rsaml 0.1.2

data/lib/rsaml/statement/authentication_statement.rb

@@ -0,0 +1,57 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # The assertion subject was authenticated by a particular means at a particular time.
+    class AuthenticationStatement < Base
+      # Specifies the time at which the authentication took place. The time value is encoded in UTC
+      attr_accessor :authn_instant
+    
+      # Specifies the index of a particular session between the principal identified by the subject and the 
+      # authenticating authority. In general, any string value MAY be used as a SessionIndex value. 
+      # However, when privacy is a consideration, care must be taken to ensure that the SessionIndex 
+      # value does not invalidate other privacy mechanisms. Accordingly, the value SHOULD NOT be usable 
+      # to correlate activity by a principal across different session participants.
+      attr_accessor :session_index
+    
+      # Specifies a time instant at which the session between the principal identified by the subject and the 
+      # SAML authority issuing this statement MUST be considered ended. The time value is encoded in 
+      # UTCSpecifies
+      attr_accessor :session_not_on_or_after
+    
+      # Specifies the DNS domain name and IP address for the system from which the assertion subject was 
+      # apparently authenticated.
+      attr_accessor :subject_locality
+    
+      # The authentication context.
+      attr_accessor :authn_context
+    
+      # Initialize the statement
+      def initialize(authn_context)
+        @authn_context = authn_context
+        @authn_instant = Time.now.utc
+      end
+      
+      # Validate the structure of the authentication statement. Raise a ValidationError if the 
+      # statement is invalid.
+      def validate
+        if session_not_on_or_after && !session_not_on_or_after.utc?
+          raise ValidationError, "Session not on or after must be UTC"
+        end
+        raise ValidationError, "Authn context required" unless authn_context
+        raise ValidationError, "Authn instant required" unless authn_instant
+        raise ValidationError, "Authn instant must be UTC" unless authn_instant.utc?
+      end
+      
+      # Construct an XML fragment representing the authentication statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        validate
+        attributes = {'AuthnInstant' => authn_instant.xmlschema}
+        attributes['SessionIndex'] = session_index unless session_index.nil?
+        attributes['SessionNotOnOrAfter'] = session_not_on_or_after.xmlschema unless session_not_on_or_after.nil?
+        xml.tag!('saml:AuthnStatement', attributes) {
+          xml << authn_context.to_xml
+          xml << subject_locality.to_xml unless subject_locality.nil?
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/statement/authorization_decision_statement.rb

@@ -0,0 +1,53 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # A request to allow the assertion subject to access the specified resource 
+    # has been granted or denied.
+    class AuthorizationDecisionStatement < Base
+      # defines the possible values to be reported as the status of an authorization decision statement. 
+      # 
+      # Possible values are:
+      # * <tt>Permit</tt>: The specified action is permitted. 
+      # * <tt>Deny</tt>: The specified action is denied. 
+      # * <tt>Indeterminate</tt> The SAML authority cannot determine whether the specified action 
+      #   is permitted or denied.
+      def self.decision_types
+        %w(Permit Deny Indeterminate)
+      end
+      
+      # A URI reference identifying the resource to which access authorization is sought. 
+      # This attribute MAY have the value of the empty URI reference (""), and the meaning 
+      # is defined to be "the start of the current document"
+      attr_accessor :resource
+      
+      # The decision rendered by the SAML authority with respect to the specified resource.
+      attr_accessor :decision
+      
+      # The set of actions authorized to be performed on the specified resource.
+      def actions
+        @actions ||= []
+      end
+      
+      # A set of assertions that the SAML authority relied on in making the decision.
+      def evidence
+        @evidence ||= []
+      end
+      
+      # Validate the structure
+      def validate
+        raise ValidationError, "Resource is required" if resource.nil?
+        raise ValidationError, "Decision is required" if decision.nil?
+        raise ValidationError, "One or more actions must be specified" if actions.empty?
+        actions.each { |action| action.validate }
+      end
+      
+      # Construct an XML fragment representing the authorization decision statement
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Resource' => resource, 'Decision' => decision}
+        xml.tag!('saml:AuthzStatement', attributes) {
+          actions.each { |action| xml << action.to_xml }
+          evidence.each { |e| xml << e.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/statement/base.rb

@@ -0,0 +1,9 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # Base class for statements.
+    class Base
+      # An xsi:type attribute used to indicate the actual statement type.
+      attr_accessor :type
+    end
+  end
+end

data/lib/rsaml/subject.rb

@@ -0,0 +1,37 @@
+module RSAML #:nodoc:
+  # Specifies the principal that is the subject of all of the (zero or more) 
+  # statements in an assertion.
+  class Subject
+    
+    # The subject identifier
+    attr_accessor :identifier
+    
+    # Initialize the subject with the given identifier
+    def initialize(identifier=nil)
+      @identifier = identifier
+    end
+    
+    # Information that allows the subject to be confirmed. If more than one subject confirmation is provided, 
+    # then satisfying any one of them is sufficient to confirm the subject for the purpose of applying the 
+    # assertion.
+    def subject_confirmations
+      @subject_confirmations ||= []
+    end
+    
+    # Construct an XML fragment representing the subject
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Subject') {
+        xml << identifier.to_xml unless identifier.nil?
+        xml << subject_confirmations.map { |sc| sc.to_xml }.join
+      }
+    end
+    
+    # Construct a Subject from an XML Element.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)      
+      element.get_elements('saml:NameID').each do |identifier|
+        return Subject.new(Identifier::Name.from_xml(identifier))
+      end
+    end
+  end
+end

data/lib/rsaml/subject_confirmation.rb

@@ -0,0 +1,35 @@
+module RSAML #:nodoc:
+  # Provides the means for a relying party to verify the correspondence of the subject of the 
+  # assertion with the party with whom the relying party is communicating.
+  class SubjectConfirmation
+    
+    # Hash of available SAML methods for subject confirmation
+    def self.methods
+      {
+        :holder_of_key => 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key',
+        :sender_vouches => 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches',
+        :bearer => 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
+      }
+    end
+    
+    # A URI reference that identifies a protocol or mechanism to be used to confirm the subject.
+    attr_accessor :method
+    
+    # Identifies the entity expected to satisfy the enclosing subject confirmation requirements.
+    attr_accessor :identifier
+    
+    # Additional confirmation information to be used by a specific confirmation method.
+    attr_accessor :subject_confirmation_data
+    
+    def initialize(method)
+      @method = method
+    end
+    
+    # Construct an XML fragment representing the subject confirmation
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Method' => method}
+      subject_confirmation_data_block = Proc.new { xml << subject_confirmation_data.to_xml} if subject_confirmation_data
+      xml.tag!('saml:SubjectConfirmation', attributes, &subject_confirmation_data_block)
+    end
+  end
+end

data/lib/rsaml/subject_confirmation_data.rb

@@ -0,0 +1,55 @@
+module RSAML #:nodoc:
+  # specifies additional data that allows the subject to be confirmed or constrains the circumstances under 
+  # which the act of subject confirmation can take place. Subject confirmation takes place when a relying 
+  # party seeks to verify the relationship between an entity presenting the assertion (that is, the attesting 
+  # entity) and the subject of the assertion's claims.
+  class SubjectConfirmationData
+    # A time instant before which the subject cannot be confirmed. The time value is encoded in UTC.
+    attr_accessor :not_before
+    
+    # A time instant at which the subject can no longer be confirmed. The time value is encoded in UTC.
+    attr_accessor :not_on_or_after
+    
+    # A URI specifying the entity or location to which an attesting entity can present the assertion. For 
+    # example, this attribute might indicate that the assertion must be delivered to a particular network 
+    # endpoint in order to prevent an intermediary from redirecting it someplace else. 
+    attr_accessor :recipient
+    
+    # The ID of a SAML protocol message in response to which an attesting entity can present the 
+    # assertion. For example, this attribute might be used to correlate the assertion to a SAML request that 
+    # resulted in its presentation.
+    attr_accessor :in_response_to
+    
+    # The network address/location from which an attesting entity can present the assertion. For example, 
+    # this attribute might be used to bind the assertion to particular client addresses to prevent an attacker 
+    # from easily stealing and presenting the assertion from another location.
+    attr_accessor :address
+    
+    # Point for extension attributes
+    def attributes
+      @attributes = []
+    end
+    
+    # Point for extension elements
+    def elements
+      @elements = []
+    end
+    
+    # Confirm the subject confirmation data
+    def confirm
+      raise ConfirmationError, "Subject confirmation failed: not before" if not_before && Time.now < not_before
+      raise ConfirmationError, "Subject confirmation failed: not on or after" if not_on_or_after && Time.now >= not_on_or_after
+      # TODO implement tests for remaining elements such as recipient, in_response_to and address
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+     attributes = {}
+     attributes['Recipient'] = recipient unless recipient.nil?
+     attributes['NotOnOrAfter'] = not_on_or_after.xmlschema unless not_on_or_after.nil?
+     attributes['NotBefore'] = not_before.xmlschema unless not_before.nil?
+     attributes['InResponseTo'] = in_response_to unless in_response_to.nil?
+     attributes[ 'Address'] = address unless address.nil?
+     xml.tag!('saml:SubjectConfirmationData', attributes)
+    end
+  end
+end

data/lib/rsaml/subject_locality.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  # This element is entirely advisory, since both of these fields are quite easily "spoofed," 
+  # but may be useful information in some applications.
+  class SubjectLocality
+    # The network address of the system from which the principal identified by the subject was 
+    # authenticated.
+    attr_accessor :address
+    
+    # The DNS name of the system from which the principal identified by the subject was authenticated.
+    attr_accessor :dns_name
+    
+    # Raise an error if the subject locality is structurally invalid.
+    def validate
+      unless address =~ /^(\d{1,3}\.){3}\d{1,3}$/
+        raise ValidationError, "Invalid address"
+      end
+    end
+    
+    # Construct an XML fragment representing the subject locality
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Address'] = address unless address.nil?
+      attributes['DNSName'] = dns_name unless dns_name.nil?
+      xml.tag!('saml:SubjectLocality', attributes)
+    end
+  end
+end

data/lib/rsaml/validatable.rb

@@ -0,0 +1,21 @@
+module RSAML
+  # Module that can be mixed in to any class to provide a :valid? method. This method
+  # will look for a :validate method and invoke it, catching any ValidationError exceptions
+  # and return either true if the SAML object is structurally valid or false if it isn't.
+  module Validatable
+    attr_accessor :verbose
+    # Return true if the object is valid. Only objects with a validate method will
+    # be checked for validity.
+    def valid?
+      if respond_to?(:validate)
+        begin
+          validate
+        rescue ValidationError => e
+          puts "Validation failed: #{e.message}" if verbose
+          return false
+        end
+      end
+      return true
+    end
+  end
+end

data/lib/rsaml/version.rb

@@ -0,0 +1,9 @@
+module RSAML#:nodoc:
+  module VERSION #:nodoc:
+    MAJOR = 0
+    MINOR = 1
+    TINY  = 2
+
+    STRING = [MAJOR, MINOR, TINY].join('.')
+  end
+end

data/lib/xml_enc.rb

@@ -0,0 +1,3 @@
+# Ruby XML Encryption implementation
+module XmlEnc
+end

data/lib/xml_sig.rb

@@ -0,0 +1,11 @@
+# Ruby XML Signature implementation
+module XmlSig
+end
+
+require 'xml_sig/signature'
+require 'xml_sig/signature_method'
+require 'xml_sig/canonicalization_method'
+require 'xml_sig/reference'
+require 'xml_sig/signed_info'
+require 'xml_sig/key_info'
+require 'xml_sig/transform'

data/lib/xml_sig/canonicalization_method.rb

@@ -0,0 +1,43 @@
+require 'iconv'
+
+module XmlSig #:nodoc:
+  class CanonicalizationMethod
+    attr_accessor :algorithm
+
+    def validate
+      raise ValidationError, "Algorithm is required" if algorithm.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:CanonicalizationMethod', attributes)
+    end
+  end
+  
+  class XMLC14NBase
+    # Convert the content from the given charset to UTF-8.
+    def convert_to_utf8(content, from)
+      Iconv.iconv('UTF-8', from, content).join
+    end
+    def convert_linebreaks(content)
+      content.gsub(/\r\n/, "\n").gsub(/\r/, "\n")
+    end
+    def normalize_attribute_values(content)
+      
+    end
+  end
+  
+  # Canonicalization algorithm for XML removing comments
+  class XMLC14NWithComments < XMLC14NBase
+    def process(content, charset='UTF-8')
+      content = convert_to_utf8(content) unless charset == 'UTF-8'
+      content
+    end
+  end
+  class XMLC14NWithoutComments < XMLC14NBase
+    def process(content, charset='UTF-8')
+      content = convert_to_utf8(content) unless charset == 'UTF-8'
+      doc = REXML::Document.new(content)
+    end
+  end
+end

data/lib/xml_sig/key_info.rb

@@ -0,0 +1,55 @@
+module XmlSig #:nodoc:
+  class KeyInfo
+    attr_accessor :id
+    attr_accessor :key_name
+    attr_accessor :key_value
+    attr_accessor :retrieval_method
+    attr_accessor :key_data
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('ds:KeyInfo') {
+        xml.tag!('ds:KeyName', key_name)
+        xml.tag!('ds:KeyValue') {
+          xml << key_value.to_xml
+        }
+      }
+    end
+  end
+  
+  class RetrievalMethod
+    attr_accessor :uri
+    attr_accessor :type
+    
+    def transforms
+      @transforms ||= []
+    end
+    
+    def validate
+      raise ValidationError, "URI is required" if uri.nil?
+    end
+    
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'URI' => uri}
+      attributes['Type'] = type unless type.nil?
+      xml.tag!('ds:RetrievalMethod', attributes) {
+        transforms.each { |transform| xml << transform.to_xml }
+      }
+    end
+  end
+
+  # REQUIRED
+  class DSAKeyValue
+  end
+  # OPTIONAL
+  class RSAKeyValue
+  end
+
+  class X509Data
+  end
+  class PGPData
+  end
+  class SPKIData
+  end
+  class MgmtData
+  end
+end

data/lib/xml_sig/reference.rb

@@ -0,0 +1,57 @@
+module XmlSig #:nooc:
+  class Reference
+    attr_accessor :id
+    attr_accessor :uri
+    attr_accessor :type
+
+    attr_accessor :digest_method
+
+    # DigestValue is an element that contains the encoded value of the digest. The 
+    # digest is always encoded using base64
+    attr_accessor :digest_value
+
+    def transforms
+      @transforms ||= []
+    end
+
+    def validate
+      raise ValidationError, "Digest method is required" if digest_method.nil?
+      raise ValidationError, "Digest value is required" if digest_value.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Id'] = id unless id.nil?
+      attributes['URI'] = uri unless uri.nil?
+      attributes['Type'] = type unless type.nil?
+      xml.tag!('ds:Reference', attributes) {
+        xml.tag!('ds:Transforms') {
+          transforms.each { |transform| xml << transform.to_xml }
+        }
+        xml << digest_method.to_xml unless digest_method.nil?
+        xml.tag!('ds:DigestValue', digest_value)
+      }
+    end
+  end
+
+  # DigestMethod is a required element that identifies the digest algorithm to be applied 
+  # to the signed object.
+  class DigestMethod
+    def self.identifiers
+      @identifiers ||= {
+        'SHA-1', 'http://www.w3.org/2000/09/xmldsig#sha1'
+      }
+    end
+    
+    attr_accessor :algorithm
+
+    def validate
+      raise ValidationError, "Algorithm is required" if algorithm.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:DigestMethod', attributes)
+    end
+  end
+end