bin/sp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

#!/usr/bin/env ruby

require "bundler/inline"

gemfile do
  source "https://rubygems.org"

  gem "base64", "~> 0.1"
  gem "erb", "~> 4.0"
  gem "net-hippie", "~> 1.0"
  gem "rack", "~> 3.0"
  gem "rackup", "~> 2.0"
  gem "saml-kit", "~> 1.0"
  gem "webrick", "~> 1.0"
end

class OnDemandRegistry < Saml::Kit::DefaultRegistry
  def metadata_for(entity_id)
    found = super(entity_id)
    return found if found

    register_url(entity_id, verify_ssl: false)
    super(entity_id)
  end
end

Saml::Kit.configure do |x|
  x.entity_id = "http://localhost:8283/metadata.xml"
  x.registry = OnDemandRegistry.new
  x.logger = Logger.new("/dev/stderr")
end

class ServiceProvider
  def initialize
    @storage = {}
  end

  # Download IDP Metadata
  #
  # GET /metadata.xml
  def metadata
    xml = Saml::Kit::Metadata.build_xml do |builder|
      builder.embed_signature = false
      builder.contact_email = 'hi@example.com'
      builder.organization_name = "Acme, Inc"
      builder.organization_url = "https://example.com"
      builder.build_service_provider do |x|
        x.name_id_formats = [Saml::Kit::Namespaces::EMAIL_ADDRESS]
        x.add_assertion_consumer_service("http://localhost:8283/assertions", binding: :http_post)
      end
    end

    [200, { 'Content-Type' => "application/samlmetadata+xml" }, [xml]]
  end

  def call(env)
    path = env['PATH_INFO']
    case env['REQUEST_METHOD']
    when 'GET'
      case path
      when "/metadata.xml"
        return metadata
      when "/openid/new"
        return redirect_to("http://localhost:8282/oauth/authorize?client_id=service-provider&state=example&redirect_uri=http://localhost:8283/oauth/callback&response_type=code&response_mode=query&scope=openid")
      when "/oauth/callback"
        return oauth_callback(Rack::Request.new(env))
      else
        return saml_post_to_idp(Rack::Request.new(env))
      end
    when 'POST'
      case path
      when "/assertions"
        return saml_assertions(Rack::Request.new(env))
      else
        return not_found
      end
    end
    not_found
  end

  private

  def not_found
    [404, { 'X-Backend-Server' => 'SP' }, []]
  end

  def redirect_to(location)
    [302, { 'Location' => location }, []]
  end

  def oauth_callback(request)
    response = Net::Hippie.default_client.post(
      "http://localhost:8282/oauth/token",
      headers: { 'Authorization' => Net::Hippie.basic_auth('client_id', 'secret') },
      body: {
        grant_type: "authorization_code",
        code: request.params['code'],
        code_verifier: "not_implemented"
      }
    )
    [200, { "Content-Type" => "application/json" }, [JSON.pretty_generate(request.params.merge(JSON.parse(response.body)))]]
  end

  def saml_post_to_idp(request)
    idp = Saml::Kit.registry.metadata_for('http://localhost:8282/metadata.xml')
    relay_state = Base64.strict_encode64(JSON.generate(redirect_to: '/dashboard'))

    @saml_builder = nil
    uri, saml_params = idp.login_request_for(binding: :http_post, relay_state: relay_state) do |builder|
      @saml_builder = builder
    end

    template = <<~ERB
      <!doctype html>
      <html>
        <head><title></title></head>
        <body style="background-color: pink;">
          <h2>Sending SAML Request (SP -> IdP)</h2>
          <textarea readonly="readonly" disabled="disabled" cols=225 rows=6><%=- @saml_builder.to_xml(pretty: true) -%></textarea>

          <form action="<%= uri %>" method="post">
            <%- saml_params.each do |(key, value)| -%>
              <input type="hidden" name="<%= key %>" value="<%= value %>" />
            <%- end -%>
            <input type="submit" value="Submit" />
          </form>
        </body>
      </html>
    ERB
    html = ERB.new(template, trim_mode: '-').result(binding)
    [200, { 'Content-Type' => "text/html" }, [html]]
  end

  def saml_assertions(request)
    sp = Saml::Kit.registry.metadata_for('http://localhost:8283/metadata.xml')
    saml_binding = sp.assertion_consumer_service_for(binding: :http_post)
    saml_response = saml_binding.deserialize(request.params)
    raise saml_response.errors unless saml_response.valid?

    template = <<~ERB
      <!doctype html>
      <html>
        <head><title></title></head>
        <body style="background-color: pink;">
          <h2>Received SAML Response</h2>
          <textarea readonly="readonly" disabled="disabled" cols=220 rows=40><%=- saml_response.to_xml(pretty: true) -%></textarea>
        </body>
      </html>
    ERB
    erb = ERB.new(template, trim_mode: '-')
    html = erb.result(binding)
    [200, { 'Content-Type' => "text/html" }, [html]]
  end
end

if __FILE__ == $0
  app = Rack::Builder.new do
    use Rack::Reloader
    run ServiceProvider.new
  end.to_app

  Rackup::Server.start(app: app, Port: 8283)
end