integration_pal 0.1.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 80040423f29a4fcef6b0484d692b920d8adf1733
-  data.tar.gz: a46fcfbf475673dd23a9a731606ed89ad75477a9
+  metadata.gz: 74caae0c072309e715b66419e74685509269ea75
+  data.tar.gz: 4091c879c8b127dc76941f33826b69747f06511e
 SHA512:
-  metadata.gz: c10ff705ba4bbb3c0d92dce046a03a7255e101502abd98bf78f7c0c6444edb86156be076231d2836b23bafe2a6d3f79f2a84d7648c72e1f7a32aaf93c07c7cc8
-  data.tar.gz: e3f33b7bfef7e922e909ec13174ec026c791c789a9ff454df2e457116f5fbe7aa279063b400aa30b01c9a043fb11801409adf92516c63f624f916d467b9cc905
+  metadata.gz: ebd076d4c5f3e5d5a72babca42402fedf3f558d3696f9af342edae583dace2642c4aef323a1a352d6b25f4d9fdd156ca92bdabfffc7181a15541c7f401d1868f
+  data.tar.gz: '0987932589a5431135b3625f491f01df1ce6d08ec3ed481c2584579319092e58fd4b1f775694fb7862670a885c796263b3973c1416d753d1ac1decc2c9e562f9'

data/README.md

@@ -4,44 +4,104 @@ This engine is meant to contain the elements of big_sis that can be shared acros
 - job starting
 - job monitoring
 - error capturing
-- cas authentication
+- Okta SAML2 authentication
 
 ## Usage
   1) Create an active job
     `bin/rails generate job example_job`
 
 ## Installation
-Add this line to your application's Gemfile:
-
-```ruby
-gem 'integration_pal'
-```
+1. Add `integration_pal` to your application's Gemfile:
+    ```ruby
+    gem 'integration_pal'
+    ```
+
+    And install the bundle:
+    ```bash
+    $ bundle install
+    ```
+    ---
+    Or install the Gem manually:
+    ```bash
+    $ gem install integration_pal
+    ```
+2. Define Environment variables
+    ```bash
+    ENCRYPTION_KEY=... # must be 32 chars
+    SALT_KEY=... # must be 32 chars
+
+    OKTA_APP=okta_app_key
+    OKTA_ID=xxxxxxxxxxx # Usually Base64
+    SAML_DOMAIN=https://example-app-test.herokuapp.com/
+    SAML_AUDIENCE=https://example-app.herokuapp.com/login # If using a single Okta app for all environments, this should be set to the prod instance + /login
+    ```
+
+3. Generate template files for your project:
+    ```
+    $ bundle exec rails g integration_pal:install
+    ```
+
+4. Set active job
+  config.active_job.queue_adapter = :sidekiq # If you are using sidekiq
 
-And then execute:
-```bash
-$ bundle
+4. Configure app.
+    Include `sp_metadata.xml[.erb]` in `config/saml`:
+    ```xml
+    <?xml version="1.0"?>
+    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<%= ENV['SAML_AUDIENCE'] || URI.join(ENV['SAML_DOMAIN'], saml2_meta_path) %>">
+      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+        <md:AssertionConsumerService Location="<%= URI.join(ENV['SAML_DOMAIN'], saml2_login_path) %>" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" index="0"/>
+      </md:SPSSODescriptor>
+    </md:EntityDescriptor>
+    ```
+
+    Also include `idp_metadata.xml[.erb]` in `config/saml`:
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/<%= ENV['OKTA_ID'] %>">
+        <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+            <md:KeyDescriptor use="signing">
+                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                    <ds:X509Data>
+                        <ds:X509Certificate>
+    {{ INSERT OKTA CERTIFICATE HERE }}
+                        </ds:X509Certificate>
+                    </ds:X509Data>
+                </ds:KeyInfo>
+            </md:KeyDescriptor>
+            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
+            <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://instructure.okta.com/app/<%= ENV['OKTA_APP'] %>/<%= ENV['OKTA_ID'] %>/sso/saml"/>
+            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://instructure.okta.com/app/<%= ENV['OKTA_APP'] %>/<%= ENV['OKTA_ID'] %>/sso/saml"/>
+        </md:IDPSSODescriptor>
+    </md:EntityDescriptor>
+    ```
+
+    Metadata file names can be overriden from within an initializer:
+    ```ruby
+    IntegrationPal.saml_idp_metadata = 'idp_metadata.xml'
+    IntegrationPal.saml_sp_metadata = 'sp_metadata.xml'
+    ```
+
+    To validate or begin Okta authentication within a controller, use:
+    ```ruby
+    session[:saml_username] ||= ENV['USER'] if Rails.env.in?(%w(development test))
+    redirect_to saml2_login_url unless session[:saml_username]
+    ```
+
+### Deploying to Heroku
+The SAML2 Authentication library that this tool uses requires `libxmlsec1-dev`. In order to ensure that it is installed on the Heroku dyno, add https://github.com/ABASystems/heroku-buildpack-apt as the first buildpack in Heroku, followed by `heroku/ruby`. Also include an `Aptfile` in the root of your project:
 ```
-
-Or install it yourself as:
-```bash
-$ gem install integration_pal
+libxmlsec1-dev
 ```
-
-1) SET ENV VARS
-  ENV['ENCRYPTION_KEY'] # this must be 32 chars
-  ENV['SALT_KEY'] # this must be 32 chars
-
-2) run `bundle exec rails g integration_pal:install`
-
-3)set active job
-  config.active_job.queue_adapter = :sidekiq # If you are using sidekiq
+! - Double check this if Heroku fails to build Gem native extensions for `nokogiri-xmlsec-instructure` during deployment.
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 
-## EXAMPLE API REQUEST
-# Note how we sign the requesting using ApiAuth
-
+## Example API Request
+Note how we sign the request using ApiAuth
+```ruby
 require "uri"
 require "net/https"
 require "time"
@@ -71,4 +131,5 @@ request.body = {
 ApiAuth.sign!(request, access_key_id, secret_access_key)
 
 response = http.request(request)
-puts response.body
+puts response.body
+```

data/app/controllers/integration_pal/application_controller.rb

@@ -1,8 +1,16 @@
-require "rack-cas-rails"
-
 module IntegrationPal
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
-    before_action :authenticate!
+    before_action :require_user, unless: :skip_authentication?
+
+    def skip_authentication?
+      return false
+    end
+
+    def require_user
+      # pretend to be logged in; you can still go directly to /login if you want to test the SAML flow
+      session[:saml_username] ||= ENV['USER'] if Rails.env.in?(%w(development test))
+      redirect_to saml2_login_url unless session[:saml_username]
+    end
   end
 end

data/app/controllers/integration_pal/saml_controller.rb

@@ -0,0 +1,69 @@
+module IntegrationPal
+  class SamlController < ApplicationController
+    class << self
+      def parse_meta_file(filename)
+        possible_names = ['.erb', ''].map { |ext| filename+ext }
+        possible_paths = []
+
+        ['config/saml', 'config'].each do |prefix|
+          possible_names.each do |filename|
+            possible_paths << Rails.root.join(prefix, filename)
+          end
+        end
+
+        meta_path = possible_paths.find &:exist?
+
+        meta_file = File.read(meta_path)
+        if meta_path.extname == '.erb'
+          meta_file = ERB.new(meta_file).result(ERBContext.new.get_binding)
+        end
+        SAML2::Entity.parse(meta_file)
+      end
+
+      def idp_metadata
+        @idp_metadata ||= parse_meta_file(IntegrationPal.saml_idp_metadata)
+      end
+
+      def sp_metadata
+        @sp_metadata ||= parse_meta_file(IntegrationPal.saml_sp_metadata)
+      end
+
+      class ERBContext
+        include Rails.application.routes.url_helpers
+
+        def get_binding
+          binding
+        end
+      end
+    end
+
+    protect_from_forgery except: [:create]
+
+    def skip_authentication?
+      true
+    end
+
+    def new
+      authn_request = self.class.sp_metadata.initiate_authn_request(self.class.idp_metadata)
+      redirect_to SAML2::Bindings::HTTPRedirect.encode(authn_request)
+    end
+
+    def create
+      response, _relay_state = SAML2::Bindings::HTTP_POST.decode(request.request_parameters)
+      unless self.class.sp_metadata.valid_response?(response, self.class.idp_metadata)
+        logger.error("Failed to validate SAML response: #{response.errors}")
+        raise ActionController::RoutingError.new('Not Found')
+      end
+
+      reset_session
+      session[:saml_username] = response.assertions.first.subject.name_id.id
+      logger.info("Logged in using SAML2 as #{session[:saml_username]}")
+
+      redirect_to root_url
+    end
+
+    def metadata
+      render xml: self.class.sp_metadata.to_xml
+    end
+  end
+end

data/config/routes.rb

@@ -1,4 +1,10 @@
 IntegrationPal::Engine.routes.draw do
+  scope as: 'saml2' do
+    get 'login' => 'saml#new'
+    post 'login' => 'saml#create'
+    get 'SAML2' => 'saml#metadata', as: 'meta'
+  end
+
   root to: 'workers#index'
   resources :workers
   resources :jobs

data/lib/generators/integration_pal/install/install_generator.rb

@@ -2,12 +2,6 @@ module IntegrationPal
   class InstallGenerator < Rails::Generators::Base
     source_root File.expand_path('../templates', __FILE__)
 
-    desc "Add CAS config to application.rb"
-    def update_application_config
-      application "@cas_server_url = 'https://cas-sso.instructure.com/'"
-      application  "config.rack_cas.server_url = @cas_server_url"
-    end
-
     desc "Mount the engine"
     def add_routes
       route "mount IntegrationPal::Engine, at: IntegrationPal::Engine.mounted_path"
@@ -21,5 +15,16 @@ module IntegrationPal
       end
     end
 
+    desc "Add an initializer"
+    def add_initializer
+      initializer "integration_pal.rb" do
+        content = <<-'RUBY'
+# SAML XML Metadata files. Looked for in config/saml. Automatically looks for an existing *.erb version as well.
+# IntegrationPal.saml_idp_metadata = 'idp_metadata.xml'
+# IntegrationPal.saml_sp_metadata = 'sp_metadata.xml'
+        RUBY
+      end
+    end
+
   end
 end

data/lib/integration_pal.rb

@@ -1,5 +1,6 @@
 require "integration_pal/engine"
 
 module IntegrationPal
-  # Your code goes here...
+  saml_idp_metadata = 'idp_metadata.xml'
+  saml_sp_metadata = 'sp_metadata.xml'
 end

data/lib/integration_pal/engine.rb

@@ -1,8 +1,6 @@
 module IntegrationPal
   class Engine < ::Rails::Engine
     require 'api-auth'
-    require 'rack-cas'
-    require 'rack-cas-rails'
     require 'attr_encrypted'
     require 'jquery-rails'
 

data/lib/integration_pal/version.rb

@@ -1,3 +1,3 @@
 module IntegrationPal
-  VERSION = '0.1.6'
+  VERSION = '0.2.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: integration_pal
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.2.0
 platform: ruby
 authors:
 - Cody Tanner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-02 00:00:00.000000000 Z
+date: 2018-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.0.3
-- !ruby/object:Gem::Dependency
-  name: rack-cas-rails
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.2
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: sentry-raven
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 4.3.1
+- !ruby/object:Gem::Dependency
+  name: saml2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.1
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -211,6 +211,7 @@ files:
 - app/controllers/integration_pal/api_controller.rb
 - app/controllers/integration_pal/application_controller.rb
 - app/controllers/integration_pal/jobs_controller.rb
+- app/controllers/integration_pal/saml_controller.rb
 - app/controllers/integration_pal/tasks_controller.rb
 - app/controllers/integration_pal/workers_controller.rb
 - app/helpers/integration_pal/application_helper.rb
@@ -314,8 +315,6 @@ files:
 - spec/dummy/config/secrets.yml
 - spec/dummy/config/spring.rb
 - spec/dummy/db/schema.rb
-- spec/dummy/log/development.log
-- spec/dummy/log/test.log
 - spec/dummy/package.json
 - spec/dummy/public/404.html
 - spec/dummy/public/422.html
@@ -351,73 +350,71 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.2.1
 signing_key: 
 specification_version: 4
 summary: Mountable engine for SIS integrations
 test_files:
-- spec/controllers/integration_pal/api/v1/jobs_controller_spec.rb
-- spec/controllers/integration_pal/jobs_controller_spec.rb
-- spec/controllers/integration_pal/workers_controller_spec.rb
-- spec/dummy/app/assets/config/manifest.js
-- spec/dummy/app/assets/javascripts/application.js
-- spec/dummy/app/assets/javascripts/cable.js
-- spec/dummy/app/assets/stylesheets/application.css
-- spec/dummy/app/channels/application_cable/channel.rb
-- spec/dummy/app/channels/application_cable/connection.rb
-- spec/dummy/app/controllers/application_controller.rb
-- spec/dummy/app/helpers/application_helper.rb
-- spec/dummy/app/jobs/application_job.rb
-- spec/dummy/app/jobs/test_job.rb
+- spec/spec_helper.rb
 - spec/dummy/app/mailers/application_mailer.rb
 - spec/dummy/app/models/application_record.rb
+- spec/dummy/app/jobs/application_job.rb
+- spec/dummy/app/jobs/test_job.rb
+- spec/dummy/app/controllers/application_controller.rb
 - spec/dummy/app/views/layouts/application.html.erb
 - spec/dummy/app/views/layouts/mailer.html.erb
 - spec/dummy/app/views/layouts/mailer.text.erb
-- spec/dummy/bin/bundle
-- spec/dummy/bin/rails
+- spec/dummy/app/assets/config/manifest.js
+- spec/dummy/app/assets/javascripts/cable.js
+- spec/dummy/app/assets/javascripts/application.js
+- spec/dummy/app/assets/stylesheets/application.css
+- spec/dummy/app/helpers/application_helper.rb
+- spec/dummy/app/channels/application_cable/connection.rb
+- spec/dummy/app/channels/application_cable/channel.rb
+- spec/dummy/bin/update
 - spec/dummy/bin/rake
 - spec/dummy/bin/setup
-- spec/dummy/bin/update
+- spec/dummy/bin/bundle
 - spec/dummy/bin/yarn
-- spec/dummy/config/application.rb
-- spec/dummy/config/boot.rb
+- spec/dummy/bin/rails
+- spec/dummy/config/secrets.yml
+- spec/dummy/config/routes.rb
+- spec/dummy/config/locales/en.yml
 - spec/dummy/config/cable.yml
-- spec/dummy/config/database.yml
-- spec/dummy/config/environment.rb
-- spec/dummy/config/environments/development.rb
 - spec/dummy/config/environments/production.rb
+- spec/dummy/config/environments/development.rb
 - spec/dummy/config/environments/test.rb
+- spec/dummy/config/spring.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/application.rb
+- spec/dummy/config/puma.rb
+- spec/dummy/config/database.yml
+- spec/dummy/config/boot.rb
 - spec/dummy/config/initializers/application_controller_renderer.rb
-- spec/dummy/config/initializers/assets.rb
 - spec/dummy/config/initializers/backtrace_silencers.rb
-- spec/dummy/config/initializers/cookies_serializer.rb
-- spec/dummy/config/initializers/filter_parameter_logging.rb
-- spec/dummy/config/initializers/inflections.rb
 - spec/dummy/config/initializers/mime_types.rb
+- spec/dummy/config/initializers/filter_parameter_logging.rb
 - spec/dummy/config/initializers/wrap_parameters.rb
-- spec/dummy/config/locales/en.yml
-- spec/dummy/config/puma.rb
-- spec/dummy/config/routes.rb
-- spec/dummy/config/secrets.yml
-- spec/dummy/config/spring.rb
+- spec/dummy/config/initializers/assets.rb
+- spec/dummy/config/initializers/cookies_serializer.rb
+- spec/dummy/config/initializers/inflections.rb
 - spec/dummy/config.ru
-- spec/dummy/db/schema.rb
-- spec/dummy/log/development.log
-- spec/dummy/log/test.log
-- spec/dummy/package.json
-- spec/dummy/public/404.html
+- spec/dummy/Rakefile
+- spec/dummy/public/favicon.ico
 - spec/dummy/public/422.html
+- spec/dummy/public/apple-touch-icon.png
 - spec/dummy/public/500.html
+- spec/dummy/public/404.html
 - spec/dummy/public/apple-touch-icon-precomposed.png
-- spec/dummy/public/apple-touch-icon.png
-- spec/dummy/public/favicon.ico
-- spec/dummy/Rakefile
-- spec/factories/integration_pal_jobs.rb
-- spec/factories/integration_pal_tasks.rb
-- spec/factories/integration_pal_workers.rb
-- spec/models/integration_pal/job_spec.rb
+- spec/dummy/package.json
+- spec/dummy/db/schema.rb
 - spec/models/integration_pal/task_spec.rb
+- spec/models/integration_pal/job_spec.rb
 - spec/models/integration_pal/worker_spec.rb
+- spec/factories/integration_pal_tasks.rb
+- spec/factories/integration_pal_jobs.rb
+- spec/factories/integration_pal_workers.rb
+- spec/controllers/integration_pal/workers_controller_spec.rb
+- spec/controllers/integration_pal/jobs_controller_spec.rb
+- spec/controllers/integration_pal/api/v1/jobs_controller_spec.rb
 - spec/rails_helper.rb
-- spec/spec_helper.rb