ruby-saml-idp 0.3.2 → 0.3.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8b16a7a227b6a3e2c072eea9c5057dcc7aaf749f
+  data.tar.gz: d759a2849e41456e496fbc5d7dfab40bb5bf626d
+SHA512:
+  metadata.gz: 24c725eb2ef8fb77b942f41a495ee806341002089c0f70155bcb801a0960d1e4be7fc4a56684f00c887fa5ee66c9e79577a5220ef43b8f923d519ccafd14e573
+  data.tar.gz: ac5269128cc77bc6c336b7705366c4c8b40f98c276d07a79565da2744687d70c77d515f503d0f12ce68675b98853d689ff6c10ffe84645eef452cce866d8e1ef

data/README.md

@@ -1,5 +1,8 @@
 # Ruby SAML Identity Provider (IdP)
-[![Build Status](https://secure.travis-ci.org/lawrencepit/ruby-saml-idp.png)](http://travis-ci.org/lawrencepit/ruby-saml-idp?branch=master) [![Dependency Status](https://gemnasium.com/lawrencepit/ruby-saml-idp.png)](https://gemnasium.com/lawrencepit/ruby-saml-idp)
+
+[![Build Status](https://secure.travis-ci.org/lawrencepit/ruby-saml-idp.png)](http://travis-ci.org/lawrencepit/ruby-saml-idp?branch=master)
+[![Code Climate](https://codeclimate.com/github/lawrencepit/ruby-saml-idp/badges/gpa.svg)](https://codeclimate.com/github/lawrencepit/ruby-saml-idp)
+[![Gem Version](https://fury-badge.herokuapp.com/rb/ruby-saml-idp.png)](http://badge.fury.io/rb/ruby-saml-idp)
 
 The ruby SAML Identity Provider library is for implementing the server side of SAML authentication. It allows your application to act as an IdP (Identity Provider) using the [SAML v2.0](http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) protocol. It provides a means for managing authentication requests and confirmation responses for SPs (Service Providers).
 
@@ -34,7 +37,7 @@ Create a controller that looks like this, customize to your own situation:
 
 ``` ruby
 class SamlIdpController < SamlIdp::IdpController
-  before_filter :find_account
+  before_action :find_account
   # layout 'saml_idp'
 
   def idp_authenticate(email, password)
@@ -76,7 +79,7 @@ end
 Keys and Secrets
 ----------------
 
-To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret. You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032. Obviously you shouldn't use these if you intend to use this in production environments. In that case, within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_filter` callback within the current request context or set them globally via the `SamlIdp.config.x509_certificate` and `SamlIdp.config.secret_key` properties.
+To generate the SAML Response it uses a default X.509 certificate and secret key... which isn't so secret. You can find them in `SamlIdp::Default`. The X.509 certificate is valid until year 2032. Obviously you shouldn't use these if you intend to use this in production environments. In that case, within the controller set the properties `x509_certificate` and `secret_key` using a `prepend_before_action` callback within the current request context or set them globally via the `SamlIdp.config.x509_certificate` and `SamlIdp.config.secret_key` properties.
 
 The fingerprint to use, if you use the default X.509 certificate of this gem, is:
 

data/app/controllers/saml_idp/idp_controller.rb

@@ -7,7 +7,11 @@ module SamlIdp
 
     protect_from_forgery
 
-    before_filter :validate_saml_request
+    if Rails.version.to_i < 4
+      before_filter :validate_saml_request
+    else
+      before_action :validate_saml_request
+    end
 
     def new
       render :template => "saml_idp/idp/new"

data/lib/saml_idp/controller.rb

@@ -1,10 +1,10 @@
 # encoding: utf-8
+
 module SamlIdp
   module Controller
     require 'openssl'
     require 'base64'
     require 'time'
-    require 'uuid'
 
     attr_accessor :x509_certificate, :secret_key, :algorithm
     attr_accessor :saml_acs_url
@@ -46,7 +46,7 @@ module SamlIdp
     protected
 
       def validate_saml_request(saml_request = params[:SAMLRequest])
-        decode_SAMLRequest(saml_request)
+        decode_SAMLRequest(saml_request) rescue false
       end
 
       def decode_SAMLRequest(saml_request)
@@ -60,11 +60,12 @@ module SamlIdp
 
       def encode_SAMLResponse(nameID, opts = {})
         now = Time.now.utc
-        response_id, reference_id = UUID.generate, UUID.generate
+        response_id, reference_id = SecureRandom.uuid, SecureRandom.uuid
         audience_uri = opts[:audience_uri] || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
         issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
+        attributes_statement = attributes(opts[:attributes_provider], nameID)
 
-        assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+        assertion = %[<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><saml:Issuer Format="urn:oasis:names:SAML:2.0:nameid-format:entity">#{issuer_uri}</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><saml:AudienceRestriction><saml:Audience>#{audience_uri}</saml:Audience></saml:AudienceRestriction></saml:Conditions>#{attributes_statement}<saml:AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><saml:AuthnContext><saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>]
 
         digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
@@ -74,9 +75,9 @@ module SamlIdp
 
         signature = %[<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">#{signed_info}<ds:SignatureValue>#{signature_value}</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>#{self.x509_certificate}</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>]
 
-        assertion_and_signature = assertion.sub(/Issuer\>\<Subject/, "Issuer>#{signature}<Subject")
+        assertion_and_signature = assertion.sub(/Issuer\>\<saml:Subject/, "Issuer>#{signature}<saml:Subject")
 
-        xml = %[<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>]
+        xml = %[<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>]
 
         Base64.encode64(xml)
       end
@@ -88,5 +89,8 @@ module SamlIdp
         Base64.encode64(key.sign(algorithm.new, data))
       end
 
+      def attributes(provider, nameID)
+        provider ? provider : %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>#{nameID}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
+      end
   end
-end
+end

data/lib/saml_idp/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module SamlIdp
-  VERSION = '0.3.2'
+  VERSION = '0.3.3'
 end

data/ruby-saml-idp.gemspec

@@ -22,12 +22,11 @@ Gem::Specification.new do |s|
   s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
   s.rdoc_options = ["--charset=UTF-8"]
-  s.add_dependency('uuid')
   s.add_development_dependency "rake"
-  # s.add_development_dependency "rcov"
-  s.add_development_dependency "rspec"
-  s.add_development_dependency "ruby-saml"
+  s.add_development_dependency("nokogiri", "~> 1.6.8")
+  s.add_development_dependency("rspec", "~> 3.0")
+  s.add_development_dependency("ruby-saml", "~> 0.8")
   s.add_development_dependency("rails", "~> 3.2")
-  s.add_development_dependency("capybara")
+  s.add_development_dependency("capybara", "~> 2.4.1")
 end
 

data/spec/acceptance/idp_controller_spec.rb

@@ -9,8 +9,8 @@ feature 'IdpController' do
     fill_in 'Password', :with => "okidoki"
     click_button 'Sign in'
     click_button 'Submit'   # simulating onload
-    current_url.should == 'http://foo.example.com/saml/consume'
-    page.should have_content "brad.copa@example.com"
+    expect(current_url).to eq('http://foo.example.com/saml/consume')
+    expect(page).to have_content("brad.copa@example.com")
   end
 
-end
+end

data/spec/rails_app/app/controllers/saml_controller.rb

@@ -1,8 +1,8 @@
 class SamlController < ApplicationController
 
   def consume
-    response = Onelogin::Saml::Response.new(params[:SAMLResponse])
+    response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
     render :text => response.name_id
   end
 
-end
+end

data/spec/saml_idp/controller_spec.rb

@@ -12,7 +12,7 @@ describe SamlIdp::Controller do
     requested_saml_acs_url = "https://example.com/saml/consume"
     params[:SAMLRequest] = make_saml_request(requested_saml_acs_url)
     validate_saml_request
-    saml_acs_url.should == requested_saml_acs_url
+    expect(saml_acs_url).to eq(requested_saml_acs_url)
   end
 
   context "SAML Responses" do
@@ -23,38 +23,35 @@ describe SamlIdp::Controller do
 
     it "should create a SAML Response" do
       saml_response = encode_SAMLResponse("foo@example.com")
-      response = Onelogin::Saml::Response.new(saml_response)
-      response.name_id.should == "foo@example.com"
-      response.issuer.should == "http://example.com"
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.name_id).to eq("foo@example.com")
+      expect(response.issuer).to eq("http://example.com")
       response.settings = saml_settings
-      response.is_valid?.should be_true
+      expect(response.is_valid?).to be true
     end
 
-    [:sha1, :sha256].each do |algorithm_name|
+    it "should handle custom attribute objects" do
+      provider = double(to_s: %[<saml:AttributeStatement><saml:Attribute Name="organization"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Organization name</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>])
+
+      default_attributes = %[<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>foo@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>]
+
+
+      saml_response = encode_SAMLResponse("foo@example.com", { attributes_provider: provider })
+      response = OneLogin::RubySaml::Response.new(saml_response)
+      expect(response.response).to include provider.to_s
+      expect(response.response).to_not include default_attributes
+    end
+
+    [:sha1, :sha256, :sha384, :sha512].each do |algorithm_name|
       it "should create a SAML Response using the #{algorithm_name} algorithm" do
         self.algorithm = algorithm_name
         saml_response = encode_SAMLResponse("foo@example.com")
-        response = Onelogin::Saml::Response.new(saml_response)
-        response.name_id.should == "foo@example.com"
-        response.issuer.should == "http://example.com"
+        response = OneLogin::RubySaml::Response.new(saml_response)
+        expect(response.name_id).to eq("foo@example.com")
+        expect(response.issuer).to eq("http://example.com")
         response.settings = saml_settings
-        response.is_valid?.should be_true
-      end
-    end
-
-    [:sha384, :sha512].each do |algorithm_name|
-      it "should create a SAML Response using the #{algorithm_name} algorithm" do
-        pending "release of ruby-saml v0.5.4" do
-          self.algorithm = algorithm_name
-          saml_response = encode_SAMLResponse("foo@example.com")
-          response = Onelogin::Saml::Response.new(saml_response)
-          response.name_id.should == "foo@example.com"
-          response.issuer.should == "http://example.com"
-          response.settings = saml_settings
-          response.is_valid?.should be_true
-        end
+        expect(response.is_valid?).to be true
       end
     end
   end
-
-end
+end

data/spec/support/saml_request_macros.rb

@@ -1,19 +1,19 @@
 module SamlRequestMacros
 
   def make_saml_request(requested_saml_acs_url = "https://foo.example.com/saml/consume")
-    auth_request = Onelogin::Saml::Authrequest.new
-    auth_url = auth_request.create(saml_settings(requested_saml_acs_url))
+    auth_request = OneLogin::RubySaml::Authrequest.new
+    auth_url = auth_request.create(saml_settings(saml_acs_url: requested_saml_acs_url))
     CGI.unescape(auth_url.split("=").last)
   end
 
-  def saml_settings(saml_acs_url = "https://foo.example.com/saml/consume")
-    settings = Onelogin::Saml::Settings.new
-    settings.assertion_consumer_service_url = saml_acs_url
-    settings.issuer = "http://example.com/issuer"
-    settings.idp_sso_target_url = "http://idp.com/saml/idp"
+  def saml_settings(options = {})
+    settings = OneLogin::RubySaml::Settings.new
+    settings.assertion_consumer_service_url = options[:saml_acs_url] || "https://foo.example.com/saml/consume"
+    settings.issuer = options[:issuer] || "http://example.com/issuer"
+    settings.idp_sso_target_url = options[:idp_sso_target_url] || "http://idp.com/saml/idp"
     settings.idp_cert_fingerprint = SamlIdp::Default::FINGERPRINT
     settings.name_identifier_format = SamlIdp::Default::NAME_ID_FORMAT
     settings
   end
 
-end
+end

metadata

@@ -1,116 +1,108 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: ruby-saml-idp
-version: !ruby/object:Gem::Version 
-  hash: 23
-  prerelease: 
-  segments: 
-  - 0
-  - 3
-  - 2
-  version: 0.3.2
+version: !ruby/object:Gem::Version
+  version: 0.3.3
 platform: ruby
-authors: 
+authors:
 - Lawrence Pit
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2012-07-03 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
-  name: uuid
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
-  type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
+date: 2017-10-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: rake
-  prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.8
   type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: ruby-saml
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.8
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: rails
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 3
-        - 2
-        version: "3.2"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: capybara
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        hash: 3
-        segments: 
-        - 0
-        version: "0"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.4.1
   type: :development
-  version_requirements: *id006
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.4.1
 description: SAML IdP (Identity Provider) library in ruby
 email: lawrence.pit@gmail.com
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
+- Gemfile
+- MIT-LICENSE
+- README.md
 - app/controllers/saml_idp/idp_controller.rb
 - app/views/saml_idp/idp/new.html.erb
 - app/views/saml_idp/idp/saml_post.html.erb
@@ -120,9 +112,6 @@ files:
 - lib/saml_idp/default.rb
 - lib/saml_idp/engine.rb
 - lib/saml_idp/version.rb
-- MIT-LICENSE
-- README.md
-- Gemfile
 - ruby-saml-idp.gemspec
 - spec/acceptance/acceptance_helper.rb
 - spec/acceptance/idp_controller_spec.rb
@@ -181,38 +170,29 @@ files:
 - spec/support/saml_request_macros.rb
 homepage: http://github.com/lawrencepit/ruby-saml-idp
 licenses: []
-
+metadata: {}
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
-require_paths: 
+rdoc_options:
+- "--charset=UTF-8"
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.6.8
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: SAML Indentity Provider in ruby
-test_files: 
+test_files:
 - spec/acceptance/acceptance_helper.rb
 - spec/acceptance/idp_controller_spec.rb
 - spec/rails_app/.gitignore