samlr 2.0.0

data/lib/samlr/tools.rb

@@ -0,0 +1,108 @@
+require "time"
+require "uuidtools"
+require "openssl"
+require "cgi"
+require "zlib"
+
+require "samlr/tools/timestamp"
+require "samlr/tools/certificate_builder"
+require "samlr/tools/request_builder"
+require "samlr/tools/response_builder"
+require "samlr/tools/metadata_builder"
+require "samlr/tools/logout_request_builder"
+
+module Samlr
+  module Tools
+    SHA_MAP = {
+      1    => OpenSSL::Digest::SHA1,
+      256  => OpenSSL::Digest::SHA256,
+      384  => OpenSSL::Digest::SHA384,
+      512  => OpenSSL::Digest::SHA512
+    }
+
+    # Convert algorithm attribute value to Ruby implementation
+    def self.algorithm(value)
+      if value =~ /sha(\d+)$/
+        implementation = SHA_MAP[$1.to_i]
+      end
+
+      implementation || OpenSSL::Digest::SHA1
+    end
+
+    # Accepts a document and optionally :path => xpath, :c14n_mode => c14n_mode
+    def self.canonicalize(xml, options = {})
+      options  = { :c14n_mode => C14N }.merge(options)
+      document = Nokogiri::XML(xml) { |c| c.strict.noblanks }
+
+      if path = options[:path]
+        node = document.at(path, NS_MAP)
+      else
+        node = document
+      end
+
+      node.canonicalize(options[:c14n_mode], options[:namespaces])
+    end
+
+    # Generate an xs:NCName conforming UUID
+    def self.uuid
+      "samlr-#{UUIDTools::UUID.timestamp_create}"
+    end
+
+    # Deflates, Base64 encodes and CGI escapes a string
+    def self.encode(string)
+      deflated = Zlib::Deflate.deflate(string, 9)[2..-5]
+      encoded  = Base64.encode64(deflated)
+      escaped  = CGI.escape(encoded)
+      escaped
+    end
+
+    # CGI unescapes, Base64 decodes and inflates a string
+    def self.decode(string)
+      unescaped = CGI.unescape(string)
+      decoded   = Base64.decode64(unescaped)
+      inflater  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      inflated  = inflater.inflate(decoded)
+
+      inflater.finish
+      inflater.close
+
+      inflated
+    end
+
+    def self.validate!(options = {})
+      validate(options.merge(:bang => true))
+    end
+
+    # Validate a SAML request or response against an XSD. Supply either :path or :document in the options and
+    # a :schema (defaults to SAML validation)
+    def self.validate(options = {})
+      document = options[:document] || File.read(options[:path])
+      schema   = options.fetch(:schema, SAML_SCHEMA)
+      bang     = options.fetch(:bang, false)
+
+      if document.is_a?(Nokogiri::XML::Document)
+        xml = document
+      else
+        xml = Nokogiri::XML(document) { |c| c.strict }
+      end
+
+      # All bundled schemas are using relative schemaLocation. This means we'll have to
+      # change working directory to find them during validation.
+      Dir.chdir(Samlr.schema_location) do
+        if schema.is_a?(Nokogiri::XML::Schema)
+          xsd = schema
+        else
+          xsd = Nokogiri::XML::Schema(File.read(schema))
+        end
+
+        result = xsd.validate(xml)
+
+        if bang && result.length != 0
+          raise Samlr::FormatError.new("Schema validation failed", "XSD validation errors: #{result.join(", ")}")
+        else
+          result.length == 0
+        end
+      end
+    end
+  end
+end

data/lib/samlr/tools/certificate_builder.rb

@@ -0,0 +1,74 @@
+module Samlr
+  module Tools
+
+    # Container for generating/referencing X509 and keys
+    class CertificateBuilder
+      attr_reader :key_size
+
+      def initialize(options = {})
+        @key_size = options.fetch(:key_size, 4096)
+        @x509     = options[:x509]
+        @key_pair = options[:key_pair]
+      end
+
+      def x509
+        @x509 ||= begin
+          domain = "example.org"
+          name   = OpenSSL::X509::Name.new([
+            [ 'C', 'US', OpenSSL::ASN1::PRINTABLESTRING ],
+            [ 'O', domain, OpenSSL::ASN1::UTF8STRING ],
+            [ 'OU', 'Samlr ResponseBuilder', OpenSSL::ASN1::UTF8STRING ],
+            [ 'CN', 'CA' ]
+            ])
+
+          certificate = OpenSSL::X509::Certificate.new
+          certificate.subject    = name
+          certificate.issuer     = name
+          certificate.not_before = (Time.now - 5)
+          certificate.not_after  = (Time.now + 60 * 60 * 24 * 365 * 20)
+          certificate.public_key = key_pair.public_key
+          certificate.serial     = 1
+          certificate.version    = 2
+          certificate.sign(key_pair, OpenSSL::Digest::SHA1.new)
+
+          certificate
+        end
+      end
+
+      def x509_as_pem
+        pem = x509.to_pem.split("\n")
+        pem.pop
+        pem.shift
+        pem.join
+      end
+
+      def key_pair
+        @key_pair ||= OpenSSL::PKey::RSA.new(key_size)
+      end
+
+      def sign(string)
+        Base64.encode64(key_pair.sign(OpenSSL::Digest::SHA1.new, string)).delete("\n")
+      end
+
+      def verify(signature, string)
+        key_pair.public_key.verify(OpenSSL::Digest::SHA1.new, Base64.decode64(signature), string)
+      end
+
+      def to_certificate
+        Samlr::Certificate.new(x509)
+      end
+
+      def self.dump(path, certificate, id = "samlr")
+        File.open(File.join(path, "#{id}_private_key.pem"), "w") { |f| f.write(certificate.key_pair.to_pem) }
+        File.open(File.join(path, "#{id}_certificate.pem"), "w") { |f| f.write(certificate.x509.to_pem) }
+      end
+
+      def self.load(path, id = "samlr")
+        key_pair  = OpenSSL::PKey::RSA.new(File.read(File.join(path, "#{id}_private_key.pem")))
+        x509_cert = OpenSSL::X509::Certificate.new(File.read(File.join(path, "#{id}_certificate.pem")))
+
+        new(:key_pair => key_pair, :x509 => x509_cert)
+      end
+    end
+  end
+end

data/lib/samlr/tools/logout_request_builder.rb

@@ -0,0 +1,27 @@
+require "nokogiri"
+
+module Samlr
+  module Tools
+    # Use this for building the SAML logout request XML
+    module LogoutRequestBuilder
+      def self.build(options = {})
+        name_id_format  = options[:name_id_format] || EMAIL_FORMAT
+
+        # Mandatory
+        name_id = options.fetch(:name_id)
+        issuer  = options.fetch(:issuer)
+
+        builder = Nokogiri::XML::Builder.new do |xml|
+          xml.LogoutRequest("xmlns:samlp" => NS_MAP["samlp"], "xmlns:saml" => NS_MAP["saml"], "ID" => Samlr::Tools.uuid, "IssueInstant" => Samlr::Tools::Timestamp.stamp, "Version" => "2.0") do
+            xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "samlp" }
+
+            xml["saml"].Issuer(issuer)
+            xml["saml"].NameID(name_id, "Format" => name_id_format)
+          end
+        end
+
+        builder.to_xml(COMPACT)
+      end
+    end
+  end
+end

data/lib/samlr/tools/metadata_builder.rb

@@ -0,0 +1,41 @@
+module Samlr
+  module Tools
+
+    # Builds you some SP metadata. Accepts a hash with the below keys. No support for arrays
+    # of name id formats or asserion consumer services, build it if you need it.
+    #
+    #  :entity_id            => "https://sp.example.org/saml", # mandatory
+    #  :name_identity_format => Samlr::EMAIL_FORMAT,
+    #  :consumer_service_url => "https://sp.example.org/saml"
+    class MetadataBuilder
+
+      def self.build(options = {})
+        name_identity_format     = options[:name_identity_format]
+        consumer_service_url     = options[:consumer_service_url]
+        consumer_service_binding = options[:consumer_service_binding] || "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+
+        # Mandatory
+        entity_id                 = options.fetch(:entity_id)
+
+        builder = Nokogiri::XML::Builder.new do |xml|
+          xml.EntityDescriptor("xmlns:md" => NS_MAP["md"], "entityID" => entity_id) do
+            xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "md" }
+
+            xml["md"].SPSSODescriptor("protocolSupportEnumeration" => NS_MAP["samlp"]) do
+              unless name_identity_format.nil?
+                xml["md"].NameIDFormat(name_identity_format)
+              end
+
+              unless consumer_service_url.nil?
+                xml["md"].AssertionConsumerService("index" => "0", "Binding" => consumer_service_binding, "Location" => consumer_service_url)
+              end
+            end
+          end
+        end
+
+        builder.to_xml(COMPACT)
+      end
+
+    end
+  end
+end

data/lib/samlr/tools/request_builder.rb

@@ -0,0 +1,44 @@
+require "nokogiri"
+
+module Samlr
+  module Tools
+
+    # Use this for building the SAML auth request XML
+    module RequestBuilder
+      def self.build(options = {})
+        consumer_service_url = options[:consumer_service_url]
+        issuer               = options[:issuer]
+        name_identity_format = options[:name_identity_format]
+        allow_create         = options[:allow_create] || "true"
+        authn_context        = options[:authn_context]
+
+        builder = Nokogiri::XML::Builder.new do |xml|
+          xml.AuthnRequest("xmlns:samlp" => NS_MAP["samlp"], "xmlns:saml" => NS_MAP["saml"], "ID" => Samlr::Tools.uuid, "IssueInstant" => Samlr::Tools::Timestamp.stamp, "Version" => "2.0") do
+            xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "samlp" }
+
+            unless consumer_service_url.nil?
+              xml.doc.root["AssertionConsumerServiceURL"] = consumer_service_url
+            end
+
+            unless issuer.nil?
+              xml["saml"].Issuer(issuer)
+            end
+
+            unless name_identity_format.nil?
+              xml["samlp"].NameIDPolicy("AllowCreate" => allow_create, "Format" => name_identity_format)
+            end
+
+            unless authn_context.nil?
+              xml["samlp"].RequestedAuthnContext("Comparison" => "exact") do
+                xml["saml"].AuthnContextClassRef(authn_context)
+              end
+            end
+          end
+        end
+
+        builder.to_xml(COMPACT)
+      end
+
+    end
+  end
+end

data/lib/samlr/tools/response_builder.rb

@@ -0,0 +1,157 @@
+require "nokogiri"
+require "time"
+require "uuidtools"
+
+module Samlr
+  module Tools
+
+    # Use this for building test data, not ready to use for production data
+    module ResponseBuilder
+
+      def self.build(options = {})
+        issue_instant   = options[:issue_instant]  || Samlr::Tools::Timestamp.stamp
+        response_id     = options[:response_id]    || Samlr::Tools.uuid
+        assertion_id    = options[:assertion_id]   || Samlr::Tools.uuid
+        status_code     = options[:status_code]    || "urn:oasis:names:tc:SAML:2.0:status:Success"
+        name_id_format  = options[:name_id_format] || EMAIL_FORMAT
+        subject_conf_m  = options[:subject_conf_m] || "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+        version         = options[:version]        || "2.0"
+        auth_context    = options[:auth_context]   || "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+        issuer          = options[:issuer]         || "ResponseBuilder IdP"
+        attributes      = options[:attributes]     || {}
+
+        # Mandatory for responses
+        destination     = options.fetch(:destination)
+        in_response_to  = options.fetch(:in_response_to)
+        name_id         = options.fetch(:name_id)
+        not_on_or_after = options.fetch(:not_on_or_after)
+        not_before      = options.fetch(:not_before)
+        audience        = options.fetch(:audience)
+
+        # Signature settings
+        sign_assertion  = [ true, false ].member?(options[:sign_assertion]) ? options[:sign_assertion] : true
+        sign_response   = [ true, false ].member?(options[:sign_response]) ? options[:sign_response] : true
+
+        # Fixture controls
+        skip_assertion  = options[:skip_assertion]
+        skip_conditions = options[:skip_conditions]
+
+        builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
+          xml.Response("xmlns:samlp" => NS_MAP["samlp"], "ID" => response_id, "InResponseTo" => in_response_to, "Version" => version, "IssueInstant" => issue_instant, "Destination" => destination) do
+            xml.doc.root.add_namespace_definition("saml", NS_MAP["saml"])
+            xml.doc.root.namespace = xml.doc.root.namespace_definitions.find { |ns| ns.prefix == "samlp" }
+
+            xml["saml"].Issuer(issuer)
+            xml["samlp"].Status { |xml| xml["samlp"].StatusCode("Value" => status_code) }
+
+            unless skip_assertion
+              xml["saml"].Assertion("xmlns:saml" => NS_MAP["saml"], "ID" => assertion_id, "IssueInstant" => issue_instant, "Version" => "2.0") do
+                xml["saml"].Issuer(issuer)
+
+                xml["saml"].Subject do
+                  xml["saml"].NameID(name_id, "Format" => name_id_format)
+
+                  xml["saml"].SubjectConfirmation("Method" => subject_conf_m) do
+                    xml["saml"].SubjectConfirmationData("InResponseTo" => in_response_to, "NotOnOrAfter" => not_on_or_after, "Recipient" => destination)
+                  end
+                end
+
+                unless skip_conditions
+                  xml["saml"].Conditions("NotBefore" => not_before, "NotOnOrAfter" => not_on_or_after) do
+                    xml["saml"].AudienceRestriction do
+                      xml["saml"].Audience(audience)
+                    end
+                  end
+                end
+
+                xml["saml"].AuthnStatement("AuthnInstant" => issue_instant, "SessionIndex" => assertion_id) do
+                  xml["saml"].AuthnContext do
+                    xml["saml"].AuthnContextClassRef(auth_context)
+                  end
+                end
+
+                unless attributes.empty?
+                  xml["saml"].AttributeStatement do
+                    attributes.keys.sort.each do |name|
+                      xml["saml"].Attribute("Name" => name) do
+                        values = Array(attributes[name])
+                        values.each do |value|
+                          xml["saml"].AttributeValue(value, "xmlns:xsi" => NS_MAP["xsi"], "xmlns:xs" => NS_MAP["xs"], "xsi:type" => "xs:string")
+                        end
+                      end
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        # The core response is ready, not on to signing
+        response = builder.doc
+
+        response = sign(response, assertion_id, options) if sign_assertion
+        response = sign(response, response_id, options)  if sign_response
+
+        response.to_xml(COMPACT)
+      end
+
+      def self.sign(document, element_id, options)
+        certificate  = options[:certificate] || Samlr::Tools::CertificateBuilder.new
+        element      = document.at("//*[@ID='#{element_id}']")
+        digest       = digest(document, element, options)
+        canoned      = digest.at("./ds:SignedInfo", NS_MAP).canonicalize(C14N)
+        signature    = certificate.sign(canoned)
+        skip_keyinfo = options[:skip_keyinfo]
+
+        Nokogiri::XML::Builder.with(digest) do |xml|
+          xml.SignatureValue(signature)
+          xml.KeyInfo do
+            xml.X509Data do
+              xml.X509Certificate(certificate.x509_as_pem)
+            end
+          end unless skip_keyinfo
+        end
+        # digest.root.last_element_child.after "<SignatureValue>#{signature}</SignatureValue>"
+        element.at("./saml:Issuer", NS_MAP).add_next_sibling(digest)
+
+        document
+      end
+
+      def self.digest(document, element, options)
+        c14n_method   = options[:c14n_method]   || "http://www.w3.org/2001/10/xml-exc-c14n#"
+        sign_method   = options[:sign_method]   || "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+        digest_method = options[:digest_method] || "http://www.w3.org/2000/09/xmldsig#sha1"
+        env_signature = options[:env_signature] || "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+        namespaces    = options[:namespaces]    || [ "#default", "samlp", "saml", "ds", "xs", "xsi" ]
+
+        canoned       = element.canonicalize(C14N, namespaces)
+        digest_value  = Base64.encode64(OpenSSL::Digest::SHA1.new.digest(canoned)).delete("\n")
+
+        builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
+          xml.Signature("xmlns" => NS_MAP["ds"]) do
+
+            xml.SignedInfo do
+              xml.CanonicalizationMethod("Algorithm" => c14n_method)
+              xml.SignatureMethod("Algorithm" => sign_method)
+
+              xml.Reference("URI" => "##{element['ID']}") do
+                xml.Transforms do
+                  xml.Transform("Algorithm" => env_signature)
+                  xml.Transform("Algorithm" => c14n_method) do
+                    xml.InclusiveNamespaces("xmlns" => c14n_method, "PrefixList" => namespaces.join(" "))
+                  end
+                end
+                xml.DigestMethod("Algorithm" => digest_method)
+                xml.DigestValue(digest_value)
+              end
+            end
+          end
+        end
+
+        builder.doc.root
+      end
+
+    end
+  end
+end