spid 0.12.0 → 0.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc64c3b3b469b3e5e031547db6c09e359902aa6c15b3d37b3426e7549ecc2ebd
-  data.tar.gz: 02e57b8f55b111ec4c0ed1074c023e816077df9e687897f0acb1ad58d0b2b3d8
+  metadata.gz: 83dc2ec01f9adb676d89eb91c160f3aacacf30cb6473514fc5c4655b1f2c0f32
+  data.tar.gz: ce9606fdab6a9349888111b259979269977643add8e6f68a15a26c5286d38b82
 SHA512:
-  metadata.gz: 9d2c88ef7f6a5ddaab7ba1e35b6e93c7fea274db9a1fddeaa066d070ec5a49fee3457ef882ced3303b5a5f55aeecdecf5cddccb5ecaf198049b2e770c0c23f91
-  data.tar.gz: 3ba760f88fc7e765d4d71e6381753859d0fe84731bd606cffc884f083db0a83e9d367694a3c38716101a227e96171117989eae91acbe9d378b225aeef54b1396
+  metadata.gz: 5d5b83dcc34a604397c5d60a682081d04064777cc54cf72fc1f61e3e0a6703215856715c5bd553335ad128231ac4da0a80a2bc084063bd130860566b84369e86
+  data.tar.gz: dcea75e1ce343c0a3e3297a02f78f889150ae0693a3a68a1258fdab1d7d24999ec99a79d1e53a1b87544fd15c144559f91f4b0f19c0633814271b35c6c0760f0

data/.gitignore

@@ -25,4 +25,5 @@ build-iPhoneOS/
 build-iPhoneSimulator/
 build/
 /Gemfile.lock
-/idp_metadata/*.xml
+/idp_metadata/*.xml
+/.ruby-version

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+## [0.13.0] - 2018-08-29
+### Added
+- Validation of Response and LogoutResponse
+
 ## [0.12.0] - 2018-08-27
 ### Added
 - AttributeConsumingService management
@@ -97,7 +101,8 @@
 - Coveralls Integration
 - Rubygems version badge in README
 
-[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.12.0...HEAD
+[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.13.0...HEAD
+[0.13.0]: https://github.com/italia/spid-ruby/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/italia/spid-ruby/compare/v0.11.0...v0.12.0
 [0.11.0]: https://github.com/italia/spid-ruby/compare/v0.10.0...v0.11.0
 [0.10.0]: https://github.com/italia/spid-ruby/compare/v0.9.0...v0.10.0

data/README.md

@@ -35,31 +35,31 @@ gem "spid"
 |HTTP-POST binding||
 |`AssertionConsumerServiceURL` customization|✓|
 |`AssertionConsumerServiceIndex` customization||
-|`AttributeConsumingServiceIndex` customization||
+|`AttributeConsumingServiceIndex` customization|✓|
 |`AuthnContextClassRef` (SPID level) customization|✓|
 |`RequestedAuthnContext/@Comparison` customization||
 |`RelayState` customization (1.2.2)|✓|
 |**Response/Assertion parsing**||
 |verification of `Response/Signature` value (if any)||
 |verification of `Response/Signature` certificate (if any) against IdP/AA metadata||
-|verification of `Assertion/Signature` value||
-|verification of `Assertion/Signature` certificate against IdP/AA metadata||
+|verification of `Assertion/Signature` value|✓|
+|verification of `Assertion/Signature` certificate against IdP/AA metadata|✓|
 |verification of `SubjectConfirmationData/@Recipient`||
 |verification of `SubjectConfirmationData/@NotOnOrAfter`||
 |verification of `SubjectConfirmationData/@InResponseTo`||
-|verification of `Issuer`||
-|verification of `Destination`||
-|verification of `Conditions/@NotBefore`||
-|verification of `Conditions/@NotOnOrAfter`||
-|verification of `Audience`||
+|verification of `Issuer`|✓|
+|verification of `Destination`|✓|
+|verification of `Conditions/@NotBefore`|✓|
+|verification of `Conditions/@NotOnOrAfter`|✓|
+|verification of `Audience`|✓|
 |parsing of Response with no `Assertion` (authentication/query failure)||
 |parsing of failure `StatusCode` (Requester/Responder)||
 |**Response/Assertion parsing for SSO (1.2.1, 1.2.2.2, 1.3.1):**||
-|parsing of `NameID`||
+|parsing of `NameID`|✓|
 |parsing of `AuthnContextClassRef` (SPID level)||
-|parsing of attributes||
-|**Response/Assertion parsing for attribute query (2.2.2.2, 2.3.1):**||
 |parsing of attributes|✓|
+|**Response/Assertion parsing for attribute query (2.2.2.2, 2.3.1):**||
+|parsing of attributes||
 |**LogoutRequest generation (for SP-initiated logout):**||
 |generation of LogoutRequest XML|✓|
 |HTTP-Redirect binding|✓|
@@ -68,8 +68,8 @@ gem "spid"
 |parsing of LogoutResponse XML|✓|
 |verification of `Response/Signature` value (if any)||
 |verification of `Response/Signature` certificate (if any) against IdP metadata||
-|verification of `Issuer`||
-|verification of `Destination`||
+|verification of `Issuer`|✓|
+|verification of `Destination`|✓|
 |PartialLogout detection||
 |**LogoutRequest parsing (for third-party-initiated logout):**||
 |parsing of LogoutRequest XML||

data/lib/spid/configuration.rb

@@ -11,12 +11,12 @@ module Spid
     attr_accessor :slo_path
     attr_accessor :digest_method
     attr_accessor :signature_method
-    attr_accessor :private_key
-    attr_accessor :certificate
     attr_accessor :default_relay_state_path
     attr_accessor :acs_binding
     attr_accessor :slo_binding
     attr_accessor :attribute_services
+    attr_writer :private_key
+    attr_writer :certificate
 
     def initialize
       @idp_metadata_dir_path    = "idp_metadata"
@@ -52,6 +52,14 @@ module Spid
       @certificate              = nil
     end
 
+    def certificate
+      OpenSSL::X509::Certificate.new(@certificate) unless @certificate.nil?
+    end
+
+    def private_key
+      OpenSSL::PKey::RSA.new(@private_key) unless @private_key.nil?
+    end
+
     def service_provider
       @service_provider ||=
         begin

data/lib/spid/identity_provider_manager.rb

@@ -1,7 +1,10 @@
 # frozen_string_literal: true
 
+require "base64"
+
 module Spid
   class IdentityProviderManager # :nodoc:
+    extend Spid::Saml2::Utils
     include Singleton
 
     def identity_providers
@@ -37,7 +40,8 @@ module Spid
         entity_id: idp_settings[:idp_entity_id],
         sso_target_url: idp_settings[:idp_sso_target_url],
         slo_target_url: idp_settings[:idp_slo_target_url],
-        cert_fingerprint: idp_settings[:idp_cert_fingerprint]
+        cert_fingerprint: idp_settings[:idp_cert_fingerprint],
+        certificate: certificate_from_encoded_der(idp_settings[:idp_cert])
       )
     end
 

data/lib/spid/saml2.rb

@@ -10,6 +10,8 @@ require "spid/saml2/logout_response"
 require "spid/saml2/sp_metadata"
 require "spid/saml2/utils"
 require "spid/saml2/idp_metadata_parser"
+require "spid/saml2/response_validator"
+require "spid/saml2/logout_response_validator"
 
 module Spid
   module Saml2 # :nodoc:

data/lib/spid/saml2/identity_provider.rb

@@ -8,20 +8,25 @@ module Spid
       attr_reader :sso_target_url
       attr_reader :slo_target_url
       attr_reader :cert_fingerprint
+      attr_reader :certificate
 
+      # rubocop:disable Metrics/ParameterLists
       def initialize(
             name:,
             entity_id:,
             sso_target_url:,
             slo_target_url:,
-            cert_fingerprint:
+            cert_fingerprint:,
+            certificate:
           )
         @name = name
         @entity_id = entity_id
         @sso_target_url = sso_target_url
         @slo_target_url = slo_target_url
         @cert_fingerprint = cert_fingerprint
+        @certificate = certificate
       end
+      # rubocop:enable Metrics/ParameterLists
     end
   end
 end

data/lib/spid/saml2/logout_response.rb

@@ -28,6 +28,12 @@ module Spid
           "/samlp:LogoutResponse/@InResponseTo"
         ]&.value&.strip
       end
+
+      def destination
+        document.elements[
+          "/samlp:LogoutResponse/@Destination"
+        ]&.value
+      end
     end
   end
 end

data/lib/spid/saml2/logout_response_validator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Spid
+  module Saml2
+    class LogoutResponseValidator # :nodoc:
+      attr_reader :response
+      attr_reader :settings
+
+      def initialize(response:, settings:)
+        @response = response
+        @settings = settings
+      end
+
+      def call
+        [
+          destination,
+          issuer
+        ].all?
+      end
+
+      def destination
+        response.destination == settings.sp_slo_service_url
+      end
+
+      def issuer
+        response.issuer == settings.idp_entity_id
+      end
+    end
+  end
+end

data/lib/spid/saml2/response.rb

@@ -7,13 +7,11 @@ module Spid
     class Response # :nodoc:
       include Spid::Saml2::Utils
 
-      attr_reader :body
       attr_reader :saml_message
       attr_reader :document
 
-      def initialize(body:)
-        @body = body
-        @saml_message = decode_and_inflate(body)
+      def initialize(saml_message:)
+        @saml_message = saml_message
         @document = REXML::Document.new(@saml_message)
       end
 
@@ -21,6 +19,22 @@ module Spid
         document.elements["/samlp:Response/saml:Issuer/text()"]&.value
       end
 
+      def name_id
+        document.elements[
+          "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID/text()"
+        ]&.value
+      end
+
+      def raw_certificate
+        xpath = "/samlp:Response/saml:Assertion/ds:Signature/ds:KeyInfo"
+        xpath = "#{xpath}/ds:X509Data/ds:X509Certificate/text()"
+        document.elements[xpath]&.value
+      end
+
+      def certificate
+        certificate_from_encoded_der(raw_certificate)
+      end
+
       def assertion_issuer
         document.elements[
           "/samlp:Response/saml:Assertion/saml:Issuer/text()"
@@ -39,6 +53,24 @@ module Spid
         ]&.value
       end
 
+      def conditions_not_before
+        document.elements[
+          "/samlp:Response/saml:Assertion/saml:Conditions/@NotBefore"
+        ]&.value
+      end
+
+      def conditions_not_on_or_after
+        document.elements[
+          "/samlp:Response/saml:Assertion/saml:Conditions/@NotOnOrAfter"
+        ]&.value
+      end
+
+      def audience
+        xpath = "/samlp:Response/saml:Assertion/saml:Conditions"
+        xpath = "#{xpath}/saml:AudienceRestriction/saml:Audience/text()"
+        document.elements[xpath]&.value
+      end
+
       def attributes
         main_xpath = "/samlp:Response/saml:Assertion/saml:AttributeStatement"
         main_xpath = "#{main_xpath}/saml:Attribute"

data/lib/spid/saml2/response_validator.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "xmldsig"
+
+module Spid
+  module Saml2
+    class ResponseValidator # :nodoc:
+      attr_reader :response
+      attr_reader :settings
+
+      def initialize(response:, settings:)
+        @response = response
+        @settings = settings
+      end
+
+      def call
+        [
+          issuer,
+          certificate,
+          destination,
+          conditions,
+          audience,
+          signature
+        ].all?
+      end
+
+      def issuer
+        response.assertion_issuer == settings.idp_entity_id
+      end
+
+      def certificate
+        response.certificate.to_der == settings.idp_certificate.to_der
+      end
+
+      def destination
+        response.destination == settings.sp_acs_url
+      end
+
+      def conditions
+        time = Time.now.iso8601
+
+        response.conditions_not_before <= time &&
+          response.conditions_not_on_or_after > time
+      end
+
+      def audience
+        response.audience == settings.sp_entity_id
+      end
+
+      def signature
+        signed_document = Xmldsig::SignedDocument.new(response.saml_message)
+        signed_document.validate(response.certificate)
+      end
+    end
+  end
+end

data/lib/spid/saml2/settings.rb

@@ -72,6 +72,10 @@ module Spid
         service_provider.certificate
       end
 
+      def idp_certificate
+        identity_provider.certificate
+      end
+
       def signature_method
         service_provider.signature_method
       end

data/lib/spid/saml2/utils.rb

@@ -57,6 +57,11 @@ module Spid
       def escaped_query_string(params)
         query_string(escaped_params(params))
       end
+
+      def certificate_from_encoded_der(der_encoded)
+        der = Base64.decode64(der_encoded)
+        OpenSSL::X509::Certificate.new(der)
+      end
     end
   end
 end

data/lib/spid/saml2/utils/query_params_signer.rb

@@ -20,7 +20,7 @@ module Spid
               relay_state: nil
             )
           @saml_message = saml_message.delete("\n")
-          @private_key = OpenSSL::PKey::RSA.new(private_key)
+          @private_key = private_key
           @signature_method = signature_method
           @relay_state = relay_state
         end

data/lib/spid/slo/response.rb

@@ -14,7 +14,10 @@ module Spid
       end
 
       def valid?
-        saml_response.in_response_to == matches_request_id
+        Spid::Saml2::LogoutResponseValidator.new(
+          response: saml_response,
+          settings: settings
+        ).call
       end
 
       def errors
@@ -35,6 +38,13 @@ module Spid
         saml_response.issuer
       end
 
+      def settings
+        @settings ||= Spid::Saml2::Settings.new(
+          service_provider: service_provider,
+          identity_provider: identity_provider
+        )
+      end
+
       def saml_response
         @saml_response ||= Spid::Saml2::LogoutResponse.new(
           body: body

data/lib/spid/sso/response.rb

@@ -1,22 +1,30 @@
 # frozen_string_literal: true
 
+require "spid/saml2/utils"
 require "active_support/inflector/methods"
 
 module Spid
   module Sso
     class Response # :nodoc:
+      include Spid::Saml2::Utils
+
       attr_reader :body
+      attr_reader :saml_message
 
       def initialize(body:)
         @body = body
+        @saml_message = decode_and_inflate(body)
       end
 
       def valid?
-        saml_response.destination == service_provider.acs_url
+        Spid::Saml2::ResponseValidator.new(
+          response: saml_response,
+          settings: settings
+        ).call
       end
 
       def issuer
-        saml_response.issuer
+        saml_response.assertion_issuer
       end
 
       def attributes
@@ -44,7 +52,14 @@ module Spid
       end
 
       def saml_response
-        @saml_response ||= Spid::Saml2::Response.new(body: body)
+        @saml_response ||= Spid::Saml2::Response.new(saml_message: saml_message)
+      end
+
+      def settings
+        @settings ||= Spid::Saml2::Settings.new(
+          identity_provider: identity_provider,
+          service_provider: service_provider
+        )
       end
 
       private

data/lib/spid/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spid
-  VERSION = "0.12.0"
+  VERSION = "0.13.0"
 end

data/spid.gemspec

@@ -26,6 +26,7 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency "activesupport", ">= 3.0.0", "< 5.3"
   spec.add_runtime_dependency "rack", ">= 1", "< 3"
+  spec.add_runtime_dependency "xmldsig", ">= 0.6.6"
 
   spec.add_development_dependency "bundler", "~> 1.16"
   spec.add_development_dependency "bundler-audit", "~> 0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 0.13.0
 platform: ruby
 authors:
 - David Librera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-27 00:00:00.000000000 Z
+date: 2018-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -50,6 +50,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
+- !ruby/object:Gem::Dependency
+  name: xmldsig
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.6
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -313,7 +327,9 @@ files:
 - lib/spid/saml2/idp_metadata_parser.rb
 - lib/spid/saml2/logout_request.rb
 - lib/spid/saml2/logout_response.rb
+- lib/spid/saml2/logout_response_validator.rb
 - lib/spid/saml2/response.rb
+- lib/spid/saml2/response_validator.rb
 - lib/spid/saml2/service_provider.rb
 - lib/spid/saml2/settings.rb
 - lib/spid/saml2/sp_metadata.rb