spid 0.7.0 → 0.8.0

data/lib/spid/identity_provider_configuration.rb

@@ -1,34 +0,0 @@
-# frozen_string_literal: true
-
-module Spid
-  class IdentityProviderConfiguration # :nodoc:
-    attr_reader :idp_metadata, :idp_metadata_hash
-
-    def initialize(idp_metadata:)
-      @idp_metadata = idp_metadata
-      @idp_metadata_hash = idp_metadata_parser.parse_to_hash(idp_metadata)
-    end
-
-    def entity_id
-      @entity_id ||= idp_metadata_hash[:idp_entity_id]
-    end
-
-    def sso_target_url
-      @sso_target_url ||= idp_metadata_hash[:idp_sso_target_url]
-    end
-
-    def slo_target_url
-      @slo_target_url ||= idp_metadata_hash[:idp_slo_target_url]
-    end
-
-    def cert_fingerprint
-      @cert_fingerprint ||= idp_metadata_hash[:idp_cert_fingerprint]
-    end
-
-    private
-
-    def idp_metadata_parser
-      @idp_metadata_parser ||= ::OneLogin::RubySaml::IdpMetadataParser.new
-    end
-  end
-end

data/lib/spid/identity_providers.rb

@@ -1,57 +0,0 @@
-# frozen_string_literal: true
-
-require "faraday"
-require "faraday_middleware"
-
-module Spid
-  class IdentityProviders # :nodoc:
-    class MetadataFetchError < StandardError; end
-
-    def self.fetch_all
-      new.fetch_all
-    end
-
-    def fetch_all
-      spid_idp_entities.map do |idp|
-        metadata_url = check_for_final_metadata_url(idp["metadata_url"])
-        {
-          name: idp["entity_name"].gsub(/ ID$/, "").downcase,
-          metadata_url: metadata_url,
-          entity_id: idp["entity_id"]
-        }
-      end
-    end
-
-    private
-
-    def check_for_final_metadata_url(metadata_url)
-      response = Faraday.get(metadata_url)
-      case response.status
-      when 200
-        metadata_url
-      when 301, 302
-        response["Location"]
-      end
-    end
-
-    def spid_idp_entities
-      return [] if response.body["spidFederationRegistry"].nil?
-      response.body["spidFederationRegistry"]["entities"]
-    end
-
-    def response
-      connection.get do |req|
-        req.url "/api/identity-providers"
-        req.headers["Accept"] = "application/json"
-      end
-    end
-
-    def connection
-      Faraday.new("https://registry.spid.gov.it") do |conn|
-        conn.response :json, content_type: /\bjson$/
-
-        conn.adapter Faraday.default_adapter
-      end
-    end
-  end
-end

data/lib/spid/idp_metadata.rb

@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-
-require "singleton"
-require "onelogin/ruby-saml/idp_metadata_parser"
-
-module Spid
-  class IdpMetadata # :nodoc:
-    include Singleton
-
-    def initialize
-      @identity_providers = Spid::IdentityProviders.fetch_all
-      @metadata = {}
-    end
-
-    def [](idp_name)
-      return @metadata[idp_name] unless @metadata[idp_name].nil?
-      idp_hash = identity_provider_hash(idp_name)
-
-      @metadata[idp_name] = parser.parse_remote_to_hash(
-        idp_hash[:metadata_url],
-        idp_hash[:metadata_url].start_with?("https://")
-      )
-      @metadata[idp_name]
-    end
-
-    def identity_provider_hash(idp_name)
-      @identity_providers.find do |idp|
-        idp[:name] == idp_name.to_s
-      end
-    end
-
-    private
-
-    def parser
-      @parser ||= ::OneLogin::RubySaml::IdpMetadataParser.new
-    end
-  end
-end

data/lib/spid/service_provider_configuration.rb

@@ -1,73 +0,0 @@
-# frozen_string_literal: true
-
-require "uri"
-
-module Spid
-  class ServiceProviderConfiguration # :nodoc:
-    attr_reader :host,
-                :sso_path,
-                :slo_path,
-                :metadata_path,
-                :private_key_file_path,
-                :certificate_file_path,
-                :digest_method,
-                :signature_method
-
-    # rubocop:disable Metrics/ParameterLists
-    def initialize(
-          host:,
-          sso_path:,
-          slo_path:,
-          metadata_path:,
-          private_key_file_path:,
-          certificate_file_path:,
-          digest_method:,
-          signature_method:
-        )
-      @host = host
-      @sso_path = sso_path
-      @slo_path = slo_path
-      @metadata_path = metadata_path
-      @private_key_file_path = private_key_file_path
-      @certificate_file_path = certificate_file_path
-      @digest_method = digest_method
-      @signature_method = signature_method
-      validate_attributes
-    end
-    # rubocop:enable Metrics/ParameterLists
-
-    def sso_url
-      @sso_url ||= URI.join(host, sso_path).to_s
-    end
-
-    def slo_url
-      @slo_url ||= URI.join(host, slo_path).to_s
-    end
-
-    def metadata_url
-      @metadata_url ||= URI.join(host, metadata_path).to_s
-    end
-
-    def private_key
-      @private_key ||= File.read(private_key_file_path)
-    end
-
-    def certificate
-      @certificate ||= File.read(certificate_file_path)
-    end
-
-    private
-
-    def validate_attributes
-      if !DIGEST_METHODS.include?(digest_method)
-        raise UnknownDigestMethodError,
-              "Provided digest method is not valid:" \
-              " use one of #{DIGEST_METHODS.join(', ')}"
-      elsif !SIGNATURE_METHODS.include?(signature_method)
-        raise UnknownSignatureMethodError,
-              "Provided digest method is not valid:" \
-              " use one of #{SIGNATURE_METHODS.join(', ')}"
-      end
-    end
-  end
-end

data/lib/spid/slo_request.rb

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-require "spid/logout_request"
-require "onelogin/ruby-saml/settings"
-
-module Spid
-  class SloRequest # :nodoc:
-    attr_reader :slo_settings
-
-    def initialize(slo_settings:)
-      @slo_settings = slo_settings
-    end
-
-    def to_saml
-      logout_request.create(slo_settings)
-    end
-
-    private
-
-    def logout_request
-      LogoutRequest.new
-    end
-  end
-end

data/lib/spid/slo_response.rb

@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-require "onelogin/ruby-saml/logoutresponse"
-
-module Spid
-  class SloResponse # :nodoc:
-    attr_reader :body, :slo_settings
-
-    def initialize(body:, slo_settings:)
-      @body = body
-      @slo_settings = slo_settings
-    end
-
-    def valid?
-      saml_response.validate
-    end
-
-    private
-
-    def saml_response
-      @saml_response ||= ::OneLogin::RubySaml::Logoutresponse.new(
-        body,
-        slo_settings
-      )
-    end
-  end
-end

data/lib/spid/slo_settings.rb

@@ -1,59 +0,0 @@
-# frozen_string_literal: true
-
-require "onelogin/ruby-saml/settings"
-
-module Spid
-  class SloSettings < ::OneLogin::RubySaml::Settings # :nodoc:
-    attr_reader :service_provider_configuration,
-                :identity_provider_configuration,
-                :session_index
-
-    def initialize(
-          service_provider_configuration:,
-          identity_provider_configuration:,
-          session_index:
-        )
-      @service_provider_configuration = service_provider_configuration
-      @identity_provider_configuration = identity_provider_configuration
-      @session_index = session_index
-
-      super(slo_attributes)
-    end
-
-    # rubocop:disable Metrics/MethodLength
-    # rubocop:disable Metrics/AbcSize
-    def slo_attributes
-      return @slo_attributes if @slo_attributes.present?
-      @slo_attributes = {
-        idp_slo_target_url: identity_provider_configuration.slo_target_url,
-        issuer: service_provider_configuration.host,
-        idp_name_qualifier: identity_provider_configuration.entity_id,
-        name_identifier_value: generated_name_identifier_value,
-        name_identifier_format: name_identifier_format_value,
-        private_key: service_provider_configuration.private_key,
-        certificate: service_provider_configuration.certificate,
-        idp_cert_fingerprint: identity_provider_configuration.cert_fingerprint,
-        sessionindex: session_index,
-        security: {
-          logout_requests_signed: true,
-          embed_sign: true,
-          digest_method: service_provider_configuration.digest_method,
-          signature_method: service_provider_configuration.signature_method
-        }
-      }
-      @slo_attributes
-    end
-    # rubocop:enable Metrics/AbcSize
-    # rubocop:enable Metrics/MethodLength
-
-    private
-
-    def generated_name_identifier_value
-      ::OneLogin::RubySaml::Utils.uuid
-    end
-
-    def name_identifier_format_value
-      "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-    end
-  end
-end

data/lib/spid/sso_request.rb

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-require "spid/authn_request"
-require "onelogin/ruby-saml/settings"
-
-module Spid
-  class SsoRequest # :nodoc:
-    attr_reader :sso_settings
-
-    def initialize(sso_settings:)
-      @sso_settings = sso_settings
-    end
-
-    def to_saml
-      authn_request.create(sso_settings)
-    end
-
-    private
-
-    def authn_request
-      AuthnRequest.new
-    end
-  end
-end

data/lib/spid/sso_response.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-require "onelogin/ruby-saml/response"
-require "active_support/inflector/methods"
-
-module Spid
-  class SsoResponse # :nodoc:
-    attr_reader :body, :sso_settings
-
-    def initialize(body:, sso_settings:)
-      @body = body
-      @sso_settings = sso_settings
-    end
-
-    def valid?
-      saml_response.is_valid?
-    end
-
-    def attributes
-      raw_attributes.each_with_object({}) do |(key, value), acc|
-        acc[normalize_key(key)] = value
-      end
-    end
-
-    def session_index
-      saml_response.sessionindex
-    end
-
-    def raw_attributes
-      saml_response.attributes.attributes
-    end
-
-    private
-
-    def normalize_key(key)
-      ActiveSupport::Inflector.underscore(
-        key.to_s
-      ).to_sym
-    end
-
-    def saml_response
-      @saml_response ||= ::OneLogin::RubySaml::Response.new(
-        body,
-        settings: sso_settings
-      )
-    end
-  end
-end

data/lib/spid/sso_settings.rb

@@ -1,77 +0,0 @@
-# frozen_string_literal: true
-
-module Spid
-  class SsoSettings < ::OneLogin::RubySaml::Settings # :nodoc:
-    attr_reader :service_provider_configuration,
-                :identity_provider_configuration,
-                :authn_context,
-                :authn_context_comparison
-
-    # rubocop:disable Metrics/MethodLength
-    def initialize(
-          service_provider_configuration:,
-          identity_provider_configuration:,
-          authn_context: Spid::L1,
-          authn_context_comparison: Spid::EXACT_COMPARISON
-        )
-
-      unless AUTHN_CONTEXTS.include?(authn_context)
-        raise Spid::UnknownAuthnContextError,
-              "Provided authn_context is not valid:" \
-              " use one of #{AUTHN_CONTEXTS.join(', ')}"
-      end
-
-      unless COMPARISON_METHODS.include?(authn_context_comparison)
-        raise Spid::UnknownAuthnComparisonMethodError,
-              "Provided authn_context_comparison_method is not valid:" \
-              " use one of #{COMPARISON_METHODS.join(', ')}"
-      end
-
-      @service_provider_configuration = service_provider_configuration
-      @identity_provider_configuration = identity_provider_configuration
-      @authn_context = authn_context
-      @authn_context_comparison = authn_context_comparison
-
-      super(sso_attributes)
-    end
-    # rubocop:enable Metrics/MethodLength
-
-    # rubocop:disable Metrics/MethodLength
-    # rubocop:disable Metrics/AbcSize
-    def sso_attributes
-      return @sso_attributes if @sso_attributes.present?
-      @sso_attributes = {
-        idp_sso_target_url: identity_provider_configuration.sso_target_url,
-        assertion_consumer_service_url: service_provider_configuration.sso_url,
-        protocol_binding: protocol_binding_value,
-        issuer: service_provider_configuration.host,
-        private_key: service_provider_configuration.private_key,
-        certificate: service_provider_configuration.certificate,
-        name_identifier_format: name_identifier_format_value,
-        authn_context: authn_context,
-        authn_context_comparison: authn_context_comparison,
-        idp_cert_fingerprint: identity_provider_configuration.cert_fingerprint,
-        security: {
-          authn_requests_signed: true,
-          embed_sign: true,
-          digest_method: service_provider_configuration.digest_method,
-          signature_method: service_provider_configuration.signature_method
-        }
-      }
-      @sso_attributes[:force_authn] = true if authn_context > Spid::L1
-      @sso_attributes
-    end
-    # rubocop:enable Metrics/AbcSize
-    # rubocop:enable Metrics/MethodLength
-
-    private
-
-    def protocol_binding_value
-      "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    end
-
-    def name_identifier_format_value
-      "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-    end
-  end
-end