Class: Saml::Util
- Inherits:
-
Object
- Object
- Saml::Util
- Defined in:
- lib/saml/util.rb
Class Method Summary collapse
- .collect_extra_namespaces(raw_xml) ⇒ Object
- .decrypt_assertion(encrypted_assertion, private_key) ⇒ Object
- .decrypt_encrypted_id(encrypted_id, private_key, fail_silent = false) ⇒ Object
- .download_metadata_xml(location) ⇒ Object
- .encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false) ⇒ Object
- .encrypt_element(element, target_element, encrypted_key_data, encrypted_data_options) ⇒ Object
- .encrypt_encrypted_id(encrypted_id, key_descriptor, key_options = {}) ⇒ Object
- .encrypt_name_id(name_id, key_descriptor, key_options = {}) ⇒ Object
- .parse_params(url) ⇒ Object
- .post(location, message, additional_headers = {}, proxy = {}) ⇒ Object
- .sign_xml(message, format = :xml, include_nested_prefixlist = false, &block) ⇒ Object
- .verify_xml(message, raw_body) ⇒ Object
Class Method Details
.collect_extra_namespaces(raw_xml) ⇒ Object
168 169 170 171 |
# File 'lib/saml/util.rb', line 168 def collect_extra_namespaces(raw_xml) doc = Nokogiri::XML(raw_xml, nil, nil, Nokogiri::XML::ParseOptions::STRICT) doc.collect_namespaces.each_with_object({}) { |(prefix, path), hash| hash[prefix.gsub('xmlns:', '')] = path } end |
.decrypt_assertion(encrypted_assertion, private_key) ⇒ Object
98 99 100 101 102 103 104 |
# File 'lib/saml/util.rb', line 98 def decrypt_assertion(encrypted_assertion, private_key) encrypted_assertion_xml = encrypted_assertion.is_a?(Saml::Elements::EncryptedAssertion) ? encrypted_assertion.to_xml : encrypted_assertion.to_s encrypted_document = Xmlenc::EncryptedDocument.new(encrypted_assertion_xml) Saml::Assertion.parse(encrypted_document.decrypt(private_key), single: true) end |
.decrypt_encrypted_id(encrypted_id, private_key, fail_silent = false) ⇒ Object
142 143 144 145 146 147 |
# File 'lib/saml/util.rb', line 142 def decrypt_encrypted_id(encrypted_id, private_key, fail_silent = false) encrypted_id_xml = encrypted_id.is_a?(Saml::Elements::EncryptedID) ? encrypted_id.to_xml : encrypted_id.to_s encrypted_document = Xmlenc::EncryptedDocument.new(encrypted_id_xml) Saml::Elements::EncryptedID.parse(encrypted_document.decrypt(private_key, fail_silent)) end |
.download_metadata_xml(location) ⇒ Object
173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 |
# File 'lib/saml/util.rb', line 173 def (location) uri = URI.parse(location) http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = uri.scheme == 'https' http.verify_mode = OpenSSL::SSL::VERIFY_PEER add_cacert_file(http) request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) if response.code == '200' response.body else fail Saml::Errors::MetadataDownloadFailed, "Cannot download metadata for: #{location}: #{response.body}" end rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError => error raise Saml::Errors::MetadataDownloadFailed, "Cannot download metadata for: #{location}: #{error.}" end |
.encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false) ⇒ Object
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
# File 'lib/saml/util.rb', line 63 def encrypt_assertion(assertion, key_descriptor_or_certificate, include_certificate: false, include_key_retrieval_method: false) case key_descriptor_or_certificate when OpenSSL::X509::Certificate certificate = key_descriptor_or_certificate key_name = nil when Saml::Elements::KeyDescriptor certificate = key_descriptor_or_certificate.certificate key_name = key_descriptor_or_certificate.key_info.key_name else fail ArgumentError, "Expecting Certificate or KeyDescriptor got: #{key_descriptor_or_certificate.class}" end assertion = assertion.to_xml(nil, nil, false) if assertion.is_a?(Assertion) # create xml without instruct encrypted_data = Xmlenc::Builder::EncryptedData.new encrypted_data.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#aes128-cbc') encrypted_key = encrypted_data.encrypt(assertion.to_s) encrypted_key.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1') encrypted_key.key_info = if include_certificate || key_name key_info = Saml::Elements::KeyInfo.new(include_certificate ? certificate.to_pem : nil) key_info.key_name = key_name key_info end encrypted_key.encrypt(certificate.public_key) if include_key_retrieval_method encrypted_key.id = '_' + SecureRandom.uuid encrypted_data.set_key_retrieval_method (Xmlenc::Builder::RetrievalMethod.new(uri: "##{encrypted_key.id}")) end Saml::Elements::EncryptedAssertion.new(encrypted_data: encrypted_data, encrypted_keys: encrypted_key) end |
.encrypt_element(element, target_element, encrypted_key_data, encrypted_data_options) ⇒ Object
106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
# File 'lib/saml/util.rb', line 106 def encrypt_element(element, target_element, encrypted_key_data, ) key_name = .fetch(:key_name, Saml.generate_id) element.encrypted_data = Xmlenc::Builder::EncryptedData.new() element.encrypted_data.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc') element.encrypted_data.set_key_name key_name original_encrypted_key = element.encrypted_data.encrypt(Nokogiri::XML(target_element.to_xml).root.to_xml, ) encrypted_key_data.each do |key_descriptor, = {}| = .merge(id: Saml.generate_id, data: original_encrypted_key.data) encrypted_key = Xmlenc::Builder::EncryptedKey.new() encrypted_key.add_data_reference(element.encrypted_data.id) encrypted_key.set_key_name(key_descriptor.key_info.key_name) encrypted_key.carried_key_name = key_name encrypted_key.set_encryption_method(algorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p', digest_method_algorithm: 'http://www.w3.org/2000/09/xmldsig#sha1') encrypted_key.encrypt(key_descriptor.certificate.public_key) element.encrypted_keys ||= [] element.encrypted_keys << encrypted_key end element end |
.encrypt_encrypted_id(encrypted_id, key_descriptor, key_options = {}) ⇒ Object
137 138 139 140 |
# File 'lib/saml/util.rb', line 137 def encrypt_encrypted_id(encrypted_id, key_descriptor, = {}) encrypted_id.encrypt(key_descriptor, ) encrypted_id end |
.encrypt_name_id(name_id, key_descriptor, key_options = {}) ⇒ Object
132 133 134 135 |
# File 'lib/saml/util.rb', line 132 def encrypt_name_id(name_id, key_descriptor, = {}) encrypted_id = Saml::Elements::EncryptedID.new(name_id: name_id) encrypt_encrypted_id(encrypted_id, key_descriptor, ) end |
.parse_params(url) ⇒ Object
4 5 6 7 8 9 10 11 12 13 14 15 |
# File 'lib/saml/util.rb', line 4 def parse_params(url) query = URI.parse(url).query return {} unless query params = {} query.split(/[&;]/).each do |pairs| key, value = pairs.split('=', 2) params[key] = value end params end |
.post(location, message, additional_headers = {}, proxy = {}) ⇒ Object
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
# File 'lib/saml/util.rb', line 17 def post(location, , additional_headers = {}, proxy = {}) uri = URI.parse(location) default_proxy_settings = { addr: :ENV, port: nil, user: nil, pass: nil } proxy = default_proxy_settings.merge(proxy) http = Net::HTTP.new(uri.host, uri.port, proxy[:addr], proxy[:port], proxy[:user], proxy[:pass]) http.use_ssl = uri.scheme == 'https' http.verify_mode = OpenSSL::SSL::VERIFY_PEER add_cacert_file(http) add_ssl_certificate_and_key(http) request = Net::HTTP::Post.new(uri.request_uri, merged_headers(additional_headers)) request.body = http.request(request) end |
.sign_xml(message, format = :xml, include_nested_prefixlist = false, &block) ⇒ Object
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
# File 'lib/saml/util.rb', line 35 def sign_xml(, format = :xml, include_nested_prefixlist = false, &block) .add_signature document = Xmldsig::SignedDocument.new(.send("to_#{format}")) if Saml::Config.include_nested_prefixlist || include_nested_prefixlist document.signatures.reverse.each_with_object([]) do |signature, nested_prefixlist| inclusive_namespaces = signature.signature.at_xpath('descendant::ec:InclusiveNamespaces', Xmldsig::NAMESPACES) if inclusive_namespaces nested_prefixlist.concat(inclusive_namespaces.get_attribute('PrefixList').to_s.split(' ')) if signature.unsigned? inclusive_namespaces.set_attribute('PrefixList', nested_prefixlist.uniq.join(' ')) end end end end if block_given? document.sign(&block) else document.sign do |data, signature_algorithm| .provider.sign(signature_algorithm, data) end end end |
.verify_xml(message, raw_body) ⇒ Object
149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 |
# File 'lib/saml/util.rb', line 149 def verify_xml(, raw_body) document = Xmldsig::SignedDocument.new(raw_body) signature_valid = document.validate do |signature, data, signature_algorithm| node = document.signatures.find { |s| s.signature_value == signature }.signature.at_xpath('descendant::ds:KeyName', Xmldsig::NAMESPACES) key_name = node.present? ? node.content : nil .provider.verify(signature_algorithm, signature, data, key_name) end fail Saml::Errors::SignatureInvalid unless signature_valid signed_node = document.signed_nodes.find { |node| node['ID'] == ._id } fail Saml::Errors::SignatureMissing unless signed_node .class.parse(signed_node.canonicalize, single: true) end |