saml2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e6cca9457d5ec3880dd5e3972e96c9275973e3b1
+  data.tar.gz: 2c2276cd951f78f8d6fb34eb0322e019a1de152b
+SHA512:
+  metadata.gz: cdb33be918597518b11aa3ebfb3e8ddcbb788f517dd53282e24305d71070398bcc9ff0d4045c1ec0e61dafbe42d7866a89ef2ed16cfd97219a13d139beac640d
+  data.tar.gz: 74e237a2935f8b8cef4bf8f32a768d10947f8eee1bcd5f6c84df0fdf61318f1d5d7a6e73a185c66ce6d8c48992d1ba83091d04f4f545ce3350192d0d26907f36

data/Rakefile

@@ -0,0 +1,13 @@
+require 'rubygems'
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.name = "spec"
+  t.pattern = "spec/**/*_spec.rb"
+end
+
+task :default => :spec

data/app/views/saml2/http_post.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+</head>
+<body onload="document.forms[0].submit();" style="visibility:hidden;">
+<%= form_tag(@saml_acs_url) do %>
+  <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+  <%= hidden_field_tag("RelayState", @relay_state) if @relay_state %>
+  <%= submit_tag "Submit" %>
+<% end %>
+</body>
+</html>

data/lib/saml2.rb

@@ -0,0 +1,9 @@
+require 'saml2/authn_request'
+require 'saml2/entity'
+require 'saml2/response'
+require 'saml2/version'
+
+require 'saml2/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+
+module SAML2
+end

data/lib/saml2/assertion.rb

@@ -0,0 +1,37 @@
+module SAML2
+  class Assertion
+    attr_reader :id, :issue_instant, :statements
+    attr_accessor :issuer, :subject
+
+    def initialize
+      @id = "_#{SecureRandom.uuid}"
+      @issue_instant = Time.now.utc
+      @statements = []
+    end
+
+    def sign(x509_certificate, private_key, algorithm_name = :sha256)
+      to_xml
+
+      @xml.set_id_attribute('ID')
+      @xml.sign!(cert: x509_certificate, key: private_key, digest_alg: algorithm_name.to_s, signature_alg: "rsa-#{algorithm_name}", uri: "##{id}")
+      self
+    end
+
+    def to_xml
+      @xml ||= Nokogiri::XML::Builder.new do |builder|
+        builder['saml'].Assertion(
+            'xmlns:saml' => Namespaces::SAML,
+            ID: id,
+            Version: '2.0',
+            IssueInstant: issue_instant.iso8601
+        ) do |builder|
+          issuer.build(builder, element: 'Issuer')
+
+          subject.build(builder)
+
+          statements.each { |stmt| stmt.build(builder) }
+        end
+      end.doc.root
+    end
+  end
+end

data/lib/saml2/attribute.rb

@@ -0,0 +1,127 @@
+require 'saml2/base'
+require 'saml2/namespaces'
+
+module SAML2
+  class AttributeType < Base
+    attr_accessor :name, :friendly_name, :name_format
+
+    def initialize(name = nil, friendly_name = nil, name_format = nil)
+      @name, @friendly_name, @name_format = name, friendly_name, name_format
+    end
+
+    def from_xml(node)
+      @name = node['Name']
+      @friendly_name = node['FriendlyName']
+      @name_format = node['NameFormat']
+      self
+    end
+  end
+
+  class Attribute < AttributeType
+    module NameFormats
+      BASIC       = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic".freeze
+      UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified".freeze
+      URI         = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri".freeze
+    end
+
+    class << self
+      def subclasses
+        @subclasses ||= []
+      end
+
+      def inherited(klass)
+        subclasses << klass
+      end
+
+      def from_xml(node)
+        # pass through for subclasses
+        super unless self == Attribute
+
+        # look for an appropriate subclass
+        klass = subclasses.find { |klass| klass.recognizes?(node) }
+        if klass
+          klass.from_xml(node)
+        else
+          super
+        end
+      end
+
+      def create(name, value = nil)
+        klass = subclasses.find { |klass| klass.recognizes?(name) } || self
+        klass.new(name, value)
+      end
+    end
+
+    attr_accessor :value
+
+    def initialize(name = nil, value = nil, friendly_name = nil, name_format = nil)
+      super(name, friendly_name, name_format)
+      @value = value
+    end
+
+    def build(builder)
+      builder['saml'].Attribute('Name' => name) do |builder|
+        builder.parent['FriendlyName'] = friendly_name if friendly_name
+        builder.parent['NameFormat'] = name_format if name_format
+        Array(value).each do |val|
+          xsi_type, val = convert_to_xsi(value)
+          builder['saml'].AttributeValue(val) do |builder|
+            builder.parent['xsi:type'] = xsi_type if xsi_type
+          end
+        end
+      end
+    end
+
+    def from_xml(node)
+      @value = node.xpath('saml:AttributeValue', Namespaces::ALL).map do |node|
+        convert_from_xsi(node['xsi:type'], node.content && node.content.strip)
+      end
+      @value = @value.first if @value.length == 1
+      super
+    end
+
+    private
+    XSI_TYPES = {
+        'xsd:string' => [String, nil, nil],
+        nil => [DateTime, ->(v) { v.iso8601 }, ->(v) { DateTime.parse(v) if v }]
+    }.freeze
+
+    def convert_to_xsi(value)
+      xsi_type = nil
+      converter = nil
+      XSI_TYPES.each do |type, (klass, to_xsi, from_xsi)|
+        if klass === value
+          xsi_type = type
+          converter = to_xsi
+          break
+        end
+      end
+      value = converter.call(value) if converter
+      [xsi_type, value]
+    end
+
+    def convert_from_xsi(type, value)
+      info = XSI_TYPES[type]
+      if info && info.last
+        value = info.last.call(value)
+      end
+      value
+    end
+  end
+
+  class AttributeStatement
+    attr_reader :attributes
+
+    def initialize(attributes)
+      @attributes = attributes
+    end
+
+    def build(builder)
+      builder['saml'].AttributeStatement('xmlns:xsi' => Namespaces::XSI) do |builder|
+        @attributes.each { |attr| attr.build(builder) }
+      end
+    end
+  end
+end
+
+require 'saml2/attribute/x500'

data/lib/saml2/attribute/x500.rb

@@ -0,0 +1,79 @@
+module SAML2
+  class Attribute
+    class X500 < Attribute
+      GIVEN_NAME             = 'urn:oid:2.5.4.42'.freeze
+      SN = SURNAME           = 'urn:oid:2.5.4.4'.freeze
+      # https://www.ietf.org/rfc/rfc2798.txt
+      module InetOrgPerson
+        DISPLAY_NAME         = 'urn:oid:2.16.840.1.113730.3.1.241'.freeze
+        EMPLOYEE_NUMBER      = 'urn:oid:2.16.840.1.113730.3.1.3'.freeze
+        EMPLOYEE_TYPE        = 'urn:oid:2.16.840.1.113730.3.1.4'.freeze
+        PREFERRED_LANGUAGE   = 'urn:oid:2.16.840.1.113730.3.1.39'.freeze
+      end
+      # https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html
+      module EduPerson
+        AFFILIATION          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1'.freeze
+        ASSURANCE            = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.11'.freeze
+        ENTITLEMENT          = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'.freeze
+        NICKNAME             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2'.freeze
+        ORG_D_N              = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3'.freeze
+        PRIMARY_AFFILIATION  = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.5'.freeze
+        PRIMARY_ORG_UNIT_D_N = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.8'.freeze
+        PRINCIPAL_NAME       = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'.freeze
+        SCOPED_AFFILIATION   = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9'.freeze
+        TARGETED_I_D         = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10'.freeze
+        UNIT_D_N             = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4'.freeze
+      end
+      # http://www.ietf.org/rfc/rfc4524.txt
+      MAIL                   = 'urn:oid:0.9.2342.19200300.100.1.3'.freeze
+
+      def self.recognizes?(name_or_node)
+        if name_or_node.is_a?(Nokogiri::XML::Element)
+          !!name_or_node.at_xpath("@x500:Encoding", Namespaces::ALL)
+        else
+          FRIENDLY_NAMES.include?(name_or_node) || OIDS.include?(name_or_node)
+        end
+      end
+
+      def initialize(name = nil, value = nil)
+        # if they pass an OID, infer the friendly name
+        friendly_name = OIDS[name]
+        unless friendly_name
+          # if they pass a friendly name, infer the OID
+          proper_name = FRIENDLY_NAMES[name]
+          if proper_name
+            name, friendly_name = proper_name, name
+          end
+        end
+
+        super(name, value, friendly_name, NameFormats::URI)
+      end
+
+      def build(builder)
+        super
+        attr = builder.parent.last_element_child
+        attr.add_namespace_definition('x500', Namespaces::X500)
+        attr['x500:Encoding'] = 'LDAP'
+      end
+
+      # build hashes out of our known attribute names for quick lookup
+      FRIENDLY_NAMES = ([self] + constants).inject({}) do |hash, mod|
+        mod = const_get(mod) unless mod.is_a?(Module)
+        next hash unless mod.is_a?(Module)
+        # Don't look in modules inherited from parent classes
+        next hash unless mod.name.start_with?(self.name)
+        mod.constants.each do |key|
+          value = mod.const_get(key)
+          next unless value.is_a?(String)
+          key = key.to_s.downcase.gsub(/_\w/) { |c| c[1].upcase }
+          # eduPerson prefixes all of their names
+          key = "eduPerson#{key.sub(/^\w/) { |c| c.upcase }}" if mod == EduPerson
+          hash[key] = value
+        end
+        hash
+      end.freeze
+      OIDS = FRIENDLY_NAMES.invert.freeze
+      private_constant :FRIENDLY_NAMES, :OIDS
+    end
+  end
+end

data/lib/saml2/attribute_consuming_service.rb

@@ -0,0 +1,76 @@
+require 'saml2/attribute'
+require 'saml2/indexed_object'
+require 'saml2/namespaces'
+
+module SAML2
+  class RequestedAttribute < AttributeType
+    def initialize(name = nil, is_required = nil, name_format = nil)
+      super(name, name_format)
+      @is_required = is_required
+    end
+
+    def from_xml(node)
+      @is_required = node['isRequired'] && node['isRequired'] == 'true'
+      super
+    end
+
+    def required?
+      @is_required
+    end
+  end
+
+  class RequiredAttributeMissing < RuntimeError
+    attr_reader :requested_attribute
+
+    def initialize(requested_attribute)
+      super("Required attribute #{requested_attribute.name} not provided")
+      @requested_attribute = requested_attribute
+    end
+  end
+
+  class AttributeConsumingService < Base
+    include IndexedObject
+
+    attr_reader :name, :requested_attributes
+
+    def initialize(name = nil, requested_attributes = [])
+      @name, @requested_attributes = name, requested_attributes
+    end
+
+    def from_xml(node)
+      @name = node['ServiceName']
+      @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
+      super
+    end
+
+    def create_statement(attributes)
+      if attributes.is_a?(Hash)
+        attributes = attributes.map { |k, v| Attribute.create(k, v) }
+      end
+
+      attributes_hash = {}
+      attributes.each do |attr|
+        attr.value = attr.value.call if attr.value.respond_to?(:call)
+        attributes_hash[[attr.name, attr.name_format]] = attr
+        if attr.name_format
+          attributes_hash[[attr.name, nil]] = attr
+        end
+      end
+
+      attributes = []
+      requested_attributes.each do |requested_attr|
+        attr = attributes_hash[[requested_attr.name, requested_attr.name_format]]
+        if requested_attr.name_format
+          attr ||= attributes_hash[[requested_attr.name, nil]]
+        end
+        if attr
+          attributes << attr
+        elsif requested_attr.required?
+          raise RequiredAttributeMissing.new(requested_attr)
+        end
+      end
+      return nil if attributes.empty?
+      AttributeStatement.new(attributes)
+    end
+  end
+end

data/lib/saml2/authn_request.rb

@@ -0,0 +1,116 @@
+require 'base64'
+require 'zlib'
+
+require 'saml2/attribute_consuming_service'
+require 'saml2/endpoint'
+require 'saml2/name_id'
+require 'saml2/namespaces'
+require 'saml2/schemas'
+require 'saml2/subject'
+
+module SAML2
+  class AuthnRequest
+    def self.decode(authnrequest)
+      begin
+        zstream  = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        authnrequest = zstream.inflate(Base64.decode64(authnrequest))
+        zstream.finish
+        zstream.close
+      rescue Zlib::BufError
+      end
+      parse(authnrequest)
+    end
+
+    def self.parse(authnrequest)
+      new(Nokogiri::XML(authnrequest))
+    end
+
+    def initialize(document)
+      @document = document
+    end
+
+    def valid_schema?
+      return false unless Schemas.protocol.valid?(@document)
+      # Check for the correct root element
+      return false unless @document.at_xpath('/samlp:AuthnRequest', Namespaces::ALL)
+
+      true
+    end
+
+    def valid_web_browser_sso_profile?
+      return false unless issuer
+      return false if issuer.format && issuer.format != NameID::Format::ENTITY
+
+      true
+    end
+
+    def valid_interoperable_profile?
+      # It's a subset of Web Browser SSO profile
+      return false unless valid_web_browser_sso_profile?
+
+      return false unless assertion_consumer_service_url
+      return false if protocol_binding && protocol_binding != Endpoint::Bindings::HTTP_POST
+      return false if subject
+
+      true
+    end
+
+    def resolve(service_provider)
+      # TODO: check signature if present
+
+      if assertion_consumer_service_url
+        @assertion_consumer_service = service_provider.assertion_consumer_services.find { |acs| acs.location == assertion_consumer_service_url }
+      else
+        @assertion_consumer_service  = service_provider.assertion_consumer_services.resolve(assertion_consumer_service_index)
+      end
+      @attribute_consuming_service = service_provider.attribute_consuming_services.resolve(attribute_consuming_service_index)
+
+      return false unless @assertion_consumer_service
+      return false if attribute_consuming_service_index && !@attribute_consuming_service
+
+      true
+    end
+
+    def issuer
+      @issuer ||= NameID.from_xml(@document.root.at_xpath('saml:Issuer', Namespaces::ALL))
+    end
+
+    def name_id_policy
+      @name_id_policy ||= NameID::Policy.from_xml(@document.root.at_xpath('samlp:NameIDPolicy', Namespaces::ALL))
+    end
+
+    def id
+      @document.root['ID']
+    end
+
+    attr_reader :assertion_consumer_service, :attribute_consuming_service
+
+    def assertion_consumer_service_url
+      @document.root['AssertionConsumerServiceURL']
+    end
+
+    def assertion_consumer_service_index
+      @document.root['AssertionConsumerServiceIndex'] && @document.root['AssertionConsumerServiceIndex'].to_i
+    end
+
+    def attribute_consuming_service_index
+      @document.root['AttributeConsumerServiceIndex'] && @document.root['AttributeConsumerServiceIndex'].to_i
+    end
+
+    def force_authn?
+      @document.root['ForceAuthn']
+    end
+
+    def passive?
+      @document.root['IsPassive']
+    end
+
+    def protocol_binding
+      @document.root['ProtocolBinding']
+    end
+
+    def subject
+      @subject ||= Subject.from_xml(@document.at_xpath('saml:Subject', Namespaces::ALL))
+    end
+  end
+end