saml-kit 0.3.0 → 0.3.1

data/lib/saml/kit/metadata.rb

@@ -24,6 +24,13 @@ module Saml
     # {include:file:spec/examples/metadata_spec.rb}
     class Metadata
       METADATA_XSD = File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze
+      NAMESPACES = {
+        "NameFormat": Namespaces::ATTR_SPLAT,
+        "ds": ::Xml::Kit::Namespaces::XMLDSIG,
+        "md": Namespaces::METADATA,
+        "saml": Namespaces::ASSERTION,
+        "samlp": Namespaces::PROTOCOL,
+      }.freeze
       include ActiveModel::Validations
       include XsdValidatable
       include Translatable
@@ -69,8 +76,8 @@ module Saml
       # Returns each of the X509 certificates.
       def certificates
         @certificates ||= document.find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
-          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", Xml::NAMESPACES).text
-          Certificate.new(cert, use: item.attribute('use').value.to_sym)
+          cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NAMESPACES).text
+          ::Xml::Kit::Certificate.new(cert, use: item.attribute('use').value.to_sym)
         end
       end
 
@@ -134,7 +141,7 @@ module Saml
       #
       # @param fingerprint [Saml::Kit::Fingerprint] the fingerprint to search for.
       # @param use [Symbol] the type of certificates to look at. Can be `:signing` or `:encryption`.
-      # @return [Saml::Kit::Certificate] returns the matching `{Saml::Kit::Certificate}`
+      # @return [Xml::Kit::Certificate] returns the matching `{Xml::Kit::Certificate}`
       def matches?(fingerprint, use: :signing)
         certificates.find do |certificate|
           certificate.for?(use) && certificate.fingerprint == fingerprint
@@ -163,7 +170,7 @@ module Saml
       # @param algorithm [OpenSSL::Digest] the digest algorithm to use. E.g. `OpenSSL::Digest::SHA256`
       # @param signature [String] the signature to verify
       # @param data [String] the data that is used to produce the signature.
-      # @return [Saml::Kit::Certificate] the certificate that was used to produce the signature.
+      # @return [Xml::Kit::Certificate] the certificate that was used to produce the signature.
       def verify(algorithm, signature, data)
         signing_certificates.find do |certificate|
           certificate.public_key.verify(algorithm, signature, data)
@@ -196,7 +203,7 @@ module Saml
       attr_reader :xml
 
       def document
-        @document ||= Xml.new(xml)
+        @document ||= ::Xml::Kit::Document.new(xml, namespaces: NAMESPACES)
       end
 
       def metadata
@@ -220,7 +227,7 @@ module Saml
       end
 
       def valid_signature?
-        xml = Saml::Kit::Xml.new(to_xml)
+        xml = document
         result = xml.valid?
         xml.errors.each do |error|
           errors[:base] << error

data/lib/saml/kit/namespaces.rb

@@ -6,7 +6,6 @@ module Saml
       BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
       BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
       EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
-      ENVELOPED_SIG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
       METADATA = "urn:oasis:names:tc:SAML:2.0:metadata"
       PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
       PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
@@ -14,22 +13,12 @@ module Saml
       PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
       REQUESTER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Requester"
       RESPONDER_ERROR = "urn:oasis:names:tc:SAML:2.0:status:Responder"
-      RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
-      RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
-      RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
-      RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
-      SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
-      SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256'
-      SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
-      SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512'
       SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
       TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
       UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
       URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
       VERSION_MISMATCH_ERROR = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
-      XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
-      XMLENC = "http://www.w3.org/2001/04/xmlenc#"
     end
   end
 end

data/lib/saml/kit/signature.rb

@@ -9,7 +9,7 @@ module Saml
       def certificate
         value = to_h.fetch('KeyInfo', {}).fetch('X509Data', {}).fetch('X509Certificate', nil)
         return if value.nil?
-        Saml::Kit::Certificate.new(value, use: :signing)
+        ::Xml::Kit::Certificate.new(value, use: :signing)
       end
 
       # Returns true when the fingerprint of the certificate matches one of the certificates registered in the metadata.

data/lib/saml/kit/trustable.rb

@@ -44,7 +44,13 @@ module Saml
       def must_have_valid_signature
         return if to_xml.blank?
 
-        xml = Saml::Kit::Xml.new(to_xml)
+        xml = ::Xml::Kit::Document.new(to_xml, namespaces: {
+          "NameFormat": Namespaces::ATTR_SPLAT,
+          "ds": ::Xml::Kit::Namespaces::XMLDSIG,
+          "md": Namespaces::METADATA,
+          "saml": Namespaces::ASSERTION,
+          "samlp": Namespaces::PROTOCOL,
+        })
         xml.valid?
         xml.errors.each do |error|
           errors[:base] << error

data/lib/saml/kit/version.rb

@@ -1,5 +1,5 @@
 module Saml
   module Kit
-    VERSION = "0.3.0"
+    VERSION = "0.3.1"
   end
 end

data/lib/saml/kit/xml_templatable.rb

@@ -0,0 +1,37 @@
+module Saml
+  module Kit
+    module XmlTemplatable
+      include ::Xml::Kit::Templatable
+
+      def template_path
+        root_path = File.expand_path(File.dirname(__FILE__))
+        template_name = "#{self.class.name.split("::").last.underscore}.builder"
+        File.join(root_path, "builders/templates/", template_name)
+      end
+
+      # Returns true if an embedded signature is requested and at least one signing certificate is available via the configuration.
+      def sign?
+        return configuration.sign? if embed_signature.nil?
+        embed_signature && configuration.sign?
+      end
+
+      # @deprecated Use {#embed_signature=} instead of this method.
+      def sign=(value)
+        Saml::Kit.deprecate("sign= is deprecated. Use embed_signature= instead.")
+        self.embed_signature = value
+      end
+
+      def digest_method
+        configuration.digest_method
+      end
+
+      def signature_method
+        configuration.signature_method
+      end
+
+      def signing_key_pair
+        configuration.key_pairs(use: :signing).last
+      end
+    end
+  end
+end

data/saml-kit.gemspec

@@ -24,10 +24,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "activemodel", ">= 4.2.0"
-  spec.add_dependency "builder", "~> 3.2"
   spec.add_dependency "nokogiri", "~> 1.8"
-  spec.add_dependency "tilt", "~> 2.0"
-  spec.add_dependency "xmldsig", "~> 0.6"
+  spec.add_dependency "xml-kit", "0.1.0"
   spec.add_development_dependency "bundler", "~> 1.15"
   spec.add_development_dependency "ffaker", "~> 2.7"
   spec.add_development_dependency "rake", "~> 10.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml-kit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - mo khan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-12-24 00:00:00.000000000 Z
+date: 2017-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -24,20 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.2.0
-- !ruby/object:Gem::Dependency
-  name: builder
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -53,33 +39,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.8'
 - !ruby/object:Gem::Dependency
-  name: tilt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: xmldsig
+  name: xml-kit
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: 0.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -199,6 +171,7 @@ files:
 - lib/saml/kit/builders.rb
 - lib/saml/kit/builders/assertion.rb
 - lib/saml/kit/builders/authentication_request.rb
+- lib/saml/kit/builders/encrypted_assertion.rb
 - lib/saml/kit/builders/identity_provider_metadata.rb
 - lib/saml/kit/builders/logout_request.rb
 - lib/saml/kit/builders/logout_response.rb
@@ -207,33 +180,19 @@ files:
 - lib/saml/kit/builders/service_provider_metadata.rb
 - lib/saml/kit/builders/templates/assertion.builder
 - lib/saml/kit/builders/templates/authentication_request.builder
-- lib/saml/kit/builders/templates/certificate.builder
+- lib/saml/kit/builders/templates/encrypted_assertion.builder
 - lib/saml/kit/builders/templates/identity_provider_metadata.builder
 - lib/saml/kit/builders/templates/logout_request.builder
 - lib/saml/kit/builders/templates/logout_response.builder
 - lib/saml/kit/builders/templates/metadata.builder
-- lib/saml/kit/builders/templates/nil_class.builder
 - lib/saml/kit/builders/templates/response.builder
 - lib/saml/kit/builders/templates/service_provider_metadata.builder
-- lib/saml/kit/builders/templates/xml_encryption.builder
-- lib/saml/kit/builders/templates/xml_signature.builder
-- lib/saml/kit/builders/xml_encryption.rb
-- lib/saml/kit/builders/xml_signature.rb
-- lib/saml/kit/certificate.rb
 - lib/saml/kit/composite_metadata.rb
 - lib/saml/kit/configuration.rb
-- lib/saml/kit/crypto.rb
-- lib/saml/kit/crypto/oaep_cipher.rb
-- lib/saml/kit/crypto/rsa_cipher.rb
-- lib/saml/kit/crypto/simple_cipher.rb
-- lib/saml/kit/crypto/unknown_cipher.rb
 - lib/saml/kit/default_registry.rb
 - lib/saml/kit/document.rb
-- lib/saml/kit/fingerprint.rb
-- lib/saml/kit/id.rb
 - lib/saml/kit/identity_provider_metadata.rb
 - lib/saml/kit/invalid_document.rb
-- lib/saml/kit/key_pair.rb
 - lib/saml/kit/locales/en.yml
 - lib/saml/kit/logout_request.rb
 - lib/saml/kit/logout_response.rb
@@ -242,18 +201,13 @@ files:
 - lib/saml/kit/requestable.rb
 - lib/saml/kit/respondable.rb
 - lib/saml/kit/response.rb
-- lib/saml/kit/self_signed_certificate.rb
 - lib/saml/kit/serializable.rb
 - lib/saml/kit/service_provider_metadata.rb
 - lib/saml/kit/signature.rb
-- lib/saml/kit/signatures.rb
-- lib/saml/kit/templatable.rb
-- lib/saml/kit/template.rb
 - lib/saml/kit/translatable.rb
 - lib/saml/kit/trustable.rb
 - lib/saml/kit/version.rb
-- lib/saml/kit/xml.rb
-- lib/saml/kit/xml_decryption.rb
+- lib/saml/kit/xml_templatable.rb
 - lib/saml/kit/xsd/MetadataExchange.xsd
 - lib/saml/kit/xsd/oasis-200401-wss-wssecurity-secext-1.0.xsd
 - lib/saml/kit/xsd/oasis-200401-wss-wssecurity-utility-1.0.xsd

data/lib/saml/kit/builders/templates/certificate.builder

@@ -1,7 +0,0 @@
-xml.KeyDescriptor use: use do
-  xml.KeyInfo "xmlns": Saml::Kit::Namespaces::XMLDSIG do
-    xml.X509Data do
-      xml.X509Certificate stripped
-    end
-  end
-end

data/lib/saml/kit/builders/templates/xml_encryption.builder

@@ -1,16 +0,0 @@
-xml.EncryptedAssertion xmlns: Saml::Kit::Namespaces::ASSERTION do
-  xml.EncryptedData xmlns: Saml::Kit::Namespaces::XMLENC do
-    xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
-    xml.KeyInfo xmlns: Saml::Kit::Namespaces::XMLDSIG do
-      xml.EncryptedKey xmlns: Saml::Kit::Namespaces::XMLENC do
-        xml.EncryptionMethod Algorithm: "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
-        xml.CipherData do
-          xml.CipherValue Base64.encode64(public_key.public_encrypt(key))
-        end
-      end
-    end
-    xml.CipherData do
-      xml.CipherValue Base64.encode64(iv + encrypted)
-    end
-  end
-end

data/lib/saml/kit/builders/templates/xml_signature.builder

@@ -1,20 +0,0 @@
-xml.Signature "xmlns" => Saml::Kit::Namespaces::XMLDSIG do
-  xml.SignedInfo do
-    xml.CanonicalizationMethod Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
-    xml.SignatureMethod Algorithm: signature_method
-    xml.Reference URI: "##{reference_id}" do
-      xml.Transforms do
-        xml.Transform Algorithm: "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
-        xml.Transform Algorithm: "http://www.w3.org/2001/10/xml-exc-c14n#"
-      end
-      xml.DigestMethod Algorithm: digest_method
-      xml.DigestValue ""
-    end
-  end
-  xml.SignatureValue ""
-  xml.KeyInfo do
-    xml.X509Data do
-      xml.X509Certificate certificate.stripped
-    end
-  end
-end

data/lib/saml/kit/builders/xml_encryption.rb

@@ -1,20 +0,0 @@
-module Saml
-  module Kit
-    module Builders
-      class XmlEncryption
-        attr_reader :public_key
-        attr_reader :key, :iv, :encrypted
-
-        def initialize(raw_xml, public_key)
-          @public_key = public_key
-          cipher = OpenSSL::Cipher.new('AES-256-CBC')
-          cipher.encrypt
-          @key = cipher.random_key
-          @iv = cipher.random_iv
-          @encrypted = cipher.update(raw_xml) + cipher.final
-        end
-      end
-    end
-  end
-end
-

data/lib/saml/kit/builders/xml_signature.rb

@@ -1,40 +0,0 @@
-module Saml
-  module Kit
-    module Builders
-      class XmlSignature
-        SIGNATURE_METHODS = {
-          SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-          SHA224: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
-          SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-          SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-          SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-        }.freeze
-        DIGEST_METHODS = {
-          SHA1: "http://www.w3.org/2000/09/xmldsig#SHA1",
-          SHA224: "http://www.w3.org/2001/04/xmldsig-more#sha224",
-          SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-          SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-          SHA512: "http://www.w3.org/2001/04/xmlenc#sha512",
-        }.freeze
-
-        attr_reader :embed_signature, :configuration
-        attr_reader :reference_id
-        attr_reader :certificate
-
-        def initialize(reference_id, configuration:, certificate: )
-          @configuration = configuration
-          @reference_id = reference_id
-          @certificate = certificate
-        end
-
-        def signature_method
-          SIGNATURE_METHODS[configuration.signature_method]
-        end
-
-        def digest_method
-          DIGEST_METHODS[configuration.digest_method]
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/certificate.rb

@@ -1,96 +0,0 @@
-module Saml
-  module Kit
-    # {include:file:spec/saml/certificate_spec.rb}
-    class Certificate
-      BEGIN_CERT=/-----BEGIN CERTIFICATE-----/
-      END_CERT=/-----END CERTIFICATE-----/
-      # The use can be `:signing` or `:encryption`
-      attr_reader :use
-
-      def initialize(value, use:)
-        @value = value
-        @use = use.downcase.to_sym
-      end
-
-      # @return [Saml::Kit::Fingerprint] the certificate fingerprint.
-      def fingerprint
-        Fingerprint.new(value)
-      end
-
-      # Returns true if this certificate is for the specified use.
-      #
-      # @param use [Symbol] `:signing` or `:encryption`.
-      # @return [Boolean] true or false.
-      def for?(use)
-        self.use == use.to_sym
-      end
-
-      # Returns true if this certificate is used for encryption.
-      #
-      # return [Boolean] true or false.
-      def encryption?
-        for?(:encryption)
-      end
-
-      # Returns true if this certificate is used for signing.
-      #
-      # return [Boolean] true or false.
-      def signing?
-        for?(:signing)
-      end
-
-      # Returns the x509 form.
-      #
-      # return [OpenSSL::X509::Certificate] the OpenSSL equivalent.
-      def x509
-        self.class.to_x509(value)
-      end
-
-      # Returns the public key.
-      #
-      # @return [OpenSSL::PKey::RSA] the RSA public key.
-      def public_key
-        x509.public_key
-      end
-
-      def ==(other)
-        self.fingerprint == other.fingerprint
-      end
-
-      def eql?(other)
-        self == other
-      end
-
-      def hash
-        value.hash
-      end
-
-      def to_s
-        value
-      end
-
-      def to_h
-        { use: @use, fingerprint: fingerprint.to_s }
-      end
-
-      def inspect
-        to_h.inspect
-      end
-
-      def stripped
-        value.to_s.gsub(BEGIN_CERT, '').gsub(END_CERT, '').gsub(/\n/, '')
-      end
-
-      def self.to_x509(value)
-        OpenSSL::X509::Certificate.new(Base64.decode64(value))
-      rescue OpenSSL::X509::CertificateError => error
-        Saml::Kit.logger.warn(error)
-        OpenSSL::X509::Certificate.new(value)
-      end
-
-      private
-
-      attr_reader :value
-    end
-  end
-end