better_auth-sso 0.2.0 → 0.6.2

data/lib/better_auth/sso/routes/schemas.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module Schemas
+        OIDC_MAPPING_KEYS = %i[id email email_verified name image extra_fields].freeze
+        SAML_MAPPING_KEYS = %i[id email email_verified name first_name last_name extra_fields].freeze
+        OIDC_CONFIG_KEYS = %i[
+          client_id
+          client_secret
+          authorization_endpoint
+          token_endpoint
+          user_info_endpoint
+          token_endpoint_authentication
+          jwks_endpoint
+          discovery_endpoint
+          scopes
+          pkce
+          override_user_info
+          mapping
+        ].freeze
+        SAML_CONFIG_KEYS = %i[
+          entry_point
+          cert
+          callback_url
+          audience
+          idp_metadata
+          sp_metadata
+          want_assertions_signed
+          authn_requests_signed
+          want_logout_request_signed
+          want_logout_response_signed
+          signature_algorithm
+          digest_algorithm
+          identifier_format
+          private_key
+          decryption_pvk
+          additional_params
+          mapping
+        ].freeze
+
+        module_function
+
+        def plugin_schema(config = {})
+          normalized = BetterAuth::Plugins.normalize_hash(config || {})
+          fields = {
+            issuer: {type: "string", required: true},
+            oidcConfig: {type: "string", required: false},
+            samlConfig: {type: "string", required: false},
+            userId: {type: "string", required: true},
+            providerId: {type: "string", required: true, unique: true},
+            domain: {type: "string", required: true},
+            organizationId: {type: "string", required: false}
+          }
+          if normalized.dig(:domain_verification, :enabled)
+            fields[:domainVerified] = {type: "boolean", required: false, default_value: false}
+          end
+          {
+            ssoProvider: {
+              model_name: normalized[:model_name] || "ssoProviders",
+              fields: fields
+            }
+          }
+        end
+
+        def oidc_config_key?(key)
+          OIDC_CONFIG_KEYS.include?(BetterAuth::Plugins.normalize_key(key))
+        end
+
+        def saml_config_key?(key)
+          SAML_CONFIG_KEYS.include?(BetterAuth::Plugins.normalize_key(key))
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/routes/sso.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module SSO
+        module_function
+
+        def endpoints(config = {})
+          normalized = BetterAuth::Plugins.normalize_hash(config || {})
+          endpoints = {
+            sp_metadata: BetterAuth::Plugins.sso_sp_metadata_endpoint(normalized),
+            register_sso_provider: BetterAuth::Plugins.sso_register_provider_endpoint(normalized),
+            sign_in_sso: BetterAuth::Plugins.sso_sign_in_endpoint(normalized),
+            callback_sso: BetterAuth::Plugins.sso_oidc_callback_endpoint(normalized),
+            callback_sso_shared: BetterAuth::Plugins.sso_oidc_shared_callback_endpoint(normalized),
+            callback_sso_saml: BetterAuth::Plugins.sso_saml_callback_endpoint(normalized),
+            acs_endpoint: BetterAuth::Plugins.sso_saml_acs_endpoint(normalized),
+            slo_endpoint: BetterAuth::Plugins.sso_saml_slo_endpoint(normalized),
+            initiate_slo: BetterAuth::Plugins.sso_initiate_slo_endpoint(normalized),
+            list_sso_providers: BetterAuth::Plugins.sso_list_providers_endpoint,
+            get_sso_provider: BetterAuth::Plugins.sso_get_provider_endpoint,
+            update_sso_provider: BetterAuth::Plugins.sso_update_provider_endpoint,
+            delete_sso_provider: BetterAuth::Plugins.sso_delete_provider_endpoint
+          }
+          if normalized.dig(:domain_verification, :enabled)
+            endpoints[:request_domain_verification] = BetterAuth::Plugins.sso_request_domain_verification_endpoint(normalized)
+            endpoints[:verify_domain] = BetterAuth::Plugins.sso_verify_domain_endpoint(normalized)
+          end
+          endpoints
+        end
+
+        def oidc_redirect_uri(context, provider_id)
+          BetterAuth::Plugins.sso_oidc_redirect_uri(context, provider_id)
+        end
+
+        def saml_authorization_url(provider, relay_state, ctx = nil, config = {})
+          BetterAuth::Plugins.sso_saml_authorization_url(provider, relay_state, ctx, config)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml/algorithms.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAML
+      module Algorithms
+        module_function
+
+        SignatureAlgorithm = BetterAuth::Plugins::SSO_SAML_SIGNATURE_ALGORITHMS.merge(
+          RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+          RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+          RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+          RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+          ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+          ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+          ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+        ).freeze
+        DigestAlgorithm = BetterAuth::Plugins::SSO_SAML_DIGEST_ALGORITHMS.merge(
+          SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+          SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+          SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+          SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+        ).freeze
+        KEY_ENCRYPTION_ALGORITHM = {
+          RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+          RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+          RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+        }.freeze
+        DATA_ENCRYPTION_ALGORITHM = {
+          TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+          AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+          AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+          AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+          AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+          AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+          AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+        }.freeze
+        SecureSignatureAlgorithms = BetterAuth::Plugins::SSO_SAML_SECURE_SIGNATURE_ALGORITHMS
+        SecureDigestAlgorithms = BetterAuth::Plugins::SSO_SAML_SECURE_DIGEST_ALGORITHMS
+
+        def validate(xml, **options)
+          if xml.is_a?(Hash)
+            return validate_response(
+              sig_alg: xml[:sig_alg] || xml[:sigAlg] || xml["sig_alg"] || xml["sigAlg"],
+              saml_content: xml[:saml_content] || xml[:samlContent] || xml["saml_content"] || xml["samlContent"],
+              **options
+            )
+          end
+
+          BetterAuth::Plugins.sso_validate_saml_algorithms!(xml, normalize_options(options))
+        end
+
+        def validate_response(sig_alg: nil, saml_content: "", **options)
+          xml = +""
+          xml << "<ds:SignatureMethod Algorithm=\"#{sig_alg}\"/>" unless sig_alg.to_s.empty?
+          xml << saml_content.to_s
+          BetterAuth::Plugins.sso_validate_saml_algorithms!(xml, normalize_options(options))
+        end
+
+        def validate_config(config = {}, **options)
+          config_keys = %i[signature_algorithm signatureAlgorithm digest_algorithm digestAlgorithm]
+          inline_config = options.slice(*config_keys)
+          normalized = BetterAuth::Plugins.normalize_hash((config || {}).merge(inline_config))
+          options = options.except(*config_keys)
+          xml = +""
+          unless normalized[:signature_algorithm].to_s.empty?
+            xml << "<ds:SignatureMethod Algorithm=\"#{normalized[:signature_algorithm]}\"/>"
+          end
+          unless normalized[:digest_algorithm].to_s.empty?
+            xml << "<ds:DigestMethod Algorithm=\"#{normalized[:digest_algorithm]}\"/>"
+          end
+          BetterAuth::Plugins.sso_validate_saml_algorithms!(xml, normalize_options(options))
+        end
+
+        def normalize_signature(algorithm)
+          BetterAuth::Plugins.sso_normalize_saml_signature_algorithm(algorithm)
+        end
+
+        def normalize_digest(algorithm)
+          BetterAuth::Plugins.sso_normalize_saml_digest_algorithm(algorithm)
+        end
+
+        def normalize_options(options)
+          normalized = BetterAuth::Plugins.normalize_hash(options || {})
+          {
+            on_deprecated: normalized[:on_deprecated],
+            allowed_signature_algorithms: normalized[:allowed_signature_algorithms],
+            allowed_digest_algorithms: normalized[:allowed_digest_algorithms],
+            allowed_key_encryption_algorithms: normalized[:allowed_key_encryption_algorithms],
+            allowed_data_encryption_algorithms: normalized[:allowed_data_encryption_algorithms]
+          }.compact
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml/assertions.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAML
+      module Assertions
+        module_function
+
+        def validate_single_assertion!(saml_response)
+          BetterAuth::Plugins.sso_validate_single_saml_assertion!(saml_response)
+        end
+
+        def count(xml)
+          assertions = xml.to_s.scan(/<(?:\w+:)?Assertion(?:\s|>|\/)/).length
+          encrypted_assertions = xml.to_s.scan(/<(?:\w+:)?EncryptedAssertion(?:\s|>|\/)/).length
+          {assertions: assertions, encrypted_assertions: encrypted_assertions, total: assertions + encrypted_assertions}
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml/error_codes.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAML
+      module ErrorCodes
+        SAML_ERROR_CODES = {
+          single_logout_not_enabled: "Single Logout is not enabled",
+          invalid_logout_response: "Invalid LogoutResponse",
+          invalid_logout_request: "Invalid LogoutRequest",
+          logout_failed_at_idp: "Logout failed at IdP",
+          idp_slo_not_supported: "IdP does not support Single Logout Service",
+          saml_provider_not_found: "SAML provider not found"
+        }.freeze
+
+        module_function
+
+        def message(code)
+          SAML_ERROR_CODES[BetterAuth::Plugins.normalize_key(code)]
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml/parser.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAML
+      module Parser
+        module_function
+
+        def parse_response(value, config = {}, provider = nil, ctx = nil)
+          BetterAuth::Plugins.sso_parse_saml_response(value, config, provider, ctx)
+        end
+
+        def base64_xml?(value)
+          BetterAuth::Plugins.sso_base64_xml?(value)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml/timestamp.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAML
+      module Timestamp
+        module_function
+
+        def validate!(conditions, config = {}, now: Time.now.utc)
+          BetterAuth::Plugins.sso_validate_saml_timestamp!(conditions, config, now: now)
+        end
+
+        def conditions(assertion)
+          BetterAuth::Plugins.sso_saml_timestamp_conditions(assertion)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "base64"
+require "logger"
 require "onelogin/ruby-saml"
 require "uri"
 
@@ -25,6 +26,18 @@ module BetterAuth
         }
       end
 
+      def validate_config_algorithms(config = {}, **options)
+        Algorithms.validate_config(config, **options)
+      end
+
+      def validate_saml_algorithms(xml, **options)
+        Algorithms.validate(xml, **options)
+      end
+
+      def validate_single_assertion(saml_response)
+        Assertions.validate_single_assertion!(saml_response)
+      end
+
       def auth_request_url(settings: nil, request_options: {}, **_options)
         lambda do |provider:, relay_state:, context:|
           config = BetterAuth::Plugins.normalize_hash(provider["samlConfig"] || provider[:samlConfig] || {})
@@ -69,11 +82,18 @@ module BetterAuth
         settings = overrides || OneLogin::RubySaml::Settings.new
         provider_id = provider.fetch("providerId")
         base_url = context.context.base_url
-        settings.assertion_consumer_service_url = config[:callback_url] || "#{base_url}/sso/saml2/sp/acs/#{provider_id}"
+        idp_metadata = BetterAuth::Plugins.respond_to?(:sso_saml_idp_metadata) ? BetterAuth::Plugins.sso_saml_idp_metadata(config) : {}
+        sso_service = BetterAuth::Plugins.respond_to?(:sso_saml_preferred_service) ? BetterAuth::Plugins.sso_saml_preferred_service(idp_metadata[:single_sign_on_service]) : nil
+        sso_service = BetterAuth::Plugins.normalize_hash(sso_service || {})
+        settings.assertion_consumer_service_url = if BetterAuth::Plugins.respond_to?(:sso_saml_acs_url?) && BetterAuth::Plugins.sso_saml_acs_url?(config[:callback_url])
+          config[:callback_url]
+        else
+          "#{base_url}/sso/saml2/sp/acs/#{URI.encode_www_form_component(provider_id)}"
+        end
         settings.sp_entity_id = config.dig(:sp_metadata, :entity_id) || config[:audience] || "#{base_url}/sso/saml2/sp/metadata?providerId=#{URI.encode_www_form_component(provider_id)}"
-        settings.idp_entity_id = provider["issuer"] || provider[:issuer]
-        settings.idp_sso_service_url = config[:entry_point]
-        settings.idp_cert = config[:cert] unless config[:cert].to_s.empty?
+        settings.idp_entity_id = idp_metadata[:entity_id] || provider["issuer"] || provider[:issuer]
+        settings.idp_sso_service_url = config[:entry_point] || sso_service[:location]
+        settings.idp_cert = config[:cert] || idp_metadata[:cert] unless (config[:cert] || idp_metadata[:cert]).to_s.empty?
         settings.name_identifier_format = config[:identifier_format] unless config[:identifier_format].to_s.empty?
         private_key = config.dig(:sp_metadata, :private_key) || config[:private_key] || config[:sp_private_key]
         authn_requests_signed = config.fetch(:authn_requests_signed, config[:want_authn_requests_signed])

data/lib/better_auth/sso/saml_state.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module SAMLState
+      module_function
+
+      def generate_relay_state(ctx, link = nil, additional_data = {})
+        callback_url = BetterAuth::Plugins.sso_fetch(ctx.body, :callback_url)
+        raise APIError.new("BAD_REQUEST", message: "callbackURL is required") if callback_url.to_s.empty?
+
+        extra = (additional_data == false) ? {} : (additional_data || {})
+        BetterAuth::Plugins.sso_generate_saml_relay_state(
+          ctx,
+          extra.merge(
+            callbackURL: callback_url,
+            errorURL: BetterAuth::Plugins.sso_fetch(ctx.body, :error_callback_url),
+            newUserURL: BetterAuth::Plugins.sso_fetch(ctx.body, :new_user_callback_url),
+            requestSignUp: BetterAuth::Plugins.sso_fetch(ctx.body, :request_sign_up),
+            link: link
+          )
+        )
+      end
+
+      def parse_relay_state(ctx)
+        BetterAuth::Plugins.sso_parse_saml_relay_state(ctx, BetterAuth::Plugins.sso_fetch(ctx.body, :relay_state))
+      end
+    end
+  end
+end

data/lib/better_auth/sso/types.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Types
+      PROVIDER_TYPES = %w[oidc saml].freeze
+      OIDC_TOKEN_ENDPOINT_AUTH_METHODS = %w[client_secret_post client_secret_basic].freeze
+
+      module_function
+
+      def provider_type?(value)
+        PROVIDER_TYPES.include?(value.to_s)
+      end
+
+      def oidc_token_endpoint_auth_method?(value)
+        OIDC_TOKEN_ENDPOINT_AUTH_METHODS.include?(value.to_s)
+      end
+    end
+  end
+end

data/lib/better_auth/sso/utils.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require "json"
+require "openssl"
+
+module BetterAuth
+  module SSO
+    module Utils
+      module_function
+
+      def safe_json_parse(value)
+        return nil if value.nil? || value == ""
+        return value if value.is_a?(Hash) || value.is_a?(Array)
+
+        JSON.parse(value.to_s)
+      rescue JSON::ParserError => error
+        raise Error, "Failed to parse JSON: #{error.message}"
+      end
+
+      def domain_matches?(search_domain, domain_list)
+        BetterAuth::Plugins.sso_email_domain_matches?(search_domain, domain_list)
+      end
+
+      def validate_email_domain(email, domain)
+        BetterAuth::Plugins.sso_email_domain_matches?(email, domain)
+      end
+
+      def parse_certificate(cert)
+        value = cert.to_s
+        normalized = if value.include?("-----BEGIN")
+          value
+        else
+          body = value.delete("\n\r\t ")
+          "-----BEGIN CERTIFICATE-----\n#{body.scan(/.{1,64}/).join("\n")}\n-----END CERTIFICATE-----"
+        end
+        certificate = OpenSSL::X509::Certificate.new(normalized)
+        fingerprint = OpenSSL::Digest::SHA256.hexdigest(certificate.to_der).upcase.scan(/../).join(":")
+        {
+          fingerprint_sha256: fingerprint,
+          not_before: certificate.not_before,
+          not_after: certificate.not_after,
+          public_key_algorithm: certificate.public_key.class.name.split("::").last.upcase
+        }
+      end
+
+      def hostname_from_domain(domain)
+        BetterAuth::Plugins.sso_hostname_from_domain(domain)
+      end
+
+      def mask_client_id(client_id)
+        BetterAuth::Plugins.sso_mask_client_id(client_id)
+      end
+    end
+  end
+end

data/lib/better_auth/sso/version.rb

@@ -2,6 +2,7 @@
 
 module BetterAuth
   module SSO
-    VERSION = "0.2.0"
+    VERSION = "0.6.2"
+    PACKAGE_VERSION = VERSION
   end
 end

data/lib/better_auth/sso.rb

@@ -2,9 +2,33 @@
 
 require "better_auth"
 require_relative "sso/version"
+require_relative "sso/client"
 require_relative "sso/saml_hooks"
 require_relative "sso/saml"
 require_relative "plugins/sso"
+require_relative "sso/constants"
+require_relative "sso/types"
+require_relative "sso/utils"
+require_relative "sso/domain_verification"
+require_relative "sso/oidc"
+require_relative "sso/oidc/discovery"
+require_relative "sso/oidc/errors"
+require_relative "sso/oidc/types"
+require_relative "sso/linking"
+require_relative "sso/linking/types"
+require_relative "sso/linking/org_assignment"
+require_relative "sso/saml/algorithms"
+require_relative "sso/saml/assertions"
+require_relative "sso/saml/error_codes"
+require_relative "sso/saml/timestamp"
+require_relative "sso/saml/parser"
+require_relative "sso/routes/helpers"
+require_relative "sso/routes/providers"
+require_relative "sso/routes/schemas"
+require_relative "sso/routes/domain_verification"
+require_relative "sso/routes/saml_pipeline"
+require_relative "sso/routes/sso"
+require_relative "sso/saml_state"
 
 module BetterAuth
   module SSO

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-sso
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.6.2
 platform: ruby
 authors:
 - Sebastian Sala
@@ -43,6 +43,26 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
@@ -131,8 +151,32 @@ files:
 - README.md
 - lib/better_auth/plugins/sso.rb
 - lib/better_auth/sso.rb
+- lib/better_auth/sso/client.rb
+- lib/better_auth/sso/constants.rb
+- lib/better_auth/sso/domain_verification.rb
+- lib/better_auth/sso/linking.rb
+- lib/better_auth/sso/linking/org_assignment.rb
+- lib/better_auth/sso/linking/types.rb
+- lib/better_auth/sso/oidc.rb
+- lib/better_auth/sso/oidc/discovery.rb
+- lib/better_auth/sso/oidc/errors.rb
+- lib/better_auth/sso/oidc/types.rb
+- lib/better_auth/sso/routes/domain_verification.rb
+- lib/better_auth/sso/routes/helpers.rb
+- lib/better_auth/sso/routes/providers.rb
+- lib/better_auth/sso/routes/saml_pipeline.rb
+- lib/better_auth/sso/routes/schemas.rb
+- lib/better_auth/sso/routes/sso.rb
 - lib/better_auth/sso/saml.rb
+- lib/better_auth/sso/saml/algorithms.rb
+- lib/better_auth/sso/saml/assertions.rb
+- lib/better_auth/sso/saml/error_codes.rb
+- lib/better_auth/sso/saml/parser.rb
+- lib/better_auth/sso/saml/timestamp.rb
 - lib/better_auth/sso/saml_hooks.rb
+- lib/better_auth/sso/saml_state.rb
+- lib/better_auth/sso/types.rb
+- lib/better_auth/sso/utils.rb
 - lib/better_auth/sso/version.rb
 homepage: https://github.com/sebasxsala/better-auth
 licenses: