saml_idp 0.12.0 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73712903d3949f895e57a13b138c007e0ae74715d7d546b4415f278829e59054
-  data.tar.gz: fbab7e28d01ea3fc7624e52e20a234f6f997a51643905170e6809cb3f7beeec7
+  metadata.gz: 4da444f25fd4d8cb2b53d847ee3ffa44adab3b2c4b64be57a6935c0922acf1a8
+  data.tar.gz: ff0beb64e76c37a0bbcb098f0bd5a50b4d15ff124d63d9c01d421f4693f6fa2d
 SHA512:
-  metadata.gz: 80a4683963e04b8b7f68051d15b12a5f0a098300cbfba9b72c4ed3940338ab3505c47cda0b091a9a36c1605f4396b5f1732bed7d3356438dd944f83541573a47
-  data.tar.gz: b01be29f645e31f9987afef74bb8b368ccfc86340b67e29524f582fe139e99b56cd827315d5a4e73d34b69e2c3c5b89d881c89f6d29b68c4b3cd2ff5499a39c3
+  metadata.gz: 1fe91e27e817106e66738c73c670ce064c18b18e9528f7aef3c2a4dc87658c9262877b7a62f491c29ff371d39e0306721bc1f97af7ec3fb6fd1d23b8550b32ce
+  data.tar.gz: d6ee196976da4fe1af818bca3183632372ef2e1e3059891e75a13dc39caa9fb86c3d312c384d926877f9e14cfbd751d566d517742e72e0bb77e276e446a88aed

data/README.md

@@ -1,6 +1,6 @@
 # Ruby SAML Identity Provider (IdP)
 
-Forked from https://github.com/lawrencepit/ruby-saml-idp
+Forked from <https://github.com/lawrencepit/ruby-saml-idp>
 
 [![Build Status](https://travis-ci.org/saml-idp/saml_idp.svg)](https://travis-ci.org/saml-idp/saml_idp)
 [![Gem Version](https://badge.fury.io/rb/saml_idp.svg)](http://badge.fury.io/rb/saml_idp)
@@ -13,13 +13,15 @@ protocol. It provides a means for managing authentication requests and confirmat
 This was originally setup by @lawrencepit to test SAML Clients. I took it closer to a real
 SAML IDP implementation.
 
-# Installation and Usage
+## Installation and Usage
 
 Add this to your Gemfile:
 
+```ruby
     gem 'saml_idp'
+```
 
-## Not using rails?
+### Not using rails?
 
 Include `SamlIdp::Controller` and see the examples that use rails. It should be straightforward for you.
 
@@ -27,57 +29,24 @@ Basically you call `decode_request(params[:SAMLRequest])` on an incoming request
 `saml_acs_url` to determine the source for which you need to authenticate a user. How you authenticate
 a user is entirely up to you.
 
-Once a user has successfully authenticated on your system send the Service Provider a SAMLReponse by
+Once a user has successfully authenticated on your system send the Service Provider a SAMLResponse by
 posting to `saml_acs_url` the parameter `SAMLResponse` with the return value from a call to
 `encode_response(user_email)`.
 
-## Using rails?
+### Using rails?
 
-Add to your `routes.rb` file, for example:
-
-```ruby
-get '/saml/auth' => 'saml_idp#new'
-get '/saml/metadata' => 'saml_idp#show'
-post '/saml/auth' => 'saml_idp#create'
-match '/saml/logout' => 'saml_idp#logout', via: [:get, :post, :delete]
-```
+Check out our Wiki page for Rails integration
+[Rails Integration guide](https://github.com/saml-idp/saml_idp/wiki/Rails_Integration)
 
-Create a controller that looks like this, customize to your own situation:
-
-```ruby
-class SamlIdpController < SamlIdp::IdpController
-  def idp_authenticate(email, password) # not using params intentionally
-    user = User.by_email(email).first
-    user && user.valid_password?(password) ? user : nil
-  end
-  private :idp_authenticate
-
-  def idp_make_saml_response(found_user) # not using params intentionally
-    # NOTE encryption is optional
-    encode_response found_user, encryption: {
-      cert: saml_request.service_provider.cert,
-      block_encryption: 'aes256-cbc',
-      key_transport: 'rsa-oaep-mgf1p'
-    }
-  end
-  private :idp_make_saml_response
-
-  def idp_logout
-    user = User.by_email(saml_request.name_id)
-    user.logout
-  end
-  private :idp_logout
-end
-```
-
-## Configuration
+### Configuration
 
 #### Signed assertions and Signed Response
 
-By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`. Because SAML assertions contain secure information used for authentication such as NameID.
+By default SAML Assertion will be signed with an algorithm which defined to `config.algorithm`, because SAML assertions contain secure information used for authentication such as NameID.
+Besides that, signing assertions could be optional and can be defined with `config.signed_assertion` option. Setting this configuration flag to `false` will add raw assertions on the response instead of signed ones. If the response is encrypted the `config.signed_assertion` will be ignored and all assertions will be signed.
 
 Signing SAML Response is optional, but some security perspective SP services might require Response message itself must be signed.
-For that, you can enable it with `config.signed_message` option. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
+For that, you can enable it with `signed_message: true` option for `encode_response(user_email, signed_message: true)` method. [More about SAML spec](https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf#page=68)
 
 #### Signing algorithm
 
@@ -117,7 +86,9 @@ CERT
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
   # config.session_expiry = 86400                                 # Default: 0 which means never
-  # config.signed_message = true                                  # Default: false which means unsigned SAML Response
+  # config.signed_assertion = false                               # Default: true which means signed assertions on the SAML Response
+  # config.compress = true                                        # Default: false which means the SAML Response is not being compressed
+  # config.logger = ::Logger.new($stdout)                         # Default: if in Rails context - Rails.logger, else ->(msg) { puts msg }. Works with either a Ruby Logger or a lambda
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #
@@ -230,7 +201,7 @@ CERT
 end
 ```
 
-# Keys and Secrets
+## Keys and Secrets
 
 To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret.
 You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032.
@@ -241,31 +212,31 @@ and `SamlIdp.config.secret_key` properties.
 
 The fingerprint to use, if you use the default X.509 certificate of this gem, is:
 
-```
-9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
+```bash
+  9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
 ```
 
-# Fingerprint
+## Fingerprint
 
 The gem provides an helper to generate a fingerprint for a X.509 certificate.
 The second parameter is optional and default to your configuration `SamlIdp.config.algorithm`
 
 ```ruby
-Fingerprint.certificate_digest(x509_cert, :sha512)
+  SamlIdp::Fingerprint.certificate_digest(x509_cert, :sha512)
 ```
 
-# Service Providers
+## Service Providers
 
 To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the
 excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
 
-# Author
+## Author
 
 Jon Phenow, jon@jphenow.com, jphenow.com, @jphenow
 
 Lawrence Pit, lawrence.pit@gmail.com, lawrencepit.com, @lawrencepit
 
-# Copyright
+## Copyright
 
 Copyright (c) 2012 Sport Ngin.
 Portions Copyright (c) 2010 OneLogin, LLC

data/lib/saml_idp/assertion_builder.rb

@@ -16,10 +16,26 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :name_id_formats_opts
+    attr_accessor :asserted_attributes_opts
 
     delegate :config, to: :SamlIdp
 
-    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
+    def initialize(
+        reference_id,
+        issuer_uri,
+        principal,
+        audience_uri,
+        saml_request_id,
+        saml_acs_url,
+        raw_algorithm,
+        authn_context_classref,
+        expiry=60*60,
+        encryption_opts=nil,
+        session_expiry=nil,
+        name_id_formats_opts = nil,
+        asserted_attributes_opts = nil
+    )
       self.reference_id = reference_id
       self.issuer_uri = issuer_uri
       self.principal = principal
@@ -31,6 +47,8 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
     end
 
     def fresh
@@ -98,7 +116,9 @@ module SamlIdp
     end
 
     def asserted_attributes
-      if principal.respond_to?(:asserted_attributes)
+      if asserted_attributes_opts.present? && !asserted_attributes_opts.empty?
+        asserted_attributes_opts
+      elsif principal.respond_to?(:asserted_attributes)
         principal.send(:asserted_attributes)
       elsif !config.attributes.nil? && !config.attributes.empty?
         config.attributes
@@ -139,10 +159,15 @@ module SamlIdp
     private :name_id_getter
 
     def name_id_format
-      @name_id_format ||= NameIdFormatter.new(config.name_id.formats).chosen
+      @name_id_format ||= NameIdFormatter.new(name_id_formats).chosen
     end
     private :name_id_format
 
+    def name_id_formats
+      @name_id_formats ||= (name_id_formats_opts || config.name_id.formats)
+    end
+    private :name_id_formats
+
     def reference_string
       "_#{reference_id}"
     end

data/lib/saml_idp/configurator.rb

@@ -22,6 +22,7 @@ module SamlIdp
     attr_accessor :service_provider
     attr_accessor :assertion_consumer_service_hosts
     attr_accessor :session_expiry
+    attr_accessor :logger
 
     def initialize
       self.x509_certificate = Default::X509_CERTIFICATE
@@ -34,6 +35,7 @@ module SamlIdp
       self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
       self.session_expiry = 0
       self.attributes = {}
+      self.logger = defined?(::Rails) ? Rails.logger : ->(msg) { puts msg }
     end
 
     # formats

data/lib/saml_idp/controller.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 require 'openssl'
 require 'base64'
 require 'time'
@@ -36,13 +35,8 @@ module SamlIdp
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
       return true if valid_saml_request?
-      if defined?(::Rails)
-        if Rails::VERSION::MAJOR >= 4
-          head :forbidden
-        else
-          render nothing: true, status: :forbidden
-        end
-      end
+
+      head :forbidden if defined?(::Rails)
       false
     end
 
@@ -64,7 +58,13 @@ module SamlIdp
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      name_id_formats_opts = opts[:name_id_formats] || nil
+      asserted_attributes_opts = opts[:attributes] || nil
       signed_message_opts = opts[:signed_message] || false
+      name_id_formats_opts = opts[:name_id_formats] || nil
+      asserted_attributes_opts = opts[:attributes] || nil
+      signed_assertion_opts = opts[:signed_assertion] || true
+      compress_opts = opts[:compress] || false
 
       SamlResponse.new(
         reference_id,
@@ -79,11 +79,15 @@ module SamlIdp
         expiry,
         encryption_opts,
         session_expiry,
-        signed_message_opts
+        name_id_formats_opts,
+        asserted_attributes_opts,
+        signed_assertion_opts,
+        signed_message_opts,
+        compress_opts
       ).build
     end
 
-    def encode_logout_response(principal, opts = {})
+    def encode_logout_response(_principal, opts = {})
       SamlIdp::LogoutResponseBuilder.new(
         get_saml_response_id,
         (opts[:issuer_uri] || issuer_uri),

data/lib/saml_idp/encryptor.rb

@@ -61,7 +61,6 @@ module SamlIdp
           key_info.EncryptedKey Id: 'EK', xmlns: 'http://www.w3.org/2001/04/xmlenc#' do |enc_key|
             enc_key.EncryptionMethod Algorithm: key_transport_ns
             enc_key.tag! 'ds:KeyInfo', 'xmlns:ds' => 'http://www.w3.org/2000/09/xmldsig#' do |key_info2|
-              key_info2.tag! 'ds:KeyName'
               key_info2.tag! 'ds:X509Data' do |x509_data|
                 x509_data.tag! 'ds:X509Certificate' do |x509_cert|
                   x509_cert << cert.to_s.gsub(/-+(BEGIN|END) CERTIFICATE-+/, '') 

data/lib/saml_idp/request.rb

@@ -1,5 +1,6 @@
 require 'saml_idp/xml_security'
 require 'saml_idp/service_provider'
+require 'logger'
 module SamlIdp
   class Request
     def self.from_deflated_request(raw)
@@ -77,10 +78,10 @@ module SamlIdp
     end
 
     def log(msg)
-      if defined?(::Rails) && Rails.logger
-        Rails.logger.info msg
+      if config.logger.class <= ::Logger
+        config.logger.info msg
       else
-        puts msg
+        config.logger.call msg
       end
     end
 

data/lib/saml_idp/response_builder.rb

@@ -23,21 +23,21 @@ module SamlIdp
       self.raw_algorithm = raw_algorithm
     end
 
-    def encoded(signed_message: false)
-      @encoded ||= signed_message ? encode_signed_message : encode_raw_message
+    def encoded(signed_message: false, compress: false)
+      @encoded ||= signed_message ? encode_signed_message(compress) : encode_raw_message(compress)
     end
 
     def raw
       build
     end
 
-    def encode_raw_message
-      Base64.strict_encode64(raw)
+    def encode_raw_message(compress)
+      Base64.strict_encode64(compress ? deflate(raw) : raw)
     end
     private :encode_raw_message
 
-    def encode_signed_message
-      Base64.strict_encode64(signed)
+    def encode_signed_message(compress)
+      Base64.strict_encode64(compress ? deflate(signed) : signed)
     end
     private :encode_signed_message
 
@@ -66,11 +66,17 @@ module SamlIdp
     def response_id_string
       "_#{response_id}"
     end
+    alias_method :reference_id, :response_id
     private :response_id_string
 
     def now_iso
       Time.now.utc.iso8601
     end
     private :now_iso
+
+    def deflate(inflated)
+      Zlib::Deflate.deflate(inflated, 9)[2..-5]
+    end
+    private :deflate
   end
 end

data/lib/saml_idp/saml_response.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
+
 require 'saml_idp/assertion_builder'
 require 'saml_idp/response_builder'
 module SamlIdp
   class SamlResponse
-    attr_accessor :assertion_with_signature
     attr_accessor :reference_id
     attr_accessor :response_id
     attr_accessor :issuer_uri
@@ -17,22 +18,32 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :name_id_formats_opts
+    attr_accessor :asserted_attributes_opts
     attr_accessor :signed_message_opts
+    attr_accessor :signed_assertion_opts
+    attr_accessor :compression_opts
+
+    def initialize(
+      reference_id,
+      response_id,
+      issuer_uri,
+      principal,
+      audience_uri,
+      saml_request_id,
+      saml_acs_url,
+      algorithm,
+      authn_context_classref,
+      expiry = 60 * 60,
+      encryption_opts = nil,
+      session_expiry = 0,
+      name_id_formats_opts = nil,
+      asserted_attributes_opts = nil,
+      signed_message_opts = false,
+      signed_assertion_opts = true,
+      compression_opts = false
+    )
 
-    def initialize(reference_id,
-          response_id,
-          issuer_uri,
-          principal,
-          audience_uri,
-          saml_request_id,
-          saml_acs_url,
-          algorithm,
-          authn_context_classref,
-          expiry=60*60,
-          encryption_opts=nil,
-          session_expiry=0,
-          signed_message_opts
-          )
       self.reference_id = reference_id
       self.response_id = response_id
       self.issuer_uri = issuer_uri
@@ -48,26 +59,34 @@ module SamlIdp
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry
       self.signed_message_opts = signed_message_opts
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
+      self.signed_assertion_opts = signed_assertion_opts
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
+      self.compression_opts = compression_opts
     end
 
     def build
-      @built ||= encoded_message
+      @build ||= encoded_message
     end
 
     def signed_assertion
       if encryption_opts
         assertion_builder.encrypt(sign: true)
-      else
+      elsif signed_assertion_opts
         assertion_builder.signed
+      else
+        assertion_builder.raw
       end
     end
     private :signed_assertion
 
     def encoded_message
       if signed_message_opts
-        response_builder.encoded(signed_message: true)
+        response_builder.encoded(signed_message: true, compress: compression_opts)
       else
-        response_builder.encoded(signed_message: false)
+        response_builder.encoded(signed_message: false, compress: compression_opts)
       end
     end
     private :encoded_message
@@ -78,17 +97,20 @@ module SamlIdp
     private :response_builder
 
     def assertion_builder
-      @assertion_builder ||= AssertionBuilder.new reference_id,
-        issuer_uri,
-        principal,
-        audience_uri,
-        saml_request_id,
-        saml_acs_url,
-        algorithm,
-        authn_context_classref,
-        expiry,
-        encryption_opts,
-        session_expiry
+      @assertion_builder ||=
+        AssertionBuilder.new SecureRandom.uuid,
+                             issuer_uri,
+                             principal,
+                             audience_uri,
+                             saml_request_id,
+                             saml_acs_url,
+                             algorithm,
+                             authn_context_classref,
+                             expiry,
+                             encryption_opts,
+                             session_expiry,
+                             name_id_formats_opts,
+                             asserted_attributes_opts
     end
     private :assertion_builder
   end

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.12.0'
+  VERSION = '0.15.0'
 end

data/lib/saml_idp.rb

@@ -9,7 +9,7 @@ module SamlIdp
   require 'saml_idp/metadata_builder'
   require 'saml_idp/version'
   require 'saml_idp/fingerprint'
-  require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+  require 'saml_idp/engine' if defined?(::Rails)
 
   def self.config
     @config ||= SamlIdp::Configurator.new

data/saml_idp.gemspec

@@ -1,61 +1,62 @@
 # -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
-require "saml_idp/version"
+
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+require 'saml_idp/version'
 
 Gem::Specification.new do |s|
   s.name = %q{saml_idp}
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
-  s.authors = ["Jon Phenow"]
+  s.authors = ['Jon Phenow']
   s.email = 'jon.phenow@sportngin.com'
   s.homepage = 'https://github.com/saml-idp/saml_idp'
   s.summary = 'SAML Indentity Provider for Ruby'
   s.description = 'SAML IdP (Identity Provider) Library for Ruby'
-  s.date = Time.now.utc.strftime("%Y-%m-%d")
-  s.files = Dir['app/**/*', 'lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
-  s.required_ruby_version = '>= 2.2'
+  s.date = Time.now.utc.strftime('%Y-%m-%d')
+  s.files = Dir['lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
+  s.required_ruby_version = '>= 2.5'
   s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.require_paths = ['lib']
   s.rdoc_options = ['--charset=UTF-8']
   s.metadata = {
-    'homepage_uri'      => 'https://github.com/saml-idp/saml_idp',
-    'source_code_uri'   => 'https://github.com/saml-idp/saml_idp',
-    'bug_tracker_uri'   => 'https://github.com/saml-idp/saml_idp/issues',
+    'homepage_uri' => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri' => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri' => 'https://github.com/saml-idp/saml_idp/issues',
     'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
   }
 
   s.post_install_message = <<-INST
-If you're just recently updating saml_idp - please be aware we've changed the default
-certificate. See the PR and a description of why we've done this here:
-https://github.com/saml-idp/saml_idp/pull/29
-
-If you just need to see the certificate `bundle open saml_idp` and go to
-`lib/saml_idp/default.rb`
+    If you're just recently updating saml_idp - please be aware we've changed the default
+    certificate. See the PR and a description of why we've done this here:
+    https://github.com/saml-idp/saml_idp/pull/29
 
-Similarly, please see the README about certificates - you should avoid using the
-defaults in a Production environment. Post any issues you to github.
+    If you just need to see the certificate `bundle open saml_idp` and go to
+    `lib/saml_idp/default.rb`
 
-** New in Version 0.3.0 **
+    Similarly, please see the README about certificates - you should avoid using the
+    defaults in a Production environment. Post any issues you to github.
 
-Encrypted Assertions require the xmlenc gem. See the example in the Controller
-section of the README.
+    ** New in Version 0.3.0 **
+    Encrypted Assertions require the xmlenc gem. See the example in the Controller
+    section of the README.
   INST
 
-  s.add_dependency('activesupport', '>= 3.2')
+  s.add_dependency('activesupport', '>= 5.2')
   s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
+  s.add_dependency('rexml')
+  s.add_dependency('xmlenc', '>= 0.7.1')
 
+  s.add_development_dependency('activeresource', '>= 5.1')
+  s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('rails', '>= 5.2')
   s.add_development_dependency('rake')
-  s.add_development_dependency('simplecov')
   s.add_development_dependency('rspec', '>= 3.7.0')
   s.add_development_dependency('ruby-saml', '>= 1.7.2')
-  s.add_development_dependency('rails', '>= 3.2')
-  s.add_development_dependency('activeresource', '>= 3.2')
-  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('simplecov')
   s.add_development_dependency('timecop', '>= 0.8')
-  s.add_development_dependency('xmlenc', '>= 0.6.4')
-  s.add_development_dependency('appraisal')
-  s.add_development_dependency('byebug')
 end