class OneLogin::RubySaml::Utils

SAML2 Auxiliary class

Constants

BINDINGS
DSIG
DURATION_FORMAT
UUID_PREFIX
XENC

Public Class Methods

build_cert_object(cert) click to toggle source

Given a certificate string, return an OpenSSL::X509::Certificate object.

@param cert [String] The original certificate @return [OpenSSL::X509::Certificate] The certificate object

# File lib/onelogin/ruby-saml/utils.rb, line 150
def self.build_cert_object(cert)
  return nil if cert.nil? || cert.empty?

  OpenSSL::X509::Certificate.new(format_cert(cert))
end
build_private_key_object(private_key) click to toggle source

Given a private key string, return an OpenSSL::PKey::RSA object.

@param cert [String] The original private key @return [OpenSSL::PKey::RSA] The private key object

# File lib/onelogin/ruby-saml/utils.rb, line 161
def self.build_private_key_object(private_key)
  return nil if private_key.nil? || private_key.empty?

  OpenSSL::PKey::RSA.new(format_private_key(private_key))
end
build_query(params) click to toggle source

Build the Query String signature that will be used in the HTTP-Redirect binding to generate the Signature @param params [Hash] Parameters to build the Query String @option params [String] :type ‘SAMLRequest’ or ‘SAMLResponse’ @option params [String] :data Base64 encoded SAMLRequest or SAMLResponse @option params [String] :relay_state The RelayState parameter @option params [String] :sig_alg The SigAlg parameter @return [String] The Query String

# File lib/onelogin/ruby-saml/utils.rb, line 176
def self.build_query(params)
  type, data, relay_state, sig_alg = [:type, :data, :relay_state, :sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{CGI.escape(data)}"
  url_string << "&RelayState=#{CGI.escape(relay_state)}" if relay_state
  url_string << "&SigAlg=#{CGI.escape(sig_alg)}"
end
build_query_from_raw_parts(params) click to toggle source

Reconstruct a canonical query string from raw URI-encoded parts, to be used in verifying a signature

@param params [Hash] Parameters to build the Query String @option params [String] :type ‘SAMLRequest’ or ‘SAMLResponse’ @option params [String] :raw_data URI-encoded, base64 encoded SAMLRequest or SAMLResponse, as sent by IDP @option params [String] :raw_relay_state URI-encoded RelayState parameter, as sent by IDP @option params [String] :raw_sig_alg URI-encoded SigAlg parameter, as sent by IDP @return [String] The Query String

# File lib/onelogin/ruby-saml/utils.rb, line 193
def self.build_query_from_raw_parts(params)
  type, raw_data, raw_relay_state, raw_sig_alg = [:type, :raw_data, :raw_relay_state, :raw_sig_alg].map { |k| params[k]}

  url_string = "#{type}=#{raw_data}"
  url_string << "&RelayState=#{raw_relay_state}" if raw_relay_state
  url_string << "&SigAlg=#{raw_sig_alg}"
end
decrypt_data(encrypted_node, private_key) click to toggle source

Obtains the decrypted string from an Encrypted node element in XML @param encrypted_node [REXML::Element] The Encrypted element @param private_key [OpenSSL::PKey::RSA] The Service provider private key @return [String] The decrypted data

# File lib/onelogin/ruby-saml/utils.rb, line 299
def self.decrypt_data(encrypted_node, private_key)
  encrypt_data = REXML::XPath.first(
    encrypted_node,
    "./xenc:EncryptedData",
    { 'xenc' => XENC }
  )
  symmetric_key = retrieve_symmetric_key(encrypt_data, private_key)
  cipher_value = REXML::XPath.first(
    encrypt_data,
    "./xenc:CipherData/xenc:CipherValue",
    { 'xenc' => XENC }
  )
  node = Base64.decode64(element_text(cipher_value))
  encrypt_method = REXML::XPath.first(
    encrypt_data,
    "./xenc:EncryptionMethod",
    { 'xenc' => XENC }
  )
  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(node, symmetric_key, algorithm)
end
decrypt_multi(encrypted_node, private_keys) click to toggle source

Obtains the decrypted string from an Encrypted node element in XML, given multiple private keys to try. @param encrypted_node [REXML::Element] The Encrypted element @param private_keys [Array<OpenSSL::PKey::RSA>] The Service provider private key @return [String] The decrypted data

# File lib/onelogin/ruby-saml/utils.rb, line 280
def self.decrypt_multi(encrypted_node, private_keys)
  raise ArgumentError.new('private_keys must be specified') if !private_keys || private_keys.empty?

  error = nil
  private_keys.each do |key|
    begin
      return decrypt_data(encrypted_node, key)
    rescue OpenSSL::PKey::PKeyError => e
      error ||= e
    end
  end

  raise(error) if error
end
element_text(element) click to toggle source

Given a REXML::Element instance, return the concatenation of all child text nodes. Assumes that there all children other than text nodes can be ignored (e.g. comments). If nil is passed, nil will be returned.

# File lib/onelogin/ruby-saml/utils.rb, line 440
def self.element_text(element)
  element.texts.map(&:value).join if element
end
escape_request_param(param, lowercase_url_encoding) click to toggle source
# File lib/onelogin/ruby-saml/utils.rb, line 228
def self.escape_request_param(param, lowercase_url_encoding)
  CGI.escape(param).tap do |escaped|
    next unless lowercase_url_encoding

    escaped.gsub!(/%[A-Fa-f0-9]{2}/) { |match| match.downcase }
  end
end
format_cert(cert) click to toggle source

Return a properly formatted x509 certificate

@param cert [String] The original certificate @return [String] The formatted certificate

# File lib/onelogin/ruby-saml/utils.rb, line 99
def self.format_cert(cert)
  # don't try to format an encoded certificate or if is empty or nil
  if cert.respond_to?(:ascii_only?)
    return cert if cert.nil? || cert.empty? || !cert.ascii_only?
  else
    return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
  end

  if cert.scan(/BEGIN CERTIFICATE/).length > 1
    formatted_cert = []
    cert.scan(/-{5}BEGIN CERTIFICATE-{5}[\n\r]?.*?-{5}END CERTIFICATE-{5}[\n\r]?/m) {|c|
      formatted_cert << format_cert(c)
    }
    formatted_cert.join("\n")
  else
    cert = cert.gsub(/\-{5}\s?(BEGIN|END) CERTIFICATE\s?\-{5}/, "")
    cert = cert.gsub(/\r/, "")
    cert = cert.gsub(/\n/, "")
    cert = cert.gsub(/\s/, "")
    cert = cert.scan(/.{1,64}/)
    cert = cert.join("\n")
    "-----BEGIN CERTIFICATE-----\n#{cert}\n-----END CERTIFICATE-----"
  end
end
format_private_key(key) click to toggle source

Return a properly formatted private key

@param key [String] The original private key @return [String] The formatted private key

# File lib/onelogin/ruby-saml/utils.rb, line 129
def self.format_private_key(key)
  # don't try to format an encoded private key or if is empty
  return key if key.nil? || key.empty? || key.match(/\x0d/)

  # is this an rsa key?
  rsa_key = key.match("RSA PRIVATE KEY")
  key = key.gsub(/\-{5}\s?(BEGIN|END)( RSA)? PRIVATE KEY\s?\-{5}/, "")
  key = key.gsub(/\n/, "")
  key = key.gsub(/\r/, "")
  key = key.gsub(/\s/, "")
  key = key.scan(/.{1,64}/)
  key = key.join("\n")
  key_label = rsa_key ? "RSA PRIVATE KEY" : "PRIVATE KEY"
  "-----BEGIN #{key_label}-----\n#{key}\n-----END #{key_label}-----"
end
is_cert_active(cert) click to toggle source

Checks if the x509 cert provided has both started and has not expired.

@param cert [OpenSSL::X509::Certificate|String] The x509 certificate. @return [true|false] Whether the certificate is currently active.

# File lib/onelogin/ruby-saml/utils.rb, line 51
def self.is_cert_active(cert)
  cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
  now = Time.now
  cert.not_before <= now && cert.not_after >= now
end
is_cert_expired(cert) click to toggle source

Checks if the x509 cert provided is expired.

@param cert [OpenSSL::X509::Certificate|String] The x509 certificate. @return [true|false] Whether the certificate is expired.

# File lib/onelogin/ruby-saml/utils.rb, line 41
def self.is_cert_expired(cert)
  cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)

  cert.not_after < Time.now
end
original_uri_match?(destination_url, settings_url) click to toggle source

If Rails’ URI.parse can’t match to valid URL, default back to the original matching service. @return [Boolean]

# File lib/onelogin/ruby-saml/utils.rb, line 433
def self.original_uri_match?(destination_url, settings_url)
  destination_url == settings_url
end
parse_duration(duration, timestamp=Time.now.utc) click to toggle source

Interprets a ISO8601 duration value relative to a given timestamp.

@param duration [String] The duration, as a string. @param timestamp [Integer] The unix timestamp we should apply the

duration to. Optional, default to the
current time.

@return [Integer] The new timestamp, after the duration is applied.

# File lib/onelogin/ruby-saml/utils.rb, line 66
def self.parse_duration(duration, timestamp=Time.now.utc)
  return nil if RUBY_VERSION < '1.9'  # 1.8.7 not supported

  matches = duration.match(DURATION_FORMAT)

  if matches.nil?
    raise StandardError.new("Invalid ISO 8601 duration")
  end

  sign = matches[1] == '-' ? -1 : 1

  durYears, durMonths, durDays, durHours, durMinutes, durSeconds, durWeeks =
    matches[2..8].map do |match|
      if match
        match = match.tr(',', '.').gsub(/\.0*\z/, '')
        sign * (match.include?('.') ? match.to_f : match.to_i)
      else
        0
      end
    end

  datetime = Time.at(timestamp).utc.to_datetime
  datetime = datetime.next_year(durYears)
  datetime = datetime.next_month(durMonths)
  datetime = datetime.next_day((7*durWeeks) + durDays)
  datetime.to_time.utc.to_i + (durHours * 3600) + (durMinutes * 60) + durSeconds
end
prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false) click to toggle source

Prepare raw GET parameters (build them from normal parameters if not provided).

@param rawparams [Hash] Raw GET Parameters @param params [Hash] GET Parameters @param lowercase_url_encoding [bool] Lowercase URL Encoding (For ADFS urlencode compatiblity) @return [Hash] New raw parameters

# File lib/onelogin/ruby-saml/utils.rb, line 209
def self.prepare_raw_get_params(rawparams, params, lowercase_url_encoding=false)
  rawparams ||= {}

  if rawparams['SAMLRequest'].nil? && !params['SAMLRequest'].nil?
    rawparams['SAMLRequest'] = escape_request_param(params['SAMLRequest'], lowercase_url_encoding)
  end
  if rawparams['SAMLResponse'].nil? && !params['SAMLResponse'].nil?
    rawparams['SAMLResponse'] = escape_request_param(params['SAMLResponse'], lowercase_url_encoding)
  end
  if rawparams['RelayState'].nil? && !params['RelayState'].nil?
    rawparams['RelayState'] = escape_request_param(params['RelayState'], lowercase_url_encoding)
  end
  if rawparams['SigAlg'].nil? && !params['SigAlg'].nil?
    rawparams['SigAlg'] = escape_request_param(params['SigAlg'], lowercase_url_encoding)
  end

  rawparams
end
retrieve_plaintext(cipher_text, symmetric_key, algorithm) click to toggle source

Obtains the deciphered text @param cipher_text [String] The ciphered text @param symmetric_key [String] The symmetric key used to encrypt the text @param algorithm [String] The encrypted algorithm @return [String] The deciphered text

# File lib/onelogin/ruby-saml/utils.rb, line 364
def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
  case algorithm
    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
    when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
    when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(192, :GCM).decrypt
    when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher::AES.new(256, :GCM).decrypt
    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
  end

  if cipher
    iv_len = cipher.iv_len
    data = cipher_text[iv_len..-1]
    cipher.padding, cipher.key, cipher.iv = 0, symmetric_key, cipher_text[0..iv_len-1]
    assertion_plaintext = cipher.update(data)
    assertion_plaintext << cipher.final
  elsif auth_cipher
    iv_len, text_len, tag_len = auth_cipher.iv_len, cipher_text.length, 16
    data = cipher_text[iv_len..text_len-1-tag_len]
    auth_cipher.padding = 0
    auth_cipher.key = symmetric_key
    auth_cipher.iv = cipher_text[0..iv_len-1]
    auth_cipher.auth_data = ''
    auth_cipher.auth_tag = cipher_text[text_len-tag_len..-1]
    assertion_plaintext = auth_cipher.update(data)
    assertion_plaintext << auth_cipher.final
  elsif rsa
    rsa.private_decrypt(cipher_text)
  elsif oaep
    oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  else
    cipher_text
  end
end
retrieve_symetric_key_reference(encrypt_data) click to toggle source
# File lib/onelogin/ruby-saml/utils.rb, line 351
def self.retrieve_symetric_key_reference(encrypt_data)
  REXML::XPath.first(
    encrypt_data,
    "substring-after(./ds:KeyInfo/ds:RetrievalMethod/@URI, '#')",
    { "ds" => DSIG }
  )
end
retrieve_symmetric_key(encrypt_data, private_key) click to toggle source

Obtains the symmetric key from the EncryptedData element @param encrypt_data [REXML::Element] The EncryptedData element @param private_key [OpenSSL::PKey::RSA] The Service provider private key @return [String] The symmetric key

# File lib/onelogin/ruby-saml/utils.rb, line 325
def self.retrieve_symmetric_key(encrypt_data, private_key)
  encrypted_key = REXML::XPath.first(
    encrypt_data,
    "./ds:KeyInfo/xenc:EncryptedKey | ./KeyInfo/xenc:EncryptedKey | //xenc:EncryptedKey[@Id=$id]",
    { "ds" => DSIG, "xenc" => XENC },
    { "id" => self.retrieve_symetric_key_reference(encrypt_data) }
  )

  encrypted_symmetric_key_element = REXML::XPath.first(
    encrypted_key,
    "./xenc:CipherData/xenc:CipherValue",
    "xenc" => XENC
  )

  cipher_text = Base64.decode64(element_text(encrypted_symmetric_key_element))

  encrypt_method = REXML::XPath.first(
    encrypted_key,
    "./xenc:EncryptionMethod",
    "xenc" => XENC
  )

  algorithm = encrypt_method.attributes['Algorithm']
  retrieve_plaintext(cipher_text, private_key, algorithm)
end
set_prefix(value) click to toggle source
# File lib/onelogin/ruby-saml/utils.rb, line 402
def self.set_prefix(value)
  UUID_PREFIX.replace value
end
status_error_msg(error_msg, raw_status_code = nil, status_message = nil) click to toggle source

Build the status error message @param status_code [String] StatusCode value @param status_message [Strig] StatusMessage value @return [String] The status error message

# File lib/onelogin/ruby-saml/utils.rb, line 254
def self.status_error_msg(error_msg, raw_status_code = nil, status_message = nil)
  unless raw_status_code.nil?
    if raw_status_code.include? "|"
      status_codes = raw_status_code.split(' | ')
      values = status_codes.collect do |status_code|
        status_code.split(':').last
      end
      printable_code = values.join(" => ")
    else
      printable_code = raw_status_code.split(':').last
    end
    error_msg << ', was ' + printable_code
  end

  unless status_message.nil?
    error_msg << ' -> ' + status_message
  end

  error_msg
end
uri_match?(destination_url, settings_url) click to toggle source

Given two strings, attempt to match them as URIs using Rails’ parse method. If they can be parsed, then the fully-qualified domain name and the host should performa a case-insensitive match, per the RFC for URIs. If Rails can not parse the string in to URL pieces, return a boolean match of the two strings. This maintains the previous functionality. @return [Boolean]

# File lib/onelogin/ruby-saml/utils.rb, line 415
def self.uri_match?(destination_url, settings_url)
  dest_uri = URI.parse(destination_url)
  acs_uri = URI.parse(settings_url)

  if dest_uri.scheme.nil? || acs_uri.scheme.nil? || dest_uri.host.nil? || acs_uri.host.nil?
    raise URI::InvalidURIError
  else
    dest_uri.scheme.downcase == acs_uri.scheme.downcase &&
      dest_uri.host.downcase == acs_uri.host.downcase &&
      dest_uri.path == acs_uri.path &&
      dest_uri.query == acs_uri.query
  end
rescue URI::InvalidURIError
  original_uri_match?(destination_url, settings_url)
end
uuid() click to toggle source
# File lib/onelogin/ruby-saml/utils.rb, line 406
def self.uuid
  "#{UUID_PREFIX}" + (RUBY_VERSION < '1.9' ? "#{@@uuid_generator.generate}" : "#{SecureRandom.uuid}")
end
verify_signature(params) click to toggle source

Validate the Signature parameter sent on the HTTP-Redirect binding @param params [Hash] Parameters to be used in the validation process @option params [OpenSSL::X509::Certificate] cert The IDP public certificate @option params [String] sig_alg The SigAlg parameter @option params [String] signature The Signature parameter (base64 encoded) @option params [String] query_string The full GET Query String to be compared @return [Boolean] True if the Signature is valid, False otherwise

# File lib/onelogin/ruby-saml/utils.rb, line 244
def self.verify_signature(params)
  cert, sig_alg, signature, query_string = [:cert, :sig_alg, :signature, :query_string].map { |k| params[k]}
  signature_algorithm = XMLSecurity::BaseDocument.new.algorithm(sig_alg)
  return cert.public_key.verify(signature_algorithm.new, Base64.decode64(signature), query_string)
end