samlsso 0.1.0

Files changed (41) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +50 -0
  3. data/CODE_OF_CONDUCT.md +49 -0
  4. data/Gemfile +4 -0
  5. data/LICENSE +21 -0
  6. data/README.md +36 -0
  7. data/Rakefile +2 -0
  8. data/bin/console +14 -0
  9. data/bin/setup +8 -0
  10. data/lib/samlsso.rb +16 -0
  11. data/lib/samlsso/attribute_service.rb +32 -0
  12. data/lib/samlsso/attributes.rb +107 -0
  13. data/lib/samlsso/authrequest.rb +124 -0
  14. data/lib/samlsso/idp_metadata_parser.rb +85 -0
  15. data/lib/samlsso/logging.rb +20 -0
  16. data/lib/samlsso/logoutrequest.rb +100 -0
  17. data/lib/samlsso/logoutresponse.rb +110 -0
  18. data/lib/samlsso/metadata.rb +94 -0
  19. data/lib/samlsso/response.rb +271 -0
  20. data/lib/samlsso/saml_message.rb +117 -0
  21. data/lib/samlsso/settings.rb +115 -0
  22. data/lib/samlsso/slo_logoutrequest.rb +64 -0
  23. data/lib/samlsso/slo_logoutresponse.rb +99 -0
  24. data/lib/samlsso/utils.rb +42 -0
  25. data/lib/samlsso/validation_error.rb +5 -0
  26. data/lib/samlsso/version.rb +3 -0
  27. data/lib/schemas/saml-schema-assertion-2.0.xsd +283 -0
  28. data/lib/schemas/saml-schema-authn-context-2.0.xsd +23 -0
  29. data/lib/schemas/saml-schema-authn-context-types-2.0.xsd +821 -0
  30. data/lib/schemas/saml-schema-metadata-2.0.xsd +339 -0
  31. data/lib/schemas/saml-schema-protocol-2.0.xsd +302 -0
  32. data/lib/schemas/sstc-metadata-attr.xsd +35 -0
  33. data/lib/schemas/sstc-saml-attribute-ext.xsd +25 -0
  34. data/lib/schemas/sstc-saml-metadata-algsupport-v1.0.xsd +41 -0
  35. data/lib/schemas/sstc-saml-metadata-ui-v1.0.xsd +89 -0
  36. data/lib/schemas/xenc-schema.xsd +136 -0
  37. data/lib/schemas/xml.xsd +287 -0
  38. data/lib/schemas/xmldsig-core-schema.xsd +309 -0
  39. data/lib/xml_security.rb +276 -0
  40. data/samlsso.gemspec +44 -0
  41. metadata +168 -0
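--- /dev/null
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+ ---
+ SHA1:
+ metadata.gz: 6eef1ff2931908247fa908b45369820de85c56e6
+ data.tar.gz: 5fe581ce6f74f9dbcb4ffefab1f39055bb814301
+ SHA512:
+ metadata.gz: f8f60a37d9608b41a040cba0b178c8a2696e6f67aee0341944f39622e8bb167acef85299342325d2b0929d2935d43060d244ad26763477d2a124a585bf8cbfbf
+ data.tar.gz: 0ba87a05251f4b3bbfce53fefdcd5b5ebecdbc0074631c634d9b63e151918a8a5a5143e76123cfdbe8b43df0b9674d84f3188c8fbee4e1d5811710662c4c15d4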
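--- /dev/null
+++ b/data/.gitignore
@@ -0,0 +1,50 @@
+ *.rbc
+ capybara-*.html
+ .rspec
+ /log
+ /tmp
+ /db/*.sqlite3
+ /db/*.sqlite3-journal
+ /public/system
+ /coverage/
+ /spec/tmp
+ /pkg/
+ /.yardoc
+ /_yardoc/
+ /doc/
+ /spec/reports/
+ **.orig
+ rerun.txt
+ pickle-email-*.html
+
+
+ # TODO Comment out these rules if you are OK with secrets being uploaded to the repo
+ config/initializers/secret_token.rb
+ config/secrets.yml
+
+ # dotenv
+ # TODO Comment out this rule if environment variables can be committed
+ .env
+
+ ## Environment normalization:
+ /.bundle
+ /vendor/bundle
+
+ # these should all be checked in to normalize the environment:
+ Gemfile.lock
+ .ruby-version
+ .ruby-gemset
+
+ # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+ .rvmrc
+
+ # if using bower-rails ignore default bower_components path bower.json files
+ /vendor/assets/bower_components
+ *.bowerrc
+ bower.json
+
+ # Ignore pow environment settings
+ .powenv
+
+ # Ignore Byebug command history file.
+ .byebug_history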
@@ -0,0 +1,49 @@
1
+ # Contributor Code of Conduct
2
+
3
+ As contributors and maintainers of this project, and in the interest of
4
+ fostering an open and welcoming community, we pledge to respect all people who
5
+ contribute through reporting issues, posting feature requests, updating
6
+ documentation, submitting pull requests or patches, and other activities.
7
+
8
+ We are committed to making participation in this project a harassment-free
9
+ experience for everyone, regardless of level of experience, gender, gender
10
+ identity and expression, sexual orientation, disability, personal appearance,
11
+ body size, race, ethnicity, age, religion, or nationality.
12
+
13
+ Examples of unacceptable behavior by participants include:
14
+
15
+ * The use of sexualized language or imagery
16
+ * Personal attacks
17
+ * Trolling or insulting/derogatory comments
18
+ * Public or private harassment
19
+ * Publishing other's private information, such as physical or electronic
20
+ addresses, without explicit permission
21
+ * Other unethical or unprofessional conduct
22
+
23
+ Project maintainers have the right and responsibility to remove, edit, or
24
+ reject comments, commits, code, wiki edits, issues, and other contributions
25
+ that are not aligned to this Code of Conduct, or to ban temporarily or
26
+ permanently any contributor for other behaviors that they deem inappropriate,
27
+ threatening, offensive, or harmful.
28
+
29
+ By adopting this Code of Conduct, project maintainers commit themselves to
30
+ fairly and consistently applying these principles to every aspect of managing
31
+ this project. Project maintainers who do not follow or enforce the Code of
32
+ Conduct may be permanently removed from the project team.
33
+
34
+ This code of conduct applies both within project spaces and in public spaces
35
+ when an individual is representing the project or its community.
36
+
37
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
38
+ reported by contacting a project maintainer at mukherjee.siddhartha@gmail.com. All
39
+ complaints will be reviewed and investigated and will result in a response that
40
+ is deemed necessary and appropriate to the circumstances. Maintainers are
41
+ obligated to maintain confidentiality with regard to the reporter of an
42
+ incident.
43
+
44
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage],
45
+ version 1.3.0, available at
46
+ [http://contributor-covenant.org/version/1/3/0/][version]
47
+
48
+ [homepage]: http://contributor-covenant.org
49
+ [version]: http://contributor-covenant.org/version/1/3/0/
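--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+ source 'https://rubygems.org'
+
+ # Specify your gem's dependencies in samlsso.gemspec
+ gemspec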
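--- /dev/null
+++ b/data/LICENSE
@@ -0,0 +1,21 @@
+ The MIT License (MIT)
+
+ Copyright (c) 2016 Siddhartha Mukherjee
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.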
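--- /dev/null
+++ b/data/README.md
@@ -0,0 +1,36 @@
+ # Samlsso
+
+ SAML SSO for Ruby
+
+ (Fork of a old version of https://github.com/onelogin/ruby-saml, but then customized/enhanced to support encrypted SAML and some more)
+
+ ## Installation
+
+ Add this line to your application's Gemfile:
+
+ ```ruby
+ gem 'samlsso'
+ ```
+
+ And then execute:
+
+ $ bundle
+
+ Or install it yourself as:
+
+ $ gem install samlsso
+
+ ## Development
+
+ After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+ ## Contributing
+
+ Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/samlsso. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+
+ ## License
+
+ The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).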
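--- /dev/null
+++ b/data/Rakefile
@@ -0,0 +1,2 @@
+ require "bundler/gem_tasks"
+ task :default => :spec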
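--- /dev/null
+++ b/data/bin/console
@@ -0,0 +1,14 @@
+ #!/usr/bin/env ruby
+
+ require "bundler/setup"
+ require "samlsso"
+
+ # You can add fixtures and/or initialization code here to make experimenting
+ # with your gem easier. You can also use a different console, if you like.
+
+ # (If you use this, don't forget to add pry to your Gemfile!)
+ # require "pry"
+ # Pry.start
+
+ require "irb"
+ IRB.start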
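--- /dev/null
+++ b/data/bin/setup
@@ -0,0 +1,8 @@
+ #!/usr/bin/env bash
+ set -euo pipefail
+ IFS=$'\n\t'
+ set -vx
+
+ bundle install
+
+ # Do any other automated setup that you need to do here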
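--- /dev/null
+++ b/data/lib/samlsso.rb
@@ -0,0 +1,16 @@
+ require 'samlsso/logging'
+ require 'samlsso/saml_message'
+ require 'samlsso/authrequest'
+ require 'samlsso/logoutrequest'
+ require 'samlsso/logoutresponse'
+ require 'samlsso/attributes'
+ require 'samlsso/slo_logoutrequest'
+ require 'samlsso/slo_logoutresponse'
+ require 'samlsso/response'
+ require 'samlsso/settings'
+ require 'samlsso/attribute_service'
+ require 'samlsso/validation_error'
+ require 'samlsso/metadata'
+ require 'samlsso/idp_metadata_parser'
+ require 'samlsso/utils'
+ require 'samlsso/version'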
@@ -0,0 +1,32 @@
1
+ module Samlsso
2
+ class AttributeService
3
+ attr_reader :attributes
4
+ attr_reader :name
5
+ attr_reader :index
6
+
7
+ def initialize
8
+ @index = "1"
9
+ @attributes = []
10
+ end
11
+
12
+ def configure(&block)
13
+ instance_eval &block
14
+ end
15
+
16
+ def configured?
17
+ @attributes.length > 0 && !@name.nil?
18
+ end
19
+
20
+ def service_name(name)
21
+ @name = name
22
+ end
23
+
24
+ def service_index(index)
25
+ @index = index
26
+ end
27
+
28
+ def add_attribute(options={})
29
+ attributes << options
30
+ end
31
+ end
32
+ end
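Review bot: `configure` hands its block straight to `instance_eval`, so a call without a block fails with an ArgumentError raised from inside `instance_eval` rather than a message that names the missing block; `raise ArgumentError, "configure requires a block" unless block_given?` before the eval makes the contract explicit. The class carries no comments at all: `add_attribute` should say which keys the options hash is expected to hold, since the code that reads `attributes` is outside this file. A one-line comment on `configure` noting that the block runs with `self` rebound to the service object (so the caller's own instance variables are not visible inside it) would also help.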
@@ -0,0 +1,107 @@
1
+ module Samlsso
2
+ # Wraps all attributes and provides means to query them for single or multiple values.
3
+ #
4
+ # For backwards compatibility Attributes#[] returns *first* value for the attribute.
5
+ # Turn off compatibility to make it return all values as an array:
6
+ # Attributes.single_value_compatibility = false
7
+ class Attributes
8
+ include Enumerable
9
+
10
+ # By default Attributes#[] is backwards compatible and
11
+ # returns only the first value for the attribute
12
+ # Setting this to `false` returns all values for an attribute
13
+ @@single_value_compatibility = true
14
+
15
+ # Get current status of backwards compatibility mode.
16
+ def self.single_value_compatibility
17
+ @@single_value_compatibility
18
+ end
19
+
20
+ # Sets the backwards compatibility mode on/off.
21
+ def self.single_value_compatibility=(value)
22
+ @@single_value_compatibility = value
23
+ end
24
+
25
+ # Initialize Attributes collection, optionally taking a Hash of attribute names and values.
26
+ #
27
+ # The +attrs+ must be a Hash with attribute names as keys and **arrays** as values:
28
+ # Attributes.new({
29
+ # 'name' => ['value1', 'value2'],
30
+ # 'mail' => ['value1'],
31
+ # })
32
+ def initialize(attrs = {})
33
+ @attributes = attrs
34
+ end
35
+
36
+
37
+ # Iterate over all attributes
38
+ def each
39
+ attributes.each{|name, values| yield name, values}
40
+ end
41
+
42
+ # Test attribute presence by name
43
+ def include?(name)
44
+ attributes.has_key?(canonize_name(name))
45
+ end
46
+
47
+ # Return first value for an attribute
48
+ def single(name)
49
+ attributes[canonize_name(name)].first if include?(name)
50
+ end
51
+
52
+ # Return all values for an attribute
53
+ def multi(name)
54
+ attributes[canonize_name(name)]
55
+ end
56
+
57
+ # By default returns first value for an attribute.
58
+ #
59
+ # Depending on the single value compatibility status this returns first value
60
+ # Attributes.single_value_compatibility = true # Default
61
+ # response.attributes['mail'] # => 'user@example.com'
62
+ #
63
+ # Or all values:
64
+ # Attributes.single_value_compatibility = false
65
+ # response.attributes['mail'] # => ['user@example.com','user@example.net']
66
+ def [](name)
67
+ self.class.single_value_compatibility ? single(canonize_name(name)) : multi(canonize_name(name))
68
+ end
69
+
70
+ # Return all attributes as an array
71
+ def all
72
+ attributes
73
+ end
74
+
75
+ # Set values for an attribute, overwriting all existing values
76
+ def set(name, values)
77
+ attributes[canonize_name(name)] = values
78
+ end
79
+ alias_method :[]=, :set
80
+
81
+ # Add new attribute or new value(s) to an existing attribute
82
+ def add(name, values = [])
83
+ attributes[canonize_name(name)] ||= []
84
+ attributes[canonize_name(name)] += Array(values)
85
+ end
86
+
87
+ # Make comparable to another Attributes collection based on attributes
88
+ def ==(other)
89
+ if other.is_a?(Attributes)
90
+ all == other.all
91
+ else
92
+ super
93
+ end
94
+ end
95
+
96
+ protected
97
+
98
+ # stringifies all names so both 'email' and :email return the same result
99
+ def canonize_name(name)
100
+ name.to_s
101
+ end
102
+
103
+ def attributes
104
+ @attributes
105
+ end
106
+ end
107
+ end
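Review bot: `initialize` stores the caller's hash untouched while every lookup goes through `canonize_name`, so a collection built with symbol keys, e.g. `Attributes.new(:mail => ['a'])`, answers `include?('mail')` with false and `['mail']` with nil. Normalising once in the constructor, `@attributes = attrs.each_with_object({}) { |(k, v), h| h[canonize_name(k)] = v }`, keeps construction and lookup consistent. The comment on `all` says it returns an array, but it returns the underlying Hash itself, so callers can mutate the collection through it; the comment should say that, or the method should return a copy. `@@single_value_compatibility` is process-wide state, so flipping it changes what every consumer of `[]` receives (a String versus an Array, and nil from `multi` for an unknown name), which deserves a warning in the class comment where attribute values feed access decisions.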
@@ -0,0 +1,124 @@
1
+ require "uuid"
2
+
3
+ require "samlsso/logging"
4
+
5
+ module Samlsso
6
+ include REXML
7
+ class Authrequest < SamlMessage
8
+
9
+ attr_reader :uuid # Can be obtained if neccessary
10
+
11
+ def initialize
12
+ @uuid = "_" + UUID.new.generate
13
+ end
14
+
15
+ def create(settings, params = {})
16
+ params = create_params(settings, params)
17
+ params_prefix = (settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
18
+ saml_request = CGI.escape(params.delete("SAMLRequest"))
19
+ request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
20
+ params.each_pair do |key, value|
21
+ request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
22
+ end
23
+ @login_url = settings.idp_sso_target_url + request_params
24
+ end
25
+
26
+ def create_params(settings, params={})
27
+ params = {} if params.nil?
28
+
29
+ request_doc = create_authentication_xml_doc(settings)
30
+ request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
31
+
32
+ request = ""
33
+ request_doc.write(request)
34
+
35
+ Logging.debug "Created AuthnRequest: #{request}"
36
+
37
+ request = deflate(request) if settings.compress_request
38
+ base64_request = encode(request)
39
+ request_params = {"SAMLRequest" => base64_request}
40
+
41
+ if settings.security[:authn_requests_signed] && !settings.security[:embed_sign] && settings.private_key
42
+ params['SigAlg'] = XMLSecurity::Document::SHA1
43
+ url_string = "SAMLRequest=#{CGI.escape(base64_request)}"
44
+ url_string += "&RelayState=#{CGI.escape(params['RelayState'])}" if params['RelayState']
45
+ url_string += "&SigAlg=#{CGI.escape(params['SigAlg'])}"
46
+ private_key = settings.get_sp_key()
47
+ signature = private_key.sign(XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method]).new, url_string)
48
+ params['Signature'] = encode(signature)
49
+ end
50
+
51
+ params.each_pair do |key, value|
52
+ request_params[key] = value.to_s
53
+ end
54
+
55
+ request_params
56
+ end
57
+
58
+ def create_authentication_xml_doc(settings)
59
+ time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
60
+
61
+ request_doc = XMLSecurity::Document.new
62
+ request_doc.uuid = uuid
63
+
64
+ root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
65
+ root.attributes['ID'] = uuid
66
+ root.attributes['IssueInstant'] = time
67
+ root.attributes['Version'] = "2.0"
68
+ root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
69
+ root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
70
+ root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
71
+ root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
72
+ root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
73
+
74
+ # Conditionally defined elements based on settings
75
+ if settings.assertion_consumer_service_url != nil
76
+ root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
77
+ end
78
+ if settings.issuer != nil
79
+ issuer = root.add_element "saml:Issuer"
80
+ issuer.text = settings.issuer
81
+ end
82
+ if settings.name_identifier_format != nil
83
+ root.add_element "samlp:NameIDPolicy", {
84
+ # Might want to make AllowCreate a setting?
85
+ "AllowCreate" => "true",
86
+ "Format" => settings.name_identifier_format
87
+ }
88
+ end
89
+
90
+ if settings.authn_context || settings.authn_context_decl_ref
91
+
92
+ if settings.authn_context_comparison != nil
93
+ comparison = settings.authn_context_comparison
94
+ else
95
+ comparison = 'exact'
96
+ end
97
+
98
+ requested_context = root.add_element "samlp:RequestedAuthnContext", {
99
+ "Comparison" => comparison,
100
+ }
101
+
102
+ if settings.authn_context != nil
103
+ class_ref = requested_context.add_element "saml:AuthnContextClassRef"
104
+ class_ref.text = settings.authn_context
105
+ end
106
+ # add saml:AuthnContextDeclRef element
107
+ if settings.authn_context_decl_ref != nil
108
+ class_ref = requested_context.add_element "saml:AuthnContextDeclRef"
109
+ class_ref.text = settings.authn_context_decl_ref
110
+ end
111
+ end
112
+
113
+ # embebed sign
114
+ if settings.security[:authn_requests_signed] && settings.private_key && settings.certificate && settings.security[:embed_sign]
115
+ private_key = settings.get_sp_key()
116
+ cert = settings.get_sp_cert()
117
+ request_doc.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
118
+ end
119
+
120
+ request_doc
121
+ end
122
+
123
+ end
124
+ end
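Review bot: In `create_params`, the redirect-binding branch sets `params['SigAlg'] = XMLSecurity::Document::SHA1` but signs with the digest derived from `settings.security[:signature_method]`, so the algorithm advertised to the IdP is a fixed SHA-1 identifier regardless of what actually produced the signature. With any other configured `signature_method` the IdP would presumably verify against the wrong algorithm; `params['SigAlg'] = settings.security[:signature_method]` keeps the advertised and the used algorithm in step (the constant's value is defined in xml_security.rb, outside this section, so confirm it there). The same branch reads `params['RelayState']` by string key only, so a caller passing `:RelayState` gets it appended to the URL by `create` but left out of the signed string. The method also writes `SigAlg` and `Signature` into the caller's hash; starting with `params = params.nil? ? {} : params.dup` avoids that side effect.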