ciam-es 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4e95196cb69850d66b4ad960fcf279885cb600448b39548e22b627998da49363
+  data.tar.gz: 53895057eaafde1db9a846ca1f885219348bdeb0dcaffffb29c39c74e78bd20c
+SHA512:
+  metadata.gz: 12312ab615271d5e7213a49528de7a286ffd3a103bdd7cf4ff810c2f146fe5bd7fba0bb10df24a37a7c9d3c74be0c875d43fdaaa3e05bead86c1366545278918
+  data.tar.gz: 2f46ce928a88d79369d7b22d8ef29f4490b0a6a8c600c2927b511e539d8b62a189c3c81ff56a3276b965d907d2f0ea78890c28594c9a71a98c092fd6a5749f85

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+gemspec
+

data/README.md

@@ -0,0 +1,127 @@
+# SPID Euro Servizi
+
+La libreria è un fork della libreria Ruby SAML e serve per l'integrazione di un client (Service Provider) con l'autenticazione CIAM del Comune di Milano
+Utilizza lo standard SAML 2
+
+
+<!-- ## Fase iniziale
+
+Azione di partenza in cui viene creata la request da inviare all'idp e viene fatto un redirect all'identity provider.
+
+```ruby
+    def init
+        #creo un istanza di Spid::Saml::Authrequest
+        saml_settings = get_saml_settings
+        #create an instance of Spid::Saml::Authrequest
+        request = Spid::Saml::Authrequest.new(saml_settings)
+        auth_request = request.create
+        # Based on the IdP metadata, select the appropriate binding 
+        # and return the action to perform to the controller
+        meta = Spid::Saml::Metadata.new(saml_settings)
+        signature = get_signature(auth_request.uuid,auth_request.request,"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+        sso_request = meta.create_sso_request( auth_request.request, {  :RelayState   => request.uuid,
+                                                                        :SigAlg       => "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+                                                                        :Signature    => signature } )
+        redirect_to sso_request
+    end
+
+```
+## Generazione della firma
+
+```ruby
+    def get_signature(relayState, request, sigAlg)
+        #url encode relayState
+        relayState_encoded = escape(relayState)
+        #deflate e base64 della samlrequest
+        deflate_request_B64 = encode(deflate(request))
+        #url encode della samlrequest
+        deflate_request_B64_encoded = escape(deflate_request_B64)
+        #url encode della sigAlg
+        sigAlg_encoded = escape(sigAlg)
+        querystring="SAMLRequest=#{deflate_request_B64_encoded}&RelayState=#{relayState_encoded}&SigAlg=#{sigAlg_encoded}"
+        #puts "**QUERYSTRING** = "+querystring
+        digest = OpenSSL::Digest::SHA256.new(querystring.strip) #sha2 a 256
+        chiave_privata = xxxxxx  #path della chiave privata con cui firmare 
+        pk = OpenSSL::PKey::RSA.new File.read(chiave_privata) #chiave privata
+        qssigned = pk.sign(digest,querystring.strip)
+        Base64.encode64(qssigned).gsub(/\n/, "")
+    end
+```
+
+
+Questo metodo è l'endpoint impostato a livello di metadata del service provider come 'assertion consumer', riceve la response saml con i dati di registrazione fatta su SPID dagli utenti. 
+
+```ruby
+    def assertion_consumer
+        #id dell' idp che manda response (es: 'infocert','poste')
+        provider_id = @request.params['ProviderID']
+        #response saml inviata dall'idp
+        saml_response = @request.params['SAMLResponse'] 
+        if !saml_response.nil? 
+            #assegno i settaggi
+            settings = get_saml_settings
+            #creo un oggetto response
+            response = Spid::Saml::Response.new(saml_response)
+            #assegno alla response i settaggi
+            response.settings = settings
+            #estraggo dal Base64 l'xml
+            saml_response_dec = Base64.decode64(saml_response)
+            #puts "**SAML RESPONSE DECODIFICATA: #{saml_response_dec}"
+
+            #validation of response
+            if response.is_valid? 
+                attributi_utente = response.attributes
+                ...
+            else
+                #autenticazione fallita!
+            end
+      end
+    end  
+```
+
+Questo metodo va a impostare le varie configurazioni che servono per connettersi ad un idp. ( NB: nel caso di SPID ci sono vari idp (Poste, TIM, Info Cert) ) 
+
+```ruby
+    def get_saml_settings  
+        settings = Spid::Saml::Settings.new
+        settings.assertion_consumer_service_url    #= ...String, url dell' assertion consumer al quale arriva la response dell' idp.
+        settings.issuer                            #= ...String, host del service provider o url dei metadata.
+        settings.sp_cert                           #= ...String, path del certificato pubblico in formato pem.
+        settings.sp_private_key                    #= ...String, path della chiave privata in formato pem.
+        settings.single_logout_service_url         #= ...String, url del servizio di logout dell'idp.
+        settings.sp_name_qualifier                 #= ...String, nome qualificato del service provider o url dei metadata.
+        settings.idp_name_qualifier                #= ...String, nome qualificato dell' identity provider o url dei metadata dell' idp.
+        settings.name_identifier_format            #= ...Array, formato di nomi ( impostare: ["urn:oasis:names:tc:SAML:2.0:nameid-format:transient"] ).
+        settings.destination_service_url           #= ...String, url del servizio per l'identity provider, usato come proxy per il sso.
+        settings.single_logout_destination         #= ...String, url di destinazione per la request logout. 
+        settings.authn_context                     #= ...Array, tipi di autorizzazioni permesse (impostare: ["urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", 
+                                                                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"]).
+        settings.requester_identificator           #= ...Array con id dei richiedenti (non usato).
+        settings.skip_validation                   #= ...Bool, imposta se evitare la validazione della response o delle asserzioni (false).
+        settings.idp_sso_target_url                #= ...String, url target del sso dell' identity provider.
+        settings.idp_metadata                      #= ...String, url dei metadata dell' idp.
+        settings.requested_attribute               #= ...Array, contiene i nomi dei campi richiesti dal servizio nei metadata.
+        settings.metadata_signed                   #= ...String, imposta se firmare i metadata.
+        settings.organization                      #= ...Hash, contiene nome breve (org_name), nome esteso (org_display_name) e url (org_url) 
+                                                               dell' organizzazione fornitore di servizi.
+        settings
+    end  
+```
+
+
+
+## Service Provider Metadata
+
+Per una relazione sicura con l'idp, il Service Provider deve fornire i metadata in formato xml.
+La classe Spid::Saml::Metadata legge i settaggi e fornisce l'xml richiesto dagli idp.
+
+```ruby
+    def sp_metadata
+        settings = get_saml_settings
+        meta = Spid::Saml::Metadata.new
+        
+        @response.headers['Content-Type'] = 'application/samlmetadata+xml'
+        $out << meta.generate(settings)
+    end
+``` -->
+

data/ciam-es.gemspec

@@ -0,0 +1,23 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name = 'ciam-es'
+  s.version = '0.0.1'
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Fabiano Pavan"]
+  s.date = Time.now.strftime("%Y-%m-%d")
+  s.description = %q{SAML toolkit for Ruby programs to integrate with CIAM Milano }
+  s.email = %q{fabiano.pavan@soluzionipa.it}
+  s.files = `git ls-files`.split("\n")
+  s.homepage = %q{https://github.com/EuroServizi/ciam-es}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.summary = %q{SAML Ruby Tookit CIAM}
+  s.license = "MIT"
+
+  s.add_runtime_dependency("canonix", ["0.1.1"])
+  s.add_runtime_dependency("uuid", ["~> 2.3"])
+  s.add_runtime_dependency("nokogiri", '>= 1.6.7.2')
+  s.add_runtime_dependency("addressable", ["2.7.0"])
+end

data/lib/ciam-es.rb

@@ -0,0 +1,14 @@
+require 'ciam/xml_security'
+require 'ciam/ruby-saml/utils'
+require 'ciam/ruby-saml/logging'
+require 'ciam/ruby-saml/coding'
+require 'ciam/ruby-saml/request'
+require 'ciam/ruby-saml/authrequest'
+require 'ciam/ruby-saml/logout_request'
+require 'ciam/ruby-saml/logout_response'
+require 'ciam/ruby-saml/response'
+require 'ciam/ruby-saml/settings'
+require 'ciam/ruby-saml/error_handling'
+require 'ciam/ruby-saml/validation_error'
+require 'ciam/ruby-saml/metadata'
+require 'ciam/ruby-saml/version'

data/lib/ciam/ruby-saml/authrequest.rb

@@ -0,0 +1,206 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+require "rubygems"
+require "addressable/uri"
+
+module Ciam::Saml
+  include REXML
+  class Authrequest
+    # a few symbols for SAML class names
+    HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+    HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+    
+    attr_accessor :uuid, :request, :issue_instant
+
+    def initialize( settings )
+      @settings = settings
+      @request_params = Hash.new
+    end
+    
+    def create(params = {})
+      uuid = "_" + UUID.new.generate
+      self.uuid = uuid
+      time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      self.issue_instant = time
+      # Create AuthnRequest root element using REXML 
+      request_doc = Ciam::XMLSecurityNew::Document.new
+      request_doc.context[:attribute_quote] = :quote
+      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol", 
+                                                              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
+                                                             }
+      root.attributes['ID'] = uuid
+      root.attributes['IssueInstant'] = time
+      root.attributes['Version'] = "2.0"
+      #root.attributes['ProtocolBinding'] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      root.attributes['AttributeConsumingServiceIndex'] = @settings.assertion_consumer_service_index
+      root.attributes['ForceAuthn'] = "true"
+      #root.attributes['IsPassive'] = "false"
+      #usato AssertionConsumerServiceURL e ProtocolBinding in alternativa, pag 8 regole tecniche
+      root.attributes['AssertionConsumerServiceIndex'] = @settings.attribute_consuming_service_index
+
+      #Tolto, utilizzo AssertionConsumerServiceIndex
+      # # Conditionally defined elements based on settings
+      # if @settings.assertion_consumer_service_url != nil
+      #   root.attributes["AssertionConsumerServiceURL"] = @settings.assertion_consumer_service_url
+      # end
+
+      if @settings.destination_service_url != nil
+        root.attributes["Destination"] = @settings.destination_service_url
+      end
+
+      unless @settings.issuer.blank?
+        issuer = root.add_element "saml:Issuer"
+        issuer.attributes['NameQualifier'] =  @settings.issuer #non metto @settings.sp_name_qualifier, questo valore deve essere uguale al 
+        #entityID dei metadata che usa @settings.issuer
+        issuer.attributes['Format'] =  "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+        issuer.text = @settings.issuer
+      end
+
+      #opzionale
+      unless @settings.sp_name_qualifier.blank?
+        subject = root.add_element "saml:Subject"
+        name_id = subject.add_element "saml:NameID"
+        name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        name_id.attributes['NameQualifier'] = @settings.sp_name_qualifier
+        name_id.text = @settings.sp_name_identifier
+      end
+
+
+
+      if @settings.name_identifier_format != nil
+        root.add_element "saml2p:NameIDPolicy", { 
+            # Might want to make AllowCreate a setting?
+            #{}"AllowCreate"     => "true",
+            "Format"          => @settings.name_identifier_format[0]
+        }
+      end
+
+      # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+      # match required for authentication to succeed.  If this is not defined, 
+      # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+      if @settings.authn_context != nil
+        requested_context = root.add_element "saml2p:RequestedAuthnContext", { 
+          "Comparison" => "minimum"
+        }
+        context_class = []
+        @settings.authn_context.each_with_index{ |context, index|
+          context_class[index] = requested_context.add_element "saml:AuthnContextClassRef"
+          context_class[index].text = context
+        }
+        
+      end
+
+      if @settings.requester_identificator != nil
+        requester_identificator = root.add_element "saml2p:Scoping", { 
+          "ProxyCount" => "0"
+        }
+        identificators = []
+        @settings.requester_identificator.each_with_index{ |requester, index|
+          identificators[index] = requester_identificator.add_element "saml2p:RequesterID"
+          identificators[index].text = requester
+        }
+        
+      end
+
+      request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      
+      #LA FIRMA VA MESSA SOLO NEL CASO CON HTTP POST
+      # cert = @settings.get_sp_cert
+      #   # embed signature
+      #   if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+      #     private_key = @settings.get_sp_key
+      #     request_doc.sign_document(private_key, cert)
+      #   end
+
+      # stampo come stringa semplice i metadata per non avere problemi con validazione firma
+      #ret = request_doc.to_s
+
+      @request = request_doc.to_s
+
+      #Logging.debug "Created AuthnRequest: #{@request}"
+
+      return self
+
+    end
+  
+    # get the IdP metadata, and select the appropriate SSO binding
+    # that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+    # but more could be added in the future
+    def binding_select
+      # first check if we're still using the old hard coded method for 
+      # backwards compatability
+      if @settings.idp_metadata == nil && @settings.idp_sso_target_url != nil
+        @URL = @settings.idp_sso_target_url
+        return "GET", content_get
+      end
+      # grab the metadata
+      metadata = Metadata::new
+      meta_doc = metadata.get_idp_metadata(@settings)
+      
+      # first try POST
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_POST}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        #Logging.debug "binding_select: POST to #{@URL}"
+        return "POST", content_post
+      end
+      
+      # next try GET
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_GET}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        Logging.debug "binding_select: GET from #{@URL}"
+        return "GET", content_get
+      end
+      # other types we might want to add in the future:  SOAP, Artifact
+    end
+    
+    # construct the the parameter list on the URL and return
+    def content_get
+      # compress GET requests to try and stay under that 8KB request limit
+      deflated_request  = Zlib::Deflate.deflate(@request, 9)[2..-5]
+      # strict_encode64() isn't available?  sub out the newlines
+      @request_params["SAMLRequest"] = Base64.encode64(deflated_request).gsub(/\n/, "")
+      
+      Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      uri = Addressable::URI.parse(@URL)
+      if uri.query_values == nil
+        uri.query_values = @request_params
+      else
+        # solution to stevenwilkin's parameter merge
+        uri.query_values = @request_params.merge(uri.query_values)
+      end
+      url = uri.to_s
+      #Logging.debug "Sending to URL #{url}"
+      return url
+    end
+    # construct an HTML form (POST) and return the content
+    def content_post
+      # POST requests seem to bomb out when they're deflated
+      # and they probably don't need to be compressed anyway
+      @request_params["SAMLRequest"] = Base64.encode64(@request).gsub(/\n/, "")
+      
+      #Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      # kind of a cheesy method of building an HTML, form since we can't rely on Rails too much,
+      # and REXML doesn't work well with quote characters
+      str = "<html><body onLoad=\"document.getElementById('form').submit();\">\n"
+      str += "<form id='form' name='form' method='POST' action=\"#{@URL}\">\n"
+      # we could change this in the future to associate a temp auth session ID
+      str += "<input name='RelayState' value='ruby-saml' type='hidden' />\n"
+      @request_params.each_pair do |key, value|
+        str += "<input name=\"#{key}\" value=\"#{value}\" type='hidden' />\n"
+        #str += "<input name=\"#{key}\" value=\"#{CGI.escape(value)}\" type='hidden' />\n"
+      end
+      str += "</form></body></html>\n"
+      
+      #Logging.debug "Created form:\n#{str}"
+      return str
+    end
+  end
+end

data/lib/ciam/ruby-saml/coding.rb

@@ -0,0 +1,34 @@
+require "cgi"
+require 'zlib'
+
+module Ciam
+  module Saml
+    module Coding
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded).gsub(/\n/, "")
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/ciam/ruby-saml/error_handling.rb

@@ -0,0 +1,27 @@
+require "ciam/ruby-saml/validation_error"
+
+module Ciam
+  module Saml
+    module ErrorHandling
+      attr_accessor :errors
+
+      # Append the cause to the errors array, and based on the value of soft, return false or raise
+      # an exception. soft_override is provided as a means of overriding the object's notion of
+      # soft for just this invocation.
+      def append_error(error_msg, soft_override = nil)
+        @errors << error_msg
+
+        unless soft_override.nil? ? soft : soft_override
+          raise ValidationError.new(error_msg)
+        end
+
+        false
+      end
+
+      # Reset the errors array
+      def reset_errors!
+        @errors = []
+      end
+    end
+  end
+end