maestrano-ruby-test 0.8.3

data/lib/maestrano/api/operation/update.rb

@@ -0,0 +1,59 @@
+module Maestrano
+  module API
+    module Operation
+      module Update
+        def save(opts={})
+          values = serialize_params(self).merge(opts)
+
+          if @values[:metadata]
+            values[:metadata] = serialize_metadata
+          end
+
+          if values.length > 0
+            values.delete(:id)
+
+            response, api_token = Maestrano::API::Operation::Base.request(:put, url, @api_token, values)
+            refresh_from(response, api_token)
+          end
+          self
+        end
+
+        def serialize_metadata
+          if @unsaved_values.include?(:metadata)
+            # the metadata object has been reassigned
+            # i.e. as object.metadata = {key => val}
+            metadata_update = @values[:metadata]  # new hash
+            new_keys = metadata_update.keys.map(&:to_sym)
+            # remove keys at the server, but not known locally
+            keys_to_unset = @previous_metadata.keys - new_keys
+            keys_to_unset.each {|key| metadata_update[key] = ''}
+
+            metadata_update
+          else
+            # metadata is a Maestrano::API::Object, and can be serialized normally
+            serialize_params(@values[:metadata])
+          end
+        end
+
+        def serialize_params(obj)
+          case obj
+          when nil
+            ''
+          when Maestrano::API::Object
+            unsaved_keys = obj.instance_variable_get(:@unsaved_values)
+            obj_values = obj.instance_variable_get(:@values)
+            update_hash = {}
+
+            unsaved_keys.each do |k|
+              update_hash[k] = serialize_params(obj_values[k])
+            end
+
+            update_hash
+          else
+            obj
+          end
+        end
+      end
+    end
+  end
+end

data/lib/maestrano/api/resource.rb

@@ -0,0 +1,47 @@
+module Maestrano
+  module API
+    class Resource < Maestrano::API::Object
+      def self.class_name
+        self.name.split('::').reject { |w| w.to_s == "Maestrano" }
+      end
+
+      def self.url
+        if self == Maestrano::API::Resource
+          raise NotImplementedError.new('Maestrano::API::Resource is an abstract class.  You should perform actions on its subclasses (Bill, Customer, etc.)')
+        end
+        if class_name.is_a?(Array)
+          class_name.map { |w| CGI.escape(self.underscore(w)) }.join("/") + 's'
+        else
+          "#{CGI.escape(self.underscore(class_name))}s"
+        end
+      end
+
+      def url
+        unless id = self['id']
+          raise Maestrano::API::Error::InvalidRequestError.new("Could not determine which URL to request: #{self.class} instance has invalid ID: #{id.inspect}", 'id')
+        end
+        "#{self.class.url}/#{CGI.escape(id)}"
+      end
+
+      def refresh
+        response, api_token = Maestrano::API::Operation::Base.request(:get, url, @api_token, @retrieve_options)
+        refresh_from(response, api_token)
+        self
+      end
+
+      def self.retrieve(id, api_token=nil)
+        instance = self.new(id, api_token)
+        instance.refresh
+        instance
+      end
+      
+      def self.underscore(string_val)
+        string_val.gsub(/::/, '/').
+        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+        gsub(/([a-z\d])([A-Z])/,'\1_\2').
+        tr("-", "_").
+        downcase
+      end
+    end
+  end
+end

data/lib/maestrano/api/util.rb

@@ -0,0 +1,122 @@
+module Maestrano
+  module API
+    module Util
+      def self.objects_to_ids(h)
+        case h
+        when Maestrano::API::Resource
+          h.id
+        when Hash
+          res = {}
+          h.each { |k, v| res[k] = objects_to_ids(v) unless v.nil? }
+          res
+        when Array
+          h.map { |v| objects_to_ids(v) }
+        when Time
+          h.iso8601
+        else
+          h
+        end
+      end
+
+      def self.object_classes
+        @object_classes ||= {
+          'account_bill'           => Maestrano::Account::Bill,
+          'account_recurring_bill' => Maestrano::Account::RecurringBill,
+          'internal_list_object'   => Maestrano::API::ListObject
+        }
+      end
+
+      def self.convert_to_maestrano_object(resp, api_token)
+        case resp
+        when Array
+          if resp.empty? || !resp.first[:object]
+            resp
+          else
+            list = convert_to_maestrano_object({
+              object: 'internal_list_object', 
+              data:[],
+              url: convert_to_maestrano_object(resp.first, api_token).class.url
+            },api_token)
+            
+            resp.each do |i|
+              list.data.push(convert_to_maestrano_object(i, api_token))
+            end
+            list
+          end
+        when Hash
+          # Try converting to a known object class.  If none available, fall back to generic Maestrano::API::Object
+          object_classes.fetch(resp[:object], Maestrano::API::Object).construct_from(resp, api_token)
+        else
+          # Automatically parse iso8601 dates
+          if resp =~ /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/
+            Time.iso8601(resp).utc
+          else
+            resp
+          end
+        end
+      end
+
+      def self.file_readable(file)
+        # This is nominally equivalent to File.readable?, but that can
+        # report incorrect results on some more oddball filesystems
+        # (such as AFS)
+        begin
+          File.open(file) { |f| }
+        rescue
+          false
+        else
+          true
+        end
+      end
+
+      def self.symbolize_names(object)
+        case object
+        when Hash
+          new = {}
+          object.each do |key, value|
+            key = (key.to_sym rescue key) || key
+            new[key] = symbolize_names(value)
+          end
+          new
+        when Array
+          object.map { |value| symbolize_names(value) }
+        else
+          object
+        end
+      end
+
+      def self.url_encode(key)
+        URI.escape(key.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+      end
+
+      def self.flatten_params(params, parent_key=nil)
+        result = []
+        params.each do |key, value|
+          calculated_key = parent_key ? "#{parent_key}[#{url_encode(key)}]" : url_encode(key)
+          if value.is_a?(Hash)
+            result += flatten_params(value, calculated_key)
+          elsif value.is_a?(Array)
+            result += flatten_params_array(value, calculated_key)
+          else
+            result << [calculated_key, value]
+          end
+        end
+        result
+      end
+
+      def self.flatten_params_array(value, calculated_key)
+        result = []
+        value.each do |elem|
+          if elem.is_a?(Hash)
+            result += flatten_params(elem, calculated_key)
+          elsif elem.is_a?(Array)
+            result += flatten_params_array(elem, calculated_key)
+          else
+            result << ["#{calculated_key}[]", elem]
+          end
+        end
+        result
+      end
+    end
+  end
+end

data/lib/maestrano/open_struct.rb

@@ -0,0 +1,11 @@
+module Maestrano
+
+  # Extebd OpenStruct to include a 'attributes'
+  # method
+  class OpenStruct < ::OpenStruct
+    # Return all object defined attributes
+    def attributes
+      (self.methods - self.class.new.methods).reject {|method| method =~ /=$/ }
+    end
+  end
+end

data/lib/maestrano/saml/attribute_value.rb

@@ -0,0 +1,15 @@
+module Maestrano
+  module Saml
+
+    # Wrapper for AttributeValue with multiple values
+    # It is subclass of String to be backwards compatible
+    # Use AttributeValue#values to get all values as an array
+    class AttributeValue < String
+      attr_accessor :values
+      def initialize(str="", values=[])
+        @values = values
+        super(str.to_s)
+      end
+    end
+  end
+end

data/lib/maestrano/saml/metadata.rb

@@ -0,0 +1,64 @@
+require "rexml/document"
+require "rexml/xpath"
+require "uri"
+
+# Class to return SP metadata based on the settings requested.
+# Return this XML in a controller, then give that URL to the the
+# IdP administrator.  The IdP will poll the URL and your settings
+# will be updated automatically
+module Maestrano
+  module Saml
+    include REXML
+    class Metadata
+      def generate(settings)
+        meta_doc = REXML::Document.new
+        root = meta_doc.add_element "md:EntityDescriptor", {
+            "xmlns:md" => "urn:oasis:names:tc:SAML:2.0:metadata"
+        }
+        sp_sso = root.add_element "md:SPSSODescriptor", {
+            "protocolSupportEnumeration" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            # Metadata request need not be signed (as we don't publish our cert)
+            "AuthnRequestsSigned" => false,
+            # However we would like assertions signed if idp_cert_fingerprint or idp_cert is set
+            "WantAssertionsSigned" => (!settings.idp_cert_fingerprint.nil? || !settings.idp_cert.nil?)
+        }
+        if settings.issuer != nil
+          root.attributes["entityID"] = settings.issuer
+        end
+        if settings.assertion_consumer_logout_service_url != nil
+          sp_sso.add_element "md:SingleLogoutService", {
+              # Add this as a setting to create different bindings?
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+              "Location" => settings.assertion_consumer_logout_service_url,
+              "ResponseLocation" => settings.assertion_consumer_logout_service_url,
+              "isDefault" => true,
+              "index" => 0
+          }
+        end
+        if settings.name_identifier_format != nil
+          name_id = sp_sso.add_element "md:NameIDFormat"
+          name_id.text = settings.name_identifier_format
+        end
+        if settings.assertion_consumer_service_url != nil
+          sp_sso.add_element "md:AssertionConsumerService", {
+              # Add this as a setting to create different bindings?
+              "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+              "Location" => settings.assertion_consumer_service_url,
+              "isDefault" => true,
+              "index" => 0
+          }
+        end
+        # With OpenSSO, it might be required to also include
+        #  <md:RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xsi:type="query:AttributeQueryDescriptorType" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+        #  <md:XACMLAuthzDecisionQueryDescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
+
+        meta_doc << REXML::XMLDecl.new
+        ret = ""
+        # pretty print the XML so IdP administrators can easily see what the SP supports
+        meta_doc.write(ret, 1)
+
+        ret
+      end
+    end
+  end
+end

data/lib/maestrano/saml/request.rb

@@ -0,0 +1,93 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+require "rexml/document"
+require "rexml/xpath"
+
+module Maestrano
+  module Saml
+  include REXML
+    class Request
+      attr_accessor :settings, :params, :session
+      
+      def initialize(params = {}, session = {})
+        self.settings = Maestrano::SSO.saml_settings
+        self.params = params
+        self.session = session
+      end
+      
+      def redirect_url
+        request_doc = create_authentication_xml_doc(settings)
+        request_doc.context[:attribute_quote] = :quote if self.settings.double_quote_xml_attribute_values
+
+        request = ""
+        request_doc.write(request)
+
+        request           = Zlib::Deflate.deflate(request, 9)[2..-5] if self.settings.compress_request
+        base64_request    = Base64.encode64(request)
+        encoded_request   = CGI.escape(base64_request)
+        params_prefix     = (self.settings.idp_sso_target_url =~ /\?/) ? '&' : '?'
+        request_params    = "#{params_prefix}SAMLRequest=#{encoded_request}"
+
+        self.params.each_pair do |key, value|
+          request_params << "&#{key.to_s}=#{CGI.escape(value.to_s)}"
+        end
+        
+        if (request_params !~ /group_id=/) && (group_id = (self.session[:mno_group_uid] || self.session['mno_group_uid']))
+          request_params << "&group_id=#{CGI.escape(group_id.to_s)}"
+        end
+
+        self.settings.idp_sso_target_url + request_params
+      end
+
+      def create_authentication_xml_doc(settings)
+        uuid = "_" + UUID.new.generate
+        time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        # Create AuthnRequest root element using REXML
+        request_doc = REXML::Document.new
+
+        root = request_doc.add_element "samlp:AuthnRequest", { "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
+        root.attributes['ID'] = uuid
+        root.attributes['IssueInstant'] = time
+        root.attributes['Version'] = "2.0"
+        root.attributes['Destination'] = self.settings.idp_sso_target_url unless self.settings.idp_sso_target_url.nil?
+        root.attributes['IsPassive'] = self.settings.passive unless self.settings.passive.nil?
+        root.attributes['ProtocolBinding'] = self.settings.protocol_binding unless self.settings.protocol_binding.nil?
+
+        # Conditionally defined elements based on settings
+        if self.settings.assertion_consumer_service_url != nil
+          root.attributes["AssertionConsumerServiceURL"] = self.settings.assertion_consumer_service_url
+        end
+        if self.settings.issuer != nil
+          issuer = root.add_element "saml:Issuer", { "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }
+          issuer.text = self.settings.issuer
+        end
+        if self.settings.name_identifier_format != nil
+          root.add_element "samlp:NameIDPolicy", {
+              "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+              # Might want to make AllowCreate a setting?
+              "AllowCreate" => "true",
+              "Format" => self.settings.name_identifier_format
+          }
+        end
+
+        # BUG fix here -- if an authn_context is defined, add the tags with an "exact"
+        # match required for authentication to succeed.  If this is not defined,
+        # the IdP will choose default rules for authentication.  (Shibboleth IdP)
+        if self.settings.authn_context != nil
+          requested_context = root.add_element "samlp:RequestedAuthnContext", {
+            "xmlns:samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
+            "Comparison" => "exact",
+          }
+          class_ref = requested_context.add_element "saml:AuthnContextClassRef", {
+            "xmlns:saml" => "urn:oasis:names:tc:SAML:2.0:assertion",
+          }
+          class_ref.text = self.settings.authn_context
+        end
+        request_doc
+      end
+
+    end
+  end
+end

data/lib/maestrano/saml/response.rb

@@ -0,0 +1,201 @@
+require "time"
+require "nokogiri"
+
+# Only supports SAML 2.0
+module Maestrano
+  module Saml
+
+    class Response
+      ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+      PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+      DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+      # TODO: This should probably be ctor initialized too... WDYT?
+      attr_accessor :settings
+
+      attr_reader :options
+      attr_reader :response
+      attr_reader :document
+
+      def initialize(response, options = {})
+        raise ArgumentError.new("Response cannot be nil") if response.nil?
+        @options  = options
+        @response = (response =~ /^</) ? response : Base64.decode64(response)
+        @document = Maestrano::XMLSecurity::SignedDocument.new(@response)
+        @settings = Maestrano::SSO.saml_settings
+      end
+
+      def is_valid?
+        validate
+      end
+
+      def validate!
+        validate(false)
+      end
+
+      # The value of the user identifier as designated by the initialization request response
+      def name_id
+        @name_id ||= begin
+          node = xpath_first_from_signed_assertion('/a:Subject/a:NameID')
+          node.nil? ? nil : node.text
+        end
+      end
+
+      def sessionindex
+        @sessionindex ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          node.nil? ? nil : node.attributes['SessionIndex']
+        end
+      end
+
+      # A hash of all the attributes with the response.
+      # Multiple values will be returned in the AttributeValue#values array
+      # in reverse order, when compared to XML
+      def attributes
+        @attr_statements ||= begin
+          result = {}
+
+          stmt_element = xpath_first_from_signed_assertion('/a:AttributeStatement')
+          return {} if stmt_element.nil?
+
+          stmt_element.elements.each do |attr_element|
+            name  = attr_element.attributes["Name"]
+            values = attr_element.elements.collect(&:text)
+
+            # Set up a string-like wrapper for the values array
+            attr_value = AttributeValue.new(values.first, values.reverse)
+            # Merge values if the Attribute has already been seen
+            if result[name]
+              attr_value.values += result[name].values
+            end
+
+            result[name] = attr_value
+          end
+
+          result.keys.each do |key|
+            result[key.intern] = result[key]
+          end
+
+          result
+        end
+      end
+
+      # When this user session should expire at latest
+      def session_expires_at
+        @expires_at ||= begin
+          node = xpath_first_from_signed_assertion('/a:AuthnStatement')
+          parse_time(node, "SessionNotOnOrAfter")
+        end
+      end
+
+      # Checks the status of the response for a "Success" code
+      def success?
+        @status_code ||= begin
+          node = REXML::XPath.first(document, "/p:Response/p:Status/p:StatusCode", { "p" => PROTOCOL, "a" => ASSERTION })
+          node.attributes["Value"] == "urn:oasis:names:tc:SAML:2.0:status:Success"
+        end
+      end
+
+      # Conditions (if any) for the assertion to run
+      def conditions
+        @conditions ||= xpath_first_from_signed_assertion('/a:Conditions')
+      end
+
+      def not_before
+        @not_before ||= parse_time(conditions, "NotBefore")
+      end
+
+      def not_on_or_after
+        @not_on_or_after ||= parse_time(conditions, "NotOnOrAfter")
+      end
+
+      def issuer
+        @issuer ||= begin
+          node = REXML::XPath.first(document, "/p:Response/a:Issuer", { "p" => PROTOCOL, "a" => ASSERTION })
+          node ||= xpath_first_from_signed_assertion('/a:Issuer')
+          node.nil? ? nil : node.text
+        end
+      end
+
+      private
+
+      def validation_error(message)
+        raise ValidationError.new(message)
+      end
+
+      def validate(soft = true)
+        validate_structure(soft)      &&
+        validate_response_state(soft) &&
+        validate_conditions(soft)     &&
+        document.validate_document(get_fingerprint, soft) &&
+        success?
+      end
+
+      def validate_structure(soft = true)
+        Dir.chdir(File.expand_path(File.join(File.dirname(__FILE__), 'schemas'))) do
+          @schema = Nokogiri::XML::Schema(IO.read('saml20protocol_schema.xsd'))
+          @xml = Nokogiri::XML(self.document.to_s)
+        end
+        if soft
+          @schema.validate(@xml).map{ return false }
+        else
+          @schema.validate(@xml).map{ |error| validation_error("#{error.message}\n\n#{@xml.to_s}") }
+        end
+      end
+
+      def validate_response_state(soft = true)
+        if response.empty?
+          return soft ? false : validation_error("Blank response")
+        end
+
+        if settings.nil?
+          return soft ? false : validation_error("No settings on response")
+        end
+
+        if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+          return soft ? false : validation_error("No fingerprint or certificate on settings")
+        end
+
+        true
+      end
+
+      def xpath_first_from_signed_assertion(subelt=nil)
+        node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id}']#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
+        node ||= REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id}']/a:Assertion#{subelt}", { "p" => PROTOCOL, "a" => ASSERTION })
+        node
+      end
+
+      def get_fingerprint
+        if settings.idp_cert
+          cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        else
+          settings.idp_cert_fingerprint
+        end
+      end
+
+      def validate_conditions(soft = true)
+        return true if conditions.nil?
+        return true if options[:skip_conditions]
+
+        now = Time.now.utc
+
+        if not_before && (now + (options[:allowed_clock_drift] || 0)) < not_before
+          return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+        end
+
+        if not_on_or_after && now >= not_on_or_after
+          return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+        end
+
+        true
+      end
+
+      def parse_time(node, attribute)
+        if node && node.attributes[attribute]
+          Time.parse(node.attributes[attribute])
+        end
+      end
+    end
+  end
+end