spid 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 960e16fa23660bf794d8569793c49f01671883612e6e96c56d9cc9ec7584c887
-  data.tar.gz: 18aa49e2bd0173eb7aaae0141fd199c73fc97f4f9538e04e998fd459f4406e1f
+  metadata.gz: 8d65f97b5bd606942de9c2bba4a7fe60fadb90de3bf8526d8c80bec3a2ce29ff
+  data.tar.gz: 72d85f52db6688edb9f90f3176af9889b15052b8bc7a45b3eee1c61e269cb825
 SHA512:
-  metadata.gz: 294072c36735dd72f29e0b66a5d8df0118637079223faa7a9f8b71778cd2b871b639174267b775c6505d1723d1b5e4126b4e243941a6a6f9cecdf4a028c87394
-  data.tar.gz: 18525e552a24740ad2f51bc73f7d7e96c1f1ab583ea96372c04f6560a6df8efe7af2cb802b0631e68b61594e010f9c6790a40d8f0b17b5575207ce4fafe5bb83
+  metadata.gz: 7c0ed6e05c1b45a9a395ea4f4c41c6b45279adc712546bd167ed17a0a3dfba4f28367b287394c22078e95abe561253903153e253a1a967ac4adcf669393a0448
+  data.tar.gz: a8f863472e7f5dcd85abbdb514b3aa8509ac42d7eab1c76eac53aa5eab9af5ae4bef44d159855a0d4cdb609f085a58d878299390243cfde3bb9d9754d96ed316

data/.rubocop.yml

@@ -3,6 +3,7 @@ require: rubocop-rspec
 AllCops:
   Exclude:
     - bin/stubs/*
+    - lib/spid/saml2/idp_metadata_parser.rb
   TargetRubyVersion: 2.3
 
 Layout/DotPosition:
@@ -22,6 +23,8 @@ RSpec/FilePath:
   Exclude:
     - spec/integration/**/*.rb
     - spec/requests/**/*.rb
+RSpec/MultipleExpectations:
+  Max: 2
 RSpec/NestedGroups:
   Enabled: false
 RSpec/SubjectStub:

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+## [0.11.0] - 2018-08-23
+### Changed
+- Use custom Saml2 library instead of ruby-saml gem
+
 ## [0.10.0] - 2018-08-02
 ### Added
 - Handled Relay State in sso/slo responses
@@ -89,7 +93,8 @@
 - Coveralls Integration
 - Rubygems version badge in README
 
-[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.10.0...HEAD
+[Unreleased]: https://github.com/italia/spid-ruby/compare/v0.11.0...HEAD
+[0.11.0]: https://github.com/italia/spid-ruby/compare/v0.10.0...v0.11.0
 [0.10.0]: https://github.com/italia/spid-ruby/compare/v0.9.0...v0.10.0
 [0.9.0]: https://github.com/italia/spid-ruby/compare/v0.8.0...v0.9.0
 [0.8.0]: https://github.com/italia/spid-ruby/compare/v0.7.0...v0.8.0

data/Gemfile

@@ -2,11 +2,5 @@
 
 source "https://rubygems.org"
 
-git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
-
 # Specify your gem's dependencies in spid.gemspec
 gemspec
-
-gem "ruby-saml",
-    github: "davidlibrera/ruby-saml",
-    ref: "4204afc2439f712db8909bccfd8d6e15f9320c34"

data/README.md

@@ -17,9 +17,6 @@ Ruby library for SPID authentication
 Add into your Gemfile
 
 ```ruby
-gem "ruby-saml",
-  github: "davidlibrera/ruby-saml",
-  ref: "571e280031883abe3aad7c5b856353f94354fd06"
 gem "spid"
 ```
 
@@ -29,19 +26,19 @@ gem "spid"
 |<img src="https://github.com/italia/spid-graphics/blob/master/spid-logos/spid-logo-c-lb.png?raw=true" width="100" /><br />_Compliance with [SPID regulations](http://www.agid.gov.it/sites/default/files/circolari/spid-regole_tecniche_v1.pdf) (for Service Providers)_||
 |:---|:---|
 |**Metadata:**||
-|parsing of IdP XML metadata (1.2.2.4)||
+|parsing of IdP XML metadata (1.2.2.4)|✓|
 |parsing of AA XML metadata (2.2.4)||
-|SP XML metadata generation (1.3.2)||
+|SP XML metadata generation (1.3.2)|✓|
 |**AuthnRequest generation (1.2.2.1):**||
 |generation of AuthnRequest XML|✓|
-|HTTP-Redirect binding||
-|HTTP-POST binding|✓|
-|`AssertionConsumerServiceURL` customization||
+|HTTP-Redirect binding|✓|
+|HTTP-POST binding||
+|`AssertionConsumerServiceURL` customization|✓|
 |`AssertionConsumerServiceIndex` customization||
 |`AttributeConsumingServiceIndex` customization||
 |`AuthnContextClassRef` (SPID level) customization|✓|
-|`RequestedAuthnContext/@Comparison` customization|✓|
-|`RelayState` customization (1.2.2)||
+|`RequestedAuthnContext/@Comparison` customization||
+|`RelayState` customization (1.2.2)|✓|
 |**Response/Assertion parsing**||
 |verification of `Response/Signature` value (if any)||
 |verification of `Response/Signature` certificate (if any) against IdP/AA metadata||
@@ -62,13 +59,13 @@ gem "spid"
 |parsing of `AuthnContextClassRef` (SPID level)||
 |parsing of attributes||
 |**Response/Assertion parsing for attribute query (2.2.2.2, 2.3.1):**||
-|parsing of attributes||
+|parsing of attributes|✓|
 |**LogoutRequest generation (for SP-initiated logout):**||
-|generation of LogoutRequest XML||
-|HTTP-Redirect binding||
+|generation of LogoutRequest XML|✓|
+|HTTP-Redirect binding|✓|
 |HTTP-POST binding||
 |**LogoutResponse parsing (for SP-initiated logout):**||
-|parsing of LogoutResponse XML||
+|parsing of LogoutResponse XML|✓|
 |verification of `Response/Signature` value (if any)||
 |verification of `Response/Signature` certificate (if any) against IdP metadata||
 |verification of `Issuer`||

data/lib/spid.rb

@@ -1,15 +1,12 @@
 # frozen_string_literal: true
 
-require "spid/authn_request"
-require "spid/logout_request"
+require "spid/saml2"
 require "spid/sso"
 require "spid/slo"
 require "spid/rack"
 require "spid/metadata"
 require "spid/version"
 require "spid/configuration"
-require "spid/identity_provider"
-require "spid/service_provider"
 require "spid/identity_provider_manager"
 
 module Spid # :nodoc:
@@ -33,9 +30,9 @@ module Spid # :nodoc:
     MAXIMUM_COMPARISON
   ].freeze
 
-  SHA256 = XMLSecurity::Document::SHA256
-  SHA384 = XMLSecurity::Document::SHA384
-  SHA512 = XMLSecurity::Document::SHA512
+  SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
+  SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384"
+  SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"
 
   DIGEST_METHODS = [
     SHA256,
@@ -43,9 +40,9 @@ module Spid # :nodoc:
     SHA512
   ].freeze
 
-  RSA_SHA256 = XMLSecurity::Document::RSA_SHA256
-  RSA_SHA384 = XMLSecurity::Document::RSA_SHA384
-  RSA_SHA512 = XMLSecurity::Document::RSA_SHA512
+  RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+  RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
+  RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
 
   SIGNATURE_METHODS = [
     RSA_SHA256,
@@ -53,6 +50,15 @@ module Spid # :nodoc:
     RSA_SHA512
   ].freeze
 
+  SIGNATURE_ALGORITHMS = {
+    SHA256 => OpenSSL::Digest::SHA256.new,
+    SHA384 => OpenSSL::Digest::SHA384.new,
+    SHA512 => OpenSSL::Digest::SHA512.new,
+    RSA_SHA256 => OpenSSL::Digest::SHA256.new,
+    RSA_SHA384 => OpenSSL::Digest::SHA384.new,
+    RSA_SHA512 => OpenSSL::Digest::SHA512.new
+  }.freeze
+
   L1 = "https://www.spid.gov.it/SpidL1"
   L2 = "https://www.spid.gov.it/SpidL2"
   L3 = "https://www.spid.gov.it/SpidL3"

data/lib/spid/configuration.rb

@@ -18,43 +18,51 @@ module Spid
     attr_accessor :acs_binding
     attr_accessor :slo_binding
 
-    # rubocop:disable Metrics/MethodLength
     def initialize
       @idp_metadata_dir_path    = "idp_metadata"
+      @attribute_service_name   = nil
+      init_endpoint
+      init_bindings
+      init_dig_sig_methods
+      init_openssl_keys
+    end
+
+    def init_endpoint
+      @hostname                 = nil
       @metadata_path            = "/spid/metadata"
       @start_sso_path           = "/spid/login"
       @start_slo_path           = "/spid/logout"
       @acs_path                 = "/spid/sso"
       @slo_path                 = "/spid/slo"
+      @default_relay_state_path = "/"
+    end
+
+    def init_bindings
+      @acs_binding              = Spid::BINDINGS_HTTP_POST
+      @slo_binding              = Spid::BINDINGS_HTTP_REDIRECT
+    end
+
+    def init_dig_sig_methods
       @digest_method            = Spid::SHA256
       @signature_method         = Spid::RSA_SHA256
-      @attribute_service_name   = nil
-      @hostname                 = nil
+    end
+
+    def init_openssl_keys
       @private_key              = nil
       @certificate              = nil
-      @default_relay_state_path = "/"
-      @acs_binding              = Spid::BINDINGS_HTTP_POST
-      @slo_binding              = Spid::BINDINGS_HTTP_REDIRECT
     end
-    # rubocop:enable Metrics/MethodLength
 
-    # rubocop:disable Metrics/MethodLength
     def service_provider
       @service_provider ||=
         begin
-          Spid::ServiceProvider.new(
-            host: hostname,
-            acs_path: acs_path,
-            slo_path: slo_path,
-            metadata_path: metadata_path,
-            private_key: private_key,
-            certificate: certificate,
-            digest_method: digest_method,
-            signature_method: signature_method,
-            attribute_service_name: attribute_service_name
+          Spid::Saml2::ServiceProvider.new(
+            acs_binding: acs_binding, acs_path: acs_path, slo_path: slo_path,
+            slo_binding: slo_binding, metadata_path: metadata_path,
+            private_key: private_key, certificate: certificate,
+            digest_method: digest_method, signature_method: signature_method,
+            attribute_service_name: attribute_service_name, host: hostname
           )
         end
     end
-    # rubocop:enable Metrics/MethodLength
   end
 end

data/lib/spid/identity_provider_manager.rb

@@ -9,7 +9,7 @@ module Spid
         begin
           Dir.chdir(Spid.configuration.idp_metadata_dir_path) do
             Dir.glob("*.xml").map do |metadata_filepath|
-              generate_identity_provider_from_file(
+              self.class.generate_identity_provider_from_file(
                 File.expand_path(metadata_filepath)
               )
             end
@@ -29,12 +29,22 @@ module Spid
       end
     end
 
-    private
+    def self.parse_from_xml(name:, metadata:)
+      idp_metadata_parser = ::Spid::Saml2::IdpMetadataParser.new
+      idp_settings = idp_metadata_parser.parse_to_hash(metadata)
+      ::Spid::Saml2::IdentityProvider.new(
+        name: name,
+        entity_id: idp_settings[:idp_entity_id],
+        sso_target_url: idp_settings[:idp_sso_target_url],
+        slo_target_url: idp_settings[:idp_slo_target_url],
+        cert_fingerprint: idp_settings[:idp_cert_fingerprint]
+      )
+    end
 
-    def generate_identity_provider_from_file(metadata_filepath)
+    def self.generate_identity_provider_from_file(metadata_filepath)
       idp_name = File.basename(metadata_filepath, "-metadata.xml")
       metadata = File.read(metadata_filepath)
-      IdentityProvider.parse_from_xml(
+      parse_from_xml(
         metadata: metadata,
         name: idp_name
       )

data/lib/spid/metadata.rb

@@ -1,93 +1,26 @@
 # frozen_string_literal: true
 
-require "onelogin/ruby-saml/metadata"
-require "onelogin/ruby-saml/settings"
-
 module Spid
   class Metadata # :nodoc:
-    attr_reader :metadata_attributes
-
-    # rubocop:disable Metrics/MethodLength
-    def initialize(
-          digest_method: Spid::SHA256,
-          signature_method: Spid::RSA_SHA256
-        )
-      @metadata_attributes = {
-        issuer: issuer,
-        private_key: private_key_content,
-        certificate: certificate_content,
-        assertion_consumer_service_url: assertion_consumer_service_url,
-        assertion_consumer_service_binding: Spid.configuration.acs_binding,
-        single_logout_service_url: single_logout_service_url,
-        single_logout_service_binding: Spid.configuration.slo_binding,
-        security: {
-          authn_requests_signed:     true,
-          logout_requests_signed:    false,
-          logout_responses_signed:   false,
-          want_assertions_signed:    false,
-          want_assertions_encrypted: false,
-          want_name_id:              false,
-          metadata_signed:           true,
-          embed_sign:                false,
-          digest_method:             digest_method,
-          signature_method:          signature_method
-        }
-      }
-    end
-    # rubocop:enable Metrics/MethodLength
-
-    def to_xml
-      metadata.generate(saml_settings)
-    end
+    attr_reader :sp_metadata
 
-    def issuer
-      service_provider.host
+    def initialize
+      @sp_metadata = Spid::Saml2::SPMetadata.new(settings: settings)
     end
 
-    def private_key_content
-      service_provider.private_key
+    def settings
+      @settings ||= Spid::Saml2::Settings.new(
+        service_provider: service_provider,
+        identity_provider: nil
+      )
     end
 
-    def certificate_content
-      service_provider.certificate
-    end
-
-    def assertion_consumer_service_url
-      service_provider.acs_url
-    end
-
-    def single_logout_service_url
-      service_provider.slo_url
-    end
-
-    def attribute_service_name
-      service_provider.attribute_service_name
+    def to_xml
+      sp_metadata.to_saml
     end
 
     def service_provider
       @service_provider ||= Spid.configuration.service_provider
     end
-
-    private
-
-    def metadata
-      ::OneLogin::RubySaml::Metadata.new
-    end
-
-    def saml_settings
-      @saml_settings = ::OneLogin::RubySaml::Settings.new metadata_attributes
-
-      outer_self = self
-
-      @saml_settings.attribute_consuming_service.configure do
-        service_index 0
-        service_name outer_self.attribute_service_name
-        add_attribute name: "Name",
-                      name_format: "Name Format",
-                      friendly_name: "Friendly Name"
-      end
-
-      @saml_settings
-    end
   end
 end

data/lib/spid/rack/login.rb

@@ -38,7 +38,7 @@ module Spid
           Spid::Sso::Request.new(
             idp_name: idp_name,
             relay_state: relay_state
-          ).to_saml
+          ).url
         end
 
         def valid_request?

data/lib/spid/rack/logout.rb

@@ -39,7 +39,7 @@ module Spid
             idp_name: idp_name,
             relay_state: relay_state,
             session_index: spid_session["session-index"]
-          ).to_saml
+          ).url
         end
 
         def valid_request?

data/lib/spid/saml2.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal:true
+
+require "spid/saml2/service_provider"
+require "spid/saml2/identity_provider"
+require "spid/saml2/settings"
+require "spid/saml2/authn_request"
+require "spid/saml2/response"
+require "spid/saml2/logout_request"
+require "spid/saml2/logout_response"
+require "spid/saml2/sp_metadata"
+require "spid/saml2/utils"
+require "spid/saml2/idp_metadata_parser"
+
+module Spid
+  module Saml2 # :nodoc:
+  end
+end

data/lib/spid/saml2/authn_request.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require "rexml/document"
+
+module Spid
+  module Saml2
+    class AuthnRequest # :nodoc:
+      attr_reader :document
+      attr_reader :uuid
+      attr_reader :settings
+
+      def initialize(uuid: nil, settings:)
+        @document = REXML::Document.new
+        @uuid = uuid || SecureRandom.uuid
+        @settings = settings
+      end
+
+      def to_saml
+        document.add_element(authn_request)
+        document.to_s
+      end
+
+      def authn_request
+        @authn_request ||=
+          begin
+            element = REXML::Element.new("samlp:AuthnRequest")
+            element.add_attributes(authn_request_attributes)
+            element.add_element(issuer)
+            element.add_element(name_id_policy)
+            element.add_element(requested_authn_context)
+            element
+          end
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      def authn_request_attributes
+        @authn_request_attributes ||=
+          begin
+            attributes = {
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+              "ID" => "_#{uuid}",
+              "Version" => "2.0",
+              "IssueInstant" => issue_instant,
+              "Destination" => settings.idp_sso_target_url,
+              "AssertionConsumerServiceIndex" => settings.acs_index
+            }
+            attributes["ForceAuthn"] = true if settings.force_authn?
+            attributes
+          end
+      end
+      # rubocop:enable Metrics/MethodLength
+
+      def issuer
+        @issuer ||=
+          begin
+            element = REXML::Element.new("saml:Issuer")
+            element.add_attributes(
+              "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
+              "NameQualifier" => settings.sp_entity_id
+            )
+            element.text = settings.sp_entity_id
+            element
+          end
+      end
+
+      def name_id_policy
+        @name_id_policy ||=
+          begin
+            element = REXML::Element.new("samlp:NameIDPolicy")
+            element.add_attributes(
+              "Format" => "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+            )
+            element
+          end
+      end
+
+      def requested_authn_context
+        @requested_authn_context ||=
+          begin
+            element = REXML::Element.new("samlp:RequestedAuthnContext")
+            element.add_attributes(
+              "Comparison" => Spid::MINIMUM_COMPARISON
+            )
+            element.add_element(authn_context_class_ref)
+            element
+          end
+      end
+
+      def authn_context_class_ref
+        @authn_context_class_ref ||=
+          begin
+            element = REXML::Element.new("saml:AuthnContextClassRef")
+            element.text = settings.authn_context
+            element
+          end
+      end
+
+      def issue_instant
+        @issue_instant ||= Time.now.utc.iso8601
+      end
+    end
+  end
+end