fortifier 0.1.4

data/app/models/fortifier/auth_user.rb

@@ -0,0 +1,256 @@
+require 'attr-csv' # Don't delete! Questions? See Dave.
+
+module Fortifier
+  class AuthUser < ActiveRecord::Base
+    ABAQIS  = 1
+    EMP_SAT = 2
+
+    has_many :secrets
+    has_many :auth_logs
+    has_many :auth_users_auth_rules
+
+    attr_csv :app_uuids, :account_uuids, :search_keywords
+
+    before_create :create_unique_uuid
+    before_create :set_consecutive_failed_login_count
+
+    validate  :login_is_present
+    validate  :login_is_correct_length
+    validate  :login_is_unique
+    validate  :email_is_correct_length
+    validate  :email_is_unique
+    validate  :email_is_correct_format
+    validate  :name_is_correct_format
+    validate  :name_is_correct_length
+    validate  :note_is_correct_length
+
+    # NOTE: These custom validations are used so that symbols/codes
+    # can be returned to applications, rather than explicit text.
+    # Fortifier provides the symbols and the apps are responsible 
+    # for handling error messaging.
+    def login_is_present
+      return if login.present?
+      errors[:base] << :login_blank
+    end
+
+    def login_is_correct_length
+      return if login.blank?
+      return if (login.length >= 3 && login.length <= 60) unless login.blank?
+      errors[:base] << :login_length_incorrect
+    end
+
+    def login_is_unique
+      return if login.blank?
+      return if unique?(:login, login)
+
+      errors[:base] << :login_not_unique
+    end
+
+    def email_is_correct_length
+      return if (email.blank?)
+      return if (email.length >= 6 && email.length <= 100)
+      errors[:base] << :email_length_incorrect
+    end
+
+    def email_is_unique
+      return if (email.blank?)
+      return if unique?(:email, email)
+      errors[:base] << :email_not_unique
+    end
+
+    def email_is_correct_format
+      return if (email.blank?)
+      return if (Fortifier::Authentication::EMAIL_REGEX.match email).present?
+      errors[:base] << :email_format_incorrect
+    end
+
+    def name_is_correct_format
+      return if (name.blank?)
+      return if (Fortifier::Authentication::NAME_REGEX.match name).present?
+      errors[:base] << :name_format_incorrect
+    end
+
+    def name_is_correct_length
+      return if (name.blank? || name.length <= 100)
+      errors[:base] << :name_length_incorrect
+    end
+
+    def note_is_correct_length
+      return if (note.blank? || note.length <= 255)
+      errors[:base] << :note_length_incorrect
+    end
+
+    def current_secret
+      self.secrets.order("created_at, id asc").last
+    end
+
+    def current_secret_non_token
+      self.secrets.where(enc_type: (Secret::BCRYPT || Secret::SHA)).order("created_at, id asc").last
+    end
+
+    def secrets_match?(secret_string)
+      current_secret_model = current_secret_non_token
+    	return false if current_secret_model.blank?
+
+    	auth_result = current_secret_model.matches?(secret_string)
+    	current_secret_model.update_encryption_method(secret_string) if (auth_result && current_secret_model.enc_type == "SHA")
+
+    	return auth_result
+    end
+
+    def authenticated?(secret_string)
+      # TODO: (DK) do not increase consecutive_failed_logins if user is attempting a pw change
+      # move consecutive_failed_logins updates to a different method so this method
+      # doesn't do multiple things (code smell)
+      # TODO: (DK) remove if self
+      if self
+        if self.secrets_match?(secret_string)
+          self.update_column(:consecutive_failed_logins, 0)
+          true
+        else
+          self.update_column(:consecutive_failed_logins, self.consecutive_failed_logins + 1)
+          false
+        end
+      end
+    end
+
+    def self.authenticate_batch_sso(account_uuid, token)
+      return nil if token.blank?
+      AuthUser.
+        joins(:secrets).
+        where("find_in_set(? , account_uuids_csv) 
+          AND (expired IS NULL OR expired = false)
+          AND enc_type = '#{Secret::SSO_TOKEN}' 
+          AND secret_value = ?", account_uuid, token).
+        first
+    end
+
+    def self.authenticate_on_demand_sso(account_uuid, token)
+      return nil if token.blank?
+      AuthUser.
+        joins(:secrets).
+        where("find_in_set(? , account_uuids_csv) 
+          AND (expired IS NULL OR expired = false)
+          AND enc_type = '#{Secret::SSO_TOKEN}' 
+          AND secret_value = ?", account_uuid, token).
+        first
+    end
+
+    def blocked?
+      self.consecutive_failed_logins > 5
+    end
+
+    def disable!
+      self.update_column(:app_uuids_csv, nil)
+      self.update_column(:account_uuids_csv, nil)
+    end
+
+    def disabled?
+      self.app_uuids.blank? && self.account_uuids.blank?
+    end
+
+    def successful_log_in?
+      # TODO: clarify this so there's no confusion (user can be logged out with a count of 0,
+      # so technically they wouldn't be succesfully logged in, even though this method would
+      # say otherwise).
+      self.consecutive_failed_logins == 0
+    end
+
+    def matching_whitelist_ip?(ip)
+      return false if ip.blank?
+      au_auth_rule_ids = AuthUsersAuthRule.where(auth_user_id: self.id).pluck(:auth_rule_id)
+      auth_rule_ips = au_auth_rule_ids.map {|auid| AuthRule.find(auid).rule_value}
+      auth_rule_ips.flatten.include?(ip)
+    end
+
+    def public_attribute_hash
+      auth_log = self.auth_logs.last
+      { 
+        uuid: self.uuid, 
+        email: self.email, 
+        login: self.login, 
+        name: self.name, 
+        note: self.note, 
+        disabled: self.disabled?,
+        last_auth_log: ({user_agent: auth_log.user_agent, status: auth_log.status, created_at: auth_log.created_at.to_time} if auth_log)
+      }
+    end
+
+    def self.paged_and_sorted_search(params)
+      search          = params[:search]
+      sort_col        = params[:sortcol] || 'name'
+      sort_dir        = params[:sortdir] || 'asc'
+      per_page        = (params[:per_page].blank? || params[:per_page]<25) ? 25 : params[:per_page]
+      page            = params[:page] || 1
+      app_uuid        = params[:app_uuid]
+      account_uuid    = params[:account_uuid]
+      search_keywords = params[:search_keywords]
+
+      if search.blank?
+        user_search_query = ''
+      else
+        user_search_query = [:login, :email, :name, :note].map{|f| "#{f} LIKE '%#{search}%'"}.join(" OR ")
+      end
+
+      # aggregate_query is conditional b/c account_uuid isn't always provided (such as the Users page for providigm users in abaqis)
+      app_uuids_query = "app_uuids_csv = '#{app_uuid}'"
+      account_uuids_query = account_uuid ? " AND account_uuids_csv = '#{account_uuid}'" : ""
+      search_keywords_query = search_keywords ? " AND search_keywords_csv = '#{search_keywords}'" : ''
+      aggregate_query = app_uuids_query + account_uuids_query + search_keywords_query
+
+      # b/c there's no 'enabled' field on auth user and abaqis allows this sorting (providigm/users in abaqis)
+      if sort_col=='enabled'
+        Fortifier::AuthUser.where(aggregate_query)
+                            .where(user_search_query)
+                            .order("app_uuids_csv #{sort_dir}, account_uuids_csv #{sort_dir}")
+                            .paginate(:page=>page, :per_page=>per_page)
+      elsif sort_col=='last_login_at'
+        # In other words, pull all users associated with the app in question (if available),
+        # joined with their most recent AuthLog,
+        # sort by the AuthLog created_at date (according to user preference),
+        # then paginate with WillPaginate. Capisce?
+        Fortifier::AuthUser.find_by_sql("SELECT * FROM fortifier_auth_users fau 
+                                          LEFT OUTER JOIN ( select auth_user_id, max(created_at) 
+                                              AS last_login_at 
+                                              FROM fortifier_auth_logs fal 
+                                              GROUP BY auth_user_id) 
+                                            AS last_seen  
+                                          ON fau.id = last_seen.auth_user_id
+                                          #{'WHERE ' + aggregate_query}
+                                          #{'AND ' + user_search_query if user_search_query.present?}
+                                          ORDER BY last_login_at #{sort_dir}")
+                            .paginate(:page=>page, :per_page=>per_page)
+      else
+        Fortifier::AuthUser.where(aggregate_query)
+                             .where(user_search_query)
+                             .order("#{sort_col} #{sort_dir}")
+                             .paginate(:page=>page, :per_page=>per_page)
+      end
+    end
+
+    private
+    
+    def create_unique_uuid
+      self.uuid = loop do
+        uuid = SecureRandom.uuid
+        break uuid unless Fortifier::AuthUser.where(:uuid=>uuid).exists?
+      end
+    end
+
+    def set_consecutive_failed_login_count
+      self.consecutive_failed_logins = 0
+    end
+
+    def unique?(type, value)
+      case type
+      when :login then active_relation = AuthUser.where("login = ?", value)
+      when :email then active_relation = AuthUser.where("email = ?", value)
+      end
+
+      matching_auth_users = active_relation.to_a # converted to an array so the AuthUser isn't deleted from the db
+      matching_auth_users.delete(self) # don't check for uniqueness against self
+      matching_auth_users.blank?
+    end
+
+  end
+end

data/app/models/fortifier/auth_user_api.rb

@@ -0,0 +1,356 @@
+# TODO: (DK) DCI!
+module Fortifier
+
+  class AuthUserApi 
+
+    def authenticate(login, pw, user_agent="IE", request_ip="127.0.0.1", account={})
+      results = AuthenticationSteps.stepper(auth_type: "standard_auth",
+                                              login: login,
+                                              secret: pw, 
+                                              user_agent: user_agent, 
+                                              remote_addr: request_ip,
+                                              account: account)
+      auth_user = results[:auth_user]
+      uuid = auth_user ? auth_user.uuid : nil
+      failed_logins = auth_user ? auth_user.consecutive_failed_logins : nil
+      error_msg = results[:auth_msg]
+
+      if failed_logins==0 && !error_msg #successful authentication
+        { uuid: uuid,
+          status: true }
+      else
+        { uuid: uuid,
+          status: false,
+          errors: [error_msg],
+          consecutive_failed_logins: failed_logins }
+      end
+    end
+
+    def authenticate_uuid(uuid, pw, user_agent="IE", request_ip="127.0.0.1", account={})
+      login = AuthUser.where(uuid: uuid).pluck(:login).first
+      authenticate(login, pw, user_agent, request_ip, account)
+    end
+
+    def authenticate_batch_sso(account_uuid, token, user_agent="IE", request_ip="127.0.0.1")
+      results = Fortifier::AuthenticationSteps.stepper(auth_type: "batch_sso_auth",
+                                                        account_uuid: account_uuid, 
+                                                        token: token, 
+                                                        user_agent: user_agent, 
+                                                        remote_addr: request_ip)
+      auth_user = results[:auth_user]
+
+      if auth_user
+        { uuid: results[:auth_user].uuid,
+          status: true }
+      else
+        { status: false,
+          errors: [results[:auth_msg]] }
+      end
+    end
+
+    def authenticate_on_demand_sso(login_token, user_agent="IE", request_ip="127.0.0.1")
+      results = Fortifier::AuthenticationSteps.stepper(auth_type: "on_demand_sso_auth",
+                                                        token: login_token, 
+                                                        user_agent: user_agent, 
+                                                        remote_addr: request_ip)
+      auth_user = results[:auth_user]
+
+      if auth_user
+        { uuid: results[:auth_user].uuid,
+          status: true }
+      else
+        { status: false,
+          errors: [results[:auth_msg]] }
+      end
+    end
+
+    def validate(params)
+      uuid,login,email,note = params[:uuid],params[:login],params[:email],params[:note]
+      enc_type = params[:sso_user].present? ? Secret::SSO_TOKEN : nil
+      validation_type = params[:validation_type]
+
+      auth_user = (validation_type=='create') ? AuthUser.new() : AuthUser.where("uuid = ?", uuid).first
+
+      if params[:sso_user]
+        secret, secret_confirmation, enc_type = Secret.make_sso_token, secret, Secret::SSO_TOKEN
+      else
+        secret, secret_confirmation, enc_type = params[:password], params[:password_confirmation], nil
+      end
+
+      auth_user.assign_attributes(login:login, email:email, note:note)
+      new_secret = Secret.new(auth_user: auth_user,
+                                secret: secret, 
+                                secret_confirmation: secret_confirmation,
+                                enc_type: enc_type)
+      auth_user.valid?
+      new_secret.valid?
+      
+      if validation_type=='update' && (secret.blank? && secret_confirmation.blank?)
+        secret_errors = []
+      else
+        secret_errors = new_secret.errors.full_messages
+      end
+
+      errors = auth_user.errors.full_messages
+      secret_errors = secret_errors
+
+      validation_status = (errors.blank? && secret_errors.blank?) ? true : false
+
+      { status: validation_status, errors: errors, secret_errors: secret_errors }
+    end
+
+    def batch_update(user_info)
+      updater = BatchUpdater.new(user_info)
+      updater.perform_updates
+      updater.user_status
+    end
+
+    def create(params)
+      auth_user                 = AuthUser.new()
+      auth_user.login           = params[:login]
+      auth_user.email           = params[:email]
+      auth_user.name            = params[:name]
+      auth_user.note            = params[:note]
+      auth_user.app_uuids       = params[:app_uuids]
+      auth_user.account_uuids   = params[:account_uuids]
+      auth_user.search_keywords = params[:search_keywords]
+
+      sso_user        = params[:sso_user]
+      skip_validation = params[:skip_validation]
+
+      secret              = sso_user ? Secret.make_sso_token  : params[:password]
+      secret_confirmation = sso_user ? secret                 : params[:password_confirmation]
+      enc_type            = sso_user ? Secret::SSO_TOKEN      : nil
+
+      new_secret = Secret.new(secret_value:        (params[:crypted_password] if skip_validation),
+                               salt:                (params[:salt] if skip_validation),
+                               secret:              (secret if !skip_validation),
+                               secret_confirmation: (secret_confirmation if !skip_validation),
+                               enc_type:            (skip_validation ? Secret::SHA : enc_type),
+                               skip_validation:     (true if skip_validation))
+
+      valid_auth_user = auth_user.valid?
+      valid_secret = new_secret.valid?
+
+      if valid_auth_user && valid_secret
+        auth_user.save
+        auth_user.secrets << new_secret
+        { uuid: auth_user.uuid, 
+          token: (auth_user.current_secret.secret_value if sso_user),
+          status: true }
+      else
+        { status: false, 
+          errors: auth_user.errors.full_messages,
+          secret_errors: new_secret.errors.full_messages }
+      end
+    end
+
+    def update(params)
+      # TODO: (DK) change user pw by way of email reset rather than admin reset?
+      # could clean some of this code up
+      auth_user = Fortifier::AuthUser.where("uuid = ?", params[:uuid]).first
+      return {status: false, errors: [:auth_user_not_found]} if auth_user.blank?
+
+      auth_user.login = params[:login] if params[:login]
+      auth_user.email = params[:email] if params[:email]
+      auth_user.name  = params[:name]  if params[:name]
+      auth_user.note  = params[:note]  if params[:note]
+      sso_user        = params[:sso_user]
+
+      if params[:password] || sso_user
+        secret              = sso_user ? Secret.make_sso_token : params[:password]
+        secret_confirmation = sso_user ? secret : params[:password_confirmation]
+        enc_type            = sso_user ? Secret::SSO_TOKEN : nil
+      end
+
+      if secret && secret_confirmation
+        new_secret = Secret.new(secret: secret,
+                                 secret_confirmation: secret_confirmation)
+      end
+
+      valid_auth_user = auth_user.valid?
+      valid_secret = new_secret ? new_secret.valid? : true
+      
+      if valid_auth_user && valid_secret
+        auth_user.save
+        auth_user.secrets << new_secret if new_secret
+        { uuid: auth_user.uuid, 
+          token: (auth_user.current_secret.secret_value if sso_user),
+          status: true }
+      else
+        { status: false, 
+          errors: auth_user.errors.full_messages,
+          secret_errors: (new_secret.errors.full_messages if new_secret) }
+      end
+    end
+
+    def change_password(params)
+      return {status: false, errors: [:uuid_not_provided]} if params[:uuid].blank?
+
+      pw  = params[:password]
+      pwc = params[:password_confirmation]
+      auth_user = Fortifier::AuthUser.where("uuid = ?", params[:uuid]).first
+      correct_current_pw = auth_user.authenticated?(params[:current]).present? unless auth_user.blank?
+      
+      return {status: false, errors: [:bad_current_password]} if !correct_current_pw
+      return {status: false, errors: [:auth_user_not_found]} if !auth_user
+
+      new_secret = Secret.new(auth_user: auth_user, secret: pw, secret_confirmation: pwc)
+
+      if new_secret.valid?
+        new_secret.save
+        { status: true }
+      else
+        { status: false, 
+          errors: new_secret.errors.full_messages }
+      end
+    end
+
+    def reset_password(params)
+      return {status: false, errors: [:uuid_not_provided]} if params[:uuid].blank?
+
+      pw  = params[:password]
+      pwc = params[:password_confirmation]
+      auth_user = Fortifier::AuthUser.where("uuid = ?", params[:uuid]).first
+
+      return {status: false, errors: [:auth_user_not_found]} if !auth_user
+
+      new_secret = Secret.new(auth_user: auth_user, secret: pw, secret_confirmation: pwc)
+
+      if new_secret.valid?
+        new_secret.save
+        { status: true }
+      else
+        { status: false, 
+          errors: new_secret.errors.full_messages }
+      end
+    end
+
+    def create_password_reset_token(email)
+      return {status: false, errors: [:email_not_provided]} if email.blank?
+
+      auth_user = Fortifier::AuthUser.where("email = ?", email).first
+      return {status: false, errors: [:auth_user_not_found]} if !auth_user
+
+      pw = Secret.make_token
+
+      new_secret = Secret.new(auth_user: auth_user, secret: pw, secret_confirmation: pw, reset_token: true)
+
+      if new_secret.valid?
+        new_secret.save
+        { status: true, token: pw }
+      else
+        { status: false, 
+          errors: new_secret.errors.full_messages }
+      end
+    end
+
+    def link(params)
+      return {status: false, errors: [:uuid_not_provided]} if params[:uuid].blank?
+
+      app_uuids       = params[:app_uuids] || []
+      account_uuids   = params[:account_uuids] || []
+      search_keywords = params[:search_keywords] || []
+      return {status: false, errors: [:app_and_account_uuids_not_provided]} if (app_uuids.blank? && account_uuids.blank?)
+
+      auth_user = AuthUser.where(uuid: params[:uuid]).first
+      return {status: false, errors: [:auth_user_not_found]} if auth_user.blank?
+
+      auth_user.app_uuids.concat(app_uuids)
+      auth_user.account_uuids.concat(account_uuids)
+      auth_user.search_keywords.concat(search_keywords)
+      result = auth_user.save
+
+      result ? {status: true} : {status: false, errors: (result.errors.full_messages if result)}
+    end
+
+    def unlink(params)
+      return {status: false, errors: [:uuid_not_provided]} if params[:uuid].blank?
+
+      app_uuids       = params[:app_uuids] || []
+      account_uuids   = params[:account_uuids] || []
+      search_keywords = params[:search_keywords] || []
+      return {status: false, errors: [:app_and_account_uuids_not_provided]} if (app_uuids.blank? && account_uuids.blank?)
+
+      auth_user = AuthUser.where(uuid: params[:uuid]).first
+      return {status: false, errors: [:auth_user_not_found]} if auth_user.blank?
+
+      auth_user.app_uuids - app_uuids
+      auth_user.account_uuids - account_uuids
+      auth_user.search_keywords - search_keywords
+      result = auth_user.save
+
+      result ? {status: true} : {status: false, errors: (result.errors.full_messages if result)}
+    end
+      
+    def find_auth_user(field, param)
+      field = field.to_s || ''
+
+      case field 
+      when 'uuid'           then auth_user = AuthUser.where("uuid = ?", param).first
+      when 'login', 'email' then auth_user = AuthUser.where("login = ? OR email = ?", param, param).first
+      when 'token'          then auth_user = AuthUser.joins(:secrets).where("secret_value = ? AND (expired IS NULL OR expired = false)", param).first
+      end
+
+      auth_user.blank? ? {} : auth_user.public_attribute_hash
+    end
+
+    def find_auth_user_emails(array_of_uuids)
+      return {errors: [:no_uuids_provided]} if array_of_uuids.blank?
+      au_uuids_and_emails = {}
+
+      AuthUser.where(uuid: array_of_uuids).inject(au_uuids_and_emails) do |hash, auth_user|
+        hash[auth_user.uuid] = auth_user.email
+        hash
+      end
+
+      {uuids_with_emails: au_uuids_and_emails}
+    end
+
+    def search_for_auth_users(params)
+      act_rel = Fortifier::AuthUser.paged_and_sorted_search(params)
+      hash = {
+        # the following are will_paginate methods
+        total_pages: act_rel.total_pages,
+        current_page: act_rel.current_page,
+        per_page: act_rel.per_page,
+        total_entries: act_rel.total_entries
+      }
+      hash[:auth_users] = act_rel.map do |au|
+        au.public_attribute_hash
+      end
+
+      hash
+    end
+
+    def auth_users_by_uuids(uuids)
+      return [] unless uuids.present?
+
+      formatted_uuids = uuids.map { |uuid| "'#{uuid}'" }.join(',')
+
+      sql = <<-SQL
+        SELECT 
+          fortifier_auth_users.*,
+          latest_secrets.last_password_change 
+        FROM 
+          `fortifier_auth_users` LEFT OUTER JOIN (
+            SELECT 
+              auth_user_id, 
+              MAX(created_at) AS last_password_change 
+            FROM 
+              fortifier_secrets 
+            GROUP BY 
+              auth_user_id) latest_secrets 
+          ON 
+            fortifier_auth_users.id = latest_secrets.auth_user_id 
+        WHERE 
+          `fortifier_auth_users`.`uuid` IN (#{formatted_uuids})
+SQL
+      result = ActiveRecord::Base.connection.execute sql
+      auth_users = [].tap do | arr |
+        result.each(as: :hash) { | row | arr << row }
+      end
+      { auth_users: auth_users }
+    end
+  end
+end

data/app/models/fortifier/auth_users_auth_rule.rb

@@ -0,0 +1,8 @@
+module Fortifier
+  class AuthUsersAuthRule < ActiveRecord::Base
+    # attr_accessible :auth_user_id, :auth_rule_id
+
+    belongs_to :auth_users
+    belongs_to :auth_rules
+  end
+end

data/app/models/fortifier/authentication.rb

@@ -0,0 +1,17 @@
+module Fortifier
+  module Authentication
+    LOGIN_REGEX                      = /\A\w[\w\.\-_@']+\z/                     # ASCII, strict
+
+    NAME_REGEX                       = /\A[^[:cntrl:]\\<>\/&]*\z/              # Unicode, permissive
+
+    EMAIL_NAME_REGEX                 = '[\w\.%\+\-\']+'.freeze
+    DOMAIN_HEAD_REGEX                = '(?:[A-Z0-9\-]+\.)+'.freeze
+    DOMAIN_TLD_REGEX                 = '(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|jobs|museum)'.freeze
+    EMAIL_REGEX                      = /\A#{EMAIL_NAME_REGEX}@#{DOMAIN_HEAD_REGEX}#{DOMAIN_TLD_REGEX}\z/i
+
+    # Custom regex' (IdS)
+    SECRET_REGEX                     = /\A(?=.*\d)(?=.*([a-z]|[A-Z]))([\x20-\x7E]){10,40}\z/
+
+    IP_ADDRESS_REGEX                 = /\A\d{1,3}(\.\d{1,3}){3}\z/
+  end
+end

data/app/models/fortifier/authentication_steps.rb

@@ -0,0 +1,46 @@
+module Fortifier
+	class AuthenticationSteps
+		STEPS               = [
+						                "InitializeAuthAttempt",
+						                "CheckForBlockedUser",
+						                "CheckForBlockedIp",
+						                "CheckForWhitelistedIp",
+                            "CheckForUsExternalIp",
+						              ]
+    BATCH_SSO_STEPS     = [
+                            "InitializeBatchSsoAuthAttempt",
+                            "CheckForWhitelistedIp",
+                          ]
+		ON_DEMAND_SSO_STEPS = [
+                            "InitializeOnDemandSsoAuthAttempt",
+                            "CheckForWhitelistedIp",
+								          ]
+
+		def self.stepper(params={})
+      # TODO: (DK) dry up below code
+      
+      case params[:auth_type]
+      when "standard_auth"
+        STEPS.each do |step|
+        	step_class = ("Fortifier::AuthSteps::" + step).constantize
+        	next if step_class.respond_to?(:skip_step?) && step_class.skip_step?(params)
+        	params = step_class.invoke(params)
+        end
+      when "batch_sso_auth"
+        BATCH_SSO_STEPS.each do |step|
+          step_class = ("Fortifier::AuthSteps::" + step).constantize
+          next if step_class.respond_to?(:skip_step?) && step_class.skip_step?(params)
+          params = step_class.invoke(params)
+        end
+      when "on_demand_sso_auth"
+        ON_DEMAND_SSO_STEPS.each do |step|
+          step_class = ("Fortifier::AuthSteps::" + step).constantize
+          next if step_class.respond_to?(:skip_step?) && step_class.skip_step?(params)
+          params = step_class.invoke(params)
+        end
+      end
+			
+			params
+		end
+	end
+end