Commit 775fb09
Changed files (4)
lib/saml/kit/binding.rb
@@ -54,83 +54,5 @@ module Saml
InvalidResponse.new(saml_response)
end
end
-
- class HttpPostBinding < Binding
- def serialize(builder, relay_state: nil)
- builder.sign = true
- builder.destination = location
- document = builder.build
- saml_params = {
- document.query_string_parameter => Base64.strict_encode64(document.to_xml),
- }
- saml_params['RelayState'] = relay_state if relay_state.present?
- [location, saml_params]
- end
-
- def deserialize(params)
- if params['SAMLRequest'].present?
- deserialize_request(params['SAMLRequest'])
- elsif params['SAMLResponse'].present?
- deserialize_response(params['SAMLResponse'])
- else
- raise ArgumentError.new("Missing SAMLRequest or SAMLResponse")
- end
- end
- end
-
- class HttpRedirectBinding < Binding
- def serialize(builder, relay_state: nil)
- builder.sign = false
- builder.destination = location
- document = builder.build
- [UrlBuilder.new.build(document, relay_state: relay_state), {}]
- end
-
- def deserialize(params)
- document = deserialize_document_from!(params)
- ensure_valid_signature!(params, document)
- document
- end
-
- private
-
- def deserialize_document_from!(params)
- if params['SAMLRequest'].present?
- deserialize_request(CGI.unescape(params['SAMLRequest']))
- elsif params['SAMLResponse'].present?
- deserialize_response(CGI.unescape(params['SAMLResponse']))
- else
- raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
- end
- end
-
- def ensure_valid_signature!(params, document)
- return if params['Signature'].blank? || params['SigAlg'].blank?
-
- signature = Base64.decode64(params['Signature'])
- canonical_form = ['SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg'].map do |key|
- value = params[key]
- value.present? ? "#{key}=#{value}" : nil
- end.compact.join('&')
-
- valid = document.provider.verify(algorithm_for(params['SigAlg']), signature, canonical_form)
- raise ArgumentError.new("Invalid Signature") unless valid
- end
-
-
- def algorithm_for(algorithm)
- case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
- when 256
- OpenSSL::Digest::SHA256.new
- when 384
- OpenSSL::Digest::SHA384.new
- when 512
- OpenSSL::Digest::SHA512.new
- else
- OpenSSL::Digest::SHA1.new
- end
- end
-
- end
end
end
lib/saml/kit/http_post_binding.rb
@@ -0,0 +1,26 @@
+module Saml
+ module Kit
+ class HttpPostBinding < Binding
+ def serialize(builder, relay_state: nil)
+ builder.sign = true
+ builder.destination = location
+ document = builder.build
+ saml_params = {
+ document.query_string_parameter => Base64.strict_encode64(document.to_xml),
+ }
+ saml_params['RelayState'] = relay_state if relay_state.present?
+ [location, saml_params]
+ end
+
+ def deserialize(params)
+ if params['SAMLRequest'].present?
+ deserialize_request(params['SAMLRequest'])
+ elsif params['SAMLResponse'].present?
+ deserialize_response(params['SAMLResponse'])
+ else
+ raise ArgumentError.new("Missing SAMLRequest or SAMLResponse")
+ end
+ end
+ end
+ end
+end
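Review bot: HttpPostBinding#deserialize hands the raw `SAMLRequest`/`SAMLResponse` values straight to `deserialize_request`/`deserialize_response` with no signature handling, while the sibling HttpRedirectBinding verifies a detached `Signature` param; for the POST binding the signature is presumably the enveloped XML signature checked inside those inherited methods (defined in Binding, outside this hunk), and that asymmetry deserves a comment above `deserialize` such as `# POST binding: the message is signed inline (enveloped XMLDSig); verification is done when the document is parsed, not here.` so a reader does not assume POST messages go unverified. If the inherited methods do not verify the enveloped signature, this class accepts unauthenticated messages and that should be addressed rather than documented. Minor style point on the `else` branch: prefer `raise ArgumentError, "Missing SAMLRequest or SAMLResponse"` over `ArgumentError.new(...)`.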
lib/saml/kit/http_redirect_binding.rb
@@ -0,0 +1,57 @@
+module Saml
+ module Kit
+ class HttpRedirectBinding < Binding
+ def serialize(builder, relay_state: nil)
+ builder.sign = false
+ builder.destination = location
+ document = builder.build
+ [UrlBuilder.new.build(document, relay_state: relay_state), {}]
+ end
+
+ def deserialize(params)
+ document = deserialize_document_from!(params)
+ ensure_valid_signature!(params, document)
+ document
+ end
+
+ private
+
+ def deserialize_document_from!(params)
+ if params['SAMLRequest'].present?
+ deserialize_request(CGI.unescape(params['SAMLRequest']))
+ elsif params['SAMLResponse'].present?
+ deserialize_response(CGI.unescape(params['SAMLResponse']))
+ else
+ raise ArgumentError.new("SAMLRequest or SAMLResponse parameter is required.")
+ end
+ end
+
+ def ensure_valid_signature!(params, document)
+ return if params['Signature'].blank? || params['SigAlg'].blank?
+
+ signature = Base64.decode64(params['Signature'])
+ canonical_form = ['SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg'].map do |key|
+ value = params[key]
+ value.present? ? "#{key}=#{value}" : nil
+ end.compact.join('&')
+
+ valid = document.provider.verify(algorithm_for(params['SigAlg']), signature, canonical_form)
+ raise ArgumentError.new("Invalid Signature") unless valid
+ end
+
+
+ def algorithm_for(algorithm)
+ case algorithm =~ /(rsa-)?sha(.*?)$/i && $2.to_i
+ when 256
+ OpenSSL::Digest::SHA256.new
+ when 384
+ OpenSSL::Digest::SHA384.new
+ when 512
+ OpenSSL::Digest::SHA512.new
+ else
+ OpenSSL::Digest::SHA1.new
+ end
+ end
+ end
+ end
+end
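Review bot: `ensure_valid_signature!` returns early when either `Signature` or `SigAlg` is blank, so a message that carries a `Signature` but omits `SigAlg` (or vice versa) is accepted without any verification instead of being rejected as malformed, and `algorithm_for` maps any unrecognised `SigAlg` value to SHA-1 rather than failing. Whether a fully unsigned redirect message may be accepted at all is a policy that presumably depends on the peer's metadata (not visible here), but a half-signed message should raise, and an unknown algorithm should not silently downgrade. The `$2` global after `=~` also leaks state; use a named capture or `Regexp.last_match`. I would rewrite the guard and the algorithm lookup as below; the canonical-form construction and `provider.verify` call are unchanged.
```ruby
def ensure_valid_signature!(params, document)
  return if params['Signature'].blank? && params['SigAlg'].blank?
  if params['Signature'].blank? || params['SigAlg'].blank?
    raise ArgumentError, "Signature and SigAlg must both be present"
  end
  # … unchanged: signature decode, canonical_form, provider.verify …
end

def algorithm_for(algorithm)
  bits = algorithm =~ /(rsa-)?sha(\d+)\z/i && Regexp.last_match(2).to_i
  case bits
  when 1   then OpenSSL::Digest::SHA1.new
  when 256 then OpenSSL::Digest::SHA256.new
  when 384 then OpenSSL::Digest::SHA384.new
  when 512 then OpenSSL::Digest::SHA512.new
  else raise ArgumentError, "Unsupported SigAlg: #{algorithm}"
  end
end
```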
lib/saml/kit.rb
@@ -21,6 +21,8 @@ require "saml/kit/default_registry"
require "saml/kit/fingerprint"
require "saml/kit/logout_response"
require "saml/kit/logout_request"
+require "saml/kit/http_post_binding"
+require "saml/kit/http_redirect_binding"
require "saml/kit/namespaces"
require "saml/kit/metadata"
require "saml/kit/request"
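Review bot: The two new requires load classes that inherit from `Binding` at file-load time, so `saml/kit/binding` must already have been required when these lines run; it is not among the requires visible in this hunk, and if it sits later in the list the load fails with an uninitialized-constant error. Worth confirming the position of `require "saml/kit/binding"` relative to these two, or adding a one-line comment such as `# bindings depend on saml/kit/binding being loaded first` to make the ordering constraint explicit.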