okta-auth-proxy 0.0.2

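--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 29d6ec6994ef42bb021bfc2f2ad9f02941ea1af4
+data.tar.gz: 8dca49d5119505c14c28914bfe10078afd01f176
+SHA512:
+metadata.gz: 880d4eda3831c0766098b576ea2941b6a88985f86ef65bfc70e4840c5db26912fab6ed0cfaa5d8c43c05c0536d6549ab15dcc1387e1d80b591d92bd70ccf9ad4
+data.tar.gz: 6475e2b99700c8e48e6d9b9338685a052ec2422f1f2824cb8bbe02c9b66b8498702e06427a928a1c7cf57d66f0c6b6cc94a74cb8fda93e2184ca6d75cbce5812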
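--- a/bin/okta-auth-proxy
+++ b/bin/okta-auth-proxy
@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+$LOAD_PATH.unshift(File.expand_path('../lib', __dir__))
+require 'okta-auth-proxy/cli'
+require 'benchmark'
+
+begin
+etime = Benchmark.realtime { OktaAuthProxy::CLI.start(ARGV) }
+$stderr.puts "Completed in #{etime}s"
+rescue Thor::UndefinedCommandError, Thor::UnknownArgumentError, Thor::AmbiguousCommandError, Thor::InvocationError => e
+$stderr.puts(e.message)
+exit(64)
+rescue Thor::Error => e
+$stderr.puts(e.message)
+exit(1)
+end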
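Review bot: The `exit(64)` on the usage-error branch encodes a convention that is not stated anywhere in the script; a one-line comment would save the next reader a lookup: `# 64 = EX_USAGE (sysexits): bad command line, as opposed to 1 for a runtime failure`. The `Completed in` timing line is printed only when `CLI.start` returns normally, which is fine, but since it shares stderr with the error messages it is worth a comment saying diagnostics deliberately go to stderr so stdout stays clean for the server's own output.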
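--- a/lib/okta-auth-proxy.rb
+++ b/lib/okta-auth-proxy.rb
@@ -0,0 +1,5 @@
+require 'active_support/all'
+require 'okta-auth-proxy/version'
+require 'okta-auth-proxy/app'
+require 'okta-auth-proxy/auth'
+require 'okta-auth-proxy/server'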
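--- a/lib/okta-auth-proxy/app.rb
+++ b/lib/okta-auth-proxy/app.rb
@@ -0,0 +1,44 @@
+require 'sinatra'
+require 'okta-auth-proxy/auth'
+
+module OktaAuthProxy
+class ProxyApp < Sinatra::Base
+register OktaAuthProxy::OktaAuth
+
+# Block that is called back when authentication is successful
+[:get, :post, :put, :head, :delete, :options, :patch, :link, :unlink].each do |verb|
+
+send verb, '/*' do
+pass if request.host == (ENV['AUTH_DOMAIN'] || 'localhost')
+pass if request.path == '/auth/saml/callback'
+protected!
+# If authorized, serve request
+if url = authorized?(request.host)
+headers "X-Remote-User" => session[:email]
+headers "X-Reproxy-URL" => File.join(url, request.fullpath)
+headers "X-Accel-Redirect" => "/reproxy"
+redirect to('http://localhost')
+end
+end
+
+send verb, '/auth/:name/callback' do
+auth = request.env['omniauth.auth']
+session[:logged] = true
+session[:provider] = auth.provider
+session[:uid] = auth.uid
+session[:name] = auth.info.name
+session[:email] = auth.info.email
+if request.env.has_key? 'HTTP_X_FORWARDED_FOR'
+session[:remote_ip] = request.env['HTTP_X_FORWARDED_FOR']
+else
+session[:remote_ip] = request.env['HTTP_X_REAL_IP']
+end
+redirect to(params[:RelayState] || '/')
+end
+
+send verb, '/auth/failure' do
+'Login failed'
+end
+end
+end
+end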
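Review bot: `redirect to(params[:RelayState] || '/')` in the `/auth/:name/callback` route is an open redirect: RelayState round-trips from the client (auth.rb maps the `redirectUrl` query parameter onto it), and Sinatra's `to`/`uri` helper returns an address that already carries a scheme unchanged, so a crafted login link lands a freshly authenticated user on an arbitrary external site. Accept only local paths before redirecting: `target = params[:RelayState].to_s` / `target = '/' unless target.start_with?('/') && !target.start_with?('//')` / `redirect to(target)`. The same route copies `HTTP_X_FORWARDED_FOR` into `session[:remote_ip]`; that header is client-supplied unless the fronting proxy overwrites it, and nothing in this commit reads the value back, so either mark it informational in a comment or drop it. The `pass if request.host == (ENV['AUTH_DOMAIN'] || 'localhost')` shortcut keys on the client-controlled Host header; whether that is harmless depends on nginx only reproxying when `X-Accel-Redirect` is present, which deserves a comment on that line rather than being left implicit.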
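--- a/lib/okta-auth-proxy/auth.rb
+++ b/lib/okta-auth-proxy/auth.rb
@@ -0,0 +1,71 @@
+require 'sinatra/base'
+require 'omniauth'
+require 'omniauth-saml'
+
+module OktaAuthProxy
+module OktaAuth
+
+module AuthHelpers
+def protected!
+return if authorized?(request.host)
+redirect to("/auth/saml?redirectUrl=#{URI::encode(request.path)}")
+end
+
+def authorized?(host)
+if session[:uid]
+return ENV['PROXY_TARGET']
+else
+return false
+end
+end
+end
+
+def self.registered(app)
+app.helpers OktaAuthProxy::OktaAuth::AuthHelpers
+# Use a wildcard cookie to achieve single sign-on for all subdomains
+app.use Rack::Session::Cookie, secret: ENV['COOKIE_SECRET'] || 'replaceme',
+domain: ENV['COOKIE_DOMAIN'] || 'localhost'
+app.use OmniAuth::Builder do
+provider :saml,
+issuer: "http://localhost:3311",
+idp_sso_target_url: ENV['SSO_TARGET_URL'],
+idp_cert: File.read( ENV['CERT_PATH'] || 'okta_cert.pem'),
+name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+idp_sso_target_url_runtime_params: {:redirectUrl => :RelayState}
+end
+end
+end
+end
+
+
+#def authenticated?
+# #check_remote_ip = nil
+# #if request.env.has_key? 'HTTP_X_FORWARDED_FOR'
+# # check_remote_ip = request.env['HTTP_X_FORWARDED_FOR']
+# #else
+# # check_remote_ip = request.env['HTTP_X_REAL_IP']
+# #end
+# if session[:logged] == true #and session[:remote_ip] == check_remote_ip
+# return true
+# else
+# return false
+# end
+#end
+#
+## Return internal URL or false if unauthorized
+#def authorized?(host)
+# authorized = false
+# # Check whether the email address is authorized
+# if ! session.has_key? :email
+# return false
+# end
+# split_email_address = session[:email].split('@')
+# if defined? settings.allowed_email_domains and settings.allowed_email_domains.include? split_email_address.last
+# authorized = true
+# end
+# if authorized == true #and settings.routing.has_key? host
+# return settings.routing[host]
+# else
+# return false
+# end
+#end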
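Review bot: `secret: ENV['COOKIE_SECRET'] || 'replaceme'` in `registered` fails open: when the variable is unset the session cookie is signed with a constant that ships in the gem, so a cookie carrying `session[:uid]` can be produced without ever touching the IdP and `authorized?` will hand back `PROXY_TARGET` for it. Make the secret mandatory, `secret: ENV.fetch('COOKIE_SECRET')`, so a misconfigured deployment refuses to start instead of running unauthenticated, and add `secure: true` once the proxy is served over TLS (the hard-coded `http://localhost:3311` issuer suggests that is still open). `URI::encode` in `protected!` is the obsolete `URI.escape`, removed in Ruby 3.0 and leaving `&`, `?` and `=` unescaped before that; use `ERB::Util.url_encode(request.path)` or `URI.encode_www_form_component`. `authorized?(host)` never reads `host`, and the email-domain allow-list it replaced survives only as the commented-out block at the end of the file; either reinstate that check or delete the dead code and state in a comment that any user the IdP asserts is authorized for the single `PROXY_TARGET`.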
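--- a/lib/okta-auth-proxy/cli.rb
+++ b/lib/okta-auth-proxy/cli.rb
@@ -0,0 +1,15 @@
+require 'thor'
+require 'okta-auth-proxy'
+
+class OktaAuthProxy::CLI < Thor
+
+desc 'serve', 'Start the server'
+method_option :threads, type: :numeric, default: 1000, banner: 'THREADS', desc: 'Number of worker threads', aliases: '-t'
+method_option :bind, type: :string, default: '127.0.0.1', banner: 'BIND_HOST', desc: 'Address to bind to', aliases: '-b'
+method_option :port, type: :numeric, default: 3311, banner: 'PORT', desc: 'Port to listen on', aliases: '-p'
+method_option :debug, type: :boolean, default: false, desc: 'Run in debug mode', aliases: '-d'
+def serve(port: nil, threads: nil, bind: nil, debug: nil)
+opts = options.deep_symbolize_keys
+OktaAuthProxy::ProxyServer.new(**opts).run
+end
+end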
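Review bot: `def serve(port: nil, threads: nil, bind: nil, debug: nil)` declares keyword parameters that Thor never fills in — Thor passes only positional arguments and exposes the parsed flags through `options`, which is what the body reads — so the four keywords are dead and suggest a second source of configuration that does not exist. Use `def serve` and let the `method_option` declarations remain the single description of the command's interface. `options.deep_symbolize_keys` is an ActiveSupport core extension that arrives via `require 'okta-auth-proxy'`; a comment such as `# deep_symbolize_keys comes from active_support/all, loaded by okta-auth-proxy` would make that implicit dependency visible to anyone trimming the requires later.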
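--- a/lib/okta-auth-proxy/server.rb
+++ b/lib/okta-auth-proxy/server.rb
@@ -0,0 +1,42 @@
+require 'okta-auth-proxy/app'
+require 'thin'
+require 'em-synchrony'
+
+module OktaAuthProxy
+class ProxyServer
+def initialize(port: 3311, threads:1000, bind: '127.0.0.1', debug:false)
+debug ||= ENV['DEBUG']
+
+if debug
+$stdout.sync = true
+$stderr.sync = true
+end
+
+app = ProxyApp.new
+dispatch = Rack::Builder.app do
+map '/' do
+run app
+end
+end
+@server = Thin::Server.new(port, bind, dispatch, threadpool_size: threads).backend
+end
+
+def start
+@server.start
+end
+
+def run
+EM.run do
+init_sighandlers
+@server.start
+end
+end
+private
+
+def init_sighandlers
+trap(:INT) { 'Got interrupt'; EM.stop; exit }
+trap(:TERM) { 'Got term'; EM.stop; exit }
+trap(:KILL) { 'Got kill'; EM.stop; exit }
+end
+end
+end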
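Review bot: `trap(:KILL) { ... }` in `init_sighandlers` cannot succeed — SIGKILL is not trappable and Ruby raises when asked to install a handler for it — so `run` raises inside `EM.run` before `@server.start` on the next line is ever reached; remove that trap. The `'Got interrupt'` and `'Got term'` string literals in the other two handlers are evaluated and discarded, so nothing is actually logged; if the message is wanted, write `$stderr.puts 'Got interrupt'` and `$stderr.puts 'Got term'`. `debug ||= ENV['DEBUG']` only switches the standard streams to unbuffered, which is narrower than the CLI's 'Run in debug mode' help text implies; a comment on that line, `# debug currently means unbuffered stdout/stderr only`, would set expectations until it does more.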
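--- a/lib/okta-auth-proxy/version.rb
+++ b/lib/okta-auth-proxy/version.rb
@@ -0,0 +1,3 @@
+module OktaAuthProxy
+VERSION = '0.0.2'
+end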
metadata ADDED
@@ -0,0 +1,219 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: okta-auth-proxy
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.2
5
+ platform: ruby
6
+ authors:
7
+ - Dale Hamel
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2016-04-09 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: sinatra
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - '='
18
+ - !ruby/object:Gem::Version
19
+ version: 1.4.7
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - '='
25
+ - !ruby/object:Gem::Version
26
+ version: 1.4.7
27
+ - !ruby/object:Gem::Dependency
28
+ name: omniauth
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - '='
32
+ - !ruby/object:Gem::Version
33
+ version: 1.3.1
34
+ type: :runtime
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - '='
39
+ - !ruby/object:Gem::Version
40
+ version: 1.3.1
41
+ - !ruby/object:Gem::Dependency
42
+ name: omniauth-saml
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - '='
46
+ - !ruby/object:Gem::Version
47
+ version: 1.5.0
48
+ type: :runtime
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - '='
53
+ - !ruby/object:Gem::Version
54
+ version: 1.5.0
55
+ - !ruby/object:Gem::Dependency
56
+ name: em-synchrony
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - '='
60
+ - !ruby/object:Gem::Version
61
+ version: 1.0.4
62
+ type: :runtime
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - '='
67
+ - !ruby/object:Gem::Version
68
+ version: 1.0.4
69
+ - !ruby/object:Gem::Dependency
70
+ name: thin
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - ">="
74
+ - !ruby/object:Gem::Version
75
+ version: 1.6.4
76
+ type: :runtime
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - ">="
81
+ - !ruby/object:Gem::Version
82
+ version: 1.6.4
83
+ - !ruby/object:Gem::Dependency
84
+ name: thor
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: 0.19.1
90
+ type: :runtime
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - ">="
95
+ - !ruby/object:Gem::Version
96
+ version: 0.19.1
97
+ - !ruby/object:Gem::Dependency
98
+ name: activesupport
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - '='
102
+ - !ruby/object:Gem::Version
103
+ version: 4.2.5
104
+ type: :runtime
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - '='
109
+ - !ruby/object:Gem::Version
110
+ version: 4.2.5
111
+ - !ruby/object:Gem::Dependency
112
+ name: pry
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - '='
116
+ - !ruby/object:Gem::Version
117
+ version: 0.10.3
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - '='
123
+ - !ruby/object:Gem::Version
124
+ version: 0.10.3
125
+ - !ruby/object:Gem::Dependency
126
+ name: pry-byebug
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - '='
130
+ - !ruby/object:Gem::Version
131
+ version: 3.3.0
132
+ type: :development
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - '='
137
+ - !ruby/object:Gem::Version
138
+ version: 3.3.0
139
+ - !ruby/object:Gem::Dependency
140
+ name: rake
141
+ requirement: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - '='
144
+ - !ruby/object:Gem::Version
145
+ version: 10.4.2
146
+ type: :development
147
+ prerelease: false
148
+ version_requirements: !ruby/object:Gem::Requirement
149
+ requirements:
150
+ - - '='
151
+ - !ruby/object:Gem::Version
152
+ version: 10.4.2
153
+ - !ruby/object:Gem::Dependency
154
+ name: simplecov
155
+ requirement: !ruby/object:Gem::Requirement
156
+ requirements:
157
+ - - '='
158
+ - !ruby/object:Gem::Version
159
+ version: 0.10.0
160
+ type: :development
161
+ prerelease: false
162
+ version_requirements: !ruby/object:Gem::Requirement
163
+ requirements:
164
+ - - '='
165
+ - !ruby/object:Gem::Version
166
+ version: 0.10.0
167
+ - !ruby/object:Gem::Dependency
168
+ name: rspec
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - '='
172
+ - !ruby/object:Gem::Version
173
+ version: 3.2.0
174
+ type: :development
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - '='
179
+ - !ruby/object:Gem::Version
180
+ version: 3.2.0
181
+ description: Auth backend for use with nginx to protect applications with Okta SAML
182
+ email: dale.hamel@srvthe.net
183
+ executables:
184
+ - okta-auth-proxy
185
+ extensions: []
186
+ extra_rdoc_files: []
187
+ files:
188
+ - bin/okta-auth-proxy
189
+ - lib/okta-auth-proxy.rb
190
+ - lib/okta-auth-proxy/app.rb
191
+ - lib/okta-auth-proxy/auth.rb
192
+ - lib/okta-auth-proxy/cli.rb
193
+ - lib/okta-auth-proxy/server.rb
194
+ - lib/okta-auth-proxy/version.rb
195
+ homepage: https://github.com/dalehamel/okta-auth-proxy
196
+ licenses:
197
+ - MIT
198
+ metadata: {}
199
+ post_install_message:
200
+ rdoc_options: []
201
+ require_paths:
202
+ - lib
203
+ required_ruby_version: !ruby/object:Gem::Requirement
204
+ requirements:
205
+ - - ">="
206
+ - !ruby/object:Gem::Version
207
+ version: '0'
208
+ required_rubygems_version: !ruby/object:Gem::Requirement
209
+ requirements:
210
+ - - ">="
211
+ - !ruby/object:Gem::Version
212
+ version: '0'
213
+ requirements: []
214
+ rubyforge_project:
215
+ rubygems_version: 2.4.8
216
+ signing_key:
217
+ specification_version: 4
218
+ summary: Okta for apps without SAML support
219
+ test_files: []