libsaml 2.0.5

data/lib/saml/authn_request.rb

@@ -0,0 +1,34 @@
+module Saml
+  class AuthnRequest
+    include Saml::ComplexTypes::RequestAbstractType
+
+    tag 'AuthnRequest'
+    attribute :force_authn, Boolean, :tag => "ForceAuthn"
+    attribute :assertion_consumer_service_index, Integer, :tag => "AssertionConsumerServiceIndex"
+    attribute :assertion_consumer_service_url, String, :tag => "AssertionConsumerServiceURL"
+    attribute :attribute_consuming_service_index, Integer, :tag => "AttributeConsumingServiceIndex"
+    attribute :protocol_binding, String, :tag => "ProtocolBinding"
+    attribute :provider_name, String, :tag => "ProviderName"
+
+    has_one :requested_authn_context, Saml::Elements::RequestedAuthnContext
+
+    validates :force_authn, :inclusion => [true, false, nil]
+    validates :assertion_consumer_service_index, :numericality => true, :if => "assertion_consumer_service_index.present?"
+
+    validate :check_assertion_consumer_service
+
+    def assertion_url
+      return assertion_consumer_service_url if assertion_consumer_service_url
+      provider.assertion_consumer_service_url(assertion_consumer_service_index) if assertion_consumer_service_index
+    end
+
+    private
+
+    def check_assertion_consumer_service
+      if assertion_consumer_service_index.present?
+        errors.add(:assertion_consumer_service_url, :must_be_blank) if @assertion_consumer_service_url.present?
+        errors.add(:protocol_binding, :must_be_blank) if protocol_binding.present?
+      end
+    end
+  end
+end

data/lib/saml/base.rb

@@ -0,0 +1,47 @@
+require 'happymapper'
+
+module Saml
+  module Base
+    extend ActiveSupport::Concern
+
+    included do
+      include ::HappyMapper
+      include ::ActiveModel::Validations
+
+      extend HappyMapperClassMethods
+      include HappyMapperInstanceMethods
+    end
+
+    module HappyMapperInstanceMethods
+      def initialize(attributes = {})
+        attributes.each do |key, value|
+          send("#{key}=", value) if respond_to?("#{key}=") && value.present?
+        end
+      end
+
+      def from_xml=(bool)
+        @from_xml = bool
+      end
+
+      def from_xml?
+        @from_xml
+      end
+    end
+
+    module HappyMapperClassMethods
+      def parse(xml, options = {})
+        object = super
+        if object.is_a?(Array)
+          object.map { |x| x.from_xml = true }
+        elsif object
+          object.from_xml = true
+        end
+        object
+      rescue Nokogiri::XML::SyntaxError => e
+        raise Saml::Errors::UnparseableMessage.new(e.message)
+      rescue NoMethodError => e
+        raise Saml::Errors::UnparseableMessage.new(e.message)
+      end
+    end
+  end
+end

data/lib/saml/bindings/http_artifact.rb

@@ -0,0 +1,44 @@
+module Saml
+  module Bindings
+    class HTTPArtifact
+
+      class << self
+        # @param [Saml::ArtifactResponse] artifact_response
+        def create_response_xml(artifact_response)
+          Saml::Util.sign_xml(artifact_response, :soap)
+        end
+
+        def create_url(location, artifact, options = {})
+          uri   = URI.parse(location)
+          query = [uri.query, "SAMLart=#{CGI.escape(artifact.to_s)}"]
+
+          query << "RelayState=#{CGI.escape(options[:relay_state])}" if options[:relay_state]
+
+          uri.query = query.compact.join("&")
+          uri.to_s
+        end
+
+        def receive_message(request)
+          raw_xml          = request.body.dup.read
+          artifact_resolve = Saml::ArtifactResolve.parse(raw_xml, single: true)
+
+          Saml::Util.verify_xml(artifact_resolve, raw_xml)
+        end
+
+        def resolve(request, location)
+          artifact         = request.params["SAMLart"]
+          artifact_resolve = Saml::ArtifactResolve.new(artifact: artifact, destination: location)
+
+          response = Saml::Util.post(location, Saml::Util.sign_xml(artifact_resolve, :soap))
+
+          if response.code == 200
+            artifact_response          = Saml::ArtifactResponse.parse(response.body, single: true)
+            verified_artifact_response = Saml::Util.verify_xml(artifact_response, response.body)
+
+            verified_artifact_response.response if artifact_response.success?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/saml/bindings/http_post.rb

@@ -0,0 +1,29 @@
+module Saml
+  module Bindings
+    class HTTPPost
+      class << self
+        def create_form_attributes(message, options = {})
+          param = message.is_a?(Saml::ComplexTypes::StatusResponseType) ? "SAMLResponse" : "SAMLRequest"
+
+          xml = Saml::Util.sign_xml(message)
+
+          variables        = {}
+          variables[param] = Saml::Encoding.encode_64(xml)
+          variables["RelayState"] = options[:relay_state] if options[:relay_state]
+
+          {
+              location:  message.destination,
+              variables: variables
+          }
+        end
+
+        def receive_message(request, type)
+          message             = Saml::Encoding.decode_64(request.params["SAMLRequest"] || request.params["SAMLResponse"])
+          request_or_response = Saml.parse_message(message, type)
+
+          Saml::Util.verify_xml(request_or_response, message)
+        end
+      end
+    end
+  end
+end

data/lib/saml/bindings/http_redirect.rb

@@ -0,0 +1,100 @@
+module Saml
+  module Bindings
+    class HTTPRedirect
+      class << self
+        def create_url(request_or_response, options = {})
+          options[:signature_algorithm] ||= 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
+          new(request_or_response, options).create_url
+        end
+
+        def receive_message(http_request, options = {})
+          options[:signature]           = Saml::Encoding.decode_64(http_request.params["Signature"] || "")
+          options[:signature_algorithm] = http_request.params["SigAlg"]
+          options[:relay_state]         = http_request.params["RelayState"]
+
+          request_or_response = parse_request_or_response(options.delete(:type), http_request.params)
+
+          redirect_binding = new(request_or_response, options)
+          query_string     = URI.parse(http_request.url).query
+
+          redirect_binding.verify_signature(query_string) if request_or_response.provider.authn_requests_signed?
+
+          request_or_response
+        end
+
+        private
+
+        def parse_request_or_response(type, params)
+          message = decode_message(params["SAMLRequest"])
+
+          Saml.parse_message(message, type)
+        end
+
+        def decode_message(message)
+          Saml::Encoding.decode_gzip(Saml::Encoding.decode_64(message)).gsub("\n", "")
+        end
+      end
+
+      attr_accessor :request_or_response, :signature_algorithm, :relay_state, :signature
+
+      def initialize(request_or_response, options = {})
+        @request_or_response = request_or_response
+        @signature_algorithm = options[:signature_algorithm]
+        @relay_state         = options[:relay_state]
+        @signature           = options[:signature]
+      end
+
+      def verify_signature(query)
+        unless request_or_response.provider.verify(signature_algorithm, signature, parse_signature_params(query))
+          raise Saml::Errors::SignatureInvalid.new
+        end
+      end
+
+      def create_url
+        [request_or_response.destination, signed_params].join("?")
+      end
+
+      private
+
+
+      def parse_signature_params(query)
+        params = {}
+        query.split(/[&;]/).each do |pairs|
+          key, value  = pairs.split('=', 2)
+          params[key] = value
+        end
+
+        relay_state = params["RelayState"] ? "&RelayState=#{params['RelayState']}" : ""
+        "SAMLRequest=#{params['SAMLRequest']}#{relay_state}&SigAlg=#{params['SigAlg']}"
+      end
+
+      def encoded_message
+        Saml::Encoding.encode_64(Saml::Encoding.encode_gzip(request_or_response.to_xml))
+      end
+
+      def encoded_params
+        params.collect do |key, value|
+          "#{key}=#{CGI.escape(value)}"
+        end.join('&')
+      end
+
+      def params
+        params = {}
+
+        params["SAMLRequest"] = encoded_message
+        params["RelayState"] = relay_state if relay_state
+        params["SigAlg"] = signature_algorithm if signature_algorithm
+
+        params
+      end
+
+      def signed_params
+        signature = request_or_response.provider.sign(signature_algorithm, encoded_params)
+
+        encoded_signature = CGI.escape(Saml::Encoding.encode_64(signature))
+
+        "#{encoded_params}&Signature=#{encoded_signature}"
+      end
+    end
+  end
+end

data/lib/saml/bindings/soap.rb

@@ -0,0 +1,31 @@
+module Saml
+  module Bindings
+    class SOAP
+      class << self
+        def create_response_xml(response)
+          Saml::Util.sign_xml(response, :soap)
+        end
+
+        def post_message(message, response_type)
+          signed_message = Saml::Util.sign_xml(message, :soap)
+
+          http_response = Saml::Util.post(message.destination, signed_message)
+
+          if http_response.code == 200
+            response = Saml.parse_message(http_response.body, response_type)
+            Saml::Util.verify_xml(response, http_response.body)
+          else
+            nil
+          end
+        end
+
+        def receive_message(request, type)
+          raw_xml = request.body.dup.read
+          message = Saml.parse_message(raw_xml, type)
+
+          Saml::Util.verify_xml(message, raw_xml)
+        end
+      end
+    end
+  end
+end

data/lib/saml/complex_types/endpoint_type.rb

@@ -0,0 +1,17 @@
+module Saml
+  module ComplexTypes
+    module EndpointType
+      extend ActiveSupport::Concern
+      include Saml::Base
+
+      included do
+        namespace 'md'
+
+        attribute :binding, String, :tag => "Binding"
+        attribute :location, String, :tag => "Location"
+
+        validates :binding, :location, :presence => true
+      end
+    end
+  end
+end

data/lib/saml/complex_types/indexed_endpoint_type.rb

@@ -0,0 +1,15 @@
+module Saml
+  module ComplexTypes
+    module IndexedEndpointType
+      extend ActiveSupport::Concern
+      include EndpointType
+
+      included do
+        attribute :index, Integer, :tag => "index"
+        attribute :is_default, HappyMapper::Boolean, :tag => "isDefault"
+
+        validates :index, :presence => true
+      end
+    end
+  end
+end

data/lib/saml/complex_types/request_abstract_type.rb

@@ -0,0 +1,57 @@
+require 'happymapper'
+
+module Saml
+  module ComplexTypes
+    module RequestAbstractType
+      extend ActiveSupport::Concern
+      include Saml::Base
+      include Saml::XMLHelpers
+
+      included do
+        register_namespace 'samlp', Saml::SAMLP_NAMESPACE
+        register_namespace 'saml', Saml::SAML_NAMESPACE
+        namespace 'samlp'
+
+        attribute :_id, String, :tag => 'ID'
+        attribute :version, String, :tag => "Version"
+        attribute :issue_instant, Time, :tag => "IssueInstant", :on_save => lambda { |val| val.utc.xmlschema }
+
+        attribute :destination, String, :tag => "Destination"
+        element :issuer, String, :namespace => 'saml', :tag => "Issuer"
+
+        has_one :signature, Saml::Elements::Signature, :tag => "Signature"
+
+        validates :_id, :version, :issue_instant, :presence => true
+
+        validates :version, inclusion: %w(2.0)
+        validate :check_issue_instant, :if => "issue_instant.present?"
+      end
+
+      def initialize(*args)
+        super(*args)
+        @_id           ||= Saml.generate_id
+        @issue_instant ||= Time.now
+        @issuer        ||= Saml::Config.entity_id
+        @version       ||= Saml::SAML_VERSION
+      end
+
+      def add_signature
+        self.signature = Saml::Elements::Signature.new(uri: "##{self._id}")
+        x509certificate = OpenSSL::X509::Certificate.new(provider.certificate) rescue nil
+        self.signature.key_info = Saml::Elements::KeyDescriptor::KeyInfo.new(x509certificate.to_pem) if x509certificate
+      end
+
+      # @return [Saml::Provider]
+      def provider
+        Saml.provider(issuer)
+      end
+
+      private
+
+      def check_issue_instant
+        errors.add(:issue_instant, :too_old) if issue_instant < Time.now - Saml::Config.max_issue_instant_offset.minutes
+        errors.add(:issue_instant, :too_new) if issue_instant > Time.now + Saml::Config.max_issue_instant_offset.minutes
+      end
+    end
+  end
+end

data/lib/saml/complex_types/sso_descriptor_type.rb

@@ -0,0 +1,48 @@
+module Saml
+  module ComplexTypes
+    module SSODescriptorType
+      extend ActiveSupport::Concern
+      include Saml::Base
+
+      class ArtifactResolutionService
+        include Saml::ComplexTypes::IndexedEndpointType
+
+        tag 'ArtifactResolutionService'
+        namespace 'md'
+      end
+
+      class SingleLogoutService
+        include Saml::ComplexTypes::EndpointType
+
+        tag 'SingleLogoutService'
+        namespace 'md'
+      end
+
+      included do
+        namespace 'md'
+
+        PROTOCOL_SUPPORT_ENUMERATION = "urn:oasis:names:tc:SAML:2.0:protocol" unless defined?(PROTOCOL_SUPPORT_ENUMERATION)
+
+        attribute :protocol_support_enumeration, String, :tag => "protocolSupportEnumeration"
+        attribute :valid_until, Time, :tag => "validUntil"
+        attribute :cache_duration, Integer, :tag => "cacheDuration"
+        attribute :error_url, String, :tag => "errorURL"
+
+        has_many :key_descriptors, Saml::Elements::KeyDescriptor
+
+        has_many :artifact_resolution_services, ArtifactResolutionService
+        has_many :single_logout_services, SingleLogoutService
+
+        validates :protocol_support_enumeration, :presence => true, :inclusion => [PROTOCOL_SUPPORT_ENUMERATION]
+      end
+
+      def initialize(*args)
+        super(*args)
+        @single_logout_services       ||= []
+        @key_descriptors              ||= []
+        @artifact_resolution_services ||= []
+        @protocol_support_enumeration ||= PROTOCOL_SUPPORT_ENUMERATION
+      end
+    end
+  end
+end

data/lib/saml/complex_types/status_response_type.rb

@@ -0,0 +1,29 @@
+require 'happymapper'
+
+module Saml
+  module ComplexTypes
+    module StatusResponseType
+      extend ActiveSupport::Concern
+
+      include RequestAbstractType
+
+      included do
+        attribute :in_response_to, String, :tag => 'InResponseTo'
+        has_one :status, Saml::Elements::Status
+
+        validates :in_response_to, :status, :presence => true
+      end
+
+      def initialize(*args)
+        options = args.extract_options!
+        @status = Saml::Elements::Status.new(:status_code => Saml::Elements::StatusCode.new(:value            => options.delete(:status_value),
+                                                                                            :sub_status_value => options.delete(:sub_status_value)))
+        super(*(args << options))
+      end
+
+      def success?
+        status.status_code.success?
+      end
+    end
+  end
+end