openlogic-saml-sp 3.1.3

data/History.txt

@@ -0,0 +1,43 @@
+3.1.2 / 2010-06-39
+---
+
+* OSS release (Yay!)
+
+3.0.4 / 2010-04-26
+---
+
+* Improved error messages when unable to interpret assertions documents properly.
+* Improved debug logging around parsing assertion documents.
+
+3.0.2 / 2010-04-26
+---
+
+* Fixed ArtifaceResolve request document such that it is valid against
+  the SAML schema.
+
+3.0.0 / 2010-04-23
+---
+
+* Added way to specify both the IdP and SP identifiers in the config file.
+
+2.1.0 / 2010-03-26
+----
+
+* Improved logging of artifact resolver registration.
+* Promiscuous basic auth support.
+
+2.0.0 / 2010-01-29
+----
+
+* Added issuer verification to artifact resolution to protect against
+  spoofing.
+* Removed attempt to load config file from non-existent directory for
+  Rails apps.
+
+1.0.0 / 2010-01-22
+------
+
+* 1 major enhancement
+  * Birthday!
+
+

data/LICENSE.txt

@@ -0,0 +1,21 @@
+
+(The MIT License)
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,126 @@
+saml-sp
+====
+
+by OpenLogic  
+http://openlogic.com  
+peter.williams@openlogic.com
+
+## STATUS:
+
+This library is stable and under active development.  
+
+Version identifiers follow
+[rational version ](http://docs.rubygems.org/read/chapter/7#page26).
+The major version number does not indicate this library is complete.
+
+## DESCRIPTION:
+
+Support for being a SAML 2.0 service provider in an HTTP artifact
+binding SSO conversation.
+
+## SYNOPSIS:
+
+This library provides parsing of SAML 2.0 artifacts.  For example.
+    
+    artifact = Saml2::Type4Artifact.new_from_string(params['SAMLart'])  # => #<Saml2::Type4Artifact ...>
+    artifact.source_id                                                  # => 'a314Xc8KaSd4fEJAd8R'
+    artifact.type_code                                                  # => 4
+
+Once you have an artifact you can resolve it into it's associated assertion:
+
+    assertion = artifact.resolve     # => #<Saml2::Assertion>
+
+With the assertion you can identify the user and retrieve attributes:
+
+    assertion.subject_name_id        # => '1234'
+    assertion['mail']                # => 'john.doe@idp.example'
+
+### Configuration
+        
+If you are using Rails the SamlSp will automatically load
+configuration info from `config/saml_sp.conf`.
+
+For non-Rails apps the saml-sp configuration file can be place in the
+application configuration directory and loaded using the following
+code during application startup.
+
+    SamlSp::Config.load_file(APP_ROOT + "/config/saml_sp.conf")
+
+#### Logging
+
+If you are using saml-sp in a rails app it will automatically log to
+the Rails default logger.  For non-Rails apps you can specify a Logger
+object to be used in the config file.
+
+    logger MY_APP_LOGGER
+
+
+#### Artifact Resolution Service
+        
+For artifact resolution to take place you need to configure an
+artifact resolution service for the artifacts source.  This is done by
+adding block similar to the following to your saml-sp config file.
+
+    artifact_resolution_service {
+      source_id         'opaque-id-of-the-idp'
+      uri               'https://samlar.idp.example/resolve-artifact'
+      identity_provider 'http://idp.example/'
+      service_provider  'http://your-domain.example/'
+      http_basic_auth {
+        realm    'the-idp-realm'
+        user_id  'my-user-id'
+        password 'my-password'
+      }
+    }
+
+The configuration details are:
+
+ * source_id: 
+   The id of the source that this resolution service can
+   resolve.  This is a 20 octet binary string.
+ 
+ * uri:
+   The endpoint to which artifact resolve requests should be sent.
+ 
+ * identity_provider:
+   The URI identifying the identity provider that issues assertions 
+   using the source id specified.
+   
+ * service_provider:
+   The URI identifying the your software (the service provider) to 
+   the identity provider.
+   
+ * http_basic_auth:
+   (Optional) The credentials needed to authenticate with the IdP
+   using HTTP basic authentication.  
+
+#### Promiscuous Auth
+
+If the IdP does not provide proper HTTP challenge responses you can
+specify the HTTP auth in promiscuous mode. For example,
+
+    http_basic_auth {
+      promiscuous
+      user_id  'my-user-id'
+      password 'my-password'
+    }
+
+In promiscuous mode the credentials are sent with every request to
+this resolutions service regardless of it's realm.
+
+
+## REQUIREMENTS:
+
+ * Nokogiri
+ * Resourcful
+ * uuidtools
+ 
+## INSTALL:
+
+ * sudo gem install openlogic-saml-sp
+
+## LICENSE:
+
+Copyright (c) 2010 OpenLogic
+
+Licensed under the MIT License.  See LICENSE.txt

data/Rakefile

@@ -0,0 +1,29 @@
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = 'openlogic-saml-sp'
+    gemspec.summary = 'SAML 2.0 SSO Sevice Provider Library'
+    gemspec.email = 'gbettridge@openlogic.com'
+    gemspec.authors = ["OpenLogic", "Peter Williams","Glen Aultman-Bettridge"]
+    gemspec.add_dependency 'nokogiri'
+    gemspec.add_dependency 'openlogic-resourceful'
+    gemspec.add_dependency 'uuidtools'
+    gemspec.add_development_dependency 'rspec'
+    gemspec.files = FileList["[A-Z]*", "{bin,generators,lib,test,spec,rails}/**/*"]
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available. Install it with: gem install jeweler"
+end
+
+# require 'spec/rake/spectask'
+# Spec::Rake::SpecTask.new
+# 
+# task 'test:run' => :spec 
+# EOF
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/VERSION

@@ -0,0 +1 @@
+3.1.3

data/lib/saml-sp.rb

@@ -0,0 +1,70 @@
+require 'logger'
+
+module SamlSp
+
+  # :stopdoc:
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  VERSION = ::File.read(PATH + 'VERSION').strip
+  # :startdoc:
+
+  # Returns the version string for the library.
+  #
+  def self.version
+    VERSION
+  end
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the libray path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args )
+    args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args )
+    args.empty? ? PATH : ::File.join(PATH, args.flatten)
+  end
+
+  # Logger that does nothing
+  BITBUCKET_LOGGER =  Logger.new(nil)
+  class << BITBUCKET_LOGGER
+    def add(*args)
+    end
+  end
+
+  # The logger saml-sp should use
+  def self.logger
+    @@logger ||= BITBUCKET_LOGGER
+  end
+
+  # Set the logger for saml-sp
+  def self.logger=(a_logger)
+    @@logger = a_logger
+  end
+  
+  module Logging
+    def logger
+      SamlSp.logger
+    end
+    
+    def self.included(base)
+      base.extend(self)
+    end
+  end
+
+  autoload :Config,    'saml_sp/config'
+end  # module SamlSp
+
+require 'rubygems'
+
+autoload :Saml2, 'saml2'
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt

data/lib/saml2.rb

@@ -0,0 +1,11 @@
+module Saml2
+  autoload :Type4Artifact,             'saml2/type4_artifact'
+  autoload :Assertion,                 'saml2/assertion'
+  autoload :ArtifactResolver,          'saml2/artifact_resolver'
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/lib/saml2/artifact_resolver.rb

@@ -0,0 +1,192 @@
+require 'addressable/uri'
+gem 'openlogic-resourceful'
+require 'resourceful'
+require 'nokogiri'
+require 'uuidtools'
+
+module Saml2
+  class NoSuchResolverError < StandardError
+  end
+
+  class RequestDeniedError < StandardError
+  end
+
+  class AnomalousResponseIssuerError < StandardError
+    def self.new_from_issuers(expected, actual)
+      new "Issuer should have been <#{expected}> but was <#{actual}>"
+    end
+  end
+
+  class ArtifactResolver
+    attr_reader :source_id, :resolution_service_uri, :idp_id, :sp_id
+    attr_reader :basic_auth_realm, :basic_auth_user_id, :basic_auth_password
+
+    # Initialize and register a new artifact resolver.
+    #
+    # @param [string] source_id An opaque identifier used by the IDP
+    #   to identify artifact that can be resolved by this service.
+    #
+    # @param [string] resolution_service_uri The URI that will resolve
+    #   artifacts into assertions.  
+    #
+    # @param [String] idp_id The URI identifying the assertion issuer at this
+    #   source.
+    #
+    # @param [String] sp_id The URI identifying (for this source) the service 
+    #    provider.  IOW, the id of your application.
+    def initialize(source_id, resolution_service_uri, idp_id, sp_id)
+      @source_id = source_id
+      @resolution_service_uri = Addressable::URI.parse(resolution_service_uri) 
+      @idp_id = idp_id
+      @sp_id = sp_id
+      ArtifactResolverRegistry.register self  
+    end
+
+    # Set HTTP basic authentication credentials
+    def basic_auth_credentials(user_id, password, realm = nil)
+      @basic_auth_realm = realm
+      @basic_auth_user_id = user_id
+      @basic_auth_password = password
+    end
+
+    def logger
+      SamlSp.logger
+    end
+
+    def http
+      @http ||= Resourceful::HttpAccessor.new(:authenticators => authenticator, :logger => logger)
+    end
+
+    def authenticator
+      return nil unless basic_auth_user_id
+
+      if basic_auth_realm
+        Resourceful::BasicAuthenticator.new(basic_auth_realm, basic_auth_user_id, basic_auth_password)
+      else
+        Resourceful::PromiscuousBasicAuthenticator.new(basic_auth_user_id, basic_auth_password)
+      end
+    end
+    
+    # Resolve `artifact` into an Assertion.  
+    #
+    # @param [Saml2::Type4Artifact] The artifact to resolve.
+    #
+    # @return [Saml2::Assertion]
+    #
+    # @raise [RequestDeniedError] When the resolution service refuses
+    #   to resolve the artifact.
+    #
+    # @raise [AnomalousResponseIssuerError] When the issuer of the
+    #   response do not match the idp_id for this source.
+    def resolve(artifact)
+      soap_body = request_document_for(artifact)
+      logger.info{"ArtifactResolve request body:\n#{soap_body.gsub(/^/, "\t")}"}
+      resp = http.resource(resolution_service_uri).post(soap_body,
+                                                        'Accept' => 'application/soap+xml', 
+                                                        'Content-Type' => 'application/soap+xml')
+
+      logger.info{"ArtifactResolve response body:\n#{resp.gsub(/^/, "\t")}"}
+      doc = Nokogiri::XML.parse(resp.body)
+      assert_successful_response(doc)
+
+      assertion = Assertion.new_from_xml(doc)
+
+      raise AnomalousResponseIssuerError.new_from_issuers(idp_id, assertion.issuer) unless 
+        assertion.issuer == idp_id
+
+      assertion
+
+    rescue Resourceful::UnsuccessfulHttpRequestError => e
+
+      logger.debug { 
+        body = e.http_request.body
+        body.rewind
+        "Artifact resolution request:\n" + body.read.gsub(/^/, '    ')}
+      logger.debug {"Artifact resolution response:\n" + e.http_response.body.gsub(/^/, '    ')}
+      raise
+    end
+
+    def to_s
+      "Resolver for <#{idp_id}> (#{Base64.encode64(source_id).strip})"
+    end
+
+    protected
+
+    def assert_successful_response(resp_doc)
+      response_code = resp_doc.at("//sp:StatusCode/@Value", namespaces).content.strip
+      return if response_code == 'urn:oasis:names:tc:SAML:2.0:status:Success'
+      
+      # Request was not handled successfully
+      err_message =  "Request failed"
+
+      status_message_elem = resp_doc.at("//sp:StatusMessage", namespaces) 
+      if status_message_elem
+        err_message << " because \"#{status_message_elem.content.strip}\""
+      end
+      
+      err_message << ". (status code: #{response_code})"
+
+      if status_details_elem = resp_doc.at("//sp:StatusDetail", namespaces) 
+        logger.debug "Details for resolve artifact failure (status code: #{response_code}):\n" + status_details_elem.content
+      end
+
+      raise RequestDeniedError, err_message
+    end
+
+    def namespaces
+      {'sp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
+        'sa' => 'urn:oasis:names:tc:SAML:2.0:assertion'}
+    end
+    def request_document_for(artifact)
+      <<XML
+<?xml version="1.0"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+  <SOAP-ENV:Body>
+    <ArtifactResolve IssueInstant="2006-12-15T15:35:12.068Z" 
+                     Version="2.0"
+                     ID="_#{UUIDTools::UUID.random_create}"
+                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
+                     xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
+      <saml:Issuer>#{sp_id}</saml:Issuer>
+      <Artifact>#{artifact.to_s}</Artifact>
+    </ArtifactResolve>
+  </SOAP-ENV:Body>
+</SOAP-ENV:Envelope>
+XML
+    end
+  end
+
+  # Returns an artifact resolver that can be used to resolve artifacts
+  # from the specified source.
+  #
+  # @param [String] source_id The id of the source of interest.
+  def self.ArtifactResolver(source_id)
+    ArtifactResolverRegistry.lookup_by_source_id(source_id)
+  end
+
+  ArtifactResolverRegistry = Class.new do
+    include SamlSp::Logging
+
+    def register(resolver)
+      resolvers_table[resolver.source_id] = resolver
+
+      logger.info "saml-sp: #{resolver}' registered"
+    end
+    
+    def lookup_by_source_id(source_id)
+      resolvers_table[source_id] || raise(NoSuchResolverError, "No resolver registered for source `#{Base64.encode64(source_id).strip}`")
+    end
+    
+    protected
+    
+    def resolvers_table
+      @resolvers_table ||= {}
+    end
+  end.new
+
+end
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+