icn_saml_idp 0.4.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ea7921102fe43bfbba0086ee40cfd65f7783e1ad
+  data.tar.gz: 542bc9cc6358ccb222f47a164506354afa70e0ab
+SHA512:
+  metadata.gz: 0602eb253d25f4dac6106ff2dc1f2a8ebd2eb4cab128d4ec588ce1e528427374d7a8f44d44d888266548f3c035ecc44eb735cb6e16e83be3d3cccfdc9a2d30df
+  data.tar.gz: 10aa55f5cdc46f505910a8fcb1b86c4a843ec046be75d33ca29ea3baacb4cea1e3b1bb8518120fc22079a19f7365bfc86d47675bcd75927c673386c56905169a

data/Gemfile

@@ -0,0 +1,2 @@
+source "http://rubygems.org"
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Sport Ngin (http://sportngin.com)
+Portions Copyright (c) 2010 OneLogin, LLC
+Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,238 @@
+# Ruby SAML Identity Provider (IdP)
+Forked from https://github.com/lawrencepit/ruby-saml-idp
+
+[![Build Status](https://travis-ci.org/sportngin/saml_idp.png)](https://travis-ci.org/sportngin/saml_idp)
+[![Gem Version](https://badge.fury.io/rb/saml_idp.png)](http://badge.fury.io/rb/saml_idp)
+
+The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows
+your application to act as an IdP (Identity Provider) using the
+[SAML v2.0](http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language)
+protocol. It provides a means for managing authentication requests and confirmation responses for SPs (Service Providers).
+
+This was originally setup by @lawrencepit to test SAML Clients. I took it closer to a real
+SAML IDP implementation.
+
+# Installation and Usage
+
+Add this to your Gemfile:
+
+    gem 'saml_idp'
+
+## Not using rails?
+Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
+
+Basically you call `decode_request(params[:SAMLRequest])` on an incoming request and then use the value
+`saml_acs_url` to determine the source for which you need to authenticate a user. How you authenticate
+a user is entirely up to you.
+
+Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by
+posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to
+`encode_response(user_email)`.
+
+## Using rails?
+Add to your `routes.rb` file, for example:
+
+``` ruby
+get '/saml/auth' => 'saml_idp#new'
+get '/saml/metadata' => 'saml_idp#show'
+post '/saml/auth' => 'saml_idp#create'
+match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
+```
+
+Create a controller that looks like this, customize to your own situation:
+
+``` ruby
+class SamlIdpController
+  include SamlIdp::IdpController
+
+  def idp_authenticate(email, password) # not using params intentionally
+    user = User.by_email(email).first
+    user && user.valid_password?(password) ? user : nil
+  end
+  private :idp_authenticate
+
+  def idp_make_saml_response(found_user) # not using params intentionally
+    # NOTE encryption is optional
+    encode_response found_user, encryption: {
+      cert: saml_request.service_provider.cert,
+      block_encryption: 'aes256-cbc',
+      key_transport: 'rsa-oaep-mgf1p'
+    }
+  end
+  private :idp_make_saml_response
+
+  def idp_logout
+    user = User.by_email(saml_request.name_id)
+    user.logout
+  end
+  private :idp_logout
+end
+```
+
+## Configuration
+
+Be sure to load a file like this during your app initialization:
+
+```ruby
+SamlIdp.configure do |config|
+  base = "http://example.com"
+
+  config.x509_certificate = <<-CERT
+-----BEGIN CERTIFICATE-----
+CERTIFICATE DATA
+-----END CERTIFICATE-----
+CERT
+
+  config.secret_key = <<-CERT
+-----BEGIN RSA PRIVATE KEY-----
+KEY DATA
+-----END RSA PRIVATE KEY-----
+CERT
+
+  # config.password = "secret_key_password"
+  # config.algorithm = :sha256
+  # config.organization_name = "Your Organization"
+  # config.organization_url = "http://example.com"
+  # config.base_saml_location = "#{base}/saml"
+  # config.reference_id_generator                   # Default: -> { UUID.generate }
+  # config.attribute_service_location = "#{base}/saml/attributes"
+  # config.single_service_post_location = "#{base}/saml/auth"
+
+  # Principal (e.g. User) is passed in when you `encode_response`
+  #
+  # config.name_id.formats # =>
+  #   {                         # All 2.0
+  #     email_address: -> (principal) { principal.email_address },
+  #     transient: -> (principal) { principal.id },
+  #     persistent: -> (p) { p.id },
+  #   }
+  #   OR
+  #
+  #   {
+  #     "1.1" => {
+  #       email_address: -> (principal) { principal.email_address },
+  #     },
+  #     "2.0" => {
+  #       transient: -> (principal) { principal.email_address },
+  #       persistent: -> (p) { p.id },
+  #     },
+  #   }
+
+  # If Principal responds to a method called `asserted_attributes`
+  # the return value of that method will be used in lieu of the
+  # attributes defined here in the global space. This allows for
+  # per-user attribute definitions.
+  #
+  ## EXAMPLE **
+  # class User
+  #   def asserted_attributes
+  #     {
+  #       phone: { getter: :phone },
+  #       email: {
+  #         getter: :email,
+  #         name_format: Saml::XML::Namespaces::Formats::NameId::EMAIL_ADDRESS,
+  #         name_id_format: Saml::XML::Namespaces::Formats::NameId::EMAIL_ADDRESS
+  #       }
+  #     }
+  #   end
+  # end
+  #
+  # If you have a method called `asserted_attributes` in your Principal class,
+  # there is no need to define it here in the config.
+
+  # config.attributes # =>
+  #   {
+  #     <friendly_name> => {                                                  # required (ex "eduPersonAffiliation")
+  #       "name" => <attrname>                                                # required (ex "urn:oid:1.3.6.1.4.1.5923.1.1.1.1")
+  #       "name_format" => "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", # not required
+  #       "getter" => ->(principal) {                                         # not required
+  #         principal.get_eduPersonAffiliation                                # If no "getter" defined, will try
+  #       }                                                                   # `principal.eduPersonAffiliation`, or no values will
+  #    }                                                                      # be output
+  #
+  ## EXAMPLE ##
+  # config.attributes = {
+  #   GivenName: {
+  #     getter: :first_name,
+  #   },
+  #   SurName: {
+  #     getter: :last_name,
+  #   },
+  # }
+  ## EXAMPLE ##
+
+  # config.technical_contact.company = "Example"
+  # config.technical_contact.given_name = "Jonny"
+  # config.technical_contact.sur_name = "Support"
+  # config.technical_contact.telephone = "55555555555"
+  # config.technical_contact.email_address = "example@example.com"
+
+  service_providers = {
+    "some-issuer-url.com/saml" => {
+      fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D",
+      metadata_url: "http://some-issuer-url.com/saml/metadata"
+    },
+  }
+
+  # `identifier` is the entity_id or issuer of the Service Provider,
+  # settings is an IncomingMetadata object which has a to_h method that needs to be persisted
+  config.service_provider.metadata_persister = ->(identifier, settings) {
+    fname = identifier.to_s.gsub(/\/|:/,"_")
+    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    File.open Rails.root.join("cache/saml/metadata/#{fname}"), "r+b" do |f|
+      Marshal.dump settings.to_h, f
+    end
+  }
+
+  # `identifier` is the entity_id or issuer of the Service Provider,
+  # `service_provider` is a ServiceProvider object. Based on the `identifier` or the
+  # `service_provider` you should return the settings.to_h from above
+  config.service_provider.persisted_metadata_getter = ->(identifier, service_provider){
+    fname = identifier.to_s.gsub(/\/|:/,"_")
+    `mkdir -p #{Rails.root.join("cache/saml/metadata")}`
+    full_filename = Rails.root.join("cache/saml/metadata/#{fname}")
+    if File.file?(full_filename)
+      File.open full_filename, "rb" do |f|
+        Marshal.load f
+      end
+    end
+  }
+
+  # Find ServiceProvider metadata_url and fingerprint based on our settings
+  config.service_provider.finder = ->(issuer_or_entity_id) do
+    service_providers[issuer_or_entity_id]
+  end
+end
+```
+
+# Keys and Secrets
+To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
+You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
+Obviously you shouldn't use these if you intend to use this in production environments. In that case,
+within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_filter`
+callback within the current request context or set them globally via the `SamlIdp.config.x509_certificate`
+and `SamlIdp.config.secret_key` properties.
+
+The fingerprint to use, if you use the default X.509 certificate of this gem, is:
+
+```
+9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
+```
+
+
+# Service Providers
+To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
+excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
+
+
+# Author
+Jon Phenow, me@jphenow.com
+
+Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
+
+# Copyright
+Copyright (c) 2012 Sport Ngin.
+Portions Copyright (c) 2010 OneLogin, LLC
+Portions Copyright (c) 2012 Lawrence Pit (http://lawrencepit.com)
+
+See LICENSE for details.

data/app/controllers/saml_idp/idp_controller.rb

@@ -0,0 +1,53 @@
+# encoding: utf-8
+module SamlIdp
+  class IdpController < ActionController::Base
+    include SamlIdp::Controller
+
+    unloadable unless Rails::VERSION::MAJOR >= 4
+    protect_from_forgery
+    before_filter :validate_saml_request, only: [:new, :create]
+
+    def new
+      render template: "saml_idp/idp/new"
+    end
+
+    def show
+      render xml: SamlIdp.metadata.signed
+    end
+
+    def create
+      unless params[:email].blank? && params[:password].blank?
+        person = idp_authenticate(params[:email], params[:password])
+        if person.nil?
+          @saml_idp_fail_msg = "Incorrect email or password."
+        else
+          @saml_response = idp_make_saml_response(person)
+          render :template => "saml_idp/idp/saml_post", :layout => false
+          return
+        end
+      end
+      render :template => "saml_idp/idp/new"
+    end
+
+    def logout
+      idp_logout
+      @saml_response = idp_make_saml_response(nil)
+      render :template => "saml_idp/idp/saml_post", :layout => false
+    end
+
+    def idp_logout
+      raise NotImplementedError
+    end
+    private :idp_logout
+
+    def idp_authenticate(email, password)
+      raise NotImplementedError
+    end
+    protected :idp_authenticate
+
+    def idp_make_saml_response(person)
+      raise NotImplementedError
+    end
+    protected :idp_make_saml_response
+  end
+end

data/app/views/saml_idp/idp/new.html.erb

@@ -0,0 +1,22 @@
+<% if @saml_idp_fail_msg %>
+  <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
+<% end %>
+
+<%= form_tag do %>
+  <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+  <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+
+  <p>
+    <%= label_tag :email %>
+    <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= label_tag :password %>
+    <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= submit_tag "Sign in", :class => "button big blueish" %>
+  </p>
+<% end %>

data/app/views/saml_idp/idp/saml_post.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+  </head>
+  <body onload="document.forms[0].submit();" style="visibility:hidden;">
+    <%= form_tag(saml_acs_url) do %>
+      <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+      <%= hidden_field_tag("RelayState", params[:RelayState]) %>
+      <%= submit_tag "Submit" %>
+    <% end %>
+  </body>
+</html>

data/lib/saml_idp.rb

@@ -0,0 +1,92 @@
+# encoding: utf-8
+module SamlIdp
+  require 'active_support/all'
+  require 'saml_idp/saml_response'
+  require 'saml_idp/xml_security'
+  require 'saml_idp/configurator'
+  require 'saml_idp/controller'
+  require 'saml_idp/default'
+  require 'saml_idp/metadata_builder'
+  require 'saml_idp/version'
+  require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+
+  def self.config
+    @config ||= SamlIdp::Configurator.new
+  end
+
+  def self.configure
+    yield config
+  end
+
+  def self.metadata
+    @metadata ||= MetadataBuilder.new(config)
+  end
+end
+
+# TODO Needs extraction out
+module Saml
+  module XML
+    module Namespaces
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      SIGNATURE = "http://www.w3.org/2000/09/xmldsig#"
+      PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      module Statuses
+        SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+      end
+
+      module Consents
+        UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+      end
+
+      module AuthnContext
+        module ClassRef
+          PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+          PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+        end
+      end
+
+      module Methods
+        BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+      end
+
+      module Formats
+        module Attr
+          URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+        end
+
+        module NameId
+          EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+          PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+        end
+      end
+    end
+
+    class Document < Nokogiri::XML::Document
+      def signed?
+        !!xpath("//ds:Signature", ds: signature_namespace).first
+      end
+
+      def valid_signature?(fingerprint)
+        signed? &&
+          signed_document.validate(fingerprint, :soft)
+      end
+
+      def signed_document
+        SamlIdp::XMLSecurity::SignedDocument.new(to_xml)
+      end
+
+      def signature_namespace
+        Namespaces::SIGNATURE
+      end
+
+      def to_xml
+        super(
+          save_with: Nokogiri::XML::Node::SaveOptions::AS_XML | Nokogiri::XML::Node::SaveOptions::NO_DECLARATION
+        ).strip
+      end
+    end
+  end
+end