Class: OneLogin::RubySaml::IdpMetadataParser::IdpMetadata

Inherits:
Object
Defined in:
lib/onelogin/ruby-saml/idp_metadata_parser.rb



Constructor Details

#initialize(idpsso_descriptor, entity_id) ⇒ IdpMetadata

Returns a new instance of IdpMetadata.


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 203

# Wraps one md:IDPSSODescriptor node together with the entityID of the
# EntityDescriptor it belongs to. Every lookup on this object is evaluated
# against the descriptor given here.
#
# @param idpsso_descriptor the IDPSSODescriptor node (queried with
#   REXML::XPath by the other methods, so an REXML element is expected)
# @param entity_id the entityID value the caller parsed for this IdP
def initialize(idpsso_descriptor, entity_id)
  @idpsso_descriptor, @entity_id = idpsso_descriptor, entity_id
end

Instance Attribute Details

#entity_id ⇒ Object (readonly)

Returns the value of attribute entity_id


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 201

# The entityID this descriptor was registered under, exactly as handed to
# the constructor; it is emitted unchanged as :idp_entity_id by +to_hash+.
#
# @return [Object] the constructor's entity_id argument
def entity_id
  @entity_id
end

#idpsso_descriptor ⇒ Object (readonly)

Returns the value of attribute idpsso_descriptor


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 201

# The IDPSSODescriptor node this instance was constructed with; every
# lookup method runs its XPath query against it.
#
# @return [Object] the constructor's idpsso_descriptor argument, unchanged
def idpsso_descriptor
  @idpsso_descriptor
end

Instance Method Details

#attribute_names ⇒ Array

Returns the names of all SAML attributes if any exist.

Returns:

  • (Array)

    the names of all SAML attributes if any exist


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 357

# Names of the SAML attributes the IdP advertises, read from the Name
# attribute of each saml:Attribute child of the descriptor.
#
# @return [Array<String>] the names in document order; empty when the
#   descriptor declares no saml:Attribute
def attribute_names
  name_attrs = REXML::XPath.match(
    @idpsso_descriptor,
    "saml:Attribute/@Name",
    SamlMetadata::NAMESPACE
  )
  name_attrs.map { |name_attr| name_attr.value }
end

#certificates ⇒ String|nil

Returns the unformatted certificate if one exists.

Returns:

  • (String|nil)

    the unformatted certificate if one exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 308

# X509 certificates declared by the IdP, grouped by the use they may serve.
#
# The two XPath queries overlap on purpose: a KeyDescriptor without a @use
# attribute is collected under both 'signing' and 'encryption', while one
# that names a use appears only under that use.
#
# @return [Hash{String => Array<String>}, nil] the text of each
#   ds:X509Certificate element keyed by 'signing' and/or 'encryption' (a
#   key is only present when it has at least one entry), or nil when the
#   descriptor declares no certificate at all. Memoized in @certificates
#   after the first non-nil result.
def certificates
  @certificates ||= begin
    signing_nodes = REXML::XPath.match(
      @idpsso_descriptor,
      "md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
      SamlMetadata::NAMESPACE
    )

    encryption_nodes = REXML::XPath.match(
      @idpsso_descriptor,
      "md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
      SamlMetadata::NAMESPACE
    )

    return nil if signing_nodes.empty? && encryption_nodes.empty?

    grouped = { 'signing' => signing_nodes, 'encryption' => encryption_nodes }
    grouped.each_with_object({}) do |(use, nodes), certs|
      next if nodes.empty?

      certs[use] = nodes.map { |cert_node| Utils.element_text(cert_node) }
    end
  end
end

#certificates_has_one(key) ⇒ Object


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 391

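# Whether exactly one certificate is declared under +key+.
#
# @param key [String] 'signing' or 'encryption'
# @return [Boolean] true only when +certificates+ has that key with a single
#   entry; false when the key is absent and also when the descriptor
#   declares no certificate at all (instead of raising on a nil hash)
def certificates_has_one(key)
  certs = certificates
  return false if certs.nil? || !certs.key?(key)

  certs[key].size == 1
end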

#fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1) ⇒ String|nil

Returns the fingerprint of the X509Certificate if it exists.

Returns:

  • (String|nil)

    the fingerprint of the X509Certificate if it exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 344

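# Fingerprint of an X509 certificate taken from the metadata.
#
# Results are cached per (certificate, algorithm) pair: a single cached
# value would hand back the first certificate's fingerprint for any other
# certificate passed in later (e.g. when both a signing and an encryption
# certificate are fingerprinted on the same instance).
#
# @param certificate [String, nil] base64 body of the certificate as found
#   in the ds:X509Certificate element
# @param fingerprint_algorithm the digest selector understood by
#   XMLSecurity::BaseDocument#algorithm; defaults to SHA-1 for backward
#   compatibility, callers that can choose should pass a SHA-2 algorithm via
#   :idp_cert_fingerprint_algorithm
# @return [String, nil] upper-case hex digest of the DER encoding, colon
#   separated pairs, or nil when +certificate+ is nil
# @raise [OpenSSL::X509::CertificateError] when the decoded bytes are not a
#   parseable certificate
def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1)
  return unless certificate

  @fingerprints ||= {}
  @fingerprints[[certificate, fingerprint_algorithm]] ||= begin
    cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))

    digest = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
    digest.hexdigest(cert.to_der).upcase.scan(/../).join(":")
  end
end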

#idp_name_id_format ⇒ String|nil

Returns the IdP Name ID Format value if one exists.

Returns:

  • (String|nil)

    IdP Name ID Format value if exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 226

# The first md:NameIDFormat the IdP lists.
#
# @return [String, nil] the element's text via Utils.element_text, or nil
#   when the descriptor has no md:NameIDFormat child
def idp_name_id_format
  format_nodes = REXML::XPath.match(
    @idpsso_descriptor,
    "md:NameIDFormat",
    SamlMetadata::NAMESPACE
  )
  Utils.element_text(format_nodes.first)
end

#merge_certificates_into(parsed_metadata) ⇒ Object


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 366

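# Copies the IdP certificates into +parsed_metadata+, the settings hash
# built by +to_hash+ (the listing above had lost the +parsed_metadata+
# receiver on every assignment; it is restored here).
#
# When exactly one usable certificate exists - either only one is declared
# at all, or the same certificate is declared once for signing and once for
# encryption - it is exposed as :idp_cert together with its
# :idp_cert_fingerprint, computed with whatever the hash already carries
# under :idp_cert_fingerprint_algorithm. Any other combination is passed
# through as :idp_cert_multi with symbolized keys so the caller can pick
# per-use certificates itself.
#
# @param parsed_metadata [Hash] mutated in place
# @return [Object] the last assigned value, or nil when there are no
#   certificates; callers rely on the mutated hash, not the return value
def merge_certificates_into(parsed_metadata)
  certs = certificates
  return if certs.nil?

  single_cert = (certs.size == 1 &&
                 (certificates_has_one('signing') || certificates_has_one('encryption'))) ||
                (certificates_has_one('signing') && certificates_has_one('encryption') &&
                 certs["signing"][0] == certs["encryption"][0])

  if single_cert
    # Prefer the signing entry; the encryption entry is the only other candidate.
    use = certs.key?("signing") ? "signing" : "encryption"
    parsed_metadata[:idp_cert] = certs[use][0]
    parsed_metadata[:idp_cert_fingerprint] = fingerprint(
      parsed_metadata[:idp_cert],
      parsed_metadata[:idp_cert_fingerprint_algorithm]
    )
  else
    # symbolize keys of certificates and pass it on
    parsed_metadata[:idp_cert_multi] = Hash[certs.map { |use, list| [use.to_sym, list] }]
  end
end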

#single_logout_service_binding(binding_priority = nil) ⇒ String|nil

Returns SingleLogoutService binding if exists.

Parameters:

  • binding_priority (Array) (defaults to: nil)

Returns:

  • (String|nil)

    SingleLogoutService binding if exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 277

# Binding of the SingleLogoutService to use.
#
# @param binding_priority [Array<String>, nil] acceptable binding URIs in
#   order of preference; when given, the first one the IdP declares wins
# @return [String, nil] with a priority list, the first preferred binding
#   the IdP supports (nil when none matches); without one, the Binding of
#   the first md:SingleLogoutService in document order (nil when there is
#   none)
def single_logout_service_binding(binding_priority = nil)
  binding_attrs = REXML::XPath.match(
    @idpsso_descriptor,
    "md:SingleLogoutService/@Binding",
    SamlMetadata::NAMESPACE
  )
  if binding_priority
    declared = binding_attrs.map { |attr| attr.value }
    return binding_priority.find { |wanted| declared.include?(wanted) }
  end

  binding_attrs.empty? ? nil : binding_attrs.first.value
end

#single_logout_service_url(options = {}) ⇒ String|nil

Returns SingleLogoutService endpoint if exists.

Parameters:

  • options (Hash) (defaults to: {})

Returns:

  • (String|nil)

    SingleLogoutService endpoint if exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 294

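# Location of the SingleLogoutService endpoint for the selected binding.
#
# The binding is compared with a plain string equality in Ruby rather than
# interpolated into an XPath predicate: the value comes from the fetched
# metadata's own Binding attribute, so a quote character in it would
# otherwise break the query (and raise out of the parser) instead of simply
# not matching.
#
# @param options [Hash] :slo_binding, an Array of acceptable binding URIs in
#   order of preference; see +single_logout_service_binding+
# @return [String, nil] the Location of the first md:SingleLogoutService
#   whose Binding equals the selected binding and that carries a Location,
#   or nil when no binding was selected or no such element exists
def single_logout_service_url(options = {})
  binding = single_logout_service_binding(options[:slo_binding])
  return if binding.nil?

  REXML::XPath.each(
    @idpsso_descriptor,
    "md:SingleLogoutService",
    SamlMetadata::NAMESPACE
  ) do |service|
    next unless service.attributes['Binding'] == binding

    location = service.attributes['Location']
    return location if location
  end
  nil
end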

#single_signon_service_binding(binding_priority = nil) ⇒ String|nil

Returns SingleSignOnService binding if exists.

Parameters:

  • binding_priority (Array) (defaults to: nil)

Returns:

  • (String|nil)

    SingleSignOnService binding if exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 245

# Binding of the SingleSignOnService to use.
#
# @param binding_priority [Array<String>, nil] acceptable binding URIs in
#   order of preference; when given, the first one the IdP declares wins
# @return [String, nil] with a priority list, the first preferred binding
#   the IdP supports (nil when none matches); without one, the Binding of
#   the first md:SingleSignOnService in document order (nil when there is
#   none)
def single_signon_service_binding(binding_priority = nil)
  binding_attrs = REXML::XPath.match(
    @idpsso_descriptor,
    "md:SingleSignOnService/@Binding",
    SamlMetadata::NAMESPACE
  )
  if binding_priority
    declared = binding_attrs.map { |attr| attr.value }
    return binding_priority.find { |wanted| declared.include?(wanted) }
  end

  binding_attrs.empty? ? nil : binding_attrs.first.value
end

#single_signon_service_url(options = {}) ⇒ String|nil

Returns SingleSignOnService endpoint if exists.

Parameters:

  • options (Hash) (defaults to: {})

Returns:

  • (String|nil)

    SingleSignOnService endpoint if exists


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 262

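# Location of the SingleSignOnService endpoint for the selected binding.
#
# The binding is compared with a plain string equality in Ruby rather than
# interpolated into an XPath predicate: the value comes from the fetched
# metadata's own Binding attribute, so a quote character in it would
# otherwise break the query (and raise out of the parser) instead of simply
# not matching.
#
# @param options [Hash] :sso_binding, an Array of acceptable binding URIs in
#   order of preference; see +single_signon_service_binding+
# @return [String, nil] the Location of the first md:SingleSignOnService
#   whose Binding equals the selected binding and that carries a Location,
#   or nil when no binding was selected or no such element exists
def single_signon_service_url(options = {})
  binding = single_signon_service_binding(options[:sso_binding])
  return if binding.nil?

  REXML::XPath.each(
    @idpsso_descriptor,
    "md:SingleSignOnService",
    SamlMetadata::NAMESPACE
  ) do |service|
    next unless service.attributes['Binding'] == binding

    location = service.attributes['Location']
    return location if location
  end
  nil
end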

#to_hash(options = {}) ⇒ Object


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 208

# Settings-style hash describing this IdP, in the key layout the rest of the
# library consumes.
#
# The three certificate keys start out nil and are only filled in by
# +merge_certificates_into+ when the descriptor declares certificates, so
# an IdP without any leaves :idp_cert, :idp_cert_fingerprint and
# :idp_cert_multi all nil.
#
# @param options [Hash] passed through to the SSO/SLO URL lookups
#   (:sso_binding and :slo_binding priority lists)
# @return [Hash] the settings hash
def to_hash(options = {})
  settings = {
    :idp_entity_id => @entity_id,
    :name_identifier_format => idp_name_id_format,
    :idp_sso_target_url => single_signon_service_url(options),
    :idp_slo_target_url => single_logout_service_url(options),
    :idp_attribute_names => attribute_names,
    :idp_cert => nil,
    :idp_cert_fingerprint => nil,
    :idp_cert_multi => nil,
    :valid_until => valid_until
  }
  merge_certificates_into(settings) unless certificates.nil?
  settings
end

#valid_until ⇒ String|nil

Returns 'validUntil' attribute of metadata.

Returns:

  • (String|nil)

    'validUntil' attribute of metadata


# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 237

# The validUntil attribute of the metadata's root element.
#
# The attribute is read from the root of the document the descriptor sits
# in (the enclosing EntityDescriptor/EntitiesDescriptor), not from the
# IDPSSODescriptor itself.
#
# @return [String, nil] the raw attribute value, or nil when the descriptor
#   has no root or the root carries no validUntil attribute
def valid_until
  root_element = @idpsso_descriptor.root
  return nil unless root_element && root_element.attributes

  root_element.attributes['validUntil']
end