saml-kit 0.3.0 → 0.3.1

data/lib/saml/kit/crypto.rb

@@ -1,17 +0,0 @@
-require 'saml/kit/crypto/oaep_cipher'
-require 'saml/kit/crypto/rsa_cipher'
-require 'saml/kit/crypto/simple_cipher'
-require 'saml/kit/crypto/unknown_cipher'
-
-module Saml
-  module Kit
-    module Crypto
-      DECRYPTORS = [ SimpleCipher, RsaCipher, OaepCipher, UnknownCipher ]
-
-      # @!visibility private
-      def self.decryptor_for(algorithm, key)
-        DECRYPTORS.find { |x| x.matches?(algorithm) }.new(algorithm, key)
-      end
-    end
-  end
-end

data/lib/saml/kit/crypto/oaep_cipher.rb

@@ -1,22 +0,0 @@
-module Saml
-  module Kit
-    module Crypto
-      class OaepCipher
-        ALGORITHMS = {
-          'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' => true,
-        }
-        def initialize(algorithm, key)
-          @key = key
-        end
-
-        def self.matches?(algorithm)
-          ALGORITHMS[algorithm]
-        end
-
-        def decrypt(cipher_text)
-          @key.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/crypto/rsa_cipher.rb

@@ -1,23 +0,0 @@
-module Saml
-  module Kit
-    module Crypto
-      class RsaCipher
-        ALGORITHMS = {
-          'http://www.w3.org/2001/04/xmlenc#rsa-1_5' => true,
-        }
-
-        def initialize(algorithm, key)
-          @key = key
-        end
-
-        def self.matches?(algorithm)
-          ALGORITHMS[algorithm]
-        end
-
-        def decrypt(cipher_text)
-          @key.private_decrypt(cipher_text)
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/crypto/simple_cipher.rb

@@ -1,38 +0,0 @@
-module Saml
-  module Kit
-    module Crypto
-      class SimpleCipher
-        ALGORITHMS = {
-          'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' => 'DES-EDE3-CBC',
-          'http://www.w3.org/2001/04/xmlenc#aes128-cbc' => 'AES-128-CBC',
-          'http://www.w3.org/2001/04/xmlenc#aes192-cbc' => 'AES-192-CBC',
-          'http://www.w3.org/2001/04/xmlenc#aes256-cbc' => 'AES-256-CBC',
-        }
-
-        def initialize(algorithm, private_key)
-          @algorithm = algorithm
-          @private_key = private_key
-        end
-
-        def self.matches?(algorithm)
-          ALGORITHMS[algorithm]
-        end
-
-        def decrypt(cipher_text)
-          cipher = OpenSSL::Cipher.new(ALGORITHMS[@algorithm])
-          cipher.decrypt
-          iv = cipher_text[0..cipher.iv_len-1]
-          data = cipher_text[cipher.iv_len..-1]
-          #cipher.padding = 0
-          cipher.key = @private_key
-          cipher.iv = iv
-
-          Saml::Kit.logger.debug ['-key', @private_key].inspect
-          Saml::Kit.logger.debug ['-iv', iv].inspect
-
-          cipher.update(data) + cipher.final
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/crypto/unknown_cipher.rb

@@ -1,18 +0,0 @@
-module Saml
-  module Kit
-    module Crypto
-      class UnknownCipher
-        def initialize(algorithm, key)
-        end
-
-        def self.matches?(algorithm)
-          true
-        end
-
-        def decrypt(cipher_text)
-          cipher_text
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/fingerprint.rb

@@ -1,50 +0,0 @@
-module Saml
-  module Kit
-    # This generates a fingerprint for an X509 Certificate.
-    #
-    #   certificate, _ = Saml::Kit::SelfSignedCertificate.new("password").create
-    #
-    #   puts Saml::Kit::Fingerprint.new(certificate).to_s
-    #   # B7:AB:DC:BD:4D:23:58:65:FD:1A:99:0C:5F:89:EA:87:AD:F1:D7:83:34:7A:E9:E4:88:12:DD:46:1F:38:05:93
-    #
-    # {include:file:spec/saml/fingerprint_spec.rb}
-    class Fingerprint
-      # The OpenSSL::X509::Certificate
-      attr_reader :x509
-
-      def initialize(raw_certificate)
-        @x509 = Certificate.to_x509(raw_certificate)
-      end
-
-      # Generates a formatted fingerprint using the specified hash algorithm.
-      #
-      # @param algorithm [OpenSSL::Digest] the openssl algorithm to use `OpenSSL::Digest::SHA256`, `OpenSSL::Digest::SHA1`.
-      # @return [String] in the format of `"BF:ED:C5:F1:6C:AB:F5:B2:15:1F:BF:BD:7D:68:1A:F9:A5:4E:4C:19:30:BC:6D:25:B1:8E:98:D4:23:FD:B4:09"`
-      def algorithm(algorithm)
-        pretty_fingerprint(algorithm.new.hexdigest(x509.to_der))
-      end
-
-      def ==(other)
-        self.to_s == other.to_s
-      end
-
-      def eql?(other)
-        self == other
-      end
-
-      def hash
-        to_s.hash
-      end
-
-      def to_s
-        algorithm(OpenSSL::Digest::SHA256)
-      end
-
-      private
-
-      def pretty_fingerprint(fingerprint)
-        fingerprint.upcase.scan(/../).join(":")
-      end
-    end
-  end
-end

data/lib/saml/kit/id.rb

@@ -1,14 +0,0 @@
-module Saml
-  module Kit
-    # This class is used primary for generating ID.
-    #https://www.w3.org/2001/XMLSchema.xsd
-    class Id
-
-     # Generate an ID that conforms to the XML Schema.
-      # https://www.w3.org/2001/XMLSchema.xsd
-      def self.generate
-        "_#{SecureRandom.uuid}"
-      end
-    end
-  end
-end

data/lib/saml/kit/key_pair.rb

@@ -1,29 +0,0 @@
-module Saml
-  module Kit
-    class KeyPair # :nodoc:
-      attr_reader :certificate, :private_key, :use
-
-      def initialize(certificate, private_key, passphrase, use)
-        @use = use
-        @certificate = Saml::Kit::Certificate.new(certificate, use: use)
-        @private_key = OpenSSL::PKey::RSA.new(private_key, passphrase)
-      end
-
-      # Returns true if the key pair is the designated use.
-      #
-      # @param use [Symbol] Can be either `:signing` or `:encryption`.
-      def for?(use)
-        @use == use
-      end
-
-      # Returns a generated self signed certificate with private key.
-      #
-      # @param use [Symbol] Can be either `:signing` or `:encryption`.
-      # @param passphrase [String] the passphrase to use to encrypt the private key.
-      def self.generate(use:, passphrase: SecureRandom.uuid)
-        certificate, private_key = SelfSignedCertificate.new(passphrase).create
-        new(certificate, private_key, passphrase, use)
-      end
-    end
-  end
-end

data/lib/saml/kit/self_signed_certificate.rb

@@ -1,28 +0,0 @@
-module Saml
-  module Kit
-    class SelfSignedCertificate
-      SUBJECT="/C=CA/ST=Alberta/L=Calgary/O=SamlKit/OU=SamlKit/CN=SamlKit"
-
-      def initialize(passphrase)
-        @passphrase = passphrase
-      end
-
-      def create
-        rsa_key = OpenSSL::PKey::RSA.new(2048)
-        public_key = rsa_key.public_key
-        certificate = OpenSSL::X509::Certificate.new
-        certificate.subject = certificate.issuer = OpenSSL::X509::Name.parse(SUBJECT)
-        certificate.not_before = DateTime.now.beginning_of_day
-        certificate.not_after = 30.days.from_now
-        certificate.public_key = public_key
-        certificate.serial = 0x0
-        certificate.version = 2
-        certificate.sign(rsa_key, OpenSSL::Digest::SHA256.new)
-        [
-          certificate.to_pem,
-          rsa_key.to_pem(OpenSSL::Cipher.new('AES-256-CBC'), @passphrase)
-        ]
-      end
-    end
-  end
-end

data/lib/saml/kit/signatures.rb

@@ -1,57 +0,0 @@
-module Saml
-  module Kit
-    # @!visibility private
-    class Signatures # :nodoc:
-      # @!visibility private
-      attr_reader :configuration
-
-      # @!visibility private
-      def initialize(configuration:)
-        @configuration = configuration
-        @key_pair = configuration.key_pairs(use: :signing).last
-      end
-
-      # @!visibility private
-      def sign_with(key_pair)
-        @key_pair = key_pair
-      end
-
-      # @!visibility private
-      def build(reference_id)
-        return nil unless configuration.sign?
-        certificate = @key_pair.certificate
-        Saml::Kit::Builders::XmlSignature.new(reference_id, configuration: configuration, certificate: certificate)
-      end
-
-      # @!visibility private
-      def complete(raw_xml)
-        return raw_xml unless configuration.sign?
-        private_key = @key_pair.private_key
-        Xmldsig::SignedDocument.new(raw_xml).sign(private_key)
-      end
-
-      # @!visibility private
-      def self.sign(xml: ::Builder::XmlMarkup.new, configuration: Saml::Kit.configuration)
-        signatures = Saml::Kit::Signatures.new(configuration: configuration)
-        yield xml, XmlSignatureTemplate.new(xml, signatures)
-        signatures.complete(xml.target!)
-      end
-
-      class XmlSignatureTemplate # :nodoc:
-        # @!visibility private
-        attr_reader :signatures, :xml
-
-        # @!visibility private
-        def initialize(xml, signatures)
-          @signatures = signatures
-          @xml = xml
-        end
-
-        # @!visibility private
-        def template(reference_id)
-          Template.new(signatures.build(reference_id)).to_xml(xml: xml)
-        end
-      end
-    end
-  end
-end

data/lib/saml/kit/templatable.rb

@@ -1,67 +0,0 @@
-module Saml
-  module Kit
-    module Templatable
-      # Can be used to disable embeding a signature.
-      # By default a signature will be embedded if a signing
-      # certificate is available via the configuration.
-      attr_accessor :embed_signature
-
-      # @deprecated Use {#embed_signature=} instead of this method.
-      def sign=(value)
-        Saml::Kit.deprecate("sign= is deprecated. Use embed_signature= instead")
-        self.embed_signature = value
-      end
-
-      # Returns the generated XML document with an XML Digital Signature and XML Encryption.
-      def to_xml(xml: ::Builder::XmlMarkup.new)
-        signatures.complete(render(self, xml: xml))
-      end
-
-      # @!visibility private
-      def signature_for(reference_id:, xml:)
-        return unless sign?
-        render(signatures.build(reference_id), xml: xml)
-      end
-
-      # Allows you to specify which key pair to use for generating an XML digital signature.
-      #
-      # @param key_pair [Saml::Kit::KeyPair] the key pair to use for signing.
-      def sign_with(key_pair)
-        signatures.sign_with(key_pair)
-      end
-
-      # Returns true if an embedded signature is requested and at least one signing certificate is available via the configuration.
-      def sign?
-        embed_signature.nil? ? configuration.sign? : embed_signature && configuration.sign?
-      end
-
-      # @!visibility private
-      def signatures
-        @signatures ||= Saml::Kit::Signatures.new(configuration: configuration)
-      end
-
-      # @!visibility private
-      def encryption_for(xml:)
-        if encrypt?
-          temp = ::Builder::XmlMarkup.new
-          yield temp
-          signed_xml = signatures.complete(temp.target!)
-          xml_encryption = Saml::Kit::Builders::XmlEncryption.new(signed_xml, encryption_certificate.public_key)
-          render(xml_encryption, xml: xml)
-        else
-          yield xml
-        end
-      end
-
-      # @!visibility private
-      def encrypt?
-        encrypt && encryption_certificate
-      end
-
-      # @!visibility private
-      def render(model, options)
-        Saml::Kit::Template.new(model).to_xml(options)
-      end
-    end
-  end
-end

data/lib/saml/kit/template.rb

@@ -1,33 +0,0 @@
-module Saml
-  module Kit
-    class Template
-      attr_reader :target
-
-      def initialize(target)
-        @target = target
-      end
-
-      # Returns the compiled template as a [String].
-      #
-      # @param options [Hash] The options hash to pass to the template engine.
-      def to_xml(options)
-        template.render(target, options)
-      end
-
-      private
-
-      def template_name
-        "#{target.class.name.split("::").last.underscore}.builder"
-      end
-
-      def template_path
-        root_path = File.expand_path(File.dirname(__FILE__))
-        File.join(root_path, "builders/templates/", template_name)
-      end
-
-      def template
-        Tilt.new(template_path)
-      end
-    end
-  end
-end

data/lib/saml/kit/xml.rb

@@ -1,80 +0,0 @@
-module Saml
-  module Kit
-    # {include:file:spec/saml/xml_spec.rb}
-    class Xml # :nodoc:
-      include ActiveModel::Validations
-      NAMESPACES = {
-        "NameFormat": Namespaces::ATTR_SPLAT,
-        "ds": Namespaces::XMLDSIG,
-        "md": Namespaces::METADATA,
-        "saml": Namespaces::ASSERTION,
-        "samlp": Namespaces::PROTOCOL,
-      }.freeze
-
-      validate :validate_signatures
-      validate :validate_certificates
-
-      def initialize(raw_xml)
-        @raw_xml = raw_xml
-        @document = Nokogiri::XML(raw_xml)
-      end
-
-      # Returns the first XML node found by searching the document with the provided XPath.
-      #
-      # @param xpath [String] the XPath to use to search the document
-      def find_by(xpath)
-        document.at_xpath(xpath, NAMESPACES)
-      end
-
-      # Returns all XML nodes found by searching the document with the provided XPath.
-      #
-      # @param xpath [String] the XPath to use to search the document
-      def find_all(xpath)
-        document.search(xpath, NAMESPACES)
-      end
-
-      # Return the XML document as a [String].
-      #
-      # @param pretty [Boolean] return the XML string in a human readable format if true.
-      def to_xml(pretty: true)
-        pretty ? document.to_xml(indent: 2) : raw_xml
-      end
-
-      private
-
-      attr_reader :raw_xml, :document
-
-      def validate_signatures
-        invalid_signatures.flat_map(&:errors).uniq.each do |error|
-          errors.add(error, "is invalid")
-        end
-      end
-
-      def invalid_signatures
-        signed_document = Xmldsig::SignedDocument.new(document, id_attr: 'ID=$uri or @Id')
-        signed_document.signatures.find_all do |signature|
-          x509_certificates.all? do |certificate|
-            !signature.valid?(certificate)
-          end
-        end
-      end
-
-      def validate_certificates(now = Time.current)
-        return if find_by('//ds:Signature').nil?
-
-        x509_certificates.each do |certificate|
-          inactive = now < certificate.not_before
-          errors.add(:certificate, "Not valid before #{certificate.not_before}") if inactive
-
-          expired = now > certificate.not_after
-          errors.add(:certificate, "Not valid after #{certificate.not_after}") if expired
-        end
-      end
-
-      def x509_certificates
-        xpath = "//ds:KeyInfo/ds:X509Data/ds:X509Certificate"
-        find_all(xpath).map { |item| Certificate.to_x509(item.text) }
-      end
-    end
-  end
-end