saml_camel 1.0.6 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4ad1d62b323fe26e46a9a3a792d8135f1527cdb0baca5be3b0d3dee9269d9dc
-  data.tar.gz: 3e541102a3ad4019bc2324ad5f0381ce139e8119c294ba9f8e9220748b342f57
+  metadata.gz: a85dd9e46209cb477da0b7519ef800d88796e6084a7c5679af77507f7209faba
+  data.tar.gz: 539f735329de875c9679f39862f20a6a608e4362ad0b06fcae941d7f17fbbd9e
 SHA512:
-  metadata.gz: bdf5758464765a73a0ece1c6f6ed4046bbe345a574b4ea990dab8f821e89fe6c01db4be13dd0f5690c3c667269f8b48704d1dac8b9b257791d06f9ae5e3e19cc
-  data.tar.gz: 6dd10093b2ffb277485400ca236cd4ab017c67cc0b626110c21bc43b654997f8671c03ca5e0144a53e97cf194312cca3bb8ecabbcb6095a669b1f5414ddb27a9
+  metadata.gz: 52102243981e4784384594b1799c6f9de96b9f7840ab8315fea0d7b004cdfd2c87629673af860f3240b53aa4b55cf4cb9b9d96d620a8c92939cfba90a826e71b
+  data.tar.gz: 208ad0581678d2a9f600786cd9acb25d3b0218fde684b03b1d7f5d98398caa419b6ad94f25c7d596ff0ca463c0a8c8cd5987ae3ccd10364c24da9813ebd333a7

data/README.md

@@ -37,7 +37,7 @@ $ bundle
   config.cache_store = :memory_store
 ```
 
-  **NOTE:** use the cache_store most appropriate for your situation. **It may make more sense to use a file store, or a redis server. If you are running an app accross multiple instances do not use memory_store**. For example it may not make sense to cache in memory in production. You can read more about rails caching behavior here http://guides.rubyonrails.org/caching_with_rails.html
+  **NOTE:** use the cache_store most appropriate for your situation. **It may make more sense to use a file store, or a redis server. If you are running an app across multiple instances do not use memory_store**. For example it may not make sense to cache in memory in production. You can read more about rails caching behavior here http://guides.rubyonrails.org/caching_with_rails.html
 
 2. run `rake saml_camel:generate_saml` to generate metadata files for the development, test, and production environment. You can also specify a custom environment like this `rake saml_camel:generate_saml environment=acceptance`
 
@@ -72,6 +72,22 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
   end
 ```
 
+6. you can also pass in an optional `RelayState:` keyword argument to provide the RelayState parameter.
+The relay state parameter will be played back to you in the response parameters from the idp. This can be useful if you want to redirect users to different endpoints after the response goes to the ACS.
+```ruby
+  class DashboardController < ApplicationController
+    before_action except: [:home] do
+      saml_protect(relay_state: "some-value-I-want-in-the-response")
+    end
+
+    def home
+    end
+
+    def index
+    end
+  end
+```
+
 7. to logout simply make a post to `localhost:3000/saml/logout`. This will kill the local saml session, and the session with the identity provider.
 
 7. response attributes found in `session[:saml_attributes]`
@@ -82,6 +98,9 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
 
 9. Logging is turned on by default. Logging is configured in `config/saml/development/settings.json`. To utilize logging saml_logging should be set to true (default), and primary_id must have a value. primary_id is the saml attribute you consider to be a primary identifier for a user
 
+11. Clock drift can be adjusted by setting the `clock_drift` in `config/saml/development/settings.json`
+The value should be an integer(which translates to seconds). For example a value of 60 will allow clock drift of 1 minute. It is recommended that if you set this value, it should be set as low as possible for security purposes. 
+
 
 10. Convenience Endpoints (assuming enginte is mounted to `saml` path):
   - `/saml/attributes` view attributes being passed through
@@ -101,6 +120,7 @@ Identity Provider(idp) to recognize your app. Typically it should take the form
     "primary_id": "eduPersonPrincipalName",
     "sp_session_timeout": 1,
     "sp_session_lifetime": 8,
+    "clock_drift": false,
     "test_auth_path": true,
     "saml_logging": true,
     "debug": false,

data/app/controllers/concerns/saml_camel/saml_service.rb

@@ -17,7 +17,8 @@ module SamlCamel::SamlService # rubocop:disable Style/ClassAndModuleChildren
   end
 
   # TODO: refactor
-  def saml_protect # rubocop:disable Metrics/MethodLength, Metrics/AbcSize:
+  def saml_protect(relay_state: nil) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize:
+    relay_state = relay_state ? "&RelayState=#{CGI.escape(relay_state)}" : ""
     #TODO move this
     begin
       settings = JSON.parse(File.read("config/saml/#{Rails.env}/settings.json"))
@@ -27,6 +28,8 @@ module SamlCamel::SamlService # rubocop:disable Style/ClassAndModuleChildren
     end
 
     user_cache = cache_available?(Rails.cache.fetch(session[:saml_session_id])) if session[:saml_session_id]
+
+    #user has an active saml_session_id and cache was found using that session id
     if session[:saml_session_id] && user_cache
       SamlCamel::Logging.debug('Saml Session and User Cache Found.') if sp_debug
       SamlCamel::Logging.debug("SAML session id: #{session[:saml_session_id]} | Cache: #{user_cache}") if sp_debug
@@ -35,14 +38,22 @@ module SamlCamel::SamlService # rubocop:disable Style/ClassAndModuleChildren
         saml_attributes: session[:saml_attributes]
       )
       session[:sp_session] = sp.validate_sp_session(session[:sp_session], request.remote_ip)
+
+      # run this if a user does not have an sp session, or if the response was a failure
       unless session[:saml_response_success] || session[:sp_session]
         SamlCamel::Logging.debug('SAML response not successful or no sp session not valid. Generating new request.') if sp_debug
         SamlCamel::Logging.debug("SAML response: #{session[:saml_response_success]}") if sp_debug
         SamlCamel::Logging.debug("SP session #{session[:sp_session]}") if sp_debug
+        
+        session[:saml_session_id] = SamlCamel::ServiceProvider.generate_permit_key
+        saml_request_url = SamlCamel::ServiceProvider.new(
+          cache_permit_key: session[:saml_session_id].to_sym
+        ).generate_saml_request(request)
 
-        saml_request_url = sp.generate_saml_request(request)
-        redirect_to(saml_request_url)
+        redirect_to(saml_request_url + relay_state)
       end
+
+    # user did not have a saml_session_id and an active cache
     else
       SamlCamel::Logging.debug('User Cache or saml session id not found. Generating new request.') if sp_debug
       SamlCamel::Logging.debug("SAML session id: #{session[:saml_session_id]} | Cache: #{user_cache}") if sp_debug
@@ -51,7 +62,7 @@ module SamlCamel::SamlService # rubocop:disable Style/ClassAndModuleChildren
       saml_request_url = SamlCamel::ServiceProvider.new(
         cache_permit_key: session[:saml_session_id].to_sym
       ).generate_saml_request(request)
-      redirect_to(saml_request_url)
+      redirect_to(saml_request_url + relay_state)
     end
     session[:saml_response_success] = nil # keeps us from looping
   end

data/app/models/saml_camel/service_provider.rb

@@ -25,13 +25,31 @@ module SamlCamel
 
     # ol OneLogin
     def self.ol_response(idp_response, raw_response: false)
+      clock_drift = set_clock_drift
       settings = SamlCamel::Transaction.saml_settings(raw_response: raw_response)
-      response          = OneLogin::RubySaml::Response.new(idp_response, settings: settings)
+      if clock_drift
+        response          = OneLogin::RubySaml::Response.new(idp_response, settings: settings, allowed_clock_drift: clock_drift.second)
+      else
+        response          = OneLogin::RubySaml::Response.new(idp_response, settings: settings)
+      end
       response.settings = settings
-
       response
     end
 
+    #if user configured clock drift, check configuration
+    # ruby saml default I "think" is 180 sec based of the java saml pull request https://github.com/onelogin/java-saml/issues/89
+    # however when I pulled the ruby-saml gem and searched the repo it looks like there is no clock drift by default
+    def self.set_clock_drift
+      clock_drift = SP_SETTINGS.dig('settings','clock_drift')
+      # clock drift must either be an integer of falsey
+      unless (clock_drift.class == Integer || clock_drift.class == Fixnum) || !clock_drift
+        SamlCamel::Logging.clock_drift(clock_drift)
+        raise "Clock Drift Incorrectly Configured."
+      end
+      clock_drift
+    end
+
+
     # TODO: method too complex
     def check_expired_session(sp_session) # rubocop:disable Metrics/MethodLength, Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/LineLength
       sp_timeout = SP_SETTINGS['settings']['sp_session_timeout']
@@ -117,6 +135,7 @@ module SamlCamel
     end
 
 
+
     # set saml_session lifetime, called if none set
     # TODO: this may need to be renamed, it's not really setting the lifetime
     # it's refreshing the last time a user authenticated

data/app/models/saml_camel/shib.rb

@@ -4,7 +4,11 @@ module SamlCamel
   # handle shib attributes
   class Shib
     if SP_SETTINGS.dig('settings','shib_module')
-      ATTRIBUTE_MAP = JSON.parse(File.read('config/saml/shibboleth.json'))
+      if File.file?('config/saml/shibboleth.json') #keep backwards compatiblity
+        ATTRIBUTE_MAP = JSON.parse(File.read('config/saml/shibboleth.json'))
+      else
+        ATTRIBUTE_MAP = JSON.parse(File.read("config/saml/#{Rails.env}/settings.json"))["attribute_map"]
+      end
     end
 
     def self.attributes(request)

data/app/views/saml_camel/saml/failure.html.erb

@@ -1,2 +1,4 @@
-<h1>Failure in SAML Response</h1>
-<h3><%= @error %></h3>
+<div id="samlcamel-error-container">
+  <h1 id='samlcamel-error-head'>Failure in SAML Response</h1>
+  <h3 id='samlcamel-error-msg'><%= @error %></h3>
+</div>

data/lib/saml_camel.rb

@@ -87,6 +87,12 @@ module SamlCamel
       LOGGER.debug('Unknown Error During relay state logging. IP check') if SHOULD_LOG
     end
 
+    def self.clock_drift(clock_drift)
+      LOGGER.debug("Clock drift has not been configured. Must either be false, or an integer. Currently configured as #{clock_drift}(#{clock_drift.class})") if SHOULD_LOG
+    rescue StandardError
+      LOGGER.debug('Unknown Error During Debug') if SHOULD_LOG
+    end
+
     def self.debug(message)
       LOGGER.debug(message) if SHOULD_LOG
     rescue StandardError
@@ -108,6 +114,7 @@ module SamlCamel
       end
     end
 
+    #no occurances of this being used, may be able to remove? 10/17/2018
     def self.saml_state(data)
       if SHOULD_LOG
         LOGGER.info("Stored Relay: #{data[:stored_relay]} |

data/lib/saml_camel/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SamlCamel
-  VERSION = '1.0.6'
+  VERSION = '1.0.7'
 end

data/lib/tasks/saml_camel_tasks.rake

@@ -71,6 +71,7 @@ tA6SX0infqNRyPRNJK+bnQd1yOP4++tjD/lAPE+5tiD/waI3fArt43ZE/qp7pYMS
         primary_id: 'eduPersonPrincipalName',
         sp_session_timeout: 1,
         sp_session_lifetime: 8,
+        clock_drift: false,
         test_auth_path: true,
         saml_logging: true,
         debug: false,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: saml_camel
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.7
 platform: ruby
 authors:
 - 'Danai Adkisson '
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-02 00:00:00.000000000 Z
+date: 2018-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails