omniauth-ucam-raven 1.0.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 292db91ca4ceff8717b798ac767bbb84c499cd9031343d923804b16bfc744fb2
-  data.tar.gz: 6029057163f1176a19f577f831e2a54b085e8f506f299c6eaa343206f3295f04
+  metadata.gz: 18905b9dcd1574b2f30aabfd3f64a724de65c7bea249cd634f8accdb020971ba
+  data.tar.gz: a6c475afba94a4c864fd9b842edf6e622b5a4b724883706bcda3da464170c81b
 SHA512:
-  metadata.gz: 88873ba31e6f607990e1cfd358ce9f82855e335fdf22ad6ab57e3f11797410599f89ebce2add126d0dae875105a74162e7deb430c50e08c18eafc4fea795120d
-  data.tar.gz: b6287b6b4ffc548664aafe778a4c8db5346371dd7a43ae4087c15da453e8f005cf985a02be756feec492c66a1f28880fc385ebaeda320206084453e995117a88
+  metadata.gz: 784b0877cc602ca311b8125c8a469359954b62bb0bb38092ce5e324d4c5b6f94794942b9402dc5e8b1f03338801c3ef92e48ed0daac78090f13818b8c6030557
+  data.tar.gz: 274c9a9fcddeb0cdfc57d8441c1a0edaece1b851c24e441219a6d7ab919800ef5c7b8c2e2aa8473cf8b4feb1498aeb73c3c29f17078e323221724d225e01790f

data/.editorconfig

@@ -0,0 +1,11 @@
+# https://editorconfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+indent_style = space
+indent_size = 2

data/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Changelog
+
+## [2.0.0] - 2020-05-27
+
+* Add support for the SRCF Goose authentication service.
+* Add support for multiple signing keys.
+* Return an error if the authentication responses is issued too far into the future from a local perspective.
+* Improve compliance of the skew parameter with the WebAuth protocol.
+* Raise an exception if RSA key file path and/or ID are not present.
+* Improve documentation and example code.
+* Bump internal dependencies.
+
+## [1.0.1] - 2018-11-15
+
+* No user-facing changes.
+* Bump internal rack version to 2.0.6 in order to patch a DoS vulnerability (CVE-2018-16468).
+
+## [1.0.0] - 2018-11-04
+
+* Initial release.

data/Gemfile.lock

@@ -1,24 +1,24 @@
 PATH
   remote: .
   specs:
-    omniauth-ucam-raven (1.0.0)
+    omniauth-ucam-raven (1.0.1)
       omniauth (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    hashie (3.5.7)
-    omniauth (1.8.1)
-      hashie (>= 3.4.6, < 3.6.0)
+    hashie (4.1.0)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    rack (2.0.6)
+    rack (2.2.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (~> 1.5)
+  bundler (~> 2.0)
   omniauth-ucam-raven!
 
 BUNDLED WITH
-   1.16.6
+   2.1.4

data/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018 Charlie Jonas
+Copyright (c) 2018-2020 Charlie Jonas
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -12,36 +12,74 @@ gem 'omniauth-ucam-raven'
 
 And then run `bundle install`.
 
+You then need to download the Raven service RSA public key pro tempore in PEM format from the project pages [here](https://raven.cam.ac.uk/project/keys/) and store it somewhere that is not writable by your web application.
+You also need to note the key ID which at the time of writing (April 2020) is 2.
+
 ## Usage
 
-You will need to download the public key used by the Raven service to sign responses and store it somewhere that is not writable by your web application.
-Download the PEM formated PKCS#1 RSA public key from the Raven project pages [here](https://raven.cam.ac.uk/project/keys/).
-You will also need the key ID that is currently in use - as of August 2004 this is 2.
-From this point on, we assume the full UNIX path and key ID are in the KEY_PATH and KEY_ID environment variables respectively.
+The strategy expects Raven signing key data in the form of an array of key ID & key path tuples.
+This allows multiple signing keys to be supported in order to facilitate key rollover or multiple backend auth servers.
+If you do not provide the key paths and/or IDs in the correct format then an exception will be raised.
+From this point on, it's assumed that the full UNIX file path and key ID are stored in the `KEY_PATH` and `KEY_ID` environment variables respectively.
 
-You can integrate the strategy into your middleware in a `config.ru`:
+If you're using Rails, you'll want to add the following to an initialisers e.g. `config/initializers/omniauth.rb` and then restart your application server:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  key_data = [[ENV['KEY_ID'], ENV['KEY_PATH']]]
+  provider :ucamraven, key_data
+end
+```
+
+For Sinatra and other Rack-based frameworks, you can integrate the strategy into your middleware e.g. in a `config.ru`:
 
 ```ruby
 use OmniAuth::Builder do
-  provider :ucamraven, ENV['KEY_ID'], ENV['KEY_PATH']
+  key_data = [[ENV['KEY_ID'], ENV['KEY_PATH']]]
+  provider :ucamraven, key_data
 end
 ```
 
-If you're using Rails, you'll want to add the following to an initialisers eg. `config/initializers/omniauth.rb` and then restart your application:
+Upon authentication, the user's details will be available in the `request.env['omniauth.auth']` object as show in the example below. Each field is well documented in the [protocol specification](https://github.com/cambridgeuniversity/UcamWebauth-protocol/blob/6e70f1f0223bc30f6963bdb79e06214a482a512e/waa2wls-protocol.txt#L231).
+It should be noted that the `email` field is for provided convenience only and its presence does not imply that the address contained therein is a valid email address.
+
+```
+{
+  "provider"=>"ucamraven",
+  "uid"=>"crsid",
+  "info"=>{"name"=>nil, "email"=>"crsid@cam.ac.uk", "ptags"=>["current"]},
+  "credentials"=>{"auth"=>"", "sso"=>["pwd"]},
+  "extra"=>{"id"=>"dateandtime", "lifetime"=>"sessionlifetime", "parameters"=>"your params string returned to you"}
+}
+```
+
+## Configuration
+
+The Ucam-Raven strategy will work straight out of the box but you can apply custom configuration if you so desire by appending an options hash to the arguments when `provider` is called, for example:
 
 ```ruby
-Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :ucamraven, ENV['KEY_ID'], ENV['KEY_PATH']
+use OmniAuth::Builder do
+  key_data = [[1, "path_to_key_1"], [2, "path_to_key_2"], [3, "path_to_key_3"]]
+  options = { desc: 'my description', msg: 'my message', params: 'string to be returned after login', date: true }
+  provider :ucamraven, key_data, options
 end
 ```
 
-For a full list of options that you can configure when setting `:ucamraven` as provider you will need to look
-[here](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/lib/omniauth/strategies/ucam-raven.rb#L13) in the source code.
+If you are looking to use the strategy with the [SRCF Goose authentication service](https://auth.srcf.net) rather than Raven then you can include the following configuration:
 
-For additional information, please refer to the [OmniAuth wiki](https://github.com/intridea/omniauth/wiki).
+```ruby
+use OmniAuth::Builder do
+  key_data = [[2, "path_to_raven_key"], [500, "path_to_goose_key"]]
+  provider :ucamraven, key_data, honk: true
+end
+```
 
-See the code for the [example Sinatra app](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/examples/sinatra/config.ru) for a hands-on example.
+See the code for the [example Sinatra app](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/examples/sinatra) for a hands-on example of this and [here](https://github.com/CHTJonas/omniauth-ucam-raven/blob/master/lib/omniauth/strategies/ucam-raven.rb#L14) for a full list of configurable options.
+Each option is fully documented in the [specification](https://github.com/cambridgeuniversity/UcamWebauth-protocol/blob/6e70f1f0223bc30f6963bdb79e06214a482a512e/waa2wls-protocol.txt#L106).
+
+For additional information, please refer to the [OmniAuth wiki](https://github.com/intridea/omniauth/wiki).
 
 ## License
 
-omniauth-ucam-raven is released under the MIT License. Copyright (c) 2018 Charlie Jonas.
+omniauth-ucam-raven is released under the MIT License.
+Copyright (c) 2018-2020 Charlie Jonas.

data/examples/sinatra/Gemfile

@@ -1,6 +1,4 @@
 source 'https://rubygems.org'
 
 gem 'sinatra'
-gem 'omniauth'
-gem 'omniauth-ucam-raven', :path => '../../'
-gem 'multi_json'
+gem 'omniauth-ucam-raven', path: '../..'

data/examples/sinatra/Gemfile.lock

@@ -1,36 +1,35 @@
 PATH
   remote: ../..
   specs:
-    omniauth-ucam-raven (1.0.0)
+    omniauth-ucam-raven (1.0.1)
       omniauth (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    hashie (3.5.7)
-    multi_json (1.13.1)
-    mustermann (1.0.3)
-    omniauth (1.8.1)
-      hashie (>= 3.4.6, < 3.6.0)
+    hashie (4.1.0)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    rack (2.0.6)
-    rack-protection (2.0.4)
+    rack (2.2.2)
+    rack-protection (2.0.8.1)
       rack
-    sinatra (2.0.4)
+    ruby2_keywords (0.0.2)
+    sinatra (2.0.8.1)
       mustermann (~> 1.0)
       rack (~> 2.0)
-      rack-protection (= 2.0.4)
+      rack-protection (= 2.0.8.1)
       tilt (~> 2.0)
-    tilt (2.0.8)
+    tilt (2.0.10)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  multi_json
-  omniauth
   omniauth-ucam-raven!
   sinatra
 
 BUNDLED WITH
-   1.16.6
+   2.1.4

data/examples/sinatra/README.md

@@ -1,12 +1,13 @@
 # Sinatra Example
 
 This example clearly demonstrates how to use the omniauth-ucam-raven strategy with a simple Sinatra web app.
-You will need to download the RSA public key from the Raven project pages [here](https://raven.cam.ac.uk/project/keys/) before you continue.
-At the time of writing (November 2018), the key ID in use to sign responses was number two.
+You will need to download the Raven service RSA public key pro tempore in PEM format from the project pages [here](https://raven.cam.ac.uk/project/keys/) and edit the path in `ucamravenexample.rb`.
+At the time of writing (April 2020), the key ID being used to sign responses is 2.
 
 ## Setup
 
 1. `git clone https://github.com/chtjonas/omniauth-ucam-raven.git`
 2. `cd omniauth-ucam-raven/examples/sinatra`
-3. Run the `rackup` command
-4. Navigate to http://localhost:4567 and complete the login process
+3. `bundle install`
+4. `bundle exec rackup`
+5. Navigate to http://localhost:4567

data/examples/sinatra/config.ru

@@ -1,29 +1,7 @@
 require 'rubygems'
-require 'bundler/setup'
-require 'sinatra'
-require 'omniauth-ucam-raven'
-require 'uri'
+require 'bundler'
 
-class UcamRavenExample < Sinatra::Base
-  use Rack::Session::Cookie
-
-  get '/' do
-    redirect '/auth/ucam-raven'
-  end
-
-  get '/auth/:provider/callback' do
-    content_type 'text/plain'
-    request.env['omniauth.auth'].to_hash.inspect rescue "No Data"
-  end
-
-  get '/auth/failure' do
-    content_type 'text/plain'
-    request.env['omniauth.auth'].to_hash.inspect rescue "No Data"
-  end
-
-  use OmniAuth::Builder do
-    provider OmniAuth::Strategies::UcamRaven, 2, "/Users/charlie/Downloads/pubkey2", {desc: 'Ucam-Raven Omniauth Strategy - Sinatra Demo', msg: 'you are testing login authorisation', params: 'This string will always get returned from WLS to WAA.', date: true }
-  end
-end
+Bundler.require
 
+require './ucamravenexample'
 run UcamRavenExample.run!

data/examples/sinatra/ucamravenexample.rb

@@ -0,0 +1,32 @@
+class UcamRavenExample < Sinatra::Base
+  use Rack::Session::Cookie
+  use OmniAuth::Builder do
+    key_data = [[2, "/Users/charlie/Downloads/pubkey2"], [500, "/Users/charlie/Downloads/pubkey500"]]
+    options = {
+      desc: 'Ucam-Raven Omniauth Strategy - Sinatra Demo',
+      msg: 'you are testing login authorisation',
+      params: 'This string will always get returned from WLS to WAA.',
+      date: true,
+      honk: true
+    }
+    provider :ucamraven, key_data, options
+  end
+
+  get '/' do
+    redirect '/auth/ucamraven'
+  end
+
+  get '/auth/:provider/callback' do
+    content_type 'text/plain'
+    request.env['omniauth.auth'].to_hash.inspect
+  rescue
+    "No Data"
+  end
+
+  get '/auth/failure' do
+    content_type 'text/plain'
+    request.env['omniauth.auth'].to_hash.inspect
+  rescue
+    "No Data"
+  end
+end

data/lib/omniauth-ucam-raven/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module UcamRaven
-    VERSION = "1.0.1"
+    VERSION = "2.0.0"
   end
 end

data/lib/omniauth/strategies/ucam-raven.rb

@@ -7,30 +7,46 @@ module OmniAuth
   module Strategies
     class UcamRaven
       include OmniAuth::Strategy
+      RAVEN_URL = 'https://raven.cam.ac.uk/auth/authenticate.html'
+      GOOSE_URL = 'https://auth.srcf.net/wls/authenticate'
 
+      # The name of the strategy.
       option :name, 'ucamraven'
 
       # Query parameters to pass to the WLS.
       # By choice, we only use version 3 so we can support Raven for Life.
-      # See: https://raven.cam.ac.uk/project/waa2wls-protocol.txt
-      option :url, 'https://raven.cam.ac.uk/auth/authenticate.html'
+      # See: https://github.com/cambridgeuniversity/UcamWebauth-protocol/blob/master/waa2wls-protocol.txt
+      option :url, nil
       option :desc, nil
       option :aauth, nil
       option :iact, nil
       option :msg, nil
       option :params, nil
       option :date, false
-      option :skew, 90
+      option :skew, 45 # the spec states that a time of 30-60 seconds is probably appropriate
       option :fail, nil
 
-      # The RSA key ID and the location on the filesystem where it's stored.
-      option :key_id, nil
-      option :key_path, nil
-      args %i[key_id key_path]
+      # An array of RSA key IDs and paths to the location where the keys are stored.
+      option :key_data, nil
+      args :key_data
 
+      # Whether or not to use the SRCF authentication service instead of Raven.
+      option :honk, false
+
+      # This method is called when the strategy is instantiated.
+      def initialize(*args, &block)
+        super(*args, &block)
+        raise 'Raven public key data not given' if options.key_data.nil?
+        raise 'Raven public key data not correctly formatted' unless options.key_data.is_a?(Array)
+        options.key_data.each do |e|
+          raise 'Raven public key data not correctly formatted' unless e.is_a?(Array) && e.length == 2
+        end
+      end
+
+      # This method is called when the user initiates a login. It redirects them to the Raven service for authentication.
       def request_phase
-        url = "#{options.url}?"
-        url << "ver=3"
+        url = (options.url || options.honk ? GOOSE_URL : RAVEN_URL).dup
+        url << "?ver=3"
         url << "&url=#{callback_url}"
         url << "&desc=#{URI::encode options.desc}" if options.desc
         url << "&aauth=#{URI::encode options.aauth}" if options.aauth
@@ -38,16 +54,15 @@ module OmniAuth
         url << "&msg=#{URI::encode options.msg}" if options.msg
         url << "&params=#{URI::encode options.params}" if options.params
         url << "&date=#{date_to_rfc3339}" if options.date
-        # skew is DEPRECATED - we don't pass it to the WLS.
+        # The skew parameter is DEPRECATED and SHOULD NOT be included in requests to the WLS.
         url << "&fail=#{URI::encode options.fail}" if options.fail
         redirect url
       end
 
+      # This method is called after the user authenticates to Raven and is redirected back to the application.
       def callback_phase
-        # Check we get what we're expecting.
-        if wls_response.nil? || wls_response == ""
-      		return fail!(:wls_response_not_present)
-        end
+        # Check the response is in the format we're expecting.
+        return fail!(:wls_response_not_present) if wls_response.nil? || wls_response == ""
         return fail!(:authentication_cancelled_by_user) if wls_response[1].to_i == 410
         return fail!(:no_mutually_acceptable_authentication_types_available) if wls_response[1].to_i == 510
         return fail!(:unsupported_protocol_version) if wls_response[1].to_i == 520
@@ -62,22 +77,24 @@ module OmniAuth
         return fail!(:too_many_wls_response_parameters) if wls_response.length > 14
 
         # Check the time skew in seconds.
+        return fail!(:invalid_issue) unless wls_response[3].length == 16
         skew = ((DateTime.now.new_offset(0) - date_from_rfc3339(wls_response[3])) * 24 * 60 * 60).to_i
-        return fail!(:skew_too_large) unless skew < options.skew
-
-        # Check the key id.
-    		return fail!(:unexpected_rsa_key_id) unless wls_response[12].to_i == options.key_id
-
-        # Check the response RSA signature.
-        signed_part = wls_response.first(12).join('!')
-        base64_part = wls_response[13].tr('-._','+/=')
-        signature = Base64.decode64(base64_part)
-        key = OpenSSL::PKey::RSA.new File.read options.key_path
-        digest  = OpenSSL::Digest::SHA1.new
-    		return fail!(:rsa_signature_check_failed) unless key.verify(digest, signature, signed_part)
-
-        # Done all we need to do; call super.
-        super
+        return fail!(:skew_too_large) unless skew.abs < options.skew
+
+        # Check that the RSA key ID and signature are correct.
+        options.key_data.each do |kid, kpath|
+          if wls_response[12].to_i == kid
+            signed_part = wls_response.first(12).join('!')
+            base64_part = wls_response[13].tr('-._','+/=')
+            signature = Base64.decode64(base64_part)
+            file_contents = File.read(kpath)
+            key = OpenSSL::PKey::RSA.new(file_contents)
+            digest  = OpenSSL::Digest::SHA1.new
+            return fail!(:rsa_signature_check_failed) unless key.verify(digest, signature, signed_part)
+            return super
+          end
+        end
+        return fail!(:unknown_rsa_key_id)
       end
 
       uid do
@@ -171,8 +188,7 @@ module OmniAuth
         s << "%02d" % t.sec
         s << "Z"
         return s
-    	end
-
+      end
     end
   end
 end

data/omniauth-ucam-raven.gemspec

@@ -6,10 +6,10 @@ Gem::Specification.new do |s|
   s.name          = 'omniauth-ucam-raven'
   s.version       = Omniauth::UcamRaven::VERSION
   s.license       = 'MIT'
-  s.summary       = "An OmniAuth strategy for Cambridge University's Raven SSO system"
-  s.description   = "An OmniAuth strategy for Cambridge University's Raven SSO system"
+  s.summary       = "OmniAuth strategy for Cambridge University's Raven SSO system"
+  s.description   = 'This Ruby gem provides an OmniAuth strategy for authenticating using the Raven SSO System, provided by the University of Cambridge, or any other system implementing the Ucam-WebAuth protocol such as the SRCF Goose login service.'
   s.authors       = ['Charlie Jonas']
-  s.email         = ['devel@charliejonas.co.uk']
+  s.email         = ['charlie@charliejonas.co.uk']
   s.homepage      = 'https://github.com/CHTJonas/omniauth-ucam-raven'
 
   s.files         = `git ls-files`.split($/)
@@ -18,5 +18,5 @@ Gem::Specification.new do |s|
   s.require_paths = ['lib']
 
   s.add_dependency 'omniauth', '~> 1.0'
-  s.add_development_dependency 'bundler', '~> 1.5'
+  s.add_development_dependency 'bundler', '~> 2.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-ucam-raven
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Charlie Jonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-18 00:00:00.000000000 Z
+date: 2020-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -30,22 +30,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.5'
-description: An OmniAuth strategy for Cambridge University's Raven SSO system
+        version: '2.0'
+description: This Ruby gem provides an OmniAuth strategy for authenticating using
+  the Raven SSO System, provided by the University of Cambridge, or any other system
+  implementing the Ucam-WebAuth protocol such as the SRCF Goose login service.
 email:
-- devel@charliejonas.co.uk
+- charlie@charliejonas.co.uk
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".editorconfig"
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -54,6 +58,7 @@ files:
 - examples/sinatra/Gemfile.lock
 - examples/sinatra/README.md
 - examples/sinatra/config.ru
+- examples/sinatra/ucamravenexample.rb
 - lib/omniauth-ucam-raven.rb
 - lib/omniauth-ucam-raven/version.rb
 - lib/omniauth/strategies/ucam-raven.rb
@@ -77,9 +82,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
-summary: An OmniAuth strategy for Cambridge University's Raven SSO system
+summary: OmniAuth strategy for Cambridge University's Raven SSO system
 test_files: []