ruby-saml-mod 0.1.2 → 0.1.4

data/lib/onelogin/saml.rb

@@ -4,6 +4,12 @@ require "rexml/document"
 require "xml_sec"
 
 module Onelogin
+  NAMESPACES = {
+    "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+    "saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+    "xenc" => "http://www.w3.org/2001/04/xmlenc#",
+    "ds" => "http://www.w3.org/2000/09/xmldsig#"
+  }
 end
 
 require 'onelogin/saml/auth_request'

data/lib/onelogin/saml/meta_data.rb

@@ -1,17 +1,37 @@
 module Onelogin::Saml
   class MetaData
     def self.create(settings)
-    %{<?xml version="1.0"?>
-<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{settings.issuer}">
-  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{settings.sp_slo_url}"/>
-    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{settings.assertion_consumer_service_url}"/>
-  </SPSSODescriptor>
-  <ContactPerson contactType="technical">
-    <SurName>#{settings.tech_contact_name}</SurName>
-    <EmailAddress>mailto:#{settings.tech_contact_email}</EmailAddress>
-  </ContactPerson>
-</EntityDescriptor>}
+      xml = %{<?xml version="1.0"?>
+        <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{settings.issuer}">
+          <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      }
+      if settings.encryption_configured?
+        xml += %{
+            <KeyDescriptor use="encryption">
+              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                <X509Data>
+                  <X509Certificate>
+                    #{File.read(settings.xmlsec_certificate).gsub(/\w*-+(BEGIN|END) CERTIFICATE-+\w*/, "").strip}
+                  </X509Certificate>
+                </X509Data>
+              </KeyInfo>
+              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
+                <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
+              </EncryptionMethod>
+            </KeyDescriptor>
+        }
+      end
+      xml += %{
+            <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{settings.sp_slo_url}"/>
+            <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{settings.assertion_consumer_service_url}"/>
+          </SPSSODescriptor>
+          <ContactPerson contactType="technical">
+            <SurName>#{settings.tech_contact_name}</SurName>
+            <EmailAddress>mailto:#{settings.tech_contact_email}</EmailAddress>
+          </ContactPerson>
+        </EntityDescriptor>
+      }
+      xml
     end
   end
-end
+end

data/lib/onelogin/saml/response.rb

@@ -1,23 +1,22 @@
 module Onelogin::Saml
   class Response
     
-    attr_accessor :settings, :document, :response
+    attr_accessor :settings, :document, :xml, :response
     attr_accessor :name_id, :name_qualifier, :session_index
     attr_accessor :status_code, :status_message
-    def initialize(response)
+    def initialize(response, settings)
       @response = response
-      @document = XMLSecurity::SignedDocument.new(Base64.decode64(@response))
-      @name_id = @document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text rescue nil
-      @name_qualifier = @document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].attributes["NameQualifier"] rescue nil
-      @session_index = @document.elements["/samlp:Response/saml:Assertion/saml:AuthnStatement"].attributes["SessionIndex"] rescue nil
-      @status_code = @document.elements["/samlp:Response/samlp:Status/samlp:StatusCode"].attributes["Value"] rescue nil
-      @status_message = @document.elements["/samlp:Response/samlp:Status/samlp:StatusCode"].text rescue nil
-      # look for saml2 and saml2p tags in Shibboleth assertions
-      @name_id ||= @document.elements["/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID"].text rescue nil
-      @name_qualifier ||= @document.elements["/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID"].attributes["NameQualifier"] rescue nil
-      @session_index ||= @document.elements["/saml2p:Response/saml2:Assertion/saml2:AuthnStatement"].attributes["SessionIndex"] rescue nil
-      @status_code ||= @document.elements["/saml2p:Response/saml2p:Status/saml2p:StatusCode"].attributes["Value"] rescue nil
-      @status_message ||= @document.elements["/saml2p:Response/saml2p:Status/saml2p:StatusCode"].text rescue nil     
+      @settings = settings
+      
+      @xml = Base64.decode64(@response)
+      @document = XMLSecurity::SignedDocument.new(@xml)
+      @document.decrypt(@settings)
+      
+      @name_id = REXML::XPath.first(@document, "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES).text rescue nil
+      @name_qualifier = REXML::XPath.first(@document, "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", Onelogin::NAMESPACES).attributes["NameQualifier"] rescue nil
+      @session_index = REXML::XPath.first(@document, "/samlp:Response/saml:Assertion/saml:AuthnStatement", Onelogin::NAMESPACES).attributes["SessionIndex"] rescue nil
+      @status_code = REXML::XPath.first(@document, "/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES).attributes["Value"] rescue nil
+      @status_message = REXML::XPath.first(@document, "/samlp:Response/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES).text rescue nil
     end
     
     def logger=(val)

data/lib/onelogin/saml/settings.rb

@@ -41,5 +41,20 @@ module Onelogin::Saml
     
     # The email of the technical contact for your application
     attr_accessor :tech_contact_email
+    
+    ## Attributes for xml encryption
+    
+    # The path to the xmlsec1 binary used for xml decryption
+    attr_accessor :xmlsec1_path
+    
+    # The PEM-encoded certificate
+    attr_accessor :xmlsec_certificate
+    
+    # The PEM-encoded private key
+    attr_accessor :xmlsec_privatekey
+    
+    def encryption_configured?
+      self.xmlsec1_path && self.xmlsec_certificate && self.xmlsec_privatekey
+    end
   end
 end

data/lib/xml_sec.rb

@@ -28,6 +28,8 @@ require "rexml/xpath"
 require "openssl"
 require "xmlcanonicalizer"
 require "digest/sha1"
+require "tempfile"
+require "shellwords"
  
 module XMLSecurity
 
@@ -86,6 +88,28 @@ module XMLSecurity
         
       return valid_flag
     end
-   
+
+    def decrypt(settings)
+      if settings.encryption_configured?
+        REXML::XPath.each(self, "//xenc:EncryptedData", Onelogin::NAMESPACES) do |node|
+          Tempfile.open("ruby-saml-decrypt") do |f|
+            f.puts node.to_s
+            f.close
+            command = [ settings.xmlsec1_path, "decrypt", "--privkey-pem", settings.xmlsec_privatekey, f.path ].shelljoin
+            decrypted_xml = %x{#{command}}
+            if $?.exitstatus != 0
+              @logger.warn "Could not decrypt: #{decrypted_xml}" if @logger
+              return false
+            else
+              decrypted_doc = REXML::Document.new(decrypted_xml)
+              decrypted_node = decrypted_doc.root
+              node.parent.replace_with(decrypted_node)
+            end
+            f.unlink
+          end
+        end
+      end
+      true
+    end
   end
 end

data/ruby-saml-mod.gemspec

@@ -1,9 +1,9 @@
 Gem::Specification.new do |s|
   s.name = %q{ruby-saml-mod}
-  s.version = "0.1.2"
+  s.version = "0.1.4"
 
-  s.authors = ["OneLogin LLC", "Bracken"]
-  s.date = %q{2011-01-26}
+  s.authors = ["OneLogin LLC", "Bracken", "Zach"]
+  s.date = %q{2011-11-05}
   s.extra_rdoc_files = [
     "LICENSE"
   ]

metadata

@@ -1,22 +1,22 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-saml-mod
 version: !ruby/object:Gem::Version 
-  hash: 31
-  prerelease: 
+  prerelease: false
   segments: 
   - 0
   - 1
-  - 2
-  version: 0.1.2
+  - 4
+  version: 0.1.4
 platform: ruby
 authors: 
 - OneLogin LLC
 - Bracken
+- Zach
 autorequire: 
 bindir: bin
 cert_chain: []
 
-date: 2011-01-26 00:00:00 -07:00
+date: 2011-11-05 00:00:00 -06:00
 default_executable: 
 dependencies: []
 
@@ -51,27 +51,23 @@ rdoc_options: []
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      hash: 3
       segments: 
       - 0
       version: "0"
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.3.6
 signing_key: 
 specification_version: 3
 summary: Ruby library for SAML service providers