ndr_authenticate 0.3.5

data/lib/generators/ndr_authenticate/install/install_generator.rb

@@ -0,0 +1,20 @@
+require 'rails/generators/active_record/migration'
+
+module NdrAuthenticate
+  # Installs configuration files required by NdrAuthenticate into host application.
+  class InstallGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_root File.expand_path('templates', __dir__)
+
+    def copy_config_files
+      config_path     = Pathname.new(destination_root).join('config')
+      migrations_path = Pathname.new(db_migrate_path)
+
+      copy_file 'ndr_authenticate.rb',     config_path.join('initializers', 'ndr_authenticate.rb')
+      copy_file 'attribute-map.yml',       config_path.join('attribute-map.yml')
+
+      migration_template 'migration.rb', migrations_path.join('add_ndr_authenticate.rb')
+    end
+  end
+end

data/lib/generators/ndr_authenticate/install/templates/attribute-map.yml

@@ -0,0 +1,77 @@
+phe: &phe
+  objectGuid: object_guid
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn:
+  # http://schemas.xmlsoap.org/claims/CommonName:
+  # http://schemas.xmlsoap.org/claims/EmailAddress:
+  # http://schemas.xmlsoap.org/claims/Group:
+  # http://schemas.xmlsoap.org/claims/UPN:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/role:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion:
+  # http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/san:
+  # http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/subject:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename:
+  # http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint:
+  # http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version:
+  # http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork:
+  # http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime:
+  # http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays:
+  # http://schemas.microsoft.com/ws/2012/01/passwordchangeurl:
+  # http://schemas.microsoft.com/claims/authnmethodsreferences:
+  # http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id:
+  # http://schemas.microsoft.com/ws/2013/11/alternateloginid:
+
+default: &default {}
+
+development:
+  <<: *default
+
+test:
+  <<: *default
+
+production:
+  <<: *default

data/lib/generators/ndr_authenticate/install/templates/migration.rb

@@ -0,0 +1,13 @@
+class AddNdrAuthenticate < ActiveRecord::Migration[5.2]
+  class User < NdrAuthenticate.user_class.constantize; end
+
+  def change
+    add_column User.table_name, saml_session_index_key, :string
+  end
+
+  private
+
+  def saml_session_index_key
+    Devise.saml_session_index_key || :session_index
+  end
+end

data/lib/generators/ndr_authenticate/install/templates/ndr_authenticate.rb

@@ -0,0 +1,31 @@
+NdrAuthenticate.configure do |config|
+  # Name of the user class within the host application.
+  config.user_class = 'User'
+
+  # Callable object that controls availability of SSO logins.
+  config.sso_enabled = ->(_request) { Rails.env.production? }
+
+  # Additional parameters to be filtered from Rails logs.
+  # config.filter_parameters = %i[
+  #   SAMLRequest
+  #   SAMLResponse
+  #   password
+  #   password_confirmation
+  #   reset_password_token
+  # ]
+
+  # Credentials for Yubico Web Services (https://upgrade.yubico.com/getapikey/)
+  # config.yubikey_api_id  = nil
+  # config.yubikey_api_key = nil
+
+  # Strategies for validating OTPWs for protected actions.
+  # Host applications are invited to add their own challenges. These should be `call`able objects
+  # that accept OTPW, user and controller context objects and return a boolean value.
+  # config.invalid_otp_reasons = {
+  #   missing: ->(otp, _user, _context) { otp.blank? },
+  #   invalid: ->(otp, _user, _context) { !Yubikey::Verify.call(otp) }
+  # }
+
+  # Apply pre-configured PHE ADFS SAML configuration.
+  config.load_defaults :phe
+end

data/lib/ndr_authenticate/connector.rb

@@ -0,0 +1,45 @@
+require 'net/ldap'
+module NdrAuthenticate
+  # Logic to connect to PHE AD via ldap protocol to find out if user exists
+  # and has an active/enabled account
+  class Connector
+    def configure_ldap
+      config = YAML.load_file(Rails.root.join('config', 'ldap.yml'))[Rails.env]
+      @hosts = config.fetch(:hosts)
+      @username = config.fetch(:username)
+      @password = config.fetch(:password)
+    end
+
+    def search_for(email)
+      configure_ldap
+
+      ldap = Net::LDAP.new(hosts: @hosts,
+                           auth: {
+                             method: :simple,
+                             username: @username,
+                             password: @password
+                           },
+                           encryption: {
+                             method: :simple_tls,
+                             tls_options: {
+                               ca_file: Rails.root.join('config', 'phe_cacert.pem').to_s,
+                               ssl_version: 'TLSv1_1'
+                             }
+                           })
+
+      email_filter = Net::LDAP::Filter.eq('userPrincipalName', email)
+      category_filter = Net::LDAP::Filter.eq('objectCategory', 'person')
+      objectclass_filter = Net::LDAP::Filter.eq('objectClass', 'user')
+      enable_filter = ~Net::LDAP::Filter.present('userAccountControl:1.2.840.113556.1.4.803:=2')
+      filter = email_filter & category_filter & objectclass_filter & enable_filter
+      treebase = 'OU=User Objects - Employee Accounts,OU=Administrated Objects,DC=phe,DC=gov,DC=uk'
+
+      user = ldap.search(base: treebase,
+                         filter: filter,
+                         attributes:   %w[sAMAccountName], # can use attribute to ensure looking \
+                         # at right person
+                         return_result: true)
+      user.size == 1
+    end
+  end
+end

data/lib/ndr_authenticate/engine.rb

@@ -0,0 +1,76 @@
+# We need to require these explicitly here, to avoid Rails zeitwerk autoload issues
+require File.join(__dir__, '../../app/controllers/concerns/ndr_authenticate/devise_helpers')
+require File.join(__dir__, '../../app/controllers/concerns/ndr_authenticate/yubikey/protectable')
+
+module NdrAuthenticate
+  class Engine < ::Rails::Engine
+    isolate_namespace NdrAuthenticate
+
+    initializer 'ndr_authenticate.assets.precompile' do |app|
+      app.config.assets.precompile += %w[
+        ndr_authenticate/ndr_authenticate.css
+        ndr_authenticate/ndr_authenticate.js
+        ndr_authenticate/bootstrap/glyphicons-halflings-regular*
+      ]
+    end
+
+    # Patch DeviseSamlAuthenticatable with the ability to configure IdP/SP automagically.
+    initializer 'ndr_authenticate.devise_saml_authenticatable' do
+      DeviseSamlAuthenticatable::SamlConfig.prepend(NdrAuthenticate::SamlConfig)
+    end
+
+    initializer 'ndr_authenticate.action_controller' do
+      ActiveSupport.on_load(:action_controller, run_once: true) do
+        include NdrAuthenticate::DeviseHelpers
+        include NdrAuthenticate::Yubikey::Protectable
+      end
+    end
+
+    initializer 'ndr_authenticate.filter_parameters' do |app|
+      app.config.filter_parameters += NdrAuthenticate.filter_parameters
+    end
+
+    initializer 'ndr_authenticate.yubikey.configure' do
+      ::Yubikey.configure do |config|
+        config.url     = NdrAuthenticate.yubikey_api_url || ::Yubikey::Configuration::DEFAULT_API_URL
+        config.api_id  = NdrAuthenticate.yubikey_api_id
+        config.api_key = NdrAuthenticate.yubikey_api_key
+      end
+
+      # Patch intended as a workaround for issues (hardcoded certs, SNI requirement) with the
+      # Yubikey gem follwing the YubiCloud service upgrade.
+      # See https://status.yubico.com/2019/11/21/2019-11-21-yubicloud-service-upgrade/
+      # TODO: When time allows, we should probably look at dropping the dependency and
+      # rolling our own implementation.
+      ::Yubikey::OTP::Verify.prepend(Module.new do
+        def verify(args)
+          query = "id=#{@api_id}&otp=#{args[:otp]}&nonce=#{@nonce}"
+
+          uri = URI.parse(@url) + 'verify'
+          uri.query = query
+
+          Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+            http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
+
+            result  = http.get(uri.request_uri)
+            @status = result.body[/status=(.*)$/, 1].strip
+
+            if @status == 'BAD_OTP' || @status == 'BACKEND_ERROR'
+              raise ::Yubikey::OTP::InvalidOTPError, "Received error: #{@status}"
+            end
+
+            @status = 'BAD_RESPONSE' unless verify_response(result.body)
+          end
+        end
+      end)
+    end
+
+    initializer 'ndr_authenticate.turbolinks' do
+      ActiveSupport.on_load(:action_controller) do
+        if const_defined?('Turbolinks')
+          NdrAuthenticate::SamlSessionsController.include(NdrAuthenticate::Turbolinks)
+        end
+      end
+    end
+  end
+end

data/lib/ndr_authenticate/saml_config.rb

@@ -0,0 +1,39 @@
+module NdrAuthenticate
+  # Patch for DeviseSamlAuthenticatable::SamlConfig.
+  # Allows for SAML configuration to be composed and cached.
+  module SamlConfig
+    include Engine.routes.url_helpers
+
+    mattr_accessor :cache
+    self.cache = {}
+
+    def saml_config(idp_entity_id = nil, request = nil)
+      cache.fetch(idp_entity_id) do |idp|
+        settings = super
+
+        settings.issuer ||= saml_metadata_url
+        settings.assertion_consumer_service_url ||= saml_user_session_url
+        settings.assertion_consumer_logout_service_url ||= idp_destroy_saml_user_session_url
+
+        idp_settings.each { |key, value| settings.try("#{key}=", value) }
+
+        cache.store(idp, settings)
+      end
+    end
+
+    private
+
+    def default_url_options
+      { host: request.host_with_port, protocol: request.protocol }
+    end
+
+    def idp_settings
+      return {} unless NdrAuthenticate.idp_metadata_url
+
+      OneLogin::RubySaml::IdpMetadataParser.new.
+        parse_remote_to_hash(NdrAuthenticate.idp_metadata_url)
+    rescue OneLogin::RubySaml::HttpError
+      {}
+    end
+  end
+end

data/lib/ndr_authenticate/version.rb

@@ -0,0 +1,3 @@
+module NdrAuthenticate
+  VERSION = '0.3.5'.freeze
+end

data/lib/ndr_authenticate/yubikey/verify.rb

@@ -0,0 +1,26 @@
+module NdrAuthenticate
+  module Yubikey
+    # Performs basic validity check of YubiKey OTPWs.
+    class Verify
+      attr_reader :otp
+
+      def self.call(otp)
+        new(otp).valid?
+      end
+
+      def initialize(otp)
+        @otp = otp
+      end
+
+      def valid?
+        verify.valid?
+      rescue ::Yubikey::OTP::InvalidOTPError
+        false
+      end
+
+      def verify
+        @verify ||= ::Yubikey::OTP::Verify.new(otp: otp)
+      end
+    end
+  end
+end

data/lib/ndr_authenticate/yubikey.rb

@@ -0,0 +1,7 @@
+require 'ndr_authenticate/yubikey/verify'
+
+module NdrAuthenticate
+  # Namespace for Yubikey related code
+  module Yubikey
+  end
+end

data/lib/ndr_authenticate.rb

@@ -0,0 +1,127 @@
+require 'devise'
+require 'devise_saml_authenticatable'
+require 'yubikey'
+require 'ndr_ui'
+require 'ndr_authenticate/engine'
+require 'ndr_authenticate/saml_config'
+require 'ndr_authenticate/yubikey'
+
+# Configuration and convenience methods.
+module NdrAuthenticate
+  # Name of the user class within the host application.
+  mattr_accessor :user_class
+  self.user_class = 'User'
+
+  # Callable object that controls availability of SSO logins.
+  # Set to false to disable entirely.
+  mattr_accessor :sso_enabled
+  self.sso_enabled = ->(_request) { Rails.env.production? }
+
+  # URL for the IdP metadata endpoint. When set allows IdP to be configured automagically,
+  # providing the URL is reachable.
+  mattr_accessor :idp_metadata_url
+  self.idp_metadata_url = nil
+
+  # Additional parameters to be filtered from Rails logs.
+  mattr_accessor :filter_parameters
+  self.filter_parameters = %i[
+    SAMLRequest
+    SAMLResponse
+    password
+    password_confirmation
+    reset_password_token
+  ]
+
+  # Configuration for Yubico Web Services (https://upgrade.yubico.com/getapikey/)
+  mattr_accessor :yubikey_api_url
+  mattr_accessor :yubikey_api_id
+  mattr_accessor :yubikey_api_key
+
+  # TODO: There's likely to be significant overlap with :invalid_otp_reasons - can we DRY
+  # this is up somehow?
+  mattr_accessor :invalid_key_reasons
+  self.invalid_key_reasons = {
+    missing: ->(key, _user, _context) { key.blank? }
+  }
+
+  # Strategies for validating OTPWs for protected actions.
+  # Host applications are invited to add their own challenges. These should be `call`able objects
+  # that accept OTPW, user and controller context objects and return a boolean value.
+  mattr_accessor :invalid_otp_reasons
+  self.invalid_otp_reasons = {
+    missing: ->(otp, _user, _context) { otp.blank? },
+    invalid: ->(otp, _user, _context) { !Yubikey::Verify.call(otp) }
+  }
+
+  class << self
+    # Syntactic sugar for configuring NdrAuthenticate in an initializer file within host app.
+    def configure
+      yield(self)
+    end
+
+    def devise
+      Devise
+    end
+
+    def default_certificate
+      File.read(saml_certificates_path.join('certificate.pem'))
+    end
+
+    def load_defaults(name = :phe)
+      case name.to_sym
+      when :phe
+        load_phe_defaults
+      else
+        raise "Unknown configuration: #{name}"
+      end
+    end
+
+    def sso_enabled_ever?
+      sso_enabled.present?
+    end
+
+    private
+
+    def saml_certificates_path
+      @saml_certificates_path ||= Pathname.new(Engine.root.join('config', 'certificates', 'saml'))
+    end
+
+    def load_phe_defaults
+      devise.setup do |config|
+        config.saml_default_user_key = :object_guid
+      end
+
+      devise.saml_configure do |config|
+        # General
+        config.name_identifier_format        = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+
+        # IdP (ADFS)
+        config.idp_entity_id                 = 'http://fs.phe.gov.uk/adfs/services/trust'
+        config.idp_sso_target_url            = 'https://fs.phe.gov.uk/adfs/ls/'
+        config.idp_slo_target_url            = 'https://fs.phe.gov.uk/adfs/ls/'
+
+        # Privacy/Security
+        security                             = config.security
+        security[:authn_requests_signed]     = true
+        security[:logout_requests_signed]    = true
+        security[:logout_responses_signed]   = true
+        security[:want_assertions_signed]    = true
+        security[:want_assertions_encrypted] = true
+        security[:want_name_id]              = true
+        security[:metadata_signed]           = true
+        security[:embed_sign]                = true
+        security[:check_idp_cert_expiration] = true
+        security[:check_sp_cert_expiration]  = true
+        security[:digest_method]             = 'http://www.w3.org/2001/04/xmlenc#sha256'
+        security[:signature_method]          = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+
+        # Certificates
+        config.certificate                   = default_certificate
+        config.idp_cert_multi                = {
+          encryption: [File.read(saml_certificates_path.join('encryption.phe.adfs.pem'))],
+          signing:    [File.read(saml_certificates_path.join('signing.phe.adfs.pem'))]
+        }
+      end
+    end
+  end
+end

data/lib/tasks/ndr_authenticate_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :ndr_authenticate do
+#   # Task goes here
+# end