discourse/lib/single_sign_on.rb

class SingleSignOn
  ACCESSORS = [:nonce, :name, :username, :email, :avatar_url, :avatar_force_update, :require_activation,
               :bio, :external_id, :return_sso_url, :admin, :moderator, :suppress_welcome_message, :title,
               :add_groups, :remove_groups, :groups]
  FIXNUMS = []
  BOOLS = [:avatar_force_update, :admin, :moderator, :require_activation, :suppress_welcome_message]
  ARRAYS = [:groups]
  NONCE_EXPIRY_TIME = 10.minutes

  attr_accessor(*ACCESSORS)
  attr_accessor :sso_secret, :sso_url

  def self.sso_secret
    raise RuntimeError, "sso_secret not implemented on class, be sure to set it on instance"
  end

  def self.sso_url
    raise RuntimeError, "sso_url not implemented on class, be sure to set it on instance"
  end

  def self.parse(payload, sso_secret = nil)
    sso = new
    sso.sso_secret = sso_secret if sso_secret

    parsed = Rack::Utils.parse_query(payload)
    if sso.sign(parsed["sso"]) != parsed["sig"]
      diags = "\n\nsso: #{parsed["sso"]}\n\nsig: #{parsed["sig"]}\n\nexpected sig: #{sso.sign(parsed["sso"])}"
      if parsed["sso"] =~ /[^a-zA-Z0-9=\r\n\/+]/m
        raise RuntimeError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"
      else
        raise RuntimeError, "Bad signature for payload #{diags}"
      end
    end

    decoded = Base64.decode64(parsed["sso"])
    decoded_hash = Rack::Utils.parse_query(decoded)

    ACCESSORS.each do |k|
      val = decoded_hash[k.to_s]
      val = val.to_i if FIXNUMS.include? k
      if BOOLS.include? k
        val = ["true", "false"].include?(val) ? val == "true" : nil
      end
      val = Array(val) if ARRAYS.include?(k) && !val.nil?
      sso.send("#{k}=", val)
    end

    decoded_hash.each do |k, v|
      if field = k[/^custom\.(.+)$/, 1]
        sso.custom_fields[field] = v
      end
    end

    sso
  end

  def diagnostics
    SingleSignOn::ACCESSORS.map { |a| "#{a}: #{send(a)}" }.join("\n")
  end

  def sso_secret
    @sso_secret || self.class.sso_secret
  end

  def sso_url
    @sso_url || self.class.sso_url
  end

  def custom_fields
    @custom_fields ||= {}
  end

  def sign(payload)
    OpenSSL::HMAC.hexdigest("sha256", sso_secret, payload)
  end

  def to_url(base_url = nil)
    base = "#{base_url || sso_url}"
    "#{base}#{base.include?('?') ? '&' : '?'}#{payload}"
  end

  def payload
    payload = Base64.strict_encode64(unsigned_payload)
    "sso=#{CGI::escape(payload)}&sig=#{sign(payload)}"
  end

  def unsigned_payload
    payload = {}

    ACCESSORS.each do |k|
      next if (val = send k) == nil
     payload[k] = val
    end

    @custom_fields&.each do |k, v|
      payload["custom.#{k}"] = v.to_s
    end

    Rack::Utils.build_query(payload)
  end

end
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`class SingleSignOn`
Replace site setting with a payload attribute 2015-05-20 00:16:02 +08:00			`ACCESSORS = [:nonce, :name, :username, :email, :avatar_url, :avatar_force_update, :require_activation,`
Add user title to SSO payload 2017-02-01 08:42:27 +08:00			`:bio, :external_id, :return_sso_url, :admin, :moderator, :suppress_welcome_message, :title,`
Feature: Group handling 2017-10-26 08:49:17 +08:00			`:add_groups, :remove_groups, :groups]`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`FIXNUMS = []`
Correctly parse `require_activation` field of SSO 2015-05-21 21:41:36 +08:00			`BOOLS = [:avatar_force_update, :admin, :moderator, :require_activation, :suppress_welcome_message]`
Feature: Group handling 2017-10-26 08:49:17 +08:00			`ARRAYS = [:groups]`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`NONCE_EXPIRY_TIME = 10.minutes`

			`attr_accessor(*ACCESSORS)`
			`attr_accessor :sso_secret, :sso_url`

			`def self.sso_secret`
			`raise RuntimeError, "sso_secret not implemented on class, be sure to set it on instance"`
			`end`

			`def self.sso_url`
			`raise RuntimeError, "sso_url not implemented on class, be sure to set it on instance"`
			`end`

			`def self.parse(payload, sso_secret = nil)`
			`sso = new`
			`sso.sso_secret = sso_secret if sso_secret`

			`parsed = Rack::Utils.parse_query(payload)`
			`if sso.sign(parsed["sso"]) != parsed["sig"]`
improve error handling massage for bad sso requests 2014-12-30 06:23:21 +08:00			`diags = "\n\nsso: #{parsed["sso"]}\n\nsig: #{parsed["sig"]}\n\nexpected sig: #{sso.sign(parsed["sso"])}"`
missing chars 2014-12-30 06:28:44 +08:00			`if parsed["sso"] =~ /[^a-zA-Z0-9=\r\n\/+]/m`
clarify base64 sso error message 2014-12-30 07:45:33 +08:00			`raise RuntimeError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"`
improve error handling massage for bad sso requests 2014-12-30 06:23:21 +08:00			`else`
			`raise RuntimeError, "Bad signature for payload #{diags}"`
			`end`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`end`

			`decoded = Base64.decode64(parsed["sso"])`
			`decoded_hash = Rack::Utils.parse_query(decoded)`

			`ACCESSORS.each do \|k\|`
			`val = decoded_hash[k.to_s]`
			`val = val.to_i if FIXNUMS.include? k`
FEATURE: allow creating admin and moderator accounts via SSO 2014-11-27 09:39:00 +08:00			`if BOOLS.include? k`
			`val = ["true", "false"].include?(val) ? val == "true" : nil`
			`end`
Feature: Group handling 2017-10-26 08:49:17 +08:00			`val = Array(val) if ARRAYS.include?(k) && !val.nil?`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`sso.send("#{k}=", val)`
			`end`
FEATURE: custom fields on User 2014-04-22 11:52:13 +08:00
Add rubocop to our build. (#5004) 2017-07-28 09:20:09 +08:00			`decoded_hash.each do \|k, v\|`
tiny refactor 2017-03-27 22:21:38 +08:00			`if field = k[/^custom\.(.+)$/, 1]`
FEATURE: custom fields on User 2014-04-22 11:52:13 +08:00			`sso.custom_fields[field] = v`
			`end`
			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`sso`
			`end`

FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures 2016-04-08 09:20:01 +08:00			`def diagnostics`
tiny refactor 2017-03-27 22:21:38 +08:00			`SingleSignOn::ACCESSORS.map { \|a\| "#{a}: #{send(a)}" }.join("\n")`
FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures 2016-04-08 09:20:01 +08:00			`end`

FEATURE: custom fields on User 2014-04-22 11:52:13 +08:00			`def sso_secret`
			`@sso_secret \|\| self.class.sso_secret`
			`end`

			`def sso_url`
			`@sso_url \|\| self.class.sso_url`
			`end`

			`def custom_fields`
			`@custom_fields \|\|= {}`
			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`def sign(payload)`
FEATURE: change SSO to use sha256 HMAC, which is more secure 2014-02-26 06:44:41 +08:00			`OpenSSL::HMAC.hexdigest("sha256", sso_secret, payload)`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`end`

Add rubocop to our build. (#5004) 2017-07-28 09:20:09 +08:00			`def to_url(base_url = nil)`
FIX: support sso_url that has query params 2014-03-20 05:14:09 +08:00			`base = "#{base_url \|\| sso_url}"`
			`"#{base}#{base.include?('?') ? '&' : '?'}#{payload}"`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`end`

			`def payload`
single_sign_on: encode the payload with strict_encode64 which doesn't add extraneous newlines 2017-10-18 01:41:52 +08:00			`payload = Base64.strict_encode64(unsigned_payload)`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`"sso=#{CGI::escape(payload)}&sig=#{sign(payload)}"`
			`end`

			`def unsigned_payload`
			`payload = {}`
tiny refactor 2017-03-27 22:21:38 +08:00
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`ACCESSORS.each do \|k\|`
Add rubocop to our build. (#5004) 2017-07-28 09:20:09 +08:00			`next if (val = send k) == nil`
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`payload[k] = val`
			`end`

tiny refactor 2017-03-27 22:21:38 +08:00			`@custom_fields&.each do \|k, v\|`
			`payload["custom.#{k}"] = v.to_s`
FEATURE: custom fields on User 2014-04-22 11:52:13 +08:00			`end`

FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta 2014-02-25 11:30:49 +08:00			`Rack::Utils.build_query(payload)`
			`end`

			`end`