Created
November 3, 2016 10:03
A utility snippet to sanity-check an IdP's SAML 2.0 federation metadata (HTTP-POST login/logout endpoints, signing certificate, advertised attribute claims and NameID formats) before wiring it into Devise OmniAuth.
require 'base64'
require 'openssl'
require 'uri/http'

require 'nokogiri'
require 'rest_client'
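puts
puts
puts 'Federation Metadata Checker'
puts '==========================='
puts
# Replace [sitename.com] with the federation host. Keep the https:// scheme:
# nothing else in this script vouches for the metadata (or the signing
# certificate printed later), so the TLS connection to this host is the whole
# trust anchor. Never downgrade it or pass verify_ssl: false.
uri = 'https://federation.[sitename.com]/federationmetadata/2007-06/federationmetadata.xml'
puts "Reading from #{uri} ..."
# Bounded timeout so a hung endpoint cannot stall the check indefinitely.
# rest-client raises on non-2xx responses, which is the behaviour we want here.
file_content = RestClient::Request.execute(method: :get, url: uri, timeout: 30).body
# rest-client tags the body with the charset from Content-Type, or leaves it as
# BINARY when the server sent none. Transcode a known non-UTF-8 charset to
# UTF-8; leave BINARY alone so Nokogiri can honour the XML declaration itself.
# (force_encoding(body.encoding) was a no-op retag, and encode('UTF-8') on a
# BINARY body raises on the first non-ASCII byte.)
unless [Encoding::UTF_8, Encoding::BINARY].include?(file_content.encoding)
  file_content = file_content.encode(Encoding::UTF_8)
end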
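puts 'Reading file into XML node tree ...'
# Nokogiri::XML parses with RECOVER | NONET and without entity substitution,
# so this remote document cannot pull in external entities or DTDs. Do not
# add NOENT / DTDLOAD here; SAML metadata never needs them.
xml_node_tree = Nokogiri::XML(file_content)
puts 'Extracting key info ...'
puts

dsig_ns = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#' }
saml_assertion_ns = { 'xmlns' => 'urn:oasis:names:tc:SAML:2.0:assertion' }
post_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# Federation metadata is normally enveloped-signed at the root element. This
# script does NOT verify that signature; the only thing vouching for every
# value printed below is the TLS connection the document was fetched over.
if xml_node_tree.xpath('/*/ds:Signature', dsig_ns).empty?
  puts 'NOTE: metadata carries no ds:Signature'
else
  puts 'NOTE: metadata carries a ds:Signature (NOT verified by this script)'
end
puts

idp = xml_node_tree.css('IDPSSODescriptor')
# HTTP-POST endpoints; nil when the IdP does not advertise one (the original
# .first.attr(...) raised NoMethodError in that case).
login_location = idp.css(%(SingleSignOnService[Binding="#{post_binding}"])).map { |n| n['Location'] }.first
logout_location = idp.css(%(SingleLogoutService[Binding="#{post_binding}"])).map { |n| n['Location'] }.first
# saml:Attribute children of the IDPSSODescriptor: the claims the IdP advertises.
attribute_nodes = idp.xpath('xmlns:Attribute', saml_assertion_ns)

puts 'Login location:'
puts(login_location || '(no HTTP-POST SingleSignOnService found)')
puts
puts 'Logout location:'
puts(logout_location || '(no HTTP-POST SingleLogoutService found)')

# Per the SAML metadata spec a KeyDescriptor with no `use` attribute is valid
# for both signing and encryption, so include those alongside use="signing".
# During key rollover an IdP advertises several signing certificates at once;
# calling .text on the whole NodeSet concatenated their base64 into one blob,
# so each X509Certificate element is decoded on its own here.
signing_certificates = idp.css('KeyDescriptor')
                          .select { |kd| kd['use'].nil? || kd['use'] == 'signing' }
                          .flat_map { |kd| kd.xpath('ds:KeyInfo/ds:X509Data/ds:X509Certificate', dsig_ns).to_a }
                          .map { |cert_node| OpenSSL::X509::Certificate.new(Base64.decode64(cert_node.text)) }

puts
puts "Checking certificate details (#{signing_certificates.size} signing certificate(s)) ..."
puts 'WARNING: no signing certificate found in IDPSSODescriptor' if signing_certificates.empty?
now = Time.now
signing_certificates.each_with_index do |certificate, index|
  puts
  puts "--- Signing certificate #{index + 1} ---"
  puts certificate
  puts
  puts 'Subject: ' + certificate.subject.to_s
  puts 'Issuer: ' + certificate.issuer.to_s
  puts 'Not before: ' + certificate.not_before.to_s
  puts 'Expiry: ' + certificate.not_after.to_s
  # Pin this fingerprint in the relying-party configuration rather than
  # trusting whatever the metadata happens to say on the next fetch.
  puts 'SHA-256 fingerprint: ' + OpenSSL::Digest::SHA256.hexdigest(certificate.to_der)
  if certificate.not_after < now
    puts 'WARNING: certificate has EXPIRED'
  elsif certificate.not_before > now
    puts 'WARNING: certificate is not yet valid'
  elsif certificate.not_after < now + 30 * 24 * 60 * 60
    puts 'WARNING: certificate expires within 30 days - plan the key rollover'
  end
end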
# Claims the relying party needs the IdP to advertise (StorIQ setup
# requirements): each Devise attribute maps to the claim URI(s) that satisfy it.
attribute_statements = {
  email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
  first_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
  last_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
}
puts
puts 'Checking for attribute statements required ...'
# Report how many advertised saml:Attribute elements carry each claim URI.
# A count of 0 means the metadata does not list it; the IdP may still issue it,
# so confirm with the IdP administrator before relying on it.
attribute_statements.values.flatten.each do |claim_uri|
  advertised = attribute_nodes.css(%([Name="#{claim_uri}"])).count
  puts "#{claim_uri}: #{advertised}"
end
puts
puts 'Listing NameIDFormat options'
# Every md:NameIDFormat the IdP advertises; the relying party's
# name_identifier_format setting should be one of these.
name_id_nodes = xml_node_tree.css('IDPSSODescriptor NameIDFormat')
name_id_nodes.each { |format_node| puts format_node.text }