ruby-samlnechotech 0.7.34 → 0.7.35

checksums.yaml

@@ -1,7 +1,15 @@
 ---
-SHA1:
-  metadata.gz: 83acf516a41f0c28c18108b8f5b5ffbcc4698e1a
-  data.tar.gz: f83184add5a75fcf488b2ff879a5816e0298a2e6
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    M2Y3NTY1OWQyMmI4ZmY4YWRjNmI1ZTllNTQ0MzQ0MGYwNDZiZTEzZQ==
+  data.tar.gz: !binary |-
+    ODExYjkyMTg0YWM4NDcyOTRkYjQzZjZiNmNhNTg4YTdhZWExM2MzZQ==
 SHA512:
-  metadata.gz: 6348a6a9abeb1d41a1851351c473aaa0c9643ace578a811ddd3c3090f960da79b37eba635f5a30bf0ea2b8924e65d6f79d2415a96e164569886922522d73e60f
-  data.tar.gz: 45eb2a6a53c8c03977e26038e995a64c544cff803e9a6c47664057889ce383211515ee334af85db7d0ab3bf5bbbb07abfcdeb850daba145af68bb3159dfeb289
+  metadata.gz: !binary |-
+    OWEwMTY0OGY5YmI4ZGM5N2ZlZjRkZDRhZmNkZGY5MWIzZjY2ZTZmNzE2YjJj
+    MTE2OTJiOWU2OGFkZmNlYjg5MzJiZmJmNTg4NDgyM2Q1MjhlZWJmMTY3MjJj
+    N2NiZjQ1NWM2NjY3MWQ0MDJhNTJlNzZjZDBmMzA2NzVkYTFhNmU=
+  data.tar.gz: !binary |-
+    ZGI0OWZmMTU3NWUwNWRlMzI1NmExNTMzOTlhYmI4OWFkNGY0NzdlOGNhNmI4
+    ZTRlYjQ3ZTA3MzY2ZjU2N2VmNGZkOTc5NThjMmI3NThhYmY5NjRlY2NjYzE5
+    M2EyNTVjMmIzMjNjMzI3MzgzMWY5M2U1ZTEzOWRmMmI0MWYxNGI=

data/lib/onelogin/ruby-samlnechotech/saml_message.rb

@@ -0,0 +1,75 @@
+require 'cgi'
+require 'zlib'
+require 'base64'
+
+module Onelogin
+  module Saml
+    class SamlMessage
+
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+
+      def valid_saml?(document, soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), '..', '..', 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      private
+
+      def decode_raw_saml(saml)
+        if saml =~ /^</
+          return saml
+        elsif (decoded  = decode(saml)) =~ /^</
+          return decoded
+        elsif (inflated = inflate(decoded)) =~ /^</
+          return inflated
+        end
+
+        return nil
+      end
+
+      def encode_raw_saml(saml, settings)
+        saml           = Zlib::Deflate.deflate(saml, 9)[2..-5] if settings.compress_request
+        base64_saml    = Base64.encode64(saml)
+        return CGI.escape(base64_saml)
+      end
+
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded).gsub(/\n/, "")
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-samlnechotech/slo_logoutrequest.rb

@@ -0,0 +1,66 @@
+require 'zlib'
+require 'time'
+require 'nokogiri'
+
+# Only supports SAML 2.0
+module Onelogin
+  module Saml
+    class SloLogoutrequest < SamlMessage
+      attr_reader :options
+      attr_reader :request
+      attr_reader :document
+
+      def initialize(request, options = {})
+        raise ArgumentError.new("Request cannot be nil") if request.nil?
+        @options  = options
+        @request = decode_raw_saml(request)
+        @document = REXML::Document.new(@request)
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def id
+        return @id if @id
+        element = REXML::XPath.first(document, "/p:LogoutRequest", {
+            "p" => PROTOCOL} )
+        return nil if element.nil?
+        return element.attributes["ID"]
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:LogoutRequest/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validate(soft = true)
+        valid_saml?(document, soft)  && validate_request_state(soft)
+      end
+
+      def validate_request_state(soft = true)
+        if request.empty?
+          return soft ? false : validation_error("Blank request")
+        end
+        true
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-samlnechotech/slo_logoutresponse.rb

@@ -0,0 +1,62 @@
+module Onelogin
+  module Saml
+    class SloLogoutresponse < SamlMessage
+
+      def create(settings, request, logout_message = nil, params = {})
+        params = {} if params.nil?
+
+        response_doc = create_logout_response_xml_doc(settings, request, logout_message)
+        response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+
+        response = ''
+        response_doc.write(response)
+
+        Logging.debug "Created SLO Logout Response: #{response}"
+
+        encoded_response   = encode_raw_saml(response, settings)
+        params_prefix     = (settings.idp_slo_target_url =~ /\?/) ? '&' : '?'
+        response_params    = "#{params_prefix}SAMLResponse=#{encoded_response}"
+
+        params.each_pair do |key, value|
+          response_params << "&#{key.to_s}=#{escape(value.to_s)}"
+        end
+
+        settings.idp_slo_target_url + response_params
+      end
+
+      def create_logout_response_xml_doc(settings, request, logout_message = nil)
+        uuid = '_' + UUID.new.generate
+        time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+        response_doc = REXML::Document.new
+
+        root = response_doc.add_element 'samlp:LogoutResponse', { 'xmlns:samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol' }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = '2.0'
+        root.attributes['InResponseTo'] = request.id unless request.id.nil?
+        root.attributes['Destination'] = settings.idp_slo_target_url unless settings.idp_slo_target_url.nil?
+
+        # add success message
+        status = root.add_element 'samlp:Status'
+
+        # success status code
+        status_code = status.add_element 'samlp:StatusCode'
+        status_code.attributes['Value'] = 'urn:oasis:names:tc:SAML:2.0:status:Success'
+
+        # success status message
+        logout_message ||= 'Successfully Signed Out'
+        status_message = status.add_element 'samlp:StatusMessage'
+        status_message.text = logout_message
+
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = settings.issuer
+        end
+
+        response_doc
+      end
+
+    end
+  end
+end

data/lib/onelogin/ruby-samlnechotech/version.rb

@@ -1,5 +1,5 @@
 module Onelogin
   module Saml
-    VERSION = '0.7.34'
+    VERSION = '0.7.35'
   end
 end

data/lib/ruby-samlnechotech.rb

@@ -7,3 +7,6 @@ require 'onelogin/ruby-samlnechotech/settings'
 require 'onelogin/ruby-samlnechotech/validation_error'
 require 'onelogin/ruby-samlnechotech/metadata'
 require 'onelogin/ruby-samlnechotech/version'
+require 'onelogin/ruby-samlnechotech/saml_message'
+require 'onelogin/ruby-samlnechotech/slo_logoutrequest'
+require 'onelogin/ruby-samlnechotech/slo_logoutresponse'

data/test/requests/logoutrequest_fixtures.rb

@@ -0,0 +1,82 @@
+#encoding: utf-8
+
+def default_request_opts
+  {
+      :uuid => "_28024690-000e-0130-b6d2-38f6b112be8b",
+      :issue_instant => Time.now.strftime('%Y-%m-%dT%H:%M:%SZ'),
+      :settings => settings
+  }
+end
+
+def valid_request(opts = {})
+  opts = default_request_opts.merge!(opts)
+
+  "<samlp:LogoutRequest
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\"
+        IssueInstant=\"#{opts[:issue_instant]}\"
+        Destination=\"#{opts[:settings].assertion_consumer_logout_service_url}\">
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{opts[:settings].issuer}</saml:Issuer>
+      </samlp:LogoutRequest>"
+  "<samlp:LogoutRequest ID=\"f8a62847-92f2-4f0c-936a-df9efe0cc42f\"
+                 Version=\"2.0\"
+                 IssueInstant=\"2013-08-29T20:53:50Z\"
+                 Destination=\"https://server/adfs/ls/\"
+                 Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\"
+                 xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+                 >
+      <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">https://sp.com/</saml:Issuer>
+      <Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\">
+          <SignedInfo>
+              <CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />
+              <SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\" />
+              <Reference URI=\"#f8a62847-92f2-4f0c-936a-df9efe0cc42f\">
+                  <Transforms>
+                      <Transform Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" />
+                      <Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" />
+                  </Transforms>
+                  <DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\" />
+                  <DigestValue>W7F1E2U1OAHRXn/ItbnsYZyXw/8=</DigestValue>
+              </Reference>
+          </SignedInfo>
+          <SignatureValue></SignatureValue>
+          <KeyInfo>
+              <X509Data>
+                  <X509Certificate></X509Certificate>
+              </X509Data>
+          </KeyInfo>
+      </Signature>
+      <saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"
+                   Format=\"http://schemas.xmlsoap.org/claims/UPN\"
+                   >user</saml:NameID>
+      <samlp:SessionIndex>_2537f94b-a150-415e-9a45-3c6fa2b6dd60</samlp:SessionIndex>
+  </samlp:LogoutRequest>"
+end
+
+def invalid_xml_request
+  "<samlp:SomethingAwful
+        xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"
+        ID=\"#{random_id}\" Version=\"2.0\">
+      </samlp:SomethingAwful>"
+end
+
+def settings
+  @settings ||= Onelogin::Saml::Settings.new(
+      {
+          :assertion_consumer_service_url => "http://app.muda.no/sso/consume",
+          :assertion_consumer_logout_service_url => "http://app.muda.no/sso/consume_logout",
+          :issuer => "http://app.muda.no",
+          :sp_name_qualifier => "http://sso.muda.no",
+          :idp_sso_target_url => "http://sso.muda.no/sso",
+          :idp_slo_target_url => "http://sso.muda.no/slo",
+          :idp_cert_fingerprint => "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00",
+          :name_identifier_format => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+      }
+  )
+end
+
+# logoutresponse fixtures
+def random_id
+  "_#{UUID.new.generate}"
+end
+

data/test/slologoutrequest_test.rb

@@ -0,0 +1,42 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'rexml/document'
+require 'requests/logoutrequest_fixtures'
+class RubySamlTest < Test::Unit::TestCase
+
+  context "SloLogoutrequest" do
+    context "#new" do
+      should "raise an exception when request is initialized with nil" do
+        assert_raises(ArgumentError) { Onelogin::Saml::SloLogoutrequest.new(nil) }
+      end
+      should "accept constructor-injected options" do
+        logoutrequest= Onelogin::Saml::SloLogoutrequest.new(valid_request, { :foo => :bar} )
+        assert !logoutrequest.options.empty?
+      end
+      should "support base64 encoded responses" do
+        expected_request = valid_request
+        logoutrequest= Onelogin::Saml::SloLogoutrequest.new(Base64.encode64(expected_request))
+
+        assert_equal expected_request, logoutrequest.request
+      end
+    end
+
+    context "#validate!" do
+      should "validates good requests" do
+        logoutrequest = Onelogin::Saml::SloLogoutrequest.new(valid_request)
+        logoutrequest.validate!
+      end
+
+      should "raise error for invalid xml" do
+        logoutrequest = Onelogin::Saml::SloLogoutrequest.new(invalid_xml_request)
+        assert_raises(Onelogin::Saml::ValidationError) { logoutrequest.validate! }
+      end
+    end
+
+  end
+
+  # logoutresponse fixtures
+  def random_id
+    "_#{UUID.new.generate}"
+  end
+
+end

data/test/slologoutresponse_test.rb

@@ -0,0 +1,44 @@
+require File.expand_path(File.join(File.dirname(__FILE__), "test_helper"))
+require 'requests/logoutrequest_fixtures'
+
+class SloResponseTest < Test::Unit::TestCase
+
+  context "SloLogoutresponse" do
+    settings = Onelogin::Saml::Settings.new
+    settings.idp_slo_target_url = "http://unauth.com/logout"
+    settings.name_identifier_value = "f00f00"
+    logoutrequest = Onelogin::Saml::SloLogoutrequest.new(valid_request)
+
+    should "create the deflated SAMLRequest URL parameter" do
+
+      unauth_url = Onelogin::Saml::SloLogoutresponse.new.create(settings, logoutrequest)
+      assert unauth_url =~ /^http:\/\/unauth\.com\/logout\?SAMLResponse=/
+
+      inflated = decode_saml_response_payload(unauth_url)
+
+      assert_match /^<samlp:LogoutResponse/, inflated
+    end
+
+    should "set InResponseTo" do
+
+      unauth_url = Onelogin::Saml::SloLogoutresponse.new.create(settings, logoutrequest)
+      inflated = decode_saml_response_payload(unauth_url)
+
+      assert_match %r(InResponseTo='#{logoutrequest.id}'), inflated
+
+    end
+
+  end
+
+  def decode_saml_response_payload(unauth_url)
+    payload = CGI.unescape(unauth_url.split("SAMLResponse=").last)
+    decoded = Base64.decode64(payload)
+
+    zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+    inflated = zstream.inflate(decoded)
+    zstream.finish
+    zstream.close
+    inflated
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-samlnechotech
 version: !ruby/object:Gem::Version
-  version: 0.7.34
+  version: 0.7.35
 platform: ruby
 authors:
 - OneLogin LLC, beekermememe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-24 00:00:00.000000000 Z
+date: 2014-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: canonix
@@ -42,14 +42,14 @@ dependencies:
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
 description: SAML toolkit for Ruby on Rails forked and modified by beekermememe
@@ -73,7 +73,10 @@ files:
 - lib/onelogin/ruby-samlnechotech/logoutresponse.rb
 - lib/onelogin/ruby-samlnechotech/metadata.rb
 - lib/onelogin/ruby-samlnechotech/response.rb
+- lib/onelogin/ruby-samlnechotech/saml_message.rb
 - lib/onelogin/ruby-samlnechotech/settings.rb
+- lib/onelogin/ruby-samlnechotech/slo_logoutrequest.rb
+- lib/onelogin/ruby-samlnechotech/slo_logoutresponse.rb
 - lib/onelogin/ruby-samlnechotech/validation_error.rb
 - lib/onelogin/ruby-samlnechotech/version.rb
 - lib/ruby-samlnechotech.rb
@@ -88,6 +91,7 @@ files:
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
 - test/request_test.rb
+- test/requests/logoutrequest_fixtures.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
@@ -108,6 +112,8 @@ files:
 - test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
+- test/slologoutrequest_test.rb
+- test/slologoutresponse_test.rb
 - test/test_helper.rb
 - test/xml_security_test.rb
 homepage: https://github.com/beekermememe/ruby-saml
@@ -120,17 +126,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: http://www.rubygems.org/gems/ruby-samlnechotech
-rubygems_version: 2.0.3
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: SAML Ruby Tookit
@@ -140,6 +146,7 @@ test_files:
 - test/logoutrequest_test.rb
 - test/logoutresponse_test.rb
 - test/request_test.rb
+- test/requests/logoutrequest_fixtures.rb
 - test/response_test.rb
 - test/responses/adfs_response_sha1.xml
 - test/responses/adfs_response_sha256.xml
@@ -160,5 +167,7 @@ test_files:
 - test/responses/starfield_response.xml.base64
 - test/responses/wrapped_response_2.xml.base64
 - test/settings_test.rb
+- test/slologoutrequest_test.rb
+- test/slologoutresponse_test.rb
 - test/test_helper.rb
 - test/xml_security_test.rb