google-sso 1.0.2

data/Manifest.txt

@@ -0,0 +1,10 @@
+Manifest.txt
+README.txt
+Rakefile
+lib/SamlResponseTemplate.xml
+lib/SignatureTemplate.xml
+lib/google-sso.rb
+lib/google-sso/version.rb
+lib/processresponse.rb
+lib/xmlcanonicalizer.rb
+test/test_GoogleSSO.rb

data/README.txt

@@ -0,0 +1,41 @@
+Google SSO gem supported by ELC Technologies. Read more about our Ruby on Rails development services and commitment to the Rails community at elctech.com
+
+GoogleSSO
+    by Thomas Ormerod
+
+== DESCRIPTION:
+  
+Provides single-sign-on to Google premier services.
+
+== FEATURES/PROBLEMS:
+  
+Uses an incomplete xml canonicalizer.
+
+== REQUIREMENTS:
+
+Core classes only
+
+== INSTALL:
+
+sudo gem install google-sso
+
+== USAGE:
+
+1. Generate an RSA key (DSA has issues with ruby/openssl)
+  1. openssl genrsa -out privkey.pem [strength ie. 1024, 2048]
+2. Create a self-signed certificate (or signed your choice)
+  1. openssl req -new -x509 -key privkey.pem -out cacert.pem [optional -days ie. 1095]
+3. Go to https://www.google.com/a/YOUR-DOMAIN and login as administrator
+  1. Advanced tools > Single sign-on
+  2. Enable Single Sign-on
+  3. Set your Sign-in page URL to your sites login page
+  4. Set your other URL's
+  5. Save
+  6. Upload your certificate (cacert.pem)
+  7. Logout
+  8. You have now enabled single sign on.
+
+
+Anytime a user attempts to access a Google service with /a/[your domain]
+on the end they will first have to authenticate through you, unless they 
+previously authenticated and a cookie is set.

data/Rakefile

@@ -0,0 +1,17 @@
+require 'rubygems'
+require 'hoe'
+$:.unshift File.join(File.dirname(__FILE__), 'lib')
+# Gem::manage_gems
+# require 'rake/gempackagetask'
+require 'google-sso'
+
+Hoe.new('GoogleSSO', GoogleSSO::VERSION::STRING) do |p|
+  p.rubyforge_name = 'google-sso'
+  p.name = 'google-sso'
+  p.author = 'Thomas Ormerod, David Palm, and Ryan Garver'
+  p.description = 'Google Apps Single Sign-on (SSO) support.'
+  p.email = 'google-sso@elctech.com'
+  p.summary = 'Google Apps Single Sign-on'
+  p.url = 'http://elctech.com'
+	p.rdoc_pattern = /\.txt$|lib\/.*\.rb$/
+end

data/lib/SamlResponseTemplate.xml

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><samlp:Response ID="<RESPONSE_ID>" IssueInstant="<ISSUE_INSTANT>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="<ASSERTION_ID>" IssueInstant="<ISSUE_INSTANT>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://www.opensaml.org/IDP</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"><USERNAME_STRING></NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject><Conditions NotBefore="<NOT_BEFORE>" NotOnOrAfter="<NOT_ON_OR_AFTER>"/><AuthnStatement AuthnInstant="<AUTHN_INSTANT>"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

data/lib/SignatureTemplate.xml

@@ -0,0 +1,19 @@
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+<SignedInfo>
+<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
+<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<Reference URI="">
+<Transforms>
+<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+</Transforms>
+<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<DigestValue></DigestValue>
+</Reference>
+</SignedInfo>
+<SignatureValue></SignatureValue>
+<KeyInfo>
+<X509Data>
+<X509Certificate></X509Certificate>
+</X509Data>
+</KeyInfo>
+</Signature>

data/lib/google-sso.rb

@@ -0,0 +1,3 @@
+require 'xmlcanonicalizer'
+require 'processresponse'
+require 'google-sso/version'

data/lib/google-sso/version.rb

@@ -0,0 +1,9 @@
+module GoogleSSO #:nodoc:
+  module VERSION #:nodoc:
+    MAJOR = 1
+    MINOR = 0
+    TINY  = 2
+
+    STRING = [MAJOR, MINOR, TINY].join('.')
+  end
+end

data/lib/processresponse.rb

@@ -0,0 +1,221 @@
+require "openssl"
+require "openssl/x509"
+require "base64"
+require "rexml/document"
+require "rexml/xpath"
+require "zlib"
+require "digest/sha1"
+require "xmlcanonicalizer"
+require 'log4r'
+
+include Log4r
+include REXML
+include OpenSSL
+
+  class XmlProcessResponse
+    attr_reader :acs, :signed_response, :acs_form
+      
+		# Create an XmlProcessResponse object
+		#
+		# certificate_path: path to the site certificate, previously uploaded to Google using the SSO admin panel
+		# private_key_path: path to the private key that will be used to sign the SAML Response
+    def initialize(certificate_path, private_key_path)
+      @certificate_path = certificate_path
+      @private_key_path = private_key_path
+
+      libpath = "#{Gem.dir}/gems/google-sso-#{GoogleSSO::VERSION::STRING}/lib" # FIXME: uses hardcoded gemname. Bad bad bad.
+      @signature_template_path	=	"#{libpath}/SignatureTemplate.xml"
+      @response_template_path		=	"#{libpath}/SamlResponseTemplate.xml"
+      
+      @issue_instant		=	""
+      @provider_name		=	""
+      
+      @acs							=	""
+      @acs_form					=	""
+
+      @signed_response	=	""
+
+      @logger = Logger.new("response.log")
+      @logger.level = Logger::DEBUG
+    end
+    
+
+		# Builds a response SAML document to send back to Google.
+		#
+		# Takes three parameters: a SAMLRequest-document, the RelayState 
+		# variable and the username to authenticate.
+		# samlRequest: a string containing the SAML request Google sends out when a user tries to login to a SSO enabled domain.
+		# relayState: a string containing various state parameters regarding the Google domain and the service required.
+		# username: a string with the username that needs to be authenticated.
+		#
+		# The method returns an HTML snippet containing a form with two 
+		# <tt><textarea></tt> elements with the SAML response signed using the key, and 
+		# the RelayState and the form action set to the Google Assertion Consumer Service URL.
+		# Both the SAMLResponse and the RelayState parameters has to be Base64 encoded when submited to Google; this is automatically 
+		# handled for text inserted into <tt>textarea</tt> elements.
+		#
+		# The form should be inserted in the resulting page and submit()-ed by a onload javascript function such as:
+		# 	window.onload = function(){
+		#			var f = document.getElementById('acsForm'); 
+		#			if(f.nodeName=='FORM'){
+		#				f.submit();
+		#			}
+		#		}
+    def process_response(raw_saml_request, relay_state, username)
+      saml_request = decode_authn_request(raw_saml_request)
+      get_request_attributes(saml_request)
+      
+      saml_response = create_saml_response(username)   
+      
+      @logger.debug("\nSAML Response\n" + saml_response.to_s()) if @logger
+      
+      @signed_response = sign_XML(saml_response)
+
+      @logger.debug("\nSigned Response\n" + signed_response.to_s()) if @logger
+      
+      @acs_form	=	<<-ACSFORM
+										<form name="acsForm" id="acsForm" action="#{@acs}" method="post">
+											<textarea name="SAMLResponse">#{signed_response}</textarea>
+											<textarea name="RelayState">#{relay_state}</textarea>
+										</form>
+								ACSFORM
+    end
+    
+    private
+    
+		# The SAMLRequest is zipped and Base64 encoded. This method unzips and decodes the request.
+    def decode_authn_request(encoded_saml_request)	#:doc:
+      unzipper = Zlib::Inflate.new( -Zlib::MAX_WBITS )
+      unzipper.inflate(Base64.decode64(encoded_saml_request))
+    end
+    
+		# Extracts three attributes from the SAMLRequest sent by Google and sets the corresponding ivars:
+		# - issueinstant: when was the request issued (resent in the SAMLResponse in order to establish validity in time of the auth request/response to assure the response cannot be used before the request was issued)
+		# - providername: this is the name of the service provider requesting authentication from us.
+		# - acs: the URL at the service provider site to which our SAMLResponse doc should be sent.
+		#
+		# Takes an XML string (the SAML Request) in input.
+    def get_request_attributes(xmlString)	#:doc:
+      doc = Document.new( xmlString )
+      @issue_instant = doc.root.attributes["IssueInstant"]
+      @provider_name = doc.root.attributes["ProviderName"]	# FIXME: This is not really used anywhere; is set to "google.com". Should we check for this? Or remove the ivar?
+      @acs = doc.root.attributes["AssertionConsumerServiceURL"]
+    end
+    
+		# Create the SAMLResponse
+		# 
+		# Loads the template and substitutes the markers USERNAME_STRING, RESPONSE_ID, ISSUE_INSTANT, AUTHN_INSTANT, NOT_BEFORE, NOT_ON_OR_AFTER and ASSERTION_ID.
+		#
+		# Takes a string in input with the username of the user requesting authentication.
+		# The SAMLResponse is valid for 20 minutes.
+    def create_saml_response(username)	#:doc:
+      current_time = Time.new().utc().strftime("%Y-%m-%dT%H:%M:%SZ")
+      # 20 minutes after issued time
+      not_on_or_after = (Time.new().utc()+60*20).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+			saml_response	=	File.read @response_template_path
+      
+      saml_response.sub!("<USERNAME_STRING>", username)
+      saml_response.sub!("<RESPONSE_ID>",  generate_unique_hexcode(42))
+      saml_response.gsub!("<ISSUE_INSTANT>",  current_time)
+      saml_response.sub!("<AUTHN_INSTANT>",  current_time)
+      saml_response.sub!("<NOT_BEFORE>",  @issue_instant)
+      saml_response.sub!("<NOT_ON_OR_AFTER>",  not_on_or_after)
+      saml_response.sub!("<ASSERTION_ID>",  generate_unique_hexcode(42))
+      
+      return saml_response
+    end
+    
+		# Takes an XML string built from the SAMLResponse template and inserts a digest, signature and certificate into the SignatureTemplate. Returns a string rappresentation of the XML document.
+    def sign_XML(saml_response)	#:doc:
+    	signature	=	File.read @signature_template_path
+
+      saml_response_doc	=	Document.new(saml_response)
+      sig_doc						=	Document.new(signature)
+
+      # 3. Apply digesting algorithms over the resource, and calculate the digest value.
+      digest_value = calculate_digest(saml_response_doc)
+  
+      # 4. Enclose the details in the <Reference> element.
+      # 5. Collect all <Reference> elements inside the <SignedInfo> element. Indicate the canonicalization and signature methodologies.
+      digest_element = XPath.first( sig_doc, "//DigestValue" )
+      digest_element.add_text( digest_value )
+
+      # 6. Canonicalize contents of <SignedInfo>, apply the signature algorithm, and generate the XML Digital signature.
+      signed_element	=	XPath.first( sig_doc, "//SignedInfo" )
+      signature_value	=	calculate_signature_value( signed_element )
+
+      # 7. Enclose the signature within the <SignatureValue> element.
+      signature_value_element = XPath.first( sig_doc, "//SignatureValue" )
+      signature_value_element.add_text( signature_value )
+
+      # 8. Add relevant key information, if any, and produce the <Signature> element.
+			cert	=	File.read @certificate_path
+
+      cert.sub!(/.*BEGIN CERTIFICATE-----\s*(.*)\s*-----END CERT.*/m, '\1')
+  
+      cert_node = XPath.first(sig_doc, "//X509Certificate")
+      cert_node.add_text(cert)
+
+      # 9. put it all together
+      status_child = saml_response_doc.elements["//samlp:Status"]
+      status_child.parent.insert_before(status_child, sig_doc.root)
+      retval = saml_response_doc.to_s()
+
+      return retval
+    end
+		
+		# Builds a canonicalized version of the passed DOM element, signs it and returns a Base64-encoded version.
+		# The element is temporarily provided with the following namespaces:
+		# - http://www.w3.org/2000/09/xmldsig#
+		# - urn:oasis:names:tc:SAML:2.0:protocol
+		# - http://www.w3.org/2001/04/xmlenc#
+		# 
+    def calculate_signature_value(element)
+      element.add_namespace "http://www.w3.org/2000/09/xmldsig#"
+      element.add_namespace "xmlns:samlp", "urn:oasis:names:tc:SAML:2.0:protocol"
+      element.add_namespace "xmlns:xenc", "http://www.w3.org/2001/04/xmlenc#"
+
+      canoner = XmlCanonicalizer.new(false, true)
+      canon_element = canoner.canonicalize( element )
+  
+      pkey = PKey::RSA.new( File::read( @private_key_path ) )
+      signature = Base64.encode64( pkey.sign( OpenSSL::Digest::SHA1.new, canon_element.to_s.chomp ).chomp ).chomp
+
+      element.delete_attribute "xmlns"
+      element.delete_attribute "xmlns:samlp"
+      element.delete_attribute "xmlns:xenc"
+      return signature
+    end
+    
+		# Builds a canonicalized version of the passed DOM element and returns a 
+		# SHA1-digest of the element (Base64 encoded string).
+    def calculate_digest(element)		#:doc:
+      canoner = XmlCanonicalizer.new(false, true)
+      canon_element = canoner.canonicalize( element )
+			Base64.encode64( Digest::SHA1.digest( canon_element.to_s.chomp ).chomp ).chomp
+    end
+
+  	# Generate an ID string for use in two attributes in the SAMLResponse 
+		# (response ID and assertion ID); these has to obey specific rules 
+		# (see Google SSO documentation).
+		#
+		# Returns a random hexadecimal string <tt>code_length</tt> long.
+    def generate_unique_hexcode( code_length ) #:doc:
+      valid_chars = ("A".."F").to_a + ("0".."9").to_a
+      length = valid_chars.size
+      
+      valid_start_chars = ("A".."F").to_a
+      start_length = valid_start_chars.size
+      
+      hexcode = ""
+      hexcode << valid_start_chars[rand(start_length-1)]
+      
+      1.upto(code_length-1){|i| 
+				hexcode << valid_chars[rand(length-1)] 
+			}
+        
+      return hexcode
+    end
+ 
+  end

data/lib/xmlcanonicalizer.rb

@@ -0,0 +1,405 @@
+require "rexml/document"
+require "base64"
+
+include REXML
+
+ 
+  class REXML::Instruction
+    def write(writer, indent=-1, transitive=false, ie_hack=false)
+      indent(writer, indent)
+      writer << START.sub(/\\/u, '')
+      writer << @target
+      writer << ' '
+      writer << @content if @content != nil
+      writer << STOP.sub(/\\/u, '')
+    end
+  end
+  
+  class REXML::Attribute
+    def <=>(a2)
+      if (self === a2)
+        return 0
+      elsif (self == nil)
+        return -1
+      elsif (a2 == nil)
+        return 1
+      elsif (self.prefix() == a2.prefix())
+        return self.name()<=>a2.name()
+      end
+      if (self.prefix() == nil)
+        return -1
+      elsif (a2.prefix() == nil)
+        return 1
+      end
+      ret = self.namespace()<=>a2.namespace()
+      if (ret == 0)
+        ret = self.prefix()<=>a2.prefix()
+      end
+      return ret
+    end
+  end
+  
+  class REXML::Element
+    def search_namespace(prefix)
+      if (self.namespace(prefix) == nil)
+        return (self.parent().search_namespace(prefix)) if (self.parent() != nil)
+      else
+        return self.namespace(prefix)
+      end
+    end
+    def rendered=(rendered)
+    	@rendered = rendered
+    end
+    def rendered?()
+    	return @rendered
+    end
+    def node_namespaces()
+      ns = Array.new()
+      ns.push(self.prefix())
+      self.attributes().each_attribute{|a|
+        if (a.prefix() == "xmlns" or (a.prefix() == "" && a.local_name() == "xmlns"))
+          ns.push("xmlns")
+        end
+      }
+      self.prefixes().each { |prefix| ns.push(prefix) }
+      ns
+    end
+  end
+  
+  class NamespaceNode
+    attr_reader :prefix, :uri	
+    def initialize(prefix, uri)
+      @prefix = prefix
+      @uri = uri
+    end
+  end
+
+	# From the IBM DeveloperWorks website[http://www.ibm.com/developerworks/xml/library/x-c14n/]:
+	# 
+	# <em>XML is careful to separate details of a file or other data source, bit-by-bit, from the
+	# abstract model of an XML document. This can be an inconvenience when comparing two 
+	# XML documents for equality -- either directly (for instance, as part of a test suite)
+	# or by comparing digital signatures for security purposes -- to determine whether an 
+	# XML document has been tampered with in some way. The W3C addresses this problem with the
+	# XML Canonicalization spec (c14n), which defines a standard form for an XML document that
+	# is guaranteed to provide proper bit-wise comparisons and thus consistent digital signatures.</em>
+  
+  class XmlCanonicalizer
+    attr_accessor :prefix_list, :logger
+    
+    BEFORE_DOC_ELEMENT = 0
+    INSIDE_DOC_ELEMENT = 1
+    AFTER_DOC_ELEMENT  = 2
+    
+    NODE_TYPE_ATTRIBUTE  = 3
+    NODE_TYPE_WHITESPACE = 4
+    NODE_TYPE_COMMENT    = 5
+    NODE_TYPE_PI         = 6
+    NODE_TYPE_TEXT       = 7
+    
+    
+    def initialize(with_comments, excl_c14n)
+      @with_comments = with_comments
+      @exclusive = excl_c14n
+      @res = ""
+      @state = BEFORE_DOC_ELEMENT
+      @xnl = Array.new()
+      @prevVisibleNamespacesStart = 0
+      @prevVisibleNamespacesEnd = 0
+      @visibleNamespaces = Array.new()
+      @inclusive_namespaces = Array.new()
+      @prefix_list = nil
+      @rendered_prefixes = Array.new()
+      @logger = Logger.new("xmlcanonicalizer.log")
+      @logger.level = Logger::DEBUG
+    end
+    
+    def add_inclusive_namespaces(prefix_list, element, visible_namespaces)
+      namespaces = element.attributes()
+      namespaces.each_attribute{|ns|
+        if (ns.prefix=="xmlns")
+          if (prefix_list.include?(ns.local_name()))
+            visible_namespaces.push(NamespaceNode.new("xmlns:"+ns.local_name(), ns.value()))
+          end
+        end
+      }
+      parent = element.parent()
+      add_inclusive_namespaces(prefix_list, parent, visible_namespaces) if (parent)
+      visible_namespaces
+    end
+    
+    def canonicalize(document)
+      write_document_node(document)
+      @logger.debug("\nCanonicalized result\n" + @res.to_s()) if @logger
+      @res
+    end
+    
+    def canonicalize_element(element, logging = true)
+      @logger.debug("Canonicalize element:\n" + element.to_s()) if @logger
+      @inclusive_namespaces = add_inclusive_namespaces(@prefix_list, element, @inclusive_namespaces) if (@prefix_list)
+      @preserve_document = element.document()
+      tmp_parent = element.parent()
+      body_string = remove_whitespace(element.to_s().gsub("\n","").gsub("\t","").gsub("\r",""))
+      document = Document.new(body_string)
+      tmp_parent.delete_element(element)
+      element = tmp_parent.add_element(document.root())
+      @preserve_element = element
+      document = Document.new(element.to_s())
+      ns = element.namespace(element.prefix())
+      document.root().add_namespace(element.prefix(), ns)
+      write_document_node(document)
+      @logger.debug("Canonicalized result:\n" + @res.to_s()) if @logger
+      @res
+    end
+    
+    def write_document_node(document)
+      @state = BEFORE_DOC_ELEMENT
+      if (document.class().to_s() == "REXML::Element")
+        write_node(document)
+      else
+        document.each_child{|child|
+          write_node(child)
+        }
+      end
+      @res
+    end
+    
+    def write_node(node)
+      visible = is_node_visible(node)
+      if ((node.node_type() == :text) && white_text?(node.value()))
+        res = node.value()
+        res.gsub("\r\n","\n")
+        #res = res.delete(" ").delete("\t")
+        res.delete("\r")
+        @res = @res + res
+        #write_text_node(node,visible) if (@state == INSIDE_DOC_ELEMENT)
+        return
+      end
+      if (node.node_type() == :text)
+        write_text_node(node, visible)
+        return
+      end		
+      if (node.node_type() == :element)
+        write_element_node(node, visible) if (!node.rendered?())
+		    node.rendered=(true)
+      end
+      if (node.node_type() == :processing_instruction)
+      end
+      if (node.node_type() == :comment)
+      end
+    end
+    
+    def write_element_node(node, visible)
+      savedPrevVisibleNamespacesStart = @prevVisibleNamespacesStart
+      savedPrevVisibleNamespacesEnd = @prevVisibleNamespacesEnd
+      savedVisibleNamespacesSize = @visibleNamespaces.size()
+      state = @state
+      state = INSIDE_DOC_ELEMENT if (visible && state == BEFORE_DOC_ELEMENT)
+      @res = @res + "<" + node.expanded_name() if (visible)
+      write_namespace_axis(node, visible)
+      write_attribute_axis(node)
+      @res = @res + ">" if (visible)
+      node.each_child{|child|
+    	 	write_node(child)
+    	}
+      @res = @res + "</" +node.expanded_name() + ">" if (visible)
+      @state = AFTER_DOC_ELEMENT if (visible && state == BEFORE_DOC_ELEMENT)
+      @prevVisibleNamespacesStart = savedPrevVisibleNamespacesStart
+      @prevVisibleNamespacesEnd = savedPrevVisibleNamespacesEnd
+      @visibleNamespaces.slice!(savedVisibleNamespacesSize, @visibleNamespaces.size() - savedVisibleNamespacesSize) 		if (@visibleNamespaces.size() > savedVisibleNamespacesSize)
+    end
+    
+    def write_namespace_axis(node, visible)
+      doc = node.document()
+      has_empty_namespace = false
+      list = Array.new()
+      cur = node
+      #while ((cur != nil) && (cur != doc) && (cur.node_type() != :document)) 
+      namespaces = cur.node_namespaces()
+      namespaces.each{|prefix|
+        next if ((prefix == "xmlns") && (node.namespace(prefix) == "")) 
+        namespace = cur.namespace(prefix)
+        next if (is_namespace_node(namespace))
+        next if (node.namespace(prefix) != cur.namespace(prefix))
+        next if (prefix == "xml" && namespace == "http://www.w3.org/XML/1998/namespace")
+        next if (!is_node_visible(cur))
+        rendered = is_namespace_rendered(prefix, namespace)
+        @visibleNamespaces.push(NamespaceNode.new("xmlns:"+prefix,namespace)) if (visible)
+        if ((!rendered) && !list.include?(prefix))
+          list.push(prefix)
+        end
+        has_empty_namespace = true if (prefix == nil)
+      }
+      if (visible && !has_empty_namespace && !is_namespace_rendered(nil, nil)) 
+        @res = @res + ' xmlns=""'
+      end
+      #TODO: ns of inclusive_list
+#=begin
+      if ((@prefix_list) && (node.to_s() == node.parent().to_s()))
+        #list.push(node.prefix())
+        @inclusive_namespaces.each{|ns|
+          prefix = ns.prefix().split(":")[1]
+          list.push(prefix) if (!list.include?(prefix) && (!node.attributes.prefixes.include?(prefix))) 
+        }
+		@prefix_list = nil
+      end
+#=end
+      list.sort!()
+      list.insert(0, "xmlns") unless list.delete("xmlns").nil?
+      list.each{|prefix|
+        next if (prefix == "")
+    		next if (@rendered_prefixes.include?(prefix))
+    		@rendered_prefixes.push(prefix)
+        ns = node.namespace(prefix)
+        ns = @preserve_element.namespace(prefix) if (ns == nil)
+        @res = @res + normalize_string(" " + prefix + '="' + ns + '"', NODE_TYPE_TEXT) if (prefix == "xmlns")
+        @res = @res + normalize_string(" xmlns:" + prefix + '="' + ns + '"', NODE_TYPE_TEXT) if (prefix != nil && prefix != "xmlns")
+      }
+      if (visible)
+        @prevVisibleNamespacesStart = @prevVisibleNamespacesEnd
+        @prevVisibleNamespacesEnd = @visibleNamespaces.size()	
+      end
+    end
+    
+    def write_attribute_axis(node)
+      list = Array.new()
+      node.attributes().sort.each{|key, attr|
+        list.push(attr) if (!is_namespace_node(attr.value()) && !is_namespace_decl(attr)) # && is_node_visible(
+      }
+      if (!@exclusive && node.parent() != nil && node.parent().parent() != nil)
+        cur = node.parent()
+        while (cur != nil)
+          #next if (cur.attributes() == nil)
+          cur.each_attribute{|attribute|
+            next if (attribute.prefix() != "xml")
+            next if (attribute.prefix().index("xmlns") == 0)
+            next if (node.namespace(attribute.prefix()) == attribute.value())
+            found = true
+            list.each{|n|
+              if (n.prefix() == "xml" && n.value() == attritbute.value())
+                found = true
+                break
+              end
+            }
+            next if (found)
+            list.push(attribute)
+          }
+        end
+      end
+      list.each{|attribute|
+        if (attribute != nil)
+          if (attribute.name() != "xmlns")
+            @res = @res + " " + normalize_string(attribute.to_string(), NODE_TYPE_ATTRIBUTE).gsub("'",'"')
+          end
+          #	else
+          #	@res = @res + " " + normalize_string(attribute.name()+'="'+attribute.to_s()+'"', NODE_TYPE_ATTRIBUTE).gsub("'",'"')
+          #end
+        end
+      }
+    end
+    
+    def is_namespace_node(namespace_uri)
+      return (namespace_uri == "http://www.w3.org/2000/xmlns/")
+    end
+    
+    def is_namespace_rendered(prefix, uri)
+      is_empty_ns = prefix == nil && uri == nil
+      if (is_empty_ns)
+        start = 0
+      else
+        start = @prevVisibleNamespacesStart
+      end
+      @visibleNamespaces.each{|ns|
+        if (ns.prefix() == "xmlns:"+prefix.to_s() && ns.uri() == uri)
+          return true
+        end
+      }
+      return is_empty_ns
+      #(@visibleNamespaces.size()-1).downto(start) {|i|
+      #   ns = @visibleNamespaces[i]
+      #	return true if (ns.prefix() == "xmlns:"+prefix.to_s() && ns.uri() == uri)
+      #	#p = ns.prefix() if (ns.prefix().index("xmlns") == 0) 
+      #	#return ns.uri() == uri if (p == prefix) 
+      #}
+      #return is_empty_ns
+    end
+    
+    def is_node_visible(node)
+      return true if (@xnl.size() == 0)
+      @xnl.each{|element|
+        return true if (element == node)
+      }
+      return false
+    end
+    
+    def normalize_string(input, type)
+      sb = ""
+      return input
+    end
+    #input.each_byte{|b|
+    #	if (b ==60 && (type == NODE_TYPE_ATTRIBUTE || is_text_node(type)))
+    #		sb = sb + "&lt;"
+    #	elsif (b == 62 && is_text_node(type))
+    #		sb = sb + "&gt;"
+    #	elsif (b == 38 && (is_text_node(type) || is_text_node(type))) #Ampersand
+    #		sb = sb + "&amp;"
+    #	elsif (b == 34 && is_text_node(type)) #Quote
+    #		sb = sb + "&quot;"
+    #	elsif (b == 9 && is_text_node(type)) #Tabulator
+    #		sb = sb + "&#x9;"
+    #	elsif (b == 11 && is_text_node(type)) #CR
+    #		sb = sb + "&#xA;"
+    #	elsif (b == 13 && (type == NODE_TYPE_ATTRIBUTE || (is_text_node(type) && type != NODE_TYPE_WHITESPACE) || type == NODE_TYPE_COMMENT || type == NODE_TYPE_PI))
+    #		sb = sb + "&#xD;"
+    #	elsif (b == 13)
+    #		next
+    #	else
+    #		sb = sb.concat(b)
+    #	end
+    #}
+    #sb
+    #end
+    
+    def write_text_node(node, visible)
+      if (visible)
+        @res = @res + normalize_string(node.value(), node.node_type())
+      end
+    end
+    
+    def white_text?(text)
+      return true if ((text.strip() == "") || (text.strip() == nil))
+      return false
+    end
+    
+    def is_namespace_decl(attribute)
+      #return true if (attribute.name() == "xmlns")
+      return true if (attribute.prefix().index("xmlns") == 0)
+      return false
+    end
+    
+    def is_text_node(type)
+      return true if (type == NODE_TYPE_TEXT || type == NODE_TYPE_CDATA || type == NODE_TYPE_WHITESPACE)
+      return false
+    end
+    
+    def remove_whitespace(string)
+      new_string = ""
+      in_white = false
+      string.each_byte{|b|
+        #if (in_white && b == 32)
+        #else
+        if !(in_white && b == 32)
+          new_string = new_string + b.chr()
+        end
+        if (b == 62) #>
+          in_white = true
+        end
+        if (b == 60) #<
+          in_white = false
+        end
+      }
+      new_string
+    end
+  end
+
+

data/test/test_GoogleSSO.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/env ruby
+
+require 'google-sso'
+require 'test/unit'
+
+class TestSSO < Test::Unit::TestCase
+	RelayState			= 'https://www.google.com/a/davidpalm.net/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fa%2Fdavidpalm.net&ltmpl=default&ltmplcache=2'
+	SAMLRequest_encoded			=	'fVJLT8MwDL4j8R+i3NeuIAREa6cBQkziUW2FA7cscduMNC5xusG/p+tAwAGknJzP38P2ZPrWWLYBTwZdypNozBk4hdq4KuWPxfXojE+zw4MJyca2YtaF2i3gtQMKrO90JIaPlHfeCZRkSDjZAImgxHJ2dyuOorFoPQZUaDmbX6X8RSqrDSpnpUZZrY0tS21rXFftql6bF12ZtqwVcvb0ZetoZ2tO1MHcUZAu9KXx+HQ0vCJJxPGJOD5/5iz/VLowbp/gP1urPYjETVHko/xhWQwEG6PB3/folFeIlYVIYcPZjAh86O1coqOuAb8EvzEKHhe3Ka9DaEnE8Xa7jb6bYhlr2dO10jaRgxBLRbscuSQym56/lJaAZ8NwxZDP/5jq/+7llx+efStO4h9U2efSdlnmVzlao97ZzFrcXnqQodcPvgPOrtE3MvytlkTJUDF6VA5Q0TlqQZnSgOYszvaqv6+jv5kP'
+	SAMLRequest_decoded			=	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"kacldiocnladoagjilffdlhojgpbhjikdgipfhco\" Version=\"2.0\" IssueInstant=\"2007-07-07T11:35:39Z\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" ProviderName=\"google.com\" AssertionConsumerServiceURL=\"https://www.google.com/a/davidpalm.net/acs\" IsPassive=\"false\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">google.com</saml:Issuer><samlp:NameIDPolicy AllowCreate=\"true\" Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\" /></samlp:AuthnRequest>\r\n"
+	
+	SAMLResponse		=	'<?xml version=\"1.0\" encoding=\"UTF-8\"?><samlp:Response ID=\"E4B3A6F788CA08C40ED6DC62B8B1A1CF026C05CA51\" IssueInstant=\"2007-07-07T13:54:39Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\"><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion ID=\"CB811AFE287D86586677DF7B7BCA7F278840330164\" IssueInstant=\"2007-07-07T13:54:39Z\" Version=\"2.0\" xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"><Issuer>https://www.opensaml.org/IDP</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress\">sso</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"/></Subject><Conditions NotBefore=\"2007-07-07T11:35:39Z\" NotOnOrAfter=\"2007-07-07T14:14:39Z\"/><AuthnStatement AuthnInstant=\"2007-07-07T13:54:39Z\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>'
+
+	SAMLResponse_re	=	/<\?xml version=\"1\.0\" encoding=\"UTF-8\"\?><samlp:Response ID=\"[A-Z]{1}[A-Z0-9]{41}\" IssueInstant=\"[\d]{4}-[\d]{2}-[\d]{2}[A-Z]{1}[\d]{2}:[\d]{2}:[\d]{2}[A-Z]{1}\" Version=\"2\.0\" xmlns=\"urn:oasis:names:tc:SAML:2\.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2\.0:protocol\" xmlns:xenc=\"http:\/\/www\.w3\.org\/2001\/04\/xmlenc#\"><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2\.0:status:Success\"\/><\/samlp:Status><Assertion ID=\"[A-Z]{1}[A-Z0-9]{41}\" IssueInstant=\"[\d]{4}-[\d]{2}-[\d]{2}[A-Z]{1}[\d]{2}:[\d]{2}:[\d]{2}[A-Z]{1}\" Version=\"2\.0\" xmlns=\"urn:oasis:names:tc:SAML:2\.0:assertion\"><Issuer>https:\/\/www\.opensaml\.org\/IDP<\/Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:2\.0:nameid-format:emailAddress\">sso<\/NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2\.0:cm:bearer\"\/><\/Subject><Conditions NotBefore=\"\" NotOnOrAfter=\"[\d]{4}-[\d]{2}-[\d]{2}[A-Z]{1}[\d]{2}:[\d]{2}:[\d]{2}[A-Z]{1}\"\/><AuthnStatement AuthnInstant=\"[\d]{4}-[\d]{2}-[\d]{2}[A-Z]{1}[\d]{2}:[\d]{2}:[\d]{2}[A-Z]{1}\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2\.0:ac:classes:Password<\/AuthnContextClassRef><\/AuthnContext><\/AuthnStatement><\/Assertion><\/samlp:Response>/
+
+	Signature_re	=	/<Signature xmlns='http:\/\/www\.w3\.org\/2000\/09\/xmldsig#'>\n<SignedInfo>\n<CanonicalizationMethod Algorithm='http:\/\/www\.w3\.org\/TR\/2001\/REC-xml-c14n-20010315#WithComments'\/>\n<SignatureMethod Algorithm='http:\/\/www\.w3\.org\/2000\/09\/xmldsig#rsa-sha1'\/>\n<Reference URI=''>\n<Transforms>\n<Transform Algorithm='http:\/\/www\.w3\.org\/2000\/09\/xmldsig#enveloped-signature'\/>\n<\/Transforms>\n<DigestMethod Algorithm='http:\/\/www\.w3\.org\/2000\/09\/xmldsig#sha1'\/>\n<DigestValue>.{28}<\/DigestValue>\n<\/Reference>\n<\/SignedInfo>\n<SignatureValue>.*<\/SignatureValue>\n<KeyInfo>\n<X509Data>\n<X509Certificate>.*=\n<\/X509Certificate>\n<\/X509Data>\n<\/KeyInfo>\n<\/Signature>/m
+
+	Username	=	'sso'
+	
+	FakeCACertPath		=	File.dirname(__FILE__)+'/fake_cacert.pem'
+	FakePrivKeyPath	=	File.dirname(__FILE__)+'/fake_privkey.pem'
+	
+	def setup
+		@sso	=	XmlProcessResponse.new(FakeCACertPath, FakePrivKeyPath)
+	end
+	
+	def test_decode_authn_request
+		saml_request_decoded	=	@sso.send :decode_authn_request, SAMLRequest_encoded
+		assert_equal saml_request_decoded, SAMLRequest_decoded
+	end
+	
+	def test_get_request_attributes
+		acs	=	@sso.send(:get_request_attributes, (@sso.send :decode_authn_request, SAMLRequest_encoded))
+		assert_match(/https:\/\/www.google.com\/a\/.*\/acs/, acs)
+	end
+
+	def test_create_saml_response
+		saml_response	=	@sso.send(:create_saml_response, Username)
+		assert_match SAMLResponse_re, saml_response
+	end
+	
+	def test_sign_XML
+		signed	=	@sso.send(:sign_XML, @sso.send(:create_saml_response, Username))
+		assert_match  Signature_re, signed
+	end
+	
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.9.2
+specification_version: 1
+name: google-sso
+version: !ruby/object:Gem::Version 
+  version: 1.0.2
+date: 2007-07-07 00:00:00 +02:00
+summary: Google Apps Single Sign-on
+require_paths: 
+- lib
+email: google-sso@elctech.com
+homepage: http://elctech.com
+rubyforge_project: google-sso
+description: Google Apps Single Sign-on (SSO) support.
+autorequire: 
+default_executable: 
+bindir: bin
+has_rdoc: true
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 0.0.0
+  version: 
+platform: ruby
+signing_key: 
+cert_chain: 
+post_install_message: 
+authors: 
+- Thomas Ormerod, David Palm, and Ryan Garver
+files: 
+- Manifest.txt
+- README.txt
+- Rakefile
+- lib/SamlResponseTemplate.xml
+- lib/SignatureTemplate.xml
+- lib/google-sso.rb
+- lib/google-sso/version.rb
+- lib/processresponse.rb
+- lib/xmlcanonicalizer.rb
+- test/test_GoogleSSO.rb
+test_files: 
+- test/test_GoogleSSO.rb
+rdoc_options: 
+- --main
+- README.txt
+extra_rdoc_files: 
+- Manifest.txt
+- README.txt
+executables: []
+
+extensions: []
+
+requirements: []
+
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Version::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.2.1
+    version: