Class: Keycard::Request::ShibbolethAttributes

Inherits:
Attributes
  • Object
Defined in:
lib/keycard/request/shibboleth_attributes.rb

Overview

This class extracts attributes for Shibboleth-enabled applications. It trusts specific HTTP headers, so the app must not be exposed to direct requests: a client that can reach the app without passing through the front end that sets these headers could supply them itself. For the same reason, the front end must discard any client-supplied copies of these headers before forwarding a request. The pid is typically a SAML2 Persistent NameID, which is very long and cumbersome. The presence of an eid depends on attribute release by the IdP, and will commonly be an eduPersonPrincipalName. The only two attributes guaranteed to have usable values are the client_ip, for all requests, and the user_pid, for requests from authenticated users.

Constant Summary

Constants inherited from Attributes

Attributes::IDENTITY_ATTRS

Instance Method Summary

Methods inherited from Attributes

#[], #all, #auth_token, #external, #identity, #initialize, #supplemental

Constructor Details

This class inherits a constructor from Keycard::Request::Attributes

Instance Method Details

#affiliation ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 55

# Scoped affiliation values for the request, one array element per value.
#
# Reads the HTTP_X_SHIB_EDUPERSONSCOPEDAFFILIATION key through the inherited
# `safe` helper and splits the result on ';'.
#
# NOTE(review): `safe` is defined in Attributes and is not shown here;
# presumably it substitutes an empty String when the header is absent, in
# which case this returns [] — confirm.
#
# Security: the value comes from a request header and is listed in
# #identity_keys, so it is only as trustworthy as the front end that sets it.
#
# @return [Array<String>] the ';'-separated parts of the header value
def affiliation
  raw_affiliations = safe('HTTP_X_SHIB_EDUPERSONSCOPEDAFFILIATION')
  raw_affiliations.split(';')
end

#authn_context ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 63

# Value of the HTTP_X_SHIB_AUTHNCONTEXT_CLASS header key, as returned by the
# inherited `get` helper. #base exposes it as :authnContextClassRef.
#
# Security: header-derived. If this value is used to decide how strongly the
# user authenticated, that decision depends on the front end being the only
# party able to set the header.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def authn_context
  get('HTTP_X_SHIB_AUTHNCONTEXT_CLASS')
end

#authn_method ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 59

# Value of the HTTP_X_SHIB_AUTHENTICATION_METHOD header key, as returned by
# the inherited `get` helper. #base exposes it as :authenticationMethod.
#
# Security: header-derived; trustworthy only when the front end controls the
# header and the app cannot be reached directly.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def authn_method
  get('HTTP_X_SHIB_AUTHENTICATION_METHOD')
end

#base ⇒ Object

rubocop:disable Metrics/MethodLength



# File 'lib/keycard/request/shibboleth_attributes.rb', line 12

# Extends the attribute hash built by the parent class with the
# Shibboleth-specific attributes read by this class.
#
# The parent's hash is computed first; the Shibboleth entries are then merged
# over it, so a key present in both takes the value from this class.
#
# Security: every value added here is read from a request header by the
# accessor methods of this class, so the hash is only as trustworthy as the
# front end that sets those headers.
#
# @return [Hash] the parent's attributes plus the Shibboleth attributes
def base # rubocop:disable Metrics/MethodLength
  inherited = super
  shibboleth = {
    persistentNameID:           persistent_id,
    eduPersonPrincipalName:     principal_name,
    eduPersonScopedAffiliation: affiliation,
    displayName:                display_name,
    mail:                       email,
    authnContextClassRef:       authn_context,
    authenticationMethod:       authn_method,
    identity_provider:          identity_provider
  }
  inherited.merge(shibboleth)
end

#client_ip ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 35

# First comma-separated entry of the HTTP_X_FORWARDED_FOR header key.
#
# The header is read through the inherited `safe` helper and split on ','.
# When the split yields no elements (for example, on an empty String) the
# result is nil.
#
# NOTE(review): the leftmost X-Forwarded-For entry is the one a client can
# supply itself when a proxy appends to the header instead of replacing it.
# Confirm that the front end overwrites X-Forwarded-For before relying on
# this value for access decisions, rate limiting, or audit records.
#
# @return [String, nil] the first entry, or nil when there is none
def client_ip
  forwarded_hops = safe('HTTP_X_FORWARDED_FOR').split(',')
  forwarded_hops.first
end

#display_name ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 47

# Value of the HTTP_X_SHIB_DISPLAYNAME header key, as returned by the
# inherited `get` helper. #base exposes it as :displayName.
#
# Security: header-derived free text; output-encode it wherever it is
# rendered, and do not use it as an identifier.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def display_name
  get('HTTP_X_SHIB_DISPLAYNAME')
end

#email ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 51

# Value of the HTTP_X_SHIB_MAIL header key, as returned by the inherited
# `get` helper. #base exposes it as :mail.
#
# Security: header-derived and not among #identity_keys; treat it as contact
# data supplied through the front end, not as proof of identity.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def email
  get('HTTP_X_SHIB_MAIL')
end

#identity_keys ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 71

# Attribute names this class designates as identity keys.
#
# NOTE(review): presumably consumed by the inherited #identity to select
# which attributes describe the user — confirm in Attributes.
#
# Security: all three names resolve to header-derived values in this class
# (#user_pid, #user_eid, #affiliation).
#
# @return [Array<Symbol>] a new array on every call
def identity_keys
  [:user_pid, :user_eid, :eduPersonScopedAffiliation]
end

#identity_provider ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 67

# Value of the HTTP_X_SHIB_IDENTITY_PROVIDER header key, as returned by the
# inherited `get` helper. #base exposes it as :identity_provider.
#
# Security: header-derived; if access rules depend on which IdP asserted the
# session, they rely on the front end being the only source of this header.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def identity_provider
  get('HTTP_X_SHIB_IDENTITY_PROVIDER')
end

#persistent_id ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 39

# Value of the HTTP_X_SHIB_PERSISTENT_ID header key, as returned by the
# inherited `get` helper. #base exposes it as :persistentNameID and
# #user_pid returns it unchanged.
#
# Security: this is the value that identifies the authenticated user, and it
# is read from a request header; its integrity depends on the app being
# unreachable except through the front end that sets it.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def persistent_id
  get('HTTP_X_SHIB_PERSISTENT_ID')
end

#principal_name ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 43

# Value of the HTTP_X_SHIB_EDUPERSONPRINCIPALNAME header key, as returned by
# the inherited `get` helper. #base exposes it as :eduPersonPrincipalName and
# #user_eid returns it unchanged.
#
# Security: header-derived; usable as an identifier only when the front end
# is the sole party able to set the header.
#
# @return [Object] whatever `get` yields for the key (not shown in this file)
def principal_name
  get('HTTP_X_SHIB_EDUPERSONPRINCIPALNAME')
end

#user_eid ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 31

# The user's eid: returns #principal_name unchanged, i.e. the value read from
# the HTTP_X_SHIB_EDUPERSONPRINCIPALNAME header key.
#
# Per the class overview, whether an eid is present depends on attribute
# release by the IdP, so callers should not assume a usable value.
#
# Security: header-derived and listed in #identity_keys; trustworthy only
# when the app cannot be reached except through the front end.
def user_eid
  principal_name
end

#user_pid ⇒ Object



# File 'lib/keycard/request/shibboleth_attributes.rb', line 27

# The user's pid: returns #persistent_id unchanged, i.e. the value read from
# the HTTP_X_SHIB_PERSISTENT_ID header key.
#
# Per the class overview, this is the attribute expected to hold a usable
# value for requests from authenticated users.
#
# Security: header-derived and listed in #identity_keys; a request that
# bypasses the front end could carry a value of the sender's choosing.
def user_pid
  persistent_id
end