omniauth-raven 0.0.10 → 0.1.0

data/lib/omniauth/pubkey2.pem

@@ -0,0 +1,5 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIGJAoGBAL/2pwBbVcJKTRF8B+K6W9Oi4xkoPiOb32te0whw7Zuf7cTFCk5tvBa6
+CI7wM0R99LtvNLFmoantTps92LjF9fvrCBYZDqpaLnk5clXShKKqt3do4SykqYkq
+66kpc42jZ58C3omR0dUfQ7o7yTktVqnrDjLVb9P+vLhAfuSFHFa1AgMBAAE=
+-----END RSA PUBLIC KEY-----

data/lib/omniauth/raven/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module Raven
-    VERSION = "0.0.10"
+    VERSION = "0.1.0"
   end
 end

data/lib/omniauth/strategies/raven.rb

@@ -1,6 +1,15 @@
 require 'omniauth'
 
 module OmniAuth
+
+	def self.raven_pubkey
+		@raven_pubkey ||= File.read File.expand_path(File.dirname(__FILE__))+'pubkey2.pem'
+	end
+
+	def self.raven_keyno
+		@raven_keyno = 2
+	end
+
     module Strategies
 
 	class Raven
@@ -15,10 +24,10 @@ module OmniAuth
 	        :url => 'https://raven.cam.ac.uk/auth/authenticate.html',
 	        :version => '1',
 	        :desc => 'DTG Gitlab',
-	        :msg => 'You are required to authenticate with Raven to access Gitlab',
-	        :iact => '0',
+	        :msg => 'you are required to authenticate with Raven to access Gitlab',
+	        :iact => '', # 'yes' to force auth, 'no' to succeed only if no interraction needs to take place
 	        :aauth => '',
-	        :fail => 'No',
+	        :fail => 'no',
 	        :max_skew => 90 #seconds
       	}
 	    
@@ -46,13 +55,48 @@ module OmniAuth
 			wls_response = request.params['WLS-Response'].to_s
 			ver, status, msg, issue, id, url, principal, auth, sso, life, params, kid, sig = wls_response.split('!')
 
-			return fail!(:invalid_credentials) if status != "200"
-
-			@name = principal
-			@email = principal+"@cam.ac.uk"
-
-			super
-
+			#Check the protocol version
+			return fail!(:invalid_response) unless ver == options[:raven_opt][:version]
+			
+			#Check the url
+			return fail!(:invalid_response) unless url == callback_url
+		
+			#Check the time skew
+			issuetime = timeforRFC3339( issue )
+			skew = issuetime - Time.now
+			return fail!(:invalid_response) unless skew.abs < options[:raven_opt][:max_skew]
+
+			#Optionally check that interaction with the user took place
+			return fail!(:invalid_response) if ( iact == 'yes' &&  auth == "" )
+			
+			#Optionally check that this response matches a request
+			if @match_response_and_request
+				response_id = unescape( params )
+				request_id = session['request_id']
+				return fail!(:invalid_response) unless request_id == response_id
+			end
+			
+			#If we got here, and status is 200, then yield the principal
+			if status == '200'
+				#Check that the Key Id is one we currently accept
+				publickey = OmniAuth.raven_pubkey
+				return fail!(:invalid_response) unless kid == OmniAuth.raven_keyno
+				
+				#Check the signature
+				length_to_drop = -(sig.length + kid.length + 3)
+				signedbit = wls_response[ 0 .. length_to_drop]
+				return fail!(:invalid_response) unless publickey.verify( OpenSSL::Digest::SHA1.new, Base64.decode64(sig.tr('-._','+/=')), signedbit)	
+
+				# Return the status
+				@name = principal
+				@email = principal+"@cam.ac.uk"
+
+				super
+			else
+				#And return the error code if it is something else.
+				return fail!(:invalid_credentials)
+			end
+			
 	    end
 
 	    uid  { @email }
@@ -78,6 +122,13 @@ module OmniAuth
 		    '%' + $1.unpack('H2' * $1.bytesize).join('%').upcase
 		  end.tr(' ', '+')
 		end
+
+		def unescape(string)
+		  str=string.tr('+', ' ').force_encoding(Encoding::ASCII_8BIT).gsub(/((?:%[0-9a-fA-F]{2})+)/) do
+		    [$1.delete('%')].pack('H*')
+		  end.force_encoding(Encoding::ASCII_8BIT)
+		  str.valid_encoding? ? str : str.force_encoding(string.encoding)
+		end
 	end
     end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-raven
 version: !ruby/object:Gem::Version
-  version: 0.0.10
+  version: 0.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -40,6 +40,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-raven.rb
+- lib/omniauth/pubkey2.pem
 - lib/omniauth/raven.rb
 - lib/omniauth/raven/version.rb
 - lib/omniauth/strategies/raven.rb