mapping:
  version: "RAX-1"
  rules:
  - local:
      faws:
        groups:
          multiValue: true
          value: "{Ats(http://schemas.xmlsoap.org/claims/Group)}"
      user:
        domain: "797028"
---
mapping:
  rules:
  - local:
      user:
        domain: '5821006'
        name: "{D}"
        email: "{At(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)}"
        roles:
          >-

Old Behavior

There was no way to tell whether a SAML attribute should be rendered as an array. For example, given the following SAML attributes:

 <saml2:Attribute Name="faws/canAddAWSAccount">
   <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
 

Old Behavior

Suppose that the SAML assertion did not contain roles. Then the policy:

---
mapping:
  rules:
  - local:
@RackerWilliams
RackerWilliams / mkpolicy.yaml
Last active September 26, 2017 21:24
MK Policy
---
mapping:
  version: RAX-1
  rules:
  - local:
      user:
        domain: '1025468' # Can eventually just be {D}
        email: "{At(urn:oid:1.2.840.113549.1.9.1.1)}" # Can also be {D}
        expire: "{Pt(/saml2p:Response/saml2:Assertion/saml2:Conditions/@NotOnOrAfter[1])}" # Ditto {D} unless you specifically want it from cond
        name: "{D}"
@RackerWilliams
RackerWilliams / test-times.org
Created August 11, 2017 14:24
Saxon 9.7 vs Saxon 9.8 all Feeds WADL

Saxon 9.7

COLD (First Run)

time wadl2checker -dgxlpjHbr -t 20 -S SaxonEE -E XalanC allfeeds.wadl allfeeds.checker

[parseWADL : 17 Millis]
[schematronWADL : [compile /xsl/wadl-links.xsl : 369 Millis] 6749 Millis]
[svrlHandler : [compile /xsl/svrl-handler.xsl : 11 Millis] 31 Millis]
[Check Additional SRVL Reports : [compile XVRLCheck XPath : 3 Millis] 11 Millis]
[validateWADL : [SaxonEE wadl schema compile : 71 Millis] 102 Millis]
@RackerWilliams
RackerWilliams / xpath-rule.xml
Last active June 29, 2017 21:16
XML attribute mapping rule with complex XPath
<?xml version="1.0" encoding="UTF-8"?>
<mapping xmlns="http://docs.rackspace.com/identity/api/ext/MappingRules"
         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
         xmlns:xs="http://www.w3.org/2001/XMLSchema"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         version="RAX-1">
  <rules>
    <rule>
      <remote>
        <attribute multiValue="true"
@RackerWilliams
RackerWilliams / xpath-rule.js
Created June 29, 2017 21:11
JSON attribute mapping rule with a complex XPath
{
  "mapping": {
    "rules": [
      {
        "remote": [
          {
            "path": "(:\n If the number of seconds is even, then the role should be\n nova:admin and lbaas:admin\n\n Otherwise the roles should be nova:observe and lbaas:observer.\n:)\nif ((xs:integer(seconds-from-time(current-time())) mod 2) = 0)\n then ('nova:admin','lbaas:admin')\n else ('nova:observer','lbaas:observer')\n",
            "multiValue": true
          }
        ],