saml2 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b77541aa53787757d03865855dbbb84da27edaba
-  data.tar.gz: f53032507b4c09f95e1e0f2def917e8760a5f41a
+  metadata.gz: 102b176691a071893741f0bf750836e0bc72e8f0
+  data.tar.gz: afac3ee0941535c504f75c7b24137f55a1021f27
 SHA512:
-  metadata.gz: 2658dc70caec44d8a6b2d8b3e014f419a2887a82a43dc6e2280c1f43437d5d162bc86b9197f144d386709317f4f39b1d692d8bb03d0bd340943fd460ec8d430f
-  data.tar.gz: 5fcd948501794284e79ba05f8296c4d5e9492f4624210b80fafde2edd760f47de26476bed1f67b8f6e8607c682e5f6e732b40a796ba03a47503c324c8d037cfc
+  metadata.gz: 2a982caa3e5e5ac9ad4a392f8b6a680f85e330b0a3ed898a2b9dccf2896f4a282a1aba14e5743466aaac7f4b368ff8b40e75ccb03ef2e89b35c658c9a90b1a16
+  data.tar.gz: 251540ba69cc06316961865d9333b5d4da0a8ebcb3c9622039483c87ce222f9e221280087bcfedc36669c77f6539a27716f228fb0218083c6a590c0b7ed51b75

data/lib/saml2/attribute.rb

@@ -24,7 +24,7 @@ module SAML2
 
       def from_xml(node)
         # pass through for subclasses
-        super unless self == Attribute
+        return super unless self == Attribute
 
         # look for an appropriate subclass
         klass = class_for(node)
@@ -76,7 +76,6 @@ module SAML2
                when 1; values.first
                else; values
                end
-      super
     end
 
     private
@@ -128,8 +127,6 @@ module SAML2
       @attributes = node.xpath('saml:Attribute', Namespaces::ALL).map do |attr|
         Attribute.from_xml(attr)
       end
-
-      super
     end
 
     def build(builder)

data/lib/saml2/attribute_consuming_service.rb

@@ -12,8 +12,8 @@ module SAML2
     end
 
     def from_xml(node)
-      @is_required = node['isRequired'] && node['isRequired'] == 'true'
       super
+      @is_required = node['isRequired'] && node['isRequired'] == 'true'
     end
 
     def required?
@@ -47,13 +47,13 @@ module SAML2
     attr_reader :name, :requested_attributes
 
     def initialize(name = nil, requested_attributes = [])
+      super()
       @name, @requested_attributes = name, requested_attributes
     end
 
     def from_xml(node)
       @name = node['ServiceName']
       @requested_attributes = load_object_array(node, "md:RequestedAttribute", RequestedAttribute)
-      super
     end
 
     def create_statement(attributes)

data/lib/saml2/base.rb

@@ -4,11 +4,12 @@ module SAML2
   class Base
     def self.from_xml(node)
       return nil unless node
-      new.from_xml(node)
+      result = new
+      result.from_xml(node)
+      result
     end
 
-    def from_xml(node)
-      self
+    def from_xml(_node)
     end
 
     def to_s
@@ -17,7 +18,7 @@ module SAML2
     end
 
     def to_xml
-      unless @document
+      unless instance_variable_defined?(:@document)
         builder = Nokogiri::XML::Builder.new
         build(builder)
         @document = builder.doc

data/lib/saml2/endpoint.rb

@@ -11,7 +11,7 @@ module SAML2
 
     attr_reader :location, :binding
 
-    def initialize(location, binding = Bindings::HTTP_POST)
+    def initialize(location = nil, binding = Bindings::HTTP_POST)
       @location, @binding = location, binding
     end
 
@@ -22,7 +22,6 @@ module SAML2
     def from_xml(node)
       @location = node['Location']
       @binding = node['Binding']
-      self
     end
 
     def build(builder, element)

data/lib/saml2/entity.rb

@@ -28,44 +28,91 @@ module SAML2
 
     class Group < Array
       def self.from_xml(node)
-        node && new(node)
+        node && new.from_xml(node)
       end
 
-      def initialize(root)
-        @root = root
+      def initialize
+        @valid_until = nil
+      end
+
+      def from_xml(node)
+        @root = node
+        remove_instance_variable(:@valid_until)
         replace(Base.load_object_array(@root, "md:EntityDescriptor|md:EntitiesDescriptor",
                 'EntityDescriptor' => Entity,
                 'EntitiesDescriptor' => Group))
       end
 
       def valid_schema?
-        Schemas.metadata.valid?(@root.document)
+        Schemas.federation.valid?(@root.document)
+      end
+
+      def signature
+        unless instance_variable_defined?(:@signature)
+          @signature = @root.at_xpath('dsig:Signature', Namespaces::ALL)
+          signed_node = @signature.at_xpath('dsig:SignedInfo/dsig:Reference', Namespaces::ALL)['URI']
+          @root.set_id_attribute('ID')
+          @signature = nil unless signed_node == "##{@root['ID']}"
+        end
+        @signature
+      end
+
+      def signed?
+        !!signature
+      end
+
+      def valid_signature?(*args)
+        signature.verify_with(*args)
+      end
+
+      def valid_until
+        unless instance_variable_defined?(:@valid_until)
+          @valid_until = @root['validUntil'] && Time.parse(@root['validUntil'])
+        end
+        @valid_until
       end
     end
 
-    def self.from_xml(node)
-      node && new(node)
+    def initialize
+      super
+      @valid_until = nil
+      @entity_id = nil
+      @roles = []
     end
 
-    def initialize(root = nil)
+    def from_xml(node)
+      @root = node
+      remove_instance_variable(:@valid_until)
+      @roles = nil
       super
-      @root = root
-      unless @root
-        @roles = []
-      end
     end
 
     def valid_schema?
-      Schemas.metadata.valid?(@root.document)
+      Schemas.federation.valid?(@root.document)
     end
 
     def entity_id
       @entity_id || @root && @root['entityID']
     end
 
+    def valid_until
+      unless instance_variable_defined?(:@valid_until)
+        @valid_until = @root['validUntil'] && Time.parse(@root['validUntil'])
+      end
+      @valid_until
+    end
+
+    def identity_providers
+      roles.select { |r| r.is_a?(IdentityProvider) }
+    end
+
+    def service_providers
+      roles.select { |r| r.is_a?(ServiceProvider) }
+    end
+
     def roles
-      # TODO: load IdPSSODescriptors as well
-      @roles ||= load_object_array(@root, 'md:SPSSODescriptor', ServiceProvider)
+      @roles ||= load_object_array(@root, 'md:IDPSSODescriptor', IdentityProvider) +
+          load_object_array(@root, 'md:SPSSODescriptor', ServiceProvider)
     end
 
     def build(builder)

data/lib/saml2/identity_provider.rb

@@ -5,14 +5,20 @@ module SAML2
   class IdentityProvider < SSO
     attr_writer :want_authn_requests_signed, :single_sign_on_services, :attribute_profiles, :attributes
 
-    def initialize(node = nil)
-      super(node)
-      unless node
-        @want_authn_requests_signed = nil
-        @single_sign_on_services = []
-        @attribute_profiles = []
-        @attributes = []
-      end
+    def initialize
+      super
+      @want_authn_requests_signed = nil
+      @single_sign_on_services = []
+      @attribute_profiles = []
+      @attributes = []
+    end
+
+    def from_xml(node)
+      super
+      remove_instance_variable(:@want_authn_requests_signed)
+      @single_sign_on_services = nil
+      @attribute_profiles = nil
+      @attributes = nil
     end
 
     def want_authn_requests_signed?

data/lib/saml2/indexed_object.rb

@@ -4,6 +4,11 @@ module SAML2
   module IndexedObject
     attr_reader :index
 
+    def initialize(*args)
+      @is_default = nil
+      super
+    end
+
     def eql?(rhs)
       index == rhs.index &&
           default? == rhs.default? &&
@@ -11,7 +16,7 @@ module SAML2
     end
 
     def default?
-      @is_default
+      !!@is_default
     end
 
     def from_xml(node)

data/lib/saml2/key.rb

@@ -29,6 +29,14 @@ module SAML2
       use.nil? || use == Type::SIGNING
     end
 
+    def certificate
+      @certificate ||= OpenSSL::X509::Certificate.new(Base64.decode64(x509))
+    end
+
+    def fingerprint
+      @fingerprint ||= Digest::SHA1.hexdigest(certificate.to_der).gsub(/(\h{2})(?=\h)/, '\1:')
+    end
+
     def build(builder)
       builder['md'].KeyDescriptor do |builder|
         builder.parent['use'] = use if use

data/lib/saml2/organization_and_contacts.rb

@@ -5,11 +5,15 @@ module SAML2
   module OrganizationAndContacts
     attr_writer :organization, :contacts
 
-    def initialize(node = nil)
-      unless node
-        @organization = nil
-        @contacts = []
-      end
+    def initialize
+      @organization = nil
+      @contacts = []
+    end
+
+    def from_xml(node)
+      remove_instance_variable(:@organization)
+      @contacts = nil
+      super
     end
 
     def organization

data/lib/saml2/role.rb

@@ -14,14 +14,18 @@ module SAML2
 
     attr_writer :supported_protocols, :keys
 
-    def initialize(node = nil)
+    def initialize
+      super
+      @supported_protocols = Set.new
+      @supported_protocols << Protocols::SAML2
+      @keys = []
+    end
+
+    def from_xml(node)
       super
       @root = node
-      unless @root
-        @supported_protocols = Set.new
-        @supported_protocols << Protocols::SAML2
-        @keys = []
-      end
+      @supported_protocols = nil
+      @keys = nil
     end
 
     def supported_protocols

data/lib/saml2/schemas.rb

@@ -1,5 +1,9 @@
 module SAML2
   module Schemas
+    def self.federation
+      @federation ||= schema('ws-federation.xsd')
+    end
+
     def self.metadata
       @metadata ||= schema('saml-schema-metadata-2.0.xsd')
     end

data/lib/saml2/service_provider.rb

@@ -5,14 +5,6 @@ require 'saml2/sso'
 
 module SAML2
   class ServiceProvider < SSO
-    class << self
-      alias_method :from_xml, :new
-    end
-
-    def initialize(root)
-      @root = root
-    end
-
     def assertion_consumer_services
       @assertion_consumer_services ||= begin
         nodes = @root.xpath('md:AssertionConsumerService', Namespaces::ALL)

data/lib/saml2/sso.rb

@@ -4,12 +4,16 @@ module SAML2
   class SSO < Role
     attr_reader :single_logout_services, :name_id_formats
 
-    def initialize(node = nil)
+    def initialize
       super
-      unless node
-        @single_logout_services = []
-        @name_id_formats = []
-      end
+      @single_logout_services = []
+      @name_id_formats = []
+    end
+
+    def from_xml(node)
+      super
+      @single_logout_services = nil
+      @name_id_formats = nil
     end
 
     def single_logout_services

data/lib/saml2/version.rb

@@ -1,3 +1,3 @@
 module SAML2
-  VERSION = '1.0.5'
+  VERSION = '1.0.6'
 end

data/schemas/MetadataExchange.xsd

@@ -0,0 +1,112 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<!--
+(c) 2004-2006 BEA Systems Inc., Computer Associates International, Inc.,
+International Business Machines Corporation, Microsoft Corporation,
+Inc., SAP AG, Sun Microsystems, and webMethods. All rights reserved. 
+
+Permission to copy and display the WS-MetadataExchange Specification
+(the "Specification"), in any medium without fee or royalty is hereby
+granted, provided that you include the following on ALL copies of the
+Specification that you make:
+
+1.	A link or URL to the Specification at this location.
+2.	The copyright notice as shown in the Specification.
+
+BEA Systems, Computer Associates, IBM, Microsoft, SAP, Sun, and
+webMethods (collectively, the "Authors") each agree to grant you a
+license, under royalty-free and otherwise reasonable,
+non-discriminatory terms and conditions, to their respective essential
+patent claims that they deem necessary to implement the
+WS-MetadataExchange Specification.
+
+THE SPECIFICATION IS PROVIDED "AS IS," AND THE AUTHORS MAKE NO
+REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THE
+SPECIFICATION ARE SUITABLE FOR ANY PURPOSE; NOR THAT THE
+IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY
+PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+
+THE AUTHORS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL,
+INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING TO ANY
+USE OR DISTRIBUTION OF THE SPECIFICATIONS.
+
+The name and trademarks of the Authors may NOT be used in any manner,
+including advertising or publicity pertaining to the Specifications or
+their contents without specific, written prior permission. Title to
+copyright in the Specifications will at all times remain with the
+Authors.
+
+No other rights are granted by implication, estoppel or otherwise.
+-->
+
+<xs:schema
+    targetNamespace='http://schemas.xmlsoap.org/ws/2004/09/mex'
+    xmlns:tns='http://schemas.xmlsoap.org/ws/2004/09/mex'
+    xmlns:wsa10='http://www.w3.org/2005/08/addressing'
+    xmlns:wsa04='http://schemas.xmlsoap.org/ws/2004/08/addressing'
+    xmlns:xs='http://www.w3.org/2001/XMLSchema'
+    elementFormDefault='qualified'
+    blockDefault='#all' >
+
+  <!-- Get Metadata request -->
+  <xs:element name='GetMetadata' >
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref='tns:Dialect' minOccurs='0' />
+        <xs:element ref='tns:Identifier' minOccurs='0' />
+      </xs:sequence>
+      <xs:anyAttribute namespace='##other' processContents='lax' />
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name='Dialect' type='xs:anyURI' />
+  <xs:element name='Identifier' type='xs:anyURI' />
+
+  <!-- Get Metadata response -->
+  <xs:element name='Metadata' >
+    <xs:complexType>
+      <xs:sequence>
+        <xs:element ref='tns:MetadataSection'
+                    minOccurs='0'
+                    maxOccurs='unbounded' />
+        <xs:any namespace='##other' processContents='lax'
+                minOccurs='0'
+                maxOccurs='unbounded' />
+      </xs:sequence>
+      <xs:anyAttribute namespace='##other' processContents='lax' />
+    </xs:complexType>
+  </xs:element>
+
+  <xs:element name='MetadataSection' >
+    <xs:complexType>
+      <xs:choice>
+        <xs:any namespace='##other' processContents='lax' />
+        <xs:element ref='tns:MetadataReference' />
+        <xs:element ref='tns:Location' />
+      </xs:choice>
+      <xs:attribute name='Dialect' type='xs:anyURI' use='required' />
+      <xs:attribute name='Identifier' type='xs:anyURI' />
+      <xs:anyAttribute namespace='##other' processContents='lax' />
+    </xs:complexType>
+  </xs:element>
+  
+  <!-- 
+       Ideally, the type of the MetadataReference would have been
+       the union of wsa04:EndpointReferenceType and
+       wsa10:EndpointReferenceType but unfortunately xs:union only
+       works for simple types. As a result, we have to define
+       the mex:MetadataReference using xs:any.
+  -->
+
+  <xs:element name='MetadataReference'>
+    <xs:complexType>
+      <xs:sequence>
+        <xs:any minOccurs='1' maxOccurs='unbounded' 
+                processContents='lax' namespace='##other' />
+      </xs:sequence>
+    </xs:complexType>
+  </xs:element>
+  <xs:element name='Location'
+              type='xs:anyURI' />
+</xs:schema>