fake_idp 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b50b9e2c4cd4e172edc611187bd17f3dac879078abe55d58eb8e6ecab18c9dba
+  data.tar.gz: 2339286b95f50fa05dc64cb3dcb2c49b2ee95927c79562a3b8484b95eb1a7ee1
+SHA512:
+  metadata.gz: c3956511324619f761439951aa85bd40e0e107bf1b72047a1b9f03b7aa651c3040a7aa277e384e4349cd4908e7b7445b08bdf1e134d7704f78ba78a19d487714
+  data.tar.gz: 2b79b09ada2b3fca8c27e4c5dd1f3a35a303ff40bc30d37e740242a08f154282a1d1f8877daa74251035c456eb9a9b7ad5f4af03b5cc9d6014c5954893bacb41

data/.env.example

@@ -0,0 +1,7 @@
+SSO_UID=123456
+CALLBACK_URL="http://localhost.dev:3000/auth/saml/devidp/callback"
+USERNAME=bobthessouser
+FIRST_NAME=Bob
+LAST_NAME=TheSsoUser
+EMAIL=bobthessouser@example.com
+NAME_ID=bobthessouser@example.com

data/.gitignore

@@ -0,0 +1,2 @@
+.idea
+.env

data/.ruby-version

@@ -0,0 +1 @@
+2.6.5

data/.travis.yml

@@ -0,0 +1,19 @@
+language: ruby
+cache: bundler
+rvm:
+  - 2.7
+  - 2.6
+  - 2.5
+  - 2.4
+  - truffleruby
+  - jruby
+sudo: false
+gemfile: Gemfile
+script: bundle exec rspec spec
+before_install:
+  - gem update --system 3.1.2 --no-document
+  - gem install bundler -v 2.1.2 --no-document
+jobs:
+  allow_failures:
+    - rvm: truffleruby
+    - rvm: jruby

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+git_source(:github) do |repo_name|
+  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
+  "https://github.com/#{repo_name}.git"
+end
+
+# overrides gem source in gemspec
+# needed to enable attributes statement in SAMLRequest
+gem 'ruby-saml-idp', github: 'lawrencepit/ruby-saml-idp'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,102 @@
+GIT
+  remote: https://github.com/lawrencepit/ruby-saml-idp.git
+  revision: ae53d76af08711affaeb182e7a877676ab554818
+  specs:
+    ruby-saml-idp (0.3.2)
+      uuid
+
+PATH
+  remote: .
+  specs:
+    fake_idp (1.0.0)
+      activesupport (~> 5.2.4.3)
+      builder (>= 3.2.2)
+      nokogiri (>= 1.10.5)
+      ruby-saml (~> 1.11.0)
+      ruby-saml-idp
+      sinatra (~> 2.0.0)
+      xmlenc (>= 0.7.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (5.2.4.3)
+      activesupport (= 5.2.4.3)
+    activesupport (5.2.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    builder (3.2.4)
+    coderay (1.1.2)
+    concurrent-ruby (1.1.7)
+    diff-lcs (1.4.2)
+    dotenv (1.0.2)
+    i18n (1.8.5)
+      concurrent-ruby (~> 1.0)
+    macaddr (1.7.1)
+      systemu (~> 2.6.2)
+    method_source (0.9.2)
+    mini_portile2 (2.4.0)
+    minitest (5.14.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    nokogiri (1.10.10)
+      mini_portile2 (~> 2.4.0)
+    pry (0.12.2)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    rack (2.2.3)
+    rack-protection (2.0.8.1)
+      rack
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    ruby-saml (1.11.0)
+      nokogiri (>= 1.5.10)
+    ruby2_keywords (0.0.2)
+    sinatra (2.0.8.1)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.8.1)
+      tilt (~> 2.0)
+    systemu (2.6.5)
+    thread_safe (0.3.6)
+    tilt (2.0.10)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    uuid (2.3.8)
+      macaddr (~> 1.0)
+    xmlenc (0.7.1)
+      activemodel (>= 3.0.0)
+      activesupport (>= 3.0.0)
+      nokogiri (>= 1.6.0, < 2.0.0)
+      xmlmapper (>= 0.7.3)
+    xmlmapper (0.7.3)
+      nokogiri (~> 1.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2)
+  dotenv (~> 1.0)
+  fake_idp!
+  pry (~> 0.12.2)
+  rake (~> 13.0)
+  rspec (~> 3.9.0)
+  ruby-saml-idp!
+
+BUNDLED WITH
+   2.1.4

data/README.md

@@ -0,0 +1,128 @@
+# Fake IdP
+
+[![Build Status](https://travis-ci.com/healthify/fake_idp.svg?branch=master)](https://travis-ci.com/healthify/fake_idp)
+
+## About
+
+This is an open source Ruby gem intended for developers needing to spin up a fake Identity Provider (IdP) for testing SAML authentication flows. It's made by the [Healthify](http://healthify.us) team. It's _not_ for setting up an IdP within Healthify—to do that, you'll need to reach out to integrations@healthify.us.
+
+## Installation
+
+Clone the repo and `cd` into the project directory.
+
+```sh
+bin/setup
+```
+
+## Running in Development
+
+To run locally, you first need to set up the following environment variables:
+
+|Variables|Description|
+|---|---|
+|CALLBACK_URL|The URL of the Healthify app to POST to for SAML authentication - required|
+|NAME_ID|Name_id of the user you want to log in as - may be nil/blank|
+|SSO_UID|Unique id of the user you want to log in as - may be nil/blank|
+|USERNAME|Username of the user you want to log in as - may be nil/blank|
+|ENCRYPTION_ENABLED| Set to 'true' to indicate that the generated assertion should be encrypted. Defaults to false|
+
+The `.env.example` file has examples of what these env variables could look like.
+You can copy that over to your own `.env` file to set these environment variables:
+
+    cp .env.example .env
+
+Next, to start the server, you can run:
+
+```sh
+bin/server
+```
+
+Then navigate to `http://localhost:9292/saml/auth` to begin making your SAML requests.
+
+## Running in Test
+
+### Gemfile
+
+If you are using this gem to provide a Fake IDP server in a test suite, add the gem to the Gemfile:
+
+```ruby
+gem 'fake_idp', github: 'healthify/fake_idp'
+```
+
+### Configuration
+
+You can set the relevant variables in a configuration block if they aren't provided as environment variables. For example:
+
+```ruby
+FakeIdp.configure do |config|
+  config.callback_url = 'http://localhost.dev:3000/auth/saml/devidp/callback'
+  config.sso_uid = '12345'
+  config.name_id = 'user@example.com'
+  config.username = nil
+  config.certificate = "YOUR CERT HERE"
+  config.idp_certificate = "YOUR IDP CERT HERE"
+  config.idp_secret_key = "YOUR IDP SECRET KEY HERE"
+  config.algorithm = :sha512
+  config.additional_attributes = { custom_saml_attr: "DELIVERED_IN_ASSERTION" }
+end
+```
+
+#### Resetting Configuration
+
+If you ever want to reset your FakeIdp configuration (e.g. between test specs), you can use the following:
+
+```ruby
+FakeIdp.reset!
+```
+
+### Use
+
+You can use Capybara Discoball to spin `FakeIdp::Application` up in a test:
+
+```ruby
+require 'fake_idp'
+
+before(:each) do
+  FakeIdp.configure do |config|
+    config.callback_url = callback_url
+    config.sso_uid = sso_uid
+    config.name_id = name_id
+  end
+end
+
+it 'logs the sso user in' do
+  Capybara::Discoball.spin(FakeIdp::Application) do |fake_idp_server|
+    # ...
+  end
+end
+```
+
+### Generating a SAML Response
+
+The gem provides a `SamlResponse` class used to generate a custom signed XML SAML response with an assertion that can be encrypted by setting `encryption_enabled` to `true`.
+
+**Usage**
+
+```ruby
+# Instantiate with your IDP settings, user attributes and service provider details
+saml_response = FakeIdp::SamlResponse.new(
+  saml_acs_url: "http://localhost.dev:3000/auth/saml/devidp/callback",
+  saml_request_id: "_#{SecureRandom.uuid}",
+  name_id: "bob_builder@gmail.com",
+  issuer_uri: "http://publichost.dev:3000",
+  algorithm_name: :sha256,
+  certificate: "YOUR IDP CERTIFICATE HERE",
+  secret_key: "YOUR IDP SECRET KEY HERE",
+  encryption_enabled: false,
+  user_attributes: {
+    uuid: "12345",
+    username: "bob_builder",
+    first_name: "Bob",
+    last_name: "The Builder",
+    email: "bob_builder@gmail.com",
+  },
+)
+
+# Returns a signed XML SAML response document
+saml_response.build
+```

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "fake_idp"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/server

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -vx
+
+bundle exec rackup

data/bin/setup

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+cp .env.example .env
+
+# Do any other automated setup that you need to do here

data/config.ru

@@ -0,0 +1,6 @@
+$LOAD_PATH << File.expand_path("../lib", __FILE__)
+require "fake_idp"
+require 'dotenv'
+
+Dotenv.load
+run FakeIdp::Application

data/fake_idp.gemspec

@@ -0,0 +1,39 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'fake_idp/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "fake_idp"
+  spec.version       = FakeIdp::VERSION
+  spec.authors       = [
+    "Shelby Switzer",
+    "Tyler Willingham",
+    "Robyn-Dale Samuda",
+    "Chet Bortz",
+  ]
+  spec.email         = ["engineering@healthify.us"]
+
+  spec.summary       = 'Fake IDP to test SAML authentication'
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "nokogiri", ">= 1.10.5"
+  spec.add_dependency "builder", ">= 3.2.2"
+  spec.add_dependency "activesupport", "~> 5.2.4.3"
+  spec.add_dependency "xmlenc", ">= 0.7.1"
+
+  spec.add_development_dependency "bundler", "~> 2"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.9.0"
+  spec.add_development_dependency "dotenv", "~> 1.0"
+  spec.add_development_dependency "pry", "~> 0.12.2"
+
+  spec.add_runtime_dependency "sinatra", "~> 2.0.0"
+  spec.add_runtime_dependency "ruby-saml-idp"
+  spec.add_runtime_dependency "ruby-saml", "~> 1.11.0"
+end

data/lib/fake_idp.rb

@@ -0,0 +1,24 @@
+require 'sinatra/base'
+require 'ruby-saml-idp'
+require 'zlib'
+require 'tilt/erb'
+require 'fake_idp/configuration'
+require 'fake_idp/application'
+
+module FakeIdp
+  class << self
+    attr_writer :configuration
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configure
+    yield(configuration)
+  end
+
+  def self.reset!
+    @configuration = nil
+  end
+end

data/lib/fake_idp/application.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative "./saml_response"
+require "ruby-saml"
+
+module FakeIdp
+  class Application < Sinatra::Base
+    include SamlIdp::Controller
+
+    get "/saml/auth" do
+      begin
+        decode_SAMLRequest(generate_saml_request)
+        @saml_response = Base64.encode64(build_xml_saml_response).delete("\r\n")
+
+        erb :auth
+      rescue => e
+        puts e
+      end
+    end
+
+    private
+
+    def configuration
+      FakeIdp.configuration
+    end
+
+    def build_xml_saml_response
+      FakeIdp::SamlResponse.new(
+        name_id: configuration.name_id,
+        issuer_uri: configuration.issuer,
+        saml_acs_url: @saml_acs_url, # Defined in #decode_SAMLRequest in ruby-saml-idp gem
+        saml_request_id: @saml_request_id, # Defined in #decode_SAMLRequest in ruby-saml-idp gem
+        user_attributes: user_attributes,
+        algorithm_name: configuration.algorithm,
+        certificate: configuration.idp_certificate,
+        secret_key: configuration.idp_secret_key,
+        encryption_enabled: configuration.encryption_enabled,
+      ).build
+    end
+
+    def user_attributes
+      {
+        uuid: configuration.sso_uid,
+        username: configuration.username,
+        first_name: configuration.first_name,
+        last_name: configuration.last_name,
+        email: configuration.email,
+      }.merge(configuration.additional_attributes)
+    end
+
+    # An AuthRequest is required by the ruby-saml-idp gem to begin the process of returning
+    # a SAMLResponse. We will likely remove the ruby-saml-idp dependency in a future update
+    def generate_saml_request
+      auth_request = OneLogin::RubySaml::Authrequest.new
+      auth_url = auth_request.create(saml_settings)
+      CGI.unescape(auth_url.split("=").last)
+    end
+
+    def saml_settings
+      OneLogin::RubySaml::Settings.new.tap do |setting|
+        setting.assertion_consumer_service_url = configuration.callback_url
+        setting.issuer = configuration.issuer
+        setting.idp_sso_target_url = configuration.idp_sso_target_url
+        setting.name_identifier_format = FakeIdp::SamlResponse::EMAIL_ADDRESS_FORMAT
+      end
+    end
+  end
+end

data/lib/fake_idp/configuration.rb

@@ -0,0 +1,65 @@
+module FakeIdp
+  class Configuration
+    attr_accessor(
+      :callback_url,
+      :sso_uid,
+      :username,
+      :first_name,
+      :last_name,
+      :email,
+      :name_id,
+      :certificate,
+      :idp_certificate,
+      :idp_secret_key,
+      :idp_sso_target_url,
+      :issuer,
+      :algorithm,
+      :additional_attributes,
+      :encryption_enabled,
+    )
+
+    def initialize
+      @callback_url = ENV['CALLBACK_URL']
+      @sso_uid = ENV['SSO_UID']
+      @username = ENV['USERNAME']
+      @first_name = ENV['FIRST_NAME']
+      @last_name = ENV['LAST_NAME']
+      @email = ENV['EMAIL']
+      @name_id = ENV['NAME_ID']
+      @certificate = default_certificate
+      @idp_certificate = default_idp_certificate
+      @idp_secret_key = default_idp_secret_key
+      @idp_sso_target_url = idp_sso_target_url
+      @issuer = issuer
+      @algorithm = default_algorithm
+      @additional_attributes = {}
+      @encryption_enabled = default_encryption
+    end
+
+    private
+
+    def default_certificate
+      ENV["CERTIFICATE"] ||
+        SamlIdp::Default::X509_CERTIFICATE
+    end
+
+    def default_idp_certificate
+      ENV["IDP_CERTIFICATE"] ||
+        SamlIdp::Default::X509_CERTIFICATE
+    end
+
+    def default_idp_secret_key
+      ENV["IDP_SECRET_KEY"] ||
+        SamlIdp::Default::SECRET_KEY
+    end
+
+    def default_algorithm
+      ENV["ALGORITHM"]&.to_sym ||
+        :sha1
+    end
+
+    def default_encryption
+      ENV["ENCRYPTION_ENABLED"] == "true"
+    end
+  end
+end

data/lib/fake_idp/encryptor.rb

@@ -0,0 +1,90 @@
+require "xmlenc"
+require "builder"
+
+module FakeIdp
+  class Encryptor
+    ENCRYPTION_STRATEGY = "aes256-cbc".freeze
+    KEY_TRANSPORT = "rsa-oaep-mgf1p".freeze
+
+    attr_reader :raw_xml, :certificate, :encryption_key
+
+    def initialize(raw_xml, certificate)
+      @raw_xml = raw_xml
+      @certificate = certificate
+    end
+
+    # Encryption approach borrowed from
+    # https://github.com/saml-idp/saml_idp/blob/master/lib/saml_idp/encryptor.rb
+    def encrypt
+      encryption_template = Nokogiri::XML::Document.parse(build_encryption_template).root
+      encrypted_data = Xmlenc::EncryptedData.new(encryption_template)
+      @encryption_key = encrypted_data.encrypt(raw_xml)
+      encrypted_key_node = encrypted_data.node.at_xpath(
+        "//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey",
+        Xmlenc::NAMESPACES,
+      )
+      encrypted_key = Xmlenc::EncryptedKey.new(encrypted_key_node)
+      encrypted_key.encrypt(openssl_cert.public_key, encryption_key)
+
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedAssertion(xmlns: "urn:oasis:names:tc:SAML:2.0:assertion") do |enc_assert|
+        enc_assert << encrypted_data.node.to_s
+      end
+    end
+
+    private
+
+    def openssl_cert
+      @_openssl_cert ||= if certificate.is_a?(String)
+                           OpenSSL::X509::Certificate.new(certificate)
+                         else
+                           certificate
+                         end
+    end
+
+    def encryption_strategy_ns
+      "http://www.w3.org/2001/04/xmlenc##{ENCRYPTION_STRATEGY}"
+    end
+
+    def key_transport_ns
+      "http://www.w3.org/2001/04/xmlenc##{KEY_TRANSPORT}"
+    end
+
+    def build_encryption_template
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedData(
+        Id: "ED",
+        Type: "http://www.w3.org/2001/04/xmlenc#Element",
+        xmlns: "http://www.w3.org/2001/04/xmlenc#",
+      ) do |enc_data|
+        enc_data.EncryptionMethod(Algorithm: encryption_strategy_ns)
+        enc_data.tag!("ds:KeyInfo", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#") do |key_info|
+          key_info.EncryptedKey(Id: "EK", xmlns: "http://www.w3.org/2001/04/xmlenc#") do |enc_key|
+            enc_key.EncryptionMethod(Algorithm: key_transport_ns)
+            enc_key.tag!("ds:KeyInfo", "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#") do |key_info_child|
+              key_info_child.tag!("ds:KeyName")
+              key_info_child.tag!("ds:X509Data") do |x509_data|
+                x509_data.tag!("ds:X509Certificate") do |x509_cert|
+                  x509_cert << certificate.to_s.gsub(/-+(BEGIN|END) CERTIFICATE-+/, "")
+                end
+              end
+            end
+
+            enc_key.CipherData(&:CipherValue)
+            enc_key.ReferenceList { |ref_list| ref_list.DataReference(URI: "#ED") }
+          end
+        end
+
+        enc_data.CipherData(&:CipherValue)
+      end
+    end
+
+    def encrypted_data_namespace
+      {
+        Id: "ED",
+        Type: "http://www.w3.org/2001/04/xmlenc#Element",
+        xmlns: "http://www.w3.org/2001/04/xmlenc#",
+      }
+    end
+  end
+end

data/lib/fake_idp/saml_response.rb

@@ -0,0 +1,280 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "nokogiri"
+require "openssl"
+require_relative "./encryptor"
+
+module FakeIdp
+  class SamlResponse
+    DSIG = "http://www.w3.org/2000/09/xmldsig#"
+    SAML_VERSION = "2.0"
+    ASSERTION_NAMESPACE = "urn:oasis:names:tc:SAML:2.0:assertion"
+    ENTITY_FORMAT = "urn:oasis:names:SAML:2.0:nameid-format:entity"
+    BEARER_FORMAT = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+    ENVELOPE_SCHEMA = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+    STATUS_CODE_VALUE = "urn:oasis:names:tc:SAML:2.0:status:Success"
+    FEDERATION_SOURCE = "urn:federation:authentication:windows"
+    EMAIL_ADDRESS_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    # For the time being we're only supporting a single canonical schema since
+    # supporting multiple is inconsequential for our immediate need.
+    CANONICAL_VALUE = 1
+    CANONICAL_SCHEMA = "http://www.w3.org/2001/10/xml-exc-c14n#"
+
+    def initialize(
+      name_id:,
+      issuer_uri:,
+      saml_acs_url:,
+      saml_request_id:,
+      user_attributes:,
+      algorithm_name:,
+      certificate:,
+      secret_key:,
+      encryption_enabled: false
+    )
+      @name_id = name_id
+      @issuer_uri = issuer_uri
+      @saml_acs_url = saml_acs_url
+      @saml_request_id = saml_request_id
+      @user_attributes = user_attributes
+      @algorithm_name = algorithm_name
+      @certificate = certificate
+      @secret_key = secret_key
+      @encryption_enabled = encryption_enabled
+      @builder = Nokogiri::XML::Builder.new
+      @timestamp = Time.now
+    end
+
+    def build
+      @builder[:samlp].Response(root_namespace_attributes) do |response|
+        build_issuer_segment(response)
+        build_status_segment(response)
+        build_assertion_segment(response)
+      end
+
+      document_with_digest = replace_digest_value(@builder.to_xml)
+      document = replace_signature_value(document_with_digest)
+      encrypt_assertion!(document)
+    end
+
+    private
+
+    def encrypt_assertion!(document)
+      return document unless @encryption_enabled
+
+      document_copy = document.dup
+      working_document = Nokogiri::XML(document)
+      assertion = working_document.at_xpath("//saml:Assertion", "saml" => ASSERTION_NAMESPACE)
+      encrypted_assertion_xml = FakeIdp::Encryptor.new(
+        assertion.to_xml,
+        @certificate,
+      ).encrypt
+
+      document_copy = Nokogiri::XML(document_copy)
+      target_assertion_node = document_copy.at_xpath(
+        "//saml:Assertion",
+        "saml" => ASSERTION_NAMESPACE,
+      )
+      # Replace Assertion node with encrypted assertion
+      target_assertion_node.replace(encrypted_assertion_xml)
+      document_copy.to_xml
+    end
+
+    def replace_digest_value(document)
+      document_copy = document.dup
+      working_document = Nokogiri::XML(document)
+
+      # The signature element needs to be removed from the assertion before creating a digest
+      signature_element = working_document.at_xpath("//ds:Signature", "ds" => DSIG)
+      signature_element.remove
+
+      assertion_without_signature = working_document.
+        at_xpath("//*[@ID=$id]", nil, "id" => assertion_reference_response_id)
+      canon_hashed_element = assertion_without_signature.canonicalize(CANONICAL_VALUE)
+
+      digest_value = Base64.encode64(algorithm.digest(canon_hashed_element)).strip
+
+      # Replace digest node with the generated value
+      document_copy = Nokogiri::XML(document_copy)
+      target_digest_node = document_copy.at_xpath("//ds:DigestValue", "ds" => DSIG)
+      target_digest_node.content = digest_value
+      document_copy
+    end
+
+    def replace_signature_value(document)
+      document_copy = document.dup
+      signature_element = document.at_xpath("//ds:Signature", "ds" => DSIG)
+
+      # The SignatureValue is a signed copy of the SignedInfo element
+      signed_info_element = signature_element.at_xpath("./ds:SignedInfo", "ds" => DSIG)
+      canon_string = signed_info_element.canonicalize(CANONICAL_VALUE)
+
+      signature_value = sign(canon_string)
+
+      target_signature_node = document_copy.at_xpath("//ds:SignatureValue", "ds" => DSIG)
+      target_signature_node.content = signature_value
+      document_copy.to_xml
+    end
+
+    def build_issuer_segment(parent_attribute)
+      parent_attribute[:saml].Issuer("xmlns:saml" => ASSERTION_NAMESPACE) do |issuer|
+        issuer << @issuer_uri
+      end
+    end
+
+    def build_status_segment(parent_attribute)
+      parent_attribute[:samlp].Status do |status|
+        status[:samlp].StatusCode("Value" => STATUS_CODE_VALUE)
+      end
+    end
+
+    def build_assertion_segment(parent_attribute)
+      parent_attribute[:saml].Assertion(assertion_namespace_attributes) do |assertion|
+        assertion[:saml].Issuer("Format" => ENTITY_FORMAT) do |issuer|
+          issuer << @issuer_uri
+        end
+
+        build_assertion_signature(assertion)
+
+        assertion[:saml].Subject do |subject|
+          subject[:saml].NameID("Format" => EMAIL_ADDRESS_FORMAT) do |name_id|
+            name_id << @name_id
+          end
+
+          subject[:saml].SubjectConfirmation("Method" => BEARER_FORMAT) do |subject_confirmation|
+            subject_confirmation[:saml].SubjectConfirmationData(subject_confirmation_data) { "" }
+          end
+        end
+
+        assertion[:saml].Conditions(saml_conditions) do |conditions|
+          conditions[:saml].AudienceRestriction do |restriction|
+            restriction[:saml].Audience { |audience| audience << @issuer_uri }
+          end
+        end
+
+        assertion[:saml].AttributeStatement do |attribute_statement|
+          @user_attributes.map do |name, value|
+            attribute_statement[:saml].Attribute("Name" => name) do |attribute|
+              attribute[:saml].AttributeValue { |attribute_value| attribute_value << value }
+            end
+          end
+        end
+
+        assertion[:saml].AuthnStatement(authn_statement) do |statement|
+          statement[:saml].AuthnContext do |authn_context|
+            authn_context[:saml].AuthnContextClassRef do |context_class_ref|
+              context_class_ref << FEDERATION_SOURCE
+            end
+          end
+        end
+      end
+    end
+
+    def build_assertion_signature(parent_attribute)
+      parent_attribute[:ds].Signature("xmlns:ds" => DSIG) do |signature|
+        signature[:ds].SignedInfo("xmlns:ds" => DSIG) do |signed_info|
+          signed_info[:ds].CanonicalizationMethod("Algorithm" => CANONICAL_SCHEMA)
+          signed_info[:ds].SignatureMethod("Algorithm" => "#{DSIG}#{@algorithm_name}")
+
+          signed_info[:ds].Reference("URI" => reference_uri) do |reference|
+            reference[:ds].Transforms do |transform|
+              transform[:ds].Transform("Algorithm" => ENVELOPE_SCHEMA)
+              transform[:ds].Transform("Algorithm" => CANONICAL_SCHEMA)
+            end
+
+            reference[:ds].DigestMethod("Algorithm" => "#{DSIG}#{@algorithm_name}")
+
+            # The digest_value is set and derived from creating a digest of the Assertion element
+            # without the signature element after the document is generated
+            reference[:ds].DigestValue("xmlns:ds" => DSIG) { |d| d << "" }
+          end
+        end
+
+        # The signature_value is set and derived from signing the SignedInfo element after the
+        # document is generated
+        signature[:ds].SignatureValue { |signature_value| signature_value << "" }
+
+        signature.KeyInfo("xmlns:ds" => DSIG) do |key_info|
+          key_info[:ds].X509Data do |x509_data|
+            x509_data[:ds].X509Certificate do |x509_certificate|
+              x509_certificate << Base64.encode64(@certificate)
+            end
+          end
+        end
+      end
+    end
+
+    def algorithm
+      raise "Algorithm name must be a Symbol" unless @algorithm_name.is_a?(Symbol)
+
+      case @algorithm_name
+      when :sha256 then OpenSSL::Digest::SHA256
+      when :sha384 then OpenSSL::Digest::SHA384
+      when :sha512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
+      end
+    end
+
+    def sign(data)
+      key = OpenSSL::PKey::RSA.new(@secret_key)
+      Base64.encode64(key.sign(algorithm.new, data)).gsub(/\n/, "")
+    end
+
+    def reference_response_id
+      @_reference_response_id ||= "_#{SecureRandom.uuid}"
+    end
+
+    def assertion_reference_response_id
+      @assertion_reference_response_id ||= "_#{SecureRandom.uuid}"
+    end
+
+    def reference_uri
+      "_#{assertion_reference_response_id}"
+    end
+
+    def root_namespace_attributes
+      {
+        "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+        "Consent" => "urn:oasis:names:tc:SAML:2.0:consent:unspecified",
+        "Destination" => @saml_acs_url,
+        "ID" => reference_response_id,
+        "InResponseTo" => @saml_request_id,
+        "IssueInstant" => @timestamp.strftime("%Y-%m-%dT%H:%M:%S"),
+        "Version" => SAML_VERSION,
+      }
+    end
+
+    def assertion_namespace_attributes
+      {
+        "xmlns:saml" => ASSERTION_NAMESPACE,
+        "ID" => assertion_reference_response_id,
+        "IssueInstant" => @timestamp.strftime("%Y-%m-%dT%H:%M:%S"),
+        "Version" => SAML_VERSION,
+      }
+    end
+
+    def subject_confirmation_data
+      {
+        "InResponseTo" => @saml_request_id,
+        "NotOnOrAfter" => (@timestamp + 3 * 60).strftime("%Y-%m-%dT%H:%M:%S"),
+        "Recipient" => @saml_acs_url,
+      }
+    end
+
+    def saml_conditions
+      {
+        "NotBefore" => (@timestamp - 5).strftime("%Y-%m-%dT%H:%M:%S"),
+        "NotOnOrAfter" => (@timestamp + 60 * 60).strftime("%Y-%m-%dT%H:%M:%S"),
+      }
+    end
+
+    def authn_statement
+      {
+        "AuthnInstant" => @timestamp.strftime("%Y-%m-%dT%H:%M:%S"),
+        "SessionIndex" => reference_response_id,
+      }
+    end
+  end
+end

data/lib/fake_idp/version.rb

@@ -0,0 +1,3 @@
+module FakeIdp
+  VERSION = "1.0.0"
+end

data/lib/fake_idp/views/auth.erb

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+</head>
+<body>
+<h1>Fake SAML SSO Authenticator</h1>
+
+<form action="<%= @saml_acs_url %>" method="post">
+  <input name="SAMLResponse" type="hidden" value="<%= @saml_response %>">
+  <input type="submit" value="Login">
+</form>
+
+<h2>Encrypted Response</h2>
+<pre><%= @saml_response.strip %></pre>
+</body>
+</html>

data/license.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Shelby Switzer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

metadata

@@ -0,0 +1,235 @@
+--- !ruby/object:Gem::Specification
+name: fake_idp
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Shelby Switzer
+- Tyler Willingham
+- Robyn-Dale Samuda
+- Chet Bortz
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2020-08-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.10.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.10.5
+- !ruby/object:Gem::Dependency
+  name: builder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.2
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.4.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.4.3
+- !ruby/object:Gem::Dependency
+  name: xmlenc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.2
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: ruby-saml-idp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.11.0
+description:
+email:
+- engineering@healthify.us
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".env.example"
+- ".gitignore"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/console
+- bin/server
+- bin/setup
+- config.ru
+- fake_idp.gemspec
+- lib/fake_idp.rb
+- lib/fake_idp/application.rb
+- lib/fake_idp/configuration.rb
+- lib/fake_idp/encryptor.rb
+- lib/fake_idp/saml_response.rb
+- lib/fake_idp/version.rb
+- lib/fake_idp/views/auth.erb
+- license.txt
+homepage:
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.6
+signing_key:
+specification_version: 4
+summary: Fake IDP to test SAML authentication
+test_files: []