spid 0.16.1 → 0.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c1de73229206a3f51acebe2ffd176336baf6ecf7b7ab56587f2baa4338f5300
-  data.tar.gz: 5c39d1327255aa6f6c91f8b893ff8d0698bcd2e8476a6fb55fc85cd2cd507c6b
+  metadata.gz: 8c918415822f2873b617da91c797c8987825252578e359c620a334ad9ba439d3
+  data.tar.gz: 2e699735bcefc0e37ed9efced5ed53ad845a29405b4c1616ec4985bcd497a346
 SHA512:
-  metadata.gz: 8861c1b4c9d517f73dee139742e186e1cd96a10267ec9d73ed2987426bd65fc9832114ad41f34b00bcad05595d17e760602eb894344ff8d77f16309dda829757
-  data.tar.gz: aace38dd40188f84b5dabc3d4f33dbaabe0005e81f4fa47a2777d437e9032112ab25fd6b981dbd99424017349eabbcf86e0b715582c0cb626c9aa0887338f7e0
+  metadata.gz: 2e80c2322252a27a0362c738a3eace0fdba76735026fe0a7dd344bbf25b4543d2a014724301915d87a97fb517399d3bf0695e792141d90b95d1e5df3d82ca40c
+  data.tar.gz: 9fd3aecb75d5a2dad2e6464532c774fd40f2737eecc471f693aabdabf688ca9c5644a6fa3f8c29ea8576076570616d0a402a389f5922f403f8e0c67087330709

data/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## [Unreleased]
 
+## [0.17.0] - 2018-09-10
+### Added
+- Ensure private key lenght and certificate validation
+- Previous SPID specification use sp_entity_id for /samlp:Response/@Destination
+- Validate Subject attributes
+- Validate Issuer and Assertion/Issuer
+
 ## [0.16.1] - 2018-09-05
 ### Changed
 - Use login_path and logout_path instead of start_sso_path and start_slo_path
@@ -127,8 +134,9 @@
 - Coveralls Integration
 - Rubygems version badge in README
 
-[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.16.1...HEAD
-[0.16.0]: https://github.com/italia/spid-ruby/compare/v0.16.0...v0.16.1
+[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.17.0...HEAD
+[0.17.0]: https://github.com/italia/spid-ruby/compare/v0.16.1...v0.17.0
+[0.16.1]: https://github.com/italia/spid-ruby/compare/v0.16.0...v0.16.1
 [0.16.0]: https://github.com/italia/spid-ruby/compare/v0.15.2...v0.16.0
 [0.15.2]: https://github.com/italia/spid-ruby/compare/v0.15.1...v0.15.2
 [0.15.1]: https://github.com/italia/spid-ruby/compare/v0.15.0...v0.15.1

data/lib/spid.rb

@@ -18,6 +18,8 @@ module Spid # :nodoc:
   class UnknownSignatureMethodError < StandardError; end
   class UnknownAttributeFieldError < StandardError; end
   class MissingAttributeServicesError < StandardError; end
+  class PrivateKeyTooShortError < StandardError; end
+  class CertificateNotBelongsToPKeyError < StandardError; end
 
   EXACT_COMPARISON = :exact
   MINIMUM_COMPARISON = :minimum

data/lib/spid/saml2.rb

@@ -4,6 +4,7 @@ require "spid/saml2/service_provider"
 require "spid/saml2/identity_provider"
 require "spid/saml2/settings"
 require "spid/saml2/authn_request"
+require "spid/saml2/saml_parser"
 require "spid/saml2/response"
 require "spid/saml2/logout_request"
 require "spid/saml2/idp_logout_request"

data/lib/spid/saml2/idp_logout_request.rb

@@ -2,51 +2,37 @@
 
 module Spid
   module Saml2
-    class IdpLogoutRequest # :nodoc:
-      attr_reader :saml_message
-      attr_reader :document
-
-      def initialize(saml_message:)
-        @saml_message = saml_message
-        @document = REXML::Document.new(@saml_message)
-      end
-
+    class IdpLogoutRequest < SamlParser # :nodoc:
       def id
-        document.elements["/samlp:LogoutRequest/@ID"]&.value
+        element_from_xpath("/samlp:LogoutRequest/@ID")
       end
 
       def destination
-        document.elements["/samlp:LogoutRequest/@Destination"]&.value
+        element_from_xpath("/samlp:LogoutRequest/@Destination")
       end
 
       def issue_instant
-        document.elements["/samlp:LogoutRequest/@IssueInstant"]&.value
+        element_from_xpath("/samlp:LogoutRequest/@IssueInstant")
       end
 
       def issuer_name_qualifier
-        document.elements[
-          "/samlp:LogoutRequest/saml:Issuer/@NameQualifier"
-        ]&.value
+        element_from_xpath("/samlp:LogoutRequest/saml:Issuer/@NameQualifier")
       end
 
       def name_id
-        document.elements["/samlp:LogoutRequest/saml:NameID/text()"]&.value
+        element_from_xpath("/samlp:LogoutRequest/saml:NameID/text()")
       end
 
       def name_id_name_qualifier
-        document.elements[
-          "/samlp:LogoutRequest/saml:NameID/@NameQualifier"
-        ]&.value
+        element_from_xpath("/samlp:LogoutRequest/saml:NameID/@NameQualifier")
       end
 
       def issuer
-        document.elements["/samlp:LogoutRequest/saml:Issuer/text()"]&.value
+        element_from_xpath("/samlp:LogoutRequest/saml:Issuer/text()")
       end
 
       def session_index
-        document.elements[
-          "/samlp:LogoutRequest/saml:SessionIndex/text()"
-        ]&.value
+        element_from_xpath("/samlp:LogoutRequest/saml:SessionIndex/text()")
       end
     end
   end

data/lib/spid/saml2/logout_response.rb

@@ -4,35 +4,17 @@ require "spid/saml2/utils"
 
 module Spid
   module Saml2
-    class LogoutResponse # :nodoc:
-      include Spid::Saml2::Utils
-
-      attr_reader :body
-      attr_reader :saml_message
-      attr_reader :document
-
-      def initialize(body:)
-        @body = body
-        @saml_message = decode_and_inflate(body)
-        @document = REXML::Document.new(@saml_message)
-      end
-
+    class LogoutResponse < SamlParser # :nodoc:
       def issuer
-        document.elements[
-          "/samlp:LogoutResponse/saml:Issuer/text()"
-        ]&.value&.strip
+        element_from_xpath("/samlp:LogoutResponse/saml:Issuer/text()")
       end
 
       def in_response_to
-        document.elements[
-          "/samlp:LogoutResponse/@InResponseTo"
-        ]&.value&.strip
+        element_from_xpath("/samlp:LogoutResponse/@InResponseTo")
       end
 
       def destination
-        document.elements[
-          "/samlp:LogoutResponse/@Destination"
-        ]&.value
+        element_from_xpath("/samlp:LogoutResponse/@Destination")
       end
     end
   end

data/lib/spid/saml2/response.rb

@@ -1,20 +1,8 @@
 # frozen_string_literal: true
 
-require "spid/saml2/utils"
-
 module Spid
   module Saml2
-    class Response # :nodoc:
-      include Spid::Saml2::Utils
-
-      attr_reader :saml_message
-      attr_reader :document
-
-      def initialize(saml_message:)
-        @saml_message = saml_message
-        @document = REXML::Document.new(@saml_message)
-      end
-
+    class Response < SamlParser # :nodoc:
       def issuer
         document.elements["/samlp:Response/saml:Issuer/text()"]&.value
       end
@@ -24,15 +12,16 @@ module Spid
       end
 
       def name_id
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID/text()"
-        ]&.value
+        )
       end
 
       def raw_certificate
-        xpath = "/samlp:Response/saml:Assertion/ds:Signature/ds:KeyInfo"
-        xpath = "#{xpath}/ds:X509Data/ds:X509Certificate/text()"
-        document.elements[xpath]&.value
+        element_from_xpath(
+          "/samlp:Response/saml:Assertion/ds:Signature/ds:KeyInfo" \
+          "/ds:X509Data/ds:X509Certificate/text()"
+        )
       end
 
       def certificate
@@ -40,59 +29,77 @@ module Spid
       end
 
       def assertion_issuer
-        document.elements[
-          "/samlp:Response/saml:Assertion/saml:Issuer/text()"
-        ]&.value
+        element_from_xpath("/samlp:Response/saml:Assertion/saml:Issuer/text()")
       end
 
       def session_index
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/saml:Assertion/saml:AuthnStatement/@SessionIndex"
-        ]&.value
+        )
       end
 
       def destination
-        document.elements[
-          "/samlp:Response/@Destination"
-        ]&.value
+        element_from_xpath("/samlp:Response/@Destination")
       end
 
       def conditions_not_before
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/saml:Assertion/saml:Conditions/@NotBefore"
-        ]&.value
+        )
       end
 
       def conditions_not_on_or_after
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/saml:Assertion/saml:Conditions/@NotOnOrAfter"
-        ]&.value
+        )
       end
 
       def audience
-        xpath = "/samlp:Response/saml:Assertion/saml:Conditions"
-        xpath = "#{xpath}/saml:AudienceRestriction/saml:Audience/text()"
-        document.elements[xpath]&.value
+        element_from_xpath(
+          "/samlp:Response/saml:Assertion/saml:Conditions" \
+          "/saml:AudienceRestriction/saml:Audience/text()"
+        )
+      end
+
+      def subject_confirmation_data_node_xpath
+        xpath = "/samlp:Response/saml:Assertion/saml:Subject/"
+        "#{xpath}/saml:SubjectConfirmation/saml:SubjectConfirmationData"
+      end
+
+      def subject_recipient
+        element_from_xpath("#{subject_confirmation_data_node_xpath}/@Recipient")
+      end
+
+      def subject_in_response_to
+        element_from_xpath(
+          "#{subject_confirmation_data_node_xpath}/@InResponseTo"
+        )
+      end
+
+      def subject_not_on_or_after
+        element_from_xpath(
+          "#{subject_confirmation_data_node_xpath}/@NotOnOrAfter"
+        )
       end
 
       def status_code
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/samlp:Status/samlp:StatusCode/@Value"
-        ]&.value
+        )
       end
 
       def status_message
-        document.elements[
-          "/samlp:Response/samlp:Status/samlp:StatusCode/" \
-          "samlp:StatusMessage/@Value"
-        ]&.value
+        element_from_xpath(
+          "samlp:StatusMessage/@Value" \
+          "/samlp:Response/samlp:Status/samlp:StatusCode/"
+        )
       end
 
       def status_detail
-        document.elements[
+        element_from_xpath(
           "/samlp:Response/samlp:Status/samlp:StatusCode/" \
           "samlp:StatusDetail/@Value"
-        ]&.value
+        )
       end
 
       def attributes

data/lib/spid/saml2/response_validator.rb

@@ -4,6 +4,7 @@ require "xmldsig"
 
 module Spid
   module Saml2
+    # rubocop:disable Metrics/ClassLength
     class ResponseValidator # :nodoc:
       attr_reader :response
       attr_reader :settings
@@ -20,13 +21,8 @@ module Spid
       def call
         return false unless success?
         [
-          matches_request_uuid,
-          issuer,
-          certificate,
-          destination,
-          conditions,
-          audience,
-          signature
+          matches_request_uuid, issuer, assertion_issuer, certificate,
+          destination, conditions, audience, signature
         ].all?
       end
 
@@ -50,11 +46,22 @@ module Spid
       end
 
       def issuer
-        return true if response.assertion_issuer == settings.idp_entity_id
+        return true if response.issuer == settings.idp_entity_id
 
         @errors["issuer"] =
           begin
-            "Response Issuer is '#{response.assertion_issuer}'" \
+            "Response Issuer is '#{response.issuer}'" \
+            " but was expected '#{settings.idp_entity_id}'"
+          end
+        false
+      end
+
+      def assertion_issuer
+        return true if response.assertion_issuer == settings.idp_entity_id
+
+        @errors["assertion_issuer"] =
+          begin
+            "Response Assertion Issuer is '#{response.assertion_issuer}'" \
             " but was expected '#{settings.idp_entity_id}'"
           end
         false
@@ -71,6 +78,7 @@ module Spid
 
       def destination
         return true if response.destination == settings.sp_acs_url
+        return true if response.destination == settings.sp_entity_id
 
         @errors["destination"] =
           begin
@@ -85,6 +93,7 @@ module Spid
 
         if response.conditions_not_before <= time &&
            response.conditions_not_on_or_after > time
+
           return true
         end
 
@@ -109,6 +118,21 @@ module Spid
         @errors["signature"] = "Signature mismatch"
         false
       end
+
+      def subject_recipient
+        return true if response.subject_recipient == settings.sp_acs_url
+      end
+
+      def subject_in_response_to
+        return true if response.subject_in_response_to == request_uuid
+      end
+
+      def subject_not_on_or_after
+        time = Time.now.utc.iso8601
+
+        return true if response.subject_not_on_or_after > time
+      end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/spid/saml2/saml_parser.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "spid/saml2/utils"
+
+module Spid
+  module Saml2
+    class SamlParser # :nodoc:
+      include Spid::Saml2::Utils
+
+      attr_reader :saml_message
+      attr_reader :document
+
+      def initialize(saml_message:)
+        @saml_message = saml_message
+        @document = REXML::Document.new(@saml_message)
+      end
+
+      def element_from_xpath(xpath)
+        document.elements[xpath]&.value&.strip
+      end
+    end
+  end
+end

data/lib/spid/saml2/service_provider.rb

@@ -45,6 +45,8 @@ module Spid
         @attribute_services     = attribute_services
         validate_digest_methods
         validate_attributes
+        validate_private_key
+        validate_certificate
       end
       # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/ParameterLists
@@ -92,6 +94,19 @@ module Spid
                 " use one of #{SIGNATURE_METHODS.join(', ')}"
         end
       end
+
+      def validate_private_key
+        return true if private_key.n.num_bits >= 1024
+        raise PrivateKeyTooShortError,
+              "Private key is too short: provide at least a " \
+              " private key with 1024 bits"
+      end
+
+      def validate_certificate
+        return true if certificate.verify(private_key)
+        raise CertificateNotBelongsToPKeyError,
+              "Provided a certificate signed with current private key"
+      end
     end
   end
 end

data/lib/spid/saml2/settings.rb

@@ -91,8 +91,7 @@ module Spid
       def x509_certificate_der
         @x509_certificate_der ||=
           begin
-            cert = OpenSSL::X509::Certificate.new(certificate)
-            Base64.encode64(cert.to_der).delete("\n")
+            Base64.encode64(certificate.to_der).delete("\n")
           end
       end
     end

data/lib/spid/saml2/sp_metadata.rb

@@ -6,12 +6,10 @@ module Spid
     class SPMetadata # :nodoc:
       attr_reader :document
       attr_reader :settings
-      attr_reader :uuid
 
-      def initialize(settings:, uuid: nil)
+      def initialize(settings:)
         @document = REXML::Document.new
         @settings = settings
-        @uuid = uuid || SecureRandom.uuid
       end
 
       def to_saml
@@ -34,7 +32,7 @@ module Spid
           "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#",
           "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata",
           "entityID" => settings.sp_entity_id,
-          "ID" => "_#{uuid}"
+          "ID" => settings.sp_entity_id
         }
       end
 

data/lib/spid/slo/response.rb

@@ -3,14 +3,18 @@
 module Spid
   module Slo
     class Response # :nodoc:
+      include Spid::Saml2::Utils
+
       attr_reader :body
       attr_reader :session_index
       attr_reader :request_uuid
+      attr_reader :saml_message
 
       def initialize(body:, session_index:, request_uuid:)
         @body = body
         @session_index = session_index
         @request_uuid = request_uuid
+        @saml_message = decode_and_inflate(body)
       end
 
       def valid?
@@ -59,7 +63,7 @@ module Spid
 
       def saml_response
         @saml_response ||= Spid::Saml2::LogoutResponse.new(
-          body: body
+          saml_message: saml_message
         )
       end
     end

data/lib/spid/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Spid
-  VERSION = "0.16.1"
+  VERSION = "0.17.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid
 version: !ruby/object:Gem::Version
-  version: 0.16.1
+  version: 0.17.0
 platform: ruby
 authors:
 - David Librera
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-05 00:00:00.000000000 Z
+date: 2018-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -343,6 +343,7 @@ files:
 - lib/spid/saml2/logout_response_validator.rb
 - lib/spid/saml2/response.rb
 - lib/spid/saml2/response_validator.rb
+- lib/spid/saml2/saml_parser.rb
 - lib/spid/saml2/service_provider.rb
 - lib/spid/saml2/settings.rb
 - lib/spid/saml2/sp_metadata.rb