Merge pull request #1 from OnetapInc/inject-cert
saml response生成時に外から証明書および秘密鍵を注入できるようにする
zoi-aoba authored Sep 17, 2020
2 parents 8bc113e + c4ed7ae commit 88a5bc6
Showing 6 changed files with 32 additions and 17 deletions.
8 changes: 6 additions & 2 deletions lib/saml_idp/assertion_builder.rb
Expand Up @@ -16,10 +16,12 @@ class AssertionBuilder
attr_accessor :expiry
attr_accessor :encryption_opts
attr_accessor :session_expiry
attr_accessor :x509_certificate
attr_accessor :secret_key

delegate :config, to: :SamlIdp

def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil, cert=nil, sec_key=nil)
self.reference_id = reference_id
self.issuer_uri = issuer_uri
self.principal = principal
Expand All @@ -31,6 +33,8 @@ def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_i
self.expiry = expiry
self.encryption_opts = encryption_opts
self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
self.x509_certificate = cert
self.secret_key = sec_key
end

def fresh
Expand All @@ -40,7 +44,7 @@ def fresh
IssueInstant: now_iso,
Version: "2.0" do |assertion|
assertion.Issuer issuer_uri
sign assertion
sign(assertion, self.x509_certificate, self.secret_key)
assertion.Subject do |subject|
subject.NameID name_id, Format: name_id_format[:name]
subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
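Review bot: `attr_accessor :secret_key` puts the private key on the builder's public interface and, since `Object#inspect` dumps instance variables, into any log line or exception message that prints an AssertionBuilder; the same exposure exists for SamlResponse's `secret_key` accessor in saml_response.rb and for `@sec_key` in signed_info_builder.rb. Within the visible hunks nothing reads the key from outside the class — `fresh` hands it straight to `sign` — so `attr_writer :secret_key` plus a private `attr_reader :secret_key` keeps the behaviour, and an `inspect` override that omits the key closes the logging path. A comment on the two new accessors would also help: `# injected per response; nil falls back to SamlIdp.config inside Signable/SignedInfoBuilder`. The explicit receivers in `sign(assertion, self.x509_certificate, self.secret_key)` are unnecessary; `initialize` and `fresh` both continue outside their hunks.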
6 changes: 5 additions & 1 deletion lib/saml_idp/controller.rb
Expand Up @@ -64,6 +64,8 @@ def encode_authn_response(principal, opts = {})
expiry = opts[:expiry] || 60*60
session_expiry = opts[:session_expiry]
encryption_opts = opts[:encryption] || nil
certificate = opts[:certificate]
secret_key = opts[:secret_key]

SamlResponse.new(
reference_id,
Expand All @@ -77,7 +79,9 @@ def encode_authn_response(principal, opts = {})
my_authn_context_classref,
expiry,
encryption_opts,
session_expiry
session_expiry,
certificate,
secret_key
).build
end

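Review bot: `certificate = opts[:certificate]` and `secret_key = opts[:secret_key]` are read independently, so a caller that supplies only one of them gets a response whose embedded certificate and signing key come from different sources (the missing half falls back to `SamlIdp.config` further down the chain), which the service provider's signature check rejects with no hint why. A guard next to those two lines makes the contract explicit: `raise ArgumentError, "certificate and secret_key must be given together" if certificate.nil? ^ secret_key.nil?`. If the pair is parsed with OpenSSL downstream, `OpenSSL::X509::Certificate#check_private_key` could additionally confirm they belong together, but the parsing site is not visible from this hunk. `encode_authn_response` begins above the first hunk.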
12 changes: 8 additions & 4 deletions lib/saml_idp/saml_response.rb
Expand Up @@ -29,7 +29,9 @@ def initialize(reference_id,
authn_context_classref,
expiry=60*60,
encryption_opts=nil,
session_expiry=0
session_expiry=0,
cert=nil,
sec_key=nil
)
self.reference_id = reference_id
self.response_id = response_id
Expand All @@ -39,8 +41,8 @@ def initialize(reference_id,
self.saml_request_id = saml_request_id
self.saml_acs_url = saml_acs_url
self.algorithm = algorithm
self.secret_key = secret_key
self.x509_certificate = x509_certificate
self.secret_key = sec_key || secret_key
self.x509_certificate = cert || x509_certificate
self.authn_context_classref = authn_context_classref
self.expiry = expiry
self.encryption_opts = encryption_opts
Expand Down Expand Up @@ -76,7 +78,9 @@ def assertion_builder
authn_context_classref,
expiry,
encryption_opts,
session_expiry
session_expiry,
x509_certificate,
secret_key
end
private :assertion_builder
end
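Review bot: `self.secret_key = sec_key || secret_key` and the `cert || x509_certificate` line below it fall back to the configured value only when the argument is `nil`; an empty string is truthy in Ruby, so a blank `opts[:secret_key]` or `opts[:certificate]` arriving through the controller overrides the configured pair with `""` instead of falling back, and the response is presumably then signed with an unusable key or carries an empty certificate. If blank should mean "not injected", test for it explicitly, e.g. `self.secret_key = sec_key.to_s.empty? ? secret_key : sec_key`; if blank should be an error, reject it in the controller instead. Either way a one-line comment on the two assignments, `# explicit key/cert win over SamlIdp.config; nil means use config`, records the precedence. `initialize` starts above the first hunk.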
12 changes: 6 additions & 6 deletions lib/saml_idp/signable.rb
Expand Up @@ -20,8 +20,8 @@ def signed
end
end

def sign(el)
el << signature if sign?
def sign(el, cert=nil, sec_key=nil)
el << signature(cert, sec_key) if sign?
end

def generated_reference_id
Expand Down Expand Up @@ -64,13 +64,13 @@ def sign?
end
private :sign?

def signature
SignatureBuilder.new(signed_info_builder).raw
def signature(cert=nil, sec_key=nil)
SignatureBuilder.new(signed_info_builder(sec_key), cert).raw
end
private :signature

def signed_info_builder
SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm)
def signed_info_builder(sec_key=nil)
SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm, sec_key)
end
private :signed_info_builder

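Review bot: `def sign(el, cert=nil, sec_key=nil)` adds two positional optionals that are threaded through `signature` and `signed_info_builder` without a word on their precedence, and the module's other entry point `signed` (only its closing lines are visible above the hunk; its body starts outside it) does not receive the pair, so if it also ends in `signature` it keeps using the configured key and certificate. A comment on `sign` should state this: `# cert/sec_key override SamlIdp.config for this signature only; nil falls back to config`. Keyword arguments (`sign(el, cert: nil, sec_key: nil)`) would make the three-layer pass-through self-describing at the AssertionBuilder call site, and RuboCop expects `cert = nil` spacing around default values.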
6 changes: 4 additions & 2 deletions lib/saml_idp/signature_builder.rb
Expand Up @@ -2,9 +2,11 @@
module SamlIdp
class SignatureBuilder
attr_accessor :signed_info_builder
attr_accessor :x509_certificate

def initialize(signed_info_builder)
def initialize(signed_info_builder, cert=nil)
self.signed_info_builder = signed_info_builder
@x509_certificate = cert
end

def raw
Expand All @@ -21,7 +23,7 @@ def raw
end

def x509_certificate
SamlIdp.config.x509_certificate
(@x509_certificate || SamlIdp.config.x509_certificate)
.to_s
.gsub(/-----BEGIN CERTIFICATE-----/,"")
.gsub(/-----END CERTIFICATE-----/,"")
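Review bot: `attr_accessor :x509_certificate` generates a reader that the explicit `def x509_certificate` in the second hunk immediately redefines (`ruby -w` reports the method redefinition), so the accessor contributes only a writer that nothing in the visible code calls; `attr_writer :x509_certificate`, or no accessor at all since the constructor assigns `@x509_certificate` directly, expresses the intent. The reader now prefers the injected certificate over `SamlIdp.config.x509_certificate` and strips the BEGIN/END markers from whichever it picked; a comment on the method, `# injected cert wins over config; either is reduced to its base64 body`, saves the next reader a trip to the constructor. The parentheses around the receiver are required for the chained `.to_s`, so keep them; the rest of `x509_certificate` continues below the hunk.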
5 changes: 3 additions & 2 deletions lib/saml_idp/signed_info_builder.rb
Expand Up @@ -23,10 +23,11 @@ class SignedInfoBuilder
attr_accessor :digest_value
attr_accessor :raw_algorithm

def initialize(reference_id, digest_value, raw_algorithm)
def initialize(reference_id, digest_value, raw_algorithm, sec_key=nil)
self.reference_id = reference_id
self.digest_value = digest_value
self.raw_algorithm = raw_algorithm
@sec_key = sec_key
end

def raw
Expand Down Expand Up @@ -65,7 +66,7 @@ def clean_algorithm_name
private :clean_algorithm_name

def secret_key
SamlIdp.config.secret_key
@sec_key || SamlIdp.config.secret_key
end
private :secret_key

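Review bot: `@sec_key = sec_key` stores the injected key in an instance variable whose name differs from the `secret_key` reader that serves it, and unlike every other field assigned in `initialize` it bypasses the accessor style the class uses; naming it `@secret_key` lets the private reader's `@secret_key || SamlIdp.config.secret_key` read as an ordinary fallback without a mental rename. A comment on that reader, `# per-response key injected through SignedInfoBuilder.new; nil falls back to SamlIdp.config`, records the precedence. Both `initialize` and `secret_key` lie fully inside their hunks, but the class continues outside them.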
