Class: OneLogin::RubySaml::IdpMetadataParser::IdpMetadata

Inherits:

Object

• Object
• OneLogin::RubySaml::IdpMetadataParser::IdpMetadata

Defined in:

lib/onelogin/ruby-saml/idp_metadata_parser.rb

Instance Attribute Summary

• #entity_id ⇒ Object readonly

  Returns the value of attribute entity_id.

• #idpsso_descriptor ⇒ Object readonly

  Returns the value of attribute idpsso_descriptor.

Instance Method Summary

• #attribute_names ⇒ Array

  The names of all SAML attributes if any exist.

• #cache_duration ⇒ String|nil

  ‘cacheDuration’ attribute of metadata.

• #certificates ⇒ String|nil

  Unformatted Certificate if exists.

• #certificates_has_one(key) ⇒ Object
• #fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1) ⇒ String|nil

  The fingerpint of the X509Certificate if it exists.

• #idp_name_id_format ⇒ String|nil

  IdP Name ID Format value if exists.

• #initialize(idpsso_descriptor, entity_id) ⇒ IdpMetadata constructor

  A new instance of IdpMetadata.

• #merge_certificates_into(parsed_metadata) ⇒ Object
• #single_logout_response_service_url(options = {}) ⇒ String|nil

  SingleLogoutService response url if exists.

• #single_logout_service_binding(binding_priority = nil) ⇒ String|nil

  SingleLogoutService binding if exists.

• #single_logout_service_url(options = {}) ⇒ String|nil

  SingleLogoutService endpoint if exists.

• #single_signon_service_binding(binding_priority = nil) ⇒ String|nil

  SingleSignOnService binding if exists.

• #single_signon_service_url(options = {}) ⇒ String|nil

  SingleSignOnService endpoint if exists.

• #to_hash(options = {}) ⇒ Object
• #valid_until ⇒ String|nil

  ‘validUntil’ attribute of metadata.

Constructor Details

#initialize(idpsso_descriptor, entity_id) ⇒ IdpMetadata

Returns a new instance of IdpMetadata.

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 214

def initialize(idpsso_descriptor, entity_id)
  @idpsso_descriptor = idpsso_descriptor
  @entity_id = entity_id
end

Instance Attribute Details

#entity_id ⇒ Object (readonly)

Returns the value of attribute entity_id.

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 212

def entity_id
  @entity_id
end

#idpsso_descriptor ⇒ Object (readonly)

Returns the value of attribute idpsso_descriptor.

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 212

def idpsso_descriptor
  @idpsso_descriptor
end

Instance Method Details

#attribute_names ⇒ Array

Returns the names of all SAML attributes if any exist.

Returns:

• (Array) —

  the names of all SAML attributes if any exist

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 392

def attribute_names
  nodes = REXML::XPath.match(
    @idpsso_descriptor  ,
    "saml:Attribute/@Name",
    SamlMetadata::NAMESPACE
  )
  nodes.map(&:value)
end

#cache_duration ⇒ String|nil

Returns ‘cacheDuration’ attribute of metadata.

Returns:

• (String|nil) —

  ‘cacheDuration’ attribute of metadata

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 257

def cache_duration
  root = @idpsso_descriptor.root
  root.attributes['cacheDuration'] if root && root.attributes
end

#certificates ⇒ String|nil

Returns Unformatted Certificate if exists.

Returns:

• (String|nil) —

  Unformatted Certificate if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 343

def certificates
  @certificates ||= begin
    signing_nodes = REXML::XPath.match(
      @idpsso_descriptor,
      "md:KeyDescriptor[not(contains(@use, 'encryption'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
      SamlMetadata::NAMESPACE
    )

    encryption_nodes = REXML::XPath.match(
      @idpsso_descriptor,
      "md:KeyDescriptor[not(contains(@use, 'signing'))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
      SamlMetadata::NAMESPACE
    )

    return nil if signing_nodes.empty? && encryption_nodes.empty?

    certs = {}
    unless signing_nodes.empty?
      certs['signing'] = []
      signing_nodes.each do |cert_node|
        certs['signing'] << Utils.element_text(cert_node)
      end
    end

    unless encryption_nodes.empty?
      certs['encryption'] = []
      encryption_nodes.each do |cert_node|
        certs['encryption'] << Utils.element_text(cert_node)
      end
    end
    certs
  end
end

#certificates_has_one(key) ⇒ Object

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 426

def certificates_has_one(key)
  certificates.key?(key) && certificates[key].size == 1
end

#fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1) ⇒ String|nil

Returns the fingerpint of the X509Certificate if it exists.

Returns:

• (String|nil) —

  the fingerpint of the X509Certificate if it exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 379

def fingerprint(certificate, fingerprint_algorithm = XMLSecurity::Document::SHA1)
  @fingerprint ||= begin
    return unless certificate

    cert = OpenSSL::X509::Certificate.new(Base64.decode64(certificate))

    fingerprint_alg = XMLSecurity::BaseDocument.new.algorithm(fingerprint_algorithm).new
    fingerprint_alg.hexdigest(cert.to_der).upcase.scan(/../).join(":")
  end
end

#idp_name_id_format ⇒ String|nil

Returns IdP Name ID Format value if exists.

Returns:

• (String|nil) —

  IdP Name ID Format value if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 239

def idp_name_id_format
  node = REXML::XPath.first(
    @idpsso_descriptor,
    "md:NameIDFormat",
    SamlMetadata::NAMESPACE
  )
  Utils.element_text(node)
end

#merge_certificates_into(parsed_metadata) ⇒ Object

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 401

def merge_certificates_into(parsed_metadata)
  if (certificates.size == 1 &&
      (certificates_has_one('signing') || certificates_has_one('encryption'))) ||
      (certificates_has_one('signing') && certificates_has_one('encryption') &&
      certificates["signing"][0] == certificates["encryption"][0])

    if certificates.key?("signing")
      parsed_metadata[:idp_cert] = certificates["signing"][0]
      parsed_metadata[:idp_cert_fingerprint] = fingerprint(
        parsed_metadata[:idp_cert],
        parsed_metadata[:idp_cert_fingerprint_algorithm]
      )
    else
      parsed_metadata[:idp_cert] = certificates["encryption"][0]
      parsed_metadata[:idp_cert_fingerprint] = fingerprint(
        parsed_metadata[:idp_cert],
        parsed_metadata[:idp_cert_fingerprint_algorithm]
      )
    end
  else
    # symbolize keys of certificates and pass it on
    parsed_metadata[:idp_cert_multi] = Hash[certificates.map { |k, v| [k.to_sym, v] }]
  end
end

#single_logout_response_service_url(options = {}) ⇒ String|nil

Returns SingleLogoutService response url if exists.

Parameters:

• options (Hash) (defaults to: {})

Returns:

• (String|nil) —

  SingleLogoutService response url if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 329

def single_logout_response_service_url(options = {})
  binding = single_logout_service_binding(options[:slo_binding])
  return if binding.nil?

  node = REXML::XPath.first(
    @idpsso_descriptor,
    "md:SingleLogoutService[@Binding=\"#{binding}\"]/@ResponseLocation",
    SamlMetadata::NAMESPACE
  )
  return node.value if node
end

#single_logout_service_binding(binding_priority = nil) ⇒ String|nil

Returns SingleLogoutService binding if exists.

Parameters:

• binding_priority (Array) (defaults to: nil)

Returns:

• (String|nil) —

  SingleLogoutService binding if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 297

def single_logout_service_binding(binding_priority = nil)
  nodes = REXML::XPath.match(
    @idpsso_descriptor,
    "md:SingleLogoutService/@Binding",
    SamlMetadata::NAMESPACE
  )
  if binding_priority
    values = nodes.map(&:value)
    binding_priority.detect{ |binding| values.include? binding }
  else
    nodes.first.value if nodes.any?
  end
end

#single_logout_service_url(options = {}) ⇒ String|nil

Returns SingleLogoutService endpoint if exists.

Parameters:

• options (Hash) (defaults to: {})

Returns:

• (String|nil) —

  SingleLogoutService endpoint if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 314

def single_logout_service_url(options = {})
  binding = single_logout_service_binding(options[:slo_binding])
  return if binding.nil?

  node = REXML::XPath.first(
    @idpsso_descriptor,
    "md:SingleLogoutService[@Binding=\"#{binding}\"]/@Location",
    SamlMetadata::NAMESPACE
  )
  return node.value if node
end

#single_signon_service_binding(binding_priority = nil) ⇒ String|nil

Returns SingleSignOnService binding if exists.

Parameters:

• binding_priority (Array) (defaults to: nil)

Returns:

• (String|nil) —

  SingleSignOnService binding if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 265

def single_signon_service_binding(binding_priority = nil)
  nodes = REXML::XPath.match(
    @idpsso_descriptor,
    "md:SingleSignOnService/@Binding",
    SamlMetadata::NAMESPACE
  )
  if binding_priority
    values = nodes.map(&:value)
    binding_priority.detect{ |binding| values.include? binding }
  else
    nodes.first.value if nodes.any?
  end
end

#single_signon_service_url(options = {}) ⇒ String|nil

Returns SingleSignOnService endpoint if exists.

Parameters:

• options (Hash) (defaults to: {})

Returns:

• (String|nil) —

  SingleSignOnService endpoint if exists

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 282

def single_signon_service_url(options = {})
  binding = single_signon_service_binding(options[:sso_binding])
  return if binding.nil?

  node = REXML::XPath.first(
    @idpsso_descriptor,
    "md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location",
    SamlMetadata::NAMESPACE
  )
  return node.value if node
end

#to_hash(options = {}) ⇒ Object

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 219

def to_hash(options = {})
  {
    :idp_entity_id => @entity_id,
    :name_identifier_format => idp_name_id_format,
    :idp_sso_service_url => single_signon_service_url(options),
    :idp_slo_service_url => single_logout_service_url(options),
    :idp_slo_response_service_url => single_logout_response_service_url(options),
    :idp_attribute_names => attribute_names,
    :idp_cert => nil,
    :idp_cert_fingerprint => nil,
    :idp_cert_multi => nil,
    :valid_until => valid_until,
    :cache_duration => cache_duration,
  }.tap do |response_hash|
    merge_certificates_into(response_hash) unless certificates.nil?
  end
end

#valid_until ⇒ String|nil

Returns ‘validUntil’ attribute of metadata.

Returns:

• (String|nil) —

  ‘validUntil’ attribute of metadata

# File 'lib/onelogin/ruby-saml/idp_metadata_parser.rb', line 250

def valid_until
  root = @idpsso_descriptor.root
  root.attributes['validUntil'] if root && root.attributes
end