spid 0.7.0 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +8 -0
- data/CHANGELOG.md +11 -1
- data/README.md +1 -1
- data/lib/spid.rb +24 -12
- data/lib/spid/configuration.rb +54 -0
- data/lib/spid/identity_provider.rb +60 -0
- data/lib/spid/identity_provider_manager.rb +43 -0
- data/lib/spid/metadata.rb +14 -12
- data/lib/spid/service_provider.rb +107 -0
- data/lib/spid/slo.rb +10 -0
- data/lib/spid/slo/request.rb +50 -0
- data/lib/spid/slo/response.rb +72 -0
- data/lib/spid/slo/settings.rb +53 -0
- data/lib/spid/sso.rb +10 -0
- data/lib/spid/sso/request.rb +53 -0
- data/lib/spid/sso/response.rb +80 -0
- data/lib/spid/sso/settings.rb +78 -0
- data/lib/spid/version.rb +1 -1
- metadata +14 -12
- data/lib/spid/identity_provider_configuration.rb +0 -34
- data/lib/spid/identity_providers.rb +0 -57
- data/lib/spid/idp_metadata.rb +0 -38
- data/lib/spid/service_provider_configuration.rb +0 -73
- data/lib/spid/slo_request.rb +0 -24
- data/lib/spid/slo_response.rb +0 -27
- data/lib/spid/slo_settings.rb +0 -59
- data/lib/spid/sso_request.rb +0 -24
- data/lib/spid/sso_response.rb +0 -48
- data/lib/spid/sso_settings.rb +0 -77
data/lib/spid/slo.rb
ADDED
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "spid/logout_request"
|
|
4
|
+
require "onelogin/ruby-saml/settings"
|
|
5
|
+
|
|
6
|
+
module Spid
|
|
7
|
+
module Slo
|
|
8
|
+
class Request # :nodoc:
|
|
9
|
+
attr_reader :idp_name
|
|
10
|
+
attr_reader :session_index
|
|
11
|
+
|
|
12
|
+
def initialize(idp_name:, session_index:)
|
|
13
|
+
@idp_name = idp_name
|
|
14
|
+
@session_index = session_index
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def to_saml
|
|
18
|
+
logout_request.create(saml_settings)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def saml_settings
|
|
22
|
+
slo_settings.saml_settings
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def slo_settings
|
|
26
|
+
Settings.new(
|
|
27
|
+
service_provider: service_provider,
|
|
28
|
+
identity_provider: identity_provider,
|
|
29
|
+
session_index: session_index
|
|
30
|
+
)
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def identity_provider
|
|
34
|
+
@identity_provider ||=
|
|
35
|
+
IdentityProviderManager.find_by_name(idp_name)
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def service_provider
|
|
39
|
+
@service_provider ||=
|
|
40
|
+
Spid.configuration.service_provider
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
private
|
|
44
|
+
|
|
45
|
+
def logout_request
|
|
46
|
+
LogoutRequest.new
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "onelogin/ruby-saml/logoutresponse"
|
|
4
|
+
|
|
5
|
+
module Spid
|
|
6
|
+
module Slo
|
|
7
|
+
class Response # :nodoc:
|
|
8
|
+
attr_reader :body
|
|
9
|
+
attr_reader :session_index
|
|
10
|
+
attr_reader :matches_request_id
|
|
11
|
+
|
|
12
|
+
def initialize(body:, session_index:, matches_request_id:)
|
|
13
|
+
@body = body
|
|
14
|
+
@session_index = session_index
|
|
15
|
+
@matches_request_id = matches_request_id
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def valid?
|
|
19
|
+
validated_saml_response.validate
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def errors
|
|
23
|
+
validated_saml_response.errors
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def saml_settings
|
|
27
|
+
slo_settings.saml_settings
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def slo_settings
|
|
31
|
+
Settings.new(
|
|
32
|
+
service_provider: service_provider,
|
|
33
|
+
identity_provider: identity_provider,
|
|
34
|
+
session_index: session_index
|
|
35
|
+
)
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def identity_provider
|
|
39
|
+
@identity_provider ||=
|
|
40
|
+
IdentityProviderManager.find_by_entity(issuer)
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def service_provider
|
|
44
|
+
@service_provider ||=
|
|
45
|
+
Spid.configuration.service_provider
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def issuer
|
|
49
|
+
saml_response.issuer.strip
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
private
|
|
53
|
+
|
|
54
|
+
def saml_response
|
|
55
|
+
::OneLogin::RubySaml::Logoutresponse.new(
|
|
56
|
+
body,
|
|
57
|
+
nil,
|
|
58
|
+
matches_request_id: matches_request_id
|
|
59
|
+
)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def validated_saml_response
|
|
63
|
+
@validated_saml_response ||=
|
|
64
|
+
begin
|
|
65
|
+
response = saml_response
|
|
66
|
+
response.settings = saml_settings
|
|
67
|
+
response
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "onelogin/ruby-saml/settings"
|
|
4
|
+
|
|
5
|
+
module Spid
|
|
6
|
+
module Slo
|
|
7
|
+
class Settings # :nodoc:
|
|
8
|
+
attr_reader :service_provider,
|
|
9
|
+
:identity_provider,
|
|
10
|
+
:session_index
|
|
11
|
+
|
|
12
|
+
def initialize(
|
|
13
|
+
service_provider:,
|
|
14
|
+
identity_provider:,
|
|
15
|
+
session_index:
|
|
16
|
+
)
|
|
17
|
+
@service_provider = service_provider
|
|
18
|
+
@identity_provider = identity_provider
|
|
19
|
+
@session_index = session_index
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def saml_settings
|
|
23
|
+
::OneLogin::RubySaml::Settings.new(slo_attributes)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def slo_attributes
|
|
27
|
+
[
|
|
28
|
+
service_provider.slo_attributes,
|
|
29
|
+
identity_provider.slo_attributes,
|
|
30
|
+
inner_slo_attributes
|
|
31
|
+
].inject(:merge)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def inner_slo_attributes
|
|
35
|
+
{
|
|
36
|
+
name_identifier_value: generated_name_identifier_value,
|
|
37
|
+
name_identifier_format: name_identifier_format_value,
|
|
38
|
+
sessionindex: session_index
|
|
39
|
+
}
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
private
|
|
43
|
+
|
|
44
|
+
def generated_name_identifier_value
|
|
45
|
+
::OneLogin::RubySaml::Utils.uuid
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def name_identifier_format_value
|
|
49
|
+
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
data/lib/spid/sso.rb
ADDED
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "spid/authn_request"
|
|
4
|
+
require "onelogin/ruby-saml/settings"
|
|
5
|
+
|
|
6
|
+
module Spid
|
|
7
|
+
module Sso
|
|
8
|
+
class Request # :nodoc:
|
|
9
|
+
attr_reader :idp_name
|
|
10
|
+
attr_reader :authn_context
|
|
11
|
+
attr_reader :authn_context_comparison
|
|
12
|
+
|
|
13
|
+
def initialize(idp_name:, authn_context:, authn_context_comparison:)
|
|
14
|
+
@idp_name = idp_name
|
|
15
|
+
@authn_context = authn_context
|
|
16
|
+
@authn_context_comparison = authn_context_comparison
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def to_saml
|
|
20
|
+
authn_request.create(saml_settings)
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def saml_settings
|
|
24
|
+
sso_settings.saml_settings
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def sso_settings
|
|
28
|
+
Settings.new(
|
|
29
|
+
service_provider: service_provider,
|
|
30
|
+
identity_provider: identity_provider,
|
|
31
|
+
authn_context: authn_context,
|
|
32
|
+
authn_context_comparison: authn_context_comparison
|
|
33
|
+
)
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def identity_provider
|
|
37
|
+
@identity_provider ||=
|
|
38
|
+
IdentityProviderManager.find_by_name(idp_name)
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
def service_provider
|
|
42
|
+
@service_provider ||=
|
|
43
|
+
Spid.configuration.service_provider
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
private
|
|
47
|
+
|
|
48
|
+
def authn_request
|
|
49
|
+
AuthnRequest.new
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
end
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "onelogin/ruby-saml/response"
|
|
4
|
+
require "active_support/inflector/methods"
|
|
5
|
+
|
|
6
|
+
module Spid
|
|
7
|
+
module Sso
|
|
8
|
+
class Response # :nodoc:
|
|
9
|
+
attr_reader :body
|
|
10
|
+
|
|
11
|
+
def initialize(body:)
|
|
12
|
+
@body = body
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def valid?
|
|
16
|
+
validated_saml_response.is_valid?
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def saml_settings
|
|
20
|
+
sso_settings.saml_settings
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def sso_settings
|
|
24
|
+
Settings.new(
|
|
25
|
+
service_provider: service_provider,
|
|
26
|
+
identity_provider: identity_provider
|
|
27
|
+
)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def attributes
|
|
31
|
+
raw_attributes.each_with_object({}) do |(key, value), acc|
|
|
32
|
+
acc[normalize_key(key)] = value
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def issuer
|
|
37
|
+
saml_response.issuers.first
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def session_index
|
|
41
|
+
saml_response.sessionindex
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def raw_attributes
|
|
45
|
+
saml_response.attributes.attributes
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def identity_provider
|
|
49
|
+
@identity_provider ||=
|
|
50
|
+
IdentityProviderManager.find_by_entity(issuer)
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def service_provider
|
|
54
|
+
@service_provider ||=
|
|
55
|
+
Spid.configuration.service_provider
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
private
|
|
59
|
+
|
|
60
|
+
def normalize_key(key)
|
|
61
|
+
ActiveSupport::Inflector.underscore(
|
|
62
|
+
key.to_s
|
|
63
|
+
).to_sym
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def saml_response
|
|
67
|
+
::OneLogin::RubySaml::Response.new(body)
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def validated_saml_response
|
|
71
|
+
@validated_saml_response ||=
|
|
72
|
+
begin
|
|
73
|
+
response = saml_response
|
|
74
|
+
response.settings = saml_settings
|
|
75
|
+
response
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Spid
|
|
4
|
+
module Sso
|
|
5
|
+
class Settings # :nodoc:
|
|
6
|
+
attr_reader :service_provider,
|
|
7
|
+
:identity_provider,
|
|
8
|
+
:authn_context,
|
|
9
|
+
:authn_context_comparison
|
|
10
|
+
|
|
11
|
+
# rubocop:disable Metrics/MethodLength
|
|
12
|
+
def initialize(
|
|
13
|
+
service_provider:,
|
|
14
|
+
identity_provider:,
|
|
15
|
+
authn_context: Spid::L1,
|
|
16
|
+
authn_context_comparison: Spid::EXACT_COMPARISON
|
|
17
|
+
)
|
|
18
|
+
|
|
19
|
+
unless AUTHN_CONTEXTS.include?(authn_context)
|
|
20
|
+
raise Spid::UnknownAuthnContextError,
|
|
21
|
+
"Provided authn_context is not valid:" \
|
|
22
|
+
" use one of #{AUTHN_CONTEXTS.join(', ')}"
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
unless COMPARISON_METHODS.include?(authn_context_comparison)
|
|
26
|
+
raise Spid::UnknownAuthnComparisonMethodError,
|
|
27
|
+
"Provided authn_context_comparison_method is not valid:" \
|
|
28
|
+
" use one of #{COMPARISON_METHODS.join(', ')}"
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
@service_provider = service_provider
|
|
32
|
+
@identity_provider = identity_provider
|
|
33
|
+
@authn_context = authn_context
|
|
34
|
+
@authn_context_comparison = authn_context_comparison
|
|
35
|
+
end
|
|
36
|
+
# rubocop:enable Metrics/MethodLength
|
|
37
|
+
|
|
38
|
+
def saml_settings
|
|
39
|
+
::OneLogin::RubySaml::Settings.new(sso_attributes)
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def sso_attributes
|
|
43
|
+
[
|
|
44
|
+
service_provider.sso_attributes,
|
|
45
|
+
identity_provider.sso_attributes,
|
|
46
|
+
inner_sso_attributes,
|
|
47
|
+
force_authn_attributes
|
|
48
|
+
].inject(:merge)
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def inner_sso_attributes
|
|
52
|
+
{
|
|
53
|
+
protocol_binding: protocol_binding_value,
|
|
54
|
+
name_identifier_format: name_identifier_format_value,
|
|
55
|
+
authn_context: authn_context,
|
|
56
|
+
authn_context_comparison: authn_context_comparison
|
|
57
|
+
}
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def force_authn_attributes
|
|
61
|
+
return {} if authn_context <= Spid::L1
|
|
62
|
+
{
|
|
63
|
+
force_authn: true
|
|
64
|
+
}
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
private
|
|
68
|
+
|
|
69
|
+
def protocol_binding_value
|
|
70
|
+
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def name_identifier_format_value
|
|
74
|
+
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
data/lib/spid/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: spid
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- David Librera
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-07-
|
|
11
|
+
date: 2018-07-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: ruby-saml
|
|
@@ -278,18 +278,20 @@ files:
|
|
|
278
278
|
- idp_metadata/.gitkeep
|
|
279
279
|
- lib/spid.rb
|
|
280
280
|
- lib/spid/authn_request.rb
|
|
281
|
-
- lib/spid/
|
|
282
|
-
- lib/spid/
|
|
283
|
-
- lib/spid/
|
|
281
|
+
- lib/spid/configuration.rb
|
|
282
|
+
- lib/spid/identity_provider.rb
|
|
283
|
+
- lib/spid/identity_provider_manager.rb
|
|
284
284
|
- lib/spid/logout_request.rb
|
|
285
285
|
- lib/spid/metadata.rb
|
|
286
|
-
- lib/spid/
|
|
287
|
-
- lib/spid/
|
|
288
|
-
- lib/spid/
|
|
289
|
-
- lib/spid/
|
|
290
|
-
- lib/spid/
|
|
291
|
-
- lib/spid/
|
|
292
|
-
- lib/spid/
|
|
286
|
+
- lib/spid/service_provider.rb
|
|
287
|
+
- lib/spid/slo.rb
|
|
288
|
+
- lib/spid/slo/request.rb
|
|
289
|
+
- lib/spid/slo/response.rb
|
|
290
|
+
- lib/spid/slo/settings.rb
|
|
291
|
+
- lib/spid/sso.rb
|
|
292
|
+
- lib/spid/sso/request.rb
|
|
293
|
+
- lib/spid/sso/response.rb
|
|
294
|
+
- lib/spid/sso/settings.rb
|
|
293
295
|
- lib/spid/version.rb
|
|
294
296
|
- spid.gemspec
|
|
295
297
|
homepage: https://github.com/italia/spid-ruby
|