RubyGems - ciam-es - Versions diffs - 0.0.2 → 0.0.7 - Mend

ciam-es 0.0.2 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/ciam-es.gemspec +1 -1
data/lib/ciam/ruby-saml/authrequest.rb +12 -12
data/lib/ciam/ruby-saml/logout_request.rb +76 -55
data/lib/ciam/ruby-saml/logout_response.rb +44 -26
data/lib/ciam/ruby-saml/metadata.rb +2 -51
data/lib/ciam/ruby-saml/response.rb +6 -7
data/lib/ciam/ruby-saml/settings.rb +1 -1
data/lib/ciam/ruby-saml/version.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb8518dd8770087934f1e2c2a660933024bc95cefb2e0236f1d6a6d9978ec261
-  data.tar.gz: d079efe7ad4bfd58517037d553bd16f206db66c0e4a4ea56d6adeeda62380ac5
+  metadata.gz: e1ce973bd3d499cd24750bfc8fbaec35056734fd284a1c2e2cc5e5ad4e97298e
+  data.tar.gz: 4d0ec7b507ccbd00422bd868460efeefb358de04ab4b92bb185591b7922bb2c4
 SHA512:
-  metadata.gz: 4f6c22bf83eeb57247d65cc83a974ce4b759a850cb18d919e4c6053d450e2ed6cde1dd7178cb5122f81171dcfaa7a50d92fbe403b7eaffe8546238065bf2bdb5
-  data.tar.gz: 8f76ca315b71604b04432a619b7c835e222a555335775b80445b4e706eda498d0f22eff938b2708935a4fd82f47e7b277fa01e007f1c92eb32c5075d1e2a9b2e
+  metadata.gz: 426e3b6ea6bac67c4f25f0ad0636519e8d24f93d5ac87f457ccf7e6a08c7f81d157ece5aa2be393c516c3b9e310edabbe10e8a278b55f68acf65df3295ba7bd8
+  data.tar.gz: 98c23881eb82db9f2c790d91347ba2c38e249b9c689dc44db07e1ce166f7db495cde8d4c73dc0d4d13e0ab2647dcf7c46981194de8a7f726371463df486f4d4c

data/ciam-es.gemspec CHANGED

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 Gem::Specification.new do |s|
   s.name = 'ciam-es'
-  s.version = '0.0.2'
+  s.version = '0.0.7'
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Fabiano Pavan"]

data/lib/ciam/ruby-saml/authrequest.rb CHANGED

@@ -29,7 +29,7 @@ module Ciam::Saml
       # Create AuthnRequest root element using REXML
       request_doc = Ciam::XMLSecurityNew::Document.new
       request_doc.context[:attribute_quote] = :quote
-      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol",
+      root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
                                                               "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion"
                                                              }
       root.attributes['ID'] = uuid
@@ -72,7 +72,7 @@ module Ciam::Saml
       if @settings.name_identifier_format != nil
-        root.add_element "saml2p:NameIDPolicy", {
+        root.add_element "samlp:NameIDPolicy", {
             # Might want to make AllowCreate a setting?
             #{}"AllowCreate"     => "true",
             "Format"          => @settings.name_identifier_format[0]
@@ -83,8 +83,8 @@ module Ciam::Saml
       # match required for authentication to succeed.  If this is not defined,
       # the IdP will choose default rules for authentication.  (Shibboleth IdP)
       if @settings.authn_context != nil
-        requested_context = root.add_element "saml2p:RequestedAuthnContext", {
-          "Comparison" => "minimum"
+        requested_context = root.add_element "samlp:RequestedAuthnContext", {
+          "Comparison" => "exact"
         }
         context_class = []
         @settings.authn_context.each_with_index{ |context, index|
@@ -95,12 +95,12 @@ module Ciam::Saml
       end
       if @settings.requester_identificator != nil
-        requester_identificator = root.add_element "saml2p:Scoping", {
+        requester_identificator = root.add_element "samlp:Scoping", {
           "ProxyCount" => "0"
         }
         identificators = []
         @settings.requester_identificator.each_with_index{ |requester, index|
-          identificators[index] = requester_identificator.add_element "saml2p:RequesterID"
+          identificators[index] = requester_identificator.add_element "samlp:RequesterID"
           identificators[index].text = requester
         }
@@ -109,12 +109,12 @@ module Ciam::Saml
       request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
       #LA FIRMA VA MESSA SOLO NEL CASO CON HTTP POST
-      # cert = @settings.get_sp_cert
-      #   # embed signature
-      #   if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
-      #     private_key = @settings.get_sp_key
-      #     request_doc.sign_document(private_key, cert)
-      #   end
+      cert = @settings.get_cert(@settings.sp_cert)
+      # embed signature
+      if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+        private_key = @settings.get_sp_key
+        request_doc.sign_document(private_key, cert)
+      end
       # stampo come stringa semplice i metadata per non avere problemi con validazione firma
       #ret = request_doc.to_s

data/lib/ciam/ruby-saml/logout_request.rb CHANGED

@@ -37,85 +37,106 @@ module Ciam::Saml
       opt = { :name_id => nil, :session_index => nil, :extra_parameters => nil  }.merge(options)
       return nil unless opt[:name_id]
-      @request = REXML::Document.new
-      @request.context[:attribute_quote] = :quote
+      request_doc = Ciam::XMLSecurityNew::Document.new
+      request_doc.context[:attribute_quote] = :quote
-      root = @request.add_element "saml2p:LogoutRequest", { "xmlns:saml2p" => PROTOCOL }
+      root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => PROTOCOL, "xmlns:saml" => ASSERTION }
       root.attributes['ID'] = @transaction_id
       root.attributes['IssueInstant'] = @issue_instant
       root.attributes['Version'] = "2.0"
       root.attributes['Destination'] = @settings.single_logout_destination
-      issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => ASSERTION  }
-      issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
-      #issuer.text = @settings.issuer
-      #per la federazione trentina qui ci vanno i metadati...
-      issuer.text = @settings.idp_metadata
+      issuer = root.add_element "saml:Issuer"#, { "xmlns:saml2" => ASSERTION  }
+      #issuer.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+      issuer.text = @settings.issuer
-      name_id = root.add_element "saml2:NameID", { "xmlns:saml2" => ASSERTION }
+      name_id = root.add_element "saml:NameID"#, { "xmlns:saml2" => ASSERTION }
       name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       name_id.attributes['NameQualifier'] = @settings.idp_name_qualifier
       name_id.text = opt[:name_id]
       # I believe the rest of these are optional
-      if @settings && @settings.sp_name_qualifier
-        name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
-      end
+      # if @settings && @settings.sp_name_qualifier
+      #   name_id.attributes["SPNameQualifier"] = @settings.sp_name_qualifier
+      # end
       if opt[:session_index]
-        session_index = root.add_element "saml2p:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
+        session_index = root.add_element "samlp:SessionIndex" #, { "xmlns:samlp" => PROTOCOL }
         session_index.text = opt[:session_index]
       end
-      Logging.debug "Created LogoutRequest: #{@request}"
-      meta = Metadata.new(@settings)
-      return meta.create_slo_request( to_s, opt[:extra_parameters] )
+      request_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      #sign logout_request
+      cert = @settings.get_cert(@settings.sp_cert)
+      # embed signature
+      if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+        private_key = @settings.get_sp_key
+        request_doc.sign_document(private_key, cert)
+      end
+      puts "Created LogoutRequest: #{request_doc}"
+      #Logout per binding redirect
+      # meta = Metadata.new(@settings)
+      # slo_req = meta.create_slo_request( request_doc.to_s, opt[:extra_parameters] )
+      return request_doc.to_s
       #action, content =  binding_select("SingleLogoutService")
       #Logging.debug "action: #{action} content: #{content}"
       #return [action, content]
-     end
+    end
-  # function to return the created request as an XML document
+    # function to return the created request as an XML document
     def to_xml
-    text = ""
-    @request.write(text, 1)
-      return text
+        text = ""
+        @request.write(text, 1)
+        return text
+    end
+    def to_s
+        @request.to_s
     end
-   def to_s
-     @request.to_s
-   end
     # Functions for pulling values out from an IdP initiated LogoutRequest
-  def name_id
-    element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", {
-        "p" => PROTOCOL, "a" => ASSERTION } )
-    return nil if element.nil?
-    # Can't seem to get this to work right...
-    #element.context[:compress_whitespace] = ["NameID"]
-    #element.context[:compress_whitespace] = :all
-    str = element.text.gsub(/^\s+/, "")
-    str.gsub!(/\s+$/, "")
-    return str
-  end
+    def name_id
+      element = REXML::XPath.first(@request, "/p:LogoutRequest/a:NameID", {
+          "p" => PROTOCOL, "a" => ASSERTION } )
+      return nil if element.nil?
+      # Can't seem to get this to work right...
+      #element.context[:compress_whitespace] = ["NameID"]
+      #element.context[:compress_whitespace] = :all
+      str = element.text.gsub(/^\s+/, "")
+      str.gsub!(/\s+$/, "")
+      return str
+    end
-  def transaction_id
-    return @transaction_id if @transaction_id
-    element = REXML::XPath.first(@request, "/p:LogoutRequest", {
-        "p" => PROTOCOL} )
-    return nil if element.nil?
-    return element.attributes["ID"]
-  end
-  def is_valid?
-    validate(soft = true)
-  end
+    def transaction_id
+      return @transaction_id if @transaction_id
+      element = REXML::XPath.first(@request, "/p:LogoutRequest", {
+          "p" => PROTOCOL} )
+      return nil if element.nil?
+      return element.attributes["ID"]
+    end
+    def is_valid?
+      validate(soft = true)
+    end
-  def validate!
-    validate( soft = false )
-  end
-  def validate( soft = true )
-    return false if @request.nil?
-      return false if @request.validate(@settings, soft) == false
-    return true
-  end
+    def validate!
+      validate( soft = false )
+    end
+    def validate( soft = true )
+      return false if @request.nil?
+        return false if @request.validate(@settings, soft) == false
+      return true
+    end
     private
     def self.timestamp

data/lib/ciam/ruby-saml/logout_response.rb CHANGED

@@ -5,13 +5,15 @@ require "rexml/document"
 module Ciam
   module Saml
     class LogoutResponse
-      include Coding
-		include Request
+        include Coding
+		include Response
 		ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
 		PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
 		DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-      def initialize( options = { } )
+		attr_accessor :settings
+		def initialize( options = { } )
 			opt = { :response => nil, :settings => nil }.merge(options)
 			# We've recieved a LogoutResponse from the IdP
 			if opt[:response]
@@ -32,7 +34,7 @@ module Ciam
 			if opt[:settings]
 				@settings = opt[:settings]
 			end
-      end
+		end
 		# Create a LogoutResponse to to the IdP's LogoutRequest
 		#  (For IdP initiated SLO)
@@ -42,11 +44,12 @@ module Ciam
 				:status => "urn:oasis:names:tc:SAML:2.0:status:Success",
 				:extra_parameters => nil }.merge(options)
 			return nil if opt[:transaction_id].nil?
-			@response = REXML::Document.new
-			@response.context[:attribute_quote] = :quote
+			response_doc = Ciam::XMLSecurityNew::Document.new
+			response_doc.context[:attribute_quote] = :quote
 			uuid = "_" + UUID.new.generate
 			time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
-			root = @response.add_element "saml2p:LogoutResponse", { "xmlns:saml2p" => PROTOCOL }
+			root = response_doc.add_element "saml2p:LogoutResponse", { "xmlns:saml2p" => PROTOCOL }
 			root.attributes['ID'] = uuid
 			root.attributes['IssueInstant'] = time
 			root.attributes['Version'] = "2.0"
@@ -68,44 +71,56 @@ module Ciam
 				}
 				issuer.text = @settings.issuer
 			end
-			meta = Metadata.new( @settings )
-			Logging.debug "Created LogoutResponse:\n#{@response}"
-			return meta.create_slo_response( to_s, opt[:extra_parameters] )
+			response_doc << REXML::XMLDecl.new("1.0", "UTF-8")
+      		#sign logout_response
+      		cert = @settings.get_cert(@settings.sp_cert)
+			# embed signature
+			if @settings.metadata_signed && @settings.sp_private_key && @settings.sp_cert
+				private_key = @settings.get_sp_key
+				response_doc.sign_document(private_key, cert)
+			  end
-			#root.attributes['Destination'] = action
+			Logging.debug "Created LogoutResponse:\n #{response_doc}"
+			return request_doc.to_s
 		end
 		# function to return the created request as an XML document
 		def to_xml
 			text = ""
 			@response.write(text, 1)
 			return text
 		end
 		def to_s
 			@response.to_s
 		end
-      def issuer
-			element = REXML::XPath.first(@response, "/p:LogoutResponse/a:Issuer", {
-						"p" => PROTOCOL, "a" => ASSERTION} )
-			return nil if element.nil?
-			element.text
-      end
+		def issuer
+				element = REXML::XPath.first(@response, "/p:LogoutResponse/a:Issuer", {
+							"p" => PROTOCOL, "a" => ASSERTION} )
+				return nil if element.nil?
+				element.text
+		end
-      def in_response_to
+		def in_response_to
 			element = REXML::XPath.first(@response, "/p:LogoutResponse", {
 					 "p" => PROTOCOL })
 			return nil if element.nil?
-        element.attributes["InResponseTo"]
-      end
+        	element.attributes["InResponseTo"]
+      	end
-      def success?
+      	def success?
 			element = REXML::XPath.first(@response, "/p:LogoutResponse/p:Status/p:StatusCode", {
 					"p" => PROTOCOL })
 			return false if element.nil?
-        element.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
-      end
+			element.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+		end
 		def is_valid?
 			validate(soft = true)
 		end
@@ -113,6 +128,7 @@ module Ciam
 		def validate!
 			validate( soft = false )
 		end
 		def validate( soft = true )
 			return false if @response.nil?
 			# Skip validation with a failed response if we don't have settings
@@ -123,10 +139,12 @@ module Ciam
 		end
-    protected
+	protected
       def document
         REXML::Document.new(@response)
       end
-    end
+	end
   end
 end

data/lib/ciam/ruby-saml/metadata.rb CHANGED

@@ -30,18 +30,10 @@ module Ciam
       def generate(settings)
         #meta_doc = REXML::Document.new
         meta_doc = Ciam::XMLSecurityNew::Document.new
-        if settings.aggregato
-          root = meta_doc.add_element "md:EntityDescriptor", {
-            "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
-            "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace",
-            "xmlns:ciam"        => "https://ciam.gov.it/saml-extensions",
-          }
-        else
-          root = meta_doc.add_element "md:EntityDescriptor", {
+        root = meta_doc.add_element "md:EntityDescriptor", {
             "xmlns:md"        => "urn:oasis:names:tc:SAML:2.0:metadata",
             "xmlns:xml"       => "http://www.w3.org/XML/1998/namespace"
           }
-        end
         if settings.issuer != nil
           root.attributes["entityID"] = settings.issuer
@@ -223,53 +215,12 @@ module Ciam
             "xml:lang" => "it"
         }
-        org_display_name.text = settings.organization['org_display_name']+(settings.aggregato ? " tramite #{settings.hash_aggregatore['soggetto_aggregatore']}" : '')
+        org_display_name.text = settings.organization['org_display_name']
         org_url = organization.add_element "md:OrganizationURL", {
             "xml:lang" => "it"
         }
         org_url.text = settings.organization['org_url']
-        #ContactPerson per sp aggregato
-        if settings.aggregato
-          contact_person_aggregatore = root.add_element "md:ContactPerson", {
-            "contactType" => "other",
-            "ciam:entityType" => "ciam:aggregator"
-          }
-          company = contact_person_aggregatore.add_element "md:Company"
-          company.text = settings.hash_aggregatore['soggetto_aggregatore']
-          extensions_aggregatore = contact_person_aggregatore.add_element "md:Extensions"
-          vat_number_aggregatore = extensions_aggregatore.add_element "ciam:VATNumber"
-          vat_number_aggregatore.text = settings.hash_aggregatore['piva_aggregatore']
-          ipa_code_aggregatore = extensions_aggregatore.add_element "ciam:IPACode"
-          ipa_code_aggregatore.text = settings.hash_aggregatore['cipa_aggregatore']
-          fiscal_code_aggregatore = extensions_aggregatore.add_element "ciam:FiscalCode"
-          fiscal_code_aggregatore.text = settings.hash_aggregatore['cf_aggregatore']
-          contact_person_aggregato = root.add_element "md:ContactPerson", {
-            "contactType" => "other",
-            "ciam:entityType" => "ciam:aggregated"
-          }
-          company = contact_person_aggregato.add_element "md:Company"
-          company.text = settings.organization['org_name']
-          extensions_aggregato = contact_person_aggregato.add_element "md:Extensions"
-          unless settings.hash_aggregatore['soggetto_aggregato']['vat_number'].blank?
-            vat_number_aggregato = extensions_aggregato.add_element "ciam:VATNumber"
-            vat_number_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['vat_number']
-          end
-          unless settings.hash_aggregatore['soggetto_aggregato']['ipa_code'].blank?
-            ipa_code_aggregato = extensions_aggregato.add_element "ciam:IPACode"
-            ipa_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['ipa_code']
-          end
-          unless settings.hash_aggregatore['soggetto_aggregato']['fiscal_code'].blank?
-            fiscal_code_aggregato = extensions_aggregato.add_element "ciam:FiscalCode"
-            fiscal_code_aggregato.text = settings.hash_aggregatore['soggetto_aggregato']['fiscal_code']
-          end
-        end
         #meta_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
         meta_doc << REXML::XMLDecl.new("1.0", "UTF-8")

data/lib/ciam/ruby-saml/response.rb CHANGED

@@ -98,8 +98,13 @@ module Ciam
             parse_time(node, "SessionNotOnOrAfter")
           end
         end
+        def session_index
+          @session_index ||= begin
+            node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+            node.attributes["SessionIndex"] unless node.blank?
+          end
+        end
         # Checks the status of the response for a "Success" code
         def success?
@@ -166,12 +171,6 @@ module Ciam
             }
-            issuer_assertion_nodes.each{ |iss|
-              #controllo: L'attributo Format di Issuer deve essere presente con il valore urn:oasis:names:tc:SAML:2.0:nameid-format:entity
-              return (soft ? false : validation_error("Elemento Issuer non ha formato corretto ")) if iss.attributes['Format'] != 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
-            }
             nodes = issuer_response_nodes + issuer_assertion_nodes
             nodes.map { |node| Utils.element_text(node) }.compact.uniq

data/lib/ciam/ruby-saml/settings.rb CHANGED

@@ -10,7 +10,7 @@ module Ciam
       attr_accessor :name_identifier_value, :name_identifier_format
       attr_accessor :sessionindex, :issuer, :destination_service_url, :authn_context, :requester_identificator
       attr_accessor :single_logout_service_url, :single_logout_service_binding, :single_logout_destination
-      attr_accessor :skip_validation, :aggregato, :hash_aggregatore
+      attr_accessor :skip_validation
       def initialize(config = {})
         config.each do |k,v|

data/lib/ciam/ruby-saml/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Ciam
   module Saml
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ciam-es
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.7
 platform: ruby
 authors:
 - Fabiano Pavan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-31 00:00:00.000000000 Z
+date: 2020-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix
@@ -138,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
 summary: SAML Ruby Tookit CIAM