soar_authentication_token 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 30c0c39a09540212db058ce833ebcd693e2defd2
-  data.tar.gz: cc20f98a7bdaa653cd2fe437946d6646b268bd78
+  metadata.gz: 0f96b19d4ab690a6bfdd43d38c9c16795dbef257
+  data.tar.gz: a91497c50df87f8adaaa76c6929e33a8f3afd9fe
 SHA512:
-  metadata.gz: b76a8b2663458cd8b417c391e73b2467c31d8cbca6b2d8b5ab343f65641e698e9e2e25b0e65cdccef98f2270eddcfb712bc5ad101c0b69bead28f49f72c24eed
-  data.tar.gz: 1b9804a8de2dc0dc9ea7a84e6f9c3641d84a0a3b62b8ae94e7087813da8b49f04e9a5da910fb2860f093ce86048f2e5c4edefdb39a6afe70b6370de7d433bbee
+  metadata.gz: 0230c1bbd09ba5887a6be2908824dc5d441f28da8e9128c4da1240f967a5d2588df2f42d3b94cb984abb9375a507ab5f312f36f5e6b624d9938c595084cd1db3
+  data.tar.gz: e8dc6ceb4f1d612f40bc62b64c912a7b5085e77fe49edbeea3a40b29c0cbd209bb3b82da67d7805d50ef9d97bbaab8c7ff61bcfb04a53cbe866b731edafa677c

data/README.md

@@ -23,10 +23,9 @@ Or install it yourself as:
 
 ## Testing
 
-Run the rspec test tests:
-
-    $ docker-compose run --rm soar-authentication-token bundle exec rspec -cfd spec
+Run the rspec test tests using docker compose:
 
+    $ docker-compose run soar-authentication-token /bin/bash -c 'sleep 10; bundle exec rspec -cfd spec'
 
 ## Usage
 

data/docker-compose.yml

@@ -4,4 +4,27 @@ services:
     build: .
     image: soar-authentication-token
     volumes:
-     - .:/usr/local/src/
+      - .:/usr/local/src/
+    links:
+      - authentication-token-generator-service
+      - authentication-token-validator-service
+  authentication-token-generator-service:
+    build: ../authentication-token-generator-service
+    image: authentication-token-generator-service
+    expose:
+      - "9393"
+    volumes:
+      - ../authentication-token-generator-service:/usr/local/src/
+    environment:
+      - RACK_ENV=development
+      - ENVIRONMENT_FILE=environment_local.yml
+  authentication-token-validator-service:
+    build: ../authentication-token-validator-service
+    image: authentication-token-validator-service
+    expose:
+      - "9393"
+    volumes:
+      - ../authentication-token-validator-service:/usr/local/src/
+    environment:
+      - RACK_ENV=development
+      - ENVIRONMENT_FILE=environment_local.yml

data/lib/soar_authentication_token.rb

@@ -4,4 +4,5 @@ end
 require 'soar_authentication_token/keypair_generator'
 require 'soar_authentication_token/token_generator'
 require 'soar_authentication_token/token_validator'
+require 'soar_authentication_token/rack_middleware'
 require 'soar_authentication_token/version'

data/lib/soar_authentication_token/rack_middleware.rb

@@ -0,0 +1,97 @@
+require 'browser'
+require 'cgi'
+require 'net/http'
+require 'nokogiri'
+require 'rack/request'
+require 'uri'
+
+module SoarAuthenticationToken
+
+  class RackMiddleware
+
+    def initialize(app, config)
+      @app = app
+      @config = config
+    end
+
+    def call(env)
+      request = Rack::Request.new env
+      if @config[:browsers_only] and !is_browser?(request)
+        @app.call env
+      else
+        session, params = request.session, request.params
+        if session['user']
+          @app.call env
+        elsif params['logoutRequest']
+          callback(:on_logout, env, st_from_logoutrequest(params['logoutRequest']))
+          [200, {}, ['']]
+        elsif user = signon(request)
+          session['user'] = user
+          callback(:on_login, env, request['ticket'])
+          @app.call env
+        else
+          service = get_service request
+          [302, {'Location' => signon_url(service)}, ['']]
+        end
+      end
+    end
+
+    private
+
+    def callback(on_what, env, service_ticket)
+      @config[on_what].call(env, service_ticket) if(@config[on_what])
+    end
+
+    def st_from_logoutrequest(logout_request)
+      document = Nokogiri::XML::Document.parse(logout_request)
+      document.xpath('/samlp:LogoutRequest/samlp:SessionIndex').text
+    end
+
+
+    def is_browser?(request)
+      ua = request.user_agent
+      Browser.new(ua: ua).id != :other
+    end
+
+    def signon(request)
+      ticket = request.params['ticket']
+      service = get_service(request)
+      if ticket and service
+        redeem_service_ticket(ticket, service)
+      end
+    end
+
+    def get_service(request)
+      url = request.url
+      url.gsub!(/\&ticket=ST-\w+/, '')
+      url.gsub!(/\?ticket=ST-\w+/, '?')
+      url.chomp('?')
+    end
+
+    def redeem_service_ticket(ticket, service)
+      uri = URI.parse validation_url(ticket, service)
+      req = Net::HTTP::Get.new(uri.to_s)
+      verify_mode = @config[:ignore_certificate] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
+      Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == 'https'), :verify_mode => verify_mode) do |http|
+        response = http.request(req)
+        if response.code.to_i == 200
+          response_xml = Nokogiri::XML::Document.parse(response.body)
+          user_element = response_xml.xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user')
+          unless user_element.empty?
+            user_element.inner_text
+          end
+        end
+      end
+    end
+
+    def signon_url(service = '')
+      "#{@config[:prefix]}/login?service=#{CGI.escape service}"
+    end
+
+    def validation_url(ticket, service)
+      "#{@config[:prefix]}/serviceValidate?ticket=#{ticket}&service=#{CGI.escape service}"
+    end
+
+  end
+
+end

data/lib/soar_authentication_token/token_generator.rb

@@ -1,12 +1,14 @@
 require 'soar_xt'
 require 'jwt'
 require 'securerandom'
+require 'time'
+require 'net/http'
+require 'uri'
+require 'json'
 
 module SoarAuthenticationToken
   class TokenGenerator
     DEFAULT_CONFIGURATION = {
-      'mode' => 'remote',
-      'url' => ''
     } unless defined? DEFAULT_CONFIGURATION; DEFAULT_CONFIGURATION.freeze
 
     def initialize(configuration)
@@ -15,12 +17,38 @@ module SoarAuthenticationToken
       @private_key = OpenSSL::PKey::EC.new(@configuration['private_key'])
     end
 
-    def generate(authenticated_identifier:)
-      encode(payload(authenticated_identifier))
+    def generate(authenticated_identifier:, flow_identifier: nil)
+      return generate_locally(authenticated_identifier) if 'local' == @configuration['mode']
+      return generate_remotely(authenticated_identifier,flow_identifier)
     end
 
     private
 
+    def generate_locally(authenticated_identifier)
+      encode(payload(authenticated_identifier))
+    end
+
+    def generate_remotely(authenticated_identifier,flow_identifier)
+      uri = URI.parse(@configuration['generator-url'])
+
+      request = Net::HTTP::Post.new uri
+      request.set_form_data({'flow_identifier' => flow_identifier})
+      request.body = { 'authenticated_identifier' => authenticated_identifier }.to_json
+      response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') { |http|
+        http.request request
+      }
+
+      validate_and_extract_token_from_response(response)
+    end
+
+    def validate_and_extract_token_from_response(response)
+      raise "Failure generating token with token generation service. Code #{response.code}" if '200' != response.code
+      body = JSON.parse(response.body)
+      raise 'Failure generating token by token service' if 'success' != body['status']
+      raise 'Token service did not provide token' if body['data'].nil? or body['data']['token'].nil?
+      body['data']['token']
+    end
+
     def payload(authenticated_identifier)
       { 'authenticated_identifier' => authenticated_identifier,
         'issue_time'               => Time.now.utc.iso8601(3),
@@ -35,7 +63,11 @@ module SoarAuthenticationToken
     def validate_configuration
       raise "'mode' must be configured" unless @configuration['mode']
       raise "'mode' must be configured as either 'local' or 'remote'" unless ['local','remote'].include?(@configuration['mode'])
-
+      if 'remote' == @configuration['mode']
+        raise "'generator-url' must be configured in remote mode" if @configuration['generator-url'].nil?
+      else
+        raise "'private_key' must be configured in local mode" unless @configuration['private_key']
+      end
     end
 
     def merge_with_default_configuration(configuration)

data/lib/soar_authentication_token/token_validator.rb

@@ -4,10 +4,7 @@ require 'jwt'
 module SoarAuthenticationToken
   class TokenValidator
     DEFAULT_CONFIGURATION = {
-      'mode' => 'local',
-      'expiry' => 604800, #a day in seconds
-      'public_key' => '',
-      'url' => ''
+      'expiry'        => 604800 #a days worth of seconds
     } unless defined? DEFAULT_CONFIGURATION; DEFAULT_CONFIGURATION.freeze
 
     def initialize(configuration)
@@ -17,9 +14,9 @@ module SoarAuthenticationToken
       @public_key.private_key = nil
     end
 
-    def validate(authentication_token)
+    def validate(authentication_token:,flow_identifier: nil)
       return validate_locally(authentication_token) if 'local' == @configuration['mode']
-      return validate_remotely(authentication_token)
+      return validate_remotely(authentication_token,flow_identifier)
     end
 
     private
@@ -32,15 +29,42 @@ module SoarAuthenticationToken
       [false, nil]
     end
 
-    def validate_remotely(authentication_token)
-      [true, 'uuid']
+    def validate_remotely(authentication_token,flow_identifier)
+      uri = URI.parse(@configuration['validator-url'])
+
+      request = Net::HTTP::Post.new uri
+      request.set_form_data({'flow_identifier' => flow_identifier})
+      request.body = { 'authentication_token' => authentication_token }.to_json
+      response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') { |http|
+        http.request request
+      }
+
+      validate_and_extract_information_from_response(response)
+    end
+
+    def validate_and_extract_information_from_response(response)
+      raise "Failure validating token with token validation service. Code #{response.code} received" if '200' != response.code
+      body = JSON.parse(response.body)
+      if 'success' == body['status']
+        raise 'Token validation service did not provide authenticated_identifier' if body['data'].nil? or body['data']['authenticated_identifier'].nil?
+        return [true, body['data']['authenticated_identifier']]
+      end
+      if 'fail' == body['status']
+        return [false, nil]
+      end
+      raise "Failure validating token with token validation service. Status '#{body['status']}' received"
     end
 
     def validate_configuration
       raise "'mode' must be configured" unless @configuration['mode']
       raise "'mode' must be configured as either 'local' or 'remote'" unless ['local','remote'].include?(@configuration['mode'])
-      raise "'expiry' must be configured" unless @configuration['expiry']
-      raise "'expiry' must be an integer" unless Integer(@configuration['expiry'])
+      if 'remote' == @configuration['mode']
+        raise "'validator-url' must be configured in remote mode" unless @configuration['validator-url']
+      else
+        raise "'public_key' must be configured in local mode" unless @configuration['public_key']
+        raise "'expiry' must be configured in local mode" unless @configuration['expiry']
+        raise "'expiry' must be an integer" unless Integer(@configuration['expiry'])
+      end
     end
 
     def merge_with_default_configuration(configuration)

data/lib/soar_authentication_token/version.rb

@@ -1,3 +1,3 @@
 module SoarAuthenticationToken
-  VERSION = '0.0.3'
+  VERSION = '0.0.4'
 end

data/spec/token_generator_spec.rb

@@ -4,49 +4,59 @@ describe SoarAuthenticationToken::TokenGenerator do
   before :all do
     keypair_generator = SoarAuthenticationToken::KeypairGenerator.new
     @private_key, @public_key = keypair_generator.generate
+    @test_authenticated_identifier = 'a@b.co.za'
   end
 
   before :each do
-    generator_configuration = {
+    @generator_configuration_local = {
       'mode' => 'local',
       'private_key' => @private_key
     }
-    validator_configuration = {
+    @validator_configuration_local = {
       'mode' => 'local',
       'public_key' => @public_key
     }
-    @iut = SoarAuthenticationToken::TokenGenerator.new(generator_configuration)
-    @validator = SoarAuthenticationToken::TokenValidator.new(validator_configuration)
+    @configuration_remote = {
+      'mode' => 'remote',
+      'generator-url' => 'http://authentication-token-generator-service:9393/generate',
+      'validator-url' => 'http://authentication-token-validator-service:9393/validate'
+    }
   end
 
   after :each do
   end
 
+  after :all do
+  end
+
   it 'has a version number' do
     expect(SoarAuthenticationToken::VERSION).not_to be nil
   end
 
   context "when generating a new token locally" do
     it 'should provide token using configured private key' do
+      @iut = SoarAuthenticationToken::TokenGenerator.new(@generator_configuration_local)
+      @validator = SoarAuthenticationToken::TokenValidator.new(@validator_configuration_local)
 
-      #binding.pry
-      token = @iut.generate(authenticated_identifier: 'a@b.co.za')
-      print @validator.validate(token)
-      print @validator.validate("asdfasdf")
-    end
-  end
+      token = @iut.generate(authenticated_identifier: @test_authenticated_identifier, flow_identifier: 'test-flow-id')
+      token_validity, token_identifier = @validator.validate(authentication_token: token, flow_identifier: 'test-flow-id')
 
-  context "when generating a new token locally" do
-    it 'should provide token using the configured private key' do
-      #TODO
-      #expect(true).to eq false
+      expect(token_validity).to eq(true)
+      expect(token_identifier).to eq(@test_authenticated_identifier)
     end
   end
 
   context "when generating a new token remotely" do
     it 'should provide token using the configured remote service' do
-      #TODO
-      #expect(true).to eq false
+      @iut = SoarAuthenticationToken::TokenGenerator.new(@configuration_remote)
+
+      token = @iut.generate(authenticated_identifier: @test_authenticated_identifier, flow_identifier: 'test-flow-id')
+
+      @validator = SoarAuthenticationToken::TokenValidator.new(@configuration_remote)
+      token_validity, token_identifier = @validator.validate(authentication_token: token, flow_identifier: 'test-flow-id')
+
+      expect(token_validity).to eq(true)
+      expect(token_identifier).to eq(@test_authenticated_identifier)
     end
   end
 end

data/spec/token_validator_spec.rb

@@ -7,24 +7,34 @@ describe SoarAuthenticationToken::TokenValidator do
     @valid_private_key,   @valid_public_key   = keypair_generator.generate
     @invalid_private_key, @invalid_public_key = keypair_generator.generate
     @test_identifier = 'a@b.co.za'
-    @valid_generator_configuration = {
+    @local_valid_generator_configuration = {
       'mode' => 'local',
       'private_key' => @valid_private_key
     }
-    @invalid_generator_configuration = {
+    @local_invalid_generator_configuration = {
       'mode' => 'local',
       'private_key' => @invalid_private_key
     }
-    @validator_configuration = {
+    @local_validator_configuration = {
       'mode' => 'local',
       'public_key' => @valid_public_key
     }
-    @valid_generator = SoarAuthenticationToken::TokenGenerator.new(@valid_generator_configuration)
-    @invalid_generator = SoarAuthenticationToken::TokenGenerator.new(@invalid_generator_configuration)
+    @remote_generator_configuration = {
+      'mode' => 'remote',
+      'generator-url' => 'http://authentication-token-generator-service:9393/generate',
+    }
+    @remote_validator_configuration = {
+      'mode' => 'remote',
+      'validator-url' => 'http://authentication-token-validator-service:9393/validate'
+    }
+    @local_valid_generator = SoarAuthenticationToken::TokenGenerator.new(@local_valid_generator_configuration)
+    @local_invalid_generator = SoarAuthenticationToken::TokenGenerator.new(@local_invalid_generator_configuration)
+    @remote_generator = SoarAuthenticationToken::TokenGenerator.new(@remote_generator_configuration)
   end
 
   before :each do
-    @iut = SoarAuthenticationToken::TokenValidator.new(@validator_configuration)
+    @iut_local  = SoarAuthenticationToken::TokenValidator.new(@local_validator_configuration)
+    @iut_remote = SoarAuthenticationToken::TokenValidator.new(@remote_validator_configuration)
   end
 
   after :each do
@@ -36,26 +46,26 @@ describe SoarAuthenticationToken::TokenValidator do
 
   context "when validating a token locally using the configured public key" do
     it 'should indicate valid if the token is valid' do
-      token = @valid_generator.generate(authenticated_identifier: @test_identifier)
-      token_validity, token_identifier = @iut.validate(token)
+      token = @local_valid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_local.validate(authentication_token: token)
       expect(token_validity).to eq true
     end
 
     it 'should indicate invalid if the token is invalid' do
-      token = @invalid_generator.generate(authenticated_identifier: @test_identifier)
-      token_validity, token_identifier = @iut.validate(token)
+      token = @local_invalid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_local.validate(authentication_token: token)
       expect(token_validity).to eq false
     end
 
     it 'should provide the authenticated_identifier if the token is valid' do
-      token = @valid_generator.generate(authenticated_identifier: @test_identifier)
-      token_validity, token_identifier = @iut.validate(token)
+      token = @local_valid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_local.validate(authentication_token: token)
       expect(token_identifier).to eq @test_identifier
     end
 
     it 'should not provide the authenticated_identifier if the token is invalid' do
-      token = @invalid_generator.generate(authenticated_identifier: @test_identifier)
-      token_validity, token_identifier = @iut.validate(token)
+      token = @local_invalid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_local.validate(authentication_token: token)
       expect(token_identifier).to eq nil
     end
 
@@ -71,6 +81,38 @@ describe SoarAuthenticationToken::TokenValidator do
   end
 
   context "when validating a token remotely using the configured url" do
-    #TODO
+    it 'should indicate valid if the token is valid' do
+      token = @remote_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_remote.validate(authentication_token: token)
+      expect(token_validity).to eq true
+    end
+
+    it 'should indicate invalid if the token is invalid' do
+      token = @local_invalid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_remote.validate(authentication_token: token)
+      expect(token_validity).to eq false
+    end
+
+    it 'should provide the authenticated_identifier if the token is valid' do
+      token = @remote_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_remote.validate(authentication_token: token)
+      expect(token_identifier).to eq @test_identifier
+    end
+
+    it 'should not provide the authenticated_identifier if the token is invalid' do
+      token = @local_invalid_generator.generate(authenticated_identifier: @test_identifier)
+      token_validity, token_identifier = @iut_remote.validate(authentication_token: token)
+      expect(token_identifier).to eq nil
+    end
+
+    it 'should indicate as invalid tokens that are older than the configured expiry time' do
+      #TODO
+      #expect(true).to eq false
+    end
+
+    it 'should indicate as valid tokens that are not older than the configured expiry time' do
+      #TODO
+      #expect(true).to eq false
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: soar_authentication_token
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-29 00:00:00.000000000 Z
+date: 2016-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: soar_xt
@@ -125,6 +125,7 @@ files:
 - docker-compose.yml
 - lib/soar_authentication_token.rb
 - lib/soar_authentication_token/keypair_generator.rb
+- lib/soar_authentication_token/rack_middleware.rb
 - lib/soar_authentication_token/token_generator.rb
 - lib/soar_authentication_token/token_validator.rb
 - lib/soar_authentication_token/version.rb