libsaml 2.0.6 → 2.1.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    OWIyNTBiNGEzODgxNmY2NjkxNzIwMmU1MzlhY2Y2Yzg2Y2U4ZmZmZg==
+    OGYxNjQ4ZDFiYTBiNWNkODE0NWZkOTIxZWUwZjU2ODk0YmQxNGE2OA==
   data.tar.gz: !binary |-
-    MjNkYzcwNTc0YjBjYmY4OTE3OGMxNTZhNjcwZTUyNDk1ZGVkMDQ4MA==
+    ZTcxMjVjMDJkNzA2NjRhMDcyNDQ3ZmVkNjBmZjFjYWEzYTFhOTE4NQ==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    Y2EwZDZmZTJhODU3NTU1N2IwY2FkYzJjNGZlYTZkZDQ1MWNjNGY4NTE0NThm
-    ZTcxMTk5NDUyZjZjZjI1YjgzYWU3MTk5YTc4MzQ4OTRjNDQyY2Q4YzdhMmEz
-    N2YyOTNhY2ViOTFiODZjMDlhYmJkYjEyYjE4Yzc5YWE1ZGI5ZWQ=
+    ZGFjMzNhNmM2ODViOTAyMjAwYjQ1ZWE4YjYzOTU3MjQwNmUwNmY0YjNiNzU1
+    NjcxNmRhNGMyNGI2NzlkMzc4ZGM2MTlhNGFjNWIwZDNiYWU2M2FiZTIzY2Vh
+    Nzg0MmIxZDc4NTFiZTY0MGIwMzc4ZTgxZTY0YTRkMWI4ZWZjMjc=
   data.tar.gz: !binary |-
-    NzI2ZmJhNTk0MTZjZjBkNmY4OGIwYTFhOTBiYTU3MTJhMTA4NGJjMTU1OGZm
-    ZGZiNWJiYTc5NTk5ZjhiNjA4MzRjZmUxZWE4NmYwNDI1OWJlNGIxNWFiOTZm
-    MzQ5NDlhMmJhNWZjMTc5MGVkN2FlYTE2MGZhYTJmOWRjM2NhZDU=
+    NGQ5YWMwM2I3OWExODk4ZmUzMGMyMTM0NzdjNzM2MGIwY2FiM2U2MTg5ZGMz
+    ZDJhNDIyZWEwMzM4MzIzZDA3Y2MyN2RjNGU0MzExYjEyYjhiNDI4OGY5NWE4
+    ZjJiOWM1NjUwZDgyMDJmYmY2ZWY5MzEzMWNmMmU2NzhlZTZjOWQ=

data/README.rdoc

@@ -49,9 +49,7 @@ Add the Service Provider configuration file to config/metadata/service_provider.
 
 Set up an intializer in config/initializers/saml_config.rb:
   Saml.setup do |config|
-    config.entity_id = "my:very:original:entityid"
-    config.provider_store = Saml::ProviderStore::File.new("config/metadata", "config/ssl/key.pem")
-    # config.provider_store = SamlProvider
+    config.register_store :file, Saml::ProviderStore::File.new("config/metadata", "config/ssl/key.pem"), default: true
   end
 
 By default this will use a SamlProvider model that uses the filestore, if you want a database driven model comment out the #provider_store function in the initializer and make a model that defines #find_by_entity_id:
@@ -66,6 +64,9 @@ By default this will use a SamlProvider model that uses the filestore, if you wa
 
 Now you can make a SAML controller in app/controllers/saml_controller.rb:
   class SamlController < ApplicationController
+    extend Saml::Rails::ControllerHelper
+    current_provider "entity_id"
+
     def request_authentication
       provider = Saml.provider("my:very:original:entityid")
       destination = provider.single_sign_on_service_url(Saml::ProtocolBindings::HTTP_POST)

data/lib/saml.rb

@@ -4,25 +4,39 @@ require 'saml/base'
 require 'saml/xml_helpers'
 require 'saml/encoding'
 require 'saml/util'
+require 'xmlenc'
 require 'xmldsig'
 require 'httpi'
 
 module Saml
   MD_NAMESPACE       = 'urn:oasis:names:tc:SAML:2.0:metadata'
+  MD_ATTR_NAMESPACE  = 'urn:oasis:names:tc:SAML:metadata:attribute'
   SAML_NAMESPACE     = 'urn:oasis:names:tc:SAML:2.0:assertion'
   SAMLP_NAMESPACE    = 'urn:oasis:names:tc:SAML:2.0:protocol'
   XML_DSIG_NAMESPACE = 'http://www.w3.org/2000/09/xmldsig#'
   SAML_VERSION       = '2.0'
 
   module Errors
-    class SamlError < StandardError;
+    class SamlError < StandardError
     end
-
-    class SignatureInvalid < SamlError;
+    class SignatureInvalid < SamlError
+    end
+    class InvalidProvider < SamlError
     end
-    class InvalidProvider < SamlError;
+    class UnparseableMessage < SamlError
     end
-    class UnparseableMessage < SamlError;
+    class InvalidStore < SamlError
+      def initialize(store = '')
+        @store = store
+      end
+
+      def message
+        if @store.nil? || @store == ''
+          'Store cannot be blank'
+        else
+          "Store #{@store} not registered"
+        end
+      end
     end
   end
 
@@ -52,11 +66,15 @@ module Saml
   end
 
   module ClassRefs
-    PASSWORD_PROTECTED         = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
-    MOBILE_TWO_FACTOR_CONTRACT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract'
-    MOBILE_SMARTCARD_PKI       = 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'
-
-    ALL_CLASS_REFS     = [PASSWORD_PROTECTED,
+    UNSPECIFIED                    = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
+    PASSWORD_PROTECTED             = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+    MOBILE_TWO_FACTOR_UNREGISTERED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered'
+    MOBILE_TWO_FACTOR_CONTRACT     = 'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract'
+    MOBILE_SMARTCARD_PKI           = 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'
+
+    ALL_CLASS_REFS     = [UNSPECIFIED,
+                          PASSWORD_PROTECTED,
+                          MOBILE_TWO_FACTOR_UNREGISTERED,
                           MOBILE_TWO_FACTOR_CONTRACT,
                           MOBILE_SMARTCARD_PKI]
     ORDERED_CLASS_REFS = ALL_CLASS_REFS
@@ -68,10 +86,14 @@ module Saml
     require 'saml/complex_types/endpoint_type'
     require 'saml/complex_types/indexed_endpoint_type'
     require 'saml/complex_types/sso_descriptor_type'
+    require 'saml/complex_types/attribute_type'
+    require 'saml/complex_types/localized_name_type'
+    require 'saml/complex_types/statement_abstract_type'
   end
 
   module Elements
     require 'saml/elements/signature'
+    require 'saml/elements/authenticating_authority'
     require 'saml/elements/subject_locality'
     require 'saml/elements/authn_context'
     require 'saml/elements/audience_restriction'
@@ -80,14 +102,25 @@ module Saml
     require 'saml/elements/status'
     require 'saml/elements/subject_confirmation_data'
     require 'saml/elements/subject_confirmation'
+    require 'saml/elements/encrypted_attribute'
     require 'saml/elements/attribute'
     require 'saml/elements/attribute_statement'
+    require 'saml/elements/entity_attributes'
+    require 'saml/elements/md_extensions'
+    require 'saml/elements/samlp_extensions'
+    require 'saml/elements/service_name'
+    require 'saml/elements/service_description'
+    require 'saml/elements/requested_attribute'
+    require 'saml/elements/attribute_consuming_service'
     require 'saml/elements/name_id'
     require 'saml/elements/subject'
     require 'saml/elements/conditions'
     require 'saml/elements/authn_statement'
     require 'saml/elements/requested_authn_context'
     require 'saml/elements/key_descriptor'
+    require 'saml/elements/organization_name'
+    require 'saml/elements/organization_display_name'
+    require 'saml/elements/organization_url'
     require 'saml/elements/organization'
     require 'saml/elements/contact_person'
     require 'saml/elements/idp_sso_descriptor'
@@ -96,6 +129,10 @@ module Saml
     require 'saml/elements/entities_descriptor'
   end
 
+  module Rails
+    require 'saml/rails/controller_helper'
+  end
+
   require 'saml/assertion'
   require 'saml/authn_request'
   require 'saml/artifact'
@@ -105,6 +142,8 @@ module Saml
   require 'saml/logout_request'
   require 'saml/logout_response'
   require 'saml/provider'
+  require 'saml/basic_provider'
+  require 'saml/null_provider'
 
   module ProviderStores
     require 'saml/provider_stores/file'
@@ -117,6 +156,25 @@ module Saml
     SOAP          = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'
   end
 
+  def self.current_provider
+    Thread.current['saml_current_provider'] || NullProvider.new
+  end
+
+  def self.current_provider=(provider)
+    Thread.current['saml_current_provider'] = provider
+  end
+
+  def self.current_store
+    store_name = Thread.current['saml_current_store']
+    Saml::Config.registered_stores[store_name] ||
+        Saml::Config.registered_stores[Saml::Config.default_store] ||
+        raise(Errors::InvalidStore.new(store_name))
+  end
+
+  def self.current_store=(store_name)
+    Thread.current['saml_current_store'] = store_name
+  end
+
   def self.setup
     yield Saml::Config
   end
@@ -126,7 +184,11 @@ module Saml
   end
 
   def self.provider(entity_id)
-    Saml::Config.provider_store.find_by_entity_id(entity_id) || raise(Saml::Errors::InvalidProvider.new)
+    if current_provider.entity_id == entity_id
+      current_provider
+    else
+      current_store.find_by_entity_id(entity_id) || raise(Saml::Errors::InvalidProvider.new)
+    end
   end
 
   def self.parse_message(message, type)

data/lib/saml/artifact.rb

@@ -14,7 +14,7 @@ module Saml
       if artifact
         @artifact = artifact
       else
-        source_id       = ::Digest::SHA1.digest(Saml::Config.entity_id)
+        source_id       = ::Digest::SHA1.digest(Saml.current_provider.entity_id)
         message_handle  = ::SecureRandom.random_bytes(20)
         @type_code      = TYPE_CODE
         @endpoint_index = END_POINT_INDEX

data/lib/saml/artifact_resolve.rb

@@ -6,5 +6,12 @@ module Saml
     has_one :artifact, Saml::Artifact
 
     validates :artifact, :presence => true
+
+    def initialize(*args)
+      options   = args.extract_options!
+      artifact  = options.delete(:artifact)
+      @artifact = artifact.is_a?(Saml::Artifact) ? artifact : Saml::Artifact.new(artifact)
+      super(*(args << options))
+    end
   end
 end

data/lib/saml/assertion.rb

@@ -18,6 +18,7 @@ module Saml
     has_one   :signature, Saml::Elements::Signature
     has_one   :subject, Saml::Elements::Subject
     has_one   :conditions, Saml::Elements::Conditions
+    has_many  :statements, Saml::ComplexTypes::StatementAbstractType
     has_many  :authn_statement, Saml::Elements::AuthnStatement
     has_one   :attribute_statement, Saml::Elements::AttributeStatement
 
@@ -40,7 +41,7 @@ module Saml
       super(*(args << options))
       @_id           ||= Saml.generate_id
       @issue_instant ||= Time.now
-      @issuer        ||= Saml::Config.entity_id
+      @issuer        ||= Saml.current_provider.entity_id
       @version       ||= Saml::SAML_VERSION
     end
 

data/lib/saml/authn_request.rb

@@ -4,6 +4,7 @@ module Saml
 
     tag 'AuthnRequest'
     attribute :force_authn, Boolean, :tag => "ForceAuthn"
+    attribute :is_passive, Boolean, :tag => "IsPassive"
     attribute :assertion_consumer_service_index, Integer, :tag => "AssertionConsumerServiceIndex"
     attribute :assertion_consumer_service_url, String, :tag => "AssertionConsumerServiceURL"
     attribute :attribute_consuming_service_index, Integer, :tag => "AttributeConsumingServiceIndex"

data/lib/saml/basic_provider.rb

@@ -0,0 +1,12 @@
+module Saml
+  class BasicProvider
+    include Provider
+    attr_accessor :entity_descriptor, :private_key, :type
+
+    def initialize(entity_descriptor, private_key, type)
+      @entity_descriptor = entity_descriptor
+      @private_key       = private_key
+      @type              = type
+    end
+  end
+end

data/lib/saml/complex_types/attribute_type.rb

@@ -0,0 +1,24 @@
+module Saml
+  module ComplexTypes
+    module AttributeType
+      extend ActiveSupport::Concern
+      include Saml::Base
+
+      included do
+        register_namespace "saml", Saml::SAML_NAMESPACE
+
+        attribute :name, String, :tag => 'Name'
+        attribute :format, String, tag: 'NameFormat'
+        attribute :friendly_name, String, tag: 'FriendlyName'
+        element :attribute_value, String, :namespace => 'saml', :tag => "AttributeValue"
+
+        validates :name, :presence => true
+      end
+
+      def initialize(*args)
+        options = args.extract_options!
+        super(*(args << options))
+      end
+    end
+  end
+end

data/lib/saml/complex_types/localized_name_type.rb

@@ -0,0 +1,14 @@
+module Saml
+  module ComplexTypes
+    module LocalizedNameType
+      extend ActiveSupport::Concern
+      include Saml::Base
+
+      included do
+        attribute :language, String, :tag => 'xml:lang'
+
+        validates :language, :presence => true
+      end
+    end
+  end
+end

data/lib/saml/complex_types/request_abstract_type.rb

@@ -14,12 +14,14 @@ module Saml
 
         attribute :_id, String, :tag => 'ID'
         attribute :version, String, :tag => "Version"
-        attribute :issue_instant, Time, :tag => "IssueInstant", :on_save => lambda { |val| val.utc.xmlschema }
+        attribute :issue_instant, Time, :tag => "IssueInstant", :on_save => lambda { |val| val.utc.xmlschema if val.present? }
+        attribute :consent, String, :tag => "Consent"
 
         attribute :destination, String, :tag => "Destination"
         element :issuer, String, :namespace => 'saml', :tag => "Issuer"
 
-        has_one :signature, Saml::Elements::Signature, :tag => "Signature"
+        has_one :signature, Saml::Elements::Signature
+        has_one :extensions, Saml::Elements::SAMLPExtensions
 
         validates :_id, :version, :issue_instant, :presence => true
 
@@ -31,16 +33,10 @@ module Saml
         super(*args)
         @_id           ||= Saml.generate_id
         @issue_instant ||= Time.now
-        @issuer        ||= Saml::Config.entity_id
+        @issuer        ||= Saml.current_provider.entity_id
         @version       ||= Saml::SAML_VERSION
       end
 
-      def add_signature
-        self.signature = Saml::Elements::Signature.new(uri: "##{self._id}")
-        x509certificate = OpenSSL::X509::Certificate.new(provider.certificate) rescue nil
-        self.signature.key_info = Saml::Elements::KeyDescriptor::KeyInfo.new(x509certificate.to_pem) if x509certificate
-      end
-
       # @return [Saml::Provider]
       def provider
         Saml.provider(issuer)

data/lib/saml/complex_types/sso_descriptor_type.rb

@@ -43,6 +43,22 @@ module Saml
         @artifact_resolution_services ||= []
         @protocol_support_enumeration ||= PROTOCOL_SUPPORT_ENUMERATION
       end
+
+      def find_key_descriptor(key_name, use)
+        key_descriptors_by_use = find_key_descriptors_by_use(use)
+
+        if key_name.present?
+          key_descriptors_by_use.find { |key| key.key_info.key_name == key_name }
+        else
+          key_descriptors_by_use.first
+        end
+      end
+
+      private
+
+      def find_key_descriptors_by_use(use)
+        key_descriptors.select { |key| key.use == use || key.use == "" }
+      end
     end
   end
 end

data/lib/saml/complex_types/statement_abstract_type.rb

@@ -0,0 +1,34 @@
+module Saml
+  module ComplexTypes
+    class StatementAbstractType
+      include HappyMapper
+
+      register_namespace 'xsi', 'http://www.w3.org/2001/XMLSchema-instance'
+
+      tag 'Statement'
+      namespace 'saml'
+
+      attribute :type, String, tag: 'xsi:type'
+
+      def self.register_type(type, klass)
+        types[type] = klass
+      end
+
+      def self.types
+        @types ||= {}
+      end
+
+      # TODO: handle multiple statements with different types
+      def self.parse(xml, options = {})
+        statements = Array(super)
+        statements.collect do |statement|
+          if (type = types[statement.type])
+            type.parse(xml, options.merge(single: true))
+          else
+            statement
+          end
+        end
+      end
+    end
+  end
+end

data/lib/saml/config.rb

@@ -3,40 +3,9 @@ module Saml
     mattr_accessor :provider_type
     @@provider_type = "service_provider"
 
-    mattr_accessor :provider_store
-    @@provider_store = Saml::ProviderStores::File.new
-
-    mattr_accessor :entity_id
-    @@entity_id = 'SamlEntity'
-
-    mattr_accessor :authn_context_levels
-    @@authn_context_levels = {}
-
-    mattr_accessor :artifact_ttl
-    @@artifact_ttl = 15
-
-    mattr_accessor :private_key
-    @@private_key = 'PRIVATE_KEY'
-
-    mattr_accessor :private_key_file
-    @@private_key_file = 'PRIVATE_KEY_FILE'
-
     mattr_accessor :max_issue_instant_offset
     @@max_issue_instant_offset = 2
 
-    mattr_accessor :absolute_timeout
-    @@absolute_timeout = 8*60
-
-    mattr_accessor :graceperiod_timeout
-    @@graceperiod_timeout = 15
-
-    mattr_accessor :session_timeout
-    @@session_timeout = 15
-
-    # SSL
-    mattr_accessor :ssl_private_key
-    @@ssl_private_key = 'SSL_PRIVATE_KEY'
-
     mattr_accessor :ssl_private_key_file
     @@ssl_private_key_file = 'SSL_PRIVATE_KEY_FILE'
 
@@ -45,5 +14,18 @@ module Saml
 
     mattr_accessor :ssl_certificate_file
     @@ssl_certificate_file = 'SSL_CERTIFICATE_FILE'
+
+    mattr_accessor :registered_stores
+    @@registered_stores = {}
+
+    mattr_accessor :default_store
+
+    def register_store(name, store, options = {})
+      registered_stores[name] = store
+      self.default_store = name if options[:default]
+    end
+
+    module_function :register_store
+
   end
 end

data/lib/saml/elements/attribute.rb

@@ -1,24 +1,12 @@
 module Saml
   module Elements
     class Attribute
+      include Saml::ComplexTypes::AttributeType
       include Saml::Base
 
       tag "Attribute"
       register_namespace 'saml', Saml::SAML_NAMESPACE
       namespace 'saml'
-
-      attribute :name, String, :tag => 'Name'
-      attribute :format, String, tag: 'NameFormat'
-      attribute :friendly_name, String, tag: 'FriendlyName'
-      element :attribute_value, String, :namespace => 'saml', :tag => "AttributeValue"
-
-      validates :name, :presence => true
-
-      def initialize(*args)
-        options = args.extract_options!
-        super(*(args << options))
-      end
-
     end
   end
 end

data/lib/saml/elements/attribute_consuming_service.rb

@@ -0,0 +1,20 @@
+module Saml
+  module Elements
+    class AttributeConsumingService
+      include Saml::Base
+
+      tag "AttributeConsumingService"
+      register_namespace "md", Saml::MD_NAMESPACE
+      namespace "md"
+
+      attribute :index, Integer, :tag => "index"
+      attribute :is_default, HappyMapper::Boolean, :tag => "isDefault"
+
+      has_many :service_names, ServiceName
+      has_many :service_descriptions, ServiceDescription
+      has_many :requested_attributes, RequestedAttribute
+
+      validates :index, :service_names, :requested_attributes, :presence => true
+    end
+  end
+end

data/lib/saml/elements/attribute_statement.rb

@@ -8,11 +8,7 @@ module Saml
       namespace 'saml'
 
       has_many :attribute, Saml::Elements::Attribute
-
-      def initialize(*args)
-        options     = args.extract_options!
-        super(*(args << options))
-      end
+      has_many :encrypted_attributes, Saml::Elements::EncryptedAttribute
 
       def fetch_attribute(key)
         attribute = self.attribute.find do |attr|
@@ -20,7 +16,6 @@ module Saml
         end
         attribute.attribute_value if attribute
       end
-
     end
   end
 end

data/lib/saml/elements/authenticating_authority.rb

@@ -0,0 +1,14 @@
+module Saml
+  module Elements
+    class AuthenticatingAuthority
+      include Saml::Base
+
+      tag "AuthenticatingAuthority"
+
+      register_namespace "saml", ::Saml::SAML_NAMESPACE
+      namespace "saml"
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/authn_context.rb

@@ -7,6 +7,8 @@ module Saml
       namespace 'saml'
       element :authn_context_class_ref, String, :tag => "AuthnContextClassRef"
 
+      has_many :authenticating_authorities, ::Saml::Elements::AuthenticatingAuthority
+
       validates :authn_context_class_ref, :inclusion => ClassRefs::ALL_CLASS_REFS + [nil]
     end
   end

data/lib/saml/elements/contact_person.rb

@@ -16,7 +16,7 @@ module Saml
         ALL = [TECHNICAL, SUPPORT, ADMINISTRATIVE, BILLING, OTHER]
       end
 
-      attribute :contact_type, String, :tag => "ContactType"
+      attribute :contact_type, String, :tag => "contactType"
 
       element :company, String, :tag => "Company"
       element :given_name, String, :tag => "GivenName"

data/lib/saml/elements/encrypted_attribute.rb

@@ -0,0 +1,18 @@
+module Saml
+  module Elements
+    class EncryptedAttribute
+      include Saml::Base
+
+      tag "EncryptedAttribute"
+
+      register_namespace "saml", Saml::SAML_NAMESPACE
+      namespace "saml"
+
+      element :encrypted_data, Xmlenc::Builder::EncryptedData
+
+      has_many :encrypted_keys, Xmlenc::Builder::EncryptedKey, xpath: "./"
+
+      validates :encrypted_data, presence: true
+    end
+  end
+end

data/lib/saml/elements/entity_attributes.rb

@@ -0,0 +1,15 @@
+module Saml
+  module Elements
+    class EntityAttributes
+      include Saml::Base
+      include Saml::XMLHelpers
+
+      register_namespace "mdattr", Saml::MD_ATTR_NAMESPACE
+
+      tag "EntityAttributes"
+      namespace "mdattr"
+
+      has_many :attributes, Saml::Elements::Attribute
+    end
+  end
+end

data/lib/saml/elements/entity_descriptor.rb

@@ -4,7 +4,6 @@ module Saml
       include Saml::Base
       include Saml::XMLHelpers
 
-
       register_namespace 'md', Saml::MD_NAMESPACE
 
       tag 'EntityDescriptor'
@@ -18,12 +17,14 @@ module Saml
 
       has_one :signature, Saml::Elements::Signature
 
-      has_one :organization, Saml::Elements::Organization
-      has_many :contact_persons, Saml::Elements::ContactPerson
+      has_one :extensions, Saml::Elements::MDExtensions
 
       has_one :idp_sso_descriptor, Saml::Elements::IDPSSODescriptor
       has_one :sp_sso_descriptor, Saml::Elements::SPSSODescriptor
 
+      has_one :organization, Saml::Elements::Organization
+      has_many :contact_persons, Saml::Elements::ContactPerson
+
       validates :entity_id, :presence => true
 
       def initialize(*args)

data/lib/saml/elements/idp_sso_descriptor.rb

@@ -10,6 +10,8 @@ module Saml
 
       tag 'IDPSSODescriptor'
 
+      attribute :want_authn_requests_signed, HappyMapper::Boolean, :tag => "WantAuthnRequestsSigned", :default => false
+
       has_many :single_sign_on_services, SingleSignOnService
 
       validates :single_sign_on_services, :presence => true

data/lib/saml/elements/md_extensions.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class MDExtensions
+      include Saml::Base
+      include Saml::XMLHelpers
+
+      tag "Extensions"
+      namespace "md"
+
+      has_one :entity_attributes, Saml::Elements::EntityAttributes
+    end
+  end
+end

data/lib/saml/elements/name_id.rb

@@ -8,6 +8,8 @@ module Saml
       namespace 'saml'
 
       attribute :format, String, :tag => "Format"
+      attribute :name_qualifier, String, :tag => "NameQualifier"
+
       content :value, String
     end
   end

data/lib/saml/elements/organization.rb

@@ -6,9 +6,9 @@ module Saml
       tag 'Organization'
       namespace 'md'
 
-      has_many :organization_names, String, :tag => "OrganizationName"
-      has_many :organization_display_names, String, :tag => "OrganizationDisplayName"
-      has_many :organization_urls, String, :tag => "OrganizationURL"
+      has_many :organization_names, Saml::Elements::OrganizationName
+      has_many :organization_display_names, Saml::Elements::OrganizationDisplayName
+      has_many :organization_urls, Saml::Elements::OrganizationUrl
 
       validates :organization_names, :organization_display_names, :organization_urls, :presence => true
     end

data/lib/saml/elements/organization_display_name.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class OrganizationDisplayName
+      include Saml::ComplexTypes::LocalizedNameType
+      include Saml::Base
+
+      tag 'OrganizationDisplayName'
+      namespace 'md'
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/organization_name.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class OrganizationName
+      include Saml::ComplexTypes::LocalizedNameType
+      include Saml::Base
+
+      tag 'OrganizationName'
+      namespace 'md'
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/organization_url.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class OrganizationUrl
+      include Saml::ComplexTypes::LocalizedNameType
+      include Saml::Base
+
+      tag 'OrganizationURL'
+      namespace 'md'
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/requested_attribute.rb

@@ -0,0 +1,14 @@
+module Saml
+  module Elements
+    class RequestedAttribute
+      include Saml::ComplexTypes::AttributeType
+      include Saml::Base
+
+      tag "RequestedAttribute"
+      register_namespace "md", Saml::MD_NAMESPACE
+      namespace "md"
+
+      attribute :is_required, HappyMapper::Boolean, :tag => "isRequired"
+    end
+  end
+end

data/lib/saml/elements/samlp_extensions.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class SAMLPExtensions
+      include Saml::Base
+      include Saml::XMLHelpers
+
+      tag "Extensions"
+      namespace "samlp"
+
+      has_many :attributes, Saml::Elements::Attribute
+    end
+  end
+end

data/lib/saml/elements/service_description.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class ServiceDescription
+      include Saml::Base
+
+      tag "ServiceDescription"
+      register_namespace "md", Saml::MD_NAMESPACE
+      namespace "md"
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/service_name.rb

@@ -0,0 +1,13 @@
+module Saml
+  module Elements
+    class ServiceName
+      include Saml::Base
+
+      tag "ServiceName"
+      register_namespace "md", Saml::MD_NAMESPACE
+      namespace "md"
+
+      content :value, String
+    end
+  end
+end

data/lib/saml/elements/signature.rb

@@ -21,13 +21,16 @@ module Saml
       element :signature_value, String, :tag => "SignatureValue", :state_when_nil => true
       has_one :key_info, KeyInfo
 
-
       def initialize(*args)
         super(*args)
         options       = args.extract_options!
         @signed_info  ||= SignedInfo.new(:uri => options.delete(:uri), :digest_value => options.delete(:digest_value))
         @key_info     ||= KeyInfo.new
       end
+
+      def key_name
+        @key_info.try(:key_name)
+      end
     end
   end
 end

data/lib/saml/elements/sp_sso_descriptor.rb

@@ -14,6 +14,7 @@ module Saml
       attribute :want_assertions_signed, Boolean, :tag => "WantAssertionsSigned", :default => false
 
       has_many :assertion_consumer_services, AssertionConsumerService
+      has_many :attribute_consuming_services, Saml::Elements::AttributeConsumingService
 
       validates :assertion_consumer_services, :presence => true
 
@@ -22,6 +23,13 @@ module Saml
         self.assertion_consumer_services ||= []
       end
 
+      def add_assertion_consumer_service(binding, location, index, default = false)
+        assertion_consumer_services << AssertionConsumerService.new(binding:    binding,
+                                                                    location:   location,
+                                                                    index:      index,
+                                                                    is_default: default)
+      end
+
     end
   end
 end

data/lib/saml/null_provider.rb

@@ -0,0 +1,9 @@
+module Saml
+  class NullProvider
+    include Provider
+
+    def entity_id
+      nil
+    end
+  end
+end

data/lib/saml/provider.rb

@@ -3,11 +3,23 @@ module Saml
     extend ActiveSupport::Concern
 
     def assertion_consumer_service_url(index = nil)
-      find_indexed_service(descriptor.assertion_consumer_services, index)
+      find_indexed_service_url(descriptor.assertion_consumer_services, index)
     end
 
     def artifact_resolution_service_url(index = nil)
-      find_indexed_service(descriptor.artifact_resolution_services, index)
+      find_indexed_service_url(descriptor.artifact_resolution_services, index)
+    end
+
+    def attribute_consuming_service(index = nil)
+      find_indexed_service(descriptor.attribute_consuming_services, index)
+    end
+
+    def assertion_consumer_service_indices
+      if descriptor.assertion_consumer_services.present?
+        descriptor.assertion_consumer_services.map(&:index)
+      else
+        []
+      end
     end
 
     def entity_descriptor
@@ -18,8 +30,8 @@ module Saml
       entity_descriptor.entity_id
     end
 
-    def certificate(use = "signing")
-      key_descriptor = descriptor.key_descriptors.find { |key| key.use == use || key.use == "" }
+    def certificate(key_name, use = "signing")
+      key_descriptor = descriptor.find_key_descriptor(key_name, use)
       key_descriptor.certificate if key_descriptor
     end
 
@@ -43,8 +55,8 @@ module Saml
       descriptor.is_a?(Saml::Elements::SPSSODescriptor) ? "service_provider" : "identity_provider"
     end
 
-    def verify(signature_algorithm, signature, data)
-      certificate.public_key.verify(digest_method(signature_algorithm).new, signature, data) rescue nil
+    def verify(signature_algorithm, signature, data, key_name = nil)
+      certificate(key_name).public_key.verify(digest_method(signature_algorithm).new, signature, data) rescue nil
     end
 
     def authn_requests_signed?
@@ -68,13 +80,17 @@ module Saml
       entity_descriptor.sp_sso_descriptor || entity_descriptor.idp_sso_descriptor
     end
 
+    def find_indexed_service_url(service_list, index)
+      service = find_indexed_service(service_list, index)
+      service.location if service
+    end
+
     def find_indexed_service(service_list, index)
-      service = if index
+      if index
         service_list.find { |service| service.index == index }
       else
         service_list.find { |service| service.is_default }
       end
-      service.location if service
     end
 
     def find_binding_service(service_list, binding)

data/lib/saml/provider_stores/file.rb

@@ -1,17 +1,6 @@
 module Saml
   module ProviderStores
     class File
-      class Provider
-        include Saml::Provider
-        attr_accessor :entity_descriptor, :private_key, :type
-
-        def initialize(entity_descriptor, private_key, type)
-          @entity_descriptor = entity_descriptor
-          @private_key       = private_key
-          @type              = type
-        end
-      end
-
       attr_accessor :providers
 
       def initialize(metadata_dir = "config/metadata", key_file = "config/ssl/key.pem")
@@ -21,7 +10,7 @@ module Saml
           private_key       = OpenSSL::PKey::RSA.new(::File.read(key_file))
           type              = entity_descriptor.sp_sso_descriptor.present? ? "service_provider" : "identity_provider"
 
-          self.providers << Provider.new(entity_descriptor, private_key, type)
+          self.providers << BasicProvider.new(entity_descriptor, private_key, type)
         end
       end
 
@@ -30,4 +19,4 @@ module Saml
       end
     end
   end
-end
+end

data/lib/saml/rails/controller_helper.rb

@@ -0,0 +1,30 @@
+module Saml
+  module Rails
+    module ControllerHelper
+      def current_provider(entity_id_or_method = nil, &block)
+        if block_given?
+          before_action &block
+        else
+          case entity_id_or_method
+            when Symbol
+              before_action { Saml.current_provider = send(entity_id_or_method) }
+            else
+              before_action { Saml.current_provider = Saml.provider("#{entity_id_or_method}") }
+          end
+        end
+      end
+
+      def current_store(store_or_symbol = nil)
+        case store_or_symbol
+          when Symbol
+            before_action { Saml.current_store = store_or_symbol }
+          else
+            before_action do
+              Saml::Config.register_store klass.name.underscore, klass_or_symbol
+              Saml.current_store = klass.name.underscore
+            end
+        end
+      end
+    end
+  end
+end

data/lib/saml/response.rb

@@ -3,7 +3,6 @@ module Saml
     include Saml::ComplexTypes::StatusResponseType
 
     tag "Response"
-    has_one :assertion, Saml::Assertion, :tag => "Assertion"
     has_many :assertions, Saml::Assertion, :tag => "Assertion"
 
     def authn_failed?
@@ -17,5 +16,13 @@ module Saml
     def no_authn_context?
       !success? && status.status_code.no_authn_context?
     end
+
+    def assertion
+      assertions.first
+    end
+
+    def assertion=(assertion)
+      (self.assertions ||= []) << assertion
+    end
   end
 end

data/lib/saml/util.rb

@@ -26,12 +26,16 @@ module Saml
         HTTPI.post request
       end
 
-      def sign_xml(message, format = :xml)
+      def sign_xml(message, format = :xml, &block)
         message.add_signature
 
         document = Xmldsig::SignedDocument.new(message.send("to_#{format}"))
-        document.sign do |data, signature_algorithm|
-          message.provider.sign(signature_algorithm, data)
+        if block_given?
+          document.sign(&block)
+        else
+          document.sign do |data, signature_algorithm|
+            message.provider.sign(signature_algorithm, data)
+          end
         end
       end
 
@@ -39,12 +43,14 @@ module Saml
         document = Xmldsig::SignedDocument.new(raw_body)
 
         signature_valid = document.validate do |signature, data, signature_algorithm|
-          message.provider.verify(signature_algorithm, signature, data)
+          message.provider.verify(signature_algorithm, signature, data, message.signature.key_name)
         end
 
         raise Saml::Errors::SignatureInvalid.new unless signature_valid
 
-        message.class.parse(document.signed_nodes.first.to_xml, single: true)
+        signed_node = document.signed_nodes.find { |node| node['ID'] == message._id }
+
+        message.class.parse(signed_node.to_xml, single: true)
       end
     end
   end

data/lib/saml/version.rb

@@ -1,3 +1,3 @@
 module Saml
-  VERSION = "2.0.6"
+  VERSION = '2.1.0'
 end

data/lib/saml/xml_helpers.rb

@@ -2,6 +2,12 @@ module Saml
   module XMLHelpers
     extend ActiveSupport::Concern
 
+    def add_signature
+      self.signature = Saml::Elements::Signature.new(uri: "##{self._id}")
+      x509certificate = OpenSSL::X509::Certificate.new(provider.certificate) rescue nil
+      self.signature.key_info = Saml::Elements::KeyDescriptor::KeyInfo.new(x509certificate.to_pem) if x509certificate
+    end
+
     def to_xml(builder = nil, default_namespace = nil, instruct = true)
       write_xml            = builder.nil? ? true : false
       builder              ||= Nokogiri::XML::Builder.new

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libsaml
 version: !ruby/object:Gem::Version
-  version: 2.0.6
+  version: 2.1.0
 platform: ruby
 authors:
 - Benoist Claassen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-08-14 00:00:00.000000000 Z
+date: 2013-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -66,6 +66,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: 0.2.1
+- !ruby/object:Gem::Dependency
+  name: xmlenc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: curb
   requirement: !ruby/object:Gem::Requirement
@@ -110,32 +124,48 @@ files:
 - lib/saml/assertion.rb
 - lib/saml/authn_request.rb
 - lib/saml/base.rb
+- lib/saml/basic_provider.rb
 - lib/saml/bindings/http_artifact.rb
 - lib/saml/bindings/http_post.rb
 - lib/saml/bindings/http_redirect.rb
 - lib/saml/bindings/soap.rb
+- lib/saml/complex_types/attribute_type.rb
 - lib/saml/complex_types/endpoint_type.rb
 - lib/saml/complex_types/indexed_endpoint_type.rb
+- lib/saml/complex_types/localized_name_type.rb
 - lib/saml/complex_types/request_abstract_type.rb
 - lib/saml/complex_types/sso_descriptor_type.rb
+- lib/saml/complex_types/statement_abstract_type.rb
 - lib/saml/complex_types/status_response_type.rb
 - lib/saml/config.rb
 - lib/saml/elements/attribute.rb
+- lib/saml/elements/attribute_consuming_service.rb
 - lib/saml/elements/attribute_statement.rb
 - lib/saml/elements/audience_restriction.rb
+- lib/saml/elements/authenticating_authority.rb
 - lib/saml/elements/authn_context.rb
 - lib/saml/elements/authn_statement.rb
 - lib/saml/elements/conditions.rb
 - lib/saml/elements/contact_person.rb
+- lib/saml/elements/encrypted_attribute.rb
 - lib/saml/elements/entities_descriptor.rb
+- lib/saml/elements/entity_attributes.rb
 - lib/saml/elements/entity_descriptor.rb
 - lib/saml/elements/idp_sso_descriptor.rb
 - lib/saml/elements/key_descriptor/key_info/x509_data.rb
 - lib/saml/elements/key_descriptor/key_info.rb
 - lib/saml/elements/key_descriptor.rb
+- lib/saml/elements/md_extensions.rb
 - lib/saml/elements/name_id.rb
 - lib/saml/elements/organization.rb
+- lib/saml/elements/organization_display_name.rb
+- lib/saml/elements/organization_name.rb
+- lib/saml/elements/organization_url.rb
+- lib/saml/elements/requested_attribute.rb
 - lib/saml/elements/requested_authn_context.rb
+- lib/saml/elements/samlp_extensions.rb
+- lib/saml/elements/service_description.rb
+- lib/saml/elements/service_name.rb
 - lib/saml/elements/signature/canonicalization_method.rb
 - lib/saml/elements/signature/digest_method.rb
 - lib/saml/elements/signature/inclusive_namespaces.rb
@@ -157,8 +187,10 @@ files:
 - lib/saml/encoding.rb
 - lib/saml/logout_request.rb
 - lib/saml/logout_response.rb
+- lib/saml/null_provider.rb
 - lib/saml/provider.rb
 - lib/saml/provider_stores/file.rb
+- lib/saml/rails/controller_helper.rb
 - lib/saml/response.rb
 - lib/saml/util.rb
 - lib/saml/version.rb