masq2 1.0.0

data/app/controllers/masq/base_controller.rb

@@ -0,0 +1,78 @@
+module Masq
+  class BaseController < ActionController::Base
+    include OpenidServerSystem
+    include AuthenticatedSystem
+
+    protect_from_forgery
+
+    rescue_from ::ActiveRecord::RecordNotFound, with: :render_404
+    rescue_from ::ActionController::InvalidAuthenticityToken, with: :render_422
+
+    helper_method :extract_host,
+      :extract_login_from_identifier,
+      :checkid_request,
+      :identifier,
+      :endpoint_url,
+      :scheme,
+      :email_as_login?
+
+    protected
+
+    def endpoint_url
+      server_url(protocol: scheme)
+    end
+
+    # Returns the OpenID identifier for an account
+    def identifier(account)
+      identity_url(account: account, protocol: scheme)
+    end
+
+    # Extracts the hostname from the given url, which is used to
+    # display the name of the requesting website to the user
+    def extract_host(u)
+      URI.split(u).compact[1]
+    end
+
+    def extract_login_from_identifier(openid_url)
+      openid_url.gsub(/^https?:\/\/.*\//, "")
+    end
+
+    def checkid_request
+      unless @checkid_request ||= nil
+        req = openid_server.decode_request(current_openid_request.parameters) if current_openid_request
+        @checkid_request = req.is_a?(OpenID::Server::CheckIDRequest) ? req : false
+      end
+      @checkid_request
+    end
+
+    def current_openid_request
+      @current_openid_request ||= OpenIdRequest.find_by(token: session[:request_token]) if session[:request_token]
+    end
+
+    def render_404
+      render_error(404)
+    end
+
+    def render_422
+      render_error(422)
+    end
+
+    def render_500
+      render_error(500)
+    end
+
+    def render_error(status_code)
+      render(file: "#{Rails.root}/public/#{status_code}.html", formats: [:html], status: status_code, layout: false)
+    end
+
+    private
+
+    def scheme
+      Masq::Engine.config.masq["use_ssl"] ? "https" : "http"
+    end
+
+    def email_as_login?
+      Masq::Engine.config.masq["email_as_login"]
+    end
+  end
+end

data/app/controllers/masq/consumer_controller.rb

@@ -0,0 +1,144 @@
+module Masq
+  class ConsumerController < BaseController
+    skip_before_action :verify_authenticity_token
+
+    def index
+    end
+
+    def start
+      begin
+        open_id_req = openid_consumer.begin(params[:openid_identifier])
+      rescue OpenID::OpenIDError => e
+        redirect_to(consumer_path, alert: "Discovery failed for #{params[:openid_identifier]}: #{e}")
+        return
+      end
+      if params[:use_sreg]
+        open_id_sreg_req = OpenID::SReg::Request.new
+        open_id_sreg_req.policy_url = "http://www.policy-url.com"
+        open_id_sreg_req.request_fields(["nickname", "email"], true) # required
+        open_id_sreg_req.request_fields(["fullname", "dob"], false) # optional
+        open_id_req.add_extension(open_id_sreg_req)
+        open_id_req.return_to_args["did_sreg"] = "y"
+      end
+      if params[:use_ax_fetch]
+        axreq = OpenID::AX::FetchRequest.new
+        requested_attrs = [
+          ["https://openid.tzi.de/spec/schema", "uid", true],
+          ["http://axschema.org/namePerson/friendly", "nickname", true],
+          ["http://axschema.org/contact/email", "email", true],
+          ["http://axschema.org/namePerson", "fullname"],
+          ["http://axschema.org/contact/web/default", "website", false, 2],
+          ["http://axschema.org/contact/postalCode/home", "postcode"],
+          ["http://axschema.org/person/gender", "gender"],
+          ["http://axschema.org/birthDate", "birth_date"],
+          ["http://axschema.org/contact/country/home", "country"],
+          ["http://axschema.org/pref/language", "language"],
+          ["http://axschema.org/pref/timezone", "timezone"],
+        ]
+        requested_attrs.each { |a| axreq.add(OpenID::AX::AttrInfo.new(a[0], a[1], a[2] || false, a[3] || 1)) }
+        open_id_req.add_extension(axreq)
+        open_id_req.return_to_args["did_ax_fetch"] = "y"
+      end
+      if params[:use_ax_store]
+        ax_store_req = OpenID::AX::StoreRequest.new
+        ax_store_req.set_values("http://axschema.org/contact/email", %w(email@example.com))
+        ax_store_req.set_values("http://axschema.org/birthDate", %w(1976-08-07))
+        ax_store_req.set_values("http://axschema.org/customValueThatIsNotSupported", %w(unsupported))
+        open_id_req.add_extension(ax_store_req)
+        open_id_req.return_to_args["did_ax_store"] = "y"
+      end
+      if params[:use_pape]
+        open_id_pape_req = OpenID::PAPE::Request.new
+        open_id_pape_req.add_policy_uri(OpenID::PAPE::AUTH_PHISHING_RESISTANT)
+        open_id_pape_req.max_auth_age = 60
+        open_id_req.add_extension(open_id_pape_req)
+        open_id_req.return_to_args["did_pape"] = "y"
+      end
+      if params[:force_post]
+        open_id_req.return_to_args["force_post"] = "x" * 2048
+      end
+      if open_id_req.send_redirect?(consumer_url, consumer_complete_url, params[:immediate])
+        redirect_to(open_id_req.redirect_url(consumer_url, consumer_complete_url, params[:immediate]))
+      else
+        @form_text = open_id_req.form_markup(consumer_url, consumer_complete_url, params[:immediate], {"id" => "checkid_form"})
+      end
+    end
+
+    def complete
+      parameters = params.to_unsafe_h.reject { |k, _v| request.path_parameters[k.to_sym] }
+      open_id_req = openid_consumer.complete(parameters, url_for({}))
+      case open_id_req.status
+      when OpenID::Consumer::SETUP_NEEDED
+        flash[:alert] = t(:immediate_request_failed_setup_needed)
+      when OpenID::Consumer::CANCEL
+        flash[:alert] = t(:openid_transaction_cancelled)
+      when OpenID::Consumer::FAILURE
+        flash[:alert] = open_id_req.display_identifier ?
+          t(:verification_of_identifier_failed, identifier: open_id_req.display_identifier, message: open_id_req.message) :
+          t(:verification_failed_message, message: open_id_req.message)
+      when OpenID::Consumer::SUCCESS
+        flash[:notice] = t(:verification_of_identifier_succeeded, identifier: open_id_req.display_identifier)
+        if params[:did_sreg]
+          sreg_resp = OpenID::SReg::Response.from_success_response(open_id_req)
+          sreg_message = "\n\n" + t(:simple_registration_data_requested)
+          if sreg_resp.empty?
+            sreg_message << ", " + t(:but_none_was_returned)
+          else
+            sreg_message << ". " + t(:the_following_data_were_sent) + "\n"
+            sreg_resp.data.each { |k, v| sreg_message << "#{k}: #{v}\n" }
+          end
+          flash[:notice] += sreg_message
+        end
+        if params[:did_ax_fetch]
+          ax_fetch_resp = OpenID::AX::FetchResponse.from_success_response(open_id_req)
+          ax_fetch_message = "\n\n" + t(:attribute_exchange_data_requested)
+          if ax_fetch_resp
+            ax_fetch_message << ". " + t(:the_following_data_were_sent) + "\n"
+            ax_fetch_resp.data.each { |k, v| ax_fetch_message << "#{k}: #{v}\n" }
+          else
+            ax_fetch_message << ", " + t(:but_none_was_returned)
+          end
+          flash[:notice] += ax_fetch_message
+        end
+        if params[:did_ax_store]
+          ax_store_resp = OpenID::AX::StoreResponse.from_success_response(open_id_req)
+          ax_store_message = "\n\n" + t(:attribute_exchange_store_requested)
+          ax_store_message << if ax_store_resp
+            if ax_store_resp.succeeded?
+              " " + t(:and_saved_at_the_identity_provider)
+            else
+              ", " + t(:but_an_error_occured, error_message: ax_store_resp.error_message)
+            end
+          else
+            ", " + t(:but_got_no_response)
+          end
+          flash[:notice] += ax_store_message
+        end
+        if params[:did_pape]
+          pape_resp = OpenID::PAPE::Response.from_success_response(open_id_req)
+          pape_message = "\n\n" + t(:authentication_policies_requested)
+          if pape_resp.auth_policies.empty?
+            pape_message << ", " + t(:but_the_server_did_not_report_one)
+          else
+            pape_message << ", " + t(:and_server_reported_the_following) + "\n"
+            pape_resp.auth_policies.each { |p| pape_message << "#{p}\n" }
+          end
+          pape_message << "\n" + t(:authentication_time) + ": #{pape_resp.auth_time}" if pape_resp.auth_time
+          pape_message << "\nNIST Auth Level: #{pape_resp.nist_auth_level}" if pape_resp.nist_auth_level
+          flash[:notice] += pape_message
+        end
+      else
+        # NOOP
+        # This should never happen.
+      end
+      redirect_to(action: "index")
+    end
+
+    private
+
+    # OpenID consumer reader, used to access the consumer functionality
+    def openid_consumer
+      @openid_consumer ||= OpenID::Consumer.new(session, ActiveRecordStore.new)
+    end
+  end
+end

data/app/controllers/masq/info_controller.rb

@@ -0,0 +1,23 @@
+module Masq
+  class InfoController < BaseController
+    # The yadis discovery header tells incoming OpenID
+    # requests where to find the server endpoint.
+    def index
+      response.headers["X-XRDS-Location"] = server_url(format: :xrds, protocol: scheme)
+    end
+
+    # This page is to prevent phishing attacks. It should
+    # not contain any links, the user has to navigate to
+    # the right login page manually.
+    def safe_login
+      if !Masq::Engine.config.masq.include?("protect_phishing") or Masq::Engine.config.masq["protect_phishing"]
+        render(layout: false)
+      else
+        redirect_to(login_url)
+      end
+    end
+
+    def help
+    end
+  end
+end

data/app/controllers/masq/passwords_controller.rb

@@ -0,0 +1,42 @@
+module Masq
+  class PasswordsController < BaseController
+    before_action :check_can_change_password, only: [:create, :edit, :update]
+    before_action :find_account_by_reset_code, only: [:edit, :update]
+
+    # Forgot password
+    def create
+      if account = Account.find_by(email: params[:email], activation_code: nil)
+        account.forgot_password!
+        redirect_to(login_path, notice: t(:password_reset_link_has_been_sent))
+      else
+        flash[:alert] = t(:could_not_find_user_with_email_address)
+        render(action: "new")
+      end
+    end
+
+    # Reset password
+    def update
+      if params[:password].blank?
+        flash[:alert] = t(:password_cannot_be_blank)
+        render(action: "edit")
+      elsif @account.update(password: params[:password], password_confirmation: params[:password_confirmation])
+        redirect_to(login_path, notice: t(:password_reset))
+      else
+        flash[:alert] = t(:password_mismatch)
+        render(action: "edit")
+      end
+    end
+
+    private
+
+    def find_account_by_reset_code
+      @reset_code = params[:id]
+      @account = @reset_code.blank? ? nil : Account.find_by(password_reset_code: @reset_code)
+      redirect_to(forgot_password_path, alert: t(:reset_code_invalid_try_again)) unless @account
+    end
+
+    def check_can_change_password
+      render_404 unless Masq::Engine.config.masq["can_change_password"]
+    end
+  end
+end

data/app/controllers/masq/personas_controller.rb

@@ -0,0 +1,75 @@
+module Masq
+  class PersonasController < BaseController
+    before_action :login_required
+    before_action :store_return_url, only: [:new, :edit]
+
+    helper_method :persona
+
+    def index
+      @personas = current_account.personas
+
+      respond_to do |format|
+        format.html
+      end
+    end
+
+    def new
+      @persona = current_account.personas.new
+    end
+
+    def create
+      respond_to do |format|
+        if persona.save!
+          flash[:notice] = t(:persona_successfully_created)
+          format.html { redirect_back_or_default(account_personas_path) }
+        else
+          format.html { render(action: "new") }
+        end
+      end
+    end
+
+    def update
+      respond_to do |format|
+        if persona.update(persona_params)
+          flash[:notice] = t(:persona_updated)
+          format.html { redirect_back_or_default(account_personas_path) }
+        else
+          format.html { render(action: "edit") }
+        end
+      end
+    end
+
+    def destroy
+      respond_to do |format|
+        unless persona.destroy
+          flash[:alert] = t(:persona_cannot_be_deleted)
+        end
+        format.html { redirect_to(account_personas_path) }
+      end
+    end
+
+    protected
+
+    def persona
+      @persona ||= params[:id].present? ?
+        current_account.personas.find(params[:id]) :
+        current_account.personas.new(persona_params)
+    end
+
+    def persona_params
+      rejected_keys = [:created_at, :updated_at, :account_id, :deletable]
+      params.require(:persona).permit!.except(rejected_keys)
+    end
+
+    def redirect_back_or_default(default)
+      case session[:return_to]
+      when decide_path then redirect_to(decide_path(persona_id: persona.id))
+      else super
+      end
+    end
+
+    def store_return_url
+      store_location(params[:return]) unless params[:return].blank?
+    end
+  end
+end

data/app/controllers/masq/server_controller.rb

@@ -0,0 +1,247 @@
+module Masq
+  class ServerController < BaseController
+    # CSRF-protection must be skipped, because incoming
+    # OpenID requests lack an authenticity token
+    skip_before_action :verify_authenticity_token
+    # Error handling
+    rescue_from OpenID::Server::ProtocolError, with: :render_openid_error
+    # Actions other than index require a logged-in user
+    before_action :login_required, except: %i[index cancel seatbelt_config seatbelt_login_state]
+    before_action :ensure_valid_checkid_request, except: %i[index cancel seatbelt_config seatbelt_login_state]
+    after_action :clear_checkid_request, only: %i[cancel complete]
+    # These methods are used to display information about the request to the user
+    helper_method :sreg_request, :ax_fetch_request, :ax_store_request
+
+    # This is the server endpoint which handles all incoming OpenID requests.
+    # Associate and CheckAuth requests are answered directly - functionality
+    # therefor is provided by the ruby-openid gem. Handling of CheckId requests
+    # dependents on the users login state (see handle_checkid_request).
+    # Yadis requests return information about this endpoint.
+    def index
+      clear_checkid_request
+      respond_to do |format|
+        format.html do
+          if openid_request.is_a?(OpenID::Server::CheckIDRequest)
+            handle_checkid_request
+          elsif openid_request
+            handle_non_checkid_request
+          else
+            render(plain: t(:this_is_openid_not_a_human_resource))
+          end
+        end
+        format.xrds
+      end
+    end
+
+    # This action decides how to process the current request and serves as
+    # dispatcher and re-entry in case the request could not be processed
+    # directly (for instance if the user had to log in first).
+    # When the user has already trusted the relying party, the request will
+    # be answered based on the users release policy. If the request is immediate
+    # (relying party wants no user interaction, used e.g. for ajax requests)
+    # the request can only be answered if no further information (like simple
+    # registration data) is requested. Otherwise, the user will be redirected
+    # to the decision page.
+    def proceed
+      identity = identifier(current_account)
+      @site = current_account.sites.find_by(url: checkid_request.trust_root)
+      if @site
+        resp = checkid_request.answer(true, nil, identity)
+        resp = add_sreg(resp, @site.sreg_properties) if sreg_request
+        resp = add_ax(resp, @site.ax_properties) if ax_fetch_request
+        resp = add_pape(resp, auth_policies, auth_level, auth_time)
+        render_response(resp)
+      elsif checkid_request.immediate && (sreg_request || ax_store_request || ax_fetch_request)
+        render_response(checkid_request.answer(false))
+      elsif checkid_request.immediate
+        render_response(checkid_request.answer(true, nil, identity))
+      else
+        redirect_to(decide_path)
+      end
+    end
+
+    # Displays the decision page on that the user can confirm the request and
+    # choose which data should be transferred to the relying party.
+    def decide
+      @site = current_account.sites.where(url: checkid_request.trust_root).first_or_initialize
+      @site.persona = current_account.personas.find_by(params[:persona_id]) || current_account.personas.first if sreg_request || ax_store_request || ax_fetch_request
+    end
+
+    # This action is called by submitting the decision form, the information entered by
+    # the user is used to answer the request. If the user decides to always trust the
+    # relying party, a new site according to the release policies will be created.
+    def complete
+      if params[:cancel]
+        cancel
+      else
+        resp = checkid_request.answer(true, nil, identifier(current_account))
+        if params[:always]
+          @site = current_account.sites.where(persona_id: params[:site][:persona_id], url: params[:site][:url]).first_or_create
+          @site.update(site_params)
+        elsif sreg_request || ax_fetch_request
+          @site = current_account.sites.where(persona_id: params[:site][:persona_id], url: params[:site][:url]).first_or_create
+          @site.attributes = site_params
+        elsif ax_store_request
+          @site = current_account.sites.where(persona_id: params[:site][:persona_id], url: params[:site][:url]).first_or_create
+          not_supported = []
+          not_accepted = []
+          accepted = []
+          ax_store_request.data.each do |type_uri, values|
+            property = Persona.attribute_name_for_type_uri(type_uri)
+            if property
+              store_attribute = params[:site][:ax_store][property.to_sym]
+              if store_attribute && !store_attribute[:value].blank?
+                @site.persona.update_attribute(property, values.first)
+                accepted << type_uri
+              else
+                not_accepted << type_uri
+              end
+            else
+              not_supported << type_uri
+            end
+          end
+          ax_store_response = (accepted.count > 0) ? OpenID::AX::StoreResponse.new : OpenID::AX::StoreResponse.new(false, "None of the attributes were accepted.")
+          resp.add_extension(ax_store_response)
+        end
+        resp = add_pape(resp, auth_policies, auth_level, auth_time)
+        resp = add_sreg(resp, @site.sreg_properties) if sreg_request && @site.sreg_properties
+        resp = add_ax(resp, @site.ax_properties) if ax_fetch_request && @site.ax_properties
+        render_response(resp)
+      end
+    end
+
+    # Cancels the current OpenID request
+    def cancel
+      if checkid_request
+        redirect_to(checkid_request.cancel_url)
+      else
+        reset_session
+        redirect_to(login_path)
+      end
+    end
+
+    protected
+
+    # Decides how to process an incoming checkid request. If the user is
+    # already logged in he will be forwarded to the proceed action. If
+    # the user is not logged in and the request is immediate, the request
+    # cannot be answered successfully. In case the user is not logged in,
+    # the request will be stored and the user is asked to log in.
+    def handle_checkid_request
+      if allow_verification?
+        save_checkid_request
+        redirect_to(proceed_path)
+      elsif openid_request.immediate
+        render_response(openid_request.answer(false))
+      else
+        reset_session
+        request = save_checkid_request
+        session[:return_to] = proceed_path
+        redirect_to(request.from_trusted_domain? ? login_path : safe_login_path)
+      end
+    end
+
+    # Stores the current OpenID request.
+    # Returns the OpenIdRequest
+    def save_checkid_request
+      clear_checkid_request
+      request = OpenIdRequest.create!(parameters: openid_params)
+      session[:request_token] = request.token
+
+      request
+    end
+
+    # Deletes the old request when a new one comes in.
+    def clear_checkid_request
+      unless session[:request_token].blank?
+        OpenIdRequest.where(token: session[:request_token]).destroy_all
+        session[:request_token] = nil
+      end
+    end
+
+    # Use this as before_action for every CheckID request based action.
+    # Loads the current openid request and cancels if none can be found.
+    # The user has to log in, if he has not verified his ownership of
+    # the identifier, yet.
+    def ensure_valid_checkid_request
+      self.openid_request = checkid_request
+      if !openid_request.is_a?(OpenID::Server::CheckIDRequest)
+        redirect_to(root_path, alert: t(:identity_verification_request_invalid))
+      elsif !allow_verification?
+        flash[:notice] = (logged_in? && !pape_requirements_met?(auth_time)) ?
+          t(:service_provider_requires_reauthentication_last_login_too_long_ago) :
+          t(:login_to_verify_identity)
+        session[:return_to] = proceed_path
+        redirect_to(login_path)
+      end
+    end
+
+    # The user must be logged in, he must be the owner of the claimed identifier
+    # and the PAPE requirements must be met if applicable.
+    def allow_verification?
+      logged_in? && correct_identifier? && pape_requirements_met?(auth_time)
+    end
+
+    # Is the user allowed to verify the claimed identifier? The user
+    # must be logged in, so that we know his identifier or the identifier
+    # has to be selected by the server (id_select).
+    def correct_identifier?
+      openid_request.identity == identifier(current_account) || openid_request.id_select
+    end
+
+    # Clears the stored request and answers
+    def render_response(resp)
+      clear_checkid_request
+      render_openid_response(resp)
+    end
+
+    # Transforms the parameters from the form to valid AX response values
+    def transform_ax_data(parameters)
+      data = {}
+      parameters.each_pair do |key, details|
+        if details["value"]
+          data["type.#{key}"] = details["type"]
+          data["value.#{key}"] = details["value"]
+        end
+      end
+      data
+    end
+
+    # Renders the exception message as text output
+    def render_openid_error(exception)
+      error = case exception
+      when OpenID::Server::MalformedTrustRoot then "Malformed trust root '#{exception}'"
+      else exception.to_s
+      end
+      render(plain: "Invalid OpenID request: #{error}", status: 500)
+    end
+
+    private
+
+    # The NIST Assurance Level, see:
+    # http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#anchor12
+    def auth_level
+      if Masq::Engine.config.masq["use_ssl"]
+        current_account.last_authenticated_by_yubikey? ? 3 : 2
+      else
+        0
+      end
+    end
+
+    def auth_time
+      current_account.last_authenticated_at
+    end
+
+    def auth_policies
+      current_account.last_authenticated_by_yubikey? ?
+        [OpenID::PAPE::AUTH_MULTI_FACTOR, OpenID::PAPE::AUTH_PHISHING_RESISTANT] :
+        []
+    end
+
+    def site_params
+      authorized_params = params.require(:site).permit(:persona_id, :url)
+      additional_data = params[:site].slice(:ax_fetch, :sreg, :properties).permit!
+      authorized_params.merge(additional_data)
+    end
+  end
+end

data/app/controllers/masq/sessions_controller.rb

@@ -0,0 +1,58 @@
+module Masq
+  class SessionsController < BaseController
+    before_action :login_required, only: :destroy
+    after_action :set_login_cookie, only: :create
+
+    def new
+      redirect_after_login if logged_in?
+    end
+
+    def create
+      self.current_account = Masq::Account.authenticate(params[:login], params[:password])
+      if logged_in?
+        flash[:notice] = t(:you_are_logged_in)
+        redirect_after_login
+      else
+        a = Masq::Account.find_by(login: params[:login])
+        if a.nil?
+          redirect_to(login_path(error: "incorrect-login"), alert: t(:login_incorrect))
+        elsif a.active? && a.enabled?
+          redirect_to(login_path(error: "incorrect-password"), alert: t(:password_incorrect))
+        elsif !a.enabled?
+          redirect_to(login_path(error: "deactivated"), alert: t(:account_deactivated))
+        else
+          redirect_to(login_path(resend_activation_for: params[:login]), alert: t(:account_not_yet_activated))
+        end
+      end
+    end
+
+    def destroy
+      current_account.forget_me
+      cookies.delete(:auth_token)
+      reset_session
+      redirect_to(root_path, notice: t(:you_are_now_logged_out))
+    end
+
+    private
+
+    def set_login_cookie
+      if logged_in? and params[:remember_me] == "1"
+        current_account.remember_me
+        cookies[:auth_token] = {
+          value: current_account.remember_token,
+          expires: current_account.remember_token_expires_at,
+        }
+      end
+    end
+
+    def redirect_after_login
+      return_to = session[:return_to]
+      if return_to
+        session[:return_to] = nil
+        redirect_to(return_to)
+      else
+        redirect_to(identifier(current_account))
+      end
+    end
+  end
+end