dennisreimann / masq Goto Github PK

Mountable Rails engine that provides OpenID server/identity provider functionality

License: MIT License

Ruby 99.64% CSS 0.36%

rails-engine openid-server openid identity-provider

masq's Introduction

Masq OpenID Server

Masq is a mountable Rails engine that provides OpenID server/identity provider functionality. It is the successor of the stand-alone Rails application masquerade.

The project is released under the MIT-License and its source code is available at GitHub. Feel free to fork and submit patches :)

Installation

If you want to upgrade from masquerade, please skip this part and see the Upgrading section below

In case you want to run masq as a standalone application (not integrated into an existing app), you will have to generate a barebone Rails app first:
- rails new my_openid_provider
Add masq to your Gemfile and install it:
- gem 'masq'
- bundle install
Copy the configuration and edit it:
- bundle exec rake masq:install:config
- $EDITOR config/masq.yml
Copy the migrations and migrate:
- bundle exec rake masq:install:migrations
- bundle exec rake db:migrate
Configure the routes by mounting the masq engine:
- For integration into an existing app, mount it in a subdirectory, like:
  - mount Masq::Engine => "/masq" or
  - mount Masq::Engine => "/openid"
- Standalone installation, mount it at the root:
  - mount Masq::Engine => "/"

Upgrading from masquerade

Generate a barebone Rails app:
- rails new my_openid_provider
Add masq to your Gemfile and install it:
- gem 'masq'
- bundle install
Copy your existing masquerade config file from config/app_config.yml to the new apps config/masq.yml
Copy the migrations and migrate:
- PLEASE BACKUP YOUR DATABASE FIRST!
- bundle exec rake masq:install:migrations
- bundle exec rake db:migrate

Configure the routes by mounting the masq engine:

 Rails.application.routes.draw do
   mount Masq::Engine => "/"
 end

Testing the installation

You can test the functionality in your local environment starting two instances: One as your Identity Provider/OpenID Server and another one as Relying Party.

* `rails server`
* `rails server -p 3001`

Open your browser with these urls (assumes you mounted the engine at /masq):

* [http://localhost:3000/masq](http://localhost:3000/masq) (Identity Provider)
* [http://localhost:3001/masq/consumer](http://localhost:3001/masq/consumer) (Relying Party testsuite)

First you have to create an account at the Identity Provider, after that you will be able to use the issued OpenID URL (http://localhost:3000/masq/YOUR_LOGIN) to send requests from the Relying Party to the server.

Use the options provided by the OpenID verification form to test several aspects of the client-server communication (like requesting simple registration data).

Development

Introduction

The main functionality is in the server controller, which is the endpoint for incoming OpenID requests. The server controller is supposed to only interact with relying parties a.k.a. consumer websites. It includes the OpenidServerSystem module, which provides some handy methods to access and answer OpenID requests.

Testing

You can run the tests with Rake: * DB_ADAPTER=sqlite3 bundle exec rake app:masq:test:ci * DB_ADAPTER=mysql2 bundle exec rake app:masq:test:ci * DB_ADAPTER=postgresql bundle exec rake app:masq:test:ci

The Rake task configures the database.yml for the chosen adapter.

In case you prefer running the tests continuously, use Guard: * bundle exec guard

Contact

Dennis Reimann: [email protected]

masq's People

Contributors

Stargazers

Watchers

Forkers

wedtm kerrizor glandos belighted nning adam-at-mobomo jotu bardbess matt-glover hafeez3000 upbeatproductions digideskio sureshprasanna70 telescope

masq's Issues

REQUEST FOR A NEW MAINTAINER

Are you using masq in production and would like to help maintain the project? Please contact me, because I don't use it anymore and don't have the time to give masq the attention it deserves.

Problem in production environment

It works fine in development environment, but I get this error when I use production:

Started GET "/" for 127.0.0.1 at Wed May 09 12:45:24 -0400 2012
Processing by Masq::InfoController#index as HTML
  Rendered /usr/lib/ruby/gems/1.8/gems/masq-0.1.0/app/views/masq/info/index.html.erb within layouts/masq/application (32.4ms)
  Rendered public/404.html (0.5ms)
Completed 404 Not Found in 223ms (Views: 3.8ms | ActiveRecord: 18.1ms)

Configuration comments & explanations

So I'm not sure whether or not I understand what all of the options are in config/masq.yaml, so I spent some time commenting the default options in nogweii/fisheye@92c4079. Not sure if everything I said there is correct.

Could you please go through and do a quick lookthrough and confirm everything I've mentioned is accurate?

Cover redirect vulnerability

Sorry to wake up people here, but I'm using masq, and I've read this blog article http://www.tetraph.com/blog/2014/05/covert-redirect-vulnerability-related-oauth-2-0-openid-covert-redirect-vulnerability-related-oauth-2-0-openid-%E4%B8%8E-oauth-2-0-openid-%E6%9C%89%E5%85%B3%E7%9A%84-covert-redirect/

The content is not really explicit for provider such as Masq… Can someone be clearer on the status of this?

Using email as login is broken

When trying to log in from masq interface with email_as_login: true in config, the user is logged in but https://www.le-pec.org/openid/[email protected] results in a 404.

Separate out personas & authentication for (re)use in other projects

So I'm not sure exactly how to go about this, so I'm mostly spitballing:

In my project, Fisheye, I'd like to support more authentication protocols, like WebID, which requires a FOAF profile. I would assume that it could just use Persona, but that feels a bit hackish and too tightly coupled. (I'd like to be able to include a switch and OpenID/masq is loaded if wanted, otherwise not.)
I'd also like to look at various back-end authentication changes, such as using LDAP. In theory, it should be "as simple as" switching to Devise or OmniAuth.

This might need to be split up into separate issues if it's a larger change than I think it is.

MASQ_ACCOUNTS table not compatible with oracle

Tables and columns names cannot exceed 30 characters in oracle.
The table column 'last_authenticated_with_yubikey' happens to be 31 characters long.

Validation regexps use ^$ instead of \A\z

In app/models/masq/account.rb these two validations allow newlines:

    validates_format_of :login, :with => /^[[email protected]]+$/
    validates_format_of :email, :with => /(^([^@\s]+)@((?:[-_a-z0-9]+\.)+[a-z]{2,})$)|(^$)/i

That allows e.g. registering with a username containing newline character.

More details:
http://guides.rubyonrails.org/security.html#regular-expressions

Why are the masq_open_id_associations server_url and secret binary columns?

I was having issues with the store_association method in lib/masq/active_record_openid_store/openid_ar_store.rb when trying to remove/create a record. A string would be passed back to the database but it was expecting a blob.

After changing the column to a string (varchar2 (Oracle) ) I haven't had any further issues.

Is there any reason the 'masq_open_id_associations' tables 'server_url' and 'secret' are binary column?

Yubico API appears to have changed, breaks association

Trying to use my key with an API key setup today, I ran the following in the Rails console:

> yubico = Yubico.new(my_id, my_pass)
=> #<Yubico:0x007f81b26db3d0 @_id=#####, @_key="#####">
> yubico.verify yubikey
=> "["OK"]"
> Yubico::E_OK == _
=> false
> Yubico::E_OK 
=> "OK"

The reply appears to be (maybe) returning a JSON array with one element and the Yubico lib is expecting a bare string.