libsaml 2.0.5

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NzdjMGJhZTcxYTc2MTUxMmNlMTdhNzEzNDlmOGI4ODEyZDQxMTBhNg==
+  data.tar.gz: !binary |-
+    NTY3YjkxMDI3OTQyNjUyYTViZDc5MTAxZTBjYzM4ZjllOGVkYzM0Mg==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    NDcwYjA1YTZmZDcyZGVhZmVmNDlhMjhmMWQ1ZDRiNGIzNzU0YzIzMTE2Y2U5
+    ZmUxYmUyYTBkNGVkN2ZhMTZlYjNjZjgzNjE2ZmZmOTIwMzIyNzA0MWQxMjdh
+    M2FkY2NjODEyYjdkMTIwNzY5NzVmYmI3MmJhZTIyMzdhZTM2MTE=
+  data.tar.gz: !binary |-
+    ODdjOTk5ZjJhZWZjMmFiN2M3NWFlYzA4N2Y3Njk2OWUxYTk3YzFmMGZjNTZj
+    Y2YwYzcwYzI2YWM0YzNhZjc4NzE4Y2UzYTRjZjBhMzZmNjQ4NjgzNWY4NDU2
+    Y2ZjODYxNWE4YTBkMDhmNjY5ZDJjZjQ1NGIzN2E2NzM4ZDJhNWY=

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 Digidentity
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,91 @@
+{<img src="https://travis-ci.org/digidentity/libsaml.png?branch=master" alt="Build Status" />}[https://travis-ci.org/digidentity/libsaml]
+= libsaml
+Libsaml is a Ruby gem to easily create SAML 2.0 messages. This gem was written because other SAML gems were missing functionality such as XML signing.
+
+Libsaml's features include:
+- Bindings: HTTP-Post, HTTP-Redirect, HTTP-Artifact, SOAP
+- XML signing and verification
+- Pluggable backend for providers (FileStore backend included)
+
+Copyright Digidentity BV, released under the MIT license. This gem was written by Benoist Claassen.
+
+= Installation
+
+Place in your Gemfile:
+  gem 'libsaml', require: 'saml'
+
+= Usage
+Below follows how to configure the SAML gem in a service provider.
+
+Store the private key in:
+config/ssl/key.pem
+
+Store the public key of the identity provider in:
+config/ssl/trust-federate.cert
+
+Add the Identity Provider web container configuration file to config/metadata/service_provider.xml.
+This contains an encoded version of the public key, generate this in the ruby console by typing:
+  irb
+  require 'openssl'
+  require 'base64'
+  pem = File.open("config/ssl/trust-federate.cert").read
+  cert = OpenSSL::X509::Certificate.new(pem)
+  output = Base64.encode64(cert.to_der).gsub("\n", "")
+
+Add the Service Provider configuration file to config/metadata/service_provider.xml:
+  <?xml version="1.0" encoding="UTF-8"?>
+  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"   ID="_052c51476c9560a429e1171e8c9528b96b69fb57" entityID="my:very:original:entityid">
+    <md:SPSSODescriptor>
+      <md:KeyDescriptor use="signing">
+        <ds:KeyInfo>
+          <ds:X509Data>
+            <ds:X509Certificate>SAME_KEY_AS_GENERATED_IN_THE_CONSOLE_BEFORE</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </md:KeyDescriptor>
+      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Post" index="0" Location="http://localhost:3000/saml/receive_response" isDefault="true"/>
+    </md:SPSSODescriptor>
+  </md:EntityDescriptor>
+
+Set up an intializer in config/initializers/saml_config.rb:
+  Saml.setup do |config|
+    config.entity_id = "my:very:original:entityid"
+    config.provider_store = Saml::ProviderStore::File.new("config/metadata", "config/ssl/key.pem")
+    # config.provider_store = SamlProvider
+  end
+
+By default this will use a SamlProvider model that uses the filestore, if you want a database driven model comment out the #provider_store function in the initializer and make a model that defines #find_by_entity_id:
+  class SamlProvider < ActiveRecord::Base
+    include Saml::Provider
+
+    def self.find_by_entity_id(entity_id)
+      where(entity_id: entity_id).first!
+    end
+  end
+
+
+Now you can make a SAML controller in app/controllers/saml_controller.rb:
+  class SamlController < ApplicationController
+    def request_authentication
+      provider = Saml.provider("my:very:original:entityid")
+      destination = provider.single_sign_on_service_url(Saml::ProtocolBindings::HTTP_POST)
+
+      authn_request = Saml::AuthnRequest.new(:destination => destination)
+
+      @saml_attributes = Saml::Bindings::HTTPPost.create_form_attributes(authn_request)
+
+      render text: @saml_attributes.to_yaml
+    end
+
+    def receive_response
+    end
+  end
+
+Don't forget to define the routes in config/routes.rb:
+  get "/saml/request_authentication" => "saml#request_authentication"
+  get "/saml/receive_response" => "saml#receive_response"
+
+= Contributing
+- Fork the project
+- Contribute your changes. Please make sure your changes are properly documented and covered by tests.
+- Send a pull request

data/Rakefile

@@ -0,0 +1,33 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Saml'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:core) do |spec|
+  spec.rspec_opts = ['--backtrace']
+end
+
+task :default => [:core]
+
+
+Bundler::GemHelper.install_tasks
+

data/lib/saml.rb

@@ -0,0 +1,142 @@
+require 'active_support/all'
+require 'active_model'
+require 'saml/base'
+require 'saml/xml_helpers'
+require 'saml/encoding'
+require 'saml/util'
+require 'xmldsig'
+require 'httpi'
+
+module Saml
+  MD_NAMESPACE       = 'urn:oasis:names:tc:SAML:2.0:metadata'
+  SAML_NAMESPACE     = 'urn:oasis:names:tc:SAML:2.0:assertion'
+  SAMLP_NAMESPACE    = 'urn:oasis:names:tc:SAML:2.0:protocol'
+  XML_DSIG_NAMESPACE = 'http://www.w3.org/2000/09/xmldsig#'
+  SAML_VERSION       = '2.0'
+
+  module Errors
+    class SamlError < StandardError;
+    end
+
+    class SignatureInvalid < SamlError;
+    end
+    class InvalidProvider < SamlError;
+    end
+    class UnparseableMessage < SamlError;
+    end
+  end
+
+  module TopLevelCodes
+    SUCCESS          = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+    REQUESTER        = 'urn:oasis:names:tc:SAML:2.0:status:Requester'
+    RESPONDER        = 'urn:oasis:names:tc:SAML:2.0:status:Responder'
+    VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'
+
+    ALL = [SUCCESS, REQUESTER, RESPONDER, VERSION_MISMATCH]
+  end
+
+  module SubStatusCodes
+    AUTHN_FAILED     = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed'
+    NO_AUTHN_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext'
+    PARTIAL_LOGOUT   = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'
+    REQUEST_DENIED   = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied'
+
+    ALL = [AUTHN_FAILED, NO_AUTHN_CONTEXT, PARTIAL_LOGOUT, REQUEST_DENIED]
+  end
+
+  module Bindings
+    require 'saml/bindings/http_artifact'
+    require 'saml/bindings/http_redirect'
+    require 'saml/bindings/http_post'
+    require 'saml/bindings/soap'
+  end
+
+  module ClassRefs
+    PASSWORD_PROTECTED         = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+    MOBILE_TWO_FACTOR_CONTRACT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract'
+    MOBILE_SMARTCARD_PKI       = 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'
+
+    ALL_CLASS_REFS     = [PASSWORD_PROTECTED,
+                          MOBILE_TWO_FACTOR_CONTRACT,
+                          MOBILE_SMARTCARD_PKI]
+    ORDERED_CLASS_REFS = ALL_CLASS_REFS
+  end
+
+  module ComplexTypes
+    require 'saml/complex_types/request_abstract_type'
+    require 'saml/complex_types/status_response_type'
+    require 'saml/complex_types/endpoint_type'
+    require 'saml/complex_types/indexed_endpoint_type'
+    require 'saml/complex_types/sso_descriptor_type'
+  end
+
+  module Elements
+    require 'saml/elements/signature'
+    require 'saml/elements/subject_locality'
+    require 'saml/elements/authn_context'
+    require 'saml/elements/audience_restriction'
+    require 'saml/elements/sub_status_code'
+    require 'saml/elements/status_code'
+    require 'saml/elements/status'
+    require 'saml/elements/subject_confirmation_data'
+    require 'saml/elements/subject_confirmation'
+    require 'saml/elements/attribute'
+    require 'saml/elements/attribute_statement'
+    require 'saml/elements/name_id'
+    require 'saml/elements/subject'
+    require 'saml/elements/conditions'
+    require 'saml/elements/authn_statement'
+    require 'saml/elements/requested_authn_context'
+    require 'saml/elements/key_descriptor'
+    require 'saml/elements/organization'
+    require 'saml/elements/contact_person'
+    require 'saml/elements/idp_sso_descriptor'
+    require 'saml/elements/sp_sso_descriptor'
+    require 'saml/elements/entity_descriptor'
+    require 'saml/elements/entities_descriptor'
+  end
+
+  require 'saml/assertion'
+  require 'saml/authn_request'
+  require 'saml/artifact'
+  require 'saml/response'
+  require 'saml/artifact_resolve'
+  require 'saml/artifact_response'
+  require 'saml/logout_request'
+  require 'saml/logout_response'
+  require 'saml/provider'
+
+  module ProviderStores
+    require 'saml/provider_stores/file'
+  end
+
+  module ProtocolBinding
+    HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
+    HTTP_POST     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+    HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+    SOAP          = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
+  end
+
+  def self.setup
+    yield Saml::Config
+  end
+
+  def self.generate_id
+    "_#{::SecureRandom.hex(20)}"
+  end
+
+  def self.provider(entity_id)
+    Saml::Config.provider_store.find_by_entity_id(entity_id) || raise(Saml::Errors::InvalidProvider.new)
+  end
+
+  def self.parse_message(message, type)
+    if %w(authn_request response logout_request logout_response artifact_resolve artifact_response).include?(type.to_s)
+      klass = "Saml::#{type.to_s.camelize}".constantize
+      klass.parse(message, single: true)
+    else
+      nil
+    end
+  end
+end
+
+require 'saml/config'

data/lib/saml/artifact.rb

@@ -0,0 +1,51 @@
+module Saml
+  class Artifact
+    include ::HappyMapper
+
+    TYPE_CODE       = "\000\004"
+    END_POINT_INDEX = "\000\000"
+
+    tag "Artifact"
+    namespace 'samlp'
+
+    content :artifact, String
+
+    def initialize(artifact = nil)
+      if artifact
+        @artifact = artifact
+      else
+        source_id       = ::Digest::SHA1.digest(Saml::Config.entity_id)
+        message_handle  = ::SecureRandom.random_bytes(20)
+        @type_code      = TYPE_CODE
+        @endpoint_index = END_POINT_INDEX
+        @artifact   = Saml::Encoding.encode_64 [@type_code, @endpoint_index, source_id, message_handle].join
+      end
+    end
+
+    def type_code
+      decoded_value[0, 2]
+    end
+
+    def endpoint_index
+      decoded_value[2, 2]
+    end
+
+    def source_id
+      decoded_value[4, 20]
+    end
+
+    def message_handle
+      decoded_value[24, 20]
+    end
+
+    def to_s
+      artifact
+    end
+
+    private
+
+    def decoded_value
+      ::Base64.decode64(artifact)
+    end
+  end
+end

data/lib/saml/artifact_resolve.rb

@@ -0,0 +1,10 @@
+module Saml
+  class ArtifactResolve
+    include Saml::ComplexTypes::RequestAbstractType
+
+    tag "ArtifactResolve"
+    has_one :artifact, Saml::Artifact
+
+    validates :artifact, :presence => true
+  end
+end

data/lib/saml/artifact_response.rb

@@ -0,0 +1,9 @@
+module Saml
+  class ArtifactResponse
+    include Saml::ComplexTypes::StatusResponseType
+
+    tag "ArtifactResponse"
+
+    has_one :response, Saml::Response
+  end
+end

data/lib/saml/assertion.rb

@@ -0,0 +1,67 @@
+module Saml
+  class Assertion
+    include Saml::Base
+    include Saml::XMLHelpers
+
+    register_namespace 'samlp', Saml::SAMLP_NAMESPACE
+    register_namespace 'saml', Saml::SAML_NAMESPACE
+
+    tag "Assertion"
+    namespace 'saml'
+
+    attribute :_id, String, :tag => 'ID'
+    attribute :version, String, :tag => "Version"
+    attribute :issue_instant, Time, :tag => "IssueInstant", :on_save => lambda { |val| val.utc.xmlschema }
+
+    element :issuer, String, :namespace => 'saml', :tag => "Issuer"
+
+    has_one   :signature, Saml::Elements::Signature
+    has_one   :subject, Saml::Elements::Subject
+    has_one   :conditions, Saml::Elements::Conditions
+    has_many  :authn_statement, Saml::Elements::AuthnStatement
+    has_one   :attribute_statement, Saml::Elements::AttributeStatement
+
+    validates :_id, :version, :issue_instant, :issuer, :presence => true
+
+    validates :version, inclusion: %w(2.0)
+    validate :check_issue_instant, :if => "issue_instant.present?"
+
+    def initialize(*args)
+      options          = args.extract_options!
+      @subject         = Saml::Elements::Subject.new(:name_id        => options.delete(:name_id),
+                                                     :name_id_format => options.delete(:name_id_format),
+                                                     :recipient      => options.delete(:recipient),
+                                                     :in_response_to => options.delete(:in_response_to))
+      @conditions      = Saml::Elements::Conditions.new(:audience => options.delete(:audience))
+      @authn_statement = Saml::Elements::AuthnStatement.new(:authn_instant           => Time.now,
+                                                            :address                 => options.delete(:address),
+                                                            :authn_context_class_ref => options.delete(:authn_context_class_ref),
+                                                            :session_index           => options.delete(:session_index))
+      super(*(args << options))
+      @_id           ||= Saml.generate_id
+      @issue_instant ||= Time.now
+      @issuer        ||= Saml::Config.entity_id
+      @version       ||= Saml::SAML_VERSION
+    end
+
+    def add_attribute(key, value)
+      self.attribute_statement ||= Saml::Elements::AttributeStatement.new
+      self.attribute_statement.attribute ||= []
+      self.attribute_statement.attribute << Saml::Elements::Attribute.new(name: key, attribute_value: value)
+    end
+
+    def fetch_attribute(key)
+      return unless self.attribute_statement
+      return unless self.attribute_statement.attribute
+      attribute_statement.fetch_attribute(key)
+    end
+
+    private
+
+    def check_issue_instant
+      errors.add(:issue_instant, :too_old) if issue_instant < Time.now - Saml::Config.max_issue_instant_offset.minutes
+      errors.add(:issue_instant, :too_new) if issue_instant > Time.now + Saml::Config.max_issue_instant_offset.minutes
+    end
+
+  end
+end