custom-adal 1.0.1

data/lib/adal/mex_response.rb

@@ -0,0 +1,141 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+require_relative './xml_namespaces'
+
+require 'nokogiri'
+require 'uri'
+
+module ADAL
+  # Relevant fields from a Mex response.
+  class MexResponse
+    include XmlNamespaces
+
+    class << self
+      include Logging
+    end
+
+    class MexError < StandardError; end
+
+    POLICY_ID_XPATH =
+      '//wsdl:definitions/wsp:Policy[./wsp:ExactlyOne/wsp:All/sp:SignedSuppor' \
+      'tingTokens/wsp:Policy/sp:UsernameToken/wsp:Policy/sp:WssUsernameToken1' \
+      '0]/@u:Id|//wsdl:definitions/wsp:Policy[./wsp:ExactlyOne/wsp:All/ssp:Si' \
+      'gnedEncryptedSupportingTokens/wsp:Policy/ssp:UsernameToken/wsp:Policy/' \
+      'ssp:WssUsernameToken10]/@u:Id'
+    BINDING_XPATH = '//wsdl:definitions/wsdl:binding[./wsp:PolicyReference]'
+    PORT_XPATH = '//wsdl:definitions/wsdl:service/wsdl:port'
+    ADDRESS_XPATH = './soap12:address/@location'
+
+    ##
+    # Parses the XML string response from the Metadata Exchange endpoint into
+    # a MexResponse object.
+    #
+    # @param String response
+    # @return MexResponse
+    def self.parse(response)
+      xml = Nokogiri::XML(response)
+      policy_ids = parse_policy_ids(xml)
+      bindings = parse_bindings(xml, policy_ids)
+      endpoint, binding = parse_endpoint_and_binding(xml, bindings)
+      MexResponse.new(endpoint, binding)
+    end
+
+    # @param Nokogiri::XML::Document xml
+    # @param Array[String] policy_ids
+    # @return Array[String]
+    def self.parse_bindings(xml, policy_ids)
+      matching_bindings = xml.xpath(BINDING_XPATH, NAMESPACES).map do |node|
+        reference_uri = node.xpath('./wsp:PolicyReference/@URI', NAMESPACES)
+        node.xpath('./@name').to_s if policy_ids.include? reference_uri.to_s
+      end.compact
+      fail MexError, 'No matching bindings found.' if matching_bindings.empty?
+      matching_bindings
+    end
+    private_class_method :parse_bindings
+
+    # @param Nokogiri::XML::Document xml
+    # @param Array[String] bindings
+    # @return Array[[String, String]]
+    def self.parse_all_endpoints(xml, bindings)
+      endpoints = xml.xpath(PORT_XPATH, NAMESPACES).map do |node|
+        binding = node.attr('binding').split(':').last
+        if bindings.include? binding
+          [node.xpath(ADDRESS_XPATH, NAMESPACES).to_s, binding]
+        end
+      end.compact
+      endpoints
+    end
+    private_class_method :parse_all_endpoints
+
+    # @param Nokogiri::XML::Document xml
+    # @param Array[String] bindings
+    # @return [String, String]
+    def self.parse_endpoint_and_binding(xml, bindings)
+      endpoints = parse_all_endpoints(xml, bindings)
+      case endpoints.size
+      when 0
+        fail MexError, 'No valid WS-Trust endpoints found.'
+      when 1
+      else
+        logger.info('Multiple WS-Trust endpoints were found in the mex ' \
+                    'response. Only one was used.')
+      end
+      prefer_13(endpoints).first
+    end
+    private_class_method :parse_endpoint_and_binding
+
+    # @param Nokogiri::XML::Document xml
+    # @return Array[String]
+    def self.parse_policy_ids(xml)
+      policy_ids = xml.xpath(POLICY_ID_XPATH, NAMESPACES)
+                   .map { |attr| "\##{attr.value}" }
+      fail MexError, 'No username token policy nodes.' if policy_ids.empty?
+      policy_ids
+    end
+    private_class_method :parse_policy_ids
+
+    # @param Array[String, String] endpoints
+    # @return Array[String, String] endpoints
+    def self.prefer_13(endpoints)
+      only13 = endpoints.select { |_, b| BINDING_TO_ACTION[b] == WSTRUST_13 }
+      only13.empty? ? endpoints : only13
+    end
+    private_class_method :prefer_13
+
+    attr_reader :action
+    attr_reader :wstrust_url
+
+    ##
+    # Constructs a new MexResponse.
+    #
+    # @param String|URI wstrust_url
+    # @param String action
+    def initialize(wstrust_url, binding)
+      @action = BINDING_TO_ACTION[binding]
+      @wstrust_url = URI.parse(wstrust_url.to_s)
+      return if @wstrust_url.instance_of? URI::HTTPS
+      fail ArgumentError, 'Mex is only done over HTTPS.'
+    end
+  end
+end

data/lib/adal/noop_cache.rb

@@ -0,0 +1,38 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # A cache implementation that holds no values and ignores all method calls.
+  class NoopCache
+    # Swallows any number of parameters and returns nil.
+    def noop(*); end
+
+    alias_method :add, :noop
+    alias_method :add_many, :noop
+    alias_method :remove, :noop
+    alias_method :remove_many, :noop
+
+    def find(*)
+      []
+    end
+  end
+end

data/lib/adal/oauth_request.rb

@@ -0,0 +1,76 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './logging'
+require_relative './request_parameters'
+require_relative './util'
+
+require 'net/http'
+require 'uri'
+
+module ADAL
+  # A request that can be made to an authentication or token server.
+  class OAuthRequest
+    include RequestParameters
+    include Util
+
+    DEFAULT_CONTENT_TYPE = 'application/x-www-form-urlencoded'
+    DEFAULT_ENCODING = 'utf8'
+    SSL_SCHEME = 'https'
+
+    def initialize(endpoint, params)
+      @endpoint_uri = URI.parse(endpoint.to_s)
+      @params = params
+    end
+
+    def params
+      default_parameters.merge(@params)
+    end
+
+    ##
+    # Requests and waits for a token from the endpoint.
+    # @return TokenResponse
+    def execute
+      request = Net::HTTP::Post.new(@endpoint_uri.path)
+      add_headers(request)
+      request.body = URI.encode_www_form(string_hash(params))
+      TokenResponse.parse(http(@endpoint_uri).request(request).body)
+    end
+
+    private
+
+    ##
+    # Adds the necessary OAuth headers.
+    #
+    # @param Net::HTTPGenericRequest
+    def add_headers(request)
+      return if Logging.correlation_id.nil?
+      request.add_field(CLIENT_REQUEST_ID.to_s, Logging.correlation_id)
+      request.add_field(CLIENT_RETURN_CLIENT_REQUEST_ID.to_s, true)
+    end
+
+    def default_parameters
+      { encoding: DEFAULT_ENCODING,
+        AAD_API_VERSION => '1.0' }
+    end
+  end
+end

data/lib/adal/request_parameters.rb

@@ -0,0 +1,48 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Names of parameters in OAuth requests. This module can be included in any
+  # class to reference the parameters instead of referring to them as strings
+  # or symbols
+  module RequestParameters
+    AAD_API_VERSION = 'api-version'.to_sym
+    ASSERTION = 'assertion'.to_sym
+    CLIENT_ASSERTION = 'client_assertion'.to_sym
+    CLIENT_ASSERTION_TYPE = 'client_assertion_type'.to_sym
+    CLIENT_ID = 'client_id'.to_sym
+    CLIENT_REQUEST_ID = 'client-request-id'.to_sym
+    CLIENT_RETURN_CLIENT_REQUEST_ID = 'client-return-client-request-id'.to_sym
+    CLIENT_SECRET = 'client_secret'.to_sym
+    CODE = 'code'.to_sym
+    FORM_POST = 'form_post'.to_sym
+    GRANT_TYPE = 'grant_type'.to_sym
+    PASSWORD = 'password'.to_sym
+    REDIRECT_URI = 'redirect_uri'.to_sym
+    REFRESH_TOKEN = 'refresh_token'.to_sym
+    RESOURCE = 'resource'.to_sym
+    SCOPE = 'scope'.to_sym
+    UNIQUE_ID = 'unique_id'.to_sym
+    USER_INFO = 'user_info'.to_sym
+    USERNAME = 'username'.to_sym
+  end
+end

data/lib/adal/self_signed_jwt_factory.rb

@@ -0,0 +1,96 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './jwt_parameters'
+require_relative './logging'
+
+require 'jwt'
+require 'openssl'
+require 'securerandom'
+
+module ADAL
+  # Converts client certificates into self signed JWTs.
+  class SelfSignedJwtFactory
+    include JwtParameters
+    include Logging
+
+    ##
+    # Constructs a new SelfSignedJwtFactory.
+    #
+    # @param String client_id
+    #   The client id of the calling application.
+    # @param String token_endpoint
+    #   The token endpoint that will accept the certificate.
+    def initialize(client_id, token_endpoint)
+      @client_id = client_id
+      @token_endpoint = token_endpoint
+    end
+
+    ##
+    # Creates a JWT from a client certificate and signs it with a private key.
+    #
+    # @param OpenSSL::X509::Certificate certificate
+    #   The certifcate object to be converted to a JWT and signed for use
+    #   in an authentication flow.
+    # @param OpenSSL::PKey::RSA private_key
+    #   The private key used to sign the certificate.
+    # @return String
+    def create_and_sign_jwt(certificate, private_key)
+      JWT.encode(payload, private_key, RS256, header(certificate))
+    end
+
+    private
+
+    # The JWT header for a certificate to be encoded.
+    def header(certificate)
+      x5t = thumbprint(certificate)
+      logger.verbose("Creating self signed JWT header with thumbprint: #{x5t}.")
+      { TYPE => TYPE_JWT,
+        ALGORITHM => RS256,
+        THUMBPRINT => x5t }
+    end
+
+    # The JWT payload.
+    def payload
+      now = Time.now - 1
+      expires = now + 60 * SELF_SIGNED_JWT_LIFETIME
+      logger.verbose("Creating self signed JWT payload. Expires: #{expires}. " \
+                     "NotBefore: #{now}.")
+      { AUDIENCE => @token_endpoint,
+        ISSUER => @client_id,
+        SUBJECT => @client_id,
+        NOT_BEFORE => now.to_i,
+        EXPIRES_ON => expires.to_i,
+        JWT_ID => SecureRandom.uuid }
+    end
+
+    ##
+    # Base 64 encoded thumbprint AKA fingerprint AKA SHA1 hash of the
+    # DER representation of the cert.
+    #
+    # @param OpenSSL::X509::Certificate certificate
+    # @return String
+    def thumbprint(certificate)
+      OpenSSL::Digest::SHA1.new(certificate.to_der).base64digest
+    end
+  end
+end

data/lib/adal/templates/rst.13.xml.erb

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
+    <a:messageID>urn:uuid:<%= message_id %></a:messageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <a:To s:mustUnderstand="1"><%= @endpoint %></a:To>
+    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <u:Timestamp u:Id="_0">
+        <u:Created><%= created.utc.iso8601 %></u:Created>
+        <u:Expires><%= expires.utc.iso8601 %></u:Expires>
+      </u:Timestamp>
+      <o:UsernameToken u:Id="ADALUsernameToken">
+        <o:Username><%= username.encode(xml: :text) %></o:Username>
+        <o:Password><%= password.encode(xml: :text) %></o:Password>
+      </o:UsernameToken>
+    </o:Security>
+  </s:Header>
+  <s:Body>
+    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+        <a:EndpointReference>
+          <a:Address><%= @applies_to %></a:Address>
+        </a:EndpointReference>
+      </wsp:AppliesTo>
+      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
+      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
+    </trust:RequestSecurityToken>
+  </s:Body>
+</s:Envelope>
+
+
+

data/lib/adal/templates/rst.2005.xml.erb

@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+  <s:Header>
+    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
+    <a:messageID>urn:uuid:<%= message_id %></a:messageID>
+    <a:ReplyTo>
+      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+    </a:ReplyTo>
+    <a:To s:mustUnderstand="1"><%= @endpoint %></a:To>
+    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
+      <u:Timestamp u:Id="_0">
+        <u:Created><%= created.utc.iso8601 %></u:Created>
+        <u:Expires><%= expires.utc.iso8601 %></u:Expires>
+      </u:Timestamp>
+      <o:UsernameToken u:Id="ADALUsernameToken">
+        <o:Username><%= username.encode(xml: :text) %></o:Username>
+        <o:Password><%= password.encode(xml: :text) %></o:Password>
+      </o:UsernameToken>
+    </o:Security>
+  </s:Header>
+  <s:Body>
+    <trust:RequestSecurityToken xmlns:trust="http://schemas.xmlsoap.org/ws/2005/02/trust">
+      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+        <a:EndpointReference>
+          <a:Address><%= @applies_to %></a:Address>
+        </a:EndpointReference>
+      </wsp:AppliesTo>
+      <trust:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</trust:KeyType>
+      <trust:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</trust:RequestType>
+    </trust:RequestSecurityToken>
+  </s:Body>
+</s:Envelope>