Class: RbVmomi::SSO
- Inherits:
-
Object
- Object
- RbVmomi::SSO
- Defined in:
- lib/rbvmomi/sso.rb
Overview
Provides access to vCenter Single Sign-On
Constant Summary collapse
- BST_PROFILE =
'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'.freeze
- C14N_CLASS =
Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
- C14N_METHOD =
'http://www.w3.org/2001/10/xml-exc-c14n#'.freeze
- DIGEST_METHOD =
'http://www.w3.org/2001/04/xmlenc#sha512'.freeze
- ENCODING_METHOD =
'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'.freeze
- SIGNATURE_METHOD =
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'.freeze
- STS_PATH =
'/sts/STSService'.freeze
- TOKEN_TYPE =
'urn:oasis:names:tc:SAML:2.0:assertion'.freeze
- TOKEN_PROFILE =
'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0'.freeze
- NAMESPACES =
{ ds: 'http://www.w3.org/2000/09/xmldsig#', soap: 'http://schemas.xmlsoap.org/soap/envelope/', wsse: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd', wsse11: 'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd', wst: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512', wsu: 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' }.freeze
Instance Attribute Summary collapse
-
#assertion ⇒ Object
readonly
Returns the value of attribute assertion.
-
#assertion_id ⇒ Object
readonly
Returns the value of attribute assertion_id.
-
#certificate ⇒ Object
readonly
Returns the value of attribute certificate.
-
#host ⇒ Object
readonly
Returns the value of attribute host.
-
#password ⇒ Object
readonly
Returns the value of attribute password.
-
#path ⇒ Object
readonly
Returns the value of attribute path.
-
#port ⇒ Object
readonly
Returns the value of attribute port.
-
#private_key ⇒ Object
readonly
Returns the value of attribute private_key.
-
#user ⇒ Object
readonly
Returns the value of attribute user.
Instance Method Summary collapse
-
#initialize(opts = {}) ⇒ SSO
constructor
Creates an instance of an SSO object.
- #request_token ⇒ Object
- #sign_request(request) ⇒ Object
-
#sso_call(body) ⇒ Object
We default to Issue, since that’s all we currently need.
Constructor Details
#initialize(opts = {}) ⇒ SSO
Creates an instance of an SSO object
51 52 53 54 55 56 57 58 59 60 |
# File 'lib/rbvmomi/sso.rb', line 51 def initialize(opts = {}) @host = opts[:host] @insecure = opts.fetch(:insecure, false) @password = opts[:password] @path = opts.fetch(:path, STS_PATH) @port = opts.fetch(:port, 443) @user = opts[:user] load_x509(opts[:private_key], opts[:certificate]) end |
Instance Attribute Details
#assertion ⇒ Object (readonly)
Returns the value of attribute assertion.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def assertion @assertion end |
#assertion_id ⇒ Object (readonly)
Returns the value of attribute assertion_id.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def assertion_id @assertion_id end |
#certificate ⇒ Object (readonly)
Returns the value of attribute certificate.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def certificate @certificate end |
#host ⇒ Object (readonly)
Returns the value of attribute host.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def host @host end |
#password ⇒ Object (readonly)
Returns the value of attribute password.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def password @password end |
#path ⇒ Object (readonly)
Returns the value of attribute path.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def path @path end |
#port ⇒ Object (readonly)
Returns the value of attribute port.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def port @port end |
#private_key ⇒ Object (readonly)
Returns the value of attribute private_key.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def private_key @private_key end |
#user ⇒ Object (readonly)
Returns the value of attribute user.
30 31 32 |
# File 'lib/rbvmomi/sso.rb', line 30 def user @user end |
Instance Method Details
#request_token ⇒ Object
62 63 64 65 66 67 68 69 70 71 72 |
# File 'lib/rbvmomi/sso.rb', line 62 def request_token req = sso_call(hok_token_request) unless req.is_a?(Net::HTTPSuccess) resp = Nokogiri::XML(req.body) resp.remove_namespaces! raise(resp.at_xpath('//Envelope/Body/Fault/faultstring/text()')) end extract_assertion(req.body) end |
#sign_request(request) ⇒ Object
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/rbvmomi/sso.rb', line 74 def sign_request(request) raise('Need SAML2 assertion') unless @assertion raise('No SAML2 assertion ID') unless @assertion_id request_id = generate_id = generate_id request = request.is_a?(String) ? Nokogiri::XML(request) : request builder = Nokogiri::XML::Builder.new do |xml| xml[:soap].Header(Hash[NAMESPACES.map { |ns, uri| ["xmlns:#{ns}", uri] }]) do xml[:wsse].Security do (xml, ) ds_signature(xml, request_id, ) do |x| x[:wsse].SecurityTokenReference('wsse11:TokenType' => TOKEN_PROFILE) do x[:wsse].KeyIdentifier( @assertion_id, 'ValueType' => 'http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID' ) end end end end end # To avoid Nokogiri mangling the token, we replace it as a string # later on. Figure out a way around this. builder.doc.at_xpath('//soap:Header/wsse:Security/wsu:Timestamp').add_previous_sibling(Nokogiri::XML::Text.new('SAML_ASSERTION_PLACEHOLDER', builder.doc)) request.at_xpath('//soap:Envelope', NAMESPACES).tap do |e| NAMESPACES.each do |ns, uri| e.add_namespace(ns.to_s, uri) end end request.xpath('//soap:Envelope/soap:Body').each do |body| body.add_previous_sibling(builder.doc.root) body.add_namespace('wsu', NAMESPACES[:wsu]) body['wsu:Id'] = request_id end signed = sign(request) signed.gsub!('SAML_ASSERTION_PLACEHOLDER', @assertion.to_xml(indent: 0, save_with: Nokogiri::XML::Node::SaveOptions::AS_XML).strip) signed end |
#sso_call(body) ⇒ Object
We default to Issue, since that’s all we currently need.
120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
# File 'lib/rbvmomi/sso.rb', line 120 def sso_call(body) sso_url = URI::HTTPS.build(host: @host, port: @port, path: @path) http = Net::HTTP.new(sso_url.host, sso_url.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @insecure req = Net::HTTP::Post.new(sso_url.request_uri) req.add_field('Accept', 'text/xml, multipart/related') req.add_field('User-Agent', "VMware/RbVmomi #{RbVmomi::VERSION}") req.add_field('SOAPAction', 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue') req.content_type = 'text/xml; charset="UTF-8"' req.body = body http.request(req) end |