swt_federation 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in swt_federation.gemspec
+gemspec

data/README.rdoc

@@ -0,0 +1,39 @@
+= SWT Federation for Ruby
+
+This library provides SWT-based federation for Ruby applications (ruby 1.9)
+
+The entry point of this library is the TokenHandler class. Before using it you have to set some class instance 
+variables that hold configuration information.
+
+
+TokenHandler.realm = 'http://0.0.0.0:8080/login/'
+TokenHandler.token_type = 'http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0'
+TokenHandler.issuer = 'https://southworksinc.accesscontrol.windows.net/'
+TokenHandler.toke_key = 'your key here'
+
+The lines above can be placed in the config.ru file.
+Below you can find an example of how to use it with Sinatra.
+
+  before do
+
+    next if request.path_info == '/swt' 
+    if(session['user']==nil)
+      redirect ("<your_identity_provider_url>")
+    end
+  end
+
+  post '/swt' do
+    response = TokenHandler.new(params[:wresult])
+    if (response.is_valid?)
+      session['user'] = response.claims['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']
+      target_url = params[:wctx]
+      if (target_url != nil)   
+        redirect(target_url)
+      else
+        redirect('/home') 
+      end
+    else
+      status(403)
+      halt('access denied')
+    end
+  end

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/swt_federation.rb

@@ -0,0 +1,101 @@
+# http://blog.thepete.net/2010/11/creating-and-publishing-your-first-ruby.html
+require "swt_federation/version"
+
+require 'nokogiri'
+require 'time'
+require 'base64'
+require 'cgi'
+require 'openssl'
+
+
+module SwtFederation
+
+  class TokenHandler
+    class << self; attr_accessor :realm, :issuer, :token_key, :token_type end
+    
+    attr_reader :validation_errors, :claims
+
+    def initialize(wresult)
+      @validation_errors = []
+      @claims={}
+      @wresult=Nokogiri::XML(wresult)
+
+      parse_response()
+    end
+  
+    def is_valid?
+      @validation_errors.empty?
+    end
+  
+    #parse through the document, performing validation & pulling out claims
+    def parse_response
+      parse_address()
+      parse_expires()
+      parse_token_type()
+      parse_token()
+    end
+ 
+    #does the address field have the expected address?
+    def parse_address
+      address = get_element('//t:RequestSecurityTokenResponse/wsp:AppliesTo/addr:EndpointReference/addr:Address')
+      @validation_errors << "Address field is empty." and return if address.nil?
+      @validation_errors << "Address field is incorrect." unless address == self.class.realm
+    end
+  
+    #is the expire value valid?
+    def parse_expires
+      expires = get_element('//t:RequestSecurityTokenResponse/t:Lifetime/wsu:Expires')
+      @validation_errors << "Expiration field is empty." and return if expires.nil?
+      @validation_errors << "Invalid format for expiration field." and return unless /^(-?(?:[1-9][0-9]*)?[0-9]{4})-(1[0-2]|0[1-9])-(3[0-1]|0[1-9]|[1-2][0-9])T(2[0-3]|[0-1][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-](?:2[0-3]|[0-1][0-9]):[0-5][0-9])?$/.match(expires)
+      @validation_errors << "Expiration date occurs in the past." unless Time.now.utc.iso8601 < Time.iso8601(expires).iso8601
+    end
+  
+    #is the token type what we expected?
+    def parse_token_type
+      token_type = get_element('//t:RequestSecurityTokenResponse/t:TokenType')
+      @validation_errors << "TokenType field is empty." and return if token_type.nil?
+      @validation_errors << "Invalid token type." unless token_type == self.class.token_type
+    end
+  
+    #parse the binary token
+    def parse_token
+      binary_token = get_element('//t:RequestSecurityTokenResponse/t:RequestedSecurityToken/wsse:BinarySecurityToken')
+      @validation_errors << "No binary token exists." and return if binary_token.nil?
+    
+      decoded_token = Base64.decode64(binary_token)
+      name_values={}
+      decoded_token.split('&').each do |entry|
+        pair=entry.split('=') 
+        name_values[CGI.unescape(pair[0]).chomp] = CGI.unescape(pair[1]).chomp
+      end
+
+      @validation_errors << "Response token is expired." if Time.now.to_i > name_values["ExpiresOn"].to_i
+      @validation_errors << "Invalid token issuer." unless name_values["Issuer"]=="#{self.class.issuer}"
+      @validation_errors << "Invalid audience." unless name_values["Audience"] =="#{self.class.realm}"
+ 
+      # is HMAC valid?
+      token_hmac = decoded_token.split("&HMACSHA256=")
+      swt=token_hmac[0]
+      @validation_errors << "HMAC does not match computed value." unless name_values['HMACSHA256'] == Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha256'),Base64.decode64(self.class.token_key),swt)).chomp
+    
+      # remove non-claims from collection and make claims available
+
+      @claims = name_values.reject {|key, value| !key.include? '/claims/'}
+    end
+  
+    #given an path, return the content of the first matching element
+    def get_element(xpath_statement)
+      begin
+        @wresult.xpath(xpath_statement,
+                't'=>'http://schemas.xmlsoap.org/ws/2005/02/trust',
+                'wsu'=>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd',
+                'wsp'=>'http://schemas.xmlsoap.org/ws/2004/09/policy',
+                'wsse'=>'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
+                'addr'=>'http://www.w3.org/2005/08/addressing')[0].content
+      rescue
+        nil
+      end
+    end
+  end
+
+end

data/lib/swt_federation/version.rb

@@ -0,0 +1,3 @@
+module SwtFederation
+  VERSION = "0.0.1"
+end

data/swt_federation.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "swt_federation/version"
+
+Gem::Specification.new do |s|
+  s.name        = "swt_federation"
+  s.version     = SwtFederation::VERSION
+  s.authors     = ["NicoPaez"]
+  s.email       = ["nicopaez@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{This gem provides website federation based on Simple Web Tokens (SWT)}
+  s.description = %q{It is inspired on this post (http://blogs.msdn.com/b/silverlining/archive/2011/10/03/ruby-web-sites-and-windows-azure-appfabric-access-control.aspx) by Larry Franks.}
+
+  s.rubyforge_project = "swt_federation"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  #s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  # s.add_runtime_dependency "rest-client"
+  s.add_dependency "nokogiri"
+
+end

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification
+name: swt_federation
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- NicoPaez
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-21 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: &11839000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *11839000
+description: It is inspired on this post (http://blogs.msdn.com/b/silverlining/archive/2011/10/03/ruby-web-sites-and-windows-azure-appfabric-access-control.aspx)
+  by Larry Franks.
+email:
+- nicopaez@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.rdoc
+- Rakefile
+- lib/swt_federation.rb
+- lib/swt_federation/version.rb
+- swt_federation.gemspec
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: swt_federation
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: This gem provides website federation based on Simple Web Tokens (SWT)
+test_files: []