ciam-es 0.0.1 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e95196cb69850d66b4ad960fcf279885cb600448b39548e22b627998da49363
-  data.tar.gz: 53895057eaafde1db9a846ca1f885219348bdeb0dcaffffb29c39c74e78bd20c
+  metadata.gz: 3dad8a3cc1881093b5b571a3a6ff5ef017a580efd63eabe3a40551c365b2ed06
+  data.tar.gz: a5f904d9fb491a5fa3e916f81ff3a85b86f93536fb32546e35605ca09a3b3530
 SHA512:
-  metadata.gz: 12312ab615271d5e7213a49528de7a286ffd3a103bdd7cf4ff810c2f146fe5bd7fba0bb10df24a37a7c9d3c74be0c875d43fdaaa3e05bead86c1366545278918
-  data.tar.gz: 2f46ce928a88d79369d7b22d8ef29f4490b0a6a8c600c2927b511e539d8b62a189c3c81ff56a3276b965d907d2f0ea78890c28594c9a71a98c092fd6a5749f85
+  metadata.gz: f15050be6418bf31b9b680e16de3646cd987d5142db14a9a07656e62b2916d0dd21c891d594cbf8ded5a288ab03162126480318c5fa0cc130ccc1483e03bfd48
+  data.tar.gz: 5e49de6e43c66d2823efc1a472be655edca69deebec364d595aea1577eedd203ed272846ab76e252474502f28addd9b3dcc36949a8e51478aa8a6b46dff02a02

data/ciam-es.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name = 'ciam-es'
-  s.version = '0.0.1'
+  s.version = '0.0.6'
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]
@@ -19,5 +19,5 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("canonix", ["0.1.1"])
   s.add_runtime_dependency("uuid", ["~> 2.3"])
   s.add_runtime_dependency("nokogiri", '>= 1.6.7.2')
-  s.add_runtime_dependency("addressable", ["2.7.0"])
+  s.add_runtime_dependency("addressable", [">= 2.4.0"])
 end

data/lib/ciam/ruby-saml/authrequest.rb

@@ -29,7 +29,7 @@ module Ciam::Saml
       # Create AuthnRequest root element using REXML 
       request_doc = Ciam::XMLSecurityNew::Document.new
       request_doc.context[:attribute_quote] = :quote
-      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol", 
+      root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", 
                                                               "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
                                                              }
       root.attributes['ID'] = uuid
@@ -72,7 +72,7 @@ module Ciam::Saml
 
 
       if @settings.name_identifier_format != nil
-        root.add_element "saml2p:NameIDPolicy", { 
+        root.add_element "samlp:NameIDPolicy", { 
             # Might want to make AllowCreate a setting?
             #{}"AllowCreate"     => "true",
             "Format"          => @settings.name_identifier_format[0]
@@ -83,8 +83,8 @@ module Ciam::Saml
       # match required for authentication to succeed.  If this is not defined, 
       # the IdP will choose default rules for authentication.  (Shibboleth IdP)
       if @settings.authn_context != nil
-        requested_context = root.add_element "saml2p:RequestedAuthnContext", { 
-          "Comparison" => "minimum"
+        requested_context = root.add_element "samlp:RequestedAuthnContext", { 
+          "Comparison" => "exact"
         }
         context_class = []
         @settings.authn_context.each_with_index{ |context, index|
@@ -95,12 +95,12 @@ module Ciam::Saml
       end
 
       if @settings.requester_identificator != nil
-        requester_identificator = root.add_element "saml2p:Scoping", { 
+        requester_identificator = root.add_element "samlp:Scoping", { 
           "ProxyCount" => "0"
         }
         identificators = []
         @settings.requester_identificator.each_with_index{ |requester, index|
-          identificators[index] = requester_identificator.add_element "saml2p:RequesterID"
+          identificators[index] = requester_identificator.add_element "samlp:RequesterID"
           identificators[index].text = requester
         }
         
@@ -109,12 +109,12 @@ module Ciam::Saml
       request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
       
       #LA FIRMA VA MESSA SOLO NEL CASO CON HTTP POST
-      # cert = @settings.get_sp_cert
-      #   # embed signature
-      #   if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
-      #     private_key = @settings.get_sp_key
-      #     request_doc.sign_document(private_key, cert)
-      #   end
+      cert = @settings.get_cert(@settings.sp_cert)
+      # embed signature
+      if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+        private_key = @settings.get_sp_key
+        request_doc.sign_document(private_key, cert)
+      end
 
       # stampo come stringa semplice i metadata per non avere problemi con validazione firma
       #ret = request_doc.to_s

data/lib/ciam/ruby-saml/logout_request.rb

@@ -37,85 +37,106 @@ module Ciam::Saml
       opt = { :name_id => nil, :session_index => nil, :extra_parameters => nil  }.merge(options)
       return nil unless opt[:name_id]
       
-      @request = REXML::Document.new
-      @request.context[:attribute_quote] = :quote
+      request_doc = Ciam::XMLSecurityNew::Document.new
+      request_doc.context[:attribute_quote] = :quote
       
                                 
-      root = @request.add_element "saml2p:LogoutRequest", { "xmlns:saml2p" => PROTOCOL }
+      root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => PROTOCOL, "xmlns:saml" => ASSERTION }
       root.attributes['ID'] = @transaction_id
       root.attributes['IssueInstant'] = @issue_instant
       root.attributes['Version'] = "2.0"
       root.attributes['Destination'] = @settings.single_logout_destination
       
-      issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => ASSERTION  }
-      issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
-      #issuer.text = @settings.issuer
-      #per la federazione trentina qui ci vanno i metadati...
-      issuer.text = @settings.idp_metadata
+      issuer = root.add_element "saml:Issuer"#, { "xmlns:saml2" => ASSERTION  }
+      #issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+      issuer.text = @settings.issuer
 
-      name_id = root.add_element "saml2:NameID", { "xmlns:saml2" => ASSERTION }
+      name_id = root.add_element "saml:NameID"#, { "xmlns:saml2" => ASSERTION }
       name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       name_id.attributes['NameQualifier'] = @settings.idp_name_qualifier
       name_id.text = opt[:name_id]
       # I believe the rest of these are optional
-      if @settings && @settings.sp_name_qualifier
-        name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
-      end
+      # if @settings && @settings.sp_name_qualifier
+      #   name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
+      # end
       if opt[:session_index] 
-        session_index = root.add_element "saml2p:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
+        session_index = root.add_element "samlp:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
         session_index.text = opt[:session_index]
       end
-      Logging.debug "Created LogoutRequest: #{@request}"
-      meta = Metadata.new(@settings)
-      return meta.create_slo_request( to_s, opt[:extra_parameters] )
+
+      request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      #sign logout_request
+      cert = @settings.get_cert(@settings.sp_cert)
+      
+      # embed signature
+      if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+        private_key = @settings.get_sp_key
+        request_doc.sign_document(private_key, cert)
+      end
+
+
+      puts "Created LogoutRequest: #{request_doc}"
+      
+      #Logout per binding redirect
+      # meta = Metadata.new(@settings)
+      # slo_req = meta.create_slo_request( request_doc.to_s, opt[:extra_parameters] )
+      
+      
+      return request_doc.to_s
+      
       #action, content =  binding_select("SingleLogoutService")
       #Logging.debug "action: #{action} content: #{content}"
       #return [action, content]
-     end
+    end
 
-  # function to return the created request as an XML document
+    # function to return the created request as an XML document
     def to_xml
-    text = ""
-    @request.write(text, 1)
-      return text
+        text = ""
+        @request.write(text, 1)
+        return text
+    end
+
+    def to_s
+        @request.to_s
     end
-   def to_s
-     @request.to_s
-   end
+
     # Functions for pulling values out from an IdP initiated LogoutRequest
-  def name_id 
-    element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", { 
-        "p" => PROTOCOL, "a" => ASSERTION } )
-    return nil if element.nil?
-    # Can't seem to get this to work right...
-    #element.context[:compress_whitespace] = ["NameID"]
-    #element.context[:compress_whitespace] = :all
-    str = element.text.gsub(/^\s+/, "")
-    str.gsub!(/\s+$/, "")
-    return str
-  end
+    def name_id 
+      element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", { 
+          "p" => PROTOCOL, "a" => ASSERTION } )
+      return nil if element.nil?
+      # Can't seem to get this to work right...
+      #element.context[:compress_whitespace] = ["NameID"]
+      #element.context[:compress_whitespace] = :all
+      str = element.text.gsub(/^\s+/, "")
+      str.gsub!(/\s+$/, "")
+      return str
+    end
   
-  def transaction_id
-    return @transaction_id if @transaction_id 
-    element = REXML::XPath.first(@request, "/p:LogoutRequest", { 
-        "p" => PROTOCOL} )
-    return nil if element.nil?
-    return element.attributes["ID"]
-  end
-  def is_valid?
-    validate(soft = true)
-  end
+    def transaction_id
+      return @transaction_id if @transaction_id 
+      element = REXML::XPath.first(@request, "/p:LogoutRequest", { 
+          "p" => PROTOCOL} )
+      return nil if element.nil?
+      return element.attributes["ID"]
+    end
+
+    def is_valid?
+      validate(soft = true)
+    end
   
-  def validate!
-    validate( soft = false )
-  end
-  def validate( soft = true )
-    return false if @request.nil?
-      return false if @request.validate(@settings, soft) == false
-    
-    return true
-    
-  end
+    def validate!
+      validate( soft = false )
+    end
+
+    def validate( soft = true )
+      return false if @request.nil?
+        return false if @request.validate(@settings, soft) == false
+      
+      return true
+      
+    end
+
     private 
     
     def self.timestamp

data/lib/ciam/ruby-saml/metadata.rb

@@ -30,18 +30,10 @@ module Ciam
       def generate(settings)
         #meta_doc = REXML::Document.new
         meta_doc = Ciam::XMLSecurityNew::Document.new
-        if settings.aggregato
-          root = meta_doc.add_element "md:EntityDescriptor", { 
-            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
-            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace",
-            "xmlns:ciam"        => "https://ciam.gov.it/saml-extensions",
-          }
-        else
-          root = meta_doc.add_element "md:EntityDescriptor", { 
+        root = meta_doc.add_element "md:EntityDescriptor", { 
             "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
             "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace"
           }
-        end
         
         if settings.issuer != nil
           root.attributes["entityID"] = settings.issuer
@@ -223,53 +215,12 @@ module Ciam
             "xml:lang" => "it"
         }
     
-        org_display_name.text = settings.organization['org_display_name']+(settings.aggregato ? " tramite #{settings.hash_aggregatore['soggetto_aggregatore']}" : '')
+        org_display_name.text = settings.organization['org_display_name']
         org_url = organization.add_element "md:OrganizationURL", {
             "xml:lang" => "it"
         }
         org_url.text = settings.organization['org_url']
 
-        #ContactPerson per sp aggregato
-        if settings.aggregato
-          contact_person_aggregatore = root.add_element "md:ContactPerson", {
-            "contactType" => "other",
-            "ciam:entityType" => "ciam:aggregator"
-          }
-          company = contact_person_aggregatore.add_element "md:Company"
-          company.text = settings.hash_aggregatore['soggetto_aggregatore']
-
-          extensions_aggregatore = contact_person_aggregatore.add_element "md:Extensions"
-          vat_number_aggregatore = extensions_aggregatore.add_element "ciam:VATNumber"
-          vat_number_aggregatore.text = settings.hash_aggregatore['piva_aggregatore']
-          
-          ipa_code_aggregatore = extensions_aggregatore.add_element "ciam:IPACode"
-          ipa_code_aggregatore.text = settings.hash_aggregatore['cipa_aggregatore']
-
-          fiscal_code_aggregatore = extensions_aggregatore.add_element "ciam:FiscalCode"
-          fiscal_code_aggregatore.text = settings.hash_aggregatore['cf_aggregatore']
-
-          contact_person_aggregato = root.add_element "md:ContactPerson", {
-            "contactType" => "other",
-            "ciam:entityType" => "ciam:aggregated"
-          }
-          company = contact_person_aggregato.add_element "md:Company"
-          company.text = settings.organization['org_name']
-
-          extensions_aggregato = contact_person_aggregato.add_element "md:Extensions"
-          unless settings.hash_aggregatore['soggetto_aggregato']['vat_number'].blank?
-            vat_number_aggregato = extensions_aggregato.add_element "ciam:VATNumber"
-            vat_number_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['vat_number']
-          end
-          unless settings.hash_aggregatore['soggetto_aggregato']['ipa_code'].blank?
-            ipa_code_aggregato = extensions_aggregato.add_element "ciam:IPACode" 
-            ipa_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['ipa_code']
-          end
-          unless settings.hash_aggregatore['soggetto_aggregato']['fiscal_code'].blank?
-            fiscal_code_aggregato = extensions_aggregato.add_element "ciam:FiscalCode" 
-            fiscal_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['fiscal_code']
-          end
-        end
-
         #meta_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
         meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")
 

data/lib/ciam/ruby-saml/response.rb

@@ -98,8 +98,13 @@ module Ciam
             parse_time(node, "SessionNotOnOrAfter")
           end
         end
-        
 
+        def session_index
+          @session_index ||= begin
+            node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+            node.attributes["SessionIndex"] unless node.blank?
+          end
+        end
 
         # Checks the status of the response for a "Success" code
         def success?
@@ -166,12 +171,6 @@ module Ciam
 
             }
 
-            issuer_assertion_nodes.each{ |iss|
-              #controllo: L'attributo Format di Issuer deve essere presente con il valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity
-              return (soft ? false : validation_error("Elemento Issuer non ha formato corretto ")) if iss.attributes['Format'] != 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
-
-            }
-
             nodes = issuer_response_nodes + issuer_assertion_nodes
 
             nodes.map { |node| Utils.element_text(node) }.compact.uniq

data/lib/ciam/ruby-saml/settings.rb

@@ -10,7 +10,7 @@ module Ciam
       attr_accessor :name_identifier_value, :name_identifier_format
       attr_accessor :sessionindex, :issuer, :destination_service_url, :authn_context, :requester_identificator
       attr_accessor :single_logout_service_url, :single_logout_service_binding, :single_logout_destination
-      attr_accessor :skip_validation, :aggregato, :hash_aggregatore
+      attr_accessor :skip_validation
     
       def initialize(config = {})
         config.each do |k,v|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ciam-es
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.6
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-31 00:00:00.000000000 Z
+date: 2020-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix
@@ -56,16 +56,16 @@ dependencies:
   name: addressable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.7.0
+        version: 2.4.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.7.0
+        version: 2.4.0
 description: 'SAML toolkit for Ruby programs to integrate with CIAM Milano '
 email: fabiano.pavan@soluzionipa.it
 executables: []
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit CIAM