Class: Saml::Kit::Metadata

Inherits:

Object

• Object
• Saml::Kit::Metadata

Includes:

ActiveModel::Validations, Buildable, Translatable, XsdValidatable

Defined in:

lib/saml/kit/metadata.rb

Overview

The Metadata object can be used to parse an XML string of metadata.

metadata = Saml::Kit::Metadata.from(raw_xml)

It can also be used to generate a new metadata string.

metadata = Saml::Kit::Metadata.build do |builder|
  builder.entity_id = "my-issuer"
  builder.build_service_provider do |x|
    x.add_assertion_consumer_service(assertions_url, binding: :http_post)
    x.add_single_logout_service(logout_url, binding: :http_post)
  end
  builder.build_identity_provider do |x|
    x.add_single_sign_on_service(login_url, binding: :http_redirect)
    x.add_single_logout_service(logout_url, binding: :http_post)
  end
end
puts metadata.to_xml(pretty: true)

See Builders::ServiceProviderMetadata and Builders::IdentityProviderMetadata for a list of options that can be specified.

Direct Known Subclasses

CompositeMetadata, IdentityProviderMetadata, ServiceProviderMetadata

Constant Summary

METADATA_XSD =

File.expand_path("./xsd/saml-schema-metadata-2.0.xsd", File.dirname(__FILE__)).freeze

NAMESPACES =

{
  "NameFormat": Namespaces::ATTR_SPLAT,
  "ds": ::Xml::Kit::Namespaces::XMLDSIG,
  "md": Namespaces::METADATA,
  "saml": Namespaces::ASSERTION,
  "samlp": Namespaces::PROTOCOL,
}.freeze

Instance Attribute Summary

• #name ⇒ Object readonly

  Returns the value of attribute name.

Class Method Summary

• .from(content) ⇒ Saml::Kit::Metadata

  Creates a ‘Metadata` object from a raw XML [String].

Instance Method Summary

• #certificates ⇒ Object

  Returns each of the X509 certificates.

• #contact_person_company ⇒ Object

  Returns the Company.

• #encryption_certificates ⇒ Object

  Returns the encryption certificates.

• #entity_id ⇒ Object

  Returns the /EntityDescriptor/@entityID.

• #initialize(name, xml) ⇒ Metadata constructor

  A new instance of Metadata.

• #logout_request_for(user, binding: :http_post, relay_state: nil) ⇒ Array

  Creates a serialized LogoutRequest.

• #matches?(fingerprint, use: :signing) ⇒ Xml::Kit::Certificate

  Returns the certificate that matches the fingerprint.

• #name_id_formats ⇒ Object

  Returns the supported NameIDFormats.

• #organization_name ⇒ Object

  Returns the Organization Name.

• #organization_url ⇒ Object

  Returns the Organization URL.

• #service_for(binding:, type:) ⇒ Object

  Returns a specifing service binding.

• #services(type) ⇒ Object

  Returns each of the service endpoints supported by this metadata.

• #signing_certificates ⇒ Object

  Returns the signing certificates.

• #single_logout_service_for(binding:) ⇒ Object

  Returns the SingleLogoutService that matches the specified binding.

• #single_logout_services ⇒ Object

  Returns each of the SingleLogoutService bindings.

• #to_h ⇒ Object

  Returns the XML document converted to a Hash.

• #to_s ⇒ Object

  Returns the XML document as a [String].

• #to_xml(pretty: false) ⇒ Object

  Returns the XML document as a String.

• #verify(algorithm, signature, data) ⇒ Xml::Kit::Certificate

  Verifies the signature and data using the signing certificates.

Constructor Details

#initialize(name, xml) ⇒ Metadata

Returns a new instance of Metadata.

# File 'lib/saml/kit/metadata.rb', line 46

def initialize(name, xml)
  @name = name
  @xml = xml
end

Instance Attribute Details

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/saml/kit/metadata.rb', line 44

def name
  @name
end

Class Method Details

.from(content) ⇒ Saml::Kit::Metadata

Creates a ‘Saml::Kit::Metadata` object from a raw XML [String].

Parameters:

• content (String) —

  the raw metadata XML.

Returns:

• (Saml::Kit::Metadata) —

  the metadata document or subclass.

# File 'lib/saml/kit/metadata.rb', line 184

def self.from(content)
  hash = Hash.from_xml(content)
  entity_descriptor = hash["EntityDescriptor"]
  if entity_descriptor.key?("SPSSODescriptor") && entity_descriptor.key?("IDPSSODescriptor")
    Saml::Kit::CompositeMetadata.new(content)
  elsif entity_descriptor.keys.include?("SPSSODescriptor")
    Saml::Kit::ServiceProviderMetadata.new(content)
  elsif entity_descriptor.keys.include?("IDPSSODescriptor")
    Saml::Kit::IdentityProviderMetadata.new(content)
  end
end

Instance Method Details

#certificates ⇒ Object

Returns each of the X509 certificates.

# File 'lib/saml/kit/metadata.rb', line 77

def certificates
  @certificates ||= document.find_all("/md:EntityDescriptor/md:#{name}/md:KeyDescriptor").map do |item|
    cert = item.at_xpath("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NAMESPACES).text
    ::Xml::Kit::Certificate.new(cert, use: item.attribute('use').value.to_sym)
  end
end

#contact_person_company ⇒ Object

Returns the Company

# File 'lib/saml/kit/metadata.rb', line 72

def contact_person_company
  document.find_by("/md:EntityDescriptor/md:ContactPerson/md:Company").try(:text)
end

#encryption_certificates ⇒ Object

Returns the encryption certificates

# File 'lib/saml/kit/metadata.rb', line 85

def encryption_certificates
  certificates.find_all(&:encryption?)
end

#entity_id ⇒ Object

Returns the /EntityDescriptor/@entityID

# File 'lib/saml/kit/metadata.rb', line 52

def entity_id
  document.find_by("/md:EntityDescriptor/@entityID").value
end

#logout_request_for(user, binding: :http_post, relay_state: nil) ⇒ Array

Creates a serialized LogoutRequest.

Parameters:

• user (Object) —

  a user object that responds to name_id_for and assertion_attributes_for.

• binding (Symbol) (defaults to: :http_post) —

  can be :http_post or :http_redirect.

• relay_state (String) (defaults to: nil) —

  the relay state to have echo’d back.

Returns:

• (Array) —

  Returns an array with a url and Hash of parameters to send to the other party.

# File 'lib/saml/kit/metadata.rb', line 132

def logout_request_for(user, binding: :http_post, relay_state: nil)
  builder = Saml::Kit::LogoutRequest.builder(user) do |x|
    yield x if block_given?
  end
  request_binding = single_logout_service_for(binding: binding)
  request_binding.serialize(builder, relay_state: relay_state)
end

#matches?(fingerprint, use: :signing) ⇒ Xml::Kit::Certificate

Returns the certificate that matches the fingerprint

Parameters:

• fingerprint (Saml::Kit::Fingerprint) —

  the fingerprint to search for.

• use (Symbol) (defaults to: :signing) —

  the type of certificates to look at. Can be :signing or :encryption.

Returns:

• (Xml::Kit::Certificate) —

  returns the matching ‘Xml::Kit::Certificate`

# File 'lib/saml/kit/metadata.rb', line 145

def matches?(fingerprint, use: :signing)
  certificates.find do |certificate|
    certificate.for?(use) && certificate.fingerprint == fingerprint
  end
end

#name_id_formats ⇒ Object

Returns the supported NameIDFormats.

# File 'lib/saml/kit/metadata.rb', line 57

def name_id_formats
  document.find_all("/md:EntityDescriptor/md:#{name}/md:NameIDFormat").map(&:text)
end

#organization_name ⇒ Object

Returns the Organization Name

# File 'lib/saml/kit/metadata.rb', line 62

def organization_name
  document.find_by("/md:EntityDescriptor/md:Organization/md:OrganizationName").try(:text)
end

#organization_url ⇒ Object

Returns the Organization URL

# File 'lib/saml/kit/metadata.rb', line 67

def organization_url
  document.find_by("/md:EntityDescriptor/md:Organization/md:OrganizationURL").try(:text)
end

#service_for(binding:, type:) ⇒ Object

Returns a specifing service binding.

Parameters:

• binding (Symbol) —

  can be :http_post or :http_redirect.

• type (Symbol) —

  can be on the service element like AssertionConsumerServiceURL, SingleSignOnService or SingleLogoutService.

# File 'lib/saml/kit/metadata.rb', line 109

def service_for(binding:, type:)
  binding = Saml::Kit::Bindings.binding_for(binding)
  services(type).find { |x| x.binding?(binding) }
end

#services(type) ⇒ Object

Returns each of the service endpoints supported by this metadata.

Parameters:

• type (String) —

  the type of service. .E.g. AssertionConsumerServiceURL

# File 'lib/saml/kit/metadata.rb', line 97

def services(type)
  document.find_all("/md:EntityDescriptor/md:#{name}/md:#{type}").map do |item|
    binding = item.attribute("Binding").value
    location = item.attribute("Location").value
    Saml::Kit::Bindings.create_for(binding, location)
  end
end

#signing_certificates ⇒ Object

Returns the signing certificates.

# File 'lib/saml/kit/metadata.rb', line 90

def signing_certificates
  certificates.find_all(&:signing?)
end

#single_logout_service_for(binding:) ⇒ Object

Returns the SingleLogoutService that matches the specified binding.

Parameters:

• binding (Symbol) —

  can be :http_post or :http_redirect.

# File 'lib/saml/kit/metadata.rb', line 122

def single_logout_service_for(binding:)
  service_for(binding: binding, type: 'SingleLogoutService')
end

#single_logout_services ⇒ Object

Returns each of the SingleLogoutService bindings

# File 'lib/saml/kit/metadata.rb', line 115

def single_logout_services
  services('SingleLogoutService')
end

#to_h ⇒ Object

Returns the XML document converted to a Hash.

# File 'lib/saml/kit/metadata.rb', line 152

def to_h
  @xml_hash ||= Hash.from_xml(to_xml)
end

#to_s ⇒ Object

Returns the XML document as a [String].

# File 'lib/saml/kit/metadata.rb', line 164

def to_s
  to_xml
end

#to_xml(pretty: false) ⇒ Object

Returns the XML document as a String.

Parameters:

• pretty (Symbol) (defaults to: false) —

  true to return a human friendly version of the XML.

# File 'lib/saml/kit/metadata.rb', line 159

def to_xml(pretty: false)
  document.to_xml(pretty: pretty)
end

#verify(algorithm, signature, data) ⇒ Xml::Kit::Certificate

Verifies the signature and data using the signing certificates.

Parameters:

• algorithm (OpenSSL::Digest) —

  the digest algorithm to use. E.g. OpenSSL::Digest::SHA256

• signature (String) —

  the signature to verify

• data (String) —

  the data that is used to produce the signature.

Returns:

• (Xml::Kit::Certificate) —

  the certificate that was used to produce the signature.

# File 'lib/saml/kit/metadata.rb', line 174

def verify(algorithm, signature, data)
  signing_certificates.find do |certificate|
    certificate.public_key.verify(algorithm, signature, data)
  end
end