decidim-msad 0.22.0

data/lib/decidim/msad/verification/engine.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Verification
+      # This is an engine that performs user authorization.
+      class Engine < ::Rails::Engine
+        isolate_namespace Decidim::Msad::Verification
+
+        paths["db/migrate"] = nil
+        paths["lib/tasks"] = nil
+
+        routes do
+          resource :authorizations, only: [:new], as: :authorization
+
+          root to: "authorizations#new"
+        end
+
+        initializer "decidim_msad.verification_workflow", after: :load_config_initializers do
+          next unless Decidim::Msad.configured?
+
+          # We cannot use the name `:msad` for the verification workflow
+          # because otherwise the route namespace (decidim_msad) would
+          # conflict with the main engine controlling the authentication flows.
+          # The main problem that this would bring is that the root path for
+          # this engine would not be found.
+          Decidim::Verifications.register_workflow(:msad_identity) do |workflow|
+            workflow.engine = Decidim::Msad::Verification::Engine
+
+            Decidim::Msad::Verification::Manager.configure_workflow(workflow)
+          end
+        end
+
+        def load_seed
+          # Enable the `:msad_identity` authorization
+          org = Decidim::Organization.first
+          org.available_authorizations << :msad_identity
+          org.save!
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/verification/manager.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Verification
+      class Manager
+        def self.configure_workflow(workflow)
+          Decidim::Msad.workflow_configurator.call(workflow)
+        end
+
+        def self.metadata_collector_for(saml_attributes)
+          Decidim::Msad.metadata_collector_class.new(saml_attributes)
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/verification/metadata_collector.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    module Verification
+      class MetadataCollector
+        def initialize(saml_attributes)
+          @saml_attributes = saml_attributes
+        end
+
+        def metadata
+          return nil unless Decidim::Msad.metadata_attributes.is_a?(Hash)
+          return nil if Decidim::Msad.metadata_attributes.blank?
+
+          collect.delete_if { |_k, v| v.nil? }
+        end
+
+        protected
+
+        attr_reader :saml_attributes
+
+        def collect
+          Decidim::Msad.metadata_attributes.map do |key, defs|
+            value = begin
+              case defs
+              when Hash
+                saml_attributes.public_send(defs[:type], defs[:name])
+              when String
+                saml_attributes.single(defs)
+              end
+            end
+
+            [key, value]
+          end.to_h
+        end
+      end
+    end
+  end
+end

data/lib/decidim/msad/version.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Msad
+    VERSION = "0.22.0"
+    DECIDIM_VERSION = "~> 0.22.0"
+  end
+end

data/lib/generators/decidim/msad/install_generator.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module Decidim
+  module Msad
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        source_root File.expand_path("../../templates", __dir__)
+
+        desc "Creates a Devise initializer and copy locale files to your application."
+
+        class_option(
+          :dummy_cert,
+          desc: "Defines whether to create a dummy certificate for localhost.",
+          type: :boolean,
+          default: false
+        )
+
+        class_option(
+          :test_initializer,
+          desc: "Copies the test initializer instead of the actual one (for test dummy app).",
+          type: :boolean,
+          default: false,
+          hide: true
+        )
+
+        def copy_initializer
+          if options[:test_initializer]
+            copy_file "msad_initializer_test.rb", "config/initializers/msad.rb"
+          else
+            copy_file "msad_initializer.rb", "config/initializers/msad.rb"
+          end
+        end
+
+        def enable_authentication
+          secrets_path = Rails.application.root.join("config", "secrets.yml")
+          secrets = YAML.safe_load(File.read(secrets_path), [], [], true)
+
+          if secrets["default"]["omniauth"]["msad"]
+            say_status :identical, "config/secrets.yml", :blue
+          else
+            mod = SecretsModifier.new(secrets_path)
+            final = mod.modify
+
+            target_path = Rails.application.root.join("config", "secrets.yml")
+            File.open(target_path, "w") { |f| f.puts final }
+
+            say_status :insert, "config/secrets.yml", :green
+          end
+        end
+
+        class SecretsModifier
+          def initialize(filepath)
+            @filepath = filepath
+          end
+
+          def modify
+            self.inside_config = false
+            self.inside_omniauth = false
+            self.config_branch = nil
+            @final = ""
+
+            @empty_line_count = 0
+            File.readlines(filepath).each do |line|
+              if line =~ /^$/
+                @empty_line_count += 1
+                next
+              else
+                handle_line line
+                insert_empty_lines
+              end
+
+              @final += line
+            end
+            insert_empty_lines
+
+            @final
+          end
+
+          private
+
+          attr_accessor :filepath, :empty_line_count, :inside_config, :inside_omniauth, :config_branch
+
+          def handle_line(line)
+            if inside_config && line =~ /^  omniauth:/
+              self.inside_omniauth = true
+            elsif inside_omniauth && (line =~ /^(  )?[a-z]+/ || line =~ /^#.*/)
+              inject_msad_config
+              self.inside_omniauth = false
+            end
+
+            return unless line =~ /^[a-z]+/
+
+            # A new root configuration block starts
+            self.inside_config = false
+            self.inside_omniauth = false
+
+            branch = line[/^(default|development|test):/, 1]
+            if branch
+              self.inside_config = true
+              self.config_branch = branch.to_sym
+            end
+          end
+
+          def insert_empty_lines
+            @final += "\n" * empty_line_count
+            @empty_line_count = 0
+          end
+
+          def inject_msad_config
+            @final += "    msad:\n"
+            case config_branch
+            when :development, :test
+              @final += "      enabled: true\n"
+            else
+              @final += "      enabled: false\n"
+            end
+            @final += "      metadata_url:\n"
+            @final += "      icon: account-login\n"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/generators/templates/msad_initializer.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+Decidim::Msad.configure do |config|
+  # Define the IdP metadata URL through the secrets
+  config.idp_metadata_url = Rails.application.secrets.omniauth[:msad][:metadata_url]
+
+  # Define the service provider entity ID:
+  # config.sp_entity_id = "https://www.example.org/users/auth/msad/metadata"
+  # Or define it in your application configuration and apply it here:
+  # config.sp_entity_id = Rails.application.config.msad_entity_id
+  # Enable automatically assigned emails
+  config.auto_email_domain = "example.org"
+
+  # Subscribe new users automatically to newsletters (default false).
+  #
+  # IMPORANT NOTE:
+  # Legally it should be always a user's own decision if the want to subscribe
+  # to any newsletters or not. Before enabling this, make sure you have your
+  # legal basis covered for enabling it. E.g. for internal instances within
+  # organizations, it should be generally acceptable but please confirm that
+  # from the legal department first!
+  # config.registration_newsletter_subscriptions = true
+
+  # Configure the SAML attributes that will be stored in the user's
+  # authorization metadata.
+  # config.metadata_attributes = {
+  #   display_name: "http://schemas.microsoft.com/identity/claims/displayname",
+  #   given_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+  #   surname: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+  #   birthday: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth",
+  #   postal_code: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode",
+  #   mobile_phone: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone",
+  #   groups: { name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", type: :multi }
+  # }
+
+  # You can define extra service provider metadata that will show up in the
+  # metadata URL.
+  # config.sp_metadata = [
+  #   {
+  #     name: "Organization",
+  #     children: [
+  #       {
+  #         name: "OrganizationName",
+  #         attributes: { "xml:lang" => "en-US" },
+  #         content: "Acme"
+  #       },
+  #       {
+  #         name: "OrganizationDisplayName",
+  #         attributes: { "xml:lang" => "en-US" },
+  #         content: "Acme Corporation"
+  #       },
+  #       {
+  #         name: "OrganizationURL",
+  #         attributes: { "xml:lang" => "en-US" },
+  #         content: "https://en.wikipedia.org/wiki/Acme_Corporation"
+  #       }
+  #     ]
+  #   },
+  #   {
+  #     name: "ContactPerson",
+  #     attributes: { "contactType" => "technical" },
+  #     children: [
+  #       {
+  #         name: "GivenName",
+  #         content: "John Doe"
+  #       },
+  #       {
+  #         name: "EmailAddress",
+  #         content: "jdoe@acme.org"
+  #       }
+  #     ]
+  #   }
+  # ]
+end

data/lib/generators/templates/msad_initializer_test.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require "decidim/msad/test/runtime"
+
+Decidim::Msad::Test::Runtime.initialize

data/lib/omniauth/msad/metadata.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MSAD
+    class Metadata < OneLogin::RubySaml::Metadata
+      def generate(settings, pretty_print = false)
+        metadata_signed = settings.security.delete(:metadata_signed)
+        settings.security[:metadata_signed] = false
+
+        meta_xml = super(settings)
+        meta_doc = XMLSecurity::Document.new(meta_xml)
+        add_tags_to(meta_doc.root, settings.sp_metadata) if settings.sp_metadata
+
+        sign_document!(meta_doc, settings) if metadata_signed
+        return meta_doc.write("", 1) if pretty_print
+
+        meta_doc.to_s
+      end
+
+      private
+
+      def add_tags_to(parent, tags)
+        tags.each do |tag|
+          element = parent.add_element "md:#{tag[:name]}", tag[:attributes]
+          element.text = tag[:content] if tag[:content]
+          add_tags_to(element, tag[:children]) if tag[:children].is_a?(Array)
+        end
+      end
+
+      def sign_document!(document, settings)
+        return unless settings.security[:metadata_signed]
+        return unless settings.private_key
+        return unless settings.certificate
+
+        # embed signature
+        private_key = settings.get_sp_key
+        document.sign_document(
+          private_key,
+          cert,
+          settings.security[:signature_method],
+          settings.security[:digest_method]
+        )
+      end
+    end
+  end
+end

data/lib/omniauth/msad/settings.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MSAD
+    class Settings < OneLogin::RubySaml::Settings
+      attr_accessor :sp_metadata
+    end
+  end
+end

data/lib/omniauth/msad/test.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require_relative "test/certificate_generator"
+
+module OmniAuth
+  module Msad
+    module Test
+    end
+  end
+end

data/lib/omniauth/msad/test/certificate_generator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Msad
+    module Test
+      class CertificateGenerator
+        def private_key
+          @private_key ||= OpenSSL::PKey::RSA.new(2048)
+        end
+
+        def certificate
+          @certificate ||= begin
+            public_key = private_key.public_key
+
+            subject = "/C=FI/O=Test/OU=Test/CN=Test"
+
+            cert = OpenSSL::X509::Certificate.new
+            cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+            cert.not_before = Time.now
+            cert.not_after = Time.now + 365 * 24 * 60 * 60
+            cert.public_key = public_key
+            cert.serial = 0x0
+            cert.version = 2
+
+            inject_certificate_extensions(cert)
+
+            cert.sign(private_key, OpenSSL::Digest::SHA1.new)
+
+            cert
+          end
+        end
+
+        private
+
+        def inject_certificate_extensions(cert)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.subject_certificate = cert
+          ef.issuer_certificate = cert
+          cert.extensions = [
+            ef.create_extension("basicConstraints", "CA:TRUE", true),
+            ef.create_extension("subjectKeyIdentifier", "hash")
+          ]
+          cert.add_extension ef.create_extension(
+            "authorityKeyIdentifier",
+            "keyid:always,issuer:always"
+          )
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/msad.rb

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+require "omniauth-saml"
+require "omniauth/msad/metadata"
+require "omniauth/msad/settings"
+
+module OmniAuth
+  module Strategies
+    class MSAD < SAML
+      # The IdP metadata URL.
+      option :idp_metadata_url, nil
+
+      # These are the requested attributes that could be defined for the
+      # metadata. However, these can be already defined at the federation side,
+      # so they are not generally needed with AD based federations.
+      option :request_attributes, []
+
+      # Maps the SAML attributes to OmniAuth info schema:
+      # https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later
+      option(
+        :attribute_statements,
+        name: %w(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name),
+        email: %w(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress),
+        first_name: %w(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname),
+        last_name: %w(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname),
+        nickname: %w(http://schemas.microsoft.com/identity/claims/displayname)
+      )
+
+      option(:sp_metadata, [])
+
+      info do
+        found_attributes = options.attribute_statements.map do |key, values|
+          attribute = find_attribute_by(values)
+          [key, attribute]
+        end
+        info_hash = Hash[found_attributes]
+
+        # The name attribute is overridden if the first name and last name are
+        # defined because otherwise it could be the principal name which is not
+        # a user readable name as expected by OmniAuth.
+        name = "#{info_hash["first_name"]} #{info_hash["last_name"]}".strip
+        info_hash["name"] = name unless name.blank?
+
+        info_hash
+      end
+
+      def initialize(app, *args, &block)
+        super
+
+        # Add the request attributes to the options.
+        options[:sp_name_qualifier] = options[:sp_entity_id] if options[:sp_name_qualifier].nil?
+
+        # Remove the nil options from the origianl options array that will be
+        # defined by the MSAD options
+        [
+          :idp_name_qualifier,
+          :name_identifier_format,
+          :security
+        ].each do |key|
+          options.delete(key) if options[key].nil?
+        end
+
+        # Add the MSAD options to the local options, most of which are fetched
+        # from the metadata. The options array is the one that gets priority in
+        # case it overrides some of the metadata or locally defined option
+        # values.
+        @options = OmniAuth::Strategy::Options.new(
+          msad_options.merge(options)
+        )
+      end
+
+      # This method can be used externally to fetch information about the
+      # response, e.g. in case of failures.
+      def response_object
+        return nil unless request.params["SAMLResponse"]
+
+        with_settings do |settings|
+          response = OneLogin::RubySaml::Response.new(
+            request.params["SAMLResponse"],
+            options_for_response_object.merge(settings: settings)
+          )
+          response.attributes["fingerprint"] = settings.idp_cert_fingerprint
+          response
+        end
+      end
+
+      private
+
+      def msad_options
+        idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+        # Returns OneLogin::RubySaml::Settings prepopulated with idp metadata
+        settings = begin
+          begin
+            idp_metadata_parser.parse_remote_to_hash(
+              options.idp_metadata_url,
+              true
+            )
+          rescue ::URI::InvalidURIError
+            # Allow the OmniAuth strategy to be configured with empty settings
+            # in order to provide the metadata URL even when the authentication
+            # endpoint is not configured.
+            {}
+          end
+        end
+
+        # Define the security settings as there are some defaults that need to be
+        # modified
+        security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
+        settings[:security] = security_defaults.merge(
+          authn_requests_signed: options.certificate.present?,
+          want_assertions_signed: true,
+          digest_method: XMLSecurity::Document::SHA256,
+          signature_method: XMLSecurity::Document::RSA_SHA256
+        )
+
+        # Add some extra information that is necessary for correctly formatted
+        # logout requests.
+        settings[:idp_name_qualifier] = settings[:idp_entity_id]
+
+        if !options.name_identifier_format.blank?
+          # If the name identifier format has been configured, use that instead
+          # of the IdP metadata value. Otherwise the first format available in
+          # the IdP metadata would be used.
+          settings[:name_identifier_format] = options.name_identifier_format
+        elsif settings[:name_identifier_format].blank?
+          # If the name identifier format is not defined in the IdP metadata,
+          # add the persistent format to the SP metadata.
+          settings[:name_identifier_format] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+        end
+
+        settings
+      end
+
+      def with_settings
+        options[:assertion_consumer_service_url] ||= callback_url
+        yield OmniAuth::MSAD::Settings.new(options)
+      end
+
+      # Customize the metadata class in order to add custom nodes to the
+      # metadata.
+      def other_phase_for_metadata
+        with_settings do |settings|
+          response = OmniAuth::MSAD::Metadata.new
+
+          add_request_attributes_to(settings) if options.request_attributes.length.positive?
+
+          Rack::Response.new(
+            response.generate(settings),
+            200,
+            "Content-Type" => "application/xml"
+          ).finish
+        end
+      end
+
+      # End the local user session BEFORE sending the logout request to the
+      # identity provider.
+      def other_phase_for_spslo
+        return super unless options.idp_slo_target_url
+
+        with_settings do |settings|
+          # Some session variables are needed when generating the logout request
+          request = generate_logout_request(settings)
+          # Destroy the local user session
+          options[:idp_slo_session_destroy].call @env, session
+          # Send the logout request to the identity provider
+          redirect(request)
+        end
+      end
+
+      # Overridden to disable passing the relay state with a request parameter
+      # which is possible in the default implementation.
+      def slo_relay_state
+        state = super
+
+        # Ensure that we are only using the relay states to redirect the user
+        # within the current website. This forces the relay state to always
+        # start with a single forward slash character (/).
+        return "/" unless state =~ %r{^/[^/].*}
+
+        state
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "msad", "MSAD"