Class: OneLogin::RubySaml::Utils

Inherits:
Object
  • Object
show all
Defined in:
lib/onelogin/ruby-saml/utils.rb

Overview

SAML2 Auxiliary class

Constant Summary collapse

DSIG =
"http://www.w3.org/2000/09/xmldsig#"
XENC =
"http://www.w3.org/2001/04/xmlenc#"
@@uuid_generator =
UUID.new

Class Method Summary collapse

Class Method Details

.build_query(params) ⇒ String

Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature

Parameters:

  • params (Hash)

    Parameters to build the Query String

Options Hash (params):

  • :type (String)

    'SAMLRequest' or 'SAMLResponse'

  • :data (String)

    Base64 encoded SAMLRequest or SAMLResponse

  • :relay_state (String)

    The RelayState parameter

  • :sig_alg (String)

    The SigAlg parameter

Returns:

  • (String)

    The Query String


70
71
72
73
74
75
76
# File 'lib/onelogin/ruby-saml/utils.rb', line 70

def self.build_query(params)
  type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{CGI.escape(data)}"
  url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
  url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
end

.build_query_from_raw_parts(params) ⇒ String

Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature

Parameters:

  • params (Hash)

    Parameters to build the Query String

Options Hash (params):

  • :type (String)

    'SAMLRequest' or 'SAMLResponse'

  • :raw_data (String)

    URI-encoded, base64 encoded SAMLRequest or SAMLResponse, as sent by IDP

  • :raw_relay_state (String)

    URI-encoded RelayState parameter, as sent by IDP

  • :raw_sig_alg (String)

    URI-encoded SigAlg parameter, as sent by IDP

Returns:

  • (String)

    The Query String


87
88
89
90
91
92
93
# File 'lib/onelogin/ruby-saml/utils.rb', line 87

def self.build_query_from_raw_parts(params)
  type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{raw_data}"
  url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state
  url_string << "&SigAlg=#{raw_sig_alg}"
end

.decrypt_data(encrypted_node, private_key) ⇒ String

Obtains the decrypted string from an Encrypted node element in XML

Parameters:

  • encrypted_node (REXML::Element)

    The Encrypted element

  • private_key (OpenSSL::PKey::RSA)

    The Service provider private key

Returns:

  • (String)

    The decrypted data


164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
# File 'lib/onelogin/ruby-saml/utils.rb', line 164

def self.decrypt_data(encrypted_node, private_key)
  encrypt_data = REXML::XPath.first(
    encrypted_node,
    "./xenc:EncryptedData",
    { 'xenc' => XENC }
  )
  symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
  cipher_value = REXML::XPath.first(
    encrypt_data,
    "./xenc:CipherData/xenc:CipherValue",
    { 'xenc' => XENC }
  )
  node = Base64.decode64(element_text(cipher_value))
  encrypt_method = REXML::XPath.first(
    encrypt_data,
    "./xenc:EncryptionMethod",
    { 'xenc' => XENC }
  )
  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(node, symmetric_key, algorithm)
end

.element_text(element) ⇒ Object

Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes that there all children other than text nodes can be ignored (e.g. comments). If nil is passed, nil will be returned.


288
289
290
# File 'lib/onelogin/ruby-saml/utils.rb', line 288

def self.element_text(element)
  element.texts.map(&:value).join if element
end

.format_cert(cert) ⇒ String

Return a properly formatted x509 certificate

Parameters:

  • cert (String)

    The original certificate

Returns:

  • (String)

    The formatted certificate


23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# File 'lib/onelogin/ruby-saml/utils.rb', line 23

def self.format_cert(cert)
  # don't try to format an encoded certificate or if is empty or nil
  return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)

  if cert.scan(/BEGIN CERTIFICATE/).length > 1
    formatted_cert = []
    cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
      formatted_cert << format_cert(c)
    }
    formatted_cert.join("\n")
  else
    cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
    cert = cert.gsub(/[\n\r\s]/, "")
    cert = cert.scan(/.{1,64}/)
    cert = cert.join("\n")
    "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
  end
end

.format_private_key(key) ⇒ String

Return a properly formatted private key

Parameters:

  • key (String)

    The original private key

Returns:

  • (String)

    The formatted private key


47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/onelogin/ruby-saml/utils.rb', line 47

def self.format_private_key(key)
  # don't try to format an encoded private key or if is empty
  return key if key.nil? || key.empty? || key.match(/\x0d/)

  # is this an rsa key?
  rsa_key = key.match("RSA PRIVATE KEY")
  key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
  key = key.gsub(/[\n\r\s]/, "")
  key = key.scan(/.{1,64}/)
  key = key.join("\n")
  key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
  "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
end

.original_uri_match?(destination_url, settings_url) ⇒ Boolean

If Rails' URI.parse can't match to valid URL, default back to the original matching service.

Returns:

  • (Boolean)

281
282
283
# File 'lib/onelogin/ruby-saml/utils.rb', line 281

def self.original_uri_match?(destination_url, settings_url)
  destination_url == settings_url
end

.prepare_raw_get_params(rawparams, params) ⇒ Hash

Prepare raw GET parameters (build them from normal parameters if not provided).

Parameters:

  • rawparams (Hash)

    Raw GET Parameters

  • params (Hash)

    GET Parameters

Returns:

  • (Hash)

    New raw parameters


102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# File 'lib/onelogin/ruby-saml/utils.rb', line 102

def self.prepare_raw_get_params(rawparams, params)
  rawparams ||= {}

  if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
    rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
  end
  if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
    rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
  end        
  if rawparams['RelayState'].nil? && !params['RelayState'].nil?
    rawparams['RelayState'] = CGI.escape(params['RelayState'])
  end
  if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
    rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
  end

  rawparams
end

.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String

Obtains the deciphered text

Parameters:

  • cipher_text (String)

    The ciphered text

  • symmetric_key (String)

    The symetric key used to encrypt the text

  • algorithm (String)

    The encrypted algorithm

Returns:

  • (String)

    The deciphered text


229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
# File 'lib/onelogin/ruby-saml/utils.rb', line 229

def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
  case algorithm
    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
  end

  if cipher
    iv_len = cipher.iv_len
    data = cipher_text[iv_len..-1]
    cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
    assertion_plaintext = cipher.update(data)
    assertion_plaintext << cipher.final
  elsif rsa
    rsa.private_decrypt(cipher_text)
  elsif oaep
    oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  else
    cipher_text
  end
end

.retrieve_symetric_key_reference(encrypt_data) ⇒ Object


216
217
218
219
220
221
222
# File 'lib/onelogin/ruby-saml/utils.rb', line 216

def self.retrieve_symetric_key_reference(encrypt_data)
  REXML::XPath.first(
    encrypt_data,
    "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
    { "ds" => DSIG }
  )
end

.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String

Obtains the symmetric key from the EncryptedData element

Parameters:

  • encrypt_data (REXML::Element)

    The EncryptedData element

  • private_key (OpenSSL::PKey::RSA)

    The Service provider private key

Returns:

  • (String)

    The symmetric key


190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
# File 'lib/onelogin/ruby-saml/utils.rb', line 190

def self.retrieve_symmetric_key(encrypt_data, private_key)
  encrypted_key = REXML::XPath.first(
    encrypt_data,
    "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]",
    { "ds" => DSIG, "xenc" => XENC },
    { "id" => self.retrieve_symetric_key_reference(encrypt_data) }
  )

  encrypted_symmetric_key_element = REXML::XPath.first(
    encrypted_key,
    "./xenc:CipherData/xenc:CipherValue",
    "xenc" => XENC
  )

  cipher_text = Base64.decode64(element_text(encrypted_symmetric_key_element))

  encrypt_method = REXML::XPath.first(
    encrypted_key,
    "./xenc:EncryptionMethod",
    "xenc" => XENC
  )

  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(cipher_text, private_key, algorithm)
end

.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String

Build the status error message

Parameters:

  • status_code (String) (defaults to: nil)

    StatusCode value

  • status_message (Strig) (defaults to: nil)

    StatusMessage value

Returns:

  • (String)

    The status error message


139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
# File 'lib/onelogin/ruby-saml/utils.rb', line 139

def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
  unless status_code.nil?
    if status_code.include? "|"
      status_codes = status_code.split(' | ')
      values = status_codes.collect do |status_code|
        status_code.split(':').last
      end
      printable_code = values.join(" => ")
    else
      printable_code = status_code.split(':').last
    end
    error_msg << ', was ' + printable_code
  end

  unless status_message.nil?
    error_msg << ' -> ' + status_message
  end

  error_msg
end

.uri_match?(destination_url, settings_url) ⇒ Boolean

Given two strings, attempt to match them as URIs using Rails' parse method. If they can be parsed, then the fully-qualified domain name and the host should performa a case-insensitive match, per the RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the two strings. This maintains the previous functionality.

Returns:

  • (Boolean)

263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
# File 'lib/onelogin/ruby-saml/utils.rb', line 263

def self.uri_match?(destination_url, settings_url)
  dest_uri = URI.parse(destination_url)
  acs_uri = URI.parse(settings_url)

  if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
    raise URI::InvalidURIError
  else
    dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
      dest_uri.host.downcase == acs_uri.host.downcase &&
      dest_uri.path == acs_uri.path &&
      dest_uri.query == acs_uri.query
  end
rescue URI::InvalidURIError
  original_uri_match?(destination_url, settings_url)
end

.uuidObject


254
255
256
# File 'lib/onelogin/ruby-saml/utils.rb', line 254

def self.uuid
  RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
end

.verify_signature(params) ⇒ Boolean

Validate the Signature parameter sent on the HTTP-Redirect binding

Parameters:

  • params (Hash)

    Parameters to be used in the validation process

Options Hash (params):

  • cert (OpenSSL::X509::Certificate)

    The Identity provider public certtificate

  • sig_alg (String)

    The SigAlg parameter

  • signature (String)

    The Signature parameter (base64 encoded)

  • query_string (String)

    The full GET Query String to be compared

Returns:

  • (Boolean)

    True if the Signature is valid, False otherwise


129
130
131
132
133
# File 'lib/onelogin/ruby-saml/utils.rb', line 129

def self.verify_signature(params)
  cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
  signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
  return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
end