rack-saml 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +5 -5
- data/config/rack-saml.yml +2 -0
- data/lib/rack/saml/response/onelogin_response.rb +12 -2
- data/lib/rack/saml.rb +22 -15
- data/lib/rack-saml/version.rb +1 -1
- data/rack-saml.gemspec +1 -0
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 814e3162772ca1b7deea5751c77af1fa07b969c4
|
|
4
|
+
data.tar.gz: 7ead1385a2a3b93c4e74b269d2f764bca77c8bce
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 06a068a3c5ae379525c365abf7096dec77013be2d722e66baf62019135d93297258b25af3a805b283139d01e125dfb834c5dfe1f47f6d23c7f3f169c15889abb
|
|
7
|
+
data.tar.gz: 71382a6922efbeb60ce3284720c114a1e2e1764ab03115857cb0fed51f2059488413628199c116f09e3bd49aeac4156fa1027fa3026a1cbaf0ca12319fc5b234
|
data/README.md
CHANGED
|
@@ -10,6 +10,7 @@ rack-saml uses external libraries to generate and validate SAML AuthnRequest/Res
|
|
|
10
10
|
## Changes
|
|
11
11
|
|
|
12
12
|
* version 0.0.2: SP session is supported using Rack::Session for Rack applications and ActionDispatch::Session for Rails applications.
|
|
13
|
+
* version 0.1.1: Update to fit newer ruby-saml.
|
|
13
14
|
|
|
14
15
|
## Limitations
|
|
15
16
|
|
|
@@ -19,15 +20,12 @@ Current implementation supports only Onelogin SAML assertion handler. It does no
|
|
|
19
20
|
|
|
20
21
|
## Getting Started
|
|
21
22
|
|
|
22
|
-
### Installation
|
|
23
|
-
|
|
24
|
-
% gem install rack-saml
|
|
25
|
-
|
|
26
|
-
### Setup Gemfile
|
|
23
|
+
### Setup Gemfile and Installation
|
|
27
24
|
|
|
28
25
|
% cd rails-app
|
|
29
26
|
% vi Gemfile
|
|
30
27
|
gem 'rack-saml'
|
|
28
|
+
% bundle install
|
|
31
29
|
|
|
32
30
|
### Setup Rack::Saml middleware
|
|
33
31
|
|
|
@@ -103,6 +101,8 @@ Configuration to set SAML parameters. At least, you must configure saml_idp or s
|
|
|
103
101
|
* *saml_sp*: Set the SAML SP's entity ID
|
|
104
102
|
* *sp_cert*: path to the SAML SP's certificate file, e.g. cert.pem (AuthnRequest Signing and Response Encryption are not supported yet)
|
|
105
103
|
* *sp_key*: path to the SAML SP's key file, e.g. key.pem (AuthnRequest Signing and Response Encryption are not supported yet)
|
|
104
|
+
* *allowed_clock_drift*: A clock margin (second) for checking NotBefore condition specified in a SAML Response (default: 0 seconds, 60 second may be good for local test).
|
|
105
|
+
* *validation_error*: If set to true, a detailed reason of SAML response validation error will be shown on the browser (true/false)
|
|
106
106
|
|
|
107
107
|
If not set explicitly, SAML SP's entity ID (saml_sp) is automatically generated from request URI and /rack-saml-sp (fixed path name). The Assertion Consumer Service URI is generated from request URI and protected_path.
|
|
108
108
|
|
data/config/rack-saml.yml
CHANGED
|
@@ -8,12 +8,22 @@ module Rack
|
|
|
8
8
|
|
|
9
9
|
def initialize(request, config, metadata)
|
|
10
10
|
super(request, config, metadata)
|
|
11
|
-
@response = OneLogin::RubySaml::Response.new(@request.params['SAMLResponse']
|
|
11
|
+
@response = OneLogin::RubySaml::Response.new(@request.params['SAMLResponse'], {
|
|
12
|
+
:allowed_clock_drift => config['allowed_clock_drift']
|
|
13
|
+
})
|
|
12
14
|
@response.settings = saml_settings
|
|
13
15
|
end
|
|
14
16
|
|
|
15
17
|
def is_valid?
|
|
16
|
-
|
|
18
|
+
begin
|
|
19
|
+
if config['validation_error']
|
|
20
|
+
@response.validate!
|
|
21
|
+
else
|
|
22
|
+
@response.is_valid?
|
|
23
|
+
end
|
|
24
|
+
rescue OneLogin::RubySaml::ValidationError => e
|
|
25
|
+
raise ValidationError.new(e.message)
|
|
26
|
+
end
|
|
17
27
|
end
|
|
18
28
|
|
|
19
29
|
def attributes
|
data/lib/rack/saml.rb
CHANGED
|
@@ -18,15 +18,15 @@ module Rack
|
|
|
18
18
|
# 'rack_saml' => {
|
|
19
19
|
# 'ds.session' => {
|
|
20
20
|
# 'sid' => temporally_generated_hash,
|
|
21
|
-
# '
|
|
21
|
+
# 'expires_at' => xxxxx # timestamp
|
|
22
22
|
# }
|
|
23
23
|
# 'saml_authreq.session' => {
|
|
24
24
|
# 'sid' => temporally_generated_hash,
|
|
25
|
-
# '
|
|
25
|
+
# 'expires_at' => xxxxx # timestamp
|
|
26
26
|
# }
|
|
27
27
|
# 'saml_res.session' => {
|
|
28
28
|
# 'sid' => temporally_generated_hash,
|
|
29
|
-
# '
|
|
29
|
+
# 'expires_at' => xxxxx # timestamp,
|
|
30
30
|
# 'env' => {}
|
|
31
31
|
# }
|
|
32
32
|
# }
|
|
@@ -36,6 +36,9 @@ module Rack
|
|
|
36
36
|
autoload "MetadataHandler", 'rack/saml/metadata_handler'
|
|
37
37
|
autoload "ResponseHandler", 'rack/saml/response_handler'
|
|
38
38
|
|
|
39
|
+
class ValidationError < StandardError
|
|
40
|
+
end
|
|
41
|
+
|
|
39
42
|
def default_config_path(config_file)
|
|
40
43
|
::File.expand_path("../../../config/#{config_file}", __FILE__)
|
|
41
44
|
end
|
|
@@ -112,7 +115,7 @@ module Rack
|
|
|
112
115
|
sid = generate_sid
|
|
113
116
|
end
|
|
114
117
|
@session["#{type}.session"]['sid'] = sid
|
|
115
|
-
@session["#{type}.session"]['
|
|
118
|
+
@session["#{type}.session"]['expires_at'] = period
|
|
116
119
|
@session["#{type}.session"]
|
|
117
120
|
end
|
|
118
121
|
|
|
@@ -127,11 +130,11 @@ module Rack
|
|
|
127
130
|
def is_valid?(type, sid = nil)
|
|
128
131
|
session = @session["#{type}.session"]
|
|
129
132
|
return false if session['sid'].nil? # no valid session
|
|
130
|
-
if session['
|
|
133
|
+
if session['expires_at'].nil? # no expiration
|
|
131
134
|
return true if sid.nil? # no sid check
|
|
132
135
|
return true if session['sid'] == sid # sid check
|
|
133
136
|
else
|
|
134
|
-
if Time.now < Time.parse(session['
|
|
137
|
+
if Time.now < Time.parse(session['expires_at'].to_s) # before expiration
|
|
135
138
|
return true if sid.nil? # no sid check
|
|
136
139
|
return true if session['sid'] == sid # sid check
|
|
137
140
|
end
|
|
@@ -190,15 +193,19 @@ module Rack
|
|
|
190
193
|
elsif request.request_method == 'POST' && match_protected_path?(request) # process Response
|
|
191
194
|
if session.is_valid?('saml_authreq')
|
|
192
195
|
handler = ResponseHandler.new(request, @config, @metadata['idp_lists'][@config['saml_idp']])
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
196
|
+
begin
|
|
197
|
+
if handler.response.is_valid?
|
|
198
|
+
session.finish('saml_authreq')
|
|
199
|
+
session.start('saml_res', @config['saml_sess_timeout'] || 1800)
|
|
200
|
+
handler.extract_attrs(env, session, @attribute_map)
|
|
201
|
+
return Rack::Response.new.tap { |r|
|
|
202
|
+
r.redirect request.url
|
|
203
|
+
}.finish
|
|
204
|
+
else
|
|
205
|
+
return create_response(403, 'text/html', 'SAML Error: Invalid SAML response.')
|
|
206
|
+
end
|
|
207
|
+
rescue ValidationError => e
|
|
208
|
+
return create_response(403, 'text/html', "SAML Error: Invalid SAML response.<br/>Reason: #{e.message}")
|
|
202
209
|
end
|
|
203
210
|
else
|
|
204
211
|
return create_response(500, 'text/html', 'No valid AuthnRequest session.')
|
data/lib/rack-saml/version.rb
CHANGED
data/rack-saml.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Toyokazu Akiyama
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-11-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '0'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '0'
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: ruby-saml
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|