diff --git a/lib/saml_idp/assertion_builder.rb b/lib/saml_idp/assertion_builder.rb
index 39e43e08..00dc7a99 100644
--- a/lib/saml_idp/assertion_builder.rb
+++ b/lib/saml_idp/assertion_builder.rb
@@ -16,10 +16,12 @@ class AssertionBuilder
     attr_accessor :expiry
     attr_accessor :encryption_opts
     attr_accessor :session_expiry
+    attr_accessor :x509_certificate
+    attr_accessor :secret_key
     delegate :config, to: :SamlIdp
-    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
+    def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil, cert=nil, sec_key=nil)
       self.reference_id = reference_id
       self.issuer_uri = issuer_uri
       self.principal = principal
@@ -31,6 +33,8 @@ def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_i
       self.expiry = expiry
       self.encryption_opts = encryption_opts
       self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
+      self.x509_certificate = cert
+      self.secret_key = sec_key
     end
     def fresh
@@ -40,7 +44,7 @@ def fresh
         IssueInstant: now_iso,
         Version: "2.0" do |assertion|
           assertion.Issuer issuer_uri
-          sign assertion
+          sign(assertion, self.x509_certificate, self.secret_key)
           assertion.Subject do |subject|
             subject.NameID name_id, Format: name_id_format[:name]
             subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
diff --git a/lib/saml_idp/controller.rb b/lib/saml_idp/controller.rb
index 0c8381ad..6ce24a1c 100644
--- a/lib/saml_idp/controller.rb
+++ b/lib/saml_idp/controller.rb
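Review bot: In the `fresh` hunk the call `sign(assertion, self.x509_certificate, self.secret_key)` uses an explicit `self.` receiver on plain readers, which the surrounding code (`sign assertion`, `assertion.Issuer issuer_uri`) does not; `sign(assertion, x509_certificate, secret_key)` reads the same, and the new `cert`/`sec_key` parameters on `initialize` are undocumented. I would add above `initialize` a comment such as `# cert/sec_key: per-assertion signing certificate and private key; when nil the SignatureBuilder/SignedInfoBuilder fall back to SamlIdp.config`. Since `secret_key` now holds private-key material on a builder instance, `attr_reader` plus direct ivar assignment in `initialize` would avoid exposing a public writer for it, though I cannot see from here whether any caller assigns it externally. `fresh` continues past the end of the hunk.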
@@ -64,6 +64,8 @@ def encode_authn_response(principal, opts = {})
       expiry = opts[:expiry] || 60*60
       session_expiry = opts[:session_expiry]
       encryption_opts = opts[:encryption] || nil
+      certificate = opts[:certificate]
+      secret_key = opts[:secret_key]
       SamlResponse.new(
         reference_id,
@@ -77,7 +79,9 @@ def encode_authn_response(principal, opts = {})
         my_authn_context_classref,
         expiry,
         encryption_opts,
-        session_expiry
+        session_expiry,
+        certificate,
+        secret_key
       ).build
     end
diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index ceac0ac1..cea8657f 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -29,7 +29,9 @@ def initialize(reference_id,
                    authn_context_classref,
                    expiry=60*60,
                    encryption_opts=nil,
-                   session_expiry=0
+                   session_expiry=0,
+                   cert=nil,
+                   sec_key=nil
                   )
       self.reference_id = reference_id
       self.response_id = response_id
@@ -39,8 +41,8 @@ def initialize(reference_id,
       self.saml_request_id = saml_request_id
       self.saml_acs_url = saml_acs_url
       self.algorithm = algorithm
-      self.secret_key = secret_key
-      self.x509_certificate = x509_certificate
+      self.secret_key = sec_key || secret_key
+      self.x509_certificate = cert || x509_certificate
       self.authn_context_classref = authn_context_classref
       self.expiry = expiry
       self.encryption_opts = encryption_opts
@@ -76,7 +78,9 @@ def assertion_builder
         authn_context_classref,
         expiry,
         encryption_opts,
-        session_expiry
+        session_expiry,
+        x509_certificate,
+        secret_key
     end
     private :assertion_builder
   end
diff --git a/lib/saml_idp/signable.rb b/lib/saml_idp/signable.rb
index b6259486..0dc039f3 100644
--- a/lib/saml_idp/signable.rb
+++ b/lib/saml_idp/signable.rb
@@ -20,8 +20,8 @@ def signed
       end
     end
-    def sign(el)
-      el << signature if sign?
+    def sign(el, cert=nil, sec_key=nil)
+      el << signature(cert, sec_key) if sign?
     end
     def generated_reference_id
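Review bot: `SamlResponse.new` already has positional `secret_key` and `x509_certificate` parameters (the saml_response.rb hunks assign `sec_key || secret_key` and `cert || x509_certificate`), so the trailing `certificate, secret_key` arguments added to this call create a second slot for the same values; the earlier arguments of the call are outside the hunk, so I cannot see what fills the original slots, but if it is the config values, passing `opts[:secret_key]`/`opts[:certificate]` there would avoid the duplicated parameters in saml_response.rb and assertion_builder.rb. The option key `:certificate` also differs from the attribute name `x509_certificate` used everywhere downstream; a key named `:x509_certificate` would keep the names aligned. Whichever is kept, the precedence deserves a comment on the `sec_key || secret_key` line, e.g. `# an explicit per-response cert/key overrides the positional (config-derived) values`. `encode_authn_response` starts before the hunk.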
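Review bot: `sign(el, cert=nil, sec_key=nil)` accepts one half of the pair without the other: `cert` is resolved in SignatureBuilder#x509_certificate and `sec_key` in SignedInfoBuilder#secret_key independently, each falling back to `SamlIdp.config` on nil, so a caller that supplies a certificate without its key (or vice versa) produces a signature whose embedded certificate does not belong to the signing key, which the relying party only discovers as a verification failure. A guard at the top of `sign` surfaces the mistake at the call site: `raise ArgumentError, "cert and sec_key must be supplied together" if cert.nil? != sec_key.nil?`. The same applies to `signature` and `signed_info_builder` in the next signable.rb hunk, which thread the two values separately. `signed` is cut off at the top of this hunk.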
@@ -64,13 +64,13 @@ def sign?
     end
     private :sign?
-    def signature
-      SignatureBuilder.new(signed_info_builder).raw
+    def signature(cert=nil, sec_key=nil)
+      SignatureBuilder.new(signed_info_builder(sec_key), cert).raw
     end
     private :signature
-    def signed_info_builder
-      SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm)
+    def signed_info_builder(sec_key=nil)
+      SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm, sec_key)
     end
     private :signed_info_builder
diff --git a/lib/saml_idp/signature_builder.rb b/lib/saml_idp/signature_builder.rb
index 83183f23..ed68a186 100644
--- a/lib/saml_idp/signature_builder.rb
+++ b/lib/saml_idp/signature_builder.rb
@@ -2,9 +2,11 @@ module SamlIdp
   class SignatureBuilder
     attr_accessor :signed_info_builder
+    attr_accessor :x509_certificate
-    def initialize(signed_info_builder)
+    def initialize(signed_info_builder, cert=nil)
       self.signed_info_builder = signed_info_builder
+      @x509_certificate = cert
     end
     def raw
@@ -21,7 +23,7 @@ def raw
     end
     def x509_certificate
-      SamlIdp.config.x509_certificate
+      (@x509_certificate || SamlIdp.config.x509_certificate)
         .to_s
         .gsub(/-----BEGIN CERTIFICATE-----/,"")
         .gsub(/-----END CERTIFICATE-----/,"")
diff --git a/lib/saml_idp/signed_info_builder.rb b/lib/saml_idp/signed_info_builder.rb
index 81380666..f9120f0b 100644
--- a/lib/saml_idp/signed_info_builder.rb
+++ b/lib/saml_idp/signed_info_builder.rb
@@ -23,10 +23,11 @@ class SignedInfoBuilder
     attr_accessor :digest_value
     attr_accessor :raw_algorithm
-    def initialize(reference_id, digest_value, raw_algorithm)
+    def initialize(reference_id, digest_value, raw_algorithm, sec_key=nil)
       self.reference_id = reference_id
       self.digest_value = digest_value
       self.raw_algorithm = raw_algorithm
+      @sec_key = sec_key
     end
     def raw
@@ -65,7 +66,7 @@ def clean_algorithm_name
     private :clean_algorithm_name
     def secret_key
-      SamlIdp.config.secret_key
+      @sec_key || SamlIdp.config.secret_key
     end
     private :secret_key
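Review bot: In signature_builder.rb, `attr_accessor :x509_certificate` generates a reader that the existing `def x509_certificate` later in the same class (the second hunk of that file) redefines, so the generated reader is dead and Ruby reports a method redefinition under `-w`; `initialize` also bypasses the generated writer by assigning `@x509_certificate = cert` directly. Dropping the `attr_accessor` line keeps behaviour identical, or use `attr_writer :x509_certificate` if assignment from outside is intended. A short comment on the reader would help the next reader: `# per-signature certificate if one was injected, else the configured one; PEM header/footer lines are stripped`.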
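Review bot: In signed_info_builder.rb the injected key is stored as `@sec_key` while its reader is `secret_key`, and the parallel change in signature_builder.rb stores `@x509_certificate`; naming the ivar `@secret_key` would match both. Because the instance now carries private-key material, `inspect`/`pp` output of a SignedInfoBuilder (and of the AssertionBuilder and SamlResponse that hold the same value) includes it; if these objects can reach logs or error reports, overriding `inspect` to omit the key is worth considering. `secret_key` stays private, so the external interface is unchanged.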