rsaml 0.1.2

data/lib/rsaml/attribute.rb

@@ -0,0 +1,76 @@
+module RSAML #:nodoc:
+  # Identifies an attribute by name and optionally includes its value(s).
+  class Attribute
+    # The name of the attribute.
+    attr_accessor :name
+    
+    # A URI reference representing the classification of the attribute name for purposes of 
+    # interpreting the name
+    attr_accessor :name_format
+    
+    # A string that provides a more human-readable form of the attribute's name, which may 
+    # be useful in cases in which the actual Name is complex or opaque, such as an OID or a UUID.
+    attr_accessor :friendly_name
+    
+    # Initialize the attribute with the given name. Optionally pass an array of values.
+    def initialize(name, *values)
+      @name = name
+      @values = values      
+    end
+    
+    # An array of values for the attribute.
+    def values
+      @values ||= []
+    end
+    
+    # Validate the structure of the attribute.
+    def validate
+      raise ValidationError, "Name is required" unless name
+    end
+    
+    # extension point to allow arbitrary XML attributes to be added to <Attribute> constructs 
+    # without the need for an explicit schema extension. This allows additional fields to be 
+    # added as needed to supply additional parameters to be used, for example, in an attribute 
+    # query. This attribute is a Hash of name/value pairs that is output directly with the
+    # <Attribute> XML element.
+    def extra_xml_attributes
+      @extra_xml_attributes ||= {}
+    end
+    
+    # Construct an XML fragment representing the attribute
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml_attributes = {'Name' => name}
+      xml_attributes['NameFormat'] = name_format unless name_format.nil?
+      xml_attributes['FriendlyName'] = friendly_name unless friendly_name.nil?
+      xml.tag!('saml:Attribute', xml_attributes.merge(extra_xml_attributes)) {
+        values.each { |value| xml.tag!('saml:AttributeValue', value.to_s) }
+      }
+    end
+    
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      attribute = Attribute.new(element.attribute('Name').value)
+      if element.attribute('NameFormat')
+        attribute.name_format = element.attribute('NameFormat').value
+      end
+      attribute
+    end
+  end
+  
+  # An encrypted attribute.
+  class EncryptedAttribute < Encrypted
+    
+    # Validate the structure
+    def validate
+      raise ValidationError, "Encrypted data is required" if encrypted_data.nil?
+    end
+    
+    # Construct an XML fragment representing the encrypted attribute
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:EncryptedAttribute') {
+        xml.tag!('xenc:EncryptedData', encrypted_data)
+        encrypted_keys.each { |key| xml << key.to_xml }
+      }
+    end
+  end
+end

data/lib/rsaml/audience.rb

@@ -0,0 +1,19 @@
+module RSAML #:nodoc:
+  # A URI reference that identifies an intended audience. The URI reference MAY identify a document 
+  # that describes the terms and conditions of audience membership. It MAY also contain the unique 
+  # identifier URI from a SAML name identifier that describes a system entity.
+  class Audience
+    # URI for the audience
+    attr_accessor :uri
+    
+    # Initialize the Audience instance with the given URI
+    def initialize(uri)
+      @uri = uri
+    end
+    
+    # Construct an XML fragment representing the audience
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Audience', uri)
+    end
+  end
+end

data/lib/rsaml/authentication_context.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  # Specifies the context of an authentication event. The element can contain 
+  # an authentication context class reference, an authentication context declaration 
+  # or declaration reference, or both.
+  class AuthenticationContext
+    # A URI reference identifying an authentication context class that describes the authentication context 
+    # declaration that follows.
+    attr_accessor :class_reference
+    
+    # An authentication context declaration provided by value.
+    attr_accessor :context_declaration
+    
+    # A URI reference that identifies a declaration. The URI reference MAY directly resolve into 
+    # an XML document containing the referenced declaration.
+    attr_accessor :context_declaration_ref
+    
+    # Zero or more unique identifiers of authentication authorities that were involved in the 
+    # authentication of the principal
+    def authenticating_authority
+      @authenticating_authority ||= []
+    end
+    
+    # Construct an XML fragment representing the authentication statement
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:AuthnContext') {
+        xml.tag!('saml:AuthnContextClassRef', class_reference) unless class_reference.nil?
+        xml.tag!('saml:AuthnContextDecl', context_declaration) unless context_declaration.nil?
+        xml.tag!('saml:AuthnContextDeclRef', context_declaration_ref) unless context_declaration_ref.nil?
+      }
+    end
+  end
+end
+
+require 'rsaml/authn_context/authentication_context_declaration'

data/lib/rsaml/authn_context/README

@@ -0,0 +1 @@
+Implementation of the AuthnContext 2.0 specification.

data/lib/rsaml/authn_context/authentication_context_declaration.rb

@@ -0,0 +1,42 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # A particular assertion on an identity provider's part with respect to the authentication
+    # context associated with an authentication assertion.
+    class AuthenticationContextDeclaration
+      # Authentication method, a required attribute
+      attr_accessor :authn_method
+      
+      # Optional ID for the authentication context declaration
+      attr_accessor :id
+      
+      def initialize(authn_method)
+        @authn_method = authn_method
+      end
+      
+      def identification
+        @identification ||= []
+      end
+      
+      def technical_protection
+        @technical_protection ||= []
+      end
+      
+      def operational_protection
+        @operational_protection ||= []
+      end
+      
+      def governing_agreements
+        @governing_agreements ||= []
+      end
+      
+      def extensions
+        @extensions ||= []
+      end
+      
+      # Construct an XML fragment representing the assertion
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('AuthContextDecl')
+      end
+    end
+  end
+end

data/lib/rsaml/authn_context/identification.rb

@@ -0,0 +1,10 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # Refers to those characteristics that describe the processes and mechanisms the 
+    # Authentication Authority uses to initially create an association between a Principal 
+    # and the identity (or name) by which the Principal will be known
+    class Identification
+      
+    end
+  end
+end

data/lib/rsaml/authn_context/physical_verification.rb

@@ -0,0 +1,24 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # This element indicates that identification has been performed in a physical 
+    # face-to-face meeting with the principal and not in an online manner.
+    class PhysicalVerification
+      # Hash of available credential levels
+      def self.credential_levels
+        {
+          :primary => 'primary',
+          :secondary => 'secondary'
+        }
+      end
+      
+      attr_accessor :credential_level
+      
+      # Create an XML representation
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['credentialLevel'] = credential_level unless credential_level.nil?
+        xml.tag!('PhysicalVerification', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/condition.rb

@@ -0,0 +1,13 @@
+module RSAML #:nodoc
+  # Base class for conditions
+  class Condition
+    # Assert that the condition evaluates to true, raise an AssertionError if not
+    def assert
+    end
+    
+    # Construct an XML fragment representing the condition
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Condition')
+    end
+  end
+end

data/lib/rsaml/conditions.rb

@@ -0,0 +1,107 @@
+module RSAML #:nodoc:
+  # Constraints on the acceptable use of SAML assertions.
+  class Conditions
+    # Specifies the earliest time instant at which the assertion is valid. The time value is encoded in UTC.
+    attr_accessor :not_before
+    
+    # Specifies the time instant at which the assertion has expired. The time value is encoded in UTC.
+    attr_accessor :not_on_or_after
+    
+    # Specifies that the assertion SHOULD be used immediately and MUST NOT be retained for future 
+    # use.
+    attr_accessor :one_time_use
+    
+    # Specifies limitations that the asserting party imposes on relying parties that wish to subsequently act 
+    # as asserting parties themselves and issue assertions of their own on the basis of the information 
+    # contained in the original assertion.
+    attr_accessor :proxy_restriction
+    
+    # The conditions
+    def conditions
+      @conditions ||= []
+    end
+    
+    # Alias to access the embedded conditions array.
+    def []
+      conditions
+    end
+    
+    # Append a condition to the conditions
+    def <<(condition)
+      conditions << condition
+    end
+    
+    # The number of conditions
+    def length
+      conditions.length
+    end
+    
+    # Return true if the conditions collection is empty
+    def empty?
+      conditions.length == 0 && audience_restrictions.empty?
+    end
+    
+    # Specifies that the assertion is addressed to a particular audience.
+    # Audiences are represented as A URI reference that identifies an intended audience.
+    # A URI may reference a document that describes the terms of service for audience
+    # membership.
+    def audience_restrictions
+      @audience_restrictions ||= []
+    end
+    
+    # Assert the conditions
+    def assert
+      assert_time_limits
+      assert_elements
+    end
+    
+    # Validate the structure of the conditions model
+    def validate
+      if not_before && not_on_or_after && not_before >= not_on_or_after
+        raise ValidationError, "NotBefore after NotOnOrAfter"
+      end
+    end
+    
+    # Return true if the condition allows caching of the assertion
+    def cache?
+      one_time_use.nil?
+    end
+    
+    # Construct an XML fragment representing the conditions collection
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['NotBefore'] = not_before.xmlschema unless not_before.nil?
+      attributes['NotOnOrAfter'] = not_on_or_after.xmlschema unless not_on_or_after.nil?
+      xml.tag!('saml:Conditions', attributes) {
+        conditions.each { |condition| xml << condition.to_xml }
+        audience_restrictions.each do |audience|
+          xml.tag!('saml:AudienceRestriction') { xml << audience.to_xml }
+        end
+        xml.tag!('OneTimeUse') if one_time_use
+        xml << proxy_restriction.to_xml unless proxy_restriction.nil?
+      }
+    end
+    
+    protected
+    # Check the the current time falls within the allowed time constraints
+    def assert_time_limits
+      raise AssertionError, "Condition failed: not before" if not_before && Time.now < not_before
+      raise AssertionError, "Condition failed: not on or after" if not_on_or_after && Time.now >= not_on_or_after
+    end
+    
+    # Assert that the conditions evaluate to true
+    def assert_elements
+      # Rule 1
+      if conditions.empty? && audience_restrictions.empty? && proxy_restriction.nil? && one_time_use.nil?
+        return
+      end
+      
+      # Rule 2
+      conditions.all { |c| c.assert }
+      
+      # Rule 3
+      
+      # Rule 4
+    end
+  end
+end

data/lib/rsaml/encrypted.rb

@@ -0,0 +1,12 @@
+module RSAML #:nodoc:
+  # Base for encrypted elements
+  class Encrypted
+    # Encrypted data
+    attr_accessor :encrypted_data
+    
+    # Encrypted keys
+    def encrypted_keys
+      @encrypted_keys ||= []
+    end
+  end
+end

data/lib/rsaml/errors.rb

@@ -0,0 +1,16 @@
+module RSAML #:nodoc:
+  # An error that is raised when a validation error occurs. Note that validity in the case
+  # of this library is for validity of the structure of the model according to the rules
+  # of the SAML 2.0 specification.
+  class ValidationError < StandardError
+  end
+  # An error that is raised when an assertion fails.
+  class AssertionError < StandardError
+  end
+  # An error that is raised when a confirmation fails.
+  class ConfirmationError < StandardError
+  end
+  # An error that is raised when parsing fails.
+  class ParseError < StandardError
+  end
+end

data/lib/rsaml/evidence.rb

@@ -0,0 +1,21 @@
+module RSAML #:nodoc:
+  # Contains one or more assertions or assertion references that the SAML authority relied 
+  # on in issuing the authorization decision.
+  class Evidence
+    # Specifies an assertion either by reference or by value.
+    def assertions
+      @assertions ||= []
+    end
+    
+    def validate
+      raise ValidationError, "At least one assertion is required" if assertions.empty?
+    end
+    
+    # Construct an XML fragment representing the authentication statement
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Evidence') {
+        assertions.each { |assertion| xml << assertion.to_xml }
+      }
+    end
+  end
+end

data/lib/rsaml/ext/string.rb

@@ -0,0 +1,5 @@
+class String #:nodoc:
+  def to_xml
+    to_s
+  end
+end

data/lib/rsaml/identifier.rb

@@ -0,0 +1,9 @@
+module RSAML #:nodoc:
+  # Module that contains various SAML identifier types.
+  module Identifier
+  end
+end
+
+require 'rsaml/identifier/base'
+require 'rsaml/identifier/name'
+require 'rsaml/identifier/issuer'

data/lib/rsaml/identifier/base.rb

@@ -0,0 +1,23 @@
+module RSAML #:nodoc:
+  module Identifier # :nodoc:
+    # An extension point that allows applications to add new kinds of identifiers.
+    class Base
+      # The security or administrative domain that qualifies the name. This attribute provides a means to 
+      # federate names from disparate user stores without collision.
+      attr_accessor :name_qualifier
+    
+      # Further qualifies a name with the name of a service provider or affiliation of providers. This 
+      # attribute provides an additional means to federate names on the basis of the relying party or 
+      # parties.
+      attr_accessor :sp_name_qualifier
+    
+      # Create an XML fragment representing the identifier
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        xml.tag!('saml:BaseID', '', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/identifier/issuer.rb

@@ -0,0 +1,28 @@
+module RSAML #:nodoc:
+  module Identifier #:nodoc:
+    # provides information about the issuer of a SAML assertion or protocol message. T
+    # Requires the use of a string to carry the issuer's name  
+    class Issuer < Name
+      # If no Format value is provided with this element, then the value
+      # urn:oasis:names:tc:SAML:2.0:nameid-format:entity is in effect
+      def format
+        @format ||= Name.formats[:entity]
+      end
+      
+      # Construct an XML fragment representing the issuer
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Format' => format}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['SPProvidedID'] = sp_provided_id unless sp_provided_id.nil?
+        xml.tag!('saml:Issuer', value, attributes)
+      end
+      
+      # Construct an Issuer instance from the given XML Element or fragment.
+      def self.from_xml(element)
+        element = REXML::Document.new(element).root if element.is_a?(String)
+        Issuer.new(element.text)
+      end
+    end
+  end
+end