identikey 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d5a041647bdeb7baf1d5eee22d75c1c19039f7f2a95ed2f72919ce1a62a3c27e
+  data.tar.gz: 36b979cf4c32041377b4ab0b881afcca1fd880f8153ac1060447069c47658169
+SHA512:
+  metadata.gz: 1bf5928570adb64247b63c0fd9b61cd02711db99c6591fdbedea4d013693dbf8d6cd13edfe06e1c9a77680f20ac95303e4870472e55026a28daff24e2a5f36d6
+  data.tar.gz: 7bcea676a24e5ddecbce9895796f5525f4b1ec2f96c27ef993718e7fcc8f1879acad082f88dca88fb154199283d01d87f253760fa1f970b0bca06a4c06d3bdec

data/.gitignore

@@ -0,0 +1,20 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/log/
+
+Gemfile.lock
+
+.byebug_history
+
+# vim swap files
+
+.*.sw?
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in identikey.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Marcello Barnaba <m.barnaba@ifad.org>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,180 @@
+# Identikey
+
+This library is a thin and incomplete wrapper of the VASCO Identikey SOAP API.
+
+Vasco Identikey has been recently re-branded as OneSpan Authentication Server.
+
+## Requirements
+
+The gem requires the Vasco SDK, that is private intellectual property and
+cannot be redistributed here. You have to obtain it from VASCO / OneSpan
+as part of your subscription.
+
+The gem interfaces against a running Identikey server, communicating on
+port 8888/TCP the SOAP protocol over HTTPS.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'identikey', github: 'ifad/identikey'
+```
+
+And then execute:
+
+    $ bundle
+
+## Configuration
+
+By default the client expects WSDL files in the current working directory,
+into `./sdk/wsdl` and it connects to an Identikey API endpoint on localhost
+port 8888 using TLSv1.2. Great for development, but definitely not good for
+production.
+
+To configure the client, you should at least define where your WSDL files are
+and where the SOAP endpoint is. Given the WSDL file is different for the two
+API sets (Authentication and Administration), you need to configure the two
+classes separately.
+
+Use the `.configure` method, that will run the block you give to it in the
+context of the [Savon::Globals](http://savonrb.com/version2/globals.html)
+object as such all available configuration parameters are available as
+instance methods.
+
+Example:
+
+```ruby
+Identikey::Authentication.configure do
+  wsdl     './path/to/your/authentication.wsdl'
+  endpoint 'https://your-identikey.example.com:8888'
+
+  # ... more configuration options as needed ...
+end
+
+Identikey::Administration.configure do
+  wsdl     './path/to/your/administrtaion.wsdl'
+  endpoint 'https://your-identikey.example.com:8888'
+
+  # ... more configuration options as needed ...
+end
+```
+
+By default, all SOAP requests and responses are logged to `log/identikey.log`.
+
+If you want to reduce the logging level please use:
+
+```
+Identikey::Authentication.configure do
+  log_level :info # or one of [:debug, :warn, :error, :fatal]
+end
+```
+
+Or to disable it altogether (not recommended):
+
+```
+Identikey::Authentication.configure do
+  log false
+end
+```
+
+The `configure` block accepts all Savon options, for which documentation
+is available here: http://savonrb.com/version2/globals.html feel free to
+amend it to suit your needs.
+
+The only option whose semantics differ from the default is `filters`, as
+it adds handling the faulty parameter passing design in Identikey, where
+the same elements are used to transmit different business informatios.
+
+By default, sensitive values attribute are filtered out from the logs.
+Other attributes to filter out can be specified by prefixing them with
+`identikey:`. Example, filter out `CREDFLD_PASSWORD` and `CREDFLD_USERID`:
+
+Example, filter out `CREDFLD_PASSWORD` and `CREDFLD_USERID`:
+
+```
+Identikey::Authentication.configure do
+  filters [ 'identikey:CREDFLD_PASSWORD', 'identikey:CREDFLD_USERID' ]
+end
+```
+
+Please note that the following attributes are filtered out by default:
+
+* CREDFLD_PASSWORD
+* CREDFLD_STATIC_PASSWORD
+* CREDFLD_SESSION_ID
+
+Please note that if you set your custom filters, these will override the
+defaults and you should also take care of filtering the above parameters
+in addition to the ones you want to filter out.
+
+## Usage
+
+This is still in alpha stage, as such there is not much documentation. Have a
+look at the specs for sample usage.
+
+* Verify an end user OTP
+
+```ruby
+Identikey::Authentication.valid_otp?('username', 'otp')
+```
+
+* Start an administration session
+
+```ruby
+s = Identikey::Administration::Session.new(username: 'admin', password: 'foobar')
+s.logon
+```
+
+* Find a digipass
+
+```ruby
+d = s.find_digipass('serial')
+```
+
+* Perform an OTP test
+
+```ruby
+d = d.test_otp('1234567890')
+```
+
+* Assign a digipass to an user
+
+```ruby
+d.assign! 'username'
+```
+
+* Unassign a digipass
+
+```ruby
+d.unassign!
+```
+
+* End an administrative session
+
+```ruby
+s.logoff
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then,
+run `rake` to run the tests. You can also run `bin/console` for an interactive
+prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+To release a new version, update the version number in `version.rb`, and then
+run `bundle exec rake release`, which will create a git tag for the version,
+push git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/ifad/identikey.
+
+## License
+
+The gem is available as open source under the terms of the [MIT
+License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.rspec_opts = '-f doc'
+end
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'identikey'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "pry"
+Pry.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/identikey.gemspec

@@ -0,0 +1,34 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "identikey/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "identikey"
+  spec.version       = Identikey::VERSION
+  spec.authors       = ["Marcello Barnaba"]
+  spec.email         = ["vjt@openssl.it"]
+
+  spec.summary       = %q{OneSpan Authentication Server (former VASCO Identikey) wrapper for Ruby}
+  spec.description   = %q{This gem contains a SOAP client to consume Identikey API}
+  spec.homepage      = "https://github.com/ifad/identikey"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "savon", "~> 2.0"
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'hirb'
+  spec.add_development_dependency 'byebug'
+  spec.add_development_dependency 'simplecov'
+end

data/lib/identikey/administration/digipass.rb

@@ -0,0 +1,103 @@
+module Identikey
+  class Administration < Base
+
+    class Digipass
+      def self.find(session:, serial_no:)
+        new(session).find(serial_no)
+      end
+
+      def initialize(session, digipass = nil)
+        @session = session
+
+        replace(digipass) if digipass
+      end
+
+      def replace(digipass)
+        @attributes = {
+          serial:             digipass['DIGIPASSFLD_SERNO'],
+          domain:             digipass['DIGIPASSFLD_DOMAIN'],
+          ou:                 digipass['DIGIPASSFLD_ORGANIZATIONAL_UNIT'],
+          type:               digipass['DIGIPASSFLD_DPTYPE'],
+          application:        digipass['DIGIPASSFLD_ACTIVE_APPL_NAMES'],
+          status:             digipass['DIGIPASSFLD_ASSIGN_STATUS'],
+          userid:             digipass['DIGIPASSFLD_ASSIGNED_USERID'],
+          assigned_at:        digipass['DIGIPASSFLD_ASSIGNED_DATE'],
+          grace_expires_at:   digipass['DIGIPASSFLD_GRACE_PERIOD_EXPIRES'],
+          created_at:         digipass['DIGIPASSFLD_CREATE_TIME'],
+          updated_at:         digipass['DIGIPASSFLD_MODIFY_TIME'],
+          activation_count:   digipass['DIGIPASSFLD_ACTIV_COUNT'],
+          last_activation_at: digipass['DIGIPASSFLD_LAST_ACTIV_TIME'],
+          bind_status:        digipass['DIGIPASSFLD_BIND_STATUS'],
+          max_activations:    digipass['DIGIPASSFLD_MAX_ACTIVATIONS'],
+          expired:            digipass['DIGIPASSFLD_EXPIRED'],
+          grace_expired:      digipass['DIGIPASSFLD_GRACE_PERIOD_EXPIRED']
+        }.freeze
+
+        self
+      end
+
+      def assigned?
+        self.status == 'Assigned'
+      end
+
+      def find(serial_no)
+        stat, digipass, error = @session.execute(
+          :digipass_execute_VIEW, serial_no: serial_no)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Find digipass failed: #{stat} - #{error}"
+        end
+
+        replace(digipass)
+      end
+
+      def reload
+        find(self.serial)
+      end
+
+      def unassign!
+        stat, digipass, error = @session.execute(
+          :digipass_execute_UNASSIGN, serial_no: self.serial)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Assign digipass failed: #{stat} - #{error}"
+        end
+
+        replace(digipass)
+      end
+
+      def assign!(username, domain)
+        stat, digipass, error = @session.execute(
+          :digipass_execute_ASSIGN, serial_no: self.serial, username: username, domain: domain)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Unassign digipass failed: #{stat} - #{error}"
+        end
+
+        replace(digipass)
+      end
+
+      def test_otp(otp)
+        stat, appl, error = @session.execute(
+          :digipassappl_execute_TEST_OTP, serial_no: self.serial, appl: self.application, otp: otp)
+
+        # Stat is useless here - it reports whether the call or not has
+        # succeeded, not whether the OTP is valid
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Test OTP failed: #{stat} - #{error}"
+        end
+
+        appl['DIGIPASSAPPLFLD_RESULT_CODE'] == '0'
+      end
+
+      def method_missing(name, *args, &block)
+        if @attributes.key?(name)
+          @attributes.fetch(name)
+        else
+          super(name, *args, &block)
+        end
+      end
+    end
+
+  end
+end

data/lib/identikey/administration/session.rb

@@ -0,0 +1,119 @@
+module Identikey
+  class Administration < Base
+
+    class Session
+      attr_reader :username, :password, :domain
+      attr_reader :session_id, :product, :version
+      attr_reader :privileges, :location
+
+      def initialize(username:, password:, domain: 'master')
+        @client = Identikey::Administration.new
+
+        @username = username
+        @password = password
+        @domain   = domain
+      end
+
+      def endpoint
+        @client.endpoint
+      end
+
+      def wsdl
+        @client.wsdl
+      end
+
+      def logon
+        stat, sess, error = @client.logon(username: @username, password: @password, domain: @domain)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "logon failed: #{stat} - #{error}"
+        end
+
+        @privileges = parse_privileges sess['CREDFLD_LOGICAL_ADMIN_PRIVILEGES']
+
+        @session_id = sess['CREDFLD_SESSION_ID'].freeze
+        @location   = sess['CREDFLD_USER_LOCATION'].freeze
+        @last_logon = sess['CREDFLD_LAST_LOGON_TIME'].freeze
+
+        @product    = sess['CREDFLD_PRODUCT_NAME'].freeze
+        @version    = sess['CREDFLD_PRODUCT_VERSION'].freeze
+
+        self
+      end
+
+      def logoff
+        require_logged_on!
+
+        stat, _, error = @client.logoff session_id: @session_id
+
+        unless stat == 'STAT_ADMIN_SESSION_STOPPED' || stat == 'STAT_SUCCESS'
+          raise Identikey::Error, "logoff failed: #{stat} - #{error}"
+        end
+
+        @privileges = nil
+        @session_id = nil
+        @product    = nil
+        @version    = nil
+        @last_logon = nil
+
+        stat == 'STAT_SUCCESS'
+      end
+
+      def alive?
+        return false unless logged_on?
+
+        stat, _ = @client.sessionalive session_id: @session_id
+
+        stat == 'STAT_SUCCESS'
+      end
+
+      def execute(command, *args)
+        kwargs = args.first || {}
+        kwargs.update(session_id: @session_id)
+        @client.public_send(command, kwargs)
+      end
+
+      def all
+        require_logged_on!
+
+        SessionQuery.all session: self
+      end
+
+      def find_digipass(serial_no)
+        require_logged_on!
+
+        Digipass.find session: self, serial_no: serial_no
+      end
+
+      def find_user(username, domain = nil)
+        require_logged_on!
+
+        User.find session: self, username: username, domain: domain || self.domain
+      end
+
+      def inspect
+        "#<#{self.class.name} sid=#@session_id username=#@username domain=#@domain product=#@product>"
+      end
+
+      alias sid session_id
+
+      def logged_on?
+        !@session_id.nil?
+      end
+
+      def require_logged_on!
+        unless logged_on?
+          raise Identikey::Error, "Session is not logged on at the moment"
+        end
+      end
+
+      def parse_privileges(privileges)
+        privileges.split(', ').inject({}) do |h, priv|
+          privilege, status = priv.split(' ')
+          h.update(privilege => status == 'true')
+        end.freeze
+      end
+    end
+
+  end
+end

data/lib/identikey/administration/session_query.rb

@@ -0,0 +1,35 @@
+module Identikey
+  class Administration < Base
+
+    class SessionQuery
+      def self.all(session:)
+        stat, sessions, error = session.execute(:admin_session_query)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "query failed: #{stat} - #{error}"
+        end
+
+        sessions.map do |sess|
+          new(
+            idx:        sess['ADMINSESSIONFLD_SESSION_IDX'],
+            username:   sess['ADMINSESSIONFLD_LOGIN_NAME'],
+            domain:     sess['ADMINSESSIONFLD_DOMAIN'],
+            location:   sess['ADMINSESSIONFLD_LOCATION'],
+            start_time: sess['ADMINSESSIONFLD_START_TIME']
+          )
+        end
+      end
+
+      attr_reader :idx, :username, :domain, :location, :start_time
+
+      def initialize(idx:, username:, domain:, location:, start_time:)
+        @idx        = idx
+        @username   = username
+        @domain     = domain
+        @location   = location
+        @start_time = start_time
+      end
+    end
+
+  end
+end

data/lib/identikey/administration/user.rb

@@ -0,0 +1,127 @@
+module Identikey
+  class Administration < Base
+
+    class User
+      def self.find(session:, username:, domain:)
+        new(session).find(username, domain)
+      end
+
+      attr_accessor :username
+      attr_accessor :email
+      attr_accessor :mobile
+      attr_accessor :phone
+      attr_accessor :created_at
+      attr_accessor :updated_at
+      attr_accessor :has_digipass
+      attr_accessor :domain
+      attr_accessor :ou
+      attr_accessor :digipass
+      attr_accessor :local_auth
+      attr_accessor :backend_auth
+      attr_accessor :disabled
+      attr_accessor :lock_count
+      attr_accessor :locked
+      attr_accessor :last_auth_success_at
+      attr_accessor :expires_at
+      attr_accessor :expired
+      attr_accessor :last_auth_attempt_at
+
+      def initialize(session, user = nil)
+        @session = session
+
+        replace(user) if user
+      end
+
+      def find(username, domain)
+        stat, user, error = @session.execute(
+          :user_execute_VIEW, username: username, domain: domain)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Find user failed: #{stat} - #{error}"
+        end
+
+        replace(user, persisted: true)
+      end
+
+      def persisted?
+        @persisted || false
+      end
+
+      def reload
+        find(self.username, self.domain)
+      end
+
+      def save!
+        method = persisted? ? :user_execute_UPDATE : :user_execute_CREATE
+
+        stat, user, error = @session.execute(method, attributes: {
+          USERFLD_BACKEND_AUTH:        self.backend_auth,
+          USERFLD_DISABLED:            self.disabled,
+          USERFLD_DOMAIN:              self.domain,
+          USERFLD_EMAIL:               self.email,
+          USERFLD_LOCAL_AUTH:          self.local_auth,
+          USERFLD_LOCKED:              self.locked,
+          USERFLD_MOBILE:              self.mobile,
+          USERFLD_ORGANIZATIONAL_UNIT: self.ou,
+          USERFLD_PHONE:               self.phone,
+          USERFLD_USERID:              self.username
+        })
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Save user failed: #{stat} - #{error}"
+        end
+
+        replace(user, persisted: true)
+      end
+
+      def destroy!
+        unless self.persisted?
+          raise Identikey::Error, "User #{self.username} is not persisted"
+        end
+
+        unless self.username && self.domain
+          raise Identikey::Error, "User #{self} is missing username and/or domain"
+        end
+
+        stat, _, error = @session.execute(
+          :user_execute_DELETE, username: username, domain: domain)
+
+        if stat != 'STAT_SUCCESS'
+          raise Identikey::Error, "Delete user failed: #{stat} - #{error}"
+        end
+
+        @persisted = false
+
+        self
+      end
+
+      protected
+        def replace(user, persisted: false)
+          self.username             = user['USERFLD_USERID']
+          self.email                = user['USERFLD_EMAIL']
+          self.mobile               = user['USERFLD_MOBILE']
+          self.phone                = user['USERFLD_PHONE']
+          self.created_at           = user['USERFLD_CREATE_TIME']
+          self.updated_at           = user['USERFLD_MODIFY_TIME']
+          self.has_digipass         = user['USERFLD_HAS_DP'] == 'Assigned'
+          self.domain               = user['USERFLD_DOMAIN']
+          self.ou                   = user['USERFLD_ORGANIZATIONAL_UNIT']
+          self.digipass             = user['USERFLD_ASSIGNED_DIGIPASS']&.split(',') || [ ]
+          self.local_auth           = user['USERFLD_LOCAL_AUTH']
+          self.backend_auth         = user['USERFLD_BACKEND_AUTH']
+          self.disabled             = user['USERFLD_DISABLED']
+          self.lock_count           = user['USERFLD_LOCK_COUNT']
+          self.locked               = user['USERFLD_LOCKED']
+          self.last_auth_success_at = user['USERFLD_LASTAUTH_TIME']
+          self.expires_at           = user['USERFLD_EXPIRATION_TIME']
+          self.expired              = user['USERFLD_EXPIRED']
+          self.last_auth_attempt_at = user['USERFLD_LASTAUTHREQ_TIME']
+
+          @persisted = persisted
+
+          self
+        end
+    end
+
+  end
+end