scashin133-rsaml 0.1.0

data/.autotest

@@ -0,0 +1,10 @@
+module Autotest::CustomTestMatch
+  Autotest.add_hook :initialize do |at|
+    at.add_mapping(/test/) do |f, _|
+      at.files_matching(/_test\.rb$/)
+    end
+    at.add_mapping(/lib\/.*/) do |f, _|
+      at.files_matching(/_test\.rb$/)
+    end
+  end
+end

data/.gitignore

@@ -0,0 +1,2 @@
+uuid.state
+rdoc

data/README

@@ -0,0 +1,13 @@
+== About
+
+RSAML is a SAML implementation in Ruby. RSAML currently implements the elements defined in the SAML-Core 2.0 specification by defining an object model that mimics the structure of SAML. Method names and attributes have been made ruby-friendly and documentation is provided for each class and method. In certain cases the SAML specification is referenced directly and should be considered the final say whenever a question arises regarding SAML implementation.
+
+Concrete requests:
+
+* RSAML::Protocol::Query::AuthnQuery (Authentication query)
+* RSAML::Protocol::Query::AttributeQuery (Attribute query)
+* RSAML::Protocol::Query::AuthzDecisionQuery (Authorization query)
+
+== A note on the implementation
+
+RSAML is implemented in a very verbose fashion. While there are probably ways to reduce the code footprint using meta programming and other Rubyisms, I've attempted to stick to an implementation style that is easy to follow for non-rubyists and rubyists alike. Additionally I am striving for a comprehensive test suite that can be used to verify conformance to the SAML 2.0 specification.

data/Rakefile

@@ -0,0 +1,141 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+require 'rake/packagetask'
+require 'rake/gempackagetask'
+
+require File.join(File.dirname(__FILE__), '/lib/rsaml/version')
+
+PKG_BUILD       = ENV['PKG_BUILD'] ? '.' + ENV['PKG_BUILD'] : ''
+PKG_NAME        = 'rsaml'
+PKG_VERSION     = RSAML::VERSION::STRING + PKG_BUILD
+PKG_FILE_NAME   = "#{PKG_NAME}-#{PKG_VERSION}"
+PKG_DESTINATION = ENV["PKG_DESTINATION"] || "../#{PKG_NAME}"
+
+RELEASE_NAME  = "REL #{PKG_VERSION}"
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "scashin133-rsaml"
+    gemspec.summary = "Ruby implementation of the SAML 2.0 Specification"
+    gemspec.description = %Q{RSAML is a SAML implementation in Ruby. RSAML currently implements the elements defined in the SAML-Core 2.0 
+    specification by defining an object model that mimics the structure of SAML. Method names and attributes have been made 
+    ruby-friendly and documentation is provided for each class and method. In certain cases the SAML specification is 
+    referenced directly and should be considered the final say whenever a question arises regarding SAML implementation.
+    }
+    gemspec.email = ["anthonyeden@gmail.com", "scashin133@gmail.com"]
+    gemspec.homepage = "http://github.com/scashin133/rsaml"
+    gemspec.authors = ["Anthony Eden"]
+    gemspec.add_dependency('activesupport', '>=2.3.4')
+    gemspec.add_dependency('uuid', '>=2.1.1')
+    gemspec.version = PKG_VERSION
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available.  Install it with: gem install jeweler"
+end
+
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the library.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  test_files = FileList['test/**/*_test.rb']
+  t.test_files = test_files
+  t.verbose = true
+end
+
+desc 'Generate documentation for the library.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RSAML'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+namespace :rcov do
+  desc 'Measures test coverage'
+  task :test do
+    rm_f 'coverage.data'
+    mkdir 'coverage' unless File.exist?('coverage')
+    rcov = "rcov --aggregate coverage.data --text-summary -Ilib"
+    system("#{rcov} test/*_test.rb")
+    #system("open coverage/index.html") if PLATFORM['darwin']
+  end
+end
+
+PKG_FILES = FileList[
+  #'CHANGELOG',
+  #'LICENSE',
+  'README',
+  #'TODO',
+  'Rakefile',
+  'bin/**/*',
+  'doc/**/*',
+  'lib/**/*',
+] - [ 'test' ]
+
+spec = Gem::Specification.new do |s|
+  s.name = 'rsaml'
+  s.version = PKG_VERSION
+  s.summary = "RSAML - SAML implementation in Ruby."
+  s.description = <<-EOF
+    An implementation of SAML in Ruby.
+  EOF
+
+  s.add_dependency('rake', '>= 0.7.1')
+  s.add_dependency('uuid', '>= 1.0.4')
+
+  s.rdoc_options << '--exclude' << '.'
+  s.has_rdoc = false
+
+  s.files = PKG_FILES.to_a.delete_if {|f| f.include?('.svn')}
+  s.require_path = 'lib'
+
+  s.author = "Anthony Eden"
+  s.email = "anthonyeden@gmail.com"
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+  pkg.need_tar = true
+  pkg.need_zip = true
+end
+
+desc "Generate code statistics"
+task :lines do
+  lines, codelines, total_lines, total_codelines = 0, 0, 0, 0
+
+  for file_name in FileList["lib/**/*.rb"]
+    next if file_name =~ /vendor/
+    f = File.open(file_name)
+
+    while line = f.gets
+      lines += 1
+      next if line =~ /^\s*$/
+      next if line =~ /^\s*#/
+      codelines += 1
+    end
+    puts "L: #{sprintf("%4d", lines)}, LOC #{sprintf("%4d", codelines)} | #{file_name}"
+    
+    total_lines     += lines
+    total_codelines += codelines
+    
+    lines, codelines = 0, 0
+  end
+
+  puts "Total: Lines #{total_lines}, LOC #{total_codelines}"
+end
+
+desc "Reinstall the gem from a local package copy"
+task :reinstall => [:package] do
+  windows = RUBY_PLATFORM =~ /mswin/
+  sudo = windows ? '' : 'sudo'
+  gem = windows ? 'gem.bat' : 'gem'
+  `#{sudo} #{gem} uninstall -x -i #{PKG_NAME}`
+  `#{sudo} #{gem} install pkg/#{PKG_NAME}-#{PKG_VERSION}`
+end

data/lib/rsaml/action.rb

@@ -0,0 +1,57 @@
+module RSAML #:nodoc:
+  # Specifies an action on the specified resource for which permission is sought. Its value provides the 
+  # label for an action sought to be performed on the specified resource.
+  class Action
+    include Validatable
+    
+    # Identifiers that MAY be used in the namespace attribute of the Action element to refer to 
+    # common sets of actions to perform on resources.
+    #
+    # Each namespace provides a defined set of actions. Please refer to the SAML 2.0 specification
+    # for additional information.
+    def self.namespaces
+      ActionNamespace.namespaces
+    end
+    
+    # A URI reference representing the namespace in which the name of the specified action is to be 
+    # interpreted. If this element is absent, the namespace 
+    # urn:oasis:names:tc:SAML:1.0:action:rwedc-negation is in effect.
+    attr_accessor :namespace
+    
+    # The action value
+    attr_accessor :value
+    
+    # Initialize the action with the given value.
+    def initialize(value)
+      @value = value
+    end
+    
+    # The action namespace.
+    def namespace
+      @namespace ||= Action.namespaces[:rwedc_negation]
+    end
+    
+    # Validate the structure
+    def validate
+      raise ValidationError, "Action value must be specified" if value.nil?
+      raise ValidationError, "Action value not in given namespace" unless namespace.valid_action?(value)
+    end
+    
+    # Construct an XML fragment representing the action.
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {}
+      attributes['Namespace'] = namespace unless namespace.nil?
+      xml.tag!('saml:Action', attributes, value)
+    end
+    
+    # Construct an Action instance from the given XML Element or fragment.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      action = Action.new(element.text)
+      if (namespace_attribute = element.attribute('Namespace'))
+        action.namespace = ActionNamespace.namespace_for_uri(namespace_attribute.value)
+      end
+      action
+    end
+  end
+end

data/lib/rsaml/action_namespace.rb

@@ -0,0 +1,63 @@
+module RSAML #:nodoc:
+  # Namespaces for actions.
+  class ActionNamespace
+    # A Hash of predefined namespaces from the SAML 2.0 specification. The value for each
+    # key/value pair is an ActionNamespace instance with a URI and set of action names.
+    def self.namespaces
+      @namespaces ||= {
+        :rwedc => ActionNamespace.new('urn:oasis:names:tc:SAML:1.0:action:rwedc', [
+          'Read','Write','Execute','Delete','Control'
+        ]),
+        :rwedc_negation => ActionNamespace.new('urn:oasis:names:tc:SAML:1.0:action:rwedc-negation', [
+          'Read','Write','Execute','Delete','Control','~Read','~Write','~Execute','~Delete','~Control'
+        ]),
+        :ghpp => ActionNamespace.new('urn:oasis:names:tc:SAML:1.0:action:ghpp', [
+          'GET','HEAD','PUT','POST'
+        ]),
+        :unix => UnixActionNamespace.new
+      }
+    end
+    
+    # Get an ActionNamespace instance for the given namespace URI. This method will
+    # return nil if no namespace is found for the given URI
+    def self.namespace_for_uri(uri)
+      namespaces.values.find { |ns| ns.uri == uri }
+    end
+
+    # URI identifying this action namespace
+    attr_accessor :uri
+    
+    # Common sets of actions to perform on resources.
+    attr_accessor :action_names
+    
+    # Initialize the action namespace with the given URI and action names
+    def initialize(uri, action_names)
+      @uri = uri
+      @action_names = action_names
+    end
+    
+    # Return true if the given value is a valid action in the namespace.
+    def valid_action?(value)
+      action_names.include?(value)
+    end
+    
+    # Return a string representation, specifically the URI for the namespace.
+    def to_s
+      uri
+    end
+  end
+  
+  # Unix Action namespace implementation
+  class UnixActionNamespace < ActionNamespace
+    # Initialize
+    def initialize
+      super('urn:oasis:names:tc:SAML:1.0:action:unix', [])
+    end
+    
+    # Return true if the given value is a valid action
+    def valid_action?(value)
+      # TODO: implement octal check
+      false
+    end
+  end
+end

data/lib/rsaml/advice.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  # Contains any additional information that the SAML authority wishes to provide. This information MAY be 
+  # ignored by applications without affecting either the semantics or the validity of the assertion.
+  class Advice
+    include Validatable
+    # Contains a mixture of zero or more Assertion, EncryptedAssertion, assertion IDs, and assertion URIs.
+    # May also contain custom objects that produce namespace-qualified XML for non-SAML elements.
+    def assertions
+      @assertions ||= []
+    end
+    
+    # Validate the advice structure.
+    def validate
+      assertions.each { |assertion| assertion.validate }
+    end
+    
+    # Construct an XML fragment representing the assertion
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Advice') {
+        assertions.each { |assertion| xml << assertion.to_xml }
+      }
+    end
+    
+    # Construct an Advice instance from the given XML Element or fragment
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      advice = Advice.new
+      element.get_elements('saml:Assertion').each do |assertion_element|
+        advice.assertions << Assertion.from_xml(assertion_element)
+      end
+      advice
+    end
+  end
+end

data/lib/rsaml/assertion.rb

@@ -0,0 +1,192 @@
+module RSAML #:nodoc:
+  # Reference to an assertion via URI
+  class AssertionURIRef
+    include Validatable
+    
+    # The URI reference
+    attr_accessor :uri
+    
+    # Initialize the AssertionURIRef with the given URI
+    def initialize(uri)
+      @uri = uri
+    end
+    
+    # Validate that the AssertionURIRef is structurally valid
+    def validate
+      raise ValidationError, "A URI is required" if uri.nil?
+    end
+    
+    # Construct an XML fragment representing the assertion uri ref
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:AssertionURIRef', uri)
+    end
+    
+    # Construct an Action instance from the given XML Element or fragment.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      AssertionURIRef.new(element.text)
+    end
+  end
+  
+  # Reference to an assertion via ID
+  class AssertionIDRef
+    include Validatable
+    
+    # The ID reference
+    attr_accessor :id
+    
+    # Initialize the AssertionIDRef with the given assertion ID
+    def initialize(id)
+      @id = id
+    end
+    
+    # Validate that the AssertionIDRef is structurally valid
+    def validate
+      raise ValidationError, "An id is required" if id.nil?
+    end
+    
+    # Construct an XML fragment representing the assertion ID ref
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:AssertionIDRef', id)
+    end
+    
+    # Construct an Action instance from the given XML Element or fragment.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      AssertionIDRef.new(element.text)
+    end
+  end
+  
+  # An encrypted assertion
+  class EncryptedAssertion < Encrypted
+    # Construct an XML fragment representing the encrypted assertion
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:EncryptedAssertion') {
+        xml.tag!('xenc:EncryptedData', encrypted_data)
+        encrypted_keys.each { |key| xml << encrypted_key.to_xml }
+      }
+    end
+  end
+  
+  # An assertion is a package of information that supplies zero or more statements made by a SAML 
+  # authority.
+  class Assertion
+    include Validatable
+    
+    # SAML assertions are usually made about a subject, however the subject is optional
+    attr_accessor :subject
+    
+    # The version of this assertion.
+    attr_accessor :version
+    
+    # The identifier for this assertion.
+    attr_accessor :id
+    
+    # The time instant of issue in UTC
+    attr_accessor :issue_instant
+    
+    # The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD be unambiguous 
+    # to the intended relying parties.  
+    attr_accessor :issuer
+    
+    # A signature that protects the integrity of and authenticates the issuer of the assertion.
+    attr_accessor :signature
+    
+    # The subject of the statement(s) in the assertion.
+    attr_accessor :subject
+    
+    # Conditions that MUST be evaluated when assessing the validity of and/or when using the assertion. 
+    # Note: conditions should contain a single Conditions instance, not an array of Condition instances.
+    attr_accessor :conditions
+    
+    # Construct a new assertion from the given issuer
+    def initialize(issuer)
+      @issuer = issuer
+      @version = "2.0"
+      @id = UUID.new
+      @issue_instant = Time.now.utc
+    end
+    
+    # Conditions collection
+    def conditions
+      @conditions ||= Conditions.new
+    end
+    
+    # Assertion statements
+    def statements
+      @statements ||= []
+    end
+    
+    # Additional information related to the assertion that assists processing in certain situations but which 
+    # MAY be ignored by applications that do not understand the advice or do not wish to make use of it.
+    def advice
+      @advice ||= []
+    end
+        
+    # Assert the assertion.
+    def assert
+      # rule: if there is a signature it must be asserted
+      signature.assert if signature
+      
+      # rule: if there are conditions then they must be asserted
+      if conditions
+        # rule: an assertion cache should be kept if conditions allow it
+        assertion_cache << self unless conditions.cache?
+        conditions.assert
+      end
+    end
+    
+    # Validate the assertion. This validates the structural integrity of the assertion, not the
+    # validity of the assertion itself. To "assert" the assertion use the assert method.
+    def validate
+      # rule: if there are no statements there must be a subject
+      if statements.length == 0 && subject.nil?
+        raise ValidationError, "An assertion with no statements must have a subject"
+      end
+      
+      # rule: if there is an authentication then there must be a subject
+      statements.each do |statement|           
+        if statement_classes.include?(statement.class)
+          if subject.nil?
+            raise ValidationError, "An assertion with an #{statement.class.name} must have a subject"
+          else
+            break
+          end
+        end
+      end
+    end
+    
+    # Construct an XML fragment representing the assertion
+    def to_xml(xml=Builder::XmlMarkup.new)
+      attributes = {'Version' => version, 'ID' => id, 'IssueInstant' => issue_instant.xmlschema}
+      xml.tag!('saml:Assertion', attributes) {
+        xml << issuer.to_xml
+        xml << signature.to_xml unless signature.nil?
+        xml << subject.to_xml unless subject.nil?
+        xml << conditions.to_xml unless conditions.nil? || conditions.empty?
+        advice.each { |a| xml << a.to_xml }
+        statements.each { |s| xml << s.to_xml }
+      }
+    end
+    
+    # Construct an Action instance from the given XML Element or fragment.
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      issuer = Identifier::Issuer.from_xml(element.get_elements('saml:Issuer').first)
+      assertion = Assertion.new(issuer)
+      if (subject = element.get_elements('saml:Subject').first)
+        assertion.subject = Subject.from_xml(subject)
+      end
+      assertion
+    end
+    
+    protected
+    def assertion_cache
+      @assertion_cache ||= []
+    end
+    
+    def statement_classes
+      [AuthenticationStatement, AttributeStatement, AuthorizationDecisionStatement]
+    end
+  end
+end

data/lib/rsaml/attribute.rb

@@ -0,0 +1,76 @@
+module RSAML #:nodoc:
+  # Identifies an attribute by name and optionally includes its value(s).
+  class Attribute
+    # The name of the attribute.
+    attr_accessor :name
+    
+    # A URI reference representing the classification of the attribute name for purposes of 
+    # interpreting the name
+    attr_accessor :name_format
+    
+    # A string that provides a more human-readable form of the attribute's name, which may 
+    # be useful in cases in which the actual Name is complex or opaque, such as an OID or a UUID.
+    attr_accessor :friendly_name
+    
+    # Initialize the attribute with the given name. Optionally pass an array of values.
+    def initialize(name, *values)
+      @name = name
+      @values = values      
+    end
+    
+    # An array of values for the attribute.
+    def values
+      @values ||= []
+    end
+    
+    # Validate the structure of the attribute.
+    def validate
+      raise ValidationError, "Name is required" unless name
+    end
+    
+    # extension point to allow arbitrary XML attributes to be added to <Attribute> constructs 
+    # without the need for an explicit schema extension. This allows additional fields to be 
+    # added as needed to supply additional parameters to be used, for example, in an attribute 
+    # query. This attribute is a Hash of name/value pairs that is output directly with the
+    # <Attribute> XML element.
+    def extra_xml_attributes
+      @extra_xml_attributes ||= {}
+    end
+    
+    # Construct an XML fragment representing the attribute
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml_attributes = {'Name' => name}
+      xml_attributes['NameFormat'] = name_format unless name_format.nil?
+      xml_attributes['FriendlyName'] = friendly_name unless friendly_name.nil?
+      xml.tag!('saml:Attribute', xml_attributes.merge(extra_xml_attributes)) {
+        values.each { |value| xml.tag!('saml:AttributeValue', value.to_s) }
+      }
+    end
+    
+    def self.from_xml(element)
+      element = REXML::Document.new(element).root if element.is_a?(String)
+      attribute = Attribute.new(element.attribute('Name').value)
+      if element.attribute('NameFormat')
+        attribute.name_format = element.attribute('NameFormat').value
+      end
+      attribute
+    end
+  end
+  
+  # An encrypted attribute.
+  class EncryptedAttribute < Encrypted
+    
+    # Validate the structure
+    def validate
+      raise ValidationError, "Encrypted data is required" if encrypted_data.nil?
+    end
+    
+    # Construct an XML fragment representing the encrypted attribute
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:EncryptedAttribute') {
+        xml.tag!('xenc:EncryptedData', encrypted_data)
+        encrypted_keys.each { |key| xml << key.to_xml }
+      }
+    end
+  end
+end

data/lib/rsaml/audience.rb

@@ -0,0 +1,19 @@
+module RSAML #:nodoc:
+  # A URI reference that identifies an intended audience. The URI reference MAY identify a document 
+  # that describes the terms and conditions of audience membership. It MAY also contain the unique 
+  # identifier URI from a SAML name identifier that describes a system entity.
+  class Audience
+    # URI for the audience
+    attr_accessor :uri
+    
+    # Initialize the Audience instance with the given URI
+    def initialize(uri)
+      @uri = uri
+    end
+    
+    # Construct an XML fragment representing the audience
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:Audience', uri)
+    end
+  end
+end

data/lib/rsaml/authentication_context.rb

@@ -0,0 +1,34 @@
+module RSAML #:nodoc:
+  # Specifies the context of an authentication event. The element can contain 
+  # an authentication context class reference, an authentication context declaration 
+  # or declaration reference, or both.
+  class AuthenticationContext
+    # A URI reference identifying an authentication context class that describes the authentication context 
+    # declaration that follows.
+    attr_accessor :class_reference
+    
+    # An authentication context declaration provided by value.
+    attr_accessor :context_declaration
+    
+    # A URI reference that identifies a declaration. The URI reference MAY directly resolve into 
+    # an XML document containing the referenced declaration.
+    attr_accessor :context_declaration_ref
+    
+    # Zero or more unique identifiers of authentication authorities that were involved in the 
+    # authentication of the principal
+    def authenticating_authority
+      @authenticating_authority ||= []
+    end
+    
+    # Construct an XML fragment representing the authentication statement
+    def to_xml(xml=Builder::XmlMarkup.new)
+      xml.tag!('saml:AuthnContext') {
+        xml.tag!('saml:AuthnContextClassRef', class_reference) unless class_reference.nil?
+        xml.tag!('saml:AuthnContextDecl', context_declaration) unless context_declaration.nil?
+        xml.tag!('saml:AuthnContextDeclRef', context_declaration_ref) unless context_declaration_ref.nil?
+      }
+    end
+  end
+end
+
+require 'rsaml/authn_context/authentication_context_declaration'

data/lib/rsaml/authn_context/README

@@ -0,0 +1 @@
+Implementation of the AuthnContext 2.0 specification.