ruby-saml-bekk 0.2.4 → 0.3.1

data/README.rdoc

@@ -83,6 +83,23 @@ contains all the saml:AttributeStatement with its 'Name' as a indifferent key an
 
   response.attributes[:username]
 
+Logout is also supported via Onelogin::Saml::Logoutrequest and Onelogin::Saml::Logoutresponse
+
+== EntityDescriptor generation
+
+To install metadata about your SP(service provider) at the SAML IDP(identity provider) you
+have to install a EntityDescriptor containing some metadata for your SP. To generate
+thise files you can follow this example
+
+    config = {
+      entity_id => "https://someaddress.com/",
+      name_id_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+      assertion_consumer_service_location => "https://someaddress/your/saml/consume/action"
+    }
+    entity_descriptor = Onelogin::Saml::EntityDescription.new
+    puts entity_descriptor.generate(config)
+
+
 
 = Full Example
 

data/VERSION

@@ -1 +1 @@
-0.2.4
+0.3.1

data/lib/onelogin/saml.rb

@@ -1,4 +1,7 @@
+require 'onelogin/saml/codeing'
 require 'onelogin/saml/authrequest'
+require 'onelogin/saml/logoutrequest'
+require 'onelogin/saml/logoutresponse'
 require 'onelogin/saml/response'
 require 'onelogin/saml/settings'
 require 'onelogin/saml/entity_descriptor'

data/lib/onelogin/saml/authrequest.rb

@@ -1,12 +1,13 @@
 require "base64"
 require "uuid"
 require "zlib"
-require "cgi"
+
 
 module Onelogin::Saml
   class Authrequest
+    include Codeing
     def create(settings, params = {})
-      uuid = UUID.new.generate
+      uuid = "_".UUID.new.generate
       time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
 
       request =
@@ -17,13 +18,13 @@ module Onelogin::Saml
         "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
         "</samlp:AuthnRequest>"
 
-      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
-      base64_request    = Base64.encode64(deflated_request)
-      encoded_request   = CGI.escape(base64_request)
+      deflated_request  = deflate(request)
+      base64_request    = encode(deflated_request)
+      encoded_request   = escape(base64_request)
       request_params    = "?SAMLRequest=" + encoded_request
 
       params.each_pair do |key, value|
-        request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+        request_params << "&#{key}=#{escape(value.to_s)}"
       end
 
       settings.idp_sso_target_url + request_params

data/lib/onelogin/saml/codeing.rb

@@ -0,0 +1,34 @@
+require "cgi"
+require 'zlib'
+
+module Onelogin
+  module Saml
+    module Codeing
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded)
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/onelogin/saml/entity_descriptor.rb

@@ -12,6 +12,9 @@ module Onelogin::Saml
       name_id_format = values["name_id_format"]
       assertion_consumer_service_location = values["assertion_consumer_service_location"]
 
+      single_logout_service_location = values["single_logout_service_location"]
+      single_logout_service_response_location = values["single_logout_service_response_location"]
+
       erb = ERB.new(@template)
       erb.result(binding)
     end

data/lib/onelogin/saml/entity_descriptor.xml.erb

@@ -2,6 +2,12 @@
 
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<%= entity_id %>">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+   <% if single_logout_service_location && single_logout_service_response_location %>
+     <SingleLogoutService
+      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      Location="<%= single_logout_service_location %>"
+      ResponseLocation="<%= single_logout_service_response_location %>"/>
+   <% end %>
    <NameIDFormat><%= name_id_format %></NameIDFormat>
    <AssertionConsumerService
     isDefault="true"

data/lib/onelogin/saml/logoutrequest.rb

@@ -0,0 +1,46 @@
+require 'base64'
+require 'uuid'
+require 'cgi'
+
+module Onelogin::Saml
+  class Logoutrequest
+    attr_reader :transaction_id
+
+    def initialize
+      @transaction_id = UUID.new.generate
+    end
+
+    def create(settings,nameid,params={})
+      issue_instant = Onelogin::Saml::Logoutrequest.timestamp
+
+      request = xml(settings, nameid, issue_instant)
+ 
+      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+      base64_request    = Base64.encode64(deflated_request)  
+      params["SAMLRequest"] = base64_request
+      query_string = params.map {|key, value| "#{key}=#{CGI.escape(value)}"}.join("&")
+
+      settings.idp_slo_target_url + "?#{query_string}"
+     end
+
+    def xml(settings, nameid, issue_instant)
+      request = <<-EOF
+        <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+            ID="#{transaction_id}" Version="2.0" IssueInstant="#{issue_instant}">
+                <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#{settings.issuer}</saml:Issuer>
+                <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    NameQualifier="#{settings.sp_name_qualifier}"
+                    Format="#{settings.name_identifier_format}">#{nameid}</saml:NameID>
+        </samlp:LogoutRequest>
+      EOF
+
+      request
+    end
+
+    private 
+    
+    def self.timestamp
+      Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/onelogin/saml/logoutresponse.rb

@@ -0,0 +1,33 @@
+#encoding: utf-8
+
+require "rexml/document"
+
+module Onelogin
+  module Saml
+    class Logoutresponse
+      include Codeing
+
+      def initialize(response)
+        begin
+          @response = decode(response)
+          document
+        rescue
+          @response = inflate(decode(response))
+        end
+      end
+
+      def issuer
+        document.elements["/samlp:LogoutResponse/saml:Issuer"].text
+      end
+
+      def in_response_to
+        document.elements["/samlp:LogoutResponse"].attributes["InResponseTo"]
+      end
+
+    protected
+      def document
+        REXML::Document.new(@response)
+      end
+    end
+  end
+end

data/lib/onelogin/saml/response.rb

@@ -3,12 +3,13 @@ require "time"
 
 module Onelogin::Saml
   class Response
+    include Codeing
     attr_accessor :response, :document, :logger, :settings
 
     def initialize(response)
       raise ArgumentError.new("Response cannot be nil") if response.nil?
       self.response = response
-      self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+      self.document = XMLSecurity::SignedDocument.new(decode(response))
     end
 
     def is_valid?

data/lib/onelogin/saml/settings.rb

@@ -2,5 +2,8 @@ module Onelogin::Saml
   class Settings
     attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
     attr_accessor :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
+    attr_accessor :idp_slo_target_url
+
+    SLO_ELEMENT_PATH = "/EntityDescriptor/IDPSSODescriptor/SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']"
   end
 end

data/ruby-saml.gemspec

@@ -4,12 +4,12 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{ruby-saml-bekk}
-  s.version = "0.2.3"
+  s.name = %q{ruby-saml}
+  s.version = "0.3.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["OneLogin LLC"]
-  s.date = %q{2011-02-21}
+  s.date = %q{2011-03-07}
   s.description = %q{SAML toolkit for Ruby on Rails}
   s.email = %q{support@onelogin.com}
   s.extra_rdoc_files = [

data/test/ruby-saml_test.rb

@@ -1,6 +1,9 @@
+#encoding: utf-8
 require 'test_helper'
 
 class RubySamlTest < Test::Unit::TestCase
+  include Onelogin::Saml::Codeing
+
 
   context "Settings" do
     setup do
@@ -108,6 +111,75 @@ class RubySamlTest < Test::Unit::TestCase
     end
   end
 
+  context "Logoutrequest" do
+
+    setup do
+      UUID.expects(:new).returns(stub(:generate => "da64beb0-2ac4-012e-a9c9-48bcc8e9f44d"))
+      @settings = Onelogin::Saml::Settings.new
+      @settings.issuer = "issuer"
+      @settings.sp_name_qualifier ="sp name"
+      @settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      @settings.idp_slo_target_url ="http://slotarget.com/"
+
+      Onelogin::Saml::Logoutrequest.stubs(:timestamp).returns("timestamb")
+    end
+
+    should "generate a correct logout request" do
+      logoutrequest = Onelogin::Saml::Logoutrequest.new
+
+      logout_xml = logoutrequest.xml(@settings, "demo", "test")
+
+      expected_xml = <<-EOF
+    <samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+            ID=\"da64beb0-2ac4-012e-a9c9-48bcc8e9f44d\" Version=\"2.0\" IssueInstant=\"test\">
+                <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">issuer</saml:Issuer>
+                <saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
+                    NameQualifier=\"sp name\"
+                    Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">demo</saml:NameID>
+        </samlp:LogoutRequest>
+      EOF
+
+      assert_equal expected_xml.strip, logout_xml.strip
+    end
+
+
+    should "generate a correct request" do
+      logoutrequest = Onelogin::Saml::Logoutrequest.new
+      logout_url = logoutrequest.create(@settings, "demo")
+
+      expected_url = "http://slotarget.com/?SAMLRequest=nZFbS8QwEIXf91eEea%2FWUmQbtgVhEQqroILv03S6BJqkZqbgz7cX0fW2D57H%0Aycl35jBKrdoxun7Qh3AMozzSy0gs6tX1nvXyUsIYvQ7IlrVHR6zF6Kebu4PO%0ALlI9xCDBhB426kT1voQWr%2FOGmjTJ0ORJepVRgoUpknzbGLOlosvzFtQzRbbB%0AlzDBQNXMI9WeBb2UIHZKE3QNVF%2FoH1vrxR9Ptj2%2FLDJTlCkOKrv83F2eYP4K%0AuZ849f4fIT94s2baw4i97SzFEnhQM%2BJ3722IDuV83DyxbdItVi0RPVvyAlVL%0ALrz3Wxt89lvH325ebd4A%0A"
+      assert_equal expected_url, logout_url
+    end
+
+  end
+
+  context "Logoutresponse" do
+    should "validate the response" do
+      
+      issuer = "https://test-idp.test.no:443/issuer"
+      transaction_id = "adflkjalkfjalsdfjlaskjdf"
+      params = {}
+      logout_xml = "<samlp:LogoutResponse  xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+                          ID=\"sedf164edc2121a23d4ca4b31d35261e5563dc352\" Version=\"2.0\" 
+                          IssueInstant=\"2011-03-07T14:43:34Z\" Destination=\"http://localhost:3000/saml/consume_logout\" 
+                          InResponseTo=\"#{transaction_id}\">
+                          <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{issuer}</saml:Issuer>
+                          <samlp:Status xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+                          <samlp:StatusCode  xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+                          Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\">
+                          </samlp:StatusCode>
+                          </samlp:Status>
+                          </samlp:LogoutResponse>"
+
+
+      params["SAMLResponse"] = encode(deflate(logout_xml))
+      logoutresponse = Onelogin::Saml::Logoutresponse.new(params["SAMLResponse"])
+
+      assert_equal logoutresponse.issuer, issuer
+      assert_equal logoutresponse.in_response_to, transaction_id
+    end
+  end
+
   context "EntityDescription" do
     should "generate a correct entity descriptor" do
       descriptor = Onelogin::Saml::EntityDescription.new
@@ -117,10 +189,11 @@ class RubySamlTest < Test::Unit::TestCase
         "assertion_consumer_service_location" => "http://localhost:3000/saml/consume"
       })
 
-      assert_equal xml, "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
+      expected_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
 
 <EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://test.no/\">
  <SPSSODescriptor AuthnRequestsSigned=\"false\" WantAssertionsSigned=\"true\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">
+
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService
     isDefault=\"true\"
@@ -128,9 +201,35 @@ class RubySamlTest < Test::Unit::TestCase
     Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"
     Location=\"http://localhost:3000/saml/consume\"/>
  </SPSSODescriptor>
- <RoleDescriptor xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:query=\"urn:oasis:names:tc:SAML:metadata:ext:query\" xsi:type=\"query:AttributeQueryDescriptorType\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>
- <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>
+ <RoleDescriptor xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:query=\"urn:oasis:names:tc:SAML:metadata:ext:query\" xsi:type=\"query:AttributeQueryDescriptorType\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>\n <XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"/>
 </EntityDescriptor>"
+
+      assert_equal expected_xml.gsub(" ", ""), xml.gsub(" ", "")
+    end
+
+    context "with slo" do
+      should "generate correct xml part" do
+        descriptor = Onelogin::Saml::EntityDescription.new
+      xml = descriptor.generate({
+        "entity_id" => "http://test.no/",
+        "name_id_format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        "assertion_consumer_service_location" => "http://localhost:3000/saml/consume",
+
+        "single_logout_service_location" => "slo_location",
+        "single_logout_service_response_location" => "response_location"
+      })
+
+      expected_xml = "     <SingleLogoutService
+      Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\"
+      Location=\"slo_location\"
+      ResponseLocation=\"response_location\"/>"
+
+        assert xml.include?(expected_xml), "Xml does not include\nfull:#{xml}\n\nincluded: #{expected_xml}"
+      end
     end
   end
+
+
+
+  
 end

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 2
-  - 4
-  version: 0.2.4
+  - 3
+  - 1
+  version: 0.3.1
 platform: ruby
 authors: 
 - OneLogin LLC
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-04 00:00:00 +01:00
+date: 2011-03-07 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -90,8 +90,11 @@ files:
 - VERSION
 - lib/onelogin/saml.rb
 - lib/onelogin/saml/authrequest.rb
+- lib/onelogin/saml/codeing.rb
 - lib/onelogin/saml/entity_descriptor.rb
 - lib/onelogin/saml/entity_descriptor.xml.erb
+- lib/onelogin/saml/logoutrequest.rb
+- lib/onelogin/saml/logoutresponse.rb
 - lib/onelogin/saml/response.rb
 - lib/onelogin/saml/settings.rb
 - lib/ruby-saml.rb