scashin133-rsaml 0.1.0

data/lib/rsaml/authn_context/authentication_context_declaration.rb

@@ -0,0 +1,42 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # A particular assertion on an identity provider's part with respect to the authentication
+    # context associated with an authentication assertion.
+    class AuthenticationContextDeclaration
+      # Authentication method, a required attribute
+      attr_accessor :authn_method
+      
+      # Optional ID for the authentication context declaration
+      attr_accessor :id
+      
+      def initialize(authn_method)
+        @authn_method = authn_method
+      end
+      
+      def identification
+        @identification ||= []
+      end
+      
+      def technical_protection
+        @technical_protection ||= []
+      end
+      
+      def operational_protection
+        @operational_protection ||= []
+      end
+      
+      def governing_agreements
+        @governing_agreements ||= []
+      end
+      
+      def extensions
+        @extensions ||= []
+      end
+      
+      # Construct an XML fragment representing the assertion
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('AuthContextDecl')
+      end
+    end
+  end
+end

data/lib/rsaml/authn_context/identification.rb

@@ -0,0 +1,10 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # Refers to those characteristics that describe the processes and mechanisms the 
+    # Authentication Authority uses to initially create an association between a Principal 
+    # and the identity (or name) by which the Principal will be known
+    class Identification
+      
+    end
+  end
+end

data/lib/rsaml/authn_context/physical_verification.rb

@@ -0,0 +1,24 @@
+module RSAML #:nodoc:
+  module AuthnContext #:nodoc:
+    # This element indicates that identification has been performed in a physical 
+    # face-to-face meeting with the principal and not in an online manner.
+    class PhysicalVerification
+      # Hash of available credential levels
+      def self.credential_levels
+        {
+          :primary => 'primary',
+          :secondary => 'secondary'
+        }
+      end
+      
+      attr_accessor :credential_level
+      
+      # Create an XML representation
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['credentialLevel'] = credential_level unless credential_level.nil?
+        xml.tag!('PhysicalVerification', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/condition.rb

@@ -0,0 +1,13 @@
+module RSAML #:nodoc
+  # Base class for conditions
+  class Condition
+    # Assert that the condition evaluates to true, raise an AssertionError if not
+    def assert
+    end
+    
+    # Construct an XML fragment representing the condition
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Condition')
+    end
+  end
+end

data/lib/rsaml/conditions.rb

@@ -0,0 +1,107 @@
+module RSAML #:nodoc:
+  # Constraints on the acceptable use of SAML assertions.
+  class Conditions
+    # Specifies the earliest time instant at which the assertion is valid. The time value is encoded in UTC.
+    attr_accessor :not_before
+    
+    # Specifies the time instant at which the assertion has expired. The time value is encoded in UTC.
+    attr_accessor :not_on_or_after
+    
+    # Specifies that the assertion SHOULD be used immediately and MUST NOT be retained for future 
+    # use.
+    attr_accessor :one_time_use
+    
+    # Specifies limitations that the asserting party imposes on relying parties that wish to subsequently act 
+    # as asserting parties themselves and issue assertions of their own on the basis of the information 
+    # contained in the original assertion.
+    attr_accessor :proxy_restriction
+    
+    # The conditions
+    def conditions
+      @conditions ||= []
+    end
+    
+    # Alias to access the embedded conditions array.
+    def []
+      conditions
+    end
+    
+    # Append a condition to the conditions
+    def <<(condition)
+      conditions << condition
+    end
+    
+    # The number of conditions
+    def length
+      conditions.length
+    end
+    
+    # Return true if the conditions collection is empty
+    def empty?
+      conditions.length == 0
+    end
+    
+    # Specifies that the assertion is addressed to a particular audience.
+    # Audiences are represented as A URI reference that identifies an intended audience.
+    # A URI may reference a document that describes the terms of service for audience
+    # membership.
+    def audience_restrictions
+      @audience_restrictions ||= []
+    end
+    
+    # Assert the conditions
+    def assert
+      assert_time_limits
+      assert_elements
+    end
+    
+    # Validate the structure of the conditions model
+    def validate
+      if not_before && not_on_or_after && not_before >= not_on_or_after
+        raise ValidationError, "NotBefore after NotOnOrAfter"
+      end
+    end
+    
+    # Return true if the condition allows caching of the assertion
+    def cache?
+      one_time_use.nil?
+    end
+    
+    # Construct an XML fragment representing the conditions collection
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['NotBefore'] = not_before.xmlschema unless not_before.nil?
+      attributes['NotOnOrAfter'] = not_on_or_after.xmlschema unless not_on_or_after.nil?
+      xml.tag!('saml:Conditions', attributes) {
+        conditions.each { |condition| xml << condition.to_xml }
+        audience_restrictions.each do |audience|
+          xml.tag!('saml:AudienceRestriction') { xml << audience.to_xml }
+        end
+        xml.tag!('OneTimeUse') if one_time_use
+        xml << proxy_restriction.to_xml unless proxy_restriction.nil?
+      }
+    end
+    
+    protected
+    # Check the the current time falls within the allowed time constraints
+    def assert_time_limits
+      raise AssertionError, "Condition failed: not before" if not_before && Time.now < not_before
+      raise AssertionError, "Condition failed: not on or after" if not_on_or_after && Time.now >= not_on_or_after
+    end
+    
+    # Assert that the conditions evaluate to true
+    def assert_elements
+      # Rule 1
+      if conditions.empty? && audience_restrictions.empty? && proxy_restriction.nil? && one_time_use.nil?
+        return
+      end
+      
+      # Rule 2
+      conditions.all { |c| c.assert }
+      
+      # Rule 3
+      
+      # Rule 4
+    end
+  end
+end

data/lib/rsaml/encrypted.rb

@@ -0,0 +1,12 @@
+module RSAML #:nodoc:
+  # Base for encrypted elements
+  class Encrypted
+    # Encrypted data
+    attr_accessor :encrypted_data
+    
+    # Encrypted keys
+    def encrypted_keys
+      @encrypted_keys ||= []
+    end
+  end
+end

data/lib/rsaml/errors.rb

@@ -0,0 +1,16 @@
+module RSAML #:nodoc:
+  # An error that is raised when a validation error occurs. Note that validity in the case
+  # of this library is for validity of the structure of the model according to the rules
+  # of the SAML 2.0 specification.
+  class ValidationError < StandardError
+  end
+  # An error that is raised when an assertion fails.
+  class AssertionError < StandardError
+  end
+  # An error that is raised when a confirmation fails.
+  class ConfirmationError < StandardError
+  end
+  # An error that is raised when parsing fails.
+  class ParseError < StandardError
+  end
+end

data/lib/rsaml/evidence.rb

@@ -0,0 +1,21 @@
+module RSAML #:nodoc:
+  # Contains one or more assertions or assertion references that the SAML authority relied 
+  # on in issuing the authorization decision.
+  class Evidence
+    # Specifies an assertion either by reference or by value.
+    def assertions
+      @assertions ||= []
+    end
+    
+    def validate
+      raise ValidationError, "At least one assertion is required" if assertions.empty?
+    end
+    
+    # Construct an XML fragment representing the authentication statement
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Evidence') {
+        assertions.each { |assertion| xml << assertion.to_xml }
+      }
+    end
+  end
+end

data/lib/rsaml/ext/string.rb

@@ -0,0 +1,5 @@
+class String #:nodoc:
+  def to_xml
+    to_s
+  end
+end

data/lib/rsaml/identifier/base.rb

@@ -0,0 +1,23 @@
+module RSAML #:nodoc:
+  module Identifier # :nodoc:
+    # An extension point that allows applications to add new kinds of identifiers.
+    class Base
+      # The security or administrative domain that qualifies the name. This attribute provides a means to 
+      # federate names from disparate user stores without collision.
+      attr_accessor :name_qualifier
+    
+      # Further qualifies a name with the name of a service provider or affiliation of providers. This 
+      # attribute provides an additional means to federate names on the basis of the relying party or 
+      # parties.
+      attr_accessor :sp_name_qualifier
+    
+      # Create an XML fragment representing the identifier
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        xml.tag!('saml:BaseID', '', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/identifier/issuer.rb

@@ -0,0 +1,28 @@
+module RSAML #:nodoc:
+  module Identifier #:nodoc:
+    # provides information about the issuer of a SAML assertion or protocol message. T
+    # Requires the use of a string to carry the issuer's name  
+    class Issuer < Name
+      # If no Format value is provided with this element, then the value
+      # urn:oasis:names:tc:SAML:2.0:nameid-format:entity is in effect
+      def format
+        @format ||= Name.formats[:entity]
+      end
+      
+      # Construct an XML fragment representing the issuer
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Format' => format}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['SPProvidedID'] = sp_provided_id unless sp_provided_id.nil?
+        xml.tag!('saml:Issuer', value, attributes)
+      end
+      
+      # Construct an Issuer instance from the given XML Element or fragment.
+      def self.from_xml(element)
+        element = REXML::Document.new(element).root if element.is_a?(String)
+        Issuer.new(element.text)
+      end
+    end
+  end
+end

data/lib/rsaml/identifier/name.rb

@@ -0,0 +1,55 @@
+module RSAML #:nodoc:
+  module Identifier #:nodoc:
+    # A Name identifier.
+    class Name < Base
+      # The following identifiers MAY be used to refer to the classification of the attribute name 
+      # for purposes of interpreting the name.
+      def self.formats
+        {
+          :unspecified => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+          :email_address => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+          :x509_subject_name => 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName',
+          :windows_domain_qualified_name => 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName',
+          :kerberos => 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos',
+          :entity => 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity',
+          :persistent => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+          :transient => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+        }
+      end
+    
+      # A URI reference representing the classification of string-based identifier information.
+      attr_accessor :format
+    
+      # A name identifier established by a service provider or affiliation of providers for the entity, if 
+      # different from the primary name identifier given
+      attr_accessor :sp_provided_id
+    
+      # The value of the identifier
+      attr_accessor :value
+    
+      # Initialize the identifier with the given value
+      def initialize(value)
+        @value = value
+      end
+    
+      # The format of the name.
+      def format
+        @format ||= Name.formats[:unspecified]
+      end
+    
+      # Construct an XML fragment representing the name
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'Format' => format}
+        attributes['NameQualifier'] = name_qualifier unless name_qualifier.nil?
+        attributes['SPNameQualifier'] = sp_name_qualifier unless sp_name_qualifier.nil?
+        attributes['SPProvidedID'] = sp_provided_id unless sp_provided_id.nil?
+        xml.tag!('saml:NameID', value, attributes)
+      end
+      
+      def self.from_xml(element)
+        Name.new(element.text)
+      end
+    
+    end
+  end
+end

data/lib/rsaml/identifier.rb

@@ -0,0 +1,9 @@
+module RSAML #:nodoc:
+  # Module that contains various SAML identifier types.
+  module Identifier
+  end
+end
+
+require 'rsaml/identifier/base'
+require 'rsaml/identifier/name'
+require 'rsaml/identifier/issuer'

data/lib/rsaml/parser.rb

@@ -0,0 +1,23 @@
+module RSAML #:nodoc:
+  class Parser
+    # Parse the given SAML message and return a Ruby object structure representing
+    # the message. This may include protocol and core classes.
+    def parse(xml)
+      messages = []
+      xml = REXML::Document.new(xml) if xml.is_a?(String)
+      
+      if attribute_query_elements = xml.get_elements('samlp:AttributeQuery')
+        attribute_query_elements.each do |attribute_query_element|
+          messages << Protocol::Query::AttributeQuery.from_xml(attribute_query_element)
+        end
+      end
+      
+      case messages.length
+      when 1: messages.first
+      when 0: nil
+      else
+        messages
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/artifact_resolve.rb

@@ -0,0 +1,14 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # The ArtifactResolve message is used to request that a SAML protocol message be returned in an 
+    # <ArtifactResponse> message by specifying an artifact that represents the SAML protocol message. 
+    # The original transmission of the artifact is governed by the specific protocol binding that is 
+    # being used; see [SAMLBind] for more information on the use of artifacts in bindings. 
+    #
+    # The <ArtifactResolve> message SHOULD be signed or otherwise authenticated and integrity 
+    # protected by the protocol binding used to deliver the message.
+    class ArtifactResolve
+      
+    end
+  end
+end

data/lib/rsaml/protocol/assertion_id_request.rb

@@ -0,0 +1,18 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Request to return assertions with the given ids
+    class AssertionIDRequest
+      # Specify each assertion to return.
+      def assertion_id_refs
+        @assertion_id_refs ||= []
+      end
+      
+      # Construct an XML fragment representing the assertion id request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:AssertionIDRequest') {
+          assertion_id_refs.each { |assertion_id_ref| xml << assertion_id_ref.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/authn_request.rb

@@ -0,0 +1,91 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # To request that an identity provider issue an assertion with an authentication statement, a presenter 
+    # authenticates to that identity provider (or relies on an existing security context) and sends it an 
+    # <AuthnRequest> message that describes the properties that the resulting assertion needs to have to 
+    # satisfy its purpose. Among these properties may be information that relates to the content of the assertion 
+    # and/or information that relates to how the resulting <Response> message should be delivered to the 
+    # requester. The process of authentication of the presenter may take place before, during, or after the initial 
+    # delivery of the <AuthnRequest> message. 
+    #
+    # The requester might not be the same as the presenter of the request if, for example, the requester is a 
+    # relying party that intends to use the resulting assertion to authenticate or authorize the requested subject 
+    # so that the relying party can decide whether to provide a service.
+    class AuthnRequest < Request
+      # Specifies the requested subject of the resulting assertion(s).
+      attr_accessor :subject
+      
+      # Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, 
+      # then any type of identifier supported by the identity provider for the requested subject can be used, 
+      # constrained by any relevant deployment-specific policies, with respect to privacy, for example.
+      attr_accessor :name_id_policy
+      
+      # Specifies the SAML conditions the requester expects to limit the validity and/or use of the resulting 
+      # assertion(s). The responder MAY modify or supplement this set as it deems necessary. The 
+      # information in this element is used as input to the process of constructing the assertion, rather than as 
+      # conditions on the use of the request itself.
+      attr_accessor :conditions
+      
+      # Specifies the requirements, if any, that the requester places on the authentication context that applies 
+      # to the responding provider's authentication of the presenter.  
+      attr_accessor :requested_authn_context
+      
+      # Specifies a set of identity providers trusted by the requester to authenticate the presenter, as well as 
+      # limitations and context related to proxying of the <Au message to subsequent identity providers by the 
+      # responder.
+      attr_accessor :scoping
+      
+      # A Boolean value. If "true", the identity provider MUST authenticate the presenter directly rather than 
+      # rely on a previous security context. If a value is not provided, the default is "false". However, if both 
+      # ForceAuthn and IsPassive are "true", the identity provider MUST NOT freshly authenticate the 
+      # presenter unless the constraints of IsPassive can be met.
+      attr_accessor :force_authn
+      
+      # A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control 
+      # of the user interface from the requester and interact with the presenter in a noticeable fashion. If a 
+      # value is not provided, the default is "false".
+      attr_accessor :is_passive
+      
+      attr_accessor :assertion_consumer_service_index
+      
+      attr_accessor :assertion_consumer_service_url
+      
+      # A URI reference that identifies a SAML protocol binding to be used when returning the response message.
+      attr_accessor :protocol_binding
+      
+      # Indirectly identifies information associated with the requester describing the SAML attributes the 
+      # requester desires or requires to be supplied by the identity provider in the <Response> message. The 
+      # identity provider MUST have a trusted means to map the index value in the attribute to information 
+      # associated with the requester.
+      attr_accessor :attribute_consuming_service_url
+      
+      # Specifies the human-readable name of the requester for use by the presenter's user agent or the 
+      # identity provider
+      attr_accessor :provider_name
+      
+      # Validate the authentication request.
+      def validate
+        raise ValidationError, "Conditions must be of type Conditions" if conditions && !conditions.is_a?(Conditions)
+      end
+      
+      # Construct an XML fragment representing the authentication request
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {}
+        attributes['ForceAuthn'] = force_authn unless force_authn.nil?
+        attributes['IsPassive'] = is_passive unless is_passive.nil?
+        # TODO implement assertion consumer service index
+        # TODO implement assertion consumer service URL
+        attributes['ProtocolBinding'] = protocol_binding unless protocol_binding.nil?
+        attributes['AttributeConsumingServiceURL'] = attribute_consuming_service_url unless attribute_consuming_service_url.nil?
+        attributes['ProviderName'] = provider_name unless provider_name.nil?
+        xml.tag!('samlp:AuthnRequest', attributes) {
+          xml << subject.to_xml unless subject.nil?
+          xml << name_id_policy.to_xml unless name_id_policy.nil?
+          xml << conditions.to_xml unless conditions.nil?
+          xml << requested_authn_context unless requested_authn_context.nil?
+          xml << scoping.to_xml unless scoping.nil?
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/idp_entry.rb

@@ -0,0 +1,18 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    class IDPEntry
+      attr_accessor :provider_id
+      
+      # Initialize the IDP entry
+      def initialize(provider_id)
+        @provider_id = provider_id
+      end
+      
+      # Construct an XML fragment representing the idp list
+      def to_xml(xml=Builder::XmlMarkup.new)
+        attributes = {'ProviderID' => provider_id}
+        xml.tag!('samlp:IDPEntry', attributes)
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/idp_list.rb

@@ -0,0 +1,28 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Specifies the identity providers trusted by the requester to authenticate the presenter.
+    class IDPList
+      # Initialize the IDP list
+      def initialize(*idp_entries)
+        @idp_entries = idp_entries
+      end
+      
+      # Information about identity providers.
+      def idp_entries
+        @idp_entries ||= []
+      end
+      
+      # Validate the IDPList structure.
+      def validate
+        raise ValidationError, "At least one IDP entry is required" if idp_entries.empty?
+      end
+      
+      # Construct an XML fragment representing the idp list
+      def to_xml(xml=Builder::XmlMarkup.new)
+        xml.tag!('samlp:IDPList') {
+          idp_entries.each { |idp_entry| xml << idp_entry.to_xml }
+        }
+      end
+    end
+  end
+end

data/lib/rsaml/protocol/message.rb

@@ -0,0 +1,65 @@
+module RSAML #:nodoc:
+  module Protocol #:nodoc:
+    # Base class for messages. This class should not be instantiated directly, rather the Request and Response
+    # classes should be used.
+    class Message
+      
+      # An identifier for the message. It is of type xs:ID and MUST follow the requirements specified in Section 
+      # 1.3.4 of the SAML 2.0 specification for identifier uniqueness.
+      attr_accessor :id
+      
+      # The version of this message. The identifier for the version of SAML defined in this specification is "2.0".
+      attr_accessor :version
+      
+      # The time instant of issue of the message. The time value must be encoded in UTC.
+      attr_accessor :issue_instant
+      
+      # A URI reference indicating the address to which this message has been sent. This is useful to prevent 
+      # malicious forwarding of messages to unintended recipients, a protection that is required by some 
+      # protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the 
+      # location at which the message was sent or received. If it does not, the response MUST be discarded. Some 
+      # protocol bindings may require the use of this attribute.
+      attr_accessor :destination
+      
+      # Indicates whether or not (and under what conditions) consent has been obtained from a principal in 
+      # the sending of this message.  If no Consent value is provided, the identifier  
+      # urn:oasis:names:tc:SAML:2.0:consent:unspecified is in effect.
+      attr_accessor :consent
+      
+      # Identifies the entity that generated the message.
+      attr_accessor :issuer
+      
+      # An XML Signature that authenticates the requestor or responder and provides message integrity.
+      attr_accessor :signature
+      
+      # Initialize the message instance
+      def initialize
+        @id = UUID.new
+        @version = "2.0"
+        @issue_instant = Time.now.utc
+      end
+      
+      # This extension point contains optional protocol message extension elements that are agreed on 
+      # between the communicating parties.
+      def extensions
+        @extionsion ||= []
+      end
+      
+      # Validate the request structure
+      def validate
+        raise ValidationError, "ID is required" if id.nil?
+        raise ValidationError, "Version is required" if version.nil?
+        raise ValidationError, "Issue instant is required" if issue_instant.nil?
+        raise ValidationError, "Issue instant must be UTC" unless issue_instant.utc?
+      end
+      
+      protected
+      # Add XML Namespace attributes
+      def add_xmlns(attributes)
+        attributes['xmlns:samlp'] = "urn:oasis:names:tc:SAML:2.0:protocol" 
+        attributes['xmlns:saml'] = "urn:oasis:names:tc:SAML:2.0:assertion"
+        attributes
+      end
+    end
+  end
+end