saml_idp 0.7.2 → 0.16.0

data/lib/saml_idp/response_builder.rb

@@ -1,32 +1,45 @@
 require 'builder'
+require 'saml_idp/algorithmable'
+require 'saml_idp/signable'
 module SamlIdp
   class ResponseBuilder
+    include Algorithmable
+    include Signable
     attr_accessor :response_id
     attr_accessor :issuer_uri
     attr_accessor :saml_acs_url
     attr_accessor :saml_request_id
     attr_accessor :assertion_and_signature
+    attr_accessor :raw_algorithm
 
-    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature)
+    alias_method :reference_id, :response_id
+
+    def initialize(response_id, issuer_uri, saml_acs_url, saml_request_id, assertion_and_signature, raw_algorithm)
       self.response_id = response_id
       self.issuer_uri = issuer_uri
       self.saml_acs_url = saml_acs_url
       self.saml_request_id = saml_request_id
       self.assertion_and_signature = assertion_and_signature
+      self.raw_algorithm = raw_algorithm
     end
 
-    def encoded
-      @encoded ||= encode
+    def encoded(signed_message: false, compress: false)
+      @encoded ||= signed_message ? encode_signed_message(compress) : encode_raw_message(compress)
     end
 
     def raw
       build
     end
 
-    def encode
-      Base64.strict_encode64(raw)
+    def encode_raw_message(compress)
+      Base64.strict_encode64(compress ? deflate(raw) : raw)
+    end
+    private :encode_raw_message
+
+    def encode_signed_message(compress)
+      Base64.strict_encode64(compress ? deflate(signed) : signed)
     end
-    private :encode
+    private :encode_signed_message
 
     def build
       resp_options = {}
@@ -41,6 +54,7 @@ module SamlIdp
       builder = Builder::XmlMarkup.new
       builder.tag! "samlp:Response", resp_options do |response|
           response.Issuer issuer_uri, xmlns: Saml::XML::Namespaces::ASSERTION
+          sign response
           response.tag! "samlp:Status" do |status|
             status.tag! "samlp:StatusCode", Value: Saml::XML::Namespaces::Statuses::SUCCESS
           end
@@ -52,11 +66,17 @@ module SamlIdp
     def response_id_string
       "_#{response_id}"
     end
+    alias_method :reference_id, :response_id
     private :response_id_string
 
     def now_iso
       Time.now.utc.iso8601
     end
     private :now_iso
+
+    def deflate(inflated)
+      Zlib::Deflate.deflate(inflated, 9)[2..-5]
+    end
+    private :deflate
   end
 end

data/lib/saml_idp/saml_response.rb

@@ -1,8 +1,9 @@
+# frozen_string_literal: true
+
 require 'saml_idp/assertion_builder'
 require 'saml_idp/response_builder'
 module SamlIdp
   class SamlResponse
-    attr_accessor :assertion_with_signature
     attr_accessor :reference_id
     attr_accessor :response_id
     attr_accessor :issuer_uri
@@ -17,20 +18,32 @@ module SamlIdp
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :name_id_formats_opts
+    attr_accessor :asserted_attributes_opts
+    attr_accessor :signed_message_opts
+    attr_accessor :signed_assertion_opts
+    attr_accessor :compression_opts
+
+    def initialize(
+      reference_id,
+      response_id,
+      issuer_uri,
+      principal,
+      audience_uri,
+      saml_request_id,
+      saml_acs_url,
+      algorithm,
+      authn_context_classref,
+      expiry = 60 * 60,
+      encryption_opts = nil,
+      session_expiry = 0,
+      name_id_formats_opts = nil,
+      asserted_attributes_opts = nil,
+      signed_message_opts = false,
+      signed_assertion_opts = true,
+      compression_opts = false
+    )
 
-    def initialize(reference_id,
-          response_id,
-          issuer_uri,
-          principal,
-          audience_uri,
-          saml_request_id,
-          saml_acs_url,
-          algorithm,
-          authn_context_classref,
-          expiry=60*60,
-          encryption_opts=nil,
-          session_expiry=0
-          )
       self.reference_id = reference_id
       self.response_id = response_id
       self.issuer_uri = issuer_uri
@@ -45,38 +58,59 @@ module SamlIdp
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry
+      self.signed_message_opts = signed_message_opts
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
+      self.signed_assertion_opts = signed_assertion_opts
+      self.name_id_formats_opts = name_id_formats_opts
+      self.asserted_attributes_opts = asserted_attributes_opts
+      self.compression_opts = compression_opts
     end
 
     def build
-      @built ||= response_builder.encoded
+      @build ||= encoded_message
     end
 
     def signed_assertion
       if encryption_opts
         assertion_builder.encrypt(sign: true)
-      else
+      elsif signed_assertion_opts
         assertion_builder.signed
+      else
+        assertion_builder.raw
       end
     end
     private :signed_assertion
 
+    def encoded_message
+      if signed_message_opts
+        response_builder.encoded(signed_message: true, compress: compression_opts)
+      else
+        response_builder.encoded(signed_message: false, compress: compression_opts)
+      end
+    end
+    private :encoded_message
+
     def response_builder
-      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion)
+      ResponseBuilder.new(response_id, issuer_uri, saml_acs_url, saml_request_id, signed_assertion, algorithm)
     end
     private :response_builder
 
     def assertion_builder
-      @assertion_builder ||= AssertionBuilder.new reference_id,
-        issuer_uri,
-        principal,
-        audience_uri,
-        saml_request_id,
-        saml_acs_url,
-        algorithm,
-        authn_context_classref,
-        expiry,
-        encryption_opts,
-        session_expiry
+      @assertion_builder ||=
+        AssertionBuilder.new SecureRandom.uuid,
+                             issuer_uri,
+                             principal,
+                             audience_uri,
+                             saml_request_id,
+                             saml_acs_url,
+                             algorithm,
+                             authn_context_classref,
+                             expiry,
+                             encryption_opts,
+                             session_expiry,
+                             name_id_formats_opts,
+                             asserted_attributes_opts
     end
     private :assertion_builder
   end

data/lib/saml_idp/service_provider.rb

@@ -13,6 +13,7 @@ module SamlIdp
     attribute :validate_signature
     attribute :acs_url
     attribute :assertion_consumer_logout_service_url
+    attribute :response_hosts
 
     delegate :config, to: :SamlIdp
 
@@ -21,18 +22,13 @@ module SamlIdp
     end
 
     def valid_signature?(doc, require_signature = false)
-      if require_signature || should_validate_signature?
+      if require_signature || attributes[:validate_signature]
         doc.valid_signature?(fingerprint)
       else
         true
       end
     end
 
-    def should_validate_signature?
-      attributes[:validate_signature] ||
-        current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions?
-    end
-
     def refresh_metadata
       fresh = fresh_incoming_metadata
       if valid_signature?(fresh.document)
@@ -46,6 +42,19 @@ module SamlIdp
       @current_metadata ||= get_current_or_build
     end
 
+    def acceptable_response_hosts
+      hosts = Array(self.response_hosts)
+      hosts.push(metadata_url_host) if metadata_url_host
+
+      hosts
+    end
+
+    def metadata_url_host
+      if metadata_url.present?
+        URI(metadata_url).host
+      end
+    end
+
     def get_current_or_build
       persisted = metadata_getter[identifier, self]
       if persisted.is_a? Hash

data/lib/saml_idp/signable.rb

@@ -108,8 +108,7 @@ module SamlIdp
       canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
       canon_hashed_element = noko_raw.canonicalize(canon_algorithm, inclusive_namespaces)
       digest_algorithm = get_algorithm
-
-      hash                          = digest_algorithm.digest(canon_hashed_element)
+      hash = digest_algorithm.digest(canon_hashed_element)
       Base64.strict_encode64(hash).gsub(/\n/, '')
     end
     private :digest

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.7.2'
+  VERSION = '0.16.0'
 end

data/lib/saml_idp/xml_security.rb

@@ -108,7 +108,7 @@ module SamlIdp
           canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
           canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces)
 
-          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))
+          digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod", {'ds' => DSIG}))
 
           hash                          = digest_algorithm.digest(canon_hashed_element)
           digest_value                  = Base64.decode64(REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>DSIG}).text)

data/lib/saml_idp.rb

@@ -8,7 +8,8 @@ module SamlIdp
   require 'saml_idp/default'
   require 'saml_idp/metadata_builder'
   require 'saml_idp/version'
-  require 'saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+  require 'saml_idp/fingerprint'
+  require 'saml_idp/engine' if defined?(::Rails)
 
   def self.config
     @config ||= SamlIdp::Configurator.new

data/saml_idp.gemspec

@@ -1,59 +1,62 @@
 # -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
-require "saml_idp/version"
+
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+require 'saml_idp/version'
 
 Gem::Specification.new do |s|
   s.name = %q{saml_idp}
   s.version = SamlIdp::VERSION
   s.platform = Gem::Platform::RUBY
-  s.authors = ["Jon Phenow"]
-  s.email = %q{jon.phenow@sportngin.com}
-  s.homepage = %q{http://github.com/sportngin/saml_idp}
-  s.summary = %q{SAML Indentity Provider in ruby}
-  s.description = %q{SAML IdP (Identity Provider) library in ruby}
-  s.date = Time.now.utc.strftime("%Y-%m-%d")
-  s.files = Dir.glob("app/**/*") + Dir.glob("lib/**/*") + [
-     "LICENSE",
-     "README.md",
-     "Gemfile",
-     "saml_idp.gemspec"
-  ]
-  s.required_ruby_version = '>= 2.2'
-  s.license = "LICENSE"
+  s.authors = ['Jon Phenow']
+  s.email = 'jon.phenow@sportngin.com'
+  s.homepage = 'https://github.com/saml-idp/saml_idp'
+  s.summary = 'SAML Indentity Provider for Ruby'
+  s.description = 'SAML IdP (Identity Provider) Library for Ruby'
+  s.date = Time.now.utc.strftime('%Y-%m-%d')
+  s.files = Dir['lib/**/*', 'LICENSE', 'README.md', 'Gemfile', 'saml_idp.gemspec']
+  s.required_ruby_version = '>= 2.5'
+  s.license = 'MIT'
   s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
-  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ['lib']
+  s.rdoc_options = ['--charset=UTF-8']
+  s.metadata = {
+    'homepage_uri' => 'https://github.com/saml-idp/saml_idp',
+    'source_code_uri' => 'https://github.com/saml-idp/saml_idp',
+    'bug_tracker_uri' => 'https://github.com/saml-idp/saml_idp/issues',
+    'documentation_uri' => "http://rdoc.info/gems/saml_idp/#{SamlIdp::VERSION}"
+  }
 
   s.post_install_message = <<-INST
-If you're just recently updating saml_idp - please be aware we've changed the default
-certificate. See the PR and a description of why we've done this here:
-https://github.com/sportngin/saml_idp/pull/29
-
-If you just need to see the certificate `bundle open saml_idp` and go to
-`lib/saml_idp/default.rb`
+    If you're just recently updating saml_idp - please be aware we've changed the default
+    certificate. See the PR and a description of why we've done this here:
+    https://github.com/saml-idp/saml_idp/pull/29
 
-Similarly, please see the README about certificates - you should avoid using the
-defaults in a Production environment. Post any issues you to github.
+    If you just need to see the certificate `bundle open saml_idp` and go to
+    `lib/saml_idp/default.rb`
 
-** New in Version 0.3.0 **
+    Similarly, please see the README about certificates - you should avoid using the
+    defaults in a Production environment. Post any issues you to github.
 
-Encrypted Assertions require the xmlenc gem. See the example in the Controller
-section of the README.
+    ** New in Version 0.3.0 **
+    Encrypted Assertions require the xmlenc gem. See the example in the Controller
+    section of the README.
   INST
 
-  s.add_dependency('activesupport', '>= 3.2')
-  s.add_dependency('uuid', '~> 2.3')
-  s.add_dependency('builder', '~> 3.0')
+  s.add_dependency('activesupport', '>= 5.2')
+  s.add_dependency('builder', '>= 3.0')
   s.add_dependency('nokogiri', '>= 1.6.2')
-
-  s.add_development_dependency('rake', '~> 10.4.2')
-  s.add_development_dependency('simplecov', '~> 0.12')
-  s.add_development_dependency('rspec', '~> 2.5')
-  s.add_development_dependency('ruby-saml', '~> 1.3')
-  s.add_development_dependency('rails', '~> 3.2')
-  s.add_development_dependency('capybara', '~> 2.11.0')
-  s.add_development_dependency('timecop', '~> 0.8')
-  s.add_development_dependency('xmlenc', '>= 0.6.4')
+  s.add_dependency('rexml')
+  s.add_dependency('xmlenc', '>= 0.7.1')
+
+  s.add_development_dependency('activeresource', '>= 5.1')
+  s.add_development_dependency('appraisal')
+  s.add_development_dependency('byebug')
+  s.add_development_dependency('capybara', '>= 2.16')
+  s.add_development_dependency('rails', '>= 5.2')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('rspec', '>= 3.7.0')
+  s.add_development_dependency('ruby-saml', '>= 1.7.2')
+  s.add_development_dependency('simplecov')
+  s.add_development_dependency('timecop', '>= 0.8')
 end
-

data/spec/acceptance/idp_controller_spec.rb

@@ -4,11 +4,12 @@ feature 'IdpController' do
   scenario 'Login via default signup page' do
     saml_request = make_saml_request("http://foo.example.com/saml/consume")
     visit "/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
-    fill_in 'Email', :with => "foo@example.com"
-    fill_in 'Password', :with => "okidoki"
+    expect(status_code).to eq(200)
+    fill_in 'email', :with => "foo@example.com"
+    fill_in 'password', :with => "okidoki"
     click_button 'Sign in'
     click_button 'Submit'   # simulating onload
-    current_url.should == 'http://foo.example.com/saml/consume'
-    page.should have_content "foo@example.com"
+    expect(current_url).to eq('http://foo.example.com/saml/consume')
+    expect(page).to have_content "foo@example.com"
   end
 end

data/spec/lib/saml_idp/algorithmable_spec.rb

@@ -9,11 +9,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA256
+        expect(algorithm).to eq(OpenSSL::Digest::SHA256)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha256"
+        expect(algorithm_name).to eq("sha256")
       end
     end
 
@@ -23,11 +23,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA512
+        expect(algorithm).to eq(OpenSSL::Digest::SHA512)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha512"
+        expect(algorithm_name).to eq("sha512")
       end
     end
 
@@ -37,11 +37,11 @@ module SamlIdp
       end
 
       it "finds algorithm class" do
-        algorithm.should == OpenSSL::Digest::SHA1
+        expect(algorithm).to eq(OpenSSL::Digest::SHA1)
       end
 
       it "finds the name" do
-        algorithm_name.should == "sha1"
+        expect(algorithm_name).to eq("sha1")
       end
     end
   end