saml_camel 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 71f94da315b31aec73381b73e58fb6bb1a6fd3eb
-  data.tar.gz: '08d80cedc906fb1cb14ceaa008a796a9bee802c5'
+  metadata.gz: 9587f9aa4978c5bfc1ff83fd93490b77cfada4a0
+  data.tar.gz: d005f8ba385cd0443baeda86c668d002c7907857
 SHA512:
-  metadata.gz: 62891d7a9e63252a869314de2d06fc919646eb7b5a9f5b005b3d15d53bee9091514e9126ba6dd94daac2909fac9adff83eb6e3d31e1050a930183413643d9fce
-  data.tar.gz: 30cc191cb55e6a66cc192327d201365450e48beb0d76ca62d683d910ecfcbdec2b1c8faf0f4040c052d1c072357543e55b76d00167d5cb770577825d4e558806
+  metadata.gz: 012d8b91632f47e689f385cb1de8f82e7e99696579e11491ce94e54de0823f0b56f727bd25b5e748cc1c288db6debaf57f2aa5df3d7b83a3ffdc1a20514b779a
+  data.tar.gz: de3c6af5a1395e1a44502b9f85101f8e42d238362443ff7826037ec96d783712329ae028370365b2b514f4f338287e04247a3e906ae1b0dd04ac0e4bb8e2817e

data/app/controllers/concerns/saml_camel/saml_helpers.rb

@@ -7,7 +7,10 @@ module SamlCamel::SamlHelpers
 
     #this generates a call to the idp, which will then be returned to the consume action the in saml_contorller
     def saml_request(host_request)
+      relay_state = SecureRandom.base64.chomp.gsub( /\n/, '' ) #set relay state to secure against replay attack
+      session[:relay_state] = relay_state
       request = OneLogin::RubySaml::Authrequest.new
+
       secure_cookie = (Rails.env == "development" || Rails.env == "test") ? false : true
       cookies.encrypted[:saml_camel_redirect] = {
         value: host_request.url,
@@ -15,7 +18,21 @@ module SamlCamel::SamlHelpers
         httponly: true
       }
 
-      redirect_to(request.create(SamlCamel::Transaction.saml_settings))
+      cookies.encrypted[:saml_camel_relay] = {
+        value: relay_state,
+        secure: secure_cookie,
+        httponly: true
+      }
+
+      saml_request = request.create(SamlCamel::Transaction.saml_settings) + "&RelayState=#{relay_state}"
+      redirect_to(saml_request)
+    end
+
+
+    def valid_relay_state(param_relay_state)
+      stored_relay = cookies.encrypted[:saml_camel_relay]
+      cookies.delete :saml_camel_relay
+      param_relay_state == stored_relay
     end
 
 

data/app/controllers/saml_camel/saml_controller.rb

@@ -13,7 +13,9 @@ module SamlCamel
     end
 
     def consume
+      raise "Invalid RelayState" unless valid_relay_state(params[:RelayState])
       redirect_path = cookies.encrypted[:saml_camel_redirect]
+
       cookies.delete :saml_camel_redirect
       response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
       response.settings = saml_settings
@@ -38,7 +40,12 @@ module SamlCamel
     rescue => e
       session[:saml_success] = false
       SamlCamel::Logging.auth_failure(e)
-      redirect_to main_app.try('root_path')
+      redirect_to action: "failure", locals:{errors: e}
+    end
+
+    def failure
+      @error = params[:locals][:errors]
+      # byebug
     end
 
     def logout
@@ -46,12 +53,11 @@ module SamlCamel
       session[:saml_attributes] = nil
       session[:sp_session] = nil
 
-      return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
-      redirect_to return_url
+      # return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
+      redirect_to "https://shib.oit.duke.edu/cgi-bin/logout.pl"
     end
 
     def attr_check
-
     end
 
 

data/app/models/saml_camel/logging.rb

@@ -7,16 +7,22 @@ module SamlCamel
     def self.successfull_auth(saml_attrs)
       logger = Logger.new("log/saml.log")
       logger.info("#{saml_attrs[PRIMARY_ID]} has succesfully authenticated.")
+    rescue
+      logger.debug("Unknown Error During successfull_auth logging. Check PRIMARY_ID configured in settings.json and that user has attribute.")
     end
 
     def self.auth_failure(error_context)
       logger = Logger.new("log/saml.log")
       logger.error("An error occured during authentication. #{error_context}")
+    rescue
+      logger.debug("Unknown Error During auth_failure logging.")
     end
 
     def self.logout(saml_attrs)
       logger = Logger.new("log/saml.log")
       logger.info("#{saml_attrs[PRIMARY_ID]} has succesfully logged out.")
+    rescue
+      logger.debug("Unknown error logging user logout. Most likely anonymous user clicked a logout button.")
     end
 
   end

data/app/models/saml_camel/transaction.rb

@@ -46,29 +46,6 @@ module SamlCamel
       mapped_attributes
     end
 
-    #currently duke specifc
-    #TODO use the regular idp based logout
-    #TODO httponly should always be set to true on cookies
-    #TODO securure should be set to true in non dev environments (ht
-    #TODO look at metadata file import,validate via cert
-    
-    def self.logout
-      url = URI("https://shib.oit.duke.edu/cgi-bin/logout.pl")
-
-      http = Net::HTTP.new(url.host, url.port)
-      http.use_ssl = true
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-
-      request = Net::HTTP::Post.new(url)
-      request["authorization"] = 'Basic c29hcC5pZG1zLm9pdDowRGFvdXU2Y1g4MEJ1Vkg2QlFaaA=='
-      request["content-type"] = 'application/x-www-form-urlencoded'
-      request["cache-control"] = 'no-cache'
-      request.body = "logoutWithoutPrompt=1"
-
-      response = http.request(request)
-
-      logout_return = SP_SETTINGS["settings"]["logout_return_url"]
-    end
 
   end
 end

data/app/views/saml_camel/saml/failure.html.erb

@@ -0,0 +1,2 @@
+<h1>Failure in SAML Response</h1>
+<h3><%= @error %></h3>

data/config/routes.rb

@@ -1,6 +1,7 @@
 SamlCamel::Engine.routes.draw do
   get "/" => "saml#index"
   get "/attributes" => 'saml#attr_check'
+  get "/failure" => 'saml#failure'
   post "/consumeSaml" => "saml#consume"
   post "/logout" => "saml#logout"
 end

data/lib/saml_camel/version.rb

@@ -1,3 +1,3 @@
 module SamlCamel
-  VERSION = '0.1.3'
+  VERSION = '0.1.4'
 end

data/lib/tasks/saml_camel_tasks.rake

@@ -10,6 +10,7 @@ namespace :saml_camel do
     cert = generate_cert(key)
     settings = generate_saml_settings.to_json
 
+
     #TODO pull in specified idp certificate
     # idp_cert = File.read("saml/idp_certs/#{ENV['idp']}.crt") if ENV['idp']
   idp_cert = """MIIEWjCCA0KgAwIBAgIJAP1rB/FjRgy6MA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
@@ -46,6 +47,7 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
         File.open("#{Rails.root}/saml/#{e}/saml_key.key","w+") {|f| f.write(key) }
         File.open("#{Rails.root}/saml/#{e}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
         File.open("#{Rails.root}/saml/#{e}/settings.json","w+") {|f| f.write(settings) }
+        File.open('.gitignore', 'a') { |f| f.write("saml/#{e}/saml_key.key\n") }
       end
     else
       dir = "#{Rails.root}/saml/#{specified_env}"
@@ -54,6 +56,7 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
       File.open("#{Rails.root}/saml/#{specified_env}/saml_key.key","w+") {|f| f.write(key) }
       File.open("#{Rails.root}/saml/#{specified_env}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
       File.open("#{Rails.root}/saml/#{specified_env}/settings.json","w+") {|f| f.write(settings) }
+      File.open('.gitignore', 'a') { |f| f.write("saml/#{specified_env}/saml_key.key") }
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-06 00:00:00.000000000 Z
+date: 2018-04-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -91,6 +91,7 @@ files:
 - app/models/saml_camel/transaction.rb
 - app/views/layouts/saml_camel/application.html.erb
 - app/views/saml_camel/saml/attr_check.html.erb
+- app/views/saml_camel/saml/failure.html.erb
 - config/routes.rb
 - lib/saml_camel.rb
 - lib/saml_camel/engine.rb