spid-es 0.0.1

data/lib/schemas/xmldsig_schema.xsd

@@ -0,0 +1,318 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE schema
+  PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
+ [
+   <!ATTLIST schema 
+     xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
+   <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
+   <!ENTITY % p ''>
+   <!ENTITY % s ''>
+  ]>
+
+<!-- Schema for XML Signatures
+    http://www.w3.org/2000/09/xmldsig#
+    $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $
+
+    Copyright 2001 The Internet Society and W3C (Massachusetts Institute
+    of Technology, Institut National de Recherche en Informatique et en
+    Automatique, Keio University). All Rights Reserved.
+    http://www.w3.org/Consortium/Legal/
+
+    This document is governed by the W3C Software License [1] as described
+    in the FAQ [2].
+
+    [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
+    [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
+-->
+
+
+<schema xmlns="http://www.w3.org/2001/XMLSchema"
+        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+        targetNamespace="http://www.w3.org/2000/09/xmldsig#"
+        version="0.1" elementFormDefault="qualified"> 
+
+<!-- Basic Types Defined for Signatures -->
+
+<simpleType name="CryptoBinary">
+  <restriction base="base64Binary">
+  </restriction>
+</simpleType>
+
+<!-- Start Signature -->
+
+<element name="Signature" type="ds:SignatureType"/>
+<complexType name="SignatureType">
+  <sequence> 
+    <element ref="ds:SignedInfo"/> 
+    <element ref="ds:SignatureValue"/> 
+    <element ref="ds:KeyInfo" minOccurs="0"/> 
+    <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> 
+  </sequence>  
+  <attribute name="Id" type="ID" use="optional"/>
+</complexType>
+
+  <element name="SignatureValue" type="ds:SignatureValueType"/> 
+  <complexType name="SignatureValueType">
+    <simpleContent>
+      <extension base="base64Binary">
+        <attribute name="Id" type="ID" use="optional"/>
+      </extension>
+    </simpleContent>
+  </complexType>
+
+<!-- Start SignedInfo -->
+
+<element name="SignedInfo" type="ds:SignedInfoType"/>
+<complexType name="SignedInfoType">
+  <sequence> 
+    <element ref="ds:CanonicalizationMethod"/> 
+    <element ref="ds:SignatureMethod"/> 
+    <element ref="ds:Reference" maxOccurs="unbounded"/> 
+  </sequence>  
+  <attribute name="Id" type="ID" use="optional"/> 
+</complexType>
+
+  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> 
+  <complexType name="CanonicalizationMethodType" mixed="true">
+    <sequence>
+      <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/> 
+  </complexType>
+
+  <element name="SignatureMethod" type="ds:SignatureMethodType"/>
+  <complexType name="SignatureMethodType" mixed="true">
+    <sequence>
+      <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
+      <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
+      <!-- (0,unbounded) elements from (1,1) external namespace -->
+    </sequence>
+    <attribute name="Algorithm" type="anyURI" use="required"/> 
+  </complexType>
+
+<!-- Start Reference -->
+
+<element name="Reference" type="ds:ReferenceType"/>
+<complexType name="ReferenceType">
+  <sequence> 
+    <element ref="ds:Transforms" minOccurs="0"/> 
+    <element ref="ds:DigestMethod"/> 
+    <element ref="ds:DigestValue"/> 
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="URI" type="anyURI" use="optional"/> 
+  <attribute name="Type" type="anyURI" use="optional"/> 
+</complexType>
+
+  <element name="Transforms" type="ds:TransformsType"/>
+  <complexType name="TransformsType">
+    <sequence>
+      <element ref="ds:Transform" maxOccurs="unbounded"/>  
+    </sequence>
+  </complexType>
+
+  <element name="Transform" type="ds:TransformType"/>
+  <complexType name="TransformType" mixed="true">
+    <choice minOccurs="0" maxOccurs="unbounded"> 
+      <any namespace="##other" processContents="lax"/>
+      <!-- (1,1) elements from (0,unbounded) namespaces -->
+      <element name="XPath" type="string"/> 
+    </choice>
+    <attribute name="Algorithm" type="anyURI" use="required"/> 
+  </complexType>
+
+<!-- End Reference -->
+
+<element name="DigestMethod" type="ds:DigestMethodType"/>
+<complexType name="DigestMethodType" mixed="true"> 
+  <sequence>
+    <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
+  </sequence>    
+  <attribute name="Algorithm" type="anyURI" use="required"/> 
+</complexType>
+
+<element name="DigestValue" type="ds:DigestValueType"/>
+<simpleType name="DigestValueType">
+  <restriction base="base64Binary"/>
+</simpleType>
+
+<!-- End SignedInfo -->
+
+<!-- Start KeyInfo -->
+
+<element name="KeyInfo" type="ds:KeyInfoType"/> 
+<complexType name="KeyInfoType" mixed="true">
+  <choice maxOccurs="unbounded">     
+    <element ref="ds:KeyName"/> 
+    <element ref="ds:KeyValue"/> 
+    <element ref="ds:RetrievalMethod"/> 
+    <element ref="ds:X509Data"/> 
+    <element ref="ds:PGPData"/> 
+    <element ref="ds:SPKIData"/>
+    <element ref="ds:MgmtData"/>
+    <any processContents="lax" namespace="##other"/>
+    <!-- (1,1) elements from (0,unbounded) namespaces -->
+  </choice>
+  <attribute name="Id" type="ID" use="optional"/> 
+</complexType>
+
+  <element name="KeyName" type="string"/>
+  <element name="MgmtData" type="string"/>
+
+  <element name="KeyValue" type="ds:KeyValueType"/> 
+  <complexType name="KeyValueType" mixed="true">
+   <choice>
+     <element ref="ds:DSAKeyValue"/>
+     <element ref="ds:RSAKeyValue"/>
+     <any namespace="##other" processContents="lax"/>
+   </choice>
+  </complexType>
+
+  <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> 
+  <complexType name="RetrievalMethodType">
+    <sequence>
+      <element ref="ds:Transforms" minOccurs="0"/> 
+    </sequence>  
+    <attribute name="URI" type="anyURI"/>
+    <attribute name="Type" type="anyURI" use="optional"/>
+  </complexType>
+
+<!-- Start X509Data -->
+
+<element name="X509Data" type="ds:X509DataType"/> 
+<complexType name="X509DataType">
+  <sequence maxOccurs="unbounded">
+    <choice>
+      <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
+      <element name="X509SKI" type="base64Binary"/>
+      <element name="X509SubjectName" type="string"/>
+      <element name="X509Certificate" type="base64Binary"/>
+      <element name="X509CRL" type="base64Binary"/>
+      <any namespace="##other" processContents="lax"/>
+    </choice>
+  </sequence>
+</complexType>
+
+<complexType name="X509IssuerSerialType"> 
+  <sequence> 
+    <element name="X509IssuerName" type="string"/> 
+    <element name="X509SerialNumber" type="integer"/> 
+  </sequence>
+</complexType>
+
+<!-- End X509Data -->
+
+<!-- Begin PGPData -->
+
+<element name="PGPData" type="ds:PGPDataType"/> 
+<complexType name="PGPDataType"> 
+  <choice>
+    <sequence>
+      <element name="PGPKeyID" type="base64Binary"/> 
+      <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> 
+      <any namespace="##other" processContents="lax" minOccurs="0"
+       maxOccurs="unbounded"/>
+    </sequence>
+    <sequence>
+      <element name="PGPKeyPacket" type="base64Binary"/> 
+      <any namespace="##other" processContents="lax" minOccurs="0"
+       maxOccurs="unbounded"/>
+    </sequence>
+  </choice>
+</complexType>
+
+<!-- End PGPData -->
+
+<!-- Begin SPKIData -->
+
+<element name="SPKIData" type="ds:SPKIDataType"/> 
+<complexType name="SPKIDataType">
+  <sequence maxOccurs="unbounded">
+    <element name="SPKISexp" type="base64Binary"/>
+    <any namespace="##other" processContents="lax" minOccurs="0"/>
+  </sequence>
+</complexType> 
+
+<!-- End SPKIData -->
+
+<!-- End KeyInfo -->
+
+<!-- Start Object (Manifest, SignatureProperty) -->
+
+<element name="Object" type="ds:ObjectType"/> 
+<complexType name="ObjectType" mixed="true">
+  <sequence minOccurs="0" maxOccurs="unbounded">
+    <any namespace="##any" processContents="lax"/>
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/> 
+  <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet -->
+  <attribute name="Encoding" type="anyURI" use="optional"/> 
+</complexType>
+
+<element name="Manifest" type="ds:ManifestType"/> 
+<complexType name="ManifestType">
+  <sequence>
+    <element ref="ds:Reference" maxOccurs="unbounded"/> 
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/> 
+</complexType>
+
+<element name="SignatureProperties" type="ds:SignaturePropertiesType"/> 
+<complexType name="SignaturePropertiesType">
+  <sequence>
+    <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> 
+  </sequence>
+  <attribute name="Id" type="ID" use="optional"/> 
+</complexType>
+
+   <element name="SignatureProperty" type="ds:SignaturePropertyType"/> 
+   <complexType name="SignaturePropertyType" mixed="true">
+     <choice maxOccurs="unbounded">
+       <any namespace="##other" processContents="lax"/>
+       <!-- (1,1) elements from (1,unbounded) namespaces -->
+     </choice>
+     <attribute name="Target" type="anyURI" use="required"/> 
+     <attribute name="Id" type="ID" use="optional"/> 
+   </complexType>
+
+<!-- End Object (Manifest, SignatureProperty) -->
+
+<!-- Start Algorithm Parameters -->
+
+<simpleType name="HMACOutputLengthType">
+  <restriction base="integer"/>
+</simpleType>
+
+<!-- Start KeyValue Element-types -->
+
+<element name="DSAKeyValue" type="ds:DSAKeyValueType"/>
+<complexType name="DSAKeyValueType">
+  <sequence>
+    <sequence minOccurs="0">
+      <element name="P" type="ds:CryptoBinary"/>
+      <element name="Q" type="ds:CryptoBinary"/>
+    </sequence>
+    <element name="G" type="ds:CryptoBinary" minOccurs="0"/>
+    <element name="Y" type="ds:CryptoBinary"/>
+    <element name="J" type="ds:CryptoBinary" minOccurs="0"/>
+    <sequence minOccurs="0">
+      <element name="Seed" type="ds:CryptoBinary"/>
+      <element name="PgenCounter" type="ds:CryptoBinary"/>
+    </sequence>
+  </sequence>
+</complexType>
+
+<element name="RSAKeyValue" type="ds:RSAKeyValueType"/>
+<complexType name="RSAKeyValueType">
+  <sequence>
+    <element name="Modulus" type="ds:CryptoBinary"/> 
+    <element name="Exponent" type="ds:CryptoBinary"/> 
+  </sequence>
+</complexType> 
+
+<!-- End KeyValue Element-types -->
+
+<!-- End Signature -->
+
+</schema>

data/lib/spid/ruby-saml/authrequest.rb

@@ -0,0 +1,196 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+require "rubygems"
+require "addressable/uri"
+
+module Spid::Saml
+  include REXML
+  class Authrequest
+    # a few symbols for SAML class names
+    HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+    HTTP_GET = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+    
+    attr_accessor :uuid, :request
+
+    def initialize( settings )
+      @settings = settings
+      @request_params = Hash.new
+    end
+    
+    def create(params = {})
+      uuid = "_" + UUID.new.generate
+      self.uuid = uuid
+      time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      # Create AuthnRequest root element using REXML 
+      request_doc = REXML::Document.new
+      request_doc.context[:attribute_quote] = :quote
+      root = request_doc.add_element "saml2p:AuthnRequest", { "xmlns:saml2p" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+      root.attributes['ID'] = uuid
+      root.attributes['IssueInstant'] = time
+      root.attributes['Version'] = "2.0"
+      root.attributes['ProtocolBinding'] = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      root.attributes['AttributeConsumingServiceIndex'] = "1"
+      root.attributes['ForceAuthn'] = "false"
+      #root.attributes['IsPassive'] = "false"
+      #usato AssertionConsumerServiceURL e ProtocolBinding in alternativa, pag 8 regole tecniche
+      #root.attributes['AssertionConsumerServiceIndex'] = 1
+
+      # Conditionally defined elements based on settings
+      if @settings.assertion_consumer_service_url != nil
+        root.attributes["AssertionConsumerServiceURL"] = @settings.assertion_consumer_service_url
+      end
+
+       if @settings.destination_service_url != nil
+        root.attributes["Destination"] = @settings.destination_service_url
+      end
+
+      if @settings.issuer != nil
+        issuer = root.add_element "saml2:Issuer", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        issuer.attributes['NameQualifier'] =  @settings.issuer
+        issuer.attributes['Format'] =  "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+        issuer.text = @settings.issuer
+      end
+
+      #opzionale
+      if @settings.sp_name_qualifier != nil
+        subject = root.add_element "saml2:Subject", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        name_id = subject.add_element "saml2:NameID", { "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        name_id.attributes['Format'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        name_id.attributes['NameQualifier'] = @settings.sp_name_qualifier
+      end
+
+
+
+      if @settings.name_identifier_format != nil
+        root.add_element "saml2p:NameIDPolicy", { 
+            # Might want to make AllowCreate a setting?
+            #{}"AllowCreate"     => "true",
+            "Format"          => @settings.name_identifier_format[1],
+            "SPNameQualifier" => @settings.sp_name_qualifier
+        }
+      end
+
+      # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+      # match required for authentication to succeed.  If this is not defined, 
+      # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+      if @settings.authn_context != nil
+        requested_context = root.add_element "saml2p:RequestedAuthnContext", { 
+          "Comparison" => "exact"
+        }
+        context_class = []
+        @settings.authn_context.each_with_index{ |context, index|
+          context_class[index] = requested_context.add_element "saml2:AuthnContextClassRef", {
+            "xmlns:saml2" => "urn:oasis:names:tc:SAML:2.0:assertion"
+          }
+          context_class[index].text = context
+        }
+        
+      end
+
+      if @settings.requester_identificator != nil
+        requester_identificator = root.add_element "saml2p:Scoping", { 
+          "ProxyCount" => "0"
+        }
+        identificators = []
+        @settings.requester_identificator.each_with_index{ |requester, index|
+          identificators[index] = requester_identificator.add_element "saml2p:RequesterID"
+          identificators[index].text = requester
+        }
+        
+      end
+
+      request_doc << REXML::XMLDecl.new(version='1.0', encoding='UTF-8')
+      ret = ""
+      # pretty print the XML so IdP administrators can easily see what the SP supports
+      request_doc.write(ret, 1)
+
+      @request = ""
+      request_doc.write(@request)
+
+      #Logging.debug "Created AuthnRequest: #{@request}"
+
+      return self
+
+    end
+  
+    # get the IdP metadata, and select the appropriate SSO binding
+    # that we can support.  Currently this is HTTP-Redirect and HTTP-POST
+    # but more could be added in the future
+    def binding_select
+      # first check if we're still using the old hard coded method for 
+      # backwards compatability
+      if @settings.idp_metadata == nil && @settings.idp_sso_target_url != nil
+        @URL = @settings.idp_sso_target_url
+        return "GET", content_get
+      end
+      # grab the metadata
+      metadata = Metadata::new
+      meta_doc = metadata.get_idp_metadata(@settings)
+      
+      # first try POST
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_POST}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        #Logging.debug "binding_select: POST to #{@URL}"
+        return "POST", content_post
+      end
+      
+      # next try GET
+      sso_element = REXML::XPath.first(meta_doc,
+        "/EntityDescriptor/IDPSSODescriptor/SingleSignOnService[@Binding='#{HTTP_GET}']")
+      if sso_element 
+        @URL = sso_element.attributes["Location"]
+        Logging.debug "binding_select: GET from #{@URL}"
+        return "GET", content_get
+      end
+      # other types we might want to add in the future:  SOAP, Artifact
+    end
+    
+    # construct the the parameter list on the URL and return
+    def content_get
+      # compress GET requests to try and stay under that 8KB request limit
+      deflated_request  = Zlib::Deflate.deflate(@request, 9)[2..-5]
+      # strict_encode64() isn't available?  sub out the newlines
+      @request_params["SAMLRequest"] = Base64.encode64(deflated_request).gsub(/\n/, "")
+      
+      Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      uri = Addressable::URI.parse(@URL)
+      if uri.query_values == nil
+        uri.query_values = @request_params
+      else
+        # solution to stevenwilkin's parameter merge
+        uri.query_values = @request_params.merge(uri.query_values)
+      end
+      url = uri.to_s
+      #Logging.debug "Sending to URL #{url}"
+      return url
+    end
+    # construct an HTML form (POST) and return the content
+    def content_post
+      # POST requests seem to bomb out when they're deflated
+      # and they probably don't need to be compressed anyway
+      @request_params["SAMLRequest"] = Base64.encode64(@request).gsub(/\n/, "")
+      
+      #Logging.debug "SAMLRequest=#{@request_params["SAMLRequest"]}"
+      # kind of a cheesy method of building an HTML, form since we can't rely on Rails too much,
+      # and REXML doesn't work well with quote characters
+      str = "<html><body onLoad=\"document.getElementById('form').submit();\">\n"
+      str += "<form id='form' name='form' method='POST' action=\"#{@URL}\">\n"
+      # we could change this in the future to associate a temp auth session ID
+      str += "<input name='RelayState' value='ruby-saml' type='hidden' />\n"
+      @request_params.each_pair do |key, value|
+        str += "<input name=\"#{key}\" value=\"#{value}\" type='hidden' />\n"
+        #str += "<input name=\"#{key}\" value=\"#{CGI.escape(value)}\" type='hidden' />\n"
+      end
+      str += "</form></body></html>\n"
+      
+      #Logging.debug "Created form:\n#{str}"
+      return str
+    end
+  end
+end

data/lib/spid/ruby-saml/coding.rb

@@ -0,0 +1,34 @@
+require "cgi"
+require 'zlib'
+
+module Spid
+  module Saml
+    module Coding
+      def decode(encoded)
+        Base64.decode64(encoded)
+      end
+
+      def encode(encoded)
+        Base64.encode64(encoded).gsub(/\n/, "")
+      end
+
+      def escape(unescaped)
+        CGI.escape(unescaped)
+      end
+
+      def unescape(escaped)
+        CGI.unescape(escaped)
+      end
+
+      def inflate(deflated)
+        zlib = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+        zlib.inflate(deflated)
+      end
+
+      def deflate(inflated)
+        Zlib::Deflate.deflate(inflated, 9)[2..-5]
+      end
+
+    end
+  end
+end

data/lib/spid/ruby-saml/logging.rb

@@ -0,0 +1,26 @@
+# Simplistic log class when we're running in Rails
+module Spid
+  module Saml
+    class Logging
+      def self.debug(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.debug message
+        else
+          puts message
+        end
+      end
+
+      def self.info(message)
+        return if !!ENV["ruby-saml/testing"]
+
+        if defined? Rails
+          Rails.logger.info message
+        else
+          puts message
+        end
+      end
+    end
+  end
+end