scashin133-rsaml 0.1.0

data/lib/rsaml/statement/base.rb

@@ -0,0 +1,9 @@
+module RSAML #:nodoc:
+  module Statement #:nodoc:
+    # Base class for statements.
+    class Base
+      # An xsi:type attribute used to indicate the actual statement type.
+      attr_accessor :type
+    end
+  end
+end

data/lib/rsaml/statement.rb

@@ -0,0 +1,10 @@
+module RSAML #:nodoc
+  # Module that contain SAML statements.
+  module Statement
+  end
+end
+
+require 'rsaml/statement/base'
+require 'rsaml/statement/authentication_statement'
+require 'rsaml/statement/attribute_statement'
+require 'rsaml/statement/authorization_decision_statement'

data/lib/rsaml/subject.rb

@@ -0,0 +1,37 @@
+module RSAML #:nodoc:
+  # Specifies the principal that is the subject of all of the (zero or more) 
+  # statements in an assertion.
+  class Subject
+    
+    # The subject identifier
+    attr_accessor :identifier
+    
+    # Initialize the subject with the given identifier
+    def initialize(identifier=nil)
+      @identifier = identifier
+    end
+    
+    # Information that allows the subject to be confirmed. If more than one subject confirmation is provided, 
+    # then satisfying any one of them is sufficient to confirm the subject for the purpose of applying the 
+    # assertion.
+    def subject_confirmations
+      @subject_confirmations ||= []
+    end
+    
+    # Construct an XML fragment representing the subject
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Subject') {
+        xml << identifier.to_xml unless identifier.nil?
+        xml << subject_confirmations.map { |sc| sc.to_xml }.join
+      }
+    end
+    
+    # Construct a Subject from an XML Element.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)      
+      element.get_elements('saml:NameID').each do |identifier|
+        return Subject.new(Identifier::Name.from_xml(identifier))
+      end
+    end
+  end
+end

data/lib/rsaml/subject_confirmation.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  # Provides the means for a relying party to verify the correspondence of the subject of the 
+  # assertion with the party with whom the relying party is communicating.
+  class SubjectConfirmation
+    
+    # Hash of available SAML methods for subject confirmation
+    def self.methods
+      {
+        :holder_of_key => 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key',
+        :sender_vouches => 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches',
+        :bearer => 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
+      }
+    end
+    
+    # A URI reference that identifies a protocol or mechanism to be used to confirm the subject.
+    attr_accessor :method
+    
+    # Identifies the entity expected to satisfy the enclosing subject confirmation requirements.
+    attr_accessor :identifier
+    
+    # Additional confirmation information to be used by a specific confirmation method.
+    attr_accessor :subject_confirmation_data
+    
+    def initialize(method)
+      @method = method
+    end
+    
+    # Construct an XML fragment representing the subject confirmation
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Method' => method}
+      xml.tag!('saml:SubjectConfirmation', attributes)
+    end
+  end
+end

data/lib/rsaml/subject_confirmation_data.rb

@@ -0,0 +1,45 @@
+module RSAML #:nodoc:
+  # specifies additional data that allows the subject to be confirmed or constrains the circumstances under 
+  # which the act of subject confirmation can take place. Subject confirmation takes place when a relying 
+  # party seeks to verify the relationship between an entity presenting the assertion (that is, the attesting 
+  # entity) and the subject of the assertion's claims.
+  class SubjectConfirmationData
+    # A time instant before which the subject cannot be confirmed. The time value is encoded in UTC.
+    attr_accessor :not_before
+    
+    # A time instant at which the subject can no longer be confirmed. The time value is encoded in UTC.
+    attr_accessor :not_on_or_after
+    
+    # A URI specifying the entity or location to which an attesting entity can present the assertion. For 
+    # example, this attribute might indicate that the assertion must be delivered to a particular network 
+    # endpoint in order to prevent an intermediary from redirecting it someplace else. 
+    attr_accessor :recipient
+    
+    # The ID of a SAML protocol message in response to which an attesting entity can present the 
+    # assertion. For example, this attribute might be used to correlate the assertion to a SAML request that 
+    # resulted in its presentation.
+    attr_accessor :in_response_to
+    
+    # The network address/location from which an attesting entity can present the assertion. For example, 
+    # this attribute might be used to bind the assertion to particular client addresses to prevent an attacker 
+    # from easily stealing and presenting the assertion from another location.
+    attr_accessor :address
+    
+    # Point for extension attributes
+    def attributes
+      @attributes = []
+    end
+    
+    # Point for extension elements
+    def elements
+      @elements = []
+    end
+    
+    # Confirm the subject confirmation data
+    def confirm
+      raise ConfirmationError, "Subject confirmation failed: not before" if not_before && Time.now < not_before
+      raise ConfirmationError, "Subject confirmation failed: not on or after" if not_on_or_after && Time.now >= not_on_or_after
+      # TODO implement tests for remaining elements such as recipient, in_response_to and address
+    end
+  end
+end

data/lib/rsaml/subject_locality.rb

@@ -0,0 +1,27 @@
+module RSAML #:nodoc:
+  # This element is entirely advisory, since both of these fields are quite easily "spoofed," 
+  # but may be useful information in some applications.
+  class SubjectLocality
+    # The network address of the system from which the principal identified by the subject was 
+    # authenticated.
+    attr_accessor :address
+    
+    # The DNS name of the system from which the principal identified by the subject was authenticated.
+    attr_accessor :dns_name
+    
+    # Raise an error if the subject locality is structurally invalid.
+    def validate
+      unless address =~ /^(\d{1,3}\.){3}\d{1,3}$/
+        raise ValidationError, "Invalid address"
+      end
+    end
+    
+    # Construct an XML fragment representing the subject locality
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Address'] = address unless address.nil?
+      attributes['DNSName'] = dns_name unless dns_name.nil?
+      xml.tag!('saml:SubjectLocality', attributes)
+    end
+  end
+end

data/lib/rsaml/validatable.rb

@@ -0,0 +1,21 @@
+module RSAML
+  # Module that can be mixed in to any class to provide a :valid? method. This method
+  # will look for a :validate method and invoke it, catching any ValidationError exceptions
+  # and return either true if the SAML object is structurally valid or false if it isn't.
+  module Validatable
+    attr_accessor :verbose
+    # Return true if the object is valid. Only objects with a validate method will
+    # be checked for validity.
+    def valid?
+      if respond_to?(:validate)
+        begin
+          validate
+        rescue ValidationError => e
+          puts "Validation failed: #{e.message}" if verbose
+          return false
+        end
+      end
+      return true
+    end
+  end
+end

data/lib/rsaml/version.rb

@@ -0,0 +1,9 @@
+module RSAML#:nodoc:
+  module VERSION #:nodoc:
+    MAJOR = 0
+    MINOR = 1
+    TINY  = 0
+
+    STRING = [MAJOR, MINOR, TINY].join('.')
+  end
+end

data/lib/rsaml.rb

@@ -0,0 +1,51 @@
+$KCODE = 'UTF-8'
+
+module RSAML
+  def saml_namespaces
+    {
+      'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
+      'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
+      'ds' => 'http://www.w3.org/2000/09/xmldsig#',
+      'xenc' => 'http://www.w3.org/2001/04/xmlenc#',
+      'xs' => 'http://www.w3.org/2001/XMLSchema',
+      'xsi' => 'http://www.w3.org/2001/XMLSchema-instance'
+    }
+  end
+end
+
+require 'rubygems'
+require 'uuid'
+require 'activesupport'
+
+$:.unshift(File.dirname(__FILE__))
+
+require 'xml_sig'
+require 'xml_enc'
+
+require 'rsaml/ext/string'
+
+require 'rsaml/encrypted'
+require 'rsaml/validatable'
+require 'rsaml/errors'
+
+require 'rsaml/action'
+require 'rsaml/action_namespace'
+require 'rsaml/advice'
+require 'rsaml/assertion'
+require 'rsaml/attribute'
+require 'rsaml/audience'
+require 'rsaml/authentication_context'
+require 'rsaml/condition'
+require 'rsaml/conditions'
+require 'rsaml/evidence'
+require 'rsaml/identifier'
+require 'rsaml/proxy_restriction'
+require 'rsaml/statement'
+require 'rsaml/subject'
+require 'rsaml/subject_confirmation'
+require 'rsaml/subject_confirmation_data'
+require 'rsaml/subject_locality'
+
+require 'rsaml/protocol'
+
+require 'rsaml/parser'

data/lib/xml_enc.rb

@@ -0,0 +1,3 @@
+# Ruby XML Encryption implementation
+module XmlEnc
+end

data/lib/xml_sig/canonicalization_method.rb

@@ -0,0 +1,43 @@
+require 'iconv'
+
+module XmlSig #:nodoc:
+  class CanonicalizationMethod
+    attr_accessor :algorithm
+
+    def validate
+      raise ValidationError, "Algorithm is required" if algorithm.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:CanonicalizationMethod', attributes)
+    end
+  end
+  
+  class XMLC14NBase
+    # Convert the content from the given charset to UTF-8.
+    def convert_to_utf8(content, from)
+      Iconv.iconv('UTF-8', from, content).join
+    end
+    def convert_linebreaks(content)
+      content.gsub(/\r\n/, "\n").gsub(/\r/, "\n")
+    end
+    def normalize_attribute_values(content)
+      
+    end
+  end
+  
+  # Canonicalization algorithm for XML removing comments
+  class XMLC14NWithComments < XMLC14NBase
+    def process(content, charset='UTF-8')
+      content = convert_to_utf8(content) unless charset == 'UTF-8'
+      content
+    end
+  end
+  class XMLC14NWithoutComments < XMLC14NBase
+    def process(content, charset='UTF-8')
+      content = convert_to_utf8(content) unless charset == 'UTF-8'
+      doc = REXML::Document.new(content)
+    end
+  end
+end

data/lib/xml_sig/key_info.rb

@@ -0,0 +1,55 @@
+module XmlSig #:nodoc:
+  class KeyInfo
+    attr_accessor :id
+    attr_accessor :key_name
+    attr_accessor :key_value
+    attr_accessor :retrieval_method
+    attr_accessor :key_data
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('ds:KeyInfo') {
+        xml.tag!('ds:KeyName', key_name)
+        xml.tag!('ds:KeyValue') {
+          xml << key_value.to_xml
+        }
+      }
+    end
+  end
+  
+  class RetrievalMethod
+    attr_accessor :uri
+    attr_accessor :type
+    
+    def transforms
+      @transforms ||= []
+    end
+    
+    def validate
+      raise ValidationError, "URI is required" if uri.nil?
+    end
+    
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'URI' => uri}
+      attributes['Type'] = type unless type.nil?
+      xml.tag!('ds:RetrievalMethod', attributes) {
+        transforms.each { |transform| xml << transform.to_xml }
+      }
+    end
+  end
+
+  # REQUIRED
+  class DSAKeyValue
+  end
+  # OPTIONAL
+  class RSAKeyValue
+  end
+
+  class X509Data
+  end
+  class PGPData
+  end
+  class SPKIData
+  end
+  class MgmtData
+  end
+end

data/lib/xml_sig/reference.rb

@@ -0,0 +1,57 @@
+module XmlSig #:nooc:
+  class Reference
+    attr_accessor :id
+    attr_accessor :uri
+    attr_accessor :type
+
+    attr_accessor :digest_method
+
+    # DigestValue is an element that contains the encoded value of the digest. The 
+    # digest is always encoded using base64
+    attr_accessor :digest_value
+
+    def transforms
+      @transforms ||= []
+    end
+
+    def validate
+      raise ValidationError, "Digest method is required" if digest_method.nil?
+      raise ValidationError, "Digest value is required" if digest_value.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Id'] = id unless id.nil?
+      attributes['URI'] = uri unless uri.nil?
+      attributes['Type'] = type unless type.nil?
+      xml.tag!('ds:Reference', attributes) {
+        xml.tag!('ds:Transforms') {
+          transforms.each { |transform| xml << transform.to_xml }
+        }
+        xml << digest_method.to_xml unless digest_method.nil?
+        xml.tag!('ds:DigestValue', digest_value)
+      }
+    end
+  end
+
+  # DigestMethod is a required element that identifies the digest algorithm to be applied 
+  # to the signed object.
+  class DigestMethod
+    def self.identifiers
+      @identifiers ||= {
+        'SHA-1', 'http://www.w3.org/2000/09/xmldsig#sha1'
+      }
+    end
+    
+    attr_accessor :algorithm
+
+    def validate
+      raise ValidationError, "Algorithm is required" if algorithm.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:DigestMethod', attributes)
+    end
+  end
+end

data/lib/xml_sig/signature.rb

@@ -0,0 +1,29 @@
+module XmlSig #:nodoc:
+  # An XML signature.
+  class Signature
+    attr_accessor :id
+    attr_accessor :signed_info
+    attr_accessor :signature_value
+    attr_accessor :key_info
+
+    def objects
+      @objects ||= []
+    end
+
+    def assert
+      # raise AssertionError, "An assertion signature must be valid"
+    end
+
+    # Construct an XML fragment representing the signature
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Id'] = id unless id.nil?
+      attributes['xmlns:ds'] = "http://www.w3.org/2000/09/xmldsig#"
+      xml.tag!('ds:Signature', attributes) {
+        xml << signed_info.to_xml if signed_info
+        xml.tag!('ds:SignatureValue')
+        xml.tag!('ds:KeyInfo') if key_info
+      }
+    end
+  end
+end

data/lib/xml_sig/signature_method.rb

@@ -0,0 +1,20 @@
+module XmlSig #:nodoc:
+  # SignatureMethod is a required element that specifies the algorithm used for 
+  # signature generation and validation. This algorithm identifies all cryptographic 
+  # functions involved in the signature operation (e.g. hashing, public key 
+  # algorithms, MACs, padding, etc.).
+  class SignatureMethod
+    attr_accessor :algorithm
+
+    def validate
+      raise ValidationError, "Algorithm is required" if algorithm.nil?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:SignatureMethod', attributes) {
+        xml.tag!('ds:HMACOutputLength', hmac_output_length) unless hmac_output_length.nil?
+      }
+    end
+  end
+end

data/lib/xml_sig/signed_info.rb

@@ -0,0 +1,27 @@
+module XmlSig #:nodoc:
+  class SignedInfo
+    attr_accessor :id
+    attr_accessor :canonicalization_method
+    attr_accessor :signature_method
+
+    def references
+      @references ||= []
+    end
+
+    def validate
+      raise ValidationError, "Canonicalization method is required" if canonicalization_method.nil?
+      raise ValidationError, "Signature method is required" if signature_method.nil?
+      raise ValidationError, "At least one reference is required" if references.empty?
+    end
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Id'] = id unless id.nil?
+      xml.tag!('ds:SignedInfo', attributes) {
+        xml << canonicalization_method.to_xml unless canonicalization_method.nil?
+        xml << signature_method.to_xml unless signature_method.nil?
+        references.each { |reference| xml << reference.to_xml }
+      }
+    end
+  end
+end

data/lib/xml_sig/transform.rb

@@ -0,0 +1,37 @@
+module XmlSig #:nodoc:
+    class Transform
+    attr_accessor :algorithm
+    attr_accessor :xpath
+
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Algorightm' => algorithm}
+      xml.tag!('ds:Transform', attributes) {
+        xml.tag!('ds:XPath', xpath) unless xpath.nil?
+      }
+    end
+  end
+  class Base64Transform
+    IDENTIFIER = 'http://www.w3.org/2000/09/xmldsig#base64'
+    def process(content)
+      content # TODO: implement
+    end
+  end
+  class XPathFiltering
+    IDENTIFIER = 'http://www.w3.org/TR/1999/REC-xpath-19991116'
+    def process(content)
+      content # TODO: implement
+    end
+  end
+  class EnvelopedSignatureTransform
+    IDENTIFIER = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
+    def process(content)
+      content # TODO: implement
+    end
+  end
+  class XSLTTransform
+    IDENTIFIER = 'http://www.w3.org/TR/1999/REC-xslt-19991116'
+    def process(content)
+      content # TODO: implement
+    end
+  end
+end

data/lib/xml_sig.rb

@@ -0,0 +1,11 @@
+# Ruby XML Signature implementation
+module XmlSig
+end
+
+require 'xml_sig/signature'
+require 'xml_sig/signature_method'
+require 'xml_sig/canonicalization_method'
+require 'xml_sig/reference'
+require 'xml_sig/signed_info'
+require 'xml_sig/key_info'
+require 'xml_sig/transform'