ruby-saml-bm 0.6.1

data/Gemfile

@@ -0,0 +1,12 @@
+source 'http://rubygems.org'
+
+gemspec
+
+group :test do
+  gem "ruby-debug", "~> 0.10.4", :require => nil, :platforms => [:ruby_18, :jruby]
+  gem "debugger",   "~> 1.1.1",  :require => nil, :platforms => :ruby_19
+  gem "shoulda"
+  gem "rake"
+  gem "mocha"
+  gem "nokogiri"
+end

data/Gemfile.lock

@@ -0,0 +1,51 @@
+PATH
+  remote: .
+  specs:
+    ruby-saml-bm (0.6.0)
+      canonix (= 0.1.1)
+      nokogiri
+      uuid (~> 2.3)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.2.9)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    canonix (0.1.1)
+    columnize (0.3.6)
+    i18n (0.6.1)
+    macaddr (1.6.1)
+      systemu (~> 2.5.0)
+    metaclass (0.0.1)
+    mocha (0.13.0)
+      metaclass (~> 0.0.1)
+    multi_json (1.3.7)
+    nokogiri (1.5.5)
+    nokogiri (1.5.5-java)
+    rake (10.0.2)
+    ruby-debug (0.10.4)
+      columnize (>= 0.1)
+      ruby-debug-base (~> 0.10.4.0)
+    ruby-debug-base (0.10.4-java)
+    shoulda (3.3.2)
+      shoulda-context (~> 1.0.1)
+      shoulda-matchers (~> 1.4.1)
+    shoulda-context (1.0.1)
+    shoulda-matchers (1.4.1)
+      activesupport (>= 3.0.0)
+    systemu (2.5.2)
+    uuid (2.3.6)
+      macaddr (~> 1.0)
+
+PLATFORMS
+  java
+
+DEPENDENCIES
+  debugger (~> 1.1.1)
+  mocha
+  nokogiri
+  rake
+  ruby-debug (~> 0.10.4)
+  ruby-saml-bm!
+  shoulda

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+# Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml-bm.png)](http://travis-ci.org/onelogin/ruby-saml-bm)
+
+The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.
+
+SAML authorization is a two step process and you are expected to implement support for both.
+
+## The initialization phase
+
+This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
+
+```ruby
+    def init
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+```
+
+Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+
+```ruby
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+```
+
+In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
+
+```ruby
+  def saml_settings
+    settings = Onelogin::Saml::Settings.new
+
+    settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
+    settings.issuer                         = request.host
+    settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+    settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+    settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    # Optional for most SAML IdPs
+    settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+    settings
+  end
+```
+
+What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
+
+```ruby
+  # This controller expects you to use the URLs /saml/init and /saml/consume in your OneLogin application.
+  class SamlController < ApplicationController
+    def init
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+
+    private
+
+    def saml_settings
+      settings = Onelogin::Saml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+      settings.issuer                         = request.host
+      settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+      settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      # Optional for most SAML IdPs
+      settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+
+      settings
+    end
+  end
+```
+
+If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
+contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
+
+  response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+  response.settings = saml_settings
+
+  response.attributes[:username]
+
+## Service Provider Metadata
+
+To form a trusted pair relationship with the IdP, the SP (you) need to provide metadata XML
+to the IdP for various good reasons.  (Caching, certificate lookups, relying party permissions, etc)
+
+The class Onelogin::Saml::Metdata takes care of this by reading the Settings and returning XML.  All
+you have to do is add a controller to return the data, then give this URL to the IdP administrator.
+The metdata will be polled by the IdP every few minutes, so updating your settings should propagate
+to the IdP settings.
+
+```ruby
+  class SamlController < ApplicationController
+    # ... the rest of your controller definitions ...
+    def metadata
+      settings = Account.get_saml_settings
+      meta = Onelogin::Saml::Metadata.new
+      render :xml => meta.generate(settings)
+    end
+  end
+```
+
+## Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,41 @@
+require 'rubygems'
+require 'rake'
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml-bm #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/lib/onelogin/ruby-saml-bm/authrequest.rb

@@ -0,0 +1,79 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module Onelogin
+  module Saml
+  include REXML
+    class Authrequest
+      def create(settings, params = {})
+        request_doc = create_authentication_xml_doc(settings)
+
+        request = ""
+        request_doc.write(request)
+
+        Logging.debug "Created AuthnRequest: #{request}"
+
+        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+        base64_request    = Base64.encode64(deflated_request)
+        encoded_request   = CGI.escape(base64_request)
+        params_prefix     = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+
+        params.each_pair do |key, value|
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+        end
+
+        settings.idp_sso_target_url + request_params
+      end
+
+      def create_authentication_xml_doc(settings)
+        uuid = "_" + UUID.new.generate
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%S")
+        # Create AuthnRequest root element using REXML 
+        request_doc = REXML::Document.new
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+
+        # Conditionally defined elements based on settings
+        if settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+        end
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", { 
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => settings.name_identifier_format
+          }
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined, 
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", { 
+            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", { 
+            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = settings.authn_context
+        end
+        request_doc
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-saml-bm/logging.rb

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module Onelogin
+  module Saml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml-bm/testing"]
+
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        return if !!ENV["ruby-saml-bm/testing"]
+
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml-bm/logoutrequest.rb

@@ -0,0 +1,80 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+
+module Onelogin
+  module Saml
+    include REXML
+    class Logoutrequest
+
+      attr_reader :uuid # Can be obtained if neccessary
+
+      def initialize
+        @uuid = "_" + UUID.new.generate
+      end
+
+      def create(settings, params={})
+        request_doc = create_unauth_xml_doc(settings, params)
+        request = ""
+        request_doc.write(request)
+
+        deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+        base64_request    = Base64.encode64(deflated_request)
+        encoded_request   = CGI.escape(base64_request)
+
+        params_prefix     = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+
+        params.each_pair do |key, value|
+          request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+        end
+
+        @logout_url = settings.idp_slo_target_url + request_params
+      end
+
+      def create_unauth_xml_doc(settings, params)
+
+        time = Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        request_doc = REXML::Document.new
+        root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root.attributes['ID'] = @uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+
+        if settings.issuer
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = settings.issuer
+        end
+
+        if settings.name_identifier_value
+          name_id = root.add_element "saml:NameID", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          name_id.attributes['NameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
+          name_id.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
+          name_id.text = settings.name_identifier_value
+        end
+
+        if settings.sessionindex
+          sessionindex = root.add_element "samlp:SessionIndex", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+          sessionindex.text = settings.sessionindex
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined,
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
+              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = settings.authn_context
+        end
+        request_doc
+      end
+    end
+  end
+end

data/lib/onelogin/ruby-saml-bm/metadata.rb

@@ -0,0 +1,47 @@
+require "rexml/document"
+require "rexml/xpath"
+require "uri"
+
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the 
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Onelogin
+  module Saml
+    include REXML
+    class Metadata
+      def generate(settings)
+        meta_doc = REXML::Document.new
+        root = meta_doc.add_element "md:EntityDescriptor", { 
+            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata" 
+        }
+        sp_sso = root.add_element "md:SPSSODescriptor", { 
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol"
+        }
+        if settings.issuer != nil
+          root.attributes["entityID"] = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          name_id = sp_sso.add_element "md:NameIDFormat"
+          name_id.text = settings.name_identifier_format
+        end
+        if settings.assertion_consumer_service_url != nil
+          sp_sso.add_element "md:AssertionConsumerService", {
+              # Add this as a setting to create different bindings?
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Location" => settings.assertion_consumer_service_url
+          }
+        end
+        meta_doc << REXML::XMLDecl.new
+        ret = ""
+        # pretty print the XML so IdP administrators can easily see what the SP supports
+        meta_doc.write(ret, 1)
+
+        Logging.debug "Generated metadata:\n#{ret}"
+
+        return ret
+
+      end
+    end
+  end
+end