rsaml 0.1.2

data/lib/rsaml/protocol/query/authn_query.rb

@@ -0,0 +1,30 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # An AuthnQuery is used to make the query "What assertions containing authentication statements 
+      # are available for this subject?" A successful response will contain one or more assertions containing 
+      # authentication statements.
+      class AuthnQuery < SubjectQuery
+        # If present, specifies a filter for possible responses. Such a query asks the question "What assertions 
+        # containing authentication statements do you have for this subject within the context of the supplied 
+        # session information?" The value of this attribute MUST be a string.
+        attr_accessor :session_index
+      
+        # If present, specifies a filter for possible responses. Such a query asks the question "What assertions 
+        # containing authentication statements do you have for this subject that satisfy the authentication 
+        # context requirements in this element?" The value of this attribute MUST be a RequestedAuthnContext
+        # instance.
+        attr_accessor :requested_authn_context
+      
+        # Construct an XML fragment representing the authn query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          attributes = {}
+          attributes['SessionIndex'] = session_index unless session_index.nil?
+          xml.tag!('samlp:AuthnQuery', attributes) {
+            xml << subject.to_xml unless subject.nil?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/authz_decision_query.rb

@@ -0,0 +1,40 @@
+# Source code for the RSAML::Protocol::Query::AuthzDecisionQuery class.
+
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # Used to make the query "Should these actions on this resource be allowed for this subject, 
+      # given this evidence?" A successful response will be in the form of assertions containing 
+      # authorization decision statements.
+      class AuthzDecisionQuery < SubjectQuery
+        # A URI reference indicating the resource for which authorization is requested.
+        attr_accessor :resource
+        
+        # The actions for which authorization is requested.
+        def actions
+          @actions ||= []
+        end
+        
+        # A set of assertions that the SAML authority MAY rely on in making its authorization decision.
+        attr_accessor :evidence
+        
+        # Validate the query structure.
+        def validate
+          raise ValidationError, "Resource is required" if resource.nil?
+          raise ValidationError, "At least one action is required" if actions.empty?
+          actions.each { |action| action.validate }
+        end
+        
+        # Construct an XML fragment representing the authorization decision query
+        def to_xml(xml=Builder::XmlMarkup.new)
+          attributes = {'Resource' => resource}
+          xml.tag!('samlp:AuthzDecisionQuery', attributes) {
+            xml << subject.to_xml unless subject.nil?
+            actions.each { |action| xml << action.to_xml }
+            xml << evidence.to_xml unless evidence.nil?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/query/subject_query.rb

@@ -0,0 +1,22 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    module Query #:nodoc:
+      # Extension point that allows new SAML queries to be defined that specify a single SAML subject.
+      # This class should not be instantiated directly.
+      class SubjectQuery < RSAML::Protocol::Request
+        # The subject
+        attr_accessor :subject
+      
+        # Initialize the subject query
+        def initialize(subject)
+          @subject = subject
+        end
+      
+        # Validate the subject query structure.
+        def validate
+          raise ValidationError, "Subject is required" if subject.nil?
+        end
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/request.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML request
+    class Request < Message
+      # Generate a Response instance with the given status code. The response's in_response_to attribute
+      # will be set to the ID of the request.
+      def respond(status)
+        response = Response.new(status)
+        response.in_response_to = id
+        response
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ID' => id, 'Version' => version, 'IssueInstant' => issue_instant.xmlschema}
+        attributes['Destination'] = destination unless destination.nil?
+        attributes['Consent'] = consent unless consent.nil?
+        attributes = add_xmlns(attributes)
+        xml.tag!('samlp:Request', attributes) {
+          xml << issuer.to_xml unless issuer.nil?
+          xml << signature.to_xml unless signature.nil?
+          # TODO: add extensions support
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/requested_authn_context.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Specifies the authentication context requirements of authentication statements returned in 
+    # response to a request or query.
+    class RequestedAuthnContext
+      # List of available comparison values
+      def self.comparisons
+        @comparisons ||= ['exact','minimum','maximum','better']
+      end
+      
+      # Authentication context references, either AuthnContextDeclRef or AuthnContextClassRef.
+      def authn_context_refs
+        @authn_context_refs ||= []
+      end
+      
+      # Specifies the comparison method used to evaluate the requested context classes or statements, one 
+      # of "exact", "minimum", "maximum", or "better". The default is "exact"
+      def comparison
+        @comparison ||= 'exact'
+      end
+      
+      # Validate the structure of the requested authn context
+      def validate
+        raise ValidationError, "Unknown comparison type: #{comparison}" unless RequestedAuthContext.comparisons.include?(comparison)
+      end
+      
+      # Construct an XML fragment representing the requested authn context
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Comparison' => comparison}
+        xml.tag!('samlp:RequestedAuthnContext')
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/response.rb

@@ -0,0 +1,56 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML response
+    class Response < Message
+      # A reference to the identifier of the request to which the response corresponds, if any. If the response 
+      # is not generated in response to a request, or if the ID attribute value of a request cannot be 
+      # determined (for example, the request is malformed), then this attribute MUST NOT be present. 
+      # Otherwise, it MUST be present and its value MUST match the value of the corresponding request's 
+      # ID attribute.
+      attr_accessor :in_response_to
+      
+      # A code representing the status of the corresponding request.
+      attr_accessor :status
+      
+      # Initialize the Response instance
+      def initialize(status)
+        super()
+        @status = status
+      end
+      
+      # SAML assertions
+      def assertions
+        @assertions ||= []
+      end
+      
+      # SAML encrypted assertions
+      def encrypted_assertions
+        @encrypted_assertions ||= []
+      end
+      
+      # Validate the request structure
+      def validate
+        super
+        raise ValidationError, "Status must be specified" if status.nil?
+        raise ValidationError, "Status must be a RSAML::Protocol::Status instance" unless status.is_a?(Status)
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ID' => id, 'Version' => version, 'IssueInstant' => issue_instant.xmlschema}
+        attributes['InResponseTo'] = in_response_to unless in_response_to.nil?
+        attributes['Destination'] = destination unless destination.nil?
+        attributes['Consent'] = consent unless consent.nil?
+        attributes = add_xmlns(attributes)
+        xml.tag!('samlp:Response', attributes) {
+          xml << issuer.to_xml unless issuer.nil?
+          xml << signature.to_xml unless signature.nil?
+          # TODO: add extensions support
+          xml << status.to_xml unless status.nil?
+          assertions.each { |assertion| xml << assertion.to_xml }
+          encrypted_assertions.each { |encrypted_assertion| xml << encrypted_assertion.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/scoping.rb

@@ -0,0 +1,33 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # specifies the identity providers trusted by the requester to authenticate the presenter, as well as 
+    # limitations and context related to proxying of the <AuthnRequest> message to subsequent identity 
+    # providers by the responder.
+    class Scoping
+      # Specifies the number of proxying indirections permissible between the identity provider that receives 
+      # this <AuthnRequest> and the identity provider who ultimately authenticates the principal. A count of 
+      # zero permits no proxying, while omitting this attribute expresses no such restriction.
+      attr_accessor :proxy_count
+      
+      # An advisory list of identity providers and associated information that the requester deems acceptable 
+      # to respond to the request.
+      attr_accessor :idp_list
+      
+      # Identifies the set of requesting entities on whose behalf the requester is acting. Used to communicate 
+      # the chain of requesters when proxying occurs.
+      def requestor_ids
+        @requestor_ids ||= []
+      end
+      
+      # Construct an XML fragment representing the scoping
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['ProxyCount'] = proxy_count if proxy_count
+        xml.tag!('samlp:Scoping', attributes) {
+          xml << idp_list.to_xml if idp_list
+          requestor_ids.each { |requestor_id| xml << requestor_id.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/status.rb

@@ -0,0 +1,38 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A SAML status indicator.
+    class Status
+      # A code representing the status of the activity carried out in response to the corresponding request.
+      attr_accessor :status_code
+      
+      # A message which MAY be returned to an operator.
+      attr_accessor :status_message
+      
+      # Initialize the status with the given status code
+      def initialize(status_code)
+        @status_code = status_code
+      end
+      
+      # Additional information concerning the status of the request. All objects in the collection must
+      # respond to the to_xml method.
+      def status_detail
+        @status_detail ||= []
+      end
+      
+      # Validate the structure of the Status instance
+      def validate
+        raise ValidationError, "Status code required" if status_code.nil?
+        raise ValidationError, "Status code must be a RSAML::Protocol::StatusCode instance" unless status_code.is_a?(StatusCode)
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:Status') {
+          xml << status_code.to_xml unless status_code.nil?
+          xml.tag!('StatusMessage', status_message) unless status_message.nil?
+          status_detail.each { |status_detail| xml << status_detail.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/status_code.rb

@@ -0,0 +1,84 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # A code or a set of nested codes representing the status of the corresponding request.
+    # 
+    # More information on available status codes may be found in Section 3.2.2.2 of the SAML 2.0 Core
+    # specification.
+    class StatusCode
+      # Initialize the status code with the given value
+      def initialize(value)
+        @value = value
+      end
+      
+      # Constant respresenting the Success status
+      SUCCESS = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Success')
+      
+      # Constant representing the Requestor status
+      REQUESTOR = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Requestor')
+      
+      # Constant representing the Responder status
+      RESPONDER = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:Responder')
+      
+      # Constant representing the VersionMismatch status
+      VERSION_MISMATCH = StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:VersionMismatch')
+      
+      # Hash of symbol/StatusCode pairs representing top-level status codes.
+      def self.top_level_status_codes
+        @top_level_status_codes ||= {
+          :success => SUCCESS,
+          :requestor => REQUESTOR,
+          :responder => RESPONDER,
+          :version_mismatch => VERSION_MISMATCH
+        }
+      end
+      
+      # Hash of symbol/StatusCode pairs representing second-level status codes.
+      def self.second_level_status_codes
+        @second_level_status_codes ||= {
+          :authn_failed => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:AuthnFailed'),
+          :invalid_attr_name_or_value => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue'),
+          :invalid_name_id_policy => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy'),
+          :no_authn_context => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext'),
+          :no_available_idp => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP'),
+          :no_passive => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoPassive'),
+          :no_supported_idp => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP'),
+          :partial_logout => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:PartialLogout'),
+          :proxy_count_exceeded => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'),
+          :request_denied => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestDenied'),
+          :request_unsupported => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported'),
+          :request_version_deprecated => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated'),
+          :request_version_too_high => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh'),
+          :request_version_too_low => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow'),
+          :resource_not_recognized => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized'),
+          :too_many_responses => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:TooManyResponse'),
+          :unknown_attr_profile => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile'),
+          :unknown_principal => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal'),
+          :unsupported_binding => StatusCode.new('urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding'),
+        }
+      end
+      
+      # The status code value. Value is a URI reference.
+      attr_accessor :value
+      
+      # An optional child status code.
+      attr_accessor :status_code
+      
+      def validate
+        raise ValidationError, "Value is required" if value.nil?
+      end
+      
+      # Construct an XML fragment representing the request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Value' => value}
+        xml.tag!('samlp:StatusCode', attributes) {
+          xml << status_code.to_xml unless status_code.nil?
+        }
+      end
+      
+      # Return the value of the status code as a string.
+      def to_s
+        value
+      end
+    end
+  end
+end

data/lib/rsaml/proxy_restriction.rb

@@ -0,0 +1,30 @@
+module RSAML #:nodoc:
+  # Specifies limitations that the asserting party imposes on relying parties that in turn wish to act as asserting 
+  # parties and issue subsequent assertions of their own on the basis of the information contained in the 
+  # original assertion. A relying party acting as an asserting party MUST NOT issue an assertion that itself 
+  # violates the restrictions specified in this condition on the basis of an assertion containing such a condition.
+  class ProxyRestriction
+    # Specifies the maximum number of indirections that the asserting party permits to exist between this 
+    # assertion and an assertion which has ultimately been issued on the basis of it.
+    attr_accessor :count
+    
+    def audiences
+      @audiences ||= []
+    end
+    
+    # Validate the structure
+    def validate
+      raise ValidationError, "Count must be 0 or more if specified" if !count.nil? && count < 0
+    end
+    
+    # Construct an XML fragment representing the proxy restriction
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Count'] = count unless count.nil?
+      xml.tag!('saml:ProxyRestriction', attributes) {
+        audiences.each { |audience| xml << audience.to_xml }
+      }
+    end
+    
+  end
+end

data/lib/rsaml/statement.rb

@@ -0,0 +1,10 @@
+module RSAML #:nodoc
+  # Module that contain SAML statements.
+  module Statement
+  end
+end
+
+require 'rsaml/statement/base'
+require 'rsaml/statement/authentication_statement'
+require 'rsaml/statement/attribute_statement'
+require 'rsaml/statement/authorization_decision_statement'

data/lib/rsaml/statement/attribute_statement.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # The assertion subject is associated with the supplied attributes.
+    class AttributeStatement < Base
+      # Specifies attributes of the assertion subject.
+      def attributes
+        @attributes ||= []
+      end
+      
+      # Validate the structure of the attribute statement. Raises a validation error if:
+      #
+      # * Has no attributes specified
+      # * Any of the attributes are invalid
+      def validate
+        raise ValidationError, "At least one attribute must be specified" if @attributes.empty?
+        @attributes.each { |attribute| attribute.validate }
+      end
+      
+      # Construct an XML fragment representing the authentication statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('saml:AttributeStatement') {
+          attributes.each { |attribute| xml << attribute.to_xml }
+        }
+      end
+    end
+  end
+end