Adds saml config params to auth and to settings yml

* This commit also changes the uid to point to the urn for PPID and adds additional attrs to statements.
emory-libraries · Nov 17, 2020 · 4c95641 · 4c95641
1 parent 25d6cc2
commit 4c95641
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 35 deletions.
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -26,7 +26,7 @@ class User < ActiveRecord::Base
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable
   # Registration is controlled via settings.yml
-  devise_list = [:omniauthable, :rememberable, :trackable, omniauth_providers: [:shibboleth], authentication_keys: [:login]]
+  devise_list = [:omniauthable, :rememberable, :trackable, omniauth_providers: [:saml], authentication_keys: [:login]]
   devise_list.prepend(:database_authenticatable) if AuthConfig.use_database_auth?
 
   devise(*devise_list)
@@ -172,15 +172,15 @@ def self.from_omniauth(auth)
       log_omniauth_error(auth)
       return User.new
     end
-    user.assign_attributes(display_name: auth.info.display_name, ppid: auth.uid, uid: auth.info.uid)
+    user.assign_attributes(display_name: auth.info.first_name, ppid: auth.uid, uid: auth.info.net_id)
     # tezprox@emory.edu isn't a real email address
-    user.email = auth.info.uid + '@emory.edu' unless auth.info.uid == 'tezprox'
+    user.email = auth.info.net_id + '@emory.edu' unless auth.info.net_id == 'tezprox'
     user.save
     user
   end
 
   def self.log_omniauth_error(auth)
-    if auth.info.uid.empty?
+    if auth.uid.empty?
       Rails.logger.error "Nil user detected: Shibboleth didn't pass a uid for #{auth.inspect}"
     else
       # Log unauthorized logins to error.

diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -125,10 +125,14 @@
   config.idp_cert = ENV['IDP_CERT']
   config.certificate = ENV['SP_CERT']
   config.private_key = ENV['SP_KEY']
-  config.attribute_statements = {}
-  config.uid_attribute = "urn:oid:0.9.2342.19200300.100.1.1"
+  config.attribute_statements = { 
+                                  :net_id => ["urn:oid:0.9.2342.19200300.100.1.1"],
+                                  :first_name => ["urn:oid:1.3.6.1.4.1.5923.1.1.1.2"],
+                                  :last_name => ["urn:oid:2.5.4.4"]
+                                }
+  config.uid_attribute = "urn:oid:2.5.4.5"
   config.security = {
      :want_assertions_encrypted  => true, #makes a 2nd KeyDescriptor, this one says use="encryption"
-     :want_assertions_signed  => true, # goes on md SPSSODescriptor tag
+     :want_assertions_signed  => true # goes on md SPSSODescriptor tag
   }
 end
diff --git a/config/routes.rb b/config/routes.rb
@@ -47,14 +47,10 @@
   end
 
   devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks', sessions: 'users/sessions' }, format: false
-  unless AuthConfig.use_database_auth?
-    devise_scope :user do
-      get 'sign_in', to: 'users/sessions#new', as: :new_user_session
-      get 'sign_out', to: 'users/sessions#destroy', as: :destroy_user_session
-      match '/users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize, via: [:get, :post]
-      Avalon::Authentication::Providers.collect { |provider| provider[:provider] }.uniq.each do |provider_name|
-        match "/users/auth/#{provider_name}/callback", to: "users/omniauth_callbacks##{provider_name}", as: "user_omniauth_callback_#{provider_name}".to_sym, via: [:get, :post]
-      end
+  devise_scope :user do
+    match '/users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize, via: [:get, :post]
+    Avalon::Authentication::Providers.collect { |provider| provider[:provider] }.uniq.each do |provider_name|
+      match "/users/auth/#{provider_name}/callback", to: "users/omniauth_callbacks##{provider_name}", as: "user_omniauth_callback_#{provider_name}".to_sym, via: [:get, :post]
     end
   end
 

diff --git a/config/settings.yml b/config/settings.yml
@@ -82,4 +82,9 @@ auth:
         :oauth_credentials:
           <%= ENV['LTI_AUTH_KEY'] %>: <%= ENV['LTI_AUTH_SECRET'] %>
     <% end %>
+    <% if ENV['SP_KEY'] %>
+    - :name: Saml
+      :provider: :saml
+      :hidden: false
+    <% end %>
 # google_analytics_tracking_id: "someid"
diff --git a/lib/avalon/authentication.rb b/lib/avalon/authentication.rb
@@ -36,7 +36,18 @@ def self.load_configs
     end
 
     if ENV['SP_KEY']
-      Config << { name: 'saml', provider: :saml, hidden: false, params: {} }
+      Config << { name: 'saml', provider: :saml, hidden: false, params: { :assertion_consumer_service_url        => Rails.application.config.assertion_consumer_service_url,
+                                                                          :assertion_consumer_logout_service_url => Rails.application.config.assertion_consumer_logout_service_url,
+                                                                          :issuer                                => Rails.application.config.issuer,
+                                                                          :idp_sso_target_url                    => Rails.application.config.idp_sso_target_url,
+                                                                          :idp_slo_target_url                    => Rails.application.config.idp_slo_target_url,
+                                                                          :idp_cert                              => Rails.application.config.idp_cert,
+                                                                          :certificate                           => Rails.application.config.certificate,
+                                                                          :private_key                           => Rails.application.config.private_key,
+                                                                          :attribute_statements                  => Rails.application.config.attribute_statements,
+                                                                          :uid_attribute                         => Rails.application.config.uid_attribute,
+                                                                          :security                              => Rails.application.config.security
+                                                                         } }
     end
 
     Providers = Config.reject {|provider| provider[:provider].blank? }

diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -153,8 +153,8 @@
         provider: 'shibboleth',
         uid:      "P0000001",
         info:     {
-          display_name: "Brian Wilson",
-          uid:          'brianbboys1967'
+          first_name: "Brian Wilson",
+          net_id:     'brianbboys1967'
         }
       )
 
@@ -164,14 +164,14 @@
       end
 
       it "redirects to origin" do
-        post :shibboleth
+        post :saml
         expect(response.redirect_url).to eq 'http://test.host/example'
       end
     end
 
     context "when origin is missing" do
       it "redirects to dashboard" do
-        post :shibboleth
+        post :saml
         expect(response.redirect_url).to include 'http://test.host/'
       end
     end

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
@@ -173,8 +173,8 @@
         provider: 'shibboleth',
         uid:      "P0000001",
         info:     {
-          display_name: "Brian Wilson",
-          uid:          'brianbboys1967'
+          first_name: "Brian Wilson",
+          net_id:     'brianbboys1967'
         }
       )
     end
@@ -186,10 +186,10 @@
         expect(user.provider).to eq 'shibboleth'
       end
       it "has a uid" do
-        expect(user.uid).to eq auth_hash.info.uid
+        expect(user.uid).to eq auth_hash.info.net_id
       end
       it "has a name" do
-        expect(user.display_name).to eq auth_hash.info.display_name
+        expect(user.display_name).to eq auth_hash.info.first_name
       end
       it "has a PPID" do
         expect(user.ppid).to eq auth_hash.uid
@@ -202,23 +202,23 @@
           provider: 'shibboleth',
           uid:      "P0000001",
           info:     {
-            display_name: "Boaty McBoatface",
-            uid:          'brianbboys1968'
+            first_name: "Boaty McBoatface",
+            net_id:     'brianbboys1968'
           }
         )
       end
 
       it "updates ppid and display_name with values from shibboleth" do
-        expect(user.uid).to eq auth_hash.info.uid
+        expect(user.uid).to eq auth_hash.info.net_id
         expect(user.ppid).to eq auth_hash.uid
-        expect(user.display_name).to eq auth_hash.info.display_name
+        expect(user.display_name).to eq auth_hash.info.first_name
         described_class.from_omniauth(updated_auth_hash)
         user.reload
         expect(user.ppid).to eq updated_auth_hash.uid
-        expect(user.uid).not_to eq auth_hash.info.uid
+        expect(user.uid).not_to eq auth_hash.info.net_id
         expect(user.ppid).to eq updated_auth_hash.uid
-        expect(user.display_name).not_to eq auth_hash.info.display_name
-        expect(user.display_name).to eq updated_auth_hash.info.display_name
+        expect(user.display_name).not_to eq auth_hash.info.first_name
+        expect(user.display_name).to eq updated_auth_hash.info.first_name
       end
     end
 
@@ -236,8 +236,8 @@
           provider: 'shibboleth',
           uid:      'P0000003',
           info:     {
-            display_name: 'Fake Person',
-            uid:          'egnetid'
+            first_name: 'Fake Person',
+            net_id:     'egnetid'
           }
         )
       end
@@ -258,8 +258,8 @@
           provider: 'shibboleth',
           uid:      '',
           info:     {
-            display_name: '',
-            uid:          ''
+            first_name: '',
+            net_id:     ''
           }
         )
       end