From bf85c0944516b1db31374cc7ed4513121c9e924a Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 15:24:39 +0900
Subject: [PATCH 1/8] inject cert and key

---
 lib/saml_idp/controller.rb | 6 +++++-
 lib/saml_idp/saml_response.rb | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/saml_idp/controller.rb b/lib/saml_idp/controller.rb
index 0c8381ad..6ce24a1c 100644
--- a/lib/saml_idp/controller.rb
+++ b/lib/saml_idp/controller.rb
@@ -64,6 +64,8 @@ def encode_authn_response(principal, opts = {})
 expiry = opts[:expiry] || 60*60
 session_expiry = opts[:session_expiry]
 encryption_opts = opts[:encryption] || nil
+ certificate = opts[:certificate]
+ secret_key = opts[:secret_key]

 SamlResponse.new(
 reference_id,
@@ -77,7 +79,9 @@ def encode_authn_response(principal, opts = {})
 my_authn_context_classref,
 expiry,
 encryption_opts,
- session_expiry
+ session_expiry,
+ certificate,
+ secret_key
 ).build
 end

diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index ceac0ac1..b127fd3c 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -29,7 +29,9 @@ def initialize(reference_id,
 authn_context_classref,
 expiry=60*60,
 encryption_opts=nil,
- session_expiry=0
+ session_expiry=0,
+ cert=nil,
+ sec_key=nil
 )
 self.reference_id = reference_id
 self.response_id = response_id
@@ -39,8 +41,8 @@ def initialize(reference_id,
 self.saml_request_id = saml_request_id
 self.saml_acs_url = saml_acs_url
 self.algorithm = algorithm
- self.secret_key = secret_key
- self.x509_certificate = x509_certificate
+ self.secret_key = secret_key(sec_key)
+ self.x509_certificate = x509_certificate(cert)
 self.authn_context_classref = authn_context_classref
 self.expiry = expiry
 self.encryption_opts = encryption_opts
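Review bot: `certificate` and `secret_key` are read from opts independently, so a caller can supply one without the other and the response is then signed with the default key while carrying the injected certificate (or the reverse); nothing in the series checks that the pair belongs together. Rejecting a half-supplied pair here is one line: `raise ArgumentError, "certificate and secret_key must be supplied together" if certificate.nil? != secret_key.nil?`. For signing material it is worth going further and verifying `OpenSSL::X509::Certificate.new(certificate).check_private_key(OpenSSL::PKey.read(secret_key))` before building, assuming both arrive as PEM strings and openssl is already loaded for the signing path. encode_authn_response begins before this hunk and continues past it.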
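Review bot: The new values are appended as two more trailing positional arguments of a call whose earlier arguments are outside the hunk, and the callee names them `cert`/`sec_key` (saml_response.rb hunk in this patch), so a transposed pair is not caught at any layer — SignatureBuilder only calls `.to_s` on whatever lands in the certificate slot. Keyword arguments on SamlResponse.new, `cert: certificate, sec_key: secret_key`, would make the slot explicit at the call site and at each builder the series threads them through (AssertionBuilder, Signable#sign, SignedInfoBuilder). The naming also differs between the controller (`certificate`/`secret_key`) and the builders (`cert`/`sec_key`); one name throughout would help.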
@@ -51,6 +53,14 @@ def build
 @built ||= response_builder.encoded
 end

+ def x509_certificate(cert)
+ cert || super
+ end
+
+ def secret_key(sec_key)
+ sec_key || super
+ end
+
 def signed_assertion
 if encryption_opts
 assertion_builder.encrypt(sign: true)
From 434215aaa79374497f63c9c10038ceea14e5d5b0 Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 16:07:50 +0900
Subject: [PATCH 2/8] update params

---
 lib/saml_idp/saml_response.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index b127fd3c..c7f58d71 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -41,8 +41,8 @@ def initialize(reference_id,
 self.saml_request_id = saml_request_id
 self.saml_acs_url = saml_acs_url
 self.algorithm = algorithm
- self.secret_key = secret_key(sec_key)
- self.x509_certificate = x509_certificate(cert)
+ self.secret_key = sec_key || secret_key
+ self.x509_certificate = cert || x509_certificate
 self.authn_context_classref = authn_context_classref
 self.expiry = expiry
 self.encryption_opts = encryption_opts
@@ -53,13 +53,13 @@ def build
 @built ||= response_builder.encoded
 end

- def x509_certificate(cert)
- cert || super
- end
+ # def x509_certificate(cert)
+ # cert || super
+ # end

- def secret_key(sec_key)
- sec_key || super
- end
+ # def secret_key(sec_key)
+ # sec_key || super
+ # end

 def signed_assertion
 if encryption_opts
From 22583adf554f458812e655f194f76329b13a06fb Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 17:05:20 +0900
Subject: [PATCH 3/8] fix signaturebuilder

---
 lib/saml_idp/assertion_builder.rb | 6 ++++--
 lib/saml_idp/saml_response.rb | 4 +++-
 lib/saml_idp/signable.rb | 8 ++++----
 lib/saml_idp/signature_builder.rb | 7 ++++---
 4 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/lib/saml_idp/assertion_builder.rb b/lib/saml_idp/assertion_builder.rb
index 39e43e08..c7d11450 100644
--- a/lib/saml_idp/assertion_builder.rb
+++ b/lib/saml_idp/assertion_builder.rb
@@ -19,7 +19,7 @@ class AssertionBuilder

 delegate :config, to: :SamlIdp

- def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil)
+ def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_id, saml_acs_url, raw_algorithm, authn_context_classref, expiry=60*60, encryption_opts=nil, session_expiry=nil, cert=nil, sec_key=nil)
 self.reference_id = reference_id
 self.issuer_uri = issuer_uri
 self.principal = principal
@@ -31,6 +31,8 @@ def initialize(reference_id, issuer_uri, principal, audience_uri, saml_request_i
 self.expiry = expiry
 self.encryption_opts = encryption_opts
 self.session_expiry = session_expiry.nil? ? config.session_expiry : session_expiry
+ self.x509_certificate = cert
+ self.secret_key = sec_key
 end

 def fresh
@@ -40,7 +42,7 @@ def fresh
 IssueInstant: now_iso,
 Version: "2.0" do |assertion|
 assertion.Issuer issuer_uri
- sign assertion
+ sign(assertion, self.x509_certificate)
 assertion.Subject do |subject|
 subject.NameID name_id, Format: name_id_format[:name]
 subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index c7f58d71..fed6c949 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -86,7 +86,9 @@ def assertion_builder
 authn_context_classref,
 expiry,
 encryption_opts,
- session_expiry
+ session_expiry,
+ x509_certificate,
+ secret_key
 end
 private :assertion_builder
 end
diff --git a/lib/saml_idp/signable.rb b/lib/saml_idp/signable.rb
index b6259486..7db05f97 100644
--- a/lib/saml_idp/signable.rb
+++ b/lib/saml_idp/signable.rb
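Review bot: `self.x509_certificate = cert` and `self.secret_key = sec_key` call writers that AssertionBuilder does not get until patch 4/8 adds the accessors, so unless a mixin already defines them this commit raises NoMethodError on every assertion build when checked out alone; patch 5/8 plays the same role for the `self.x509_certificate =` line in the signature_builder.rb hunk of this patch. Squashing 3/8 through 6/8 would keep the series bisectable. The initialize signature this hunk extends begins in the previous hunk.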
@@ -20,8 +20,8 @@ def signed
 end
 end

- def sign(el)
- el << signature if sign?
+ def sign(el, cert=nil)
+ el << signature(cert) if sign?
 end

 def generated_reference_id
@@ -64,8 +64,8 @@ def sign?
 end
 private :sign?

- def signature
- SignatureBuilder.new(signed_info_builder).raw
+ def signature(cert=nil)
+ SignatureBuilder.new(signed_info_builder, cert).raw
 end
 private :signature

diff --git a/lib/saml_idp/signature_builder.rb b/lib/saml_idp/signature_builder.rb
index 83183f23..f607663d 100644
--- a/lib/saml_idp/signature_builder.rb
+++ b/lib/saml_idp/signature_builder.rb
@@ -3,8 +3,9 @@ module SamlIdp
 class SignatureBuilder
 attr_accessor :signed_info_builder

- def initialize(signed_info_builder)
+ def initialize(signed_info_builder, cert=nil)
 self.signed_info_builder = signed_info_builder
+ self.x509_certificate = x509_certificate(cert)
 end

 def raw
@@ -20,8 +21,8 @@ def raw
 end
 end

- def x509_certificate
- SamlIdp.config.x509_certificate
+ def x509_certificate(cert)
+ (cert || SamlIdp.config.x509_certificate)
 .to_s
 .gsub(/-----BEGIN CERTIFICATE-----/,"")
 .gsub(/-----END CERTIFICATE-----/,"")
From cfffb6a2340707375e6cc048a10ac7461bde1f66 Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 17:20:50 +0900
Subject: [PATCH 4/8] add accessor

---
 lib/saml_idp/assertion_builder.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/saml_idp/assertion_builder.rb b/lib/saml_idp/assertion_builder.rb
index c7d11450..080e4a7f 100644
--- a/lib/saml_idp/assertion_builder.rb
+++ b/lib/saml_idp/assertion_builder.rb
@@ -16,6 +16,8 @@ class AssertionBuilder
 attr_accessor :expiry
 attr_accessor :encryption_opts
 attr_accessor :session_expiry
+ attr_accessor :x509_certificate
+ attr_accessor :secret_key

 delegate :config, to: :SamlIdp

From f2c0b4526ac8f7d4199792abf2f976a248de4f5c Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 17:23:47 +0900
Subject: [PATCH 5/8] fix signature builder

---
 lib/saml_idp/signature_builder.rb | 1 +
 1 file changed, 1 insertion(+)
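Review bot: `sign(el, cert=nil)` falls back to the globally configured certificate (and, after patch 7/8, key) whenever the argument is nil, so an includer that still calls `sign el`, or a caller whose injected value happened to be nil, silently signs with the default material and the output gives no indication of which key was used. A comment on the method would make that contract visible, e.g. `# cert/sec_key: per-response signing material; nil falls back to SamlIdp.config, so pass both or neither`. If ResponseBuilder also includes Signable and signs the outer Response, the series does not touch it, and it would keep signing with the configured key while the assertion uses the injected one — worth confirming. The same fallback is extended in the signable.rb hunks of patch 7/8.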
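Review bot: `attr_accessor :secret_key` makes the private signing key a public readable attribute of AssertionBuilder, and Ruby's default `#inspect` prints instance variables, so any debug log, error report or console `pp` of a builder now includes the key; `@sec_key` on SignedInfoBuilder in patch 7/8 carries the same exposure. Keeping the writer public but the reader private — `attr_accessor :secret_key` followed by `private :secret_key` — and reading it as `secret_key` rather than `self.secret_key` in `fresh` contains it, and an `inspect` override that omits the key covers the logging side.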
diff --git a/lib/saml_idp/signature_builder.rb b/lib/saml_idp/signature_builder.rb
index f607663d..e416b6f2 100644
--- a/lib/saml_idp/signature_builder.rb
+++ b/lib/saml_idp/signature_builder.rb
@@ -2,6 +2,7 @@ module SamlIdp

 class SignatureBuilder
 attr_accessor :signed_info_builder
+ attr_accessor :x509_certificate

 def initialize(signed_info_builder, cert=nil)
 self.signed_info_builder = signed_info_builder
From 3ae1a58aa053c70b0e9fd7e1d3f9cc7e2cbca642 Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 17:28:46 +0900
Subject: [PATCH 6/8] fix getter

---
 lib/saml_idp/signature_builder.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/saml_idp/signature_builder.rb b/lib/saml_idp/signature_builder.rb
index e416b6f2..ed68a186 100644
--- a/lib/saml_idp/signature_builder.rb
+++ b/lib/saml_idp/signature_builder.rb
@@ -6,7 +6,7 @@ class SignatureBuilder

 def initialize(signed_info_builder, cert=nil)
 self.signed_info_builder = signed_info_builder
- self.x509_certificate = x509_certificate(cert)
+ @x509_certificate = cert
 end

 def raw
@@ -22,8 +22,8 @@ def raw
 end
 end

- def x509_certificate(cert)
- (cert || SamlIdp.config.x509_certificate)
+ def x509_certificate
+ (@x509_certificate || SamlIdp.config.x509_certificate)
 .to_s
 .gsub(/-----BEGIN CERTIFICATE-----/,"")
 .gsub(/-----END CERTIFICATE-----/,"")
From d2c43c50937923d04dcd4e2fef40f6be526375a9 Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 17:42:23 +0900
Subject: [PATCH 7/8] add secret_key injection

---
 lib/saml_idp/assertion_builder.rb | 2 +-
 lib/saml_idp/signable.rb | 12 ++++++------
 lib/saml_idp/signed_info_builder.rb | 5 +++--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/lib/saml_idp/assertion_builder.rb b/lib/saml_idp/assertion_builder.rb
index 080e4a7f..00dc7a99 100644
--- a/lib/saml_idp/assertion_builder.rb
+++ b/lib/saml_idp/assertion_builder.rb
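Review bot: `@x509_certificate = cert` writes the ivar directly and the next hunk defines its own `x509_certificate` reader, so the `attr_accessor :x509_certificate` added in patch 5/8 now contributes only an unused writer plus a reader that is immediately redefined (a method-redefinition warning under `ruby -w`). Dropping that accessor line, or reducing it to `attr_writer :x509_certificate` if assignment from outside is wanted, leaves a single definition of the reader.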
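Review bot: The getter accepts anything that responds to `to_s` and only strips CERTIFICATE header lines, so if a private key ever lands in the certificate slot (the positional `cert`/`sec_key` pair is easy to transpose, and the configured value is not validated either) its PEM text, headers included, is emitted inside ds:X509Certificate and sent to the service provider. Parsing first fails closed on anything that is not a certificate: `OpenSSL::X509::Certificate.new(@x509_certificate || SamlIdp.config.x509_certificate).to_pem` in place of the `(...)` / `.to_s` pair, which takes either a PEM string or an already-parsed certificate object, assuming openssl is loaded where SignatureBuilder is. The rest of the gsub chain is outside the hunk.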
@@ -44,7 +44,7 @@ def fresh
 IssueInstant: now_iso,
 Version: "2.0" do |assertion|
 assertion.Issuer issuer_uri
- sign(assertion, self.x509_certificate)
+ sign(assertion, self.x509_certificate, self.secret_key)
 assertion.Subject do |subject|
 subject.NameID name_id, Format: name_id_format[:name]
 subject.SubjectConfirmation Method: Saml::XML::Namespaces::Methods::BEARER do |confirmation|
diff --git a/lib/saml_idp/signable.rb b/lib/saml_idp/signable.rb
index 7db05f97..0dc039f3 100644
--- a/lib/saml_idp/signable.rb
+++ b/lib/saml_idp/signable.rb
@@ -20,8 +20,8 @@ def signed
 end
 end

- def sign(el, cert=nil)
- el << signature(cert) if sign?
+ def sign(el, cert=nil, sec_key=nil)
+ el << signature(cert, sec_key) if sign?
 end

 def generated_reference_id
@@ -64,13 +64,13 @@ def sign?
 end
 private :sign?

- def signature(cert=nil)
- SignatureBuilder.new(signed_info_builder, cert).raw
+ def signature(cert=nil, sec_key=nil)
+ SignatureBuilder.new(signed_info_builder(sec_key), cert).raw
 end
 private :signature

- def signed_info_builder
- SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm)
+ def signed_info_builder(sec_key=nil)
+ SignedInfoBuilder.new(get_reference_id, get_digest, get_algorithm, sec_key)
 end
 private :signed_info_builder

diff --git a/lib/saml_idp/signed_info_builder.rb b/lib/saml_idp/signed_info_builder.rb
index 81380666..f9120f0b 100644
--- a/lib/saml_idp/signed_info_builder.rb
+++ b/lib/saml_idp/signed_info_builder.rb
@@ -23,10 +23,11 @@ class SignedInfoBuilder
 attr_accessor :digest_value
 attr_accessor :raw_algorithm

- def initialize(reference_id, digest_value, raw_algorithm)
+ def initialize(reference_id, digest_value, raw_algorithm, sec_key=nil)
 self.reference_id = reference_id
 self.digest_value = digest_value
 self.raw_algorithm = raw_algorithm
+ @sec_key = sec_key
 end

 def raw
@@ -65,7 +66,7 @@ def clean_algorithm_name
 private :clean_algorithm_name

 def secret_key
- SamlIdp.config.secret_key
+ @sec_key || SamlIdp.config.secret_key
 end
 private :secret_key

From c4ed7aebe8de343836432b81ccd47ade5e0d7e86 Mon Sep 17 00:00:00 2001
From: gumpen
Date: Thu, 17 Sep 2020 18:01:13 +0900
Subject: [PATCH 8/8] delete comments

---
 lib/saml_idp/saml_response.rb | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/lib/saml_idp/saml_response.rb b/lib/saml_idp/saml_response.rb
index fed6c949..cea8657f 100644
--- a/lib/saml_idp/saml_response.rb
+++ b/lib/saml_idp/saml_response.rb
@@ -53,14 +53,6 @@ def build
 @built ||= response_builder.encoded
 end

- # def x509_certificate(cert)
- # cert || super
- # end
-
- # def secret_key(sec_key)
- # sec_key || super
- # end
-
 def signed_assertion
 if encryption_opts
 assertion_builder.encrypt(sign: true)