saml-kit 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/.gitlab-ci.yml +15 -0
- data/lib/saml/kit.rb +1 -0
- data/lib/saml/kit/certificate.rb +59 -0
- data/lib/saml/kit/configuration.rb +2 -2
- data/lib/saml/kit/fingerprint.rb +1 -4
- data/lib/saml/kit/identity_provider_metadata.rb +15 -4
- data/lib/saml/kit/metadata.rb +6 -16
- data/lib/saml/kit/response.rb +1 -1
- data/lib/saml/kit/service_provider_metadata.rb +0 -2
- data/lib/saml/kit/version.rb +1 -1
- data/lib/saml/kit/xml.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0a54e04d0c915cf2ed6df1ffa201fca9abea800e
|
4
|
+
data.tar.gz: f38bb36f287bc9f9b7c185eb00b7c87641f99f23
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9bf0e3a075afb0fb4b1038b265a39382a3463cf4b4c490d45cd605534341a4b2227fdf09709af556da2b94e25ca0d50fecd440b5e0ff2e68076fd2584010b110
|
7
|
+
data.tar.gz: ed750eb4bf73f1f631b83c4b17d2ddb1e15907955ce686b9ddaaa591a27c22a79fcac0b76a86ac3898e7c59b2d23e12616965286de614e1cd2b7f118ffd96f0f
|
data/.gitlab-ci.yml
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
image: ruby:2.2
|
2
|
+
|
3
|
+
before_script:
|
4
|
+
- apt-get update && apt-get install -y locales
|
5
|
+
- echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
|
6
|
+
- locale-gen
|
7
|
+
- export LC_ALL=en_US.UTF-8
|
8
|
+
- ruby -v
|
9
|
+
- which ruby
|
10
|
+
- gem install bundler --no-ri --no-rdoc
|
11
|
+
- bundle install --jobs $(nproc) "${FLAGS[@]}"
|
12
|
+
|
13
|
+
rspec:
|
14
|
+
script:
|
15
|
+
- bundle exec rspec
|
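Review bot: `"${FLAGS[@]}"` on the `bundle install` line refers to an array that nothing in this file defines, so it expands to nothing unless the runner injects `FLAGS`; either drop it or declare it under `variables:` so the intent is visible to the next reader. The toolchain is also unpinned: `image: ruby:2.2` follows a moving tag and `gem install bundler` installs whatever is current, so two runs of this pipeline can build with different tools — `gem install bundler -v <pinned-version>` and an exact image tag or digest would make it reproducible. `--no-ri --no-rdoc` are the legacy spellings of `--no-document`.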
data/lib/saml/kit.rb
CHANGED
@@ -0,0 +1,59 @@
|
|
1
|
+
module Saml
|
2
|
+
module Kit
|
3
|
+
class Certificate
|
4
|
+
attr_reader :value, :use
|
5
|
+
|
6
|
+
def initialize(value, use:)
|
7
|
+
@value = value
|
8
|
+
@use = use.downcase.to_sym
|
9
|
+
end
|
10
|
+
|
11
|
+
def fingerprint
|
12
|
+
Fingerprint.new(value)
|
13
|
+
end
|
14
|
+
|
15
|
+
def for?(use)
|
16
|
+
self.use == use.to_sym
|
17
|
+
end
|
18
|
+
|
19
|
+
def encryption?
|
20
|
+
:encryption == use
|
21
|
+
end
|
22
|
+
|
23
|
+
def signing?
|
24
|
+
:signing == use
|
25
|
+
end
|
26
|
+
|
27
|
+
def x509
|
28
|
+
self.class.to_x509(value)
|
29
|
+
end
|
30
|
+
|
31
|
+
def public_key
|
32
|
+
x509.public_key
|
33
|
+
end
|
34
|
+
|
35
|
+
def ==(other)
|
36
|
+
self.to_s == other.to_s
|
37
|
+
end
|
38
|
+
|
39
|
+
def eql?(other)
|
40
|
+
self == other
|
41
|
+
end
|
42
|
+
|
43
|
+
def hash
|
44
|
+
value.hash
|
45
|
+
end
|
46
|
+
|
47
|
+
def to_s
|
48
|
+
value
|
49
|
+
end
|
50
|
+
|
51
|
+
def self.to_x509(value)
|
52
|
+
OpenSSL::X509::Certificate.new(Base64.decode64(value))
|
53
|
+
rescue OpenSSL::X509::CertificateError => error
|
54
|
+
Saml::Kit.logger.warn(error)
|
55
|
+
OpenSSL::X509::Certificate.new(value)
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
@@ -32,11 +32,11 @@ module Saml
|
|
32
32
|
end
|
33
33
|
|
34
34
|
def signing_x509
|
35
|
-
|
35
|
+
Certificate.to_x509(signing_certificate_pem)
|
36
36
|
end
|
37
37
|
|
38
38
|
def encryption_x509
|
39
|
-
|
39
|
+
Certificate.to_x509(encryption_certificate_pem)
|
40
40
|
end
|
41
41
|
|
42
42
|
def signing_private_key
|
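Review bot: `Certificate.to_x509` tries `Base64.decode64(value)` first and only falls back to parsing `value` directly after logging a warning, yet the second hunk in this section (`signing_x509`/`encryption_x509`, apparently configuration.rb given the diffstat) feeds it `*_certificate_pem`, so every call on a PEM-armoured configuration value is expected to take the `CertificateError` path and emit `Saml::Kit.logger.warn(error)` before succeeding. Check for the armour first so the warning only fires on genuinely unparseable input, e.g. `return OpenSSL::X509::Certificate.new(value) if value.include?('-----BEGIN')` at the top of `to_x509`, or lower that log call to `debug`. Note also that `Base64.decode64` ignores characters outside its alphabet, so a corrupted blob rarely raises there and instead yields garbage DER that fails only inside `Certificate.new`; the final `OpenSSL::X509::Certificate.new(value)` is not rescued and propagates to the caller, which is reasonable but deserves a comment such as `# neither base64 DER nor PEM: let CertificateError propagate`.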
data/lib/saml/kit/fingerprint.rb
CHANGED
@@ -4,10 +4,7 @@ module Saml
|
|
4
4
|
attr_reader :x509
|
5
5
|
|
6
6
|
def initialize(raw_certificate)
|
7
|
-
@x509 =
|
8
|
-
rescue OpenSSL::X509::CertificateError => error
|
9
|
-
Saml::Kit.logger.warn(error)
|
10
|
-
@x509 = OpenSSL::X509::Certificate.new(Base64.decode64(raw_certificate))
|
7
|
+
@x509 = Certificate.to_x509(raw_certificate)
|
11
8
|
end
|
12
9
|
|
13
10
|
def algorithm(algorithm)
|
@@ -62,10 +62,21 @@ module Saml
|
|
62
62
|
xml.EntityDescriptor entity_descriptor_options do
|
63
63
|
signature.template(id)
|
64
64
|
xml.IDPSSODescriptor idp_sso_descriptor_options do
|
65
|
-
|
66
|
-
xml.
|
67
|
-
xml.
|
68
|
-
xml.
|
65
|
+
if @configuration.signing_certificate_pem.present?
|
66
|
+
xml.KeyDescriptor use: "signing" do
|
67
|
+
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
68
|
+
xml.X509Data do
|
69
|
+
xml.X509Certificate @configuration.stripped_signing_certificate
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
73
|
+
end
|
74
|
+
if @configuration.encryption_certificate_pem.present?
|
75
|
+
xml.KeyDescriptor use: "encryption" do
|
76
|
+
xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
|
77
|
+
xml.X509Data do
|
78
|
+
xml.X509Certificate @configuration.stripped_encryption_certificate
|
79
|
+
end
|
69
80
|
end
|
70
81
|
end
|
71
82
|
end
|
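Review bot: The two `KeyDescriptor` blocks in the `IDPSSODescriptor` hunk are identical apart from the `use` string and the certificate accessor, and the nesting runs four blocks deep; extracting a small private helper makes the builder read as two guarded one-liners and keeps the `KeyInfo`/`X509Data` structure in one place. The enclosing builder method starts and ends outside this hunk, and the `IDPSSODescriptor` block is left open by it. The fingerprint.rb hunk in this section is a straightforward delegation and raises nothing.
```ruby
xml.IDPSSODescriptor idp_sso_descriptor_options do
  if @configuration.signing_certificate_pem.present?
    key_descriptor(xml, "signing", @configuration.stripped_signing_certificate)
  end
  if @configuration.encryption_certificate_pem.present?
    key_descriptor(xml, "encryption", @configuration.stripped_encryption_certificate)
  end
  # … unchanged: remainder of the IDPSSODescriptor body …

# Private helper, defined next to the builder method.
# Emits one md:KeyDescriptor carrying a single X509Certificate for the given use.
def key_descriptor(xml, use, certificate)
  xml.KeyDescriptor use: use do
    xml.KeyInfo "xmlns": Namespaces::XMLDSIG do
      xml.X509Data do
        xml.X509Certificate certificate
      end
    end
  end
end
```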
data/lib/saml/kit/metadata.rb
CHANGED
@@ -30,20 +30,16 @@ module Saml
|
|
30
30
|
def certificates
|
31
31
|
@certificates ||= document.find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
|
32
32
|
cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", Xml::NAMESPACES).text
|
33
|
-
|
34
|
-
text: cert,
|
35
|
-
fingerprint: Fingerprint.new(cert).algorithm(hash_algorithm),
|
36
|
-
use: item.attribute('use').value.to_sym,
|
37
|
-
}
|
33
|
+
Certificate.new(cert, use: item.attribute('use').value.to_sym)
|
38
34
|
end
|
39
35
|
end
|
40
36
|
|
41
37
|
def encryption_certificates
|
42
|
-
certificates.find_all
|
38
|
+
certificates.find_all(&:encryption?)
|
43
39
|
end
|
44
40
|
|
45
41
|
def signing_certificates
|
46
|
-
certificates.find_all
|
42
|
+
certificates.find_all(&:signing?)
|
47
43
|
end
|
48
44
|
|
49
45
|
def services(type)
|
@@ -68,12 +64,8 @@ module Saml
|
|
68
64
|
end
|
69
65
|
|
70
66
|
def matches?(fingerprint, use: :signing)
|
71
|
-
|
72
|
-
|
73
|
-
signing_certificates.find do |signing_certificate|
|
74
|
-
Saml::Kit.logger.debug [hash_value, signing_certificate[:fingerprint]].inspect
|
75
|
-
hash_value == signing_certificate[:fingerprint]
|
76
|
-
end
|
67
|
+
certificates.find do |certificate|
|
68
|
+
certificate.for?(use) && certificate.fingerprint == fingerprint
|
77
69
|
end
|
78
70
|
end
|
79
71
|
|
@@ -91,9 +83,7 @@ module Saml
|
|
91
83
|
|
92
84
|
def verify(algorithm, signature, data)
|
93
85
|
signing_certificates.find do |cert|
|
94
|
-
|
95
|
-
public_key = x509.public_key
|
96
|
-
public_key.verify(algorithm, signature, data)
|
86
|
+
cert.public_key.verify(algorithm, signature, data)
|
97
87
|
end
|
98
88
|
end
|
99
89
|
|
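Review bot: `item.attribute('use').value.to_sym` in `certificates` raises `NoMethodError` when a `KeyDescriptor` carries no `use` attribute, which the SAML metadata schema permits (an unqualified key is valid for both signing and encryption), so well-formed remote metadata can abort parsing, and such keys would in any case never appear in `signing_certificates` or `encryption_certificates`. Read the attribute with nil tolerance, e.g. `use = item['use'] || 'both'` followed by `Certificate.new(cert, use: use)`, and let `Certificate#for?`, `#signing?` and `#encryption?` treat `:both` as matching either use. The same nil path exists for `.text` when the `X509Certificate` element is absent under `KeyInfo`. Separately, `matches?` now relies on `Fingerprint#==` comparing digests rather than object identity; that method is not part of this diff, so confirm it exists, otherwise `certificate.fingerprint == fingerprint` is always false and no metadata certificate will ever match.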
data/lib/saml/kit/response.rb
CHANGED
@@ -186,7 +186,7 @@ module Saml
|
|
186
186
|
yield temp
|
187
187
|
raw_xml_to_encrypt = temp.target!
|
188
188
|
|
189
|
-
encryption_certificate =
|
189
|
+
encryption_certificate = request.provider.encryption_certificates.first
|
190
190
|
public_key = encryption_certificate.public_key
|
191
191
|
|
192
192
|
cipher = OpenSSL::Cipher.new('AES-256-CBC')
|
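Review bot: `request.provider.encryption_certificates.first` can be nil when the service provider's metadata publishes no `use="encryption"` key, and the next line then fails with an uninformative `NoMethodError` on `public_key`; fail explicitly before any encryption work, `raise ArgumentError, "provider metadata has no encryption certificate" if encryption_certificate.nil?`. The enclosing method starts and ends outside this hunk. Providers that publish a single `KeyDescriptor` without a `use` attribute, which is legal for a key meant for both purposes, appear not to be handled by `certificates` in metadata.rb either, so this path can be reached with valid metadata.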
data/lib/saml/kit/version.rb
CHANGED
data/lib/saml/kit/xml.rb
CHANGED
@@ -22,7 +22,7 @@ module Saml
|
|
22
22
|
def x509_certificates
|
23
23
|
xpath = "//ds:KeyInfo/ds:X509Data/ds:X509Certificate"
|
24
24
|
document.search(xpath, Xmldsig::NAMESPACES).map do |item|
|
25
|
-
|
25
|
+
Certificate.to_x509(item.text)
|
26
26
|
end
|
27
27
|
end
|
28
28
|
|
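Review bot: `Certificate.to_x509(item.text)` is applied to whatever the inbound document places in its `ds:X509Certificate` elements, and `to_x509` (added elsewhere in this diff) rescues only its first parse attempt, so one malformed element makes `x509_certificates` raise `OpenSSL::X509::CertificateError` instead of reporting an invalid document; if the callers treat this as a validation step, rescue per item and record the failure as a validation error. The surrounding validation flow is outside this hunk, so this is inferred from the `to_x509` definition. A comment on `x509_certificates` stating that these certificates come from the document under inspection rather than from trusted metadata would help readers not mistake them for trust anchors.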
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: saml-kit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- mo khan
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-11-
|
11
|
+
date: 2017-11-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: activemodel
|
@@ -160,6 +160,7 @@ extensions: []
|
|
160
160
|
extra_rdoc_files: []
|
161
161
|
files:
|
162
162
|
- ".gitignore"
|
163
|
+
- ".gitlab-ci.yml"
|
163
164
|
- ".rspec"
|
164
165
|
- ".travis.yml"
|
165
166
|
- Gemfile
|
@@ -177,6 +178,7 @@ files:
|
|
177
178
|
- lib/saml/kit/bindings/http_post.rb
|
178
179
|
- lib/saml/kit/bindings/http_redirect.rb
|
179
180
|
- lib/saml/kit/bindings/url_builder.rb
|
181
|
+
- lib/saml/kit/certificate.rb
|
180
182
|
- lib/saml/kit/configuration.rb
|
181
183
|
- lib/saml/kit/crypto.rb
|
182
184
|
- lib/saml/kit/crypto/oaep_cipher.rb
|