samlsso 0.1.0

data/lib/samlsso/saml_message.rb

@@ -0,0 +1,117 @@
+require 'cgi'
+require 'zlib'
+require 'base64'
+require "nokogiri"
+require "rexml/document"
+require "rexml/xpath"
+require "xmlenc"
+require "thread"
+
+module Samlsso
+    class SamlMessage
+      include REXML
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      def self.schema
+        @schema ||= Mutex.new.synchronize do
+          Dir.chdir(File.expand_path("../../../schemas", __FILE__)) do
+            ::Nokogiri::XML::Schema(File.read("saml-schema-protocol-2.0.xsd"))
+          end
+        end
+      end
+
+      def valid_saml?(document, soft = true)
+        xml = Nokogiri::XML(document.to_s)
+
+        SamlMessage.schema.validate(xml).map do |error|
+          break false if soft
+          validation_error("#{error.message}\n\n#{xml.to_s}")
+        end
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      private
+
+      def decrypt_saml(decoded_saml, private_key_file_path=nil)
+        noko_xml = Nokogiri::XML(decoded_saml)
+        if (noko_xml.xpath('//saml:EncryptedAssertion', { :saml => ASSERTION }).count > 0)
+          raise ArgumentError, "Decryption Key File Path not provided for Encrypted Assertion" if private_key_file_path.nil?
+          key_pem = File.read(private_key_file_path)
+          encrypted_response = Xmlenc::EncryptedDocument.new(decoded_saml)
+          private_key = OpenSSL::PKey::RSA.new(key_pem)
+          decrypted_string = encrypted_response.decrypt(private_key)
+          decrypted_doc = Nokogiri::XML(decrypted_string) do |config|
+            # config.strict.nonet # for an ideal world
+          end
+          saml_namespace = {:saml => ASSERTION}
+          assertion = decrypted_doc.xpath("//saml:EncryptedAssertion/saml:Assertion", saml_namespace)
+          assertion = decrypted_doc.xpath("//saml:assertion", saml_namespace) if assertion.empty?
+          assertion = decrypted_doc.xpath("//saml:Assertion", saml_namespace) if assertion.empty?
+          assertion = decrypted_doc.xpath("//saml:ASSERTION", saml_namespace) if assertion.empty?
+
+          encrypted_assertion = decrypted_doc.xpath("//saml:EncryptedAssertion", saml_namespace)
+          encrypted_assertion = decrypted_doc.xpath("//saml:encryptedassertion", saml_namespace) if encrypted_assertion.empty?
+          encrypted_assertion = decrypted_doc.xpath("//saml:Encryptedassertion", saml_namespace) if encrypted_assertion.empty?
+          encrypted_assertion = decrypted_doc.xpath("//saml:ENCRYPTEDASSERTION", saml_namespace) if encrypted_assertion.empty?
+
+          if assertion.empty?
+            validation_error("XML document seems to be malformed and does not have correct Nodes")
+          else
+            encrypted_assertion.remove
+            decrypted_doc.root.add_child(assertion.last)
+            return decrypted_doc.to_xml.squish
+          end
+        end
+        return decoded_saml
+      end
+      
+      def decode_raw_saml(saml)
+        if saml =~ /^</
+          return saml
+        elsif (decoded  = decode(saml)) =~ /^</
+          return decoded
+        elsif (inflated = inflate(decoded)) =~ /^</
+          return inflated
+        end
+
+        return nil
+      end
+
+      def encode_raw_saml(saml, settings)
+        saml           = Zlib::Deflate.deflate(saml, 9)[2..-5] if settings.compress_request
+        base64_saml    = Base64.encode64(saml)
+        return CGI.escape(base64_saml)
+      end
+
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded).gsub(/\n/, "")
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+end

data/lib/samlsso/settings.rb

@@ -0,0 +1,115 @@
+module Samlsso
+    class Settings
+      def initialize(overrides = {})
+        config = DEFAULTS.merge(overrides)
+        config.each do |k,v|
+          acc = "#{k.to_s}=".to_sym
+          self.send(acc, v) if self.respond_to? acc
+        end
+        @attribute_consuming_service = AttributeService.new
+      end
+
+      # IdP Data
+      attr_accessor :idp_entity_id
+      attr_accessor :idp_sso_target_url
+      attr_accessor :idp_slo_target_url
+      attr_accessor :idp_cert
+      attr_accessor :idp_cert_fingerprint
+      attr_accessor :idp_sso_is_encrypted
+      # SP Data
+      attr_accessor :issuer
+      attr_accessor :assertion_consumer_service_url
+      attr_accessor :assertion_consumer_service_binding
+      attr_accessor :sp_name_qualifier
+      attr_accessor :name_identifier_format
+      attr_accessor :name_identifier_value
+      attr_accessor :sessionindex
+      attr_accessor :compress_request
+      attr_accessor :compress_response
+      attr_accessor :double_quote_xml_attribute_values
+      attr_accessor :passive
+      attr_accessor :protocol_binding
+      attr_accessor :attributes_index
+      attr_accessor :force_authn
+      attr_accessor :security
+      attr_accessor :certificate
+      attr_accessor :private_key
+      attr_accessor :authn_context
+      attr_accessor :authn_context_comparison
+      attr_accessor :authn_context_decl_ref
+      attr_reader :attribute_consuming_service
+      # Compability
+      attr_accessor :assertion_consumer_logout_service_url
+      attr_accessor :assertion_consumer_logout_service_binding
+
+      def single_logout_service_url()
+        val = nil
+        if @single_logout_service_url.nil?
+          if @assertion_consumer_logout_service_url
+            val = @assertion_consumer_logout_service_url
+          end
+        else
+          val = @single_logout_service_url
+        end
+        val
+      end
+
+      # setter
+      def single_logout_service_url=(val)
+        @single_logout_service_url = val
+      end
+
+      def single_logout_service_binding()
+        val = nil
+        if @single_logout_service_binding.nil?
+          if @assertion_consumer_logout_service_binding
+            val = @assertion_consumer_logout_service_binding
+          end
+        else
+          val = @single_logout_service_binding
+        end
+        val
+      end
+
+      # setter
+      def single_logout_service_binding=(val)
+        @single_logout_service_binding = val
+      end
+
+      def get_sp_cert
+        cert = nil
+        if self.certificate
+          formated_cert = Samlsso::Utils.format_cert(self.certificate)
+          cert = OpenSSL::X509::Certificate.new(formated_cert)
+        end
+        cert
+      end
+
+      def get_sp_key
+        private_key = nil
+        if self.private_key
+          formated_private_key = Samlsso::Utils.format_private_key(self.private_key)
+          private_key = OpenSSL::PKey::RSA.new(formated_private_key)
+        end
+        private_key
+      end
+
+      private
+
+      DEFAULTS = {
+        :assertion_consumer_service_binding        => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        :single_logout_service_binding             => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+        :compress_request                          => true,
+        :compress_response                         => true,
+        :security                                  => {
+          :authn_requests_signed    => false,
+          :logout_requests_signed   => false,
+          :logout_responses_signed   => false,
+          :embed_sign               => false,
+          :digest_method            => XMLSecurity::Document::SHA1,
+          :signature_method         => XMLSecurity::Document::SHA1
+        },
+        :double_quote_xml_attribute_values         => false,
+      }
+    end
+end

data/lib/samlsso/slo_logoutrequest.rb

@@ -0,0 +1,64 @@
+require 'zlib'
+require 'time'
+require 'nokogiri'
+
+# Only supports SAML 2.0
+module Samlsso
+    class SloLogoutrequest < SamlMessage
+      attr_reader :options
+      attr_reader :request
+      attr_reader :document
+
+      def initialize(request, options = {})
+        raise ArgumentError.new("Request cannot be nil") if request.nil?
+        @options  = options
+        @request = decode_raw_saml(request)
+        @document = REXML::Document.new(@request)
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def id
+        return @id if @id
+        element = REXML::XPath.first(document, "/p:LogoutRequest", {
+            "p" => PROTOCOL} )
+        return nil if element.nil?
+        return element.attributes["ID"]
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validate(soft = true)
+        valid_saml?(document, soft)  && validate_request_state(soft)
+      end
+
+      def validate_request_state(soft = true)
+        if request.empty?
+          return soft ? false : validation_error("Blank request")
+        end
+        true
+      end
+
+    end
+end

data/lib/samlsso/slo_logoutresponse.rb

@@ -0,0 +1,99 @@
+require "uuid"
+
+require "samlsso/logging"
+
+module Samlsso
+    class SloLogoutresponse < SamlMessage
+
+      attr_reader :uuid # Can be obtained if neccessary
+
+      def initialize
+        @uuid = "_" + UUID.new.generate
+      end
+
+      def create(settings, request_id = nil, logout_message = nil, params = {})
+        params = create_params(settings, request_id, logout_message, params)
+        params_prefix = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        saml_response = CGI.escape(params.delete("SAMLResponse"))
+        response_params = "#{params_prefix}SAMLResponse=#{saml_response}"
+        params.each_pair do |key, value|
+          response_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+
+        @logout_url = settings.idp_slo_target_url + response_params
+      end
+
+      def create_params(settings, request_id = nil, logout_message = nil, params = {})
+        params = {} if params.nil?
+
+        response_doc = create_logout_response_xml_doc(settings, request_id, logout_message)
+        response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        response = ""
+        response_doc.write(response)
+
+        Logging.debug "Created SLO Logout Response: #{response}"
+
+        response = deflate(response) if settings.compress_response
+        base64_response = encode(response)
+        response_params = {"SAMLResponse" => base64_response}
+
+        if settings.security[:logout_responses_signed] && !settings.security[:embed_sign] && settings.private_key
+          params['SigAlg']    = XMLSecurity::Document::SHA1
+          url_string          = "SAMLResponse=#{CGI.escape(base64_response)}"
+          url_string         += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
+          url_string         += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
+          private_key         = settings.get_sp_key()
+          signature           = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
+          params['Signature'] = encode(signature)
+        end
+
+        params.each_pair do |key, value|
+          response_params[key] = value.to_s
+        end
+
+        response_params
+      end
+
+      def create_logout_response_xml_doc(settings, request_id = nil, logout_message = nil)
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response_doc = XMLSecurity::Document.new
+        response_doc.uuid = uuid
+
+        root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol', "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = '2.0'
+        root.attributes['InResponseTo'] = request_id unless request_id.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
+
+        # add success message
+        status = root.add_element 'samlp:Status'
+
+        # success status code
+        status_code = status.add_element 'samlp:StatusCode'
+        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+
+        # success status message
+        logout_message ||= 'Successfully Signed Out'
+        status_message = status.add_element 'samlp:StatusMessage'
+        status_message.text = logout_message
+
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer"
+          issuer.text = settings.issuer
+        end
+
+        # embebed sign
+        if settings.security[:logout_responses_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
+          private_key = settings.get_sp_key()
+          cert = settings.get_sp_cert()
+          response_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
+        end
+
+        response_doc
+      end
+
+    end
+end

data/lib/samlsso/utils.rb

@@ -0,0 +1,42 @@
+module Samlsso
+    class Utils
+      def self.format_cert(cert, heads=true)
+        cert = cert.delete("\n").delete("\r").delete("\x0D")
+        if cert
+          cert = cert.gsub('-----BEGIN CERTIFICATE-----', '')
+          cert = cert.gsub('-----END CERTIFICATE-----', '')
+          cert = cert.gsub(' ', '')
+
+          if heads
+            cert = cert.scan(/.{1,64}/).join("\n")+"\n"
+            cert = "-----BEGIN CERTIFICATE-----\n" + cert + "-----END CERTIFICATE-----\n"
+          end
+        end
+        cert
+      end
+
+      def self.format_private_key(key, heads=true)
+        key = key.delete("\n").delete("\r").delete("\x0D")
+        if key
+          if key.index('-----BEGIN PRIVATE KEY-----') != nil
+            key = key.gsub('-----BEGIN PRIVATE KEY-----', '')
+            key = key.gsub('-----END PRIVATE KEY-----', '')
+            key = key.gsub(' ', '')
+            if heads
+              key = key.scan(/.{1,64}/).join("\n")+"\n"
+              key = "-----BEGIN PRIVATE KEY-----\n" + key + "-----END PRIVATE KEY-----\n"
+            end
+          else
+            key = key.gsub('-----BEGIN RSA PRIVATE KEY-----', '')
+            key = key.gsub('-----END RSA PRIVATE KEY-----', '')
+            key = key.gsub(' ', '')
+            if heads
+              key = key.scan(/.{1,64}/).join("\n")+"\n"
+              key = "-----BEGIN RSA PRIVATE KEY-----\n" + key + "-----END RSA PRIVATE KEY-----\n"
+            end
+          end
+        end
+      end
+
+    end
+end

data/lib/samlsso/validation_error.rb

@@ -0,0 +1,5 @@
+module Samlsso
+    class ValidationError < StandardError
+    end
+end
+