sheeley/SessionsController.rb

## SessionsController.rb
class SessionsController < ApplicationController
  skip_before_filter :verify_authenticity_token, only: :saml
  def new
    request = Onelogin::Saml::Authrequest.new
    settings = saml_settings

    request_doc = request.create_authentication_xml_doc(settings)
    request_str = request_doc.to_s #.force_encoding("UTF-8")
    logger.debug request_str

    request_str = Base64.strict_encode64(request_str)

    # create a form in your view that POSTs to your IDP
    # <input name="SAMLRequest" value="@SAMLRequest"/>
    @SAMLRequest = request_str
  end

  def saml_settings
    Onelogin::Saml::Settings.new(
      assertion_consumer_service_url:  ENV['SAML_ASSERTION_CONSUMER_SERVICE_URL'],
      issuer:                          ENV['SAML_ISSUER'],
      idp_sso_target_url:              ENV['SAML_IDP_SSO_TARGET_URL'],
      idp_cert_fingerprint:            ENV['SAML_IDP_CERT_FINGERPRINT'],
      name_identifier_format:          ENV['SAML_NAME_IDENTIFIER_FORMAT']
    )
  end


  def create
    auth = request.env["omniauth.auth"]
    user = User.where(:provider => auth['provider'],
                      :uid => auth['uid'].to_s).first || User.create_with_omniauth(auth)
# Reset the session after successful login, per
# 2.8 Session Fixation – Countermeasures:
# http://guides.rubyonrails.org/security.html#session-fixation-countermeasures

  # binding.pry
    reset_session
    session[:user_id] = user.id
    user.add_role :admin if User.count == 1 # make the first user an admin
    if user.email.blank?
      redirect_to edit_user_path(user), :alert => "Please enter your email address."
    else
      redirect_to root_url, :notice => 'Signed in!'
    end

  end

  def saml
    # Onelogin handles the basic SAML response
    response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
    response.settings = saml_settings

    # decrypt the document
    enc_key = REXML::XPath.first(response.document, "//ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue").text
    enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
    private_key = OpenSSL::PKey::RSA.new(ENV['SAML_PRIVATE_KEY'])
    data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    actual_output = decrypt_cipher_data(data_key, enc_value)

    # for some reason, the decrypted string has extra chars at the end, so remove them if they're there
    output_end = '</saml:Assertion>'
    trim_to = actual_output.index output_end
    actual_output = actual_output[0..trim_to + output_end.length-1] if not trim_to.nil?

    # create a new xml doc, grab the key/values from it
    decrypted_doc = REXML::Document.new actual_output
    values = {}
    REXML::XPath.each(decrypted_doc, "//saml:AttributeStatement/saml:Attribute") do |elem|
      value_name = elem.attribute 'Name'
      if not value_name.nil?
        value_name = value_name.value
        values[value_name] = elem.children[0].text if not elem.children.nil? and not elem.children[0].nil?
      end
    end

    request.env["omniauth.auth"] = {
      'uid' => values['name_id'],
      'provider' => 'saml',
      'info' => {
        'name' => "#{values['FirstName']} #{values['LastName']}",
        'email' => values['Email']
      }
    }

   create
  end

  def destroy
    reset_session
    redirect_to root_url, :notice => 'Signed out!'
  end

  def failure
    redirect_to root_url, :alert => "Authentication error: #{params[:message].humanize}"
  end

  private

  def decrypt_cipher_data(key_cipher, cipher_data)
    cipher_data_str = Base64.decode64(cipher_data)
    mcrypt_iv = cipher_data_str[0..15]
    cipher_data_str = cipher_data_str[16..-1]
    cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
    cipher.decrypt
    cipher.padding = 0
    cipher.key = key_cipher
    cipher.iv = mcrypt_iv
    result = cipher.update(cipher_data_str)
    result << cipher.final
  end
end
	class SessionsController < ApplicationController
	skip_before_filter :verify_authenticity_token, only: :saml
	def new
	request = Onelogin::Saml::Authrequest.new
	settings = saml_settings

	request_doc = request.create_authentication_xml_doc(settings)
	request_str = request_doc.to_s #.force_encoding("UTF-8")
	logger.debug request_str

	request_str = Base64.strict_encode64(request_str)

	# create a form in your view that POSTs to your IDP
	# <input name="SAMLRequest" value="@SAMLRequest"/>
	@SAMLRequest = request_str
	end

	def saml_settings
	Onelogin::Saml::Settings.new(
	assertion_consumer_service_url: ENV['SAML_ASSERTION_CONSUMER_SERVICE_URL'],
	issuer: ENV['SAML_ISSUER'],
	idp_sso_target_url: ENV['SAML_IDP_SSO_TARGET_URL'],
	idp_cert_fingerprint: ENV['SAML_IDP_CERT_FINGERPRINT'],
	name_identifier_format: ENV['SAML_NAME_IDENTIFIER_FORMAT']
	)
	end


	def create
	auth = request.env["omniauth.auth"]
	user = User.where(:provider => auth['provider'],
	:uid => auth['uid'].to_s).first \|\| User.create_with_omniauth(auth)
	# Reset the session after successful login, per
	# 2.8 Session Fixation – Countermeasures:
	# http://guides.rubyonrails.org/security.html#session-fixation-countermeasures

	# binding.pry
	reset_session
	session[:user_id] = user.id
	user.add_role :admin if User.count == 1 # make the first user an admin
	if user.email.blank?
	redirect_to edit_user_path(user), :alert => "Please enter your email address."
	else
	redirect_to root_url, :notice => 'Signed in!'
	end

	end

	def saml
	# Onelogin handles the basic SAML response
	response = Onelogin::Saml::Response.new(request.params['SAMLResponse'])
	response.settings = saml_settings

	# decrypt the document
	enc_key = REXML::XPath.first(response.document, "//ds:KeyInfo/xenc:EncryptedKey/xenc:CipherData/xenc:CipherValue").text
	enc_value = REXML::XPath.first(response.document, "//xenc:EncryptedData/xenc:CipherData/xenc:CipherValue").text
	private_key = OpenSSL::PKey::RSA.new(ENV['SAML_PRIVATE_KEY'])
	data_key = private_key.private_decrypt(Base64.decode64(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
	actual_output = decrypt_cipher_data(data_key, enc_value)

	# for some reason, the decrypted string has extra chars at the end, so remove them if they're there
	output_end = '</saml:Assertion>'
	trim_to = actual_output.index output_end
	actual_output = actual_output[0..trim_to + output_end.length-1] if not trim_to.nil?

	# create a new xml doc, grab the key/values from it
	decrypted_doc = REXML::Document.new actual_output
	values = {}
	REXML::XPath.each(decrypted_doc, "//saml:AttributeStatement/saml:Attribute") do \|elem\|
	value_name = elem.attribute 'Name'
	if not value_name.nil?
	value_name = value_name.value
	values[value_name] = elem.children[0].text if not elem.children.nil? and not elem.children[0].nil?
	end
	end

	request.env["omniauth.auth"] = {
	'uid' => values['name_id'],
	'provider' => 'saml',
	'info' => {
	'name' => "#{values['FirstName']} #{values['LastName']}",
	'email' => values['Email']
	}
	}

	create
	end

	def destroy
	reset_session
	redirect_to root_url, :notice => 'Signed out!'
	end

	def failure
	redirect_to root_url, :alert => "Authentication error: #{params[:message].humanize}"
	end

	private

	def decrypt_cipher_data(key_cipher, cipher_data)
	cipher_data_str = Base64.decode64(cipher_data)
	mcrypt_iv = cipher_data_str[0..15]
	cipher_data_str = cipher_data_str[16..-1]
	cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
	cipher.decrypt
	cipher.padding = 0
	cipher.key = key_cipher
	cipher.iv = mcrypt_iv
	result = cipher.update(cipher_data_str)
	result << cipher.final
	end
	end