omniauth-realme 0.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 369eb6792746df27c18c4b55d482912718e80ce3e0af63373edb785b3bbe7c48
-  data.tar.gz: 13d664346fad0cd4dc3341bd69cb9db87ef2b90a4db8c23f67b583bc5236bf41
+  metadata.gz: 46aeccbc5129dddb0f783c1c48a6e9cfd4afaa9101b139ba0a9224e6ef1f3b00
+  data.tar.gz: dbf07ef67c3aa012bc4f7b06f072992f17283f7d2a8786f2a727d003aeae90c5
 SHA512:
-  metadata.gz: 9fd1cda9c776c282b3185898780d3a51e8346e16e60d26deffabe454a346ed6f9b7ec396af78315a06fae9517a3e41a9229d4cb8c4f2b6a374162a6d6126c8eb
-  data.tar.gz: 77e45207f35ea5c62e42f7c83687c63a70f42b01b5b986eb2a439ca79c3510929c6df6907f23f6c5768ad26186b96ca8d88ab7f54b42cae0a1bd4e60004a67f7
+  metadata.gz: 3dd9674eb32527ead0968f5d89bcbf66e938d45df9ecc6e15a8567a36ab011a2047a39efbd7a44e2b0d219f3fc5885d1baa6ee0a8970e966530b67426bb0a608
+  data.tar.gz: 7d2e03de4151e52d43c6f56d393bb9d6d3b6b52a695b6abbba9a71f4f8c2d287dc4ce9c5352eb915bcdfdf9d3b072305e2084acc304501252cb286c2d1315d21

data/.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  ci_checks:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - 2.5.8
+          - 2.6.6
+          - 2.7.1
+          - 3.0.0
+
+    name: Ruby ${{ matrix.ruby }} sample
+
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@v2
+
+      - name: Install Ruby and Bundler
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: ${{ matrix.ruby }}
+
+      - name: Run rubocop
+        run: |
+          bundle exec rubocop
+
+      - name: Run tests
+        run: |
+          bundle exec rspec
+

data/.gitignore

@@ -1,59 +1,11 @@
-*.gem
-*.rbc
-/.config
-/coverage/
-/InstalledFiles
-/pkg/
-/spec/reports/
-/spec/examples.txt
-/test/tmp/
-/test/version_tmp/
-/tmp/
 /.bundle/
 /.yardoc
 /_yardoc/
+/coverage/
 /doc/
-/ruby/**/*
-spec/secrets/**/*
+/pkg/
+/spec/reports/
+/tmp/
 
 # rspec failure tracking
 .rspec_status
-
-# Used by dotenv library to load environment variables.
-# .env
-
-## Specific to RubyMotion:
-.dat*
-.repl_history
-build/
-*.bridgesupport
-build-iPhoneOS/
-build-iPhoneSimulator/
-
-## Specific to RubyMotion (use of CocoaPods):
-#
-# We recommend against adding the Pods directory to your .gitignore. However
-# you should judge for yourself, the pros and cons are mentioned at:
-# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
-#
-# vendor/Pods/
-
-## Documentation cache and generated files:
-/.yardoc/
-/_yardoc/
-/doc/
-/rdoc/
-
-## Environment normalization:
-/.bundle/
-/vendor/bundle
-/lib/bundler/man/
-
-# for a library or gem, you might want to ignore these files since the code is
-# intended to run in multiple environments; otherwise, check them in:
-# Gemfile.lock
-# .ruby-version
-# .ruby-gemset
-
-# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
-.rvmrc

data/.rubocop.yml

@@ -1,35 +1,19 @@
-AllCops:
-  DisplayStyleGuide: true
-  DisplayCopNames: true
-  Exclude:
-    - 'bin/**/*'
-    - 'Gemfile'
-    - 'Gemfile.lock'
-Documentation:
+inherit_from: .rubocop_todo.yml
+
+Style/HashEachMethods:
   Enabled: false
-Rails:
-  Enabled: true
-Rails/FilePath:
-  Exclude:
-    - 'spec/**/*'
-Metrics/LineLength:
-  Max: 150
-  Exclude:
-    - 'spec/**/*'
-Metrics/MethodLength:
-  Max: 20
-Metrics/BlockLength:
-  Exclude:
-    - 'spec/**/*'
-Metrics/AbcSize:
-  Max: 20
-Style/SymbolArray:
+
+Style/HashTransformKeys:
   Enabled: false
-Style/WordArray:
+
+Style/HashTransformValues:
   Enabled: false
-Style/GlobalVars:
-  Enabled: false
-Style/RedundantBegin:
-  Enabled: false
-Lint/ReturnInVoidContext:
-  Enabled: false 
+
+Metrics/ClassLength:
+  Max: 130
+
+Metrics/BlockLength:
+  Exclude:
+    - "spec/**/*" # specs can have long blocks
+    - "*.gemspec"
+

data/.rubocop_todo.yml

@@ -0,0 +1,30 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2020-02-26 11:21:32 +1300 using RuboCop version 0.80.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 2
+Metrics/AbcSize:
+  Max: 20
+
+# Offense count: 3
+# Configuration parameters: CountComments, ExcludedMethods.
+Metrics/MethodLength:
+  Max: 16
+
+# Offense count: 1
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/omniauth/strategies/realme.rb'
+
+# Offense count: 18
+# Cop supports --auto-correct.
+# Configuration parameters: AutoCorrect, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
+# URISchemes: http, https
+Layout/LineLength:
+  Max: 162

data/.ruby-version

@@ -1 +1 @@
-2.5.0
+2.6.5

data/Gemfile

@@ -2,16 +2,9 @@
 
 source 'https://rubygems.org'
 
-git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
-
 # Specify your gem's dependencies in omniauth-realme.gemspec
 gemspec
 
-group :development, :test do
-  gem 'rubocop',  require: false
-  gem 'pry',      require: false
-end
-
-group :test do
-  gem 'simplecov', '~> 0.16.1'
-end
+gem 'nokogiri', '>= 1.12.5'
+gem 'rake', '~> 13.0.6'
+gem 'rspec', '~> 3.10.0'

data/Gemfile.lock

@@ -1,104 +1,94 @@
 PATH
   remote: .
   specs:
-    omniauth-realme (0.0.1)
-      nokogiri
-      omniauth
-      savon
-      uuid
+    omniauth-realme (2.0.0)
+      omniauth (~> 2.0.4)
+      ruby-saml (~> 1.13.0)
+      uuid (~> 2.3.9)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    akami (1.3.1)
-      gyoku (>= 0.4.0)
-      nokogiri
     ast (2.4.0)
-    builder (3.2.3)
-    coderay (1.1.2)
-    diff-lcs (1.3)
-    docile (1.3.0)
-    gyoku (1.3.1)
-      builder (>= 2.1.2)
-    hashie (3.5.7)
-    httpi (2.4.3)
-      rack
-      socksify
-    json (2.1.0)
-    macaddr (1.7.1)
-      systemu (~> 2.6.2)
-    method_source (0.9.0)
-    mini_portile2 (2.3.0)
-    nokogiri (1.8.2)
-      mini_portile2 (~> 2.3.0)
-    nori (2.6.0)
-    omniauth (1.8.1)
-      hashie (>= 3.4.6, < 3.6.0)
+    byebug (11.1.3)
+    coderay (1.1.3)
+    diff-lcs (1.4.4)
+    hashie (4.1.0)
+    jaro_winkler (1.5.4)
+    macaddr (1.7.2)
+      systemu (~> 2.6.5)
+    method_source (1.0.0)
+    mini_portile2 (2.6.1)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
+      racc (~> 1.4)
+    omniauth (2.0.4)
+      hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    parallel (1.12.1)
-    parser (2.5.1.0)
+      rack-protection
+    parallel (1.19.1)
+    parser (2.7.0.2)
       ast (~> 2.4.0)
-    powerpack (0.1.1)
-    pry (0.11.3)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    rack (2.0.5)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-byebug (3.9.0)
+      byebug (~> 11.0)
+      pry (~> 0.13.0)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (10.5.0)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rake (13.0.6)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
-    rubocop (0.55.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    rubocop (0.80.0)
+      jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5)
-      powerpack (~> 0.1)
+      parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      rexml
       ruby-progressbar (~> 1.7)
-      unicode-display_width (~> 1.0, >= 1.0.1)
-    ruby-progressbar (1.9.0)
-    savon (2.12.0)
-      akami (~> 1.2)
-      builder (>= 2.1.2)
-      gyoku (~> 1.2)
-      httpi (~> 2.3)
-      nokogiri (>= 1.8.1)
-      nori (~> 2.4)
-      wasabi (~> 3.4)
-    simplecov (0.16.1)
-      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    socksify (1.7.1)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    rubocop-rspec (1.38.1)
+      rubocop (>= 0.68.1)
+    ruby-progressbar (1.10.1)
+    ruby-saml (1.13.0)
+      nokogiri (>= 1.10.5)
+      rexml
     systemu (2.6.5)
-    unicode-display_width (1.3.0)
-    uuid (2.3.8)
+    unicode-display_width (1.6.1)
+    uuid (2.3.9)
       macaddr (~> 1.0)
-    wasabi (3.5.0)
-      httpi (~> 2.0)
-      nokogiri (>= 1.4.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   bundler
+  nokogiri (>= 1.12.5)
   omniauth-realme!
-  pry
-  rake
-  rspec
+  pry-byebug
+  rack-test
+  rake (~> 13.0.6)
+  rspec (~> 3.10.0)
   rubocop
-  simplecov (~> 0.16.1)
+  rubocop-rspec
 
 BUNDLED WITH
-   1.16.1
+   2.1.4

data/README.md

@@ -1,16 +1,19 @@
 # omniauth-realme
-Omniauth strategy for New Zealands secure online identity verification service.
 
-This Gem has been developed for the intension of using [devise](https://github.com/plataformatec/devise) as the account model with Realme SSO intergation.
-This Gem covers all of the SAML client requirements for RealMe intergations including the RealMe's default error messages.
+![CI](https://github.com/DigitalNZ/omniauth-realme/workflows/CI/badge.svg)
 
-You will need to set up your frontend login pages to match [RealMe's branding guide lines](https://developers.realme.govt.nz/how-to-integrate/application-design-and-branding-guide/realme-page-elements/)
-We suggest you use their assets in a zip file their page.
+Omniauth strategy for New Zealand's secure online identity verification service.
+
+This Gem has been developed for the intention of using [Devise](https://github.com/plataformatec/devise) as the account model with Realme SSO integration.
+This gem covers all of the SAML client requirements for RealMe integrations including the RealMe's default error messages.
+
+You will need to set up your frontend login pages to match [RealMe's branding guidelines](https://developers.realme.govt.nz/how-to-integrate/application-design-and-branding-guide/realme-page-elements/)
+We suggest you use their assets in a zip file on their page.
 
 Getting to Production:
 You will need to complete the [RealMe Operational handover checklist](https://developers.realme.govt.nz/how-to-integrate/getting-to-production/operational-handover-checklist/) `login service` form to gain access to RealMe production environments.
 
-Not Using *ruby* but need to itergrate? Use this gem is a baseline and find a suitable Library on [onelogin's](https://github.com/onelogin) github account.
+Not using *Ruby* but need to integrate? Use this gem as a baseline and find a suitable Library on [onelogin's](https://github.com/onelogin) github account.
 
 ## Installation
 
@@ -26,21 +29,42 @@ And then execute:
     $ bundle
 
 ### Realme
-To test that you have installed the Gem correctly intergrate with their message testing servies [RealMe MTS](https://mts.realme.govt.nz/logon-mts/home) first, followed by ITE then Production intergrations.
+To test that you have installed the Gem correctly integrate with their message testing servies [RealMe MTS](https://mts.realme.govt.nz/logon-mts/home) first, followed by ITE then Production integrations.
 
-You will need to be setup your applications intergration via their [developers website](https://developers.realme.govt.nz) for ITE and production set up.
+You will need to set up your applications integration via their [developers website](https://developers.realme.govt.nz) for ITE and production.
 
 ### Devise
+
 Setup
+
 ```ruby
 # config/initializers/devise.rb
-Devise.setup do |d_config|
-  d_config.omniauth :realme
+Devise.setup do |config|
+  # ...
+  config.omniauth :realme
 end
 ```
 
 Here we configure the [ruby-saml](https://github.com/onelogin/ruby-saml) gem.
-Realme provides the nessassery `service-metadata.xml` files for their side of the intergation they can be found on this [page](https://developers.realme.govt.nz/how-realme-works/technical-integration-steps#e75)
+Realme provides the necessary `service-metadata.xml` files for their side of the integration. They can be found on this [page](https://developers.realme.govt.nz/how-realme-works/technical-integration-steps#e75)
+
+```ruby
+# config/initializers/omniauth.rb
+
+# Use OmniAuthCallbacksController#failure as the Rack app which OmniAuth will
+# redirect to in the event of a failure
+OmniAuth.config.on_failure = Proc.new { |env| OmniAuthCallbacksController.action(:failure).call(env) }
+
+OmniAuth.configure do |config|
+  # Always redirect to the failure endpoint if there is an error. Normally the
+  # exception would just be raised in development mode. This is useful for
+  # testing your Realme error handling in development.
+  config.failure_raise_out_environments = []
+
+  # We want to see OmniAuth messages in the log
+  config.logger = Rails.logger
+end
+```
 
 ```ruby
 # config/initializers/realme_omniauth.rb
@@ -50,19 +74,69 @@ OmniAuth::Strategies::Realme.configure do |config|
 
   # Callback url
   config.assertion_consumer_service_url = 'http://myapp.com/users/auth/realme/callback'
-  
+
   # Sign the request saml and decrypt response
-  config.private_key = 'Realme SLL private cert'
+
+  # Read the public+private keypair from a file. This example demonstrates
+  # using the .p12 file Realme provides to help you get up an running with their
+  # MTS environment.
+  p12 = OpenSSL::PKCS12.new(File.read(Rails.root.join("realme/Integration-Bundle-MTS-V3.2/mts_saml_sp.p12")), "password")
+
+  # Give the strategy the public key that will identify your SP to Realme (the IdP)
+  config.certificate = p12.certificate.to_s
+
+  # Give the strategy the corresponding private key so it can decrypt messages
+  # sent by Realme which are encrypted with the public key
+  config.private_key = p12.key.to_s
 
   # Realme login service xml file.
   # You will need to download the different XML files for the different environments found here: https://developers.realme.govt.nz/how-realme-works/technical-integration-steps/
   config.idp_service_metadata = Rails.root.join('path', 'to', 'logon-service-metadata.xml')
-  
-  # default Strenght
-  config.auth_strenght = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength'   
+
+  # default strength
+  config.auth_strength = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength'
+
+  # The allowed clock drift is added to the current time at which the response
+  # is validated before it's tested against the NotBefore assertion. Its value
+  # must be given in a number (and/or fraction) of seconds.
+  #
+  # Make sure to keep the value as comfortably small as possible to keep
+  # security risks to a minimum.
+  #
+  # See: https://github.com/onelogin/ruby-saml#clock-drift
+  #
+  config.allowed_clock_drift = 5.seconds # default is 0.seconds
+
+  # It can be very useful to fail noisily in development if there are SAML
+  # validation errors. We recommend enabling this in Rails development env at
+  # least.
+  #
+  config.raise_exceptions_for_saml_validation_errors = Rails.env.development? # default: false
+
+  # Versions 0.1.0 and older of this gem return the FLT or any errors from
+  # Realme in the Rails session. We are migrating away from this to a more
+  # conventional OmniAuth approach of returning the FLT in
+  # `request.env['omniauth.auth'] and errors redirect to the OmniAuth failure
+  # Rack app.
+  #
+  # As of version 0.1.0, using the Rails session is enabled by default to not
+  # break existing installations. If you are configuring this strategy in a new
+  # application, you should set this behaviour to `false` to ensure your app
+  # continues to work seamlessly in future versions of this gem.
+  #
+  config.legacy_rails_session_behaviour_enabled = false
 end
 ```
 
+Routes
+
+```ruby
+# config/routes.rb
+
+# Add/edit the `devise_for` line in your routes file as shown here
+devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+```
+
 Controllers
 ```ruby
 # app/controllers/application_controller.rb
@@ -81,19 +155,18 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-The customer `uid` will come through in their session as `session[:uid]`
+The customer `uid` will come through in `request.env['omniauth.auth']['uid']`
 
 ```ruby
-require 'devise'
+# app/controllers/users/omniauth_callbacks_controller.rb
 
 module Users
   class OmniauthCallbacksController < ::Devise::OmniauthCallbacksController
     skip_before_action :verify_authenticity_token
 
     def realme
-      return redirect_to new_user_session_path, alert: session.delete(:realme_error)[:message] if session[:realme_error].present? || session[:uid].blank?
-
-      @user = User.from_omniauth('realme', session.delete(:uid))
+      realme_flt_token = request.env["omniauth.auth"]["uid"]
+      @user = User.from_omniauth('realme', realme_flt_token)
 
       unless @user.valid?
         @user.errors.each { |err| @user.errors.delete(err) }
@@ -106,6 +179,15 @@ module Users
 
       sign_in_and_redirect @user
     end
+
+    def failure
+      exception = request.env["omniauth.error"] # a reference to the exception instance class
+      error_type = request.env["omniauth.error.type"] # the first symbol passed to fail!()
+      erroring_strategy = request.env["omniauth.error.strategy"] # a reference to the strategy instance that threw the error
+
+      flash.alert = "Realme login failed because #{exception.message}"
+      redirect_to root_path
+    end
   end
 end
 ```
@@ -163,6 +245,67 @@ Remove SAMLResponse from Rails log
 Rails.application.config.filter_parameters += [:password, 'SAMLResponse']
 ```
 
+## Metadata
+
+This gem includes `OmniAuth::Realme.generate_metadata_xml` which will generate SAML SP metadata in a form suitable for uploading to the [Realme MTS Metadata upload](https://mts.realme.govt.nz/logon-mts/metadataupdate) endpoint using the same settings you used to configure this strategy.
+
+Below is an example of using it to create a `/saml/metadata.xml` endpoint in your app. This can be convenient but might be unnecessary for your application, depending on your use case so this step is optional.
+
+```ruby
+# config/routes.rb
+
+# Example: curl http://localhost:3000/saml/metadata.xml
+get "saml/metadata", to: "saml_metadata#metadata"
+```
+
+```ruby
+# app/controllers/saml_metadata_controller.rb
+class SamlMetadataController < ApplicationController
+  # Skip authentication on the metadata action (this line is only required if
+  # you are using devise)
+  skip_before_action :authenticate_user!, only: [:metadata]
+
+  def metadata
+    respond_to do |format|
+      format.xml  { render xml: OmniAuth::Realme.generate_metadata_xml }
+    end
+  end
+end
+```
+
+If you don't need an endpoint in your app you can just invoke the function from the console e.g.
+
+```ruby
+rails-console> puts OmniAuth::Realme.generate_metadata_xml
+```
+
+## Realme Context Mapping Service (RCMS)
+
+[Realme Context Mapping Service](https://developers.realme.govt.nz/how-realme-works/whats-realme-rcms/) is an additional service which your app can optionally integrate with.
+
+Most of the work of integrating with RCMS is outside of the scope of what OmniAuth does. If your app is using RCMS then you will receive a _Login Attributes Token_ as well as the normal Realme FLT with the SAMLResponse.
+
+This strategy facilitates your use of RCMS by making that additional token (if
+it exists) available in
+`request.env['omniauth.auth']['credentials']['realme_cms_lat']` e.g.
+
+```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb
+
+module Users
+  class OmniauthCallbacksController < ::Devise::OmniauthCallbacksController
+    skip_before_action :verify_authenticity_token
+
+    def realme
+      realme_flt = request.env['omniauth.auth']['uid']
+      realme_cms_lat = request.env['omniauth.auth']['credentials']['realme_cms_lat']
+
+      # complete your RCMS integration here ...
+    end
+  end
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -171,7 +314,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/omniauth-realme.
+Bug reports and pull requests are welcome on GitHub at https://github.com/DigitalNZ/omniauth-realme.
 
 ## License
   GNU GENERAL PUBLIC LICENSE

data/lib/omniauth/realme/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-module Omniauth
+module OmniAuth
   module Realme
-    VERSION = '0.1.0'
+    VERSION = '2.0.0'
   end
 end