saml2 1.0.10 → 1.1.0

data/lib/saml2/identity_provider.rb

@@ -23,21 +23,21 @@ module SAML2
 
     def want_authn_requests_signed?
       unless instance_variable_defined?(:@want_authn_requests_signed)
-        @want_authn_requests_signed = @root['WantAuthnRequestsSigned'] && @root['WantAuthnRequestsSigned'] == 'true'
+        @want_authn_requests_signed = xml['WantAuthnRequestsSigned'] && xml['WantAuthnRequestsSigned'] == 'true'
       end
       @want_authn_requests_signed
     end
 
     def single_sign_on_services
-      @single_sign_on_services ||= load_object_array(@root, 'md:SingleSignOnService', Endpoint)
+      @single_sign_on_services ||= load_object_array(xml, 'md:SingleSignOnService', Endpoint)
     end
 
     def attribute_profiles
-      @attribute_profiles ||= load_string_array(@root, 'md:AttributeProfile')
+      @attribute_profiles ||= load_string_array(xml, 'md:AttributeProfile')
     end
 
     def attributes
-      @attributes ||= load_object_array(@root, 'saml:Attribute', Attribute)
+      @attributes ||= load_object_array(xml, 'saml:Attribute', Attribute)
     end
 
     def build(builder)

data/lib/saml2/indexed_object.rb

@@ -19,6 +19,10 @@ module SAML2
       !!@is_default
     end
 
+    def default_defined?
+      !@is_default.nil?
+    end
+
     def from_xml(node)
       @index = node['index'] && node['index'].to_i
       @is_default = node['isDefault'] && node['isDefault'] == 'true'
@@ -50,10 +54,10 @@ module SAML2
       end
     end
 
-    def build(builder)
+    def build(builder, *)
       super
-      builder.parent.last['index'] = index
-      builder.parent.last['isDefault'] = default? unless default?.nil?
+      builder.parent.children.last['index'] = index
+      builder.parent.children.last['isDefault'] = default? if default_defined?
     end
 
     private

data/lib/saml2/key.rb

@@ -7,6 +7,24 @@ module SAML2
       SIGNING    = 'signing'.freeze
     end
 
+    class EncryptionMethod
+      module Algorithm
+        AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'.freeze
+      end
+
+      attr_accessor :algorithm, :key_size
+
+      def initialize(algorithm = Algorithm::AES128_CBC, key_size = 128)
+        @algorithm, @key_size = algorithm, key_size
+      end
+
+      def build(builder)
+        builder['md'].EncryptionMethod('Algorithm' => algorithm) do |encryption_method|
+          encryption_method['xenc'].KeySize(key_size) if key_size
+        end
+      end
+    end
+
     attr_accessor :use, :x509, :encryption_methods
 
     def self.from_xml(node)
@@ -46,7 +64,7 @@ module SAML2
           end
         end
         encryption_methods.each do |method|
-          key_descriptor['xenc'].EncryptionMethod('Algorithm' => method)
+          method.build(key_descriptor)
         end
       end
     end

data/lib/saml2/logout_request.rb

@@ -0,0 +1,43 @@
+require 'saml2/name_id'
+require 'saml2/request'
+
+module SAML2
+  class LogoutRequest < Request
+    attr_accessor :name_id, :session_index
+
+    def self.initiate(sso, issuer, name_id, session_index = nil)
+      logout_request = new
+      logout_request.issuer = issuer
+      logout_request.destination = sso.single_logout_services.first.location
+      logout_request.name_id = name_id
+      logout_request.session_index = session_index
+
+      logout_request
+    end
+
+    def name_id
+      @name_id ||= (NameID.from_xml(xml.at_xpath('saml:NameID', Namespaces::ALL)) if xml)
+    end
+
+    def session_index
+      @session_index ||= (load_string_array(xml,'samlp:SessionIndex') if xml)
+    end
+
+    private
+
+    def build(builder)
+      builder['samlp'].LogoutRequest(
+          'xmlns:samlp' => Namespaces::SAMLP,
+          'xmlns:saml' => Namespaces::SAML
+      ) do |logout_request|
+        super(logout_request)
+
+        name_id.build(logout_request)
+
+        Array(session_index).each do |session_index_instance|
+          logout_request['samlp'].SessionIndex(session_index_instance)
+        end
+      end
+    end
+  end
+end

data/lib/saml2/logout_response.rb

@@ -0,0 +1,23 @@
+require 'saml2/status_response'
+
+module SAML2
+  class LogoutResponse < StatusResponse
+    def self.respond_to(logout_request, sso, issuer, status_code = Status::SUCCESS)
+      logout_response = new
+      logout_response.issuer = issuer
+      logout_response.destination = sso.single_logout_services.first.location
+      logout_response.in_response_to = logout_request.id
+      logout_response.status.code = status_code
+      logout_response
+    end
+
+    def build(builder)
+      builder['samlp'].LogoutResponse(
+                          'xmlns:samlp' => Namespaces::SAMLP,
+                          'xmlns:saml' => Namespaces::SAML
+      ) do |logout_response|
+        super(logout_response)
+      end
+    end
+  end
+end

data/lib/saml2/message.rb

@@ -0,0 +1,109 @@
+require 'securerandom'
+require 'time'
+
+require 'saml2/base'
+
+module SAML2
+  class InvalidMessage < RuntimeError
+  end
+
+  class MissingMessage < InvalidMessage
+  end
+
+  class CorruptMessage < InvalidMessage
+  end
+
+  class MessageTooLarge < InvalidMessage
+  end
+
+  class UnknownMessage < InvalidMessage
+  end
+
+  class UnexpectedMessage < InvalidMessage
+  end
+
+  class UnsupportedEncoding < InvalidMessage
+  end
+
+  class UnsupportedSignatureAlgorithm < InvalidMessage
+  end
+
+  class InvalidSignature < InvalidMessage
+  end
+
+  class UnsignedMessage < InvalidMessage
+  end
+
+  # In the SAML Schema, Request and Response don't technically share a common
+  # ancestor, but they have several things in common so it's useful to represent
+  # that here
+  class Message < Base
+    attr_reader :id, :issue_instant
+    attr_accessor :issuer, :destination
+
+    class << self
+      def inherited(klass)
+        # explicitly keep track of all messages in this base class
+        Message.known_messages[klass.name.sub(/^SAML2::/, '')] = klass
+      end
+
+      def from_xml(node)
+        return super unless self == Message
+        klass = Message.known_messages[node.name]
+        raise UnknownMessage.new("Unknown message #{node.name}") unless klass
+        klass.from_xml(node)
+      end
+
+      def parse(xml)
+        result = Message.from_xml(Nokogiri::XML(xml) { |config| config.strict }.root)
+        raise UnexpectedMessage.new("Expected a #{self.name}, but got a #{result.class.name}") unless self == Message || result.class == self
+        result
+      rescue Nokogiri::XML::SyntaxError
+        raise CorruptMessage
+      end
+
+      protected
+
+      def known_messages
+        @known_messages ||= {}
+      end
+    end
+
+    def initialize
+      @id = "_#{SecureRandom.uuid}"
+      @issue_instant = Time.now.utc
+    end
+
+    def from_xml(node)
+      super
+      @id = nil
+      @issue_instant = nil
+    end
+
+    def valid_schema?
+      return false unless Schemas.protocol.valid?(xml.document)
+
+      true
+    end
+
+    def issuer
+      @issuer ||= NameID.from_xml(xml.at_xpath('saml:Issuer', Namespaces::ALL))
+    end
+
+    def id
+      @id ||= xml['ID']
+    end
+
+    protected
+
+    # should be called from inside the specific request element
+    def build(message)
+      message.parent['ID'] = id
+      message.parent['Version'] = '2.0'
+      message.parent['IssueInstant'] = issue_instant.iso8601
+      message.parent['Destination'] = destination if destination
+
+      issuer.build(message, element: 'Issuer') if issuer
+    end
+  end
+end

data/lib/saml2/name_id.rb

@@ -36,25 +36,33 @@ module SAML2
       end
     end
 
-    attr_reader :id, :format
+    attr_accessor :id, :format, :name_qualifier, :sp_name_qualifier
 
     def self.from_xml(node)
-      node && new(node.content.strip, node['Format'])
+      node && new(node.content.strip,
+                  node['Format'],
+                  name_qualifier: node['NameQualifier'],
+                  sp_name_qualifier: node['SPNameQualifier'])
     end
 
-    def initialize(id = nil, format = nil)
-      @id, @format = id, format
+    def initialize(id = nil, format = nil, name_qualifier: nil, sp_name_qualifier: nil)
+      @id, @format, @name_qualifier, @sp_name_qualifier =
+          id, format, name_qualifier, sp_name_qualifier
     end
 
     def ==(rhs)
-      id == rhs.id && format == rhs.format
+      id == rhs.id &&
+          format == rhs.format &&
+          name_qualifier == rhs.name_qualifier &&
+          sp_name_qualifier == rhs.sp_name_qualifier
     end
 
-    def build(builder, options = {})
+    def build(builder, element: nil)
       args = {}
       args['Format'] = format if format
-      args['xmlns:saml'] = Namespaces::SAML if options[:include_namespace]
-      builder['saml'].__send__(options.delete(:element) || 'NameID', id, args)
+      args['NameQualifier'] = name_qualifier if name_qualifier
+      args['SPNameQualifier'] = sp_name_qualifier if sp_name_qualifier
+      builder['saml'].__send__(element || 'NameID', id, args)
     end
   end
 end

data/lib/saml2/organization_and_contacts.rb

@@ -18,13 +18,13 @@ module SAML2
 
     def organization
       unless instance_variable_defined?(:@organization)
-        @organization = Organization.from_xml(@root.at_xpath('md:Organization', Namespaces::ALL))
+        @organization = Organization.from_xml(xml.at_xpath('md:Organization', Namespaces::ALL))
       end
       @organization
     end
 
     def contacts
-      @contacts ||= load_object_array(@root, 'md:ContactPerson', Contact)
+      @contacts ||= load_object_array(xml, 'md:ContactPerson', Contact)
     end
 
     protected

data/lib/saml2/request.rb

@@ -0,0 +1,8 @@
+require 'saml2/message'
+require 'saml2/name_id'
+require 'saml2/namespaces'
+
+module SAML2
+  class Request < Message
+  end
+end

data/lib/saml2/response.rb

@@ -1,20 +1,14 @@
 require 'nokogiri-xmlsec'
-require 'securerandom'
 require 'time'
 
 require 'saml2/assertion'
 require 'saml2/authn_statement'
-require 'saml2/base'
+require 'saml2/status_response'
 require 'saml2/subject'
 
 module SAML2
-  class Response < Base
-    module Status
-      SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success".freeze
-    end
-
-    attr_reader :id, :issue_instant, :assertions
-    attr_accessor :issuer, :in_response_to, :destination, :status_code
+  class Response < StatusResponse
+    attr_reader :assertions
 
     def self.respond_to(authn_request, issuer, name_id, attributes = nil)
       response = initiate(nil, issuer, name_id)
@@ -59,9 +53,7 @@ module SAML2
     end
 
     def initialize
-      @id = "_#{SecureRandom.uuid}"
-      @status_code = Status::SUCCESS
-      @issue_instant = Time.now.utc
+      super
       @assertions = []
     end
 
@@ -70,21 +62,13 @@ module SAML2
     end
 
     private
+
     def build(builder)
       builder['samlp'].Response(
         'xmlns:samlp' => Namespaces::SAMLP,
-        ID: id,
-        Version: '2.0',
-        IssueInstant: issue_instant.iso8601,
-        Destination: destination
+        'xmlns:saml' => Namespaces::SAML
       ) do |response|
-        response.parent['InResponseTo'] = in_response_to if in_response_to
-
-        issuer.build(response, element: 'Issuer', include_namespace: true) if issuer
-
-        response['samlp'].Status do |status|
-          status['samlp'].StatusCode(Value: status_code)
-          end
+        super(response)
 
         assertions.each do |assertion|
           response.parent << assertion.to_xml

data/lib/saml2/role.rb

@@ -23,17 +23,16 @@ module SAML2
 
     def from_xml(node)
       super
-      @root = node
       @supported_protocols = nil
       @keys = nil
     end
 
     def supported_protocols
-      @supported_protocols ||= @root['protocolSupportEnumeration'].split
+      @supported_protocols ||= xml['protocolSupportEnumeration'].split
     end
 
     def keys
-      @keys ||= load_object_array(@root, 'md:KeyDescriptor', Key)
+      @keys ||= load_object_array(xml, 'md:KeyDescriptor', Key)
     end
 
     def signing_keys

data/lib/saml2/service_provider.rb

@@ -5,18 +5,40 @@ require 'saml2/sso'
 
 module SAML2
   class ServiceProvider < SSO
+    def initialize
+      super
+      @assertion_consumer_services = []
+      @attribute_consuming_services = []
+    end
+
+    def from_xml(node)
+      super
+      @assertion_consumer_services = nil
+      @attribute_consuming_services = nil
+    end
+
     def assertion_consumer_services
       @assertion_consumer_services ||= begin
-        nodes = @root.xpath('md:AssertionConsumerService', Namespaces::ALL)
+        nodes = xml.xpath('md:AssertionConsumerService', Namespaces::ALL)
         Endpoint::Indexed::Array.from_xml(nodes)
       end
     end
 
     def attribute_consuming_services
       @attribute_consuming_services ||= begin
-        nodes = @root.xpath('md:AttributeConsumingService', Namespaces::ALL)
+        nodes = xml.xpath('md:AttributeConsumingService', Namespaces::ALL)
         AttributeConsumingService::Array.from_xml(nodes)
       end
     end
+
+    def build(builder)
+      builder['md'].SPSSODescriptor do |sp_sso_descriptor|
+        super(sp_sso_descriptor)
+
+        assertion_consumer_services.each do |acs|
+          acs.build(sp_sso_descriptor, 'AssertionConsumerService')
+        end
+      end
+    end
   end
 end