RubyGems - icn_saml_idp - Versions diffs - 0.4.1 - Mend

icn_saml_idp 0.4.1

Files changed (129) hide show

checksums.yaml +7 -0
data/Gemfile +2 -0
data/LICENSE +22 -0
data/README.md +238 -0
data/app/controllers/saml_idp/idp_controller.rb +53 -0
data/app/views/saml_idp/idp/new.html.erb +22 -0
data/app/views/saml_idp/idp/saml_post.html.erb +14 -0
data/lib/saml_idp.rb +92 -0
data/lib/saml_idp/algorithmable.rb +19 -0
data/lib/saml_idp/assertion_builder.rb +172 -0
data/lib/saml_idp/attribute_decorator.rb +27 -0
data/lib/saml_idp/attributeable.rb +24 -0
data/lib/saml_idp/configurator.rb +48 -0
data/lib/saml_idp/controller.rb +128 -0
data/lib/saml_idp/default.rb +49 -0
data/lib/saml_idp/encryptor.rb +86 -0
data/lib/saml_idp/engine.rb +5 -0
data/lib/saml_idp/hashable.rb +26 -0
data/lib/saml_idp/incoming_metadata.rb +144 -0
data/lib/saml_idp/logout_builder.rb +42 -0
data/lib/saml_idp/logout_request_builder.rb +34 -0
data/lib/saml_idp/logout_response_builder.rb +35 -0
data/lib/saml_idp/metadata_builder.rb +160 -0
data/lib/saml_idp/name_id_formatter.rb +68 -0
data/lib/saml_idp/persisted_metadata.rb +10 -0
data/lib/saml_idp/request.rb +180 -0
data/lib/saml_idp/response_builder.rb +62 -0
data/lib/saml_idp/saml_response.rb +79 -0
data/lib/saml_idp/service_provider.rb +76 -0
data/lib/saml_idp/signable.rb +131 -0
data/lib/saml_idp/signature_builder.rb +42 -0
data/lib/saml_idp/signed_info_builder.rb +88 -0
data/lib/saml_idp/version.rb +4 -0
data/lib/saml_idp/xml_security.rb +181 -0
data/saml_idp.gemspec +65 -0
data/spec/acceptance/acceptance_helper.rb +9 -0
data/spec/acceptance/idp_controller_spec.rb +16 -0
data/spec/lib/saml_idp/algorithmable_spec.rb +48 -0
data/spec/lib/saml_idp/assertion_builder_spec.rb +106 -0
data/spec/lib/saml_idp/attribute_decorator_spec.rb +53 -0
data/spec/lib/saml_idp/configurator_spec.rb +43 -0
data/spec/lib/saml_idp/controller_spec.rb +94 -0
data/spec/lib/saml_idp/encryptor_spec.rb +27 -0
data/spec/lib/saml_idp/logout_request_builder_spec.rb +41 -0
data/spec/lib/saml_idp/logout_response_builder_spec.rb +41 -0
data/spec/lib/saml_idp/metadata_builder_spec.rb +19 -0
data/spec/lib/saml_idp/name_id_formatter_spec.rb +42 -0
data/spec/lib/saml_idp/request_spec.rb +106 -0
data/spec/lib/saml_idp/response_builder_spec.rb +42 -0
data/spec/lib/saml_idp/saml_response_spec.rb +68 -0
data/spec/lib/saml_idp/service_provider_spec.rb +27 -0
data/spec/lib/saml_idp/signable_spec.rb +77 -0
data/spec/lib/saml_idp/signature_builder_spec.rb +19 -0
data/spec/lib/saml_idp/signed_info_builder_spec.rb +25 -0
data/spec/rails_app/.gitignore +15 -0
data/spec/rails_app/README.rdoc +261 -0
data/spec/rails_app/Rakefile +7 -0
data/spec/rails_app/app/assets/images/rails.png +0 -0
data/spec/rails_app/app/assets/javascripts/application.js +15 -0
data/spec/rails_app/app/assets/stylesheets/application.css +13 -0
data/spec/rails_app/app/controllers/application_controller.rb +3 -0
data/spec/rails_app/app/controllers/saml_controller.rb +8 -0
data/spec/rails_app/app/controllers/saml_idp_controller.rb +11 -0
data/spec/rails_app/app/helpers/application_helper.rb +2 -0
data/spec/rails_app/app/mailers/.gitkeep +0 -0
data/spec/rails_app/app/models/.gitkeep +0 -0
data/spec/rails_app/app/views/layouts/application.html.erb +14 -0
data/spec/rails_app/config.ru +4 -0
data/spec/rails_app/config/application.rb +60 -0
data/spec/rails_app/config/boot.rb +6 -0
data/spec/rails_app/config/database.yml +25 -0
data/spec/rails_app/config/environment.rb +5 -0
data/spec/rails_app/config/environments/development.rb +37 -0
data/spec/rails_app/config/environments/production.rb +67 -0
data/spec/rails_app/config/environments/test.rb +37 -0
data/spec/rails_app/config/initializers/backtrace_silencers.rb +7 -0
data/spec/rails_app/config/initializers/inflections.rb +15 -0
data/spec/rails_app/config/initializers/mime_types.rb +5 -0
data/spec/rails_app/config/initializers/secret_token.rb +7 -0
data/spec/rails_app/config/initializers/session_store.rb +8 -0
data/spec/rails_app/config/initializers/wrap_parameters.rb +14 -0
data/spec/rails_app/config/locales/en.yml +5 -0
data/spec/rails_app/config/routes.rb +6 -0
data/spec/rails_app/db/seeds.rb +7 -0
data/spec/rails_app/doc/README_FOR_APP +2 -0
data/spec/rails_app/lib/assets/.gitkeep +0 -0
data/spec/rails_app/lib/tasks/.gitkeep +0 -0
data/spec/rails_app/log/.gitkeep +0 -0
data/spec/rails_app/public/404.html +26 -0
data/spec/rails_app/public/422.html +26 -0
data/spec/rails_app/public/500.html +25 -0
data/spec/rails_app/public/favicon.ico +0 -0
data/spec/rails_app/public/index.html +241 -0
data/spec/rails_app/public/robots.txt +5 -0
data/spec/rails_app/script/rails +6 -0
data/spec/rails_app/test/fixtures/.gitkeep +0 -0
data/spec/rails_app/test/functional/.gitkeep +0 -0
data/spec/rails_app/test/integration/.gitkeep +0 -0
data/spec/rails_app/test/performance/browsing_test.rb +12 -0
data/spec/rails_app/test/test_helper.rb +13 -0
data/spec/rails_app/test/unit/.gitkeep +0 -0
data/spec/rails_app/vendor/assets/javascripts/.gitkeep +0 -0
data/spec/rails_app/vendor/assets/stylesheets/.gitkeep +0 -0
data/spec/rails_app/vendor/plugins/.gitkeep +0 -0
data/spec/spec_helper.rb +49 -0
data/spec/support/certificates/certificate1 +12 -0
data/spec/support/certificates/r1_certificate2_base64 +1 -0
data/spec/support/responses/adfs_response_sha1.xml +46 -0
data/spec/support/responses/adfs_response_sha256.xml +46 -0
data/spec/support/responses/adfs_response_sha384.xml +46 -0
data/spec/support/responses/adfs_response_sha512.xml +46 -0
data/spec/support/responses/logoutresponse_fixtures.rb +67 -0
data/spec/support/responses/no_signature_ns.xml +48 -0
data/spec/support/responses/open_saml_response.xml +56 -0
data/spec/support/responses/r1_response6.xml.base64 +1 -0
data/spec/support/responses/response1.xml.base64 +1 -0
data/spec/support/responses/response2.xml.base64 +79 -0
data/spec/support/responses/response3.xml.base64 +66 -0
data/spec/support/responses/response4.xml.base64 +93 -0
data/spec/support/responses/response5.xml.base64 +102 -0
data/spec/support/responses/response_with_ampersands.xml +139 -0
data/spec/support/responses/response_with_ampersands.xml.base64 +93 -0
data/spec/support/responses/simple_saml_php.xml +71 -0
data/spec/support/responses/starfield_response.xml.base64 +1 -0
data/spec/support/responses/wrapped_response_2.xml.base64 +150 -0
data/spec/support/saml_request_macros.rb +38 -0
data/spec/support/security_helpers.rb +61 -0
data/spec/xml_security_spec.rb +137 -0
metadata +465 -0

data/lib/saml_idp/name_id_formatter.rb ADDED

@@ -0,0 +1,68 @@
+module SamlIdp
+  class NameIdFormatter
+    attr_accessor :list
+    def initialize(list)
+      self.list = (list || {})
+    end
+    def all
+      if split?
+        one_one.map { |key_val| build("1.1", key_val)[:name] } +
+        two_zero.map { |key_val| build("2.0", key_val)[:name] }
+      else
+        list.map { |key_val| build("2.0", key_val)[:name] }
+      end
+    end
+    def chosen
+      if split?
+        version, choose = "1.1", one_one.first
+        version, choose = "2.0", two_zero.first unless choose
+        version, choose = "2.0", "persistent" unless choose
+        build(version, choose)
+      else
+        choose = list.first || "persistent"
+        build("2.0", choose)
+      end
+    end
+    def build(version, key_val)
+      key_val = Array(key_val)
+      name = key_val.first.to_s.underscore
+      getter = build_getter key_val.last || name
+      {
+        name: "urn:oasis:names:tc:SAML:#{version}:nameid-format:#{name.camelize(:lower)}",
+        getter: getter
+      }
+    end
+    private :build
+    def build_getter(getter_val)
+      if getter_val.respond_to?(:call)
+        getter_val
+      else
+        ->(p) { p.public_send getter_val.to_s }
+      end
+    end
+    private :build_getter
+    def split?
+      list.is_a?(Hash) && (list.key?("2.0") || list.key?("1.1"))
+    end
+    private :split?
+    def one_one
+      list["1.1"] || {}
+    rescue TypeError
+      {}
+    end
+    private :one_one
+    def two_zero
+      list["2.0"] || {}
+    rescue TypeError
+      {}
+    end
+    private :two_zero
+  end
+end

data/lib/saml_idp/persisted_metadata.rb ADDED

@@ -0,0 +1,10 @@
+require 'saml_idp/attributeable'
+module SamlIdp
+  class PersistedMetadata
+    include Attributeable
+    def sign_assertions?
+      !!attributes[:sign_assertions]
+    end
+  end
+end

data/lib/saml_idp/request.rb ADDED

@@ -0,0 +1,180 @@
+require 'saml_idp/xml_security'
+require 'saml_idp/service_provider'
+module SamlIdp
+  class Request
+    def self.from_deflated_request(raw)
+      if raw
+        decoded = Base64.decode64(raw)
+        zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        begin
+          inflated = zstream.inflate(decoded).tap do
+            zstream.finish
+            zstream.close
+          end
+        rescue Zlib::BufError, Zlib::DataError # not compressed
+          inflated = decoded
+        end
+      else
+        inflated = ""
+      end
+      new(inflated)
+    end
+    attr_accessor :raw_xml
+    delegate :config, to: :SamlIdp
+    private :config
+    delegate :xpath, to: :document
+    private :xpath
+    def initialize(raw_xml = "")
+      self.raw_xml = raw_xml
+    end
+    def logout_request?
+      logout_request.nil? ? false : true
+    end
+    def authn_request?
+      authn_request.nil? ? false : true
+    end
+    def request_id
+      request["ID"]
+    end
+    def request
+      if authn_request?
+        authn_request
+      elsif logout_request?
+        logout_request
+      end
+    end
+    def requested_authn_context
+      if authn_request? && authn_context_node
+        authn_context_node.content
+      else
+        nil
+      end
+    end
+    def acs_url
+      service_provider.acs_url ||
+        authn_request["AssertionConsumerServiceURL"].to_s
+    end
+    def logout_url
+      service_provider.assertion_consumer_logout_service_url
+    end
+    def response_url
+      if authn_request?
+        acs_url
+      elsif logout_request?
+        logout_url
+      end
+    end
+    def log(msg)
+      if Rails && Rails.logger
+        Rails.logger.info msg
+      else
+        puts msg
+      end
+    end
+    def valid?
+      unless service_provider?
+        log "Unable to find service provider for issuer #{issuer}"
+        return false
+      end
+      unless (authn_request? ^ logout_request?)
+        log "One and only one of authnrequest and logout request is required. authnrequest: #{authn_request?} logout_request: #{logout_request?} "
+        return false
+      end
+      unless valid_signature?
+        log "Signature is invalid in #{raw_xml}"
+        return false
+      end
+      if response_url.nil?
+        log "Unable to find response url for #{issuer}: #{raw_xml}"
+        return false
+      end
+      return true
+    end
+    def valid_signature?
+      # Force signatures for logout requests because there is no other
+      # protection against a cross-site DoS.
+      service_provider.valid_signature?(document, logout_request?)
+    end
+    def service_provider?
+      service_provider.valid?
+    end
+    def service_provider
+      @_service_provider ||= ServiceProvider.new((service_provider_finder[issuer] || {}).merge(identifier: issuer))
+    end
+    def issuer
+      @_issuer ||= xpath("//saml:Issuer", saml: assertion).first.try(:content)
+      @_issuer if @_issuer.present?
+    end
+    def name_id
+      @_name_id ||= xpath("//saml:NameID", saml: assertion).first.try(:content)
+    end
+    def session_index
+      @_session_index ||= xpath("//samlp:SessionIndex", samlp: samlp).first.try(:content)
+    end
+    def document
+      @_document ||= Saml::XML::Document.parse(raw_xml)
+    end
+    private :document
+    def authn_context_node
+      @_authn_context_node ||= xpath("//samlp:AuthnRequest/samlp:RequestedAuthnContext/saml:AuthnContextClassRef",
+        samlp: samlp,
+        saml: assertion).first
+    end
+    private :authn_context_node
+    def authn_request
+      @_authn_request ||= xpath("//samlp:AuthnRequest", samlp: samlp).first
+    end
+    private :authn_request
+    def logout_request
+      @_logout_request ||= xpath("//samlp:LogoutRequest", samlp: samlp).first
+    end
+    private :logout_request
+    def samlp
+      Saml::XML::Namespaces::PROTOCOL
+    end
+    private :samlp
+    def assertion
+      Saml::XML::Namespaces::ASSERTION
+    end
+    private :assertion
+    def signature_namespace
+      Saml::XML::Namespaces::SIGNATURE
+    end
+    private :signature_namespace
+    def service_provider_finder
+      config.service_provider.finder
+    end
+    private :service_provider_finder
+  end
+end

data/lib/saml_idp/response_builder.rb ADDED

@@ -0,0 +1,62 @@
+require 'builder'
+module SamlIdp
+  class ResponseBuilder
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :saml_acs_url
+    attr_accessor :saml_request_id
+    attr_accessor :assertion_and_signature
+    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature)
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.saml_acs_url = saml_acs_url
+      self.saml_request_id = saml_request_id
+      self.assertion_and_signature = assertion_and_signature
+    end
+    def encoded
+      @encoded ||= encode
+    end
+    def raw
+      build
+    end
+    def encode
+      Base64.strict_encode64(raw)
+    end
+    private :encode
+    def build
+      resp_options = {}
+      resp_options[:ID] = response_id_string
+      resp_options[:Version] =  "2.0"
+      resp_options[:IssueInstant] = now_iso
+      resp_options[:Destination] = saml_acs_url
+      resp_options[:Consent] = Saml::XML::Namespaces::Consents::UNSPECIFIED
+      resp_options[:InResponseTo] = saml_request_id unless saml_request_id.nil?
+      resp_options["xmlns:samlp"] = Saml::XML::Namespaces::PROTOCOL
+      builder = Builder::XmlMarkup.new
+      builder.tag! "samlp:Response", resp_options do |response|
+          response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          response.tag! "samlp:Status" do |status|
+            status.tag! "samlp:StatusCode", Value: Saml::XML::Namespaces::Statuses::SUCCESS
+          end
+          response << assertion_and_signature
+        end
+    end
+    private :build
+    def response_id_string
+      "_#{response_id}"
+    end
+    private :response_id_string
+    def now_iso
+      Time.now.utc.iso8601
+    end
+    private :now_iso
+  end
+end

data/lib/saml_idp/saml_response.rb ADDED

@@ -0,0 +1,79 @@
+require 'saml_idp/assertion_builder'
+require 'saml_idp/response_builder'
+module SamlIdp
+  class SamlResponse
+    attr_accessor :assertion_with_signature
+    attr_accessor :reference_id
+    attr_accessor :response_id
+    attr_accessor :issuer_uri
+    attr_accessor :principal
+    attr_accessor :audience_uri
+    attr_accessor :saml_request_id
+    attr_accessor :saml_acs_url
+    attr_accessor :algorithm
+    attr_accessor :secret_key
+    attr_accessor :x509_certificate
+    attr_accessor :authn_context_classref
+    attr_accessor :expiry
+    attr_accessor :encryption_opts
+    def initialize(reference_id,
+          response_id,
+          issuer_uri,
+          principal,
+          audience_uri,
+          saml_request_id,
+          saml_acs_url,
+          algorithm,
+          authn_context_classref,
+          expiry=60*60,
+          encryption_opts=nil
+          )
+      self.reference_id = reference_id
+      self.response_id = response_id
+      self.issuer_uri = issuer_uri
+      self.principal = principal
+      self.audience_uri = audience_uri
+      self.saml_request_id = saml_request_id
+      self.saml_acs_url = saml_acs_url
+      self.algorithm = algorithm
+      self.secret_key = secret_key
+      self.x509_certificate = x509_certificate
+      self.authn_context_classref = authn_context_classref
+      self.expiry = expiry
+      self.encryption_opts = encryption_opts
+    end
+    def build
+      @built ||= response_builder.encoded
+    end
+    def signed_assertion
+      if encryption_opts
+        assertion_builder.encrypt(sign: true)
+      else
+        assertion_builder.signed
+      end
+    end
+    private :signed_assertion
+    def response_builder
+      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
+    end
+    private :response_builder
+    def assertion_builder
+      @assertion_builder ||= AssertionBuilder.new reference_id,
+        issuer_uri,
+        principal,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        algorithm,
+        authn_context_classref,
+        expiry,
+        encryption_opts
+    end
+    private :assertion_builder
+  end
+end

data/lib/saml_idp/service_provider.rb ADDED

@@ -0,0 +1,76 @@
+require 'httparty'
+require 'saml_idp/attributeable'
+require 'saml_idp/incoming_metadata'
+require 'saml_idp/persisted_metadata'
+module SamlIdp
+  class ServiceProvider
+    include Attributeable
+    attribute :identifier
+    attribute :cert
+    attribute :fingerprint
+    attribute :metadata_url
+    attribute :validate_signature
+    attribute :acs_url
+    attribute :assertion_consumer_logout_service_url
+    delegate :config, to: :SamlIdp
+    def valid?
+      attributes.present?
+    end
+    def valid_signature?(doc, require_signature = false)
+      if require_signature || should_validate_signature?
+        doc.valid_signature?(fingerprint)
+      else
+        true
+      end
+    end
+    def should_validate_signature?
+      attributes[:validate_signature] ||
+        current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions?
+    end
+    def refresh_metadata
+      fresh = fresh_incoming_metadata
+      if valid_signature?(fresh.document)
+        metadata_persister[identifier, fresh]
+        @current_metadata = nil
+        fresh
+      end
+    end
+    def current_metadata
+      @current_metadata ||= get_current_or_build
+    end
+    def get_current_or_build
+      persisted = metadata_getter[identifier, self]
+      if persisted.is_a? Hash
+        PersistedMetadata.new(persisted)
+      end
+    end
+    private :get_current_or_build
+    def metadata_getter
+      config.service_provider.persisted_metadata_getter
+    end
+    private :metadata_getter
+    def metadata_persister
+      config.service_provider.metadata_persister
+    end
+    private :metadata_persister
+    def fresh_incoming_metadata
+      IncomingMetadata.new request_metadata
+    end
+    private :fresh_incoming_metadata
+    def request_metadata
+      metadata_url.present? ? HTTParty.get(metadata_url).body : ""
+    end
+    private :request_metadata
+  end
+end