saml-kit 0.2.4 → 0.2.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 13c5ee20e28acd63c6ec3dde99cd1fea092be3db550dca1bd129a4b0e1fb83d3
-  data.tar.gz: 0337c7d33845d4fbfb9dd6cc817cfde1dc620c3745cfd83b96f246e29ec30dc3
+  metadata.gz: b98601350af83c7090bc7fead240f7fabb4736f642a262502a96c48e533f3203
+  data.tar.gz: a51e398301b1115654dbe0a8a31bf61b029456c12302bb42512b7dac716d38e8
 SHA512:
-  metadata.gz: cc09a60391991a964b3f6114e6c039da70eb917ba268787abe8940bc00a8883449f5e751aeb2365b9cae5f693d177ded5fd2d9d152ae766569a9feb5a8198ad2
-  data.tar.gz: e6cd00b9f963348a4b9cce442d09fe7b5819c0b970334ccff01c6fcfcce54e60cfff7692878f5603a6e54061c2b75b0df61364e2eaa1717547fdc079efbe588c
+  metadata.gz: 1d032fb605d2c62e45e491ddde0e90274f3ae0ddab82c7e4daa72cfcc7c992483abcd5151399c67d7205bcb0de2ebe1fb1e1953fe416c9efac333e1dba86ab56
+  data.tar.gz: d330dc2cc0a7dfd9d7fb29e9ec9da4b9549739160f77bc6de73f1d6bd9ca15851faa595a3ccf7a75064479751b81123beaf4fb0dd6b31f5f193fbc4fd0ce182e

data/lib/saml/kit.rb

@@ -24,6 +24,7 @@ require "saml/kit/xsd_validatable"
 require "saml/kit/respondable"
 require "saml/kit/requestable"
 require "saml/kit/trustable"
+require "saml/kit/translatable"
 require "saml/kit/document"
 
 require "saml/kit/assertion"

data/lib/saml/kit/assertion.rb

@@ -1,7 +1,15 @@
 module Saml
   module Kit
     class Assertion
+      include ActiveModel::Validations
+      include Translatable
+
+      validate :must_match_issuer
+      validate :must_be_active_session
+      attr_reader :name
+
       def initialize(xml_hash, configuration:)
+        @name = "Assertion"
         @xml_hash = xml_hash
         @configuration = configuration
       end
@@ -11,7 +19,20 @@ module Saml
       end
 
       def signed?
-        assertion.fetch('Signature', nil).present?
+        signature.present?
+      end
+
+      def signature
+        xml_hash = assertion.fetch('Signature', nil)
+        xml_hash ? Signature.new(xml_hash) : nil
+      end
+
+      def expired?
+        Time.current > expired_at
+      end
+
+      def active?
+        Time.current > started_at && !expired?
       end
 
       def attributes
@@ -35,10 +56,6 @@ module Saml
         parse_date(assertion.fetch('Conditions', {}).fetch('NotOnOrAfter', nil))
       end
 
-      def certificate
-        assertion.fetch('Signature', {}).fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
-      end
-
       def audiences
         Array(assertion['Conditions']['AudienceRestriction']['Audience'])
       rescue => error
@@ -68,6 +85,17 @@ module Saml
         Saml::Kit.logger.error(error)
         Time.at(0).to_datetime
       end
+
+      def must_match_issuer
+        unless audiences.include?(@configuration.issuer)
+          errors[:audience] << error_message(:must_match_issuer)
+        end
+      end
+
+      def must_be_active_session
+        return if active?
+        errors[:base] << error_message(:expired)
+      end
     end
   end
 end

data/lib/saml/kit/bindings/url_builder.rb

@@ -21,7 +21,7 @@ module Saml
         private
 
         def signature_for(payload)
-          private_key = configuration.private_keys(use: :signing).sample
+          private_key = configuration.private_keys(use: :signing).last
           encode(private_key.sign(OpenSSL::Digest::SHA256.new, payload))
         end
 

data/lib/saml/kit/buildable.rb

@@ -8,6 +8,10 @@ module Saml
           builder(*args, &block).build
         end
 
+        def build_xml(*args, &block)
+          builder(*args, &block).to_xml
+        end
+
         def builder(*args)
           builder_class.new(*args).tap do |builder|
             yield builder if block_given?

data/lib/saml/kit/builders/xml_signature.rb

@@ -24,7 +24,7 @@ module Saml
         def initialize(reference_id, configuration:)
           @configuration = configuration
           @reference_id = reference_id
-          @x509_certificate = configuration.certificates(use: :signing).sample.stripped
+          @x509_certificate = configuration.certificates(use: :signing).last.stripped
         end
 
         def signature_method

data/lib/saml/kit/certificate.rb

@@ -19,11 +19,11 @@ module Saml
       end
 
       def encryption?
-        :encryption == use
+        for?(:encryption)
       end
 
       def signing?
-        :signing == use
+        for?(:signing)
       end
 
       def x509

data/lib/saml/kit/document.rb

@@ -2,8 +2,9 @@ module Saml
   module Kit
     class Document
       PROTOCOL_XSD = File.expand_path("./xsd/saml-schema-protocol-2.0.xsd", File.dirname(__FILE__)).freeze
-      include XsdValidatable
       include ActiveModel::Validations
+      include XsdValidatable
+      include Translatable
       include Trustable
       include Buildable
       validates_presence_of :content

data/lib/saml/kit/locales/en.yml

@@ -2,6 +2,8 @@
 en:
   saml/kit:
     errors:
+      Assertion:
+        expired: "must not be expired."
       AuthnRequest:
         invalid: "must contain AuthnRequest."
         invalid_fingerprint: "does not match."
@@ -17,7 +19,6 @@ en:
       LogoutResponse:
         unregistered: "is unregistered."
       Response:
-        expired: "must not be expired."
         invalid: "must contain Response."
         invalid_fingerprint: "does not match."
         invalid_response_to: "must match request id."

data/lib/saml/kit/metadata.rb

@@ -1,10 +1,11 @@
 module Saml
   module Kit
     class Metadata
+      METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
       include ActiveModel::Validations
       include XsdValidatable
+      include Translatable
       include Buildable
-      METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
 
       validates_presence_of :metadata
       validate :must_contain_descriptor

data/lib/saml/kit/response.rb

@@ -4,50 +4,25 @@ module Saml
       include Respondable
       extend Forwardable
 
-      def_delegators :assertion, :name_id, :[], :attributes, :started_at, :expired_at, :audiences
+      def_delegators :assertion, :name_id, :[], :attributes
 
-      validate :must_be_active_session
-      validate :must_match_issuer
+      validate :must_be_valid_assertion
 
       def initialize(xml, request_id: nil, configuration: Saml::Kit.configuration)
         @request_id = request_id
         super(xml, name: "Response", configuration: configuration)
       end
 
-      def expired?
-        Time.current > expired_at
-      end
-
-      def active?
-        Time.current > started_at && !expired?
-      end
-
       def assertion
-        @assertion = Saml::Kit::Assertion.new(to_h, configuration: @configuration)
-      end
-
-      def signed?
-        super || assertion.signed?
-      end
-
-      def certificate
-        super || assertion.certificate
+        @assertion ||= Saml::Kit::Assertion.new(to_h, configuration: @configuration)
       end
 
       private
 
-      def must_be_active_session
-        return unless expected_type?
-        return unless success?
-        errors[:base] << error_message(:expired) unless active?
-      end
-
-      def must_match_issuer
-        return unless expected_type?
-        return unless success?
-
-        unless audiences.include?(configuration.issuer)
-          errors[:audience] << error_message(:must_match_issuer)
+      def must_be_valid_assertion
+        assertion.valid?
+        assertion.errors.each do |attribute, error|
+          self.errors[attribute] << error
         end
       end
 

data/lib/saml/kit/signature.rb

@@ -1,22 +1,23 @@
 module Saml
   module Kit
     class Signature
-      attr_reader :signatures
-      attr_reader :xml
+      def initialize(xml_hash)
+        @xml_hash = xml_hash
+      end
 
-      def initialize(xml, signatures)
-        @signatures = signatures
-        @xml = xml
+      def certificate
+        value = to_h.fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
+        return if value.nil?
+        Saml::Kit::Certificate.new(value, use: :signing)
       end
 
-      def template(reference_id)
-        Template.new(signatures.build(reference_id)).to_xml(xml: xml)
+      def trusted?(metadata)
+        return false if metadata.nil?
+        metadata.matches?(certificate.fingerprint, use: :signing)
       end
 
-      def self.sign(xml: ::Builder::XmlMarkup.new, configuration: Saml::Kit.configuration)
-        signatures = Saml::Kit::Signatures.new(configuration: configuration)
-        yield xml, new(xml, signatures)
-        signatures.complete(xml.target!)
+      def to_h
+        @xml_hash
       end
     end
   end

data/lib/saml/kit/signatures.rb

@@ -14,9 +14,28 @@ module Saml
 
       def complete(raw_xml)
         return raw_xml unless configuration.sign?
-        private_key = configuration.private_keys(use: :signing).sample
+        private_key = configuration.private_keys(use: :signing).last
         Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
       end
+
+      def self.sign(xml: ::Builder::XmlMarkup.new, configuration: Saml::Kit.configuration)
+        signatures = Saml::Kit::Signatures.new(configuration: configuration)
+        yield xml, XmlSignatureTemplate.new(xml, signatures)
+        signatures.complete(xml.target!)
+      end
+
+      class XmlSignatureTemplate
+        attr_reader :signatures, :xml
+
+        def initialize(xml, signatures)
+          @signatures = signatures
+          @xml = xml
+        end
+
+        def template(reference_id)
+          Template.new(signatures.build(reference_id)).to_xml(xml: xml)
+        end
+      end
     end
   end
 end

data/lib/saml/kit/templatable.rb

@@ -21,7 +21,7 @@ module Saml
       end
 
       def encryption_for(xml:)
-        if encrypt && encryption_certificate
+        if encrypt?
           temp = ::Builder::XmlMarkup.new
           yield temp
           xml_encryption = Saml::Kit::Builders::XmlEncryption.new(temp.target!, encryption_certificate.public_key)
@@ -31,6 +31,10 @@ module Saml
         end
       end
 
+      def encrypt?
+        encrypt && encryption_certificate
+      end
+
       def render(model, options)
         Saml::Kit::Template.new(model).to_xml(options)
       end

data/lib/saml/kit/translatable.rb

@@ -0,0 +1,9 @@
+module Saml
+  module Kit
+    module Translatable
+      def error_message(attribute, type: :invalid)
+        I18n.translate(attribute, scope: "saml/kit.errors.#{name}")
+      end
+    end
+  end
+end

data/lib/saml/kit/trustable.rb

@@ -9,24 +9,18 @@ module Saml
         validate :must_be_trusted, unless: :signature_manually_verified
       end
 
-      def certificate
-        return unless signed?
-        to_h.fetch(name, {}).fetch('Signature', {}).fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
-      end
-
-      def fingerprint
-        return if certificate.blank?
-        Fingerprint.new(certificate)
+      def signed?
+        signature.present?
       end
 
-      def signed?
-        to_h.fetch(name, {}).fetch('Signature', nil).present?
+      def signature
+        xml_hash = to_h.fetch(name, {}).fetch('Signature', nil)
+        xml_hash ? Signature.new(xml_hash) : nil
       end
 
       def trusted?
-        return false if provider.nil?
         return false unless signed?
-        provider.matches?(fingerprint, use: :signing)
+        signature.trusted?(provider)
       end
 
       def provider
@@ -59,6 +53,7 @@ module Saml
 
       def must_be_trusted
         return if trusted?
+        return if provider.present? && !signed?
         errors[:fingerprint] << error_message(:invalid_fingerprint)
       end
     end

data/lib/saml/kit/version.rb

@@ -1,5 +1,5 @@
 module Saml
   module Kit
-    VERSION = "0.2.4"
+    VERSION = "0.2.5"
   end
 end

data/lib/saml/kit/xml_decryption.rb

@@ -4,7 +4,7 @@ module Saml
       attr_reader :private_key
 
       def initialize(configuration: Saml::Kit.configuration)
-        @private_key = configuration.private_keys(use: :encryption).sample
+        @private_key = configuration.private_keys(use: :encryption).last
       end
 
       def decrypt(data)

data/lib/saml/kit/xsd_validatable.rb

@@ -10,10 +10,6 @@ module Saml
           end
         end
       end
-
-      def error_message(key)
-        I18n.translate(key, scope: "saml/kit.errors.#{name}")
-      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: saml-kit
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.2.5
 platform: ruby
 authors:
 - mo khan
@@ -246,6 +246,7 @@ files:
 - lib/saml/kit/signatures.rb
 - lib/saml/kit/templatable.rb
 - lib/saml/kit/template.rb
+- lib/saml/kit/translatable.rb
 - lib/saml/kit/trustable.rb
 - lib/saml/kit/version.rb
 - lib/saml/kit/xml.rb