rack-saml 0.1.0 → 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -5
- data/config/rack-saml.yml +2 -0
- data/lib/rack/saml/response/onelogin_response.rb +12 -2
- data/lib/rack/saml.rb +22 -15
- data/lib/rack-saml/version.rb +1 -1
- data/rack-saml.gemspec +1 -0
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 814e3162772ca1b7deea5751c77af1fa07b969c4
|
|
4
|
+
data.tar.gz: 7ead1385a2a3b93c4e74b269d2f764bca77c8bce
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 06a068a3c5ae379525c365abf7096dec77013be2d722e66baf62019135d93297258b25af3a805b283139d01e125dfb834c5dfe1f47f6d23c7f3f169c15889abb
|
|
7
|
+
data.tar.gz: 71382a6922efbeb60ce3284720c114a1e2e1764ab03115857cb0fed51f2059488413628199c116f09e3bd49aeac4156fa1027fa3026a1cbaf0ca12319fc5b234
|
data/README.md
CHANGED
|
@@ -10,6 +10,7 @@ rack-saml uses external libraries to generate and validate SAML AuthnRequest/Res
|
|
|
10
10
|
## Changes
|
|
11
11
|
|
|
12
12
|
* version 0.0.2: SP session is supported using Rack::Session for Rack applications and ActionDispatch::Session for Rails applications.
|
|
13
|
+
* version 0.1.1: Update to fit newer ruby-saml.
|
|
13
14
|
|
|
14
15
|
## Limitations
|
|
15
16
|
|
|
@@ -19,15 +20,12 @@ Current implementation supports only Onelogin SAML assertion handler. It does no
|
|
|
19
20
|
|
|
20
21
|
## Getting Started
|
|
21
22
|
|
|
22
|
-
### Installation
|
|
23
|
-
|
|
24
|
-
% gem install rack-saml
|
|
25
|
-
|
|
26
|
-
### Setup Gemfile
|
|
23
|
+
### Setup Gemfile and Installation
|
|
27
24
|
|
|
28
25
|
% cd rails-app
|
|
29
26
|
% vi Gemfile
|
|
30
27
|
gem 'rack-saml'
|
|
28
|
+
% bundle install
|
|
31
29
|
|
|
32
30
|
### Setup Rack::Saml middleware
|
|
33
31
|
|
|
@@ -103,6 +101,8 @@ Configuration to set SAML parameters. At least, you must configure saml_idp or s
|
|
|
103
101
|
* *saml_sp*: Set the SAML SP's entity ID
|
|
104
102
|
* *sp_cert*: path to the SAML SP's certificate file, e.g. cert.pem (AuthnRequest Signing and Response Encryption are not supported yet)
|
|
105
103
|
* *sp_key*: path to the SAML SP's key file, e.g. key.pem (AuthnRequest Signing and Response Encryption are not supported yet)
|
|
104
|
+
* *allowed_clock_drift*: A clock margin (second) for checking NotBefore condition specified in a SAML Response (default: 0 seconds, 60 second may be good for local test).
|
|
105
|
+
* *validation_error*: If set to true, a detailed reason of SAML response validation error will be shown on the browser (true/false)
|
|
106
106
|
|
|
107
107
|
If not set explicitly, SAML SP's entity ID (saml_sp) is automatically generated from request URI and /rack-saml-sp (fixed path name). The Assertion Consumer Service URI is generated from request URI and protected_path.
|
|
108
108
|
|
data/config/rack-saml.yml
CHANGED
|
@@ -8,12 +8,22 @@ module Rack
|
|
|
8
8
|
|
|
9
9
|
def initialize(request, config, metadata)
|
|
10
10
|
super(request, config, metadata)
|
|
11
|
-
@response = OneLogin::RubySaml::Response.new(@request.params['SAMLResponse']
|
|
11
|
+
@response = OneLogin::RubySaml::Response.new(@request.params['SAMLResponse'], {
|
|
12
|
+
:allowed_clock_drift => config['allowed_clock_drift']
|
|
13
|
+
})
|
|
12
14
|
@response.settings = saml_settings
|
|
13
15
|
end
|
|
14
16
|
|
|
15
17
|
def is_valid?
|
|
16
|
-
|
|
18
|
+
begin
|
|
19
|
+
if config['validation_error']
|
|
20
|
+
@response.validate!
|
|
21
|
+
else
|
|
22
|
+
@response.is_valid?
|
|
23
|
+
end
|
|
24
|
+
rescue OneLogin::RubySaml::ValidationError => e
|
|
25
|
+
raise ValidationError.new(e.message)
|
|
26
|
+
end
|
|
17
27
|
end
|
|
18
28
|
|
|
19
29
|
def attributes
|
data/lib/rack/saml.rb
CHANGED
|
@@ -18,15 +18,15 @@ module Rack
|
|
|
18
18
|
# 'rack_saml' => {
|
|
19
19
|
# 'ds.session' => {
|
|
20
20
|
# 'sid' => temporally_generated_hash,
|
|
21
|
-
# '
|
|
21
|
+
# 'expires_at' => xxxxx # timestamp
|
|
22
22
|
# }
|
|
23
23
|
# 'saml_authreq.session' => {
|
|
24
24
|
# 'sid' => temporally_generated_hash,
|
|
25
|
-
# '
|
|
25
|
+
# 'expires_at' => xxxxx # timestamp
|
|
26
26
|
# }
|
|
27
27
|
# 'saml_res.session' => {
|
|
28
28
|
# 'sid' => temporally_generated_hash,
|
|
29
|
-
# '
|
|
29
|
+
# 'expires_at' => xxxxx # timestamp,
|
|
30
30
|
# 'env' => {}
|
|
31
31
|
# }
|
|
32
32
|
# }
|
|
@@ -36,6 +36,9 @@ module Rack
|
|
|
36
36
|
autoload "MetadataHandler", 'rack/saml/metadata_handler'
|
|
37
37
|
autoload "ResponseHandler", 'rack/saml/response_handler'
|
|
38
38
|
|
|
39
|
+
class ValidationError < StandardError
|
|
40
|
+
end
|
|
41
|
+
|
|
39
42
|
def default_config_path(config_file)
|
|
40
43
|
::File.expand_path("../../../config/#{config_file}", __FILE__)
|
|
41
44
|
end
|
|
@@ -112,7 +115,7 @@ module Rack
|
|
|
112
115
|
sid = generate_sid
|
|
113
116
|
end
|
|
114
117
|
@session["#{type}.session"]['sid'] = sid
|
|
115
|
-
@session["#{type}.session"]['
|
|
118
|
+
@session["#{type}.session"]['expires_at'] = period
|
|
116
119
|
@session["#{type}.session"]
|
|
117
120
|
end
|
|
118
121
|
|
|
@@ -127,11 +130,11 @@ module Rack
|
|
|
127
130
|
def is_valid?(type, sid = nil)
|
|
128
131
|
session = @session["#{type}.session"]
|
|
129
132
|
return false if session['sid'].nil? # no valid session
|
|
130
|
-
if session['
|
|
133
|
+
if session['expires_at'].nil? # no expiration
|
|
131
134
|
return true if sid.nil? # no sid check
|
|
132
135
|
return true if session['sid'] == sid # sid check
|
|
133
136
|
else
|
|
134
|
-
if Time.now < Time.parse(session['
|
|
137
|
+
if Time.now < Time.parse(session['expires_at'].to_s) # before expiration
|
|
135
138
|
return true if sid.nil? # no sid check
|
|
136
139
|
return true if session['sid'] == sid # sid check
|
|
137
140
|
end
|
|
@@ -190,15 +193,19 @@ module Rack
|
|
|
190
193
|
elsif request.request_method == 'POST' && match_protected_path?(request) # process Response
|
|
191
194
|
if session.is_valid?('saml_authreq')
|
|
192
195
|
handler = ResponseHandler.new(request, @config, @metadata['idp_lists'][@config['saml_idp']])
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
196
|
+
begin
|
|
197
|
+
if handler.response.is_valid?
|
|
198
|
+
session.finish('saml_authreq')
|
|
199
|
+
session.start('saml_res', @config['saml_sess_timeout'] || 1800)
|
|
200
|
+
handler.extract_attrs(env, session, @attribute_map)
|
|
201
|
+
return Rack::Response.new.tap { |r|
|
|
202
|
+
r.redirect request.url
|
|
203
|
+
}.finish
|
|
204
|
+
else
|
|
205
|
+
return create_response(403, 'text/html', 'SAML Error: Invalid SAML response.')
|
|
206
|
+
end
|
|
207
|
+
rescue ValidationError => e
|
|
208
|
+
return create_response(403, 'text/html', "SAML Error: Invalid SAML response.<br/>Reason: #{e.message}")
|
|
202
209
|
end
|
|
203
210
|
else
|
|
204
211
|
return create_response(500, 'text/html', 'No valid AuthnRequest session.')
|
data/lib/rack-saml/version.rb
CHANGED
data/rack-saml.gemspec
CHANGED
metadata
CHANGED
|
@@ -1,15 +1,29 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Toyokazu Akiyama
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2014-
|
|
11
|
+
date: 2014-11-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '0'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '0'
|
|
13
27
|
- !ruby/object:Gem::Dependency
|
|
14
28
|
name: ruby-saml
|
|
15
29
|
requirement: !ruby/object:Gem::Requirement
|