oa-enterprise 0.2.6 → 0.3.0.rc3

data/Gemfile

@@ -1,5 +1,9 @@
+require File.expand_path('../lib/omniauth/version', __FILE__)
+
 source 'http://rubygems.org'
 
+gem 'oa-core', OmniAuth::Version::STRING, :path => '../oa-core'
+
 platforms :jruby do
   gem 'jruby-openssl', '~> 0.7'
 end

data/README.rdoc

@@ -66,7 +66,40 @@ are not familiar with these authentication methods, please just avoid them.
 
 Direct users to '/auth/ldap' to have them authenticated via your
 company's LDAP server.
-    
+
+== SAML
+
+Use the SAML strategy as a middleware in your application:
+
+    require 'omniauth/enterprise'
+    use OmniAuth::Strategies::SAML, 
+        :assertion_consumer_service_url => "consumer_service_url",
+        :issuer                         => "issuer",
+        :idp_sso_target_url             => "idp_sso_target_url",
+        :idp_cert_fingerprint           => "E7:91:B2:E1:...",
+        :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+
+:assertion_consumer_service_url 
+  The URL at which the SAML assertion should be received. 
+
+:issuer
+  The name of your application. Some identity providers might need this to establish the 
+  identity of the service provider requesting the login.
+
+:idp_sso_target_url
+  The URL to which the authentication request should be sent. This would be on the identity provider.
+
+:idp_cert_fingerprint
+  The certificate fingerprint, e.g. "90:CC:16:F0:8D:A6:D1:C6:BB:27:2D:BA:93:80:1A:1F:16:8E:4E:08".
+  This is provided from the identity provider when setting up the relationship.
+
+:name_identifier_format
+  Describes the format of the username required by this application. 
+  If you need the email address, use "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". 
+  See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for 
+  other options. Note that the identity provider might not support all options.  
+
+
 == Multiple Strategies
 
 If you're using multiple strategies together, use OmniAuth's Builder. That's

data/lib/omniauth/enterprise.rb

@@ -4,5 +4,6 @@ module OmniAuth
   module Strategies
     autoload :CAS, 'omniauth/strategies/cas'
     autoload :LDAP, 'omniauth/strategies/ldap'
+    autoload :SAML, 'omniauth/strategies/saml'
   end
 end

data/lib/omniauth/strategies/ldap.rb

@@ -9,19 +9,21 @@ module OmniAuth
       include OmniAuth::Strategy
 
       autoload :Adaptor, 'omniauth/strategies/ldap/adaptor'
-      @@config   = {'name' => 'cn',
-                    'first_name' => 'givenName',
-                    'last_name' => 'sn',
-                    'email' => ['mail', "email", 'userPrincipalName'],
-					'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
-					'mobile_number' => ['mobile', 'mobileTelephoneNumber'],
-					'nickname' => ['uid', 'userid', 'sAMAccountName'],
-					'title' => 'title',
-					'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
-					'uid' => 'dn',
-					'url' => ['wwwhomepage'],
-					'image' => 'jpegPhoto',
-					'description' => 'description'}
+      @@config = {
+        'name' => 'cn',
+        'first_name' => 'givenName',
+        'last_name' => 'sn',
+        'email' => ['mail', "email", 'userPrincipalName'],
+        'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
+        'mobile_number' => ['mobile', 'mobileTelephoneNumber'],
+        'nickname' => ['uid', 'userid', 'sAMAccountName'],
+        'title' => 'title',
+        'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
+        'uid' => 'dn',
+        'url' => ['wwwhomepage'],
+        'image' => 'jpegPhoto',
+        'description' => 'description'
+      }
 
       # Initialize the LDAP Middleware
       #
@@ -44,7 +46,7 @@ module OmniAuth
         end
       end
 
-  	  def get_credentials
+      def get_credentials
         OmniAuth::Form.build(:title => (options[:title] || "LDAP Authentication")) do
           text_field 'Login', 'username'
           password_field 'Password', 'password'
@@ -52,28 +54,28 @@ module OmniAuth
       end
 
       def callback_phase
-      	begin
+        begin
         creds = session['omniauth.ldap']
         session.delete 'omniauth.ldap'
-				@ldap_user_info = {}
+        @ldap_user_info = {}
         begin
-        	(@adaptor.bind(:allow_anonymous => true) unless @adaptor.bound?)
+          (@adaptor.bind(:allow_anonymous => true) unless @adaptor.bound?)
         rescue Exception => e
-        	puts "failed to bind with the default credentials: " + e.message
-       	end
+          puts "failed to bind with the default credentials: " + e.message
+         end
         @ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @name_proc.call(creds['username'])),:limit => 1) if @adaptor.bound?
-				bind_dn = creds['username']
-				bind_dn = @ldap_user_info[:dn].to_a.first if @ldap_user_info[:dn]
+        bind_dn = creds['username']
+        bind_dn = @ldap_user_info[:dn].to_a.first if @ldap_user_info[:dn]
         @adaptor.bind(:bind_dn => bind_dn, :password => creds['password'])
         @ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @name_proc.call(creds['username'])),:limit => 1) if @ldap_user_info.empty?
-    	  @user_info = self.class.map_user(@@config, @ldap_user_info)
+        @user_info = self.class.map_user(@@config, @ldap_user_info)
 
         @env['omniauth.auth'] = auth_hash
 
-      	rescue Exception => e
-      	  return fail!(:invalid_credentials, e)
-      	end
-	      call_app!
+        rescue Exception => e
+          return fail!(:invalid_credentials, e)
+        end
+        call_app!
       end
 
       def auth_hash
@@ -84,28 +86,28 @@ module OmniAuth
         })
       end
 
-	  def self.map_user(mapper, object)
-		user = {}
-		mapper.each do |key, value|
-		  case value
-		  when String
-		    user[key] = object[value.downcase.to_sym].to_s if object[value.downcase.to_sym]
-		  when Array
-		    value.each {|v| (user[key] = object[v.downcase.to_sym].to_s; break;) if object[v.downcase.to_sym]}
-		  when Hash
-		    value.map do |key1, value1|
-			  pattern = key1.dup
-			  value1.each_with_index do |v,i|
-			    part = '';
-			    v.each {|v1| (part = object[v1.downcase.to_sym].to_s; break;) if object[v1.downcase.to_sym]}
-			    pattern.gsub!("%#{i}",part||'')
-			  end
-			  user[key] = pattern
-		    end
-		  end
-		end
-		user
-	  end
+    def self.map_user(mapper, object)
+      user = {}
+      mapper.each do |key, value|
+        case value
+        when String
+          user[key] = object[value.downcase.to_sym].to_s if object[value.downcase.to_sym]
+        when Array
+          value.each {|v| (user[key] = object[v.downcase.to_sym].to_s; break;) if object[v.downcase.to_sym]}
+        when Hash
+          value.map do |key1, value1|
+            pattern = key1.dup
+            value1.each_with_index do |v,i|
+              part = '';
+              v.each {|v1| (part = object[v1.downcase.to_sym].to_s; break;) if object[v1.downcase.to_sym]}
+              pattern.gsub!("%#{i}",part||'')
+            end
+            user[key] = pattern
+          end
+        end
+      end
+      user
+      end
     end
   end
 end

data/lib/omniauth/strategies/ldap/adaptor.rb

@@ -14,14 +14,13 @@ module OmniAuth
         class AuthenticationError < StandardError; end
         class ConnectionError < StandardError; end
 
-        VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password,
-	                                        :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous]
+        VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous]
 
         MUST_HAVE_KEYS = [:host, :port, :method, :uid, :base]
 
         METHOD = {
-	        :ssl => :simple_tls,
-	        :tls => :start_tls,
+          :ssl => :simple_tls,
+          :tls => :start_tls,
           :plain => nil,
         }
 
@@ -63,7 +62,6 @@ module OmniAuth
           @connection, @uri, @with_start_tls = begin
             uri = construct_uri(host, port, method == :simple_tls)
             with_start_tls = method == :start_tls
-            puts ({:uri => uri, :with_start_tls => with_start_tls}).inspect
             [Net::LDAP::Connection.new(config), uri, with_start_tls]
           rescue Net::LDAP::LdapError
             raise ConnectionError, $!.message
@@ -91,9 +89,9 @@ module OmniAuth
           # Attempt 2: SIMPLE with credentials if password block
           # Attempt 3: SIMPLE ANONYMOUS if 1 and 2 fail and allow anonymous is set to true
           if try_sasl and sasl_bind(bind_dn, options)
-              puts "bound with sasl"
+            puts "bound with sasl"
           elsif simple_bind(bind_dn, options)
-              puts "bound with simple"
+            puts "bound with simple"
           elsif allow_anonymous and bind_as_anonymous(options)
             puts "bound as anonymous"
           else
@@ -127,12 +125,12 @@ module OmniAuth
         end
 
         def search(options={}, &block)
-          base = options[:base]
+          base = options[:base] || @base
           filter = options[:filter]
           limit = options[:limit]
 
           args = {
-            :base => @base,
+            :base => base,
             :filter => filter,
             :size => limit
           }
@@ -226,7 +224,6 @@ module OmniAuth
         end
 
         def sasl_bind_setup_gss_spnego(bind_dn, options)
-          puts options.inspect
           user,psw = [bind_dn, options[:password]||@password]
           raise LdapError.new( "invalid binding information" ) unless (user && psw)
 

data/lib/omniauth/strategies/saml.rb

@@ -0,0 +1,50 @@
+require 'omniauth/enterprise'
+
+module OmniAuth
+  module Strategies
+    class SAML
+      include OmniAuth::Strategy
+      autoload :AuthRequest,      'omniauth/strategies/saml/auth_request'
+      autoload :AuthResponse,     'omniauth/strategies/saml/auth_response'
+      autoload :ValidationError,  'omniauth/strategies/saml/validation_error'
+      autoload :XMLSecurity,      'omniauth/strategies/saml/xml_security'
+      
+      @@settings = {}
+      
+      def initialize(app, options={})
+        super(app, :saml)
+        @@settings = {
+          :assertion_consumer_service_url => options[:assertion_consumer_service_url],
+          :issuer                         => options[:issuer],
+          :idp_sso_target_url             => options[:idp_sso_target_url],
+          :idp_cert_fingerprint           => options[:idp_cert_fingerprint],
+          :name_identifier_format         => options[:name_identifier_format] || "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+        }
+      end
+          
+      def request_phase
+        request = OmniAuth::Strategies::SAML::AuthRequest.new
+        redirect(request.create(@@settings))
+      end
+      
+      def callback_phase
+        begin
+          response = OmniAuth::Strategies::SAML::AuthResponse.new(request.params['SAMLResponse'])
+          response.settings = @@settings
+          @name_id  = response.name_id
+          return fail!(:invalid_ticket, 'Invalid SAML Ticket') if @name_id.nil? || @name_id.empty?
+          super
+        rescue ArgumentError => e
+          fail!(:invalid_ticket, 'Invalid SAML Response')
+        end        
+      end
+      
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => @name_id
+        })
+      end  
+            
+    end
+  end
+end

data/lib/omniauth/strategies/saml/auth_request.rb

@@ -0,0 +1,38 @@
+require "base64"
+require "uuid"
+require "zlib"
+require "cgi"
+
+module OmniAuth
+  module Strategies
+    class SAML
+      class AuthRequest
+        
+        def create(settings, params = {})
+          uuid = "_" + UUID.new.generate
+          time = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+          request =
+            "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"#{uuid}\" Version=\"2.0\" IssueInstant=\"#{time}\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"#{settings[:assertion_consumer_service_url]}\">" +
+            "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">#{settings[:issuer]}</saml:Issuer>\n" +
+            "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"#{settings[:name_identifier_format]}\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" +
+            "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" +
+            "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" +
+            "</samlp:AuthnRequest>"
+
+          deflated_request  = Zlib::Deflate.deflate(request, 9)[2..-5]
+          base64_request    = Base64.encode64(deflated_request)
+          encoded_request   = CGI.escape(base64_request)
+          request_params    = "?SAMLRequest=" + encoded_request
+
+          params.each_pair do |key, value|
+            request_params << "&#{key}=#{CGI.escape(value.to_s)}"
+          end
+
+          settings[:idp_sso_target_url] + request_params
+        end
+        
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml/auth_response.rb

@@ -0,0 +1,141 @@
+require "time"
+
+module OmniAuth
+  module Strategies
+    class SAML
+      class AuthResponse
+        
+        ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
+        PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
+        DSIG      = "http://www.w3.org/2000/09/xmldsig#"
+
+        attr_accessor :options, :response, :document, :settings
+
+        def initialize(response, options = {})
+          raise ArgumentError.new("Response cannot be nil") if response.nil?
+          self.options  = options
+          self.response = response
+          self.document = OmniAuth::Strategies::SAML::XMLSecurity::SignedDocument.new(Base64.decode64(response))
+        end
+
+        def is_valid?
+          validate(soft = true)
+        end
+
+        def validate!
+          validate(soft = false)
+        end
+
+        # The value of the user identifier as designated by the initialization request response
+        def name_id
+          @name_id ||= begin
+            node = REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+            node ||=  REXML::XPath.first(document, "/p:Response[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Assertion/a:Subject/a:NameID", { "p" => PROTOCOL, "a" => ASSERTION })
+            node.nil? ? nil : node.text
+          end
+        end
+
+        # A hash of alle the attributes with the response. Assuming there is only one value for each key
+        def attributes
+          @attr_statements ||= begin
+            result = {}
+
+            stmt_element = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AttributeStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+            return {} if stmt_element.nil?
+
+            stmt_element.elements.each do |attr_element|
+              name  = attr_element.attributes["Name"]
+              value = attr_element.elements.first.text
+
+              result[name] = value
+            end
+
+            result.keys.each do |key|
+              result[key.intern] = result[key]
+            end
+
+            result
+          end
+        end
+
+        # When this user session should expire at latest
+        def session_expires_at
+          @expires_at ||= begin
+            node = REXML::XPath.first(document, "/p:Response/a:Assertion/a:AuthnStatement", { "p" => PROTOCOL, "a" => ASSERTION })
+            parse_time(node, "SessionNotOnOrAfter")
+          end
+        end
+
+        # Conditions (if any) for the assertion to run
+        def conditions
+          @conditions ||= begin
+            REXML::XPath.first(document, "/p:Response/a:Assertion[@ID='#{document.signed_element_id[1,document.signed_element_id.size]}']/a:Conditions", { "p" => PROTOCOL, "a" => ASSERTION })
+          end
+        end
+
+        private
+
+        def validation_error(message)
+          raise OmniAuth::Strategies::SAML::ValidationError.new(message)
+        end
+
+        def validate(soft = true)
+          validate_response_state(soft) &&
+          validate_conditions(soft)     &&
+          document.validate(get_fingerprint, soft)
+        end
+
+        def validate_response_state(soft = true)
+          if response.empty?
+            return soft ? false : validation_error("Blank response")
+          end
+
+          if settings.nil?
+            return soft ? false : validation_error("No settings on response")
+          end
+
+          if settings.idp_cert_fingerprint.nil? && settings.idp_cert.nil?
+            return soft ? false : validation_error("No fingerprint or certificate on settings")
+          end
+
+          true
+        end
+
+        def get_fingerprint
+          if settings.idp_cert
+            cert = OpenSSL::X509::Certificate.new(settings.idp_cert)
+            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          else
+            settings.idp_cert_fingerprint
+          end
+        end
+
+        def validate_conditions(soft = true)
+          return true if conditions.nil?
+          return true if options[:skip_conditions]
+
+          if not_before = parse_time(conditions, "NotBefore")
+            if Time.now.utc < not_before
+              return soft ? false : validation_error("Current time is earlier than NotBefore condition")
+            end
+          end
+
+          if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
+            if Time.now.utc >= not_on_or_after
+              return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
+            end
+          end
+
+          true
+        end
+
+        def parse_time(node, attribute)
+          if node && node.attributes[attribute]
+            Time.parse(node.attributes[attribute])
+          end
+        end
+        
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml/validation_error.rb

@@ -0,0 +1,8 @@
+module OmniAuth
+  module Strategies
+    class SAML
+      class ValidationError < Exception
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/saml/xml_security.rb

@@ -0,0 +1,126 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+require 'rubygems'
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+
+module OmniAuth
+  module Strategies
+    class SAML
+      
+      module XMLSecurity
+
+        class SignedDocument < REXML::Document
+          DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+          attr_accessor :signed_element_id
+
+          def initialize(response)
+            super(response)
+            extract_signed_element_id
+          end
+
+          def validate(idp_cert_fingerprint, soft = true)
+            # get cert from response
+            base64_cert = self.elements["//ds:X509Certificate"].text
+            cert_text   = Base64.decode64(base64_cert)
+            cert        = OpenSSL::X509::Certificate.new(cert_text)
+
+            # check cert matches registered idp cert
+            fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+            if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+              return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Fingerprint mismatch"))
+            end
+
+            validate_doc(base64_cert, soft)
+          end
+
+          def validate_doc(base64_cert, soft = true)
+            # validate references
+
+            # check for inclusive namespaces
+
+            inclusive_namespaces            = []
+            inclusive_namespace_element     = REXML::XPath.first(self, "//ec:InclusiveNamespaces")
+
+            if inclusive_namespace_element
+              prefix_list                   = inclusive_namespace_element.attributes.get_attribute('PrefixList').value
+              inclusive_namespaces          = prefix_list.split(" ")
+            end
+
+            # remove signature node
+            sig_element = REXML::XPath.first(self, "//ds:Signature", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+            sig_element.remove
+
+            # check digests
+            REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
+              uri                           = ref.attributes.get_attribute("URI").value
+              hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+              canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+              canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
+              canon_hashed_element          = canoner.canonicalize(hashed_element)
+              hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+              digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+
+              if hash != digest_value
+                return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Digest mismatch"))
+              end
+            end
+
+            # verify signature
+            canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+            signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"})
+            canon_string            = canoner.canonicalize(signed_info_element)
+
+            base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}).text
+            signature               = Base64.decode64(base64_signature)
+
+            # get certificate object
+            cert_text               = Base64.decode64(base64_cert)
+            cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+            if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+              return soft ? false : (raise OmniAuth::Strategies::SAML::ValidationError.new("Key validation error"))
+            end
+
+            return true
+          end
+
+          private
+
+          def extract_signed_element_id
+            reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", {"ds"=>DSIG})
+            self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+          end
+        end
+      end
+      
+    end
+  end
+end

data/lib/omniauth/version.rb

@@ -4,13 +4,13 @@ module OmniAuth
       MAJOR = 0
     end
     unless defined?(::OmniAuth::Version::MINOR)
-      MINOR = 2
+      MINOR = 3
     end
     unless defined?(::OmniAuth::Version::PATCH)
-      PATCH = 6
+      PATCH = 0
     end
     unless defined?(::OmniAuth::Version::PRE)
-      PRE   = nil
+      PRE   = "rc3"
     end
     unless defined?(::OmniAuth::Version::STRING)
       STRING = [MAJOR, MINOR, PATCH, PRE].compact.join('.')

data/oa-enterprise.gemspec

@@ -1,31 +1,31 @@
-# -*- encoding: utf-8 -*-
+# encoding: utf-8
 require File.expand_path('../lib/omniauth/version', __FILE__)
 
 Gem::Specification.new do |gem|
-  gem.add_runtime_dependency 'addressable', '2.2.4'
-  gem.add_runtime_dependency 'nokogiri', '~> 1.4.2'
-  gem.add_runtime_dependency 'net-ldap', '~> 0.2.2'
-  gem.add_runtime_dependency 'oa-core', OmniAuth::Version::STRING
-  gem.add_runtime_dependency 'pyu-ruby-sasl', '~> 0.0.3.1'
-  gem.add_runtime_dependency 'rubyntlm', '~> 0.1.1'
-  gem.add_development_dependency 'maruku', '~> 0.6'
-  gem.add_development_dependency 'simplecov', '~> 0.4'
+  gem.add_dependency 'addressable', '~> 2.2.6'
+  gem.add_dependency 'net-ldap', '~> 0.2.2'
+  gem.add_dependency 'nokogiri', '~> 1.5.0'
+  gem.add_dependency 'oa-core', OmniAuth::Version::STRING
+  gem.add_dependency 'pyu-ruby-sasl', '~> 0.0.3.1'
+  gem.add_dependency 'rubyntlm', '~> 0.1.1'
+  gem.add_dependency 'uuid'
+  gem.add_dependency 'XMLCanonicalizer', '~> 1.0.1'
   gem.add_development_dependency 'rack-test', '~> 0.5'
   gem.add_development_dependency 'rake', '~> 0.8'
+  gem.add_development_dependency 'rdiscount', '~> 1.6'
   gem.add_development_dependency 'rspec', '~> 2.5'
-  gem.add_development_dependency 'webmock', '~> 1.6'
+  gem.add_development_dependency 'simplecov', '~> 0.4'
+  gem.add_development_dependency 'webmock', '~> 1.7'
   gem.add_development_dependency 'yard', '~> 0.7'
-  gem.add_development_dependency 'ZenTest', '~> 4.5'
-  gem.name = 'oa-enterprise'
-  gem.version = OmniAuth::Version::STRING
+  gem.authors = ['James A. Rosen', 'Ping Yu', 'Michael Bleigh', 'Erik Michaels-Ober', 'Raecoo Cao']
   gem.description = %q{Enterprise strategies for OmniAuth.}
-  gem.summary = gem.description
-  gem.email = ['james.a.rosen@gmail.com', 'ping@intridea.com', 'michael@intridea.com', 'sferik@gmail.com']
-  gem.homepage = 'http://github.com/intridea/omniauth'
-  gem.authors = ['James A. Rosen', 'Ping Yu', 'Michael Bleigh', 'Erik Michaels-Ober']
-  gem.executables = `git ls-files -- bin/*`.split("\n").map{|f| File.basename(f)}
+  gem.email = ['james.a.rosen@gmail.com', 'ping@intridea.com', 'michael@intridea.com', 'sferik@gmail.com', 'raecoo@intridea.com']
   gem.files = `git ls-files`.split("\n")
-  gem.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.homepage = 'http://github.com/intridea/omniauth'
+  gem.name = 'oa-enterprise'
   gem.require_paths = ['lib']
   gem.required_rubygems_version = Gem::Requirement.new('>= 1.3.6') if gem.respond_to? :required_rubygems_version=
+  gem.summary = gem.description
+  gem.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.version = OmniAuth::Version::STRING
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -0,0 +1,37 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+describe OmniAuth::Strategies::SAML, :type => :strategy do
+  
+  include OmniAuth::Test::StrategyTestCase
+  
+  def strategy
+    [OmniAuth::Strategies::SAML, {
+      :assertion_consumer_service_url => "http://consumer.service.url/auth/saml/callback",
+      :issuer                         => "https://saml.issuer.url/issuers/29490",
+      :idp_sso_target_url             => "https://idp.sso.target_url/signon/29490",
+      :idp_cert_fingerprint           => "E7:91:B2:E1:4C:65:2C:49:F3:33:74:0A:58:5A:7E:55:F7:15:7A:33",
+      :name_identifier_format         => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    }]
+  end
+
+  describe 'GET /auth/saml' do
+    before do
+      get '/auth/saml'
+    end
+
+    it 'should get authentication page' do
+      last_response.should be_redirect
+    end
+  end
+
+  describe 'POST /auth/saml/callback' do
+
+    it 'should raise ArgumentError exception without the SAMLResponse parameter' do
+      post '/auth/saml/callback'
+      last_response.should be_redirect
+      last_response.location.should == '/auth/failure?message=invalid_ticket'
+    end
+
+  end
+  
+end

metadata

@@ -1,19 +1,27 @@
 --- !ruby/object:Gem::Specification 
 name: oa-enterprise
 version: !ruby/object:Gem::Version 
-  prerelease: 
-  version: 0.2.6
+  hash: 15424035
+  prerelease: 6
+  segments: 
+  - 0
+  - 3
+  - 0
+  - rc
+  - 3
+  version: 0.3.0.rc3
 platform: ruby
 authors: 
 - James A. Rosen
 - Ping Yu
 - Michael Bleigh
 - Erik Michaels-Ober
+- Raecoo Cao
 autorequire: 
 bindir: bin
 cert_chain: []
 
-date: 2011-05-20 00:00:00 Z
+date: 2011-09-03 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: addressable
@@ -21,31 +29,46 @@ dependencies:
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - "="
+    - - ~>
       - !ruby/object:Gem::Version 
-        version: 2.2.4
+        hash: 11
+        segments: 
+        - 2
+        - 2
+        - 6
+        version: 2.2.6
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: nokogiri
+  name: net-ldap
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: 1.4.2
+        hash: 19
+        segments: 
+        - 0
+        - 2
+        - 2
+        version: 0.2.2
   type: :runtime
   version_requirements: *id002
 - !ruby/object:Gem::Dependency 
-  name: net-ldap
+  name: nokogiri
   prerelease: false
   requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: 0.2.2
+        hash: 3
+        segments: 
+        - 1
+        - 5
+        - 0
+        version: 1.5.0
   type: :runtime
   version_requirements: *id003
 - !ruby/object:Gem::Dependency 
@@ -56,7 +79,14 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 0.2.6
+        hash: 15424035
+        segments: 
+        - 0
+        - 3
+        - 0
+        - rc
+        - 3
+        version: 0.3.0.rc3
   type: :runtime
   version_requirements: *id004
 - !ruby/object:Gem::Dependency 
@@ -67,6 +97,12 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 65
+        segments: 
+        - 0
+        - 0
+        - 3
+        - 1
         version: 0.0.3.1
   type: :runtime
   version_requirements: *id005
@@ -78,30 +114,43 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 1
+        - 1
         version: 0.1.1
   type: :runtime
   version_requirements: *id006
 - !ruby/object:Gem::Dependency 
-  name: maruku
+  name: uuid
   prerelease: false
   requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version 
-        version: "0.6"
-  type: :development
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
   version_requirements: *id007
 - !ruby/object:Gem::Dependency 
-  name: simplecov
+  name: XMLCanonicalizer
   prerelease: false
   requirement: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: "0.4"
-  type: :development
+        hash: 21
+        segments: 
+        - 1
+        - 0
+        - 1
+        version: 1.0.1
+  type: :runtime
   version_requirements: *id008
 - !ruby/object:Gem::Dependency 
   name: rack-test
@@ -111,6 +160,10 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 0
+        - 5
         version: "0.5"
   type: :development
   version_requirements: *id009
@@ -122,59 +175,95 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 8
         version: "0.8"
   type: :development
   version_requirements: *id010
 - !ruby/object:Gem::Dependency 
-  name: rspec
+  name: rdiscount
   prerelease: false
   requirement: &id011 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: "2.5"
+        hash: 3
+        segments: 
+        - 1
+        - 6
+        version: "1.6"
   type: :development
   version_requirements: *id011
 - !ruby/object:Gem::Dependency 
-  name: webmock
+  name: rspec
   prerelease: false
   requirement: &id012 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: "1.6"
+        hash: 9
+        segments: 
+        - 2
+        - 5
+        version: "2.5"
   type: :development
   version_requirements: *id012
 - !ruby/object:Gem::Dependency 
-  name: yard
+  name: simplecov
   prerelease: false
   requirement: &id013 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: "0.7"
+        hash: 3
+        segments: 
+        - 0
+        - 4
+        version: "0.4"
   type: :development
   version_requirements: *id013
 - !ruby/object:Gem::Dependency 
-  name: ZenTest
+  name: webmock
   prerelease: false
   requirement: &id014 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        version: "4.5"
+        hash: 1
+        segments: 
+        - 1
+        - 7
+        version: "1.7"
   type: :development
   version_requirements: *id014
+- !ruby/object:Gem::Dependency 
+  name: yard
+  prerelease: false
+  requirement: &id015 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 5
+        segments: 
+        - 0
+        - 7
+        version: "0.7"
+  type: :development
+  version_requirements: *id015
 description: Enterprise strategies for OmniAuth.
 email: 
 - james.a.rosen@gmail.com
 - ping@intridea.com
 - michael@intridea.com
 - sferik@gmail.com
+- raecoo@intridea.com
 executables: []
 
 extensions: []
@@ -196,12 +285,18 @@ files:
 - lib/omniauth/strategies/cas/service_ticket_validator.rb
 - lib/omniauth/strategies/ldap.rb
 - lib/omniauth/strategies/ldap/adaptor.rb
+- lib/omniauth/strategies/saml.rb
+- lib/omniauth/strategies/saml/auth_request.rb
+- lib/omniauth/strategies/saml/auth_response.rb
+- lib/omniauth/strategies/saml/validation_error.rb
+- lib/omniauth/strategies/saml/xml_security.rb
 - lib/omniauth/version.rb
 - oa-enterprise.gemspec
 - spec/fixtures/cas_failure.xml
 - spec/fixtures/cas_success.xml
 - spec/omniauth/strategies/cas_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
+- spec/omniauth/strategies/saml_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/intridea/omniauth
 licenses: []
@@ -216,17 +311,25 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version 
-      version: 1.3.6
+      hash: 25
+      segments: 
+      - 1
+      - 3
+      - 1
+      version: 1.3.1
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.2
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: Enterprise strategies for OmniAuth.
@@ -235,4 +338,5 @@ test_files:
 - spec/fixtures/cas_success.xml
 - spec/omniauth/strategies/cas_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
+- spec/omniauth/strategies/saml_spec.rb
 - spec/spec_helper.rb