spid 0.10.0 → 0.11.0

data/lib/spid/saml2/service_provider.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Spid
+  module Saml2
+    class ServiceProvider # :nodoc:
+      attr_reader :host
+      attr_reader :acs_path
+      attr_reader :acs_binding
+      attr_reader :slo_path
+      attr_reader :slo_binding
+      attr_reader :metadata_path
+      attr_reader :private_key
+      attr_reader :certificate
+      attr_reader :digest_method
+      attr_reader :signature_method
+      attr_reader :attribute_service_name
+
+      # rubocop:disable Metrics/ParameterLists
+      # rubocop:disable Metrics/MethodLength
+      def initialize(
+            host:,
+            acs_path:,
+            acs_binding:,
+            slo_path:,
+            slo_binding:,
+            metadata_path:,
+            private_key:,
+            certificate:,
+            digest_method:,
+            signature_method:,
+            attribute_service_name:
+          )
+        @host = host
+        @acs_path               = acs_path
+        @acs_binding            = acs_binding
+        @slo_path               = slo_path
+        @slo_binding            = slo_binding
+        @metadata_path          = metadata_path
+        @private_key            = private_key
+        @certificate            = certificate
+        @digest_method          = digest_method
+        @signature_method       = signature_method
+        @attribute_service_name = attribute_service_name
+        validate_attributes
+      end
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/ParameterLists
+
+      def acs_url
+        @acs_url ||= URI.join(host, acs_path).to_s
+      end
+
+      def slo_url
+        @slo_url ||= URI.join(host, slo_path).to_s
+      end
+
+      def metadata_url
+        @metadata_url ||= URI.join(host, metadata_path).to_s
+      end
+
+      private
+
+      def validate_attributes
+        if !DIGEST_METHODS.include?(digest_method)
+          raise UnknownDigestMethodError,
+                "Provided digest method is not valid:" \
+                " use one of #{DIGEST_METHODS.join(', ')}"
+        elsif !SIGNATURE_METHODS.include?(signature_method)
+          raise UnknownSignatureMethodError,
+                "Provided digest method is not valid:" \
+                " use one of #{SIGNATURE_METHODS.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/spid/saml2/settings.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module Spid
+  module Saml2
+    class Settings # :nodoc:
+      attr_reader :identity_provider
+      attr_reader :service_provider
+      attr_reader :authn_context
+
+      def initialize(identity_provider:, service_provider:, authn_context: nil)
+        @authn_context = authn_context || Spid::L1
+        unless AUTHN_CONTEXTS.include?(@authn_context)
+          raise Spid::UnknownAuthnContextError,
+                "Provided authn_context '#{@authn_context}' is not valid:" \
+                " use one of #{AUTHN_CONTEXTS.join(', ')}"
+        end
+
+        @identity_provider = identity_provider
+        @service_provider = service_provider
+      end
+
+      def idp_entity_id
+        identity_provider.entity_id
+      end
+
+      def idp_sso_target_url
+        identity_provider.sso_target_url
+      end
+
+      def idp_slo_target_url
+        identity_provider.slo_target_url
+      end
+
+      def sp_entity_id
+        service_provider.host
+      end
+
+      def sp_acs_url
+        service_provider.acs_url
+      end
+
+      def sp_acs_binding
+        service_provider.acs_binding
+      end
+
+      def sp_slo_service_url
+        service_provider.slo_url
+      end
+
+      def sp_slo_service_binding
+        service_provider.slo_binding
+      end
+
+      def private_key
+        service_provider.private_key
+      end
+
+      def certificate
+        service_provider.certificate
+      end
+
+      def signature_method
+        service_provider.signature_method
+      end
+
+      def acs_index
+        "0"
+      end
+
+      def force_authn?
+        authn_context > Spid::L1
+      end
+
+      def x509_certificate_der
+        @x509_certificate_der ||=
+          begin
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Base64.encode64(cert.to_der).delete("\n")
+          end
+      end
+    end
+  end
+end

data/lib/spid/saml2/sp_metadata.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module Spid
+  module Saml2
+    class SPMetadata # :nodoc:
+      attr_reader :document
+      attr_reader :settings
+      attr_reader :uuid
+
+      def initialize(settings:, uuid: nil)
+        @document = REXML::Document.new
+        @settings = settings
+        @uuid = uuid || SecureRandom.uuid
+      end
+
+      def to_saml
+        document.add_element(entity_descriptor)
+        document.to_s
+      end
+
+      def entity_descriptor
+        @entity_descriptor ||=
+          begin
+            element = REXML::Element.new("md:EntityDescriptor")
+            element.add_attributes(entity_descriptor_attributes)
+            element.add_element sp_sso_descriptor
+            element
+          end
+      end
+
+      def entity_descriptor_attributes
+        @entity_descriptor_attributes ||= {
+          "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#",
+          "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+          "entityID" => settings.sp_entity_id,
+          "ID" => "_#{uuid}"
+        }
+      end
+
+      def sp_sso_descriptor
+        @sp_sso_descriptor ||=
+          begin
+            element = REXML::Element.new("md:SPSSODescriptor")
+            element.add_attributes(sp_sso_descriptor_attributes)
+            element.add_element key_descriptor
+            element.add_element ac_service
+            element.add_element slo_service
+            element
+          end
+      end
+
+      def sp_sso_descriptor_attributes
+        @sp_sso_descriptor_attributes ||= {
+          "protocolSupportEnumeration" =>
+            "urn:oasis:names:tc:SAML:2.0:protocol",
+          "AuthnRequestsSigned" => true
+        }
+      end
+
+      def ac_service
+        @ac_service ||=
+          begin
+            element = REXML::Element.new("md:AssertionConsumerService")
+            element.add_attributes(ac_service_attributes)
+            element
+          end
+      end
+
+      def ac_service_attributes
+        @ac_service_attributes ||= {
+          "Binding" => settings.sp_acs_binding,
+          "Location" => settings.sp_acs_url,
+          "index" => 0,
+          "isDefault" => true
+        }
+      end
+
+      def slo_service
+        @slo_service ||=
+          begin
+            element = REXML::Element.new("md:SingleLogoutService")
+            element.add_attributes(
+              "Binding" => settings.sp_slo_service_binding,
+              "Location" => settings.sp_slo_service_url
+            )
+            element
+          end
+      end
+
+      def key_descriptor
+        @key_descriptor ||=
+          begin
+            kd = REXML::Element.new("md:KeyDescriptor")
+            kd.add_attributes("use" => "signing")
+            ki = kd.add_element "ds:KeyInfo"
+            data = ki.add_element "ds:X509Data"
+            certificate = data.add_element "ds:X509Certificate"
+            certificate.text = settings.x509_certificate_der
+            kd
+          end
+      end
+    end
+  end
+end

data/lib/spid/saml2/utils.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "base64"
+require "zlib"
+require "cgi"
+require "spid/saml2/utils/query_params_signer"
+
+module Spid
+  module Saml2
+    module Utils # :nodoc:
+      def decode(message)
+        Base64.decode64(message)
+      end
+
+      def encode(message)
+        Base64.encode64(message)
+      end
+
+      def deflate(message)
+        Zlib::Deflate.deflate(message, 9)[2..-5]
+      end
+
+      def inflate(message)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(message)
+      rescue Zlib::DataError => _e
+        message
+      end
+
+      def deflate_and_encode(message)
+        encode(deflate(message)).delete("\n")
+      end
+
+      def decode_and_inflate(message)
+        inflate(decode(message))
+      end
+
+      def escaped_params(params)
+        params.each_with_object({}) do |(key, value), acc|
+          acc[key] = CGI.escape(value)
+        end
+      end
+
+      def query_param(key, value)
+        "#{key}=#{value}"
+      end
+
+      def query_params(params)
+        params.map do |key, value|
+          query_param(key, value)
+        end
+      end
+
+      def query_string(params)
+        query_params(params).join("&")
+      end
+
+      def escaped_query_string(params)
+        query_string(escaped_params(params))
+      end
+    end
+  end
+end

data/lib/spid/saml2/utils/query_params_signer.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module Spid
+  module Saml2
+    module Utils
+      class QueryParamsSigner # :nodoc:
+        include Spid::Saml2::Utils
+
+        attr_reader :saml_message
+        attr_reader :private_key
+        attr_reader :signature_method
+        attr_reader :relay_state
+
+        def initialize(
+              saml_message:,
+              private_key:,
+              signature_method:,
+              relay_state: nil
+            )
+          @saml_message = saml_message.delete("\n")
+          @private_key = OpenSSL::PKey::RSA.new(private_key)
+          @signature_method = signature_method
+          @relay_state = relay_state
+        end
+
+        def signature_algorithm
+          @signature_algorithm ||= Spid::SIGNATURE_ALGORITHMS[signature_method]
+        end
+
+        def signature
+          @signature ||=
+            begin
+              encode(raw_signature)
+            end
+        end
+
+        def signed_query_params
+          params_for_signature.merge(
+            "Signature" => signature
+          )
+        end
+
+        def escaped_signed_query_string
+          @escaped_signed_query_string ||=
+            escaped_query_string(signed_query_params)
+        end
+
+        def raw_signature
+          @raw_signature ||=
+            begin
+              private_key.sign(
+                signature_algorithm,
+                escaped_query_string(params_for_signature)
+              )
+            end
+        end
+
+        def params_for_signature
+          @params_for_signature ||=
+            begin
+              params = {
+                "SAMLRequest" => deflate_and_encode(saml_message),
+                "RelayState" => relay_state,
+                "SigAlg" => signature_method
+              }
+              params.delete("RelayState") if params["RelayState"].nil?
+              params
+            end
+        end
+      end
+    end
+  end
+end

data/lib/spid/slo.rb

@@ -2,7 +2,6 @@
 
 require "spid/slo/request"
 require "spid/slo/response"
-require "spid/slo/settings"
 
 module Spid
   module Slo # :nodoc:

data/lib/spid/slo/request.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require "spid/logout_request"
-require "onelogin/ruby-saml/settings"
-
 module Spid
   module Slo
     class Request # :nodoc:
@@ -19,25 +16,43 @@ module Spid
           end
       end
 
-      def to_saml
-        logout_request.create(
-          saml_settings,
-          "RelayState" => relay_state
-        )
+      def url
+        [
+          settings.idp_slo_target_url,
+          query_params_signer.escaped_signed_query_string
+        ].join("?")
+      end
+
+      def query_params_signer
+        @query_params_signer ||=
+          begin
+            Spid::Saml2::Utils::QueryParamsSigner.new(
+              saml_message: saml_message,
+              relay_state: relay_state,
+              private_key: settings.private_key,
+              signature_method: settings.signature_method
+            )
+          end
       end
 
-      def saml_settings
-        slo_settings.saml_settings
+      def saml_message
+        @saml_message ||= logout_request.to_saml
       end
 
-      def slo_settings
-        Settings.new(
-          service_provider: service_provider,
-          identity_provider: identity_provider,
+      def logout_request
+        @logout_request ||= Spid::Saml2::LogoutRequest.new(
+          settings: settings,
           session_index: session_index
         )
       end
 
+      def settings
+        @settings ||= Spid::Saml2::Settings.new(
+          service_provider: service_provider,
+          identity_provider: identity_provider
+        )
+      end
+
       def identity_provider
         @identity_provider ||=
           IdentityProviderManager.find_by_name(idp_name)
@@ -47,12 +62,6 @@ module Spid
         @service_provider ||=
           Spid.configuration.service_provider
       end
-
-      private
-
-      def logout_request
-        LogoutRequest.new
-      end
     end
   end
 end