openlogic-saml-sp 3.1.3 → 4.0.0.alpha.1

data/README.md

@@ -117,7 +117,7 @@ this resolutions service regardless of it's realm.
  
 ## INSTALL:
 
- * sudo gem install openlogic-saml-sp
+ * sudo gem install saml-sp
 
 ## LICENSE:
 

data/Rakefile

@@ -3,12 +3,15 @@ begin
   Jeweler::Tasks.new do |gemspec|
     gemspec.name = 'openlogic-saml-sp'
     gemspec.summary = 'SAML 2.0 SSO Sevice Provider Library'
-    gemspec.email = 'gbettridge@openlogic.com'
-    gemspec.authors = ["OpenLogic", "Peter Williams","Glen Aultman-Bettridge"]
+    gemspec.email = ['gbettridge@openlogic.com', 'todd.thomas@openlogic.com']
+    gemspec.authors = ["OpenLogic", "Peter Williams", "Glen Aultman-Bettridge", "Todd Thomas"]
+    gemspec.homepage = 'https://github.com/openlogic/saml-sp'
     gemspec.add_dependency 'nokogiri'
+    gemspec.add_dependency 'signed_xml', '~> 1.0'
     gemspec.add_dependency 'openlogic-resourceful'
     gemspec.add_dependency 'uuidtools'
-    gemspec.add_development_dependency 'rspec'
+    gemspec.add_development_dependency 'rspec', '~> 2.12'
+    gemspec.add_development_dependency 'fakeweb'
     gemspec.files = FileList["[A-Z]*", "{bin,generators,lib,test,spec,rails}/**/*"]
   end
   Jeweler::GemcutterTasks.new
@@ -16,10 +19,10 @@ rescue LoadError
   puts "Jeweler not available. Install it with: gem install jeweler"
 end
 
-# require 'spec/rake/spectask'
-# Spec::Rake::SpecTask.new
-# 
-# task 'test:run' => :spec 
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
 # EOF
 
 

data/VERSION

@@ -1 +1 @@
-3.1.3
+4.0.0.alpha.1

data/lib/saml-sp.rb

@@ -1,3 +1,4 @@
+require 'digest'
 require 'logger'
 
 module SamlSp
@@ -57,6 +58,26 @@ module SamlSp
     end
   end
 
+  CertificateStore = Class.new(Hash) do
+    include Logging
+
+    def load_certificates(glob)
+      logger.info "loading certificates from #{glob}"
+      Dir[glob].each do |file|
+        begin
+          next unless File.file?(file)
+          logger.info "reading #{file}"
+          cert = OpenSSL::X509::Certificate.new(File.read(file))
+          fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+          self[fingerprint] = cert
+          logger.info "loaded certificate #{cert.inspect} with fingerprint #{fingerprint}"
+        rescue StandardError => e
+          logger.warn "unable to read X.509 cert from #{file}: #{e.message}"
+        end
+      end
+    end
+  end.new
+
   autoload :Config,    'saml_sp/config'
 end  # module SamlSp
 

data/lib/saml2/artifact_resolver.rb

@@ -23,7 +23,7 @@ module Saml2
 
     # Initialize and register a new artifact resolver.
     #
-    # @param [string] source_id An opaque identifier used by the IDP
+    # @param [string] source_id An opacque identifier used by the IDP
     #   to identify artifact that can be resolved by this service.
     #
     # @param [string] resolution_service_uri The URI that will resolve
@@ -80,12 +80,11 @@ module Saml2
     #   response do not match the idp_id for this source.
     def resolve(artifact)
       soap_body = request_document_for(artifact)
-      logger.info{"ArtifactResolve request body:\n#{soap_body.gsub(/^/, "\t")}"}
+      logger.debug{"ArtifactResolve request body:\n#{soap_body.gsub(/^/, "\t")}"}
       resp = http.resource(resolution_service_uri).post(soap_body,
                                                         'Accept' => 'application/soap+xml', 
                                                         'Content-Type' => 'application/soap+xml')
 
-      logger.info{"ArtifactResolve response body:\n#{resp.gsub(/^/, "\t")}"}
       doc = Nokogiri::XML.parse(resp.body)
       assert_successful_response(doc)
 

data/lib/saml2/assertion.rb

@@ -1,5 +1,6 @@
 require 'nokogiri'
 require 'saml2/artifact_resolver'
+require 'signed_xml'
 
 module Saml2
   class InvalidAssertionError < ArgumentError
@@ -60,8 +61,13 @@ module Saml2
             else
               Nokogiri::XML.parse(xml_assertion)
             end
-      logger.debug {"Parsing assertion: \n" + doc.to_xml(:indent => 2).gsub(/^/, "\t")}
+      logger.info {"Parsing assertion: \n" + doc.to_xml(:indent => 2).gsub(/^/, "\t")}
 
+      # We can't use the helpful #issuer_from until the 'asrt' namespace is defined,
+      # but we can't add that definition without breaking signature verification.
+      # This is sad.
+      issuer = doc.at_xpath('//saml2:Assertion/saml2:Issuer', saml2: "urn:oasis:names:tc:SAML:2.0:assertion").text.strip
+      verify(doc) if Saml2::Issuer(issuer).verify_signatures?
 
       doc.root.add_namespace_definition('asrt', 'urn:oasis:names:tc:SAML:2.0:assertion')
 
@@ -86,6 +92,11 @@ module Saml2
       attributes[attr_name.to_s]
     end
 
+    def self.verify(doc)
+      signed_doc = SignedXml::Document(doc)
+      raise "SAML assertion failed verification" unless signed_doc.is_verified?(SamlSp::CertificateStore)
+    end
+
     protected
     
     attr_reader :attributes

data/lib/saml2/authn_request.rb

@@ -0,0 +1,26 @@
+module Saml2
+  class AuthnRequest
+    attr_reader :issuer, :id, :issue_instant, :assertion_consumer_service_url
+
+    def initialize(attrs = {})
+      @issuer = attrs.fetch(:issuer)
+      @id = SecureRandom.uuid
+      @issue_instant = Time.now.utc.strftime('%FT%TZ')
+      @assertion_consumer_service_url = attrs[:assertion_consumer_service_url]
+    end
+
+    def to_xml
+      Nokogiri::XML::Builder.new do |xml|
+        xml.AuthnRequest('xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
+                         'xmlns:saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+                         'ID' => id,
+                         'Version' => '2.0',
+                         'IssueInstant' => issue_instant,
+                         'AssertionConsumerServiceURL' => assertion_consumer_service_url) do
+          xml.parent.namespace = xml.parent.namespace_definitions.find {|ns| ns.prefix == 'samlp'} # Necessary to output namespace prefix on root element.
+          xml['saml'].Issuer issuer
+        end
+      end.to_xml
+    end
+  end
+end

data/lib/saml2/issuer.rb

@@ -0,0 +1,35 @@
+module Saml2
+  NoSuchIssuerError = Class.new(StandardError)
+
+  class Issuer
+    attr_reader :id, :verify_signatures
+
+    def initialize(id, verify_signatures)
+      @id = id
+      @verify_signatures = verify_signatures
+
+      IssuerRegistry.register self
+    end
+
+    def verify_signatures?
+      verify_signatures
+    end
+  end
+
+  def self.Issuer(id)
+    if IssuerRegistry.has_key? id
+      IssuerRegistry[id]
+    else
+      raise NoSuchIssuerError, "No Issuer registered with id [#{id}]"
+    end
+  end
+
+  IssuerRegistry = Class.new(Hash) do
+    include SamlSp::Logging
+
+    def register(issuer)
+      self[issuer.id] = issuer
+      logger.info "saml-sp: #{issuer.inspect}' registered"
+    end
+  end.new
+end

data/lib/saml2.rb

@@ -2,6 +2,8 @@ module Saml2
   autoload :Type4Artifact,             'saml2/type4_artifact'
   autoload :Assertion,                 'saml2/assertion'
   autoload :ArtifactResolver,          'saml2/artifact_resolver'
+  autoload :AuthnRequest,              'saml2/authn_request'
+  autoload :Issuer,                    'saml2/issuer'
 end
 
 

data/lib/saml_sp/config.rb

@@ -60,6 +60,11 @@ METHOD
       dsl = ResolutionSerivceConfig.new
       dsl.interpret(blk)
     end
+
+    def issuer(&blk)
+      dsl = IssuerConfig.new
+      dsl.interpret(blk)
+    end
   end 
    
 
@@ -111,6 +116,23 @@ METHOD
       (@realm || @promiscuous) && @user_id && @password
     end
   end
+
+  class IssuerConfig < ConfigBlock
+    config_item :id
+    config_item :verify_signatures
+
+    def interpret(blk, filename = nil)
+      super
+
+      raise ConfigurationError, "Incomplete Issuer configuration" unless valid?
+
+      Saml2::Issuer.new(@id, @verify_signatures)
+    end
+
+    def valid?
+      @id && !@verify_signatures.nil?
+    end
+  end
 end
 
 # Copyright (c) 2010 OpenLogic

data/spec/saml2/artifact_resolver_spec.rb

@@ -22,6 +22,8 @@ describe Saml2::ArtifactResolver do
     before do 
       @resolver = Saml2::ArtifactResolver.new('a-source-id', 'https://idp.invalid/resolution-service', 'http://idp.invalid', 'http://sp.invalid')
       @resolver.basic_auth_credentials('myuserid', 'mypasswd', 'myrealm')
+      # register issuer which doesn't require verification
+      Saml2::Issuer.new(@resolver.idp_id, false)
 
       @artifact = Saml2::Type4Artifact.new(0, '01234567890123456789', 'abcdefghijklmnopqrst')
       FakeWeb.register_uri(:post, 'https://idp.invalid/resolution-service', :body => SUCCESSFUL_SAML_RESP)

data/spec/saml2/assertion_spec.rb

@@ -146,6 +146,9 @@ describe Saml2::Assertion do
         </SOAP-ENV:Body>
         </SOAP-ENV:Envelope> 
       XML
+
+      # register issuer which doesn't require verification
+      Saml2::Issuer.new('https://idp.invalid', false)
     end
 
     def self.it_should_extract(prop, expected_value)

data/spec/saml_sp/config_spec.rb

@@ -201,6 +201,30 @@ describe SamlSp::Config do
     end
   end
 
+  describe "valid issuer description" do
+    before do
+      @dsl = SamlSp::Config.new
+      @issuer = @dsl.interpret(<<-CONFIG)
+          issuer {
+            id "http://sso.example.org"
+            verify_signatures true
+          }
+        CONFIG
+    end
+
+    it "should build an issuer" do 
+      @issuer.should be_kind_of(Saml2::Issuer)
+    end
+
+    it "should build an issuer with correct id" do
+      @issuer.id.should == 'http://sso.example.org'
+    end
+
+    it "should build an issuer with correct verify_signatures setting" do
+      @issuer.verify_signatures?.should be true
+    end
+  end
+
   it "should raise error on missing source_id" do  
     lambda {
       @dsl.interpret(<<-CONFIG)
@@ -290,6 +314,26 @@ describe SamlSp::Config do
     }.should raise_error SamlSp::ConfigurationError
   end
 
+  it "should raise error on missing issuer id" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          issuer {
+            verify_signatures true
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
+  it "should raise error on missing verify_signatures setting" do 
+    lambda {
+      @dsl.interpret(<<-CONFIG)
+          issuer {
+            id "http://sso.example.org"
+          }
+        CONFIG
+    }.should raise_error SamlSp::ConfigurationError
+  end
+
 end
 
 

metadata

@@ -1,17 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: openlogic-saml-sp
 version: !ruby/object:Gem::Version
-  version: 3.1.3
-  prerelease: 
+  version: 4.0.0.alpha.1
+  prerelease: 6
 platform: ruby
 authors:
 - OpenLogic
 - Peter Williams
 - Glen Aultman-Bettridge
+- Todd Thomas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-27 00:00:00.000000000 Z
+date: 2013-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -29,6 +30,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: signed_xml
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: openlogic-resourceful
   requirement: !ruby/object:Gem::Requirement
@@ -63,6 +80,22 @@ dependencies:
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.12'
+- !ruby/object:Gem::Dependency
+  name: fakeweb
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
@@ -78,7 +111,9 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: 
-email: gbettridge@openlogic.com
+email:
+- gbettridge@openlogic.com
+- todd.thomas@openlogic.com
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -94,6 +129,8 @@ files:
 - lib/saml2.rb
 - lib/saml2/artifact_resolver.rb
 - lib/saml2/assertion.rb
+- lib/saml2/authn_request.rb
+- lib/saml2/issuer.rb
 - lib/saml2/type4_artifact.rb
 - lib/saml2/unexpected_type_code_error.rb
 - lib/saml_sp/config.rb
@@ -103,7 +140,7 @@ files:
 - spec/saml2/type4_artifact_spec.rb
 - spec/saml_sp/config_spec.rb
 - spec/spec_helper.rb
-homepage: 
+homepage: https://github.com/openlogic/saml-sp
 licenses: []
 post_install_message: 
 rdoc_options: []
@@ -118,12 +155,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: SAML 2.0 SSO Sevice Provider Library