samlr 2.0.0

data/lib/samlr/certificate.rb

@@ -0,0 +1,23 @@
+module Samlr
+  class Certificate
+    attr_reader :x509
+    
+    def initialize(value)
+      @x509 = if value.is_a?(OpenSSL::X509::Certificate)
+        value
+      elsif value.is_a?(IO)
+        OpenSSL::X509::Certificate.new(value.read)
+      else
+        OpenSSL::X509::Certificate.new(value)
+      end
+    end
+
+    def fingerprint
+      @fingerprint ||= Fingerprint.new(@x509)
+    end
+
+    def ==(other)
+      other.is_a?(Certificate) && fingerprint == other.fingerprint
+    end
+  end
+end

data/lib/samlr/command.rb

@@ -0,0 +1,41 @@
+require "samlr"
+require "logger"
+
+module Samlr
+  # Helper module for command line options
+  module Command
+    COMMANDS = [ :verify, :schema_validate, :print ]
+
+    def self.execute(options, path = nil)
+      Samlr.logger.level    = Logger::DEBUG if options[:verbose]
+      Samlr.validation_mode = :log if options[:skip_validation]
+
+      if options[:verify]
+        if File.directory?(path)
+          result = []
+          Dir.glob("#{path}/*.*").each do |file|
+            result << execute_verify(file, options)
+          end
+          result.join("\n")
+        else
+          execute_verify(path, options)
+        end
+      elsif options[:schema_validate]
+        Samlr::Tools.validate(:path => path)
+      elsif options[:print]
+        Samlr::Response.parse(File.read(path)).to_xml
+      end
+    end
+
+    private
+
+    def self.execute_verify(path, options)
+      begin
+        Samlr::Response.new(File.read(path), options).verify!
+        "Verification passed for #{path}"
+      rescue Samlr::SamlrError => e
+        "Verification failed for #{path}: #{e.message}"
+      end
+    end
+  end
+end

data/lib/samlr/condition.rb

@@ -0,0 +1,31 @@
+module Samlr
+  class Condition
+    attr_reader :not_before, :not_on_or_after
+
+    def initialize(condition)
+      @not_before      = (condition || {})["NotBefore"]
+      @not_on_or_after = (condition || {})["NotOnOrAfter"]
+    end
+
+    def verify!
+      unless not_before_satisfied?
+        raise Samlr::ConditionsError.new("Not before violation, now #{Samlr::Tools::Timestamp.stamp} vs. earliest #{not_before}")
+      end
+
+      unless not_on_or_after_satisfied?
+        raise Samlr::ConditionsError.new("Not on or after violation, now #{Samlr::Tools::Timestamp.stamp} vs. at latest #{not_on_or_after}")
+      end
+
+      true
+    end
+
+    def not_before_satisfied?
+      not_before.nil? || Samlr::Tools::Timestamp.not_before?(Samlr::Tools::Timestamp.parse(not_before))
+    end
+
+    def not_on_or_after_satisfied?
+      not_on_or_after.nil? || Samlr::Tools::Timestamp.not_on_or_after?(Samlr::Tools::Timestamp.parse(not_on_or_after))
+    end
+  end
+
+end

data/lib/samlr/errors.rb

@@ -0,0 +1,22 @@
+module Samlr
+  class SamlrError < StandardError
+    attr_reader :details
+
+    def initialize(*args)
+      super(args.shift)
+      @details = args.shift unless args.empty?
+    end
+  end
+
+  class FormatError < SamlrError
+  end
+
+  class SignatureError < SamlrError
+  end
+
+  class FingerprintError < SamlrError
+  end
+
+  class ConditionsError < SamlrError
+  end
+end

data/lib/samlr/fingerprint.rb

@@ -0,0 +1,44 @@
+module Samlr
+  class Fingerprint
+    attr_accessor :value
+
+    def initialize(value)
+      if value.is_a?(OpenSSL::X509::Certificate)
+        @value = Fingerprint.x509(value)
+      else
+        @value = Fingerprint.normalize(value)
+      end
+    end
+
+    # Fingerprints compare if their values are equal and not blank
+    def ==(other)
+      other.is_a?(Fingerprint) && other.valid? && valid? && other.to_s == to_s
+    end
+
+    def compare!(other)
+      if self != other
+        raise FingerprintError.new("Fingerprint mismatch", "#{self} vs. #{other}")
+      else
+        true
+      end
+    end
+
+    def valid?
+      value =~ /([A-F0-9]:?)+/
+    end
+
+    def to_s
+      value
+    end
+
+    # Extracts a fingerprint for an x509 certificate
+    def self.x509(certificate)
+      normalize(OpenSSL::Digest::SHA1.new.hexdigest(certificate.to_der))
+    end
+
+    # Converts a string to fingerprint normal form
+    def self.normalize(value)
+      value.to_s.upcase.gsub(/[^A-F0-9]/, "").scan(/../).join(":")
+    end
+  end
+end

data/lib/samlr/logout_request.rb

@@ -0,0 +1,7 @@
+module Samlr
+  class LogoutRequest < Request
+    def body
+      @body ||= Samlr::Tools::LogoutRequestBuilder.build(options)
+    end
+  end
+end

data/lib/samlr/reference.rb

@@ -0,0 +1,32 @@
+require "base64"
+
+module Samlr
+  class Reference
+    attr_reader :uri, :node
+
+    def initialize(node)
+      @node = node
+      @uri  = node["URI"][1..-1]
+    end
+
+    def digest_method
+      @digest_method ||= Samlr::Tools.algorithm(node.at("./ds:DigestMethod/@Algorithm", NS_MAP).try(:value))
+    end
+
+    def digest_value
+      @digest_value  ||= node.at("./ds:DigestValue", NS_MAP).text
+    end
+
+    def decoded_digest_value
+      @decoded_digest_value ||= Base64.decode64(digest_value)
+    end
+
+    def namespaces
+      @namespaces ||= begin
+        attribute = node.at("./ds:Transforms/ds:Transform/c14n:InclusiveNamespaces/@PrefixList", NS_MAP).try(:value)
+        attribute ? attribute.split(" ") : []
+      end
+    end
+
+  end
+end

data/lib/samlr/request.rb

@@ -0,0 +1,37 @@
+require "cgi"
+
+module Samlr
+  class Request
+    attr_reader :options
+
+    def initialize(options = {})
+      @options = options
+    end
+
+    # The encoded SAML request
+    def param
+      @param ||= Samlr::Tools.encode(body)
+    end
+
+    # The XML payload body
+    def body
+      @body ||= Samlr::Tools::RequestBuilder.build(options)
+    end
+
+    # Utility method to get the full redirect destination, Request#url("https://idp.example.com/saml", { :RelayState => "https://sp.example.com/saml" })
+    def url(root, params = {})
+      dest = root.dup
+      if dest.include?("?")
+        dest << "&SAMLRequest=#{param}"
+      else
+        dest << "?SAMLRequest=#{param}"
+      end
+
+      params.each_pair do |key, value|
+        dest << "&#{key}=#{CGI.escape(value.to_s)}"
+      end
+
+      dest
+    end
+  end
+end

data/lib/samlr/response.rb

@@ -0,0 +1,68 @@
+require "forwardable"
+require "nokogiri"
+
+module Samlr
+
+  # This is the object interface to the XML response object.
+  class Response
+    extend Forwardable
+
+    def_delegators :assertion, :name_id, :attributes
+    attr_reader :document, :options
+
+    def initialize(data, options)
+      @options  = options
+      @document = Response.parse(data)
+    end
+
+    # The verification process assumes that all signatures are enveloped. Since this process
+    # is destructive the document needs to verify itself first, and then any signed assertions
+    def verify!
+      if signature.missing? && assertion.signature.missing?
+        raise Samlr::SignatureError.new("Neither response nor assertion signed")
+      end
+
+      signature.verify! unless signature.missing?
+      assertion.verify!
+
+      true
+    end
+
+    def location
+      "/samlp:Response"
+    end
+
+    def signature
+      @signature ||= Samlr::Signature.new(document, location, options)
+    end
+
+    # Returns the assertion element. Only supports a single assertion.
+    def assertion
+      @assertion ||= Samlr::Assertion.new(document, options)
+    end
+
+    # Tries to parse the SAML response. First, it assumes it to be Base64 encoded
+    # If this fails, it subsequently attempts to parse the raw input as select IdP's
+    # send that rather than a Base64 encoded value
+    def self.parse(data)
+      begin
+        document = Nokogiri::XML(Base64.decode64(data)) { |config| config.strict }
+      rescue Nokogiri::XML::SyntaxError => e
+        begin
+          document = Nokogiri::XML(data) { |config| config.strict }
+        rescue
+          raise Samlr::FormatError.new(e.message)
+        end
+      end
+
+      begin
+        Samlr::Tools.validate!(:document => document)
+      rescue Samlr::SamlrError => e
+        Samlr.logger.warn("Accepting non schema conforming response: #{e.message}, #{e.details}")
+        raise e unless Samlr.validation_mode == :log
+      end
+
+      document
+    end
+  end
+end

data/lib/samlr/signature.rb

@@ -0,0 +1,129 @@
+require "openssl"
+require "base64"
+require "samlr/certificate"
+require "samlr/reference"
+
+module Samlr
+  # A SAML specific implementation http://en.wikipedia.org/wiki/XML_Signature
+  class Signature
+    attr_reader :original, :document, :prefix, :options, :signature, :fingerprint
+
+    # Is initialized with the source document and a path to the element embedding the signature
+    def initialize(original, prefix, options)
+      # Signature validations require document alterations
+      @original = original
+      @document = original.dup
+      @prefix   = prefix
+      @options  = options
+
+      if @signature = document.at("#{prefix}/ds:Signature", NS_MAP)
+        @signature.remove # enveloped signatures only
+      end
+
+      @fingerprint = if options[:fingerprint]
+        Fingerprint.new(options[:fingerprint])
+      elsif options[:certificate]
+        Certificate.new(options[:certificate]).fingerprint
+      end
+    end
+
+    def present?
+      !missing?
+    end
+
+    def missing?
+      signature.nil?
+    end
+
+    def verify!
+      raise SignatureError.new("No signature at #{prefix}/ds:Signature") unless present?
+
+      verify_fingerprint! unless options[:skip_fingerprint]
+      verify_digests!
+      verify_signature!
+
+      true
+    end
+
+    def references
+      @references ||= [].tap do |refs|
+        original.xpath("#{prefix}/ds:Signature/ds:SignedInfo/ds:Reference[@URI]", NS_MAP).each do |ref|
+          refs << Samlr::Reference.new(ref)
+        end
+      end
+    end
+
+    private
+
+    def x509
+      @x509 ||= certificate.x509
+    end
+
+    # Establishes trust that the remote party is who you think
+    def verify_fingerprint!
+      fingerprint.compare!(certificate.fingerprint)
+    end
+
+    # Tests that the document content has not been edited
+    def verify_digests!
+      references.each do |reference|
+        node    = referenced_node(reference.uri)
+        canoned = node.canonicalize(C14N, reference.namespaces)
+        digest  = reference.digest_method.digest(canoned)
+
+        if digest != reference.decoded_digest_value
+          raise SignatureError.new("Reference validation error: Digest mismatch for #{reference.uri}")
+        end
+      end
+    end
+
+    # Tests correctness of the signature (and hence digests)
+    def verify_signature!
+      node      = original.at("#{prefix}/ds:Signature/ds:SignedInfo", NS_MAP)
+      canoned   = node.canonicalize(C14N)
+
+      unless x509.public_key.verify(signature_method.new, decoded_signature_value, canoned)
+        raise SignatureError.new("Signature validation error: Possible canonicalization mismatch", "This canonicalizer returns #{canoned}")
+      end
+    end
+
+    # Looks up node by id, checks that there's only a single node with a given id
+    def referenced_node(id)
+      nodes = document.xpath("//*[@ID='#{id}']")
+
+      if nodes.size != 1
+        raise SignatureError.new("Reference validation error: Invalid element references", "Expected 1 element with id #{id}, found #{nodes.size}")
+      end
+
+      nodes.first
+    end
+
+    def signature_method
+      @signature_method ||= Samlr::Tools.algorithm(signature.at("./ds:SignedInfo/ds:SignatureMethod/@Algorithm", NS_MAP).try(:value))
+    end
+
+    def signature_value
+      @signature_value ||= signature.at("./ds:SignatureValue", NS_MAP).text
+    end
+
+    def decoded_signature_value
+      @decoded_signature_value = Base64.decode64(signature_value)
+    end
+
+    def certificate
+      @certificate ||= begin
+        if node = certificate_node
+          Certificate.new(Base64.decode64(node.text))
+        elsif cert = options[:certificate]
+          Certificate.new(cert)
+        else
+          raise SignatureError.new("No X509Certificate element in response signature. Cannot validate signature.")
+        end
+      end
+    end
+
+    def certificate_node
+      signature.at("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS_MAP)
+    end
+  end
+end