samlsso 0.1.0

data/lib/samlsso/idp_metadata_parser.rb

@@ -0,0 +1,85 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module Samlsso
+    include REXML
+
+    class IdpMetadataParser
+
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      DSIG     = "http://www.w3.org/2000/09/xmldsig#"
+
+      attr_reader :document
+
+      def parse_remote(url, validate_cert = true)
+        idp_metadata = get_idp_metadata(url, validate_cert)
+        parse(idp_metadata)
+      end
+
+      def parse(idp_metadata)
+        @document = REXML::Document.new(idp_metadata)
+
+        Samlsso::Settings.new.tap do |settings|
+
+          settings.idp_sso_target_url = single_signon_service_url
+          settings.idp_slo_target_url = single_logout_service_url
+          settings.idp_cert_fingerprint = fingerprint
+        end
+      end
+
+      private
+
+      # Retrieve the remote IdP metadata from the URL or a cached copy
+      # # returns a REXML document of the metadata
+      def get_idp_metadata(url, validate_cert)
+        uri = URI.parse(url)
+        if uri.scheme == "http"
+          response = Net::HTTP.get_response(uri)
+          meta_text = response.body
+        elsif uri.scheme == "https"
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = true
+          # Most IdPs will probably use self signed certs
+          if validate_cert
+            http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          else
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          end
+          get = Net::HTTP::Get.new(uri.request_uri)
+          response = http.request(get)
+          meta_text = response.body
+        end
+        meta_text
+      end
+
+      def single_signon_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def single_logout_service_url
+        node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location", { "md" => METADATA })
+        node.value if node
+      end
+
+      def certificate
+        @certificate ||= begin
+          node = REXML::XPath.first(document, "/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", { "md" => METADATA, "ds" => DSIG })
+          Base64.decode64(node.text) if node
+        end
+      end
+
+      def fingerprint
+        @fingerprint ||= begin
+          if certificate
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          end
+        end
+      end
+    end
+end

data/lib/samlsso/logging.rb

@@ -0,0 +1,20 @@
+# Simplistic log class when we're running in Rails
+module Samlsso
+    class Logging
+      def self.debug(message)
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+end

data/lib/samlsso/logoutrequest.rb

@@ -0,0 +1,100 @@
+require "uuid"
+
+require "samlsso/logging"
+
+module Samlsso
+    class Logoutrequest < SamlMessage
+
+      attr_reader :uuid # Can be obtained if neccessary
+
+      def initialize
+        @uuid = "_" + UUID.new.generate
+      end
+
+      def create(settings, params={})
+        params = create_params(settings, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_request = CGI.escape(params.delete("SAMLRequest"))
+        request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
+        params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      def create_params(settings, params={})
+        params = {} if params.nil?
+
+        request_doc = create_logout_request_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created SLO Logout Request: #{request}"
+
+        request = deflate(request) if settings.compress_request
+        base64_request = encode(request)
+        request_params = {"SAMLRequest" => base64_request}
+
+        if settings.security[:logout_requests_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLRequest=#{CGI.escape(base64_request)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
+        end
+
+        params.each_pair do |key, value|
+          request_params[key] = value.to_s
+        end
+
+        request_params
+      end
+
+      def create_logout_request_xml_doc(settings)
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
+
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_slo_target_url  unless settings.idp_slo_target_url.nil?
+
+        if settings.issuer
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
+
+        name_id = root.add_element "saml:NameID"
+        if settings.name_identifier_value
+          name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          name_id.text = settings.name_identifier_value
+        else
+          # If no NameID is present in the settings we generate one
+          name_id.text = "_" + UUID.new.generate
+          name_id.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        end
+
+        if settings.sessionindex
+          sessionindex = root.add_element "samlp:SessionIndex"
+          sessionindex.text = settings.sessionindex
+        end
+
+        # embebed sign
+        if settings.security[:logout_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        request_doc
+      end
+    end
+end

data/lib/samlsso/logoutresponse.rb

@@ -0,0 +1,110 @@
+require "xml_security"
+require "time"
+
+module Samlsso
+    class Logoutresponse < SamlMessage
+      # For API compability, this is mutable.
+      attr_accessor :settings
+
+      attr_reader :document
+      attr_reader :response
+      attr_reader :options
+
+      #
+      # In order to validate that the response matches a given request, append
+      # the option:
+      #   :matches_request_id => REQUEST_ID
+      #
+      # It will validate that the logout response matches the ID of the request.
+      # You can also do this yourself through the in_response_to accessor.
+      #
+      def initialize(response, settings = nil, options = {})
+        raise ArgumentError.new("Logoutresponse cannot be nil") if response.nil?
+        self.settings = settings
+
+        @options = options
+        @response = decode_raw_saml(response)
+        @document = XMLSecurity::SignedDocument.new(@response)
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def validate(soft = true)
+        return false unless valid_saml?(document, soft) && valid_state?(soft)
+
+        valid_in_response_to?(soft) && valid_issuer?(soft) && success?(soft)
+      end
+
+      def success?(soft = true)
+        unless status_code == "urn:oasis:names:tc:SAML:2.0:status:Success"
+          return soft ? false : validation_error("Bad status code. Expected <urn:oasis:names:tc:SAML:2.0:status:Success>, but was: <#@status_code> ")
+        end
+        true
+      end
+
+      def in_response_to
+        @in_response_to ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes['InResponseTo']
+        end
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= REXML::XPath.first(document, "/p:LogoutResponse/a:Assertion/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def status_code
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutResponse/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.attributes["Value"]
+        end
+      end
+
+      private
+
+      def valid_state?(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.issuer.nil?
+          return soft ? false : validation_error("No issuer in settings")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def valid_in_response_to?(soft = true)
+        return true unless self.options.has_key? :matches_request_id
+
+        unless self.options[:matches_request_id] == in_response_to
+          return soft ? false : validation_error("Response does not match the request ID, expected: <#{self.options[:matches_request_id]}>, but was: <#{in_response_to}>")
+        end
+
+        true
+      end
+
+      def valid_issuer?(soft = true)
+        return true if self.settings.idp_entity_id.nil? or self.issuer.nil?
+
+        unless URI.parse(self.issuer) == URI.parse(self.settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{self.settings.issuer}>, but was: <#{issuer}>")
+        end
+        true
+      end
+    end
+end

data/lib/samlsso/metadata.rb

@@ -0,0 +1,94 @@
+require "rexml/document"
+require "rexml/xpath"
+require "uri"
+
+require "samlsso/logging"
+
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Samlsso
+    include REXML
+    class Metadata
+      def generate(settings)
+        meta_doc = REXML::Document.new
+        root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+        }
+        sp_sso = root.add_element "md:SPSSODescriptor", {
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "AuthnRequestsSigned" => settings.security[:authn_requests_signed],
+            # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
+            "WantAssertionsSigned" => !!(settings.idp_cert_fingerprint || settings.idp_cert)
+        }
+        if settings.issuer
+          root.attributes["entityID"] = settings.issuer
+        end
+        if settings.single_logout_service_url
+          sp_sso.add_element "md:SingleLogoutService", {
+              "Binding" => settings.single_logout_service_binding,
+              "Location" => settings.single_logout_service_url,
+              "ResponseLocation" => settings.single_logout_service_url,
+              "isDefault" => true,
+              "index" => 0
+          }
+        end
+        if settings.name_identifier_format
+          name_id = sp_sso.add_element "md:NameIDFormat"
+          name_id.text = settings.name_identifier_format
+        end
+        if settings.assertion_consumer_service_url
+          sp_sso.add_element "md:AssertionConsumerService", {
+              "Binding" => settings.assertion_consumer_service_binding,
+              "Location" => settings.assertion_consumer_service_url,
+              "isDefault" => true,
+              "index" => 0
+          }
+        end
+
+        # Add KeyDescriptor if messages will be signed
+        cert = settings.get_sp_cert()
+        if cert
+          kd = sp_sso.add_element "md:KeyDescriptor", { "use" => "signing" }
+          ki = kd.add_element "ds:KeyInfo", {"xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#"}
+          xd = ki.add_element "ds:X509Data"
+          xc = xd.add_element "ds:X509Certificate"
+          xc.text = Base64.encode64(cert.to_der).gsub("\n", '')
+        end
+
+        if settings.attribute_consuming_service.configured?
+          sp_acs = sp_sso.add_element "md:AttributeConsumingService", {
+            "isDefault" => "true",
+            "index" => settings.attribute_consuming_service.index 
+          }
+          srv_name = sp_acs.add_element "md:ServiceName", {
+            "xml:lang" => "en"
+          }
+          srv_name.text = settings.attribute_consuming_service.name
+          settings.attribute_consuming_service.attributes.each do |attribute|
+            sp_req_attr = sp_acs.add_element "md:RequestedAttribute", {
+              "NameFormat" => attribute[:name_format],
+              "Name" => attribute[:name], 
+              "FriendlyName" => attribute[:friendly_name]
+            }
+            unless attribute[:attribute_value].nil?
+              sp_attr_val = sp_req_attr.add_element "md:AttributeValue"
+              sp_attr_val.text = attribute[:attribute_value]
+            end
+          end
+        end
+
+        # With OpenSSO, it might be required to also include
+        #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+        #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+
+        meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+        ret = ""
+        # pretty print the XML so IdP administrators can easily see what the SP supports
+        meta_doc.write(ret, 1)
+
+        return ret
+      end
+    end
+end

data/lib/samlsso/response.rb

@@ -0,0 +1,271 @@
+require "xml_security"
+require "time"
+require "nokogiri"
+
+# Only supports SAML 2.0
+module Samlsso
+
+    class Response < SamlMessage
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+      # TODO: This should probably be ctor initialized too... WDYT?
+      attr_accessor :settings
+      attr_accessor :errors
+
+      attr_reader :options
+      attr_reader :response
+      attr_reader :document
+      attr_reader :decoded_response
+      attr_reader :decrypted_response
+      attr_reader :decoded_document
+      
+      def initialize(response, options = {})
+        @errors = []
+        raise ArgumentError.new("Response cannot be nil") if response.nil?
+        @options  = options
+        @decoded_response = decode_raw_saml(response)
+        @decrypted_response = decrypt_saml(@decoded_response, @options[:private_key_file_path])
+        @response = @decrypted_response
+        @document = XMLSecurity::SignedDocument.new(@response, @errors)
+        @decoded_document = XMLSecurity::SignedDocument.new(@decoded_response, @errors)
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      def errors
+        @errors
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def sessionindex
+        @sessionindex ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          node.nil? ? nil : (node.attributes['SessionIndex'] ? node.attributes['SessionIndex'] : node.attributes['sessionindex'])
+        end
+      end
+
+      # Returns Samlsso::Attributes enumerable collection.
+      # All attributes can be iterated over +attributes.each+ or returned as array by +attributes.all+
+      #
+      # For backwards compatibility samlsso returns by default only the first value for a given attribute with
+      #    attributes['name']
+      # To get all of the attributes, use:
+      #    attributes.multi('name')
+      # Or turn off the compatibility:
+      #    Samlsso::Attributes.single_value_compatibility = false
+      # Now this will return an array:
+      #    attributes['name']
+      def attributes
+        @attr_statements ||= begin
+          attributes = Attributes.new
+
+          stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement')
+          return attributes if stmt_element.nil?
+
+          stmt_element.elements.each do |attr_element|
+            name  = attr_element.attributes["Name"] ? attr_element.attributes["Name"] : attr_element.attributes["name"]
+            values = attr_element.elements.collect{|e|
+              # SAMLCore requires that nil AttributeValues MUST contain xsi:nil XML attribute set to "true" or "1"
+              # otherwise the value is to be regarded as empty.
+              ["true", "1"].include?(e.attributes['xsi:nil']) ? nil : e.text.to_s
+            }
+
+            attributes.add(name, values)
+          end
+
+          attributes
+        end
+      end
+
+      # When this user session should expire at latest
+      def session_expires_at
+        @expires_at ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          parse_time(node, "SessionNotOnOrAfter")
+        end
+      end
+
+      # Checks the status of the response for a "Success" code
+      def success?
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success" || node.attributes["value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+        end
+      end
+
+      def status_message
+        @status_message ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusMessage", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.text if node
+        end
+      end
+
+      # Conditions (if any) for the assertion to run
+      def conditions
+        @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
+      end
+
+      def not_before
+        @not_before ||= parse_time(conditions, "NotBefore")
+      end
+
+      def not_on_or_after
+        @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= xpath_first_from_signed_assertion('/a:Issuer')
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validate(soft = true)
+        valid_saml?(decoded_document, soft)      &&
+        validate_response_state(soft) &&
+        validate_conditions(soft)     &&
+        validate_issuer(soft)         &&
+        decoded_document.validate_document(get_fingerprint, soft) &&
+        validate_success_status(soft)
+      end
+
+      def validate_success_status(soft = true)
+        if success?
+          true
+        else
+          soft ? false : validation_error(status_message)
+        end
+      end
+
+      def validate_structure(soft = true)
+        return true #temp
+        xml = Nokogiri::XML(self.document.to_s)
+
+        SamlMessage.schema.validate(xml).map do |error|
+          if soft
+            @errors << "Schema validation failed"
+            break false
+          else
+            error_message = [error.message, xml.to_s].join("\n\n")
+
+            @errors << error_message
+            validation_error(error_message)
+          end
+        end
+      end
+
+      def validate_response_state(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def xpath_first_from_signed_assertion(subelt=nil)
+        id_str = ""
+        id_str = "[@ID=$id]" unless document.signed_element_id.blank?
+        node = REXML::XPath.first(
+            document,
+            "/p:Response/a:Assertion#{id_str}#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response#{id_str}/a:Assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response/a:assertion#{id_str}#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        )
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response#{id_str}/a:assertion#{subelt}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        ) 
+        node ||= REXML::XPath.first(
+            document,
+            "/p:Response#{id_str}/a:assertion#{subelt.downcase}",
+            { "p" => PROTOCOL, "a" => ASSERTION },
+            { 'id' => document.signed_element_id }
+        ) 
+        node
+      end
+
+      def get_fingerprint
+        if settings.idp_cert
+          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        else
+          settings.idp_cert_fingerprint
+        end
+      end
+
+      def validate_conditions(soft = true)
+        return true if conditions.nil?
+        return true if options[:skip_conditions]
+
+        now = Time.now.utc
+
+        if not_before && (now + (options[:allowed_clock_drift] || 0)) < not_before
+          @errors << "Current time is earlier than NotBefore condition #{(now + (options[:allowed_clock_drift] || 0))} < #{not_before})"
+          return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+        end
+
+        if not_on_or_after && now >= not_on_or_after
+          @errors << "Current time is on or after NotOnOrAfter condition (#{now} >= #{not_on_or_after})"
+          return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+        end
+
+        true
+      end
+
+      def validate_issuer(soft = true)
+        return true if settings.idp_entity_id.nil?
+
+        unless URI.parse(issuer) == URI.parse(settings.idp_entity_id)
+          return soft ? false : validation_error("Doesn't match the issuer, expected: <#{settings.idp_entity_id}>, but was: <#{issuer}>")
+        end
+        true
+      end
+
+      def parse_time(node, attribute)
+        if node
+          attrs = node.attributes[attribute] ? node.attributes[attribute] : node.attributes[attribute.downcase]
+          Time.parse(attrs) if attrs
+        end
+      end
+    end
+end