Fix bug. Change fingerprint to be read from adfs_fingerprint.txt (use crontab to update it).

This commit is contained in:
BoHung Chiu 2023-02-13 23:22:31 +08:00
parent 0d6c29d6d2
commit 9131449314
2 changed files with 12 additions and 5 deletions

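--- /dev/null
+++ b/adfs_fingerprint.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+dir="$(dirname $0)"
+adfs_fingerprint=`openssl s_client -connect adfs.ntu.edu.tw:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin| cut -d '=' -f2`
+if [ ! -z "$adfs_fingerprint" ]; then
+echo "$adfs_fingerprint" > "$dir/adfs_fingerprint.txt"
+fi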
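Review bot: The pipeline on the third line pins whatever certificate the server presents, with no chain validation, so the value written to adfs_fingerprint.txt is only as trustworthy as the network path at the moment cron runs; the commit replaces a fixed pin with a periodically refreshed trust-on-first-use. Passing `-verify_return_error` to s_client (the default CA store is used when no `-CAfile`/`-CApath` is given) makes a failed chain validation abort the handshake, so no certificate is printed and the existing empty-string guard leaves the previous file intact. The digest should also be explicit (`-sha1`) to match the algorithm the application configures rather than relying on the openssl default, and `$0` should be quoted. Finally, `>` truncates the file before writing, so a concurrent reader in the application can observe an empty fingerprint; write to a temp file and `mv` it into place.
```shell
#!/bin/bash
set -u
dir="$(dirname "$0")"
# -verify_return_error: abort on a chain-validation failure so an untrusted cert is never pinned.
adfs_fingerprint="$(openssl s_client -connect adfs.ntu.edu.tw:443 -servername adfs.ntu.edu.tw \
    -verify_return_error < /dev/null 2>/dev/null \
  | openssl x509 -sha1 -fingerprint -noout | cut -d '=' -f2)"
if [ -n "$adfs_fingerprint" ]; then
  tmp="$(mktemp "$dir/adfs_fingerprint.XXXXXX")"
  echo "$adfs_fingerprint" > "$tmp"
  mv -f "$tmp" "$dir/adfs_fingerprint.txt"
fi
```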


@ -4,7 +4,7 @@ class SsoLoginBoxController < SessionsController
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
def sso_auth_page
session[:referer_url] = params[:referer_url]
puts ["session", session, session.to_hash]
# puts ["session", session, session.to_hash]
request = OneLogin::RubySaml::Authrequest.new
redirect_to(request.create(saml_settings))
end
@ -21,7 +21,7 @@ class SsoLoginBoxController < SessionsController
# We validate the SAML Response and check if the user already exists in the system
if response.is_valid?
attributes = response.attributes
puts ["attributes", attributes.inspect]
# puts ["attributes", attributes.inspect]
if true#["f", "s"].include?(attributes["AccountTypeCode"])
email = attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
member_name = attributes["ChineseName"]
@ -39,6 +39,7 @@ class SsoLoginBoxController < SessionsController
end
end
if !user.nil?
puts "Login #{user.user_name} success by sso!"
session[:sso_token] = user.id
session[:user_id] = user.id
session[:login_referer] = nil
@ -97,13 +98,13 @@ class SsoLoginBoxController < SessionsController
def saml_settings
settings = OneLogin::RubySaml::Settings.new
request_host = request.host
settings.assertion_consumer_service_url = "https://#{request_host}/ntu_sso/response?referer_url=#{params[:referer_url]}"
settings.assertion_consumer_service_url = "https://#{request_host}/ntu_sso/response"
settings.issuer = request_host
settings.idp_sso_target_url = "https://adfs.ntu.edu.tw/adfs/ls/"
# settings.idp_sso_target_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" # or :post, :redirect
settings.idp_slo_target_url = "https://adfs.ntu.edu.tw/adfs/ls/clearall.aspx?url=https://#{request_host}"
# settings.idp_slo_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" # or :post, :redirect
settings.idp_cert_fingerprint = "0a:27:fc:d5:ce:dc:d8:44:cc:a9:58:8a:42:d1:f4:df:38:2e:4a:c3"
settings.idp_cert_fingerprint = (File.read('adfs_fingerprint.txt') rescue '') #"0A:27:FC:D5:CE:DC:D8:44:CC:A9:58:8A:42:D1:F4:DF:38:2E:4A:C3"
settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha1"
# settings.security[:signature_method] = XMLSecurity::Document::SHA256
# settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@ -122,4 +123,4 @@ class SsoLoginBoxController < SessionsController
settings
end
end
end
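Review bot: `File.read('adfs_fingerprint.txt')` on the new line in saml_settings resolves relative to the process working directory, not the application root, while the companion script writes the file next to itself; depending on how the server is launched the read fails and the `rescue ''` silently turns the IdP pin into an empty string. If this is a Rails application, as the controller helpers suggest, resolve the path explicitly and handle the missing file instead of rescuing everything: `fingerprint_path = Rails.root.join('adfs_fingerprint.txt')` and `settings.idp_cert_fingerprint = File.exist?(fingerprint_path) ? File.read(fingerprint_path).strip : ''`, logging a warning in the empty case so a stalled cron job is visible. An empty fingerprint should make response.is_valid? fail closed in ruby-saml, but confirm that rather than relying on it; `.strip` also removes the trailing newline that echo leaves in the file. The file header for this section is not visible here and saml_settings continues past the hunk; the context line in the first hunk that reassigns OpenSSL::SSL::VERIFY_PEER to VERIFY_NONE predates this commit but deserves its own fix.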