RubyGems - spid - Versions diffs - 0.10.0 → 0.11.0 - Mend

spid 0.10.0 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

checksums.yaml +4 -4
data/.rubocop.yml +3 -0
data/CHANGELOG.md +6 -1
data/Gemfile +0 -6
data/README.md +11 -14
data/lib/spid.rb +16 -10
data/lib/spid/configuration.rb +27 -19
data/lib/spid/identity_provider_manager.rb +14 -4
data/lib/spid/metadata.rb +10 -77
data/lib/spid/rack/login.rb +1 -1
data/lib/spid/rack/logout.rb +1 -1
data/lib/spid/saml2.rb +17 -0
data/lib/spid/saml2/authn_request.rb +104 -0
data/lib/spid/saml2/identity_provider.rb +27 -0
data/lib/spid/saml2/idp_metadata_parser.rb +283 -0
data/lib/spid/saml2/logout_request.rb +88 -0
data/lib/spid/saml2/logout_response.rb +33 -0
data/lib/spid/saml2/response.rb +58 -0
data/lib/spid/saml2/service_provider.rb +78 -0
data/lib/spid/saml2/settings.rb +85 -0
data/lib/spid/saml2/sp_metadata.rb +104 -0
data/lib/spid/saml2/utils.rb +62 -0
data/lib/spid/saml2/utils/query_params_signer.rb +75 -0
data/lib/spid/slo.rb +0 -1
data/lib/spid/slo/request.rb +29 -20
data/lib/spid/slo/response.rb +5 -32
data/lib/spid/sso.rb +0 -1
data/lib/spid/sso/request.rb +26 -19
data/lib/spid/sso/response.rb +9 -30
data/lib/spid/version.rb +1 -1
data/spid.gemspec +1 -1
metadata +28 -28
data/lib/spid/authn_request.rb +0 -28
data/lib/spid/identity_provider.rb +0 -60
data/lib/spid/logout_request.rb +0 -21
data/lib/spid/service_provider.rb +0 -107
data/lib/spid/slo/settings.rb +0 -53
data/lib/spid/sso/settings.rb +0 -62

data/lib/spid/saml2/service_provider.rb ADDED

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+require "uri"
+module Spid
+  module Saml2
+    class ServiceProvider # :nodoc:
+      attr_reader :host
+      attr_reader :acs_path
+      attr_reader :acs_binding
+      attr_reader :slo_path
+      attr_reader :slo_binding
+      attr_reader :metadata_path
+      attr_reader :private_key
+      attr_reader :certificate
+      attr_reader :digest_method
+      attr_reader :signature_method
+      attr_reader :attribute_service_name
+      # rubocop:disable Metrics/ParameterLists
+      # rubocop:disable Metrics/MethodLength
+      def initialize(
+            host:,
+            acs_path:,
+            acs_binding:,
+            slo_path:,
+            slo_binding:,
+            metadata_path:,
+            private_key:,
+            certificate:,
+            digest_method:,
+            signature_method:,
+            attribute_service_name:
+          )
+        @host = host
+        @acs_path               = acs_path
+        @acs_binding            = acs_binding
+        @slo_path               = slo_path
+        @slo_binding            = slo_binding
+        @metadata_path          = metadata_path
+        @private_key            = private_key
+        @certificate            = certificate
+        @digest_method          = digest_method
+        @signature_method       = signature_method
+        @attribute_service_name = attribute_service_name
+        validate_attributes
+      end
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/ParameterLists
+      def acs_url
+        @acs_url ||= URI.join(host, acs_path).to_s
+      end
+      def slo_url
+        @slo_url ||= URI.join(host, slo_path).to_s
+      end
+      def metadata_url
+        @metadata_url ||= URI.join(host, metadata_path).to_s
+      end
+      private
+      def validate_attributes
+        if !DIGEST_METHODS.include?(digest_method)
+          raise UnknownDigestMethodError,
+                "Provided digest method is not valid:" \
+                " use one of #{DIGEST_METHODS.join(', ')}"
+        elsif !SIGNATURE_METHODS.include?(signature_method)
+          raise UnknownSignatureMethodError,
+                "Provided digest method is not valid:" \
+                " use one of #{SIGNATURE_METHODS.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/spid/saml2/settings.rb ADDED

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require "base64"
+module Spid
+  module Saml2
+    class Settings # :nodoc:
+      attr_reader :identity_provider
+      attr_reader :service_provider
+      attr_reader :authn_context
+      def initialize(identity_provider:, service_provider:, authn_context: nil)
+        @authn_context = authn_context || Spid::L1
+        unless AUTHN_CONTEXTS.include?(@authn_context)
+          raise Spid::UnknownAuthnContextError,
+                "Provided authn_context '#{@authn_context}' is not valid:" \
+                " use one of #{AUTHN_CONTEXTS.join(', ')}"
+        end
+        @identity_provider = identity_provider
+        @service_provider = service_provider
+      end
+      def idp_entity_id
+        identity_provider.entity_id
+      end
+      def idp_sso_target_url
+        identity_provider.sso_target_url
+      end
+      def idp_slo_target_url
+        identity_provider.slo_target_url
+      end
+      def sp_entity_id
+        service_provider.host
+      end
+      def sp_acs_url
+        service_provider.acs_url
+      end
+      def sp_acs_binding
+        service_provider.acs_binding
+      end
+      def sp_slo_service_url
+        service_provider.slo_url
+      end
+      def sp_slo_service_binding
+        service_provider.slo_binding
+      end
+      def private_key
+        service_provider.private_key
+      end
+      def certificate
+        service_provider.certificate
+      end
+      def signature_method
+        service_provider.signature_method
+      end
+      def acs_index
+        "0"
+      end
+      def force_authn?
+        authn_context > Spid::L1
+      end
+      def x509_certificate_der
+        @x509_certificate_der ||=
+          begin
+            cert = OpenSSL::X509::Certificate.new(certificate)
+            Base64.encode64(cert.to_der).delete("\n")
+          end
+      end
+    end
+  end
+end

data/lib/spid/saml2/sp_metadata.rb ADDED

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+module Spid
+  module Saml2
+    class SPMetadata # :nodoc:
+      attr_reader :document
+      attr_reader :settings
+      attr_reader :uuid
+      def initialize(settings:, uuid: nil)
+        @document = REXML::Document.new
+        @settings = settings
+        @uuid = uuid || SecureRandom.uuid
+      end
+      def to_saml
+        document.add_element(entity_descriptor)
+        document.to_s
+      end
+      def entity_descriptor
+        @entity_descriptor ||=
+          begin
+            element = REXML::Element.new("md:EntityDescriptor")
+            element.add_attributes(entity_descriptor_attributes)
+            element.add_element sp_sso_descriptor
+            element
+          end
+      end
+      def entity_descriptor_attributes
+        @entity_descriptor_attributes ||= {
+          "xmlns:ds" => "http://www.w3.org/2000/09/xmldsig#",
+          "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata",
+          "entityID" => settings.sp_entity_id,
+          "ID" => "_#{uuid}"
+        }
+      end
+      def sp_sso_descriptor
+        @sp_sso_descriptor ||=
+          begin
+            element = REXML::Element.new("md:SPSSODescriptor")
+            element.add_attributes(sp_sso_descriptor_attributes)
+            element.add_element key_descriptor
+            element.add_element ac_service
+            element.add_element slo_service
+            element
+          end
+      end
+      def sp_sso_descriptor_attributes
+        @sp_sso_descriptor_attributes ||= {
+          "protocolSupportEnumeration" =>
+            "urn:oasis:names:tc:SAML:2.0:protocol",
+          "AuthnRequestsSigned" => true
+        }
+      end
+      def ac_service
+        @ac_service ||=
+          begin
+            element = REXML::Element.new("md:AssertionConsumerService")
+            element.add_attributes(ac_service_attributes)
+            element
+          end
+      end
+      def ac_service_attributes
+        @ac_service_attributes ||= {
+          "Binding" => settings.sp_acs_binding,
+          "Location" => settings.sp_acs_url,
+          "index" => 0,
+          "isDefault" => true
+        }
+      end
+      def slo_service
+        @slo_service ||=
+          begin
+            element = REXML::Element.new("md:SingleLogoutService")
+            element.add_attributes(
+              "Binding" => settings.sp_slo_service_binding,
+              "Location" => settings.sp_slo_service_url
+            )
+            element
+          end
+      end
+      def key_descriptor
+        @key_descriptor ||=
+          begin
+            kd = REXML::Element.new("md:KeyDescriptor")
+            kd.add_attributes("use" => "signing")
+            ki = kd.add_element "ds:KeyInfo"
+            data = ki.add_element "ds:X509Data"
+            certificate = data.add_element "ds:X509Certificate"
+            certificate.text = settings.x509_certificate_der
+            kd
+          end
+      end
+    end
+  end
+end

data/lib/spid/saml2/utils.rb ADDED

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require "base64"
+require "zlib"
+require "cgi"
+require "spid/saml2/utils/query_params_signer"
+module Spid
+  module Saml2
+    module Utils # :nodoc:
+      def decode(message)
+        Base64.decode64(message)
+      end
+      def encode(message)
+        Base64.encode64(message)
+      end
+      def deflate(message)
+        Zlib::Deflate.deflate(message, 9)[2..-5]
+      end
+      def inflate(message)
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(message)
+      rescue Zlib::DataError => _e
+        message
+      end
+      def deflate_and_encode(message)
+        encode(deflate(message)).delete("\n")
+      end
+      def decode_and_inflate(message)
+        inflate(decode(message))
+      end
+      def escaped_params(params)
+        params.each_with_object({}) do |(key, value), acc|
+          acc[key] = CGI.escape(value)
+        end
+      end
+      def query_param(key, value)
+        "#{key}=#{value}"
+      end
+      def query_params(params)
+        params.map do |key, value|
+          query_param(key, value)
+        end
+      end
+      def query_string(params)
+        query_params(params).join("&")
+      end
+      def escaped_query_string(params)
+        query_string(escaped_params(params))
+      end
+    end
+  end
+end

data/lib/spid/saml2/utils/query_params_signer.rb ADDED

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+require "base64"
+module Spid
+  module Saml2
+    module Utils
+      class QueryParamsSigner # :nodoc:
+        include Spid::Saml2::Utils
+        attr_reader :saml_message
+        attr_reader :private_key
+        attr_reader :signature_method
+        attr_reader :relay_state
+        def initialize(
+              saml_message:,
+              private_key:,
+              signature_method:,
+              relay_state: nil
+            )
+          @saml_message = saml_message.delete("\n")
+          @private_key = OpenSSL::PKey::RSA.new(private_key)
+          @signature_method = signature_method
+          @relay_state = relay_state
+        end
+        def signature_algorithm
+          @signature_algorithm ||= Spid::SIGNATURE_ALGORITHMS[signature_method]
+        end
+        def signature
+          @signature ||=
+            begin
+              encode(raw_signature)
+            end
+        end
+        def signed_query_params
+          params_for_signature.merge(
+            "Signature" => signature
+          )
+        end
+        def escaped_signed_query_string
+          @escaped_signed_query_string ||=
+            escaped_query_string(signed_query_params)
+        end
+        def raw_signature
+          @raw_signature ||=
+            begin
+              private_key.sign(
+                signature_algorithm,
+                escaped_query_string(params_for_signature)
+              )
+            end
+        end
+        def params_for_signature
+          @params_for_signature ||=
+            begin
+              params = {
+                "SAMLRequest" => deflate_and_encode(saml_message),
+                "RelayState" => relay_state,
+                "SigAlg" => signature_method
+              }
+              params.delete("RelayState") if params["RelayState"].nil?
+              params
+            end
+        end
+      end
+    end
+  end
+end

data/lib/spid/slo.rb CHANGED

@@ -2,7 +2,6 @@
 require "spid/slo/request"
 require "spid/slo/response"
-require "spid/slo/settings"
 module Spid
   module Slo # :nodoc:

data/lib/spid/slo/request.rb CHANGED

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
-require "spid/logout_request"
-require "onelogin/ruby-saml/settings"
 module Spid
   module Slo
     class Request # :nodoc:
@@ -19,25 +16,43 @@ module Spid
           end
       end
-      def to_saml
-        logout_request.create(
-          saml_settings,
-          "RelayState" => relay_state
-        )
+      def url
+        [
+          settings.idp_slo_target_url,
+          query_params_signer.escaped_signed_query_string
+        ].join("?")
+      end
+      def query_params_signer
+        @query_params_signer ||=
+          begin
+            Spid::Saml2::Utils::QueryParamsSigner.new(
+              saml_message: saml_message,
+              relay_state: relay_state,
+              private_key: settings.private_key,
+              signature_method: settings.signature_method
+            )
+          end
       end
-      def saml_settings
-        slo_settings.saml_settings
+      def saml_message
+        @saml_message ||= logout_request.to_saml
       end
-      def slo_settings
-        Settings.new(
-          service_provider: service_provider,
-          identity_provider: identity_provider,
+      def logout_request
+        @logout_request ||= Spid::Saml2::LogoutRequest.new(
+          settings: settings,
           session_index: session_index
         )
       end
+      def settings
+        @settings ||= Spid::Saml2::Settings.new(
+          service_provider: service_provider,
+          identity_provider: identity_provider
+        )
+      end
       def identity_provider
         @identity_provider ||=
           IdentityProviderManager.find_by_name(idp_name)
@@ -47,12 +62,6 @@ module Spid
         @service_provider ||=
           Spid.configuration.service_provider
       end
-      private
-      def logout_request
-        LogoutRequest.new
-      end
     end
   end
 end