libsaml 2.15.8 → 2.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1dd09c45a2c831a6112b6023a25f8fb2deca6513
-  data.tar.gz: 028e34efefeb590965b21a468755614675ec4989
+  metadata.gz: 3fe168b0b5d962fce3379f08bf9b6e06c74825a6
+  data.tar.gz: 639c97ef468c1daf2b9410babc217e41c8c8f36a
 SHA512:
-  metadata.gz: 19239eed4cb96c32583dfdb9214a85080ffca88ea6c2c6b71a6a64c5412b5384f2bf7fd1d361ca6f13da3359b210bbeed7c7247fbe98c7fabce753110c085430
-  data.tar.gz: 32d75f484cd6410afc093455f8dc40334256e59da42b504f603fc8a226522f7043af60d338733461eed0c22e077447b79f5bdd3f75c8dce56e98e47fe3a04f00
+  metadata.gz: dbcd598c7e93aa9434c40fd62a452e76d29036acc6458df9939c46961f44297d968e714ffe66e8a327bdb85bbad9a23c969d7744998e533b51fc8e3d24cab9dc
+  data.tar.gz: 475f4a722b652995dcc2e3f7bba9f3226679d8f7d6cb280f9bdc4ad674ae1b9690fd4ca84b8986e74f8b00e2d43b6670714bb56ed7c5e1c68d3486751d9aa101

data/lib/saml/config.rb

@@ -12,6 +12,9 @@ module Saml
     mattr_accessor :ssl_certificate_file
     @@ssl_certificate_file = nil
 
+    mattr_accessor :http_ca_file
+    @@http_ca_file = nil
+
     mattr_accessor :registered_stores
     @@registered_stores = {}
 
@@ -23,6 +26,5 @@ module Saml
     end
 
     module_function :register_store
-
   end
 end

data/lib/saml/provider_stores/file.rb

@@ -3,32 +3,46 @@ module Saml
     class File
       attr_accessor :providers
 
-      def initialize(metadata_dir = "config/metadata", key_file = "config/ssl/key.pem")
+      def initialize(metadata_dir = "config/metadata", key_file = "config/ssl/key.pem", key_password = nil)
         @mutex         = Mutex.new
         self.providers = {}
 
-        load_files(metadata_dir, key_file)
+        load_files(metadata_dir, key_file, key_password)
       end
 
       def find_by_entity_id(entity_id)
-        self.providers[entity_id]
+        providers[entity_id]
       end
 
-      def load_files(metadata_dir, key_file)
-        Dir[::File.join(metadata_dir, "*.xml")].each do |file|
-          add_metadata(::File.read(file), OpenSSL::PKey::RSA.new(::File.read(key_file)))
+      # Returns provider by source_id or nil if not found.
+      def find_by_source_id(source_id)
+        providers.find do |entity_id, _|
+          Digest::SHA1.digest(entity_id) == source_id
+        end.to_a[1]
+      end
+
+      def load_files(metadata_dir, key_file, key_password = nil)
+        Dir[::File.join(metadata_dir, '*.xml')].each do |file|
+          add_metadata(::File.read(file), get_private_key(key_file, key_password))
         end
       end
 
       def add_metadata(metadata_xml, private_key = nil)
         entity_descriptor = Saml::Elements::EntityDescriptor.parse(metadata_xml, single: true)
-        type              = entity_descriptor.sp_sso_descriptor.present? ? "service_provider" : "identity_provider"
+        type              = entity_descriptor.sp_sso_descriptor.present? ? 'service_provider' : 'identity_provider'
         provider          = BasicProvider.new(entity_descriptor, private_key, type)
 
         @mutex.synchronize do
-          self.providers[provider.entity_id] = provider
+          providers[provider.entity_id] = provider
         end
       end
+
+      private
+
+      def get_private_key(file, password)
+        return OpenSSL::PKey::RSA.new(::File.read(file)) unless password.present?
+        OpenSSL::PKey::RSA.new(::File.read(file), password)
+      end
     end
   end
 end

data/lib/saml/util.rb

@@ -21,22 +21,10 @@ module Saml
         http.use_ssl     = uri.scheme == 'https'
         http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 
-        if Saml::Config.ssl_certificate_file.present? && Saml::Config.ssl_private_key_file.present?
-          cert = File.read(Saml::Config.ssl_certificate_file)
-          key  = File.read(Saml::Config.ssl_private_key_file)
+        add_cacert_file(http)
+        add_ssl_certificate_and_key(http)
 
-          http.cert = OpenSSL::X509::Certificate.new(cert)
-          http.key  = OpenSSL::PKey::RSA.new(key)
-        end
-
-        headers = {
-            'Content-Type'  => 'text/xml',
-            'Cache-Control' => 'no-cache, no-store',
-            'Pragma'        => 'no-cache'
-        }
-        headers.merge! additional_headers
-
-        request      = Net::HTTP::Post.new(uri.request_uri, headers)
+        request      = Net::HTTP::Post.new(uri.request_uri, merged_headers(additional_headers))
         request.body = message
 
         http.request(request)
@@ -57,14 +45,14 @@ module Saml
 
       def encrypt_assertion(assertion, key_descriptor_or_certificate)
         case key_descriptor_or_certificate
-          when OpenSSL::X509::Certificate
-            certificate = key_descriptor_or_certificate
-            key_name    = nil
-          when Saml::Elements::KeyDescriptor
-            certificate = key_descriptor_or_certificate.certificate
-            key_name    = key_descriptor_or_certificate.key_info.key_name
-          else
-            raise ArgumentError.new("Expecting Certificate or KeyDescriptor got: #{key_descriptor_or_certificate.class}")
+        when OpenSSL::X509::Certificate
+          certificate = key_descriptor_or_certificate
+          key_name    = nil
+        when Saml::Elements::KeyDescriptor
+          certificate = key_descriptor_or_certificate.certificate
+          key_name    = key_descriptor_or_certificate.key_info.key_name
+        else
+          fail ArgumentError, "Expecting Certificate or KeyDescriptor got: #{key_descriptor_or_certificate.class}"
         end
 
         assertion = assertion.to_xml(nil, nil, false) if assertion.is_a?(Assertion) # create xml without instruct
@@ -113,7 +101,7 @@ module Saml
           message.provider.verify(signature_algorithm, signature, data, message.signature.key_name)
         end
 
-        raise Saml::Errors::SignatureInvalid.new unless signature_valid
+        fail Saml::Errors::SignatureInvalid unless signature_valid
 
         signed_node = document.signed_nodes.find { |node| node['ID'] == message._id }
 
@@ -132,17 +120,45 @@ module Saml
         http.use_ssl     = uri.scheme == 'https'
         http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 
+        add_cacert_file(http)
+
         request = Net::HTTP::Get.new(uri.request_uri)
 
         response = http.request(request)
         if response.code == '200'
           response.body
         else
-          raise Saml::Errors::MetadataDownloadFailed.new("Cannot download metadata for: #{location}: #{response.body}")
+          fail Saml::Errors::MetadataDownloadFailed, "Cannot download metadata for: #{location}: #{response.body}"
         end
       rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse,
           Net::HTTPHeaderSyntaxError, Net::ProtocolError => error
-        raise Saml::Errors::MetadataDownloadFailed.new("Cannot download metadata for: #{location}: #{error.message}")
+        raise Saml::Errors::MetadataDownloadFailed, "Cannot download metadata for: #{location}: #{error.message}"
+      end
+
+      private
+
+      def merged_headers(headers)
+        { 'Content-Type' => 'text/xml',
+          'Cache-Control' => 'no-cache, no-store',
+          'Pragma' => 'no-cache' }.merge(headers)
+      end
+
+      def add_cacert_file(http)
+        return http unless Saml::Config.http_ca_file.present?
+        http.cert_store = OpenSSL::X509::Store.new
+        http.cert_store.set_default_paths
+        http.cert_store.add_file(Saml::Config.http_ca_file)
+        http
+      end
+
+      def add_ssl_certificate_and_key(http)
+        return http unless Saml::Config.ssl_certificate_file.present?
+        return http unless Saml::Config.ssl_private_key_file.present?
+        cert = File.read(Saml::Config.ssl_certificate_file)
+        key  = File.read(Saml::Config.ssl_private_key_file)
+        http.cert = OpenSSL::X509::Certificate.new(cert)
+        http.key  = OpenSSL::PKey::RSA.new(key)
+        http
       end
     end
   end

data/lib/saml/version.rb

@@ -1,3 +1,3 @@
 module Saml
-  VERSION = "2.15.8"
+  VERSION = "2.16.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: libsaml
 version: !ruby/object:Gem::Version
-  version: 2.15.8
+  version: 2.16.0
 platform: ruby
 authors:
 - Benoist Claassen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-01 00:00:00.000000000 Z
+date: 2015-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport