ruby-saml 0.0.5

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,5 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2010 OneLogin, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,15 @@
+= ruby-saml
+
+* To build the gem run rake build
+* To install the gem run sudo gem install pkg/ruby-saml-x.x.x.gem
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but
+   bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.

data/Rakefile

@@ -0,0 +1,58 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "ruby-saml"
+    gem.summary = %Q{SAML Ruby Tookit}
+    gem.description = %Q{SAML toolkit for Ruby on Rails}
+    gem.email = "support@onelogin.com"
+    gem.homepage = "http://github.com/onelogin/ruby-saml"
+    gem.authors = ["OneLogin LLC"]
+    gem.add_dependency("XMLCanonicalizer",">= 1.0.1")
+    #gem.add_development_dependency "thoughtbot-shoulda"
+    #gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+#not being used yet.
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+# require 'rake/rdoctask'
+# Rake::RDocTask.new do |rdoc|
+#   if File.exist?('VERSION')
+#     version = File.read('VERSION')
+#   else
+#     version = ""
+#   end
+
+#   rdoc.rdoc_dir = 'rdoc'
+#   rdoc.title = "ruby-saml #{version}"
+#   rdoc.rdoc_files.include('README*')
+#   rdoc.rdoc_files.include('lib/**/*.rb')
+#end

data/VERSION

@@ -0,0 +1 @@
+0.0.4

data/lib/onelogin/saml.rb

@@ -0,0 +1 @@
+require 'onelogin/saml'

data/lib/onelogin/saml/authrequest.rb

@@ -0,0 +1,35 @@
+require "base64"
+require "uuid"
+
+module Onelogin::Saml
+  class Authrequest
+    def create(settings)
+      id                = Onelogin::Saml::Authrequest.generateUniqueID(42)
+      issue_instant     = Onelogin::Saml::Authrequest.getTimestamp
+
+      request = 
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{id}\" Version=\"2.0\" IssueInstant=\"#{issue_instant}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings.assertion_consumer_service_url}\">" +
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings.issuer}</saml:Issuer>\n" +
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings.name_identifier_format}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+        "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+        "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+        "</samlp:AuthnRequest>"
+
+      deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]     
+      base64_request    = Base64.encode64(deflated_request)  
+      encoded_request   = CGI.escape(base64_request)  
+  
+      settings.idp_sso_target_url + "?SAMLRequest=" + encoded_request
+    end
+    
+    private 
+    
+    def self.generateUniqueID(length)
+      UUID.new.generate
+    end
+    
+    def self.getTimestamp
+      Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+    end
+  end
+end

data/lib/onelogin/saml/response.rb

@@ -0,0 +1,29 @@
+require "rexml/document"
+require "xml_sec" 
+
+module Onelogin::Saml
+  class Response
+    def initialize(response)
+      @response = response
+      @document = XMLSecurity::SignedDocument.new(Base64.decode64(@response))
+    end
+    
+    def logger=(val)
+      @logger = val
+    end
+    
+    def settings=(_settings)
+      @settings = _settings
+    end
+    
+    def is_valid?
+      unless @response.blank?
+        @document.validate(@settings.idp_cert_fingerprint, @logger) unless !@settings.idp_cert_fingerprint
+      end
+    end
+
+    def name_id
+      @document.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text
+    end
+  end
+end

data/lib/onelogin/saml/settings.rb

@@ -0,0 +1,45 @@
+module Onelogin::Saml
+  class Settings
+    def assertion_consumer_service_url
+      @assertion_consumer_service_url
+    end
+    def assertion_consumer_service_url=(val)
+      @assertion_consumer_service_url = val
+    end
+    
+    def issuer
+      @issuer
+    end
+    def issuer=(val)
+      @issuer = val
+    end
+    
+    def sp_name_qualifier
+      @sp_name_qualifier
+    end
+    def sp_name_qualifier=(val)
+      @sp_name_qualifier = val
+    end
+    
+    def idp_sso_target_url
+      @idp_sso_target_url
+    end
+    def idp_sso_target_url=(val)
+      @idp_sso_target_url = val
+    end
+    
+    def idp_cert_fingerprint
+      @idp_cert_fingerprint
+    end
+    def idp_cert_fingerprint=(val)
+      @idp_cert_fingerprint = val
+    end
+    
+    def name_identifier_format
+      @name_identifier_format
+    end
+    def name_identifier_format=(val)
+      @name_identifier_format = val
+    end
+  end
+end

data/lib/ruby-saml.rb

@@ -0,0 +1,5 @@
+module Onelogin
+end
+
+require 'onelogin/saml'
+

data/lib/xml_sec.rb

@@ -0,0 +1,91 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+ 
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+
+    def validate (idp_cert_fingerprint, logger = nil)
+      # get cert from response
+      base64_cert             = self.elements["//ds:X509Certificate"].text
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      
+      # check cert matches registered idp cert
+      fingerprint             = Digest::SHA1.hexdigest(cert.to_der)
+      valid_flag              = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+      
+      return valid_flag if !valid_flag 
+      
+      validate_doc(base64_cert, logger)
+    end
+    
+    def validate_doc(base64_cert, logger)
+      # validate references
+      
+      # remove signature node
+      sig_element = XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      sig_element.remove
+      
+      #check digests
+      XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |          
+        
+        uri                   = ref.attributes.get_attribute("URI").value
+        hashed_element        = XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        canoner               = XML::Util::XmlCanonicalizer.new(false, true)
+        canon_hashed_element  = canoner.canonicalize(hashed_element)
+        hash                  = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value          = XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+        
+        valid_flag            = hash == digest_value 
+        
+        return valid_flag if !valid_flag
+      end
+ 
+      # verify signature
+      canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+      signed_info_element     = XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      canon_string            = canoner.canonicalize(signed_info_element)
+
+      base64_signature        = XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+      signature               = Base64.decode64(base64_signature)
+      
+      # get certificate object
+      cert_text               = Base64.decode64(base64_cert)
+      cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      
+      valid_flag              = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+        
+      return valid_flag
+    end
+   
+  end
+end

data/ruby-saml.gemspec

@@ -0,0 +1,58 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE
+# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{ruby-saml}
+  s.version = "0.0.5"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["OneLogin LLC"]
+  s.date = %q{2010-08-10}
+  s.description = %q{SAML toolkit for Ruby on Rails}
+  s.email = %q{support@onelogin.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/onelogin/saml.rb",
+     "lib/onelogin/saml/authrequest.rb",
+     "lib/onelogin/saml/response.rb",
+     "lib/onelogin/saml/settings.rb",
+     "lib/ruby-saml.rb",
+     "lib/xml_sec.rb",
+     "ruby-saml.gemspec",
+     "test/ruby-saml_test.rb",
+     "test/test_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/onelogin/ruby-saml}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.6}
+  s.summary = %q{SAML Ruby Tookit}
+  s.test_files = [
+    "test/ruby-saml_test.rb",
+     "test/test_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<XMLCanonicalizer>, [">= 1.0.1"])
+    else
+      s.add_dependency(%q<XMLCanonicalizer>, [">= 1.0.1"])
+    end
+  else
+    s.add_dependency(%q<XMLCanonicalizer>, [">= 1.0.1"])
+  end
+end

data/test/ruby-saml_test.rb

@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class RubySamlTest < Test::Unit::TestCase
+  should "probably rename this file and start testing for real" do
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'ruby-saml'
+
+class Test::Unit::TestCase
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification 
+name: ruby-saml
+version: !ruby/object:Gem::Version 
+  hash: 21
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 5
+  version: 0.0.5
+platform: ruby
+authors: 
+- OneLogin LLC
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-08-10 00:00:00 -05:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: XMLCanonicalizer
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 21
+        segments: 
+        - 1
+        - 0
+        - 1
+        version: 1.0.1
+  type: :runtime
+  version_requirements: *id001
+description: SAML toolkit for Ruby on Rails
+email: support@onelogin.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/onelogin/saml.rb
+- lib/onelogin/saml/authrequest.rb
+- lib/onelogin/saml/response.rb
+- lib/onelogin/saml/settings.rb
+- lib/ruby-saml.rb
+- lib/xml_sec.rb
+- ruby-saml.gemspec
+- test/ruby-saml_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/onelogin/ruby-saml
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: SAML Ruby Tookit
+test_files: 
+- test/ruby-saml_test.rb
+- test/test_helper.rb