identizer 0.1.0

data/lib/identizer/ldap/handler.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Ldap
+    # Turns the directory into LDAP semantics: simple-bind authentication and
+    # subtree search with attribute projection. Protocol-agnostic — the Server
+    # handles BER; this handler only deals in DNs, attributes and result codes.
+    class Handler
+      SUCCESS = 0
+      INVALID_CREDENTIALS = 49
+
+      OBJECT_CLASSES = %w[top person organizationalPerson inetOrgPerson].freeze
+
+      def initialize(config)
+        @config = config
+      end
+
+      # Simple bind: anonymous (empty dn+password) succeeds; otherwise the DN must
+      # resolve to a directory entry and the password must match the shared one.
+      def bind(dn, password)
+        return SUCCESS if dn.to_s.empty? && password.to_s.empty?
+        return INVALID_CREDENTIALS unless password == @config.shared_password
+
+        entry_for_dn(dn) ? SUCCESS : INVALID_CREDENTIALS
+      end
+
+      # Returns [{ dn:, attributes: }] for entries under `base` matching `filter`.
+      def search(base, filter)
+        base = base.to_s.downcase
+        store.entries.filter_map do |entry|
+          attributes = attributes_for(entry)
+          next unless within_base?(entry, base)
+          next unless Filter.match?(filter, attributes)
+
+          { dn: entry.dn, attributes: attributes }
+        end
+      end
+
+      private
+
+      def store
+        @config.identity_store
+      end
+
+      def entry_for_dn(dn)
+        dn = dn.to_s.downcase
+        store.entries.find { |entry| entry.dn.casecmp?(dn) }
+      end
+
+      def within_base?(entry, base)
+        base.empty? || entry.dn.downcase.end_with?(base)
+      end
+
+      def attributes_for(entry)
+        attributes = {
+          "objectClass" => OBJECT_CLASSES,
+          "uid" => [entry.uid], "cn" => [entry["cn"]], "mail" => [entry.mail],
+          "ou" => [entry.ou], "givenName" => [entry["givenName"]], "sn" => [entry["sn"]],
+          "memberOf" => entry.groups
+        }
+        attributes.transform_values { |values| Array(values).compact.map(&:to_s) }
+                  .reject { |_, values| values.empty? }
+      end
+    end
+  end
+end

data/lib/identizer/ldap/server.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Ldap
+    # A minimal LDAP v3 listener so apps that authenticate via LDAP can bind and
+    # search against the directory. Speaks BER over a plain TCP socket using
+    # Net::LDAP's codec. Supports simple bind, search (with the filters in
+    # Identizer::Ldap::Filter) and unbind — enough to develop LDAP auth locally.
+    class Server
+      # protocolOp application tags (request side).
+      BIND_REQUEST = 0x60
+      SEARCH_REQUEST = 0x63
+      UNBIND_REQUEST = 0x42
+      EXTENDED_REQUEST = 0x77
+
+      # protocolOp application tags (response side).
+      BIND_RESPONSE = 1
+      SEARCH_ENTRY = 4
+      SEARCH_DONE = 5
+      EXTENDED_RESPONSE = 24
+
+      PROTOCOL_ERROR = 2
+      STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
+
+      # Net::LDAP's client syntax doesn't map the ExtendedRequest tag, so add it
+      # (as an array) — otherwise read_ber raises on a StartTLS request.
+      SYNTAX = Net::LDAP::AsnSyntax.dup.tap { |syntax| syntax[EXTENDED_REQUEST] = :array }.freeze
+
+      def initialize(config, host: nil, port: nil, tls: false)
+        @config = config
+        @host = host || config.ldap_host || config.host
+        @port = port || config.ldap_port || 1389
+        @tls = tls
+        @handler = Handler.new(config)
+      end
+
+      attr_reader :host, :port
+
+      def start
+        @socket = TCPServer.new(@host, @port)
+        @ssl_context = build_ssl_context if @tls
+        @running = true
+        accept_loop
+      end
+
+      def stop
+        @running = false
+        @socket&.close
+      rescue IOError
+        nil
+      end
+
+      private
+
+      def accept_loop
+        while @running
+          # accept returns nil when the socket is closed by stop (then @running is
+          # false and the loop exits) or when a TLS handshake fails (skip, keep serving).
+          client = accept
+          next unless client
+
+          Thread.new(client) { |connection| serve(connection) }
+        end
+      end
+
+      def accept
+        client = @socket.accept
+        @tls ? wrap_tls(client) : client
+      rescue IOError, Errno::EBADF
+        nil
+      end
+
+      def wrap_tls(client)
+        ssl = OpenSSL::SSL::SSLSocket.new(client, ssl_context)
+        ssl.sync_close = true
+        ssl.accept
+        ssl
+      rescue OpenSSL::SSL::SSLError, IOError
+        client.close
+        nil
+      end
+
+      def ssl_context
+        @ssl_context ||= build_ssl_context
+      end
+
+      def build_ssl_context
+        cert, key, = TLS.resolve(@config)
+        context = OpenSSL::SSL::SSLContext.new
+        context.cert = cert
+        context.key = key
+        context
+      end
+
+      def serve(connection)
+        readable(connection)
+        while (pdu = connection.read_ber(SYNTAX))
+          case dispatch(connection, pdu[0], pdu[1])
+          when :close then break
+          when :starttls
+            connection = upgrade_to_tls(connection)
+            break if connection.nil?
+          end
+        end
+      rescue StandardError
+        nil
+      ensure
+        connection.close if connection && !connection.closed?
+      end
+
+      # Net::BER's read_ber is mixed into IO/StringIO; an SSLSocket needs it added.
+      def readable(connection)
+        connection.extend(Net::BER::BERParser) unless connection.respond_to?(:read_ber)
+      end
+
+      def dispatch(connection, message_id, operation)
+        case operation.ber_identifier
+        when BIND_REQUEST then handle_bind(connection, message_id, operation)
+        when SEARCH_REQUEST then handle_search(connection, message_id, operation)
+        when EXTENDED_REQUEST then handle_extended(connection, message_id, operation)
+        when UNBIND_REQUEST then :close
+        else write(connection, message_id, result(PROTOCOL_ERROR, SEARCH_DONE))
+        end
+      end
+
+      # StartTLS (RFC 4513): acknowledge, then upgrade the plain socket to TLS.
+      def handle_extended(connection, message_id, operation)
+        if operation[0].to_s == STARTTLS_OID
+          write(connection, message_id, result(Handler::SUCCESS, EXTENDED_RESPONSE))
+          :starttls
+        else
+          write(connection, message_id, result(PROTOCOL_ERROR, EXTENDED_RESPONSE))
+        end
+      end
+
+      def upgrade_to_tls(connection)
+        ssl = OpenSSL::SSL::SSLSocket.new(connection, ssl_context)
+        ssl.sync_close = true
+        ssl.accept
+        readable(ssl)
+        ssl
+      rescue OpenSSL::SSL::SSLError, IOError
+        nil
+      end
+
+      def handle_bind(connection, message_id, operation)
+        code = @handler.bind(operation[1].to_s, operation[2].to_s)
+        write(connection, message_id, result(code, BIND_RESPONSE))
+      end
+
+      def handle_search(connection, message_id, operation)
+        base = operation[0].to_s
+        filter = operation[6]
+        @handler.search(base, filter).each do |entry|
+          write(connection, message_id, search_entry(entry))
+        end
+        write(connection, message_id, result(Handler::SUCCESS, SEARCH_DONE))
+      end
+
+      def search_entry(entry)
+        attributes = entry[:attributes].map do |name, values|
+          [name.to_ber, values.map(&:to_ber).to_ber_set].to_ber_sequence
+        end
+        [entry[:dn].to_ber, attributes.to_ber_sequence].to_ber_appsequence(SEARCH_ENTRY)
+      end
+
+      # An LDAPResult (resultCode, matchedDN, diagnosticMessage) under a tag.
+      def result(code, tag)
+        [code.to_ber_enumerated, "".to_ber, "".to_ber].to_ber_appsequence(tag)
+      end
+
+      def write(connection, message_id, operation_ber)
+        connection.write([message_id.to_ber, operation_ber].to_ber_sequence)
+        nil
+      end
+    end
+  end
+end

data/lib/identizer/ldap.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Optional LDAP listener. Required on demand (e.g. by the CLI when --ldap-port is
+# set) so the net-ldap dependency is only loaded when the feature is used.
+require "net/ldap"
+require "socket"
+
+module Identizer
+  # A minimal LDAP v3 server backed by the identity directory.
+  module Ldap
+  end
+end
+
+require_relative "ldap/filter"
+require_relative "ldap/handler"
+require_relative "ldap/server"

data/lib/identizer/providers.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Identizer
+  # The default provider cheatsheet rendered on the dashboard. Kept out of
+  # Configuration so the config object stays about settings, not view copy.
+  module Providers
+    module_function
+
+    def default(base_url)
+      [
+        {
+          title: "OpenID Connect",
+          note: nil,
+          fields: [
+            ["Issuer URL", base_url],
+            ["Authorization endpoint", "#{base_url}/v1/authorize"],
+            ["Token endpoint", "#{base_url}/v1/token"],
+            ["Discovery", "#{base_url}/.well-known/openid-configuration"],
+            ["Client ID", "dev-client"],
+            ["Client secret", "dev-secret"]
+          ]
+        },
+        {
+          title: "OAuth2 / Auth0-style",
+          note: "Exchange the code at /oauth/token, then fetch the profile at /userinfo.",
+          fields: [
+            ["Authorization endpoint", "#{base_url}/authorize"],
+            ["Token endpoint", "#{base_url}/oauth/token"],
+            ["Userinfo endpoint", "#{base_url}/userinfo"],
+            ["Domain (bare, no scheme)", base_url.sub(%r{\Ahttps?://}, "")]
+          ]
+        },
+        {
+          title: "SAML 2.0",
+          note: "A real signed IdP. Point your SP at the SSO endpoint and metadata below.",
+          fields: [
+            ["Metadata URL", "#{base_url}/metadata"],
+            ["SSO URL (Redirect/POST)", "#{base_url}/saml/sso"],
+            ["NameID", "emailAddress"]
+          ]
+        },
+        {
+          title: "AWS Cognito broker",
+          note: "Point COGNITO_ENDPOINT at this server so the management API is stubbed.",
+          fields: [
+            ["Endpoint", base_url],
+            ["Hosted UI login", "#{base_url}/login"],
+            ["Token endpoint", "#{base_url}/oauth2/token"]
+          ]
+        }
+      ]
+    end
+  end
+end

data/lib/identizer/renderer.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "erb"
+
+module Identizer
+  # Minimal ERB renderer with a shared layout. Templates live under web/views and
+  # are rendered in a Context that exposes the passed locals plus an `h` escaping
+  # helper. No template-engine dependency — stdlib ERB only.
+  class Renderer
+    VIEWS_DIR = File.expand_path("web/views", __dir__)
+
+    def initialize(layout: "layout")
+      @layout = layout
+      @cache = {}
+    end
+
+    def render(template, **locals)
+      content = render_template(template, locals)
+      render_template(@layout, locals.merge(content: content))
+    end
+
+    # Render a standalone template without the admin layout (e.g. the login form).
+    def render_bare(template, **locals)
+      render_template(template, locals)
+    end
+
+    private
+
+    def render_template(name, locals)
+      template(name).result(Context.new(locals).binding_for)
+    end
+
+    def template(name)
+      @cache[name] ||= ERB.new(File.read(File.join(VIEWS_DIR, "#{name}.html.erb")), trim_mode: "-")
+    end
+
+    # Evaluation context: locals become reader methods; `h` escapes HTML.
+    class Context
+      def initialize(locals)
+        locals.each { |key, value| define_singleton_method(key) { value } }
+      end
+
+      def h(value)
+        CGI.escapeHTML(value.to_s)
+      end
+
+      def binding_for
+        binding
+      end
+    end
+  end
+end

data/lib/identizer/responses.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Identizer
+  # Tiny helpers for building Rack responses ([status, headers, body]).
+  module Responses
+    def json(status, payload)
+      [status, { "content-type" => "application/json" }, [JSON.generate(payload)]]
+    end
+
+    # AWS SDK expects this content type back from the Cognito management API.
+    def amz_json(payload)
+      [200, { "content-type" => "application/x-amz-json-1.1" }, [JSON.generate(payload)]]
+    end
+
+    def html(body, status: 200)
+      [status, { "content-type" => "text/html; charset=utf-8" }, [body]]
+    end
+
+    def xml(body, headers: {})
+      [200, { "content-type" => "application/xml; charset=utf-8" }.merge(headers), [body]]
+    end
+
+    def redirect(location, status: 302)
+      [status, { "location" => location }, []]
+    end
+
+    def not_found(message)
+      json(404, { error: message })
+    end
+
+    def no_content
+      [204, {}, []]
+    end
+
+    def escape_html(value)
+      CGI.escapeHTML(value.to_s)
+    end
+
+    # A small standalone HTML page (errors/notices). `body_html` is inserted raw,
+    # so callers must escape any user-controlled values they put in it.
+    def notice_page(heading, body_html)
+      html("<!doctype html><html><body style=\"font-family:sans-serif;max-width:480px;margin:64px auto\">" \
+           "<h2>#{escape_html(heading)}</h2><p>#{body_html}</p></body></html>")
+    end
+  end
+end

data/lib/identizer/saml/encryptor.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "openssl"
+require "base64"
+
+module Identizer
+  module Saml
+    # XML-Encryption of a (signed) SAML Assertion into an <EncryptedAssertion>:
+    # AES-256-CBC for the assertion, RSA-OAEP key transport of the AES key under
+    # the SP's certificate. Decryptable by standard SPs (validated with ruby-saml).
+    class Encryptor
+      XENC = "http://www.w3.org/2001/04/xmlenc#"
+      AES256_CBC = "#{XENC}aes256-cbc".freeze
+      RSA_OAEP = "#{XENC}rsa-oaep-mgf1p".freeze
+
+      def initialize(certificate)
+        @certificate = certificate
+      end
+
+      # Replaces `assertion` in its document with an <EncryptedAssertion> node.
+      def encrypt!(assertion)
+        document = assertion.document
+        plaintext = assertion.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML)
+
+        cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
+        key = cipher.random_key
+        iv = cipher.random_iv
+        ciphertext = cipher.update(plaintext) + cipher.final
+
+        encrypted = encrypted_assertion_node(
+          document,
+          cipher_value: Base64.strict_encode64(iv + ciphertext),
+          encrypted_key: Base64.strict_encode64(transport_key(key)),
+          certificate: Base64.strict_encode64(@certificate.to_der)
+        )
+        assertion.replace(encrypted)
+        encrypted
+      end
+
+      private
+
+      # RSA-OAEP (SHA-1 / MGF1, i.e. rsa-oaep-mgf1p) wrap of the AES key.
+      def transport_key(key)
+        @certificate.public_key.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+      end
+
+      def encrypted_assertion_node(document, cipher_value:, encrypted_key:, certificate:)
+        fragment = [
+          %(<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">),
+          %(<xenc:EncryptedData xmlns:xenc="#{XENC}" Type="#{XENC}Element">),
+          %(<xenc:EncryptionMethod Algorithm="#{AES256_CBC}"/>),
+          %(<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey>),
+          %(<xenc:EncryptionMethod Algorithm="#{RSA_OAEP}"/>),
+          %(<ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{certificate}</ds:X509Certificate>),
+          %(</ds:X509Data></ds:KeyInfo>),
+          %(<xenc:CipherData><xenc:CipherValue>#{encrypted_key}</xenc:CipherValue></xenc:CipherData>),
+          %(</xenc:EncryptedKey></ds:KeyInfo>),
+          %(<xenc:CipherData><xenc:CipherValue>#{cipher_value}</xenc:CipherValue></xenc:CipherData>),
+          %(</xenc:EncryptedData></saml:EncryptedAssertion>)
+        ].join
+        document.parse(fragment).first
+      end
+    end
+  end
+end

data/lib/identizer/saml/keypair.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Saml
+    # The RSA key + self-signed certificate the IdP signs assertions with,
+    # persisted under the config dir so metadata stays stable across restarts.
+    class Keypair
+      def self.load_or_generate(config_dir)
+        key_path = File.join(config_dir, "saml_signing_key.pem")
+        cert_path = File.join(config_dir, "saml_signing_cert.pem")
+
+        if File.exist?(key_path) && File.exist?(cert_path)
+          return new(OpenSSL::PKey::RSA.new(File.read(key_path)),
+                     OpenSSL::X509::Certificate.new(File.read(cert_path)))
+        end
+
+        key = OpenSSL::PKey::RSA.new(2048)
+        certificate = self_signed(key)
+        FileUtils.mkdir_p(config_dir)
+        File.write(key_path, key.to_pem)
+        File.chmod(0o600, key_path)
+        File.write(cert_path, certificate.to_pem)
+        new(key, certificate)
+      end
+
+      def self.self_signed(key)
+        name = OpenSSL::X509::Name.parse("/CN=identizer-saml")
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.serial = 1
+        cert.subject = name
+        cert.issuer = name
+        cert.public_key = key.public_key
+        cert.not_before = Time.now - 60
+        cert.not_after = Time.now + (10 * 365 * 24 * 60 * 60)
+        cert.sign(key, OpenSSL::Digest.new("SHA256"))
+        cert
+      end
+
+      attr_reader :key, :certificate
+
+      def initialize(key, certificate)
+        @key = key
+        @certificate = certificate
+      end
+
+      # Base64 DER, the form embedded in SAML metadata and <ds:X509Certificate>.
+      def certificate_base64
+        Base64.strict_encode64(@certificate.to_der)
+      end
+    end
+  end
+end

data/lib/identizer/saml/response_builder.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "securerandom"
+
+module Identizer
+  module Saml
+    # Builds a SAML 2.0 Response containing a signed Assertion for a signed-in
+    # identity, ready to POST to the SP's assertion consumer service.
+    class ResponseBuilder
+      PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
+      BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+      EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+      URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+      PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      VALIDITY = 300
+
+      def initialize(config, keypair)
+        @config = config
+        @keypair = keypair
+      end
+
+      # Returns the signed Response XML string.
+      def build(identity:, acs_url:, audience:, in_response_to: nil, now: Time.now)
+        document = document_for(identity, acs_url, audience, in_response_to, now)
+        signer = Signer.new(@keypair)
+        signer.sign!(document.at_xpath("//saml:Assertion", "saml" => ASSERTION))
+        encrypt_assertion(document) if encrypt?
+        signer.sign!(document.root) if @config.saml_sign_response # sign the Response too
+        document.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML |
+                                   Nokogiri::XML::Node::SaveOptions::NO_DECLARATION)
+      end
+
+      def build_base64(**)
+        Base64.strict_encode64(build(**))
+      end
+
+      private
+
+      def encrypt?
+        @config.saml_encrypt_assertion && @config.saml_sp_certificate
+      end
+
+      def encrypt_assertion(document)
+        assertion = document.at_xpath("//saml:Assertion", "saml" => ASSERTION)
+        Encryptor.new(@config.saml_sp_certificate).encrypt!(assertion)
+      end
+
+      def document_for(identity, acs_url, audience, in_response_to, now)
+        response_id = "_#{SecureRandom.hex(16)}"
+        assertion_id = "_#{SecureRandom.hex(16)}"
+
+        builder = Nokogiri::XML::Builder.new do |xml|
+          xml["samlp"].Response(response_attributes(response_id, acs_url, in_response_to, now)) do
+            xml["saml"].Issuer(@config.issuer)
+            xml["samlp"].Status { xml["samlp"].StatusCode(Value: SUCCESS) }
+            assertion(xml, identity, assertion_id, acs_url, audience, in_response_to, now)
+          end
+        end
+        builder.doc
+      end
+
+      def assertion(xml, identity, assertion_id, acs_url, audience, in_response_to, now)
+        xml["saml"].Assertion(ID: assertion_id, Version: "2.0", IssueInstant: iso(now)) do
+          xml["saml"].Issuer(@config.issuer)
+          subject(xml, identity, acs_url, in_response_to, now)
+          conditions(xml, audience, now)
+          authn_statement(xml, assertion_id, now)
+          attribute_statement(xml, identity)
+        end
+      end
+
+      def subject(xml, identity, acs_url, in_response_to, now)
+        xml["saml"].Subject do
+          xml["saml"].NameID(identity.email, Format: EMAIL_FORMAT)
+          xml["saml"].SubjectConfirmation(Method: BEARER) do
+            xml["saml"].SubjectConfirmationData(confirmation_attributes(acs_url, in_response_to, now))
+          end
+        end
+      end
+
+      def conditions(xml, audience, now)
+        xml["saml"].Conditions(NotBefore: iso(now - VALIDITY), NotOnOrAfter: iso(now + VALIDITY)) do
+          xml["saml"].AudienceRestriction { xml["saml"].Audience(audience) }
+        end
+      end
+
+      def authn_statement(xml, assertion_id, now)
+        xml["saml"].AuthnStatement(AuthnInstant: iso(now), SessionIndex: assertion_id) do
+          xml["saml"].AuthnContext { xml["saml"].AuthnContextClassRef(PASSWORD_CONTEXT) }
+        end
+      end
+
+      def attribute_statement(xml, identity)
+        names = @config.saml_attribute_names
+        xml["saml"].AttributeStatement do
+          identity.to_h.each do |claim, value|
+            xml["saml"].Attribute(attribute_naming(claim, names)) do
+              Array(value).each { |item| xml["saml"].AttributeValue(item.to_s) }
+            end
+          end
+        end
+      end
+
+      # Map a claim to its SAML Attribute name/format, keeping the short claim
+      # name as FriendlyName when a URI name is configured.
+      def attribute_naming(claim, names)
+        mapped = names[claim]
+        return { Name: claim, NameFormat: BASIC_FORMAT } unless mapped
+
+        { Name: mapped, FriendlyName: claim, NameFormat: URI_FORMAT }
+      end
+
+      def response_attributes(response_id, acs_url, in_response_to, now)
+        attributes = {
+          "xmlns:samlp" => PROTOCOL, "xmlns:saml" => ASSERTION,
+          "ID" => response_id, "Version" => "2.0",
+          "IssueInstant" => iso(now), "Destination" => acs_url
+        }
+        attributes["InResponseTo"] = in_response_to if in_response_to
+        attributes
+      end
+
+      def confirmation_attributes(acs_url, in_response_to, now)
+        attributes = { "NotOnOrAfter" => iso(now + VALIDITY), "Recipient" => acs_url }
+        attributes["InResponseTo"] = in_response_to if in_response_to
+        attributes
+      end
+
+      def iso(time)
+        time.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      end
+    end
+  end
+end