rack_entra_id_auth 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 49047b15ce1a63b8d78470a9f3470642bc1097ef848af57c588a105583ac5c08
+  data.tar.gz: 831a559681d4e4f17b837796bc670d93bbec3c148ac0f9ad868a72a2631df53c
+SHA512:
+  metadata.gz: b6e06a56cad6e71aa29e1191cec1a5e6d1c3f3a6c1080d2ed2fd2291de3af5ad3c0a41de393b72c26fb117b42490269a6c7b2eaeb65cb4e03fbf6a9cb5ee0ca5
+  data.tar.gz: a685bb6f5f8dae75f9153acfcb403594f8be4cd1ab1621b7abca4cbf97a04a55b53d4ce70c10a7b0803587816c3fbd6732d24b9ce65ebebbd1bdd62835ad9ba1

data/MIT-LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2024 David Susco
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,35 @@
+# EntraIdActiveRecordSessionStore
+
+TODO: Delete this and the text below, and describe your gem
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/entra_id_active_record_session_store`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+## Installation
+
+TODO: Replace `UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG` with your gem name right after releasing it to RubyGems.org. Please do not do it earlier due to security reasons. Alternatively, replace this section with instructions to install your gem from git if you don't plan to release to RubyGems.org.
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+    $ gem install UPDATE_WITH_YOUR_GEM_NAME_IMMEDIATELY_AFTER_RELEASE_TO_RUBYGEMS_ORG
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/entra_id_active_record_session_store.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'minitest/test_task'
+
+Minitest::TestTask.create
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/lib/generators/rack_entra_id_auth/initializer_generator.rb

@@ -0,0 +1,13 @@
+module RackEntraIdAuth
+  module Generators
+    class InitializerGenerator < Rails::Generators::Base
+      desc 'Create an initializer to configure RackEntraIdAuth.'
+
+      source_root File.expand_path('templates', __dir__)
+
+      def create_initializer
+        template 'config_initializer.rb', Rails.root.join('config', 'initializers', 'rack_entra_id_auth.rb')
+      end
+    end
+  end
+end

data/lib/generators/rack_entra_id_auth/routes_generator.rb

@@ -0,0 +1,15 @@
+module RackEntraIdAuth
+  module Generators
+    class RoutesGenerator < Rails::Generators::Base
+      desc 'Create route helpers for single sign-on/logout requests handled by the RackEntraIdAuth middleware.'
+
+      def create_login_route
+        route "get '#{RackEntraIdAuth.config.login_path}', as: :login, to: ->(env) { [204, {}, ['']] }"
+      end
+
+      def create_logout_route
+        route "get '#{RackEntraIdAuth.config.logout_path}', as: :logout, to: ->(env) { [204, {}, ['']] }"
+      end
+    end
+  end
+end

data/lib/generators/rack_entra_id_auth/templates/config_initializer.rb

@@ -0,0 +1,169 @@
+RackEntraIdAuth.configure do |config|
+  # Ruby SAML needs to be configured with the Entra ID application it will using
+  # as the Identify Provider (IdP) as well as your application that it will be
+  # using as the Service Provider (SP).
+  #
+  # All of the Ruby SAML settings are exposed as configuration attributes on the
+  # RackEntraIdAuth.config object and can be set from within this initializer or
+  # within `config/application.rb' or the environment-specific configuration
+  # files (e.g. config.rack_entra_id_auth.idp_entity_id = '…'). Any default
+  # settings defined by Ruby SAML are used by RackEntraIdAuth and called out
+  # below. They can also be found here:
+  # https://github.com/SAML-Toolkits/ruby-saml/blob/master/lib/onelogin/ruby-saml/settings.rb#L276
+
+  # ------------------------
+  # RackEntraIdAuth Settings
+  # ------------------------
+
+  # The login/logout paths are used by the middleware to create single
+  # sign-on/logout requests and redirect them to the IdP SSO/SLO Service URLs
+  # set below, respectively. It's handy to define these as routes in your
+  # application so you can use the route helpers in your views. You can do so
+  # with the `rack_entra_id_auth:routes` generator.
+  # config.login_path  = '/login'
+  # config.logout_path = '/logout'
+
+  # By default, all the login/logout responses from the IdP are redirected to
+  # base URL of your application after the response is successfully processed
+  # and the user's session is set/deleted. If you'd like the user redirected to
+  # another URL upon successful login/logout this can be set below. These can
+  # also be overridden on a per-request basis by adding a `relay_state` query
+  # parameter to requests for the login/logout paths above, e.g.
+  # `http://your:app/login?relay_state=https%3A%2F%2Fyour.app%2Fgo_here_instead`
+  # config.login_relay_state_url  = ''
+  # config.logout_relay_state_url = ''
+
+  # ----------------------------------------------------------------------------
+  # THIS SETTING HAS NO EFFECT IN AN INITIALIZER (it's set too late). It needs
+  # to be in `config/application.rb` or an environment-specific configuration
+  # file. You'll likely want to put it in in your
+  # `config/environments/production.rb` file as
+  # `config.rack_entra_id_auth.mock_server = false`.
+  # ----------------------------------------------------------------------------
+  # config.mock_server = false
+
+  # If mock_server is enabled these are the usernames you'll be able to log in
+  # as with the mock middleware, as well as the assoicatied "SAML" attributes
+  # that will be placed in the user's session.
+  # config.mock_attributes = {
+  #   'rtables' => {
+  #     'displayname'  => 'Little Bobby Tables',
+  #     'groups'       => ['Students'],
+  #     'givenname'    => "Robert');DROP TABLE Students;-- ?",
+  #     'surname'      => 'Tables',
+  #     'emailaddress' => 'rtables@your.app',
+  #     'name'         => 'rtables@your.app'
+  #   },
+  #   'badmin' => {
+  #     'displayname'  => 'Bad Admin',
+  #     'groups'       => ['Admins'],
+  #     'givenname'    => 'Bad',
+  #     'surname'      => 'Admin',
+  #     'emailaddress' => 'badmin@your.app',
+  #     'name'         => 'badmin@your.app'
+  #   }
+  # }
+
+  # The hash key the SAML attributes are stored under in the sessions hash.
+  # config.session_key = :entra_id
+
+  # The SAML attributes can be modified before they are stored within the user's
+  # session via the proc below. The following is the default proc.
+  # config.session_value_proc = Proc.new { |attributes|
+  #   attributes.inject({}) do |memo, (key, value)|
+  #     key = key.split('/').last
+  #     value = value.first if value.kind_of?(Array) and value.length.eql?(1) and !key.eql?('groups')
+  #     memo[key] = value
+  #     memo
+  #   end
+  # }
+
+  # Single logout requires changing the application's session store to work, so
+  # it is disabled by default. Once the session store is configured uncomment
+  # the line below to enable single logout.
+  # config.skip_single_logout = true
+
+  # ----------------------
+  # Ruby SAML IdP Settings
+  # ----------------------
+
+  # When the Entra ID application is set up you'll be provided with single sign-
+  # on/logout service URLs. RackEntraIdAuth needs these so it can direct the
+  # single sign-on/logout requests that originate from within your application.
+  # The public certificate provided by the IdP also needs to be in these
+  # requests and should be set below as well.
+
+  # config.idp_entity_id                  = ''
+  config.idp_sso_service_url            = "IdP SINGLE SIGN-ON SERVICE URL"
+  config.idp_slo_service_url            = "IdP SINGLE LOGOUT SERVICE URL"
+  # config.idp_slo_response_service_url   = ''
+  config.idp_cert                       = 'IdP X509CERTIFICATE'
+  # config.idp_cert_fingerprint           = ''
+  # config.idp_cert_fingerprint_algorithm = XMLSecurity::Document::SHA1
+  # config.idp_cert_multi                 = ''
+  # config.idp_attribute_names            = ''
+  # config.idp_name_qualifier             = ''
+  # config.valid_until                    = ''
+
+  # ---------------------
+  # Ruby SAML SP Settings
+  # ---------------------
+
+  # When the Entra ID application is set up you'll need to provide some way to
+  # identify your application (the SP) to it as well as the URLs your
+  # application will use to handle single sign-on/logout reseponses sent by the
+  # IdP to your application. Your application does not need to be aware of these
+  # URLs, the RackEntraIdAuth middleware will intercept and handle them.
+  # However, these URLs should not conflict with any routes within your
+  # application as requests sent to them will never make it to your application.
+
+  config.sp_entity_id                      = 'https://your.app/'
+  config.assertion_consumer_service_url    = 'https://your.app/saml/login'
+  config.single_logout_service_url         = 'https://your.app/saml/logout'
+  # config.sp_name_qualifier                 = ''
+  # config.name_identifier_format            = ''
+  # config.name_identifier_value             = ''
+  # config.name_identifier_value_requested   = ''
+  # config.sessionindex                      = ''
+  # Ruby SAML normally compresses requests/responses and double quotes the XML
+  # attributes. Uncomment the lines below to change that.
+  # config.compress_request                  = false
+  # config.compress_response                 = false
+  # config.double_quote_xml_attribute_values = false
+  # config.message_max_bytesize              = 250000
+  # config.passive                           = ''
+  # config.attributes_index                  = ''
+  # config.force_authn                       = ''
+  # config.certificate                       = ''
+  # config.private_key                       = ''
+  # config.sp_cert_multi                     = ''
+  # config.authn_context                     = ''
+  # config.authn_context_comparison          = ''
+  # config.authn_context_decl_ref            = ''
+
+  # ---------------------------
+  # Ruby SAML Workflow Settings
+  # ---------------------------
+
+  # The default Ruby SAML security configurations can be overriden by
+  # uncommenting the lines below.
+  # config.security = {
+  #   :authn_requests_signed      => true,
+  #   :logout_requests_signed     => true,
+  #   :logout_responses_signed    => true,
+  #   :want_assertions_signed     => true,
+  #   :want_assertions_encrypted  => true,
+  #   :want_name_id               => true,
+  #   :metadata_signed            => true,
+  #   :digest_method              => XMLSecurity::Document::SHA1,
+  #   :signature_method           => XMLSecurity::Document::RSA_SHA1,
+  #   :check_idp_cert_expiration  => true,
+  #   :check_sp_cert_expiration   => true,
+  #   :strict_audience_validation => true,
+  #   :lowercase_url_encoding     => true
+  # }
+
+  # Ruby SAML normally doesn't raise SAML validation errors, uncomment the line
+  # below to raise them.
+  # config.soft = false
+end

data/lib/rack_entra_id_auth/configuration.rb

@@ -0,0 +1,80 @@
+require 'active_support/configurable'
+
+module RackEntraIdAuth
+  class Configuration
+    include ActiveSupport::Configurable
+
+    config_accessor :login_path, default: '/login'
+    config_accessor :login_relay_state_url
+    config_accessor :logout_path, default: '/logout'
+    config_accessor :logout_relay_state_url
+    # mock_server must be set in `config/application.rb` or an environment-
+    # specific configuration file. I.e. it must happen before initializers as
+    # it's used in the initializer created in the Railtie.
+    config_accessor :mock_server, default: true
+    config_accessor :mock_attributes, default: {}
+    config_accessor :session_key, default: :entra_id
+    config_accessor :session_value_proc, default: Proc.new { |attributes|
+      attributes.inject({}) do |memo, (key, value)|
+        key = key.split('/').last
+        value = value.first if value.kind_of?(Array) and value.length.eql?(1) and !key.eql?('groups')
+        memo[key] = value
+        memo
+      end
+    }
+    config_accessor :skip_single_logout, default: true
+
+    # Ruby SAML ID Provider Settings
+    config_accessor :idp_entity_id
+    config_accessor :idp_sso_service_url
+    config_accessor :idp_slo_service_url
+    config_accessor :idp_slo_response_service_url
+    config_accessor :idp_cert
+    config_accessor :idp_cert_fingerprint
+    config_accessor :idp_cert_fingerprint_algorithm
+    config_accessor :idp_cert_multi
+    config_accessor :idp_attribute_names
+    config_accessor :idp_name_qualifier
+    config_accessor :valid_until
+
+    # Ruby SAML Service Provider Settings
+    config_accessor :sp_entity_id
+    config_accessor :assertion_consumer_service_url
+    config_accessor :single_logout_service_url
+    config_accessor :sp_name_qualifier
+    config_accessor :name_identifier_format
+    config_accessor :name_identifier_value
+    config_accessor :name_identifier_value_requested
+    config_accessor :sessionindex
+    config_accessor :compress_request
+    config_accessor :compress_response
+    config_accessor :double_quote_xml_attribute_values
+    config_accessor :message_max_bytesize
+    config_accessor :passive
+    config_accessor :attributes_index
+    config_accessor :force_authn
+    config_accessor :certificate
+    config_accessor :private_key
+    config_accessor :sp_cert_multi
+    config_accessor :authn_context
+    config_accessor :authn_context_comparison
+    config_accessor :authn_context_decl_ref
+
+    # Ruby SAML workflow Settings
+    config_accessor :security
+    config_accessor :soft
+
+    def ruby_saml_settings
+      config.to_h.except(
+        :login_path,
+        :login_relay_state_url,
+        :logout_path,
+        :logout_relay_state_url,
+        :mock_server,
+        :mock_attributes,
+        :session_key,
+        :session_value_proc,
+        :skip_single_logout)
+    end
+  end
+end

data/lib/rack_entra_id_auth/entra_id_request.rb

@@ -0,0 +1,240 @@
+require 'ruby-saml'
+
+module RackEntraIdAuth
+  class EntraIdRequest
+    attr_reader :request
+
+    def initialize(request, saml_setting_overrides = {})
+      @request = request
+
+      @saml_settings = OneLogin::RubySaml::Settings.new(RackEntraIdAuth.config.ruby_saml_settings.merge(saml_setting_overrides))
+    end
+
+    # Returns the request's base URL and path without the path_info at the end.
+    #
+    # @return [String]
+    #
+    def base_url
+      "#{request.base_url}#{request.path}".sub(Regexp.new("#{request.path_info}$"), '')
+    end
+
+    # Returns whether the request is a Service Provider initiated sign-on
+    # request. Returns true if the request's path info equals the login path
+    # configuration (login_path), otherwise returns false.
+    #
+    # @return [Bool]
+    #
+    def login?
+      request.path_info.eql?(RackEntraIdAuth.config.login_path)
+    end
+
+    # Returns whether the request contains a single sign-on response (for
+    # Service Provider initiated single sign-on requests). Returns true if the
+    # request's header contains a SAMLResponse and if the request's base_url and
+    # path match the ACS service url setting (assertion_consumer_service_url),
+    # otherwise returns false.
+    #
+    # @return [Bool]
+    #
+    def login_response?
+      saml_response.present? and "#{request.base_url}#{request.path}".eql?(@saml_settings.assertion_consumer_service_url)
+    end
+
+    # Returns whether the request is a Service Provider initiated logout
+    # request. Returns true if the request's path info equals the logout path
+    # configuration (logout_path), otherwise returns false.
+    #
+    # @return [Bool]
+    #
+    def logout?
+      request.path_info.eql?(RackEntraIdAuth.config.logout_path)
+    end
+
+    # Returns whether the request contains a single logout request (for ID
+    # Provider initiated single logout requests). Returns true if the request
+    # contains a SAMLRequest query parameter and if the request's base_url and
+    # path match the single logout service url setting
+    # (single_logout_service_url), otherwise returns false.
+    #
+    # @return [Bool]
+    #
+    def logout_request?
+      request.params['SAMLRequest'].present? and "#{request.base_url}#{request.path}".eql?(@saml_settings.single_logout_service_url)
+    end
+
+    # Returns whether the request contains a single logout response for Service
+    # Provider initiated logout request. Returns true if the request contains a
+    # SAMLResponse query parameter and if the request's base_url and path match
+    # the single logout service url setting (single_logout_service_url),
+    # otherwise returns false.
+    #
+    # @return [Bool]
+    #
+    def logout_response?
+      request.params['SAMLResponse'].present? and "#{request.base_url}#{request.path}".eql?(@saml_settings.single_logout_service_url)
+    end
+
+    # Returns the RelayState in the header of the request or its query
+    # parameters.
+    #
+    # @return [String]
+    #
+    def relay_state_url
+      request.get_header('rack.request.form_hash')['RelayState'] || request.params['RelayState']
+    end
+
+    # A single sign-on response for the SAMLResponse in the request's header.
+    # This is the response sent by the ID Provider for Service Provider
+    # initiated single sign-on requests.
+    #
+    # @param auth_request_id [String] If provided, check that the inResponseTo
+    #        in the response matches the uuid of the sign-on request that
+    #        initiated the response.
+    # @param skip_conditions [Bool] Skip the conditions validation.
+    # @param allowed_clock_drift [Float] The allowed clock drift when checking
+    #        time stamps.
+    # @param skip_subject_confirmation [Bool] Skip the subject confirmation
+    #        validation.
+    # @param skip_recipient_check [Bool] Skip the recipient validation of the
+    #        subject confirmation element.
+    # @param skip_audience [Bool] Skip the audience validation.
+    #
+    # @return [OneLogin::RubySaml::Response] A single sign-on response for a
+    #         Service Provideer initiated single sign-on request.
+    #
+    def saml_auth_response (auth_request_id: request.session[:auth_request_id], skip_conditions: false, allowed_clock_drift: nil, skip_subject_confirmation: false, skip_recipient_check: false, skip_audience: false)
+      response = OneLogin::RubySaml::Response.new(
+        saml_response,
+        { :settings => @saml_settings,
+          :matches_request_id => auth_request_id,
+          :skip_conditions => skip_conditions,
+          :allowed_clock_drift => allowed_clock_drift,
+          :skip_subject_confirmation => skip_subject_confirmation,
+          :skip_recipient_check => skip_recipient_check,
+          :skip_audience => skip_audience })
+
+      # the auth request's ID is no longer needed
+      request.session.delete(:auth_request_id)
+
+      response
+    end
+
+    # A single logout request for the SAMLRequest in the request's query
+    # parameters. This is the request sent by the ID Provider for ID Provider
+    # initiated single logout requests.
+    #
+    # @param allowed_clock_drift [Float] The allowed clock drift when checking
+    #        time stamps.
+    # @param relax_signature_validation [Bool] If true and there's no ID
+    #        Provider certs in the settings then ignore the signature validation
+    #        on the request.
+    #
+    # @return [OneLogin::RubySaml::Logoutresponse] A single logout response for
+    #         a Service Provideer initiated single logout request.
+    #
+    def saml_logout_request (allowed_clock_drift: nil, relax_signature_validation: false)
+      OneLogin::RubySaml::SloLogoutrequest.new(
+        request.params['SAMLRequest'],
+        { :settings => @saml_settings,
+          :allowed_clock_drift => allowed_clock_drift,
+          :relax_signature_validation => relax_signature_validation })
+    end
+
+    # A single logout response for the SAMLResponse in the request's query
+    # parameters. This is the response sent by the ID Provider for Service
+    # Provider initiated single logout requests.
+    #
+    # @param logout_request_id [String] If provided, check that the inResponseTo
+    #        in the response matches the uuid of the logout request that
+    #        initiated the response.
+    # @param relax_signature_validation [Bool] If true and there's no ID
+    #        Provider certs in the settings then ignore the signature validation
+    #        on the response.
+    #
+    # @return [OneLogin::RubySaml::Logoutresponse] A single logout response for
+    #         a Service Provideer initiated single logout request.
+    #
+    def saml_logout_response (logout_request_id: request.session[:logout_request_id], relax_signature_validation: false)
+      logout_response = OneLogin::RubySaml::Logoutresponse.new(
+        request.params['SAMLResponse'],
+        @saml_settings,
+        { :get_params => request.params,
+          :matches_request_id => logout_request_id,
+          :relax_signature_validation => relax_signature_validation })
+
+      # the logout request's ID is no longer needed
+      request.session.delete(:logout_request_id)
+
+      logout_response
+    end
+
+    # Returns a single logout reponse URL for the settings provided. Used for ID
+    # Provider initiated log outs.
+    #
+    # @param request_id [String] The ID of the LogoutRequest sent by this SP to
+    #        the IdP. That ID will be placed as the InResponseTo in the logout
+    #        response.
+    # @param logout_message [String] The message to be placed as StatusMessage
+    #        in the logout response.
+    # @param params [Hash] Extra query parameters to be added to the URL (e.g.
+    #        RelayState).
+    # @param logout_status_code [String] The StatusCode to be placed as
+    #        StatusMessage in the logout response.
+    #
+    # @return [String]
+    #
+    def slo_response_url (request_id: nil, logout_message: nil, params: {}, logout_status_code: nil)
+      OneLogin::RubySaml::SloLogoutresponse.new.create(
+        @saml_settings,
+        request_id,
+        logout_message,
+        params,
+        logout_status_code)
+    end
+
+    # Returns a single logout request URL for the settings provided if an ID
+    # Provider single logout target URL is present in the settings
+    # (idp_slo_service_url), otherwise returns nil. Used for Service Provider
+    # initiated log outs.
+    #
+    # @param params [Hash] Extra query parameters to be added to the URL (e.g.
+    #        RelayState).
+    #
+    # @return [String|nil]
+    #
+    def slo_url (params = {})
+      logout_request = OneLogin::RubySaml::Logoutrequest.new
+
+      if @saml_settings.idp_slo_service_url.present?
+        # store the logout request's uuid to validate it in the response
+        request.session[:logout_request_id] = logout_request.uuid
+
+        # return nil if no single logout url is set
+        logout_request.create(@saml_settings, params)
+      end
+    end
+
+    # Returns a single sign-on authentication request URL for the settings
+    # provided. Used for Service Provider initiated sign-ins.
+    #
+    # @param params [Hash] Extra query parameters to be added to the URL (e.g.
+    #        RelayState).
+    #
+    # @return [String]
+    #
+    def sso_url (params = {})
+      auth_request = OneLogin::RubySaml::Authrequest.new
+
+      # store the auth request's uuid to validate it in the response
+      request.session[:auth_request_id] = auth_request.uuid
+
+      auth_request.create(@saml_settings, params)
+    end
+
+    private
+
+      def saml_response
+        request.get_header('rack.request.form_hash').try(:[], 'SAMLResponse')
+      end
+  end
+end

data/lib/rack_entra_id_auth/middleware.rb

@@ -0,0 +1,192 @@
+require 'rack_entra_id_auth/entra_id_request'
+
+module RackEntraIdAuth
+  class Middleware
+    def initialize (app)
+      @app = app
+    end
+
+    def call (env)
+      request = Rack::Request.new(env)
+      entra_id_request = EntraIdRequest.new(request)
+
+      # SP initiated single sign-on request
+      if entra_id_request.login?
+        log(env, 'Redirecting login request to Entra ID single sign-on URL…')
+
+        sso_url = entra_id_request.sso_url(
+          { :RelayState => request.params['relay_state'] ||
+                           RackEntraIdAuth.config.login_relay_state_url ||
+                           entra_id_request.base_url })
+
+        return found_redirect_response(
+          sso_url,
+          'Redirecting login request to Entra ID single sign-on URL')
+      end
+
+      # SP initiated logout/single logout request
+      if entra_id_request.logout?
+        log(env, 'Destroying session…')
+
+        # destroy session in case single logout fails
+        destroy_session()
+
+        relay_state_url = request.params['relay_state'] ||
+                          RackEntraIdAuth.config.logout_relay_state_url ||
+                          entra_id_request.base_url
+
+        slo_url = entra_id_request.slo_url({ :RelayState => relay_state_url })
+
+        if request.params['skip_single_logout'].blank? and
+           !RackEntraIdAuth.config.skip_single_logout and
+           slo_url.present?
+
+          log(env, 'Redirecting logout request to Entra ID single logout URL…')
+
+          return found_redirect_response(
+            slo_url,
+            'Redirecting logout request to Entra ID single logout URL')
+        end
+
+        log(env, 'Skipping single logout because of skip_single_logout query parameter…') if request.params['skip_single_logout'].present?
+        log(env, 'Skipping single logout because of skip_single_logout configuration setting…') if RackEntraIdAuth.config.skip_single_logout
+        log(env, 'Skipping single logout because no Entra ID single logout URL was found…') if slo_url.blank?
+
+        log(env, 'Redirecting to relay state URL…')
+
+        return found_redirect_response(relay_state_url)
+      end
+
+      # SP initiatied single sign-on response
+      if entra_id_request.login_response?
+        log(env, 'Received single login response…')
+
+        auth_response = entra_id_request.saml_auth_response()
+
+        if !auth_response.is_valid?
+          log(env, "Invalid single login reponse from Entra ID: #{auth_response.errors.first}")
+
+          return internal_server_error_response("Invalid login reponse from Entra ID: #{auth_response.errors.first}")
+        end
+
+        if !auth_response.success?
+          log(env, 'Unsuccessful single single reponse from Entra ID.')
+
+          return internal_server_error_response('Unsuccessful login reponse from Entra ID.')
+        end
+
+        log(env, 'Initializing session and redirecting to relay state URL…')
+
+        # initialize the session with the response's SAML attributes
+        request.session[RackEntraIdAuth.config.session_key] = RackEntraIdAuth.config.session_value_proc.call(auth_response.attributes.all)
+
+        return found_redirect_response(
+                 entra_id_request.relay_state_url,
+                 'Received single login response, redirecting to relay state URL')
+      end
+
+      # IdP initiatied single logout request
+      if entra_id_request.logout_request? and !RackEntraIdAuth.config.skip_single_logout
+        log(env, 'Received single logout request…')
+
+        logout_request = entra_id_request.saml_logout_request()
+
+        if !logout_request.is_valid?
+          log(env, "Invalid single logout request from Entra ID: #{logout_request.errors.first}")
+
+          return internal_server_error_response("Invalid logout request from Entra ID: #{logout_request.errors.first}")
+        end
+
+        log(env, 'Destroying session and sending logout response to Entra ID…')
+
+        # destroy the session
+        destroy_session()
+
+        response_url = entra_id_request.slo_response_url(
+          request_id: logout_request.id,
+          logout_message: nil,
+          params: {
+            :RelayState => entra_id_request.relay_state_url
+          },
+          logout_status_code: nil)
+
+        return found_redirect_response(
+                 response_url,
+                 'Received single logout request, redirecting to Entra ID')
+      end
+
+      # SP initiated single logout response
+      if entra_id_request.logout_response?
+        log(env, 'Received single logout response…')
+
+        logout_response = entra_id_request.saml_logout_response()
+
+        if !logout_response.validate
+          log(env, "Invalid single logout reponse from Entra ID: #{logout_response.errors.first}")
+
+          return internal_server_error_response("Invalid logout reponse from Entra ID: #{logout_response.errors.first}")
+        end
+
+        if !logout_response.success?
+          log(env, 'Unsuccessful single logout reponse from Entra ID.')
+
+          return internal_server_error_response('Unsuccessful logout reponse from Entra ID.')
+        end
+
+        log(env, 'Destroying session and redirecting to relay state URL…')
+
+        # session should already be destroyed from SP initiated logout/single
+        # logout request, but just to be safe…
+        destroy_session()
+
+        return found_redirect_response(
+                 entra_id_request.relay_state_url,
+                 'Received single logout response, redirecting to relay state URL')
+      end
+
+      response = @app.call(env)
+
+      # Authenticate 401s
+      if response[0] == 401
+        log(env, 'Intercepted 401 Unauthorized response, redirecting to Entra ID single sign-on URL…')
+
+        return found_redirect_response(
+                 entra_id_request.sso_url(:RelayState => request.url),
+                 'Intercepted 401 Unauthorized response, redirecting to Entra ID single sign-on URL')
+      end
+
+      response
+    end
+
+    protected
+
+      def destroy_session ()
+        request.session.send(request.session.respond_to?(:destroy) ? :destroy : :clear)
+      end
+
+      def found_redirect_response (url, message = 'Redirecting to URL')
+        [ 302,
+          { 'location' => url,
+            'content-type' => 'text/plain' },
+          [ "#{message}: #{url}" ] ]
+      end
+
+      def internal_server_error_response (content = 'Internal server error')
+        [ 500,
+          { 'content-type' => 'text/html',
+            'content-length' => content.length },
+            [ content ] ]
+      end
+
+      def log (env, message, level = :info)
+        env['rack.logger'] ||= Rails.logger if defined?(Rails.logger)
+        message = "rack_entra_id_auth: #{message}"
+
+        if env['rack.logger']
+          env['rack.logger'].send(level, message)
+        else
+          env['rack.errors'].write(message.concat("\n"))
+        end
+      end
+  end
+end

data/lib/rack_entra_id_auth/mock_middleware.rb

@@ -0,0 +1,123 @@
+require 'uri'
+
+require 'rack_entra_id_auth/entra_id_request'
+
+module RackEntraIdAuth
+  class MockMiddleware
+    def initialize (app)
+      @app = app
+    end
+
+    def call (env)
+      request = Rack::Request.new(env)
+      entra_id_request = EntraIdRequest.new(request)
+
+      # mock a login page
+      if entra_id_request.login? and request.request_method.eql?('GET')
+        log(env, 'Rendering mock login page…')
+
+        return [ 200,
+                 { 'Content-Type' => 'text/html' },
+                 [ login_page(request.url) ] ]
+      end
+
+      # mock a login request
+      if entra_id_request.login? and request.request_method.eql?('POST')
+        log(env, 'Initializing session and redirecting to relay state URL…')
+
+        attributes = RackEntraIdAuth.config.mock_attributes[request.params['username']] || {}
+        redirect_url = request.params['relay_state'] ||
+                       request.params['RelayState'] ||
+                       RackEntraIdAuth.config.login_relay_state_url ||
+                       entra_id_request.base_url
+
+        request.session[RackEntraIdAuth.config.session_key] = RackEntraIdAuth.config.session_value_proc.call(attributes)
+
+        return found_redirect_response(
+                 redirect_url,
+                 'Initializing session and redirecting to relay state URL')
+      end
+
+      # mock a logout request
+      if entra_id_request.logout?
+        log(env, 'Destroying session and redirecting to relay state URL…')
+
+        redirect_url = request.params['relay_state'] ||
+                       request.params['RelayState'] ||
+                       RackEntraIdAuth.config.logout_relay_state_url ||
+                       entra_id_request.base_url
+
+        request.session.send(request.session.respond_to?(:destroy) ? :destroy : :clear)
+
+        return found_redirect_response(
+                 redirect_url,
+                 'Destroying session and redirecting to relay state URL')
+      end
+
+      response = @app.call(env)
+
+      # Authenticate 401s
+      if response[0] == 401
+        log(env, 'Intercepted 401 Unauthorized response, redirecting to mock login URL…')
+
+        login_url = URI::HTTP.build(host: request.host,
+                                    port: request.port,
+                                    path: RackEntraIdAuth.config.login_path,
+                                    query: URI.encode_www_form({ :RelayState => request.url }))
+
+        return found_redirect_response(
+                 login_url,
+                 'Intercepted 401 Unauthorized response, redirecting to mock login URL')
+      end
+
+      response
+    end
+
+    protected
+
+      def found_redirect_response (url, message = 'Redirecting to URL')
+        [ 302,
+          { 'location' => url,
+            'content-type' => 'text/plain' },
+          [ "#{message}: #{url}" ] ]
+      end
+
+      def log (env, message, level = :info)
+        env['rack.logger'] ||= Rails.logger if defined?(Rails.logger)
+        message = "rack_entra_id_auth: #{message}"
+
+        if env['rack.logger']
+          env['rack.logger'].send(level, message)
+        else
+          env['rack.errors'].write(message.concat("\n"))
+        end
+      end
+
+      def login_page (action)
+        options = RackEntraIdAuth.config.mock_attributes.keys.map { |key| %Q~<option value="#{key}">#{key}</option>~ } .join
+
+        <<-EOS
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Mock Middleware Login</title>
+  </head>
+
+  <body>
+    <form action="#{action}" method="post">
+      <label for="username">Username</label>
+
+      <select id="username" name="username">
+        <option label="No User" value=""></option>
+        #{options}
+      </select>
+
+      <input type="submit" value="Login">
+    </form>
+  </body>
+</html>
+        EOS
+      end
+  end
+end

data/lib/rack_entra_id_auth/railtie.rb

@@ -0,0 +1,19 @@
+require 'rack'
+
+module RackEntraIdAuth
+  class Railtie < ::Rails::Railtie
+    config.rack_entra_id_auth = RackEntraIdAuth.config
+
+    initializer 'Add RackEntraIdAuth Middleware' do |app|
+      if config.rack_entra_id_auth.mock_server
+        require 'rack_entra_id_auth/mock_middleware'
+
+        app.middleware.use MockMiddleware
+      else
+        require 'rack_entra_id_auth/middleware'
+
+        app.middleware.use Middleware
+      end
+    end
+  end
+end

data/lib/rack_entra_id_auth/version.rb

@@ -0,0 +1,3 @@
+module RackEntraIdAuth
+  VERSION = '1.0.0'
+end

data/lib/rack_entra_id_auth.rb

@@ -0,0 +1,14 @@
+require 'rack_entra_id_auth/configuration'
+
+module RackEntraIdAuth
+  def self.configure
+    yield config
+  end
+
+  def self.config
+    @config ||= Configuration.new
+  end
+end
+
+# done here so the RackEntraIdAuth.config method can be used in the Railtie
+require 'rack_entra_id_auth/railtie' if defined?(Rails::Railtie)

metadata

@@ -0,0 +1,144 @@
+--- !ruby/object:Gem::Specification
+name: rack_entra_id_auth
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- David Susco
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-08-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+description: Rails aware Rack middleware for Entra ID authentication.
+email:
+- dsusco@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/generators/rack_entra_id_auth/initializer_generator.rb
+- lib/generators/rack_entra_id_auth/routes_generator.rb
+- lib/generators/rack_entra_id_auth/templates/config_initializer.rb
+- lib/rack_entra_id_auth.rb
+- lib/rack_entra_id_auth/configuration.rb
+- lib/rack_entra_id_auth/entra_id_request.rb
+- lib/rack_entra_id_auth/middleware.rb
+- lib/rack_entra_id_auth/mock_middleware.rb
+- lib/rack_entra_id_auth/railtie.rb
+- lib/rack_entra_id_auth/version.rb
+homepage: https://github.com/dsusco/rack_entra_id_auth
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/dsusco/rack_entra_id_auth/issues
+  changelog_uri: https://github.com/dsusco/rack_entra_id_auth/releases/tag/v1.0.0
+  homepage_uri: https://github.com/dsusco/rack_entra_id_auth
+  source_code_uri: https://github.com/dsusco/rack_entra_id_auth
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.11
+signing_key:
+specification_version: 4
+summary: Rails aware Rack middleware for Entra ID authentication.
+test_files: []