Class: OneLogin::RubySaml::Utils

Inherits:

Object

• Object
• OneLogin::RubySaml::Utils

Defined in:

lib/onelogin/ruby-saml/utils.rb

Overview

SAML2 Auxiliary class

Constant Summary

DSIG =

"http://www.w3.org/2000/09/xmldsig#"

XENC =

"http://www.w3.org/2001/04/xmlenc#"

@@uuid_generator =

UUID.new

Class Method Summary

• .build_query(params) ⇒ String

  Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature.

• .build_query_from_raw_parts(params) ⇒ String

  Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature.

• .decrypt_data(encrypted_node, private_key) ⇒ String

  Obtains the decrypted string from an Encrypted node element in XML.

• .format_cert(cert) ⇒ String

  Return a properly formatted x509 certificate.

• .format_private_key(key) ⇒ String

  Return a properly formatted private key.

• .original_uri_match?(destination_url, settings_url) ⇒ Boolean

  If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.

• .prepare_raw_get_params(rawparams, params) ⇒ Hash

  Prepare raw GET parameters (build them from normal parameters if not provided).

• .retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String

  Obtains the deciphered text.

• .retrieve_symetric_key_reference(encrypt_data) ⇒ Object
• .retrieve_symmetric_key(encrypt_data, private_key) ⇒ String

  Obtains the symmetric key from the EncryptedData element.

• .status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String

  Build the status error message.

• .uri_match?(destination_url, settings_url) ⇒ Boolean

  Given two strings, attempt to match them as URIs using Rails’ parse method.

• .uuid ⇒ Object
• .verify_signature(params) ⇒ Boolean

  Validate the Signature parameter sent on the HTTP-Redirect binding.

Class Method Details

.build_query(params) ⇒ String

Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature

Parameters:

• params (Hash) —

  Parameters to build the Query String

Options Hash (params):

• :type (String) —

  ‘SAMLRequest’ or ‘SAMLResponse’

• :data (String) —

  Base64 encoded SAMLRequest or SAMLResponse

• :relay_state (String) —

  The RelayState parameter

• :sig_alg (String) —

  The SigAlg parameter

Returns:

• (String) —

  The Query String

# File 'lib/onelogin/ruby-saml/utils.rb', line 70

def self.build_query(params)
  type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{CGI.escape(data)}"
  url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
  url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
end

.build_query_from_raw_parts(params) ⇒ String

Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature

Parameters:

• params (Hash) —

  Parameters to build the Query String

Options Hash (params):

• :type (String) —

  ‘SAMLRequest’ or ‘SAMLResponse’

• :raw_data (String) —

  URI-encoded, base64 encoded SAMLRequest or SAMLResponse, as sent by IDP

• :raw_relay_state (String) —

  URI-encoded RelayState parameter, as sent by IDP

• :raw_sig_alg (String) —

  URI-encoded SigAlg parameter, as sent by IDP

Returns:

• (String) —

  The Query String

# File 'lib/onelogin/ruby-saml/utils.rb', line 87

def self.build_query_from_raw_parts(params)
  type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{raw_data}"
  url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state
  url_string << "&SigAlg=#{raw_sig_alg}"
end

.decrypt_data(encrypted_node, private_key) ⇒ String

Obtains the decrypted string from an Encrypted node element in XML

Parameters:

• encrypted_node (REXML::Element) —

  The Encrypted element

• private_key (OpenSSL::PKey::RSA) —

  The Service provider private key

Returns:

• (String) —

  The decrypted data

# File 'lib/onelogin/ruby-saml/utils.rb', line 164

def self.decrypt_data(encrypted_node, private_key)
  encrypt_data = REXML::XPath.first(
    encrypted_node,
    "./xenc:EncryptedData",
    { 'xenc' => XENC }
  )
  symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
  cipher_value = REXML::XPath.first(
    encrypt_data,
    "./xenc:CipherData/xenc:CipherValue",
    { 'xenc' => XENC }
  )
  node = Base64.decode64(cipher_value.text)
  encrypt_method = REXML::XPath.first(
    encrypt_data,
    "./xenc:EncryptionMethod",
    { 'xenc' => XENC }
  )
  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(node, symmetric_key, algorithm)
end

.format_cert(cert) ⇒ String

Return a properly formatted x509 certificate

Parameters:

• cert (String) —

  The original certificate

Returns:

• (String) —

  The formatted certificate

# File 'lib/onelogin/ruby-saml/utils.rb', line 23

def self.format_cert(cert)
  # don't try to format an encoded certificate or if is empty or nil
  return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)

  if cert.scan(/BEGIN CERTIFICATE/).length > 1
    formatted_cert = []
    cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
      formatted_cert << format_cert(c)
    }
    formatted_cert.join("\n")
  else
    cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
    cert = cert.gsub(/[\n\r\s]/, "")
    cert = cert.scan(/.{1,64}/)
    cert = cert.join("\n")
    "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
  end
end

.format_private_key(key) ⇒ String

Return a properly formatted private key

Parameters:

• key (String) —

  The original private key

Returns:

• (String) —

  The formatted private key

# File 'lib/onelogin/ruby-saml/utils.rb', line 47

def self.format_private_key(key)
  # don't try to format an encoded private key or if is empty
  return key if key.nil? || key.empty? || key.match(/\x0d/)

  # is this an rsa key?
  rsa_key = key.match("RSA PRIVATE KEY")
  key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
  key = key.gsub(/[\n\r\s]/, "")
  key = key.scan(/.{1,64}/)
  key = key.join("\n")
  key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
  "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
end

.original_uri_match?(destination_url, settings_url) ⇒ Boolean

If Rails’ URI.parse can’t match to valid URL, default back to the original matching service.

Returns:

• (Boolean)

# File 'lib/onelogin/ruby-saml/utils.rb', line 281

def self.original_uri_match?(destination_url, settings_url)
  destination_url == settings_url
end

.prepare_raw_get_params(rawparams, params) ⇒ Hash

Prepare raw GET parameters (build them from normal parameters if not provided).

Parameters:

• rawparams (Hash) —

  Raw GET Parameters

• params (Hash) —

  GET Parameters

Returns:

• (Hash) —

  New raw parameters

# File 'lib/onelogin/ruby-saml/utils.rb', line 102

def self.prepare_raw_get_params(rawparams, params)
  rawparams ||= {}

  if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
    rawparams['SAMLRequest'] = CGI.escape(params['SAMLRequest'])
  end
  if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
    rawparams['SAMLResponse'] = CGI.escape(params['SAMLResponse'])
  end        
  if rawparams['RelayState'].nil? && !params['RelayState'].nil?
    rawparams['RelayState'] = CGI.escape(params['RelayState'])
  end
  if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
    rawparams['SigAlg'] = CGI.escape(params['SigAlg'])
  end

  rawparams
end

.retrieve_plaintext(cipher_text, symmetric_key, algorithm) ⇒ String

Obtains the deciphered text

Parameters:

• cipher_text (String) —

  The ciphered text

• symmetric_key (String) —

  The symetric key used to encrypt the text

• algorithm (String) —

  The encrypted algorithm

Returns:

• (String) —

  The deciphered text

# File 'lib/onelogin/ruby-saml/utils.rb', line 229

def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
  case algorithm
    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
  end

  if cipher
    iv_len = cipher.iv_len
    data = cipher_text[iv_len..-1]
    cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
    assertion_plaintext = cipher.update(data)
    assertion_plaintext << cipher.final
  elsif rsa
    rsa.private_decrypt(cipher_text)
  elsif oaep
    oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  else
    cipher_text
  end
end

.retrieve_symetric_key_reference(encrypt_data) ⇒ Object

# File 'lib/onelogin/ruby-saml/utils.rb', line 216

def self.retrieve_symetric_key_reference(encrypt_data)
  REXML::XPath.first(
    encrypt_data,
    "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
    { "ds" => DSIG }
  )
end

.retrieve_symmetric_key(encrypt_data, private_key) ⇒ String

Obtains the symmetric key from the EncryptedData element

Parameters:

• encrypt_data (REXML::Element) —

  The EncryptedData element

• private_key (OpenSSL::PKey::RSA) —

  The Service provider private key

Returns:

• (String) —

  The symmetric key

# File 'lib/onelogin/ruby-saml/utils.rb', line 190

def self.retrieve_symmetric_key(encrypt_data, private_key)
  encrypted_key = REXML::XPath.first(
    encrypt_data,
    "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]",
    { "ds" => DSIG, "xenc" => XENC },
    { "id" => self.retrieve_symetric_key_reference(encrypt_data) }
  )

  encrypted_symmetric_key_element = REXML::XPath.first(
    encrypted_key,
    "./xenc:CipherData/xenc:CipherValue",
    "xenc" => XENC
  )

  cipher_text = Base64.decode64(encrypted_symmetric_key_element.text)

  encrypt_method = REXML::XPath.first(
    encrypted_key,
    "./xenc:EncryptionMethod",
    "xenc" => XENC
  )

  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(cipher_text, private_key, algorithm)
end

.status_error_msg(error_msg, status_code = nil, status_message = nil) ⇒ String

Build the status error message

Parameters:

• status_code (String) (defaults to: nil) —

  StatusCode value

• status_message (Strig) (defaults to: nil) —

  StatusMessage value

Returns:

• (String) —

  The status error message

# File 'lib/onelogin/ruby-saml/utils.rb', line 139

def self.status_error_msg(error_msg, status_code = nil, status_message = nil)
  unless status_code.nil?
    if status_code.include? "|"
      status_codes = status_code.split(' | ')
      values = status_codes.collect do |status_code|
        status_code.split(':').last
      end
      printable_code = values.join(" => ")
    else
      printable_code = status_code.split(':').last
    end
    error_msg << ', was ' + printable_code
  end

  unless status_message.nil?
    error_msg << ' -> ' + status_message
  end

  error_msg
end

.uri_match?(destination_url, settings_url) ⇒ Boolean

Given two strings, attempt to match them as URIs using Rails’ parse method. If they can be parsed, then the fully-qualified domain name and the host should performa a case-insensitive match, per the RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the two strings. This maintains the previous functionality.

Returns:

• (Boolean)

# File 'lib/onelogin/ruby-saml/utils.rb', line 263

def self.uri_match?(destination_url, settings_url)
  dest_uri = URI.parse(destination_url)
  acs_uri = URI.parse(settings_url)

  if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
    raise URI::InvalidURIError
  else
    dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
      dest_uri.host.downcase == acs_uri.host.downcase &&
      dest_uri.path == acs_uri.path &&
      dest_uri.query == acs_uri.query
  end
rescue URI::InvalidURIError
  original_uri_match?(destination_url, settings_url)
end

.uuid ⇒ Object

# File 'lib/onelogin/ruby-saml/utils.rb', line 254

def self.uuid
  RUBY_VERSION < '1.9' ? "_#{@@uuid_generator.generate}" : "_#{SecureRandom.uuid}"
end

.verify_signature(params) ⇒ Boolean

Validate the Signature parameter sent on the HTTP-Redirect binding

Parameters:

• params (Hash) —

  Parameters to be used in the validation process

Options Hash (params):

• cert (OpenSSL::X509::Certificate) —

  The Identity provider public certtificate

• sig_alg (String) —

  The SigAlg parameter

• signature (String) —

  The Signature parameter (base64 encoded)

• query_string (String) —

  The full GET Query String to be compared

Returns:

• (Boolean) —

  True if the Signature is valid, False otherwise

# File 'lib/onelogin/ruby-saml/utils.rb', line 129

def self.verify_signature(params)
  cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
  signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
  return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
end