ruby-saml-mod 0.1.30 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: de2dcfe3e3d9c2993dac7f1a06bc809fb52cfcf9
-  data.tar.gz: 3465736cf3a7146a3abd0b573e28ddeb3003f54d
+  metadata.gz: c9b8339af98b853334c4cd343eff1454a9ed537a
+  data.tar.gz: 7702ec985b556013a1d812f646e415ec16cfe58f
 SHA512:
-  metadata.gz: 7ad9d8d8e2c97650b4bae20abd37917c028b9c085aebd47a56e3c1b2c7aab8490db419d0f620a66622f9e0eb4cb0621f577d8f96b84b31c0d07fa07f819935f7
-  data.tar.gz: 18d63098d79fffee7efcfe843ea5585d2c2e57ba6f92091315de12390d717b475e4eb89b32587e902ee67c3893fdf1ace5898f313d0c44d1634dc36d25dbd5e2
+  metadata.gz: 1e1accc268ecc2fad5023f99552d8c2a53cca7ddd548092236534bcb0d6016ec51a40d0960b8706afceacd9fe5ecfeb204751985f0b15c90e78e1bbaeeb5cade
+  data.tar.gz: 868e76914f77d9766ebc31449b9262c28dd689a4ea815ed23c6269ada3a0e4422ec2941e73c87bfd3e9d53671ee0e5c0c1f6b58ab2151ba969cee116a3599f7d

data/lib/onelogin/saml.rb

@@ -35,12 +35,13 @@ module Onelogin
   }
 end
 
+require 'onelogin/saml/base_assertion'
 require 'onelogin/saml/auth_request'
-require 'onelogin/saml/authn_contexts.rb'
+require 'onelogin/saml/authn_contexts'
 require 'onelogin/saml/response'
 require 'onelogin/saml/settings'
 require 'onelogin/saml/name_identifiers'
 require 'onelogin/saml/status_codes'
 require 'onelogin/saml/meta_data'
-require 'onelogin/saml/log_out_request'
+require 'onelogin/saml/logout_request'
 require 'onelogin/saml/logout_response'

data/lib/onelogin/saml/auth_request.rb

@@ -1,53 +1,47 @@
 module Onelogin::Saml
-  class AuthRequest
-    
-    attr_reader :settings, :id, :request_xml, :forward_url
-    
-    def initialize(settings)
-      @settings = settings
+  class AuthRequest < BaseAssertion
+    attr_accessor :requested_authn_context,
+                  :assertion_consumer_service_url,
+                  :name_identifier_format
+
+    def self.parse(raw_assertion, settings = nil)
+      raise NotImplementedError
     end
-    
-    def self.create(settings)
-      ar = AuthRequest.new(settings)
-      ar.generate_request
+
+    def self.generate(settings)
+      super(settings, {
+        destination: settings.idp_sso_target_url,
+        requested_authn_context: settings.requested_authn_context,
+        assertion_consumer_service_url: Array(settings.assertion_consumer_service_url).first,
+        name_identifier_format: settings.name_identifier_format
+      })
     end
-    
-    def generate_request
-      @id = Onelogin::Saml::AuthRequest.generate_unique_id(42)
-      issue_instant = Onelogin::Saml::AuthRequest.get_timestamp
 
-      @request_xml = 
-        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{@id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{Array(settings.assertion_consumer_service_url).first}\">" +
-        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{@settings.issuer}</saml:Issuer>\n" +
-        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{@settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n"
-      
-      if @settings.requested_authn_context
-        @request_xml += "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">"
-        @request_xml += "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{@settings.requested_authn_context}</saml:AuthnContextClassRef>"
-        @request_xml += "</samlp:RequestedAuthnContext>\n"
+    def generate
+      if self.requested_authn_context
+        xml = <<-XML
+          <samlp:RequestedAuthnContext Comparison="exact">
+            <saml:AuthnContextClassRef>#{self.requested_authn_context}</saml:AuthnContextClassRef>
+          </samlp:RequestedAuthnContext>
+        XML
       end
-        
-      @request_xml += "</samlp:AuthnRequest>"
 
-      deflated_request  = Zlib::Deflate.deflate(@request_xml, 9)[2..-5]     
-      base64_request    = Base64.strict_encode64(deflated_request)
-      encoded_request   = CGI.escape(base64_request)
+      <<-XML
+        <samlp:AuthnRequest
+          xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}"
+          xmlns:saml="#{Onelogin::NAMESPACES['saml']}"
+          ID="#{self.id}"
+          Version="2.0"
+          ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+          AssertionConsumerServiceURL=\"#{self.assertion_consumer_service_url}\"
+          IssueInstant="#{self.issue_instant}">
 
-      @forward_url = @settings.idp_sso_target_url + (@settings.idp_sso_target_url.include?("?") ? "&" : "?") + "SAMLRequest=" + encoded_request
-    end
-    
-    private 
-    
-    def self.generate_unique_id(length)
-      chars = ("a".."f").to_a + ("0".."9").to_a
-      chars_len = chars.size
-      unique_id = ("a".."f").to_a[rand(6)]
-      2.upto(length) { |i| unique_id << chars[rand(chars_len)] }
-      unique_id
-    end
-    
-    def self.get_timestamp
-      Time.new.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+          <saml:Issuer>#{self.issuer}</saml:Issuer>
+          <samlp:NameIDPolicy Format="#{self.name_identifier_format}" AllowCreate="true"></samlp:NameIDPolicy>
+
+          #{xml}
+        </samlp:AuthnRequest>
+      XML
     end
   end
 end

data/lib/onelogin/saml/base_assertion.rb

@@ -0,0 +1,159 @@
+module Onelogin::Saml
+  class BaseAssertion
+    attr_accessor :settings
+    attr_reader :xml
+    attr_writer :id,
+                :issuer,
+                :issue_instant,
+                :destination,
+                :in_response_to,
+                :base64_assertion
+    def id
+      @id ||= root_attribute_value('ID')
+    end
+
+    def issue_instant
+      @issue_instant ||= root_attribute_value('IssueInstance')
+    end
+
+    def issuer
+      @issuer ||= node_content('saml:Issuer')
+    end
+
+    def destination
+      @destination ||= root_attribute_value('Destination')
+    end
+
+    def in_response_to
+      @in_response_to ||= root_attribute_value('InResponseTo')
+    end
+
+    def document
+      @document ||= LibXML::XML::Document.string(xml) if xml
+    end
+
+    def xml=(value)
+      @xml = value.strip
+    end
+
+    def base64_assertion
+      @base64_assertion ||= begin
+        deflated_assertion = Zlib::Deflate.deflate(self.xml, 9)[2..-5]
+        Base64.strict_encode64(deflated_assertion)
+      end
+    end
+
+    def assertion_type
+      return unless document
+
+      if document.root.name =~ /Request$/
+        :request
+      elsif document.root.name =~ /Response$/
+        :response
+      end
+    end
+
+    def process(settings)
+      # TODO: Verify signature and decrypt.
+    end
+
+    def self.parse(raw_assertion, settings = nil)
+      assertion = new
+      assertion.base64_assertion = raw_assertion
+
+      decoded_xml = Base64.decode64(raw_assertion)
+      zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+
+      assertion.xml = zlib.inflate(decoded_xml)
+
+      assertion.process(settings) if settings
+      assertion
+    end
+
+    def self.generate(settings, attributes = {})
+      assertion = new
+
+      assertion.settings = settings
+      assertion.id = generate_unique_id
+      assertion.issue_instant = get_timestamp
+      assertion.issuer = settings.issuer
+
+      attributes.each do |key, value|
+        if assertion.respond_to? "#{key}="
+          assertion.send "#{key}=", value
+        end
+      end
+
+      assertion.xml = assertion.generate
+
+      assertion
+    end
+
+    def forward_url
+      @forward_url ||= begin
+        url, existing_query_string = destination.split('?')
+        query_string = query_string_append(existing_query_string, query_string_param, base64_assertion)
+
+        if settings.sign?
+          query_string = query_string_append(query_string, "SigAlg", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
+          signature =  generate_signature(query_string, settings.xmlsec_privatekey)
+          query_string = query_string_append(query_string, "Signature", signature)
+        end
+
+        if settings.relay_state
+          query_string = query_string_append(query_string, "RelayState", settings.relay_state)
+        end
+
+        [url, query_string].join("?")
+      end
+    end
+
+    def generate
+      raise "Subclass does not implement abstract method generate."
+    end
+
+    def root_attribute_value(attribute)
+      document.root[attribute] if document
+    end
+
+    def node_attribute_value(xpath, attribute)
+      document.root.find_first(xpath, Onelogin::NAMESPACES)[attribute] rescue nil
+    end
+
+    def node_content(xpath)
+      document.root.find_first(xpath, Onelogin::NAMESPACES).content rescue nil
+    end
+
+    def self.generate_unique_id(length = 42)
+      chars = ("a".."f").to_a + ("0".."9").to_a
+      chars_len = chars.size
+      unique_id = ("a".."f").to_a[rand(6)]
+      2.upto(length) { |i| unique_id << chars[rand(chars_len)] }
+      unique_id
+    end
+
+    def self.get_timestamp
+      Time.new.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+
+    private
+
+    def query_string_param
+      if assertion_type == :request
+        'SAMLRequest'
+      elsif assertion_type == :response
+        'SAMLResponse'
+      end
+    end
+
+    def generate_signature(string, private_key)
+      pkey = OpenSSL::PKey::RSA.new(File.read(private_key))
+      sign = pkey.sign(OpenSSL::Digest::SHA1.new, string)
+      Base64.encode64(sign).gsub(/\s/, '')
+    end
+
+    def query_string_append(query_string, key, value)
+      [query_string, "#{CGI.escape(key)}=#{CGI.escape(value)}"].compact.join('&')
+    end
+  end
+end

data/lib/onelogin/saml/logout_request.rb

@@ -0,0 +1,44 @@
+module Onelogin::Saml
+  class LogoutRequest < BaseAssertion
+    attr_writer :name_id,
+                :session_index,
+                :name_qualifier,
+                :name_identifier_format
+
+    def name_id
+      @name_id ||= node_content('saml:NameID')
+    end
+
+    def name_identifier_format
+      @name_identifier_format ||= node_attribute_value('samlp:NameID', 'Format')
+    end
+
+    def name_qualifier
+      @name_qualifier ||= node_attribute_value('samlp:NameID', 'NameQualifier')
+    end
+
+    def session_index
+      @session_index ||= node_content('samlp:SessionIndex')
+    end
+
+    def self.generate(name_qualifier, name_id, session_index, settings)
+      super(settings, {
+        destination: settings.idp_slo_target_url,
+        name_identifier_format: settings.name_identifier_format,
+        name_id: name_id,
+        name_qualifier: name_qualifier,
+        session_index: session_index
+      })
+    end
+
+    def generate
+      <<-XML
+        <samlp:LogoutRequest xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{self.destination}">
+          <saml:Issuer>#{self.issuer}</saml:Issuer>
+          <saml:NameID NameQualifier="#{self.name_qualifier}" SPNameQualifier="#{self.issuer}" Format="#{self.name_identifier_format}">#{self.name_id}</saml:NameID>
+          <samlp:SessionIndex>#{self.session_index}</samlp:SessionIndex>
+        </samlp:LogoutRequest>
+      XML
+    end
+  end
+end

data/lib/onelogin/saml/logout_response.rb

@@ -1,38 +1,37 @@
 module Onelogin::Saml
-  class LogoutResponse
-    
-    attr_reader :settings, :document, :xml, :response
-    attr_reader :status_code, :status_message, :issuer
-    attr_reader :in_response_to, :destination, :request_id
-    def initialize(response, settings=nil)
-      @response = response
+  class LogoutResponse < BaseAssertion
 
-      @xml = Base64.decode64(@response)
-      zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      @xml = zlib.inflate(@xml)
-      @document = LibXML::XML::Document.string(@xml)
+    STATUS_MESSAGE = 'Successfully Signed Out'
 
-      @request_id = @document.find_first("/samlp:LogoutResponse", Onelogin::NAMESPACES)['ID'] rescue nil
-      @issuer = @document.find_first("/samlp:LogoutResponse/saml:Issuer", Onelogin::NAMESPACES).content rescue nil
-      @in_response_to = @document.find_first("/samlp:LogoutResponse", Onelogin::NAMESPACES)['InResponseTo'] rescue nil
-      @destination = @document.find_first("/samlp:LogoutResponse", Onelogin::NAMESPACES)['Destination'] rescue nil
-      @status_code = @document.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusCode", Onelogin::NAMESPACES)['Value'] rescue nil
-      @status_message = @document.find_first("/samlp:LogoutResponse/samlp:Status/samlp:StatusMessage", Onelogin::NAMESPACES).content rescue nil
+    attr_writer :status_code,
+                :status_message
 
-      process(settings) if settings
+    def status_code
+      @status_code ||= node_attribute_value('samlp:Status/samlp:StatusCode', 'Value')
     end
 
-    def process(settings)
-      @settings = settings
-      return unless @response
+    def status_message
+      @status_message ||= node_content("samlp:Status/samlp:StatusMessage")
     end
 
-    def logger=(val)
-      @logger = val
+    def self.generate(in_response_to, settings)
+      super(settings, in_response_to: in_response_to, destination: settings.idp_slo_target_url)
     end
-    
+
+    def generate
+      <<-XML
+        <samlp:LogoutResponse xmlns:samlp="#{Onelogin::NAMESPACES['samlp']}" xmlns:saml="#{Onelogin::NAMESPACES['saml']}" ID="#{self.id}" Version="2.0" IssueInstant="#{self.issue_instant}" Destination="#{self.destination}" InResponseTo="#{self.in_response_to}">
+          <saml:Issuer>#{self.issuer}</saml:Issuer>
+          <samlp:Status>
+            <samlp:StatusCode Value="#{Onelogin::Saml::StatusCodes::SUCCESS_URI}"></samlp:StatusCode>
+            <samlp:StatusMessage>#{STATUS_MESSAGE}</samlp:StatusMessage>
+          </samlp:Status>
+        </samlp:LogoutResponse>
+      XML
+    end
+
     def success_status?
-      @status_code == Onelogin::Saml::StatusCodes::SUCCESS_URI
+      self.status_code == Onelogin::Saml::StatusCodes::SUCCESS_URI
     end
   end
 end

data/lib/onelogin/saml/response.rb

@@ -7,6 +7,7 @@ module Onelogin::Saml
     attr_reader :status_code, :status_message
     attr_reader :in_response_to, :destination, :issuer
     attr_reader :validation_error
+
     def initialize(response, settings=nil)
       @response = response
 
@@ -28,6 +29,7 @@ module Onelogin::Saml
 
     def process(settings)
       @settings = settings
+      @logger = settings.logger
       return unless @response
 
       @in_response_to = untrusted_find_first("/samlp:Response")['InResponseTo'] rescue nil
@@ -72,10 +74,6 @@ module Onelogin::Saml
       end.flatten.compact
     end
 
-    def logger=(val)
-      @logger = val
-    end
-
     def is_valid?
       @is_valid ||= validate
     end

data/lib/onelogin/saml/settings.rb

@@ -1,6 +1,6 @@
 module Onelogin::Saml
   class Settings
-    
+
     def initialize(atts={})
       atts.each do |key, val|
         if self.respond_to? "#{key}="
@@ -8,48 +8,54 @@ module Onelogin::Saml
         end
       end
     end
-    
+
     # The URL at which the SAML assertion should be received.
     attr_accessor :assertion_consumer_service_url
-    
+
     # The name of your application.
     attr_accessor :issuer
-    
-    # 
+
+    # Logger
+    attr_accessor :logger
+
+    #
     attr_accessor :sp_name_qualifier
-    
+
     # The IdP URL to which the authentication request should be sent.
     attr_accessor :idp_sso_target_url
-    
+
     # The IdP URL to which the logout request should be sent.
     attr_accessor :idp_slo_target_url
-    
+
     # The certificate fingerprint. This is provided from the identity provider when setting up the relationship.
     attr_accessor :idp_cert_fingerprint
-    
+
     # Describes the format of the username required by this application.
     # For email: Onelogin::Saml::NameIdentifiers::EMAIL
     attr_accessor :name_identifier_format
-    
+
     # The type of authentication requested (see Onelogin::Saml::AuthnContexts)
     attr_accessor :requested_authn_context
-    
+
+    # The relay state to use when generating assertions.
+    attr_accessor :relay_state
+
     ## Attributes for the metadata
-    
+
     # The logout url of your application
     attr_accessor :sp_slo_url
-    
-    # The name of the technical contact for your application 
+
+    # The name of the technical contact for your application
     attr_accessor :tech_contact_name
-    
+
     # The email of the technical contact for your application
     attr_accessor :tech_contact_email
-    
+
     ## Attributes for xml encryption
 
     # The PEM-encoded certificate
     attr_accessor :xmlsec_certificate
-    
+
     # The PEM-encoded private key
     attr_accessor :xmlsec_privatekey