First public commit

Author: Kirill Pimenov

.gitignore

@@ -0,0 +1 @@
+config/production.rb

.ruby-version

@@ -0,0 +1 @@
+ruby-2.2.1

Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'grape'
+gem 'goliath'
+gem 'ruby-saml'

Gemfile.lock

@@ -0,0 +1,95 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.3.8)
+    async-rack (0.5.1)
+      rack (~> 1.1)
+    axiom-types (0.1.1)
+      descendants_tracker (~> 0.0.4)
+      ice_nine (~> 0.11.0)
+      thread_safe (~> 0.3, >= 0.3.1)
+    builder (3.2.2)
+    coercible (1.0.0)
+      descendants_tracker (~> 0.0.1)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    em-synchrony (1.0.4)
+      eventmachine (>= 1.0.0.beta.1)
+    em-websocket (0.3.8)
+      addressable (>= 2.1.1)
+      eventmachine (>= 0.12.9)
+    equalizer (0.0.11)
+    eventmachine (1.0.7)
+    goliath (1.0.4)
+      async-rack
+      em-synchrony (>= 1.0.0)
+      em-websocket (= 0.3.8)
+      eventmachine (>= 1.0.0.beta.4)
+      http_parser.rb (= 0.6.0)
+      log4r
+      multi_json
+      rack (>= 1.2.2)
+      rack-contrib
+      rack-respond_to
+    grape (0.11.0)
+      activesupport
+      builder
+      hashie (>= 2.1.0)
+      multi_json (>= 1.3.2)
+      multi_xml (>= 0.5.2)
+      rack (>= 1.3.0)
+      rack-accept
+      rack-mount
+      virtus (>= 1.0.0)
+    hashie (3.4.1)
+    http_parser.rb (0.6.0)
+    i18n (0.7.0)
+    ice_nine (0.11.1)
+    json (1.8.2)
+    log4r (1.1.10)
+    macaddr (1.7.1)
+      systemu (~> 2.6.2)
+    mini_portile (0.6.2)
+    minitest (5.6.0)
+    multi_json (1.11.0)
+    multi_xml (0.5.5)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    rack (1.6.0)
+    rack-accept (0.4.5)
+      rack (>= 0.4)
+    rack-accept-media-types (0.9)
+    rack-contrib (1.2.0)
+      rack (>= 0.9.1)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-respond_to (0.9.8)
+      rack-accept-media-types (>= 0.6)
+    ruby-saml (0.9.1)
+      nokogiri (~> 1.6.0)
+      uuid (~> 2.3)
+    systemu (2.6.5)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uuid (2.3.7)
+      macaddr (~> 1.0)
+    virtus (1.0.5)
+      axiom-types (~> 0.1)
+      coercible (~> 1.0)
+      descendants_tracker (~> 0.0, >= 0.0.3)
+      equalizer (~> 0.0, >= 0.0.9)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  goliath
+  grape
+  ruby-saml

Procfile

@@ -0,0 +1 @@
+api: bundle exec ruby application.rb -s -e prod -p $PORT

app/apis/sso.rb

@@ -0,0 +1,45 @@
+require 'grape'
+
+require './lib/single_sign_on'
+require './app/helpers/saml_helpers'
+
+module API
+  class SSO < Grape::API
+    format :txt
+
+    helpers ::SAMLHelpers
+
+    params do
+      requires :sso, type: String
+      requires :sig, type: String
+    end
+    get '/login' do
+      cookies[:sso] = declared(params).sso
+      cookies[:sig] = declared(params).sig
+
+      redirect saml_url(env)
+    end
+
+    post '/saml_callback' do
+      sso = cookies[:sso]
+      sig = cookies[:sig]
+
+      user_data = parse_saml_payload(params[:SAMLResponse], env)
+
+      if user_data
+        sign_on = SingleSignOn.parse sso, sig, env.encryption_key
+
+        sign_on.external_id = user_data[:external_id]
+        sign_on.username = user_data[:username]
+        sign_on.name = user_data[:name]
+        sign_on.email = user_data[:email]
+
+        discourse_url = URI.parse env.discourse_url
+        discourse_url.path = '/session/sso_login'
+        redirect sign_on.to_url discourse_url.to_s
+      else
+        status 401
+      end
+    end
+  end
+end

app/helpers/saml_helpers.rb

@@ -0,0 +1,42 @@
+require 'ruby-saml'
+
+module SAMLHelpers
+
+  def saml_url(env)
+    request = OneLogin::RubySaml::Authrequest.new
+    request.create saml_settings(env)
+  end
+
+
+  def parse_saml_payload(saml_payload, env)
+    response = OneLogin::RubySaml::Response.new(saml_payload, allowed_clock_drift: 1)
+    response.settings = saml_settings(env)
+    if response.is_valid?
+      {
+        external_id: saml_attribute(response, 'workforceID'),
+        username: response.name_id.downcase,
+        name: [saml_attribute(response, 'givenName'), saml_attribute(response, 'sn')].join(' '),
+        email: saml_attribute(response, 'mail').downcase
+      }
+    else
+      nil
+    end
+  end
+
+  private
+
+  def saml_settings(env)
+    settings = OneLogin::RubySaml::Settings.new
+    settings.assertion_consumer_service_url = "https://#{env.HTTP_HOST}/saml_callback"
+    settings.issuer = env.saml[:issuer]
+    settings.idp_sso_target_url = env.saml[:target_url]
+    settings.idp_cert_fingerprint = env.saml[:cert_fingerprint]
+
+    settings
+  end
+
+  def saml_attribute(response, att_name)
+    response.attributes["/UserAttribute[@ldap:targetAttribute=\"#{att_name}\"]"]
+  end
+
+end

application.rb

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'goliath'
+require_relative "app/apis/sso"
+
+class Application < Goliath::API
+  def response(env)
+    API::SSO.call(env)
+  end
+end

config/application.rb

@@ -0,0 +1 @@
+import(Goliath.env)

config/development.rb

@@ -0,0 +1,8 @@
+config['encryption_key'] = 'ScarySecret'
+config['discourse_url'] = 'http://localhost:3000'
+
+config['saml'] = {
+  issuer: 'saml-auth-proxy.example.com',
+  target_url: 'https://saml.example.com/saml2/sso',
+  cert_fingerprint: '11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11'
+}

lib/single_sign_on.rb

@@ -0,0 +1,88 @@
+# Based on https://github.com/discourse/discourse/blob/master/lib/single_sign_on.rb
+# All kudos and copyrights — to its original authors.
+class SingleSignOn
+  ACCESSORS = [:nonce, :name, :username, :email, :avatar_url, :avatar_force_update,
+               :about_me, :external_id, :return_sso_url, :admin, :moderator, :suppress_welcome_message]
+  FIXNUMS = []
+  BOOLS = [:avatar_force_update, :admin, :moderator, :suppress_welcome_message]
+  NONCE_EXPIRY_TIME = 10.minutes
+
+  attr_accessor(*ACCESSORS)
+  attr_accessor :sso_secret, :sso_url
+
+  def self.parse(payload, signature, sso_secret = nil)
+    sso = new
+    sso.sso_secret = sso_secret if sso_secret
+
+    if sso.sign(payload) != signature
+      diags = "\n\nsso: #{payload}\n\nsig: #{signature}\n\nexpected sig: #{sso.sign(payload)}"
+      if payload =~ /[^a-zA-Z0-9=\r\n\/+]/m
+        raise RuntimeError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"
+      else
+        raise RuntimeError, "Bad signature for payload #{diags}"
+      end
+    end
+
+    decoded = Base64.decode64(payload)
+    decoded_hash = Rack::Utils.parse_query(decoded)
+
+    ACCESSORS.each do |k|
+      val = decoded_hash[k.to_s]
+      val = val.to_i if FIXNUMS.include? k
+      if BOOLS.include? k
+        val = ["true", "false"].include?(val) ? val == "true" : nil
+      end
+      sso.send("#{k}=", val)
+    end
+
+    decoded_hash.each do |k,v|
+      # 1234567
+      # custom.
+      #
+      if k[0..6] == "custom."
+        field = k[7..-1]
+        sso.custom_fields[field] = v
+      end
+    end
+
+    sso
+  end
+
+  def custom_fields
+    @custom_fields ||= {}
+  end
+
+
+  def sign(payload)
+    OpenSSL::HMAC.hexdigest("sha256", sso_secret, payload)
+  end
+
+
+  def to_url(base_url=nil)
+    base = "#{base_url || sso_url}"
+    "#{base}#{base.include?('?') ? '&' : '?'}#{payload}"
+  end
+
+  def payload
+    payload = Base64.encode64(unsigned_payload)
+    "sso=#{CGI::escape(payload)}&sig=#{sign(payload)}"
+  end
+
+  def unsigned_payload
+    payload = {}
+    ACCESSORS.each do |k|
+     next if (val = send k) == nil
+
+     payload[k] = val
+    end
+
+    if @custom_fields
+      @custom_fields.each do |k,v|
+        payload["custom.#{k}"] = v.to_s
+      end
+    end
+
+    Rack::Utils.build_query(payload)
+  end
+
+end