saml_idp 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33d61d6767a79ea9158672fd6ef93c08c70bf4e6
-  data.tar.gz: a2160be6f4da871e04811e6568695328c2e226e9
+  metadata.gz: 939a5fa00a7b08a69488c4e8c1b70d80134f5382
+  data.tar.gz: 74e7af28ec947ef5b89e346bade1d801920361ec
 SHA512:
-  metadata.gz: 3675637b4e2c170f3d2c14a9920e61584b95cdfbaf32d8e93492a45c59bd3df32d2c546e6b819b6712c8c039906f527facad0ecff511a7379b4167a2d28e1104
-  data.tar.gz: ba1f8db3b4f1e994b8b07ceb455c9bfc76de28b476ef727d6eecf59418d7df3c089a328fdac0c42dfbe94fcdeea27022a2999dad7341e25ad08cda60faf8cf88
+  metadata.gz: 4faba1443485f5eb1636fce1c0b6e24300530619eefc232f5d468cf093fec1b3db70427c6ec91fd9ceaead7ac59666322795fc98e2423cb4be3f914bf0646c7f
+  data.tar.gz: 153a2d258b1c5510e70999b4e76840d4b757894322ab5b2e990e2fa11610f4f31e6f9a661e5af3313f5aabd496a73623dfc79f85d392c054a9f63c2bc3af5b00

data/README.md

@@ -92,9 +92,10 @@ CERT
   # config.organization_name = "Your Organization"
   # config.organization_url = "http://example.com"
   # config.base_saml_location = "#{base}/saml"
-  # config.reference_id_generator                   # Default: -> { UUID.generate }
+  # config.reference_id_generator                                 # Default: -> { UUID.generate }
   # config.attribute_service_location = "#{base}/saml/attributes"
   # config.single_service_post_location = "#{base}/saml/auth"
+  # config.session_expiry = 86400                                 # Default: 0 which means never
 
   # Principal (e.g. User) is passed in when you `encode_response`
   #

data/lib/saml_idp/assertion_builder.rb

@@ -15,10 +15,11 @@ module SamlIdp
     attr_accessor :authn_context_classref
     attr_accessor :expiry
     attr_accessor :encryption_opts
+    attr_accessor :session_expiry
 
     delegate :config, to: :SamlIdp
 
-    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil)
+    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
       self.reference_id = reference_id
       self.issuer_uri = issuer_uri
       self.principal = principal
@@ -29,6 +30,7 @@ module SamlIdp
       self.authn_context_classref = authn_context_classref
       self.expiry = expiry
       self.encryption_opts = encryption_opts
+      self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
     end
 
     def fresh
@@ -55,7 +57,14 @@ module SamlIdp
               restriction.Audience audience_uri
             end
           end
-          assertion.AuthnStatement AuthnInstant: now_iso, SessionIndex: reference_string do |statement|
+          authn_statement_props = {
+            AuthnInstant: now_iso,
+            SessionIndex: reference_string,
+          }
+          unless session_expiry.zero?
+            authn_statement_props[:SessionNotOnOrAfter] = session_not_on_or_after
+          end
+          assertion.AuthnStatement authn_statement_props do |statement|
             statement.AuthnContext do |context|
               context.AuthnContextClassRef authn_context_classref
             end
@@ -164,6 +173,11 @@ module SamlIdp
     end
     private :not_on_or_after_subject
 
+    def session_not_on_or_after
+      iso { now + session_expiry }
+    end
+    private :session_not_on_or_after
+
     def iso
       yield.iso8601
     end

data/lib/saml_idp/configurator.rb

@@ -17,6 +17,7 @@ module SamlIdp
     attr_accessor :single_logout_service_redirect_location
     attr_accessor :attributes
     attr_accessor :service_provider
+    attr_accessor :session_expiry
 
     def initialize
       self.x509_certificate = Default::X509_CERTIFICATE
@@ -27,6 +28,7 @@ module SamlIdp
       self.service_provider.finder = ->(_) { Default::SERVICE_PROVIDER }
       self.service_provider.metadata_persister = ->(id, settings) {  }
       self.service_provider.persisted_metadata_getter = ->(id, service_provider) {  }
+      self.session_expiry = 0
       self.attributes = {}
     end
 

data/lib/saml_idp/controller.rb

@@ -35,7 +35,13 @@ module SamlIdp
 
     def validate_saml_request(raw_saml_request = params[:SAMLRequest])
       decode_request(raw_saml_request)
-      render nothing: true, status: :forbidden unless valid_saml_request?
+      unless valid_saml_request?
+        if Rails::VERSION::MAJOR >= 4
+          head :forbidden
+        else
+          render nothing: true, status: :forbidden
+        end
+      end
     end
 
     def decode_request(raw_saml_request)
@@ -54,6 +60,7 @@ module SamlIdp
       my_authn_context_classref = opts[:authn_context_classref] || authn_context_classref
       acs_url = opts[:acs_url] || saml_acs_url
       expiry = opts[:expiry] || 60*60
+      session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
 
       SamlResponse.new(
@@ -67,7 +74,8 @@ module SamlIdp
         (opts[:algorithm] || algorithm || default_algorithm),
         my_authn_context_classref,
         expiry,
-        encryption_opts
+        encryption_opts,
+        session_expiry
       ).build
     end
 

data/lib/saml_idp/saml_response.rb

@@ -16,6 +16,7 @@ module SamlIdp
     attr_accessor :authn_context_classref
     attr_accessor :expiry
     attr_accessor :encryption_opts
+    attr_accessor :session_expiry
 
     def initialize(reference_id,
           response_id,
@@ -27,7 +28,8 @@ module SamlIdp
           algorithm,
           authn_context_classref,
           expiry=60*60,
-          encryption_opts=nil
+          encryption_opts=nil,
+          session_expiry=0
           )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -42,6 +44,7 @@ module SamlIdp
       self.authn_context_classref = authn_context_classref
       self.expiry = expiry
       self.encryption_opts = encryption_opts
+      self.session_expiry = session_expiry
     end
 
     def build
@@ -72,7 +75,8 @@ module SamlIdp
         algorithm,
         authn_context_classref,
         expiry,
-        encryption_opts
+        encryption_opts,
+        session_expiry
     end
     private :assertion_builder
   end

data/lib/saml_idp/service_provider.rb

@@ -1,4 +1,5 @@
-require 'httparty'
+require 'net/http'
+require 'uri'
 require 'saml_idp/attributeable'
 require 'saml_idp/incoming_metadata'
 require 'saml_idp/persisted_metadata'
@@ -69,7 +70,7 @@ module SamlIdp
     private :fresh_incoming_metadata
 
     def request_metadata
-      metadata_url.present? ? HTTParty.get(metadata_url).body : ""
+      metadata_url.present? ? Net::HTTP.get(URI.parse(metadata_url)) : ""
     end
     private :request_metadata
   end

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.6.0'
+  VERSION = '0.7.0'
 end

data/saml_idp.gemspec

@@ -45,7 +45,6 @@ section of the README.
   s.add_dependency('activesupport', '>= 3.2')
   s.add_dependency('uuid', '~> 2.3')
   s.add_dependency('builder', '~> 3.0')
-  s.add_dependency('httparty', '~> 0.14')
   s.add_dependency('nokogiri', '>= 1.6.2')
 
   s.add_development_dependency('rake', '~> 10.4.2')

data/spec/lib/saml_idp/assertion_builder_spec.rb

@@ -102,5 +102,29 @@ module SamlIdp
       encrypted_xml = builder.encrypt
       encrypted_xml.should_not match(audience_uri)
     end
+
+    describe "with custom session_expiry configuration" do
+      let(:config) { SamlIdp::Configurator.new }
+      before do
+        config.session_expiry = 8
+        SamlIdp.stub(config: config)
+      end
+
+      it "sets default session_expiry from config" do
+        builder = described_class.new(
+          reference_id,
+          issuer_uri,
+          name_id,
+          audience_uri,
+          saml_request_id,
+          saml_acs_url,
+          algorithm,
+          authn_context_classref,
+          expiry,
+          encryption_opts
+        )
+        builder.session_expiry.should == 8
+      end
+    end
   end
 end

data/spec/lib/saml_idp/configurator_spec.rb

@@ -15,6 +15,7 @@ module SamlIdp
     it { should respond_to :name_id }
     it { should respond_to :attributes }
     it { should respond_to :service_provider }
+    it { should respond_to :session_expiry }
 
     it "has a valid x509_certificate" do
       subject.x509_certificate.should == Default::X509_CERTIFICATE
@@ -40,5 +41,9 @@ module SamlIdp
     it "can call service provider metadata persister" do
       subject.service_provider.metadata_persister.should respond_to :call
     end
+
+    it 'has a valid session_expiry' do
+      subject.session_expiry.should == 0
+    end
   end
 end

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -16,6 +16,7 @@ module SamlIdp
       Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
     }
     let(:expiry) { 3 * 60 * 60 }
+    let(:session_expiry) { 24 * 60 * 60 }
     let (:encryption_opts) do
       {
         cert: Default::X509_CERTIFICATE,
@@ -33,7 +34,8 @@ module SamlIdp
                                   algorithm,
                                   authn_context_classref,
                                   expiry,
-                                  encryption_opts
+                                  encryption_opts,
+                                  session_expiry
                                  )
     }
 
@@ -46,10 +48,20 @@ module SamlIdp
                                   saml_acs_url,
                                   algorithm,
                                   authn_context_classref,
-                                  expiry
+                                  expiry,
+                                  nil,
+                                  session_expiry
                                  )
     }
 
+    before do
+      Timecop.freeze(Time.local(1990, "jan", 1))
+    end
+
+    after do
+      Timecop.return
+    end
+
     it "has a valid build" do
       subject.build.should be_present
     end
@@ -64,5 +76,28 @@ module SamlIdp
       saml_resp.soft = false
       saml_resp.is_valid?.should == true
     end
+
+    it "sets session expiration" do
+      saml_resp = OneLogin::RubySaml::Response.new(subject.build)
+      saml_resp.session_expires_at.should == Time.local(1990, "jan", 2).iso8601
+    end
+
+    context "session expiration is set to 0" do
+      let(:session_expiry) { 0 }
+
+      it "builds a valid request" do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(subject.build, settings: resp_settings)
+        saml_resp.is_valid?.should == true
+      end
+
+      it "doesn't set a session expiration" do
+        resp_settings = saml_settings(saml_acs_url)
+        resp_settings.issuer = audience_uri
+        saml_resp = OneLogin::RubySaml::Response.new(subject.build, settings: resp_settings)
+        saml_resp.session_expires_at.should be_nil
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_idp
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Jon Phenow
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-22 00:00:00.000000000 Z
+date: 2017-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: httparty
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.14'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.14'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -234,6 +220,7 @@ files:
 - saml_idp.gemspec
 - spec/acceptance/acceptance_helper.rb
 - spec/acceptance/idp_controller_spec.rb
+- spec/lib/saml_idp/.assertion_builder_spec.rb.swp
 - spec/lib/saml_idp/algorithmable_spec.rb
 - spec/lib/saml_idp/assertion_builder_spec.rb
 - spec/lib/saml_idp/attribute_decorator_spec.rb
@@ -367,6 +354,7 @@ summary: SAML Indentity Provider in ruby
 test_files:
 - spec/acceptance/acceptance_helper.rb
 - spec/acceptance/idp_controller_spec.rb
+- spec/lib/saml_idp/.assertion_builder_spec.rb.swp
 - spec/lib/saml_idp/algorithmable_spec.rb
 - spec/lib/saml_idp/assertion_builder_spec.rb
 - spec/lib/saml_idp/attribute_decorator_spec.rb