better_auth-sso 0.1.0 → 0.2.0

data/lib/better_auth/sso/saml.rb

@@ -44,18 +44,24 @@ module BetterAuth
           end
 
           attributes = response.attributes
-          email = first_attribute(attributes, attribute_map.fetch(:email)) || response.nameid
+          mapping = BetterAuth::Plugins.normalize_hash(config[:mapping] || {})
+          email = mapped_attribute(attributes, mapping[:email]) || first_attribute(attributes, attribute_map.fetch(:email)) || response.nameid
           raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response") if email.to_s.empty?
 
-          given_name = first_attribute(attributes, attribute_map.fetch(:given_name))
-          family_name = first_attribute(attributes, attribute_map.fetch(:family_name))
-          name = first_attribute(attributes, attribute_map.fetch(:name)) || [given_name, family_name].compact.join(" ").strip
-          {
+          given_name = mapped_attribute(attributes, mapping[:first_name]) || first_attribute(attributes, attribute_map.fetch(:given_name))
+          family_name = mapped_attribute(attributes, mapping[:last_name]) || first_attribute(attributes, attribute_map.fetch(:family_name))
+          name = [given_name, family_name].compact.join(" ").strip
+          name = mapped_attribute(attributes, mapping[:name]) || first_attribute(attributes, attribute_map.fetch(:name)) if name.empty?
+          extra_fields = mapped_extra_fields(attributes, mapping)
+          email_verified = mapping[:email_verified] ? mapped_attribute(attributes, mapping[:email_verified]) : true
+          extra_fields.merge(
             email: email.to_s.downcase,
             name: name.to_s.empty? ? email.to_s : name.to_s,
-            id: assertion_identifier(response, email),
-            email_verified: true
-          }
+            id: mapped_attribute(attributes, mapping[:id]) || assertion_identifier(response, email),
+            name_id: response.nameid,
+            session_index: response.sessionindex,
+            email_verified: (email_verified == false) ? false : !email_verified.to_s.empty?
+          )
         end
       end
 
@@ -69,14 +75,26 @@ module BetterAuth
         settings.idp_sso_service_url = config[:entry_point]
         settings.idp_cert = config[:cert] unless config[:cert].to_s.empty?
         settings.name_identifier_format = config[:identifier_format] unless config[:identifier_format].to_s.empty?
-        settings.private_key = config[:sp_private_key] unless config[:sp_private_key].to_s.empty?
-        settings.certificate = config[:sp_certificate] unless config[:sp_certificate].to_s.empty?
+        private_key = config.dig(:sp_metadata, :private_key) || config[:private_key] || config[:sp_private_key]
+        authn_requests_signed = config.fetch(:authn_requests_signed, config[:want_authn_requests_signed])
+        if authn_requests_signed && private_key.to_s.empty?
+          raise BetterAuth::APIError.new("BAD_REQUEST", message: "SAML authnRequestsSigned requires privateKey")
+        end
+        settings.private_key = private_key unless private_key.to_s.empty?
+        certificate = config.dig(:sp_metadata, :certificate) || config[:sp_certificate]
+        certificate ||= config[:certificate] if config[:certificate].is_a?(String)
+        settings.certificate = certificate unless certificate.to_s.empty?
         settings.security[:want_assertions_signed] = config.fetch(:want_assertions_signed, true)
         settings.security[:want_messages_signed] = config.fetch(:want_messages_signed, false)
         settings.security[:want_assertions_encrypted] = config.fetch(:want_assertions_encrypted, false)
+        settings.security[:authn_requests_signed] = !!authn_requests_signed
         settings.security[:strict_audience_validation] = true
         settings.security[:digest_method] = config[:digest_algorithm] || XMLSecurity::Document::SHA256
-        settings.security[:signature_method] = config[:signature_algorithm] || XMLSecurity::Document::RSA_SHA256
+        settings.security[:signature_method] = if config[:signature_algorithm]
+          BetterAuth::Plugins.sso_normalize_saml_signature_algorithm(config[:signature_algorithm])
+        else
+          XMLSecurity::Document::RSA_SHA256
+        end
         settings
       end
 
@@ -92,20 +110,41 @@ module BetterAuth
           allowed_data_encryption_algorithms: config[:allowed_data_encryption_algorithms]
         )
       rescue BetterAuth::APIError
-        raise
+        raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response")
       rescue
         raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response")
       end
 
       def first_attribute(attributes, names)
         Array(names).each do |name|
-          value = attributes[name]
+          value = attribute_value(attributes, name)
           value = value.first if value.is_a?(Array)
           return value unless value.to_s.empty?
         end
         nil
       end
 
+      def mapped_attribute(attributes, name)
+        return nil if name.to_s.empty?
+
+        value = attribute_value(attributes, name)
+        value = value.first if value.is_a?(Array)
+        value unless value.to_s.empty?
+      end
+
+      def mapped_extra_fields(attributes, mapping)
+        BetterAuth::Plugins.normalize_hash(mapping[:extra_fields] || {}).each_with_object({}) do |(target, source), result|
+          result[target] = mapped_attribute(attributes, source)
+        end
+      end
+
+      def attribute_value(attributes, name)
+        [name, name.to_s, BetterAuth::Plugins.normalize_key(name)].each do |key|
+          return attributes[key] if attributes.respond_to?(:key?) && attributes.key?(key)
+        end
+        attributes[name] || attributes[name.to_s] || attributes[BetterAuth::Plugins.normalize_key(name)]
+      end
+
       def assertion_identifier(response, email)
         response.assertion_id || response.nameid || response.sessionindex || email
       end

data/lib/better_auth/sso/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module SSO
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-sso
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Sebastian Sala