rack-saml 0.0.1

data/Gemfile

@@ -0,0 +1,7 @@
+source 'http://rubygems.org'
+
+gemspec
+
+#group :example do
+#  gem 'sinatra'
+#end

data/README.md

@@ -0,0 +1,171 @@
+# SAML (Shibboleth SP) middleware for Rack
+
+This project is deeply inspired by rack-shibboleth and ruby-saml. It is recommended to use the defact SAML implementation such as OpenSAML from the security or the functional aspect. However, there are also requirements to use SAML for light weight applications implemented by Ruby. rack-shibboleth may be a candidate to support such kind of objective. However it lacks the configurability to fit OmniAuth and the upgrade path to secure and stable middleware as OpenSAML. So thus I just implemented a prototype to support SAML (Shibboleth SP) for Rack middleware.
+
+OmniAuth Shibboleth Strategy
+https://github.com/toyokazu/omniauth-shibboleth
+
+## Limitations
+
+### Signing AuthnRequest
+
+Current implementation supports only Onelogin SAML assertion handler. It does not support to sign AuthnRequest.
+
+### Encrypted Assertion
+
+Current implementation does not support assertion encryption. So thus, assertion encription function should be disabled for rack-saml SPs.
+
+### SP Session
+
+Current implementation does not support keeping session at SP side.
+
+## Getting Started
+
+### Installation
+
+    % gem install rack-saml
+
+### Setup Gemfile
+
+    % cd rails-app
+    % vi Gemfile
+    gem 'rack-saml'
+
+### Setup Rack::Saml middleware
+
+#### For Rack applicaitons
+
+In the following example, config.ru is used to add Rack::Saml middleware into a Rails application.
+
+    % vi config.ru
+    use Rack::Saml, {:saml_config => "#{Rails.root}/config/saml.yml",
+                     :metadata => "#{Rails.root}/config/metadata.yml",
+                     :attribute_map => "#{Rails.root}/config/attribute-map.yml",
+                     :shib_app_id => "default"}
+
+#### For Ralis applications
+
+In the following example, config/application.rb is used to Rack::Saml middleware into a Rails application.
+
+    % vi config/application.rb
+    module TestRackSaml
+    class Application < Rails::Application
+    config.middleware.use Rack::Saml, {:saml_config => "#{Rails.root}/config/saml.yml",
+                                       :metadata => "#{Rails.root}/config/metadata.yml",
+                                       :attribute_map => "#{Rails.root}/config/attribute-map.yml"
+                                       :shib_app_id => "default"}
+    ...
+
+If you just want to test Rack::Saml, you can ommit middleware options in the both example (config.ru or config/application.rb).
+
+    use Rack::Saml
+
+However, you can not omit :shib_app_id option if you want to use this middleware with OmniAuth::Shibboleth Strategy.
+
+Rack::Saml uses default configurations located in the rack-saml gem path.
+
+    $GEM_HOME/rack-saml-x.x.x/config/xxx.yml
+
+#### Middleware options
+
+* *:saml_config* path to saml.yml file
+* *:metadata* path to metadata.yml file
+* *:attribute_map* path to attribute-map.yml file
+* *:shib_app_id* If you want to use the middleware as Shibboleth SP, you should specify an application ID. In the Shibboleth SP default configuration, 'default' is used as the application ID.
+
+
+#### Configuration files
+
+You can find default configuration files at
+
+    $GEM_HOME/rack-saml-x.x.x/config/
+
+##### saml.yml
+
+Configuration to set SAML parameters.
+
+* *protected_path* string or regular expression of the path name where SAML protects, e.g. /auth/shibboleth/callback or '^\/secure\/[^\s]*'
+* *protected_path_regexp* use regular expression to match protected_path or not e.g. true / false
+* *metadata_path* the path name where SP's metadata is generated
+* *assertion_handler* 'onelogin' / 'opensaml' (not implemented yet)
+* *saml_idp* idp_entity_id
+* *saml_sp* sp_entity_id (self id)
+* *sp_cert* path to the SAML SP's certificate file, e.g. cert.pem (signing AuthnRequest is not supported yet)
+* *sp_key* path to the SAML SP's key file, e.g. key.pem (signing AuthnRequest is not supported yet)
+
+##### metadata.yml
+
+To connect to an IdP, you must describe IdP's specification. In rack-saml, it should be written in metadata.yml. metadata.yml file include the following lists.
+
+* *idp_lists* list of IdP metadata
+* *sp_lists* list of SP metadata
+
+idp_lists and sp_lists are hashes which have entity ids as key values.
+
+parameters of the idp_lists:
+
+* *certificate* base64 encoded certificate of IdP
+* *saml2_http_redirect* Location attribute of the IdP's assertion handler uri with HTTP Redirect Binding
+
+parameters of the sp_lists (currently not used):
+
+* *certificate* base64 encoded certificate of SP
+* *saml2_http_post* Location attribute of the SP's assertion consumer uri with HTTP POST Binding
+
+These parameters are automatically extracted from SAML metadata. You can use conv_metadata.rb command for extraction.
+
+    % $GEM_HOME/rack-saml-x.x.x/bin/conv_metadata.rb metadata.xml > metadata.yml
+
+##### attribute-map.yml
+
+attribute-map.yml can extract attributes from SAML Response and put attributes on request environment variables. It is useful to pass attributes into applications. The configuration file format is as follows:
+
+    "Attribute Name": "Environment Variable Name"
+    "urn:oid:0.9.2342.19200300.100.1.1": "uid"
+    ...
+
+### Setup IdP to accept rack-saml SP
+
+#### SP Metadata generation
+
+To connect a new SP to the existing IdP, you need to import SP's metadata into the IdP. rack-saml provides metadata generation function. It is generated at '/Shibboleth.sso/Metadata' by default.
+
+#### IdP configuration examples not to encrypt assertion
+
+Current rack-saml implementation does not support assertion encryption because Onelogin::Saml does not support signature and encryption of assertion. So thus, in the followings, we would like to show sample configurations to disable encryption in IdP assertion processing. These are not recommended for sensitive applications.
+
+##### Shibboleth IdP example
+
+Add the following configuration after <rp:DefaultRelyingParty> in relying-party.xml. You should specify sp entity id at the 'id' and the 'provider' attributes.
+
+    % vi $IDP_HOME/conf/relying-party.xml
+    ...
+    <rp:RelyingParty id="http://example.com:3000/auth/shibboleth/callback" provider="http://example.com:3000/auth/shibboleth/callback" defaultSigningCredentialRef="IdPCredential">
+      <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="never" signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
+    </rp:RelyingParty>
+
+## TODO
+
+* ruby-opensaml (I hope someone implement it :)
+
+## License
+
+Copyright (C) 2011 by Toyokazu Akiyama.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec
+task :test => :spec
+

data/bin/conv_metadata.rb

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+require 'rexml/document'
+require 'uri'
+require 'yaml'
+
+DS = 'http://www.w3.org/2000/09/xmldsig#'
+
+if ARGV.size < 1
+  puts "outputs yaml format metadata file"
+  puts "usage: conv_metadata.rb metadata_file"
+  exit(1)
+end
+
+file = File.new(ARGV[0])
+doc = REXML::Document.new(file)
+
+def get_list_type(elem)
+  if !elem.elements["IDPSSODescriptor"].nil?
+    return "idp_lists"
+  end
+  "sp_lists"
+end
+
+def create_entity_hash(elem, list_type)
+  case list_type
+  when "idp_lists"
+    idp_elem = elem.elements["IDPSSODescriptor"]
+    # the first certificate is used
+    certificate = "-----BEGIN CERTIFICATE-----#{REXML::XPath.first(idp_elem, './/ds:X509Certificate', 'ds' => DS).text.gsub(/\s*$/, "")}\n-----END CERTIFICATE-----"
+    saml2_http_redirect = nil
+    idp_elem.elements.each("SingleSignOnService") do |e|
+      if e.attributes["Binding"] == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        saml2_http_redirect = e.attributes["Location"]
+      end
+    end
+    return {"certificate" => certificate,
+            "saml2_http_redirect" => saml2_http_redirect}
+  when "sp_lists"
+    sp_elem = elem.elements["SPSSODescriptor"]
+    # the first certificate is used
+    certificate = REXML::XPath.first(sp_elem, './/ds:X509Certificate', 'ds' => DS).text
+    saml2_http_post = nil
+    sp_elem.elements.each("AssertionConsumerService") do |e|
+      if e.attributes["Binding"] == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        saml2_http_post = e.attributes["Location"]
+      end
+    end
+    return {"certificate" => certificate,
+            "saml2_http_post" => saml2_http_post}
+  end
+end
+
+def add_entities(entities, elem)
+  list_type = get_list_type(elem)
+  entity_id = elem.attributes["entityID"]
+  entities[list_type][entity_id] = create_entity_hash(elem, list_type)
+end
+
+entities = {"idp_lists" => {}, "sp_lists" => {}}
+doc.elements.each("EntityDescriptor") do |elem|
+  add_entities(entities, elem)
+end
+
+doc.elements.each("EntitiesDescriptor/EntityDescriptor") do |elem|
+  add_entities(entities, elem)
+end
+
+puts entities.to_yaml

data/config/attribute-map.yml

@@ -0,0 +1,8 @@
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "unscoped-affiliation"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "entitlement"
+"urn:oid:0.9.2342.19200300.100.1.1": "uid"
+"urn:oid:0.9.2342.19200300.100.1.3": "mail"
+"urn:oid:2.16.840.1.113730.3.1.241": "displayName"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "persistent-id"

data/config/attribute-map.yml.sample

@@ -0,0 +1,15 @@
+"urn:mace:dir:attribute-def:eduPersonPrincipalName": "eppn"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn"
+"urn:mace:dir:attribute-def:eduPersonScopedAffiliation": "affiliation"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "affiliation"
+"urn:mace:dir:attribute-def:eduPersonAffiliation": "unscoped-affiliation"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "unscoped-affiliation"
+"urn:mace:dir:attribute-def:eduPersonEntitlement": "entitlement"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "entitlement"
+"urn:mace:dir:attribute-def:uid": "uid"
+"urn:oid:0.9.2342.19200300.100.1.1": "uid"
+"urn:mace:dir:attribute-def:mail": "mail"
+"urn:oid:0.9.2342.19200300.100.1.3": "mail"
+"urn:mace:dir:attribute-def:displayName": "displayName"
+"urn:oid:2.16.840.1.113730.3.1.241": "displayName"
+"urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "persistent-id"

data/config/metadata.yml

@@ -0,0 +1,32 @@
+--- 
+idp_lists: 
+  https://localhost/idp/shibboleth: 
+    certificate: |-
+      -----BEGIN CERTIFICATE-----
+      MIIEKDCCAxCgAwIBAgIJALh5qhU6z0gMMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYD
+      VQQGEwJKUDERMA8GA1UEBwwIQWNhZGVtZTIxIDAeBgNVBAoMF0t5b3RvIFNhbmd5
+      byBVbml2ZXJzaXR5MTQwMgYDVQQLDCtGYWN1bHR5IG9mIENvbXB1dGVyIFNjaWVu
+      Y2UgYW5kIEVuZ2luZWVyaW5nMRAwDgYDVQQDDAdUZXN0IENBMB4XDTExMDgxMDA3
+      MTY1OFoXDTEyMDgwOTA3MTY1OFowgZ4xCzAJBgNVBAYTAkpQMREwDwYDVQQHDAhB
+      Y2FkZW1lMjEgMB4GA1UECgwXS3lvdG8gU2FuZ3lvIFVuaXZlcnNpdHkxNDAyBgNV
+      BAsMK0ZhY3VsdHkgb2YgQ29tcHV0ZXIgU2NpZW5jZSBhbmQgRW5naW5lZXJpbmcx
+      JDAiBgNVBAMMG2lkcC50ZXN0LmNzZS5reW90by1zdS5hYy5qcDCCASIwDQYJKoZI
+      hvcNAQEBBQADggEPADCCAQoCggEBAN1/g5HoajtIFLrFGEt6z6vyWS7CNhz/nOw9
+      7Ei0R7TYg/iwz3CuJdowlz7VnVTi/Oi2kz+YxuLw3RDwl5r16AKRCePyc0F63xSv
+      5rc6kJkXBqGZlKtSn5OeSa+w18c4MOtu4zSZP7wHhS5bMABUL8UBX1P021bPd7Ad
+      6gMt9mCF+0giIyTWMP8PH8EoDTMPq+ko1QosxSxPSaERB2+OEmwBa4NnKyBmB9lU
+      NrWN5tB+BJ8qD9C+5EU+miWFzY59GC1JPc7TmQ28frobmgc22pUc6d/0+uBELEbx
+      v7G942PYDCdF1V0chRyGAP4/7IAH77B5t6wIqhLBffawb993mi8CAwEAAaN7MHkw
+      CQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
+      dGlmaWNhdGUwHQYDVR0OBBYEFDpB4W//bAwVauJd/pvUOfZl72eqMB8GA1UdIwQY
+      MBaAFINIlekZI9dBQNn6x8vCKxS3h6CSMA0GCSqGSIb3DQEBBQUAA4IBAQBZwuZp
+      TyczweI8L68yzkq//5ORzkoJtW29aftSfWrXIO4/ckydyqYNHW1H62J4QtMxljHG
+      ZK+GAALGKIAYQTD805Ha4tezY/bpXB1HTu+E2e2jL6AmYEP62WcFdCmnPS7DSQ78
+      LDLDDmrPBRfNTVxgjEq1GRS1JfQJb8JrNipG+YqCinNVKuEx4wsc7bIRbY0YZrVp
+      +sRk6BB3HrOY1p+F/83in45wyNxGfgZpmdAvk9yB8ubzBhDaaNSqeU33iOGsqSBH
+      jD2RyhOELbPlOMEHn+q2vSZdlo4hqRpamhahSBsuiQFbcwpTkWJ3SJyjYYn845Xw
+      Uq9SgXh2ssVUFkni
+      -----END CERTIFICATE-----
+    saml2_http_redirect: https://localhost/idp/profile/SAML2/Redirect/SSO
+sp_lists: {}
+

data/config/saml.yml

@@ -0,0 +1,6 @@
+protected_path: /auth/shibboleth/callback
+# protected_path_regexp: true
+metadata_path: /Shibboleth.sso/Metadata
+assertion_handler: onelogin
+saml_idp: https://localhost/idp/shibboleth
+saml_sp: http://localhost:3000/auth/shibboleth/callback

data/lib/rack-saml.rb

@@ -0,0 +1 @@
+require 'rack/saml'

data/lib/rack-saml/version.rb

@@ -0,0 +1,6 @@
+require 'rack'
+module Rack
+  module Saml
+    VERSION = "0.0.1"
+  end
+end

data/lib/rack/saml.rb

@@ -0,0 +1,108 @@
+require 'rack'
+require 'yaml'
+
+module Rack
+  # Rack::Saml
+  #
+  # As the Shibboleth SP, Rack::Saml::Base adopts :protected_path
+  # as an :assertion_consumer_path. It is easy to configure and
+  # support omniauth-shibboleth.
+  # To establish single path behavior, it currently supports only
+  # HTTP Redirect Binding from SP to Idp
+  # HTTP POST Binding from IdP to SP
+  class Saml
+    autoload "RequestHandler", 'rack/saml/request_handler'
+    autoload "MetadataHandler", 'rack/saml/metadata_handler'
+    autoload "ResponseHandler", 'rack/saml/response_handler'
+
+    class SamlAssertionError < StandardError
+    end
+
+    def default_config_path(config_file)
+      ::File.expand_path("../../../config/#{config_file}", __FILE__)
+    end
+
+    def default_saml_config
+      default_config_path('saml.yml')
+    end
+
+    def default_metadata
+      default_config_path('metadata.yml')
+    end
+
+    def default_attribute_map
+      default_config_path('attribute-map.yml')
+    end
+
+    def initialize app, opts = {}
+      @app = app
+      @opts = opts
+
+      if @opts[:saml_config].nil? || !::File.exists?(@opts[:saml_config])
+        @opts[:saml_config] = default_saml_config
+      end
+      @saml_config = YAML.load_file(@opts[:saml_config])
+      if @saml_config['assertion_handler'].nil?
+        raise ArgumentError, "'assertion_handler' parameter should be specified in the :saml_config file"
+      end
+      if @opts[:metadata].nil? || !::File.exists?(@opts[:metadata])
+        @opts[:metadata] = default_metadata
+      end
+      @metadata = YAML.load_file(@opts[:metadata])
+      if @opts[:attribute_map].nil? || !::File.exists?(@opts[:attribute_map])
+        @opts[:attribute_map] = default_attribute_map
+      end
+      @attribute_map = YAML.load_file(@opts[:attribute_map])
+    end
+
+    def call env
+      request = Rack::Request.new env
+      #return [
+      #  403,
+      #  {
+      #    'Content-Type' => 'text/plain'
+      #  },
+      #  ["Forbidden." + request.inspect]
+      #  ["Forbidden." + env.to_a.map {|i| "#{i[0]}: #{i[1]}"}.join("\n")]
+      #]
+      if request.request_method == 'GET'
+        if match_protected_path?(request) # generate AuthnRequest
+          handler = RequestHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
+          return Rack::Response.new.tap { |r|
+            r.redirect handler.authn_request.redirect_uri
+          }.finish
+        elsif match_metadata_path?(request) # generate Metadata
+          handler = MetadataHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
+          return [
+            200,
+            {
+              'Content-Type' => 'application/samlmetadata+xml'
+            },
+            [handler.sp_metadata.generate]
+          ]
+        end
+      elsif request.request_method == 'POST' && match_protected_path?(request) # process Response
+        handler = ResponseHandler.new(request, @saml_config, @metadata['idp_lists'][@saml_config['saml_idp']])
+        if handler.response.is_valid?
+          handler.extract_attrs(env, @attribute_map, @opts)
+        else
+          raise SamlAssertionError, "Invalid SAML response."
+        end
+      end
+
+      @app.call env
+    end
+
+    def match_protected_path?(request)
+      if @saml_config['protected_path_regexp']
+        # to be fixed (Regexp)
+        return (request.path_info =~ Regexp.new(@saml_config['protected_path']))
+      end
+      request.path_info == @saml_config['protected_path']
+    end
+
+    def match_metadata_path?(request)
+      request.path_info == @saml_config['metadata_path']
+    end
+  end
+end

data/lib/rack/saml/metadata/abstract_metadata.rb

@@ -0,0 +1,16 @@
+module Rack
+  class Saml
+    class AbstractMetadata
+      attr_reader :request, :saml_config, :metadata
+
+      def initialize(request, saml_config, metadata)
+        @request = request
+        @saml_config = saml_config
+        @metadata = metadata
+      end
+
+      def generate
+      end
+    end
+  end
+end

data/lib/rack/saml/metadata/onelogin_metadata.rb

@@ -0,0 +1,18 @@
+module Rack
+  class Saml
+    require 'rack/saml/misc/onelogin_setting'
+
+    class OneloginMetadata < AbstractMetadata
+      include OneloginSetting
+
+      def initialize(request, saml_config, metadata)
+        super(request, saml_config, metadata)
+        @sp_metadata = Onelogin::Saml::Metadata.new
+      end
+
+      def generate
+        @sp_metadata.generate(saml_settings)
+      end
+    end
+  end
+end

data/lib/rack/saml/metadata/opensaml_metadata.rb

@@ -0,0 +1,12 @@
+module Rack
+  class Saml
+    class OpensamlMetadata < AbstractMetadata
+      # to be implemented
+      def initialize(request, saml_config, metadata)
+      end
+
+      def generate
+      end
+    end
+  end
+end

data/lib/rack/saml/metadata_handler.rb

@@ -0,0 +1,19 @@
+module Rack
+  class Saml
+    require 'rack/saml/metadata/abstract_metadata'
+    autoload "OneloginMetadata", 'rack/saml/metadata/onelogin_metadata'
+    autoload "OpensamlMetadata", 'rack/saml/metadata/opensaml_metadata'
+
+    class MetadataHandler
+      attr_reader :sp_metadata
+
+      # Rack::Saml::MetadataHandler
+      # request: Rack current request instance
+      # saml_config: config/saml.yml 
+      # metadata: specified idp entity in the config/metadata.yml
+      def initialize(request, saml_config, metadata)
+        @sp_metadata = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Metadata").new(request, saml_config, metadata)
+      end
+    end
+  end
+end

data/lib/rack/saml/misc/onelogin_setting.rb

@@ -0,0 +1,18 @@
+module Rack
+  class Saml
+    module OneloginSetting
+      require 'ruby-saml'
+
+      def saml_settings
+        settings = Onelogin::Saml::Settings.new
+        settings.assertion_consumer_service_url = "#{@request.scheme}://#{@request.host}#{":#{@request.port}" if @request.port}#{request.script_name}#{@saml_config['protected_path']}"
+        settings.issuer = @saml_config['saml_sp']
+        settings.idp_sso_target_url = @metadata['saml2_http_redirect']
+        settings.idp_cert = @metadata['certificate']
+        settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+        #settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+        settings
+      end
+    end
+  end
+end

data/lib/rack/saml/request/abstract_request.rb

@@ -0,0 +1,16 @@
+module Rack
+  class Saml
+    class AbstractRequest
+      attr_reader :request, :saml_config, :metadata
+
+      def initialize(request, saml_config, metadata)
+        @request = request
+        @saml_config = saml_config
+        @metadata = metadata
+      end
+
+      def redirect_uri
+      end
+    end
+  end
+end

data/lib/rack/saml/request/onelogin_request.rb

@@ -0,0 +1,18 @@
+module Rack
+  class Saml
+    require 'rack/saml/misc/onelogin_setting'
+
+    class OneloginRequest < AbstractRequest
+      include OneloginSetting
+
+      def initialize(request, saml_config, metadata)
+        super(request, saml_config, metadata)
+        @authrequest = Onelogin::Saml::Authrequest.new
+      end
+
+      def redirect_uri
+        @authrequest.create(saml_settings)
+      end
+    end
+  end
+end

data/lib/rack/saml/request/opensaml_request.rb

@@ -0,0 +1,12 @@
+module Rack
+  class Saml
+    class OpensamlRequest < AbstractRequest
+      # To be implemented
+      def initialize(request, saml_config, metadata)
+      end
+
+      def redirect_uri
+      end
+    end
+  end
+end

data/lib/rack/saml/request_handler.rb

@@ -0,0 +1,19 @@
+module Rack
+  class Saml
+    require 'rack/saml/request/abstract_request'
+    autoload "OneloginRequest", 'rack/saml/request/onelogin_request'
+    autoload "OpensamlRequest", 'rack/saml/request/opensaml_request'
+
+    class RequestHandler
+      attr_reader :authn_request 
+
+      # Rack::Saml::RequestHandler
+      # request: Rack current request instance
+      # saml_config: config/saml.yml 
+      # metadata: specified idp entity in the config/metadata.yml
+      def initialize(request, saml_config, metadata)
+        @authn_request = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Request").new(request, saml_config, metadata)
+      end
+    end
+  end
+end

data/lib/rack/saml/response/abstract_response.rb

@@ -0,0 +1,16 @@
+module Rack
+  class Saml
+    class AbstractResponse
+      attr_reader :request, :saml_config, :metadata
+
+      def initialize(request, saml_config, metadata)
+        @request = request
+        @saml_config = saml_config
+        @metadata = metadata
+      end
+
+      def is_valid?
+      end
+    end
+  end
+end

data/lib/rack/saml/response/onelogin_response.rb

@@ -0,0 +1,26 @@
+module Rack
+  class Saml
+    require 'rack/saml/misc/onelogin_setting'
+
+    class OneloginResponse < AbstractResponse
+      include OneloginSetting
+      #extend Forwardable
+
+      def initialize(request, saml_config, metadata)
+        super(request, saml_config, metadata)
+        @response = Onelogin::Saml::Response.new(@request.params['SAMLResponse'])
+        @response.settings = saml_settings
+      end
+
+      def is_valid?
+        @response.is_valid?
+      end
+
+      def attributes
+        @response.attributes
+      end
+
+      #def_delegator :@response, :is_valid?, :attributes
+    end
+  end
+end

data/lib/rack/saml/response/opensaml_response.rb

@@ -0,0 +1,12 @@
+module Rack
+  class Saml
+    class OpensamlResponse < AbstractResponse
+      # To be implemented
+      def initialize(request, saml_config, metadata)
+      end
+
+      def redirect_uri
+      end
+    end
+  end
+end

data/lib/rack/saml/response_handler.rb

@@ -0,0 +1,29 @@
+module Rack
+  class Saml
+    require 'rack/saml/response/abstract_response'
+    autoload "OneloginResponse", 'rack/saml/response/onelogin_response'
+    autoload "OpensamlResponse", 'rack/saml/response/opensaml_response'
+
+    class ResponseHandler
+      attr_reader :response
+
+      # Rack::Saml::ResponseHandler
+      # request: Rack current request instance
+      # saml_config: config/saml.yml 
+      # metadata: specified idp entity in the config/metadata.yml
+      def initialize(request, saml_config, metadata)
+        @response = (eval "Rack::Saml::#{saml_config['assertion_handler'].to_s.capitalize}Response").new(request, saml_config, metadata)
+      end
+
+      def extract_attrs(env, attribute_map, opts = {})
+        attribute_map.each do |attr_name, env_name|
+          attribute = @response.attributes[attr_name]
+          env[env_name] = attribute if !attribute.nil?
+        end
+        if !opts[:shib_app_id].nil?
+          env['Shib-Application-ID'] = opts[:shib_app_id]
+        end
+      end
+    end
+  end
+end

data/rack-saml.gemspec

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/rack-saml/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.add_dependency 'ruby-saml', '~> 0.4.7'
+
+  gem.authors       = ["Toyokazu Akiyama"]
+  gem.email         = ["toyokazu@gmail.com"]
+  gem.description   = %q{SAML middleware for Rack (using ruby-saml)}
+  gem.summary       = %q{SAML middleware for Rack (using ruby-saml)}
+  gem.homepage      = ""
+
+  gem.files         = `find . -not \\( -regex ".*\\.git.*" -o -regex "\\./pkg.*" -o -regex "\\./spec.*" \\)`.split("\n").map{ |f| f.gsub(/^.\//, '') }
+  #gem.files         = `find .`.split("\n").map{ |f| f.gsub(/^.\//, '') }
+  gem.test_files    = `find spec/*`.split("\n")
+  #gem.test_files    = `find test/* spec/* features/*`.split("\n")
+  gem.name          = "rack-saml"
+  gem.require_paths = ["lib"]
+  gem.version       = Rack::Saml::VERSION
+end

metadata

@@ -0,0 +1,82 @@
+--- !ruby/object:Gem::Specification
+name: rack-saml
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Toyokazu Akiyama
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-29 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: &2153190660 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.7
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153190660
+description: SAML middleware for Rack (using ruby-saml)
+email:
+- toyokazu@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/conv_metadata.rb
+- config/attribute-map.yml
+- config/attribute-map.yml.sample
+- config/metadata.yml
+- config/saml.yml
+- Gemfile
+- lib/rack/saml/metadata/abstract_metadata.rb
+- lib/rack/saml/metadata/onelogin_metadata.rb
+- lib/rack/saml/metadata/opensaml_metadata.rb
+- lib/rack/saml/metadata_handler.rb
+- lib/rack/saml/misc/onelogin_setting.rb
+- lib/rack/saml/request/abstract_request.rb
+- lib/rack/saml/request/onelogin_request.rb
+- lib/rack/saml/request/opensaml_request.rb
+- lib/rack/saml/request_handler.rb
+- lib/rack/saml/response/abstract_response.rb
+- lib/rack/saml/response/onelogin_response.rb
+- lib/rack/saml/response/opensaml_response.rb
+- lib/rack/saml/response_handler.rb
+- lib/rack/saml.rb
+- lib/rack-saml/version.rb
+- lib/rack-saml.rb
+- rack-saml.gemspec
+- Rakefile
+- README.md
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.12
+signing_key: 
+specification_version: 3
+summary: SAML middleware for Rack (using ruby-saml)
+test_files: []
+has_rdoc: