rsaml 0.1.2

data/lib/rsaml/identifier/name.rb

@@ -0,0 +1,55 @@
+module RSAML #:nodoc:
+  module Identifier #:nodoc:
+    # A Name identifier.
+    class Name < Base
+      # The following identifiers MAY be used to refer to the classification of the attribute name 
+      # for purposes of interpreting the name.
+      def self.formats
+        {
+          :unspecified => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+          :email_address => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+          :x509_subject_name => 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
+          :windows_domain_qualified_name => 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
+          :kerberos => 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
+          :entity => 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
+          :persistent => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+          :transient => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        }
+      end
+    
+      # A URI reference representing the classification of string-based identifier information.
+      attr_accessor :format
+    
+      # A name identifier established by a service provider or affiliation of providers for the entity, if 
+      # different from the primary name identifier given
+      attr_accessor :sp_provided_id
+    
+      # The value of the identifier
+      attr_accessor :value
+    
+      # Initialize the identifier with the given value
+      def initialize(value)
+        @value = value
+      end
+    
+      # The format of the name.
+      def format
+        @format ||= Name.formats[:unspecified]
+      end
+    
+      # Construct an XML fragment representing the name
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Format' => format}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['SPProvidedID'] = sp_provided_id unless sp_provided_id.nil?
+        xml.tag!('saml:NameID', value, attributes)
+      end
+      
+      def self.from_xml(element)
+        Name.new(element.text)
+      end
+    
+    end
+  end
+end

data/lib/rsaml/parser.rb

@@ -0,0 +1,23 @@
+module RSAML #:nodoc:
+  class Parser
+    # Parse the given SAML message and return a Ruby object structure representing
+    # the message. This may include protocol and core classes.
+    def parse(xml)
+      messages = []
+      xml = REXML::Document.new(xml) if xml.is_a?(String)
+      
+      if attribute_query_elements = xml.get_elements('samlp:AttributeQuery')
+        attribute_query_elements.each do |attribute_query_element|
+          messages << Protocol::Query::AttributeQuery.from_xml(attribute_query_element)
+        end
+      end
+      
+      case messages.length
+      when 1: messages.first
+      when 0: nil
+      else
+        messages
+      end
+    end
+  end
+end

data/lib/rsaml/protocol.rb

@@ -0,0 +1,21 @@
+module RSAML #:nodoc:
+  # The protocol module contains request and response classes for the SAML protocol implementation
+  module Protocol 
+  end
+end
+
+require 'rsaml/protocol/message'
+require 'rsaml/protocol/status_code'
+require 'rsaml/protocol/status'
+require 'rsaml/protocol/request'
+require 'rsaml/protocol/response'
+
+require 'rsaml/protocol/name_id_policy'
+require 'rsaml/protocol/scoping'
+require 'rsaml/protocol/idp_list'
+require 'rsaml/protocol/idp_entry'
+
+require 'rsaml/protocol/assertion_id_request'
+require 'rsaml/protocol/authn_request'
+
+require 'rsaml/protocol/query'

data/lib/rsaml/protocol/artifact_resolve.rb

@@ -0,0 +1,14 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # The ArtifactResolve message is used to request that a SAML protocol message be returned in an 
+    # <ArtifactResponse> message by specifying an artifact that represents the SAML protocol message. 
+    # The original transmission of the artifact is governed by the specific protocol binding that is 
+    # being used; see [SAMLBind] for more information on the use of artifacts in bindings. 
+    #
+    # The <ArtifactResolve> message SHOULD be signed or otherwise authenticated and integrity 
+    # protected by the protocol binding used to deliver the message.
+    class ArtifactResolve
+      
+    end
+  end
+end

data/lib/rsaml/protocol/assertion_id_request.rb

@@ -0,0 +1,18 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Request to return assertions with the given ids
+    class AssertionIDRequest
+      # Specify each assertion to return.
+      def assertion_id_refs
+        @assertion_id_refs ||= []
+      end
+      
+      # Construct an XML fragment representing the assertion id request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:AssertionIDRequest') {
+          assertion_id_refs.each { |assertion_id_ref| xml << assertion_id_ref.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/authn_request.rb

@@ -0,0 +1,91 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # To request that an identity provider issue an assertion with an authentication statement, a presenter 
+    # authenticates to that identity provider (or relies on an existing security context) and sends it an 
+    # <AuthnRequest> message that describes the properties that the resulting assertion needs to have to 
+    # satisfy its purpose. Among these properties may be information that relates to the content of the assertion 
+    # and/or information that relates to how the resulting <Response> message should be delivered to the 
+    # requester. The process of authentication of the presenter may take place before, during, or after the initial 
+    # delivery of the <AuthnRequest> message. 
+    #
+    # The requester might not be the same as the presenter of the request if, for example, the requester is a 
+    # relying party that intends to use the resulting assertion to authenticate or authorize the requested subject 
+    # so that the relying party can decide whether to provide a service.
+    class AuthnRequest < Request
+      # Specifies the requested subject of the resulting assertion(s).
+      attr_accessor :subject
+      
+      # Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, 
+      # then any type of identifier supported by the identity provider for the requested subject can be used, 
+      # constrained by any relevant deployment-specific policies, with respect to privacy, for example.
+      attr_accessor :name_id_policy
+      
+      # Specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting 
+      # assertion(s). The responder MAY modify or supplement this set as it deems necessary. The 
+      # information in this element is used as input to the process of constructing the assertion, rather than as 
+      # conditions on the use of the request itself.
+      attr_accessor :conditions
+      
+      # Specifies the requirements, if any, that the requester places on the authentication context that applies 
+      # to the responding provider's authentication of the presenter.  
+      attr_accessor :requested_authn_context
+      
+      # Specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as 
+      # limitations and context related to proxying of the <Au message to subsequent identity providers by the 
+      # responder.
+      attr_accessor :scoping
+      
+      # A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than 
+      # rely on a previous security context. If a value is not provided, the default is "false". However, if both 
+      # ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the 
+      # presenter unless the constraints of IsPassive can be met.
+      attr_accessor :force_authn
+      
+      # A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control 
+      # of the user interface from the requester and interact with the presenter in a noticeable fashion. If a 
+      # value is not provided, the default is "false".
+      attr_accessor :is_passive
+      
+      attr_accessor :assertion_consumer_service_index
+      
+      attr_accessor :assertion_consumer_service_url
+      
+      # A URI reference that identifies a SAML protocol binding to be used when returning the response message.
+      attr_accessor :protocol_binding
+      
+      # Indirectly identifies information associated with the requester describing the SAML attributes the 
+      # requester desires or requires to be supplied by the identity provider in the <Response> message. The 
+      # identity provider MUST have a trusted means to map the index value in the attribute to information 
+      # associated with the requester.
+      attr_accessor :attribute_consuming_service_url
+      
+      # Specifies the human-readable name of the requester for use by the presenter's user agent or the 
+      # identity provider
+      attr_accessor :provider_name
+      
+      # Validate the authentication request.
+      def validate
+        raise ValidationError, "Conditions must be of type Conditions" if conditions && !conditions.is_a?(Conditions)
+      end
+      
+      # Construct an XML fragment representing the authentication request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['ForceAuthn'] = force_authn unless force_authn.nil?
+        attributes['IsPassive'] = is_passive unless is_passive.nil?
+        # TODO implement assertion consumer service index
+        # TODO implement assertion consumer service URL
+        attributes['ProtocolBinding'] = protocol_binding unless protocol_binding.nil?
+        attributes['AttributeConsumingServiceURL'] = attribute_consuming_service_url unless attribute_consuming_service_url.nil?
+        attributes['ProviderName'] = provider_name unless provider_name.nil?
+        xml.tag!('samlp:AuthnRequest', attributes) {
+          xml << subject.to_xml unless subject.nil?
+          xml << name_id_policy.to_xml unless name_id_policy.nil?
+          xml << conditions.to_xml unless conditions.nil?
+          xml << requested_authn_context unless requested_authn_context.nil?
+          xml << scoping.to_xml unless scoping.nil?
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/idp_entry.rb

@@ -0,0 +1,18 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    class IDPEntry
+      attr_accessor :provider_id
+      
+      # Initialize the IDP entry
+      def initialize(provider_id)
+        @provider_id = provider_id
+      end
+      
+      # Construct an XML fragment representing the idp list
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ProviderID' => provider_id}
+        xml.tag!('samlp:IDPEntry', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/idp_list.rb

@@ -0,0 +1,28 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Specifies the identity providers trusted by the requester to authenticate the presenter.
+    class IDPList
+      # Initialize the IDP list
+      def initialize(*idp_entries)
+        @idp_entries = idp_entries
+      end
+      
+      # Information about identity providers.
+      def idp_entries
+        @idp_entries ||= []
+      end
+      
+      # Validate the IDPList structure.
+      def validate
+        raise ValidationError, "At least one IDP entry is required" if idp_entries.empty?
+      end
+      
+      # Construct an XML fragment representing the idp list
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:IDPList') {
+          idp_entries.each { |idp_entry| xml << idp_entry.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/message.rb

@@ -0,0 +1,65 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Base class for messages. This class should not be instantiated directly, rather the Request and Response
+    # classes should be used.
+    class Message
+      
+      # An identifier for the message. It is of type xs:ID and MUST follow the requirements specified in Section 
+      # 1.3.4 of the SAML 2.0 specification for identifier uniqueness.
+      attr_accessor :id
+      
+      # The version of this message. The identifier for the version of SAML defined in this specification is "2.0".
+      attr_accessor :version
+      
+      # The time instant of issue of the message. The time value must be encoded in UTC.
+      attr_accessor :issue_instant
+      
+      # A URI reference indicating the address to which this message has been sent. This is useful to prevent 
+      # malicious forwarding of messages to unintended recipients, a protection that is required by some 
+      # protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the 
+      # location at which the message was sent or received. If it does not, the response MUST be discarded. Some 
+      # protocol bindings may require the use of this attribute.
+      attr_accessor :destination
+      
+      # Indicates whether or not (and under what conditions) consent has been obtained from a principal in 
+      # the sending of this message.  If no Consent value is provided, the identifier  
+      # urn:oasis:names:tc:SAML:2.0:consent:unspecified is in effect.
+      attr_accessor :consent
+      
+      # Identifies the entity that generated the message.
+      attr_accessor :issuer
+      
+      # An XML Signature that authenticates the requestor or responder and provides message integrity.
+      attr_accessor :signature
+      
+      # Initialize the message instance
+      def initialize
+        @id = UUID.new.generate
+        @version = "2.0"
+        @issue_instant = Time.now.utc
+      end
+      
+      # This extension point contains optional protocol message extension elements that are agreed on 
+      # between the communicating parties.
+      def extensions
+        @extionsion ||= []
+      end
+      
+      # Validate the request structure
+      def validate
+        raise ValidationError, "ID is required" if id.nil?
+        raise ValidationError, "Version is required" if version.nil?
+        raise ValidationError, "Issue instant is required" if issue_instant.nil?
+        raise ValidationError, "Issue instant must be UTC" unless issue_instant.utc?
+      end
+      
+      protected
+      # Add XML Namespace attributes
+      def add_xmlns(attributes)
+        attributes['xmlns:samlp'] = "urn:oasis:names:tc:SAML:2.0:protocol" 
+        attributes['xmlns:saml'] = "urn:oasis:names:tc:SAML:2.0:assertion"
+        attributes
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/name_id_policy.rb

@@ -0,0 +1,31 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Tailors the name identifier in the subjects of assertions resulting from an authentication request.
+    class NameIdPolicy
+      # Specifies the URI reference corresponding to a name identifier format
+      attr_accessor :format
+      
+      # Optionally specifies that the assertion subject's identifier be returned (or created) in the namespace of 
+      # a service provider other than the requester, or in the namespace of an affiliation group of service 
+      # providers.
+      attr_accessor :sp_name_qualifier
+      
+      # A Boolean value used to indicate whether the identity provider is allowed, in the course of fulfilling the 
+      # request, to create a new identifier to represent the principal. Defaults to "false". When "false", the 
+      # requester constrains the identity provider to only issue an assertion to it if an acceptable identifier for 
+      # the principal has already been established. Note that this does not prevent the identity provider from 
+      # creating such identifiers outside the context of this specific request (for example, in advance for a 
+      # large number of principals).
+      attr_accessor :allow_create
+      
+      # Construct an XML fragment representing the name id policy
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['Format'] = format unless format.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['AllowCreate'] = allow_create unless allow_create.nil?
+        xml.tag!('samlp:NameIDPolicy', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query.rb

@@ -0,0 +1,12 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Module containing SAML query classes.
+    module Query
+    end
+  end
+end
+
+require 'rsaml/protocol/query/subject_query'
+require 'rsaml/protocol/query/authn_query'
+require 'rsaml/protocol/query/attribute_query'
+require 'rsaml/protocol/query/authz_decision_query'

data/lib/rsaml/protocol/query/attribute_query.rb

@@ -0,0 +1,56 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # used to make the query "Return the requested attributes for this subject." A successful response 
+      # will be in the form of assertions containing attribute statements, to the extent allowed by policy.
+      class AttributeQuery < SubjectQuery
+        # Each attribute element specifies an attribute whose value(s) are to be returned. If no 
+        # attributes are specified, it indicates that all attributes allowed by policy are requested. 
+        # If a given attribute element contains one or more AttributeValue elements, then if that attribute 
+        # is returned in the response, it MUST NOT contain any values that are not equal to the values 
+        # specified in the query. In the absence of equality rules specified by particular profiles or 
+        # attributes, equality is defined as an identical XML representation of the value. Each value in 
+        # the array MUST be an Attribute instance.
+        def attributes
+          @attributes ||= []
+        end
+      
+        # Validate the structure of the attribute query.
+        def validate
+          matched = {}
+          duplicated_attributes = []
+          attributes.each do |attribute|
+            if matched.has_key?(attribute.name) && matched[attribute.name] == attribute.name_format
+              duplicated_attributes << attribute.name unless duplicated_attributes.include?(attribute.name)
+            else
+              matched[attribute.name] = attribute.name_format
+            end
+          end
+          if !duplicated_attributes.empty?
+            raise ValidationError, "An attribute with the same name and name format may only be specified once. The following attributes were specified multiple times: #{duplicated_attributes.join(',')}"
+          end
+        end
+      
+        # Construct an XML fragment representing the attribute query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          xml_attributes = {}
+          xml.tag!('samlp:AttributeQuery', xml_attributes) {
+            xml << subject.to_xml unless subject.nil?
+            attributes.each { |attribute| xml << attribute.to_xml }
+          }
+        end
+        
+        # Construct an AttributeQuery instance from the XML Element.
+        def self.from_xml(element)
+          element = REXML::Document.new(element).root if element.is_a?(String)
+          subject = Subject.from_xml(element.get_elements('saml:Subject').first)
+          attribute_query = AttributeQuery.new(subject)
+          element.get_elements('saml:Attribute').each do |attribute_element|
+            attribute_query.attributes << Attribute.from_xml(attribute_element)
+          end
+          attribute_query
+        end
+      end
+    end
+  end
+end