saml-kit 0.2.17 → 0.2.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2e7c4ec8a1921995d89ce16ce8161b20763cb0b3
-  data.tar.gz: fc40b97c8a0da3edd71c1470867087cde7a11750
+  metadata.gz: 1523b17e9ef3134f4d110be787f4a63f600fcaff
+  data.tar.gz: f69357bc2618c53524aab2061fb1dec4044f210c
 SHA512:
-  metadata.gz: 192bc0456858f0efefd328fdf666cb335aeb84c8e1b83bc993925526263381e5ee5d5547bc6fc47dcaee72f2b4fa46dfc386abcc8adb560f07d87f0c09618a5f
-  data.tar.gz: be310f063a48d7108c2d6ed35090ccc5d7fcbc9858941e5ec9f5571a1e369ed90e2991a20025bb9e58a3f4a0bab836005be9652a7ab55f4192022c85ed66a982
+  metadata.gz: e2cd4dc82b98c2c763edf356607efda096740760b131c89b9a249bee156d9e0dc314c321a087047a99a36850c561d44cb3f3fe3c7b761fa8e9ad265236eba1b2
+  data.tar.gz: f7c66a56428fd31d7919881b8c55f0711068ef33c0afc1db30cdf2cbb110766fdf5a80c279b62d2143ee88cdaaa1b867c71fb62fb6f1932f27ceebe0b94a96b8

data/README.md

@@ -1,4 +1,8 @@
-# Saml::Kit
+![SAML-Kit](https://github.com/saml-kit/saml-kit/raw/master/spec/examples/saml-kit.gif)
+
+[![Gem Version](https://badge.fury.io/rb/saml-kit.svg)](https://rubygems.org/gems/saml-kit)
+[![Code Climate](https://codeclimate.com/github/saml-kit/saml-kit.svg)](https://codeclimate.com/github/saml-kit/saml-kit)
+[![Build Status](https://travis-ci.org/saml-kit/saml-kit.svg)](https://travis-ci.org/saml-kit/saml-kit)
 
 Saml::Kit is a library with the purpose of creating and consuming SAML
 documents. It supports the HTTP Post and HTTP Redirect bindings. It can
@@ -30,7 +34,8 @@ To specify a global configuration: (useful for a rails application)
 Saml::Kit.configure do |configuration|
   configuration.issuer = ENV['ISSUER']
   configuration.generate_key_pair_for(use: :signing)
-  configuration.generate_key_pair_for(use: :signing)
+  configuration.add_key_pair(ENV["CERTIFICATE"], ENV["PRIVATE_KEY"], passphrase: ENV['PASSPHRASE'], use: :signing)
+  configuration.generate_key_pair_for(use: :encryption)
 end
 ```
 
@@ -216,8 +221,8 @@ class User
 end
 
 user = User.new(id: SecureRandom.uuid, email: "hello@example.com")
-sp = Saml::Kit::IdentityProviderMetadata.new(xml)
-url, saml_params = sp.logout_request_for(user, binding: :http_post)
+idp = Saml::Kit::IdentityProviderMetadata.new(xml)
+url, saml_params = idp.logout_request_for(user, binding: :http_post)
 puts [url, saml_params].inspect
 # ["https://www.example.com/logout", {"SAMLRequest"=>"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48TG9nb3V0UmVxdWVzdCBJRD0iXzg3NjZiNTYyLTc2MzQtNDU4Zi04MzJmLTE4ODkwMjRlZDQ0MyIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTctMTItMTlUMDQ6NTg6MThaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20vbG9nb3V0IiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj48SXNzdWVyIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIi8+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5kODc3YWEzZS01YTUyLTRhODAtYTA3ZC1lM2U5YzBjNTA1Nzk8L05hbWVJRD48L0xvZ291dFJlcXVlc3Q+"}]
 ```

data/lib/saml/kit/assertion.rb

@@ -27,12 +27,12 @@ module Saml
         xml_hash ? Signature.new(xml_hash) : nil
       end
 
-      def expired?
-        Time.current > expired_at
+      def expired?(now = Time.current)
+        now > expired_at
       end
 
-      def active?
-        Time.current > started_at && !expired?
+      def active?(now = Time.current)
+        now > configuration.clock_drift.before(started_at) && !expired?
       end
 
       def attributes
@@ -69,9 +69,11 @@ module Saml
 
       private
 
+      attr_reader :configuration
+
       def assertion
         @assertion ||= if encrypted?
-          decrypted = XmlDecryption.new(configuration: @configuration).decrypt(@xml_hash['Response']['EncryptedAssertion'])
+          decrypted = XmlDecryption.new(configuration: configuration).decrypt(@xml_hash['Response']['EncryptedAssertion'])
           Saml::Kit.logger.debug(decrypted)
           Hash.from_xml(decrypted)['Assertion']
         else
@@ -91,7 +93,7 @@ module Saml
       end
 
       def must_match_issuer
-        unless audiences.include?(@configuration.issuer)
+        unless audiences.include?(configuration.issuer)
           errors[:audience] << error_message(:must_match_issuer)
         end
       end

data/lib/saml/kit/authentication_request.rb

@@ -13,6 +13,10 @@ module Saml
     #      <saml:Issuer>Day of the Dangerous Cousins</saml:Issuer>
     #      <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
     #    </samlp:AuthnRequest>
+    #
+    # Example:
+    #
+    # {include:file:spec/examples/authentication_request_spec.rb}
     class AuthenticationRequest < Document
       include Requestable
 

data/lib/saml/kit/bindings/binding.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Bindings
+      # {include:file:spec/saml/bindings/binding_spec.rb}
       class Binding
         attr_reader :binding, :location
 

data/lib/saml/kit/bindings/http_post.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Bindings
+      # {include:file:spec/saml/bindings/http_post_spec.rb}
       class HttpPost < Binding
         include Serializable
 

data/lib/saml/kit/bindings/http_redirect.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Bindings
+      # {include:file:spec/saml/bindings/http_redirect_spec.rb}
       class HttpRedirect < Binding
         include Serializable
 
@@ -31,21 +32,26 @@ module Saml
 
         def ensure_valid_signature!(params, document)
           return if params[:Signature].blank? || params[:SigAlg].blank?
-
-          signature = decode(params[:Signature])
-          canonical_form = [:SAMLRequest, :SAMLResponse, :RelayState, :SigAlg].map do |key|
-            value = params[key]
-            value.present? ? "#{key}=#{value}" : nil
-          end.compact.join('&')
-
           return if document.provider.nil?
-          if document.provider.verify(algorithm_for(params[:SigAlg]), signature, canonical_form)
+
+          if document.provider.verify(
+              algorithm_for(params[:SigAlg]),
+              decode(params[:Signature]),
+              canonicalize(params)
+          )
             document.signature_verified!
           else
             raise ArgumentError.new("Invalid Signature")
           end
         end
 
+        def canonicalize(params)
+          [:SAMLRequest, :SAMLResponse, :RelayState, :SigAlg].map do |key|
+            value = params[key]
+            value.present? ? "#{key}=#{value}" : nil
+          end.compact.join('&')
+        end
+
         def algorithm_for(algorithm)
           case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
           when 256
@@ -60,20 +66,13 @@ module Saml
         end
 
         def normalize(params)
-          if params.respond_to? :inject
-            params.inject({}) do |memo, (key, value)|
-              memo[key.to_sym] = value
-              memo
-            end
-          else
-            {
-              SAMLRequest: params['SAMLRequest'] || params[:SAMLRequest],
-              SAMLResponse: params['SAMLResponse'] || params[:SAMLResponse],
-              RelayState: params['RelayState'] || params[:RelayState],
-              Signature: params['Signature'] || params[:Signature],
-              SigAlg: params['SigAlg'] || params[:SigAlg],
-            }
-          end
+          {
+            SAMLRequest: params['SAMLRequest'] || params[:SAMLRequest],
+            SAMLResponse: params['SAMLResponse'] || params[:SAMLResponse],
+            RelayState: params['RelayState'] || params[:RelayState],
+            Signature: params['Signature'] || params[:Signature],
+            SigAlg: params['SigAlg'] || params[:SigAlg],
+          }
         end
       end
     end

data/lib/saml/kit/bindings/url_builder.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Bindings
+      # {include:file:spec/saml/bindings/url_builder_spec.rb}
       class UrlBuilder
         include Serializable
         attr_reader :configuration

data/lib/saml/kit/builders/authentication_request.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/authentication_request_spec.rb}
       class AuthenticationRequest
         include Saml::Kit::Templatable
         attr_accessor :id, :now, :issuer, :assertion_consumer_service_url, :name_id_format, :destination

data/lib/saml/kit/builders/identity_provider_metadata.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/identity_provider_metadata_spec.rb}
       class IdentityProviderMetadata
         include Saml::Kit::Templatable
         extend Forwardable

data/lib/saml/kit/builders/logout_request.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/logout_request_spec.rb}
       class LogoutRequest
         include Saml::Kit::Templatable
         attr_accessor :id, :destination, :issuer, :name_id_format, :now

data/lib/saml/kit/builders/logout_response.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/logout_response_spec.rb}
       class LogoutResponse
         include Saml::Kit::Templatable
         attr_accessor :id, :issuer, :version, :status_code, :now, :destination

data/lib/saml/kit/builders/metadata.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/metadata_spec.rb}
       class Metadata
         include Templatable
 

data/lib/saml/kit/builders/response.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/response_spec.rb}
       class Response
         include Templatable
         attr_reader :user, :request

data/lib/saml/kit/builders/service_provider_metadata.rb

@@ -1,6 +1,7 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:spec/saml/builders/service_provider_metadata_spec.rb}
       class ServiceProviderMetadata
         include Saml::Kit::Templatable
         extend Forwardable

data/lib/saml/kit/certificate.rb

@@ -1,5 +1,6 @@
 module Saml
   module Kit
+    # {include:file:spec/saml/certificate_spec.rb}
     class Certificate
       BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
       END_CERT=/-----END CERTIFICATE-----/

data/lib/saml/kit/configuration.rb

@@ -32,14 +32,17 @@ module Saml
       attr_accessor :session_timeout
       # The logger to write log messages to.
       attr_accessor :logger
+      # The total allowable clock drift for session timeout validation.
+      attr_accessor :clock_drift
 
       def initialize # :yields configuration
-        @signature_method = :SHA256
+        @clock_drift = 30.seconds
         @digest_method = :SHA256
+        @key_pairs = []
+        @logger = Logger.new(STDOUT)
         @registry = DefaultRegistry.new
         @session_timeout = 3.hours
-        @logger = Logger.new(STDOUT)
-        @key_pairs = []
+        @signature_method = :SHA256
         yield self if block_given?
       end
 

data/lib/saml/kit/default_registry.rb

@@ -26,7 +26,8 @@ module Saml
     #     configuration.registry = OnDemandRegistry.new(configuration.registry)
     #     configuration.logger = Rails.logger
     #   end
-
+    #
+    # {include:file:spec/saml/default_registry.rb}
     class DefaultRegistry
       def initialize(items = {})
         @items = items

data/lib/saml/kit/document.rb

@@ -17,37 +17,36 @@ module Saml
         @configuration = configuration
         @content = xml
         @name = name
-        @xml_hash = Hash.from_xml(xml) || {}
       end
 
       # Returns the ID for the SAML document.
       def id
-        to_h.fetch(name, {}).fetch('ID', nil)
+        root.fetch('ID', nil)
       end
 
       # Returns the Issuer for the SAML document.
       def issuer
-        to_h.fetch(name, {}).fetch('Issuer', nil)
+        root.fetch('Issuer', nil)
       end
 
       # Returns the Version of the SAML document.
       def version
-        to_h.fetch(name, {}).fetch('Version', {})
+        root.fetch('Version', {})
       end
 
       # Returns the Destination of the SAML document.
       def destination
-        to_h.fetch(name, {}).fetch('Destination', nil)
+        root.fetch('Destination', nil)
       end
 
       # Returns the Destination of the SAML document.
       def issue_instant
-        Time.parse(to_h[name]['IssueInstant'])
+        Time.parse(root['IssueInstant'])
       end
 
       # Returns the SAML document returned as a Hash.
       def to_h
-        @xml_hash
+        @xml_hash ||= Hash.from_xml(content) || {}
       end
 
       # Returns the SAML document as an XML string.
@@ -68,24 +67,28 @@ module Saml
       end
 
       class << self
+        XPATH = [
+          "/samlp:AuthnRequest",
+          "/samlp:LogoutRequest",
+          "/samlp:LogoutResponse",
+          "/samlp:Response",
+        ].join("|")
+
         # Returns the raw xml as a Saml::Kit SAML document.
         #
         # @param xml [String] the raw xml string.
         # @param configuration [Saml::Kit::Configuration] the configuration to use for unpacking the document.
         def to_saml_document(xml, configuration: Saml::Kit.configuration)
-          hash = Hash.from_xml(xml)
-          if hash['Response'].present?
-            Response.new(xml, configuration: configuration)
-          elsif hash['LogoutResponse'].present?
-            LogoutResponse.new(xml, configuration: configuration)
-          elsif hash['AuthnRequest'].present?
-            AuthenticationRequest.new(xml, configuration: configuration)
-          elsif hash['LogoutRequest'].present?
-            LogoutRequest.new(xml, configuration: configuration)
-          end
+          constructor = {
+            "AuthnRequest" => Saml::Kit::AuthenticationRequest,
+            "LogoutRequest" => Saml::Kit::LogoutRequest,
+            "LogoutResponse" => Saml::Kit::LogoutResponse,
+            "Response" => Saml::Kit::Response,
+          }[Saml::Kit::Xml.new(xml).find_by(XPATH).name] || InvalidDocument
+          constructor.new(xml, configuration: configuration)
         rescue => error
           Saml::Kit.logger.error(error)
-          InvalidDocument.new(xml)
+          InvalidDocument.new(xml, configuration: configuration)
         end
 
         # @!visibility private
@@ -109,18 +112,19 @@ module Saml
 
       attr_reader :content, :name, :configuration
 
+      def root
+        to_h.fetch(name, {})
+      end
+
       def must_match_xsd
         matches_xsd?(PROTOCOL_XSD)
       end
 
       def must_be_expected_type
-        return if to_h.nil?
-
         errors[:base] << error_message(:invalid) unless expected_type?
       end
 
       def expected_type?
-        return false if to_xml.blank?
         to_h[name].present?
       end
 

data/lib/saml/kit/fingerprint.rb

@@ -6,6 +6,8 @@ module Saml
     #
     #   puts Saml::Kit::Fingerprint.new(certificate).to_s
     #   # B7:AB:DC:BD:4D:23:58:65:FD:1A:99:0C:5F:89:EA:87:AD:F1:D7:83:34:7A:E9:E4:88:12:DD:46:1F:38:05:93
+    #
+    # {include:file:spec/saml/fingerprint_spec.rb}
     class Fingerprint
       # The OpenSSL::X509::Certificate
       attr_reader :x509

data/lib/saml/kit/identity_provider_metadata.rb

@@ -26,6 +26,10 @@ module Saml
     #   puts metadata.to_xml
     #
     # For more details on generating metadata see {Saml::Kit::Metadata}.
+    #
+    # Example:
+    #
+    # {include:file:spec/examples/identity_provider_metadata_spec.rb}
     class IdentityProviderMetadata < Metadata
       def initialize(xml)
         super("IDPSSODescriptor", xml)

data/lib/saml/kit/invalid_document.rb

@@ -1,13 +1,20 @@
 module Saml
   module Kit
+    # {include:file:spec/saml/invalid_document_spec.rb}
     class InvalidDocument < Document
       validate do |model|
         model.errors[:base] << model.error_message(:invalid)
       end
 
-      def initialize(xml)
+      def initialize(xml, configuration: nil)
         super(xml, name: "InvalidDocument")
       end
+
+      def to_h
+        super
+      rescue
+        {}
+      end
     end
   end
 end

data/lib/saml/kit/logout_request.rb

@@ -20,6 +20,8 @@ module Saml
     #   url, saml_params = document.response_for(binding: :http_post)
     #
     # See {#response_for} for more information.
+    #
+    # {include:file:spec/examples/logout_request_spec.rb}
     class LogoutRequest < Document
       include Requestable
       validates_presence_of :single_logout_service, if: :expected_type?

data/lib/saml/kit/logout_response.rb

@@ -3,6 +3,8 @@ module Saml
     # This class is used to parse a LogoutResponse SAML document.
     #
     #   document = Saml::Kit::LogoutResponse.new(raw_xml)
+    #
+    # {include:file:spec/examples/logout_response_spec.rb}
     class LogoutResponse < Document
       include Respondable
 

data/lib/saml/kit/metadata.rb

@@ -21,6 +21,7 @@ module Saml
     #
     # See {Saml::Kit::Builders::ServiceProviderMetadata} and {Saml::Kit::Builders::IdentityProviderMetadata}
     # for a list of options that can be specified.
+    # {include:file:spec/examples/metadata_spec.rb}
     class Metadata
       METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
       include ActiveModel::Validations

data/lib/saml/kit/response.rb

@@ -1,5 +1,6 @@
 module Saml
   module Kit
+    # {include:file:spec/examples/response_spec.rb}
     class Response < Document
       include Respondable
       extend Forwardable

data/lib/saml/kit/service_provider_metadata.rb

@@ -1,5 +1,6 @@
 module Saml
   module Kit
+    # {include:file:spec/examples/service_provider_metadata_spec.rb}
     class ServiceProviderMetadata < Metadata
       def initialize(xml)
         super("SPSSODescriptor", xml)

data/lib/saml/kit/version.rb

@@ -1,5 +1,5 @@
 module Saml
   module Kit
-    VERSION = "0.2.17"
+    VERSION = "0.2.18"
   end
 end

data/lib/saml/kit/xml.rb

@@ -1,5 +1,6 @@
 module Saml
   module Kit
+    # {include:file:spec/saml/xml_spec.rb}
     class Xml # :nodoc:
       include ActiveModel::Validations
       NAMESPACES = {
@@ -59,24 +60,20 @@ module Saml
       end
 
       def validate_certificates(now = Time.current)
-        return unless document.at_xpath('//ds:Signature', Xmldsig::NAMESPACES).present?
+        return if find_by('//ds:Signature').nil?
 
         x509_certificates.each do |certificate|
-          if now < certificate.not_before
-            errors.add(:certificate, "Not valid before #{certificate.not_before}")
-          end
+          inactive = now < certificate.not_before
+          errors.add(:certificate, "Not valid before #{certificate.not_before}") if inactive
 
-          if now > certificate.not_after
-            errors.add(:certificate, "Not valid after #{certificate.not_after}")
-          end
+          expired = now > certificate.not_after
+          errors.add(:certificate, "Not valid after #{certificate.not_after}") if expired
         end
       end
 
       def x509_certificates
         xpath = "//ds:KeyInfo/ds:X509Data/ds:X509Certificate"
-        document.search(xpath, Xmldsig::NAMESPACES).map do |item|
-          Certificate.to_x509(item.text)
-        end
+        find_all(xpath).map { |item| Certificate.to_x509(item.text) }
       end
     end
   end

data/lib/saml/kit/xml_decryption.rb

@@ -1,5 +1,6 @@
 module Saml
   module Kit
+    # {include:file:spec/saml/xml_decryption_spec.rb}
     class XmlDecryption
       # The list of private keys to use to attempt to decrypt the document.
       attr_reader :private_keys

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml-kit
 version: !ruby/object:Gem::Version
-  version: 0.2.17
+  version: 0.2.18
 platform: ruby
 authors:
 - mo khan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-12-22 00:00:00.000000000 Z
+date: 2017-12-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel