spid-rails 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8aecb3b0eb7abdba6750c9bb4df29868dfa5f64b
+  data.tar.gz: 2ac156310a32d15632dffcfb48e8c88519357515
+SHA512:
+  metadata.gz: 9a57490aa21db27b99b68ed58f4fc6985fca5d25ff7326ce532334eb10be361d82ebf876f0f2bf4204f56b1287fecbe47b41078c6744aba91f91c09db2a7125b
+  data.tar.gz: 672ffaccb4f92ebfab71a8fd1c04de0f526a54365935b860096d3b1e88ffa6f6097e983035b0c03afaa3ce3d3f6f867b56f99bc2445b1235a7ea40ce05535b03

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 Alessandro Descovi
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,156 @@
+# spid-rails 0.1.1
+Autenticazione SPID per Ruby on Rails.  
+Questa gemma si appoggia alla gemma [ruby-saml](https://github.com/onelogin/ruby-saml).
+
+## Cosa c'è e cosa manca
+- [x] Creazione gemma
+- [x] Applicazione demo funzionante con login tramite il server test idp.spid.gov.it
+repository: https://github.com/rubynetti/rubynetti-rails
+- [x] Login tramite redirect
+- [ ] Login tramite post
+- [ ] Sistema di testing automatico - WIP
+- [X] Sistema di configurazione
+- [ ] Integrazione con omniauth
+- [ ] Integrazione o esempio di integrazione con devise
+
+
+## Installazione
+All'interno del Gemfile indicare questa gemma:
+
+```ruby
+gem 'spid-rails', require: 'spid_rails'
+```
+
+Eseguire
+
+```bash
+$ bundle
+```
+
+
+## Come si usa?
+La gemma può essere aggiunta a qualunque applicazione Rails al fine di utilizzare il sistema di login Spid.
+Il metadata generato può essere utilizzato per farsi accreditare e in seguito dialogare con qualunque Identity Provider Spid accreditato.
+
+
+### Configurazione
+
+Per creare il file di configurazione:
+
+```bash
+$ rails g spid_rails:config
+```
+
+Il file viene aggiunto agli initializer dell'applicazione e permette il settaggio personalizzato del mount-point dell'engine e i relativi end-point per le procedure Spid di login, logout e visualizzazione del metadata del Service Provider.
+
+Le restanti impostazioni permettono di configurare il percorso di sistema dove reperire la coppia chiave privata/certificato e il livello di crittografia per l'eventuale signature.
+
+```ruby
+# config/initializers/spid_rails.rb
+
+# Impostazioni di default dello Spid Engine
+
+SpidRails.tap do |config|
+
+  # Mount point di Spid sull'applicazione
+  # default: 'spid'
+  # config.mount_point = 'spid'
+
+  # Url alla quale è disponibile il metadata del provider
+  # default: 'metadata'
+  # config.metadata_path = 'metadata'
+
+  # Url alla quale ricevere le risposte di autenticazione Saml
+  # default: 'sso'
+  # config.sso_path = 'sso'
+
+  # Url alla quale ricevere le risposte di logout Saml
+  # default: 'slo'
+  # config.slo_path = 'slo'
+
+  # Percorso relativo alla root dell'app
+  # al quale reperire la coppia chiave privata - certificato
+  # default: 'lib/.keys'
+  # config.keys_path = 'lib/.keys/'
+
+  # Livello di crittografia SHA per la generazione delle signature
+  # default: 256
+  # config.sha = 256
+
+end
+```
+
+
+### Nelle view
+
+Una volta installata la gemma, verranno creati una serie di helper utilizzabili nelle view e nei controller.
+
+```spid_rails.metadata_path``` e ```spid_rails.metadata_url``` restituiscono il percorso al quale è reperibile il metadata del Service Provider.
+```ruby
+# Esempio di link al metadata del ServiceProvider
+link_to "Metadata SP", spid_rails.metadata_path
+```
+
+
+```spid_rails.new_sso_path``` e ```spid_rails.new_sso_url``` restituiscono il percorso tramite il quale inizializzare una richiesa di autenticazione all'Identity Provider.
+E' necessario fornire come parametro l'Idp cui indirizzare la richiesta, facoltativo il livello di autenticazione Spid (default: '1') e i bindings della richiesta all' Idp (default: ['redirect']).
+```ruby
+# Esempio di link al login tramite l'Idp di test https:://idp.spid.gov.it
+link_to "Login con Spid", spid_rails.new_sso_path(sso: { idp: :agid_test, spid_level: 2 })
+```
+
+Gli Identity Provider attualmente supportati sono:
+- 'aruba'      : servizio Idp di Aruba Pec S.p.A.
+- 'infocert'   : servizio Idp di Infocert S.p.A
+- 'namirial'   : servizio Idp di Namirial S.p.A.
+- 'poste'      : servizio Idp di Poste Italiane S.p.A.
+- 'spiditalia' : servizio Idp di REGISTER.IT S.p.A.
+- 'sielte'     : servizio Idp di Sielte S.p.A.
+- 'tim'        : servizio Idp di TI Trust Technologies S.r.l.
+- 'agid_test'  : servizio idp di test di Agid
+- 'poste_test' : servizio Idp di test di Poste Italiane S.p.A.
+
+
+```spid_rails.new_slo_path``` e ```spid_rails.new_slo_url``` infine restituiscono il percorso tramite il quale inizializzare una richiesa di logout all'Identity Provider che ha autenticato la sessione corrente.
+```ruby
+# Esempio di link al logout
+link_to "Logout", spid_rails.new_slo_path
+```
+
+
+### Nei controller
+
+Avvenuta con successo l'autenticazione e fino al logout della stessa vengono aggiunte alla sessione le seguenti variabili:
+
+```session[:sso_params]``` restituisce i parametri coi quali è stata effettuata l'ultima richiesta di autenticazione, in particolare l'idp
+
+```session[:spid_index]```        restituisce l'identificativo dell'attuale sessione Spid, viene utilizzato nella procedura di logout
+
+```session[:spid_login_time]``` l'istante in cui è avvenuto il login
+
+E' inoltre possibile settare la variabile ```session[:spid_relay_state]```, contenente l'indirizzo al quale si vuole essere reindirizzati in caso l'autenticazione abbia successo
+
+Un esempio rudimentale di verifica del login dell'utente all'interno di un'azione del controller potrebbe essere il seguente
+```ruby
+# app/controllers/my_controller.rb
+class MyController < Application controller
+  before_action :validate_spid_session
+
+  ...
+
+  private
+
+  def validate_spid_session
+    if session[:spid_index].blank?
+      session[:spid_relay_state] = request.path
+      redirect_to login_path
+    end
+  end
+
+end
+```
+ove login_path indirizzi alla pagina in cui è posizionato il pulsante Spid
+
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,36 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SpidRails'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+load 'rails/tasks/statistics.rake'
+
+
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/app/assets/config/spid_rails_manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts/spid_rails .js
+//= link_directory ../stylesheets/spid_rails .css

data/app/assets/javascripts/spid_rails/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/javascripts/spid_rails/metadata.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/stylesheets/spid_rails/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/assets/stylesheets/spid_rails/metadata.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/spid_rails/application_controller.rb

@@ -0,0 +1,5 @@
+module SpidRails
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/spid_rails/metadata_controller.rb

@@ -0,0 +1,15 @@
+require_dependency "spid_rails/application_controller"
+
+# Metadata del Service Provider
+module SpidRails
+
+  class MetadataController < ApplicationController
+
+    def show
+      metadata = SpidRails::Metadata.create(host: main_app.root_url)
+      render xml: metadata.to_xml
+    end
+
+  end
+
+end

data/app/controllers/spid_rails/single_logout_operations_controller.rb

@@ -0,0 +1,43 @@
+require_dependency "spid_rails/application_controller"
+
+module SpidRails
+
+  class SingleLogoutOperationsController < ApplicationController
+    skip_before_action :verify_authenticity_token, only: :create
+
+    def new
+      logout_request = SpidRails::SloRequest.new(slo_params)
+      redirect_to logout_request.to_saml
+      session[:spid_slo_id] = logout_request.uuid
+    end
+
+    def create
+      logout_response = SpidRails::SloResponse.new(params[:SAMLResponse],
+                                                  session[:spid_slo_id],
+                                                  slo_params)
+      # TODO: approfondire validazione logout
+      destroy_spid_session
+      redirect_to main_app.root_path, notice: 'Logout utente eseguito con successo'
+    end
+
+    private
+
+    def slo_params
+      {
+        host: main_app.root_url,
+        idp: session[:sso_params]['idp'],
+        session_index: session[:spid_index]
+      }
+    end
+
+    def destroy_spid_session
+      session[:sso_params] = nil
+      session[:spid_index] = nil
+      session[:spid_slo_id] = nil
+      session[:spid_relay_state] = nil
+      session[:spid_login_time] = nil
+    end
+
+  end
+
+end

data/app/controllers/spid_rails/single_sign_ons_controller.rb

@@ -0,0 +1,36 @@
+require_dependency "spid_rails/application_controller"
+
+module SpidRails
+
+  class SingleSignOnsController < ApplicationController
+    skip_before_action :verify_authenticity_token, only: :create
+
+    def new
+      request = SpidRails::SsoRequest.new(sso_params)
+      redirect_to request.to_saml
+      session[:sso_params] = sso_params
+    end
+
+    def create
+      response = SpidRails::SsoResponse.new(params[:SAMLResponse], session[:sso_params])
+      if response.valid?
+        session[:spid_index] = response.session_index
+        session[:spid_login_time] = Time.now
+        redirect_to session[:relay_state] || main_app.root_path, notice: 'Utente autenticato con successo'
+      else
+        redirect_to main_app.root_path, notice: 'Autenticazione fallita'
+      end
+    end
+
+    private
+
+    def sso_params
+      sso_params = params.require(:sso).permit(:idp, :spid_level, bindings: [])
+      sso_params[:host] = main_app.root_url
+      sso_params[:relay_state] = session[:spid_relay_state] || main_app.root_url
+      sso_params
+    end
+
+  end
+
+end

data/app/helpers/spid_rails/application_helper.rb

@@ -0,0 +1,4 @@
+module SpidRails
+  module ApplicationHelper
+  end
+end

data/app/jobs/spid_rails/application_job.rb

@@ -0,0 +1,4 @@
+module SpidRails
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/spid_rails/application_mailer.rb

@@ -0,0 +1,6 @@
+module SpidRails
+  class ApplicationMailer < ActionMailer::Base
+    default from: 'from@example.com'
+    layout 'mailer'
+  end
+end

data/app/models/spid_rails/application_record.rb

@@ -0,0 +1,5 @@
+module SpidRails
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/spid_rails/certificate.rb

@@ -0,0 +1,45 @@
+module SpidRails
+
+  class Certificate
+
+    def self.signature_algorithm sha
+      case sha.to_s
+      when '256'
+        XMLSecurity::Document::RSA_SHA256
+      when '384'
+        XMLSecurity::Document::RSA_SHA384
+      when '512'
+        XMLSecurity::Document::RSA_SHA512
+      end
+    end
+
+    def self.digest_algorithm sha
+      case sha.to_s
+      when '256'
+        XMLSecurity::Document::SHA256
+      when '384'
+        XMLSecurity::Document::SHA384
+      when '512'
+        XMLSecurity::Document::SHA512
+      end
+    end
+
+    def self.signature_algorithms
+      [
+        XMLSecurity::Document::RSA_SHA256,
+        XMLSecurity::Document::RSA_SHA384,
+        XMLSecurity::Document::RSA_SHA512,
+      ]
+    end
+
+    def self.digest_algorithms
+      [
+        XMLSecurity::Document::SHA256,
+        XMLSecurity::Document::SHA384,
+        XMLSecurity::Document::SHA512,
+      ]
+    end
+
+  end
+
+end

data/app/models/spid_rails/idp.rb

@@ -0,0 +1,21 @@
+module SpidRails
+
+  class Idp
+
+    def self.metadata_urls
+      {
+        'agid_test'  => 'http://localhost:3000/metadata-idp-gov.xml',
+        'aruba'      => 'https://loginspid.aruba.it/metadata',
+        'infocert'   => 'https://identity.infocert.it/metadata/metadata.xml',
+        'namirial'   => 'https://idp.namirialtsp.com/idp/metadata',
+        'poste'      => 'http://posteid.poste.it/jod-fs/metadata/metadata.xml',
+        'poste_test' => 'http://spidposte.test.poste.it/jod-fs/metadata/idp.xml',
+        'spiditalia' => 'https://spid.register.it/login/metadata',
+        'sielte'     => 'https://identity.sieltecloud.it/simplesaml/metadata.xml',
+        'tim'        => 'https://login.id.tim.it/spid-services/MetadataBrowser/idp'
+      }
+    end
+
+  end
+
+end

data/app/models/spid_rails/metadata.rb

@@ -0,0 +1,76 @@
+module SpidRails
+
+  class Metadata
+    attr_accessor :settings
+
+    def self.create **settings
+      obj = self.new(**settings)
+      obj.save if obj.valid?
+    end
+
+    def initialize spid_params
+      spid_settings = SpidRails::Settings::Metadata.new(spid_params)
+      @settings = spid_settings.to_hash
+    end
+
+    def valid?
+      raise 'EntityID deve essere presente (impostare issuer)' if settings[:issuer].blank?
+      raise 'Signature deve essere presente (impostare private_key)' if settings[:private_key].blank?
+      raise 'Signature deve essere presente (impostare certificate)' if settings[:certificate].blank?
+      validate_signature_encryption
+      validate_digest_encryption
+      validate_key_size
+
+      true
+    end
+
+    def validate_signature_encryption
+      signature_algorithms = SpidRails::Certificate.signature_algorithms
+      if signature_algorithms.exclude?(settings[:security][:signature_method])
+        raise 'Signature deve essere presente (impostare encryption sha a 256, 384, 512)'
+      end
+    end
+
+    def validate_digest_encryption
+      digest_algorithms = SpidRails::Certificate.digest_algorithms
+      if digest_algorithms.exclude?(settings[:security][:digest_method])
+        raise 'Signature deve essere presente (impostare encryption sha a 256, 384, 512)'
+      end
+    end
+
+    def validate_key_size
+      key = OpenSSL::PKey::RSA.new settings[:private_key]
+      key_size = key.n.num_bytes * 8
+      if key_size < 1024
+        raise "Signature deve essere presente (impostare una chiave di almeno a 1024 bit"
+      end
+    end
+
+    def save
+      valid?
+      metadata = OneLogin::RubySaml::Metadata.new
+      saml_settings = OneLogin::RubySaml::Settings.new @settings
+      @to_xml = metadata.generate(saml_settings)
+      self
+    end
+
+    def to_xml
+      save and @to_xml
+    end
+
+
+    def self.xml_namespaces
+      {
+        saml: 'urn:oasis:names:tc:SAML:2.0:assertion',
+        samlp: 'urn:oasis:names:tc:SAML:2.0:protocol',
+        md: 'urn:oasis:names:tc:SAML:2.0:metadata',
+        ds: 'http://www.w3.org/2000/09/xmldsig#',
+        xenc: 'http://www.w3.org/2001/04/xmlenc#',
+        xs: 'http://www.w3.org/2001/XMLSchema'
+      }
+
+    end
+
+  end
+
+end

data/app/models/spid_rails/settings.rb

@@ -0,0 +1,93 @@
+module SpidRails
+
+  class Settings
+
+
+    attr_accessor :host
+
+    attr_accessor :metadata_path
+
+    attr_accessor :sso_path
+
+    attr_accessor :slo_path
+
+    attr_accessor :keys_path
+
+    attr_accessor :sha
+
+    attr_accessor :idp
+
+    attr_accessor :bindings
+
+    attr_accessor :spid_level
+
+    attr_accessor :session_index
+
+    attr_accessor :relay_state
+
+
+    def initialize spid_params
+      @metadata_path  = SpidRails.app_metadata_path
+      @sso_path       = SpidRails.app_sso_path
+      @slo_path       = SpidRails.app_slo_path
+      @keys_path      = SpidRails.keys_path
+      @sha            = SpidRails.sha
+      @bindings       = [:redirect]
+      @spid_level     = 1
+      spid_params.each do |k, v|
+        send("#{k}=", v)
+      end
+    end
+
+    def security_attributes
+      dig_alg = SpidRails::Certificate.digest_algorithm(@sha)
+      sig_alg = SpidRails::Certificate.signature_algorithm(@sha)
+      {
+        metadata_signed: true,
+        digest_method: dig_alg,
+        signature_method: sig_alg,
+        want_assertions_signed: true
+      }
+    end
+
+
+    def sp_attributes
+      {
+        issuer: host + metadata_path,
+        assertion_consumer_service_url: host + sso_path,
+        single_logout_service_url: host + slo_path,
+        private_key: File.read("#{Rails.root}/#{keys_path}/private_key.pem"),
+        certificate: File.read("#{Rails.root}/#{keys_path}/certificate.pem"),
+        security: security_attributes
+      }
+    end
+
+    def idp_attributes
+      idp_bindings = @bindings.map{ |b| self.class.saml_bindings[b] }
+      parser = OneLogin::RubySaml::IdpMetadataParser.new
+      parser.parse_remote_to_hash Idp.metadata_urls[@idp.to_s],
+                                  true,
+                                  sso_binding: idp_bindings
+    end
+
+    private
+
+    def authn_context
+      "https://www.spid.gov.it/SpidL#{@spid_level}"
+    end
+
+    def force_authn
+      return true if @spid_level != 1
+    end
+
+    # TODO spostare in utils
+    def self.saml_bindings
+      {
+        post: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+        redirect: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+      }
+    end
+
+  end
+
+end

data/app/models/spid_rails/settings/metadata.rb

@@ -0,0 +1,11 @@
+module SpidRails
+
+  class Settings::Metadata < Settings
+
+    def to_hash
+      sp_attributes
+    end
+
+  end
+  
+end

data/app/models/spid_rails/settings/slo.rb

@@ -0,0 +1,13 @@
+module SpidRails
+
+  class Settings::Slo < Settings
+
+    def to_hash
+      sso_attributes = sp_attributes.merge(idp_attributes)
+      sso_attributes[:sessionindex] = @session_index
+      sso_attributes
+    end
+
+  end
+
+end

data/app/models/spid_rails/settings/sso.rb

@@ -0,0 +1,17 @@
+module SpidRails
+
+  class Settings::Sso < Settings
+
+    def to_hash
+      sso_attributes = sp_attributes.merge(idp_attributes)
+      sso_attributes[:authn_context] = authn_context
+      sso_attributes[:authn_context_comparison] = 'minimum'
+      sso_attributes[:force_authn] = force_authn
+      sso_attributes[:protocol_binding] = self.class.saml_bindings[:post]
+      sso_attributes[:relay_state] = relay_state
+      sso_attributes
+    end
+
+  end
+
+end

data/app/models/spid_rails/slo_request.rb

@@ -0,0 +1,22 @@
+module SpidRails
+
+  class SloRequest
+
+    def initialize slo_params
+      spid_settings = SpidRails::Settings::Slo.new(slo_params)
+      @settings = spid_settings.to_hash
+      @request = OneLogin::RubySaml::Logoutrequest.new
+    end
+
+    def uuid
+      @request.uuid
+    end
+
+    def to_saml
+      saml_settings = OneLogin::RubySaml::Settings.new(@settings)
+      @request.create(saml_settings)
+    end
+
+  end
+
+end

data/app/models/spid_rails/slo_response.rb

@@ -0,0 +1,27 @@
+module SpidRails
+
+  class SloResponse
+
+    def initialize saml_response, slo_id, slo_params
+      spid_settings = SpidRails::Settings::Slo.new(slo_params)
+      settings = OneLogin::RubySaml::Settings.new(spid_settings.to_hash)
+      @response = OneLogin::RubySaml::Logoutresponse.new(saml_response,
+                                                         settings,
+                                                         matches_request_id: slo_id)
+    end
+
+    def valid?
+      @response.validate
+    end
+
+    def inspect
+      @response.inspect
+    end
+
+    def errors
+      @response.errors
+    end
+
+  end
+
+end

data/app/models/spid_rails/sso_request.rb

@@ -0,0 +1,46 @@
+module SpidRails
+
+  class SsoRequest
+
+    attr_accessor :settings
+
+    def initialize spid_params
+      spid_settings = SpidRails::Settings::Sso.new(spid_params)
+      @settings = spid_settings.to_hash
+    end
+
+    def valid?
+      if settings[:idp_sso_target_url].blank?
+        raise "Destination deve essere presente (impostare idp_sso_target_url)"
+      end
+      if settings[:authn_context].last != '1' && settings[:force_authn] != true
+        raise "ForceAuthn deve essere presente per livelli di aitenticazione diversi da SPIDL1 (impostare force_authn a true)"
+      end
+      if settings[:authn_context_comparison] != 'minimum'
+        raise "AuthnContextComparison deve essere settato a 'minimum' (impostare authn_context_comparison a 'minimum')"
+      end
+      if settings[:protocol_binding] != SpidRails::Settings.saml_bindings[:post]
+        raise "Issuer deve contenere l'attributo ProtocolBinding con binding POST (impostare protocl_binding a ':post')"
+      end
+    end
+
+    def save
+      valid?
+      request = OneLogin::RubySaml::Authrequest.new
+      saml_settings = OneLogin::RubySaml::Settings.new @settings
+      @to_saml = request.create(saml_settings)
+      self
+    end
+
+    def to_saml
+      save and @to_saml
+    end
+
+    def self.create **settings
+      obj = self.new(**settings)
+      obj.save
+    end
+
+  end
+
+end

data/app/models/spid_rails/sso_response.rb

@@ -0,0 +1,31 @@
+module SpidRails
+
+  class SsoResponse
+
+    def initialize saml_response, sso_params
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      settings = SpidRails::Settings::Sso.new(sso_params)
+      saml_settings = OneLogin::RubySaml::Settings.new(settings.to_hash)
+      response.settings = saml_settings
+      @response = response
+    end
+
+    def valid?
+      @response.is_valid?
+    end
+
+    def inspect
+      @response.inspect
+    end
+
+    def session_index
+      @response.sessionindex
+    end
+
+    def errors
+      @response.errors
+    end
+
+  end
+
+end

data/app/views/layouts/spid_rails/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Spid rails</title>
+  <%= stylesheet_link_tag    "spid_rails/application", media: "all" %>
+  <%= javascript_include_tag "spid_rails/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,12 @@
+Rails.application.routes.draw do
+  mount SpidRails::Engine, at: SpidRails.mount_point
+end
+
+SpidRails::Engine.routes.draw do
+  resource :metadata, only: :show,
+            path: SpidRails.metadata_path
+  resource :sso, only: [:new, :create], controller: :single_sign_ons,
+            path: SpidRails.sso_path
+  resource :slo, only: [:new, :create], controller: :single_logout_operations,
+            path: SpidRails.slo_path
+end

data/lib/generators/spid_rails/config_generator.rb

@@ -0,0 +1,18 @@
+module SpidRails
+  module Generators
+
+    # Chiamato tramite rails g spid_rails:config
+    class ConfigGenerator < Rails::Generators::Base
+
+      source_root File.expand_path("../templates", __FILE__)
+
+      desc "Crea il file di configurazione di spid (config/initializers/rumby_saml.rb)."
+
+      def create_initializer_file
+        template "spid_rails.rb", "./config/initializers/spid_rails.rb"
+      end
+
+    end
+
+  end
+end

data/lib/generators/spid_rails/templates/spid_rails.rb

@@ -0,0 +1,30 @@
+# Impostazioni di default dello Spid Engine
+
+SpidRails.tap do |config|
+
+  # Mount point di Spid sull'applicazione
+  # default: 'spid'
+  # config.mount_point = 'spid'
+
+  # Url alla quale è disponibile il metadata del provider
+  # default: 'metadata'
+  # config.metadata_path = 'metadata'
+
+  # Url alla quale ricevere le risposte di autenticazione Saml
+  # default: 'sso'
+  # config.sso_path = 'sso'
+
+  # Url alla quale ricevere le risposte di logout Saml
+  # default: 'slo'
+  # config.slo_path = 'slo'
+
+  # Percorso relativo alla root dell'app
+  # al quale reperire la coppia chiave privata - certificato
+  # default: 'lib/.keys'
+  # config.keys_path = 'lib/.keys/'
+
+  # Livello di crittografia SHA per la generazione delle signature
+  # default: 256
+  # config.sha = 256
+
+end

data/lib/spid_rails.rb

@@ -0,0 +1,42 @@
+require "spid_rails/engine"
+
+module SpidRails
+
+  # Mount point di Spid sull'applicazione
+  mattr_accessor :mount_point
+  @@mount_point = 'spid'
+
+  # Url alla quale è disponibile il metadata del provider
+  mattr_accessor :metadata_path
+  @@metadata_path = 'metadata'
+
+  # Url alla quale ricevere le risposte di autenticazione Saml
+  mattr_accessor :sso_path
+  @@sso_path = 'sso'
+
+  # Url alla quale ricevere le risposte di logout Saml
+  mattr_accessor :slo_path
+  @@slo_path = 'slo'
+
+  # Percorso relativo alla root dell'app
+  # al quale reperire la coppia chiave privata - certificato
+  mattr_accessor :keys_path
+  @@keys_path = 'lib/.keys/'
+
+  # Livello di crittografia SHA per la generazione delle signature
+  mattr_accessor :sha
+  @@sha = 256
+
+  def self.app_metadata_path
+    "#{mount_point}/#{@@metadata_path}"
+  end
+
+  def self.app_sso_path
+    "#{mount_point}/#{@@sso_path}"
+  end
+
+  def self.app_slo_path
+    "#{mount_point}/#{@@slo_path}"
+  end
+
+end

data/lib/spid_rails/engine.rb

@@ -0,0 +1,8 @@
+require 'onelogin/ruby-saml'
+require 'spid_rails/onelogin/rubysaml/authrequest'
+
+module SpidRails
+  class Engine < ::Rails::Engine
+    isolate_namespace SpidRails
+  end
+end

data/lib/spid_rails/onelogin/rubysaml/authrequest.rb

@@ -0,0 +1,79 @@
+# Necessario override della classe originaria della libreria,
+# al fine di rendere conforme il nodo Issuer alle regole tecniche SPID,
+# (aggiunte righe 32 e 33)
+
+module OneLogin
+  module RubySaml
+    class Authrequest
+
+      def create_xml_document(settings)
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        request_doc = XMLSecurity::Document.new
+        request_doc.uuid = uuid
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = settings.idp_sso_target_url unless settings.idp_sso_target_url.nil?
+        root.attributes['IsPassive'] = settings.passive unless settings.passive.nil?
+        root.attributes['ProtocolBinding'] = settings.protocol_binding unless settings.protocol_binding.nil?
+        root.attributes["AttributeConsumingServiceIndex"] = settings.attributes_index unless settings.attributes_index.nil?
+        root.attributes['ForceAuthn'] = settings.force_authn unless settings.force_authn.nil?
+
+        # Conditionally defined elements based on settings
+        if settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = settings.assertion_consumer_service_url
+        end
+        #NameQualifier e Format da requisiti SPID
+        if settings.issuer != nil
+          issuer = root.add_element "saml:Issuer",{
+            "NameQualifier" => settings.issuer,
+            "Format" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'
+          }
+          issuer.text = settings.issuer
+        end
+        if settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", {
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => settings.name_identifier_format
+          }
+        end
+
+        if settings.authn_context || settings.authn_context_decl_ref
+
+          if settings.authn_context_comparison != nil
+            comparison = settings.authn_context_comparison
+          else
+            comparison = 'exact'
+          end
+
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+            "Comparison" => comparison,
+          }
+
+          if settings.authn_context != nil
+            authn_contexts_class_ref = settings.authn_context.is_a?(Array) ? settings.authn_context : [settings.authn_context]
+            authn_contexts_class_ref.each do |authn_context_class_ref|
+              class_ref = requested_context.add_element "saml:AuthnContextClassRef"
+              class_ref.text = authn_context_class_ref
+            end
+          end
+
+          if settings.authn_context_decl_ref != nil
+            authn_contexts_decl_refs = settings.authn_context_decl_ref.is_a?(Array) ? settings.authn_context_decl_ref : [settings.authn_context_decl_ref]
+            authn_contexts_decl_refs.each do |authn_context_decl_ref|
+              decl_ref = requested_context.add_element "saml:AuthnContextDeclRef"
+              decl_ref.text = authn_context_decl_ref
+            end
+          end
+        end
+
+        request_doc
+      end
+
+    end
+  end
+end

data/lib/spid_rails/version.rb

@@ -0,0 +1,3 @@
+module SpidRails
+  VERSION = '0.1'
+end

data/lib/tasks/spid_rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :spid_rails do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: spid-rails
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Alessandro Descovi, Giacomo Bertoldi
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-12-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.1.4
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Soluzione per poter effettuare il login tramite SPID
+email:
+- descovi@gmail.com, bertoldi.giacomo@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/assets/config/spid_rails_manifest.js
+- app/assets/javascripts/spid_rails/application.js
+- app/assets/javascripts/spid_rails/metadata.js
+- app/assets/stylesheets/spid_rails/application.css
+- app/assets/stylesheets/spid_rails/metadata.css
+- app/controllers/spid_rails/application_controller.rb
+- app/controllers/spid_rails/metadata_controller.rb
+- app/controllers/spid_rails/single_logout_operations_controller.rb
+- app/controllers/spid_rails/single_sign_ons_controller.rb
+- app/helpers/spid_rails/application_helper.rb
+- app/jobs/spid_rails/application_job.rb
+- app/mailers/spid_rails/application_mailer.rb
+- app/models/spid_rails/application_record.rb
+- app/models/spid_rails/certificate.rb
+- app/models/spid_rails/idp.rb
+- app/models/spid_rails/metadata.rb
+- app/models/spid_rails/settings.rb
+- app/models/spid_rails/settings/metadata.rb
+- app/models/spid_rails/settings/slo.rb
+- app/models/spid_rails/settings/sso.rb
+- app/models/spid_rails/slo_request.rb
+- app/models/spid_rails/slo_response.rb
+- app/models/spid_rails/sso_request.rb
+- app/models/spid_rails/sso_response.rb
+- app/views/layouts/spid_rails/application.html.erb
+- config/routes.rb
+- lib/generators/spid_rails/config_generator.rb
+- lib/generators/spid_rails/templates/spid_rails.rb
+- lib/spid_rails.rb
+- lib/spid_rails/engine.rb
+- lib/spid_rails/onelogin/rubysaml/authrequest.rb
+- lib/spid_rails/version.rb
+- lib/tasks/spid_rails_tasks.rake
+homepage: https://github.com/italia/spid-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: SPID, il Sistema Pubblico di Identità Digitale
+test_files: []