rack-saml 0.0.2 → 0.0.3

data/Gemfile.lock

@@ -0,0 +1,24 @@
+PATH
+  remote: .
+  specs:
+    rack-saml (0.0.3)
+      ruby-saml (~> 0.4.7)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    canonix (0.1.5)
+    macaddr (1.5.0)
+      systemu (>= 2.4.0)
+    ruby-saml (0.4.7)
+      canonix (~> 0.1)
+      uuid (~> 2.3)
+    systemu (2.5.0)
+    uuid (2.3.5)
+      macaddr (~> 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rack-saml!

data/README.md

@@ -1,6 +1,6 @@
-# SAML (Shibboleth SP) middleware for Rack
+# SAML (Shibboleth) SP middleware for Rack
 
-This project is deeply inspired by rack-shibboleth and ruby-saml. It is recommended to use the defact SAML implementation such as OpenSAML from the security or the functional aspect. However, there are also requirements to use SAML for light weight applications implemented by Ruby. rack-shibboleth may be a candidate to support such kind of objective. However it lacks the configurability to fit OmniAuth and OmniAuth Shibboleth Strategy. It also lacks the upgrade path to the secure and the stable SAML implementation like OpenSAML. So thus I just implemented a prototype to support SAML (Shibboleth SP) for Rack middleware.
+This project is deeply inspired by rack-shibboleth and ruby-saml. It is recommended to use the de facto SAML implementation such as OpenSAML from the security or the functional aspect. However, there are also requirements to use SAML for light weight applications implemented by Ruby. rack-shibboleth may be a candidate to support such kind of objective. However it lacks the configurability to fit OmniAuth and OmniAuth Shibboleth Strategy. It also lacks the upgrade path to the secure and the stable SAML implementation like OpenSAML. So thus I just implemented a prototype to support SAML (Shibboleth SP) for Rack middleware.
 
 OmniAuth Shibboleth Strategy
 https://github.com/toyokazu/omniauth-shibboleth
@@ -33,7 +33,7 @@ Current implementation supports only Onelogin SAML assertion handler. It does no
 
 Rack::Saml uses Rack::Session functions. You have to insert Rack::Session before Rack::Saml middleware. Rack::Session::Cookie is used in the following examples because it is easiest to setup and scale. You can use the other Rack::Session implementation. In a Rails application, it uses ActionDispatch::Session which is compatible with Rack::Session by default. So thus, you do not need to add Rack::Session in the Rails application.
 
-#### For Rack applicaitons
+**For Rack applicaitons**
 
 In the following example, config.ru is used to add Rack::Saml middleware into a Rails application.
 
@@ -43,7 +43,7 @@ In the following example, config.ru is used to add Rack::Saml middleware into a
                      :metadata => "#{Rails.root}/config/metadata.yml",
                      :attribute_map => "#{Rails.root}/config/attribute-map.yml"}
 
-#### For Ralis applications
+**For Ralis applications**
 
 In the following example, config/application.rb is used to Rack::Saml middleware into a Rails application.
 
@@ -55,11 +55,11 @@ In the following example, config/application.rb is used to Rack::Saml middleware
                                        :attribute_map => "#{Rails.root}/config/attribute-map.yml"}
     ...
 
-#### Middleware options
+**Middleware options**
 
-* *:config* path to rack-saml.yml file
-* *:metadata* path to metadata.yml file
-* *:attribute_map* path to attribute-map.yml file
+* *:config*: path to rack-saml.yml file
+* *:metadata*: path to metadata.yml file
+* *:attribute_map*: path to attribute-map.yml file
 
 If you just want to test Rack::Saml, you can ommit middleware options in the both example (config.ru or config/application.rb).
 
@@ -73,25 +73,25 @@ Rack::Saml uses default configurations located in the rack-saml gem path.
 
 Please copy them to an arbitrary directory and edit them if you need. If you want to use your customized configuration file, do not forget to specify the configuration file path by middleware options.
 
-#### Configuration files
+**Configuration files**
 
 You can find default configuration files at
 
     $GEM_HOME/rack-saml-x.x.x/config/xxx.yml
 
-##### rack-saml.yml
+**rack-saml.yml**
 
 Configuration to set SAML parameters. At least, you must configure saml_idp or shib_ds. They depends on your environments.
 
-* *protected_path* path name where rack-saml protects, e.g. /auth/shibboleth/callback (default path for OmniAuth Shibboleth Strategy)
-* *metadata_path* the path name where SP's metadata is generated
-* *assertion_handler* 'onelogin' / 'opensaml' (not implemented yet)
-* *saml_idp* IdP's entity ID which is used to authenticate user. This parameter can be omitted when you use Shibboleth Discovery Service (shib_ds).
-* *saml_sess_timeout* SP session timeout (default: 1800 seconds)
-* *shib_app_id* If you want to use the middleware as Shibboleth SP, you should specify an application ID. In the Shibboleth SP default configuration, 'default' is used as the application ID.
-* *shib_ds* If you want to use the middleware as Shibboleth SP and use discovery service, specify the uri of the Discovery Service.
-* *sp_cert* path to the SAML SP's certificate file, e.g. cert.pem (AuthnRequest Signing and Response Encryption are not supported yet)
-* *sp_key* path to the SAML SP's key file, e.g. key.pem (AuthnRequest Signing and Response Encryption are not supported yet)
+* *protected_path*: path name where rack-saml protects, e.g. /auth/shibboleth/callback (default path for OmniAuth Shibboleth Strategy)
+* *metadata_path*: the path name where SP's metadata is generated
+* *assertion_handler*: 'onelogin' / 'opensaml' (not implemented yet)
+* *saml_idp*: IdP's entity ID which is used to authenticate user. This parameter can be omitted when you use Shibboleth Discovery Service (shib_ds).
+* *saml_sess_timeout*: SP session timeout (default: 1800 seconds)
+* *shib_app_id*: If you want to use the middleware as Shibboleth SP, you should specify an application ID. In the Shibboleth SP default configuration, 'default' is used as the application ID.
+* *shib_ds*: If you want to use the middleware as Shibboleth SP and use discovery service, specify the uri of the Discovery Service.
+* *sp_cert*: path to the SAML SP's certificate file, e.g. cert.pem (AuthnRequest Signing and Response Encryption are not supported yet)
+* *sp_key*: path to the SAML SP's key file, e.g. key.pem (AuthnRequest Signing and Response Encryption are not supported yet)
 
 SAML SP's entity ID (saml_sp) is automatically generated from request URI and /rack-saml-sp (fixed path name). The Assertion Consumer Service URI is generated from request URI and protected_path.
 
@@ -99,30 +99,30 @@ SAML SP's entity ID (saml_sp) is automatically generated from request URI and /r
     @config['saml_sp'] = "#{saml_sp_prefix}/rack-saml-sp"
     @config['assertion_consumer_service_uri'] = "#{saml_sp_prefix}#{@config['protected_path']}"
 
-##### metadata.yml
+**metadata.yml**
 
 To connect to an IdP, you must describe IdP's specification. In rack-saml, it should be written in metadata.yml. metadata.yml file include the following lists. You must generate your own metadata.yml by using conv_metadata.rb.
 
-* *idp_lists* list of IdP metadata
-* *sp_lists* list of SP metadata
+* *idp_lists*: list of IdP metadata
+* *sp_lists*: list of SP metadata
 
 idp_lists and sp_lists are hashes which have entity ids as key values.
 
 parameters of the idp_lists:
 
-* *certificate* base64 encoded certificate of IdP
-* *saml2_http_redirect* Location attribute of the IdP's assertion handler uri with HTTP Redirect Binding
+* *certificate*: base64 encoded certificate of IdP
+* *saml2_http_redirect*: Location attribute of the IdP's assertion handler uri with HTTP Redirect Binding
 
 parameters of the sp_lists (currently not used):
 
-* *certificate* base64 encoded certificate of SP
-* *saml2_http_post* Location attribute of the SP's assertion consumer uri with HTTP POST Binding
+* *certificate*: base64 encoded certificate of SP
+* *saml2_http_post*: Location attribute of the SP's assertion consumer uri with HTTP POST Binding
 
 These parameters are automatically extracted from SAML metadata (XML). You can use conv_metadata.rb command for extraction.
 
     % $GEM_HOME/rack-saml-x.x.x/bin/conv_metadata.rb metadata.xml > metadata.yml
 
-##### attribute-map.yml
+**attribute-map.yml**
 
 attribute-map.yml can extract attributes from SAML Response and put attributes on request environment variables. It is useful to pass attributes into applications. The configuration file format is as follows:
 
@@ -134,15 +134,15 @@ You can use default attribute-map.yml file. If you want to add new attributes, p
 
 ### Setup IdP to accept rack-saml SP
 
-#### SP Metadata generation
+**SP Metadata generation**
 
 To connect a new SP to the existing IdP, you need to import SP's metadata into the IdP. rack-saml provides metadata generation function. It is generated at '/Shibboleth.sso/Metadata' by default.
 
-#### IdP configuration examples not to encrypt assertion
+**IdP configuration examples not to encrypt assertion**
 
 Current rack-saml implementation does not support assertion encryption because Onelogin::Saml does not support AuthnRequest signing and Response encryption. So thus, in the followings, we would like to show sample configurations to disable encryption in IdP assertion processing. These are not recommended for sensitive applications.
 
-##### Shibboleth IdP example
+**Shibboleth IdP example**
 
 Add the following configuration after <rp:DefaultRelyingParty> in relying-party.xml. You should specify sp entity id at the 'id' and the 'provider' attributes.
 
@@ -157,7 +157,7 @@ Add the following configuration after <rp:DefaultRelyingParty> in relying-party.
 * write spec files
 * ruby-opensaml (I hope someone implement it :)
 
-## License
+## License (MIT License)
 
 Copyright (C) 2011 by Toyokazu Akiyama.
 

data/bin/conv_metadata.rb

@@ -15,7 +15,7 @@ file = File.new(ARGV[0])
 doc = REXML::Document.new(file)
 
 def get_list_type(elem)
-  if !elem.elements["IDPSSODescriptor"].nil?
+  if elem.elements.any? {|el| el.has_name?("IDPSSODescriptor")}
     return "idp_lists"
   end
   "sp_lists"
@@ -24,11 +24,17 @@ end
 def create_entity_hash(elem, list_type)
   case list_type
   when "idp_lists"
-    idp_elem = elem.elements["IDPSSODescriptor"]
+    idp_elem = elem.elements.find {|el| el.has_name?("IDPSSODescriptor")}
     # the first certificate is used
-    certificate = "-----BEGIN CERTIFICATE-----#{REXML::XPath.first(idp_elem, './/ds:X509Certificate', 'ds' => DS).text.gsub(/\s*$/, "")}\n-----END CERTIFICATE-----"
+    cert_elem = REXML::XPath.first(idp_elem, './/ds:X509Certificate', 'ds' => DS)
+    # reject an IdP without a certificate
+    if cert_elem.nil?
+      puts "specified metadata has an IdP without certificate!"
+      exit 1
+    end
+    certificate = "-----BEGIN CERTIFICATE-----#{cert_elem.text.gsub(/\s+$/, "")}\n-----END CERTIFICATE-----"
     saml2_http_redirect = nil
-    idp_elem.elements.each("SingleSignOnService") do |e|
+    idp_elem.elements.find_all {|el| el.has_name?("SingleSignOnService")}.each do |e|
       if e.attributes["Binding"] == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
         saml2_http_redirect = e.attributes["Location"]
       end
@@ -36,11 +42,14 @@ def create_entity_hash(elem, list_type)
     return {"certificate" => certificate,
             "saml2_http_redirect" => saml2_http_redirect}
   when "sp_lists"
-    sp_elem = elem.elements["SPSSODescriptor"]
+    sp_elem = elem.elements.find {|el| el.has_name?("SPSSODescriptor")}
+    #puts sp_elem.attributes["entityID"]
     # the first certificate is used
-    certificate = REXML::XPath.first(sp_elem, './/ds:X509Certificate', 'ds' => DS).text
+    # permit a SP without a certificate
+    cert_elem = REXML::XPath.first(sp_elem, './/ds:X509Certificate', 'ds' => DS)
+    certificate = cert_elem.nil? ? "" : "-----BEGIN CERTIFICATE-----\n#{cert_elem.text.gsub(/\s+$/, "")}\n-----END CERTIFICATE-----"
     saml2_http_post = nil
-    sp_elem.elements.each("AssertionConsumerService") do |e|
+    sp_elem.elements.find_all {|el| el.has_name?("AssertionConsumerService")}.each do |e|
       if e.attributes["Binding"] == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         saml2_http_post = e.attributes["Location"]
       end
@@ -57,12 +66,14 @@ def add_entities(entities, elem)
 end
 
 entities = {"idp_lists" => {}, "sp_lists" => {}}
-doc.elements.each("EntityDescriptor") do |elem|
+doc.elements.find_all {|el| el.has_name?("EntityDescriptor")}.each do |elem|
   add_entities(entities, elem)
 end
 
-doc.elements.each("EntitiesDescriptor/EntityDescriptor") do |elem|
-  add_entities(entities, elem)
+doc.elements.find_all {|el| el.has_name?("EntitiesDescriptor")}.each do |elem1|
+  elem1.elements.find_all {|el| el.has_name?("EntityDescriptor")}.each do |elem2|
+    add_entities(entities, elem2)
+  end
 end
 
 puts entities.to_yaml

data/lib/rack-saml/version.rb

@@ -1,6 +1,6 @@
 require 'rack'
 module Rack
   module Saml
-    VERSION = "0.0.2"
+    VERSION = "0.0.3"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-saml
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-01-06 00:00:00.000000000Z
+date: 2012-04-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-saml
-  requirement: &2154954560 !ruby/object:Gem::Requirement
+  requirement: &70354144248580 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,7 +21,7 @@ dependencies:
         version: 0.4.7
   type: :runtime
   prerelease: false
-  version_requirements: *2154954560
+  version_requirements: *70354144248580
 description: SAML middleware for Rack (using ruby-saml)
 email:
 - toyokazu@gmail.com
@@ -29,13 +29,13 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .README.md.swp
 - bin/conv_metadata.rb
 - config/attribute-map.yml
 - config/attribute-map.yml.sample
 - config/metadata.yml
 - config/rack-saml.yml
 - Gemfile
+- Gemfile.lock
 - lib/rack/saml/metadata/abstract_metadata.rb
 - lib/rack/saml/metadata/onelogin_metadata.rb
 - lib/rack/saml/metadata/opensaml_metadata.rb
@@ -75,9 +75,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.12
+rubygems_version: 1.8.17
 signing_key: 
 specification_version: 3
 summary: SAML middleware for Rack (using ruby-saml)
 test_files: []
-has_rdoc: