omniauth-raven 0.0.10 → 0.1.0
- data/lib/omniauth/pubkey2.pem +5 -0
- data/lib/omniauth/raven/version.rb +1 -1
- data/lib/omniauth/strategies/raven.rb +61 -10
- metadata +2 -1
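--- a/data/lib/omniauth/strategies/raven.rb
+++ b/data/lib/omniauth/strategies/raven.rb
@@ -1,6 +1,15 @@
 require 'omniauth'
 
 module OmniAuth
+
+def self.raven_pubkey
+@raven_pubkey ||= File.read File.expand_path(File.dirname(__FILE__))+'pubkey2.pem'
+end
+
+def self.raven_keyno
+@raven_keyno = 2
+end
+
 module Strategies
 
 class Raven
@@ -15,10 +24,10 @@ module OmniAuth
 :url => 'https://raven.cam.ac.uk/auth/authenticate.html',
 :version => '1',
 :desc => 'DTG Gitlab',
-:msg => '
-:iact => '
+:msg => 'you are required to authenticate with Raven to access Gitlab',
+:iact => '', # 'yes' to force auth, 'no' to succeed only if no interraction needs to take place
 :aauth => '',
-:fail => '
+:fail => 'no',
 :max_skew => 90 #seconds
 }
 
@@ -46,13 +55,48 @@ module OmniAuth
 wls_response = request.params['WLS-Response'].to_s
 ver, status, msg, issue, id, url, principal, auth, sso, life, params, kid, sig = wls_response.split('!')
 
-
-
-
-
-
-
-
+#Check the protocol version
+return fail!(:invalid_response) unless ver == options[:raven_opt][:version]
+
+#Check the url
+return fail!(:invalid_response) unless url == callback_url
+
+#Check the time skew
+issuetime = timeforRFC3339( issue )
+skew = issuetime - Time.now
+return fail!(:invalid_response) unless skew.abs < options[:raven_opt][:max_skew]
+
+#Optionally check that interaction with the user took place
+return fail!(:invalid_response) if ( iact == 'yes' && auth == "" )
+
+#Optionally check that this response matches a request
+if @match_response_and_request
+response_id = unescape( params )
+request_id = session['request_id']
+return fail!(:invalid_response) unless request_id == response_id
+end
+
+#If we got here, and status is 200, then yield the principal
+if status == '200'
+#Check that the Key Id is one we currently accept
+publickey = OmniAuth.raven_pubkey
+return fail!(:invalid_response) unless kid == OmniAuth.raven_keyno
+
+#Check the signature
+length_to_drop = -(sig.length + kid.length + 3)
+signedbit = wls_response[ 0 .. length_to_drop]
+return fail!(:invalid_response) unless publickey.verify( OpenSSL::Digest::SHA1.new, Base64.decode64(sig.tr('-._','+/=')), signedbit)
+
+# Return the status
+@name = principal
+@email = principal+"@cam.ac.uk"
+
+super
+else
+#And return the error code if it is something else.
+return fail!(:invalid_credentials)
+end
+
 end
 
 uid { @email }
@@ -78,6 +122,13 @@ module OmniAuth
 '%' + $1.unpack('H2' * $1.bytesize).join('%').upcase
 end.tr(' ', '+')
 end
+
+def unescape(string)
+str=string.tr('+', ' ').force_encoding(Encoding::ASCII_8BIT).gsub(/((?:%[0-9a-fA-F]{2})+)/) do
+[$1.delete('%')].pack('H*')
+end.force_encoding(Encoding::ASCII_8BIT)
+str.valid_encoding? ? str : str.force_encoding(string.encoding)
+end
 end
 end
 end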
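Review bot: The signature check added in the third hunk cannot succeed as written: `kid` comes from `wls_response.split('!')` and is a String while `OmniAuth.raven_keyno` returns the Integer 2, so `kid == OmniAuth.raven_keyno` is always false, and `OmniAuth.raven_pubkey` (first hunk) returns the PEM text from `File.read` rather than a key object, so `publickey.verify` would raise; its path also concatenates `File.dirname(__FILE__)` and `'pubkey2.pem'` with no separator, pointing into `strategies/` instead of at the `lib/omniauth/pubkey2.pem` the diffstat adds. The first hunk should read `@raven_pubkey ||= OpenSSL::PKey::RSA.new(File.read(File.join(File.dirname(__FILE__), '..', 'pubkey2.pem')))` and the key-id line `return fail!(:invalid_response) unless kid == OmniAuth.raven_keyno.to_s`. `iact` on the interaction check is not among the locals assigned from the split, so unless a method of that name exists outside the hunk it raises NameError; presumably `options[:raven_opt][:iact]` is meant. A response with fewer than 13 fields leaves `sig` nil and a malformed `issue` makes `timeforRFC3339` raise, so both surface as exceptions rather than `fail!(:invalid_response)`; the enclosing callback method starts before this hunk.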
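--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-raven
 version: !ruby/object:Gem::Version
-version: 0.0
+version: 0.1.0
 prerelease:
 platform: ruby
 authors:
@@ -40,6 +40,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-raven.rb
+- lib/omniauth/pubkey2.pem
 - lib/omniauth/raven.rb
 - lib/omniauth/raven/version.rb
 - lib/omniauth/strategies/raven.rb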