saml2ruby 1.1.0

data/README

@@ -0,0 +1,19 @@
+=Ruby SAML2
+
+Grabbed from https://opensso.dev.java.net/source/browse/opensso/extensions/saml2ruby/source/
+
+A Ruby library for SAML 2.0
+
+==Features
+* Easy to use API for acting as a SAML 2.0 relying party.
+
+
+
+
+
+
+
+
+
+
+

data/Rakefile

@@ -0,0 +1,111 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+require 'rake/packagetask'
+require 'rake/gempackagetask'
+
+require File.join(File.dirname(__FILE__), '/lib/saml_2_ruby/version')
+
+PKG_BUILD       = ENV['PKG_BUILD'] ? '.' + ENV['PKG_BUILD'] : ''
+PKG_NAME        = 'saml2ruby'
+PKG_VERSION     = SAML::VERSION::STRING + PKG_BUILD
+PKG_FILE_NAME   = "#{PKG_NAME}-#{PKG_VERSION}"
+PKG_DESTINATION = ENV["PKG_DESTINATION"] || "../#{PKG_NAME}"
+
+RELEASE_NAME  = "REL #{PKG_VERSION}"
+
+PKG_FILES = FileList[
+  #'CHANGELOG',
+  #'LICENSE',
+  'README',
+  #'TODO',
+  'Rakefile',
+  'bin/**/*',
+  'doc/**/*',
+  'lib/**/*',
+] - [ 'test' ]
+
+require 'rubygems'
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "saml2ruby"
+    gemspec.summary = "Ruby implementation of the SAML 2.0 Specification"
+    gemspec.description = %Q{Part of the OpenSSO extension set.  Writting by the wonderful guys over at Sun.  Moved it over to a github repo and turned it into a rubygem.}
+    gemspec.email = ["scashin133@gmail.com"]
+    gemspec.homepage = "http://github.com/scashin133/saml2ruby"
+    gemspec.authors = ["Sean Cashin"]
+    gemspec.add_dependency('XMLCanonicalizer', '>=1.0.1')
+    gemspec.version = PKG_VERSION
+    gemspec.files = PKG_FILES.to_a
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available.  Install it with: gem install jeweler"
+end
+
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the library.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  test_files = FileList['test/**/*_test.rb']
+  t.test_files = test_files
+  t.verbose = true
+end
+
+desc 'Generate documentation for the library.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RSAML'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+namespace :rcov do
+  desc 'Measures test coverage'
+  task :test do
+    rm_f 'coverage.data'
+    mkdir 'coverage' unless File.exist?('coverage')
+    rcov = "rcov --aggregate coverage.data --text-summary -Ilib"
+    system("#{rcov} test/*_test.rb")
+    #system("open coverage/index.html") if PLATFORM['darwin']
+  end
+end
+
+desc "Generate code statistics"
+task :lines do
+  lines, codelines, total_lines, total_codelines = 0, 0, 0, 0
+
+  for file_name in FileList["lib/**/*.rb"]
+    next if file_name =~ /vendor/
+    f = File.open(file_name)
+
+    while line = f.gets
+      lines += 1
+      next if line =~ /^\s*$/
+      next if line =~ /^\s*#/
+      codelines += 1
+    end
+    puts "L: #{sprintf("%4d", lines)}, LOC #{sprintf("%4d", codelines)} | #{file_name}"
+    
+    total_lines     += lines
+    total_codelines += codelines
+    
+    lines, codelines = 0, 0
+  end
+
+  puts "Total: Lines #{total_lines}, LOC #{total_codelines}"
+end
+
+desc "Reinstall the gem from a local package copy"
+task :reinstall => [:package] do
+  windows = RUBY_PLATFORM =~ /mswin/
+  sudo = windows ? '' : 'sudo'
+  gem = windows ? 'gem.bat' : 'gem'
+  `#{sudo} #{gem} uninstall -x -i #{PKG_NAME}`
+  `#{sudo} #{gem} install pkg/#{PKG_NAME}-#{PKG_VERSION}`
+end

data/TODO

@@ -0,0 +1,3 @@
+
+
+

data/examples/rails/SimpleSAMLRP/app/controllers/account_controller.rb

@@ -0,0 +1,74 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: account_controller.rb,v 1.1 2007/03/20 05:26:56 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require "pathname"
+require "cgi"
+require "saml2ruby"
+
+
+class AccountController < ApplicationController
+  
+  def login
+      relying_party = SAML::RelyingParty.new(
+        :assertion_consumer_service_URL => "http://localhost:3008/account/complete",
+        :issuer => "localhost_ruby",
+        :sp_name_qualifier => "localhost_ruby",
+        :idp_sso_target_url => "http://localhost:8080/openfm-samples-ip/SSORedirect/metaAlias/ip_meta_alias",
+        :idp_slo_target_url => "http://localhost:8080/openfm-samples-ip/IDPSloRedirect/metaAlias/ip_meta_alias",
+        :idp_cert_fingerprint => "93:bd:43:a4:60:65:a4:05:95:98:a9:d8:f4:8b:4c:c8:5f:31:87:e9" 
+      )
+      relying_party.logger = logger
+      session[:relying_party] = relying_party
+      request = relying_party.create_auth_request      
+      redirect_to(request)
+  end
+
+  def complete    
+
+    if params[:SAMLResponse].empty?
+        flash[:notice] = 'Unknown response from SAML server.'
+        redirect_to :action => 'index' 
+    end
+
+    valid_flag = session[:relying_party].process_auth_response(params[:SAMLResponse])
+    
+    if valid_flag
+      redirect_to :action => "welcome"
+    else
+      flash[:notice] = 'invalid SAML Response.'
+      redirect_to :action => "index"
+    end
+    
+  end
+  
+  def logout
+  
+    request = session[:relying_party].create_logout_request
+    session[:relying_party] = nil
+
+    redirect_to(request)
+    
+  end
+     
+end

data/examples/rails/SimpleSAMLRP/app/controllers/application.rb

@@ -0,0 +1,7 @@
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class ApplicationController < ActionController::Base
+  # Pick a unique cookie name to distinguish our session data from others'
+  session :session_key => '_SimpleSAMLRP_session_id'
+end

data/examples/rails/SimpleSAMLRP/app/helpers/account_helper.rb

@@ -0,0 +1,2 @@
+module AccountHelper
+end

data/examples/rails/SimpleSAMLRP/app/helpers/application_helper.rb

@@ -0,0 +1,3 @@
+# Methods added to this helper will be available to all templates in the application.
+module ApplicationHelper
+end

data/examples/rails/SimpleSAMLRP/config/boot.rb

@@ -0,0 +1,45 @@
+# Don't change this file. Configuration is done in config/environment.rb and config/environments/*.rb
+
+unless defined?(RAILS_ROOT)
+  root_path = File.join(File.dirname(__FILE__), '..')
+
+  unless RUBY_PLATFORM =~ /mswin32/
+    require 'pathname'
+    root_path = Pathname.new(root_path).cleanpath(true).to_s
+  end
+
+  RAILS_ROOT = root_path
+end
+
+unless defined?(Rails::Initializer)
+  if File.directory?("#{RAILS_ROOT}/vendor/rails")
+    require "#{RAILS_ROOT}/vendor/rails/railties/lib/initializer"
+  else
+    require 'rubygems'
+
+    environment_without_comments = IO.readlines(File.dirname(__FILE__) + '/environment.rb').reject { |l| l =~ /^#/ }.join
+    environment_without_comments =~ /[^#]RAILS_GEM_VERSION = '([\d.]+)'/
+    rails_gem_version = $1
+
+    if version = defined?(RAILS_GEM_VERSION) ? RAILS_GEM_VERSION : rails_gem_version
+      # Asking for 1.1.6 will give you 1.1.6.5206, if available -- makes it easier to use beta gems
+      rails_gem = Gem.cache.search('rails', "~>#{version}.0").sort_by { |g| g.version.version }.last
+
+      if rails_gem
+        require_gem "rails", "=#{rails_gem.version.version}"
+        require rails_gem.full_gem_path + '/lib/initializer'
+      else
+        STDERR.puts %(Cannot find gem for Rails ~>#{version}.0:
+    Install the missing gem with 'gem install -v=#{version} rails', or
+    change environment.rb to define RAILS_GEM_VERSION with your desired version.
+  )
+        exit 1
+      end
+    else
+      require_gem "rails"
+      require 'initializer'
+    end
+  end
+
+  Rails::Initializer.run(:set_load_path)
+end

data/examples/rails/SimpleSAMLRP/config/environment.rb

@@ -0,0 +1,56 @@
+# Be sure to restart your web server when you modify this file.
+
+# Uncomment below to force Rails into production mode when 
+# you don't control web/app server and can't set it the proper way
+# ENV['RAILS_ENV'] ||= 'production'
+
+# Specifies gem version of Rails to use when vendor/rails is not present
+RAILS_GEM_VERSION = '1.1.6' unless defined? RAILS_GEM_VERSION
+
+# Bootstrap the Rails environment, frameworks, and default configuration
+require File.join(File.dirname(__FILE__), 'boot')
+
+Rails::Initializer.run do |config|
+  # Settings in config/environments/* take precedence over those specified here
+  
+  # Skip frameworks you're not going to use (only works if using vendor/rails)
+  # config.frameworks -= [ :action_web_service, :action_mailer ]
+
+  # Only load the plugins named here, by default all plugins in vendor/plugins are loaded
+  # config.plugins = %W( exception_notification ssl_requirement )
+
+  # Add additional load paths for your own custom dirs
+  # config.load_paths += %W( #{RAILS_ROOT}/extras )
+
+  # Force all environments to use the same logger level 
+  # (by default production uses :info, the others :debug)
+  # config.log_level = :debug
+
+  # Use the database for sessions instead of the file system
+  # (create the session table with 'rake db:sessions:create')
+  # config.action_controller.session_store = :active_record_store
+
+  # Use SQL instead of Active Record's schema dumper when creating the test database.
+  # This is necessary if your schema can't be completely dumped by the schema dumper, 
+  # like if you have constraints or database-specific column types
+  # config.active_record.schema_format = :sql
+
+  # Activate observers that should always be running
+  # config.active_record.observers = :cacher, :garbage_collector
+
+  # Make Active Record use UTC-base instead of local time
+  # config.active_record.default_timezone = :utc
+  
+  # See Rails::Configuration for more options
+end
+
+# Add new inflection rules using the following format 
+# (all these examples are active by default):
+# Inflector.inflections do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# Include your application configuration below

data/examples/rails/SimpleSAMLRP/config/environments/development.rb

@@ -0,0 +1,21 @@
+# Settings specified here will take precedence over those in config/environment.rb
+
+# In the development environment your application's code is reloaded on
+# every request.  This slows down response time but is perfect for development
+# since you don't have to restart the webserver when you make code changes.
+config.cache_classes = false
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Enable the breakpoint server that script/breakpointer connects to
+config.breakpoint_server = true
+
+# Show full error reports and disable caching
+config.action_controller.consider_all_requests_local = true
+config.action_controller.perform_caching             = false
+config.action_view.cache_template_extensions         = false
+config.action_view.debug_rjs                         = true
+
+# Don't care if the mailer can't send
+config.action_mailer.raise_delivery_errors = false

data/examples/rails/SimpleSAMLRP/config/environments/production.rb

@@ -0,0 +1,18 @@
+# Settings specified here will take precedence over those in config/environment.rb
+
+# The production environment is meant for finished, "live" apps.
+# Code is not reloaded between requests
+config.cache_classes = true
+
+# Use a different logger for distributed setups
+# config.logger = SyslogLogger.new
+
+# Full error reports are disabled and caching is turned on
+config.action_controller.consider_all_requests_local = false
+config.action_controller.perform_caching             = true
+
+# Enable serving of images, stylesheets, and javascripts from an asset server
+# config.action_controller.asset_host                  = "http://assets.example.com"
+
+# Disable delivery errors, bad email addresses will be ignored
+# config.action_mailer.raise_delivery_errors = false

data/examples/rails/SimpleSAMLRP/config/environments/test.rb

@@ -0,0 +1,19 @@
+# Settings specified here will take precedence over those in config/environment.rb
+
+# The test environment is used exclusively to run your application's
+# test suite.  You never need to work with it otherwise.  Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs.  Don't rely on the data there!
+config.cache_classes = true
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.action_controller.consider_all_requests_local = true
+config.action_controller.perform_caching             = false
+
+# Tell ActionMailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+config.action_mailer.delivery_method = :test

data/examples/rails/SimpleSAMLRP/config/routes.rb

@@ -0,0 +1,23 @@
+ActionController::Routing::Routes.draw do |map|
+  # The priority is based upon order of creation: first created -> highest priority.
+  
+  # Sample of regular route:
+  # map.connect 'products/:id', :controller => 'catalog', :action => 'view'
+  # Keep in mind you can assign values other than :controller and :action
+
+  # Sample of named route:
+  # map.purchase 'products/:id/purchase', :controller => 'catalog', :action => 'purchase'
+  # This route can be invoked with purchase_url(:id => product.id)
+
+  # You can have the root of your site routed by hooking up '' 
+  # -- just remember to delete public/index.html.
+  # map.connect '', :controller => "welcome"
+
+  # Allow downloading Web Service WSDL as a file with an extension
+  # instead of a file named 'wsdl'
+  map.connect ':controller/service.wsdl', :action => 'wsdl'
+
+  # Install the default route as the lowest priority.
+  map.connect ':controller/:action/:id.:format'
+  map.connect ':controller/:action/:id'
+end

data/examples/rails/SimpleSAMLRP/public/dispatch.rb

@@ -0,0 +1,10 @@
+#!c:/ruby/bin/ruby
+
+require File.dirname(__FILE__) + "/../config/environment" unless defined?(RAILS_ROOT)
+
+# If you're using RubyGems and mod_ruby, this require should be changed to an absolute path one, like:
+# "/usr/local/lib/ruby/gems/1.8/gems/rails-0.8.0/lib/dispatcher" -- otherwise performance is severely impaired
+require "dispatcher"
+
+ADDITIONAL_LOAD_PATHS.reverse.each { |dir| $:.unshift(dir) if File.directory?(dir) } if defined?(Apache::RubyRun)
+Dispatcher.dispatch

data/examples/rails/SimpleSAMLRP/test/functional/account_controller_test.rb

@@ -0,0 +1,18 @@
+require File.dirname(__FILE__) + '/../test_helper'
+require 'account_controller'
+
+# Re-raise errors caught by the controller.
+class AccountController; def rescue_action(e) raise e end; end
+
+class AccountControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = AccountController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+  end
+
+  # Replace this with your real tests.
+  def test_truth
+    assert true
+  end
+end

data/examples/rails/SimpleSAMLRP/test/test_helper.rb

@@ -0,0 +1,28 @@
+ENV["RAILS_ENV"] = "test"
+require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
+require 'test_help'
+
+class Test::Unit::TestCase
+  # Transactional fixtures accelerate your tests by wrapping each test method
+  # in a transaction that's rolled back on completion.  This ensures that the
+  # test database remains unchanged so your fixtures don't have to be reloaded
+  # between every test method.  Fewer database queries means faster tests.
+  #
+  # Read Mike Clark's excellent walkthrough at
+  #   http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
+  #
+  # Every Active Record database supports transactions except MyISAM tables
+  # in MySQL.  Turn off transactional fixtures in this case; however, if you
+  # don't care one way or the other, switching from MyISAM to InnoDB tables
+  # is recommended.
+  self.use_transactional_fixtures = true
+
+  # Instantiated fixtures are slow, but give you @david where otherwise you
+  # would need people(:david).  If you don't want to migrate your existing
+  # test cases which use the @david style and don't mind the speed hit (each
+  # instantiated fixtures translates to a database query per test method),
+  # then set this back to true.
+  self.use_instantiated_fixtures  = false
+
+  # Add more helper methods to be used by all tests here...
+end

data/lib/saml2ruby.rb

@@ -0,0 +1 @@
+require 'saml_2_ruby'

data/lib/saml_2_ruby.rb

@@ -0,0 +1,5 @@
+
+$:.unshift(File.dirname(__FILE__))
+
+require "saml_2_ruby/xml_sec" 
+require 'saml_2_ruby/relying_party'

data/lib/saml_2_ruby/relying_party.rb

@@ -0,0 +1,170 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: relying_party.rb,v 1.1 2007/03/19 22:45:54 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+
+require "base64"
+require "rexml/document"
+
+module SAML
+
+  class RelyingParty
+  
+    cattr_accessor :logger
+    attr_accessor :name_id
+          
+    def initialize(metadata)
+      @assertion_consumer_service_URL = metadata[:assertion_consumer_service_URL]
+      @issuer = metadata[:issuer]
+      @sp_name_qualifier = metadata[:sp_name_qualifier]
+      @idp_sso_target_url = metadata[:idp_sso_target_url]
+      @idp_slo_target_url = metadata[:idp_slo_target_url]
+      @idp_cert_fingerprint = metadata[:idp_cert_fingerprint]
+    end
+    
+    def create_auth_request
+
+      id = generateUniqueHexCode(42)
+      issue_instant = Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+      
+      auth_request = "<samlp:AuthnRequest  " +
+        "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n" +
+        "ID=\"" + id + "\" " +
+        "Version=\"2.0\" " +
+        "IssueInstant=\"" + issue_instant + "\" " +
+        "ForceAuthn=\"false\" " +
+        "isPassive=\"false\" " +
+        "ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" " +
+        "AssertionConsumerServiceURL=\"" + @assertion_consumer_service_URL + "\">\n" +
+          "<saml:Issuer " +
+          "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
+            @issuer +
+          "</saml:Issuer>\n" +
+          "<samlp:NameIDPolicy  " +
+          "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
+          "Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\" " +
+          "SPNameQualifier=\"" + @sp_name_qualifier + "\" " +
+          "AllowCreate=\"true\">\n" +
+          "</samlp:NameIDPolicy>\n" +
+          "<samlp:RequestedAuthnContext " +
+          "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " +
+          "Comparison=\"exact\">" +
+            "<saml:AuthnContextClassRef " +
+            "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
+              "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" +
+            "</saml:AuthnContextClassRef>" +
+          "</samlp:RequestedAuthnContext>\n" +
+        "</samlp:AuthnRequest>"
+      
+      logger.info(auth_request) if !logger.nil?
+      
+      deflated_auth_request = Zlib::Deflate.deflate(auth_request, 9)[2..-5]     
+      base64_auth_request = Base64.encode64(deflated_auth_request)  
+      encoded_auth_request = CGI.escape(base64_auth_request)  
+    
+
+      redirect_url = @idp_sso_target_url + "?SAMLRequest=" + encoded_auth_request 
+  
+      return redirect_url
+      
+    end
+
+    def process_auth_response(raw_response)
+    
+        logger.info("Raw Response: " + raw_response ) if !logger.nil?
+
+        # raw_response is all ready URL decoded...
+        @saml_response = Base64.decode64( raw_response )
+        logger.info("Authn response = " + @saml_response) if !logger.nil?
+
+        saml_response_doc = XMLSecurity::SignedDocument.new @saml_response
+                  
+        if valid_flag = saml_response_doc.validate(@idp_cert_fingerprint, logger)
+          self.name_id = saml_response_doc.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text
+        else
+          # error
+          logger.error("Invalid SAML response")
+        end          
+
+        return valid_flag
+    end
+    
+
+
+    def create_logout_request
+
+      saml_response_doc = REXML::Document.new @saml_response      
+      id = generateUniqueHexCode(42)
+      issue_instant = Time.new().strftime("%Y-%m-%dT%H:%M:%SZ")
+      name_id = saml_response_doc.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].text
+      name_qualifier = saml_response_doc.elements["/samlp:Response/saml:Assertion/saml:Subject/saml:NameID"].attributes["NameQualifier"]
+      session_index = saml_response_doc.elements["/samlp:Response/saml:Assertion/saml:AuthnStatement"].attributes["SessionIndex"]
+      
+      logout_request = "<samlp:LogoutRequest " +
+        "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " + 
+        "ID=\"" + id + "\" " +
+        "Version=\"2.0\" " +
+        "IssueInstant=\"" + issue_instant + "\"> " +
+          "<saml:Issuer " + 
+          "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" +
+            @issuer +
+          "</saml:Issuer>" +
+          "<saml:NameID " + 
+          "xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" " + 
+          "NameQualifier=\"" + name_qualifier + "\" " + 
+          "SPNameQualifier=\"" + @sp_name_qualifier + "\" " + 
+          "Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\">" + 
+            name_id +
+          "</saml:NameID>" + 
+          "<samlp:SessionIndex " +
+          "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">" + 
+            session_index +
+          "</samlp:SessionIndex>" +
+        "</samlp:LogoutRequest>";
+  
+      logger.info("Logout request = " + logout_request) if !logger.nil?
+  
+      deflated_logout_request = Zlib::Deflate.deflate(logout_request, 9)[2..-5]     
+      base64_logout_request = Base64.encode64(deflated_logout_request)  
+      encoded_logout_request = CGI.escape(base64_logout_request)  
+
+      redirect_url = @idp_slo_target_url + "?SAMLRequest=" + encoded_logout_request 
+  
+      return redirect_url
+      
+    end
+    
+    private
+    
+    def generateUniqueHexCode( codeLength )
+        validChars = ("A".."F").to_a + ("0".."9").to_a
+        length = validChars.size
+    
+        hexCode = ""
+        1.upto(codeLength) { |i| hexCode << validChars[rand(length-1)] }
+    
+        hexCode
+    end
+  end
+  
+end

data/lib/saml_2_ruby/version.rb

@@ -0,0 +1,9 @@
+module SAML#:nodoc:
+  module VERSION #:nodoc:
+    MAJOR = 1
+    MINOR = 1
+    TINY  = 0
+
+    STRING = [MAJOR, MINOR, TINY].join('.')
+  end
+end

data/lib/saml_2_ruby/xml_sec.rb

@@ -0,0 +1,111 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+ 
+#
+# WARNING, WARNING: VERY rudimentary
+#
+#
+module XMLSecurity
+
+  class SignedDocument < REXML::Document
+
+    def validate (idp_cert_fingerprint, logger)
+        
+      # get cert from response
+      base64_cert = self.elements["//X509Certificate"].text
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
+      
+      # check cert matches registered idp cert
+      fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+      logger.info("fingerprint = " + fingerprint) if !logger.nil?
+      valid_flag = fingerprint == idp_cert_fingerprint.gsub(":", "").downcase
+      
+      return valid_flag if !valid_flag 
+      
+      validate_doc(base64_cert, logger)
+    end
+    
+    def validate_doc(base64_cert, logger)
+      
+      #        
+      #validate references
+      #
+      
+      # remove signature node
+      sig_element = XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      sig_element.remove
+      
+      #check digests
+      logger.info("checking digests") if !logger.nil?
+      XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do | ref |          
+        uri = ref.attributes.get_attribute("URI").value
+        logger.info("URI = " + uri[1,uri.size]) if !logger.nil?
+        hashed_element = XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+        logger.info("hashed element = " + hashed_element.to_s) if !logger.nil?
+        canoner = XML::Util::XmlCanonicalizer.new(false, true)
+        canon_hashed_element = canoner.canonicalize_element(hashed_element)
+        logger.info("canon hashed element = " + canon_hashed_element) if !logger.nil?
+        hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+        digest_value = XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+        logger.info("hashed_element_hash = " + hash) if !logger.nil?
+        logger.info("digest_value_element = " + digest_value) if !logger.nil?
+        
+        valid_flag = hash == digest_value 
+        return valid_flag if !valid_flag
+      end
+ 
+      #
+      # verify dig sig
+      # 
+      logger.info("checking dig sig") if !logger.nil?
+
+      # signed_info_element.add_namespace("http://www.w3.org/2000/09/xmldsig#") if signed_info_element.namespace.nil? || signed_info_element.namespace.empty?
+      canoner = XML::Util::XmlCanonicalizer.new(false, true)
+      signed_info_element = XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+      canon_string = canoner.canonicalize_element(signed_info_element)
+      logger.info("canon INFO = " + canon_string) if !logger.nil?
+
+      base64_signature = XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+      logger.info("base 64 SIG = " + base64_signature) if !logger.nil?
+      signature = Base64.decode64(base64_signature)
+      logger.info("SIG = " + signature) if !logger.nil?
+      
+      # get cert object
+      cert_text = Base64.decode64(base64_cert)
+      cert = OpenSSL::X509::Certificate.new(cert_text)
+      
+      valid_flag = cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+        
+      return valid_flag
+    end
+   
+  end
+end

data/test/xml_sec_test.rb

@@ -0,0 +1,62 @@
+$LOAD_PATH.insert(0, File.expand_path(File.dirname(__FILE__)) + "/../lib")
+load "xml_sec.rb"
+require "logger"
+require "test/unit"
+
+class XMLSecurityTest < Test::Unit::TestCase
+
+  
+  def setup
+    @log = Logger.new("test_output.log")
+    @log.level = Logger::DEBUG
+    @log.info "starting"
+  end
+  
+  def test_open_fed_response
+    puts "Processing OpenFederation file"
+    @log.info "Processing OpenFederation file"
+    File.open("test/authNResponseOpenFed.xml", aModeString="r") {|file| 
+    
+      saml_response_doc = XMLSecurity::SignedDocument.new(file)
+               
+      base64_cert = saml_response_doc.elements["//X509Certificate"].text
+      assert saml_response_doc.validate_doc(base64_cert, @log) 
+    }
+  end
+  
+  def test_rsa_fim_response
+    puts "Processing RSA file"
+    @log.info "Processing RSA file"
+    File.open("test/authNResponseRSAFIM.xml", aModeString="r") {|file| 
+    
+      saml_response_doc = XMLSecurity::SignedDocument.new(file)
+               
+      base64_cert = "MIICODCCAaECBEatbN8wDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCTloxEDAOBgNVBAgTB1Vua25vd24xEzARBgNVBAcTCldlbGxpbmd0b24xDDAKBgNVBAoTA1NTQzEMMAoGA1UECxMDU1NDMREwDwYDVQQDEwhHTFMgU0FNTDAeFw0wNzA3MzAwNDQ1MTlaFw0xMjA3MjgwNDQ1MTlaMGMxCzAJBgNVBAYTAk5aMRAwDgYDVQQIEwdVbmtub3duMRMwEQYDVQQHEwpXZWxsaW5ndG9uMQwwCgYDVQQKEwNTU0MxDDAKBgNVBAsTA1NTQzERMA8GA1UEAxMIR0xTIFNBTUwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOy62p6wMNRRVCSs7/4fnPrHqFehVBaYeg9yayD1I/yqYXvmOgbYX/OnuIE+RylVDwkzmKHgNsLpw8jfw1Ee2f0qmZY1rs6x+jmE4yDLDR1eKNGCkB4hSep2cVknWCBBzvmrk1nKet8Aw460FU2+C5H67Iwj5sVqshi5noLXSckTAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAL2ebLISFR6F0RzeEpLOjv4kSfDhsELSzEi4vVqlmCm+YcRWH0ASik3Ynl1B/K05cosqD5RMJG71t6ZWNf/s5F4NX0blU0ZAWewQXIUS4CUZPcQT3K/WXbpWBjRDIY0Cj6Dim/yBdmYSxZV51sDAIfOq4FXb5bEPSCopKK1YQRLE="     
+      assert saml_response_doc.validate_doc(base64_cert, @log)
+    }
+  end
+  
+  def test_rsa_fim_response_after_enc
+    puts "Processing RSA file after encryption"
+    @log.info "Processing RSA file after encryption"
+    File.open("test/authNResponseRSAFIMAfterEncryption.xml", aModeString="r") {|file| 
+    
+      saml_response_doc = XMLSecurity::SignedDocument.new(file)
+               
+      base64_cert = "MIICODCCAaECBEatbN8wDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCTloxEDAOBgNVBAgTB1Vua25vd24xEzARBgNVBAcTCldlbGxpbmd0b24xDDAKBgNVBAoTA1NTQzEMMAoGA1UECxMDU1NDMREwDwYDVQQDEwhHTFMgU0FNTDAeFw0wNzA3MzAwNDQ1MTlaFw0xMjA3MjgwNDQ1MTlaMGMxCzAJBgNVBAYTAk5aMRAwDgYDVQQIEwdVbmtub3duMRMwEQYDVQQHEwpXZWxsaW5ndG9uMQwwCgYDVQQKEwNTU0MxDDAKBgNVBAsTA1NTQzERMA8GA1UEAxMIR0xTIFNBTUwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOy62p6wMNRRVCSs7/4fnPrHqFehVBaYeg9yayD1I/yqYXvmOgbYX/OnuIE+RylVDwkzmKHgNsLpw8jfw1Ee2f0qmZY1rs6x+jmE4yDLDR1eKNGCkB4hSep2cVknWCBBzvmrk1nKet8Aw460FU2+C5H67Iwj5sVqshi5noLXSckTAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAL2ebLISFR6F0RzeEpLOjv4kSfDhsELSzEi4vVqlmCm+YcRWH0ASik3Ynl1B/K05cosqD5RMJG71t6ZWNf/s5F4NX0blU0ZAWewQXIUS4CUZPcQT3K/WXbpWBjRDIY0Cj6Dim/yBdmYSxZV51sDAIfOq4FXb5bEPSCopKK1YQRLE="     
+      assert saml_response_doc.validate_doc(base64_cert, @log)
+    }
+  end
+  
+  def test_ak_assertion
+    puts "Processing AK file"
+    @log.info "Processing AK file"
+    File.open("test/assertion_from_AK.xml", aModeString="r") {|file| 
+    
+      saml_response_doc = XMLSecurity::SignedDocument.new(file)
+               
+      base64_cert = saml_response_doc.elements["//X509Certificate"].text
+      assert saml_response_doc.validate_doc(base64_cert, @log)
+    }
+  end
+end

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification 
+name: saml2ruby
+version: !ruby/object:Gem::Version 
+  version: 1.1.0
+platform: ruby
+authors: 
+- Sean Cashin
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-02-16 00:00:00 -08:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: XMLCanonicalizer
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.0.1
+    version: 
+description: Part of the OpenSSO extension set.  Writting by the wonderful guys over at Sun.  Moved it over to a github repo and turned it into a rubygem.
+email: 
+- scashin133@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+- TODO
+files: 
+- README
+- Rakefile
+- lib/saml2ruby.rb
+- lib/saml_2_ruby.rb
+- lib/saml_2_ruby/relying_party.rb
+- lib/saml_2_ruby/version.rb
+- lib/saml_2_ruby/xml_sec.rb
+- TODO
+has_rdoc: true
+homepage: http://github.com/scashin133/saml2ruby
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Ruby implementation of the SAML 2.0 Specification
+test_files: 
+- test/xml_sec_test.rb
+- examples/rails/SimpleSAMLRP/app/controllers/account_controller.rb
+- examples/rails/SimpleSAMLRP/app/controllers/application.rb
+- examples/rails/SimpleSAMLRP/app/helpers/account_helper.rb
+- examples/rails/SimpleSAMLRP/app/helpers/application_helper.rb
+- examples/rails/SimpleSAMLRP/config/boot.rb
+- examples/rails/SimpleSAMLRP/config/environment.rb
+- examples/rails/SimpleSAMLRP/config/environments/development.rb
+- examples/rails/SimpleSAMLRP/config/environments/production.rb
+- examples/rails/SimpleSAMLRP/config/environments/test.rb
+- examples/rails/SimpleSAMLRP/config/routes.rb
+- examples/rails/SimpleSAMLRP/public/dispatch.rb
+- examples/rails/SimpleSAMLRP/test/functional/account_controller_test.rb
+- examples/rails/SimpleSAMLRP/test/test_helper.rb