RubyGems - devise_duo_sec - Versions diffs - 0.0.7 - Mend

devise_duo_sec 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

checksums.yaml +7 -0
data/MIT-LICENSE +20 -0
data/README.rdoc +3 -0
data/Rakefile +34 -0
data/app/assets/javascripts/devise_duo_security/Duo-Web-v2.js +366 -0
data/app/assets/stylesheets/devise_duo_security/Duo-Frame.css +10 -0
data/app/controllers/devise/duo_security_controller.rb +39 -0
data/app/views/devise/duo_security/_test_iframe_response.html.erb +144 -0
data/app/views/devise/duo_security/show.html.erb +15 -0
data/lib/devise/duo_security/controllers/helpers.rb +41 -0
data/lib/devise/duo_security/engine.rb +14 -0
data/lib/devise/duo_security/version.rb +5 -0
data/lib/devise_duo_sec.rb +43 -0
data/lib/duo_web.rb +107 -0
data/lib/tasks/devise_duo_security_tasks.rake +4 -0
data/test/devise_duo_security_test.rb +16 -0
data/test/dummy/Gemfile +10 -0
data/test/dummy/Gemfile.lock +138 -0
data/test/dummy/README.rdoc +28 -0
data/test/dummy/Rakefile +6 -0
data/test/dummy/app/assets/javascripts/application.js +15 -0
data/test/dummy/app/assets/stylesheets/application.css +15 -0
data/test/dummy/app/controllers/application_controller.rb +5 -0
data/test/dummy/app/controllers/home_controller.rb +13 -0
data/test/dummy/app/helpers/application_helper.rb +2 -0
data/test/dummy/app/models/user.rb +6 -0
data/test/dummy/app/views/layouts/application.html.erb +14 -0
data/test/dummy/bin/bundle +3 -0
data/test/dummy/bin/rails +4 -0
data/test/dummy/bin/rake +4 -0
data/test/dummy/bin/setup +29 -0
data/test/dummy/config.ru +4 -0
data/test/dummy/config/application.rb +26 -0
data/test/dummy/config/boot.rb +5 -0
data/test/dummy/config/database.yml +25 -0
data/test/dummy/config/environment.rb +5 -0
data/test/dummy/config/environments/development.rb +42 -0
data/test/dummy/config/environments/production.rb +78 -0
data/test/dummy/config/environments/test.rb +42 -0
data/test/dummy/config/initializers/assets.rb +11 -0
data/test/dummy/config/initializers/backtrace_silencers.rb +7 -0
data/test/dummy/config/initializers/cookies_serializer.rb +3 -0
data/test/dummy/config/initializers/devise.rb +259 -0
data/test/dummy/config/initializers/filter_parameter_logging.rb +4 -0
data/test/dummy/config/initializers/inflections.rb +16 -0
data/test/dummy/config/initializers/mime_types.rb +4 -0
data/test/dummy/config/initializers/session_store.rb +3 -0
data/test/dummy/config/initializers/wrap_parameters.rb +14 -0
data/test/dummy/config/locales/devise.en.yml +60 -0
data/test/dummy/config/locales/en.yml +23 -0
data/test/dummy/config/routes.rb +7 -0
data/test/dummy/config/secrets.yml +22 -0
data/test/dummy/db/migrate/20150320103707_devise_create_users.rb +42 -0
data/test/dummy/db/schema.rb +34 -0
data/test/dummy/public/404.html +67 -0
data/test/dummy/public/422.html +67 -0
data/test/dummy/public/500.html +66 -0
data/test/dummy/public/favicon.ico +0 -0
data/test/dummy/test/fixtures/users.yml +11 -0
data/test/dummy/test/models/user_test.rb +7 -0
data/test/integration/navigation_test.rb +25 -0
data/test/support/helpers.rb +40 -0
data/test/test_helper.rb +46 -0
metadata +337 -0

data/app/controllers/devise/duo_security_controller.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require 'duo_web'
+class Devise::DuoSecurityController < DeviseController
+  prepend_before_action :set_resource
+  prepend_before_action :authenticate_scope!, only: [:show]
+  skip_before_action :verify_authenticity_token
+  include Devise::Controllers::Helpers
+  include Duo
+  def show
+    @host = DuoSecurity.configuration.host
+    @signature = Duo.sign_request(DuoSecurity.configuration.ikey, DuoSecurity.configuration.skey, DuoSecurity.configuration.app_secret, @resource.email)
+  end
+  def verify
+    authenticated_username = Duo.verify_response(DuoSecurity.configuration.ikey, DuoSecurity.configuration.skey, DuoSecurity.configuration.app_secret, params[:sig_response])
+    if authenticated_username
+      warden.session(resource_name)['duo_authenticated'] = true
+      redirect_to session["user_return_to"] || root_path
+    else
+      redirect_to send("#{resource_name}_duo_security_path")
+    end
+  end
+  private
+  def authenticate_scope!
+    # because we are a type of DeviseController authentication will not run again
+    # hence we need to set force => true to ensure a user is logged in!
+    send(:"authenticate_#{resource_name}!", :force => true)
+    self.resource = send("current_#{resource_name}")
+    @resource = resource
+  end
+  def set_resource
+    @verify_path = send("verify_#{resource_name}_duo_security_path")
+  end
+end

data/app/views/devise/duo_security/_test_iframe_response.html.erb ADDED Viewed

@@ -0,0 +1,144 @@
+    <html lang="en"><!--<![endif]--><head>
+<meta charset="utf-8">
+<title>Two-Factor Authentication</title>
+<!--[if lt IE 9]>
+<script src="&#x2f;frame&#x2f;static&#x2f;js&#x2f;lib&#x2f;html5shiv.js&#x3f;v&#x3d;5a98a"></script>
+<![endif]-->
+<link rel="stylesheet" href="/frame/static/css/normalize.css?v=51888">
+<link rel="stylesheet" href="/frame/static/fonts/opensans/opensans.css?v=f2b1a">
+<link rel="stylesheet" href="/frame/static/fonts/ss-standard/ss-standard.css?v=56373">
+<link rel="stylesheet" href="/frame/static/css/enroll_new/base.css?v=ca42a">
+<link rel="stylesheet" href="/frame/static/css/enroll_new/prompt.css?v=14a67">
+<link rel="stylesheet" href="/frame/static/css/tipsy.css?v=d2369">
+</head>
+<body>
+<div class="base-wrapper">
+<div class="base-header">
+<h1><span class="duo">Duo</span> Two-Factor Authentication</h1>
+<a class="help-link" href="http://guide.duosecurity.com/prompt" target="_blank" title="Need help?" tabindex="-1">
+<i class="ss-help"></i>
+</a>
+</div>
+<div class="base-main">
+<div class="base-body">
+<div class="status hidden">
+</div>
+<form action="/frame/prompt/new" method="post" id="login-form">
+<input type="hidden" name="sid" value="NTljZjRjMDUyOTc4NDRmZjgxNjU2NzkzOGJiOWIzZGU=|95.131.110.106|1426862601|ac35e2db262e05c369d15dd8a1b422cc2ac6609d">
+<label class="device-selector">
+<b>Device:</b>
+<select name="device">
+<option value="phone1">
+Android (+XX XXXX XX5265)
+</option>
+</select>
+</label>
+<fieldset data-device-index="phone1" class="" style="display: block;">
+<label>
+<input type="radio" name="factor" value="phone" checked="">
+<b>Phone call</b>
+<span class="helptext ss-help" title="We'll call your phone. Answer the call and press
+any key
+on your phone's keypad to authenticate."></span>
+</label>
+<div class="label passcode-label">
+<input type="radio" name="factor" value="passcode">
+<b>Passcode</b>
+<input type="text" name="passcode">
+<span class="helptext ss-help" title="Enter a passcode
+sent via SMS or
+provided by an administrator."></span>
+</div>
+<div class="sms-passcodes">
+<p class="sms-provisioned">
+Next SMS passcode starts with
+<b class="next-passcode">2</b>
+(<a href="#" class="need-codes sms-send-more" data-device-index="phone1">send more</a>)
+</p>
+<p class="sms-unprovisioned hidden">
+<a href="#" class="need-codes" data-device-index="phone1">Send SMS passcodes</a>
+</p>
+</div>
+</fieldset>
+</form>
+</div>
+</div>
+<div class="base-footer">
+<button data-form="login-form" id="login-button" class="button button-green ss-navigateright right" type="submit">Log in</button>
+</div>
+</div>
+<script src="/frame/static/shared/lib/jquery/jquery-legacy.min.js?v=65126"></script>
+<script src="/frame/static/js/lib/jquery-postmessage.min.js?v=15c30"></script>
+<!--[if lt IE 10]>
+<script src="&#x2f;frame&#x2f;static&#x2f;js&#x2f;page&#x2f;enroll_new&#x2f;quirks.js&#x3f;v&#x3d;cb16b"></script>
+<!--<![endif]-->
+<script src="/frame/static/js/page/enroll_new/frame.js?v=bd543"></script>
+<script src="/frame/static/js/lib/jquery.tipsy.js?v=cb2d5"></script>
+<script src="/frame/static/js/page/enroll_new/prompt.js?v=3365b"></script>
+</body></html>

data/app/views/devise/duo_security/show.html.erb ADDED Viewed

@@ -0,0 +1,15 @@
+<%= javascript_include_tag "devise_duo_security/Duo-Web-v2" %>
+<%= stylesheet_link_tag "devise_duo_security/Duo-Frame" %>
+<script type="text/javascript" nonce="<%= @content_security_policy_nonce %>">
+</script>
+<iframe id="duo_iframe"
+        width="620"
+        height="330"
+        frameborder="0"
+        data-host="<%= @host %>"
+        data-sig-request="<%= @signature %>"
+        data-post-action="<%= @verify_path %>"
+        >
+</iframe>

data/lib/devise/duo_security/controllers/helpers.rb ADDED Viewed

@@ -0,0 +1,41 @@
+module Devise::DuoSecurity
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+      included do
+        before_filter :handle_two_factor_authentication
+      end
+      private
+      def handle_two_factor_authentication
+        unless devise_controller?
+          Devise.mappings.keys.flatten.each do |scope|
+            if signed_in?(scope)
+              if (warden.session(scope)['duo_authenticated'].nil? or !warden.session(scope)['duo_authenticated'])
+                handle_failed_second_factor(scope)
+              end
+              break
+            end
+          end
+        end
+      end
+      def handle_failed_second_factor(scope)
+        if request.format.present? and request.format.html?
+          session["#{scope}_return_to"] = "#{request.path}?#{request.query_string}" if request.get?
+          redirect_to duo_authentication_path_for(scope)
+        else
+          render nothing: true, status: :unauthorized
+        end
+      end
+      def duo_authentication_path_for(resource_or_scope = nil)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_duo_security_path"
+        send(change_path)
+      end
+    end
+  end
+end

data/lib/devise/duo_security/engine.rb ADDED Viewed

@@ -0,0 +1,14 @@
+require 'jquery-rails'
+module Devise::DuoSecurity
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include Devise::DuoSecurity::Controllers::Helpers
+    end
+    initializer "devise_duo_security.assets.precompile" do |app|
+      app.config.assets.precompile += %w(devise_duo_security/Duo-Web-v2.js)
+      app.config.assets.precompile += %w(devise_duo_security/Duo-Frame.css)
+    end
+  end
+end

data/lib/devise/duo_security/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module Devise
+  module DuoSecurity
+    VERSION = "0.0.7"
+  end
+end

data/lib/devise_duo_sec.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'devise'
+require 'devise/duo_security/controllers/helpers'
+require 'devise/duo_security/engine'
+require 'duo_web'
+module Devise
+  module DuoSecurity
+    class Configuration
+      attr_accessor :app_secret, :ikey, :skey, :host
+    end
+    class << self
+      attr_writer :configuration
+    end
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+    def self.configure
+      yield(configuration)
+    end
+  end
+end
+# TODO: Isn't there a better way?
+DuoSecurity = Devise::DuoSecurity
+Devise.add_module :duo_security, :model => 'devise_duo_sec', :controller => :duo_security, :route => :duo_security
+module ActionDispatch::Routing
+  class Mapper
+    protected
+      def devise_duo_security(mapping, controllers)
+        resource :duo_security, :only => [:show], :path => mapping.path_names[:duo_security], :controller => controllers[:duo_security] do
+          collection do
+            post :verify
+          end
+        end
+      end
+  end
+end

data/lib/duo_web.rb ADDED Viewed

@@ -0,0 +1,107 @@
+require 'openssl'
+require 'base64'
+##
+# A Ruby implementation of the Duo WebSDK
+#
+module Duo
+  DUO_PREFIX  = 'TX'.freeze
+  APP_PREFIX  = 'APP'.freeze
+  AUTH_PREFIX = 'AUTH'.freeze
+  DUO_EXPIRE = 300
+  APP_EXPIRE = 3600
+  IKEY_LEN = 20
+  SKEY_LEN = 40
+  AKEY_LEN = 40
+  ERR_USER = 'ERR|The username passed to sign_request() is invalid.'.freeze
+  ERR_IKEY = 'ERR|The Duo integration key passed to sign_request() is invalid.'.freeze
+  ERR_SKEY = 'ERR|The Duo secret key passed to sign_request() is invalid.'.freeze
+  ERR_AKEY = "ERR|The application secret key passed to sign_request() must be at least #{Duo::AKEY_LEN} characters.".freeze
+  # Sign a Duo 2FA request
+  # @param ikey [String] The Duo IKEY
+  # @param skey [String] The Duo SKEY
+  # @param akey [String] The Duo AKEY
+  # @param username [String] Username to authenticate as
+  def sign_request(ikey, skey, akey, username)
+    return Duo::ERR_USER if !username || username.empty?
+    return Duo::ERR_USER if username.include? '|'
+    return Duo::ERR_IKEY if !ikey || ikey.to_s.length != Duo::IKEY_LEN
+    return Duo::ERR_SKEY if !skey || skey.to_s.length != Duo::SKEY_LEN
+    return Duo::ERR_AKEY if !akey || akey.to_s.length < Duo::AKEY_LEN
+    vals = [username, ikey]
+    duo_sig = sign_vals(skey, vals, Duo::DUO_PREFIX, Duo::DUO_EXPIRE)
+    app_sig = sign_vals(akey, vals, Duo::APP_PREFIX, Duo::APP_EXPIRE)
+    return [duo_sig, app_sig].join(':')
+  end
+  # Verify a Duo 2FA request
+  # @param ikey [String] The Duo IKEY
+  # @param skey [String] The Duo SKEY
+  # @param akey [String] The Duo AKEY
+  # @param sig_response [String] Response from Duo service
+  def verify_response(ikey, skey, akey, sig_response)
+    begin
+      auth_sig, app_sig = sig_response.to_s.split(':')
+      auth_user = parse_vals(skey, auth_sig, Duo::AUTH_PREFIX, ikey)
+      app_user = parse_vals(akey, app_sig, Duo::APP_PREFIX, ikey)
+    rescue
+      return nil
+    end
+    return nil if auth_user != app_user
+    return auth_user
+  end
+  private
+  def hmac_sha1(key, data)
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), key, data.to_s)
+  end
+  def sign_vals(key, vals, prefix, expire)
+    exp = Time.now.to_i + expire
+    val_list = vals + [exp]
+    val = val_list.join('|')
+    b64 = Base64.encode64(val).delete("\n")
+    cookie = prefix + '|' + b64
+    sig = hmac_sha1(key, cookie)
+    return [cookie, sig].join('|')
+  end
+  def parse_vals(key, val, prefix, ikey)
+    ts = Time.now.to_i
+    parts = val.to_s.split('|')
+    return nil if parts.length != 3
+    u_prefix, u_b64, u_sig = parts
+    sig = hmac_sha1(key, [u_prefix, u_b64].join('|'))
+    return nil if hmac_sha1(key, sig) != hmac_sha1(key, u_sig)
+    return nil if u_prefix != prefix
+    cookie_parts = Base64.decode64(u_b64).to_s.split('|')
+    return nil if cookie_parts.length != 3
+    user, u_ikey, exp = cookie_parts
+    return nil if u_ikey != ikey
+    return nil if ts >= exp.to_i
+    return user
+  end
+  extend self
+end

data/lib/tasks/devise_duo_security_tasks.rake ADDED Viewed

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :devise_duo_security do
+#   # Task goes here
+# end

data/test/devise_duo_security_test.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require 'test_helper'
+class Devise::DuoSecurityTest < ActiveSupport::TestCase
+  test "should be able to set and get configuration" do
+    c = Devise::DuoSecurity.configuration
+    c.app_secret = "secret"
+    c.ikey = "ikey"
+    c.skey = "skey"
+    c.host = "host"
+    assert_equal "secret", c.app_secret
+    assert_equal "ikey", c.ikey
+    assert_equal "skey", c.skey
+    assert_equal "host", c.host
+  end
+end

data/test/dummy/Gemfile ADDED Viewed

@@ -0,0 +1,10 @@
+source "https://rubygems.org"
+gem "rails", "~> 4.x"
+gem 'jquery-rails', '~> 4.0.0'
+gem "sqlite3"
+gem "rake"
+gem 'dotenv-rails'
+gem "devise", "~> 3.x"
+gem "devise_duo_sec", :path => "../.."