RubyGems - saml_camel - Versions diffs - 0.1.4 → 0.1.5 - Mend

saml_camel 0.1.4 → 0.1.5

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +8 -1
data/app/controllers/concerns/saml_camel/saml_helpers.rb +32 -23
data/app/controllers/saml_camel/saml_controller.rb +21 -9
data/app/models/saml_camel/logging.rb +7 -0
data/config/routes.rb +2 -0
data/lib/saml_camel/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9587f9aa4978c5bfc1ff83fd93490b77cfada4a0
-  data.tar.gz: d005f8ba385cd0443baeda86c668d002c7907857
+  metadata.gz: 60103dee96fb0b95caeb04551deac81568e5149a
+  data.tar.gz: eb15b9fc8c642e88bf0ff8be268f206de1be3b73
 SHA512:
-  metadata.gz: 012d8b91632f47e689f385cb1de8f82e7e99696579e11491ce94e54de0823f0b56f727bd25b5e748cc1c288db6debaf57f2aa5df3d7b83a3ffdc1a20514b779a
-  data.tar.gz: de3c6af5a1395e1a44502b9f85101f8e42d238362443ff7826037ec96d783712329ae028370365b2b514f4f338287e04247a3e906ae1b0dd04ac0e4bb8e2817e
+  metadata.gz: acda10e48b2cabdb24f187ffaf3fde6dbb5992efe032f56ca623098999b754c9094fe94271cbeac50097f00679a87710db95ebe96be7a22b0904607a7b62c165
+  data.tar.gz: 8ea077c92e5d0fcf0df9bcae2d086a5635152ceb3d37afbc7a0e7e4777a3d9dda32b651280d9bc54f12ecdf4f859c640c658e68ff972521d0473e25f9d465233

data/README.md CHANGED Viewed

@@ -14,6 +14,13 @@ $ bundle
 ## Usage
+### IMPORTANT!
+1. in your environments config (`config/development.rb` for example) ensure that you have caching configured as follows
+```ruby
+  config.action_controller.perform_caching = true
+  config.cache_store = :memory_store
+```
 1. run `rake saml_camel:generate_saml` to generate metadata files for each environment. you can also specify a specifc/custom environment like this `rake saml_camel:generate_saml  environment=acceptance`
 **Note: these steps will use development as an example, if you use seperate metadata per environemtn, you will repeat each step for your chosed environement**
@@ -57,7 +64,7 @@ end
 ```
-7. to logout simply make a post to `localhost:3000/saml/logout`. This will kill the local saml session, and the session with the identity provider. You can specify a return url in `saml/development/settings.json`
+7. to logout simply make a post to `localhost:3000/saml/logout`. This will kill the local saml session, and the session with the identity provider.
 7. response attributes found in `session[:saml_attributes]`

data/app/controllers/concerns/saml_camel/saml_helpers.rb CHANGED Viewed

@@ -8,39 +8,48 @@ module SamlCamel::SamlHelpers
     #this generates a call to the idp, which will then be returned to the consume action the in saml_contorller
     def saml_request(host_request)
       relay_state = SecureRandom.base64.chomp.gsub( /\n/, '' ) #set relay state to secure against replay attack
-      session[:relay_state] = relay_state
       request = OneLogin::RubySaml::Authrequest.new
-      secure_cookie = (Rails.env == "development" || Rails.env == "test") ? false : true
-      cookies.encrypted[:saml_camel_redirect] = {
-        value: host_request.url,
-        secure: secure_cookie,
-        httponly: true
-      }
-      cookies.encrypted[:saml_camel_relay] = {
-        value: relay_state,
-        secure: secure_cookie,
-        httponly: true
-      }
-      saml_request = request.create(SamlCamel::Transaction.saml_settings) + "&RelayState=#{relay_state}"
-      redirect_to(saml_request)
+      #store relay state, ip address and original url request in memory to be used for verification and redirect after response
+      permit_key = session[:session_id].to_sym
+      Rails.cache.fetch(permit_key, expires_in: 5.minutes) do
+        {ip_address: host_request.remote_ip, relay_state: relay_state, redirect_url:  host_request.url }
+      end
+      saml_request_url = request.create(SamlCamel::Transaction.saml_settings) + "&RelayState=#{Rails.cache.fetch(permit_key)[:relay_state]}"
+      redirect_to(saml_request_url)
     end
-    def valid_relay_state(param_relay_state)
-      stored_relay = cookies.encrypted[:saml_camel_relay]
-      cookies.delete :saml_camel_relay
-      param_relay_state == stored_relay
+    #validates the user ip address and relay state given to IDP. Prevents Replay Attacks.
+    def valid_state(param_relay_state, remote_ip)
+      permit_key = session[:session_id].to_sym
+      saml_cache = Rails.cache.fetch(permit_key)
+      stored_relay = saml_cache[:relay_state]
+      stored_ip = saml_cache[:ip_address]
+      SamlCamel::Logging.saml_state({stored_relay: stored_relay, request_relay: param_relay_state, stored_ip: stored_ip, remote_ip: remote_ip})
+      param_relay_state == stored_relay && remote_ip == stored_ip
     end
-    def saml_protect
-        saml_request(request) unless (session[:saml_success] || session[:sp_session]) #keeps us from looping, and maintains sp session
-        session[:saml_success] = nil
+    #Make it so sp sessions only last 1 hour, sp_session is set on a succesfull saml response.
+    #We check that the session time is less than in hour if so we refresh, otherwise we delete the session
+    def expired_session?
+      if session[:sp_session]
+        if (Time.now - Time.parse(session[:sp_session])) < 1.hour
+          session[:sp_session] = Time.now
+          return true
+        end
+      end
     end
+    #saml_protect is what is called in the app. it initiates the saml request if there is no active session, or if a user has been idle for over an hour
+    #TODO re-factor in future
+    def saml_protect
+        not_expired = expired_session?
+        saml_request(request) unless (session[:saml_success] || session[:sp_session] || not_expired) #keeps us from looping, and maintains sp session
+        session[:saml_success] = nil
+    end
 end

data/app/controllers/saml_camel/saml_controller.rb CHANGED Viewed

@@ -7,30 +7,34 @@ module SamlCamel
     before_action :saml_protect, only: [:attr_check]
-    #TODO ROUTABLE STUFF GOES IN THE SHIB CONTROLLER, METHODS CALLED BUT NOT ROUTED GO TO SAML_CONTROLLER
+    #convinence route to see attributes that are coming through
     def index
       @attributes = session[:saml_attributes]
     end
-    def consume
-      raise "Invalid RelayState" unless valid_relay_state(params[:RelayState])
-      redirect_path = cookies.encrypted[:saml_camel_redirect]
-      cookies.delete :saml_camel_redirect
+    #consumes the saml response from the IDP
+    def consume
+      raise "Invalid RelayState" unless valid_state(params[:RelayState], request.remote_ip)
+      permit_key = session[:session_id].to_sym
+      redirect_path = Rails.cache.fetch(permit_key)[:redirect_url]
+      Rails.cache.delete(permit_key) #we no longer need cache at this stage
       response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
       response.settings = saml_settings
       if response.is_valid? # validate the SAML Response
         # authorize_success, log the user
         session[:saml_success] = true
-        session[:sp_session] = true
+        session[:sp_session] = Time.now
         session[:saml_attributes] = SamlCamel::Transaction.map_attributes(response.attributes)
         SamlCamel::Logging.successfull_auth(session[:saml_attributes])
         #TODO account for nil redirect
         redirect_to redirect_path
       else # otherwise list out the errors in the response
-        #TODO how do we handle errors?
+        permit_key = session[:session_id].to_sym
+        Rails.cache.delete(permit_key)
         session[:saml_success] = false
         response.errors
         SamlCamel::Logging.auth_failure(response.errors)
@@ -38,25 +42,33 @@ module SamlCamel
         redirect_to main_app.try('root_path')
       end
     rescue => e
+      permit_key = session[:session_id].to_sym
+      Rails.cache.delete(permit_key)
       session[:saml_success] = false
       SamlCamel::Logging.auth_failure(e)
       redirect_to action: "failure", locals:{errors: e}
     end
+    #route to show saml failures
     def failure
       @error = params[:locals][:errors]
-      # byebug
     end
+    #kills SP session and redirects to IDP to kill idp session
     def logout
       SamlCamel::Logging.logout(session[:saml_attributes])
       session[:saml_attributes] = nil
       session[:sp_session] = nil
+      cookies.delete :saml_camel_timestamp
       # return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
       redirect_to "https://shib.oit.duke.edu/cgi-bin/logout.pl"
     end
     def attr_check
     end

data/app/models/saml_camel/logging.rb CHANGED Viewed

@@ -25,5 +25,12 @@ module SamlCamel
       logger.debug("Unknown error logging user logout. Most likely anonymous user clicked a logout button.")
     end
+    def self.saml_state(data)
+      logger = Logger.new("log/saml.log")
+      logger.info("Stored Relay: #{data[:stored_relay]} | RequestRelay: #{data[:request_relay]} | Stored IP: #{data[:stored_ip]}  RemoteIP: #{data[:remote_ip]}")
+    rescue
+      logger.debug("Unknown Error During relay state logging.")
+    end
   end
 end

data/config/routes.rb CHANGED Viewed

@@ -5,3 +5,5 @@ SamlCamel::Engine.routes.draw do
   post "/consumeSaml" => "saml#consume"
   post "/logout" => "saml#logout"
 end
+#TODO check ip_address stored by the IDP
+#TODO chceck ip address on every check ra

data/lib/saml_camel/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SamlCamel
-  VERSION = '0.1.4'
+  VERSION = '0.1.5'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-10 00:00:00.000000000 Z
+date: 2018-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails