icn_saml_idp 0.4.1

data/lib/saml_idp/encryptor.rb

@@ -0,0 +1,86 @@
+require 'xmlenc'
+module SamlIdp
+  class Encryptor
+    attr_accessor :encryption_key
+    attr_accessor :block_encryption
+    attr_accessor :key_transport
+    attr_accessor :cert
+
+    def initialize(opts)
+      self.block_encryption = opts[:block_encryption]
+      self.key_transport = opts[:key_transport]
+      self.cert = opts[:cert]
+    end
+
+    def encrypt(raw_xml) 
+      encryption_template = Nokogiri::XML::Document.parse(build_encryption_template).root
+      encrypted_data = Xmlenc::EncryptedData.new(encryption_template)
+      @encryption_key = encrypted_data.encrypt(raw_xml)
+      encrypted_key_node = encrypted_data.node.at_xpath(
+        '//xenc:EncryptedData/ds:KeyInfo/xenc:EncryptedKey',
+        Xmlenc::NAMESPACES
+      )   
+      encrypted_key = Xmlenc::EncryptedKey.new(encrypted_key_node)
+      encrypted_key.encrypt(openssl_cert.public_key, encryption_key)
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedAssertion xmlns: Saml::XML::Namespaces::ASSERTION do |enc_assert|
+        enc_assert << encrypted_data.node.to_s
+      end 
+    end
+
+    def openssl_cert
+      if cert.is_a?(String)
+        @_openssl_cert ||= OpenSSL::X509::Certificate.new(Base64.decode64(cert))
+      else
+        @_openssl_cert ||= cert
+      end 
+    end 
+    private :openssl_cert
+
+    def block_encryption_ns
+      "http://www.w3.org/2001/04/xmlenc##{block_encryption}"
+    end 
+    private :block_encryption_ns
+
+    def key_transport_ns
+      "http://www.w3.org/2001/04/xmlenc##{key_transport}"
+    end 
+    private :key_transport_ns
+
+    def cipher_algorithm
+      Xmlenc::EncryptedData::ALGORITHMS[block_encryption_ns]
+    end 
+    private :cipher_algorithm
+
+    def build_encryption_template
+      xml = Builder::XmlMarkup.new
+      xml.EncryptedData Id: 'ED', Type: 'http://www.w3.org/2001/04/xmlenc#Element',
+        xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_data|
+        enc_data.EncryptionMethod Algorithm: block_encryption_ns
+        enc_data.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info|
+          key_info.EncryptedKey Id: 'EK', xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_key|
+            enc_key.EncryptionMethod Algorithm: key_transport_ns
+            enc_key.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info2|
+              key_info2.tag! 'ds:KeyName'
+              key_info2.tag! 'ds:X509Data' do |x509_data|
+                x509_data.tag! 'ds:X509Certificate' do |x509_cert|
+                  x509_cert << cert.to_s.gsub(/-+(BEGIN|END) CERTIFICATE-+/, '') 
+                end
+              end
+            end
+            enc_key.CipherData do |cipher_data|
+              cipher_data.CipherValue
+            end
+            enc_key.ReferenceList do |ref_list|
+              ref_list.DataReference URI: 'ED'
+            end
+          end
+        end
+        enc_data.CipherData do |cipher_data|
+          cipher_data.CipherValue
+        end
+      end
+    end
+    private :build_encryption_template
+  end
+end

data/lib/saml_idp/engine.rb

@@ -0,0 +1,5 @@
+# encoding: utf-8
+module SamlIdp
+  class Engine < Rails::Engine
+  end
+end

data/lib/saml_idp/hashable.rb

@@ -0,0 +1,26 @@
+module SamlIdp
+  module Hashable
+    extend ActiveSupport::Concern
+
+    def hashables
+      self.class.hashables
+    end
+
+    def to_h
+      hashables.reduce({}) do |hash, key|
+        hash[key.to_sym] = send(key)
+        hash
+      end
+    end
+
+    module ClassMethods
+      def hashables
+        @hashables ||= Set.new
+      end
+
+      def hashable(method_name)
+        self.hashables << method_name.to_s
+      end
+    end
+  end
+end

data/lib/saml_idp/incoming_metadata.rb

@@ -0,0 +1,144 @@
+require 'set'
+require 'saml_idp/hashable'
+module SamlIdp
+  class IncomingMetadata
+    include Hashable
+    attr_accessor :raw
+
+    delegate :xpath, to: :document
+    private :xpath
+
+    def initialize(raw = "")
+      self.raw = raw
+    end
+
+    def document
+      @document ||= Saml::XML::Document.parse raw
+    end
+
+    def sign_assertions
+      doc = xpath(
+        "//md:SPSSODescriptor",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first
+      doc ? !!doc["WantAssertionsSigned"] : false
+    end
+    hashable :sign_assertions
+
+    def display_name
+      role_descriptor_document.present? ? role_descriptor_document["ServiceDisplayName"] : ""
+    end
+    hashable :display_name
+
+    def contact_person
+      {
+        given_name: given_name,
+        surname: surname,
+        company: company,
+        telephone_number: telephone_number,
+        email_address: email_address
+      }
+    end
+    hashable :contact_person
+
+    def signing_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :signing_certificate
+
+    def encryption_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :encryption_certificate
+
+    def single_logout_services
+      xpath(
+        "//md:SPSSODescriptor/md:SingleLogoutService",
+        md: metadata_namespace
+      ).reduce({}) do |hash, el|
+        hash[el["Binding"].to_s.split(":").last] = el["Location"]
+        hash
+      end
+    end
+    hashable :single_logout_services
+
+    def name_id_formats
+      xpath(
+        "//md:SPSSODescriptor/md:NameIDFormat",
+        md: metadata_namespace
+      ).reduce(Set.new) do |set, el|
+        props = el.content.to_s.match /urn:oasis:names:tc:SAML:(?<version>\S+):nameid-format:(?<name>\S+)/
+        set << props[:name].to_s.underscore if props[:name].present?
+        set
+      end
+    end
+    hashable :name_id_formats
+
+    def assertion_consumer_services
+      xpath(
+        "//md:SPSSODescriptor/md:AssertionConsumerService",
+        md: metadata_namespace
+      ).sort_by { |el| el["index"].to_i }.reduce([]) do |array, el|
+        props = el["Binding"].to_s.match /urn:oasis:names:tc:SAML:(?<version>\S+):bindings:(?<name>\S+)/
+        array << { binding: props[:name], location: el["Location"], default: !!el["isDefault"] }
+        array
+      end
+    end
+    hashable :assertion_consumer_services
+
+    def given_name
+      contact_person_document.xpath("//md:GivenName", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def surname
+      contact_person_document.xpath("//md:SurName", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def company
+      contact_person_document.xpath("//md:Company", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def telephone_number
+      contact_person_document.xpath("//md:TelephoneNumber", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def email_address
+      contact_person_document.xpath("//md:EmailAddress", md: metadata_namespace).first.try(:content).to_s.gsub("mailto:", "")
+    end
+
+    def role_descriptor_document
+      @role_descriptor ||= xpath("//md:RoleDescriptor", md: metadata_namespace).first
+    end
+
+    def service_provider_descriptor_document
+      @service_provider_descriptor ||= xpath("//md:SPSSODescriptor", md: metadata_namespace).first
+    end
+
+    def idp_descriptor_document
+      @idp_descriptor ||= xpath("//md:IDPSSODescriptor", md: metadata_namespace).first
+    end
+
+    def contact_person_document
+      @contact_person_document ||= xpath("//md:ContactPerson", md: metadata_namespace).first
+    end
+
+    def metadata_namespace
+      Saml::XML::Namespaces::METADATA
+    end
+    private :metadata_namespace
+
+    def signature_namespace
+      Saml::XML::Namespaces::SIGNATURE
+    end
+    private :signature_namespace
+  end
+end

data/lib/saml_idp/logout_builder.rb

@@ -0,0 +1,42 @@
+require 'builder'
+module SamlIdp
+  class LogoutBuilder
+    include Signable
+
+    # this is an abstract base class.
+    def build
+      raise "#{self.class} must implement build method"
+    end
+
+    def reference_id
+      UUID.generate
+    end
+
+    def digest
+      algorithm.hexdigest raw
+    end
+
+    def encoded
+      @encoded ||= encode
+    end 
+
+    def raw 
+      build
+    end 
+
+    def encode
+      Base64.strict_encode64(raw)
+    end 
+    private :encode
+
+    def response_id_string
+      "_#{response_id}"
+    end 
+    private :response_id_string
+
+    def now_iso
+      Time.now.utc.iso8601
+    end
+    private :now_iso
+  end
+end

data/lib/saml_idp/logout_request_builder.rb

@@ -0,0 +1,34 @@
+require 'saml_idp/logout_builder'
+module SamlIdp
+  class LogoutRequestBuilder < LogoutBuilder
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :saml_slo_url
+    attr_accessor :name_id
+    attr_accessor :algorithm
+
+    def initialize(response_id, issuer_uri, saml_slo_url, name_id, algorithm)
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.saml_slo_url = saml_slo_url
+      self.name_id = name_id
+      self.algorithm = algorithm
+    end
+
+    def build
+      builder = Builder::XmlMarkup.new
+      builder.LogoutRequest ID: response_id_string,
+        Version: "2.0",
+        IssueInstant: now_iso,
+        Destination: saml_slo_url,
+        "xmlns" => Saml::XML::Namespaces::PROTOCOL do |request|
+          request.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign request
+          request.NameID name_id, xmlns: Saml::XML::Namespaces::ASSERTION,
+            Format: Saml::XML::Namespaces::Formats::NameId::PERSISTENT
+          request.SessionIndex response_id_string
+        end
+    end
+    private :build
+  end
+end

data/lib/saml_idp/logout_response_builder.rb

@@ -0,0 +1,35 @@
+require 'saml_idp/logout_builder'
+module SamlIdp
+  class LogoutResponseBuilder < LogoutBuilder
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :saml_slo_url
+    attr_accessor :saml_request_id
+    attr_accessor :algorithm
+
+    def initialize(response_id, issuer_uri, saml_slo_url, saml_request_id, algorithm)
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.saml_slo_url = saml_slo_url
+      self.saml_request_id = saml_request_id
+      self.algorithm = algorithm
+    end 
+
+    def build
+      builder = Builder::XmlMarkup.new
+      builder.LogoutResponse ID: response_id_string,
+        Version: "2.0",
+        IssueInstant: now_iso,
+        Destination: saml_slo_url,
+        InResponseTo: saml_request_id,
+        xmlns: Saml::XML::Namespaces::PROTOCOL do |response|
+          response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign response
+          response.Status xmlns: Saml::XML::Namespaces::PROTOCOL do |status|
+            status.StatusCode Value: Saml::XML::Namespaces::Statuses::SUCCESS 
+          end 
+        end 
+    end
+    private :build
+  end
+end

data/lib/saml_idp/metadata_builder.rb

@@ -0,0 +1,160 @@
+require 'saml_idp/name_id_formatter'
+require 'saml_idp/attribute_decorator'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
+module SamlIdp
+  class MetadataBuilder
+    include Algorithmable
+    include Signable
+    attr_accessor :configurator
+
+    def initialize(configurator = SamlIdp.config)
+      self.configurator = configurator
+    end
+
+    def fresh
+      builder = Builder::XmlMarkup.new
+      generated_reference_id do
+        builder.EntityDescriptor ID: reference_string,
+          xmlns: Saml::XML::Namespaces::METADATA,
+          "xmlns:saml" => Saml::XML::Namespaces::ASSERTION,
+          "xmlns:ds" => Saml::XML::Namespaces::SIGNATURE,
+          entityID: entity_id do |entity|
+            sign entity
+
+            entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
+              build_key_descriptor descriptor
+              descriptor.SingleLogoutService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: single_logout_service_post_location
+              build_name_id_formats descriptor
+              descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+                Location: single_service_post_location
+              build_attribute descriptor
+            end
+
+            entity.AttributeAuthorityDescriptor protocolSupportEnumeration: protocol_enumeration do |authority_descriptor|
+              build_key_descriptor authority_descriptor
+              build_organization authority_descriptor
+              build_contact authority_descriptor
+              authority_descriptor.AttributeService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+                Location: attribute_service_location
+              build_name_id_formats authority_descriptor
+              build_attribute authority_descriptor
+            end
+
+            build_organization entity
+            build_contact entity
+          end
+      end
+    end
+    alias_method :raw, :fresh
+
+    def build_key_descriptor(el)
+      el.KeyDescriptor use: "signing" do |key_descriptor|
+        key_descriptor.KeyInfo xmlns: Saml::XML::Namespaces::SIGNATURE do |key_info|
+          key_info.X509Data do |x509|
+            x509.X509Certificate x509_certificate
+          end
+        end
+      end
+    end
+    private :build_key_descriptor
+
+    def build_name_id_formats(el)
+      name_id_formats.each do |format|
+        el.NameIDFormat format
+      end
+    end
+    private :build_name_id_formats
+
+    def build_attribute(el)
+      attributes.each do |attribute|
+        el.tag! "saml:Attribute",
+          NameFormat: attribute.name_format,
+          Name: attribute.name,
+          FriendlyName: attribute.friendly_name do |attribute_xml|
+            attribute.values.each do |value|
+              attribute_xml.tag! "saml:AttributeValue", value
+            end
+          end
+      end
+    end
+    private :build_attribute
+
+    def build_organization(el)
+      el.Organization do |organization|
+        organization.OrganizationName organization_name, "xml:lang" => "en"
+        organization.OrganizationDisplayName organization_name, "xml:lang" => "en"
+        organization.OrganizationURL organization_url, "xml:lang" => "en"
+      end
+    end
+    private :build_organization
+
+    def build_contact(el)
+      el.ContactPerson contactType: "technical" do |contact|
+        %w[company given_name sur_name telephone mail_to_string].each do |section|
+          section_value = technical_contact.public_send(section)
+          contact.Company section_value if section_value.present?
+        end
+      end
+    end
+    private :build_contact
+
+    def reference_string
+      "_#{reference_id}"
+    end
+    private :reference_string
+
+    def entity_id
+      configurator.entity_id.presence || configurator.base_saml_location
+    end
+    private :entity_id
+
+    def protocol_enumeration
+      Saml::XML::Namespaces::PROTOCOL
+    end
+    private :protocol_enumeration
+
+    def attributes
+      @attributes ||= configurator.attributes.inject([]) do |list, (key, opts)|
+        opts[:friendly_name] = key
+        list << AttributeDecorator.new(opts)
+        list
+      end
+    end
+    private :attributes
+
+    def name_id_formats
+      @name_id_formats ||= NameIdFormatter.new(configurator.name_id.formats).all
+    end
+    private :name_id_formats
+
+    def raw_algorithm
+      configurator.algorithm
+    end
+    private :raw_algorithm
+
+    def x509_certificate
+      SamlIdp.config.x509_certificate
+      .to_s
+      .gsub(/-----BEGIN CERTIFICATE-----/,"")
+      .gsub(/-----END CERTIFICATE-----/,"")
+      .gsub(/\n/, "")
+    end
+
+    %w[
+      support_email
+      organization_name
+      organization_url
+      attribute_service_location
+      single_service_post_location
+      single_logout_service_post_location
+      technical_contact
+    ].each do |delegatable|
+      define_method(delegatable) do
+        configurator.public_send delegatable
+      end
+      private delegatable
+    end
+  end
+end