icn_saml_idp 0.4.1

data/saml_idp.gemspec

@@ -0,0 +1,65 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "saml_idp/version"
+
+Gem::Specification.new do |s|
+  s.name = %q{icn_saml_idp}
+  s.version = SamlIdp::VERSION
+  s.platform = Gem::Platform::RUBY
+  s.authors = ["Jon Phenow"]
+  s.email = %q{jon.phenow@sportngin.com}
+  s.homepage = %q{http://github.com/icapitalnetwork/saml_idp}
+  s.summary = %q{SAML Indentity Provider in ruby}
+  s.description = %q{SAML IdP (Identity Provider) library in ruby}
+  s.date = Time.now.utc.strftime("%Y-%m-%d")
+  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
+     "LICENSE",
+     "README.md",
+     "Gemfile",
+     "saml_idp.gemspec"
+  ]
+  s.required_ruby_version = '>= 2.2'
+  s.license = "LICENSE"
+  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  s.rdoc_options = ["--charset=UTF-8"]
+
+  s.post_install_message = <<-INST
+If you're just recently updating saml_idp - please be aware we've changed the default
+certificate. See the PR and a description of why we've done this here:
+https://github.com/sportngin/saml_idp/pull/29
+
+If you just need to see the certificate `bundle open saml_idp` and go to
+`lib/saml_idp/default.rb`
+
+Similarly, please see the README about certificates - you should avoid using the
+defaults in a Production environment. Post any issues you to github.
+
+** New in Version 0.3.0 **
+
+Encrypted Assertions require the xmlenc gem. See the example in the Controller
+section of the README.
+
+** New in Version 0.4.1 **
+
+Some standards were not being followed, so the repo was forked to increase compliance.
+
+  INST
+
+  s.add_dependency('activesupport', '>= 3.2')
+  s.add_dependency('uuid', '~> 2.3')
+  s.add_dependency('builder', '~> 3.0')
+  s.add_dependency('httparty', '~> 0.14')
+  s.add_dependency('nokogiri', '>= 1.6.2')
+
+  s.add_development_dependency('rake', '~> 10.4.2')
+  s.add_development_dependency('simplecov', '~> 0.12')
+  s.add_development_dependency('rspec', '~> 2.5')
+  s.add_development_dependency('ruby-saml', '~> 1.3')
+  s.add_development_dependency('rails', '~> 3.2')
+  s.add_development_dependency('capybara', '~> 2.11.0')
+  s.add_development_dependency('timecop', '~> 0.8')
+  s.add_development_dependency('xmlenc', '>= 0.6.4')
+end
+

data/spec/acceptance/acceptance_helper.rb

@@ -0,0 +1,9 @@
+require File.expand_path(File.dirname(__FILE__) + "/../spec_helper")
+require 'capybara/rspec'
+
+# Put your acceptance spec helpers inside /spec/acceptance/support
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  config.include Rails.application.routes.url_helpers, :type => :request
+end

data/spec/acceptance/idp_controller_spec.rb

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature 'IdpController' do
+
+  scenario 'Login via default signup page' do
+    saml_request = make_saml_request("http://foo.example.com/saml/consume")
+    visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
+    fill_in 'Email', :with => "foo@example.com"
+    fill_in 'Password', :with => "okidoki"
+    click_button 'Sign in'
+    click_button 'Submit'   # simulating onload
+    current_url.should == 'http://foo.example.com/saml/consume'
+    page.should have_content "foo@example.com"
+  end
+
+end

data/spec/lib/saml_idp/algorithmable_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+module SamlIdp
+  describe "Algorithmable" do
+    include Algorithmable
+
+    describe "named raw algorithm" do
+      def raw_algorithm
+        :sha256
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA256
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha256"
+      end
+    end
+
+    describe "class raw algorithm" do
+      def raw_algorithm
+        OpenSSL::Digest::SHA512
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA512
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha512"
+      end
+    end
+
+    describe "nonexistent raw algorithm" do
+      def raw_algorithm
+        :sha1024
+      end
+
+      it "finds algorithm class" do
+        algorithm.should == OpenSSL::Digest::SHA1
+      end
+
+      it "finds the name" do
+        algorithm_name.should == "sha1"
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -0,0 +1,106 @@
+require 'spec_helper'
+module SamlIdp
+  describe AssertionBuilder do
+    let(:reference_id) { "abc" }
+    let(:issuer_uri) { "http://sportngin.com" }
+    let(:name_id) { "jon.phenow@sportngin.com" }
+    let(:audience_uri) { "http://example.com" }
+    let(:saml_request_id) { "123" }
+    let(:saml_acs_url) { "http://saml.acs.url" }
+    let(:algorithm) { :sha256 }
+    let(:authn_context_classref) {
+      Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
+    }
+    let(:expiry) { 3*60*60 }
+    let (:encryption_opts) do
+      {
+        cert: Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }
+    end
+    subject { described_class.new(
+      reference_id,
+      issuer_uri,
+      name_id,
+      audience_uri,
+      saml_request_id,
+      saml_acs_url,
+      algorithm,
+      authn_context_classref,
+      expiry
+    ) }
+
+    context "No Request ID" do
+      let(:saml_request_id) { nil }
+
+      it "builds a legit raw XML file" do
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+        end
+      end
+    end
+
+    it "builds a legit raw XML file" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"email-address\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+      end
+    end
+
+    describe "without attributes" do
+      let(:config) { SamlIdp::Configurator.new }
+      before do
+        config.name_id.formats = {
+          "1.1" => {
+            email_address: ->(p) { "foo@example.com" }
+          }
+        }
+        SamlIdp.stub(config: config)
+      end
+
+      it "doesn't include attribute statement" do
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          subject.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+        end
+      end
+    end
+
+    describe "with principal.asserted_attributes" do
+      it "delegates attributes to principal" do
+        Principal = Struct.new(:email, :asserted_attributes)
+        principal = Principal.new('foo@example.com', { emailAddress: { getter: :email } })
+        builder = described_class.new(
+          reference_id,
+          issuer_uri,
+          principal,
+          audience_uri,
+          saml_request_id,
+          saml_acs_url,
+          algorithm,
+          authn_context_classref,
+          expiry
+        )
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          builder.raw.should == "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2010-06-01T13:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">foo@example.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2010-06-01T13:03:00Z\" Recipient=\"http://saml.acs.url\"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore=\"2010-06-01T12:59:55Z\" NotOnOrAfter=\"2010-06-01T16:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"emailAddress\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" FriendlyName=\"emailAddress\"><AttributeValue>foo@example.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=\"2010-06-01T13:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>"
+        end
+      end
+    end
+
+    it "builds encrypted XML" do
+      builder = described_class.new(
+        reference_id,
+        issuer_uri,
+        name_id,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        algorithm,
+        authn_context_classref,
+        expiry,
+        encryption_opts
+      )
+      encrypted_xml = builder.encrypt
+      encrypted_xml.should_not match(audience_uri)
+    end
+  end
+end

data/spec/lib/saml_idp/attribute_decorator_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+module SamlIdp
+  describe AttributeDecorator do
+    subject { described_class.new name: name,
+              friendly_name: friendly_name,
+              name_format: name_format,
+              values: values
+    }
+    let(:name) { nil }
+    let(:friendly_name) { nil }
+    let(:name_format) { nil }
+    let(:values) { nil }
+
+    it "has a valid name" do
+      subject.name.should be_nil
+    end
+
+    it "has a valid friendly_name" do
+      subject.friendly_name.should be_nil
+    end
+
+    it "has a valid name_format" do
+      subject.name_format.should == Saml::XML::Namespaces::Formats::Attr::URI
+    end
+
+    it "has a valid values" do
+      subject.values.should == []
+    end
+
+    describe "with values set" do
+      let(:name) { "test" }
+      let(:friendly_name) { "test too" }
+      let(:name_format) { "some format" }
+      let(:values) { :val }
+
+      it "has a valid name" do
+        subject.name.should == name
+      end
+
+      it "has a valid friendly_name" do
+        subject.friendly_name.should == friendly_name
+      end
+
+      it "has a valid name_format" do
+        subject.name_format.should == name_format
+      end
+
+      it "has a valid values" do
+        subject.values.should == [values]
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+module SamlIdp
+  describe Configurator do
+    it { should respond_to :x509_certificate }
+    it { should respond_to :secret_key }
+    it { should respond_to :algorithm }
+    it { should respond_to :organization_name }
+    it { should respond_to :organization_url }
+    it { should respond_to :base_saml_location }
+    it { should respond_to :reference_id_generator }
+    it { should respond_to :attribute_service_location }
+    it { should respond_to :single_service_post_location }
+    it { should respond_to :single_logout_service_post_location }
+    it { should respond_to :name_id }
+    it { should respond_to :attributes }
+    it { should respond_to :service_provider }
+
+    it "has a valid x509_certificate" do
+      subject.x509_certificate.should == Default::X509_CERTIFICATE
+    end
+
+    it "has a valid secret_key" do
+      subject.secret_key.should == Default::SECRET_KEY
+    end
+
+    it "has a valid algorithm" do
+      subject.algorithm.should == :sha1
+    end
+
+    it "has a valid reference_id_generator" do
+      subject.reference_id_generator.should respond_to :call
+    end
+
+
+    it "can call service provider finder" do
+      subject.service_provider.finder.should respond_to :call
+    end
+
+    it "can call service provider metadata persister" do
+      subject.service_provider.metadata_persister.should respond_to :call
+    end
+  end
+end

data/spec/lib/saml_idp/controller_spec.rb

@@ -0,0 +1,94 @@
+# encoding: utf-8
+require 'spec_helper'
+
+describe SamlIdp::Controller do
+  include SamlIdp::Controller
+
+  def render(*)
+  end
+
+  def params
+    @params ||= {}
+  end
+
+  it "should find the SAML ACS URL" do
+    requested_saml_acs_url = "https://example.com/saml/consume"
+    params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
+    validate_saml_request
+    saml_acs_url.should == requested_saml_acs_url
+  end
+
+  context "SAML Responses" do
+    let(:principal) { double email_address: "foo@example.com" }
+    let (:encryption_opts) do
+      {
+        cert: SamlIdp::Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }
+    end
+
+    context "unsolicited Response" do
+      it "should create a SAML Response" do
+        saml_response = encode_response(principal, { audience_uri: 'http://example.com/issuer', issuer_uri: 'http://example.com', acs_url: 'https://foo.example.com/saml/consume' })
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.name_id.should == "foo@example.com"
+        response.issuers.first.should == "http://example.com"
+        response.settings = saml_settings
+        response.is_valid?.should be_truthy
+      end
+    end
+
+    context "solicited Response" do
+      before(:each) do
+        params[:SAMLRequest] = make_saml_request
+        validate_saml_request
+      end
+
+      it "should create a SAML Response" do
+        saml_response = encode_response(principal)
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        response.name_id.should == "foo@example.com"
+        response.issuers.first.should == "http://example.com"
+        response.settings = saml_settings
+        response.is_valid?.should be_truthy
+      end
+
+      it "should create a SAML Logout Response" do
+        params[:SAMLRequest] = make_saml_logout_request
+        validate_saml_request
+        expect(saml_request.logout_request?).to eq true
+        saml_response = encode_response(principal)
+        response = OneLogin::RubySaml::Logoutresponse.new(saml_response, saml_settings)
+        response.validate.should == true
+        response.issuer.should == "http://example.com"
+      end
+
+
+      [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
+        it "should create a SAML Response using the #{algorithm_name} algorithm" do
+          self.algorithm = algorithm_name
+          saml_response = encode_response(principal)
+          response = OneLogin::RubySaml::Response.new(saml_response)
+          response.name_id.should == "foo@example.com"
+          response.issuers.first.should == "http://example.com"
+          response.settings = saml_settings
+          response.is_valid?.should be_truthy
+        end
+
+        it "should encrypt SAML Response assertion" do
+          self.algorithm = algorithm_name
+          saml_response = encode_response(principal, encryption: encryption_opts)
+          resp_settings = saml_settings
+          resp_settings.private_key = SamlIdp::Default::SECRET_KEY
+          response = OneLogin::RubySaml::Response.new(saml_response, settings: resp_settings)
+          response.document.to_s.should_not match("foo@example.com")
+          response.decrypted_document.to_s.should match("foo@example.com")
+          response.name_id.should == "foo@example.com"
+          response.issuers.first.should == "http://example.com"
+          response.is_valid?.should be_truthy
+        end
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/encryptor_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+require 'saml_idp/encryptor'
+
+module SamlIdp
+  describe Encryptor do
+    let (:encryption_opts) do
+      {   
+        cert: Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }   
+    end
+
+    subject { described_class.new encryption_opts }
+
+    it "encrypts XML" do
+      raw_xml = '<foo>bar</foo>'
+      encrypted_xml = subject.encrypt(raw_xml)
+      encrypted_xml.should_not match 'bar'
+      encrypted_doc = Nokogiri::XML::Document.parse(encrypted_xml)
+      encrypted_data = Xmlenc::EncryptedData.new(encrypted_doc.at_xpath('//xenc:EncryptedData', Xmlenc::NAMESPACES))
+      decrypted_xml = encrypted_data.decrypt(subject.encryption_key)
+      decrypted_xml.should == raw_xml
+    end
+  end
+end