ruby-saml-for-portal 0.3.3

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,99 @@
+It's a fork of Christian Pedersen and Christian M. Weis . Made for personal usage by Sycheva Elena.
+= Ruby SAML
+
+The Ruby SAML library is for implementing the client side of a SAML authorization, i.e. it provides a means for managing authorization initialization and confirmation requests from identity providers.
+
+SAML authorization is a two step process and you are expected to implement support for both.
+
+== The initialization phase
+
+This is the first request you will get from the identity provider. It will hit your application at a specific URL (that you've announced as being your SAML initialization point). The response to this initialization, is a redirect back to the identity provider, which can look something like this (ignore the saml_settings method call for now):
+
+    def initialize
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+
+Once you've redirected back to the identity provider, it will ensure that the user has been authorized and redirect back to your application for final consumption, this is can look something like this (the authorize_success and authorize_failure methods are specific to your application):
+
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+
+In the above there are a few assumptions in place, one being that the response.name_id is an email address. This is all handled with how you specify the settings that are in play via the saml_settings method. That could be implemented along the lines of this:
+
+    def saml_settings
+      settings = Onelogin::Saml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://#{request.host}/saml/finalize"
+      settings.issuer                         = request.host
+      settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+      settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+      settings
+    end
+
+What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this:
+
+  # This controller expects you to use the URLs /saml/initialize and /saml/consume in your OneLogin application.
+  class SamlController < ApplicationController
+    def initialize
+      request = Onelogin::Saml::Authrequest.new
+      redirect_to(request.create(saml_settings))
+    end
+
+    def consume
+      response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+      response.settings = saml_settings
+
+      if response.is_valid? && user = current_account.users.find_by_email(response.name_id)
+        authorize_success(user)
+      else
+        authorize_failure(user)
+      end
+    end
+
+    private
+
+    def saml_settings
+      settings = Onelogin::Saml::Settings.new
+
+      settings.assertion_consumer_service_url = "http://#{request.host}/saml/consume"
+      settings.issuer                         = request.host
+      settings.idp_sso_target_url             = "https://app.onelogin.com/saml/signon/#{OneLoginAppId}"
+      settings.idp_cert_fingerprint           = OneLoginAppCertFingerPrint
+      settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+      settings
+    end
+  end
+
+If are using saml:AttributeStatement to transfare metadata, like the user name, you can access all the attributes through response.attributes. It
+contains all the saml:AttributeStatement with its 'Name' as a indifferent key and the one saml:AttributeValue as value.
+
+  response          = Onelogin::Saml::Response.new(params[:SAMLResponse])
+  response.settings = saml_settings
+
+  response.attributes[:username]
+
+
+= Full Example
+
+Please check https://github.com/onelogin/ruby-saml-example for a very basic sample Rails application using this gem.
+
+== Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,63 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "ruby-saml"
+    gem.summary = %Q{SAML Ruby Tookit}
+    gem.description = %Q{SAML toolkit for Ruby on Rails}
+    gem.email = "support@onelogin.com"
+    gem.homepage = "http://github.com/onelogin/ruby-saml"
+    gem.authors = ["OneLogin LLC"]
+    gem.add_dependency("xmlcanonicalizer","= 0.1.0")
+    gem.add_dependency("uuid","= 2.3.1")
+    gem.add_dependency("rsa", "~> 0.1.4")
+    gem.add_dependency("systemu", "~> 2.2.0")
+    gem.add_development_dependency "shoulda"
+    gem.add_development_dependency "mocha"
+    #gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/VERSION

@@ -0,0 +1 @@
+0.3.2 p

data/lib/onelogin/saml.rb

@@ -0,0 +1,5 @@
+require 'onelogin/saml/authrequest'
+require 'onelogin/saml/response'
+require 'onelogin/saml/settings'
+require 'onelogin/saml/logout_request'
+

data/lib/onelogin/saml/authrequest.rb

@@ -0,0 +1,33 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+
+module Onelogin::Saml
+  class Authrequest
+    def create(settings, params = {})
+      uuid = "_" + UUID.new.generate
+      time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+      request =
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{uuid}\" Version=\"2.0\" IssueInstant=\"#{time}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings.assertion_consumer_service_url}\">" +
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings.issuer}</saml:Issuer>\n" +
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+        "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+        "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+        "</samlp:AuthnRequest>"
+      
+      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+      base64_request    = Base64.encode64(deflated_request)
+      encoded_request   = CGI.escape(base64_request)
+      request_params    = "?SAMLRequest=" + encoded_request
+
+      params.each_pair do |key, value|
+        request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+      end
+
+      settings.idp_sso_target_url + request_params
+    end
+
+  end
+end

data/lib/onelogin/saml/response.rb

@@ -0,0 +1,46 @@
+require "xml_security"
+require "time"
+
+module Onelogin::Saml
+  class Response
+    attr_accessor :response, :document, :logger, :settings
+
+    def initialize(response)
+      raise ArgumentError.new("Response cannot be nil") if response.nil?
+      self.response = response
+      self.document = XMLSecurity::SignedDocument.new(Base64.decode64(response))
+    end
+
+    def is_valid?
+      return false if response.empty?
+      return false if settings.nil?
+      return true if document.validate_doc(settings.idp_public_cert, nil)
+      return false
+    end
+
+    def decode
+      body = document.decode(settings.private_key)
+      self.document = body
+    end
+
+    # The value of the user identifier as designated by the initialization request response
+    def name_id
+      @name_id ||= document.elements["saml2:Assertion/saml2:Subject/saml2:NameID"].text
+    end
+
+    def session_index
+      @session_index ||= document.elements["saml2:Assertion/saml2:AuthnStatement"].attributes["SessionIndex"]
+    end
+
+    # A hash of attributes and values
+    def attributes
+      result = {}
+      document.elements.each("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute") do |element|
+        result.merge!(element.attributes["FriendlyName"] => element.elements.first.text)
+      end
+      result.merge!("name_id" => name_id)
+      result.merge!("session_index" => session_index)
+      result
+    end
+  end
+end

data/lib/onelogin/saml/settings.rb

@@ -0,0 +1,30 @@
+module Onelogin::Saml
+  class Settings
+    attr_accessor :assertion_consumer_service_url, :issuer, :sp_name_qualifier
+    attr_accessor :idp_sso_target_url, :idp_ssl_target_url, :idp_cert_fingerprint, :name_identifier_format
+
+    def private_key=(private_key_path)
+      @private_key =  OpenSSL::PKey::RSA.new(File.read(private_key_path))
+    end
+
+    def private_key
+      @private_key
+    end
+
+    def idp_public_cert=(idp_public_cert_path)
+      @idp_public_cert = OpenSSL::X509::Certificate.new(File.read(idp_public_cert_path))
+    end
+
+    def idp_public_cert
+      @idp_public_cert
+    end
+
+#    def private_key_logout_sign=(private_key_path)
+#      @private_key_logout_sign = OpenSSL::PKey::RSA.new(File.read(private_key_path))
+#    end
+#
+#    def private_key_logout_sign
+#      @private_key_logout_sign
+#    end
+  end
+end

data/lib/rsa_ext.rb

@@ -0,0 +1,115 @@
+require 'digest/sha1'
+require 'rsa'
+
+module RSA
+  module OAEP
+    extend self
+
+    # Represents an error that occurs during decoding when using
+    # RSA::OAEP.decode or RSA::OAEP.eme_decode. There is one argument which is
+    # a brief message detailing the error
+    class DecodeError < StandardError; end
+
+    # The algorithms below need the HLEN variable. This is the length of the
+    # hashes generated by the hashing function. For now, this only supports SHA1
+    # as the hashing function, and this has a hash length of 20
+    HLEN = 20
+
+    # Performs the rsa-oaep-mgf1 decrypt algorithm. This is specified in section
+    # 7.1.2 of http://www.ietf.org/rfc/rfc2437.txt.
+    #
+    # This implementation assumes that the sha1 hashing algorithm was used.
+    #
+    # @param [RSA::Key] k the private key whose public key was used to
+    #        encrypt the data
+    # @param [String] c a string of raw bytes representing the text to be
+    #        decoded
+    # @param [String] p the options which were used in the original encoding of
+    #        the string. By default this is the empty string.
+    #
+    # @return [String] the decoded string of bytes
+    # @raise [DecodeError] If decoding cannot occur, an error is raised
+    def decode k, c, p = ''
+      # First, generate how many bytes the key's modulus is
+      n = k.modulus
+      bytes = 0
+      while n > 0
+        bytes += 1
+        n /= 2
+      end
+      bytes /= 8
+
+      raise DecodeError, 'input is wrong length!' unless c.length == bytes
+
+      enc = RSA::PKCS1.os2ip c
+      m   = RSA::PKCS1.rsadp k, enc
+      em  = RSA::PKCS1.i2osp m, bytes - 1
+
+      eme_decode em, p
+    end
+
+    # Decodes the encrypted message as specified by the algorithm listed on
+    # http://www.ietf.org/rfc/rfc2437.txt in section 9.1.1.2
+    #
+    # @param [String] em the encoded message that needs to be decoded
+    # @param [String] p the flags used in the original encoding scheme.
+    #
+    # @return [String] the decoded byte string of the supplied message
+    # @raise [DecodeError] if decoding goes awry or the message does not pass
+    #        sanity checks during decoding
+    def eme_decode em, p = ''
+      raise DecodeError, 'message is too short!' if em.length < HLEN * 2 + 1
+
+      maskedSeed = em[0...HLEN]
+      maskedDB   = em[HLEN..-1]
+      seedMask   = mgf1 maskedDB, HLEN
+      seed       = xor maskedSeed, seedMask
+      dbMask     = mgf1 seed, em.size - HLEN
+      db         = xor maskedDB, dbMask
+      pHash      = Digest::SHA1.digest p
+
+      ind = db.index("\x01", HLEN)
+      raise DecodeError, 'message is invalid!' if ind.nil?
+
+      pHash2 = db[0...HLEN]
+      ps     = db[HLEN...ind]
+      m      = db[(ind + 1)..-1]
+
+      raise DecodeError, 'message is invalid!' unless ps.bytes.all?(&:zero?)
+      raise DecodeError, "specified p = #{p.inspect} is wrong!" unless pHash2 == pHash
+
+      m
+    end
+
+    # Defined in seciton 10.2.1 of http://www.ietf.org/rfc/rfc2437.txt, this
+    # is the mask generation function used in the eme_decode function
+    #
+    # @param [String] z this is the seed which the mask function runs off of
+    # @param [Integer] l the desired length of the resultant hash
+    #
+    # @return [String] the mask generated
+    def mgf1 z, l
+      t = ''
+
+      (0..(l / HLEN)).each{ |i|
+        t += Digest::SHA1.digest(z + RSA::PKCS1.i2osp(i, 4))
+      }
+
+      t[0...l]
+    end
+
+    private
+
+    def xor s1, s2
+      b1 = s1.unpack('c*')
+      b2 = s2.unpack('c*')
+
+      if b1.length != b2.length
+        raise DecodeError, 'cannot xor strings of different lengths!'
+      end
+
+      b1.zip(b2).map{ |a, b| a ^ b }.pack('c*')
+    end
+
+  end
+end

data/lib/ruby-saml.rb

@@ -0,0 +1,5 @@
+module Onelogin
+end
+
+require 'onelogin/saml'
+

data/lib/xml_security.rb

@@ -0,0 +1,144 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+require 'rsa_ext'
+
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+
+    def validate (idp_cert_fingerprint, logger = nil, private_key = nil)
+      # get cert from response
+      base64_cert             = self.elements["//ds:X509Certificate"].text
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+      # check cert matches registered idp cert
+      fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
+      valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+
+      return valid_flag if !valid_flag
+
+      if validate_doc(base64_cert, logger)
+        return true
+      # elsif private_key
+      #   return decode(private_key)
+      else
+        return false
+      end
+    end
+
+    def validate_doc(cert, logger)
+      # validate references
+
+      # remove signature node
+      sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      return false unless sig_element
+      sig_element.remove
+
+       #временно выключили проверку дайджеста
+
+#      #check digests
+#      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |
+#
+#        uri                   = ref.attributes.get_attribute("URI").value
+#        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+#        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
+#        canon_hashed_element  = canoner.canonicalize(hashed_element)
+#        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+#        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+#
+#        valid_flag            = hash == digest_value
+#
+#        return valid_flag if !valid_flag
+#      end
+
+      # verify signature
+      canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+      signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      canon_string            = canoner.canonicalize(signed_info_element)
+
+      base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+      signature               = Base64.decode64(base64_signature)
+
+      # get certificate object
+      valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+
+      return valid_flag
+    end
+    
+    def decode private_key
+      # This is the public key which encrypted the first CipherValue
+      certs = REXML::XPath.match(self, '//ds:X509Certificate')#, 'ds' => "http://www.w3.org/2000/09/xmldsig#") array two elements    dcert   = REXML::XPath.first(self, '//ds:X509Certificate')#, 'ds' => "http://www.w3.org/2000/09/xmldsig#")
+
+      #Find the certificate for the private key
+      cert = certs.select{|c| OpenSSL::X509::Certificate.new(Base64.decode64(c.text)).check_private_key(private_key)}
+      unless cert.empty?
+        cert = cert[0]
+      else
+        return false
+      end
+      c1, c2 = REXML::XPath.match(self, '//xenc:CipherValue', 'xenc' => 'http://www.w3.org/2001/04/xmlenc#')
+
+      # Generate the key used for the cipher below via the RSA::OAEP algo
+      rsak      = RSA::Key.new private_key.n, private_key.d
+      v1s       = Base64.decode64(c1.text)
+
+      begin
+        cipherkey = RSA::OAEP.decode rsak, v1s
+      rescue RSA::OAEP::DecodeError
+        return false
+      end
+
+      # The aes-128-cbc cipher has a 128 bit initialization vector (16 bytes)
+      # and this is the first 16 bytes of the raw string.
+      bytes  = Base64.decode64(c2.text).bytes.to_a
+      iv     = bytes[0...16].pack('c*')
+      others = bytes[16..-1].pack('c*')
+
+      cipher = OpenSSL::Cipher.new('aes-128-cbc')
+      cipher.decrypt
+      cipher.iv  = iv
+      cipher.key = cipherkey
+
+      out = cipher.update(others)
+
+      # The encrypted string's length might not be a multiple of the block
+      # length of aes-128-cbc (16), so add in another block and then trim
+      # off the padding. More info about padding is available at
+      # http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html in
+      # Section 5.2
+      out << cipher.update("\x00" * 16)
+      padding = out.bytes.to_a.last
+      self.class.new(out[0..-(padding + 1)])
+    end
+
+  end
+end

data/ruby-saml.gemspec

@@ -0,0 +1,76 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{ruby-saml-for-portal}
+  s.version = "0.3.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["OneLogin LLC"]
+  s.date = %q{2011-03-08}
+  s.description = %q{SAML toolkit for Ruby on Rails}
+  s.email = %q{support@onelogin.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/onelogin/saml.rb",
+     "lib/onelogin/saml/authrequest.rb",
+     "lib/onelogin/saml/response.rb",
+     "lib/onelogin/saml/settings.rb",
+     "lib/ruby-saml.rb",
+     "lib/xml_security.rb",
+     "lib/rsa_ext.rb",
+     "ruby-saml.gemspec",
+     "test/response.txt",
+     "test/ruby-saml_test.rb",
+     "test/test_helper.rb",
+     "test/xml_security_test.rb"
+  ]
+  s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{SAML Ruby Tookit}
+  s.test_files = [
+    "test/ruby-saml_test.rb",
+     "test/test_helper.rb",
+     "test/xml_security_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<xmlcanonicalizer>, ["~> 0.1.1"])
+      s.add_runtime_dependency(%q<uuid>, ["~> 2.3.3"])
+      s.add_runtime_dependency(%q<systemu>, ["~> 2.2.0"])
+      s.add_runtime_dependency(%q<rsa>, ["~> 0.1.4"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<mocha>, [">= 0"])
+    else
+      s.add_dependency(%q<xmlcanonicalizer>, ["~> 0.1.1"])
+      s.add_dependency(%q<uuid>, ["~> 2.3.3"])
+      s.add_dependency(%q<systemu>, ["~> 2.2.0"])
+      s.add_dependency(%q<rsa>, ["~> 0.1.4"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<mocha>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<xmlcanonicalizer>, ["~> 0.1.1"])
+    s.add_dependency(%q<uuid>, ["~> 2.3.3"])
+    s.add_dependency(%q<systemu>, ["~> 2.2.0"])
+    s.add_dependency(%q<rsa>, ["~> 0.1.4"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<mocha>, [">= 0"])
+  end
+end
+

data/test/response.txt

@@ -0,0 +1 @@
+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgSUQ9IkdPU0FNTFIxMjkwMTE3NDU3MTc5NCIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTAtMTEtMThUMjE6NTc6MzdaIiBEZXN0aW5hdGlvbj0ie3JlY2lwaWVudH0iPg0KICA8c2FtbHA6U3RhdHVzPg0KICAgIDxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz4NCiAgPHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgVmVyc2lvbj0iMi4wIiBJRD0icGZ4YTQ2NTc0ZGYtYjNiMC1hMDZhLTIzYzgtNjM2NDEzMTk4NzcyIiBJc3N1ZUluc3RhbnQ9IjIwMTAtMTEtMThUMjE6NTc6MzdaIj4NCiAgICA8c2FtbDpJc3N1ZXI+aHR0cHM6Ly9hcHAub25lbG9naW4uY29tL3NhbWwvbWV0YWRhdGEvMTM1OTA8L3NhbWw6SXNzdWVyPg0KICAgIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KICAgICAgPGRzOlNpZ25lZEluZm8+DQogICAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4NCiAgICAgICAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZnhhNDY1NzRkZi1iM2IwLWEwNmEtMjNjOC02MzY0MTMxOTg3NzIiPg0KICAgICAgICAgIDxkczpUcmFuc2Zvcm1zPg0KICAgICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+DQogICAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgICAgICAgPC9kczpUcmFuc2Zvcm1zPg0KICAgICAgICAgIDxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPg0KICAgICAgICAgIDxkczpEaWdlc3RWYWx1ZT5wSlE3TVMvZWs0S1JSV0dtdi9INDNSZUhZTXM9PC9kczpEaWdlc3RWYWx1ZT4NCiAgICAgICAgPC9kczpSZWZlcmVuY2U+DQogICAgICA8L2RzOlNpZ25lZEluZm8+DQogICAgICA8ZHM6U2lnbmF0dXJlVmFsdWU+eWl2ZUtjUGREcHVETmo2c2hyUTNBQndyL2NBM0NyeUQycGhHL3hMWnN6S1d4VTUvbWxhS3Q4ZXdiWk9kS0t2dE9zMnBIQnk1RHVhM2s5NEFGK3p4R3llbDVnT293bW95WEpyK0FPcitrUE8wdmxpMVY4bzNoUFBVWndSZ1NYNlE5cFMxQ3FRZ2hLaUVhc1J5eWxxcUpVYVBZem1Pek9FOC9YbE1rd2lXbU8wPTwvZHM6U2lnbmF0dXJlVmFsdWU+DQogICAgICA8ZHM6S2V5SW5mbz4NCiAgICAgICAgPGRzOlg1MDlEYXRhPg0KICAgICAgICAgIDxkczpYNTA5Q2VydGlmaWNhdGU+TUlJQnJUQ0NBYUdnQXdJQkFnSUJBVEFEQmdFQU1HY3hDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwRFlXeHBabTl5Ym1saE1SVXdFd1lEVlFRSERBeFRZVzUwWVNCTmIyNXBZMkV4RVRBUEJnTlZCQW9NQ0U5dVpVeHZaMmx1TVJrd0Z3WURWUVFEREJCaGNIQXViMjVsYkc5bmFXNHVZMjl0TUI0WERURXdNRE13T1RBNU5UZzBOVm9YRFRFMU1ETXdPVEE1TlRnME5Wb3daekVMTUFrR0ExVUVCaE1DVlZNeEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhGVEFUQmdOVkJBY01ERk5oYm5SaElFMXZibWxqWVRFUk1BOEdBMVVFQ2d3SVQyNWxURzluYVc0eEdUQVhCZ05WQkFNTUVHRndjQzV2Ym1Wc2IyZHBiaTVqYjIwd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFPalN1MWZqUHk4ZDV3NFF5TDEremQ0aEl3MU1ra2ZmNFdZL1RMRzhPWmtVNVlUU1dtbUhQRDVrdllINXVvWFMvNnFRODFxWHBSMndWOENUb3daSlVMZzA5ZGRSZFJuOFFzcWoxRnlPQzVzbEUzeTJiWjJvRnVhNzJvZi80OWZwdWpuRlQ2S25RNjFDQk1xbERvVFFxT1Q2MnZHSjhuUDZNWld2QTZzeHF1ZDVBZ01CQUFFd0F3WUJBQU1CQUE9PTwvZHM6WDUwOUNlcnRpZmljYXRlPg0KICAgICAgICA8L2RzOlg1MDlEYXRhPg0KICAgICAgPC9kczpLZXlJbmZvPg0KICAgIDwvZHM6U2lnbmF0dXJlPg0KICAgIDxzYW1sOlN1YmplY3Q+DQogICAgICA8c2FtbDpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnN1cHBvcnRAb25lbG9naW4uY29tPC9zYW1sOk5hbWVJRD4NCiAgICAgIDxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj4NCiAgICAgICAgPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiIgUmVjaXBpZW50PSJ7cmVjaXBpZW50fSIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPg0KICAgIDwvc2FtbDpTdWJqZWN0Pg0KICAgIDxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDEwLTExLTE4VDIxOjUyOjM3WiIgTm90T25PckFmdGVyPSIyMDEwLTExLTE4VDIyOjAyOjM3WiI+DQogICAgICA8c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPg0KICAgICAgICA8c2FtbDpBdWRpZW5jZT57YXVkaWVuY2V9PC9zYW1sOkF1ZGllbmNlPg0KICAgICAgPC9zYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24+DQogICAgPC9zYW1sOkNvbmRpdGlvbnM+DQogICAgPHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDEwLTExLTE4VDIxOjU3OjM3WiIgU2Vzc2lvbk5vdE9uT3JBZnRlcj0iMjAxMC0xMS0xOVQyMTo1NzozN1oiIFNlc3Npb25JbmRleD0iXzUzMWMzMmQyODNiZGZmN2UwNGU0ODdiY2RiYzRkZDhkIj4NCiAgICAgIDxzYW1sOkF1dGhuQ29udGV4dD4NCiAgICAgICAgPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQogICAgICA8L3NhbWw6QXV0aG5Db250ZXh0Pg0KICAgIDwvc2FtbDpBdXRoblN0YXRlbWVudD4NCiAgICA8c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQogICAgICA8c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj5kZW1vPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPg0KICAgICAgPC9zYW1sOkF0dHJpYnV0ZT4NCiAgICAgIDxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJhbm90aGVyX3ZhbHVlIj4NCiAgICAgICAgPHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj52YWx1ZTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT4NCiAgICAgIDwvc2FtbDpBdHRyaWJ1dGU+DQogICAgPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD4NCiAgPC9zYW1sOkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+DQo=

data/test/ruby-saml_test.rb

@@ -0,0 +1,110 @@
+require 'test_helper'
+
+class RubySamlTest < Test::Unit::TestCase
+
+  context "Settings" do
+    setup do
+      @settings = Onelogin::Saml::Settings.new
+    end
+    should "should provide getters and settings" do
+      accessors = [
+        :assertion_consumer_service_url, :issuer, :sp_name_qualifier, :sp_name_qualifier,
+        :idp_sso_target_url, :idp_cert_fingerprint, :name_identifier_format
+      ]
+
+      accessors.each do |accessor|
+        value = Kernel.rand
+        @settings.send("#{accessor}=".to_sym, value)
+        assert_equal value, @settings.send(accessor)
+      end
+    end
+  end
+
+  context "Response" do
+    should "provide setter for a logger" do
+      response = Onelogin::Saml::Response.new('')
+      assert response.logger = 'hello'
+    end
+
+    should "raise an exception when response is initialized with nil" do
+      assert_raises(ArgumentError) { Onelogin::Saml::Response.new(nil) }
+    end
+
+    context "#is_valid?" do
+      should "return false when response is initialized with blank data" do
+        response = Onelogin::Saml::Response.new('')
+        assert !response.is_valid?
+      end
+
+      should "return false if settings have not been set" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert !response.is_valid?
+      end
+
+      should "return true when the response is initialized with valid data" do
+        response = Onelogin::Saml::Response.new(response_document)
+        settings = Onelogin::Saml::Settings.new
+        settings.idp_cert_fingerprint = 'hello'
+        response.settings = settings
+        assert !response.is_valid?
+        document = stub()
+        document.stubs(:validate).returns(true)
+        response.document = document
+        assert response.is_valid?
+      end
+    end
+
+    context "#name_id" do
+      should "extract the value of the name id element" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "support@onelogin.com", response.name_id
+      end
+    end
+
+    context "#attributes" do
+      should "extract the first attribute in a hash accessed via its symbol" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes[:uid]
+      end
+
+      should "extract the first attribute in a hash accessed via its name" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes["uid"]
+      end
+
+      should "extract all attributes" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert_equal "demo", response.attributes[:uid]
+        assert_equal "value", response.attributes[:another_value]
+      end
+    end
+
+    context "#session_expires_at" do
+      should "extract the value of the SessionNotOnOrAfter attribute" do
+        response = Onelogin::Saml::Response.new(response_document)
+        assert response.session_expires_at.is_a?(Time)
+      end
+    end
+  end
+
+  context "Authrequest" do
+    should "create the SAMLRequest URL parameter" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings)
+      assert auth_url =~ /^http:\/\/stuff\.com\?SAMLRequest=/
+      payload = CGI.unescape(auth_url.split("=").last)
+    end
+
+    should "accept extra parameters" do
+      settings = Onelogin::Saml::Settings.new
+      settings.idp_sso_target_url = "http://stuff.com"
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => "there" })
+      assert auth_url =~ /&hello=there$/
+
+      auth_url = Onelogin::Saml::Authrequest.new.create(settings, { :hello => nil })
+      assert auth_url =~ /&hello=$/
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,14 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'ruby-saml'
+
+class Test::Unit::TestCase
+  def response_document
+    @response_document ||= File.read(File.join(File.dirname(__FILE__), 'response.txt'))
+  end
+end

data/test/xml_security_test.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+require 'xml_security'
+
+class XmlSecurityTest < Test::Unit::TestCase
+  include XMLSecurity
+  context "XmlSecurity" do
+    setup do
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(response_document))
+    end
+
+    should "should run validate without throwing NS related exceptions" do
+      base64cert = @document.elements["//ds:X509Certificate"].text
+      @document.validate_doc(base64cert, nil)
+    end
+  end
+end

metadata

@@ -0,0 +1,132 @@
+--- !ruby/object:Gem::Specification
+name: ruby-saml-for-portal
+version: !ruby/object:Gem::Version
+  version: 0.3.3
+  prerelease: 
+platform: ruby
+authors:
+- OneLogin LLC
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-03-08 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: xmlcanonicalizer
+  requirement: &16186840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *16186840
+- !ruby/object:Gem::Dependency
+  name: uuid
+  requirement: &16186240 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.3.3
+  type: :runtime
+  prerelease: false
+  version_requirements: *16186240
+- !ruby/object:Gem::Dependency
+  name: systemu
+  requirement: &16185640 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *16185640
+- !ruby/object:Gem::Dependency
+  name: rsa
+  requirement: &16183480 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: *16183480
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: &16182960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *16182960
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: &16182440 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *16182440
+description: SAML toolkit for Ruby on Rails
+email: support@onelogin.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE
+- README.rdoc
+files:
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/onelogin/saml.rb
+- lib/onelogin/saml/authrequest.rb
+- lib/onelogin/saml/response.rb
+- lib/onelogin/saml/settings.rb
+- lib/ruby-saml.rb
+- lib/xml_security.rb
+- lib/rsa_ext.rb
+- ruby-saml.gemspec
+- test/response.txt
+- test/ruby-saml_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb
+homepage: http://github.com/onelogin/ruby-saml
+licenses: []
+post_install_message: 
+rdoc_options:
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.8
+signing_key: 
+specification_version: 3
+summary: SAML Ruby Tookit
+test_files:
+- test/ruby-saml_test.rb
+- test/test_helper.rb
+- test/xml_security_test.rb