Release 2.0.2 that uses ruby-saml 1.0.0

pitbulk · pitbulk · commit 6024dac75a48 · 2015-07-02T02:28:40.000+02:00
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'ruby-saml', :git => 'https://github.com/onelogin/ruby-saml.git'
+gem 'ruby-saml', '~> 1.0.0'
 
 gem 'byebug'
 
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,9 +1,8 @@
-GIT
-  remote: https://github.com/onelogin/ruby-saml.git
-  revision: 9627684fc6356c5619e542494601576b751dc76a
+PATH
+  remote: /home/pitbulk/proyectos/ruby-saml
   specs:
-    ruby-saml (0.8.1)
-      nokogiri (>= 1.5.0)
+    ruby-saml (1.0.0)
+      nokogiri (>= 1.5.10)
       uuid (~> 2.3)
 
 GEM
@@ -56,10 +55,10 @@ GEM
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.25.1)
-    mini_portile (0.6.1)
+    mini_portile (0.6.2)
     minitest (5.5.0)
     multi_json (1.10.1)
-    nokogiri (1.6.5)
+    nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
     polyglot (0.3.5)
     rack (1.5.2)
@@ -99,7 +98,7 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.10)
-    systemu (2.6.4)
+    systemu (2.6.5)
     thor (0.19.1)
     thread_safe (0.3.4)
     tilt (1.4.1)
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ link:files/vendor/rails/actionpack/README.html.
 Supported Version
 -----------------
 
-This ruby-saml-example project works with rails4 and uses is compatible with the ruby-saml toolkit >= 0.8.1.
+This ruby-saml-example project works with rails4 and uses is compatible with the ruby-saml toolkit >= 1.0.0.
 
 Getting Started
 ---------------
@@ -143,6 +143,8 @@ Also, Ruby documentation can be found at http://www.ruby-lang.org/ including:
 These two online (and free) books will bring you up to speed on the Ruby language
 and also on programming in general.
 
+Documentation related to configuring logging on ruby-saml can be found at:
+https://github.com/onelogin/ruby-saml#configuring-logging
 
 Debugger
 --------
diff --git a/app/controllers/saml_controller.rb b/app/controllers/saml_controller.rb
@@ -18,17 +18,19 @@ def sso
   end
 
   def acs
-    response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
-    response.settings = Account.get_saml_settings
+    settings = Account.get_saml_settings
+    response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => settings)
 
     if response.is_valid?
-      session[:user_id] = response.name_id
+      session[:nameid] = response.nameid
       session[:attributes] = response.attributes
       @attrs = session[:attributes]
       logger.info "Sucessfully logged"
-      logger.info "NAMEID: #{response.name_id}"
+      logger.info "NAMEID: #{response.nameid}"
       render :action => :index
     else
+      logger.info "Response Invalid. Errors: #{response.errors}"
+      @errors = response.errors
       render :action => :fail
     end
   end
@@ -69,13 +71,13 @@ def sp_logout_request
       # to compare it with the response we get back
       logout_request = OneLogin::RubySaml::Logoutrequest.new()
       session[:transaction_id] = logout_request.uuid
-      logger.info "New SP SLO for User ID: '#{session[:user_id]}', Transaction ID: '#{session[:transaction_id]}'"
+      logger.info "New SP SLO for User ID: '#{session[:nameid]}', Transaction ID: '#{session[:transaction_id]}'"
 
       if settings.name_identifier_value.nil?
-        settings.name_identifier_value = session[:user_id]
+        settings.name_identifier_value = session[:nameid]
       end
 
-      relayState =  url_for controller: 'saml', action: 'index'
+      relayState = url_for controller: 'saml', action: 'index'
       redirect_to(logout_request.create(settings, :RelayState => relayState))
     end
   end
@@ -84,55 +86,39 @@ def sp_logout_request
   # the LogoutResponse, verify it, then actually delete our session.
   def process_logout_response
     settings = Account.get_saml_settings
-
-    if session.has_key? :transation_id
-      logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => session[:transation_id])
-    else
-      logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings)
-    end
-
-    logger.info "LogoutResponse is: #{logout_response.to_s}"
+    request_id = session[:transaction_id]
+    logout_response = OneLogin::RubySaml::Logoutresponse.new(params[:SAMLResponse], settings, :matches_request_id => request_id, :get_params => params)
+    logger.info "LogoutResponse is: #{logout_response.response.to_s}"
 
     # Validate the SAML Logout Response
     if not logout_response.validate
-      logger.error "The SAML Logout Response is invalid"
+      error_msg = "The SAML Logout Response is invalid.  Errors: #{logout_response.errors}"
+      logger.error error_msg
+      render :inline => error_msg
     else
       # Actually log out this session
       if logout_response.success?
-        logger.info "Delete session for '#{session[:user_id]}'"
+        logger.info "Delete session for '#{session[:nameid]}'"
         reset_session
       end
     end
   end
 
- # Method to handle IdP initiated logouts
+  # Method to handle IdP initiated logouts
   def idp_logout_request
     settings = Account.get_saml_settings
-    logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest])
-    if !logout_request.is_valid?
-      logger.error "IdP initiated LogoutRequest was not valid!"
-      render :inline => logger.error
+    logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], :settings => settings)
+    if not logout_request.is_valid?
+      error_msg = "IdP initiated LogoutRequest was not valid!. Errors: #{logout_request.errors}"
+      logger.error error_msg
+      render :inline => error_msg
     end
-    logger.info "IdP initiated Logout for #{logout_request.name_id}"
+    logger.info "IdP initiated Logout for #{logout_request.nameid}"
 
     # Actually log out this session
     reset_session
 
-    # Generate a response to the IdP.  :transaction_id sets the InResponseTo
-    # SAML message to create a reply to the IdP in the LogoutResponse.
-    #action, content = logout_response = OneLogin::RubySaml::Logoutresponse.new(nil, settings).
-    #  create(:transaction_id => logout_request.transaction_id)
-
-    #case action
-    #  when "GET"
-    #    # for GET requests, do a redirect on the content
-    #    redirect_to content
-    #  when "POST"
-    #    # for POST requests (form) render the content as HTML
-    #    render :inline => content
-    #end    logout_request_id = logout_request.id
-
-    logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, :RelayState => params[:RelayState])
+    logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request.id, nil, :RelayState => params[:RelayState])
     redirect_to logout_response
   end
 
diff --git a/app/models/account.rb b/app/models/account.rb
@@ -4,10 +4,17 @@ def self.get_saml_settings
     # should retrieve SAML-settings based on subdomain, IP-address, NameID or similar
     settings = OneLogin::RubySaml::Settings.new
 
+    # When disabled, saml validation errors will raise an exception.
+    settings.soft = true
+
     # Example settings data, replace this values!
+
+    # SP section
     settings.assertion_consumer_service_url = "http://localhost:3000/saml/acs"
     settings.assertion_consumer_logout_service_url = "http://localhost:3000/saml/logout"
     settings.issuer                         = "http://localhost:3000/saml/metadata"
+
+    # IdP section
     settings.idp_entity_id                  = "https://app.onelogin.com/saml/metadata/<onelogin-app-id>"
     settings.idp_sso_target_url             = "https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin-app-id>"
     settings.idp_slo_target_url             = "https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin-app-id>"
@@ -28,7 +35,18 @@ def self.get_saml_settings
 Tc0=
 -----END CERTIFICATE-----"
     # or settings.idp_cert_fingerprint           = "3B:05:BE:0A:EC:84:CC:D4:75:97:B3:A2:22:AC:56:21:44:EF:59:E6"
+    #    settings.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
+
     settings.name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+    # Security section
+    settings.security[:authn_requests_signed] = false
+    settings.security[:logout_requests_signed] = false
+    settings.security[:logout_responses_signed] = false
+    settings.security[:metadata_signed] = false
+    settings.security[:digest_method] = XMLSecurity::Document::SHA1
+    settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA1
+
     settings
   end
 end
diff --git a/app/views/saml/fail.html.erb b/app/views/saml/fail.html.erb
@@ -1,5 +1,10 @@
 <html>
 <body>
 <h4>SAML Response invalid</h4>
+<% if @errors %>
+  <% @errors.each do |error| %>  
+    <p><%= error %></p>
+  <% end %>
+<% end %>
 </body>
 </html>
diff --git a/app/views/saml/index.html.erb b/app/views/saml/index.html.erb
@@ -1,5 +1,5 @@
-<% if session[:user_id].present? %>
-  <p>Logged in. <%= session[:user_id] %></p>
+<% if session[:nameid].present? %>
+  <p>NameID: <%= session[:nameid] %></p>
 
   <% if @attrs.any? %>
     <p>Received the following attributes in the SAML Response:</p>
