rack-oauth2-provider 0.0.1

data/lib/rack/oauth2/assertion_profile.rb

@@ -0,0 +1,58 @@
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+require 'rack/auth/wrap'
+$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(__FILE__), "../../")))
+require 'simple_web_token_builder'
+require  File.expand_path(File.join(File.dirname(__FILE__), "../../../vendor/information_card"))
+
+module Rack
+  module OAuth2
+    class AssertionProfile < Rack::Auth::AbstractHandler
+      def initialize(app, opts = {})
+        @app = app
+        @opts = opts
+      end
+    
+      def call(env)
+        request = Request.new(env)
+        
+        if (request.assertion_profile? && request.format == :saml)
+          InformationCard::Config.audience_scope,  InformationCard::Config.audiences = :site, [@opts[:scope]]
+          token = InformationCard::SamlToken.create(request.token)
+          
+          unless token.valid?
+            return [400, {'Content-Type' => "application/x-www-form-urlencoded"}, "error=unauthorized_client"] 
+          end 
+          
+          # conver the received claims into SWT
+          swt = token_builder.build(token.claims)
+          return [200, {'Content-Type' => "application/x-www-form-urlencoded"}, "access_token=#{CGI.escape(swt)}"]
+        end
+        
+        return @app.call(env)
+      end
+  
+      def token_builder
+        @token_builder ||= SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+      end
+    
+      class Request < Rack::Request
+        def initialize(env)
+          super(env)
+        end
+     
+        def assertion_profile?
+          self.params["type"] =~ /assertion/i
+        end
+        
+        def format
+          (self.params["format"] or "saml").downcase.to_sym
+        end
+        
+        def token
+          self.params["assertion"]
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/provider.rb

@@ -0,0 +1,5 @@
+module Rack
+  module OAuth2
+    VERSION = "0.0.1"
+  end
+end

data/lib/simple_web_token_builder.rb

@@ -0,0 +1,44 @@
+require 'cgi'
+require 'base64'
+require 'hmac-sha2'
+
+module SimpleWebToken
+  class SimpleWebTokenBuilder
+    attr_accessor :shared_secret, :issuer, :audience, :expiration
+    
+    def initialize(opts = {})
+      raise InvalidOption, :shared_secret unless opts[:shared_secret]
+      self.shared_secret = opts[:shared_secret]
+      self.issuer = opts[:issuer]
+      self.audience = opts[:audience]
+      self.expiration = (opts[:expiration] or 3600)
+    end
+    
+    def build(claims)
+      token = (convert(claims) + default_claim_set).join("&")
+      return token += "&HMACSHA256=#{CGI.escape(sign(token))}"
+    end
+
+    def sign(bare_token)
+      signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(self.shared_secret)).update(bare_token.toutf8).digest).strip
+    end
+
+    def convert(claims)
+      claims.map{|k, v| claim_pair(k, v)}
+    end
+
+    def default_claim_set
+      default_claims = []
+      default_claims << claim_pair(:issuer, self.issuer) if(self.issuer)
+      default_claims << claim_pair(:audience, self.audience) if(self.audience)
+      default_claims << claim_pair(:expires_on, Time.now.to_i + self.expiration) 
+      return default_claims
+    end
+    
+    def claim_pair(key, value)
+      new_key = key.to_s.downcase.split("_").map{|l| l.capitalize.strip}.join("")
+      value = [value].flatten.uniq.join(",")
+      [new_key, value.to_s].map{|s| CGI.escape(s)}.join("=")
+    end
+  end
+end

data/rakefile

@@ -0,0 +1,51 @@
+require 'rake'
+require 'rubygems'
+require 'spec/rake/spectask'
+require 'rake/gempackagetask'
+require 'rake/rdoctask'
+
+require 'lib/rack/oauth2/provider'
+
+task :default => ["run_with_rcov"]
+
+Spec::Rake::SpecTask.new('run_with_rcov') do |t|
+  t.spec_files = FileList['spec/**/*.rb'].reject{|f| f.include?('functional')}
+  t.rcov = true
+  t.rcov_opts = ['--text-report', '--exclude', "exclude.*/.gem,spec,Library,#{ENV['GEM_HOME']}", '--sort', 'coverage' ]
+  t.spec_opts = ["--colour",  "--loadby random",  "--format progress", "--backtrace"]
+end
+
+namespace :docs do
+  Rake::RDocTask.new do |t|
+  	t.rdoc_dir = 'sdk/public/'
+  	t.options << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
+  	t.options << '--charset' << 'utf-8'
+  	t.rdoc_files.include('README.rdoc')
+  	t.rdoc_files.include('lib/**/*.rb')
+  end
+end
+
+
+namespace :dist do  
+  spec = Gem::Specification.new do |s|
+    s.name              = 'rack-oauth2-provider'
+    s.version           =  Gem::Version.new(Rack::OAuth2::VERSION)
+    s.summary           = "Rack Middleware that authenticates users based on the different profiles of oAuth 2.0 standard"
+    s.description       = "A simple implementation of provider protocols of oAuth 2.0 (right now just AssertionProfile)."
+    s.email             = 'johnny.halife@me.com'
+    s.author            = 'Johnny G. Halife & Ezequiel Morito'
+    s.require_paths     = ["lib"]
+    s.files             = FileList['rakefile', 'lib/**/*.rb', 'vendor/**/*.rb']
+    s.test_files        = Dir['spec/**/*']
+    s.has_rdoc          = true
+    s.rdoc_options      << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
+    
+    # Dependencies
+    s.add_dependency 'ruby-hmac'
+    s.add_dependency 'information_card'
+  end
+  
+  Rake::GemPackageTask.new(spec) do |pkg|
+    pkg.need_tar = true
+  end
+end

data/spec/rack/oauth2/assertion_profile.test.rb

@@ -0,0 +1,72 @@
+$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(__FILE__), "../../")))
+require 'specs_config.rb'
+require 'lib/rack/oauth2/assertion_profile'
+
+describe "Rack middleware behavior for oAuth 2.0 Assertion Profile" do
+  before do
+    @opts = {:audience => "http://localhost", 
+             :issuer => "http://localhost/issue", 
+             :shared_secret => "N4QeKa3c062VBjnVK6fb+rnwURkcwGXh7EoNK34n0uM="}
+  end
+  
+  it "should do anything if it's not an authentication request for AssertionProfile'" do
+    env = Rack::MockRequest.env_for("/", {})
+    
+    (mock_app = mock).expects(:call).with(env).once
+    SimpleWebToken::SimpleWebTokenBuilder.any_instance.expects(:build).never
+    InformationCard::SamlToken.expects(:create).never
+    
+    response_code, headers, body = Rack::OAuth2::AssertionProfile.new(mock_app, @opts).call(env)
+  end
+  
+  it "should return 400 when the given assertion isn't well-formed nor valid" do
+    env = Rack::MockRequest.env_for("/", {'rack.input' => "type=assertion&format=saml&assertion=very_invalid_assertion"})
+
+    (mock_app = mock).expects(:call).with(env).never
+
+    mock_request = mock do 
+      expects(:assertion_profile?).returns(true)
+      expects(:format).returns(:saml)
+      expects(:token).returns("invalid_token")
+    end
+    
+    (invalid_token = mock).expects(:valid?).returns(false)
+    InformationCard::SamlToken.expects(:create).returns(invalid_token)
+    Rack::OAuth2::AssertionProfile::Request.expects(:new).with(env).returns(mock_request)    
+
+    response_code, headers, body = Rack::OAuth2::AssertionProfile.new(mock_app, @opts).call(env)
+
+    response_code.should == 400
+    headers['Content-Type'].should == "application/x-www-form-urlencoded"
+    body.should == "error=unauthorized_client"
+  end
+  
+  it "should return 200 when the given assertion is valid and include the access_token on the body" do
+    env = Rack::MockRequest.env_for("/", {'rack.input' => "type=assertion&format=saml&assertion=very_valid_assertion"})
+
+    (mock_app = mock).expects(:call).with(env).never
+
+    mock_request = mock do 
+      expects(:assertion_profile?).returns(true)
+      expects(:format).returns(:saml)
+      expects(:token).returns("very_valid_assertion")
+    end
+    
+    valid_token = mock do
+      expects(:valid?).returns(true)
+      expects(:claims).returns({})
+    end
+    
+    InformationCard::SamlToken.expects(:create).with("very_valid_assertion").returns(valid_token)
+    Rack::OAuth2::AssertionProfile::Request.expects(:new).with(env).returns(mock_request)
+    
+    (mock_builder = mock).expects(:build).with({}).returns("token")
+    SimpleWebToken::SimpleWebTokenBuilder.expects(:new).with(@opts).returns(mock_builder)
+    
+    response_code, headers, body = Rack::OAuth2::AssertionProfile.new(mock_app, @opts).call(env)
+
+    response_code.should == 200
+    headers['Content-Type'].should == "application/x-www-form-urlencoded"
+    body.should == "access_token=token"
+  end
+end

data/spec/simple_web_token_builder_test.rb

@@ -0,0 +1,54 @@
+require 'spec/specs_config'
+require 'lib/simple_web_token_builder'
+
+describe "The Simple Web Token Builder behavior" do
+  before do
+    @opts = {:audience => "http://localhost", 
+             :issuer => "http://localhost/issue", 
+             :shared_secret => "N4QeKa3c062VBjnVK6fb+rnwURkcwGXh7EoNK34n0uM="}
+  end
+  
+  it "turn the given key into pascal case and encode both key and value" do
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    builder.claim_pair(:given_name, "johnny halife").should == "GivenName=johnny+halife"
+  end
+
+  it "should turn values that are arrays into csv" do
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    builder.claim_pair(:projects, ["*", "foo"]).should == "Projects=#{CGI.escape("*,foo")}"
+  end
+
+  
+  it "should generate each value pair for the given dictionary" do
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    result = builder.convert({:age => 24})
+    result[0].should == "Age=24"
+  end
+  
+  it "should return default claims" do
+    (mock_time ||= mock).expects(:to_i).returns(1)
+    Time.expects(:now).returns(mock_time)
+    
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    default_claims_set = builder.default_claim_set
+    default_claims_set[0].should == "Issuer=#{CGI.escape("http://localhost/issue")}"
+    default_claims_set[1].should == "Audience=#{CGI.escape("http://localhost")}"
+    default_claims_set[2].should == "ExpiresOn=#{CGI.escape("3601")}"
+  end
+  
+  it "should sign the token" do
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    expected_signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@opts[:shared_secret])).update("Foo=Bar".toutf8).digest).strip
+    builder.sign("Foo=Bar").should == expected_signature
+  end
+  
+  it "should build the token" do
+    builder = SimpleWebToken::SimpleWebTokenBuilder.new(@opts)
+    
+    builder.expects(:convert).with({:name => "johnny"}).returns(["Name=johnny"])
+    builder.expects(:default_claim_set).returns([])
+    builder.expects(:sign).with("Name=johnny").returns("foo")
+    
+    builder.build({:name => "johnny"}).should == "Name=johnny&HMACSHA256=foo"
+  end
+end

data/spec/specs_config.rb

@@ -0,0 +1,11 @@
+require 'rubygems'
+require 'spec'
+require 'mocha'
+require 'rack/test'
+require 'rack/mock'
+
+Spec::Runner.configure do |config|
+  config.mock_with :mocha
+end
+
+$LOAD_PATH.unshift(File.dirname __FILE__)

data/vendor/information_card.rb

@@ -0,0 +1,11 @@
+# dependency 
+require 'information_card'
+
+# standard items
+require 'rexml/document'
+require 'rexml/xpath'
+
+# vendored items
+require 'vendor/information_card/saml_token'
+require 'vendor/information_card/xml_canonicalizer'
+require 'vendor/rexml/parsers'

data/vendor/information_card/saml_token.rb

@@ -0,0 +1,142 @@
+# monkeypatching the SamlToken class to verify token signatures with X509 Certificates
+require 'time'
+
+module InformationCard
+  include REXML
+
+  # added first the tree claim types
+  class ClaimTypes
+      @@claims = {
+        :name => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
+        :email => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+        :upn => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
+        :group => "http://schemas.xmlsoap.org/claims/Group",
+        :given_name => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+        :surname => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+        :street_address => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress",
+        :locality => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality",
+        :state_province => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince",
+        :postal_code => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
+        :country => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
+        :home_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone",
+        :other_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone",
+        :mobile_phone => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
+        :date_of_birth => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth",
+        :gender => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/gender",
+        :ppid => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier",
+        :webpage => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage",
+        :project => "http://schemas.southworksinc.com/project", 
+        :organization => "http://schemas.microsoft.com/ws/2008/06/identity/claims/organization"
+      }
+  end
+
+  class SamlToken < IdentityToken
+    def errors
+      return @errors
+    end
+    
+    def verify_digest     
+      working_doc = REXML::Document.new(@doc.to_s)
+      
+      assertion_node = XPath.first(working_doc, "saml:Assertion", {"saml" => Namespaces::SAML_ASSERTION}) 
+      signature_node =  XPath.first(assertion_node, "ds:Signature", {"ds" => Namespaces::DS}) 
+      signed_info_node = XPath.first(signature_node, "ds:SignedInfo", {"ds" => Namespaces::DS})    
+      digest_value_node = XPath.first(signed_info_node, "ds:Reference/ds:DigestValue", {"ds" => Namespaces::DS})
+      
+      digest_value = digest_value_node.text
+
+      signature_node.remove
+      digest_errors = []
+      canonicalizer = InformationCard::XmlCanonicalizer.new
+      
+      reference_nodes = XPath.match(signed_info_node, "ds:Reference", {"ds" => Namespaces::DS})
+      # TODO: Check specification to see if digest is required.
+      @errors[:digest] = "No reference nodes to check digest" and return if reference_nodes.nil? or reference_nodes.empty?
+      
+      reference_nodes.each do |node|
+        uri = node.attributes['URI']
+        nodes_to_verify = XPath.match(working_doc, "saml:Assertion[@AssertionID='#{uri[1..uri.size]}']", {"saml" => Namespaces::SAML_ASSERTION})
+  
+        nodes_to_verify.each do |node|
+          canonicalized_signed_info = canonicalizer.canonicalize(node)
+          signed_node_hash_sha1 = Base64.encode64(Digest::SHA1.digest(canonicalized_signed_info)).chomp                    
+          signed_node_hash_sha256 = Base64.encode64(Digest::SHA256.digest(canonicalized_signed_info)).chomp                              
+          unless signed_node_hash_sha1 == digest_value
+            unless signed_node_hash_sha256 == digest_value
+              digest_errors << "Invalid Digest for #{uri}. Expected #{signed_node_hash} but was #{digest_value}"
+            end
+          end
+        end
+                       
+        @errors[:digest] = digest_errors unless digest_errors.empty?
+      end  
+    end
+    
+    def verify_signature    
+      working_doc = REXML::Document.new(@doc.to_s)
+
+      assertion_node = XPath.first(working_doc, "saml:Assertion", {"saml" => Namespaces::SAML_ASSERTION})
+      signature_node =  XPath.first(assertion_node, "ds:Signature", {"ds" => Namespaces::DS})            
+      certificate_value_node = XPath.first(signature_node, "KeyInfo/X509Data/X509Certificate")
+      certificate = get_X509Certificate(certificate_value_node.text)
+
+      # TODO: here you should validate that the presented certificate is valid
+
+      public_key_string = certificate.public_key      
+      signed_info_node = XPath.first(signature_node, "ds:SignedInfo", {"ds" => Namespaces::DS})
+      signature_value_node = XPath.first(signature_node, "ds:SignatureValue", {"ds" => Namespaces::DS})
+      canonicalized_signed_info = InformationCard::XmlCanonicalizer.new.canonicalize(signed_info_node)
+      signature = Base64.decode64(signature_value_node.text)
+      
+      unless public_key_string.verify(OpenSSL::Digest::SHA1.new, signature, canonicalized_signed_info) 
+        unless public_key_string.verify(OpenSSL::Digest::SHA256.new, signature, canonicalized_signed_info) 
+          @errors[:signature] = "Invalid Signature" 
+        end
+      end
+    end
+  
+    def validate_conditions
+      conditions = XPath.first(@doc, "//saml:Conditions", "saml" => Namespaces::SAML_ASSERTION)
+      
+      condition_errors = {}
+      not_before_time = Time.parse(conditions.attributes['NotBefore'])
+      condition_errors[:not_before] = "Time is before #{not_before_time}" if Time.now.utc < not_before_time 
+  
+      not_on_or_after_time = Time.parse(conditions.attributes['NotOnOrAfter'])
+      condition_errors[:not_on_or_after] = "Time is on or after #{not_on_or_after_time}" if Time.now.utc >= not_on_or_after_time
+
+      @errors[:conditions] = condition_errors unless condition_errors.empty?    
+    end
+    
+    def process_claims            
+      attribute_nodes = XPath.match(@doc, "//saml:AttributeStatement/saml:Attribute", {"saml" => Namespaces::SAML_ASSERTION})
+      attribute_nodes.each do |node|
+        key = ClaimTypes.lookup(node.attributes['AttributeNamespace'], node.attributes['AttributeName'])      
+        value_nodes = XPath.match(node, "saml:AttributeValue", "saml" => Namespaces::SAML_ASSERTION)
+        
+        if (value_nodes.length < 2 or value_nodes.empty?)
+            @claims[key] = value_nodes[0].text
+        else
+          claim_values = []
+          value_nodes.each{ |value_node|
+              claim_values << value_node.text
+          }
+          @claims[key] = claim_values
+        end
+      end
+    end
+  
+    def get_X509Certificate(certificate)
+      encoding = "-----BEGIN CERTIFICATE-----\n"
+      offset = 0;
+      # strip out the newlines
+      certificate.delete!("=\n") 
+      while (segment = certificate[offset, 64])
+         encoding = encoding + segment + "\n"
+         offset += 64
+      end
+      encoding = encoding + "-----END CERTIFICATE-----\n"        
+      OpenSSL::X509::Certificate.new(encoding)
+    end
+  end
+end

data/vendor/information_card/xml_canonicalizer.rb

@@ -0,0 +1,99 @@
+# Portions of this class were inspired by the XML::Util::XmlCanonicalizer class written by Roland Schmitt
+
+module InformationCard
+  include REXML
+  
+  class XmlCanonicalizer
+    def initialize
+      @canonicalized_xml = ''
+    end
+        
+    def canonicalize(element)
+      document = REXML::Document.new(element.to_s)
+      
+      #TODO: Do we need this check?
+      if element.instance_of?(REXML::Element)
+        namespace = element.namespace(element.prefix)
+        if not namespace.empty?
+          if not element.prefix.empty?
+            document.root.add_namespace(element.prefix, namespace)            
+          else
+            document.root.add_namespace(namespace)            
+          end 
+        end
+      end
+      
+      document.each_child{ |node| write_node(node, nil) } 
+               
+      @canonicalized_xml.strip
+    end
+
+    private  
+      
+    def write_node(node, scoped_prefixes)
+      case node.node_type
+        when :text
+          write_text(node)
+        when :element
+          write_element(node, scoped_prefixes)
+      end
+    end
+    
+    def write_text(node)
+      if node.value.strip.empty?
+        @canonicalized_xml << node.value
+      else
+        @canonicalized_xml << normalize_whitespace(node.value) 
+      end
+    end
+    
+    def write_element(node, scoped_prefixes)
+      scoped_prefixes ||= []
+      @canonicalized_xml << "<#{node.expanded_name}"
+      write_namespaces(node, scoped_prefixes)
+      write_attributes(node)
+      @canonicalized_xml << ">"
+      node.each_child{ |child|
+                            prefixes = Array.new(scoped_prefixes)
+                            write_node(child, prefixes) }
+      @canonicalized_xml << "</#{node.expanded_name}>"
+    end
+    
+    def write_namespaces(node,  scoped_prefixes)
+      scoped_prefixes ||= []
+
+      prefixes = ["xmlns"] + node.prefixes.uniq
+
+      prefixes.sort!.each do |prefix|
+        namespace = node.namespace(prefix)
+        
+        unless prefix.empty? or (prefix == 'xmlns' and namespace.empty?) or scoped_prefixes.include?(prefix)
+    		  scoped_prefixes << prefix
+        
+          @canonicalized_xml << " "
+          @canonicalized_xml << "xmlns:" if not prefix == 'xmlns'
+          @canonicalized_xml << normalize_whitespace("#{prefix}=\"#{namespace}\"")
+        end
+      end    
+    end
+    
+    def write_attributes(node)
+      attributes = []
+      
+      node.attributes.sort.each do |key, attribute|
+        attributes << attribute if not attribute.prefix =~ /^xmlns/
+      end
+      
+      attributes.each do |attribute|
+        unless attribute.nil? or attribute.name == "xmlns"
+          prefix = (attribute.prefix == "saml" || attribute.prefix == "ds") ? nil : attribute.prefix + ":"
+          @canonicalized_xml << " #{prefix}#{attribute.name}=\"#{normalize_whitespace(attribute.to_s)}\"" 
+        end
+      end
+    end
+
+    def normalize_whitespace(input)      
+      input.gsub(/\s+/, ' ').strip
+    end
+  end
+end

data/vendor/rexml/parsers.rb

@@ -0,0 +1,244 @@
+# monkeypatching the whole pull method, only to comment out the lines 205 to 210
+# because an error when trying to load a XML by calling REXML::Document.new(element)
+# and this element has in the root node a namespace
+
+module REXML
+  module Parsers
+    class BaseParser
+      def pull
+        if @closed
+          x, @closed = @closed, nil
+          return [ :end_element, x ]
+        end
+        return [ :end_document ] if empty?
+        return @stack.shift if @stack.size > 0
+        #STDERR.puts @source.encoding
+        @source.read if @source.buffer.size<2
+        #STDERR.puts "BUFFER = #{@source.buffer.inspect}"
+        if @document_status == nil
+          #@source.consume( /^\s*/um )
+          word = @source.match( /^((?:\s+)|(?:<[^>]*>))/um )
+          word = word[1] unless word.nil?
+          #STDERR.puts "WORD = #{word.inspect}"
+          case word
+          when COMMENT_START
+            return [ :comment, @source.match( COMMENT_PATTERN, true )[1] ]
+          when XMLDECL_START
+            #STDERR.puts "XMLDECL"
+            results = @source.match( XMLDECL_PATTERN, true )[1]
+            version = VERSION.match( results )
+            version = version[1] unless version.nil?
+            encoding = ENCODING.match(results)
+            encoding = encoding[1] unless encoding.nil?
+            @source.encoding = encoding
+            standalone = STANDALONE.match(results)
+            standalone = standalone[1] unless standalone.nil?
+            return [ :xmldecl, version, encoding, standalone ]
+          when INSTRUCTION_START
+            return [ :processing_instruction, *@source.match(INSTRUCTION_PATTERN, true)[1,2] ]
+          when DOCTYPE_START
+            md = @source.match( DOCTYPE_PATTERN, true )
+            @nsstack.unshift(curr_ns=Set.new)
+            identity = md[1]
+            close = md[2]
+            identity =~ IDENTITY
+            name = $1
+            raise REXML::ParseException.new("DOCTYPE is missing a name") if name.nil?
+            pub_sys = $2.nil? ? nil : $2.strip
+            long_name = $4.nil? ? nil : $4.strip
+            uri = $6.nil? ? nil : $6.strip
+            args = [ :start_doctype, name, pub_sys, long_name, uri ]
+            if close == ">"
+              @document_status = :after_doctype
+              @source.read if @source.buffer.size<2
+              md = @source.match(/^\s*/um, true)
+              @stack << [ :end_doctype ]
+            else
+              @document_status = :in_doctype
+            end
+            return args
+          when /^\s+/
+          else
+            @document_status = :after_doctype
+            @source.read if @source.buffer.size<2
+            md = @source.match(/\s*/um, true)
+          end
+        end
+        if @document_status == :in_doctype
+          md = @source.match(/\s*(.*?>)/um)
+          case md[1]
+          when SYSTEMENTITY 
+            match = @source.match( SYSTEMENTITY, true )[1]
+            return [ :externalentity, match ]
+
+          when ELEMENTDECL_START
+            return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ]
+
+          when ENTITY_START
+            match = @source.match( ENTITYDECL, true ).to_a.compact
+            match[0] = :entitydecl
+            ref = false
+            if match[1] == '%'
+              ref = true
+              match.delete_at 1
+            end
+            # Now we have to sort out what kind of entity reference this is
+            if match[2] == 'SYSTEM'
+              # External reference
+              match[3] = match[3][1..-2] # PUBID
+              match.delete_at(4) if match.size > 4 # Chop out NDATA decl
+              # match is [ :entity, name, SYSTEM, pubid(, ndata)? ]
+            elsif match[2] == 'PUBLIC'
+              # External reference
+              match[3] = match[3][1..-2] # PUBID
+              match[4] = match[4][1..-2] # HREF
+              # match is [ :entity, name, PUBLIC, pubid, href ]
+            else
+              match[2] = match[2][1..-2]
+              match.pop if match.size == 4
+              # match is [ :entity, name, value ]
+            end
+            match << '%' if ref
+            return match
+          when ATTLISTDECL_START
+            md = @source.match( ATTLISTDECL_PATTERN, true )
+            raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil?
+            element = md[1]
+            contents = md[0]
+
+            pairs = {}
+            values = md[0].scan( ATTDEF_RE )
+            values.each do |attdef|
+              unless attdef[3] == "#IMPLIED"
+                attdef.compact!
+                val = attdef[3]
+                val = attdef[4] if val == "#FIXED "
+                pairs[attdef[0]] = val
+                if attdef[0] =~ /^xmlns:(.*)/
+                  @nsstack[0] << $1
+                end
+              end
+            end
+            return [ :attlistdecl, element, pairs, contents ]
+          when NOTATIONDECL_START
+            md = nil
+            if @source.match( PUBLIC )
+              md = @source.match( PUBLIC, true )
+              vals = [md[1],md[2],md[4],md[6]]
+            elsif @source.match( SYSTEM )
+              md = @source.match( SYSTEM, true )
+              vals = [md[1],md[2],nil,md[4]]
+            else
+              raise REXML::ParseException.new( "error parsing notation: no matching pattern", @source )
+            end
+            return [ :notationdecl, *vals ]
+          when CDATA_END
+            @document_status = :after_doctype
+            @source.match( CDATA_END, true )
+            return [ :end_doctype ]
+          end
+        end
+        begin
+          if @source.buffer[0] == ?<
+            if @source.buffer[1] == ?/
+              @nsstack.shift
+              last_tag = @tags.pop
+              #md = @source.match_to_consume( '>', CLOSE_MATCH)
+              md = @source.match( CLOSE_MATCH, true )
+              raise REXML::ParseException.new( "Missing end tag for "+
+                "'#{last_tag}' (got \"#{md[1]}\")", 
+                @source) unless last_tag == md[1]
+              return [ :end_element, last_tag ]
+            elsif @source.buffer[1] == ?!
+              md = @source.match(/\A(\s*[^>]*>)/um)
+              #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+              raise REXML::ParseException.new("Malformed node", @source) unless md
+              if md[0][2] == ?-
+                md = @source.match( COMMENT_PATTERN, true )
+                return [ :comment, md[1] ] if md
+              else
+                md = @source.match( CDATA_PATTERN, true )
+                return [ :cdata, md[1] ] if md
+              end
+              raise REXML::ParseException.new( "Declarations can only occur "+
+                "in the doctype declaration.", @source)
+            elsif @source.buffer[1] == ??
+              md = @source.match( INSTRUCTION_PATTERN, true )
+              return [ :processing_instruction, md[1], md[2] ] if md
+              raise REXML::ParseException.new( "Bad instruction declaration",
+                @source)
+            else
+              # Get the next tag
+              md = @source.match(TAG_MATCH, true)
+              unless md
+                # Check for missing attribute quotes
+                raise REXML::ParseException.new("missing attribute quote", @source) if @source.match(MISSING_ATTRIBUTE_QUOTES )
+                raise REXML::ParseException.new("malformed XML: missing tag start", @source) 
+              end
+              attributes = {}
+              prefixes = Set.new
+              prefixes << md[2] if md[2]
+              @nsstack.unshift(curr_ns=Set.new)
+              if md[4].size > 0
+                attrs = md[4].scan( ATTRIBUTE_PATTERN )
+                raise REXML::ParseException.new( "error parsing attributes: [#{attrs.join ', '}], excess = \"#$'\"", @source) if $' and $'.strip.size > 0
+                attrs.each { |a,b,c,d,e| 
+                  if b == "xmlns"
+                    if c == "xml"
+                      if d != "http://www.w3.org/XML/1998/namespace"
+                        msg = "The 'xml' prefix must not be bound to any other namespace "+
+                        "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
+                        raise REXML::ParseException.new( msg, @source, self )
+                      end
+                    elsif c == "xmlns"
+                      msg = "The 'xmlns' prefix must not be declared "+
+                      "(http://www.w3.org/TR/REC-xml-names/#ns-decl)"
+                      raise REXML::ParseException.new( msg, @source, self)
+                    end
+                    curr_ns << c
+                  elsif b
+                    prefixes << b unless b == "xml"
+                  end
+                  attributes[a] = e 
+                }
+              end
+
+              # Verify that all of the prefixes have been defined
+              #for prefix in prefixes
+              #  unless @nsstack.find{|k| k.member?(prefix)}
+              #    raise UndefinedNamespaceException.new(prefix,@source,self)
+              #  end
+              #end
+
+              if md[6]
+                @closed = md[1]
+                @nsstack.shift
+              else
+                @tags.push( md[1] )
+              end
+              return [ :start_element, md[1], attributes ]
+            end
+          else
+            md = @source.match( TEXT_PATTERN, true )
+            if md[0].length == 0
+              @source.match( /(\s+)/, true )
+            end
+            #STDERR.puts "GOT #{md[1].inspect}" unless md[0].length == 0
+            #return [ :text, "" ] if md[0].length == 0
+            # unnormalized = Text::unnormalize( md[1], self )
+            # return PullEvent.new( :text, md[1], unnormalized )
+            return [ :text, md[1] ]
+          end
+        rescue REXML::UndefinedNamespaceException
+          raise
+        rescue REXML::ParseException
+          raise
+        rescue Exception, NameError => error
+          raise REXML::ParseException.new( "Exception parsing",
+            @source, self, (error ? error : $!) )
+        end
+        return [ :dummy ]
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification 
+name: rack-oauth2-provider
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Johnny G. Halife & Ezequiel Morito
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-04-20 00:00:00 -03:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ruby-hmac
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: information_card
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+description: A simple implementation of provider protocols of oAuth 2.0 (right now just AssertionProfile).
+email: johnny.halife@me.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- rakefile
+- lib/rack/oauth2/assertion_profile.rb
+- lib/rack/oauth2/provider.rb
+- lib/simple_web_token_builder.rb
+- vendor/information_card/saml_token.rb
+- vendor/information_card/xml_canonicalizer.rb
+- vendor/information_card.rb
+- vendor/rexml/parsers.rb
+has_rdoc: true
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- -A cattr_accessor=object
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Rack Middleware that authenticates users based on the different profiles of oAuth 2.0 standard
+test_files: 
+- spec/rack/oauth2/assertion_profile.test.rb
+- spec/simple_web_token_builder_test.rb
+- spec/specs_config.rb