diff --git a/app/models/user.rb b/app/models/user.rb
index 913bc02eda..07ffa3e285 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -26,7 +26,7 @@ class User < ActiveRecord::Base
 # Include default devise modules. Others available are:
 # :confirmable, :lockable, :timeoutable
 # Registration is controlled via settings.yml
- devise_list = [:omniauthable, :rememberable, :trackable, omniauth_providers: [:shibboleth], authentication_keys: [:login]]
+ devise_list = [:omniauthable, :rememberable, :trackable, omniauth_providers: [:saml], authentication_keys: [:login]]
 devise_list.prepend(:database_authenticatable) if AuthConfig.use_database_auth?
 devise(*devise_list)
@@ -177,15 +177,15 @@ def self.from_omniauth(auth)
 log_omniauth_error(auth)
 return User.new
 end
- user.assign_attributes(display_name: auth.info.display_name, ppid: auth.uid, uid: auth.info.uid)
+ user.assign_attributes(display_name: auth.info.first_name, ppid: auth.uid, uid: auth.info.net_id)
 # tezprox@emory.edu isn't a real email address
- user.email = auth.info.uid + '@emory.edu' unless auth.info.uid == 'tezprox'
+ user.email = auth.info.net_id + '@emory.edu' unless auth.info.net_id == 'tezprox'
 user.save
 user
 end
 def self.log_omniauth_error(auth)
- if auth.info.uid.empty?
+ if auth.uid.empty?
 Rails.logger.error "Nil user detected: Shibboleth didn't pass a uid for #{auth.inspect}"
 else
 # Log unauthorized logins to error.
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 25929242b5..5a6f2d9da3 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
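Review bot: `user.email = auth.info.net_id + '@emory.edu'` and the new `if auth.uid.empty?` in log_omniauth_error both assume the attribute is a String; with SAML attribute_statements an attribute absent from the assertion presumably arrives as nil rather than '', so either line raises NoMethodError during login instead of reaching the "Nil user detected" branch. Guarding with `if auth.uid.blank?` and `unless auth.info.net_id.blank? || auth.info.net_id == 'tezprox'` keeps that error path reachable, and net_id should be checked against the expected account-name shape before it is turned into an address. Only first_name is written to display_name although last_name is now mapped in the provider config; if that is deliberate a comment on the assign_attributes line should say so. The logged message still names Shibboleth; consider `"Nil user detected: SAML provider didn't pass a uid for #{auth.inspect}"`. from_omniauth begins before the hunk.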
@@ -125,10 +125,14 @@
 config.idp_cert = ENV['IDP_CERT']
 config.certificate = ENV['SP_CERT']
 config.private_key = ENV['SP_KEY']
- config.attribute_statements = {}
- config.uid_attribute = "urn:oid:0.9.2342.19200300.100.1.1"
+ config.attribute_statements = {
+ :net_id => ["urn:oid:0.9.2342.19200300.100.1.1"],
+ :first_name => ["urn:oid:1.3.6.1.4.1.5923.1.1.1.2"],
+ :last_name => ["urn:oid:2.5.4.4"]
+ }
+ config.uid_attribute = "urn:oid:2.5.4.5"
 config.security = {
 :want_assertions_encrypted => true, #makes a 2nd KeyDescriptor, this one says use="encryption"
- :want_assertions_signed => true, # goes on md SPSSODescriptor tag
+ :want_assertions_signed => true # goes on md SPSSODescriptor tag
 }
 end
diff --git a/config/routes.rb b/config/routes.rb
index 0ce283813d..ca4eb36e8f 100644
--- a/config/routes.rb
+++ b/config/routes.rb
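Review bot: The new attribute_statements map bare OIDs with nothing saying what they are; `urn:oid:1.3.6.1.4.1.5923.1.1.1.2` is eduPersonNickname rather than givenName (`urn:oid:2.5.4.42`), so if :first_name is meant to carry the given name the OID looks wrong, and if the nickname is intended a comment should say so. Suggest annotating each entry, e.g. `:net_id => ["urn:oid:0.9.2342.19200300.100.1.1"], # uid`, `:last_name => ["urn:oid:2.5.4.4"] # sn`, and `config.uid_attribute = "urn:oid:2.5.4.5" # serialNumber`. The security hash still leaves `:digest_method` and `:signature_method` to ruby-saml's defaults, which in older releases are SHA-1; pinning them explicitly, and setting `:authn_requests_signed` now that an SP key is configured, makes the signing policy visible here instead of gem-version dependent. The enclosing configure block starts before the hunk.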
@@ -47,14 +47,14 @@
 end
 devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks', sessions: 'users/sessions' }, format: false
- unless AuthConfig.use_database_auth?
- devise_scope :user do
+ devise_scope :user do
+ unless AuthConfig.use_database_auth?
 get 'sign_in', to: 'users/sessions#new', as: :new_user_session
 get 'sign_out', to: 'users/sessions#destroy', as: :destroy_user_session
- match '/users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize, via: [:get, :post]
- Avalon::Authentication::Providers.collect { |provider| provider[:provider] }.uniq.each do |provider_name|
- match "/users/auth/#{provider_name}/callback", to: "users/omniauth_callbacks##{provider_name}", as: "user_omniauth_callback_#{provider_name}".to_sym, via: [:get, :post]
- end
+ end
+ match '/users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize, via: [:get, :post]
+ Avalon::Authentication::Providers.collect { |provider| provider[:provider] }.uniq.each do |provider_name|
+ match "/users/auth/#{provider_name}/callback", to: "users/omniauth_callbacks##{provider_name}", as: "user_omniauth_callback_#{provider_name}".to_sym, via: [:get, :post]
 end
 end
diff --git a/config/settings.yml b/config/settings.yml
index a2b626955b..788de43a5a 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -82,4 +82,9 @@ auth:
 :oauth_credentials: <%= ENV['LTI_AUTH_KEY'] %>: <%= ENV['LTI_AUTH_SECRET'] %>
 <% end %>
+ <% if ENV['SP_KEY'] %>
+ - :name: Saml
+ :provider: :saml
+ :hidden: false
+ <% end %>
 # google_analytics_tracking_id: "someid"
diff --git a/lib/avalon/authentication.rb b/lib/avalon/authentication.rb
index 6a6327f4b4..84bf65d1ad 100644
--- a/lib/avalon/authentication.rb
+++ b/lib/avalon/authentication.rb
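Review bot: Moving the passthru route out of the `unless AuthConfig.use_database_auth?` guard means `/users/auth/:provider` is now registered in every configuration, and it still accepts `via: [:get, :post]`; the OmniAuth request phase should be POST-only, `via: [:post]`, as OmniAuth 2 and omniauth-rails_csrf_protection enforce, so that starting the flow requires the CSRF token rather than a plain link (CVE-2015-9284). If GET has to stay for a legacy reason, that reason belongs in a comment on the line. Leaving the callback routes unconditional is fine, since `Avalon::Authentication::Providers` is built from configuration rather than request data. The enclosing routes block starts before the hunk.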
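Review bot: This adds a Saml entry to the provider list whenever SP_KEY is set, while lib/avalon/authentication.rb in the same commit also appends `{ name: 'saml', provider: :saml, ... }` to `Config` under the same condition; if `Config` is seeded from this settings file, saml is presumably registered twice (the routes dedupe with `.uniq`, but anything that lists `Providers`, such as a login page, would not). Either drop one of the two registrations or add a comment here stating which one is authoritative. The `:name: Saml` here and `name: 'saml'` there also differ in case, which matters if the name is ever used as a lookup key.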
@@ -36,7 +36,18 @@ def self.load_configs
 end
 if ENV['SP_KEY']
- Config << { name: 'saml', provider: :saml, hidden: false, params: {} }
+ Config << { name: 'saml', provider: :saml, hidden: false, params: { :assertion_consumer_service_url => Rails.application.config.assertion_consumer_service_url,
+ :assertion_consumer_logout_service_url => Rails.application.config.assertion_consumer_logout_service_url,
+ :issuer => Rails.application.config.issuer,
+ :idp_sso_target_url => Rails.application.config.idp_sso_target_url,
+ :idp_slo_target_url => Rails.application.config.idp_slo_target_url,
+ :idp_cert => Rails.application.config.idp_cert,
+ :certificate => Rails.application.config.certificate,
+ :private_key => Rails.application.config.private_key,
+ :attribute_statements => Rails.application.config.attribute_statements,
+ :uid_attribute => Rails.application.config.uid_attribute,
+ :security => Rails.application.config.security
+ } }
 end
 Providers = Config.reject {|provider| provider[:provider].blank? }
diff --git a/spec/controllers/omniauth_callbacks_controller_spec.rb b/spec/controllers/omniauth_callbacks_controller_spec.rb
index 2c867ad637..2b5484b71e 100644
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -153,8 +153,8 @@
 provider: 'shibboleth',
 uid: "P0000001",
 info: {
- display_name: "Brian Wilson",
- uid: 'brianbboys1967'
+ first_name: "Brian Wilson",
+ net_id: 'brianbboys1967'
 }
 )
@@ -164,14 +164,14 @@
 end
 it "redirects to origin" do
- post :shibboleth
+ post :saml
 expect(response.redirect_url).to eq 'http://test.host/example'
 end
 end
 context "when origin is missing" do
 it "redirects to dashboard" do
- post :shibboleth
+ post :saml
 expect(response.redirect_url).to include 'http://test.host/'
 end
 end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 517c601125..f98a7adcbe 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
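Review bot: The params hash now copies `Rails.application.config.private_key` (alongside certificate and idp_cert) into `Config`, which feeds `Providers`; passing it to the strategy is expected, but `Providers` is also consumed by routes and presumably by the login page, so any code that inspects or renders a provider entry would expose the SP private key. A comment on the `Config <<` line such as `# params carries the SP private key: never log, inspect or render this entry` would at least make that visible, or the secret-bearing keys could be merged in only where the OmniAuth strategy is configured. The `Rails.application.config.*` keys read here are defined only in production.rb in this commit, so with SP_KEY set in another environment these reads presumably raise NoMethodError at boot. The hash also mixes `name:` and `:issuer =>` styles; one form throughout would read better. load_configs starts before the hunk.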
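Review bot: `post :saml` now drives the controller while the mocked auth hash a few lines earlier still says `provider: 'shibboleth'`; the test presumably passes only because the provider string is never compared, so it no longer documents the real flow. Change the fixture to `provider: 'saml'`, the same applies to the fixtures in spec/models/user_spec.rb, and add one case where `info` lacks `net_id` entirely, since an attribute absent from the assertion presumably arrives as nil rather than '' and the model's handling of that is untested.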
@@ -173,8 +173,8 @@
 provider: 'shibboleth',
 uid: "P0000001",
 info: {
- display_name: "Brian Wilson",
- uid: 'brianbboys1967'
+ first_name: "Brian Wilson",
+ net_id: 'brianbboys1967'
 }
 )
 end
@@ -186,10 +186,10 @@
 expect(user.provider).to eq 'shibboleth'
 end
 it "has a uid" do
- expect(user.uid).to eq auth_hash.info.uid
+ expect(user.uid).to eq auth_hash.info.net_id
 end
 it "has a name" do
- expect(user.display_name).to eq auth_hash.info.display_name
+ expect(user.display_name).to eq auth_hash.info.first_name
 end
 it "has a PPID" do
 expect(user.ppid).to eq auth_hash.uid
@@ -202,23 +202,23 @@
 provider: 'shibboleth',
 uid: "P0000001",
 info: {
- display_name: "Boaty McBoatface",
- uid: 'brianbboys1968'
+ first_name: "Boaty McBoatface",
+ net_id: 'brianbboys1968'
 }
 )
 end
 it "updates ppid and display_name with values from shibboleth" do
- expect(user.uid).to eq auth_hash.info.uid
+ expect(user.uid).to eq auth_hash.info.net_id
 expect(user.ppid).to eq auth_hash.uid
- expect(user.display_name).to eq auth_hash.info.display_name
+ expect(user.display_name).to eq auth_hash.info.first_name
 described_class.from_omniauth(updated_auth_hash)
 user.reload
 expect(user.ppid).to eq updated_auth_hash.uid
- expect(user.uid).not_to eq auth_hash.info.uid
+ expect(user.uid).not_to eq auth_hash.info.net_id
 expect(user.ppid).to eq updated_auth_hash.uid
- expect(user.display_name).not_to eq auth_hash.info.display_name
- expect(user.display_name).to eq updated_auth_hash.info.display_name
+ expect(user.display_name).not_to eq auth_hash.info.first_name
+ expect(user.display_name).to eq updated_auth_hash.info.first_name
 end
 end
@@ -236,8 +236,8 @@
 provider: 'shibboleth',
 uid: 'P0000003',
 info: {
- display_name: 'Fake Person',
- uid: 'egnetid'
+ first_name: 'Fake Person',
+ net_id: 'egnetid'
 }
 )
 end
@@ -258,8 +258,8 @@
 provider: 'shibboleth',
 uid: '',
 info: {
- display_name: '',
- net_id: ''
+ first_name: '',
+ net_id: ''
 }
 )
 end