class Object

Public Instance Methods

allowed_clock_drift()
# File lib/omniauth/strategies/realme.rb, line 247
def allowed_clock_drift
  options.fetch('allowed_clock_drift', 0)
end
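The `allowed_clock_drift` value (seconds, default 0) is passed on to ruby-saml, which applies it as a tolerance when it validates the assertion's `<saml:Conditions>` NotBefore/NotOnOrAfter timestamps; a value of 0 means an SP clock a couple of seconds behind the IdP rejects freshly issued assertions. The following is an added example, not code from the omniauth-realme gem or from ruby-saml: it re-implements that check in plain Ruby (stdlib only) over a constructed Conditions element so you can see exactly which timestamps a given drift value accepts. `clock_drift_from`, `condition_errors`, the `options` hash and the sample assertion are assumptions made for the example.

```ruby
require 'time'
require 'rexml/document'
require 'rexml/xpath'

SAML_ASSERTION_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'

# Constructed sample assertion: only the Conditions element matters here.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{SAML_ASSERTION_NS}" ID="_example" Version="2.0"
                  IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  </saml:Assertion>
XML

# Same fetch-with-default as the strategy's allowed_clock_drift; `options`
# stands in for the OmniAuth strategy options hash (assumption).
def clock_drift_from(options)
  options.fetch('allowed_clock_drift', 0)
end

# Returns the list of validation errors (empty when the assertion is valid at `now`).
# The semantics mirror ruby-saml's Conditions check as I read it (this is a
# re-implementation, not the gem's code): the drift widens the window at both ends.
def condition_errors(assertion_xml, now:, allowed_clock_drift: 0)
  doc  = REXML::Document.new(assertion_xml)
  cond = REXML::XPath.first(doc, '//saml:Conditions', 'saml' => SAML_ASSERTION_NS)
  return ['assertion has no Conditions element'] unless cond

  errors = []
  if (not_before = cond.attributes['NotBefore'])
    if now + allowed_clock_drift < Time.iso8601(not_before)
      errors << "now (#{now.iso8601}) + #{allowed_clock_drift}s drift is before NotBefore #{not_before}"
    end
  end
  if (not_on_or_after = cond.attributes['NotOnOrAfter'])
    if now - allowed_clock_drift >= Time.iso8601(not_on_or_after)
      errors << "now (#{now.iso8601}) - #{allowed_clock_drift}s drift is on or after NotOnOrAfter #{not_on_or_after}"
    end
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  early = Time.iso8601('2023-12-31T23:59:58Z') # SP clock 2 s behind the IdP
  [{}, { 'allowed_clock_drift' => 5 }].each do |options|
    drift = clock_drift_from(options)
    errs  = condition_errors(SAMPLE_ASSERTION, now: early, allowed_clock_drift: drift)
    puts "drift=#{drift}: #{errs.empty? ? 'valid' : errs.join('; ')}"
  end
end
```

Keep the drift small (a few seconds) and fix the clock with NTP rather than widening the window: every second of drift is a second longer that a replayed assertion stays acceptable after its NotOnOrAfter.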
create_exception_for(status_code:, message:)

Realme documents the various error conditions it can return:

developers.realme.govt.nz/how-realme-works/realme-saml-exception-handling/

# File lib/omniauth/strategies/realme.rb, line 207
def create_exception_for(status_code:, message:) # rubocop:disable Metrics/MethodLength, Metrics/CyclomaticComplexity
  case status_code
  when /status:Timeout\z/
    RealmeTimeoutError.new(message)
  when /status:InternalError\z/
    RealmeInternalError.new(message)
  when /status:AuthnFailed\z/
    RealmeAuthnFailedError.new(message)
  when /status:NoAvailableIDP\z/
    RealmeNoAvailableIDPError.new(message)
  when /status:NoPassive\z/
    RealmeNoPassiveError.new(message)
  when /status:RequestDenied\z/
    RealmeRequestDeniedError.new(message)
  when /status:RequestUnsupported\z/
    RealmeRequestUnsupportedError.new(message)
  when /status:UnknownPrincipal\z/
    RealmeUnknownPrincipalError.new(message)
  when /status:UnsupportedBinding\z/
    RealmeUnsupportedBindingError.new(message)
  else
    RealmeUnrecognisedError.new("Realme login service returned an unrecognised error. status_code=#{status_code} message=#{message}")
  end
end
create_label_for(exception)

The OmniAuth failure endpoint requires us to pass an instance of an Exception and a String|Symbol describing the error. This method builds a simple description based on the class of the exception.

This gem can be used in any Rack environment, so we don't use any Rails-specific text wrangling methods.

@param [Exception] exception The exception to describe
@return [String] The label describing the exception

# File lib/omniauth/strategies/realme.rb, line 243
def create_label_for(exception)
  exception.class.to_s.gsub('::', '_')
end
default_error_messages_for_rails_session(error)
# File lib/omniauth/strategies/realme.rb, line 255
def default_error_messages_for_rails_session(error)
  # NB: `error` is interpolated into HTML without escaping in the fallback
  # branch, so pass only trusted text here (e.g. the label from create_label_for).
  case error
  when /Timeout/
    '<p>Your RealMe session has expired due to inactivity.</p>'
  when /NoAvailableIDP/
    "<p>RealMe reported that the TXT service, Google Authenticator or the RealMe token service is not available.</p>
     <p>You may try again later. If the problem persists, please contact RealMe Help <a href='tel:0800664774'>0800 664 774</a>.</p>"
  when /AuthnFailed/
    '<p>You have chosen to leave the RealMe login screen without completing the login process.</p>'
  when /InternalError/
    "<p>RealMe was unable to process your request due to a RealMe internal error.</p>
     <p>Please try again. If the problem persists, please contact RealMe Help Desk on <a href='tel:0800664774'>0800 664 774</a>.</p>"
  else
    "<p>RealMe reported a serious application error with the message:</p>
     <p>#{error}</p>
     <p>Please try again later. If the problem persists, please contact RealMe Help Desk on <a href='tel:0800664774'>0800 664 774</a>.</p>"
  end
end
legacy_rails_session_behaviour_enabled?()
# File lib/omniauth/strategies/realme.rb, line 251
def legacy_rails_session_behaviour_enabled?
  options.fetch('legacy_rails_session_behaviour_enabled', true)
end
saml_settings()
# File lib/omniauth/strategies/realme.rb, line 162
def saml_settings # rubocop:disable Metrics/AbcSize
  idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
  settings = idp_metadata_parser.parse(File.read(options.fetch('idp_service_metadata')))

  settings.issuer                             = options.fetch('issuer')
  settings.assertion_consumer_service_url     = options.fetch('assertion_consumer_service_url')
  settings.attributes_index                   = options.fetch('attributes_index', '0')
  settings.private_key                        = options.fetch('private_key')
  settings.authn_context                      = options.fetch('auth_strength', 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength')
  settings.protocol_binding                   = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
  settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
  settings.soft                               = !options.fetch('raise_exceptions_for_saml_validation_errors', false)

  settings.security[:authn_requests_signed] = true

  ##
  # Realme error if this is missing from the metadata
  #
  #     WantAssertionsSigned must be true (MTS-002)
  #
  settings.security[:want_assertions_signed] = true

  ##
  # Realme MTS requires our Metadata XML to have both:
  #
  #     <md:KeyDescriptor use="signing">...</md:KeyDescriptor>
  #     <md:KeyDescriptor use="encryption">...</md:KeyDescriptor>
  #
  # in the metadata XML we submit. We need to set a certificate **and**
  # set `:want_assertions_encrypted` for ruby-saml to include these
  # elements.
  #
  settings.certificate = options.fetch('certificate')
  settings.security[:want_assertions_encrypted] = true

  settings
end
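The two comments in `saml_settings` describe what RealMe's MTS checks for in the SP metadata you submit: `WantAssertionsSigned="true"` on the `SPSSODescriptor` (error MTS-002 otherwise) and both a signing and an encryption `md:KeyDescriptor`, which ruby-saml only emits once `settings.certificate` and `:want_assertions_encrypted` are set. The lint below is an added example, not part of the gem or of ruby-saml: it checks a metadata document for exactly those elements with stdlib REXML, which is a cheap pre-submission test after changing `saml_settings`. `metadata_problems`, `sample_metadata` and the constructed sample XML are assumptions made for the example; the `AuthnRequestsSigned` check reflects `settings.security[:authn_requests_signed] = true` above.

```ruby
require 'rexml/document'
require 'rexml/xpath'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'
MD_XPATH_NS = { 'md' => MD_NS, 'ds' => DS_NS }.freeze

# Returns the list of problems RealMe MTS would reject the metadata for;
# an empty list means the checked requirements are met.
def metadata_problems(metadata_xml)
  doc = REXML::Document.new(metadata_xml)
  sp  = REXML::XPath.first(doc, '/md:EntityDescriptor/md:SPSSODescriptor', MD_XPATH_NS)
  return ['no md:SPSSODescriptor in metadata'] unless sp

  problems = []
  problems << 'WantAssertionsSigned must be true (MTS-002)' unless sp.attributes['WantAssertionsSigned'] == 'true'
  problems << 'AuthnRequestsSigned must be true' unless sp.attributes['AuthnRequestsSigned'] == 'true'

  # Both KeyDescriptor uses must be present and carry a certificate.
  %w[signing encryption].each do |use|
    cert = REXML::XPath.first(sp, "md:KeyDescriptor[@use='#{use}']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_XPATH_NS)
    problems << "missing <md:KeyDescriptor use=\"#{use}\"> with an X509Certificate" if cert.nil? || cert.text.to_s.strip.empty?
  end
  problems
end

# Constructed sample metadata (placeholder certificate, not a real one) so the
# checker can be run offline against good and deliberately incomplete input.
def sample_metadata(want_signed: 'true', key_uses: %w[signing encryption])
  keys = key_uses.map do |use|
    "<md:KeyDescriptor use=\"#{use}\"><ds:KeyInfo><ds:X509Data>" \
    '<ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>' \
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
  end.join
  <<~XML
    <md:EntityDescriptor xmlns:md="#{MD_NS}" xmlns:ds="#{DS_NS}" entityID="https://sp.example.invalid/realme">
      <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="#{want_signed}"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        #{keys}
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://sp.example.invalid/auth/realme/callback" index="0"/>
      </md:SPSSODescriptor>
    </md:EntityDescriptor>
  XML
end

if __FILE__ == $PROGRAM_NAME
  puts "complete metadata: #{metadata_problems(sample_metadata).inspect}"
  puts "no encryption key: #{metadata_problems(sample_metadata(key_uses: %w[signing])).inspect}"
end
```

To check the metadata the strategy actually generates, feed the output of ruby-saml's metadata generator for your `saml_settings` into `metadata_problems` instead of `sample_metadata`.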