Module: Legion::API::Routes::AuthSaml

Defined in:

lib/legion/api/auth_saml.rb

Class Method Summary

• .build_saml_settings ⇒ Object
• .extract_claims(response) ⇒ Object
• .map_roles(groups) ⇒ Object
• .register_acs(app) ⇒ Object
• .register_login(app) ⇒ Object
• .register_metadata(app) ⇒ Object
• .registered(app) ⇒ Object
• .resolve_saml_config ⇒ Object
• .saml_enabled? ⇒ Boolean

Class Method Details

.build_saml_settings ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 39

def self.build_saml_settings
  cfg = resolve_saml_config

  settings                            = OneLogin::RubySaml::Settings.new
  settings.idp_sso_service_url        = cfg[:idp_sso_url]
  settings.idp_cert                   = cfg[:idp_cert]
  settings.sp_entity_id               = cfg[:sp_entity_id]
  settings.assertion_consumer_service_url = cfg[:sp_acs_url]
  settings.name_identifier_format = cfg[:name_id_format] ||
                                    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
  settings.security[:authn_requests_signed]   = false
  settings.security[:want_assertions_signed]  = cfg.fetch(:want_assertions_signed, true)
  settings.security[:want_assertions_encrypted] = cfg.fetch(:want_assertions_encrypted, false)
  settings
end

.extract_claims(response) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 120

def self.extract_claims(response)
  attrs = response.attributes

  email        = first_attr(attrs, 'email', 'mail', 'emailAddress',
                            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress')
  display_name = first_attr(attrs, 'displayName', 'name',
                            'http://schemas.microsoft.com/identity/claims/displayname',
                            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name')
  groups       = multi_attr(attrs, 'groups',
                            'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups')

  {
    nameid:       response.nameid,
    email:        email,
    display_name: display_name || email,
    groups:       groups
  }
end

.map_roles(groups) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 139

def self.map_roles(groups)
  if defined?(Legion::Rbac::ClaimsMapper) && Legion::Rbac::ClaimsMapper.respond_to?(:groups_to_roles)
    cfg          = resolve_saml_config
    group_map    = cfg[:group_map] || {}
    default_role = cfg[:default_role] || 'worker'
    Legion::Rbac::ClaimsMapper.groups_to_roles(groups, group_map: group_map, default_role: default_role)
  else
    ['worker']
  end
end

.register_acs(app) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 80

def self.register_acs(app)
  app.post '/api/auth/saml/acs' do
    halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)

    unless params['SAMLResponse']
      halt 400, json_error('missing_saml_response', 'SAMLResponse parameter is required',
                           status_code: 400)
    end

    response = OneLogin::RubySaml::Response.new(
      params['SAMLResponse'],
      settings: saml_settings
    )

    unless response.is_valid?
      errors = response.errors.join(', ')
      halt 401, json_error('saml_invalid', "SAML assertion is invalid: #{errors}", status_code: 401)
    end

    claims = Routes::AuthSaml.extract_claims(response)
    roles  = Routes::AuthSaml.map_roles(claims[:groups])

    ttl   = 28_800
    token = Legion::API::Token.issue_human_token(
      msid:  claims[:nameid],
      name:  claims[:display_name],
      roles: roles,
      ttl:   ttl
    )

    json_response({
                    access_token: token,
                    token_type:   'Bearer',
                    expires_in:   ttl,
                    roles:        roles,
                    name:         claims[:display_name]
                  })
  end
end

.register_login(app) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 65

def self.register_login(app)
  app.get '/api/auth/saml/login' do
    halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)

    cfg = Routes::AuthSaml.resolve_saml_config
    unless cfg[:idp_sso_url] && cfg[:sp_entity_id]
      halt 500, json_error('saml_misconfigured', 'auth.saml.idp_sso_url and sp_entity_id are required',
                           status_code: 500)
    end

    auth_request = OneLogin::RubySaml::Authrequest.new
    redirect auth_request.create(saml_settings)
  end
end

.register_metadata(app) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 55

def self.register_metadata(app)
  app.get '/api/auth/saml/metadata' do
    halt 503, json_error('saml_not_configured', 'SAML SP is not configured', status_code: 503) unless defined?(OneLogin::RubySaml)

    meta = OneLogin::RubySaml::Metadata.new
    content_type 'application/xml'
    meta.generate(saml_settings, true)
  end
end

.registered(app) ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 7

def self.registered(app)
  return unless saml_enabled?

  app.helpers do
    define_method(:saml_settings) { Routes::AuthSaml.build_saml_settings }
  end

  register_metadata(app)
  register_login(app)
  register_acs(app)
end

.resolve_saml_config ⇒ Object

# File 'lib/legion/api/auth_saml.rb', line 26

def self.resolve_saml_config
  return {} unless defined?(Legion::Settings)

  auth = Legion::Settings[:auth]
  saml = auth.is_a?(Hash) ? auth[:saml] : nil
  return saml if saml.is_a?(Hash)

  {}
rescue StandardError => e
  Legion::Logging.debug "AuthSaml#resolve_saml_config failed: #{e.message}" if defined?(Legion::Logging)
  {}
end

.saml_enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/api/auth_saml.rb', line 19

def self.saml_enabled?
  return false unless defined?(OneLogin::RubySaml)

  cfg = resolve_saml_config
  cfg.is_a?(Hash) && cfg[:enabled]
end