saml-kit 0.2.1 → 0.2.2

data/lib/saml/kit/builders/response.rb

@@ -0,0 +1,182 @@
+module Saml
+  module Kit
+    module Builders
+      class Response
+        attr_reader :user, :request
+        attr_accessor :id, :reference_id, :now
+        attr_accessor :version, :status_code
+        attr_accessor :issuer, :sign, :destination, :encrypt
+
+        def initialize(user, request)
+          @user = user
+          @request = request
+          @id = Id.generate
+          @reference_id = Id.generate
+          @now = Time.now.utc
+          @version = "2.0"
+          @status_code = Namespaces::SUCCESS
+          @issuer = configuration.issuer
+          @destination = destination_for(request)
+          @sign = want_assertions_signed
+          @encrypt = false
+        end
+
+        def want_assertions_signed
+          request.provider.want_assertions_signed
+        rescue => error
+          Saml::Kit.logger.error(error)
+          true
+        end
+
+        def to_xml
+          Signature.sign(sign: sign) do |xml, signature|
+            xml.Response response_options do
+              xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
+              signature.template(id)
+              xml.Status do
+                xml.StatusCode Value: status_code
+              end
+              assertion(xml, signature)
+            end
+          end
+        end
+
+        def build
+          Saml::Kit::Response.new(to_xml, request_id: request.id)
+        end
+
+        private
+
+        def assertion(xml, signature)
+          with_encryption(xml) do |xml|
+            xml.Assertion(assertion_options) do
+              xml.Issuer issuer
+              signature.template(reference_id) unless encrypt
+              xml.Subject do
+                xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
+                xml.SubjectConfirmation Method: Namespaces::BEARER do
+                  xml.SubjectConfirmationData "", subject_confirmation_data_options
+                end
+              end
+              xml.Conditions conditions_options do
+                xml.AudienceRestriction do
+                  xml.Audience request.issuer
+                end
+              end
+              xml.AuthnStatement authn_statement_options do
+                xml.AuthnContext do
+                  xml.AuthnContextClassRef Namespaces::PASSWORD
+                end
+              end
+              assertion_attributes = user.assertion_attributes_for(request)
+              if assertion_attributes.any?
+                xml.AttributeStatement do
+                  assertion_attributes.each do |key, value|
+                    xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
+                      xml.AttributeValue value.to_s
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        def with_encryption(xml)
+          if encrypt
+            temp = ::Builder::XmlMarkup.new
+            yield temp
+            raw_xml_to_encrypt = temp.target!
+
+            encryption_certificate = request.provider.encryption_certificates.first
+            public_key = encryption_certificate.public_key
+
+            cipher = OpenSSL::Cipher.new('AES-256-CBC')
+            cipher.encrypt
+            key = cipher.random_key
+            iv = cipher.random_iv
+            encrypted = cipher.update(raw_xml_to_encrypt) + cipher.final
+
+            Saml::Kit.logger.debug ['+iv', iv].inspect
+            Saml::Kit.logger.debug ['+key', key].inspect
+
+            xml.EncryptedAssertion xmlns: Namespaces::ASSERTION do
+              xml.EncryptedData xmlns: Namespaces::XMLENC do
+                xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
+                xml.KeyInfo xmlns: Namespaces::XMLDSIG do
+                  xml.EncryptedKey xmlns: Namespaces::XMLENC do
+                    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
+                    xml.CipherData do
+                      xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
+                    end
+                  end
+                end
+                xml.CipherData do
+                  xml.CipherValue Base64.encode64(iv + encrypted)
+                end
+              end
+            end
+          else
+            yield xml
+          end
+        end
+
+        def destination_for(request)
+          if request.signed? && request.trusted?
+            request.assertion_consumer_service_url || request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
+          else
+            request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
+          end
+        end
+
+        def configuration
+          Saml::Kit.configuration
+        end
+
+        def response_options
+          {
+            ID: id,
+            Version: version,
+            IssueInstant: now.iso8601,
+            Destination: destination,
+            Consent: Namespaces::UNSPECIFIED,
+            InResponseTo: request.id,
+            xmlns: Namespaces::PROTOCOL,
+          }
+        end
+
+        def assertion_options
+          {
+            ID: reference_id,
+            IssueInstant: now.iso8601,
+            Version: "2.0",
+            xmlns: Namespaces::ASSERTION,
+          }
+        end
+
+        def subject_confirmation_data_options
+          {
+            InResponseTo: request.id,
+            NotOnOrAfter: 3.hours.since(now).utc.iso8601,
+            Recipient: request.assertion_consumer_service_url,
+          }
+        end
+
+        def conditions_options
+          {
+            NotBefore: now.utc.iso8601,
+            NotOnOrAfter: Saml::Kit.configuration.session_timeout.from_now.utc.iso8601,
+          }
+        end
+
+        def authn_statement_options
+          {
+            AuthnInstant: now.iso8601,
+            SessionIndex: assertion_options[:ID],
+            SessionNotOnOrAfter: 3.hours.since(now).utc.iso8601,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/builders/service_provider_metadata.rb

@@ -0,0 +1,89 @@
+module Saml
+  module Kit
+    module Builders
+      class ServiceProviderMetadata
+        attr_accessor :id, :entity_id, :acs_urls, :logout_urls, :name_id_formats, :sign
+        attr_accessor :want_assertions_signed
+
+        def initialize(configuration = Saml::Kit.configuration)
+          @id = Id.generate
+          @configuration = configuration
+          @entity_id = configuration.issuer
+          @acs_urls = []
+          @logout_urls = []
+          @name_id_formats = [Namespaces::PERSISTENT]
+          @sign = true
+          @want_assertions_signed = true
+        end
+
+        def add_assertion_consumer_service(url, binding: :http_post)
+          @acs_urls.push(location: url, binding: Bindings.binding_for(binding))
+        end
+
+        def add_single_logout_service(url, binding: :http_post)
+          @logout_urls.push(location: url, binding: Bindings.binding_for(binding))
+        end
+
+        def to_xml
+          Signature.sign(sign: sign) do |xml, signature|
+            xml.instruct!
+            xml.EntityDescriptor entity_descriptor_options do
+              signature.template(id)
+              xml.SPSSODescriptor descriptor_options do
+                if @configuration.signing_certificate_pem.present?
+                  xml.KeyDescriptor use: "signing" do
+                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                      xml.X509Data do
+                        xml.X509Certificate @configuration.stripped_signing_certificate
+                      end
+                    end
+                  end
+                end
+                if @configuration.encryption_certificate_pem.present?
+                  xml.KeyDescriptor use: "encryption" do
+                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
+                      xml.X509Data do
+                        xml.X509Certificate @configuration.stripped_encryption_certificate
+                      end
+                    end
+                  end
+                end
+                logout_urls.each do |item|
+                  xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
+                end
+                name_id_formats.each do |format|
+                  xml.NameIDFormat format
+                end
+                acs_urls.each_with_index do |item, index|
+                  xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
+                end
+              end
+            end
+          end
+        end
+
+        def build
+          Saml::Kit::ServiceProviderMetadata.new(to_xml)
+        end
+
+        private
+
+        def entity_descriptor_options
+          {
+            'xmlns': Namespaces::METADATA,
+            ID: id,
+            entityID: entity_id,
+          }
+        end
+
+        def descriptor_options
+          {
+            AuthnRequestsSigned: sign,
+            WantAssertionsSigned: want_assertions_signed,
+            protocolSupportEnumeration: Namespaces::PROTOCOL,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/document.rb

@@ -5,6 +5,7 @@ module Saml
       include XsdValidatable
       include ActiveModel::Validations
       include Trustable
+      include Buildable
       validates_presence_of :content
       validates_presence_of :id
       validate :must_match_xsd
@@ -76,6 +77,21 @@ module Saml
           Saml::Kit.logger.error(error)
           InvalidDocument.new(xml)
         end
+
+        def builder_class
+          case name
+          when Saml::Kit::Response.to_s
+            Saml::Kit::Builders::Response
+          when Saml::Kit::LogoutResponse.to_s
+            Saml::Kit::Builders::LogoutResponse
+          when Saml::Kit::AuthenticationRequest.to_s
+            Saml::Kit::Builders::AuthenticationRequest
+          when Saml::Kit::LogoutRequest.to_s
+            Saml::Kit::Builders::LogoutRequest
+          else
+            raise ArgumentError.new("Unknown SAML Document #{name}")
+          end
+        end
       end
 
       private

data/lib/saml/kit/id.rb

@@ -0,0 +1,9 @@
+module Saml
+  module Kit
+    class Id
+      def self.generate
+        "_#{SecureRandom.uuid}"
+      end
+    end
+  end
+end

data/lib/saml/kit/identity_provider_metadata.rb

@@ -29,105 +29,20 @@ module Saml
         end
       end
 
-      private
-
-      class Builder
-        attr_accessor :id, :organization_name, :organization_url, :contact_email, :entity_id, :attributes, :name_id_formats
-        attr_accessor :want_authn_requests_signed, :sign
-        attr_reader :logout_urls, :single_sign_on_urls
-
-        def initialize(configuration = Saml::Kit.configuration)
-          @id = SecureRandom.uuid
-          @entity_id = configuration.issuer
-          @attributes = []
-          @name_id_formats = [Namespaces::PERSISTENT]
-          @single_sign_on_urls = []
-          @logout_urls = []
-          @configuration = configuration
-          @sign = true
-          @want_authn_requests_signed = true
-        end
-
-        def add_single_sign_on_service(url, binding: :http_post)
-          @single_sign_on_urls.push(location: url, binding: Bindings.binding_for(binding))
-        end
-
-        def add_single_logout_service(url, binding: :http_post)
-          @logout_urls.push(location: url, binding: Bindings.binding_for(binding))
-        end
-
-        def to_xml
-          Signature.sign(sign: sign) do |xml, signature|
-            xml.instruct!
-            xml.EntityDescriptor entity_descriptor_options do
-              signature.template(id)
-              xml.IDPSSODescriptor idp_sso_descriptor_options do
-                if @configuration.signing_certificate_pem.present?
-                  xml.KeyDescriptor use: "signing" do
-                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
-                      xml.X509Data do
-                        xml.X509Certificate @configuration.stripped_signing_certificate
-                      end
-                    end
-                  end
-                end
-                if @configuration.encryption_certificate_pem.present?
-                  xml.KeyDescriptor use: "encryption" do
-                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
-                      xml.X509Data do
-                        xml.X509Certificate @configuration.stripped_encryption_certificate
-                      end
-                    end
-                  end
-                end
-                logout_urls.each do |item|
-                  xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
-                end
-                name_id_formats.each do |format|
-                  xml.NameIDFormat format
-                end
-                single_sign_on_urls.each do |item|
-                  xml.SingleSignOnService Binding: item[:binding], Location: item[:location]
-                end
-                attributes.each do |attribute|
-                  xml.tag! 'saml:Attribute', Name: attribute
-                end
-              end
-              xml.Organization do
-                xml.OrganizationName organization_name, 'xml:lang': "en"
-                xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
-                xml.OrganizationURL organization_url, 'xml:lang': "en"
-              end
-              xml.ContactPerson contactType: "technical" do
-                xml.Company "mailto:#{contact_email}"
-              end
-            end
-          end
-        end
-
-        def build
-          IdentityProviderMetadata.new(to_xml)
-        end
-
-        private
-
-        def entity_descriptor_options
-          {
-            'xmlns': Namespaces::METADATA,
-            'xmlns:ds': Namespaces::XMLDSIG,
-            'xmlns:saml': Namespaces::ASSERTION,
-            ID: "_#{id}",
-            entityID: entity_id,
-          }
+      def login_request_for(binding:, relay_state: nil)
+        builder = Saml::Kit::AuthenticationRequest.builder do |x|
+          x.sign = want_authn_requests_signed
+          yield x if block_given?
         end
+        request_binding = single_sign_on_service_for(binding: binding)
+        request_binding.serialize(builder, relay_state: relay_state)
+      end
 
-        def idp_sso_descriptor_options
-          {
-            WantAuthnRequestsSigned: want_authn_requests_signed,
-            protocolSupportEnumeration: Namespaces::PROTOCOL,
-          }
-        end
+      def self.builder_class
+        Saml::Kit::Builders::IdentityProviderMetadata
       end
+
+      Builder = ActiveSupport::Deprecation::DeprecatedConstantProxy.new('Saml::Kit::IdentityProviderMetadata::Builder', 'Saml::Kit::Builders::IdentityProviderMetadata')
     end
   end
 end

data/lib/saml/kit/logout_request.rb

@@ -18,61 +18,15 @@ module Saml
         urls.first
       end
 
-      def response_for(user)
-        LogoutResponse::Builder.new(user, self)
-      end
-
-      private
-
-      class Builder
-        attr_accessor :id, :destination, :issuer, :name_id_format, :now
-        attr_accessor :sign, :version
-        attr_reader :user
-
-        def initialize(user, configuration: Saml::Kit.configuration, sign: true)
-          @user = user
-          @id = SecureRandom.uuid
-          @issuer = configuration.issuer
-          @name_id_format = Saml::Kit::Namespaces::PERSISTENT
-          @now = Time.now.utc
-          @version = "2.0"
-          @sign = sign
-        end
-
-        def to_xml
-          Signature.sign(sign: sign) do |xml, signature|
-            xml.instruct!
-            xml.LogoutRequest logout_request_options do
-              xml.Issuer({ xmlns: Namespaces::ASSERTION }, issuer)
-              signature.template(id)
-              xml.NameID name_id_options, user.name_id_for(name_id_format)
-            end
-          end
-        end
-
-        def build
-          Saml::Kit::LogoutRequest.new(to_xml)
-        end
-
-        private
-
-        def logout_request_options
-          {
-            ID: "_#{id}",
-            Version: version,
-            IssueInstant: now.utc.iso8601,
-            Destination: destination,
-            xmlns: Namespaces::PROTOCOL,
-          }
-        end
-
-        def name_id_options
-          {
-            Format: name_id_format,
-            xmlns: Namespaces::ASSERTION,
-          }
+      def response_for(user, binding:, relay_state: nil)
+        builder = Saml::Kit::LogoutResponse.builder(user, self) do |x|
+          yield x if block_given?
         end
+        response_binding = provider.single_logout_service_for(binding: binding)
+        response_binding.serialize(builder, relay_state: relay_state)
       end
+
+      Builder = ActiveSupport::Deprecation::DeprecatedConstantProxy.new('Saml::Kit::LogoutRequest::Builder', 'Saml::Kit::Builders::LogoutRequest')
     end
   end
 end