152 lines
6.0 KiB
Ruby
152 lines
6.0 KiB
Ruby
require "onelogin/ruby-saml/logging"
|
|
require "onelogin/ruby-saml/saml_message"
|
|
require "onelogin/ruby-saml/utils"
|
|
require "onelogin/ruby-saml/setting_error"
|
|
|
|
# Only supports SAML 2.0
|
|
module OneLogin
|
|
module RubySaml
|
|
|
|
# SAML2 Logout Request (SLO SP initiated, Builder)
|
|
#
|
|
class Logoutrequest < SamlMessage
|
|
|
|
# Logout Request ID
|
|
attr_accessor :uuid
|
|
|
|
# Initializes the Logout Request. A Logoutrequest Object that is an extension of the SamlMessage class.
|
|
# Asigns an ID, a random uuid.
|
|
#
|
|
def initialize
|
|
@uuid = OneLogin::RubySaml::Utils.uuid
|
|
end
|
|
|
|
def request_id
|
|
@uuid
|
|
end
|
|
|
|
# Creates the Logout Request string.
|
|
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
|
# @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
|
|
# @return [String] Logout Request string that includes the SAMLRequest
|
|
#
|
|
def create(settings, params={})
|
|
params = create_params(settings, params)
|
|
params_prefix = (settings.idp_slo_service_url =~ /\?/) ? '&' : '?'
|
|
saml_request = CGI.escape(params.delete("SAMLRequest"))
|
|
request_params = "#{params_prefix}SAMLRequest=#{saml_request}"
|
|
params.each_pair do |key, value|
|
|
request_params << "&#{key}=#{CGI.escape(value.to_s)}"
|
|
end
|
|
raise SettingError.new "Invalid settings, idp_slo_service_url is not set!" if settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
|
|
@logout_url = settings.idp_slo_service_url + request_params
|
|
end
|
|
|
|
# Creates the Get parameters for the logout request.
|
|
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
|
# @param params [Hash] Some extra parameters to be added in the GET for example the RelayState
|
|
# @return [Hash] Parameters
|
|
#
|
|
def create_params(settings, params={})
|
|
# The method expects :RelayState but sometimes we get 'RelayState' instead.
|
|
# Based on the HashWithIndifferentAccess value in Rails we could experience
|
|
# conflicts so this line will solve them.
|
|
relay_state = params[:RelayState] || params['RelayState']
|
|
|
|
if relay_state.nil?
|
|
params.delete(:RelayState)
|
|
params.delete('RelayState')
|
|
end
|
|
|
|
request_doc = create_logout_request_xml_doc(settings)
|
|
request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
|
|
|
|
request = ""
|
|
request_doc.write(request)
|
|
|
|
Logging.debug "Created SLO Logout Request: #{request}"
|
|
|
|
request = deflate(request) if settings.compress_request
|
|
base64_request = encode(request)
|
|
request_params = {"SAMLRequest" => base64_request}
|
|
|
|
if settings.idp_slo_service_binding == Utils::BINDINGS[:redirect] && settings.security[:logout_requests_signed] && settings.private_key
|
|
params['SigAlg'] = settings.security[:signature_method]
|
|
url_string = OneLogin::RubySaml::Utils.build_query(
|
|
:type => 'SAMLRequest',
|
|
:data => base64_request,
|
|
:relay_state => relay_state,
|
|
:sig_alg => params['SigAlg']
|
|
)
|
|
sign_algorithm = XMLSecurity::BaseDocument.new.algorithm(settings.security[:signature_method])
|
|
signature = settings.get_sp_key.sign(sign_algorithm.new, url_string)
|
|
params['Signature'] = encode(signature)
|
|
end
|
|
|
|
params.each_pair do |key, value|
|
|
request_params[key] = value.to_s
|
|
end
|
|
|
|
request_params
|
|
end
|
|
|
|
# Creates the SAMLRequest String.
|
|
# @param settings [OneLogin::RubySaml::Settings|nil] Toolkit settings
|
|
# @return [String] The SAMLRequest String.
|
|
#
|
|
def create_logout_request_xml_doc(settings)
|
|
document = create_xml_document(settings)
|
|
sign_document(document, settings)
|
|
end
|
|
|
|
def create_xml_document(settings)
|
|
time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
|
|
|
request_doc = XMLSecurity::Document.new
|
|
request_doc.uuid = uuid
|
|
|
|
root = request_doc.add_element "samlp:LogoutRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol", "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
|
|
root.attributes['ID'] = uuid
|
|
root.attributes['IssueInstant'] = time
|
|
root.attributes['Version'] = "2.0"
|
|
root.attributes['Destination'] = settings.idp_slo_service_url unless settings.idp_slo_service_url.nil? or settings.idp_slo_service_url.empty?
|
|
|
|
if settings.sp_entity_id
|
|
issuer = root.add_element "saml:Issuer"
|
|
issuer.text = settings.sp_entity_id
|
|
end
|
|
|
|
nameid = root.add_element "saml:NameID"
|
|
if settings.name_identifier_value
|
|
nameid.attributes['NameQualifier'] = settings.idp_name_qualifier if settings.idp_name_qualifier
|
|
nameid.attributes['SPNameQualifier'] = settings.sp_name_qualifier if settings.sp_name_qualifier
|
|
nameid.attributes['Format'] = settings.name_identifier_format if settings.name_identifier_format
|
|
nameid.text = settings.name_identifier_value
|
|
else
|
|
# If no NameID is present in the settings we generate one
|
|
nameid.text = OneLogin::RubySaml::Utils.uuid
|
|
nameid.attributes['Format'] = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
|
|
end
|
|
|
|
if settings.sessionindex
|
|
sessionindex = root.add_element "samlp:SessionIndex"
|
|
sessionindex.text = settings.sessionindex
|
|
end
|
|
|
|
request_doc
|
|
end
|
|
|
|
def sign_document(document, settings)
|
|
# embed signature
|
|
if settings.idp_slo_service_binding == Utils::BINDINGS[:post] && settings.security[:logout_requests_signed] && settings.private_key && settings.certificate
|
|
private_key = settings.get_sp_key
|
|
cert = settings.get_sp_cert
|
|
document.sign_document(private_key, cert, settings.security[:signature_method], settings.security[:digest_method])
|
|
end
|
|
|
|
document
|
|
end
|
|
end
|
|
end
|
|
end
|