'aes256-cbc',
+      key_transport: 'rsa-oaep-mgf1p'
+    }
   end
   private :idp_make_saml_response
+
+  def idp_logout
+    user = User.by_email(saml_request.name_id)
+    user.logout
+  end
+  private :idp_logout
 end
 ```
 

data/app/controllers/saml_idp/idp_controller.rb

@@ -29,6 +29,17 @@ module SamlIdp
       render :template => "saml_idp/idp/new"
     end
 
+    def logout
+      idp_logout
+      @saml_response = idp_make_saml_response(nil)
+      render :template => "saml_idp/idp/saml_post", :layout => false
+    end
+
+    def idp_logout
+      raise NotImplementedError
+    end
+    private :idp_logout
+
     def idp_authenticate(email, password)
       raise NotImplementedError
     end

data/lib/saml_idp.rb

@@ -71,11 +71,11 @@ module Saml
 
       def valid_signature?(fingerprint)
         signed? &&
-          signed_document.validate_document(fingerprint, :soft)
+          signed_document.validate(fingerprint, :soft)
       end
 
       def signed_document
-        XMLSecurity::SignedDocument.new(to_xml)
+        SamlIdp::XMLSecurity::SignedDocument.new(to_xml)
       end
 
       def signature_namespace

data/lib/saml_idp/assertion_builder.rb

@@ -14,10 +14,11 @@ module SamlIdp
     attr_accessor :raw_algorithm
     attr_accessor :authn_context_classref
     attr_accessor :expiry
+    attr_accessor :encryption_opts
 
     delegate :config, to: :SamlIdp
 
-    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60)
+    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil)
       self.reference_id = reference_id
       self.issuer_uri = issuer_uri
       self.principal = principal
@@ -27,6 +28,7 @@ module SamlIdp
       self.raw_algorithm = raw_algorithm
       self.authn_context_classref = authn_context_classref
       self.expiry = expiry
+      self.encryption_opts = encryption_opts
     end
 
     def fresh
@@ -73,6 +75,14 @@ module SamlIdp
     alias_method :raw, :fresh
     private :fresh
 
+    def encrypt(opts = {})
+      raise "Must set encryption_opts to encrypt" unless encryption_opts
+      raw_xml = opts[:sign] ? signed : raw
+      require 'saml_idp/encryptor'
+      encryptor = Encryptor.new encryption_opts
+      encryptor.encrypt(raw_xml)
+    end
+
     def get_values_for(friendly_name, getter)
       result = nil
       if getter.present?

data/lib/saml_idp/configurator.rb

@@ -13,6 +13,7 @@ module SamlIdp
     attr_accessor :reference_id_generator
     attr_accessor :attribute_service_location
     attr_accessor :single_service_post_location
+    attr_accessor :single_logout_service_post_location
     attr_accessor :attributes
     attr_accessor :service_provider
 

data/lib/saml_idp/controller.rb

@@ -4,6 +4,7 @@ require 'base64'
 require 'time'
 require 'uuid'
 require 'saml_idp/request'
+require 'saml_idp/logout_response_builder'
 module SamlIdp
   module Controller
     extend ActiveSupport::Concern
@@ -30,10 +31,14 @@ module SamlIdp
       Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
     end
 
-    def encode_response(principal, opts = {})
-      response_id, reference_id = get_saml_response_id, get_saml_reference_id
+    def encode_authn_response(principal, opts = {})
+      response_id = get_saml_response_id
+      reference_id = opts[:reference_id] || get_saml_reference_id
       audience_uri = opts[:audience_uri] || saml_request.issuer || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
       opt_issuer_uri = opts[:issuer_uri] || issuer_uri
+      my_authn_context_classref = opts[:authn_context_classref] || authn_context_classref
+      expiry = opts[:expiry] || 60*60
+      encryption_opts = opts[:encryption] || nil
 
       SamlResponse.new(
         reference_id,
@@ -43,11 +48,33 @@ module SamlIdp
         audience_uri,
         saml_request_id,
         saml_acs_url,
-        algorithm,
-        authn_context_classref
+        (opts[:algorithm] || algorithm || default_algorithm),
+        my_authn_context_classref,
+        expiry,
+        encryption_opts
       ).build
     end
 
+    def encode_logout_response(principal, opts = {})
+      SamlIdp::LogoutResponseBuilder.new(
+        get_saml_response_id,
+        (opts[:issuer_uri] || issuer_uri),
+        saml_logout_url,
+        saml_request_id,
+        (opts[:algorithm] || algorithm || default_algorithm)
+      ).signed
+    end
+
+    def encode_response(principal, opts = {})
+      if saml_request.authn_request?
+        encode_authn_response(principal, opts)
+      elsif saml_request.logout_request?
+        encode_logout_response(principal, opts)
+      else
+        raise "Unknown request: #{saml_request}"
+      end
+    end
+
     def issuer_uri
       (SamlIdp.config.base_saml_location.present? && SamlIdp.config.base_saml_location) ||
         (defined?(request) && request.url.to_s.split("?").first) ||
@@ -66,6 +93,10 @@ module SamlIdp
       saml_request.acs_url
     end
 
+    def saml_logout_url
+      saml_request.logout_url
+    end
+
     def get_saml_response_id
       UUID.generate
     end
@@ -73,5 +104,9 @@ module SamlIdp
     def get_saml_reference_id
       UUID.generate
     end
+
+    def default_algorithm
+      OpenSSL::Digest::SHA256
+    end
   end
 end

data/lib/saml_idp/encryptor.rb

@@ -0,0 +1,86 @@
+require 'xmlenc'
+module SamlIdp
+  class Encryptor
+    attr_accessor :encryption_key
+    attr_accessor :block_encryption
+    attr_accessor :key_transport
+    attr_accessor :cert
+
+    def initialize(opts)
+      self.block_encryption = opts[:block_encryption]
+      self.key_transport = opts[:key_transport]
+      self.cert = opts[:cert]
+    end
+
+    def encrypt(raw_xml) 
+      encryption_template = Nokogiri::XML::Document.parse(build_encryption_template).root
+      encrypted_data = Xmlenc::EncryptedData.new(encryption_template)
+      @encryption_key = encrypted_data.encrypt(raw_xml)
+      encrypted_key_node = encrypted_data.node.at_xpath(
+        '//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey',
+        Xmlenc::NAMESPACES
+      )   
+      encrypted_key = Xmlenc::EncryptedKey.new(encrypted_key_node)
+      encrypted_key.encrypt(openssl_cert.public_key, encryption_key)
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedAssertion xmlns: Saml::XML::Namespaces::ASSERTION do |enc_assert|
+        enc_assert << encrypted_data.node.to_s
+      end 
+    end
+
+    def openssl_cert
+      if cert.is_a?(String)
+        @_openssl_cert ||= OpenSSL::X509::Certificate.new(Base64.decode64(cert))
+      else
+        @_openssl_cert ||= cert
+      end 
+    end 
+    private :openssl_cert
+
+    def block_encryption_ns
+      "http://www.w3.org/2001/04/xmlenc##{block_encryption}"
+    end 
+    private :block_encryption_ns
+
+    def key_transport_ns
+      "http://www.w3.org/2001/04/xmlenc##{key_transport}"
+    end 
+    private :key_transport_ns
+
+    def cipher_algorithm
+      Xmlenc::EncryptedData::ALGORITHMS[block_encryption_ns]
+    end 
+    private :cipher_algorithm
+
+    def build_encryption_template
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedData Id: 'ED', Type: 'http://www.w3.org/2001/04/xmlenc#Element',
+        xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_data|
+        enc_data.EncryptionMethod Algorithm: block_encryption_ns
+        enc_data.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info|
+          key_info.EncryptedKey Id: 'EK', xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_key|
+            enc_key.EncryptionMethod Algorithm: key_transport_ns
+            enc_key.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info2|
+              key_info2.tag! 'ds:KeyName'
+              key_info2.tag! 'ds:X509Data' do |x509_data|
+                x509_data.tag! 'ds:X509Certificate' do |x509_cert|
+                  x509_cert << cert.to_s.gsub(/-+(BEGIN|END) CERTIFICATE-+/, '') 
+                end
+              end
+            end
+            enc_key.CipherData do |cipher_data|
+              cipher_data.CipherValue
+            end
+            enc_key.ReferenceList do |ref_list|
+              ref_list.DataReference URI: 'ED'
+            end
+          end
+        end
+        enc_data.CipherData do |cipher_data|
+          cipher_data.CipherValue
+        end
+      end
+    end
+    private :build_encryption_template
+  end
+end

data/lib/saml_idp/logout_builder.rb

@@ -0,0 +1,42 @@
+require 'builder'
+module SamlIdp
+  class LogoutBuilder
+    include Signable
+
+    # this is an abstract base class.
+    def build
+      raise "#{self.class} must implement build method"
+    end
+
+    def reference_id
+      UUID.generate
+    end
+
+    def digest
+      algorithm.hexdigest raw
+    end
+
+    def encoded
+      @encoded ||= encode
+    end 
+
+    def raw 
+      build
+    end 
+
+    def encode
+      Base64.strict_encode64(raw)
+    end 
+    private :encode
+
+    def response_id_string
+      "_#{response_id}"
+    end 
+    private :response_id_string
+
+    def now_iso
+      Time.now.utc.iso8601
+    end
+    private :now_iso
+  end
+end

data/lib/saml_idp/logout_request_builder.rb

@@ -0,0 +1,36 @@
+require 'saml_idp/logout_builder'
+module SamlIdp
+  class LogoutRequestBuilder < LogoutBuilder
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :saml_slo_url
+    attr_accessor :name_id
+    attr_accessor :session_index
+    attr_accessor :algorithm
+
+    def initialize(response_id, issuer_uri, saml_slo_url, name_id, session_index, algorithm)
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.saml_slo_url = saml_slo_url
+      self.name_id = name_id
+      self.session_index = session_index
+      self.algorithm = algorithm
+    end
+
+    def build
+      builder = Builder::XmlMarkup.new
+      builder.LogoutRequest ID: response_id_string,
+        Version: "2.0",
+        IssueInstant: now_iso,
+        Destination: saml_slo_url,
+        "xmlns" => Saml::XML::Namespaces::PROTOCOL do |request|
+          request.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign request
+          request.NameID name_id, xmlns: Saml::XML::Namespaces::ASSERTION,
+            Format: Saml::XML::Namespaces::Formats::NameId::PERSISTENT
+          request.SessionIndex session_index
+        end
+    end
+    private :build
+  end
+end

data/lib/saml_idp/logout_response_builder.rb

@@ -0,0 +1,35 @@
+require 'saml_idp/logout_builder'
+module SamlIdp
+  class LogoutResponseBuilder < LogoutBuilder
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :saml_slo_url
+    attr_accessor :saml_request_id
+    attr_accessor :algorithm
+
+    def initialize(response_id, issuer_uri, saml_slo_url, saml_request_id, algorithm)
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.saml_slo_url = saml_slo_url
+      self.saml_request_id = saml_request_id
+      self.algorithm = algorithm
+    end 
+
+    def build
+      builder = Builder::XmlMarkup.new
+      builder.LogoutResponse ID: response_id_string,
+        Version: "2.0",
+        IssueInstant: now_iso,
+        Destination: saml_slo_url,
+        InResponseTo: saml_request_id,
+        xmlns: Saml::XML::Namespaces::PROTOCOL do |response|
+          response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign response
+          response.Status xmlns: Saml::XML::Namespaces::PROTOCOL do |status|
+            status.StatusCode Value: Saml::XML::Namespaces::Statuses::SUCCESS 
+          end 
+        end 
+    end
+    private :build
+  end
+end

data/lib/saml_idp/metadata_builder.rb

@@ -25,6 +25,8 @@ module SamlIdp
             entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
               build_key_descriptor descriptor
               build_name_id_formats descriptor
+              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: single_logout_service_post_location
               descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                 Location: single_service_post_location
               build_attribute descriptor
@@ -146,6 +148,7 @@ module SamlIdp
       organization_url
       attribute_service_location
       single_service_post_location
+      single_logout_service_post_location
       technical_contact
     ].each do |delegatable|
       define_method(delegatable) do

data/lib/saml_idp/request.rb

@@ -31,8 +31,32 @@ module SamlIdp
       self.raw_xml = raw_xml
     end
 
+    def logout_request?
+      logout_request.nil? ? false : true
+    end
+
+    def authn_request?
+      authn_request.nil? ? false : true
+    end
+
     def request_id
-      authn_request["ID"]
+      request["ID"]
+    end
+
+    def request
+      if authn_request?
+        authn_request
+      elsif logout_request?
+        logout_request
+      end
+    end
+
+    def requested_authn_context
+      if authn_request? && authn_context_node
+        authn_context_node.content
+      else
+        nil
+      end
     end
 
     def acs_url
@@ -40,14 +64,54 @@ module SamlIdp
         authn_request["AssertionConsumerServiceURL"].to_s
     end
 
+    def logout_url
+      service_provider.assertion_consumer_logout_service_url
+    end
+
+    def response_url
+      if authn_request?
+        acs_url
+      elsif logout_request?
+        logout_url
+      end
+    end
+
+    def log(msg)
+      if Rails && Rails.logger
+        Rails.logger.info msg
+      else
+        puts msg
+      end
+    end
+
     def valid?
-      service_provider? &&
-        valid_signature? &&
-        acs_url.present?
+      unless service_provider?
+        log "Unable to find service provider for issuer #{issuer}"
+        return false
+      end
+
+      unless (authn_request? ^ logout_request?)
+        log "One and only one of authnrequest and logout request is required. authnrequest: #{authn_request?} logout_request: #{logout_request?} "
+        return false
+      end
+
+      unless valid_signature?
+        log "Signature is invalid in #{raw_xml}"
+        return false
+      end
+
+      if response_url.nil?
+        log "Unable to find response url for #{issuer}: #{raw_xml}"
+        return false
+      end
+
+      return true
     end
 
     def valid_signature?
-      service_provider.valid_signature? document
+      # Force signatures for logout requests because there is no other
+      # protection against a cross-site DoS.
+      service_provider.valid_signature?(document, logout_request?)
     end
 
     def service_provider?
@@ -55,24 +119,44 @@ module SamlIdp
     end
 
     def service_provider
-      @service_provider ||= ServiceProvider.new((service_provider_finder[issuer] || {}).merge(identifier: issuer))
+      @_service_provider ||= ServiceProvider.new((service_provider_finder[issuer] || {}).merge(identifier: issuer))
     end
 
     def issuer
-      @content ||= xpath("//saml:Issuer", saml: assertion).first.try(:content)
-      @content if @content.present?
+      @_issuer ||= xpath("//saml:Issuer", saml: assertion).first.try(:content)
+      @_issuer if @_issuer.present?
+    end
+
+    def name_id
+      @_name_id ||= xpath("//saml:NameID", saml: assertion).first.try(:content)
+    end
+
+    def session_index
+      @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
     end
 
     def document
-      @document ||= Saml::XML::Document.parse(raw_xml)
+      @_document ||= Saml::XML::Document.parse(raw_xml)
     end
     private :document
 
+    def authn_context_node
+      @_authn_context_node ||= xpath("//samlp:AuthnRequest/samlp:RequestedAuthnContext/saml:AuthnContextClassRef",
+        samlp: samlp,
+        saml: assertion).first
+    end
+    private :authn_context_node
+
     def authn_request
-      xpath("//samlp:AuthnRequest", samlp: samlp).first
+      @_authn_request ||= xpath("//samlp:AuthnRequest", samlp: samlp).first
     end
     private :authn_request
 
+    def logout_request
+      @_logout_request ||= xpath("//samlp:LogoutRequest", samlp: samlp).first
+    end
+    private :logout_request
+
     def samlp
       Saml::XML::Namespaces::PROTOCOL
     end