stub_saml_idp 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a3f6ac356bfc0056773af0a5521b971242a78dcae4988d5dd1a11e7c185457fc
+  data.tar.gz: 4e0cee21a7d101f93279a6c3692a5e632c9847ae55a0ab0be1d1cab6b8a603b8
+SHA512:
+  metadata.gz: a5719837b97827677c41461a987899847460ab0904092e98962320d19144b550df1426b8ea7be09bc1120e0ec0ee3c58a5879c31c95f8c954dd77177c072b82e
+  data.tar.gz: 345e07b9e5da8a4f31c82954a9cf564402911d995e4da75d105ef3d5cefb1deb880820d91aed2ac61cdbdede20505a67cdd8fe2c10fb1cc9f097ac37657b6dc1

data/Gemfile

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec
+
+group :development, :test do
+  gem 'rails', '~> 7.0.0'
+  gem 'rubocop'
+  gem 'rubocop-rspec'
+  gem 'ruby-saml'
+end
+
+group :test do
+  gem 'capybara'
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rspec-rails', '~> 5.0'
+  gem 'selenium-webdriver'
+  gem 'timecop'
+end
+
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('3.1')
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
+  gem 'net-smtp', require: false
+end

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2022 Peter M. Goldstein (https://github.com/petergoldstein/stub_saml_idp)
+Copyright (c) 2012 Lawrence Pit (https://github.com/lawrencepit/ruby-saml-idp)
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,94 @@
+# Stub SAML Identity Provider (IdP)
+
+The Stub SAML Identity Provider library allows users to easily spin up stub SAML IdP
+servers in test environments.    
+
+This is not a "real" IdP and should not be used in production environments.  It is intended
+only for use in testing environments.
+
+
+Installation and Usage
+----------------------
+
+Add this to the Gemfile of your Rails app in your test environment:
+
+    gem 'stub_saml_idp'
+
+Add to your `routes.rb` file, for example:
+
+``` ruby
+get '/saml/auth' => 'saml_idp#new'
+post '/saml/auth' => 'saml_idp#create'
+```
+
+Create a controller that looks like this, customize to your own situation:
+
+``` ruby
+class SamlIdpController < StubSamlIdp::IdpController
+  before_action :find_account
+  # layout 'saml_idp'
+
+  def idp_authenticate(email, password)
+    user = @account.users.where(:email => params[:email]).first
+    user && user.valid_password?(params[:password]) ? user : nil
+  end
+
+  def idp_make_saml_response(user)
+    encode_SAMLResponse(user.email)
+  end
+
+  private
+
+    def find_account
+      @subdomain = saml_acs_url[/https?:\/\/(.+?)\.example.com/, 1]
+      @account = Account.find_by_subdomain(@subdomain)
+      render :status => :forbidden unless @account.saml_enabled?
+    end
+
+end
+```
+
+The most minimal example controller would look like:
+
+``` ruby
+class SamlIdpController < StubSamlIdp::IdpController
+
+  def idp_authenticate(email, password)
+    true
+  end
+
+  def idp_make_saml_response(user)
+    encode_SAMLResponse("you@example.com")
+  end
+
+end
+```
+
+Keys and Secrets
+----------------
+
+To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret. You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032. You can customize these values by setting the properties `x509_certificate` and `secret_key` using a `prepend_before_action` callback within the current request context or setting them globally via the `SamlIdp.config.x509_certificate` and `SamlIdp.config.secret_key` properties.
+
+The fingerprint to use, if you use the default X.509 certificate of this gem, is:
+
+```
+9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D
+```
+
+
+Service Providers
+-----------------
+
+To act as a Service Provider which generates SAML Requests and can react to SAML Responses use the excellent [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
+
+
+Contributors
+-------------
+
+This is an updated version of the stub SAML IDP originally published by [Lawrence Pit](https://github.com/lawrencepit).  The updated gem would not have been possible without his contribution.
+
+Copyright
+-----------
+
+Copyright (c) 2022 Peter M. Goldstein See MIT-LICENSE for details.
+Copyright (c) 2012 Lawrence Pit. See MIT-LICENSE for details.

data/app/controllers/stub_saml_idp/idp_controller.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  class IdpController < ActionController::Base
+    include StubSamlIdp::Controller
+
+    protect_from_forgery
+
+    before_action :validate_saml_request
+
+    def new
+      render template: 'stub_saml_idp/idp/new'
+    end
+
+    def create
+      render_no_params && return unless auth_params?
+
+      if person.nil?
+        render_auth_failure
+      else
+        @saml_response = idp_make_saml_response(person)
+        render template: 'stub_saml_idp/idp/saml_post', layout: false
+      end
+    end
+
+    def render_no_params
+      render template: 'stub_saml_idp/idp/new'
+    end
+
+    def render_auth_failure
+      @saml_idp_fail_msg = 'Incorrect email or password.'
+      render template: 'stub_saml_idp/idp/new'
+    end
+
+    def person
+      return nil unless auth_params?
+
+      @person ||= idp_authenticate(params[:email], params[:password])
+    end
+
+    def auth_params?
+      !(params[:email].blank? || params[:password].blank?)
+    end
+
+    protected
+
+    def idp_authenticate(_email, _password)
+      raise 'Not implemented'
+    end
+
+    def idp_make_saml_response(_person)
+      raise 'Not implemented'
+    end
+  end
+end

data/app/views/stub_saml_idp/idp/new.html.erb

@@ -0,0 +1,21 @@
+<% if @saml_idp_fail_msg %>
+  <div id="saml_idp_fail_msg" class="flash error"><%= @saml_idp_fail_msg %></div>
+<% end %>
+
+<%= form_tag do %>
+  <%= hidden_field_tag("SAMLRequest", params[:SAMLRequest]) %>
+
+  <p>
+    <%= label_tag :email %>
+    <%= email_field_tag :email, params[:email], :autocapitalize => "off", :autocorrect => "off", :autofocus => "autofocus", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= label_tag :password %>
+    <%= password_field_tag :password, params[:password], :autocapitalize => "off", :autocorrect => "off", :spellcheck => "false", :size => 30, :class => "email_pwd txt" %>
+  </p>
+
+  <p>
+    <%= submit_tag "Sign in", :class => "button big blueish" %>
+  </p>
+<% end %>

data/app/views/stub_saml_idp/idp/saml_post.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+</head>
+<body onload="document.forms[0].submit();" style="visibility:hidden;">
+<%= form_tag(@saml_acs_url) do %>
+  <%= hidden_field_tag("SAMLResponse", @saml_response) %>
+  <%= submit_tag "Submit" %>
+<% end %>
+</body>
+</html>

data/lib/stub_saml_idp/configurator.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  class Configurator
+    attr_accessor :x509_certificate, :secret_key, :algorithm, :expires_in
+
+    def initialize(config_file = nil)
+      self.x509_certificate = Default::X509_CERTIFICATE
+      self.secret_key = Default::SECRET_KEY
+      self.algorithm = :sha1
+      self.expires_in = nil
+      instance_eval(File.read(config_file), config_file) if config_file
+    end
+  end
+end

data/lib/stub_saml_idp/controller.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+require 'time'
+require 'securerandom'
+
+module StubSamlIdp
+  module Controller
+    attr_accessor :saml_acs_url
+    attr_writer :expires_in, :secret_key, :x509_certificate
+
+    def x509_certificate
+      @x509_certificate ||= StubSamlIdp.config.x509_certificate
+    end
+
+    def secret_key
+      @secret_key ||= StubSamlIdp.config.secret_key
+    end
+
+    def algorithm
+      @algorithm ||= algorithm_from_symbol(StubSamlIdp.config.algorithm)
+    end
+
+    def algorithm=(alg)
+      @algorithm = if alg.is_a?(Symbol)
+                     algorithm_from_symbol(alg)
+                   else
+                     alg
+                   end
+    end
+
+    def algorithm_from_symbol(alg_sym = nil)
+      case alg_sym
+      when :sha256 then OpenSSL::Digest::SHA256
+      when :sha384 then OpenSSL::Digest::SHA384
+      when :sha512 then OpenSSL::Digest::SHA512
+      else
+        OpenSSL::Digest::SHA1
+      end
+    end
+
+    def algorithm_name
+      algorithm.to_s.split('::').last.downcase
+    end
+
+    def expires_in
+      return @expires_in if defined?(@expires_in)
+
+      @expires_in ||= StubSamlIdp.config.expires_in
+    end
+
+    protected
+
+    def validate_saml_request(saml_request = params[:SAMLRequest])
+      decode_SAMLRequest(saml_request)
+    rescue StandardError
+      false
+    end
+
+    def decode_SAMLRequest(saml_request)
+      zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      @saml_request = zstream.inflate(Base64.decode64(saml_request))
+      zstream.finish
+      zstream.close
+      @saml_request_id = @saml_request[/ID=['"](.+?)['"]/, 1]
+      @saml_acs_url = @saml_request[/AssertionConsumerServiceURL=['"](.+?)['"]/, 1]
+    end
+
+    def encode_SAMLResponse(name_id, opts = {})
+      now = Time.now.utc
+      response_id = SecureRandom.uuid
+      reference_id = SecureRandom.uuid
+      audience_uri = opts[:audience_uri] || saml_acs_url[%r{^(.*?//.*?/)}, 1]
+      issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || 'http://example.com'
+      attributes_statement = attributes(opts[:attributes_provider], name_id)
+
+      session_expiration = ''
+      session_expiration = %( SessionNotOnOrAfter="#{(now + expires_in).iso8601}") if expires_in
+
+      assertion = %(<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><saml:Issuer Format="urn:oasis:names:SAML:2.0:nameid-format:entity">#{issuer_uri}</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{name_id}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData#{@saml_request_id ? %( InResponseTo="#{@saml_request_id}") : ''} NotOnOrAfter="#{(now + (3 * 60)).iso8601}" Recipient="#{@saml_acs_url}"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="#{(now - 5).iso8601}" NotOnOrAfter="#{(now + (60 * 60)).iso8601}"><saml:AudienceRestriction><saml:Audience>#{audience_uri}</saml:Audience></saml:AudienceRestriction></saml:Conditions>#{attributes_statement}<saml:AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"#{session_expiration}><saml:AuthnContext><saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>)
+
+      digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
+
+      signed_info = %(<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>)
+
+      signature_value = sign(signed_info).gsub(/\n/, '')
+
+      signature = %(<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">#{signed_info}<ds:SignatureValue>#{signature_value}</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>#{x509_certificate}</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>)
+
+      assertion_and_signature = assertion.sub(/Issuer><saml:Subject/, "Issuer>#{signature}<saml:Subject")
+
+      xml = %(<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"#{@saml_request_id ? %( InResponseTo="#{@saml_request_id}") : ''} xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>)
+
+      Base64.encode64(xml)
+    end
+
+    private
+
+    def sign(data)
+      key = OpenSSL::PKey::RSA.new(secret_key)
+      Base64.encode64(key.sign(algorithm.new, data))
+    end
+
+    def attributes(provider, name_id)
+      provider || %(<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{name_id}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>)
+    end
+  end
+end

data/lib/stub_saml_idp/default.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  module Default
+    NAME_ID_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+
+    X509_CERTIFICATE = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURxekNDQXhTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBRENCaGpFTE1Ba0dBMVVFQmhNQ1FWVXgKRERBS0JnTlZCQWdUQTA1VFZ6RVBNQTBHQTFVRUJ4TUdVM2xrYm1WNU1Rd3dDZ1lEVlFRS0RBTlFTVlF4Q1RBSApCZ05WQkFzTUFERVlNQllHQTFVRUF3d1BiR0YzY21WdVkyVndhWFF1WTI5dE1TVXdJd1lKS29aSWh2Y05BUWtCCkRCWnNZWGR5Wlc1alpTNXdhWFJBWjIxaGFXd3VZMjl0TUI0WERURXlNRFF5T0RBeU1qSXlPRm9YRFRNeU1EUXkKTXpBeU1qSXlPRm93Z1lZeEN6QUpCZ05WQkFZVEFrRlZNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVApCbE41Wkc1bGVURU1NQW9HQTFVRUNnd0RVRWxVTVFrd0J3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psCmJtTmxjR2wwTG1OdmJURWxNQ01HQ1NxR1NJYjNEUUVKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnYKYlRDQm56QU5CZ2txaGtpRzl3MEJBUUVGQUFPQmpRQXdnWWtDZ1lFQXVCeXdQTmxDMUZvcEdMWWZGOTZTb3RpSwo4Tmo2L25XMDg0TzRvbVJNaWZ6eTd4OTU1UkxFeTY3M3EyYWlKTkIzTHZFNlh2a3Q5Y0d0eHROb09YdzFnMlV2CkhLcGxkUWJyNmJPRWpMTmVETlc3ajBvYitKclJ2QVVPSzlDUmdkeXc1TUM2bHdxVlFRNUMxRG5hVC8yZlNCRmoKYXNCRlRSMjRkRXBmVHk4SGZLRUNBd0VBQWFPQ0FTVXdnZ0VoTUFrR0ExVWRFd1FDTUFBd0N3WURWUjBQQkFRRApBZ1VnTUIwR0ExVWREZ1FXQkJRTkJHbW10M3l0S3BjSmFCYVlOYm55VTJ4a2F6QVRCZ05WSFNVRUREQUtCZ2dyCkJnRUZCUWNEQVRBZEJnbGdoa2dCaHZoQ0FRMEVFQllPVkdWemRDQllOVEE1SUdObGNuUXdnYk1HQTFVZEl3U0IKcXpDQnFJQVVEUVJwcHJkOHJTcVhDV2dXbURXNThsTnNaR3VoZ1l5a2dZa3dnWVl4Q3pBSkJnTlZCQVlUQWtGVgpNUXd3Q2dZRFZRUUlFd05PVTFjeER6QU5CZ05WQkFjVEJsTjVaRzVsZVRFTU1Bb0dBMVVFQ2d3RFVFbFVNUWt3CkJ3WURWUVFMREFBeEdEQVdCZ05WQkFNTUQyeGhkM0psYm1ObGNHbDBMbU52YlRFbE1DTUdDU3FHU0liM0RRRUoKQVF3V2JHRjNjbVZ1WTJVdWNHbDBRR2R0WVdsc0xtTnZiWUlCQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9CZ1FBRQpjVlVQQlg3dVptenFaSmZ5K3RVUE9UNUltTlFqOFZFMmxlcmhuRmpuR1BIbUhJcWhwemdud0hRdWpKZnMvYTMwCjlXbTVxd2NDYUMxZU81Y1dqY0cweDNPamRsbHNnWURhdGw1R0F1bXRCeDhKM05oV1JxTlVnaXRDSWtRbHhISXcKVWZnUWFDdXNoWWdEREw1WWJJUWErK2VnQ2dwSVorVDBEajVvUmV3Ly9BPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo='
+
+    FINGERPRINT = '9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D'
+
+    SECRET_KEY = <<~PEM
+      -----BEGIN RSA PRIVATE KEY-----
+      MIICXAIBAAKBgQC4HLA82ULUWikYth8X3pKi2Irw2Pr+dbTzg7iiZEyJ/PLvH3nl
+      EsTLrverZqIk0Hcu8Tpe+S31wa3G02g5fDWDZS8cqmV1Buvps4SMs14M1buPShv4
+      mtG8BQ4r0JGB3LDkwLqXCpVBDkLUOdpP/Z9IEWNqwEVNHbh0Sl9PLwd8oQIDAQAB
+      AoGAQmUGIUtwUEgbXe//kooPc26H3IdDLJSiJtcvtFBbUb/Ik/dT7AoysgltA4DF
+      pGURNfqERE+0BVZNJtCCW4ixew4uEhk1XowYXHCzjkzyYoFuT9v5SP4cu4q3t1kK
+      51JF237F0eCY3qC3k96CzPGG67bwOu9EeXAu4ka/plLdsAECQQDkg0uhR/vsJffx
+      tiWxcDRNFoZpCpzpdWfQBnHBzj9ZC0xrdVilxBgBpupCljO2Scy4MeiY4S1Mleel
+      CWRqh7RBAkEAzkIjUnllEkr5sjVb7pNy+e/eakuDxvZck0Z8X3USUki/Nm3E/GPP
+      c+CwmXR4QlpMpJr3/Prf1j59l/LAK9AwYQJBAL9eRSQYCJ3HXlGKXR6v/NziFEY7
+      oRTSQdIw02ueseZ8U89aQpbwFbqsclq5Ny1duJg5E7WUPj94+rl3mCSu6QECQBVh
+      0duY7htpXl1VHsSq0H6MmVgXn/+eRpaV9grHTjDtjbUMyCEKD9WJc4VVB6qJRezC
+      i/bT4ySIsehwp+9i08ECQEH03lCpHpbwiWH4sD25l/z3g2jCbIZ+RTV6yHIz7Coh
+      gAbBqA04wh64JhhfG69oTBwqwj3imlWF8+jDzV9RNNw=
+      -----END RSA PRIVATE KEY-----
+    PEM
+  end
+end

data/lib/stub_saml_idp/engine.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  class Engine < Rails::Engine
+  end
+end

data/lib/stub_saml_idp/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  VERSION = '0.1.0'
+end

data/lib/stub_saml_idp.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module StubSamlIdp
+  require 'stub_saml_idp/configurator'
+  require 'stub_saml_idp/controller'
+  require 'stub_saml_idp/default'
+  require 'stub_saml_idp/version'
+  require 'stub_saml_idp/engine' if defined?(::Rails) && Rails::VERSION::MAJOR > 2
+
+  def self.config=(config)
+    @config = config
+  end
+
+  def self.config
+    @config ||= StubSamlIdp::Configurator.new
+  end
+end

data/spec/acceptance/acceptance_helper.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative '../spec_helper'
+require_relative '../support/rails_app'
+require 'rails'
+
+require 'selenium-webdriver'
+
+Capybara.register_driver :chrome do |app|
+  options = Selenium::WebDriver::Chrome::Options.new
+  options.add_argument('--headless')
+  options.add_argument('--allow-insecure-localhost')
+  options.add_argument('--ignore-certificate-errors')
+
+  Capybara::Selenium::Driver.new(
+    app,
+    browser: :chrome,
+    capabilities: [options]
+  )
+end
+Capybara.default_driver = :chrome
+Capybara.server = :webrick

data/spec/acceptance/idp_controller_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative 'acceptance_helper'
+
+describe 'IdpController', type: :feature do
+  let(:idp_port) { 8009 }
+  let(:sp_port) { 8022 }
+
+  let(:idp_pid) do
+    create_app('idp')
+    start_app('idp', idp_port)
+  end
+
+  let(:sp_pid) do
+    create_app('sp')
+    start_app('sp', sp_port)
+  end
+
+  before do
+    idp_pid
+    sp_pid
+  end
+
+  after do
+    stop_app('sp', sp_pid)
+    stop_app('idp', idp_pid)
+  end
+
+  it 'Login via default signup page' do
+    saml_request = make_saml_request("http://localhost:#{sp_port}/saml/consume")
+    visit "http://localhost:#{idp_port}/saml/auth?SAMLRequest=#{CGI.escape(saml_request)}"
+    fill_in 'Email', with: 'brad.copa@example.com'
+    fill_in 'Password', with: 'okidoki'
+    click_button 'Sign in'
+    expect(current_url).to eq("http://localhost:#{sp_port}/saml/consume")
+    expect(page).to have_content('brad.copa@example.com')
+  end
+end

data/spec/rails_helper.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative './spec_helper'

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+warn("Running Specs under Ruby Version #{RUBY_VERSION}")
+
+require 'rspec'
+require 'capybara/rspec'
+
+require 'ruby-saml'
+require 'stub_saml_idp'
+require 'support/saml_request_macros'
+
+Capybara.default_host = 'https://app.example.com'
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+  config.include SamlRequestMacros
+end

data/spec/stub_saml_idp/controller_spec.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'timecop'
+
+describe StubSamlIdp::Controller do
+  include StubSamlIdp::Controller
+
+  def params
+    @params ||= {}
+  end
+
+  it 'finds the SAML ACS URL' do
+    requested_saml_acs_url = 'https://example.com/saml/consume'
+    params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
+    validate_saml_request
+    expect(saml_acs_url).to eq(requested_saml_acs_url)
+  end
+
+  context 'SAML Responses' do
+    before do
+      params[:SAMLRequest] = make_saml_request
+      validate_saml_request
+    end
+
+    it 'creates a SAML Response' do
+      saml_response = encode_SAMLResponse('foo@example.com')
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.name_id).to eq('foo@example.com')
+      expect(response.issuers).to eq(['http://example.com'])
+      response.settings = saml_settings
+      expect(response.is_valid?).to be_truthy
+    end
+
+    it 'handles custom attribute objects' do
+      provider = double(to_s: %(<saml:AttributeStatement><saml:Attribute Name="organization"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Organization name</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>))
+
+      default_attributes = %(<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>foo@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>)
+
+      saml_response = encode_SAMLResponse('foo@example.com', { attributes_provider: provider })
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.response).to include provider.to_s
+      expect(response.response).not_to include default_attributes
+    end
+
+    %i[sha1 sha256 sha384 sha512].each do |algorithm_name|
+      it "creates a SAML Response using the #{algorithm_name} algorithm" do
+        self.algorithm = algorithm_name
+        saml_response = encode_SAMLResponse('foo@example.com')
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        expect(response.name_id).to eq('foo@example.com')
+        expect(response.issuers).to eq(['http://example.com'])
+        response.settings = saml_settings
+        expect(response.is_valid?).to be true
+      end
+    end
+
+    it 'does not set SessionNotOnOrAfter when expires_in is nil' do
+      Timecop.freeze
+      self.expires_in = nil
+      saml_response = encode_SAMLResponse('foo@example.com')
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.session_expires_at).to be_nil
+    end
+
+    it 'sets SessionNotOnOrAfter when expires_in is specified' do
+      self.expires_in = 86_400 # 1 day
+      now = Time.now.utc
+      saml_response = Timecop.freeze(now) { encode_SAMLResponse('foo@example.com') }
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.session_expires_at).to eq(Time.at(now.to_i + 86_400))
+    end
+  end
+end

data/spec/support/idp_template.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# Set up a SAML IdP
+
+gem 'stub_saml_idp', path: File.expand_path('../..', __dir__)
+
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('3.1')
+  gem 'net-smtp', require: false
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
+end
+
+route "get '/saml/auth' => 'saml_idp#new'"
+route "post '/saml/auth' => 'saml_idp#create'"
+
+file 'app/controllers/saml_idp_controller.rb', <<-CODE
+  # frozen_string_literal: true
+
+  class SamlIdpController < StubSamlIdp::IdpController
+    def idp_authenticate(email, _password)
+      { email: email }
+    end
+
+    def idp_make_saml_response(user)
+      encode_SAMLResponse(user[:email])
+    end
+  end
+CODE

data/spec/support/rails_app.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require 'English'
+require 'open3'
+require 'socket'
+require 'tempfile'
+require 'timeout'
+
+APP_READY_TIMEOUT = 30
+
+def sh!(cmd)
+  raise "[#{cmd}] failed with exit code #{$CHILD_STATUS.exitstatus}" unless system(cmd)
+end
+
+def app_ready?(pid, port)
+  Process.getpgid(pid) && port_open?(port)
+rescue Errno::ESRCH
+  false
+end
+
+def create_app(name = 'idp', env = {})
+  puts "[#{name}] Creating Rails app"
+  rails_new_options = %w[-A -C -G -J -M -S -T --skip-keeps --skip-spring --skip-listen --skip-bootsnap --skip-action-mailbox --skip-action-text --skip-active-job --skip-active-storage --skip-hotwire --skip-jbuilder]
+  env.merge!('RUBY_SAML_VERSION' => OneLogin::RubySaml::VERSION)
+  Dir.chdir(working_directory) do
+    FileUtils.rm_rf(name)
+    puts("[#{working_directory}] rails _#{Rails.version}_ new #{name} #{rails_new_options.join(' ')} -m #{File.expand_path(
+      "../#{name}_template.rb", __FILE__
+    )}")
+    system(env, 'rails', "_#{Rails.version}_", 'new', name, *rails_new_options, '-m',
+           File.expand_path("../#{name}_template.rb", __FILE__))
+  end
+end
+
+def start_app(name, port, _options = {})
+  puts "[#{name}] Starting Rails app"
+  pid = nil
+  app_bundle_install(name)
+
+  with_clean_env do
+    Dir.chdir(app_dir(name)) do
+      pid = Process.spawn(app_env(name), "bundle exec rails server -p #{port} -e production", chdir: app_dir(name),
+                                                                                              out: "log/#{name}.log", err: "log/#{name}.err.log")
+      begin
+        Timeout.timeout(APP_READY_TIMEOUT) do
+          sleep 1 until app_ready?(pid, port)
+        end
+        raise "#{name} failed after starting" unless app_ready?(pid, port)
+
+        puts "[#{name}] Launched #{name} on port #{port} (pid #{pid})..."
+      rescue Timeout::Error
+        raise "#{name} failed to start"
+      end
+    end
+  end
+  pid
+rescue RuntimeError => e
+  warn "=== #{name}"
+  Dir.chdir(app_dir(name)) do
+    warn File.read("log/#{name}.log") if File.exist?("log/#{name}.log")
+    warn File.read("log/#{name}.err.log") if File.exist?("log/#{name}.err.log")
+  end
+  raise e
+end
+
+def stop_app(name, pid)
+  if pid
+    Process.kill(:INT, pid)
+    Process.wait(pid)
+  end
+  Dir.chdir(app_dir(name)) do
+    if File.exist?("log/#{name}.log")
+      puts "=== [#{name}] stdout"
+      puts File.read("log/#{name}.log")
+    end
+    if File.exist?("log/#{name}.err.log")
+      warn "=== [#{name}] stderr"
+      warn File.read("log/#{name}.err.log")
+    end
+    if File.exist?('log/production.log')
+      puts "=== [#{name}] Rails logs"
+      puts File.read('log/production.log')
+    end
+  end
+end
+
+def port_open?(port)
+  Timeout.timeout(1) do
+    begin
+      s = TCPSocket.new('localhost', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::EADDRNOTAVAIL
+      # try 127.0.0.1
+    end
+    begin
+      s = TCPSocket.new('127.0.0.1', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+      return false
+    end
+  end
+rescue Timeout::Error
+  false
+end
+
+def app_bundle_install(name)
+  with_clean_env do
+    Open3.popen3(app_env(name), 'bundle install', chdir: app_dir(name)) do |stdin, stdout, stderr, thread|
+      stdin.close
+      exit_status = thread.value
+
+      puts stdout.read
+      warn stderr.read
+      raise 'bundle install failed' unless exit_status.success?
+    end
+  end
+end
+
+def app_dir(name)
+  File.join(working_directory, name)
+end
+
+def app_env(name)
+  { 'BUNDLE_GEMFILE' => File.join(app_dir(name), 'Gemfile'), 'RAILS_ENV' => 'production' }
+end
+
+def working_directory
+  $working_directory ||= Dir.mktmpdir('idp_test')
+end
+
+def with_clean_env(&blk)
+  if Bundler.respond_to?(:with_original_env)
+    Bundler.with_original_env(&blk)
+  else
+    Bundler.with_clean_env(&blk)
+  end
+end

data/spec/support/saml_request_macros.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module SamlRequestMacros
+  def make_saml_request(requested_saml_acs_url = 'https://foo.example.com/saml/consume')
+    auth_request = ::OneLogin::RubySaml::Authrequest.new
+    auth_url = auth_request.create(saml_settings(saml_acs_url: requested_saml_acs_url))
+    CGI.unescape(auth_url.split('=').last)
+  end
+
+  def saml_settings(options = {})
+    settings = ::OneLogin::RubySaml::Settings.new
+    settings.assertion_consumer_service_url = options[:saml_acs_url] || 'https://foo.example.com/saml/consume'
+    settings.issuer = options[:issuer] || 'https://foo.example.com/'
+    settings.idp_sso_target_url = options[:idp_sso_target_url] || 'http://idp.com/saml/idp'
+    settings.idp_cert_fingerprint = StubSamlIdp::Default::FINGERPRINT
+    settings.name_identifier_format = StubSamlIdp::Default::NAME_ID_FORMAT
+    settings
+  end
+end

data/spec/support/sp_template.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# Set up a SAML SP
+
+gem 'ruby-saml'
+gem 'stub_saml_idp', path: File.expand_path('../..', __dir__)
+
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('3.1')
+  gem 'net-smtp', require: false
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
+end
+
+route "post '/saml/consume' => 'saml#consume'"
+
+file 'app/controllers/saml_controller.rb', <<-CODE
+  # frozen_string_literal: true
+
+  class SamlController < ApplicationController
+    skip_before_action :verify_authenticity_token
+
+    def consume
+      response = ::OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+      render plain: response.name_id
+    end
+  end
+CODE

data/stub_saml_idp.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.push File.expand_path('lib', __dir__)
+require 'stub_saml_idp/version'
+
+Gem::Specification.new do |s|
+  s.name = 'stub_saml_idp'
+  s.version = StubSamlIdp::VERSION
+  s.platform = Gem::Platform::RUBY
+  s.authors = ['Peter M. Goldstein']
+  s.email = 'peter.m.goldstein@gmail.com'
+  s.homepage = 'http://github.com/petergoldstein/stub_saml_idp'
+  s.summary = 'Stub SAML Identity Provider'
+  s.description = 'Stub SAML IdP (Identity Provider) library'
+  s.license = 'MIT'
+
+  s.required_ruby_version = '>= 2.5'
+  s.metadata['rubygems_mfa_required'] = 'true'
+
+  s.files = Dir.glob('app/**/*') + Dir.glob('lib/**/*') + [
+    'MIT-LICENSE',
+    'README.md',
+    'Gemfile',
+    'stub_saml_idp.gemspec'
+  ]
+  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
+  s.rdoc_options = ['--charset=UTF-8']
+  s.add_development_dependency('nokogiri')
+  s.add_development_dependency('rails', '>= 5.2')
+  s.add_development_dependency('rake')
+  s.add_development_dependency('rspec', '~> 3.0')
+  s.add_development_dependency('ruby-saml')
+  s.add_development_dependency('timecop', '~> 0.9.0')
+end

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: stub_saml_idp
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Peter M. Goldstein
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-01-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+description: Stub SAML IdP (Identity Provider) library
+email: peter.m.goldstein@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- MIT-LICENSE
+- README.md
+- app/controllers/stub_saml_idp/idp_controller.rb
+- app/views/stub_saml_idp/idp/new.html.erb
+- app/views/stub_saml_idp/idp/saml_post.html.erb
+- lib/stub_saml_idp.rb
+- lib/stub_saml_idp/configurator.rb
+- lib/stub_saml_idp/controller.rb
+- lib/stub_saml_idp/default.rb
+- lib/stub_saml_idp/engine.rb
+- lib/stub_saml_idp/version.rb
+- spec/acceptance/acceptance_helper.rb
+- spec/acceptance/idp_controller_spec.rb
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/stub_saml_idp/controller_spec.rb
+- spec/support/idp_template.rb
+- spec/support/rails_app.rb
+- spec/support/saml_request_macros.rb
+- spec/support/sp_template.rb
+- stub_saml_idp.gemspec
+homepage: http://github.com/petergoldstein/stub_saml_idp
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.4
+signing_key:
+specification_version: 4
+summary: Stub SAML Identity Provider
+test_files:
+- spec/acceptance/acceptance_helper.rb
+- spec/acceptance/idp_controller_spec.rb
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/stub_saml_idp/controller_spec.rb
+- spec/support/idp_template.rb
+- spec/support/rails_app.rb
+- spec/support/saml_request_macros.rb
+- spec/support/sp_template.rb