icn_saml_idp 0.4.1

data/lib/saml_idp/algorithmable.rb

@@ -0,0 +1,19 @@
+module SamlIdp
+  module Algorithmable
+    def algorithm
+      algorithm_check = raw_algorithm || SamlIdp.config.algorithm
+      return algorithm_check if algorithm_check.respond_to?(:digest)
+      begin
+        OpenSSL::Digest.const_get(algorithm_check.to_s.upcase)
+      rescue NameError
+        OpenSSL::Digest::SHA1
+      end
+    end
+    private :algorithm
+
+    def algorithm_name
+      algorithm.to_s.split('::').last.downcase
+    end
+    private :algorithm_name
+  end
+end

data/lib/saml_idp/assertion_builder.rb

@@ -0,0 +1,172 @@
+require 'builder'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
+module SamlIdp
+  class AssertionBuilder
+    include Algorithmable
+    include Signable
+    attr_accessor :reference_id
+    attr_accessor :issuer_uri
+    attr_accessor :principal
+    attr_accessor :audience_uri
+    attr_accessor :saml_request_id
+    attr_accessor :saml_acs_url
+    attr_accessor :raw_algorithm
+    attr_accessor :authn_context_classref
+    attr_accessor :expiry
+    attr_accessor :encryption_opts
+
+    delegate :config, to: :SamlIdp
+
+    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil)
+      self.reference_id = reference_id
+      self.issuer_uri = issuer_uri
+      self.principal = principal
+      self.audience_uri = audience_uri
+      self.saml_request_id = saml_request_id
+      self.saml_acs_url = saml_acs_url
+      self.raw_algorithm = raw_algorithm
+      self.authn_context_classref = authn_context_classref
+      self.expiry = expiry
+      self.encryption_opts = encryption_opts
+    end
+
+    def fresh
+      builder = Builder::XmlMarkup.new
+      builder.Assertion xmlns: Saml::XML::Namespaces::ASSERTION,
+        ID: reference_string,
+        IssueInstant: now_iso,
+        Version: "2.0" do |assertion|
+          assertion.Issuer issuer_uri
+          sign assertion
+          assertion.Subject do |subject|
+            subject.NameID name_id, Format: name_id_format[:name]
+            subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
+              confirmation_hash = {}
+              confirmation_hash[:InResponseTo] = saml_request_id unless saml_request_id.nil?
+              confirmation_hash[:NotOnOrAfter] = not_on_or_after_subject
+              confirmation_hash[:Recipient] = saml_acs_url
+
+              confirmation.SubjectConfirmationData "", confirmation_hash
+            end
+          end
+          assertion.Conditions NotBefore: not_before, NotOnOrAfter: not_on_or_after_condition do |conditions|
+            conditions.AudienceRestriction do |restriction|
+              restriction.Audience audience_uri
+            end
+          end
+          if asserted_attributes
+            assertion.AttributeStatement do |attr_statement|
+              asserted_attributes.each do |friendly_name, attrs|
+                attrs = (attrs || {}).with_indifferent_access
+                attr_statement.Attribute Name: attrs[:name] || friendly_name,
+                  NameFormat: attrs[:name_format] || Saml::XML::Namespaces::Formats::Attr::URI,
+                  FriendlyName: friendly_name.to_s do |attr|
+                    values = get_values_for friendly_name, attrs[:getter]
+                    values.each do |val|
+                      attr.AttributeValue val.to_s
+                    end
+                  end
+              end
+            end
+          end
+          assertion.AuthnStatement AuthnInstant: now_iso, SessionIndex: reference_string do |statement|
+            statement.AuthnContext do |context|
+              context.AuthnContextClassRef authn_context_classref
+            end
+          end
+        end
+    end
+    alias_method :raw, :fresh
+    private :fresh
+
+    def encrypt(opts = {})
+      raise "Must set encryption_opts to encrypt" unless encryption_opts
+      raw_xml = opts[:sign] ? signed : raw
+      require 'saml_idp/encryptor'
+      encryptor = Encryptor.new encryption_opts
+      encryptor.encrypt(raw_xml)
+    end
+
+    def asserted_attributes
+      if principal.respond_to?(:asserted_attributes)
+        principal.send(:asserted_attributes)
+      elsif !config.attributes.nil? && !config.attributes.empty?
+        config.attributes
+      end
+    end
+    private :asserted_attributes
+
+    def get_values_for(friendly_name, getter)
+      result = nil
+      if getter.present?
+        if getter.respond_to?(:call)
+          result = getter.call(principal)
+        else
+          message = getter.to_s.underscore
+          result = principal.public_send(message) if principal.respond_to?(message)
+        end
+      elsif getter.nil?
+        message = friendly_name.to_s.underscore
+        result = principal.public_send(message) if principal.respond_to?(message)
+      end
+      Array(result)
+    end
+    private :get_values_for
+
+    def name_id
+      name_id_getter.call principal
+    end
+    private :name_id
+
+    def name_id_getter
+      getter = name_id_format[:getter]
+      if getter.respond_to? :call
+        getter
+      else
+        ->(principal) { principal.public_send getter.to_s }
+      end
+    end
+    private :name_id_getter
+
+    def name_id_format
+      @name_id_format ||= NameIdFormatter.new(config.name_id.formats).chosen
+    end
+    private :name_id_format
+
+    def reference_string
+      "_#{reference_id}"
+    end
+    private :reference_string
+
+    def now
+      @now ||= Time.now.utc
+    end
+    private :now
+
+    def now_iso
+      iso { now }
+    end
+    private :now_iso
+
+    def not_before
+      iso { now - 5 }
+    end
+    private :not_before
+
+    def not_on_or_after_condition
+      iso { now + expiry }
+    end
+    private :not_on_or_after_condition
+
+    def not_on_or_after_subject
+      iso { now + 3 * 60 }
+    end
+    private :not_on_or_after_subject
+
+    def iso
+      yield.iso8601
+    end
+    private :iso
+  end
+end

data/lib/saml_idp/attribute_decorator.rb

@@ -0,0 +1,27 @@
+require 'delegate'
+module SamlIdp
+  class AttributeDecorator < SimpleDelegator
+    alias_method :source, :__getobj__
+
+    def initialize(*)
+      super
+      __setobj__((source || {}).with_indifferent_access)
+    end
+
+    def name
+      source[:name]
+    end
+
+    def friendly_name
+      source[:friendly_name]
+    end
+
+    def name_format
+      source[:name_format] || Saml::XML::Namespaces::Formats::Attr::URI
+    end
+
+    def values
+      Array(source[:values])
+    end
+  end
+end

data/lib/saml_idp/attributeable.rb

@@ -0,0 +1,24 @@
+module SamlIdp
+  module Attributeable
+    extend ActiveSupport::Concern
+
+    def initialize(attributes = {})
+      self.attributes = attributes
+    end
+
+    def attributes
+      @attributes ||= {}.with_indifferent_access
+    end
+
+    def attributes=(new_attributes)
+      @attributes = (new_attributes || {}).with_indifferent_access
+    end
+
+    module ClassMethods
+      def attribute(att)
+        define_method(att) { attributes[att] }
+        define_method("#{att}=") { |new_value| self.attributes[att] = new_value }
+      end
+    end
+  end
+end

data/lib/saml_idp/configurator.rb

@@ -0,0 +1,48 @@
+# encoding: utf-8
+require 'ostruct'
+module SamlIdp
+  class Configurator
+    attr_accessor :x509_certificate
+    attr_accessor :secret_key
+    attr_accessor :password
+    attr_accessor :algorithm
+    attr_accessor :organization_name
+    attr_accessor :organization_url
+    attr_accessor :base_saml_location
+    attr_accessor :entity_id
+    attr_accessor :reference_id_generator
+    attr_accessor :attribute_service_location
+    attr_accessor :single_service_post_location
+    attr_accessor :single_logout_service_post_location
+    attr_accessor :attributes
+    attr_accessor :service_provider
+
+    def initialize
+      self.x509_certificate = Default::X509_CERTIFICATE
+      self.secret_key = Default::SECRET_KEY
+      self.algorithm = :sha1
+      self.reference_id_generator = ->() { UUID.generate }
+      self.service_provider = OpenStruct.new
+      self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
+      self.service_provider.metadata_persister = ->(id, settings) {  }
+      self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
+      self.attributes = {}
+    end
+
+    # formats
+    # getter
+    def name_id
+      @name_id ||= OpenStruct.new
+    end
+
+    def technical_contact
+      @technical_contact ||= TechnicalContact.new
+    end
+
+    class TechnicalContact < OpenStruct
+      def mail_to_string
+        "mailto:#{email_address}" if email_address.to_s.length > 0
+      end
+    end
+  end
+end

data/lib/saml_idp/controller.rb

@@ -0,0 +1,128 @@
+# encoding: utf-8
+require 'openssl'
+require 'base64'
+require 'time'
+require 'uuid'
+require 'saml_idp/request'
+require 'saml_idp/logout_response_builder'
+module SamlIdp
+  module Controller
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :saml_acs_url if respond_to? :helper_method
+    end
+
+    attr_accessor :algorithm
+
+    protected
+
+    def saml_request
+      @saml_request ||= Struct.new(:request_id) do
+        def authn_request?
+          true
+        end
+
+        def issuer
+          nil
+        end
+
+        def acs_url
+          nil
+        end
+      end.new(nil)
+    end
+
+    def validate_saml_request(raw_saml_request = params[:SAMLRequest])
+      decode_request(raw_saml_request)
+      render nothing: true, status: :forbidden unless valid_saml_request?
+    end
+
+    def decode_request(raw_saml_request)
+      @saml_request = Request.from_deflated_request(raw_saml_request)
+    end
+
+    def authn_context_classref
+      Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
+    end
+
+    def encode_authn_response(principal, opts = {})
+      response_id = get_saml_response_id
+      reference_id = opts[:reference_id] || get_saml_reference_id
+      audience_uri = opts[:audience_uri] || saml_request.issuer || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
+      opt_issuer_uri = opts[:issuer_uri] || issuer_uri
+      my_authn_context_classref = opts[:authn_context_classref] || authn_context_classref
+      acs_url = opts[:acs_url] || saml_acs_url
+      expiry = opts[:expiry] || 60*60
+      encryption_opts = opts[:encryption] || nil
+
+      SamlResponse.new(
+        reference_id,
+        response_id,
+        opt_issuer_uri,
+        principal,
+        audience_uri,
+        saml_request_id,
+        acs_url,
+        (opts[:algorithm] || algorithm || default_algorithm),
+        my_authn_context_classref,
+        expiry,
+        encryption_opts
+      ).build
+    end
+
+    def encode_logout_response(principal, opts = {})
+      SamlIdp::LogoutResponseBuilder.new(
+        get_saml_response_id,
+        (opts[:issuer_uri] || issuer_uri),
+        saml_logout_url,
+        saml_request_id,
+        (opts[:algorithm] || algorithm || default_algorithm)
+      ).signed
+    end
+
+    def encode_response(principal, opts = {})
+      if saml_request.authn_request?
+        encode_authn_response(principal, opts)
+      elsif saml_request.logout_request?
+        encode_logout_response(principal, opts)
+      else
+        raise "Unknown request: #{saml_request}"
+      end
+    end
+
+    def issuer_uri
+      (SamlIdp.config.base_saml_location.present? && SamlIdp.config.base_saml_location) ||
+        (defined?(request) && request.url.to_s.split("?").first) ||
+        "http://example.com"
+    end
+
+    def valid_saml_request?
+      saml_request.valid?
+    end
+
+    def saml_request_id
+      saml_request.request_id
+    end
+
+    def saml_acs_url
+      saml_request.acs_url
+    end
+
+    def saml_logout_url
+      saml_request.logout_url
+    end
+
+    def get_saml_response_id
+      UUID.generate
+    end
+
+    def get_saml_reference_id
+      UUID.generate
+    end
+
+    def default_algorithm
+      OpenSSL::Digest::SHA256
+    end
+  end
+end

data/lib/saml_idp/default.rb

@@ -0,0 +1,49 @@
+# encoding: utf-8
+module SamlIdp
+  module Default
+    NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    X509_CERTIFICATE = <<EOS.strip
+MIIDqzCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCQVUx
+DDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MQwwCgYDVQQKDANQSVQxCTAH
+BgNVBAsMADEYMBYGA1UEAwwPbGF3cmVuY2VwaXQuY29tMSUwIwYJKoZIhvcNAQkB
+DBZsYXdyZW5jZS5waXRAZ21haWwuY29tMB4XDTEyMDQyODAyMjIyOFoXDTMyMDQy
+MzAyMjIyOFowgYYxCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcT
+BlN5ZG5leTEMMAoGA1UECgwDUElUMQkwBwYDVQQLDAAxGDAWBgNVBAMMD2xhd3Jl
+bmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJAQwWbGF3cmVuY2UucGl0QGdtYWlsLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuBywPNlC1FopGLYfF96SotiK
+8Nj6/nW084O4omRMifzy7x955RLEy673q2aiJNB3LvE6Xvkt9cGtxtNoOXw1g2Uv
+HKpldQbr6bOEjLNeDNW7j0ob+JrRvAUOK9CRgdyw5MC6lwqVQQ5C1DnaT/2fSBFj
+asBFTR24dEpfTy8HfKECAwEAAaOCASUwggEhMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgUgMB0GA1UdDgQWBBQNBGmmt3ytKpcJaBaYNbnyU2xkazATBgNVHSUEDDAKBggr
+BgEFBQcDATAdBglghkgBhvhCAQ0EEBYOVGVzdCBYNTA5IGNlcnQwgbMGA1UdIwSB
+qzCBqIAUDQRpprd8rSqXCWgWmDW58lNsZGuhgYykgYkwgYYxCzAJBgNVBAYTAkFV
+MQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTEMMAoGA1UECgwDUElUMQkw
+BwYDVQQLDAAxGDAWBgNVBAMMD2xhd3JlbmNlcGl0LmNvbTElMCMGCSqGSIb3DQEJ
+AQwWbGF3cmVuY2UucGl0QGdtYWlsLmNvbYIBATANBgkqhkiG9w0BAQsFAAOBgQAE
+cVUPBX7uZmzqZJfy+tUPOT5ImNQj8VE2lerhnFjnGPHmHIqhpzgnwHQujJfs/a30
+9Wm5qwcCaC1eO5cWjcG0x3OjdllsgYDatl5GAumtBx8J3NhWRqNUgitCIkQlxHIw
+UfgQaCushYgDDL5YbIQa++egCgpIZ+T0Dj5oRew//A==
+EOS
+    FINGERPRINT = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    SECRET_KEY = <<EOS
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC4HLA82ULUWikYth8X3pKi2Irw2Pr+dbTzg7iiZEyJ/PLvH3nl
+EsTLrverZqIk0Hcu8Tpe+S31wa3G02g5fDWDZS8cqmV1Buvps4SMs14M1buPShv4
+mtG8BQ4r0JGB3LDkwLqXCpVBDkLUOdpP/Z9IEWNqwEVNHbh0Sl9PLwd8oQIDAQAB
+AoGAQmUGIUtwUEgbXe//kooPc26H3IdDLJSiJtcvtFBbUb/Ik/dT7AoysgltA4DF
+pGURNfqERE+0BVZNJtCCW4ixew4uEhk1XowYXHCzjkzyYoFuT9v5SP4cu4q3t1kK
+51JF237F0eCY3qC3k96CzPGG67bwOu9EeXAu4ka/plLdsAECQQDkg0uhR/vsJffx
+tiWxcDRNFoZpCpzpdWfQBnHBzj9ZC0xrdVilxBgBpupCljO2Scy4MeiY4S1Mleel
+CWRqh7RBAkEAzkIjUnllEkr5sjVb7pNy+e/eakuDxvZck0Z8X3USUki/Nm3E/GPP
+c+CwmXR4QlpMpJr3/Prf1j59l/LAK9AwYQJBAL9eRSQYCJ3HXlGKXR6v/NziFEY7
+oRTSQdIw02ueseZ8U89aQpbwFbqsclq5Ny1duJg5E7WUPj94+rl3mCSu6QECQBVh
+0duY7htpXl1VHsSq0H6MmVgXn/+eRpaV9grHTjDtjbUMyCEKD9WJc4VVB6qJRezC
+i/bT4ySIsehwp+9i08ECQEH03lCpHpbwiWH4sD25l/z3g2jCbIZ+RTV6yHIz7Coh
+gAbBqA04wh64JhhfG69oTBwqwj3imlWF8+jDzV9RNNw=
+-----END RSA PRIVATE KEY-----
+EOS
+    SERVICE_PROVIDER = {
+      fingerprint: FINGERPRINT
+    }
+  end
+end