saml-kit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0515744b0635a50a555fd60c1f85bce1852d0ce2
+  data.tar.gz: 8326c0666b2734045c89b8d7454677037b3af01f
+SHA512:
+  metadata.gz: 6e1648fdcab73f9b17a64632d884ab12ceb7ef92e1df7d6dc0e71371fbc74fd693ae6280373efe83ba80916cfe04dc0fb4357bd4b591c62885aa5c29c1cd06a4
+  data.tar.gz: c07432a96634cf785e6a36bef6e690d098863ebc24c311872c021ffc72fa070ff55b69d3b143527e41fdf26bae3696a286d7dff90ef101f48dff6c89db3ac149

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.2
+before_install: gem install bundler -v 1.15.4

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in saml-kit.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 mo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,39 @@
+# Saml::Kit
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/saml/kit`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'saml-kit'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install saml-kit
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/saml-kit.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "saml/kit"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/saml-kit-decode-http-redirect

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+require 'saml/kit'
+
+saml = STDIN.read
+binding = Saml::Kit::HttpRedirectBinding.new(location: '')
+xml = binding.deserialize('SAMLRequest' => saml).to_xml
+puts Nokogiri::XML(xml).to_xml(indent: 2)

data/lib/saml/kit.rb

@@ -0,0 +1,60 @@
+require "saml/kit/version"
+
+require "active_model"
+require "active_support/core_ext/date/calculations"
+require "active_support/core_ext/hash/conversions"
+require "active_support/core_ext/numeric/time"
+require "active_support/duration"
+require "builder"
+require "logger"
+require "net/http"
+require "nokogiri"
+require "securerandom"
+require "xmldsig"
+
+require "saml/kit/namespaces"
+require "saml/kit/serializable"
+require "saml/kit/xsd_validatable"
+require "saml/kit/respondable"
+require "saml/kit/requestable"
+require "saml/kit/trustable"
+require "saml/kit/document"
+
+require "saml/kit/authentication_request"
+require "saml/kit/binding"
+require "saml/kit/configuration"
+require "saml/kit/default_registry"
+require "saml/kit/fingerprint"
+require "saml/kit/logout_response"
+require "saml/kit/logout_request"
+require "saml/kit/http_post_binding"
+require "saml/kit/http_redirect_binding"
+require "saml/kit/metadata"
+require "saml/kit/response"
+require "saml/kit/identity_provider_metadata"
+require "saml/kit/invalid_document"
+require "saml/kit/self_signed_certificate"
+require "saml/kit/service_provider_metadata"
+require "saml/kit/signature"
+require "saml/kit/url_builder"
+require "saml/kit/xml"
+
+I18n.load_path += Dir[File.expand_path("kit/locales/*.yml", File.dirname(__FILE__))]
+
+module Saml
+  module Kit
+    class << self
+      def configuration
+        @config ||= Saml::Kit::Configuration.new
+      end
+
+      def configure
+        yield configuration
+      end
+
+      def logger
+        configuration.logger
+      end
+    end
+  end
+end

data/lib/saml/kit/authentication_request.rb

@@ -0,0 +1,78 @@
+module Saml
+  module Kit
+    class AuthenticationRequest < Document
+      include Requestable
+      validates_presence_of :acs_url, if: :expected_type?
+
+      def initialize(xml)
+        super(xml, name: "AuthnRequest")
+      end
+
+      def acs_url
+        #if signed? && trusted?
+          to_h[name]['AssertionConsumerServiceURL'] || registered_acs_url(binding: :post)
+        #else
+          #registered_acs_url
+        #end
+      end
+
+      def name_id_format
+        to_h[name]['NameIDPolicy']['Format']
+      end
+
+      def response_for(user)
+        Response::Builder.new(user, self)
+      end
+
+      private
+
+      def registered_acs_url(binding:)
+        return if provider.nil?
+        provider.assertion_consumer_service_for(binding: binding).try(:location)
+      end
+
+      class Builder
+        attr_accessor :id, :now, :issuer, :acs_url, :name_id_format, :sign, :destination
+        attr_accessor :version
+
+        def initialize(configuration: Saml::Kit.configuration, sign: true)
+          @id = SecureRandom.uuid
+          @issuer = configuration.issuer
+          @name_id_format = Namespaces::PERSISTENT
+          @now = Time.now.utc
+          @version = "2.0"
+          @sign = sign
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.tag!('samlp:AuthnRequest', request_options) do
+              xml.tag!('saml:Issuer', issuer)
+              signature.template(xml)
+              xml.tag!('samlp:NameIDPolicy', Format: name_id_format)
+            end
+          end
+        end
+
+        def build
+          AuthenticationRequest.new(to_xml)
+        end
+
+        private
+
+        def request_options
+          options = {
+            "xmlns:samlp" => Namespaces::PROTOCOL,
+            "xmlns:saml" => Namespaces::ASSERTION,
+            ID: "_#{id}",
+            Version: version,
+            IssueInstant: now.utc.iso8601,
+            Destination: destination,
+          }
+          options[:AssertionConsumerServiceURL] = acs_url if acs_url.present?
+          options
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/binding.rb

@@ -0,0 +1,40 @@
+module Saml
+  module Kit
+    class Binding
+      attr_reader :binding, :location
+
+      def initialize(binding:, location:)
+        @binding = binding
+        @location = location
+      end
+
+      def binding?(other)
+        binding == other
+      end
+
+      def serialize(builder, relay_state: nil)
+        []
+      end
+
+      def deserialize(params)
+        raise ArgumentError.new("Unsupported binding")
+      end
+
+      def to_h
+        { binding: binding, location: location }
+      end
+
+      protected
+
+      def saml_param_from(params)
+        if params['SAMLRequest'].present?
+          params['SAMLRequest']
+        elsif params['SAMLResponse'].present?
+          params['SAMLResponse']
+        else
+          raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/configuration.rb

@@ -0,0 +1,36 @@
+module Saml
+  module Kit
+    class Configuration
+      BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
+      END_CERT=/-----END CERTIFICATE-----/
+
+      attr_accessor :issuer
+      attr_accessor :signature_method, :digest_method
+      attr_accessor :signing_certificate_pem, :signing_private_key_pem, :signing_private_key_password
+      attr_accessor :registry, :session_timeout
+      attr_accessor :logger
+
+      def initialize
+        @signature_method = :SHA256
+        @digest_method = :SHA256
+        @signing_private_key_password = SecureRandom.uuid
+        @signing_certificate_pem, @signing_private_key_pem = SelfSignedCertificate.new(@signing_private_key_password).create
+        @registry = DefaultRegistry.new
+        @session_timeout = 3.hours
+        @logger = Logger.new(STDOUT)
+      end
+
+      def stripped_signing_certificate
+        signing_certificate_pem.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
+      end
+
+      def signing_x509
+        OpenSSL::X509::Certificate.new(signing_certificate_pem)
+      end
+
+      def signing_private_key
+        OpenSSL::PKey::RSA.new(signing_private_key_pem, signing_private_key_password)
+      end
+    end
+  end
+end

data/lib/saml/kit/default_registry.rb

@@ -0,0 +1,49 @@
+module Saml
+  module Kit
+    class DefaultRegistry
+      def initialize(items = {})
+        @items = items
+      end
+
+      def register(metadata)
+        @items[metadata.entity_id] = metadata
+      end
+
+      def register_url(url, verify_ssl: true)
+        content = HttpApi.new(url, verify_ssl: verify_ssl).get
+        register(Saml::Kit::Metadata.from(content))
+      end
+
+      def metadata_for(entity_id)
+        @items[entity_id]
+      end
+
+      class HttpApi
+        attr_reader :uri, :verify_ssl
+
+        def initialize(url, verify_ssl: true)
+          @uri = URI.parse(url)
+          @verify_ssl = verify_ssl
+        end
+
+        def get
+          execute(Net::HTTP::Get.new(uri.request_uri)).body
+        end
+
+        def execute(request)
+          http.request(request)
+        end
+
+        private
+
+        def http
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.read_timeout = 30
+          http.use_ssl = uri.is_a?(URI::HTTPS)
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE unless verify_ssl
+          http
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/document.rb

@@ -0,0 +1,96 @@
+module Saml
+  module Kit
+    class Document
+      PROTOCOL_XSD = File.expand_path("./xsd/saml-schema-protocol-2.0.xsd", File.dirname(__FILE__)).freeze
+      include XsdValidatable
+      include ActiveModel::Validations
+      include Trustable
+      validates_presence_of :content
+      validates_presence_of :id
+      validate :must_match_xsd
+      validate :must_be_expected_type
+      validate :must_be_valid_version
+
+      attr_reader :content, :name
+
+      def initialize(xml, name:)
+        @content = xml
+        @name = name
+        @xml_hash = Hash.from_xml(xml) || {}
+      end
+
+      def id
+        to_h.fetch(name, {}).fetch('ID', nil)
+      end
+
+      def issuer
+        to_h.fetch(name, {}).fetch('Issuer', nil)
+      end
+
+      def version
+        to_h.fetch(name, {}).fetch('Version', {})
+      end
+
+      def destination
+        to_h.fetch(name, {}).fetch('Destination', nil)
+      end
+
+      def issue_instant
+        to_h[name]['IssueInstant']
+      end
+
+      def expected_type?
+        return false if to_xml.blank?
+        to_h[name].present?
+      end
+
+      def to_h
+        @xml_hash
+      end
+
+      def to_xml
+        content
+      end
+
+      def to_s
+        to_xml
+      end
+
+      class << self
+        def to_saml_document(xml)
+          hash = Hash.from_xml(xml)
+          if hash['Response'].present?
+            Response.new(xml)
+          elsif hash['LogoutResponse'].present?
+            LogoutResponse.new(xml)
+          elsif hash['AuthnRequest'].present?
+            AuthenticationRequest.new(xml)
+          elsif hash['LogoutRequest'].present?
+            LogoutRequest.new(xml)
+          end
+        rescue => error
+          Saml::Kit.logger.error(error)
+          InvalidDocument.new(xml)
+        end
+      end
+
+      private
+
+      def must_match_xsd
+        matches_xsd?(PROTOCOL_XSD)
+      end
+
+      def must_be_expected_type
+        return if to_h.nil?
+
+        errors[:base] << error_message(:invalid) unless expected_type?
+      end
+
+      def must_be_valid_version
+        return unless expected_type?
+        return if "2.0" == version
+        errors[:version] << error_message(:invalid_version)
+      end
+    end
+  end
+end