saml_camel 0.2.2 → 0.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 28b08cae52108c58df6749ee001140b88ed5f783
-  data.tar.gz: 286d17661c59fbe7cd0b588979adb0abdbc09fcb
+  metadata.gz: b7fd883c9fb712daac3a0eec2ceecf41158452b8
+  data.tar.gz: a54c29f80e07049a3cae26a5ac2661fe458ca10e
 SHA512:
-  metadata.gz: 0a400c238fb98ebfa7951e11b1ced46e095b4c0e08dbef17cb6e11ec04c68de04c73bf5f6dea9f9234187a695077b20588c9d18ba9e1f2292a7e38f72f2ddf46
-  data.tar.gz: 7ef2bbe8e90b127740a6ccbe44f140aab5a5014c51876e85e31743e9e6ce576173177f0aff5a1e4e9304412dcc7c42a91d696e159019e0c6ec5dbe2efff6af4d
+  metadata.gz: 605cb590546df8667225f53750abc9ebd08a8e6e3884182a7f22464a916de928470955f24b04e6ccee3d564382057e88c078f7f48b9901288b54d0c2bfea2fe3
+  data.tar.gz: 4238d45a9998662d3abebea3b41a9dffe300561847f94871f70ed5eef979f9a980e45cf3cd47ad72023f7c110cc8ac3d41034e3c6093001ecbd8e7c10dd3cb10

data/README.md

@@ -31,24 +31,26 @@ $ bundle
 ### IMPORTANT: This step enables security features and is required to use the gem!
 1. in your environments config (`config/development.rb` for example) ensure that you have caching configured as follows
 
-  **NOTE:** use the cache_store most appropriate for your situation. It may make more sense to use a file store, or a redis server
+
 ```ruby
   config.action_controller.perform_caching = true
   config.cache_store = :memory_store
 ```
 
+  **NOTE:** use the cache_store most appropriate for your situation. It may make more sense to use a file store, or a redis server. For example it may not make sense to cache in memory in production. You can read more about rails caching behavior here http://guides.rubyonrails.org/caching_with_rails.html
+
 2. run `rake saml_camel:generate_saml` to generate metadata files for each environment. you can also specify a custom environment like this `rake saml_camel:generate_saml environment=acceptance`
 
   **Note: these steps will use development as an example, if you use separate metadata per environment, you will repeat each step for your chosen environment**
 
-3. from the root of your app open `saml/development/settings.json` and specify an entity ID of your choice. this is a unique identifier used by the
+3. from the root of your app open `config/saml/development/settings.json` and specify an entity ID of your choice. this is a unique identifier used by the
 Identity Provider(idp) to recognize your app. Typically it should take the form of a url, however note that it is just an identifier and does not have to resolve (e.g. https://my-app-name/not/a/real/route)
 
-4. Go to https://authentication.oit.duke.edu/manager/register/sp and register your metadata with the identity provider. You will need the values from `saml/development/settings.json` in addition to the `saml/development/saml_certificate.crt`
+4. Go to https://authentication.oit.duke.edu/manager/register/sp and register your metadata with the identity provider. You will need the values from `config/saml/development/settings.json` in addition to the `config/saml/development/saml_certificate.crt`
 
   - copy the entity_id you chose in the `settings.json` file and paste it into the "Entity Field"
   - fill out functional purpose, responsible dept, function owner dept, and audience with information relevant to your application
-  - copy the cert from `saml/development/saml_certificate.crt` and paste it into the Certificate Field
+  - copy the cert from `config/saml/development/saml_certificate.crt` and paste it into the Certificate Field
   - copy the acs value and paste it into the Location field in the Assertion Consumer Service box
     - note that the default host value for ACS is `http://locahost:3000` which is the default `rails s` host. If you're using a different host (such as in production or using docker) you will want to replace the host value with what is relevent for your situation(*e.g. https://my-app.duke.edu/saml/consumeSaml*), but keep the path `/saml/consumeSaml`
 
@@ -78,7 +80,7 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
 
 8. It is recommended to set `config.force_ssl = true` in the `config/environments/production.rb` file for security
 
-9. Logging is turned on by default. Logging is configured in `saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
+9. Logging is turned on by default. Logging is configured in `config/saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
 
 
 10. Users can go to http://localhost:3000/saml/attributes to view attributes being passed through
@@ -92,7 +94,7 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
     "acs": "http://localhost:3000/saml/consumeSaml",
     "entity_id": "https://samlCamel.com/doesNotResolve",
     "sso_url": "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
-    "logout_return_url": "http://localhost:3000",
+    "logout_url": "https://shib.oit.duke.edu/cgi-bin/logout.pl",
     "primary_id": "eduPersonPrincipalName",
     "sp_session_timeout": 1,
     "sp_session_lifetime": 8,

data/app/controllers/concerns/saml_camel/saml_service.rb

@@ -0,0 +1,35 @@
+require_dependency "saml_camel/application_controller"
+
+module SamlCamel::SamlService
+  extend ActiveSupport::Concern
+
+  def cache_available?(app_cache)
+    if app_cache
+      true
+    else
+      session[:sp_session] = nil
+      false
+    end
+  end
+
+  def saml_protect
+    user_cache = cache_available?(Rails.cache.fetch(session[:saml_session_id])) if session[:saml_session_id]
+    if session[:saml_session_id] && user_cache
+      sp = SamlCamel::ServiceProvider.new(cache_permit_key: session[:saml_session_id].to_sym, saml_attributes: session[:saml_attributes])
+      session[:sp_session] = sp.validate_sp_session(session[:sp_session],request.remote_ip)
+      unless (session[:saml_response_success] || session[:sp_session])
+        saml_request_url = sp.generate_saml_request(request)
+        redirect_to(saml_request_url)
+      end
+
+    else
+      session[:saml_session_id] = SamlCamel::ServiceProvider.generate_permit_key
+      saml_request_url = SamlCamel::ServiceProvider.new(cache_permit_key: session[:saml_session_id].to_sym).generate_saml_request(request)
+      redirect_to(saml_request_url)
+    end
+    session[:saml_response_success] = nil #keeps us from looping
+  end
+
+
+
+end

data/app/controllers/saml_camel/saml_controller.rb

@@ -2,7 +2,7 @@ require_dependency "saml_camel/application_controller"
 
 module SamlCamel
   class SamlController < ApplicationController
-    include SamlCamel::SamlHelpers
+    include SamlCamel::SamlService
     skip_before_action :verify_authenticity_token ,only: [:consume,:logout]
     before_action :saml_protect, only: [:attr_check]
 
@@ -19,31 +19,18 @@ module SamlCamel
       permit_key = session[:saml_session_id].to_sym
       user_cache =  Rails.cache.fetch(permit_key)
       raise "Unable to access cache. Ensure cache is configrued according to documentation." unless cache_available?(user_cache)
-
       redirect_path = user_cache[:redirect_url]
-      response          = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
-      response.settings = saml_settings
-
-      if response.is_valid? # validate the SAML Response
-
-        #verify not sha1
-        verify_sha_type(response)
-
-        response_id = response.id(response.document)
-
-        #confirm that IP address from response matches that of original request
-        valid_ip?(request.remote_ip)
-
-        #check that response id has not already been used
-        duplicate_response_id?(response_id)
+      sp = SamlCamel::ServiceProvider.new(cache_permit_key: permit_key, saml_attributes: session[:saml_attributes])
+      ol_response = SamlCamel::ServiceProvider.ol_response(params[:SAMLResponse])
 
+      if sp.validate_idp_response(ol_response,request.remote_ip)
         # authorize_success, log the user
         session[:saml_response_success] = true
-        set_saml_session_lifetime(permit_key)
+        sp.set_saml_session_lifetime
         session[:sp_session] = Time.now
 
-        session[:saml_attributes] = SamlCamel::Transaction.map_attributes(response.attributes)
-        SamlCamel::Logging.successfull_auth(session[:saml_attributes])
+        session[:saml_attributes] = SamlCamel::Transaction.map_attributes(ol_response.attributes)
+        SamlCamel::Logging.successful_auth(session[:saml_attributes])
 
         redirect_to redirect_path
       else # otherwise list out the errors in the response
@@ -55,9 +42,9 @@ module SamlCamel
         session[:sp_session] = nil
         session[:saml_response_success] = false
         response.errors
-        SamlCamel::Logging.auth_failure(response.errors)
+        SamlCamel::Logging.auth_failure(ol_response.errors)
 
-        redirect_to action: "failure", locals:{errors: response.errors}
+        redirect_to action: "failure", locals:{errors: ol_response.errors}
       end
     rescue => e
       if  session[:saml_session_id]
@@ -86,7 +73,7 @@ module SamlCamel
       session[:sp_session] = nil
 
       # return_url = SamlCamel::Transaction.logout #this methods logs the user out of the IDP, and returns a url to be redirected to
-      redirect_to "https://shib.oit.duke.edu/cgi-bin/logout.pl"
+      redirect_to SP_SETTINGS["settings"]["logout_url"]
     end
 
 

data/app/models/saml_camel/application_record.rb

@@ -1,5 +1,5 @@
 module SamlCamel
   class ApplicationRecord
-    
+
   end
 end

data/app/models/saml_camel/service_provider.rb

@@ -0,0 +1,161 @@
+module SamlCamel
+  class ServiceProvider
+    attr_reader :cache_permit_key, :user_cache, :saml_attributes
+
+    def initialize(cache_permit_key: nil, user_cache: nil, saml_attributes: nil)
+      @cache_permit_key = cache_permit_key.to_sym
+      @saml_attributes = saml_attributes
+      @user_cache = Rails.cache.fetch(@cache_permit_key)
+    end
+
+
+    def self.generate_permit_key
+      secure_random = SecureRandom.base64.chomp.gsub( /\W/, '' )
+      "samlCamel#{secure_random}"
+    end
+
+    def self.ol_response(idp_response)
+      response          = OneLogin::RubySaml::Response.new(idp_response, :settings => SamlCamel::Transaction.saml_settings)
+      response.settings = SamlCamel::Transaction.saml_settings
+
+      response
+    end
+
+  
+    def check_expired_session(sp_session)
+      # cache_available?(user_cache) TODO come back to this
+      sp_timeout = SP_SETTINGS["settings"]["sp_session_timeout"]
+      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
+
+      set_saml_session_lifetime if @user_cache[:session_start_time].nil?
+      sp_session_init_time = @user_cache[:session_start_time]
+
+
+      ######## set session[:sp_session] maybe a seperate method
+      if sp_session
+
+        #if the session has timed out remove session, otherwise refresh
+        if (Time.now - Time.parse(sp_session)) < sp_timeout.hour
+          return Time.now
+        else
+          SamlCamel::Logging.expired_session(@saml_attributes)
+          return nil
+        end
+
+        #if the session has exceeded the allowed lifetime, remove session
+        if (Time.now - sp_session_init_time) > sp_lifetime.hour
+          SamlCamel::Logging.expired_session(@saml_attributes)
+          return  nil
+        end
+      else #if no sp session return nil
+        return nil
+      end
+    end
+
+
+    def duplicate_response_id?(response_id, count: 3)
+      #use semaphore to only allow 1 thread at a time to access
+      @semaphore ||= Mutex.new
+      @semaphore.synchronize {
+        ids = Rails.cache.fetch("saml_camel_response_ids")
+        if ids
+          if ids.include?(response_id)
+            session[:sp_session] = nil
+            raise "SAML response ID already issued."
+          else
+            ids << response_id
+            Rails.cache.fetch("saml_camel_response_ids", expires_in: 1.hours) do
+              ids
+            end
+          end
+        else
+          Rails.cache.fetch("saml_camel_response_ids", expires_in: 1.hours) do
+            [response_id]
+          end
+        end
+      }
+    rescue ThreadError
+       puts "locked "* 50
+      if count > 0
+        sleep(0.1)
+        duplicate_response_id?(response_id, count: count - 1)
+      else raise "Resposne ID Validation Error"
+      end
+    end
+
+
+
+    #generates a saml requests and establishes a cache for the user
+    def generate_saml_request(host_request)
+      request = OneLogin::RubySaml::Authrequest.new
+      lifetime =  SamlCamel::SP_SETTINGS['settings']["sp_session_lifetime"]
+
+      #store ip address and original url request in memory to be used for verification and redirect after response
+      Rails.cache.fetch(@cache_permit_key, expires_in: lifetime.hours) do
+        {ip_address: host_request.remote_ip,  redirect_url:  host_request.url }
+      end
+      request.create(SamlCamel::Transaction.saml_settings)
+    end
+
+    #set saml_session lifetime, called if none set
+    def set_saml_session_lifetime
+      user_saml_cache = Rails.cache.fetch(@cache_permit_key)
+      user_saml_cache[:session_start_time] = Time.now
+      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
+      Rails.cache.fetch(@cache_permit_key, expires_in: sp_lifetime.hours) do
+        user_saml_cache #not sure if this can use @user_cache
+      end
+    end
+
+    #NOTE these methods will raise errors if not a valid response_id
+     # which in turn will trigger a resuce that kills the sp session
+    def validate_idp_response(response,remote_ip)
+      if response.is_valid?
+        #validate not sha1
+        verify_sha_type(response)
+
+        #validate IP address
+        raise "IP mismatch error" unless validate_ip(remote_ip)
+
+        response_id = response.id(response.document)
+        duplicate_response_id?(response_id)
+
+        response
+      else
+        false
+      end
+    end
+
+    #validate that ip address has not changed
+    def validate_ip(remote_ip)
+      # cache_available?(saml_cache) TODO come back to this
+      return true if remote_ip == @user_cache[:ip_address]
+      SamlCamel::Logging.bad_ip(@saml_attributes, @user_cache[:ip_address], remote_ip)
+      return nil
+    end
+
+    #validates a the sp timestamps and ip. returns a new timestamp if everything is good
+    # otherwise returns nil
+    def validate_sp_session(sp_session,remote_ip)
+      new_session = check_expired_session(sp_session)
+      if new_session
+        has_valid_ip = validate_ip(remote_ip)
+      else
+        return nil
+      end
+      return new_session if has_valid_ip
+    end
+
+
+    def verify_sha_type(response)
+      #was suggested to use an xml parser, however was having great difficulyt with nokogiri
+      #open to trying a different parser or advice on nokogiri as it's not reacting as I would typically expect it to
+      raw_xml_string = response.decrypted_document.to_s
+      attr_scan = raw_xml_string.scan(/<ds:SignatureMethod.*\/>/)
+      is_sha1 = attr_scan[0].match("sha1")
+
+      raise "SHA1 algorithm not supported " if is_sha1
+    end
+
+  end
+end

data/app/models/saml_camel/shib.rb

@@ -0,0 +1,26 @@
+module SamlCamel
+  class Shib
+
+    ATTRIBUTE_MAP = JSON.parse(File.read("config/saml/shibboleth.json"))
+
+    def self.attributes(request)
+      attrs = {}
+      ATTRIBUTE_MAP.each do |header_key, new_key|
+        attrs[new_key] = request.env.dig(header_key)
+      end
+      attrs
+    end
+
+    def self.create_identity(values_hash)
+      identity = {}
+      values_hash.each {|k,v| identity[k] = v}
+      identity
+    end
+
+    #sets shib headers directly
+    def self.set_headers(request: nil,identity: nil)
+      identity.each {|k,v| request.env[k] = v }
+    end
+
+  end
+end

data/app/views/layouts/saml_camel/application.html.erb

@@ -2,8 +2,6 @@
 <html>
 <head>
   <title>Saml camel</title>
-  <%= stylesheet_link_tag    "saml_camel/application", media: "all" %>
-  <%= javascript_include_tag "saml_camel/application" %>
   <%= csrf_meta_tags %>
 </head>
 <body>

data/lib/saml_camel.rb

@@ -1,5 +1,102 @@
 require "saml_camel/engine"
 
 module SamlCamel
-  # Your code goes here...
+  begin
+    SP_SETTINGS = JSON.parse(File.read("config/saml/#{Rails.env}/settings.json"))
+  rescue
+    #rescue othewise the generator fails
+  end
+
+
+  module Transaction
+    begin
+      IDP_CERT = File.read("config/saml/#{Rails.env}/idp_certificate.crt")
+      SP_CERT = File.read("config/saml/#{Rails.env}/saml_certificate.crt")
+      SP_KEY = File.read("config/saml/#{Rails.env}/saml_key.key")
+    rescue
+      #rescue othewise the generator fails
+    end
+
+    def self.map_attributes(sp_attributes)
+      attr_map = SP_SETTINGS["attribute_map"]
+      mapped_attributes = {}
+
+      sp_attributes.each do |sp_attribute,value|
+        sp_attribute = attr_map[sp_attribute] || value
+        mapped_attributes[sp_attribute] = value
+      end
+      mapped_attributes
+    end
+
+    def self.saml_settings
+      sp_settings = SP_SETTINGS["settings"]
+
+      settings = OneLogin::RubySaml::Settings.new
+      settings.assertion_consumer_service_url = sp_settings["acs"]
+
+      settings.issuer                         = sp_settings["entity_id"]
+      settings.idp_sso_target_url             = sp_settings["sso_url"]
+
+      # certificate to register with IDP and key to decrypt
+      settings.certificate = SP_CERT
+
+      # certificate to decrypt SAML response
+      settings.private_key = SP_KEY
+
+      # certificate to verify IDP signature
+      settings.idp_cert = IDP_CERT
+
+      settings
+    end
+  end
+
+
+  module Logging
+    begin
+      PRIMARY_ID = SP_SETTINGS["settings"]["primary_id"]
+      SHOULD_LOG = SP_SETTINGS["settings"]["saml_logging"]
+      LOGGER = Logger.new("log/saml.log")
+    rescue
+      #rescue othewise the generator fails
+    end
+
+
+     def self.auth_failure(error_context)
+       LOGGER.error("An error occured during authentication. #{error_context}") if SHOULD_LOG
+       LOGGER.error("Backtrace: \n\t\t#{error_context.backtrace.join("\n\t\t")}") if SHOULD_LOG
+     rescue
+       LOGGER.debug("Unknown Error During auth_failure logging.") if SHOULD_LOG
+     end
+
+     def self.bad_ip(saml_attrs,request_ip,current_ip)
+       LOGGER.info("Bad IP address for #{saml_attrs[PRIMARY_ID]}. IP at SAML request #{request_ip} | IP presented #{current_ip}") if SHOULD_LOG
+     rescue
+       LOGGER.debug("Unknown Error During relay state logging. IP check") if SHOULD_LOG
+     end
+
+     def self.expired_session(saml_attrs)
+       LOGGER.info("Session Expired for #{saml_attrs[PRIMARY_ID]}") if SHOULD_LOG
+     rescue
+       LOGGER.debug("Unknown Error During relay state logging. Expired session check") if SHOULD_LOG
+     end
+
+     def self.logout(saml_attrs)
+       LOGGER.info("#{saml_attrs[PRIMARY_ID]} has succesfully logged out.") if SHOULD_LOG
+     rescue
+       LOGGER.debug("Unknown error logging user logout. Most likely anonymous user clicked a logout button.") if SHOULD_LOG
+     end
+
+     def self.saml_state(data)
+       LOGGER.info("Stored Relay: #{data[:stored_relay]} | RequestRelay: #{data[:request_relay]} | Stored IP: #{data[:stored_ip]}  RemoteIP: #{data[:remote_ip]}") if SHOULD_LOG
+     rescue
+       LOGGER.debug("Unknown Error During relay state logging. Saml state check") if SHOULD_LOG
+     end
+
+    def self.successful_auth(saml_attrs)
+      LOGGER.info("#{saml_attrs[PRIMARY_ID]} has succesfully authenticated.") if SHOULD_LOG
+    rescue
+      LOGGER.debug("Unknown Error During successful_auth logging. Check PRIMARY_ID configured in settings.json and that user has attribute.") if SHOULD_LOG
+    end
+  end
+
 end

data/lib/saml_camel/engine.rb

@@ -6,7 +6,7 @@ module SamlCamel
     isolate_namespace SamlCamel
 
     config.to_prepare do
-      ActionController::Base.include SamlCamel::SamlHelpers
+      ActionController::Base.include SamlCamel::SamlService
     end
 
   end

data/lib/saml_camel/version.rb

@@ -1,3 +1,3 @@
 module SamlCamel
-  VERSION = '0.2.2'
+  VERSION = '0.2.6'
 end

data/lib/tasks/saml_camel_tasks.rake

@@ -1,7 +1,7 @@
 namespace :saml_camel do
   desc "Generate Files for Saml"
   task :generate_saml  do
-    dir = "#{Rails.root}/saml/"
+    dir = "#{Rails.root}/config/saml/"
     FileUtils.mkdir(dir) unless Dir.exists?(dir)
 
     specified_env = ENV['environment']
@@ -12,7 +12,6 @@ namespace :saml_camel do
 
 
     #TODO pull in specified idp certificate
-    # idp_cert = File.read("saml/idp_certs/#{ENV['idp']}.crt") if ENV['idp']
   idp_cert = """MIIEWjCCA0KgAwIBAgIJAP1rB/FjRgy6MA0GCSqGSIb3DQEBBQUAMHsxCzAJBgNV
 BAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEPMA0GA1UEBxMGRHVyaGFt
 MRgwFgYDVQQKEw9EdWtlIFVuaXZlcnNpdHkxDDAKBgNVBAsTA09JVDEaMBgGA1UE
@@ -41,22 +40,22 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
 
     unless specified_env
       default_envs.each do |e|
-        dir = "#{Rails.root}/saml/#{e}"
+        dir = "#{Rails.root}/config/saml/#{e}"
         FileUtils.mkdir(dir) unless Dir.exists?(dir)
-        File.open("#{Rails.root}/saml/#{e}/saml_certificate.crt","w+") {|f| f.write(cert) }
-        File.open("#{Rails.root}/saml/#{e}/saml_key.key","w+") {|f| f.write(key) }
-        File.open("#{Rails.root}/saml/#{e}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
-        File.open("#{Rails.root}/saml/#{e}/settings.json","w+") {|f| f.write(settings) }
-        File.open('.gitignore', 'a') { |f| f.write("saml/#{e}/saml_key.key\n") }
+        File.open("#{Rails.root}/config/saml/#{e}/saml_certificate.crt","w+") {|f| f.write(cert) }
+        File.open("#{Rails.root}/config/saml/#{e}/saml_key.key","w+") {|f| f.write(key) }
+        File.open("#{Rails.root}/config/saml/#{e}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
+        File.open("#{Rails.root}/config/saml/#{e}/settings.json","w+") {|f| f.write(settings) }
+        File.open('.gitignore', 'a') { |f| f.write("config/saml/#{e}/saml_key.key\n") }
       end
     else
-      dir = "#{Rails.root}/saml/#{specified_env}"
+      dir = "#{Rails.root}/config/saml/#{specified_env}"
       FileUtils.mkdir(dir) unless Dir.exists?(dir)
-      File.open("#{Rails.root}/saml/#{specified_env}/saml_certificate.crt","w+") {|f| f.write(cert) }
-      File.open("#{Rails.root}/saml/#{specified_env}/saml_key.key","w+") {|f| f.write(key) }
-      File.open("#{Rails.root}/saml/#{specified_env}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
-      File.open("#{Rails.root}/saml/#{specified_env}/settings.json","w+") {|f| f.write(settings) }
-      File.open('.gitignore', 'a') { |f| f.write("saml/#{specified_env}/saml_key.key") }
+      File.open("#{Rails.root}/config/saml/#{specified_env}/saml_certificate.crt","w+") {|f| f.write(cert) }
+      File.open("#{Rails.root}/config/saml/#{specified_env}/saml_key.key","w+") {|f| f.write(key) }
+      File.open("#{Rails.root}/config/saml/#{specified_env}/idp_certificate.crt","w+") {|f| f.write(idp_cert) }
+      File.open("#{Rails.root}/config/saml/#{specified_env}/settings.json","w+") {|f| f.write(settings) }
+      File.open('.gitignore', 'a') { |f| f.write("config/saml/#{specified_env}/saml_key.key") }
     end
   end
 
@@ -68,7 +67,7 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
         acs: "http://localhost:3000/saml/consumeSaml" ,
         entity_id: "https://your-entity-id.com",
         sso_url: "https://shib.oit.duke.edu/idp/profile/SAML2/Redirect/SSO",
-        logout_return_url: "http://localhost:3000",
+        logout_url: "https://shib.oit.duke.edu/cgi-bin/logout.pl",
         primary_id: "eduPersonPrincipalName",
         sp_session_timeout: 1,
         sp_session_lifetime: 8,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.6
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-26 00:00:00.000000000 Z
+date: 2018-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -76,25 +76,19 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
-- app/assets/config/saml_camel_manifest.js
-- app/assets/javascripts/saml_camel/application.js
-- app/assets/stylesheets/saml_camel/application.css
-- app/assets/stylesheets/scaffold.css
-- app/controllers/concerns/saml_camel/saml_helpers.rb
+- app/controllers/concerns/saml_camel/saml_service.rb
 - app/controllers/saml_camel/application_controller.rb
 - app/controllers/saml_camel/saml_controller.rb
-- app/helpers/saml_camel/application_helper.rb
-- app/jobs/saml_camel/application_job.rb
-- app/mailers/saml_camel/application_mailer.rb
 - app/models/saml_camel/application_record.rb
-- app/models/saml_camel/logging.rb
-- app/models/saml_camel/transaction.rb
+- app/models/saml_camel/service_provider.rb
+- app/models/saml_camel/shib.rb
 - app/views/layouts/saml_camel/application.html.erb
 - app/views/saml_camel/saml/attr_check.html.erb
 - app/views/saml_camel/saml/failure.html.erb
 - config/routes.rb
 - lib/saml_camel.rb
 - lib/saml_camel/engine.rb
+- lib/saml_camel/transaction.rb
 - lib/saml_camel/version.rb
 - lib/tasks/saml_camel_tasks.rake
 homepage: https://idms-git.oit.duke.edu/da129/saml_camel

data/app/assets/config/saml_camel_manifest.js

@@ -1,2 +0,0 @@
-//= link_directory ../javascripts/saml_camel .js
-//= link_directory ../stylesheets/saml_camel .css

data/app/assets/javascripts/saml_camel/application.js

@@ -1,13 +0,0 @@
-// This is a manifest file that'll be compiled into application.js, which will include all the files
-// listed below.
-//
-// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
-// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
-//
-// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
-// compiled file. JavaScript code in this file should be added after the last require_* statement.
-//
-// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
-// about supported directives.
-//
-//= require_tree .

data/app/assets/stylesheets/saml_camel/application.css

@@ -1,15 +0,0 @@
-/*
- * This is a manifest file that'll be compiled into application.css, which will include all the files
- * listed below.
- *
- * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
- * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
- *
- * You're free to add application-wide styles to this file and they'll appear at the bottom of the
- * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
- * files in this directory. Styles in this file should be added after the last require_* statement.
- * It is generally better to create a new file per style scope.
- *
- *= require_tree .
- *= require_self
- */

data/app/assets/stylesheets/scaffold.css

@@ -1,80 +0,0 @@
-body {
-  background-color: #fff;
-  color: #333;
-  margin: 33px;
-}
-
-body, p, ol, ul, td {
-  font-family: verdana, arial, helvetica, sans-serif;
-  font-size: 13px;
-  line-height: 18px;
-}
-
-pre {
-  background-color: #eee;
-  padding: 10px;
-  font-size: 11px;
-}
-
-a {
-  color: #000;
-}
-
-a:visited {
-  color: #666;
-}
-
-a:hover {
-  color: #fff;
-  background-color: #000;
-}
-
-th {
-  padding-bottom: 5px;
-}
-
-td {
-  padding: 0 5px 7px;
-}
-
-div.field,
-div.actions {
-  margin-bottom: 10px;
-}
-
-#notice {
-  color: green;
-}
-
-.field_with_errors {
-  padding: 2px;
-  background-color: red;
-  display: table;
-}
-
-#error_explanation {
-  width: 450px;
-  border: 2px solid red;
-  padding: 7px 7px 0;
-  margin-bottom: 20px;
-  background-color: #f0f0f0;
-}
-
-#error_explanation h2 {
-  text-align: left;
-  font-weight: bold;
-  padding: 5px 5px 5px 15px;
-  font-size: 12px;
-  margin: -7px -7px 0;
-  background-color: #c00;
-  color: #fff;
-}
-
-#error_explanation ul li {
-  font-size: 12px;
-  list-style: square;
-}
-
-label {
-  display: block;
-}

data/app/controllers/concerns/saml_camel/saml_helpers.rb

@@ -1,134 +0,0 @@
-require_dependency "saml_camel/application_controller"
-
-module SamlCamel::SamlHelpers
-    extend ActiveSupport::Concern
-    SP_SETTINGS = JSON.parse(File.read("saml/#{Rails.env}/settings.json"))
-
-    #this generates a call to the idp, which will then be returned to the consume action the in saml_contorller
-    def saml_request(host_request)
-      request = OneLogin::RubySaml::Authrequest.new
-      assign_permit_key
-      lifetime =  SP_SETTINGS['settings']["sp_session_lifetime"]
-      permit_key = session[:saml_session_id].to_sym
-
-      #store ip address and original url request in memory to be used for verification and redirect after response
-      Rails.cache.fetch(permit_key, expires_in: lifetime.hours) do
-        {ip_address: host_request.remote_ip,  redirect_url:  host_request.url }
-      end
-
-      saml_request_url = request.create(SamlCamel::Transaction.saml_settings)
-      redirect_to(saml_request_url)
-    end
-
-
-    #ensures that a saml response can not be used more than once.
-    #stores response ids and checks to see if the response id has already been used.
-    def duplicate_response_id?(response_id)
-      ids = Rails.cache.fetch("response_ids")
-      if ids
-        if ids.include?(response_id)
-          session[:sp_session] = nil
-          raise "SAML response ID already issued."
-        else
-          ids << response_id
-          Rails.cache.fetch("response_ids", expires_in: 1.hours) do
-            ids
-          end
-        end
-      else
-        Rails.cache.fetch("response_ids", expires_in: 1.hours) do
-          []
-        end
-      end
-    end
-
-    def set_saml_session_lifetime(permit_key)
-      user_saml_cache = Rails.cache.fetch(permit_key)
-      user_saml_cache[:session_start_time] = Time.now
-      Rails.cache.fetch(permit_key, expires_in: 8.hours) do
-        user_saml_cache
-      end
-    end
-
-
-    #Make it so sp sessions only last 1 hour, sp_session is set on a succesfull saml response.
-    #We check that the session time is less than in hour if so we refresh, otherwise we delete the session
-    def expired_session?
-      permit_key = session[:saml_session_id].to_sym
-      user_cache = Rails.cache.fetch(permit_key)
-      cache_available?(user_cache)
-
-      sp_timeout = SP_SETTINGS["settings"]["sp_session_timeout"]
-      sp_lifetime = SP_SETTINGS['settings']["sp_session_lifetime"]
-
-      set_saml_session_lifetime(permit_key) if user_cache[:session_start_time].nil?
-      sp_session_init_time = user_cache[:session_start_time]
-
-      if session[:sp_session]
-        #if the session has timed out remove session, otherwise refresh
-        if (Time.now - Time.parse(session[:sp_session])) < sp_timeout.hour
-          session[:sp_session] = Time.now
-        else
-          SamlCamel::Logging.expired_session(session[:saml_attributes])
-          session[:sp_session] = nil
-        end
-
-        #if the session has exceeded the allowed lifetime, remove session
-        if (Time.now - sp_session_init_time) > sp_lifetime.hour
-          SamlCamel::Logging.expired_session(session[:saml_attributes])
-          session[:sp_session] = nil
-        end
-      end
-    end
-
-
-    def valid_ip?(remote_ip)
-      permit_key = session[:saml_session_id].to_sym
-      saml_cache =  Rails.cache.fetch(permit_key)
-      cache_available?(saml_cache)
-        unless remote_ip == saml_cache[:ip_address]
-          SamlCamel::Logging.bad_ip(session[:saml_attributes], saml_cache[:ip_address], remote_ip)
-          session[:sp_session] = nil
-        end
-    end
-
-
-    #saml_protect is what is called in the app. it initiates the saml request if there is no active session, or if a user has been idle for over an hour
-    def saml_protect
-      user_cache = cache_available?(Rails.cache.fetch(session[:saml_session_id]))
-      if session[:saml_session_id] && user_cache
-        #sets session[:sp_session] to nil if expired, of if the ip adress changes
-
-        expired_session?
-        valid_ip?(request.remote_ip)
-        saml_request(request) unless (session[:saml_response_success] || session[:sp_session])
-      else
-        saml_request(request)
-      end
-      session[:saml_response_success] = nil #keeps us from looping
-    end
-
-
-    def cache_available?(app_cache)
-      if app_cache
-        true
-      else
-        session[:sp_session] = nil
-        false
-      end
-    end
-
-
-    def verify_sha_type(response)
-      raw_xml_string = response.decrypted_document.to_s
-      attr_scan = raw_xml_string.scan(/<ds:SignatureMethod.*\/>/)
-      is_sha1 = attr_scan[0].match("sha1")
-
-      raise "SHA1 algorithm not supported " if is_sha1
-    end
-
-    def assign_permit_key
-      session[:saml_session_id] = SecureRandom.base64.chomp.gsub( /\W/, '' )
-    end
-
-end

data/app/helpers/saml_camel/application_helper.rb

@@ -1,4 +0,0 @@
-module SamlCamel
-  module ApplicationHelper
-  end
-end

data/app/jobs/saml_camel/application_job.rb

@@ -1,4 +0,0 @@
-module SamlCamel
-  class ApplicationJob < ActiveJob::Base
-  end
-end

data/app/mailers/saml_camel/application_mailer.rb

@@ -1,6 +0,0 @@
-module SamlCamel
-  class ApplicationMailer < ActionMailer::Base
-    default from: 'from@example.com'
-    layout 'mailer'
-  end
-end

data/app/models/saml_camel/logging.rb

@@ -1,51 +0,0 @@
-module SamlCamel
-  class Logging
-    SP_SETTINGS = JSON.parse(File.read("saml/#{Rails.env}/settings.json"))
-    PRIMARY_ID = SP_SETTINGS["settings"]["primary_id"]
-    SHOULD_LOG = SP_SETTINGS["settings"]["saml_logging"]
-
-    def self.successfull_auth(saml_attrs)
-      logger = Logger.new("log/saml.log")
-      logger.info("#{saml_attrs[PRIMARY_ID]} has succesfully authenticated.")
-    rescue
-      logger.debug("Unknown Error During successfull_auth logging. Check PRIMARY_ID configured in settings.json and that user has attribute.")
-    end
-
-    def self.auth_failure(error_context)
-      logger = Logger.new("log/saml.log")
-      logger.error("An error occured during authentication. #{error_context}")
-      logger.error("Backtrace: \n\t\t#{error_context.backtrace.join("\n\t\t")}")
-    rescue
-      logger.debug("Unknown Error During auth_failure logging.")
-    end
-
-    def self.logout(saml_attrs)
-      logger = Logger.new("log/saml.log")
-      logger.info("#{saml_attrs[PRIMARY_ID]} has succesfully logged out.")
-    rescue
-      logger.debug("Unknown error logging user logout. Most likely anonymous user clicked a logout button.")
-    end
-
-    def self.expired_session(saml_attrs)
-      logger = Logger.new("log/saml.log")
-      logger.info("Session Expired for #{saml_attrs[PRIMARY_ID]}")
-    rescue
-      logger.debug("Unknown Error During relay state logging.")
-    end
-
-    def self.bad_ip(saml_attrs,request_ip,current_ip)
-      logger = Logger.new("log/saml.log")
-      logger.info("Bad IP address for #{saml_attrs[PRIMARY_ID]}. IP at SAML request #{request_ip} | IP presented #{current_ip}")
-    rescue
-      logger.debug("Unknown Error During relay state logging.")
-    end
-
-    def self.saml_state(data)
-      logger = Logger.new("log/saml.log")
-      logger.info("Stored Relay: #{data[:stored_relay]} | RequestRelay: #{data[:request_relay]} | Stored IP: #{data[:stored_ip]}  RemoteIP: #{data[:remote_ip]}")
-    rescue
-      logger.debug("Unknown Error During relay state logging.")
-    end
-
-  end
-end

data/app/models/saml_camel/transaction.rb

@@ -1,56 +0,0 @@
-module SamlCamel
-  class Transaction
-    SP_SETTINGS = JSON.parse(File.read("saml/#{Rails.env}/settings.json"))
-
-    def self.saml_settings
-      sp_settings = SP_SETTINGS["settings"]
-      settings = OneLogin::RubySaml::Settings.new
-      settings.assertion_consumer_service_url = sp_settings["acs"]
-
-
-      settings.issuer                         = sp_settings["entity_id"]
-      settings.idp_sso_target_url             = sp_settings["sso_url"]
-
-
-      # certificate to register with IDP and key to decrypt
-      settings.certificate = File.read("saml/#{Rails.env}/saml_certificate.crt")
-
-      # certificate to decrypt SAML response
-      settings.private_key = File.read("saml/#{Rails.env}/saml_key.key")
-
-      # certificate to verify IDP signature
-      settings.idp_cert = File.read("saml/#{Rails.env}/idp_certificate.crt")
-
-
-      #TODO test by modding relying party duke-coi-smart example
-      settings.security[:digest_method]    = XMLSecurity::Document::SHA256
-      settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
-
-      # Optional for most SAML IdPs
-      settings.authn_context = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
-      settings.attribute_consuming_service.configure do
-        service_name "Service"
-        service_index 5
-        add_attribute :redirect_path => "root_path"
-      end
-      settings
-    end
-
-    def self.map_attributes(attrs)
-      attr_map = SP_SETTINGS["attribute_map"]
-      mapped_attributes = {}
-
-      attrs.each do |attr,value|
-        mapped_name = attr_map[attr]
-        if mapped_name.nil? #handles attributes not in map
-          mapped_attributes[attr] = value
-        else
-          mapped_attributes[mapped_name] = value
-        end
-      end
-      mapped_attributes
-    end
-
-
-  end
-end