spid 0.14.0 → 0.15.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +5 -5
- data/lib/spid/rack/login.rb +4 -4
- data/lib/spid/rack/logout.rb +4 -4
- data/lib/spid/rack/slo.rb +52 -11
- data/lib/spid/rack/sso.rb +6 -6
- data/lib/spid/saml2.rb +1 -0
- data/lib/spid/saml2/idp_logout_request.rb +4 -0
- data/lib/spid/saml2/idp_logout_request_validator.rb +17 -0
- data/lib/spid/slo.rb +1 -0
- data/lib/spid/slo/idp_request.rb +78 -0
- data/lib/spid/slo/response.rb +4 -0
- data/lib/spid/version.rb +1 -1
- metadata +4 -2
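--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a69cfce2f0a7c237e36061186e9dfda86bdecc85c91163105518b4daebc6cc5c
+data.tar.gz: 31aba1da1bab837c92fe3245754f1b6cb158dfb860ead66384dcf915a1fb5e4f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bac0ea1030e71bef7980e019b54bce8ee9dee96aa324cc2001be28b9cbf01676b699311fb412527633dedf3c3b28ef20b7c13da6aee32b43faae53d0c3f9415c
+data.tar.gz: 8b4ddc12d9566e40f9622dba9d276ea413e0fb1e7bd2c715e2b0aed0d7f593327c83e27413748400c42d9d2b273049d6e341cb67d752e9ea9bc7a9428808aa92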
data/CHANGELOG.md
CHANGED
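--- a/data/README.md
+++ b/data/README.md
@@ -72,14 +72,14 @@ gem "spid"
 |verification of `Destination`|✓|
 |PartialLogout detection||
 |**LogoutRequest parsing (for third-party-initiated logout):**||
-|parsing of LogoutRequest XML
+|parsing of LogoutRequest XML|✓|
 |verification of `Response/Signature` value (if any)||
 |verification of `Response/Signature` certificate (if any) against IdP metadata||
-|verification of `Issuer
-|verification of `Destination
-|parsing of `NameID
+|verification of `Issuer`|✓|
+|verification of `Destination`|✓|
+|parsing of `NameID`|✓|
 |**LogoutResponse generation (for third-party-initiated logout):**||
-|generation of LogoutResponse XML
+|generation of LogoutResponse XML|✓|
 |HTTP-Redirect binding||
 |HTTP-POST binding||
 |PartialLogout customization||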
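--- a/data/lib/spid/rack/login.rb
+++ b/data/lib/spid/rack/login.rb
@@ -30,7 +30,7 @@ module Spid
 end
 
 def response
-session["sso_request_uuid"] =
+session["sso_request_uuid"] = responser.uuid
 [
 302,
 { "Location" => sso_url },
@@ -39,11 +39,11 @@ module Spid
 end
 
 def sso_url
-
+responser.url
 end
 
-def
-@
+def responser
+@responser ||=
 begin
 Spid::Sso::Request.new(
 idp_name: idp_name,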
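--- a/data/lib/spid/rack/logout.rb
+++ b/data/lib/spid/rack/logout.rb
@@ -26,7 +26,7 @@ module Spid
 end
 
 def response
-session["slo_request_uuid"] =
+session["slo_request_uuid"] = responser.uuid
 [
 302,
 { "Location" => slo_url },
@@ -39,11 +39,11 @@ module Spid
 end
 
 def slo_url
-
+responser.url
 end
 
-def
-@
+def responser
+@responser ||=
 begin
 Spid::Slo::Request.new(
 idp_name: idp_name,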
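--- a/data/lib/spid/rack/slo.rb
+++ b/data/lib/spid/rack/slo.rb
@@ -35,22 +35,35 @@ module Spid
 end
 
 def store_session_failure
-session["errors"] =
+session["errors"] = responser.errors
 end
 
-def
-if valid_response?
-clear_session
-else
-store_session_failure
-end
+def response_sp_initiated
 [
 302,
 { "Location" => relay_state },
-
+responser.response
+]
+end
+
+def response_idp_initiated
+[
+200,
+{},
+responser.response
 ]
 end
 
+def validate_session
+valid_response? ? clear_session : store_session_failure
+end
+
+def response
+validate_session
+return response_idp_initiated if idp_initiated?
+response_sp_initiated
+end
+
 def relay_state
 if !request.params["RelayState"].nil? &&
 request.params["RelayState"] != ""
@@ -79,7 +92,7 @@ module Spid
 end
 
 def valid_response?
-
+responser.valid?
 end
 
 def valid_request?
@@ -90,8 +103,36 @@ module Spid
 request.params["SAMLResponse"]
 end
 
-def
-
+def saml_request
+request.params["SAMLRequest"]
+end
+
+def idp_initiated?
+!saml_request.nil?
+end
+
+def responser
+@responser ||=
+begin
+if idp_initiated?
+idp_initiated_slo_request
+else
+sp_initiated_slo_response
+end
+end
+end
+
+private
+
+def idp_initiated_slo_request
+::Spid::Slo::IdpRequest.new(
+body: saml_request,
+session_index: session["session_index"]
+)
+end
+
+def sp_initiated_slo_response
+::Spid::Slo::Response.new(
 body: saml_response,
 request_uuid: session["slo_request_uuid"],
 session_index: session["session_index"]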
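--- a/data/lib/spid/rack/sso.rb
+++ b/data/lib/spid/rack/sso.rb
@@ -31,13 +31,13 @@ module Spid
 end
 
 def store_session_success
-session["attributes"] =
-session["session_index"] =
+session["attributes"] = responser.attributes
+session["session_index"] = responser.session_index
 session.delete("sso_request_uuid")
 end
 
 def store_session_failure
-session["errors"] =
+session["errors"] = responser.errors
 end
 
 def response
@@ -85,15 +85,15 @@ module Spid
 end
 
 def valid_response?
-
+responser.valid?
 end
 
 def valid_request?
 valid_path? && valid_http_verb?
 end
 
-def
-@
+def responser
+@responser ||= ::Spid::Sso::Response.new(
 body: saml_response,
 request_uuid: session["sso_request_uuid"]
 )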
data/lib/spid/saml2.rb
CHANGED
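--- /dev/null
+++ b/data/lib/spid/slo/idp_request.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Spid
+module Slo
+class IdpRequest # :nodoc:
+include Spid::Saml2::Utils
+
+attr_reader :body
+attr_reader :saml_message
+attr_reader :session_index
+
+def initialize(body:, session_index:)
+@body = body
+@saml_message = decode_and_inflate(body)
+@session_index = session_index
+end
+
+def response
+[
+idp_logout_response.to_saml
+]
+end
+
+def valid?
+validator.call
+end
+
+def identity_provider
+@identity_provider ||=
+IdentityProviderManager.find_by_entity(issuer)
+end
+
+def service_provider
+@service_provider ||=
+Spid.configuration.service_provider
+end
+
+def issuer
+idp_logout_request.issuer
+end
+
+def settings
+@settings ||= Spid::Saml2::Settings.new(
+service_provider: service_provider,
+identity_provider: identity_provider
+)
+end
+
+def validator
+@validator ||=
+begin
+Spid::Saml2::IdpLogoutRequestValidator.new(
+request: idp_logout_request
+)
+end
+end
+
+def idp_logout_request
+@idp_logout_request ||=
+begin
+Spid::Saml2::IdpLogoutRequest.new(
+saml_message: saml_message
+)
+end
+end
+
+def idp_logout_response
+@idp_logout_response ||=
+begin
+Spid::Saml2::IdpLogoutResponse.new(
+settings: settings,
+request_uuid: idp_logout_request.id
+)
+end
+end
+end
+end
+end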
data/lib/spid/slo/response.rb
CHANGED
data/lib/spid/version.rb
CHANGED
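--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spid
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.15.0
 platform: ruby
 authors:
 - David Librera
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-
+date: 2018-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -325,6 +325,7 @@ files:
 - lib/spid/saml2/authn_request.rb
 - lib/spid/saml2/identity_provider.rb
 - lib/spid/saml2/idp_logout_request.rb
+- lib/spid/saml2/idp_logout_request_validator.rb
 - lib/spid/saml2/idp_logout_response.rb
 - lib/spid/saml2/idp_metadata_parser.rb
 - lib/spid/saml2/logout_request.rb
@@ -338,6 +339,7 @@ files:
 - lib/spid/saml2/utils.rb
 - lib/spid/saml2/utils/query_params_signer.rb
 - lib/spid/slo.rb
+- lib/spid/slo/idp_request.rb
 - lib/spid/slo/request.rb
 - lib/spid/slo/response.rb
 - lib/spid/sso.rb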