omniauth-ucam-raven 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d4123c610653dad32a2b12ddb9983cc9e62c3eb0aced3c2cba4b54ebb6b8235c
+  data.tar.gz: f803c16c63e20e8a8133e7c6862915f7687aa22d91849b13e15fe882f4781b58
+SHA512:
+  metadata.gz: e06c5366c7e2a2672490aaa6200067c8c6bf1f1f2c90365b750a128e0bf3293d0d4138b7485d462bad90e7557da03c556a9f271368a478fafb780066ff3b0d52
+  data.tar.gz: a6bfa250b9b1903c0adf13a754b66d9b3e1da3b3cf1401c6c7da92e7b4ecc0c848929b59086fd28b55333e04eea45b687164f1581ed05e9542f75ae454c4e1a7

data/.gitignore

@@ -0,0 +1,25 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-ucam-raven.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,24 @@
+PATH
+  remote: .
+  specs:
+    omniauth-ucam-raven (1.0.0)
+      omniauth (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    hashie (3.5.7)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    rack (2.0.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.5)
+  omniauth-ucam-raven!
+
+BUNDLED WITH
+   1.16.6

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Charlie Jonas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,47 @@
+# Raven Omniauth strategy
+
+This Ruby gem provides an OmniAuth strategy for authenticating using the [Raven SSO System](https://raven.cam.ac.uk), provided by the University of Cambridge.
+
+## Installation
+
+Add the strategy to your `Gemfile`:
+
+```ruby
+gem 'omniauth-ucam-raven'
+```
+
+And then run `bundle install`.
+
+## Usage
+
+You will need to download the public key used by the Raven service to sign responses and store it somewhere that is not writable by your web application.
+Download the PEM formated PKCS#1 RSA public key from the Raven project pages [here](https://raven.cam.ac.uk/project/keys/).
+You will also need the key ID that is currently in use - as of August 2004 this is 2.
+From this point on, we assume the full UNIX path and key ID are in the KEY_PATH and KEY_ID environment variables respectively.
+
+You can integrate the strategy into your middleware in a `config.ru`:
+
+```ruby
+use OmniAuth::Builder do
+  provider :ucamraven, ENV['KEY_ID'], ENV['KEY_PATH']
+end
+```
+
+If you're using Rails, you'll want to add the following to an initialisers eg. `config/initializers/omniauth.rb` and then restart your application:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :ucamraven, ENV['KEY_ID'], ENV['KEY_PATH']
+end
+```
+
+For a full list of options that you can configure when setting `:ucamraven` as provider you will need to look
+[here](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/lib/omniauth/strategies/ucam-raven.rb#L13) in the source code.
+
+For additional information, please refer to the [OmniAuth wiki](https://github.com/intridea/omniauth/wiki).
+
+See the code for the [example Sinatra app](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/examples/sinatra/config.ru) for a hands-on example.
+
+## License
+
+omniauth-ucam-raven is released under the MIT License. Copyright (c) 2018 Charlie Jonas.

data/examples/sinatra/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'sinatra'
+gem 'omniauth'
+gem 'omniauth-ucam-raven', :path => '../../'
+gem 'multi_json'

data/examples/sinatra/Gemfile.lock

@@ -0,0 +1,36 @@
+PATH
+  remote: ../..
+  specs:
+    omniauth-ucam-raven (1.0.0)
+      omniauth (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    hashie (3.5.7)
+    multi_json (1.13.1)
+    mustermann (1.0.3)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    rack (2.0.5)
+    rack-protection (2.0.4)
+      rack
+    sinatra (2.0.4)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.4)
+      tilt (~> 2.0)
+    tilt (2.0.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  multi_json
+  omniauth
+  omniauth-ucam-raven!
+  sinatra
+
+BUNDLED WITH
+   1.16.6

data/examples/sinatra/README.md

@@ -0,0 +1,12 @@
+# Sinatra Example
+
+This example clearly demonstrates how to use the omniauth-ucam-raven strategy with a simple Sinatra web app.
+You will need to download the RSA public key from the Raven project pages [here](https://raven.cam.ac.uk/project/keys/) before you continue.
+At the time of writing (November 2018), the key ID in use to sign responses was number two.
+
+## Setup
+
+1. `git clone https://github.com/chtjonas/omniauth-ucam-raven.git`
+2. `cd omniauth-ucam-raven/examples/sinatra`
+3. Run the `rackup` command
+4. Navigate to http://localhost:4567 and complete the login process

data/examples/sinatra/config.ru

@@ -0,0 +1,29 @@
+require 'rubygems'
+require 'bundler/setup'
+require 'sinatra'
+require 'omniauth-ucam-raven'
+require 'uri'
+
+class UcamRavenExample < Sinatra::Base
+  use Rack::Session::Cookie
+
+  get '/' do
+    redirect '/auth/ucam-raven'
+  end
+
+  get '/auth/:provider/callback' do
+    content_type 'text/plain'
+    request.env['omniauth.auth'].to_hash.inspect rescue "No Data"
+  end
+
+  get '/auth/failure' do
+    content_type 'text/plain'
+    request.env['omniauth.auth'].to_hash.inspect rescue "No Data"
+  end
+
+  use OmniAuth::Builder do
+    provider OmniAuth::Strategies::UcamRaven, 2, "/Users/charlie/Downloads/pubkey2", {desc: 'Ucam-Raven Omniauth Strategy - Sinatra Demo', msg: 'you are testing login authorisation', params: 'This string will always get returned from WLS to WAA.', date: true }
+  end
+end
+
+run UcamRavenExample.run!

data/lib/omniauth/strategies/ucam-raven.rb

@@ -0,0 +1,180 @@
+require 'omniauth'
+require 'uri'
+require 'base64'
+require 'openssl'
+
+module OmniAuth
+  module Strategies
+    class UcamRaven
+      include OmniAuth::Strategy
+
+      option :name, 'ucamraven'
+
+      # Query parameters to pass to the WLS.
+      # By choice, we only use version 3 so we can support Raven for Life.
+      # See: https://raven.cam.ac.uk/project/waa2wls-protocol.txt
+      option :url, 'https://raven.cam.ac.uk/auth/authenticate.html'
+      option :desc, nil
+      option :aauth, nil
+      option :iact, nil
+      option :msg, nil
+      option :params, nil
+      option :date, false
+      option :skew, 90
+      option :fail, nil
+
+      # The RSA key ID and the location on the filesystem where it's stored.
+      option :key_id, nil
+      option :key_path, nil
+      args %i[key_id key_path]
+
+      def request_phase
+        url = "#{options.url}?"
+        url << "ver=3"
+        url << "&url=#{callback_url}"
+        url << "&desc=#{URI::encode options.desc}" if options.desc
+        url << "&aauth=#{URI::encode options.aauth}" if options.aauth
+        url << "&iact=#{URI::encode options.iact}" if options.iact
+        url << "&msg=#{URI::encode options.msg}" if options.msg
+        url << "&params=#{URI::encode options.params}" if options.params
+        url << "&date=#{date_to_rfc3339}" if options.date
+        # skew is DEPRECATED - we don't pass it to the WLS.
+        url << "&fail=#{URI::encode options.fail}" if options.fail
+        redirect url
+      end
+
+      def callback_phase
+        # Check we get what we're expecting.
+        if wls_response.nil? || wls_response == ""
+      		return fail!(:wls_response_not_present)
+        end
+        return fail!(:authentication_cancelled_by_user) if wls_response[1].to_i == 410
+        return fail!(:no_mutually_acceptable_authentication_types_available) if wls_response[1].to_i == 510
+        return fail!(:unsupported_protocol_version) if wls_response[1].to_i == 520
+        return fail!(:general_request_parameter_error) if wls_response[1].to_i == 530
+        return fail!(:interaction_would_be_required) if wls_response[1].to_i == 540
+        return fail!(:waa_not_authorised) if wls_response[1].to_i == 560
+        return fail!(:authentication_declined) if wls_response[1].to_i == 570
+        return fail!(:invalid_response_status) unless wls_response[1].to_i == 200
+        return fail!(:raven_version_mismatch) unless wls_response[0].to_i == 3
+        return fail!(:invalid_response_url) unless wls_response[5] == callback_url.split('?').first
+        return fail!(:too_few_wls_response_parameters) if wls_response.length < 14
+        return fail!(:too_many_wls_response_parameters) if wls_response.length > 14
+
+        # Check the time skew in seconds.
+        skew = ((DateTime.now.new_offset(0) - date_from_rfc3339(wls_response[3])) * 24 * 60 * 60).to_i
+        return fail!(:skew_too_large) unless skew < options.skew
+
+        # Check the key id.
+    		return fail!(:unexpected_rsa_key_id) unless wls_response[12].to_i == options.key_id
+
+        # Check the response RSA signature.
+        signed_part = wls_response.first(12).join('!')
+        base64_part = wls_response[13].tr('-._','+/=')
+        signature = Base64.decode64(base64_part)
+        key = OpenSSL::PKey::RSA.new File.read options.key_path
+        digest  = OpenSSL::Digest::SHA1.new
+    		return fail!(:rsa_signature_check_failed) unless key.verify(digest, signature, signed_part)
+
+        # Done all we need to do; call super.
+        super
+      end
+
+      uid do
+        wls_response[6]
+      end
+
+      info do
+        {
+          name: nil,
+          email: email,
+          ptags: ptags
+        }
+      end
+
+      credentials do
+        {
+          auth: auth,
+          sso: sso
+        }
+      end
+
+      extra do
+        {
+          id: id,
+          lifetime: lifetime,
+          parameters: parameters
+        }
+      end
+
+      private
+
+      def wls_response
+        # ver, status, msg, issue, id, url, principal, ptags, auth, sso, life, params, kid, signature
+        @wls_response ||= request.params['WLS-Response'].split('!')
+      end
+
+      def email
+        if ptags.include? 'current'
+          # Only current students/staff will have an internal address.
+          uid + "@cam.ac.uk"
+        else
+          nil
+        end
+      end
+
+      def ptags
+        wls_response[7].split(',')
+      end
+
+      def auth
+        wls_response[8]
+      end
+
+      def sso
+        wls_response[9].split(',')
+      end
+
+      def id
+        wls_response[4]
+      end
+
+      def lifetime
+        wls_response[10]
+      end
+
+      def parameters
+        wls_response[11]
+      end
+
+      # Raven returns RFC3339 without hyphens and colons so we
+      # can't pass to the inbuilt Date.rfc3339 method. Grrrr...
+      def date_from_rfc3339(rfc3339)
+        year = rfc3339[0..3].to_i
+        month = rfc3339[4..5].to_i
+        day = rfc3339[6..7].to_i
+        hour = rfc3339[9..10].to_i
+        minute = rfc3339[11..12].to_i
+        second = rfc3339[13..14].to_i
+        DateTime.new(year, month, day, hour, minute, second)
+      end
+
+      def date_to_rfc3339
+        t = Time.now.utc
+        s = String.new
+        s << "%04d" % t.year
+        s << "%02d" % t.month
+        s << "%02d" % t.day
+        s << "T"
+        s << "%02d" % t.hour
+        s << "%02d" % t.min
+        s << "%02d" % t.sec
+        s << "Z"
+        return s
+    	end
+
+    end
+  end
+end
+
+OmniAuth.config.add_camelization "ucamraven", "UcamRaven"

data/lib/omniauth-ucam-raven/version.rb

@@ -0,0 +1,5 @@
+module Omniauth
+  module UcamRaven
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth-ucam-raven.rb

@@ -0,0 +1,2 @@
+require 'omniauth-ucam-raven/version'
+require 'omniauth/strategies/ucam-raven'

data/omniauth-ucam-raven.gemspec

@@ -0,0 +1,22 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth-ucam-raven/version'
+
+Gem::Specification.new do |s|
+  s.name          = 'omniauth-ucam-raven'
+  s.version       = Omniauth::UcamRaven::VERSION
+  s.license       = 'MIT'
+  s.summary       = "An OmniAuth strategy for Cambridge University's Raven SSO system"
+  s.description   = "An OmniAuth strategy for Cambridge University's Raven SSO system"
+  s.authors       = ['Charlie Jonas']
+  s.email         = ['devel@charliejonas.co.uk']
+  s.homepage      = 'https://github.com/CHTJonas/omniauth-ucam-raven'
+
+  s.files         = `git ls-files`.split($/)
+  s.executables   = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.test_files    = s.files.grep(%r{^(test|spec|features)/})
+  s.require_paths = ['lib']
+
+  s.add_dependency 'omniauth', '~> 1.0'
+  s.add_development_dependency 'bundler', '~> 1.5'
+end

metadata

@@ -0,0 +1,85 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-ucam-raven
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Charlie Jonas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-11-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+description: An OmniAuth strategy for Cambridge University's Raven SSO system
+email:
+- devel@charliejonas.co.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- examples/sinatra/Gemfile
+- examples/sinatra/Gemfile.lock
+- examples/sinatra/README.md
+- examples/sinatra/config.ru
+- lib/omniauth-ucam-raven.rb
+- lib/omniauth-ucam-raven/version.rb
+- lib/omniauth/strategies/ucam-raven.rb
+- omniauth-ucam-raven.gemspec
+homepage: https://github.com/CHTJonas/omniauth-ucam-raven
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: An OmniAuth strategy for Cambridge University's Raven SSO system
+test_files: []