saml 0.1

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.3
+# uncomment this line if your project needs to run something other than `rake`:
+script: bundle exec rspec spec

data/README.md

@@ -0,0 +1,71 @@
+[![Build Status](https://secure.travis-ci.org/kjellm/saml.png)](http://travis-ci.org/kjellm/saml)
+
+SAML implementation for Ruby
+============================
+
+SAML - Security Assertion Markup Language
+
+
+Install
+-------
+
+gem install skeleton
+
+
+Usage
+-----
+
+For an example of how it can be used, take a look at the feide gem
+hosted at github https://github.com/kjellm/feide.
+
+
+Documents describing SAML
+-------------------------
+
+# Technical overview
+
+Read this first:
+
+http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
+
+# The specification
+
+Located at http://docs.oasis-open.org/security/saml/v2.0/
+
+* http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+* http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
+* http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
+* http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
+
+
+Author
+------
+
+Kjell-Magne Øierud <kjellm AT oierud DOT net>
+	
+Bugs
+----
+
+Report bugs to http://github.com/kjellm/saml/issues
+	
+License
+-------
+
+(The MIT License)
+
+Copyright © 2012 Kjell-Magne Øierud
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the ‘Software’), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/saml.rb

@@ -0,0 +1,30 @@
+require 'saml/bindings'
+require 'saml/bindings/http_post'
+require 'saml/bindings/http_redirect'
+
+require 'saml/core/assertion'
+require 'saml/core/attribute'
+require 'saml/core/attribute_statement'
+require 'saml/core/authn_statement'
+require 'saml/core/document'
+require 'saml/core/request_abstract'
+require 'saml/core/logout_request'
+require 'saml/core/authn_request'
+require 'saml/core/status_response'
+require 'saml/core/status'
+require 'saml/core/subject'
+require 'saml/core/response'
+require 'saml/core/xml_namespaces'
+
+require 'saml/metadata/document'
+require 'saml/metadata/entities_descriptor'
+require 'saml/metadata/entity_descriptor'
+require 'saml/metadata/endpoint'
+require 'saml/metadata/indexed_endpoint'
+require 'saml/metadata/key_descriptor'
+require 'saml/metadata/sso_descriptor'
+require 'saml/metadata/idp_sso_descriptor'
+require 'saml/metadata/sp_sso_descriptor'
+require 'saml/metadata/xml_namespaces'
+
+require 'saml/version'

data/lib/saml/bindings.rb

@@ -0,0 +1,17 @@
+module SAML
+  module Bindings
+
+    def self.from_endpoint(endpoint)
+      klass = case endpoint.binding
+              when "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                Bindings::HTTPPost
+              when "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                Bindings::HTTPRedirect
+              else
+                nil
+              end
+      klass.new
+    end
+
+  end
+end

data/lib/saml/bindings/http_post.rb

@@ -0,0 +1,18 @@
+module SAML
+  module Bindings
+    class HTTPPost
+
+      def build_response(rack_request)
+        xml = Core::Document.new(decode(rack_request.params["SAMLResponse"])).root
+        Core::Response.from_xml(xml)
+      end
+
+      private
+
+      def decode(str)
+        Base64.decode64(str)
+      end
+
+    end
+  end
+end

data/lib/saml/bindings/http_redirect.rb

@@ -0,0 +1,72 @@
+require "base64"
+require "zlib"
+require "cgi"
+
+module SAML
+  module Bindings
+    class HTTPRedirect
+
+      def build_request(rack_response, endpoint, saml_request, relay_state=nil)
+        unless relay_state.nil?
+          raise ArgumentError.new("relay_state must not exceed 80 bytes") if relay_state.bytesize > 80
+        end
+        request = saml_request.to_xml.to_s
+        deflated_saml_request = deflate(request)
+        query = "SAMLRequest=#{deflated_saml_request}"
+        query += "&RelayState=#{url_enc(relay_state)}" unless relay_state.nil?
+        url = "#{endpoint.location}?#{query}"
+        rack_response.redirect url
+      end
+
+      def build_response(rack_request)
+        xml_str = inflate(rack_request.params["SAMLResponse"])
+        xml = Core::Document.new(xml_str).root
+        Core::Response.from_xml(xml)
+      end
+
+      private
+      
+      # Described in section 3.4.4.1
+      def deflate(str)
+        url_enc(base64_enc(compress(str)))
+      end
+
+      def inflate(str)
+        # FIXME do we never need to URL.decode?
+        decompress(base64_dec(str))
+      end
+
+
+      def compress(str)
+        z = Zlib::Deflate.deflate(str, Zlib::BEST_COMPRESSION)
+        # The SAML standard requires RFC1951 compliance. Zlib::Deflate
+        # are RFC1950 compliant. By removing the 2 byte header and the
+        # 4 byte tail (checksum), what's left is a deflate stream as
+        # described in RFC1951.
+        z[2..-5]
+      end
+
+      def decompress(str)
+        z = Zlib::Inflate.new(-Zlib::MAX_WBITS) # Raw processing (no head or tail)
+        z.inflate(str)
+      end
+
+      def base64_enc(str)
+        Base64.encode64(str)
+      end
+
+      def base64_dec(str)
+        Base64.decode64(str)
+      end
+
+      def url_enc(str)
+        CGI.escape(str)
+      end
+
+      def url_dec(str)
+        CGI.unescape(str)
+      end
+
+    end
+  end
+end

data/lib/saml/core/assertion.rb

@@ -0,0 +1,45 @@
+module SAML
+  module Core
+    class Assertion
+      
+      attr_reader :id
+      attr_reader :version
+      attr_reader :issue_instant
+      attr_reader :issuer
+
+      attr_reader :subject
+      attr_reader :attribute_statement
+      attr_reader :authn_statements
+      attr_reader :conditions
+
+      def self.from_xml(xml); new.from_xml(xml); end
+
+      def initialize
+        @authn_statements = []
+      end
+
+      def from_xml(xml)
+        @id            = xml.attributes['ID']
+        @version       = xml.attributes['Version']
+        @issue_instant = xml.attributes['IssueInstant']
+        
+        subject_element = xml.get_elements('saml:Subject')
+        unless subject_element.empty?
+          # @subject = Subject.from_xml(subject_element.first)
+        end
+
+        attribute_statements = xml.get_elements('saml:AttributeStatement')
+        unless attribute_statements.empty?
+          @attribute_statement = AttributeStatement.from_xml(attribute_statements.first)
+        end
+
+        xml.get_elements('saml:AuthnStatement').each do |as|
+          @authn_statements << AuthnStatement.from_xml(as)
+        end
+
+        self
+      end
+
+    end
+  end
+end

data/lib/saml/core/attribute.rb

@@ -0,0 +1,25 @@
+module SAML
+  module Core
+    class Attribute
+
+      attr_accessor :name
+      attr_accessor :name_format
+      attr_accessor :attribute_values
+
+      def self.from_xml(xml)
+        attribute = new
+        attribute.name = xml.attributes['Name']
+        
+        nf = xml.attributes['NameFormat']
+        attribute.name_format = nf.nil? ? 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified' : nf
+        
+        values = []
+        xml.each_element() do |av|
+          values << av.to_s
+        end
+        attribute.attribute_values = values
+        attribute
+      end
+    end
+  end
+end

data/lib/saml/core/attribute_statement.rb

@@ -0,0 +1,20 @@
+module SAML
+  module Core
+    class AttributeStatement
+
+      attr_accessor :attributes
+
+      def self.from_xml(xml)
+        statement = new
+        attrs = []
+        xml.each_element('saml:Attribute') do |a|
+          attrs << Attribute.from_xml(a)
+        end
+        statement.attributes = attrs
+
+        statement
+      end
+
+    end
+  end
+end

data/lib/saml/core/authn_request.rb

@@ -0,0 +1,15 @@
+require "rexml/document"
+require "rexml/xpath"
+
+module SAML
+  module Core
+    class AuthnRequest < RequestAbstract
+
+      def xml_document
+        xml = Document.new
+        root = xml.add_element("samlp:AuthnRequest")
+      end
+
+    end
+  end
+end

data/lib/saml/core/authn_statement.rb

@@ -0,0 +1,23 @@
+module SAML
+  module Core
+    class AuthnStatement
+
+      attr_reader :authn_instant
+      attr_reader :session_not_on_or_after
+      attr_reader :session_index
+
+      attr_reader :authn_context
+
+      def self.from_xml(xml); new.from_xml(xml); end
+
+      def from_xml(xml)
+        @authn_instant           = xml.attributes['AuthnInstant']
+        @session_not_on_or_after = xml.attributes['SessionNotOnOrAfter']
+        @session_index           = xml.attributes['SessionIndex']
+
+        self
+      end
+
+    end
+  end
+end

data/lib/saml/core/document.rb

@@ -0,0 +1,25 @@
+require 'rexml/document'
+
+module SAML
+  module Core
+    class Document < REXML::Document
+
+
+      def initialize(*args)
+        super(*args)
+        XMLNamespaces.each {|k,v| add_namespace(k, v)}
+      end
+      
+      # See REXML::Document#add_element
+      #
+      # Makes sure that all namespaces are added to the root element.
+      def add_element(name, attrs={})
+        ns = XMLNamespaces.map {|k, v| ["xmlns:#{k}", v]}
+        ns = Hash[*ns.flatten]
+        attrs.merge!(ns)
+        super(name, attrs)
+      end
+
+    end
+  end
+end

data/lib/saml/core/logout_request.rb

@@ -0,0 +1,24 @@
+module SAML
+  module Core
+    class LogoutRequest < RequestAbstract
+
+      attr_accessor :name_id
+      
+      def xml_document
+        xml = Document.new
+        root = xml.add_element("samlp:LogoutRequest")
+      end
+
+      def to_xml
+        xml = super
+
+        unless @name_id.nil?
+          name_id_node = xml.root.add_element("saml:NameID")
+          name_id_node.text = @name_id
+        end
+        
+        xml
+      end
+    end
+  end
+end

data/lib/saml/core/request_abstract.rb

@@ -0,0 +1,42 @@
+require 'uuid'
+
+module SAML
+  module Core
+    class RequestAbstract
+
+      attr_reader :id
+      attr_reader :version
+      attr_reader :issue_instant
+
+      attr_accessor :issuer
+
+      def initialize(clock_class=Time)
+        @id            = UUID.new.generate
+        @version       = '2.0'
+        @issue_instant = clock_class.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+      end
+
+      def xml_document
+        xml = Document.new
+        root = xml.add_element("samlp:RequestAbstract")
+      end
+
+
+      def to_xml
+        xml = xml_document
+        root = xml.root
+        root.attributes['ID']           = @id
+        root.attributes['IssueInstant'] = @issue_instant
+        root.attributes['Version']      = @version
+
+        unless @issuer.nil?
+          issuer_node = root.add_element("saml:Issuer")
+          issuer_node.text = @issuer
+        end
+        
+        xml
+      end
+
+    end
+  end
+end