ruby-saml-idp 0.2.6 → 0.3.0

data/README.md

@@ -72,7 +72,7 @@ The fingerprint to use, if you use the default X.509 certificate of this gem, is
 Service Providers
 -----------------
 
-To act as a Service Provider which generates SAML Requests use the excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
+To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
 
 
 Author

data/app/views/saml_idp/idp/saml_post.html.erb

@@ -4,7 +4,10 @@
 <meta charset="utf-8">
 <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 </head>
-<body onload="document.forms[0].submit();">
-<%= form_tag(@saml_acs_url) { hidden_field_tag("SAMLResponse", @saml_response) } %>
+<body onload="document.forms[0].submit();" style="visibility:hidden;">
+<%= form_tag(@saml_acs_url) do %>
+  <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+  <%= submit_tag "Submit" %>
+<% end %>
 </body>
 </html>

data/lib/ruby-saml-idp.rb

@@ -1,10 +1,10 @@
 # encoding: utf-8
 module SamlIdp
-  require 'saml-idp/configurator'
-  require 'saml-idp/controller'
-  require 'saml-idp/default'
-  require 'saml-idp/version'
-  require 'saml-idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+  require 'saml_idp/configurator'
+  require 'saml_idp/controller'
+  require 'saml_idp/default'
+  require 'saml_idp/version'
+  require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
 
   def self.config=(config)
     @config = config

data/lib/{saml-idp → saml_idp}/configurator.rb

@@ -1,11 +1,12 @@
 # encoding: utf-8
 module SamlIdp
   class Configurator
-    attr_accessor :x509_certificate, :secret_key
+    attr_accessor :x509_certificate, :secret_key, :algorithm
 
     def initialize(config_file = nil)
       self.x509_certificate = Default::X509_CERTIFICATE
       self.secret_key = Default::SECRET_KEY
+      self.algorithm = :sha1
       instance_eval(File.read(config_file), config_file) if config_file
     end
   end

data/lib/{saml-idp → saml_idp}/controller.rb

@@ -5,7 +5,7 @@ module SamlIdp
     require 'base64'
     require 'time'
 
-    attr_accessor :x509_certificate, :secret_key
+    attr_accessor :x509_certificate, :secret_key, :algorithm
     attr_accessor :saml_acs_url
 
     def x509_certificate
@@ -18,6 +18,30 @@ module SamlIdp
       @secret_key = SamlIdp.config.secret_key
     end
 
+    def algorithm
+      return @algorithm if defined?(@algorithm)
+      self.algorithm = SamlIdp.config.algorithm
+      @algorithm
+    end
+
+    def algorithm=(algorithm)
+      @algorithm = algorithm
+      if algorithm.is_a?(Symbol)
+        @algorithm = case algorithm
+        when :sha256 then OpenSSL::Digest::SHA256
+        when :sha384 then OpenSSL::Digest::SHA384
+        when :sha512 then OpenSSL::Digest::SHA512
+        else
+          OpenSSL::Digest::SHA1
+        end
+      end
+      @algorithm
+    end
+
+    def algorithm_name
+      algorithm.to_s.split('::').last.downcase
+    end
+
     protected
 
       def validate_saml_request(saml_request = params[:SAMLRequest])
@@ -26,11 +50,11 @@ module SamlIdp
 
       def decode_SAMLRequest(saml_request)
         zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-        text = zstream.inflate(Base64.decode64(saml_request))
+        @saml_request = zstream.inflate(Base64.decode64(saml_request))
         zstream.finish
         zstream.close
-        @saml_request_id = text[/ID='(.+?)'/, 1]
-        @saml_acs_url = text[/AssertionConsumerServiceURL='(.+?)'/, 1]
+        @saml_request_id = @saml_request[/ID='(.+?)'/, 1]
+        @saml_acs_url = @saml_request[/AssertionConsumerServiceURL='(.+?)'/, 1]
       end
 
       def encode_SAMLResponse(nameID, opts = {})
@@ -41,11 +65,11 @@ module SamlIdp
 
         assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
-        digest_value = Base64.encode64(OpenSSL::Digest::SHA1.digest(assertion)).chomp
+        digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
-        signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
+        signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
 
-        signature_value = sign(signed_info)
+        signature_value = sign(signed_info).gsub(/\n/, '')
 
         signature = %[<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">#{signed_info}<ds:SignatureValue>#{signature_value}</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>#{self.x509_certificate}</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>]
 
@@ -60,7 +84,7 @@ module SamlIdp
 
       def sign(data)
         key = OpenSSL::PKey::RSA.new(self.secret_key)
-        Base64.encode64(key.sign(OpenSSL::Digest::SHA1.new, data))
+        Base64.encode64(key.sign(algorithm.new, data))
       end
 
   end

data/lib/{saml-idp → saml_idp}/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.2.6'
+  VERSION = '0.3.0'
 end

data/ruby-saml-idp.gemspec

@@ -1,6 +1,6 @@
 # -*- encoding: utf-8 -*-
 $:.push File.expand_path("../lib", __FILE__)
-require "saml-idp/version"
+require "saml_idp/version"
 
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml-idp}
@@ -27,5 +27,7 @@ Gem::Specification.new do |s|
   # s.add_development_dependency "rcov"
   s.add_development_dependency "rspec"
   s.add_development_dependency "ruby-saml"
+  s.add_development_dependency("rails", "~> 3.2")
+  s.add_development_dependency("capybara")
 end
 

data/spec/acceptance/acceptance_helper.rb

@@ -0,0 +1,9 @@
+require File.expand_path(File.dirname(__FILE__) + "/../spec_helper")
+require 'capybara/rspec'
+
+# Put your acceptance spec helpers inside /spec/acceptance/support
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  config.include Rails.application.routes.url_helpers, :type => :request
+end

data/spec/acceptance/idp_controller_spec.rb

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature 'IdpController' do
+
+  scenario 'Login via default signup page' do
+    saml_request = make_saml_request("http://foo.example.com/saml/consume")
+    visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
+    fill_in 'Email', :with => "brad.copa@example.com"
+    fill_in 'Password', :with => "okidoki"
+    click_button 'Sign in'
+    click_button 'Submit'   # simulating onload
+    current_url.should == 'http://foo.example.com/saml/consume'
+    page.should have_content "brad.copa@example.com"
+  end
+
+end

data/spec/rails_app/.gitignore

@@ -0,0 +1,15 @@
+# See http://help.github.com/ignore-files/ for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile ~/.gitignore_global
+
+# Ignore bundler config
+/.bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+
+# Ignore all logfiles and tempfiles.
+/log/*.log
+/tmp

data/spec/rails_app/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.