ruby-saml-bekk 0.2.4

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,98 @@
+= Ruby SAML
+
+The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.
+
+SAML authorization is a two step process and you are expected to implement support for both.
+
+== The initialization phase
+
+This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
+
+    def initialize
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+
+Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+
+In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
+
+    def saml_settings
+      settings = Onelogin::Saml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
+      settings.issuer                         = request.host
+      settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+      settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+      settings
+    end
+
+What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
+
+  # This controller expects you to use the URLs /saml/initialize and /saml/consume in your OneLogin application.
+  class SamlController < ApplicationController
+    def initialize
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+
+    private
+
+    def saml_settings
+      settings = Onelogin::Saml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+      settings.issuer                         = request.host
+      settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+      settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+      settings
+    end
+  end
+
+If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
+contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
+
+  response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+  response.settings = saml_settings
+
+  response.attributes[:username]
+
+
+= Full Example
+
+Please check https://github.com/onelogin/ruby-saml-example for a very basic sample Rails application using this gem.
+
+== Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,61 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "ruby-saml-bekk"
+    gem.summary = %Q{SAML Ruby Tookit}
+    gem.description = %Q{SAML toolkit for Ruby on Rails}
+    gem.email = "support@onelogin.com"
+    gem.homepage = "http://github.com/onelogin/ruby-saml"
+    gem.authors = ["OneLogin LLC"]
+    gem.add_dependency("xmlcanonicalizer","= 0.1.0")
+    gem.add_dependency("uuid","= 2.3.1")
+    gem.add_development_dependency "shoulda"
+    gem.add_development_dependency "mocha"
+    #gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/VERSION

@@ -0,0 +1 @@
+0.2.4

data/lib/onelogin/saml.rb

@@ -0,0 +1,6 @@
+require 'onelogin/saml/authrequest'
+require 'onelogin/saml/response'
+require 'onelogin/saml/settings'
+require 'onelogin/saml/entity_descriptor'
+
+

data/lib/onelogin/saml/authrequest.rb

@@ -0,0 +1,33 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+
+module Onelogin::Saml
+  class Authrequest
+    def create(settings, params = {})
+      uuid = UUID.new.generate
+      time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+      request =
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{uuid}\" Version=\"2.0\" IssueInstant=\"#{time}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings.assertion_consumer_service_url}\">" +
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings.issuer}</saml:Issuer>\n" +
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+        "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+        "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+        "</samlp:AuthnRequest>"
+
+      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+      base64_request    = Base64.encode64(deflated_request)
+      encoded_request   = CGI.escape(base64_request)
+      request_params    = "?SAMLRequest=" + encoded_request
+
+      params.each_pair do |key, value|
+        request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+      end
+
+      settings.idp_sso_target_url + request_params
+    end
+
+  end
+end

data/lib/onelogin/saml/entity_descriptor.rb

@@ -0,0 +1,19 @@
+require 'erb'
+
+module Onelogin::Saml
+  class EntityDescription
+    def initialize()
+      url = "entity_descriptor.xml.erb"
+      @template = File.read(File.join(File.dirname(__FILE__), url))
+    end
+
+    def generate(values)
+      entity_id = values["entity_id"]
+      name_id_format = values["name_id_format"]
+      assertion_consumer_service_location = values["assertion_consumer_service_location"]
+
+      erb = ERB.new(@template)
+      erb.result(binding)
+    end
+  end
+end

data/lib/onelogin/saml/entity_descriptor.xml.erb

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<%= entity_id %>">
+ <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+   <NameIDFormat><%= name_id_format %></NameIDFormat>
+   <AssertionConsumerService
+    isDefault="true"
+    index="0"
+    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+    Location="<%= assertion_consumer_service_location %>"/>
+ </SPSSODescriptor>
+ <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+ <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+</EntityDescriptor>

data/lib/onelogin/saml/response.rb

@@ -0,0 +1,56 @@
+require "xml_security"
+require "time"
+
+module Onelogin::Saml
+  class Response
+    attr_accessor :response, :document, :logger, :settings
+
+    def initialize(response)
+      raise ArgumentError.new("Response cannot be nil") if response.nil?
+      self.response = response
+      self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+    end
+
+    def is_valid?
+      return false if response.empty?
+      return false if settings.nil?
+      return false if settings.idp_cert_fingerprint.nil?
+
+      document.validate(settings.idp_cert_fingerprint, logger)
+    end
+
+    # The value of the user identifier as designated by the initialization request response
+    def name_id
+      @name_id ||= document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text
+    end
+
+    # A hash of alle the attributes with the response. Assuming there is onlye one value for each key
+    def attributes
+      saml_attribute_statements = document.elements["/samlp:Response/saml:Assertion/saml:AttributeStatement"].elements
+      statements = saml_attribute_statements.map do |child|
+        child.attributes.map do |key, attribute|
+          [attribute, child.elements.first.text]
+        end
+      end
+
+      hash = Hash[statements.flatten(1)]
+      @attributes ||= make_hash_access_indiferent(hash)
+    end
+
+    # When this user session should expire at latest
+    def session_expires_at
+      @expires_at ||= Time.parse(document.elements["/samlp:Response/saml:Assertion/saml:AuthnStatement"].attributes["SessionNotOnOrAfter"])
+    end
+
+  private
+
+    def make_hash_access_indiferent(hash)
+      sym_hash = {}
+      hash.each  do |key, value|
+        sym_hash[key.intern] = value
+      end
+
+      sym_hash.merge(hash)
+    end
+  end
+end

data/lib/onelogin/saml/settings.rb

@@ -0,0 +1,6 @@
+module Onelogin::Saml
+  class Settings
+    attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
+    attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
+  end
+end

data/lib/ruby-saml.rb

@@ -0,0 +1,5 @@
+module Onelogin
+end
+
+require 'onelogin/saml'
+

data/lib/xml_security.rb

@@ -0,0 +1,91 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+
+    def validate (idp_cert_fingerprint, logger = nil)
+      # get cert from response
+      base64_cert             = self.elements["//ds:X509Certificate"].text
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+      # check cert matches registered idp cert
+      fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
+      valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+
+      return valid_flag if !valid_flag
+
+      validate_doc(base64_cert, logger)
+    end
+
+    def validate_doc(base64_cert, logger)
+      # validate references
+
+      # remove signature node
+      sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      sig_element.remove
+
+      #check digests
+      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |
+
+        uri                   = ref.attributes.get_attribute("URI").value
+        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
+        canon_hashed_element  = canoner.canonicalize(hashed_element)
+        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+
+        valid_flag            = hash == digest_value
+
+        return valid_flag if !valid_flag
+      end
+
+      # verify signature
+      canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+      signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      canon_string            = canoner.canonicalize(signed_info_element)
+
+      base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+      signature               = Base64.decode64(base64_signature)
+
+      # get certificate object
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+      valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+
+      return valid_flag
+    end
+
+  end
+end

data/ruby-saml.gemspec

@@ -0,0 +1,71 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{ruby-saml-bekk}
+  s.version = "0.2.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["OneLogin LLC"]
+  s.date = %q{2011-02-21}
+  s.description = %q{SAML toolkit for Ruby on Rails}
+  s.email = %q{support@onelogin.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/onelogin/saml.rb",
+     "lib/onelogin/saml/authrequest.rb",
+     "lib/onelogin/saml/response.rb",
+     "lib/onelogin/saml/settings.rb",
+     "lib/ruby-saml.rb",
+     "lib/xml_security.rb",
+     "ruby-saml.gemspec",
+     "test/response.txt",
+     "test/ruby-saml_test.rb",
+     "test/test_helper.rb",
+     "test/xml_security_test.rb"
+  ]
+  s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{SAML Ruby Tookit}
+  s.test_files = [
+    "test/ruby-saml_test.rb",
+     "test/test_helper.rb",
+     "test/xml_security_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<xmlcanonicalizer>, ["= 0.1.0"])
+      s.add_runtime_dependency(%q<uuid>, ["= 2.3.1"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<mocha>, [">= 0"])
+    else
+      s.add_dependency(%q<xmlcanonicalizer>, ["= 0.1.0"])
+      s.add_dependency(%q<uuid>, ["= 2.3.1"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<mocha>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<xmlcanonicalizer>, ["= 0.1.0"])
+    s.add_dependency(%q<uuid>, ["= 2.3.1"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<mocha>, [">= 0"])
+  end
+end
+

data/test/response.txt

@@ -0,0 +1 @@
+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9IkdPU0FNTFIxMjkwMTE3NDU3MTc5NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTAtMTEtMThUMjE6NTc6MzdaIiBEZXN0aW5hdGlvbj0ie3JlY2lwaWVudH0iPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIiBJc3N1ZUluc3RhbnQ9IjIwMTAtMTEtMThUMjE6NTc6MzdaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvMTM1OTA8L3NhbWw6SXNzdWVyPg0KICAgIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgPGRzOlNpZ25lZEluZm8+DQogICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgICAgICAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhhNDY1NzRkZi1iM2IwLWEwNmEtMjNjOC02MzY0MTMxOTg3NzIiPg0KICAgICAgICAgIDxkczpUcmFuc2Zvcm1zPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+DQogICAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgICAgICAgPC9kczpUcmFuc2Zvcm1zPg0KICAgICAgICAgIDxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPg0KICAgICAgICAgIDxkczpEaWdlc3RWYWx1ZT5wSlE3TVMvZWs0S1JSV0dtdi9INDNSZUhZTXM9PC9kczpEaWdlc3RWYWx1ZT4NCiAgICAgICAgPC9kczpSZWZlcmVuY2U+DQogICAgICA8L2RzOlNpZ25lZEluZm8+DQogICAgICA8ZHM6U2lnbmF0dXJlVmFsdWU+eWl2ZUtjUGREcHVETmo2c2hyUTNBQndyL2NBM0NyeUQycGhHL3hMWnN6S1d4VTUvbWxhS3Q4ZXdiWk9kS0t2dE9zMnBIQnk1RHVhM2s5NEFGK3p4R3llbDVnT293bW95WEpyK0FPcitrUE8wdmxpMVY4bzNoUFBVWndSZ1NYNlE5cFMxQ3FRZ2hLaUVhc1J5eWxxcUpVYVBZem1Pek9FOC9YbE1rd2lXbU8wPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQogICAgICA8ZHM6S2V5SW5mbz4NCiAgICAgICAgPGRzOlg1MDlEYXRhPg0KICAgICAgICAgIDxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQnJUQ0NBYUdnQXdJQkFnSUJBVEFEQmdFQU1HY3hDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saE1SVXdFd1lEVlFRSERBeFRZVzUwWVNCTmIyNXBZMkV4RVRBUEJnTlZCQW9NQ0U5dVpVeHZaMmx1TVJrd0Z3WURWUVFEREJCaGNIQXViMjVsYkc5bmFXNHVZMjl0TUI0WERURXdNRE13T1RBNU5UZzBOVm9YRFRFMU1ETXdPVEE1TlRnME5Wb3daekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhGVEFUQmdOVkJBY01ERk5oYm5SaElFMXZibWxqWVRFUk1BOEdBMVVFQ2d3SVQyNWxURzluYVc0eEdUQVhCZ05WQkFNTUVHRndjQzV2Ym1Wc2IyZHBiaTVqYjIwd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFPalN1MWZqUHk4ZDV3NFF5TDEremQ0aEl3MU1ra2ZmNFdZL1RMRzhPWmtVNVlUU1dtbUhQRDVrdllINXVvWFMvNnFRODFxWHBSMndWOENUb3daSlVMZzA5ZGRSZFJuOFFzcWoxRnlPQzVzbEUzeTJiWjJvRnVhNzJvZi80OWZwdWpuRlQ2S25RNjFDQk1xbERvVFFxT1Q2MnZHSjhuUDZNWld2QTZzeHF1ZDVBZ01CQUFFd0F3WUJBQU1CQUE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgIDwvZHM6U2lnbmF0dXJlPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnN1cHBvcnRAb25lbG9naW4uY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiIgUmVjaXBpZW50PSJ7cmVjaXBpZW50fSIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTExLTE4VDIxOjUyOjM3WiIgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT57YXVkaWVuY2V9PC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOVQyMTo1NzozN1oiIFNlc3Npb25JbmRleD0iXzUzMWMzMmQyODNiZGZmN2UwNGU0ODdiY2RiYzRkZDhkIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5kZW1vPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhbm90aGVyX3ZhbHVlIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj52YWx1ZTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+DQo=

data/test/ruby-saml_test.rb

@@ -0,0 +1,136 @@
+require 'test_helper'
+
+class RubySamlTest < Test::Unit::TestCase
+
+  context "Settings" do
+    setup do
+      @settings = Onelogin::Saml::Settings.new
+    end
+    should "should provide getters and settings" do
+      accessors = [
+        :assertion_consumer_service_url, :issuer, :sp_name_qualifier, :sp_name_qualifier,
+        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
+      ]
+
+      accessors.each do |accessor|
+        value = Kernel.rand
+        @settings.send("#{accessor}=".to_sym, value)
+        assert_equal value, @settings.send(accessor)
+      end
+    end
+  end
+
+  context "Response" do
+    should "provide setter for a logger" do
+      response = Onelogin::Saml::Response.new('')
+      assert response.logger = 'hello'
+    end
+
+    should "raise an exception when response is initialized with nil" do
+      assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
+    end
+
+    context "#is_valid?" do
+      should "return false when response is initialized with blank data" do
+        response = Onelogin::Saml::Response.new('')
+        assert !response.is_valid?
+      end
+
+      should "return false if settings have not been set" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert !response.is_valid?
+      end
+
+      should "return true when the response is initialized with valid data" do
+        response = Onelogin::Saml::Response.new(response_document)
+        settings = Onelogin::Saml::Settings.new
+        settings.idp_cert_fingerprint = 'hello'
+        response.settings = settings
+        assert !response.is_valid?
+        document = stub()
+        document.stubs(:validate).returns(true)
+        response.document = document
+        assert response.is_valid?
+      end
+    end
+
+    context "#name_id" do
+      should "extract the value of the name id element" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "support@onelogin.com", response.name_id
+      end
+    end
+
+    context "#attributes" do
+      should "extract the first attribute in a hash accessed via its symbol" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes[:uid]
+      end
+
+      should "extract the first attribute in a hash accessed via its name" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes["uid"]
+      end
+
+      should "extract all attributes" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes[:uid]
+        assert_equal "value", response.attributes[:another_value]
+      end
+    end
+
+    context "#session_expires_at" do
+      should "extract the value of the SessionNotOnOrAfter attribute" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert response.session_expires_at.is_a?(Time)
+      end
+    end
+  end
+
+  context "Authrequest" do
+    should "create the SAMLRequest URL parameter" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/stuff\.com\?SAMLRequest=/
+      payload = CGI.unescape(auth_url.split("=").last)
+    end
+
+    should "accept extra parameters" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
+      assert auth_url =~ /&hello=there$/
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
+      assert auth_url =~ /&hello=$/
+    end
+  end
+
+  context "EntityDescription" do
+    should "generate a correct entity descriptor" do
+      descriptor = Onelogin::Saml::EntityDescription.new
+      xml = descriptor.generate({
+        "entity_id" => "http://test.no/",
+        "name_id_format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        "assertion_consumer_service_location" => "http://localhost:3000/saml/consume"
+      })
+
+      assert_equal xml, "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
+
+<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://test.no/\">
+ <SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+   <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+   <AssertionConsumerService
+    isDefault=\"true\"
+    index=\"0\"
+    Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
+    Location=\"http://localhost:3000/saml/consume\"/>
+ </SPSSODescriptor>
+ <RoleDescriptor xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:query=\"urn:oasis:names:tc:SAML:metadata:ext:query\" xsi:type=\"query:AttributeQueryDescriptorType\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>
+ <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>
+</EntityDescriptor>"
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,14 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'ruby-saml'
+
+class Test::Unit::TestCase
+  def response_document
+    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'response.txt'))
+  end
+end

data/test/xml_security_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+require 'xml_security'
+
+class XmlSecurityTest < Test::Unit::TestCase
+  include XMLSecurity
+  context "XmlSecurity" do
+    setup do
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+    end
+
+    should "should run validate without throwing NS related exceptions" do
+      base64cert = @document.elements["//ds:X509Certificate"].text
+      @document.validate_doc(base64cert, nil)
+    end
+  end
+end

metadata

@@ -0,0 +1,139 @@
+--- !ruby/object:Gem::Specification 
+name: ruby-saml-bekk
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 2
+  - 4
+  version: 0.2.4
+platform: ruby
+authors: 
+- OneLogin LLC
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-03-04 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: xmlcanonicalizer
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 1
+        - 0
+        version: 0.1.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: uuid
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 2
+        - 3
+        - 1
+        version: 2.3.1
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: shoulda
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: mocha
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+description: SAML toolkit for Ruby on Rails
+email: support@onelogin.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/onelogin/saml.rb
+- lib/onelogin/saml/authrequest.rb
+- lib/onelogin/saml/entity_descriptor.rb
+- lib/onelogin/saml/entity_descriptor.xml.erb
+- lib/onelogin/saml/response.rb
+- lib/onelogin/saml/settings.rb
+- lib/ruby-saml.rb
+- lib/xml_security.rb
+- ruby-saml.gemspec
+- test/response.txt
+- test/ruby-saml_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb
+has_rdoc: true
+homepage: http://github.com/onelogin/ruby-saml
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: SAML Ruby Tookit
+test_files: 
+- test/ruby-saml_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb