Class: OmniAuth::Strategies::UcamRaven
- Inherits:
-
Object
- Object
- OmniAuth::Strategies::UcamRaven
- Includes:
- OmniAuth::Strategy
- Defined in:
- lib/omniauth/strategies/ucam-raven.rb
Constant Summary collapse
- RAVEN_URL =
'https://raven.cam.ac.uk/auth/authenticate.html'
- GOOSE_URL =
'https://auth.srcf.net/wls/authenticate'
Instance Method Summary collapse
-
#callback_phase ⇒ Object
This method is called after the user authenticates to Raven and is redirected back to the application.
-
#initialize(*args, &block) ⇒ UcamRaven
constructor
This method is called when the strategy is instantiated.
-
#request_phase ⇒ Object
This method is called when the user initiates a login.
Constructor Details
#initialize(*args, &block) ⇒ UcamRaven
This method is called when the strategy is instantiated.
37 38 39 40 41 42 43 44 |
# File 'lib/omniauth/strategies/ucam-raven.rb', line 37 def initialize(*args, &block) super(*args, &block) raise 'Raven public key data not given' if .key_data.nil? raise 'Raven public key data not correctly formatted' unless .key_data.is_a?(Array) .key_data.each do |e| raise 'Raven public key data not correctly formatted' unless e.is_a?(Array) && e.length == 2 end end |
Instance Method Details
#callback_phase ⇒ Object
This method is called after the user authenticates to Raven and is redirected back to the application.
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 |
# File 'lib/omniauth/strategies/ucam-raven.rb', line 63 def callback_phase # Check the response is in the format we're expecting. return fail!(:wls_response_not_present) if wls_response.nil? || wls_response == "" return fail!(:authentication_cancelled_by_user) if wls_response[1].to_i == 410 return fail!(:no_mutually_acceptable_authentication_types_available) if wls_response[1].to_i == 510 return fail!(:unsupported_protocol_version) if wls_response[1].to_i == 520 return fail!(:general_request_parameter_error) if wls_response[1].to_i == 530 return fail!(:interaction_would_be_required) if wls_response[1].to_i == 540 return fail!(:waa_not_authorised) if wls_response[1].to_i == 560 return fail!(:authentication_declined) if wls_response[1].to_i == 570 return fail!(:invalid_response_status) unless wls_response[1].to_i == 200 return fail!(:raven_version_mismatch) unless wls_response[0].to_i == 3 return fail!(:invalid_response_url) unless wls_response[5] == callback_url.split('?').first return fail!(:too_few_wls_response_parameters) if wls_response.length < 14 return fail!(:too_many_wls_response_parameters) if wls_response.length > 14 # Check the time skew in seconds. return fail!(:invalid_issue) unless wls_response[3].length == 16 skew = ((DateTime.now.new_offset(0) - date_from_rfc3339(wls_response[3])) * 24 * 60 * 60).to_i return fail!(:skew_too_large) unless skew.abs < .skew # Check that the RSA key ID and signature are correct. .key_data.each do |kid, kpath| if wls_response[12].to_i == kid.to_i signed_part = wls_response.first(12).join('!') base64_part = wls_response[13].tr('-._','+/=') signature = Base64.decode64(base64_part) file_contents = File.read(kpath) key = OpenSSL::PKey::RSA.new(file_contents) digest = OpenSSL::Digest::SHA1.new return fail!(:rsa_signature_check_failed) unless key.verify(digest, signature, signed_part) return super end end return fail!(:unknown_rsa_key_id) end |
#request_phase ⇒ Object
This method is called when the user initiates a login. It redirects them to the Raven service for authentication.
47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
# File 'lib/omniauth/strategies/ucam-raven.rb', line 47 def request_phase url = (.url || .honk ? GOOSE_URL : RAVEN_URL).dup url << "?ver=3" url << "&url=#{callback_url}" url << "&desc=#{URI::encode .desc}" if .desc url << "&aauth=#{URI::encode .aauth}" if .aauth url << "&iact=#{URI::encode .iact}" if .iact url << "&msg=#{URI::encode .msg}" if .msg url << "¶ms=#{URI::encode .params}" if .params url << "&date=#{date_to_rfc3339}" if .date # The skew parameter is DEPRECATED and SHOULD NOT be included in requests to the WLS. url << "&fail=#{URI::encode .fail}" if .fail redirect url end |