saml-kit 0.1.0

data/lib/saml/kit/namespaces.rb

@@ -0,0 +1,47 @@
+module Saml
+  module Kit
+    module Namespaces
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      ATTR_SPLAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:*"
+      BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+      BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+      EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
+      HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'
+      HTTP_POST = POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
+      PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+      PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+      REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
+      RESPONDER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Responder"
+      RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
+      RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+      RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+      RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
+      SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
+      SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
+      SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+      SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
+      SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+      TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+      UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+      URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+      VERSION_MISMATCH_ERROR = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
+      XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+      def self.binding_for(binding)
+        if :post == binding
+          Namespaces::HTTP_POST
+        elsif :http_redirect == binding
+          Namespaces::HTTP_REDIRECT
+        else
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/requestable.rb

@@ -0,0 +1,14 @@
+module Saml
+  module Kit
+    module Requestable
+      extend ActiveSupport::Concern
+
+      included do
+      end
+
+      def query_string_parameter
+        'SAMLRequest'
+      end
+    end
+  end
+end

data/lib/saml/kit/respondable.rb

@@ -0,0 +1,35 @@
+module Saml
+  module Kit
+    module Respondable
+      extend ActiveSupport::Concern
+      attr_reader :request_id
+
+      included do
+        validates_inclusion_of :status_code, in: [Namespaces::SUCCESS]
+        validate :must_match_request_id
+      end
+
+      def query_string_parameter
+        'SAMLResponse'
+      end
+
+      def status_code
+        to_h.fetch(name, {}).fetch('Status', {}).fetch('StatusCode', {}).fetch('Value', nil)
+      end
+
+      def in_response_to
+        to_h.fetch(name, {}).fetch('InResponseTo', nil)
+      end
+
+      private
+
+      def must_match_request_id
+        return if request_id.nil?
+
+        if in_response_to != request_id
+          errors[:in_response_to] << error_message(:invalid_response_to)
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/response.rb

@@ -0,0 +1,197 @@
+module Saml
+  module Kit
+    class Response < Document
+      include Respondable
+
+      validate :must_be_active_session
+      validate :must_match_issuer
+
+      def initialize(xml, request_id: nil)
+        @request_id = request_id
+        super(xml, name: "Response")
+      end
+
+      def name_id
+        to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Subject', {}).fetch('NameID', nil)
+      end
+
+      def [](key)
+        attributes[key]
+      end
+
+      def attributes
+        @attributes ||= Hash[to_h.fetch(name, {}).fetch('Assertion', {}).fetch('AttributeStatement', {}).fetch('Attribute', []).map do |item|
+          [item['Name'].to_sym, item['AttributeValue']]
+        end].with_indifferent_access
+      end
+
+
+      def started_at
+        parse_date(to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Conditions', {}).fetch('NotBefore', nil))
+      end
+
+      def expired_at
+        parse_date(to_h.fetch(name, {}).fetch('Assertion', {}).fetch('Conditions', {}).fetch('NotOnOrAfter', nil))
+      end
+
+      def expired?
+        Time.current > expired_at
+      end
+
+      def active?
+        Time.current > started_at && !expired?
+      end
+
+      private
+
+      def must_be_active_session
+        return unless expected_type?
+        errors[:base] << error_message(:expired) unless active?
+      end
+
+      def must_match_issuer
+        return unless expected_type?
+
+        unless audiences.include?(Saml::Kit.configuration.issuer)
+          errors[:audience] << error_message(:must_match_issuer)
+        end
+      end
+
+      def audiences
+        Array(to_h[name]['Assertion']['Conditions']['AudienceRestriction']['Audience'])
+      rescue => error
+        Saml::Kit.logger.error(error)
+        []
+      end
+
+      def parse_date(value)
+        DateTime.parse(value)
+      rescue => error
+        Saml::Kit.logger.error(error)
+        Time.at(0).to_datetime
+      end
+
+      class Builder
+        attr_reader :user, :request
+        attr_accessor :id, :reference_id, :now
+        attr_accessor :version, :status_code
+        attr_accessor :issuer, :sign, :destination
+
+        def initialize(user, request)
+          @user = user
+          @request = request
+          @id = SecureRandom.uuid
+          @reference_id = SecureRandom.uuid
+          @now = Time.now.utc
+          @version = "2.0"
+          @status_code = Namespaces::SUCCESS
+          @issuer = configuration.issuer
+          @destination = request.acs_url
+          @sign = want_assertions_signed
+        end
+
+        def want_assertions_signed
+          request.provider.want_assertions_signed
+        rescue => error
+          Saml::Kit.logger.error(error)
+          true
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.Response response_options do
+              xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
+              signature.template(xml)
+              xml.Status do
+                xml.StatusCode Value: status_code
+              end
+              xml.Assertion(assertion_options) do
+                xml.Issuer issuer
+                xml.Subject do
+                  xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
+                  xml.SubjectConfirmation Method: Namespaces::BEARER do
+                    xml.SubjectConfirmationData "", subject_confirmation_data_options
+                  end
+                end
+                xml.Conditions conditions_options do
+                  xml.AudienceRestriction do
+                    xml.Audience request.issuer
+                  end
+                end
+                xml.AuthnStatement authn_statement_options do
+                  xml.AuthnContext do
+                    xml.AuthnContextClassRef Namespaces::PASSWORD
+                  end
+                end
+                assertion_attributes = user.assertion_attributes_for(request)
+                if assertion_attributes.any?
+                  xml.AttributeStatement do
+                    assertion_attributes.each do |key, value|
+                      xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
+                        xml.AttributeValue value.to_s
+                      end
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        def build
+          Response.new(to_xml, request_id: request.id)
+        end
+
+        private
+
+        def configuration
+          Saml::Kit.configuration
+        end
+
+        def response_options
+          {
+            ID: id.present? ? "_#{id}" : nil,
+            Version: version,
+            IssueInstant: now.iso8601,
+            Destination: destination,
+            Consent: Namespaces::UNSPECIFIED,
+            InResponseTo: request.id,
+            xmlns: Namespaces::PROTOCOL,
+          }
+        end
+
+        def assertion_options
+          {
+            ID: "_#{reference_id}",
+            IssueInstant: now.iso8601,
+            Version: "2.0",
+            xmlns: Namespaces::ASSERTION,
+          }
+        end
+
+        def subject_confirmation_data_options
+          {
+            InResponseTo: request.id,
+            NotOnOrAfter: 3.hours.since(now).utc.iso8601,
+            Recipient: request.acs_url,
+          }
+        end
+
+        def conditions_options
+          {
+            NotBefore: now.utc.iso8601,
+            NotOnOrAfter: Saml::Kit.configuration.session_timeout.from_now.utc.iso8601,
+          }
+        end
+
+        def authn_statement_options
+          {
+            AuthnInstant: now.iso8601,
+            SessionIndex: assertion_options[:ID],
+            SessionNotOnOrAfter: 3.hours.since(now).utc.iso8601,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/self_signed_certificate.rb

@@ -0,0 +1,30 @@
+module Saml
+  module Kit
+    class SelfSignedCertificate
+      def initialize(password)
+        @password = password
+      end
+
+      def create
+        rsa_key = OpenSSL::PKey::RSA.new(2048)
+        public_key = rsa_key.public_key
+        certificate = OpenSSL::X509::Certificate.new
+        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse("/C=CA/ST=Alberta/L=Calgary/O=Xsig/OU=Xsig/CN=Xsig")
+        certificate.not_before = DateTime.now.beginning_of_day
+        certificate.not_after = 1.year.from_now.end_of_day
+        certificate.public_key = public_key
+        certificate.serial = 0x0
+        certificate.version = 2
+        factory = OpenSSL::X509::ExtensionFactory.new
+        factory.subject_certificate = factory.issuer_certificate = certificate
+        certificate.extensions = [ factory.create_extension("basicConstraints","CA:TRUE", true), factory.create_extension("subjectKeyIdentifier", "hash"), ]
+        certificate.add_extension(factory.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always"))
+        certificate.sign(rsa_key, OpenSSL::Digest::SHA256.new)
+        [
+          certificate.to_pem,
+          rsa_key.to_pem(OpenSSL::Cipher::Cipher.new('des3'), @password)
+        ]
+      end
+    end
+  end
+end

data/lib/saml/kit/serializable.rb

@@ -0,0 +1,31 @@
+module Saml
+  module Kit
+    module Serializable
+      def decode(value)
+        Base64.decode64(value)
+      end
+
+      def encode(value)
+        Base64.strict_encode64(value)
+      end
+
+      def inflate(value)
+        inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        inflater.inflate(value)
+      end
+
+      # drop header and checksum as per spec.
+      def deflate(value, level: Zlib::BEST_COMPRESSION)
+        Zlib::Deflate.deflate(value, level)[2..-5]
+      end
+
+      def unescape(value)
+        CGI.unescape(value)
+      end
+
+      def escape(value)
+        CGI.escape(value)
+      end
+    end
+  end
+end

data/lib/saml/kit/service_provider_metadata.rb

@@ -0,0 +1,99 @@
+module Saml
+  module Kit
+    class ServiceProviderMetadata < Metadata
+      def initialize(xml)
+        super("SPSSODescriptor", xml)
+      end
+
+      def assertion_consumer_services
+        services('AssertionConsumerService')
+      end
+
+      def assertion_consumer_service_for(binding:)
+        service_for(binding: binding, type: 'AssertionConsumerService')
+      end
+
+      def want_assertions_signed
+        attribute = find_by("/md:EntityDescriptor/md:#{name}").attribute("WantAssertionsSigned")
+        attribute.text.downcase == "true"
+      end
+
+      private
+
+      class Builder
+        attr_accessor :id, :entity_id, :acs_urls, :logout_urls, :name_id_formats, :sign
+        attr_accessor :want_assertions_signed
+
+        def initialize(configuration = Saml::Kit.configuration)
+          @id = SecureRandom.uuid
+          @configuration = configuration
+          @entity_id = configuration.issuer
+          @acs_urls = []
+          @logout_urls = []
+          @name_id_formats = [Namespaces::PERSISTENT]
+          @sign = true
+          @want_assertions_signed = true
+        end
+
+        def add_assertion_consumer_service(url, binding: :post)
+          @acs_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        end
+
+        def add_single_logout_service(url, binding: :post)
+          @logout_urls.push(location: url, binding: Namespaces.binding_for(binding))
+        end
+
+        def to_xml
+          Signature.sign(id, sign: sign) do |xml, signature|
+            xml.instruct!
+            xml.EntityDescriptor entity_descriptor_options do
+              signature.template(xml)
+              xml.SPSSODescriptor descriptor_options do
+                if @configuration.signing_certificate_pem.present?
+                  xml.KeyDescriptor use: "signing" do
+                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                      xml.X509Data do
+                        xml.X509Certificate @configuration.stripped_signing_certificate
+                      end
+                    end
+                  end
+                end
+                logout_urls.each do |item|
+                  xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
+                end
+                name_id_formats.each do |format|
+                  xml.NameIDFormat format
+                end
+                acs_urls.each_with_index do |item, index|
+                  xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
+                end
+              end
+            end
+          end
+        end
+
+        def build
+          ServiceProviderMetadata.new(to_xml)
+        end
+
+        private
+
+        def entity_descriptor_options
+          {
+            'xmlns': Namespaces::METADATA,
+            ID: "_#{id}",
+            entityID: entity_id,
+          }
+        end
+
+        def descriptor_options
+          {
+            AuthnRequestsSigned: sign,
+            WantAssertionsSigned: want_assertions_signed,
+            protocolSupportEnumeration: Namespaces::PROTOCOL,
+          }
+        end
+      end
+    end
+  end
+end