saml-kit 0.2.2 → 0.2.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/saml/kit.rb +10 -0
- data/lib/saml/kit/bindings/binding.rb +20 -0
- data/lib/saml/kit/builders.rb +3 -0
- data/lib/saml/kit/builders/assertion.rb +62 -0
- data/lib/saml/kit/builders/authentication_request.rb +15 -10
- data/lib/saml/kit/builders/identity_provider_metadata.rb +7 -54
- data/lib/saml/kit/builders/logout_request.rb +3 -12
- data/lib/saml/kit/builders/logout_response.rb +8 -17
- data/lib/saml/kit/builders/response.rb +8 -120
- data/lib/saml/kit/builders/service_provider_metadata.rb +5 -40
- data/lib/saml/kit/builders/templates/assertion.builder +29 -0
- data/lib/saml/kit/builders/templates/authentication_request.builder +6 -0
- data/lib/saml/kit/builders/templates/certificate.builder +7 -0
- data/lib/saml/kit/builders/templates/identity_provider_metadata.builder +32 -0
- data/lib/saml/kit/builders/templates/logout_request.builder +6 -0
- data/lib/saml/kit/builders/templates/logout_response.builder +8 -0
- data/lib/saml/kit/builders/templates/response.builder +11 -0
- data/lib/saml/kit/builders/templates/service_provider_metadata.builder +29 -0
- data/lib/saml/kit/builders/templates/xml_encryption.builder +16 -0
- data/lib/saml/kit/builders/templates/xml_signature.builder +20 -0
- data/lib/saml/kit/builders/xml_encryption.rb +20 -0
- data/lib/saml/kit/builders/xml_signature.rb +41 -0
- data/lib/saml/kit/certificate.rb +14 -0
- data/lib/saml/kit/composite_metadata.rb +36 -0
- data/lib/saml/kit/configuration.rb +4 -21
- data/lib/saml/kit/metadata.rb +3 -1
- data/lib/saml/kit/requestable.rb +0 -3
- data/lib/saml/kit/signature.rb +8 -50
- data/lib/saml/kit/signatures.rb +28 -0
- data/lib/saml/kit/templatable.rb +33 -0
- data/lib/saml/kit/template.rb +29 -0
- data/lib/saml/kit/version.rb +1 -1
- data/lib/saml/kit/xml_decryption.rb +5 -5
- data/saml-kit.gemspec +1 -0
- metadata +33 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 68d768bf760de038c1d2509056882bdd822d6d9d81449e9b6b3ee55b1f0061b0
|
|
4
|
+
data.tar.gz: 36ddb0f1d8f7692518e43604bed5505ff5503235b99644e83923049cbc86cf0d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 03dec61510539ae84a0fa52e64f0b522d75ae2388a289f657a47480d716913e16d2c52e369b761581c32467e812aec22eb78b50e311518d877a9a891d1d0a2a0
|
|
7
|
+
data.tar.gz: 687f187faeb6e73c31abe59ec6734f30cb41213262b4c5fdd0fd4dd4ada9d712a7bce27959e92a03ee8ccbe6efc75d2ce8d9ff75d8595e5e87c15e54da0525ba
|
data/lib/saml/kit.rb
CHANGED
|
@@ -12,9 +12,11 @@ require "logger"
|
|
|
12
12
|
require "net/http"
|
|
13
13
|
require "nokogiri"
|
|
14
14
|
require "securerandom"
|
|
15
|
+
require "tilt"
|
|
15
16
|
require "xmldsig"
|
|
16
17
|
|
|
17
18
|
require "saml/kit/buildable"
|
|
19
|
+
require "saml/kit/templatable"
|
|
18
20
|
require "saml/kit/builders"
|
|
19
21
|
require "saml/kit/namespaces"
|
|
20
22
|
require "saml/kit/serializable"
|
|
@@ -34,6 +36,7 @@ require "saml/kit/fingerprint"
|
|
|
34
36
|
require "saml/kit/logout_response"
|
|
35
37
|
require "saml/kit/logout_request"
|
|
36
38
|
require "saml/kit/metadata"
|
|
39
|
+
require "saml/kit/composite_metadata"
|
|
37
40
|
require "saml/kit/response"
|
|
38
41
|
require "saml/kit/id"
|
|
39
42
|
require "saml/kit/identity_provider_metadata"
|
|
@@ -41,6 +44,8 @@ require "saml/kit/invalid_document"
|
|
|
41
44
|
require "saml/kit/self_signed_certificate"
|
|
42
45
|
require "saml/kit/service_provider_metadata"
|
|
43
46
|
require "saml/kit/signature"
|
|
47
|
+
require "saml/kit/signatures"
|
|
48
|
+
require "saml/kit/template"
|
|
44
49
|
require "saml/kit/xml"
|
|
45
50
|
require "saml/kit/xml_decryption"
|
|
46
51
|
|
|
@@ -64,6 +69,11 @@ module Saml
|
|
|
64
69
|
def registry
|
|
65
70
|
configuration.registry
|
|
66
71
|
end
|
|
72
|
+
|
|
73
|
+
def deprecate(message)
|
|
74
|
+
@deprecation ||= ActiveSupport::Deprecation.new('next-release', 'saml-kit')
|
|
75
|
+
@deprecation.deprecation_warning(message)
|
|
76
|
+
end
|
|
67
77
|
end
|
|
68
78
|
end
|
|
69
79
|
end
|
|
@@ -25,6 +25,26 @@ module Saml
|
|
|
25
25
|
{ binding: binding, location: location }
|
|
26
26
|
end
|
|
27
27
|
|
|
28
|
+
def ==(other)
|
|
29
|
+
self.to_s == other.to_s
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def eql?(other)
|
|
33
|
+
self == other
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def hash
|
|
37
|
+
to_s.hash
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def to_s
|
|
41
|
+
"#{location}#{binding}"
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def inspect
|
|
45
|
+
to_h.inspect
|
|
46
|
+
end
|
|
47
|
+
|
|
28
48
|
protected
|
|
29
49
|
|
|
30
50
|
def saml_param_from(params)
|
data/lib/saml/kit/builders.rb
CHANGED
|
@@ -1,9 +1,12 @@
|
|
|
1
|
+
require 'saml/kit/builders/assertion'
|
|
1
2
|
require 'saml/kit/builders/authentication_request'
|
|
2
3
|
require 'saml/kit/builders/identity_provider_metadata'
|
|
3
4
|
require 'saml/kit/builders/logout_request'
|
|
4
5
|
require 'saml/kit/builders/logout_response'
|
|
5
6
|
require 'saml/kit/builders/response'
|
|
6
7
|
require 'saml/kit/builders/service_provider_metadata'
|
|
8
|
+
require 'saml/kit/builders/xml_encryption'
|
|
9
|
+
require 'saml/kit/builders/xml_signature'
|
|
7
10
|
|
|
8
11
|
module Saml
|
|
9
12
|
module Kit
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
module Builders
|
|
4
|
+
class Assertion
|
|
5
|
+
include Templatable
|
|
6
|
+
extend Forwardable
|
|
7
|
+
|
|
8
|
+
def_delegators :@response_builder, :encrypt, :sign, :request, :issuer, :reference_id, :now, :configuration, :user, :version
|
|
9
|
+
|
|
10
|
+
def initialize(response_builder)
|
|
11
|
+
@response_builder = response_builder
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def name_id_format
|
|
15
|
+
request.name_id_format
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def name_id
|
|
19
|
+
user.name_id_for(name_id_format)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def assertion_attributes
|
|
23
|
+
user.assertion_attributes_for(request)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def assertion_options
|
|
29
|
+
{
|
|
30
|
+
ID: reference_id,
|
|
31
|
+
IssueInstant: now.iso8601,
|
|
32
|
+
Version: version,
|
|
33
|
+
xmlns: Namespaces::ASSERTION,
|
|
34
|
+
}
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def subject_confirmation_data_options
|
|
38
|
+
{
|
|
39
|
+
InResponseTo: request.id,
|
|
40
|
+
NotOnOrAfter: 3.hours.since(now).utc.iso8601,
|
|
41
|
+
Recipient: request.assertion_consumer_service_url,
|
|
42
|
+
}
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def conditions_options
|
|
46
|
+
{
|
|
47
|
+
NotBefore: now.utc.iso8601,
|
|
48
|
+
NotOnOrAfter: configuration.session_timeout.from_now.utc.iso8601,
|
|
49
|
+
}
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def authn_statement_options
|
|
53
|
+
{
|
|
54
|
+
AuthnInstant: now.iso8601,
|
|
55
|
+
SessionIndex: reference_id,
|
|
56
|
+
SessionNotOnOrAfter: 3.hours.since(now).utc.iso8601,
|
|
57
|
+
}
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
end
|
|
@@ -2,26 +2,29 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class AuthenticationRequest
|
|
5
|
+
include Saml::Kit::Templatable
|
|
5
6
|
attr_accessor :id, :now, :issuer, :assertion_consumer_service_url, :name_id_format, :sign, :destination
|
|
6
7
|
attr_accessor :version
|
|
8
|
+
attr_reader :configuration
|
|
7
9
|
|
|
8
10
|
def initialize(configuration: Saml::Kit.configuration, sign: true)
|
|
11
|
+
@configuration = configuration
|
|
9
12
|
@id = Id.generate
|
|
10
13
|
@issuer = configuration.issuer
|
|
11
14
|
@name_id_format = Namespaces::PERSISTENT
|
|
12
15
|
@now = Time.now.utc
|
|
13
|
-
@version = "2.0"
|
|
14
16
|
@sign = sign
|
|
17
|
+
@version = "2.0"
|
|
15
18
|
end
|
|
16
19
|
|
|
17
|
-
def
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
20
|
+
def acs_url
|
|
21
|
+
Saml::Kit.deprecate("acs_url is deprecated. Use assertion_consumer_service_url instead")
|
|
22
|
+
self.assertion_consumer_service_url
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def acs_url=(value)
|
|
26
|
+
Saml::Kit.deprecate("acs_url= is deprecated. Use assertion_consumer_service_url= instead")
|
|
27
|
+
self.assertion_consumer_service_url = value
|
|
25
28
|
end
|
|
26
29
|
|
|
27
30
|
def build
|
|
@@ -39,7 +42,9 @@ module Saml
|
|
|
39
42
|
IssueInstant: now.utc.iso8601,
|
|
40
43
|
Destination: destination,
|
|
41
44
|
}
|
|
42
|
-
|
|
45
|
+
if assertion_consumer_service_url.present?
|
|
46
|
+
options[:AssertionConsumerServiceURL] = assertion_consumer_service_url
|
|
47
|
+
end
|
|
43
48
|
options
|
|
44
49
|
end
|
|
45
50
|
end
|
|
@@ -2,19 +2,21 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class IdentityProviderMetadata
|
|
5
|
+
include Saml::Kit::Templatable
|
|
5
6
|
attr_accessor :id, :organization_name, :organization_url, :contact_email, :entity_id, :attributes, :name_id_formats
|
|
6
7
|
attr_accessor :want_authn_requests_signed, :sign
|
|
7
8
|
attr_reader :logout_urls, :single_sign_on_urls
|
|
9
|
+
attr_reader :configuration
|
|
8
10
|
|
|
9
11
|
def initialize(configuration = Saml::Kit.configuration)
|
|
10
|
-
@id = Id.generate
|
|
11
|
-
@entity_id = configuration.issuer
|
|
12
12
|
@attributes = []
|
|
13
|
-
@name_id_formats = [Namespaces::PERSISTENT]
|
|
14
|
-
@single_sign_on_urls = []
|
|
15
|
-
@logout_urls = []
|
|
16
13
|
@configuration = configuration
|
|
14
|
+
@entity_id = configuration.issuer
|
|
15
|
+
@id = Id.generate
|
|
16
|
+
@logout_urls = []
|
|
17
|
+
@name_id_formats = [Namespaces::PERSISTENT]
|
|
17
18
|
@sign = true
|
|
19
|
+
@single_sign_on_urls = []
|
|
18
20
|
@want_authn_requests_signed = true
|
|
19
21
|
end
|
|
20
22
|
|
|
@@ -26,55 +28,6 @@ module Saml
|
|
|
26
28
|
@logout_urls.push(location: url, binding: Bindings.binding_for(binding))
|
|
27
29
|
end
|
|
28
30
|
|
|
29
|
-
def to_xml
|
|
30
|
-
Signature.sign(sign: sign) do |xml, signature|
|
|
31
|
-
xml.instruct!
|
|
32
|
-
xml.EntityDescriptor entity_descriptor_options do
|
|
33
|
-
signature.template(id)
|
|
34
|
-
xml.IDPSSODescriptor idp_sso_descriptor_options do
|
|
35
|
-
if @configuration.signing_certificate_pem.present?
|
|
36
|
-
xml.KeyDescriptor use: "signing" do
|
|
37
|
-
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
|
38
|
-
xml.X509Data do
|
|
39
|
-
xml.X509Certificate @configuration.stripped_signing_certificate
|
|
40
|
-
end
|
|
41
|
-
end
|
|
42
|
-
end
|
|
43
|
-
end
|
|
44
|
-
if @configuration.encryption_certificate_pem.present?
|
|
45
|
-
xml.KeyDescriptor use: "encryption" do
|
|
46
|
-
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
|
47
|
-
xml.X509Data do
|
|
48
|
-
xml.X509Certificate @configuration.stripped_encryption_certificate
|
|
49
|
-
end
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
end
|
|
53
|
-
logout_urls.each do |item|
|
|
54
|
-
xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
|
|
55
|
-
end
|
|
56
|
-
name_id_formats.each do |format|
|
|
57
|
-
xml.NameIDFormat format
|
|
58
|
-
end
|
|
59
|
-
single_sign_on_urls.each do |item|
|
|
60
|
-
xml.SingleSignOnService Binding: item[:binding], Location: item[:location]
|
|
61
|
-
end
|
|
62
|
-
attributes.each do |attribute|
|
|
63
|
-
xml.tag! 'saml:Attribute', Name: attribute
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
xml.Organization do
|
|
67
|
-
xml.OrganizationName organization_name, 'xml:lang': "en"
|
|
68
|
-
xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
|
|
69
|
-
xml.OrganizationURL organization_url, 'xml:lang': "en"
|
|
70
|
-
end
|
|
71
|
-
xml.ContactPerson contactType: "technical" do
|
|
72
|
-
xml.Company "mailto:#{contact_email}"
|
|
73
|
-
end
|
|
74
|
-
end
|
|
75
|
-
end
|
|
76
|
-
end
|
|
77
|
-
|
|
78
31
|
def build
|
|
79
32
|
Saml::Kit::IdentityProviderMetadata.new(to_xml)
|
|
80
33
|
end
|
|
@@ -2,11 +2,13 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class LogoutRequest
|
|
5
|
+
include Saml::Kit::Templatable
|
|
5
6
|
attr_accessor :id, :destination, :issuer, :name_id_format, :now
|
|
6
7
|
attr_accessor :sign, :version
|
|
7
|
-
attr_reader :user
|
|
8
|
+
attr_reader :user, :configuration
|
|
8
9
|
|
|
9
10
|
def initialize(user, configuration: Saml::Kit.configuration, sign: true)
|
|
11
|
+
@configuration = configuration
|
|
10
12
|
@user = user
|
|
11
13
|
@id = "_#{SecureRandom.uuid}"
|
|
12
14
|
@issuer = configuration.issuer
|
|
@@ -16,17 +18,6 @@ module Saml
|
|
|
16
18
|
@sign = sign
|
|
17
19
|
end
|
|
18
20
|
|
|
19
|
-
def to_xml
|
|
20
|
-
Signature.sign(sign: sign) do |xml, signature|
|
|
21
|
-
xml.instruct!
|
|
22
|
-
xml.LogoutRequest logout_request_options do
|
|
23
|
-
xml.Issuer({ xmlns: Namespaces::ASSERTION }, issuer)
|
|
24
|
-
signature.template(id)
|
|
25
|
-
xml.NameID name_id_options, user.name_id_for(name_id_format)
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
end
|
|
29
|
-
|
|
30
21
|
def build
|
|
31
22
|
Saml::Kit::LogoutRequest.new(to_xml)
|
|
32
23
|
end
|
|
@@ -2,30 +2,21 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class LogoutResponse
|
|
5
|
+
include Saml::Kit::Templatable
|
|
5
6
|
attr_accessor :id, :issuer, :version, :status_code, :sign, :now, :destination
|
|
6
7
|
attr_reader :request
|
|
8
|
+
attr_reader :configuration
|
|
7
9
|
|
|
8
10
|
def initialize(user, request, configuration: Saml::Kit.configuration, sign: true)
|
|
9
|
-
@
|
|
11
|
+
@configuration = configuration
|
|
12
|
+
@id = Id.generate
|
|
13
|
+
@issuer = configuration.issuer
|
|
10
14
|
@now = Time.now.utc
|
|
11
15
|
@request = request
|
|
12
|
-
@id = Id.generate
|
|
13
|
-
@version = "2.0"
|
|
14
|
-
@status_code = Namespaces::SUCCESS
|
|
15
16
|
@sign = sign
|
|
16
|
-
@
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
def to_xml
|
|
20
|
-
Signature.sign(sign: sign) do |xml, signature|
|
|
21
|
-
xml.LogoutResponse logout_response_options do
|
|
22
|
-
xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
|
|
23
|
-
signature.template(id)
|
|
24
|
-
xml.Status do
|
|
25
|
-
xml.StatusCode Value: status_code
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
end
|
|
17
|
+
@status_code = Namespaces::SUCCESS
|
|
18
|
+
@user = user
|
|
19
|
+
@version = "2.0"
|
|
29
20
|
end
|
|
30
21
|
|
|
31
22
|
def build
|
|
@@ -2,12 +2,14 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class Response
|
|
5
|
+
include Templatable
|
|
5
6
|
attr_reader :user, :request
|
|
6
7
|
attr_accessor :id, :reference_id, :now
|
|
7
8
|
attr_accessor :version, :status_code
|
|
8
9
|
attr_accessor :issuer, :sign, :destination, :encrypt
|
|
10
|
+
attr_reader :configuration
|
|
9
11
|
|
|
10
|
-
def initialize(user, request)
|
|
12
|
+
def initialize(user, request, configuration: Saml::Kit.configuration)
|
|
11
13
|
@user = user
|
|
12
14
|
@request = request
|
|
13
15
|
@id = Id.generate
|
|
@@ -19,6 +21,7 @@ module Saml
|
|
|
19
21
|
@destination = destination_for(request)
|
|
20
22
|
@sign = want_assertions_signed
|
|
21
23
|
@encrypt = false
|
|
24
|
+
@configuration = configuration
|
|
22
25
|
end
|
|
23
26
|
|
|
24
27
|
def want_assertions_signed
|
|
@@ -28,97 +31,18 @@ module Saml
|
|
|
28
31
|
true
|
|
29
32
|
end
|
|
30
33
|
|
|
31
|
-
def to_xml
|
|
32
|
-
Signature.sign(sign: sign) do |xml, signature|
|
|
33
|
-
xml.Response response_options do
|
|
34
|
-
xml.Issuer(issuer, xmlns: Namespaces::ASSERTION)
|
|
35
|
-
signature.template(id)
|
|
36
|
-
xml.Status do
|
|
37
|
-
xml.StatusCode Value: status_code
|
|
38
|
-
end
|
|
39
|
-
assertion(xml, signature)
|
|
40
|
-
end
|
|
41
|
-
end
|
|
42
|
-
end
|
|
43
|
-
|
|
44
34
|
def build
|
|
45
35
|
Saml::Kit::Response.new(to_xml, request_id: request.id)
|
|
46
36
|
end
|
|
47
37
|
|
|
48
38
|
private
|
|
49
39
|
|
|
50
|
-
def assertion
|
|
51
|
-
|
|
52
|
-
xml.Assertion(assertion_options) do
|
|
53
|
-
xml.Issuer issuer
|
|
54
|
-
signature.template(reference_id) unless encrypt
|
|
55
|
-
xml.Subject do
|
|
56
|
-
xml.NameID user.name_id_for(request.name_id_format), Format: request.name_id_format
|
|
57
|
-
xml.SubjectConfirmation Method: Namespaces::BEARER do
|
|
58
|
-
xml.SubjectConfirmationData "", subject_confirmation_data_options
|
|
59
|
-
end
|
|
60
|
-
end
|
|
61
|
-
xml.Conditions conditions_options do
|
|
62
|
-
xml.AudienceRestriction do
|
|
63
|
-
xml.Audience request.issuer
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
xml.AuthnStatement authn_statement_options do
|
|
67
|
-
xml.AuthnContext do
|
|
68
|
-
xml.AuthnContextClassRef Namespaces::PASSWORD
|
|
69
|
-
end
|
|
70
|
-
end
|
|
71
|
-
assertion_attributes = user.assertion_attributes_for(request)
|
|
72
|
-
if assertion_attributes.any?
|
|
73
|
-
xml.AttributeStatement do
|
|
74
|
-
assertion_attributes.each do |key, value|
|
|
75
|
-
xml.Attribute Name: key, NameFormat: Namespaces::URI, FriendlyName: key do
|
|
76
|
-
xml.AttributeValue value.to_s
|
|
77
|
-
end
|
|
78
|
-
end
|
|
79
|
-
end
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
end
|
|
40
|
+
def assertion
|
|
41
|
+
@assertion ||= Saml::Kit::Builders::Assertion.new(self)
|
|
83
42
|
end
|
|
84
43
|
|
|
85
|
-
def
|
|
86
|
-
|
|
87
|
-
temp = ::Builder::XmlMarkup.new
|
|
88
|
-
yield temp
|
|
89
|
-
raw_xml_to_encrypt = temp.target!
|
|
90
|
-
|
|
91
|
-
encryption_certificate = request.provider.encryption_certificates.first
|
|
92
|
-
public_key = encryption_certificate.public_key
|
|
93
|
-
|
|
94
|
-
cipher = OpenSSL::Cipher.new('AES-256-CBC')
|
|
95
|
-
cipher.encrypt
|
|
96
|
-
key = cipher.random_key
|
|
97
|
-
iv = cipher.random_iv
|
|
98
|
-
encrypted = cipher.update(raw_xml_to_encrypt) + cipher.final
|
|
99
|
-
|
|
100
|
-
Saml::Kit.logger.debug ['+iv', iv].inspect
|
|
101
|
-
Saml::Kit.logger.debug ['+key', key].inspect
|
|
102
|
-
|
|
103
|
-
xml.EncryptedAssertion xmlns: Namespaces::ASSERTION do
|
|
104
|
-
xml.EncryptedData xmlns: Namespaces::XMLENC do
|
|
105
|
-
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
|
|
106
|
-
xml.KeyInfo xmlns: Namespaces::XMLDSIG do
|
|
107
|
-
xml.EncryptedKey xmlns: Namespaces::XMLENC do
|
|
108
|
-
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
|
|
109
|
-
xml.CipherData do
|
|
110
|
-
xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
|
|
111
|
-
end
|
|
112
|
-
end
|
|
113
|
-
end
|
|
114
|
-
xml.CipherData do
|
|
115
|
-
xml.CipherValue Base64.encode64(iv + encrypted)
|
|
116
|
-
end
|
|
117
|
-
end
|
|
118
|
-
end
|
|
119
|
-
else
|
|
120
|
-
yield xml
|
|
121
|
-
end
|
|
44
|
+
def encryption_certificate
|
|
45
|
+
request.provider.encryption_certificates.first
|
|
122
46
|
end
|
|
123
47
|
|
|
124
48
|
def destination_for(request)
|
|
@@ -129,10 +53,6 @@ module Saml
|
|
|
129
53
|
end
|
|
130
54
|
end
|
|
131
55
|
|
|
132
|
-
def configuration
|
|
133
|
-
Saml::Kit.configuration
|
|
134
|
-
end
|
|
135
|
-
|
|
136
56
|
def response_options
|
|
137
57
|
{
|
|
138
58
|
ID: id,
|
|
@@ -144,38 +64,6 @@ module Saml
|
|
|
144
64
|
xmlns: Namespaces::PROTOCOL,
|
|
145
65
|
}
|
|
146
66
|
end
|
|
147
|
-
|
|
148
|
-
def assertion_options
|
|
149
|
-
{
|
|
150
|
-
ID: reference_id,
|
|
151
|
-
IssueInstant: now.iso8601,
|
|
152
|
-
Version: "2.0",
|
|
153
|
-
xmlns: Namespaces::ASSERTION,
|
|
154
|
-
}
|
|
155
|
-
end
|
|
156
|
-
|
|
157
|
-
def subject_confirmation_data_options
|
|
158
|
-
{
|
|
159
|
-
InResponseTo: request.id,
|
|
160
|
-
NotOnOrAfter: 3.hours.since(now).utc.iso8601,
|
|
161
|
-
Recipient: request.assertion_consumer_service_url,
|
|
162
|
-
}
|
|
163
|
-
end
|
|
164
|
-
|
|
165
|
-
def conditions_options
|
|
166
|
-
{
|
|
167
|
-
NotBefore: now.utc.iso8601,
|
|
168
|
-
NotOnOrAfter: Saml::Kit.configuration.session_timeout.from_now.utc.iso8601,
|
|
169
|
-
}
|
|
170
|
-
end
|
|
171
|
-
|
|
172
|
-
def authn_statement_options
|
|
173
|
-
{
|
|
174
|
-
AuthnInstant: now.iso8601,
|
|
175
|
-
SessionIndex: assertion_options[:ID],
|
|
176
|
-
SessionNotOnOrAfter: 3.hours.since(now).utc.iso8601,
|
|
177
|
-
}
|
|
178
|
-
end
|
|
179
67
|
end
|
|
180
68
|
end
|
|
181
69
|
end
|
|
@@ -2,14 +2,17 @@ module Saml
|
|
|
2
2
|
module Kit
|
|
3
3
|
module Builders
|
|
4
4
|
class ServiceProviderMetadata
|
|
5
|
+
include Saml::Kit::Templatable
|
|
5
6
|
attr_accessor :id, :entity_id, :acs_urls, :logout_urls, :name_id_formats, :sign
|
|
7
|
+
attr_accessor :organization_name, :organization_url, :contact_email
|
|
6
8
|
attr_accessor :want_assertions_signed
|
|
9
|
+
attr_reader :configuration
|
|
7
10
|
|
|
8
11
|
def initialize(configuration = Saml::Kit.configuration)
|
|
9
|
-
@
|
|
12
|
+
@acs_urls = []
|
|
10
13
|
@configuration = configuration
|
|
11
14
|
@entity_id = configuration.issuer
|
|
12
|
-
@
|
|
15
|
+
@id = Id.generate
|
|
13
16
|
@logout_urls = []
|
|
14
17
|
@name_id_formats = [Namespaces::PERSISTENT]
|
|
15
18
|
@sign = true
|
|
@@ -24,44 +27,6 @@ module Saml
|
|
|
24
27
|
@logout_urls.push(location: url, binding: Bindings.binding_for(binding))
|
|
25
28
|
end
|
|
26
29
|
|
|
27
|
-
def to_xml
|
|
28
|
-
Signature.sign(sign: sign) do |xml, signature|
|
|
29
|
-
xml.instruct!
|
|
30
|
-
xml.EntityDescriptor entity_descriptor_options do
|
|
31
|
-
signature.template(id)
|
|
32
|
-
xml.SPSSODescriptor descriptor_options do
|
|
33
|
-
if @configuration.signing_certificate_pem.present?
|
|
34
|
-
xml.KeyDescriptor use: "signing" do
|
|
35
|
-
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
|
36
|
-
xml.X509Data do
|
|
37
|
-
xml.X509Certificate @configuration.stripped_signing_certificate
|
|
38
|
-
end
|
|
39
|
-
end
|
|
40
|
-
end
|
|
41
|
-
end
|
|
42
|
-
if @configuration.encryption_certificate_pem.present?
|
|
43
|
-
xml.KeyDescriptor use: "encryption" do
|
|
44
|
-
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
|
45
|
-
xml.X509Data do
|
|
46
|
-
xml.X509Certificate @configuration.stripped_encryption_certificate
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
|
-
end
|
|
50
|
-
end
|
|
51
|
-
logout_urls.each do |item|
|
|
52
|
-
xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
|
|
53
|
-
end
|
|
54
|
-
name_id_formats.each do |format|
|
|
55
|
-
xml.NameIDFormat format
|
|
56
|
-
end
|
|
57
|
-
acs_urls.each_with_index do |item, index|
|
|
58
|
-
xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
|
|
59
|
-
end
|
|
60
|
-
end
|
|
61
|
-
end
|
|
62
|
-
end
|
|
63
|
-
end
|
|
64
|
-
|
|
65
30
|
def build
|
|
66
31
|
Saml::Kit::ServiceProviderMetadata.new(to_xml)
|
|
67
32
|
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
xml.Assertion(assertion_options) do
|
|
2
|
+
xml.Issuer issuer
|
|
3
|
+
signature_for(reference_id: reference_id, xml: xml) unless encrypt
|
|
4
|
+
xml.Subject do
|
|
5
|
+
xml.NameID name_id, Format: name_id_format
|
|
6
|
+
xml.SubjectConfirmation Method: Saml::Kit::Namespaces::BEARER do
|
|
7
|
+
xml.SubjectConfirmationData "", subject_confirmation_data_options
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
xml.Conditions conditions_options do
|
|
11
|
+
xml.AudienceRestriction do
|
|
12
|
+
xml.Audience request.issuer
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
xml.AuthnStatement authn_statement_options do
|
|
16
|
+
xml.AuthnContext do
|
|
17
|
+
xml.AuthnContextClassRef Saml::Kit::Namespaces::PASSWORD
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
if assertion_attributes.any?
|
|
21
|
+
xml.AttributeStatement do
|
|
22
|
+
assertion_attributes.each do |key, value|
|
|
23
|
+
xml.Attribute Name: key, NameFormat: Saml::Kit::Namespaces::URI, FriendlyName: key do
|
|
24
|
+
xml.AttributeValue value.to_s
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
xml.instruct!
|
|
2
|
+
xml.EntityDescriptor entity_descriptor_options do
|
|
3
|
+
signature_for(reference_id: id, xml: xml)
|
|
4
|
+
xml.IDPSSODescriptor idp_sso_descriptor_options do
|
|
5
|
+
if configuration.signing_certificate_pem.present?
|
|
6
|
+
render configuration.signing_certificate, xml: xml
|
|
7
|
+
end
|
|
8
|
+
if configuration.encryption_certificate_pem.present?
|
|
9
|
+
render configuration.encryption_certificate, xml: xml
|
|
10
|
+
end
|
|
11
|
+
logout_urls.each do |item|
|
|
12
|
+
xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
|
|
13
|
+
end
|
|
14
|
+
name_id_formats.each do |format|
|
|
15
|
+
xml.NameIDFormat format
|
|
16
|
+
end
|
|
17
|
+
single_sign_on_urls.each do |item|
|
|
18
|
+
xml.SingleSignOnService Binding: item[:binding], Location: item[:location]
|
|
19
|
+
end
|
|
20
|
+
attributes.each do |attribute|
|
|
21
|
+
xml.tag! 'saml:Attribute', Name: attribute
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
xml.Organization do
|
|
25
|
+
xml.OrganizationName organization_name, 'xml:lang': "en"
|
|
26
|
+
xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
|
|
27
|
+
xml.OrganizationURL organization_url, 'xml:lang': "en"
|
|
28
|
+
end
|
|
29
|
+
xml.ContactPerson contactType: "technical" do
|
|
30
|
+
xml.Company "mailto:#{contact_email}"
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
xml.instruct!
|
|
2
|
+
xml.Response response_options do
|
|
3
|
+
xml.Issuer(issuer, xmlns: Saml::Kit::Namespaces::ASSERTION)
|
|
4
|
+
signature_for(reference_id: id, xml: xml)
|
|
5
|
+
xml.Status do
|
|
6
|
+
xml.StatusCode Value: status_code
|
|
7
|
+
end
|
|
8
|
+
encryption_for(xml: xml) do |xml|
|
|
9
|
+
render assertion, xml: xml
|
|
10
|
+
end
|
|
11
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
xml.instruct!
|
|
2
|
+
xml.EntityDescriptor entity_descriptor_options do
|
|
3
|
+
signature_for(reference_id: id, xml: xml)
|
|
4
|
+
xml.SPSSODescriptor descriptor_options do
|
|
5
|
+
if configuration.signing_certificate_pem.present?
|
|
6
|
+
render configuration.signing_certificate, xml: xml
|
|
7
|
+
end
|
|
8
|
+
if configuration.encryption_certificate_pem.present?
|
|
9
|
+
render configuration.encryption_certificate, xml: xml
|
|
10
|
+
end
|
|
11
|
+
logout_urls.each do |item|
|
|
12
|
+
xml.SingleLogoutService Binding: item[:binding], Location: item[:location]
|
|
13
|
+
end
|
|
14
|
+
name_id_formats.each do |format|
|
|
15
|
+
xml.NameIDFormat format
|
|
16
|
+
end
|
|
17
|
+
acs_urls.each_with_index do |item, index|
|
|
18
|
+
xml.AssertionConsumerService Binding: item[:binding], Location: item[:location], index: index, isDefault: index == 0 ? true : false
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
xml.Organization do
|
|
22
|
+
xml.OrganizationName organization_name, 'xml:lang': "en"
|
|
23
|
+
xml.OrganizationDisplayName organization_name, 'xml:lang': "en"
|
|
24
|
+
xml.OrganizationURL organization_url, 'xml:lang': "en"
|
|
25
|
+
end
|
|
26
|
+
xml.ContactPerson contactType: "technical" do
|
|
27
|
+
xml.Company "mailto:#{contact_email}"
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
xml.EncryptedAssertion xmlns: Saml::Kit::Namespaces::ASSERTION do
|
|
2
|
+
xml.EncryptedData xmlns: Saml::Kit::Namespaces::XMLENC do
|
|
3
|
+
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
|
|
4
|
+
xml.KeyInfo xmlns: Saml::Kit::Namespaces::XMLDSIG do
|
|
5
|
+
xml.EncryptedKey xmlns: Saml::Kit::Namespaces::XMLENC do
|
|
6
|
+
xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
|
|
7
|
+
xml.CipherData do
|
|
8
|
+
xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
xml.CipherData do
|
|
13
|
+
xml.CipherValue Base64.encode64(iv + encrypted)
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
xml.Signature "xmlns" => Saml::Kit::Namespaces::XMLDSIG do
|
|
2
|
+
xml.SignedInfo do
|
|
3
|
+
xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
|
|
4
|
+
xml.SignatureMethod Algorithm: signature_method
|
|
5
|
+
xml.Reference URI: "##{reference_id}" do
|
|
6
|
+
xml.Transforms do
|
|
7
|
+
xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
|
|
8
|
+
xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
|
|
9
|
+
end
|
|
10
|
+
xml.DigestMethod Algorithm: digest_method
|
|
11
|
+
xml.DigestValue ""
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
xml.SignatureValue ""
|
|
15
|
+
xml.KeyInfo do
|
|
16
|
+
xml.X509Data do
|
|
17
|
+
xml.X509Certificate x509_certificate
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
module Builders
|
|
4
|
+
class XmlEncryption
|
|
5
|
+
attr_reader :public_key
|
|
6
|
+
attr_reader :key, :iv, :encrypted
|
|
7
|
+
|
|
8
|
+
def initialize(raw_xml, public_key)
|
|
9
|
+
@public_key = public_key
|
|
10
|
+
cipher = OpenSSL::Cipher.new('AES-256-CBC')
|
|
11
|
+
cipher.encrypt
|
|
12
|
+
@key = cipher.random_key
|
|
13
|
+
@iv = cipher.random_iv
|
|
14
|
+
@encrypted = cipher.update(raw_xml) + cipher.final
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
module Builders
|
|
4
|
+
class XmlSignature
|
|
5
|
+
SIGNATURE_METHODS = {
|
|
6
|
+
SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
|
|
7
|
+
SHA224: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
|
|
8
|
+
SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
|
|
9
|
+
SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
|
|
10
|
+
SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
|
|
11
|
+
}.freeze
|
|
12
|
+
DIGEST_METHODS = {
|
|
13
|
+
SHA1: "http://www.w3.org/2000/09/xmldsig#SHA1",
|
|
14
|
+
SHA224: "http://www.w3.org/2001/04/xmldsig-more#sha224",
|
|
15
|
+
SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
|
|
16
|
+
SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
|
|
17
|
+
SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
|
|
18
|
+
}.freeze
|
|
19
|
+
|
|
20
|
+
attr_reader :sign, :configuration
|
|
21
|
+
attr_reader :reference_id
|
|
22
|
+
attr_reader :x509_certificate
|
|
23
|
+
|
|
24
|
+
def initialize(reference_id, configuration:, sign: true)
|
|
25
|
+
@configuration = configuration
|
|
26
|
+
@reference_id = reference_id
|
|
27
|
+
@sign = sign
|
|
28
|
+
@x509_certificate = configuration.signing_certificate.stripped
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def signature_method
|
|
32
|
+
SIGNATURE_METHODS[configuration.signature_method]
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def digest_method
|
|
36
|
+
DIGEST_METHODS[configuration.digest_method]
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
data/lib/saml/kit/certificate.rb
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
module Saml
|
|
2
2
|
module Kit
|
|
3
3
|
class Certificate
|
|
4
|
+
BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
|
|
5
|
+
END_CERT=/-----END CERTIFICATE-----/
|
|
4
6
|
attr_reader :value, :use
|
|
5
7
|
|
|
6
8
|
def initialize(value, use:)
|
|
@@ -48,6 +50,18 @@ module Saml
|
|
|
48
50
|
value
|
|
49
51
|
end
|
|
50
52
|
|
|
53
|
+
def to_h
|
|
54
|
+
{ use: @use, x509: @value }
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def inspect
|
|
58
|
+
to_h.inspect
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
def stripped
|
|
62
|
+
value.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
|
|
63
|
+
end
|
|
64
|
+
|
|
51
65
|
def self.to_x509(value)
|
|
52
66
|
OpenSSL::X509::Certificate.new(Base64.decode64(value))
|
|
53
67
|
rescue OpenSSL::X509::CertificateError => error
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
class CompositeMetadata < Metadata
|
|
4
|
+
attr_reader :service_provider, :identity_provider
|
|
5
|
+
|
|
6
|
+
def initialize(xml)
|
|
7
|
+
super("IDPSSODescriptor", xml)
|
|
8
|
+
@service_provider = Saml::Kit::ServiceProviderMetadata.new(xml)
|
|
9
|
+
@identity_provider = Saml::Kit::IdentityProviderMetadata.new(xml)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def services(type)
|
|
13
|
+
xpath = "//md:EntityDescriptor/md:SPSSODescriptor/md:#{type}|//md:EntityDescriptor/md:IDPSSODescriptor/md:#{type}"
|
|
14
|
+
document.find_all(xpath).map do |item|
|
|
15
|
+
binding = item.attribute("Binding").value
|
|
16
|
+
location = item.attribute("Location").value
|
|
17
|
+
Saml::Kit::Bindings.create_for(binding, location)
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def certificates
|
|
22
|
+
identity_provider.certificates + service_provider.certificates
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def method_missing(name, *args)
|
|
26
|
+
if identity_provider.respond_to?(name)
|
|
27
|
+
identity_provider.public_send(name, *args)
|
|
28
|
+
elsif service_provider.respond_to?(name)
|
|
29
|
+
service_provider.public_send(name, *args)
|
|
30
|
+
else
|
|
31
|
+
super
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
@@ -1,9 +1,6 @@
|
|
|
1
1
|
module Saml
|
|
2
2
|
module Kit
|
|
3
3
|
class Configuration
|
|
4
|
-
BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
|
|
5
|
-
END_CERT=/-----END CERTIFICATE-----/
|
|
6
|
-
|
|
7
4
|
attr_accessor :issuer
|
|
8
5
|
attr_accessor :signature_method, :digest_method
|
|
9
6
|
attr_accessor :signing_certificate_pem, :signing_private_key_pem, :signing_private_key_password
|
|
@@ -23,20 +20,12 @@ module Saml
|
|
|
23
20
|
@logger = Logger.new(STDOUT)
|
|
24
21
|
end
|
|
25
22
|
|
|
26
|
-
def
|
|
27
|
-
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
def stripped_encryption_certificate
|
|
31
|
-
normalize(encryption_certificate_pem)
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
def signing_x509
|
|
35
|
-
Certificate.to_x509(signing_certificate_pem)
|
|
23
|
+
def signing_certificate
|
|
24
|
+
Saml::Kit::Certificate.new(signing_certificate_pem, use: :signing)
|
|
36
25
|
end
|
|
37
26
|
|
|
38
|
-
def
|
|
39
|
-
Certificate.
|
|
27
|
+
def encryption_certificate
|
|
28
|
+
Saml::Kit::Certificate.new(encryption_certificate_pem, use: :encryption)
|
|
40
29
|
end
|
|
41
30
|
|
|
42
31
|
def signing_private_key
|
|
@@ -46,12 +35,6 @@ module Saml
|
|
|
46
35
|
def encryption_private_key
|
|
47
36
|
OpenSSL::PKey::RSA.new(encryption_private_key_pem, encryption_private_key_password)
|
|
48
37
|
end
|
|
49
|
-
|
|
50
|
-
private
|
|
51
|
-
|
|
52
|
-
def normalize(certificate)
|
|
53
|
-
certificate.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
|
|
54
|
-
end
|
|
55
38
|
end
|
|
56
39
|
end
|
|
57
40
|
end
|
data/lib/saml/kit/metadata.rb
CHANGED
|
@@ -99,7 +99,9 @@ module Saml
|
|
|
99
99
|
def self.from(content)
|
|
100
100
|
hash = Hash.from_xml(content)
|
|
101
101
|
entity_descriptor = hash["EntityDescriptor"]
|
|
102
|
-
if entity_descriptor.
|
|
102
|
+
if entity_descriptor.key?("SPSSODescriptor") && entity_descriptor.key?("IDPSSODescriptor")
|
|
103
|
+
Saml::Kit::CompositeMetadata.new(content)
|
|
104
|
+
elsif entity_descriptor.keys.include?("SPSSODescriptor")
|
|
103
105
|
Saml::Kit::ServiceProviderMetadata.new(content)
|
|
104
106
|
elsif entity_descriptor.keys.include?("IDPSSODescriptor")
|
|
105
107
|
Saml::Kit::IdentityProviderMetadata.new(content)
|
data/lib/saml/kit/requestable.rb
CHANGED
data/lib/saml/kit/signature.rb
CHANGED
|
@@ -1,65 +1,23 @@
|
|
|
1
1
|
module Saml
|
|
2
2
|
module Kit
|
|
3
3
|
class Signature
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
SHA224: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
|
|
7
|
-
SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
|
|
8
|
-
SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
|
|
9
|
-
SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
|
|
10
|
-
}.freeze
|
|
11
|
-
DIGEST_METHODS = {
|
|
12
|
-
SHA1: "http://www.w3.org/2000/09/xmldsig#SHA1",
|
|
13
|
-
SHA224: "http://www.w3.org/2001/04/xmldsig-more#sha224",
|
|
14
|
-
SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
|
|
15
|
-
SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
|
|
16
|
-
SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
|
|
17
|
-
}.freeze
|
|
18
|
-
|
|
19
|
-
attr_reader :configuration, :sign, :xml
|
|
4
|
+
attr_reader :sign, :xml
|
|
5
|
+
attr_reader :configuration
|
|
20
6
|
|
|
21
7
|
def initialize(xml, configuration:, sign: true)
|
|
22
|
-
@xml = xml
|
|
23
8
|
@configuration = configuration
|
|
24
9
|
@sign = sign
|
|
25
|
-
@
|
|
10
|
+
@xml = xml
|
|
26
11
|
end
|
|
27
12
|
|
|
28
13
|
def template(reference_id)
|
|
29
14
|
return unless sign
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
xml.Signature "xmlns" => Namespaces::XMLDSIG do
|
|
34
|
-
xml.SignedInfo do
|
|
35
|
-
xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
|
|
36
|
-
xml.SignatureMethod Algorithm: SIGNATURE_METHODS[configuration.signature_method]
|
|
37
|
-
xml.Reference URI: "##{reference_id}" do
|
|
38
|
-
xml.Transforms do
|
|
39
|
-
xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
|
|
40
|
-
xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
|
|
41
|
-
end
|
|
42
|
-
xml.DigestMethod Algorithm: DIGEST_METHODS[configuration.digest_method]
|
|
43
|
-
xml.DigestValue ""
|
|
44
|
-
end
|
|
45
|
-
end
|
|
46
|
-
xml.SignatureValue ""
|
|
47
|
-
xml.KeyInfo do
|
|
48
|
-
xml.X509Data do
|
|
49
|
-
xml.X509Certificate configuration.stripped_signing_certificate
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
end
|
|
15
|
+
signature = signatures.build(reference_id)
|
|
16
|
+
Template.new(signature).to_xml(xml: xml)
|
|
53
17
|
end
|
|
54
18
|
|
|
55
19
|
def finalize
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
raw_xml = xml.target!
|
|
59
|
-
@reference_ids.each do |reference_id|
|
|
60
|
-
raw_xml = Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
|
|
61
|
-
end
|
|
62
|
-
raw_xml
|
|
20
|
+
signatures.complete(xml.target!)
|
|
63
21
|
end
|
|
64
22
|
|
|
65
23
|
def self.sign(sign: true, xml: ::Builder::XmlMarkup.new, configuration: Saml::Kit.configuration)
|
|
@@ -70,8 +28,8 @@ module Saml
|
|
|
70
28
|
|
|
71
29
|
private
|
|
72
30
|
|
|
73
|
-
def
|
|
74
|
-
configuration
|
|
31
|
+
def signatures
|
|
32
|
+
@signatures ||= Saml::Kit::Signatures.new(configuration: configuration, sign: sign)
|
|
75
33
|
end
|
|
76
34
|
end
|
|
77
35
|
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
class Signatures
|
|
4
|
+
attr_reader :sign, :configuration
|
|
5
|
+
|
|
6
|
+
def initialize(configuration:, sign: true)
|
|
7
|
+
@configuration = configuration
|
|
8
|
+
@sign = sign
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def build(reference_id)
|
|
12
|
+
Saml::Kit::Builders::XmlSignature.new(reference_id, configuration: configuration, sign: sign)
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def complete(raw_xml)
|
|
16
|
+
return raw_xml unless sign
|
|
17
|
+
|
|
18
|
+
Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
private
|
|
22
|
+
|
|
23
|
+
def private_key
|
|
24
|
+
configuration.signing_private_key
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
module Templatable
|
|
4
|
+
def to_xml(xml: ::Builder::XmlMarkup.new)
|
|
5
|
+
signatures.complete(render(self, xml: xml))
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def signature_for(reference_id:, xml:)
|
|
9
|
+
return unless sign
|
|
10
|
+
render(signatures.build(reference_id), xml: xml)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def signatures
|
|
14
|
+
@signatures ||= Saml::Kit::Signatures.new(configuration: configuration, sign: sign)
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def encryption_for(xml:)
|
|
18
|
+
if encrypt && encryption_certificate
|
|
19
|
+
temp = ::Builder::XmlMarkup.new
|
|
20
|
+
yield temp
|
|
21
|
+
xml_encryption = Saml::Kit::Builders::XmlEncryption.new(temp.target!, encryption_certificate.public_key)
|
|
22
|
+
render(xml_encryption, xml: xml)
|
|
23
|
+
else
|
|
24
|
+
yield xml
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def render(model, options)
|
|
29
|
+
Saml::Kit::Template.new(model).to_xml(options)
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Saml
|
|
2
|
+
module Kit
|
|
3
|
+
class Template
|
|
4
|
+
attr_reader :target
|
|
5
|
+
|
|
6
|
+
def initialize(target)
|
|
7
|
+
@target = target
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def to_xml(options)
|
|
11
|
+
template.render(target, options)
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
def template_name
|
|
17
|
+
"#{target.class.name.split("::").last.underscore}.builder"
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def template_path
|
|
21
|
+
File.join(File.expand_path(File.dirname(__FILE__)), "builders/templates/#{template_name}")
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def template
|
|
25
|
+
Tilt.new(template_path)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
data/lib/saml/kit/version.rb
CHANGED
|
@@ -8,10 +8,10 @@ module Saml
|
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def decrypt(data)
|
|
11
|
-
|
|
12
|
-
symmetric_key = symmetric_key_from(
|
|
13
|
-
cipher_text = Base64.decode64(
|
|
14
|
-
to_plaintext(cipher_text, symmetric_key,
|
|
11
|
+
encrypted_data = data['EncryptedData']
|
|
12
|
+
symmetric_key = symmetric_key_from(encrypted_data)
|
|
13
|
+
cipher_text = Base64.decode64(encrypted_data["CipherData"]["CipherValue"])
|
|
14
|
+
to_plaintext(cipher_text, symmetric_key, encrypted_data["EncryptionMethod"]['Algorithm'])
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
private
|
|
@@ -23,7 +23,7 @@ module Saml
|
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
def to_plaintext(cipher_text, symmetric_key, algorithm)
|
|
26
|
-
|
|
26
|
+
Crypto.decryptor_for(algorithm, symmetric_key).decrypt(cipher_text)
|
|
27
27
|
end
|
|
28
28
|
end
|
|
29
29
|
end
|
data/saml-kit.gemspec
CHANGED
|
@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
|
|
|
25
25
|
spec.add_dependency "activemodel", ">= 4.2.0"
|
|
26
26
|
spec.add_dependency "builder", "~> 3.2"
|
|
27
27
|
spec.add_dependency "nokogiri", "~> 1.8"
|
|
28
|
+
spec.add_dependency "tilt", "~> 2.0"
|
|
28
29
|
spec.add_dependency "xmldsig", "~> 0.6"
|
|
29
30
|
spec.add_development_dependency "bundler", "~> 1.15"
|
|
30
31
|
spec.add_development_dependency "ffaker", "~> 2.7"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: saml-kit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- mo khan
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-12-
|
|
11
|
+
date: 2017-12-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activemodel
|
|
@@ -52,6 +52,20 @@ dependencies:
|
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '1.8'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: tilt
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '2.0'
|
|
62
|
+
type: :runtime
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - "~>"
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '2.0'
|
|
55
69
|
- !ruby/object:Gem::Dependency
|
|
56
70
|
name: xmldsig
|
|
57
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -182,13 +196,27 @@ files:
|
|
|
182
196
|
- lib/saml/kit/bindings/url_builder.rb
|
|
183
197
|
- lib/saml/kit/buildable.rb
|
|
184
198
|
- lib/saml/kit/builders.rb
|
|
199
|
+
- lib/saml/kit/builders/assertion.rb
|
|
185
200
|
- lib/saml/kit/builders/authentication_request.rb
|
|
186
201
|
- lib/saml/kit/builders/identity_provider_metadata.rb
|
|
187
202
|
- lib/saml/kit/builders/logout_request.rb
|
|
188
203
|
- lib/saml/kit/builders/logout_response.rb
|
|
189
204
|
- lib/saml/kit/builders/response.rb
|
|
190
205
|
- lib/saml/kit/builders/service_provider_metadata.rb
|
|
206
|
+
- lib/saml/kit/builders/templates/assertion.builder
|
|
207
|
+
- lib/saml/kit/builders/templates/authentication_request.builder
|
|
208
|
+
- lib/saml/kit/builders/templates/certificate.builder
|
|
209
|
+
- lib/saml/kit/builders/templates/identity_provider_metadata.builder
|
|
210
|
+
- lib/saml/kit/builders/templates/logout_request.builder
|
|
211
|
+
- lib/saml/kit/builders/templates/logout_response.builder
|
|
212
|
+
- lib/saml/kit/builders/templates/response.builder
|
|
213
|
+
- lib/saml/kit/builders/templates/service_provider_metadata.builder
|
|
214
|
+
- lib/saml/kit/builders/templates/xml_encryption.builder
|
|
215
|
+
- lib/saml/kit/builders/templates/xml_signature.builder
|
|
216
|
+
- lib/saml/kit/builders/xml_encryption.rb
|
|
217
|
+
- lib/saml/kit/builders/xml_signature.rb
|
|
191
218
|
- lib/saml/kit/certificate.rb
|
|
219
|
+
- lib/saml/kit/composite_metadata.rb
|
|
192
220
|
- lib/saml/kit/configuration.rb
|
|
193
221
|
- lib/saml/kit/crypto.rb
|
|
194
222
|
- lib/saml/kit/crypto/oaep_cipher.rb
|
|
@@ -213,6 +241,9 @@ files:
|
|
|
213
241
|
- lib/saml/kit/serializable.rb
|
|
214
242
|
- lib/saml/kit/service_provider_metadata.rb
|
|
215
243
|
- lib/saml/kit/signature.rb
|
|
244
|
+
- lib/saml/kit/signatures.rb
|
|
245
|
+
- lib/saml/kit/templatable.rb
|
|
246
|
+
- lib/saml/kit/template.rb
|
|
216
247
|
- lib/saml/kit/trustable.rb
|
|
217
248
|
- lib/saml/kit/version.rb
|
|
218
249
|
- lib/saml/kit/xml.rb
|