Class: Identizer::Configuration

Inherits:

Object

• Object
• Identizer::Configuration

Defined in:

lib/identizer/configuration.rb

Overview

Everything the provider needs to run, with sensible dev defaults. Replaces the Rails.* / ENV reads of the original emulator with one explicit object.

Constant Summary

SAML_ATTRIBUTE_NAMES =

Claim -> SAML Attribute Name. Defaults to the Microsoft/WS-Fed claim URIs that real SAML IdPs (Azure AD, ADFS, Okta) emit and SPs match on; the short claim name is kept as the FriendlyName. Override to suit a specific SP.

{
  "email" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "given_name" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "family_name" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "name" => "http://schemas.microsoft.com/identity/claims/displayname",
  "groups" => "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
}.freeze

Instance Attribute Summary

• #access_token_ttl ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #base_url ⇒ Object

  Public URL the provider advertises in metadata, discovery and redirects.

• #clients ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #code_ttl ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #config_dir ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #host ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #hs256_key ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #identity_store ⇒ Object
• #issuer ⇒ Object
• #ldap_base_dn ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #ldap_host ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #ldap_port ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #ldaps_port ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #port ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #providers ⇒ Object

  Cheatsheet rendered on the dashboard.

• #refresh_token_ttl ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #request_logging ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #saml_allowed_acs ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #saml_attribute_names ⇒ Object
• #saml_encrypt_assertion ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #saml_keypair ⇒ Object

  The IdP’s SAML signing key + certificate, generated/persisted on first use.

• #saml_sign_response ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #saml_sp_certificate ⇒ Object

  The SP certificate used to encrypt the assertion (PEM string or cert object).

• #scheme ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #seed_identities ⇒ Object
• #shared_password ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #signing ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #sqlite_path ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #tls_cert_path ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #tls_key_path ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

• #url_host ⇒ Object

  All plain settings, grouped (defaults are set in #initialize).

Instance Method Summary

• #acs_allowed?(acs) ⇒ Boolean

  SAML ACS guard.

• #apply_persisted_settings! ⇒ Object

  Apply settings previously saved from the web admin (password, signing mode).

• #initialize ⇒ Configuration constructor

  A new instance of Configuration.

• #persist_settings! ⇒ Object
• #post_logout_redirect_allowed?(client_id, uri) ⇒ Boolean

  RP-initiated-logout guard, mirroring redirect_uri_allowed?.

• #redirect_uri_allowed?(client_id, redirect_uri) ⇒ Boolean

  Open-redirect guard.

• #rs256? ⇒ Boolean
• #settings_path ⇒ Object

Constructor Details

#initialize ⇒ Configuration

Returns a new instance of Configuration.

# File 'lib/identizer/configuration.rb', line 7

def initialize
  @host = "127.0.0.1"
  @port = int_env("IDENTIZER_PORT", "SSO_MOCK_PORT", default: 9999)
  @tls_cert_path = env_presence("IDENTIZER_TLS_CERT", "SSO_MOCK_TLS_CERT")
  @tls_key_path = env_presence("IDENTIZER_TLS_KEY", "SSO_MOCK_TLS_KEY")
  @config_dir = ENV.fetch("IDENTIZER_CONFIG_DIR", File.join(Dir.pwd, "tmp", "identizer"))
  @shared_password = "password"
  @signing = :hs256 # :hs256 (unsigned-style parity) or :rs256 (verifiable)
  @hs256_key = "identizer-development-key"
  @scheme = "https"
  @url_host = "localhost"
  @ldap_base_dn = "dc=identizer,dc=local"
  @ldap_host = nil
  @ldap_port = optional_int_env("IDENTIZER_LDAP_PORT") # nil = LDAP listener off
  @ldaps_port = optional_int_env("IDENTIZER_LDAPS_PORT") # nil = LDAPS listener off
  @seed_identities = []
  # Optional client registry: [{ client_id:, redirect_uris:, post_logout_redirect_uris: }].
  # A client_secret may be present but is NOT verified (dev tool). Separate from
  # the apps provisioned at runtime via the Auth0 Management API.
  @clients = []
  @saml_allowed_acs = [] # optional allowlist of SAML ACS URLs ([] = allow any, dev default)
  @saml_sign_response = true # sign the SAML Response in addition to the Assertion
  @saml_encrypt_assertion = false # encrypt the assertion when an SP certificate is set
  @saml_sp_certificate = nil # SP cert (PEM) used to encrypt the assertion
  @code_ttl = 600
  @access_token_ttl = 3600
  @refresh_token_ttl = 86_400
  @request_logging = true # standalone server logs a concise request line
end

Instance Attribute Details

#access_token_ttl ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def access_token_ttl
  @access_token_ttl
end

#base_url ⇒ Object

Public URL the provider advertises in metadata, discovery and redirects.

# File 'lib/identizer/configuration.rb', line 81

def base_url
  @base_url ||= "#{scheme}://#{url_host}:#{port}"
end

#clients ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def clients
  @clients
end

#code_ttl ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def code_ttl
  @code_ttl
end

#config_dir ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def config_dir
  @config_dir
end

#host ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def host
  @host
end

#hs256_key ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def hs256_key
  @hs256_key
end

#identity_store ⇒ Object

# File 'lib/identizer/configuration.rb', line 97

def identity_store
  @identity_store ||= IdentityStore::ConfigStore.new(
    path: File.join(config_dir, "config.json"),
    seed: seed_identities,
    base_dn: ldap_base_dn
  )
end

#issuer ⇒ Object

# File 'lib/identizer/configuration.rb', line 85

def issuer
  @issuer ||= base_url
end

#ldap_base_dn ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def ldap_base_dn
  @ldap_base_dn
end

#ldap_host ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def ldap_host
  @ldap_host
end

#ldap_port ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def ldap_port
  @ldap_port
end

#ldaps_port ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def ldaps_port
  @ldaps_port
end

#port ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def port
  @port
end

#providers ⇒ Object

Cheatsheet rendered on the dashboard. Override to match your app’s stack.

# File 'lib/identizer/configuration.rb', line 106

def providers
  @providers || Providers.default(base_url)
end

#refresh_token_ttl ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def refresh_token_ttl
  @refresh_token_ttl
end

#request_logging ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def request_logging
  @request_logging
end

#saml_allowed_acs ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def saml_allowed_acs
  @saml_allowed_acs
end

#saml_attribute_names ⇒ Object

# File 'lib/identizer/configuration.rb', line 73

def saml_attribute_names
  @saml_attribute_names ||= SAML_ATTRIBUTE_NAMES.dup
end

#saml_encrypt_assertion ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def saml_encrypt_assertion
  @saml_encrypt_assertion
end

#saml_keypair ⇒ Object

The IdP’s SAML signing key + certificate, generated/persisted on first use.

# File 'lib/identizer/configuration.rb', line 55

def saml_keypair
  @saml_keypair ||= begin
    require "identizer/saml/keypair"
    Saml::Keypair.load_or_generate(config_dir)
  end
end

#saml_sign_response ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def saml_sign_response
  @saml_sign_response
end

#saml_sp_certificate ⇒ Object

The SP certificate used to encrypt the assertion (PEM string or cert object).

# File 'lib/identizer/configuration.rb', line 47

def saml_sp_certificate
  cert = @saml_sp_certificate
  return nil if cert.nil?

  cert.is_a?(OpenSSL::X509::Certificate) ? cert : OpenSSL::X509::Certificate.new(cert.to_s)
end

#scheme ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def scheme
  @scheme
end

#seed_identities ⇒ Object

# File 'lib/identizer/configuration.rb', line 93

def seed_identities
  Array(@seed_identities).map { |entry| DirectoryEntry.from(entry, base_dn: ldap_base_dn) }
end

#shared_password ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def shared_password
  @shared_password
end

#signing ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def signing
  @signing
end

#sqlite_path ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def sqlite_path
  @sqlite_path
end

#tls_cert_path ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def tls_cert_path
  @tls_cert_path
end

#tls_key_path ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def tls_key_path
  @tls_key_path
end

#url_host ⇒ Object

All plain settings, grouped (defaults are set in #initialize).

# File 'lib/identizer/configuration.rb', line 38

def url_host
  @url_host
end

Instance Method Details

#acs_allowed?(acs) ⇒ Boolean

SAML ACS guard. Lenient until an allowlist is configured.

Returns:

• (Boolean)

# File 'lib/identizer/configuration.rb', line 134

def acs_allowed?(acs)
  saml_allowed_acs.empty? || saml_allowed_acs.include?(acs)
end

#apply_persisted_settings! ⇒ Object

Apply settings previously saved from the web admin (password, signing mode). Called at boot; explicit flags/config still override afterwards.

# File 'lib/identizer/configuration.rb', line 144

def apply_persisted_settings!
  data = JSON.parse(File.read(settings_path))
  self.shared_password = data["shared_password"] if data["shared_password"]
  self.signing = data["signing"].to_sym if data["signing"]
  self
rescue StandardError
  self
end

#persist_settings! ⇒ Object

# File 'lib/identizer/configuration.rb', line 153

def persist_settings!
  FileUtils.mkdir_p(config_dir)
  File.write(settings_path, JSON.generate("shared_password" => shared_password, "signing" => signing.to_s))
end

#post_logout_redirect_allowed?(client_id, uri) ⇒ Boolean

RP-initiated-logout guard, mirroring redirect_uri_allowed?.

Returns:

• (Boolean)

# File 'lib/identizer/configuration.rb', line 123

def post_logout_redirect_allowed?(client_id, uri)
  return true if clients.empty?

  client = clients.find { |entry| entry[:client_id] == client_id }
  return false unless client

  allowed = Array(client[:post_logout_redirect_uris])
  allowed.empty? || allowed.include?(uri)
end

#redirect_uri_allowed?(client_id, redirect_uri) ⇒ Boolean

Open-redirect guard. Lenient (true) until clients are registered; then the redirect_uri must match one registered for that client.

Returns:

• (Boolean)

# File 'lib/identizer/configuration.rb', line 112

def redirect_uri_allowed?(client_id, redirect_uri)
  return true if clients.empty?

  client = clients.find { |entry| entry[:client_id] == client_id }
  return false unless client

  allowed = Array(client[:redirect_uris])
  allowed.empty? || allowed.include?(redirect_uri)
end

#rs256? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/identizer/configuration.rb', line 89

def rs256?
  signing == :rs256
end

#settings_path ⇒ Object

# File 'lib/identizer/configuration.rb', line 138

def settings_path
  File.join(config_dir, "settings.json")
end