saml-kit 0.2.1 → 0.2.2

data/lib/saml/kit/logout_response.rb

@@ -8,56 +8,7 @@ module Saml
         super(xml, name: "LogoutResponse")
       end
 
-      private
-
-      class Builder
-        attr_accessor :id, :issuer, :version, :status_code, :sign, :now, :destination
-        attr_reader :request
-
-        def initialize(user, request, configuration: Saml::Kit.configuration, sign: true)
-          @user = user
-          @now = Time.now.utc
-          @request = request
-          @id = SecureRandom.uuid
-          @version = "2.0"
-          @status_code = Namespaces::SUCCESS
-          @sign = sign
-          @issuer = configuration.issuer
-          provider = configuration.registry.metadata_for(@issuer)
-          if provider
-            @destination = provider.single_logout_service_for(binding: :http_post).try(:location)
-          end
-        end
-
-        def to_xml
-          Signature.sign(sign: sign) do |xml, signature|
-            xml.LogoutResponse logout_response_options do
-              xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
-              signature.template(id)
-              xml.Status do
-                xml.StatusCode Value: status_code
-              end
-            end
-          end
-        end
-
-        def build
-          LogoutResponse.new(to_xml, request_id: request.id)
-        end
-
-        private
-
-        def logout_response_options
-          {
-            xmlns: Namespaces::PROTOCOL,
-            ID: "_#{id}",
-            Version: version,
-            IssueInstant: now.utc.iso8601,
-            Destination: destination,
-            InResponseTo: request.id,
-          }
-        end
-      end
+      Builder = ActiveSupport::Deprecation::DeprecatedConstantProxy.new('Saml::Kit::LogoutResponse::Builder', 'Saml::Kit::Builders::LogoutResponse')
     end
   end
 end

data/lib/saml/kit/metadata.rb

@@ -3,6 +3,7 @@ module Saml
     class Metadata
       include ActiveModel::Validations
       include XsdValidatable
+      include Buildable
       METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
 
       validates_presence_of :metadata
@@ -63,6 +64,14 @@ module Saml
         service_for(binding: binding, type: 'SingleLogoutService')
       end
 
+      def logout_request_for(user, binding: :http_post, relay_state: nil)
+        builder = Saml::Kit::LogoutRequest.builder(user) do |x|
+          yield x if block_given?
+        end
+        request_binding = single_logout_service_for(binding: binding)
+        request_binding.serialize(builder, relay_state: relay_state)
+      end
+
       def matches?(fingerprint, use: :signing)
         certificates.find do |certificate|
           certificate.for?(use) && certificate.fingerprint == fingerprint

data/lib/saml/kit/response.rb

@@ -20,11 +20,16 @@ module Saml
       end
 
       def attributes
-        @attributes ||= Hash[
-          assertion.fetch('AttributeStatement', {}).fetch('Attribute', []).map do |item|
-            [item['Name'].to_sym, item['AttributeValue']]
+        @attributes ||=
+          begin
+            attrs = assertion.fetch('AttributeStatement', {}).fetch('Attribute', [])
+            items = if attrs.is_a? Hash
+              [[attrs["Name"], attrs["AttributeValue"]]]
+            else
+              attrs.map { |item| [item['Name'], item['AttributeValue']] }
+            end
+            Hash[items].with_indifferent_access
           end
-        ].with_indifferent_access
       end
 
       def started_at
@@ -51,7 +56,7 @@ module Saml
         @assertion =
           begin
             if encrypted?
-              decrypted = Cryptography.new.decrypt(to_h.fetch(name, {}).fetch('EncryptedAssertion', {}))
+              decrypted = XmlDecryption.new.decrypt(to_h.fetch(name, {}).fetch('EncryptedAssertion', {}))
               Saml::Kit.logger.debug(decrypted)
               Hash.from_xml(decrypted)['Assertion']
             else
@@ -99,182 +104,7 @@ module Saml
         Time.at(0).to_datetime
       end
 
-      class Builder
-        attr_reader :user, :request
-        attr_accessor :id, :reference_id, :now
-        attr_accessor :version, :status_code
-        attr_accessor :issuer, :sign, :destination, :encrypt
-
-        def initialize(user, request)
-          @user = user
-          @request = request
-          @id = SecureRandom.uuid
-          @reference_id = SecureRandom.uuid
-          @now = Time.now.utc
-          @version = "2.0"
-          @status_code = Namespaces::SUCCESS
-          @issuer = configuration.issuer
-          @destination = destination_for(request)
-          @sign = want_assertions_signed
-          @encrypt = false
-        end
-
-        def want_assertions_signed
-          request.provider.want_assertions_signed
-        rescue => error
-          Saml::Kit.logger.error(error)
-          true
-        end
-
-        def to_xml
-          Signature.sign(sign: sign) do |xml, signature|
-            xml.Response response_options do
-              xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
-              signature.template(id)
-              xml.Status do
-                xml.StatusCode Value: status_code
-              end
-              assertion(xml, signature)
-            end
-          end
-        end
-
-        def build
-          Response.new(to_xml, request_id: request.id)
-        end
-
-        private
-
-        def assertion(xml, signature)
-          with_encryption(xml) do |xml|
-            xml.Assertion(assertion_options) do
-              xml.Issuer issuer
-              signature.template(reference_id) unless encrypt
-              xml.Subject do
-                xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
-                xml.SubjectConfirmation Method: Namespaces::BEARER do
-                  xml.SubjectConfirmationData "", subject_confirmation_data_options
-                end
-              end
-              xml.Conditions conditions_options do
-                xml.AudienceRestriction do
-                  xml.Audience request.issuer
-                end
-              end
-              xml.AuthnStatement authn_statement_options do
-                xml.AuthnContext do
-                  xml.AuthnContextClassRef Namespaces::PASSWORD
-                end
-              end
-              assertion_attributes = user.assertion_attributes_for(request)
-              if assertion_attributes.any?
-                xml.AttributeStatement do
-                  assertion_attributes.each do |key, value|
-                    xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
-                      xml.AttributeValue value.to_s
-                    end
-                  end
-                end
-              end
-            end
-          end
-        end
-
-        def with_encryption(xml)
-          if encrypt
-            temp = ::Builder::XmlMarkup.new
-            yield temp
-            raw_xml_to_encrypt = temp.target!
-
-            encryption_certificate = request.provider.encryption_certificates.first
-            public_key = encryption_certificate.public_key
-
-            cipher = OpenSSL::Cipher.new('AES-256-CBC')
-            cipher.encrypt
-            key = cipher.random_key
-            iv = cipher.random_iv
-            encrypted = cipher.update(raw_xml_to_encrypt) + cipher.final
-
-            Saml::Kit.logger.debug ['+iv', iv].inspect
-            Saml::Kit.logger.debug ['+key', key].inspect
-
-            xml.EncryptedAssertion xmlns: Namespaces::ASSERTION do
-              xml.EncryptedData xmlns: Namespaces::XMLENC do
-                xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
-                xml.KeyInfo xmlns: Namespaces::XMLDSIG do
-                  xml.EncryptedKey xmlns: Namespaces::XMLENC do
-                    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
-                    xml.CipherData do
-                      xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
-                    end
-                  end
-                end
-                xml.CipherData do
-                  xml.CipherValue Base64.encode64(iv + encrypted)
-                end
-              end
-            end
-          else
-            yield xml
-          end
-        end
-
-        def destination_for(request)
-          if request.signed? && request.trusted?
-            request.acs_url || request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
-          else
-            request.provider.assertion_consumer_service_for(binding: :http_post).try(:location)
-          end
-        end
-
-        def configuration
-          Saml::Kit.configuration
-        end
-
-        def response_options
-          {
-            ID: id.present? ? "_#{id}" : nil,
-            Version: version,
-            IssueInstant: now.iso8601,
-            Destination: destination,
-            Consent: Namespaces::UNSPECIFIED,
-            InResponseTo: request.id,
-            xmlns: Namespaces::PROTOCOL,
-          }
-        end
-
-        def assertion_options
-          {
-            ID: "_#{reference_id}",
-            IssueInstant: now.iso8601,
-            Version: "2.0",
-            xmlns: Namespaces::ASSERTION,
-          }
-        end
-
-        def subject_confirmation_data_options
-          {
-            InResponseTo: request.id,
-            NotOnOrAfter: 3.hours.since(now).utc.iso8601,
-            Recipient: request.acs_url,
-          }
-        end
-
-        def conditions_options
-          {
-            NotBefore: now.utc.iso8601,
-            NotOnOrAfter: Saml::Kit.configuration.session_timeout.from_now.utc.iso8601,
-          }
-        end
-
-        def authn_statement_options
-          {
-            AuthnInstant: now.iso8601,
-            SessionIndex: assertion_options[:ID],
-            SessionNotOnOrAfter: 3.hours.since(now).utc.iso8601,
-          }
-        end
-      end
+      Builder = ActiveSupport::Deprecation::DeprecatedConstantProxy.new('Saml::Kit::Response::Builder', 'Saml::Kit::Builders::Response')
     end
   end
 end

data/lib/saml/kit/self_signed_certificate.rb

@@ -1,6 +1,8 @@
 module Saml
   module Kit
     class SelfSignedCertificate
+      SUBJECT="/C=CA/ST=Alberta/L=Calgary/O=SamlKit/OU=SamlKit/CN=SamlKit"
+
       def initialize(password)
         @password = password
       end
@@ -9,20 +11,25 @@ module Saml
         rsa_key = OpenSSL::PKey::RSA.new(2048)
         public_key = rsa_key.public_key
         certificate = OpenSSL::X509::Certificate.new
-        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse("/C=CA/ST=Alberta/L=Calgary/O=Xsig/OU=Xsig/CN=Xsig")
+        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse(SUBJECT)
         certificate.not_before = DateTime.now.beginning_of_day
-        certificate.not_after = 1.year.from_now.end_of_day
+        certificate.not_after = 30.days.from_now
         certificate.public_key = public_key
         certificate.serial = 0x0
         certificate.version = 2
         factory = OpenSSL::X509::ExtensionFactory.new
         factory.subject_certificate = factory.issuer_certificate = certificate
-        certificate.extensions = [ factory.create_extension("basicConstraints","CA:TRUE", true), factory.create_extension("subjectKeyIdentifier", "hash"), ]
-        certificate.add_extension(factory.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always"))
+        certificate.extensions = [
+          factory.create_extension("basicConstraints","CA:TRUE", true),
+          factory.create_extension("subjectKeyIdentifier", "hash"),
+        ]
+        certificate.add_extension(
+          factory.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+        )
         certificate.sign(rsa_key, OpenSSL::Digest::SHA256.new)
         [
           certificate.to_pem,
-          rsa_key.to_pem(OpenSSL::Cipher::Cipher.new('des3'), @password)
+          rsa_key.to_pem(OpenSSL::Cipher.new('AES-256-CBC'), @password)
         ]
       end
     end

data/lib/saml/kit/service_provider_metadata.rb

@@ -15,92 +15,15 @@ module Saml
 
       def want_assertions_signed
         attribute = document.find_by("/md:EntityDescriptor/md:#{name}").attribute("WantAssertionsSigned")
+        return true if attribute.nil?
         attribute.text.downcase == "true"
       end
 
-      class Builder
-        attr_accessor :id, :entity_id, :acs_urls, :logout_urls, :name_id_formats, :sign
-        attr_accessor :want_assertions_signed
-
-        def initialize(configuration = Saml::Kit.configuration)
-          @id = SecureRandom.uuid
-          @configuration = configuration
-          @entity_id = configuration.issuer
-          @acs_urls = []
-          @logout_urls = []
-          @name_id_formats = [Namespaces::PERSISTENT]
-          @sign = true
-          @want_assertions_signed = true
-        end
-
-        def add_assertion_consumer_service(url, binding: :http_post)
-          @acs_urls.push(location: url, binding: Bindings.binding_for(binding))
-        end
-
-        def add_single_logout_service(url, binding: :http_post)
-          @logout_urls.push(location: url, binding: Bindings.binding_for(binding))
-        end
-
-        def to_xml
-          Signature.sign(sign: sign) do |xml, signature|
-            xml.instruct!
-            xml.EntityDescriptor entity_descriptor_options do
-              signature.template(id)
-              xml.SPSSODescriptor descriptor_options do
-                if @configuration.signing_certificate_pem.present?
-                  xml.KeyDescriptor use: "signing" do
-                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
-                      xml.X509Data do
-                        xml.X509Certificate @configuration.stripped_signing_certificate
-                      end
-                    end
-                  end
-                end
-                if @configuration.encryption_certificate_pem.present?
-                  xml.KeyDescriptor use: "encryption" do
-                    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
-                      xml.X509Data do
-                        xml.X509Certificate @configuration.stripped_encryption_certificate
-                      end
-                    end
-                  end
-                end
-                logout_urls.each do |item|
-                  xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
-                end
-                name_id_formats.each do |format|
-                  xml.NameIDFormat format
-                end
-                acs_urls.each_with_index do |item, index|
-                  xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
-                end
-              end
-            end
-          end
-        end
-
-        def build
-          ServiceProviderMetadata.new(to_xml)
-        end
-
-        private
-
-        def entity_descriptor_options
-          {
-            'xmlns': Namespaces::METADATA,
-            ID: "_#{id}",
-            entityID: entity_id,
-          }
-        end
-
-        def descriptor_options
-          {
-            AuthnRequestsSigned: sign,
-            WantAssertionsSigned: want_assertions_signed,
-            protocolSupportEnumeration: Namespaces::PROTOCOL,
-          }
-        end
+      def self.builder_class
+        Saml::Kit::Builders::ServiceProviderMetadata
       end
+
+      Builder = ActiveSupport::Deprecation::DeprecatedConstantProxy.new('Saml::Kit::ServiceProviderMetadata::Builder', 'Saml::Kit::Builders::ServiceProviderMetadata')
     end
   end
 end

data/lib/saml/kit/signature.rb

@@ -34,7 +34,7 @@ module Saml
           xml.SignedInfo do
             xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
             xml.SignatureMethod Algorithm: SIGNATURE_METHODS[configuration.signature_method]
-            xml.Reference URI: "#_#{reference_id}" do
+            xml.Reference URI: "##{reference_id}" do
               xml.Transforms do
                 xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
                 xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"

data/lib/saml/kit/trustable.rb

@@ -30,11 +30,7 @@ module Saml
       end
 
       def provider
-        registry.metadata_for(issuer)
-      end
-
-      def registry
-        Saml::Kit.configuration.registry
+        Saml::Kit.registry.metadata_for(issuer)
       end
 
       def signature_verified!