saml_camel 0.1.6 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ce19d32b4ed9a740fc2af74f8ee5153b1605c6b7
-  data.tar.gz: 8c239788aca69ceefe788cc2112525160fe35d86
+  metadata.gz: f5ae86d2afccc6e4f06cecbce01cb9c8e7b26340
+  data.tar.gz: 200725807b56d5a93dd488edd9ac18bdd1a5006b
 SHA512:
-  metadata.gz: f8a289587609b90ded6d97d4d878d23c9f6f382b8870d45ae69f1fd694f0679dc132fd86dc0bdd2b379da3e7574272ad969a6e3ec86ba1ac6dc7a1d7ced2ee26
-  data.tar.gz: 7a6aa2ebb91f906ac537e6e2204fd17d3ce1add3f95555e0dd80194b1b77f8b35a5fbf07f08d4cd19d617cf118637780e4c6a368ed707cb29ea608f143d07093
+  metadata.gz: 1b665b05d63a9f28fa45f79b48067de8e18daebb9f530223174b48195e676ebd08abf984a853a11c7fc1c61cd0db354098bba25a9db47da0b49136c70b55ebcb
+  data.tar.gz: e13b5b41e5d628f99a75da7be03b06d2671ea60d26e3fc5280aa07be80b43245ae9dc63303878bffbdcedc90183c19e43650caa667ae209955bcd240adeb1f6d

data/README.md

@@ -16,20 +16,21 @@ $ bundle
 ## Usage
 ### IMPORTANT: This step enables security features and is required to use the gem!
 1. in your environments config (`config/development.rb` for example) ensure that you have caching configured as follows
-**note** use ths cache_store most appropriate for your situation. It may make more sense to use a file store, or a redis server
+
+  **NOTE:** use ths cache_store most appropriate for your situation. It may make more sense to use a file store, or a redis server
 ```ruby
   config.action_controller.perform_caching = true
   config.cache_store = :memory_store
 ```
 
-1. run `rake saml_camel:generate_saml` to generate metadata files for each environment. you can also specify a custom environment like this `rake saml_camel:generate_saml environment=acceptance`
+2. run `rake saml_camel:generate_saml` to generate metadata files for each environment. you can also specify a custom environment like this `rake saml_camel:generate_saml environment=acceptance`
 
-**Note: these steps will use development as an example, if you use separate metadata per environment, you will repeat each step for your chosen environment**
+  **Note: these steps will use development as an example, if you use separate metadata per environment, you will repeat each step for your chosen environment**
 
-2. from the root of your app open `saml/development/settings.json` and specify an entity ID of your choice. this is a unique identifier used by the
+3. from the root of your app open `saml/development/settings.json` and specify an entity ID of your choice. this is a unique identifier used by the
 Identity Provider(idp) to recognize your app. Typically it should take the form of a url, however note that it is just an identifier and does not have to resolve (e.g. https://my-app-name/not/a/real/route)
 
-3. Go to https://authentication.oit.duke.edu/manager/register/sp and register your metadata with the identity provider. You will need the values from `saml/development/settings.json` in addition to the `saml/development/saml_certificate.crt`
+4. Go to https://authentication.oit.duke.edu/manager/register/sp and register your metadata with the identity provider. You will need the values from `saml/development/settings.json` in addition to the `saml/development/saml_certificate.crt`
 
   - copy the entity_id you chose in the `settings.json` file and paste it into the "Entity Field"
   - fill out functional purpose, responsible dept, function owner dept, and audience with information relevant to your application
@@ -37,38 +38,71 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
   - copy the acs value and paste it into the Location field in the Assertion Consumer Service box
     - note that the default host value for ACS is `http://locahost:3000` which is the default `rails s` host. If you're using a differnet host (such as in production or using docker) you will want to replace the host value with what is relevent for your situation(*e.g. https://my-app.duke.edu/saml/consumeSaml*), but keep the path `/saml/consumeSaml`
 
-4. In your app mount the engine in config/routes.rb
-```ruby
-mount SamlCamel::Engine, at: "/saml"
-```
-
+5. In your app mount the engine in config/routes.rb
+  ```ruby
+    mount SamlCamel::Engine, at: "/saml"
+  ```
 
 6. now simply provide the `saml_protect` method in your controllers (via `before_action`) to protect paths
 ```ruby
-class DashboardController < ApplicationController
-  before_action :saml_protect, except: [:home]
+  class DashboardController < ApplicationController
+    before_action :saml_protect, except: [:home]
 
-  def home
-  end
+    def home
+    end
 
-  def index
+    def index
+    end
   end
-
-end
 ```
 
-
 7. to logout simply make a post to `localhost:3000/saml/logout`. This will kill the local saml session, and the session with the identity provider.
 
 7. response attributes found in `session[:saml_attributes]`
+  *note that the session can not store over the 4 kilobyte limit. Keep
+  this in mind in the use case of requesting a significant amount of attributes*
 
 8. It is recommended to set `config.force_ssl = true` in the `config/environments/production.rb` file for security
 
-
 9. Logging is turned on by default. Logging is configured in `saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
 
 10. Users can go to http://localhost:3000/saml/attributes to view attributes being passed through
 
+## Example settings.json
+```json
+{
+  "_comment": "note you will need to restart the application when you make changes to this file",
+  "settings": {
+    "acs": "http://localhost:3000/saml/consumeSaml",
+    "entity_id": "http://my-entity-id.corgi",
+    "sso_url": "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
+    "logout_return_url": "http://localhost:3000",
+    "primary_id": "eduPersonPrincipalName",
+    "saml_logging": true
+  },
+  "attribute_map": {
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
+    "urn:oid:2.5.4.3": "cn",
+    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
+    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.5": "eduPersonPrimaryAffiliation",
+    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
+    "urn:mace:duke.edu:idms:unique-id": "duDukeID",
+    "urn:mace:duke.edu:idms:dku-id": "dku-id",
+    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
+    "urn:oid:2.5.4.42": "givenName",
+    "urn:oid:2.5.4.4": "sn",
+    "urn:oid:2.5.4.11": "ou",
+    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
+    "urn:oid:2.5.4.20": "telephoneNumber",
+    "urn:oid:2.5.4.12": "title",
+    "urn:mace:duke.edu:idms:middle-name1": "duMiddleName1",
+    "urn:mace:duke.edu:idms:proxy-token": "duProxyToken"
+  }
+}
+```
+
 
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/app/controllers/concerns/saml_camel/saml_helpers.rb

@@ -7,11 +7,12 @@ module SamlCamel::SamlHelpers
 
     #this generates a call to the idp, which will then be returned to the consume action the in saml_contorller
     def saml_request(host_request)
-      relay_state = SecureRandom.base64.chomp.gsub( /\n/, '' ) #set relay state to secure against replay attack
+      relay_state = SecureRandom.base64.chomp.gsub( /\W/, '' ) #set relay state to secure against replay attack
       request = OneLogin::RubySaml::Authrequest.new
 
       #store relay state, ip address and original url request in memory to be used for verification and redirect after response
-      permit_key = session[:session_id].to_sym
+      assign_permit_key
+      permit_key = session[:saml_session_id].to_sym
       Rails.cache.fetch(permit_key, expires_in: 5.minutes) do
         {ip_address: host_request.remote_ip, relay_state: relay_state, redirect_url:  host_request.url }
       end
@@ -22,7 +23,7 @@ module SamlCamel::SamlHelpers
 
     #validates the user ip address and relay state given to IDP. Prevents Replay Attacks.
     def valid_state(param_relay_state, remote_ip)
-      permit_key = session[:session_id].to_sym
+      permit_key = session[:saml_session_id].to_sym
       saml_cache = Rails.cache.fetch(permit_key)
       stored_relay = saml_cache[:relay_state]
       stored_ip = saml_cache[:ip_address]
@@ -52,4 +53,8 @@ module SamlCamel::SamlHelpers
         session[:saml_success] = nil
     end
 
+    def assign_permit_key
+      session[:saml_session_id] = SecureRandom.base64.chomp.gsub( /\W/, '' )
+    end
+
 end

data/app/controllers/saml_camel/application_controller.rb

@@ -1,8 +1,6 @@
 module SamlCamel
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception
-    def saml_stuff
-      puts "boo" * 80
-    end
+    
   end
 end

data/app/controllers/saml_camel/saml_controller.rb

@@ -16,13 +16,13 @@ module SamlCamel
     #consumes the saml response from the IDP
     def consume
       raise "Invalid RelayState" unless valid_state(params[:RelayState], request.remote_ip)
-      permit_key = session[:session_id].to_sym
+      permit_key = session[:saml_session_id].to_sym
       redirect_path = Rails.cache.fetch(permit_key)[:redirect_url]
       Rails.cache.delete(permit_key) #we no longer need cache at this stage
+      session[:saml_session_id] = nil
 
       response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
       response.settings = saml_settings
-
       if response.is_valid? # validate the SAML Response
         # authorize_success, log the user
         session[:saml_success] = true
@@ -31,11 +31,11 @@ module SamlCamel
         session[:saml_attributes] = SamlCamel::Transaction.map_attributes(response.attributes)
         SamlCamel::Logging.successfull_auth(session[:saml_attributes])
 
-
         redirect_to redirect_path
       else # otherwise list out the errors in the response
-        permit_key = session[:session_id].to_sym
+        permit_key = session[:saml_session_id].to_sym
         Rails.cache.delete(permit_key)
+        session[:saml_session_id] = nil
 
         session[:saml_success] = false
         response.errors
@@ -44,9 +44,10 @@ module SamlCamel
         redirect_to action: "failure", locals:{errors: response.errors}
       end
     rescue => e
-      permit_key = session[:session_id].to_sym
+      permit_key = session[:saml_session_id].to_sym
       Rails.cache.delete(permit_key)
       session[:saml_success] = false
+      session[:saml_session_id] = nil
 
       SamlCamel::Logging.auth_failure(e)
       redirect_to action: "failure", locals:{errors: e}
@@ -64,7 +65,6 @@ module SamlCamel
       SamlCamel::Logging.logout(session[:saml_attributes])
       session[:saml_attributes] = nil
       session[:sp_session] = nil
-      cookies.delete :saml_camel_timestamp
 
       # return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
       redirect_to "https://shib.oit.duke.edu/cgi-bin/logout.pl"

data/lib/saml_camel/version.rb

@@ -1,3 +1,3 @@
 module SamlCamel
-  VERSION = '0.1.6'
+  VERSION = '0.1.7'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-17 00:00:00.000000000 Z
+date: 2018-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails