saml-kit 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fb58a002fa7488ce7c1baa15239d37f10a92d38e
-  data.tar.gz: 83776e36bb603f5abeca6029342cc3f9bacd6ef2
+  metadata.gz: ea04912ee0a128c6ad73be1006827a0759698b07
+  data.tar.gz: 3a2c7424b611f7c60fd67d55e8df21c7339d9ae6
 SHA512:
-  metadata.gz: a7117ae3e3516159c9ab85a9c964659b677afea39a90638146519d1f770131bc8287170cccbba3b9189ef1ce7d5a245ccaf33e11aeda40771de3d96fdeb8a965
-  data.tar.gz: 510fc88b81a2f485e82fc6eba9146201eb69482e8166ced1659465fdace63dd9176b5887d21b010c3c812909fffe6e2f28d60a335770b3d07c85b497cf0c346e
+  metadata.gz: 7241a12e8e8614289205f12b238208742514e70bd66ce33e42ca7244597d62db1622de32c6ed1e968e2cc5cf9e735bbf3ab78fcd2c15f829b325e518621eb1a7
+  data.tar.gz: 8e280182ced754e6d2120e9c65d04233dc0ea979cbe0e74002d2e9156b4bdb8aa3030e122c21c24b6ca353b14daf83a45a261a4178ffe4cbc992cac716fca4b1

data/exe/saml-kit-create-self-signed-certificate

@@ -3,7 +3,7 @@ require 'saml/kit'
 
 puts "Enter Passphrase:"
 passphrase = STDIN.read.strip
-certificate, private_key = Saml::Kit::SelfSignedCertificate.new(passphrase).create
+certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new(passphrase).create
 
 puts "** BEGIN File Format **"
 print certificate

data/exe/saml-kit-decode-http-post

@@ -2,7 +2,5 @@
 require 'saml/kit'
 
 saml = STDIN.read
-
 binding = Saml::Kit::Bindings::HttpPost.new(location: '')
-xml = binding.deserialize('SAMLRequest' => saml).to_xml
-puts Nokogiri::XML(xml).to_xml(indent: 2)
+puts binding.deserialize('SAMLRequest' => saml).to_xml(pretty: true)

data/exe/saml-kit-decode-http-redirect

@@ -2,6 +2,5 @@
 require 'saml/kit'
 
 saml = STDIN.read
-binding = Saml::Kit::HttpRedirectBinding.new(location: '')
-xml = binding.deserialize('SAMLRequest' => saml).to_xml
-puts Nokogiri::XML(xml).to_xml(indent: 2)
+binding = Saml::Kit::Bindings::HttpRedirectBinding.new(location: '')
+puts binding.deserialize('SAMLRequest' => saml).to_xml(pretty: true)

data/lib/saml/kit.rb

@@ -7,16 +7,13 @@ require "active_support/core_ext/hash/indifferent_access"
 require "active_support/core_ext/numeric/time"
 require "active_support/deprecation"
 require "active_support/duration"
-require "builder"
 require "logger"
 require "net/http"
 require "nokogiri"
 require "securerandom"
-require "tilt"
-require "xmldsig"
+require "xml/kit"
 
 require "saml/kit/buildable"
-require "saml/kit/templatable"
 require "saml/kit/builders"
 require "saml/kit/namespaces"
 require "saml/kit/serializable"
@@ -30,27 +27,17 @@ require "saml/kit/document"
 require "saml/kit/assertion"
 require "saml/kit/authentication_request"
 require "saml/kit/bindings"
-require "saml/kit/certificate"
 require "saml/kit/configuration"
-require "saml/kit/crypto"
 require "saml/kit/default_registry"
-require "saml/kit/fingerprint"
-require "saml/kit/key_pair"
 require "saml/kit/logout_response"
 require "saml/kit/logout_request"
 require "saml/kit/metadata"
 require "saml/kit/composite_metadata"
 require "saml/kit/response"
-require "saml/kit/id"
 require "saml/kit/identity_provider_metadata"
 require "saml/kit/invalid_document"
-require "saml/kit/self_signed_certificate"
 require "saml/kit/service_provider_metadata"
 require "saml/kit/signature"
-require "saml/kit/signatures"
-require "saml/kit/template"
-require "saml/kit/xml"
-require "saml/kit/xml_decryption"
 
 I18n.load_path += Dir[File.expand_path("kit/locales/*.yml", File.dirname(__FILE__))]
 

data/lib/saml/kit/assertion.rb

@@ -72,17 +72,20 @@ module Saml
       attr_reader :configuration
 
       def assertion
-        @assertion ||= if encrypted?
-          decrypted = XmlDecryption.new(configuration: configuration).decrypt(@xml_hash['Response']['EncryptedAssertion'])
-          Saml::Kit.logger.debug(decrypted)
-          Hash.from_xml(decrypted)['Assertion']
-        else
-          result = @xml_hash.fetch('Response', {}).fetch('Assertion', {})
-          return result if result.is_a?(Hash)
-
-          errors[:assertion] << error_message(:must_contain_single_assertion)
-          {}
-        end
+        @assertion ||=
+          if encrypted?
+            private_keys = configuration.private_keys(use: :encryption)
+            decryptor = ::Xml::Kit::Decryption.new(private_keys: private_keys)
+            decrypted = decryptor.decrypt(@xml_hash['Response']['EncryptedAssertion'])
+            Saml::Kit.logger.debug(decrypted)
+            Hash.from_xml(decrypted)['Assertion']
+          else
+            result = @xml_hash.fetch('Response', {}).fetch('Assertion', {})
+            return result if result.is_a?(Hash)
+
+            errors[:assertion] << error_message(:must_contain_single_assertion)
+            {}
+          end
       end
 
       def parse_date(value)

data/lib/saml/kit/bindings/url_builder.rb

@@ -34,7 +34,7 @@ module Saml
           to_query_string(
             saml_document.query_string_parameter => serialize(saml_document.to_xml),
             'RelayState' => relay_state,
-            'SigAlg' => Saml::Kit::Namespaces::SHA256,
+            'SigAlg' => ::Xml::Kit::Namespaces::SHA256,
           )
         end
 

data/lib/saml/kit/builders.rb

@@ -1,13 +1,13 @@
+require 'saml/kit/xml_templatable'
 require 'saml/kit/builders/assertion'
 require 'saml/kit/builders/authentication_request'
+require 'saml/kit/builders/encrypted_assertion'
 require 'saml/kit/builders/identity_provider_metadata'
 require 'saml/kit/builders/logout_request'
 require 'saml/kit/builders/logout_response'
 require 'saml/kit/builders/metadata'
 require 'saml/kit/builders/response'
 require 'saml/kit/builders/service_provider_metadata'
-require 'saml/kit/builders/xml_encryption'
-require 'saml/kit/builders/xml_signature'
 
 module Saml
   module Kit

data/lib/saml/kit/builders/assertion.rb

@@ -1,11 +1,12 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/assertion.builder}
       class Assertion
-        include Templatable
+        include XmlTemplatable
         extend Forwardable
 
-        def_delegators :@response_builder, :encrypt, :embed_signature, :request, :issuer, :reference_id, :now, :configuration, :user, :version, :destination, :encryption_certificate
+        def_delegators :@response_builder, :embed_signature, :request, :issuer, :reference_id, :now, :configuration, :user, :version, :destination
 
         def initialize(response_builder)
           @response_builder = response_builder

data/lib/saml/kit/builders/authentication_request.rb

@@ -1,16 +1,17 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/authentication_request.builder}
       # {include:file:spec/saml/builders/authentication_request_spec.rb}
       class AuthenticationRequest
-        include Saml::Kit::Templatable
+        include XmlTemplatable
         attr_accessor :id, :now, :issuer, :assertion_consumer_service_url, :name_id_format, :destination
         attr_accessor :version
         attr_reader :configuration
 
         def initialize(configuration: Saml::Kit.configuration)
           @configuration = configuration
-          @id = Id.generate
+          @id = ::Xml::Kit::Id.generate
           @issuer = configuration.issuer
           @name_id_format = Namespaces::PERSISTENT
           @now = Time.now.utc

data/lib/saml/kit/builders/encrypted_assertion.rb

@@ -0,0 +1,20 @@
+module Saml
+  module Kit
+    module Builders
+      # {include:file:lib/saml/kit/builders/templates/encrypted_assertion.builder}
+      class EncryptedAssertion
+        include XmlTemplatable
+        extend Forwardable
+
+        attr_reader :assertion
+        def_delegators :@response_builder, :configuration, :encryption_certificate
+
+        def initialize(response_builder, assertion)
+          @response_builder = response_builder
+          @assertion = assertion
+          @encrypt = true
+        end
+      end
+    end
+  end
+end

data/lib/saml/kit/builders/identity_provider_metadata.rb

@@ -1,9 +1,10 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/identity_provider_metadata.builder}
       # {include:file:spec/saml/builders/identity_provider_metadata_spec.rb}
       class IdentityProviderMetadata
-        include Saml::Kit::Templatable
+        include XmlTemplatable
         extend Forwardable
         attr_accessor :attributes, :name_id_formats
         attr_accessor :want_authn_requests_signed
@@ -16,7 +17,7 @@ module Saml
           @attributes = []
           @configuration = configuration
           @entity_id = configuration.issuer
-          @id = Id.generate
+          @id = ::Xml::Kit::Id.generate
           @logout_urls = []
           @name_id_formats = [Namespaces::PERSISTENT]
           @single_sign_on_urls = []
@@ -42,7 +43,7 @@ module Saml
         def entity_descriptor_options
           {
             'xmlns': Namespaces::METADATA,
-            'xmlns:ds': Namespaces::XMLDSIG,
+            'xmlns:ds': ::Xml::Kit::Namespaces::XMLDSIG,
             'xmlns:saml': Namespaces::ASSERTION,
             ID: id,
             entityID: entity_id,

data/lib/saml/kit/builders/logout_request.rb

@@ -1,9 +1,10 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/logout_request.builder}
       # {include:file:spec/saml/builders/logout_request_spec.rb}
       class LogoutRequest
-        include Saml::Kit::Templatable
+        include XmlTemplatable
         attr_accessor :id, :destination, :issuer, :name_id_format, :now
         attr_accessor :version
         attr_reader :user, :configuration
@@ -11,7 +12,7 @@ module Saml
         def initialize(user, configuration: Saml::Kit.configuration)
           @configuration = configuration
           @user = user
-          @id = "_#{SecureRandom.uuid}"
+          @id = ::Xml::Kit::Id.generate
           @issuer = configuration.issuer
           @name_id_format = Saml::Kit::Namespaces::PERSISTENT
           @now = Time.now.utc

data/lib/saml/kit/builders/logout_response.rb

@@ -1,16 +1,17 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/logout_response.builder}
       # {include:file:spec/saml/builders/logout_response_spec.rb}
       class LogoutResponse
-        include Saml::Kit::Templatable
+        include XmlTemplatable
         attr_accessor :id, :issuer, :version, :status_code, :now, :destination
         attr_reader :request
         attr_reader :configuration
 
         def initialize(request, configuration: Saml::Kit.configuration)
           @configuration = configuration
-          @id = Id.generate
+          @id = ::Xml::Kit::Id.generate
           @issuer = configuration.issuer
           @now = Time.now.utc
           @request = request

data/lib/saml/kit/builders/metadata.rb

@@ -1,9 +1,10 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/metadata.builder}
       # {include:file:spec/saml/builders/metadata_spec.rb}
       class Metadata
-        include Templatable
+        include XmlTemplatable
 
         attr_accessor :entity_id
         attr_accessor :id
@@ -13,7 +14,7 @@ module Saml
         attr_reader :configuration
 
         def initialize(configuration: Saml::Kit.configuration)
-          @id = Id.generate
+          @id = ::Xml::Kit::Id.generate
           @entity_id = configuration.issuer
           @configuration = configuration
         end
@@ -39,7 +40,7 @@ module Saml
         def entity_descriptor_options
           {
             'xmlns': Namespaces::METADATA,
-            'xmlns:ds': Namespaces::XMLDSIG,
+            'xmlns:ds': ::Xml::Kit::Namespaces::XMLDSIG,
             'xmlns:saml': Namespaces::ASSERTION,
             ID: id,
             entityID: entity_id,

data/lib/saml/kit/builders/response.rb

@@ -1,20 +1,21 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/response.builder}
       # {include:file:spec/saml/builders/response_spec.rb}
       class Response
-        include Templatable
+        include XmlTemplatable
         attr_reader :user, :request
         attr_accessor :id, :reference_id, :now
         attr_accessor :version, :status_code
-        attr_accessor :issuer, :destination, :encrypt
+        attr_accessor :issuer, :destination
         attr_reader :configuration
 
         def initialize(user, request, configuration: Saml::Kit.configuration)
           @user = user
           @request = request
-          @id = Id.generate
-          @reference_id = Id.generate
+          @id = ::Xml::Kit::Id.generate
+          @reference_id = ::Xml::Kit::Id.generate
           @now = Time.now.utc
           @version = "2.0"
           @status_code = Namespaces::SUCCESS
@@ -37,7 +38,15 @@ module Saml
         private
 
         def assertion
-          @assertion ||= Saml::Kit::Builders::Assertion.new(self)
+          @assertion ||=
+            begin
+              assertion = Saml::Kit::Builders::Assertion.new(self)
+              if encrypt
+                Saml::Kit::Builders::EncryptedAssertion.new(self, assertion)
+              else
+                assertion
+              end
+            end
         end
 
         def response_options

data/lib/saml/kit/builders/service_provider_metadata.rb

@@ -1,9 +1,10 @@
 module Saml
   module Kit
     module Builders
+      # {include:file:lib/saml/kit/builders/templates/service_provider_metadata.builder}
       # {include:file:spec/saml/builders/service_provider_metadata_spec.rb}
       class ServiceProviderMetadata
-        include Saml::Kit::Templatable
+        include XmlTemplatable
         extend Forwardable
         attr_accessor :acs_urls, :logout_urls, :name_id_formats
         attr_accessor :want_assertions_signed

data/lib/saml/kit/builders/templates/assertion.builder

@@ -1,29 +1,27 @@
-encryption_for(xml: xml) do |xml|
-  xml.Assertion(assertion_options) do
-    xml.Issuer issuer
-    signature_for(reference_id: reference_id, xml: xml)
-    xml.Subject do
-      xml.NameID name_id, Format: name_id_format
-      xml.SubjectConfirmation Method: Saml::Kit::Namespaces::BEARER do
-        xml.SubjectConfirmationData "", subject_confirmation_data_options
-      end
+xml.Assertion(assertion_options) do
+  xml.Issuer issuer
+  signature_for(reference_id: reference_id, xml: xml)
+  xml.Subject do
+    xml.NameID name_id, Format: name_id_format
+    xml.SubjectConfirmation Method: Saml::Kit::Namespaces::BEARER do
+      xml.SubjectConfirmationData "", subject_confirmation_data_options
     end
-    xml.Conditions conditions_options do
-      xml.AudienceRestriction do
-        xml.Audience request.issuer
-      end
+  end
+  xml.Conditions conditions_options do
+    xml.AudienceRestriction do
+      xml.Audience request.issuer
     end
-    xml.AuthnStatement authn_statement_options do
-      xml.AuthnContext do
-        xml.AuthnContextClassRef Saml::Kit::Namespaces::PASSWORD
-      end
+  end
+  xml.AuthnStatement authn_statement_options do
+    xml.AuthnContext do
+      xml.AuthnContextClassRef Saml::Kit::Namespaces::PASSWORD
     end
-    if assertion_attributes.any?
-      xml.AttributeStatement do
-        assertion_attributes.each do |key, value|
-          xml.Attribute Name: key, NameFormat: Saml::Kit::Namespaces::URI, FriendlyName: key do
-            xml.AttributeValue value.to_s
-          end
+  end
+  if assertion_attributes.any?
+    xml.AttributeStatement do
+      assertion_attributes.each do |key, value|
+        xml.Attribute Name: key, NameFormat: Saml::Kit::Namespaces::URI, FriendlyName: key do
+          xml.AttributeValue value.to_s
         end
       end
     end

data/lib/saml/kit/builders/templates/encrypted_assertion.builder

@@ -0,0 +1,5 @@
+xml.EncryptedAssertion xmlns: Saml::Kit::Namespaces::ASSERTION do
+  encryption_for(xml: xml) do |xml|
+    render assertion, xml: xml
+  end
+end

data/lib/saml/kit/configuration.rb

@@ -53,7 +53,7 @@ module Saml
       # @param passphrase [String] the password to decrypt the private key.
       # @param use [Symbol] the type of key pair, `:signing` or `:encryption`
       def add_key_pair(certificate, private_key, passphrase: '', use: :signing)
-        @key_pairs.push(KeyPair.new(certificate, private_key, passphrase, use.to_sym))
+        @key_pairs.push(::Xml::Kit::KeyPair.new(certificate, private_key, passphrase, use.to_sym))
       end
 
       # Generates a unique key pair that can be used for signing or encryption.
@@ -61,7 +61,7 @@ module Saml
       # @param use [Symbol] the type of key pair, `:signing` or `:encryption`
       # @param passphrase [String] the private key passphrase to use.
       def generate_key_pair_for(use:, passphrase: SecureRandom.uuid)
-        certificate, private_key = SelfSignedCertificate.new(passphrase).create
+        certificate, private_key = ::Xml::Kit::SelfSignedCertificate.new(passphrase).create
         add_key_pair(certificate, private_key, passphrase: passphrase, use: use)
       end
 

data/lib/saml/kit/document.rb

@@ -2,6 +2,13 @@ module Saml
   module Kit
     class Document
       PROTOCOL_XSD = File.expand_path("./xsd/saml-schema-protocol-2.0.xsd", File.dirname(__FILE__)).freeze
+      NAMESPACES = {
+        "NameFormat": ::Saml::Kit::Namespaces::ATTR_SPLAT,
+        "ds": ::Xml::Kit::Namespaces::XMLDSIG,
+        "md": ::Saml::Kit::Namespaces::METADATA,
+        "saml": ::Saml::Kit::Namespaces::ASSERTION,
+        "samlp": ::Saml::Kit::Namespaces::PROTOCOL,
+      }.freeze
       include ActiveModel::Validations
       include XsdValidatable
       include Translatable
@@ -79,12 +86,15 @@ module Saml
         # @param xml [String] the raw xml string.
         # @param configuration [Saml::Kit::Configuration] the configuration to use for unpacking the document.
         def to_saml_document(xml, configuration: Saml::Kit.configuration)
+          xml_document = ::Xml::Kit::Document.new(xml, namespaces: {
+            "samlp": ::Saml::Kit::Namespaces::PROTOCOL
+          })
           constructor = {
             "AuthnRequest" => Saml::Kit::AuthenticationRequest,
             "LogoutRequest" => Saml::Kit::LogoutRequest,
             "LogoutResponse" => Saml::Kit::LogoutResponse,
             "Response" => Saml::Kit::Response,
-          }[Saml::Kit::Xml.new(xml).find_by(XPATH).name] || InvalidDocument
+          }[xml_document.find_by(XPATH).name] || InvalidDocument
           constructor.new(xml, configuration: configuration)
         rescue => error
           Saml::Kit.logger.error(error)