ruby-saml-mod 0.1.0

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README

@@ -0,0 +1,7 @@
+== SAML toolkit for Ruby on Rails
+
+Documentation from onelogin: http://support.onelogin.com/entries/165434-saml-toolkit-for-ruby-on-rails
+
+The example folder has a rails 2.3.5 example application.
+
+A Gem will eventually be created.

data/lib/onelogin/saml.rb

@@ -0,0 +1,15 @@
+require 'zlib'
+require "base64"
+require "rexml/document"
+require "xml_sec"
+
+module Onelogin
+end
+
+require 'onelogin/saml/auth_request'
+require 'onelogin/saml/response'
+require 'onelogin/saml/settings'
+require 'onelogin/saml/name_identifiers'
+require 'onelogin/saml/status_codes'
+require 'onelogin/saml/meta_data'
+require 'onelogin/saml/log_out_request'

data/lib/onelogin/saml/auth_request.rb

@@ -0,0 +1,36 @@
+module Onelogin::Saml
+  class AuthRequest
+    def self.create(settings)
+      id                = Onelogin::Saml::AuthRequest.generate_unique_id(42)
+      issue_instant     = Onelogin::Saml::AuthRequest.get_timestamp
+
+      request = 
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings.assertion_consumer_service_url}\">" +
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings.issuer}</saml:Issuer>\n" +
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+        "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+        "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+        "</samlp:AuthnRequest>"
+
+      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]     
+      base64_request    = Base64.encode64(deflated_request)  
+      encoded_request   = CGI.escape(base64_request)  
+  
+      settings.idp_sso_target_url + "?SAMLRequest=" + encoded_request
+    end
+    
+    private 
+    
+    def self.generate_unique_id(length)
+      chars = ("a".."f").to_a + ("0".."9").to_a
+      chars_len = chars.size
+      unique_id = ""
+      1.upto(length) { |i| unique_id << chars[rand(chars_len-1)] }
+      unique_id
+    end
+    
+    def self.get_timestamp
+      Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/onelogin/saml/log_out_request.rb

@@ -0,0 +1,22 @@
+module Onelogin::Saml
+  class LogOutRequest
+    def self.create(settings, session)
+      id                = Onelogin::Saml::AuthRequest.generate_unique_id(42)
+      issue_instant     = Onelogin::Saml::AuthRequest.get_timestamp
+      
+      logout_request = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\"> " +
+          "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings.issuer}</saml:Issuer>" +
+          "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"#{session[:name_qualifier]}\" SPNameQualifier=\"#{settings.issuer}\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">#{session[:name_id]}</saml:NameID>" + 
+          "<samlp:SessionIndex xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">#{session[:session_index]}</samlp:SessionIndex>" +
+          "</samlp:LogoutRequest>";
+
+      deflated_logout_request = Zlib::Deflate.deflate(logout_request, 9)[2..-5]     
+      base64_logout_request = Base64.encode64(deflated_logout_request)  
+      encoded_logout_request = CGI.escape(base64_logout_request)  
+
+      redirect_url = settings.idp_slo_target_url + "?SAMLRequest=" + encoded_logout_request 
+  
+      return redirect_url
+    end
+  end
+end

data/lib/onelogin/saml/meta_data.rb

@@ -0,0 +1,17 @@
+module Onelogin::Saml
+  class MetaData
+    def self.create(settings)
+    %{<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{settings.issuer}">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{settings.sp_slo_url}"/>
+    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{settings.assertion_consumer_service_url}"/>
+  </SPSSODescriptor>
+  <ContactPerson contactType="technical">
+    <SurName>#{settings.tech_contact_name}</SurName>
+    <EmailAddress>mailto:#{settings.tech_contact_email}</EmailAddress>
+  </ContactPerson>
+</EntityDescriptor>}
+    end
+  end
+end

data/lib/onelogin/saml/name_identifiers.rb

@@ -0,0 +1,15 @@
+module Onelogin::Saml
+  module NameIdentifiers
+    # See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for further documentation
+    EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+    KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
+    PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+    TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+    WINDOWS_DOMAIN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
+    X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
+    
+    ALL_IDENTIFIERS = [EMAIL, ENTITY, KERBEROS, PERSISTENT, TRANSIENT, UNSPECIFIED, WINDOWS_DOMAIN, X509]
+  end
+end

data/lib/onelogin/saml/response.rb

@@ -0,0 +1,35 @@
+module Onelogin::Saml
+  class Response
+    
+    attr_accessor :settings, :document, :response
+    attr_accessor :name_id, :name_qualifier, :session_index
+    attr_accessor :status_code, :status_message
+    def initialize(response)
+      @response = response
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(@response))
+      @name_id = @document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text rescue nil
+      @name_qualifier = @document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].attributes["NameQualifier"] rescue nil
+      @session_index = @document.elements["/samlp:Response/saml:Assertion/saml:AuthnStatement"].attributes["SessionIndex"] rescue nil
+      @status_code = @document.elements["/samlp:Response/samlp:Status/samlp:StatusCode"].attributes["Value"] rescue nil
+      @status_message = @document.elements["/samlp:Response/samlp:Status/samlp:StatusCode"].text rescue nil
+    end
+    
+    def logger=(val)
+      @logger = val
+    end
+    
+    def is_valid?
+      unless @response.blank?
+        @document.validate(@settings.idp_cert_fingerprint, @logger) unless !@settings.idp_cert_fingerprint
+      end
+    end
+    
+    def success_status?
+      @status_code == Onelogin::Saml::StatusCodes::SUCCESS_URI
+    end
+    
+    def auth_failure?
+      @status_code == Onelogin::Saml::StatusCodes::AUTHN_FAILED_URI
+    end
+  end
+end

data/lib/onelogin/saml/settings.rb

@@ -0,0 +1,45 @@
+module Onelogin::Saml
+  class Settings
+    
+    def initialize(atts={})
+      atts.each do |key, val|
+        if self.respond_to? "#{key}="
+          self.send "#{key}=", val
+        end
+      end
+    end
+    
+    # The URL at which the SAML assertion should be received.
+    attr_accessor :assertion_consumer_service_url
+    
+    # The name of your application.
+    attr_accessor :issuer
+    
+    # 
+    attr_accessor :sp_name_qualifier
+    
+    # The IdP URL to which the authentication request should be sent.
+    attr_accessor :idp_sso_target_url
+    
+    # The IdP URL to which the logout request should be sent.
+    attr_accessor :idp_slo_target_url
+    
+    # The certificate fingerprint. This is provided from the identity provider when setting up the relationship.
+    attr_accessor :idp_cert_fingerprint
+    
+    # Describes the format of the username required by this application.
+    # For email: Onelogin::Saml::NameIdentifiers::EMAIL
+    attr_accessor :name_identifier_format
+    
+    ## Attributes for the metadata
+    
+    # The logout url of your application
+    attr_accessor :sp_slo_url
+    
+    # The name of the technical contact for your application 
+    attr_accessor :tech_contact_name
+    
+    # The email of the technical contact for your application
+    attr_accessor :tech_contact_email
+  end
+end

data/lib/onelogin/saml/status_codes.rb

@@ -0,0 +1,28 @@
+module Onelogin::Saml
+  module StatusCodes
+    # See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 3.2.2 for further documentation
+    SUCCESS_URI = "urn:oasis:names:tc:SAML:2.0:status:Success"
+    REQUESTER_URI = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+    RESPONDER_URI = "urn:oasis:names:tc:SAML:2.0:status:Responder"
+    VERSION_MISMATCH_URI = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
+    AUTHN_FAILED_URI = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
+    INVALID_ATTR_NAME_VALUE_URI = "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue"
+    INVALID_NAMEID_POLICY_URI = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"
+    NO_AUTHN_CONTEXT_URI = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
+    NO_AVAILABLE_IDP_URI = "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"
+    NO_PASSIVE_URI = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
+    NO_SUPPORTED_IDP_URI = "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"
+    PARTIAL_LOGOUT_URI = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
+    PROXY_COUNT_EXCEEDED_URI = "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"
+    REQUEST_DENIED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
+    REQUEST_UNSUPPORTED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"
+    REQUEST_VERSION_DEPRECATED_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"
+    REQUEST_VERSION_TOO_HIGH_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"
+    REQUEST_VERSION_TOO_LOW_URI = "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"
+    RESOURCE_NOT_RECOGNIZED_URI = "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"
+    TOO_MANY_RESPONSES = "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"
+    UNKNOWN_ATTR_PROFILE_URI = "urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile"
+    UNKNOWN_PRINCIPAL_URI = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
+    UNSUPPORTED_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"
+  end
+end

data/lib/xml_sec.rb

@@ -0,0 +1,91 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+ 
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+
+    def validate (idp_cert_fingerprint, logger = nil)
+      # get cert from response
+      base64_cert             = self.elements["//ds:X509Certificate"].text
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      
+      # check cert matches registered idp cert
+      fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
+      valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+      
+      return valid_flag if !valid_flag 
+      
+      validate_doc(base64_cert, logger)
+    end
+    
+    def validate_doc(base64_cert, logger)
+      # validate references
+      
+      # remove signature node
+      sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      sig_element.remove
+      
+      #check digests
+      REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |          
+        
+        uri                   = ref.attributes.get_attribute("URI").value
+        hashed_element        = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
+        canon_hashed_element  = canoner.canonicalize(hashed_element)
+        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value          = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+        
+        valid_flag            = hash == digest_value 
+        
+        return valid_flag if !valid_flag
+      end
+ 
+      # verify signature
+      canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+      signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      canon_string            = canoner.canonicalize(signed_info_element)
+
+      base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+      signature               = Base64.decode64(base64_signature)
+      
+      # get certificate object
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      
+      valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+        
+      return valid_flag
+    end
+   
+  end
+end

data/ruby-saml-mod.gemspec

@@ -0,0 +1,28 @@
+Gem::Specification.new do |s|
+  s.name = %q{ruby-saml-mod}
+  s.version = "0.1.0"
+
+  s.authors = ["OneLogin LLC", "Bracken"]
+  s.date = %q{2011-01-26}
+  s.extra_rdoc_files = [
+    "LICENSE"
+  ]
+  s.files = [
+    "LICENSE",
+    "README",
+    "lib/onelogin/saml.rb",
+    "lib/onelogin/saml/auth_request.rb",
+    "lib/onelogin/saml/log_out_request.rb",
+    "lib/onelogin/saml/meta_data.rb",
+    "lib/onelogin/saml/name_identifiers.rb",
+    "lib/onelogin/saml/response.rb",
+    "lib/onelogin/saml/settings.rb",
+    "lib/onelogin/saml/status_codes.rb",
+    "lib/xml_sec.rb",
+    "ruby-saml-mod.gemspec"
+  ]
+  s.homepage = %q{http://github.com/bracken/ruby-saml}
+  s.require_paths = ["lib"]
+  s.summary = %q{Ruby library for SAML service providers}
+  s.description = %q{This is an early fork from https://github.com/onelogin/ruby-saml - I plan to "rebase" these changes ontop of their current version eventually. }
+end

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification 
+name: ruby-saml-mod
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- OneLogin LLC
+- Bracken
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-01-26 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: "This is an early fork from https://github.com/onelogin/ruby-saml - I plan to \"rebase\" these changes ontop of their current version eventually. "
+email: 
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+files: 
+- LICENSE
+- README
+- lib/onelogin/saml.rb
+- lib/onelogin/saml/auth_request.rb
+- lib/onelogin/saml/log_out_request.rb
+- lib/onelogin/saml/meta_data.rb
+- lib/onelogin/saml/name_identifiers.rb
+- lib/onelogin/saml/response.rb
+- lib/onelogin/saml/settings.rb
+- lib/onelogin/saml/status_codes.rb
+- lib/xml_sec.rb
+- ruby-saml-mod.gemspec
+has_rdoc: true
+homepage: http://github.com/bracken/ruby-saml
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Ruby library for SAML service providers
+test_files: []
+