saml-sp 3.1.2

data/lib/saml2/assertion.rb

@@ -0,0 +1,100 @@
+require 'nokogiri'
+require 'saml2/artifact_resolver'
+
+module Saml2
+  class InvalidAssertionError < ArgumentError
+  end
+
+  class Assertion
+    module Parsing
+      def self.item(name, xpath)
+        module_eval(<<-ITEM_METH)
+        def #{name}_from(node)
+          target_node = node.at('#{xpath}')
+          raise InvalidAssertionError, "#{name} missing (xpath: `#{xpath}`)" unless target_node
+          
+          target_node.content.strip
+        end
+        ITEM_METH
+      end
+
+      item :issuer,          '//asrt:Assertion/asrt:Issuer'
+      item :subject_name_id, '//asrt:Assertion/asrt:Subject/asrt:NameID'
+      item :attribute_name,  '@Name'
+      item :attribute_value, './asrt:AttributeValue'
+
+      def each_attribute_node_from(doc, &blk)
+        attribute_nodes = doc.search('//asrt:Assertion/asrt:AttributeStatement/asrt:Attribute')
+         
+        attribute_nodes.each &blk
+      end                          
+    end
+    extend Parsing
+
+    # Resolves an artifact into the Assertion it represents
+    #
+    # @param [Saml2::Type4Artifact, String] artifact The artifact to
+    #   resolve
+    #
+    # @return [Saml2::Assertion] The assertion represented by
+    #   specified artifact
+    def self.new_from_artifact(artifact)
+      artifact = if artifact.respond_to? :resolve
+                   artifact
+                 else
+                   Type4Artifact.new_from_string(artifact)
+                 end
+      
+
+      artifact.resolve
+    end
+
+    def self.logger
+      SamlSp.logger
+    end
+
+    def self.new_from_xml(xml_assertion)
+      doc = case xml_assertion
+            when Nokogiri::XML::Node
+              xml_assertion
+            else
+              Nokogiri::XML.parse(xml_assertion)
+            end
+      logger.debug {"Parsing assertion: \n" + doc.to_xml(:indent => 2).gsub(/^/, "\t")}
+
+
+      doc.root.add_namespace_definition('asrt', 'urn:oasis:names:tc:SAML:2.0:assertion')
+
+      attrs = Hash.new
+      each_attribute_node_from(doc) do |node|
+        attrs[attribute_name_from(node)] = attribute_value_from(node)
+      end
+
+      new(issuer_from(doc), subject_name_id_from(doc), attrs)
+          
+    end
+
+    attr_reader :issuer, :subject_name_id
+
+    def initialize(issuer, subject_name_id, attributes)
+      @issuer = issuer
+      @subject_name_id = subject_name_id
+      @attributes = attributes
+    end
+
+    def [](attr_name)
+      attributes[attr_name.to_s]
+    end
+
+    protected
+    
+    attr_reader :attributes
+
+  end
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/lib/saml2/type4_artifact.rb

@@ -0,0 +1,55 @@
+require 'base64'
+require 'saml2/unexpected_type_code_error'
+
+module Saml2
+  class Type4Artifact
+    attr_reader :endpoint_index, :source_id, :message_handle
+
+    # Parse an type 4 SAML 2.0 artifact such as one received in a
+    # `SAMLart` HTTP request parameter as part of a HTTP artifact
+    # binding SSO handshake.
+    # 
+    # @param [String] artifact_string a base64 encoded SAML 2.0
+    #    artifact
+    # @return [Saml2::Type4Artifact] the parsed artifact
+    def self.new_from_string(artifact_string)
+      unencoded_artifact = Base64.decode64 artifact_string
+
+      type_code, *rest = unencoded_artifact.unpack('nna20a20')
+
+      raise UnexpectedTypeCodeError.new("Incorrect artifact type (expected type code 4 but found #{type_code}") unless type_code == 4
+
+      new *rest
+    end
+
+    def initialize(endpoint_index, source_id, message_handle)
+      @endpoint_index = endpoint_index
+      @source_id = source_id
+      @message_handle = message_handle
+    end
+
+    # The type code of this artifact
+    def type_code 
+      4
+    end
+
+    # @return [String] base64 encoded version of self
+    def to_s
+      Base64.encode64([4, endpoint_index, source_id, message_handle].pack('nna20a20')).strip
+    end
+
+    # Resolve the artifact into an Assertion
+    #
+    # @return [Saml2::Assertion] the assertion to which the artifact
+    #   is a reference
+    def resolve
+      Saml2::ArtifactResolver(source_id).resolve(self)
+    end
+  end
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/lib/saml2/unexpected_type_code_error.rb

@@ -0,0 +1,8 @@
+class UnexpectedTypeCodeError < StandardError
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/lib/saml_sp/config.rb

@@ -0,0 +1,119 @@
+module SamlSp  
+  class ConfigurationError < StandardError
+  end
+
+  class ConfigBlock
+    # Interpret a config block.
+    def interpret(config_block, filename = nil)
+      if filename
+        instance_eval config_block, filename
+      elsif config_block.respond_to? :call
+        instance_eval &config_block
+      else
+        instance_eval config_block
+      end
+      
+      self
+    end
+    
+    def self.inherited(subclass)
+      subclass.extend ClassMethods
+    end
+    
+    NOVAL_MARKER = Object.new
+    
+    module ClassMethods
+      def config_item(name)
+        class_eval(<<METHOD)
+            def #{name}(val=NOVAL_MARKER)
+              if NOVAL_MARKER.equal? val
+                @#{name}
+              else
+                @#{name} = val
+              end
+            end
+METHOD
+      end
+    end
+  end
+
+  class Config < ConfigBlock
+    def self.load_file(filename)
+      SamlSp.logger.info "saml-sp: Loading config file '#{filename}'"
+
+      new.interpret File.read(filename), filename
+    end
+
+    def interpret(config, filename = nil)
+      if filename
+        instance_eval config, filename
+      else
+        instance_eval config
+      end
+    end
+
+    def logger(logger)
+      SamlSp.logger = logger
+    end
+
+    def artifact_resolution_service(&blk)
+      dsl = ResolutionSerivceConfig.new
+      dsl.interpret(blk)
+    end
+  end 
+   
+
+  class ResolutionSerivceConfig < ConfigBlock
+    config_item :source_id
+    config_item :uri
+    config_item :identity_provider
+    config_item :service_provider
+    config_item :logger
+
+    def interpret(config_block, filename = nil)
+      super
+
+      raise ConfigurationError, "Incomplete artifact resolution service information" unless @source_id && @uri && @identity_provider && @service_provider
+      
+      resolver = Saml2::ArtifactResolver.new(@source_id, @uri, @identity_provider, @service_provider)
+      
+      if @auth_info
+        resolver.basic_auth_credentials(@auth_info.user_id, @auth_info.password, @auth_info.realm)
+      end
+
+      resolver
+    end
+    
+    def http_basic_auth(&blk)
+      @auth_info = HttpBasicAuthConfig.new
+      @auth_info.interpret(blk)
+    end
+  end
+
+  class HttpBasicAuthConfig < ConfigBlock
+    config_item :realm
+    config_item :user_id
+    config_item :password
+
+    def promiscuous
+      @promiscuous = true
+    end
+
+    def interpret(blk, filename = nil)
+      super
+
+      raise ConfigurationError, "Incomplete HTTP basic auth credentials" unless valid? 
+
+      self
+    end
+
+    def valid?
+      (@realm || @promiscuous) && @user_id && @password
+    end
+  end
+end
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/rails/init.rb

@@ -0,0 +1,11 @@
+SamlSp.logger = Rails.logger
+
+config_file = File.join(Rails.root, 'config/saml_sp.conf')
+SamlSp::Config.load_file config_file if File.exists? config_file
+
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+

data/spec/saml2/artifact_resolver_spec.rb

@@ -0,0 +1,169 @@
+require File.join(File.dirname(__FILE__), '../spec_helper')
+
+describe Saml2::ArtifactResolver do 
+  describe "lookups" do 
+    before do 
+      @resolver = Saml2::ArtifactResolver.new('a-source-id', 'https://idp.invalid/resolution-service', 'http://idp.invalid', 'http://sp.invalid')
+    end
+
+    it "should have pseudo-class lookup method" do 
+      Saml2::ArtifactResolver('a-source-id').should == @resolver
+    end
+
+    it "should raise error when resolver is not found" do 
+      lambda {
+        Saml2::ArtifactResolver('not-a-known-source-id')
+      }.should raise_error Saml2::NoSuchResolverError
+    end
+  end
+
+
+  describe "successfully resolving artifact" do 
+    before do 
+      @resolver = Saml2::ArtifactResolver.new('a-source-id', 'https://idp.invalid/resolution-service', 'http://idp.invalid', 'http://sp.invalid')
+      @resolver.basic_auth_credentials('myuserid', 'mypasswd', 'myrealm')
+
+      @artifact = Saml2::Type4Artifact.new(0, '01234567890123456789', 'abcdefghijklmnopqrst')
+      FakeWeb.register_uri(:post, 'https://idp.invalid/resolution-service', :body => SUCCESSFUL_SAML_RESP)
+    end
+  
+    it "should parse reponse into an assertion" do 
+      @resolver.resolve(@artifact).should be_kind_of(Saml2::Assertion)
+    end
+
+    it "should extract issuer from response" do 
+      @resolver.resolve(@artifact).issuer.should == 'http://idp.invalid'
+    end
+
+  end
+
+  describe "denied artifact resolution request" do 
+    before do 
+      @resolver = Saml2::ArtifactResolver.new('a-source-id', 'https://idp.invalid/resolution-service', 'http://idp.invalid', 'http://sp.invalid')
+      @resolver.basic_auth_credentials('myuserid', 'mypasswd', 'myrealm')
+
+      @artifact = Saml2::Type4Artifact.new(0, '01234567890123456789', 'abcdefghijklmnopqrst')
+      FakeWeb.register_uri(:post, 'https://idp.invalid/resolution-service', :body => DENIED_SAML_RESP)
+    end
+  
+    it "should raise exception" do
+      lambda {
+        @resolver.resolve(@artifact)
+      }.should raise_error(Saml2::RequestDeniedError)
+    end
+  end
+
+
+  SUCCESSFUL_SAML_RESP = <<-SAML_RESP
+        <SOAP-ENV:Envelope
+            xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+        <SOAP-ENV:Body>
+          <ArtifactResponse
+              ID="_423adb988f2673de74553f9f26ff27eda8af"
+              InResponseTo="_gIPoW.YXQpZj17m.EpboPCp9cT"
+              IssueInstant="2006-11-28T23:07:43.738+00:00"
+              Version="2.0"
+              xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
+            <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
+              http://idp.invalid
+            </ns1:Issuer>
+
+            <Status>
+              <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+            </Status>
+  
+            <Response
+                Destination="https://service_provider/SAMLConsumer"
+                ID="_dcfacebe4f2fca1cbdae749c5f5738995e0"
+                IssueInstant="2006-11-28T23:04:32Z"
+                Version="2.0">
+              <ns2:Issuer
+                  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
+                  xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
+                http://idp.invalid
+              </ns2:Issuer>
+
+              <Status>
+                <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+              </Status>
+
+              <ns3:Assertion
+                  ID="_1ebc0cd2f88ade6396bccb22fc20a42792c4"
+                  IssueInstant="2006-11-28T23:04:32Z"
+                  Version="2.0"
+                  xmlns:ns3="urn:oasis:names:tc:SAML:2.0:assertion">
+                <ns3:Issuer
+                    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
+                  http://idp.invalid
+                </ns3:Issuer>
+
+                <ns3:Subject>
+                  <ns3:NameID
+                      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
+                    12345678
+                  </ns3:NameID>
+                </ns3:Subject>
+
+                <ns3:Conditions
+                    NotBefore="2006-11-28T22:54:32Z"
+                    NotOnOrAfter="2006-11-28T23:24:32Z">
+                  <ns3:AudienceRestriction>
+                    <ns3:Audience>https://sp.invalid</ns3:Audience>
+                  </ns3:AudienceRestriction>
+                </ns3:Conditions>
+
+                <ns3:AuthnStatement
+                    AuthnInstant="2006-11-28T23:03:14Z"
+                    SessionIndex="MQSnyIps57sm2wRDKP+f9PsY+2A=nFfVrw=="
+                    SessionNotOnOrAfter="2006-11-28T23:24:32Z">
+                  <ns3:AuthnContext>
+                    <ns3:AuthnContextClassRef>
+                      urn:oasis:names:tc:SAML:2.0:ac:classes:Password
+                    </ns3:AuthnContextClassRef>
+                  </ns3:AuthnContext>
+                </ns3:AuthnStatement>
+            
+                <ns3:AttributeStatement>
+                  <ns3:Attribute
+                      Name="cn"
+                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
+                    <ns3:AttributeValue>Smith, James</ns3:AttributeValue>
+                  </ns3:Attribute>
+                </ns3:AttributeStatement>
+            
+              </ns3:Assertion>
+            </Response>
+          </ArtifactResponse>
+        </SOAP-ENV:Body>
+        </SOAP-ENV:Envelope> 
+      SAML_RESP
+    
+  DENIED_SAML_RESP = <<-SAML_RESP
+        <SOAP-ENV:Envelope
+            xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+        <SOAP-ENV:Body>
+          <ArtifactResponse
+              ID="_423adb988f2673de74553f9f26ff27eda8af"
+              InResponseTo="_gIPoW.YXQpZj17m.EpboPCp9cT"
+              IssueInstant="2006-11-28T23:07:43.738+00:00"
+              Version="2.0"
+              xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
+            <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
+              https://idp.invalid
+            </ns1:Issuer>
+
+            <Status>
+              <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" />
+            </Status>
+            </ArtifactResponse>
+        </SOAP-ENV:Body>
+        </SOAP-ENV:Envelope> 
+      SAML_RESP
+
+end
+
+
+# Copyright (c) 2010 OpenLogic
+#
+# Licensed under MIT license.  See LICENSE.txt
+