saml_idp 0.0.1

data/lib/saml_idp/attribute_decorator.rb

@@ -0,0 +1,27 @@
+require 'delegate'
+module SamlIdp
+  class AttributeDecorator < SimpleDelegator
+    alias_method :source, :__getobj__
+
+    def initialize(*)
+      super
+      __setobj__((source || {}).with_indifferent_access)
+    end
+
+    def name
+      source[:name]
+    end
+
+    def friendly_name
+      source[:friendly_name]
+    end
+
+    def name_format
+      source[:name_format] || Saml::XML::Namespaces::Formats::Attr::URI
+    end
+
+    def values
+      Array(source[:values])
+    end
+  end
+end

data/lib/saml_idp/attributeable.rb

@@ -0,0 +1,24 @@
+module SamlIdp
+  module Attributeable
+    extend ActiveSupport::Concern
+
+    def initialize(attributes = {})
+      self.attributes = attributes
+    end
+
+    def attributes
+      @attributes ||= {}.with_indifferent_access
+    end
+
+    def attributes=(new_attributes)
+      @attributes = (new_attributes || {}).with_indifferent_access
+    end
+
+    module ClassMethods
+      def attribute(att)
+        define_method(att) { attributes[att] }
+        define_method("#{att}=") { |new_value| self.attributes[att] = new_value }
+      end
+    end
+  end
+end

data/lib/saml_idp/configurator.rb

@@ -0,0 +1,45 @@
+# encoding: utf-8
+require 'ostruct'
+module SamlIdp
+  class Configurator
+    attr_accessor :x509_certificate
+    attr_accessor :secret_key
+    attr_accessor :algorithm
+    attr_accessor :organization_name
+    attr_accessor :organization_url
+    attr_accessor :base_saml_location
+    attr_accessor :reference_id_generator
+    attr_accessor :attribute_service_location
+    attr_accessor :single_service_post_location
+    attr_accessor :attributes
+    attr_accessor :service_provider
+
+    def initialize
+      self.x509_certificate = Default::X509_CERTIFICATE
+      self.secret_key = Default::SECRET_KEY
+      self.algorithm = :sha1
+      self.reference_id_generator = ->() { UUID.generate }
+      self.service_provider = OpenStruct.new
+      self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
+      self.service_provider.metadata_persister = ->(id, settings) {  }
+      self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
+      self.attributes = {}
+    end
+
+    # formats
+    # getter
+    def name_id
+      @name_id ||= OpenStruct.new
+    end
+
+    def technical_contact
+      @technical_contact ||= TechnicalContact.new
+    end
+
+    class TechnicalContact < OpenStruct
+      def mail_to_string
+        "mailto:#{email_address}" if email_address.to_s.length > 0
+      end
+    end
+  end
+end

data/lib/saml_idp/controller.rb

@@ -0,0 +1,71 @@
+# encoding: utf-8
+require 'openssl'
+require 'base64'
+require 'time'
+require 'uuid'
+require 'saml_idp/request'
+module SamlIdp
+  module Controller
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :saml_acs_url if respond_to? :helper_method
+    end
+
+    attr_accessor :algorithm
+    attr_accessor :saml_request
+
+    protected
+
+    def validate_saml_request(raw_saml_request = params[:SAMLRequest])
+      decode_request(raw_saml_request)
+      render nothing: true, status: :forbidden unless valid_service_provider?
+    end
+
+    def decode_request(raw_saml_request)
+      self.saml_request = Request.from_deflated_request(raw_saml_request)
+    end
+
+    def encode_response(principal, opts = {})
+      response_id, reference_id = get_saml_response_id, get_saml_reference_id
+      audience_uri = opts[:audience_uri] || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
+      opt_issuer_uri = opts[:issuer_uri] || issuer_uri
+
+      SamlResponse.new(
+        reference_id,
+        response_id,
+        issuer_uri,
+        principal,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        algorithm
+      ).build
+    end
+
+    def issuer_uri
+      issuer_uri = (defined?(request) && request.url.to_s.split("?").first) || "http://example.com"
+    end
+
+    def valid_service_provider?
+      saml_request.service_provider? &&
+        saml_request.valid_signature?
+    end
+
+    def saml_request_id
+      saml_request.request_id
+    end
+
+    def saml_acs_url
+      saml_request.acs_url
+    end
+
+    def get_saml_response_id
+      UUID.generate
+    end
+
+    def get_saml_reference_id
+      UUID.generate
+    end
+  end
+end

data/lib/saml_idp/default.rb

@@ -0,0 +1,28 @@
+# encoding: utf-8
+module SamlIdp
+  module Default
+    NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    X509_CERTIFICATE = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF5T0RBeU1qSXlPRm9YRFRNeU1EUXkKTXpBeU1qSXlPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXVCeXdQTmxDMUZvcEdMWWZGOTZTb3RpSwo4Tmo2L25XMDg0TzRvbVJNaWZ6eTd4OTU1UkxFeTY3M3EyYWlKTkIzTHZFNlh2a3Q5Y0d0eHROb09YdzFnMlV2CkhLcGxkUWJyNmJPRWpMTmVETlc3ajBvYitKclJ2QVVPSzlDUmdkeXc1TUM2bHdxVlFRNUMxRG5hVC8yZlNCRmoKYXNCRlRSMjRkRXBmVHk4SGZLRUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRTkJHbW10M3l0S3BjSmFCYVlOYm55VTJ4a2F6QVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVEUVJwcHJkOHJTcVhDV2dXbURXNThsTnNaR3VoZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FBRQpjVlVQQlg3dVptenFaSmZ5K3RVUE9UNUltTlFqOFZFMmxlcmhuRmpuR1BIbUhJcWhwemdud0hRdWpKZnMvYTMwCjlXbTVxd2NDYUMxZU81Y1dqY0cweDNPamRsbHNnWURhdGw1R0F1bXRCeDhKM05oV1JxTlVnaXRDSWtRbHhISXcKVWZnUWFDdXNoWWdEREw1WWJJUWErK2VnQ2dwSVorVDBEajVvUmV3Ly9BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
+    FINGERPRINT = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    SECRET_KEY = <<EOS
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC4HLA82ULUWikYth8X3pKi2Irw2Pr+dbTzg7iiZEyJ/PLvH3nl
+EsTLrverZqIk0Hcu8Tpe+S31wa3G02g5fDWDZS8cqmV1Buvps4SMs14M1buPShv4
+mtG8BQ4r0JGB3LDkwLqXCpVBDkLUOdpP/Z9IEWNqwEVNHbh0Sl9PLwd8oQIDAQAB
+AoGAQmUGIUtwUEgbXe//kooPc26H3IdDLJSiJtcvtFBbUb/Ik/dT7AoysgltA4DF
+pGURNfqERE+0BVZNJtCCW4ixew4uEhk1XowYXHCzjkzyYoFuT9v5SP4cu4q3t1kK
+51JF237F0eCY3qC3k96CzPGG67bwOu9EeXAu4ka/plLdsAECQQDkg0uhR/vsJffx
+tiWxcDRNFoZpCpzpdWfQBnHBzj9ZC0xrdVilxBgBpupCljO2Scy4MeiY4S1Mleel
+CWRqh7RBAkEAzkIjUnllEkr5sjVb7pNy+e/eakuDxvZck0Z8X3USUki/Nm3E/GPP
+c+CwmXR4QlpMpJr3/Prf1j59l/LAK9AwYQJBAL9eRSQYCJ3HXlGKXR6v/NziFEY7
+oRTSQdIw02ueseZ8U89aQpbwFbqsclq5Ny1duJg5E7WUPj94+rl3mCSu6QECQBVh
+0duY7htpXl1VHsSq0H6MmVgXn/+eRpaV9grHTjDtjbUMyCEKD9WJc4VVB6qJRezC
+i/bT4ySIsehwp+9i08ECQEH03lCpHpbwiWH4sD25l/z3g2jCbIZ+RTV6yHIz7Coh
+gAbBqA04wh64JhhfG69oTBwqwj3imlWF8+jDzV9RNNw=
+-----END RSA PRIVATE KEY-----
+EOS
+    SERVICE_PROVIDER = {
+      fingerprint: FINGERPRINT
+    }
+  end
+end

data/lib/saml_idp/engine.rb

@@ -0,0 +1,5 @@
+# encoding: utf-8
+module SamlIdp
+  class Engine < Rails::Engine
+  end
+end

data/lib/saml_idp/hashable.rb

@@ -0,0 +1,26 @@
+module SamlIdp
+  module Hashable
+    extend ActiveSupport::Concern
+
+    def hashables
+      self.class.hashables
+    end
+
+    def to_h
+      hashables.reduce({}) do |hash, key|
+        hash[key.to_sym] = send(key)
+        hash
+      end
+    end
+
+    module ClassMethods
+      def hashables
+        @hashables ||= Set.new
+      end
+
+      def hashable(method_name)
+        self.hashables << method_name.to_s
+      end
+    end
+  end
+end

data/lib/saml_idp/incoming_metadata.rb

@@ -0,0 +1,144 @@
+require 'set'
+require 'saml_idp/hashable'
+module SamlIdp
+  class IncomingMetadata
+    include Hashable
+    attr_accessor :raw
+
+    delegate :xpath, to: :document
+    private :xpath
+
+    def initialize(raw = "")
+      self.raw = raw
+    end
+
+    def document
+      @document ||= Saml::XML::Document.parse raw
+    end
+
+    def sign_assertions
+      doc = xpath(
+        "//md:SPSSODescriptor",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first
+      doc ? !!doc["WantAssertionsSigned"] : false
+    end
+    hashable :sign_assertions
+
+    def display_name
+      role_descriptor_document.present? ? role_descriptor_document["ServiceDisplayName"] : ""
+    end
+    hashable :display_name
+
+    def contact_person
+      {
+        given_name: given_name,
+        surname: surname,
+        company: company,
+        telephone_number: telephone_number,
+        email_address: email_address
+      }
+    end
+    hashable :contact_person
+
+    def signing_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :signing_certificate
+
+    def encryption_certificate
+      xpath(
+        "//md:SPSSODescriptor/md:KeyDescriptor[@use='encryption']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
+        ds: signature_namespace,
+        md: metadata_namespace
+      ).first.try(:content).to_s
+    end
+    hashable :encryption_certificate
+
+    def single_logout_services
+      xpath(
+        "//md:SPSSODescriptor/md:SingleLogoutService",
+        md: metadata_namespace
+      ).reduce({}) do |hash, el|
+        hash[el["Binding"].to_s.split(":").last] = el["Location"]
+        hash
+      end
+    end
+    hashable :single_logout_services
+
+    def name_id_formats
+      xpath(
+        "//md:SPSSODescriptor/md:NameIDFormat",
+        md: metadata_namespace
+      ).reduce(Set.new) do |set, el|
+        props = el.content.to_s.match /urn:oasis:names:tc:SAML:(?<version>\S+):nameid-format:(?<name>\S+)/
+        set << props[:name].to_s.underscore if props[:name].present?
+        set
+      end
+    end
+    hashable :name_id_formats
+
+    def assertion_consumer_services
+      xpath(
+        "//md:SPSSODescriptor/md:AssertionConsumerService",
+        md: metadata_namespace
+      ).sort_by { |el| el["index"].to_i }.reduce([]) do |array, el|
+        props = el["Binding"].to_s.match /urn:oasis:names:tc:SAML:(?<version>\S+):bindings:(?<name>\S+)/
+        array << { binding: props[:name], location: el["Location"], default: !!el["isDefault"] }
+        array
+      end
+    end
+    hashable :assertion_consumer_services
+
+    def given_name
+      contact_person_document.xpath("//md:GivenName", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def surname
+      contact_person_document.xpath("//md:SurName", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def company
+      contact_person_document.xpath("//md:Company", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def telephone_number
+      contact_person_document.xpath("//md:TelephoneNumber", md: metadata_namespace).first.try(:content).to_s
+    end
+
+    def email_address
+      contact_person_document.xpath("//md:EmailAddress", md: metadata_namespace).first.try(:content).to_s.gsub("mailto:", "")
+    end
+
+    def role_descriptor_document
+      @role_descriptor ||= xpath("//md:RoleDescriptor", md: metadata_namespace).first
+    end
+
+    def service_provider_descriptor_document
+      @service_provider_descriptor ||= xpath("//md:SPSSODescriptor", md: metadata_namespace).first
+    end
+
+    def idp_descriptor_document
+      @idp_descriptor ||= xpath("//md:IDPSSODescriptor", md: metadata_namespace).first
+    end
+
+    def contact_person_document
+      @contact_person_document ||= xpath("//md:ContactPerson", md: metadata_namespace).first
+    end
+
+    def metadata_namespace
+      Saml::XML::Namespaces::METADATA
+    end
+    private :metadata_namespace
+
+    def signature_namespace
+      Saml::XML::Namespaces::SIGNATURE
+    end
+    private :signature_namespace
+  end
+end

data/lib/saml_idp/metadata_builder.rb

@@ -0,0 +1,158 @@
+require 'saml_idp/name_id_formatter'
+require 'saml_idp/attribute_decorator'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
+module SamlIdp
+  class MetadataBuilder
+    include Algorithmable
+    include Signable
+    attr_accessor :configurator
+
+    def initialize(configurator = SamlIdp.config)
+      self.configurator = configurator
+    end
+
+    def fresh
+      builder = Builder::XmlMarkup.new
+      generated_reference_id do
+        builder.EntityDescriptor ID: reference_string,
+          xmlns: Saml::XML::Namespaces::METADATA,
+          "xmlns:saml" => Saml::XML::Namespaces::ASSERTION,
+          "xmlns:ds" => Saml::XML::Namespaces::SIGNATURE,
+          entityID: entity_id do |entity|
+            sign entity
+            build_organization entity
+            build_contact entity
+
+            entity.IDPSSODescriptor protocolSupportEnumeration: protocol_enumeration do |descriptor|
+              build_key_descriptor descriptor
+              build_name_id_formats descriptor
+              descriptor.SingleSignOnService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: single_service_post_location
+              build_attribute descriptor
+            end
+
+            entity.AttributeAuthorityDescriptor ID: reference_string,
+              protocolSupportEnumeration: protocol_enumeration do |authority_descriptor|
+              build_key_descriptor authority_descriptor
+              build_organization authority_descriptor
+              build_contact authority_descriptor
+              authority_descriptor.AttributeService Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: attribute_service_location
+              build_name_id_formats authority_descriptor
+              build_attribute authority_descriptor
+            end
+          end
+      end
+    end
+    alias_method :raw, :fresh
+
+    def build_key_descriptor(el)
+      el.KeyDescriptor use: "signing" do |key_descriptor|
+        key_descriptor.KeyInfo xmlns: Saml::XML::Namespaces::SIGNATURE do |key_info|
+          key_info.X509Data do |x509|
+            x509.X509Certificate x509_certificate
+          end
+        end
+      end
+    end
+    private :build_key_descriptor
+
+    def build_name_id_formats(el)
+      name_id_formats.each do |format|
+        el.NameIDFormat format
+      end
+    end
+    private :build_name_id_formats
+
+    def build_attribute(el)
+      attributes.each do |attribute|
+        el.tag! "saml:Attribute",
+          NameFormat: attribute.name_format,
+          Name: attribute.name,
+          FriendlyName: attribute.friendly_name do |attribute_xml|
+            attribute.values.each do |value|
+              attribute_xml.tag! "saml:AttributeValue", value
+            end
+          end
+      end
+    end
+    private :build_attribute
+
+    def build_organization(el)
+      el.Organization do |organization|
+        organization.OrganizationName organization_name, "xml:lang" => "en"
+        organization.OrganizationDisplayName organization_name, "xml:lang" => "en"
+        organization.OrganizationURL organization_url, "xml:lang" => "en"
+      end
+    end
+    private :build_organization
+
+    def build_contact(el)
+      el.ContactPerson contactType: "technical" do |contact|
+        contact.Company technical_contact.company if technical_contact.company.present?
+        contact.GivenName technical_contact.given_name if technical_contact.given_name.present?
+        contact.SurName technical_contact.sur_name if technical_contact.sur_name.present?
+        contact.TelephoneNumber technical_contact.telephone if technical_contact.telephone.present?
+        contact.EmailAddress technical_contact.mail_to_string if technical_contact.mail_to_string.present?
+      end
+    end
+    private :build_contact
+
+    def reference_string
+      "_#{reference_id}"
+    end
+    private :reference_string
+
+    def entity_id
+      configurator.base_saml_location
+    end
+    private :entity_id
+
+    def protocol_enumeration
+      Saml::XML::Namespaces::PROTOCOL
+    end
+    private :protocol_enumeration
+
+    def attributes
+      @attributes ||= configurator.attributes.inject([]) do |list, (key, opts)|
+        opts[:friendly_name] = key
+        list << AttributeDecorator.new(opts)
+        list
+      end
+    end
+    private :attributes
+
+    def name_id_formats
+      @name_id_formats ||= NameIdFormatter.new(configurator.name_id.formats).all
+    end
+    private :name_id_formats
+
+    def raw_algorithm
+      configurator.algorithm
+    end
+    private :raw_algorithm
+
+    def x509_certificate
+      SamlIdp.config.x509_certificate
+      .to_s
+      .gsub(/-----BEGIN CERTIFICATE-----/,"")
+      .gsub(/-----END CERTIFICATE-----/,"")
+      .gsub(/\n/, "")
+    end
+
+    %w[
+      support_email
+      organization_name
+      organization_url
+      attribute_service_location
+      single_service_post_location
+      technical_contact
+    ].each do |delegatable|
+      define_method(delegatable) do
+        configurator.public_send delegatable
+      end
+      private delegatable
+    end
+  end
+end