saml2 1.0.0

data/lib/saml2/authn_statement.rb

@@ -0,0 +1,26 @@
+module SAML2
+  class AuthnStatement
+    module Classes
+      INTERNET_PROTOCOL            = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol".freeze # IP address
+      INTERNET_PROTOCOL_PASSWORD   = "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword".freeze # IP address, as well as username/password
+      KERBEROS                     = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos".freeze
+      PASSWORD                     = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password".freeze # username/password, NOT over SSL
+      PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport".freeze # username/password over SSL
+      PREVIOUS_SESSION             = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession".freeze # remember me
+      SMARTCARD                    = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard".freeze
+      SMARTCARD_PKI                = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI".freeze # smartcard with a private key on it
+      TLS_CLIENT                   = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient".freeze # SSL client certificate
+      UNSPECIFIED                  = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified".freeze
+    end
+
+    attr_accessor :authn_instant, :authn_context_class_ref
+
+    def build(builder)
+      builder['saml'].AuthnStatement('AuthnInstant' => authn_instant.iso8601) do |builder|
+        builder['saml'].AuthnContext do |builder|
+          builder['saml'].AuthnContextClassRef(authn_context_class_ref) if authn_context_class_ref
+        end
+      end
+    end
+  end
+end

data/lib/saml2/base.rb

@@ -0,0 +1,53 @@
+require 'saml2/namespaces'
+
+module SAML2
+  class Base
+    def self.from_xml(node)
+      return nil unless node
+      new.from_xml(node)
+    end
+
+    def from_xml(node)
+      self
+    end
+
+    def to_s
+      # make sure to not FORMAT it - it breaks signatures!
+      to_xml.to_xml(save_with: Nokogiri::XML::Node::SaveOptions::AS_XML)
+    end
+
+    def to_xml
+      unless @document
+        builder = Nokogiri::XML::Builder.new
+        build(builder)
+        @document = builder.doc
+      end
+      @document
+    end
+
+    def self.load_string_array(node, element)
+      node.xpath(element, Namespaces::ALL).map do |node|
+        node.content && node.content.strip
+      end
+    end
+
+    def self.load_object_array(node, element, klass)
+      node.xpath(element, Namespaces::ALL).map do |node|
+        if klass.is_a?(Hash)
+          klass[node.name].from_xml(node)
+        else
+          klass.from_xml(node)
+        end
+      end
+    end
+
+    protected
+    def load_string_array(node, element)
+      self.class.load_string_array(node, element)
+    end
+
+    def load_object_array(node, element, klass)
+      self.class.load_object_array(node, element, klass)
+    end
+  end
+end

data/lib/saml2/contact.rb

@@ -0,0 +1,50 @@
+require 'saml2/base'
+
+module SAML2
+  class Contact
+    module Type
+      ADMINISTRATIVE = 'administrative'.freeze
+      BILLING        = 'billing'.freeze
+      OTHER          = 'other'.freeze
+      SUPPORT        = 'support'.freeze
+      TECHNICAL      = 'technical'.freeze
+    end
+
+    attr_accessor :type, :company, :given_name, :surname, :email_addresses, :telephone_numbers
+
+    def self.from_xml(node)
+      return nil unless node
+
+      result = new(node['contactType'])
+      company = node.at_xpath('md:Company', Namespaces::ALL)
+      result.company = company && company.content && company.content.strip
+      given_name = node.at_xpath('md:GivenName', Namespaces::ALL)
+      result.given_name = given_name && given_name.content && given_name.content.strip
+      surname = node.at_xpath('md:SurName', Namespaces::ALL)
+      result.surname = surname && surname.content && surname.content.strip
+      result.email_addresses = Base.load_string_array(node, 'md:EmailAddress')
+      result.telephone_numbers = Base.load_string_array(node, 'md:TelephoneNumber')
+      result
+    end
+
+    def initialize(type = Type::OTHER)
+      @type = type
+      @email_addresses = []
+      @telephone_numbers = []
+    end
+
+    def build(builder)
+      builder['md'].ContactPerson('contactType' => type) do |builder|
+        builder['md'].Company(company) if company
+        builder['md'].GivenName(given_name) if given_name
+        builder['md'].SurName(surname) if surname
+        email_addresses.each do |email|
+          builder['md'].EmailAddress(email)
+        end
+        telephone_numbers.each do |tel|
+          builder['md'].TelephoneNumber(tel)
+        end
+      end
+    end
+  end
+end

data/lib/saml2/endpoint.rb

@@ -0,0 +1,46 @@
+module SAML2
+  class Endpoint < Base
+    module Bindings
+      HTTP_POST     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".freeze
+      HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".freeze
+    end
+
+    module Encodings
+      DEFLATE= "urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE".freeze
+    end
+
+    attr_reader :location, :binding
+
+    def initialize(location, binding = Bindings::HTTP_POST)
+      @location, @binding = location, binding
+    end
+
+    def ==(rhs)
+      location == rhs.location && binding == rhs.binding
+    end
+
+    def from_xml(node)
+      @location = node['Location']
+      @binding = node['Binding']
+      self
+    end
+
+    def build(builder, element)
+      builder['md'].__send__(element, 'Location' => location, 'Binding' => binding)
+    end
+
+    class Indexed < Endpoint
+      include IndexedObject
+
+      def initialize(location = nil, index = nil, is_default = false, binding = Bindings::HTTP_POST)
+        super(location, binding)
+        @index, @is_default = index, is_default
+      end
+
+      def eql?(rhs)
+        location == rhs.location &&
+            binding == rhs.binding && super
+      end
+    end
+  end
+end

data/lib/saml2/engine.rb

@@ -0,0 +1,4 @@
+module SAML2
+  class Engine < Rails::Engine
+  end
+end

data/lib/saml2/entity.rb

@@ -0,0 +1,84 @@
+require 'nokogiri'
+
+require 'saml2/base'
+require 'saml2/identity_provider'
+require 'saml2/organization_and_contacts'
+require 'saml2/service_provider'
+
+module SAML2
+  class Entity < Base
+    include OrganizationAndContacts
+
+    attr_writer :entity_id
+
+    def self.parse(xml)
+      document = Nokogiri::XML(xml)
+
+      # Root can be an array (EntitiesDescriptor), or a single Entity (EntityDescriptor)
+      entities = document.at_xpath("/md:EntitiesDescriptor", Namespaces::ALL)
+      entity = document.at_xpath("/md:EntityDescriptor", Namespaces::ALL)
+      if entities
+        Group.from_xml(entities)
+      elsif entity
+        from_xml(entity)
+      else
+        nil
+      end
+    end
+
+    class Group < Array
+      def self.from_xml(node)
+        node && new(node)
+      end
+
+      def initialize(root)
+        @root = root
+        replace(Base.load_object_array(@root, "md:EntityDescriptor|md:EntitiesDescriptor",
+                'EntityDescriptor' => Entity,
+                'EntitiesDescriptor' => Group))
+      end
+
+      def valid_schema?
+        Schemas.metadata.valid?(@root.document)
+      end
+    end
+
+    def self.from_xml(node)
+      node && new(node)
+    end
+
+    def initialize(root = nil)
+      super
+      @root = root
+      unless @root
+        @roles = []
+      end
+    end
+
+    def valid_schema?
+      Schemas.metadata.valid?(@root.document)
+    end
+
+    def entity_id
+      @entity_id || @root && @root['entityID']
+    end
+
+    def roles
+      # TODO: load IdPSSODescriptors as well
+      @roles ||= load_object_array(@root, 'md:SPSSODescriptor', ServiceProvider)
+    end
+
+    def build(builder)
+      builder['md'].EntityDescriptor('entityID' => entity_id,
+                                     'xmlns:md' => Namespaces::METADATA,
+                                     'xmlns:dsig' => Namespaces::DSIG,
+                                     'xmlns:xenc' => Namespaces::XENC) do |builder|
+        roles.each do |role|
+          role.build(builder)
+        end
+
+        super
+      end
+    end
+  end
+end

data/lib/saml2/identity_provider.rb

@@ -0,0 +1,57 @@
+require 'saml2/attribute'
+require 'saml2/sso'
+
+module SAML2
+  class IdentityProvider < SSO
+    attr_writer :want_authn_requests_signed, :single_sign_on_services, :attribute_profiles, :attributes
+
+    def initialize(node = nil)
+      super(node)
+      unless node
+        @want_authn_requests_signed = nil
+        @single_sign_on_services = []
+        @attribute_profiles = []
+        @attributes = []
+      end
+    end
+
+    def want_authn_requests_signed?
+      unless instance_variable_defined?(:@want_authn_requests_signed)
+        @want_authn_requests_signed = @root['WantAuthnRequestsSigned'] && @root['WantAuthnRequestsSigned'] == 'true'
+      end
+      @want_authn_requests_signed
+    end
+
+    def single_sign_on_services
+      @single_sign_on_services ||= load_object_array(@root, 'md:SingleSignOnService', Endpoint)
+    end
+
+    def attribute_profiles
+      @attribute_profiles ||= load_string_array(@root, 'md:AttributeProfile')
+    end
+
+    def attributes
+      @attributes ||= load_object_array(@root, 'saml:Attribute', Attribute)
+    end
+
+    def build(builder)
+      builder['md'].IDPSSODescriptor do |builder|
+        super(builder)
+
+        builder['WantAuthnRequestsSigned'] = want_authn_requests_signed? unless want_authn_requests_signed?.nil?
+
+        single_sign_on_services.each do |sso|
+          sso.build(builder, 'SingleSignOnService')
+        end
+
+        attribute_profiles.each do |ap|
+          builder['md'].AttributeProfile(ap)
+        end
+
+        attributes.each do |attr|
+          attr.build(builder)
+        end
+      end
+    end
+  end
+end

data/lib/saml2/indexed_object.rb

@@ -0,0 +1,59 @@
+require 'saml2/base'
+
+module SAML2
+  module IndexedObject
+    attr_reader :index
+
+    def eql?(rhs)
+      index == rhs.index &&
+          default? == rhs.default? &&
+          super
+    end
+
+    def default?
+      @is_default
+    end
+
+    def from_xml(node)
+      @index = node['index'] && node['index'].to_i
+      @is_default = node['isDefault'] && node['isDefault'] == 'true'
+      super
+    end
+
+    class Array < ::Array
+      attr_reader :default
+
+      def self.from_xml(nodes)
+        new(nodes.map { |node| name.split('::')[1..-2].inject(SAML2) { |mod, klass| mod.const_get(klass) }.from_xml(node) })
+      end
+
+      def initialize(objects)
+        replace(objects.sort_by { |object| object.index || 0 })
+        @index = {}
+        each { |object| @index[object.index] = object }
+        @default = find { |object| object.default? } || first
+
+        freeze
+      end
+
+      def [](index)
+        @index[index]
+      end
+
+      def resolve(index)
+        index ? self[index] : default
+      end
+    end
+
+    def build(builder)
+      super
+      builder.parent.last['index'] = index
+      builder.parent.last['isDefault'] = default? unless default?.nil?
+    end
+
+    private
+    def self.included(klass)
+      klass.const_set(:Array, Array.dup)
+    end
+  end
+end

data/lib/saml2/key.rb

@@ -0,0 +1,46 @@
+require 'saml2/namespaces'
+
+module SAML2
+  class Key
+    module Type
+      ENCRYPTION = 'encryption'.freeze
+      SIGNING    = 'signing'.freeze
+    end
+
+    attr_accessor :use, :x509, :encryption_methods
+
+    def self.from_xml(node)
+      return nil unless node
+
+      x509 = node.at_xpath('dsig:KeyInfo/dsig:X509Data/dsig:X509Certificate', Namespaces::ALL)
+      methods = node.xpath('xenc:EncryptionMethod', Namespaces::ALL)
+      new(x509 && x509.content.strip, node['use'], methods.map { |m| m['Algorithm'] })
+    end
+
+    def initialize(x509, use = nil, encryption_methods = [])
+      @use, @x509, @encryption_methods = use, x509, encryption_methods
+    end
+
+    def encryption?
+      use.nil? || use == Type::ENCRYPTION
+    end
+
+    def signing?
+      use.nil? || use == Type::SIGNING
+    end
+
+    def build(builder)
+      builder['md'].KeyDescriptor do |builder|
+        builder.parent['use'] = use if use
+        builder['dsig'].KeyInfo do |builder|
+          builder['dsig'].X509Data do |builder|
+            builder['dsig'].X509Certificate(x509)
+          end
+        end
+        encryption_methods.each do |method|
+          builder['xenc'].EncryptionMethod('Algorithm' => method)
+        end
+      end
+    end
+  end
+end

data/lib/saml2/name_id.rb

@@ -0,0 +1,60 @@
+require 'saml2/namespaces'
+
+module SAML2
+  class NameID
+    module Format
+      EMAIL_ADDRESS                 = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress".freeze
+      ENTITY                        = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity".freeze
+      KERBEROS                      = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos".freeze # name[/instance]@REALM
+      PERSISTENT                    = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".freeze # opaque, pseudo-random, unique per SP-IdP pair
+      TRANSIENT                     = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient".freeze # opaque, will likely change
+      UNSPECIFIED                   = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".freeze
+      WINDOWS_DOMAIN_QUALIFIED_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName".freeze # [DomainName\]UserName
+      X509_SUBJECT_NAME             = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName".freeze
+    end
+
+    class Policy
+      attr_reader :format
+
+      def self.from_xml(node)
+        if node
+          allow_create = node['AllowCreate'].nil? ? nil : node['AllowCreate'] == 'true'
+          NameID::Policy.new(allow_create, node['Format'])
+        end
+      end
+
+      def initialize(allow_create, format)
+        @allow_create, @format = allow_create, format
+      end
+
+      def allow_create?
+        @allow_create
+      end
+
+      def ==(rhs)
+        format == rhs.format && allow_create? == rhs.allow_create?
+      end
+    end
+
+    attr_reader :id, :format
+
+    def self.from_xml(node)
+      node && new(node.content.strip, node['Format'])
+    end
+
+    def initialize(id = nil, format = nil)
+      @id, @format = id, format
+    end
+
+    def ==(rhs)
+      id == rhs.id && format == rhs.format
+    end
+
+    def build(builder, options = {})
+      args = {}
+      args['Format'] = format if format
+      args['xmlns:saml'] = Namespaces::SAML if options[:include_namespace]
+      builder['saml'].__send__(options.delete(:element) || 'NameID', id, args)
+    end
+  end
+end