omniauth-latvija 1.1.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0239b9b5db1634778428119aa3ccd7babdf2feb5
-  data.tar.gz: 87a622416084055bb8433baafbea7a4416536cb1
+  metadata.gz: 875159da4f23d72890c3da6c24f1b174d197f6ec
+  data.tar.gz: af5a474b33c9165faf67a14a61b8785e0567a456
 SHA512:
-  metadata.gz: 43ea0a0b2aca412cd61c73ec9e0e507dcb64f1db84c8057955cf22a347f5914c5e35c7fe7e586036c8b63d8b5cb8c3e055f0d814c418287f1c8cb373d3f37c7e
-  data.tar.gz: a87c8ffdd361578b2fc2c7d945ac4e4712a9f1514f83a942c31452dd2c54228750fdb551410f16a670e1a3d38d15af61cfed60503ea084dfbac9b9fbd7d3cfca
+  metadata.gz: 36fc98917bfe2547d020287fc90f6c4dcc986722c903be7acf49a3ffe56d7899d097661a0620352bb95646cfbc6db250cf911b89b2bbf603db1e3cc5125defed
+  data.tar.gz: 1f5947b59168bf23f22ab34c7b4b5ec83c2e01f4402a7035400bd885d00a3751d6eebffa741902f2c149a5d730b1f9ffb038f84015f40b6c514fe624290fe862

data/README.md

@@ -12,12 +12,14 @@ Provides the following authentication types:
 * Online bank
 * Citadele
 * Norvik banka
+* PrivatBank
+* eID
 * Lattelecom Mobile ID
 
 ## Installation
 
 ```ruby
-gem 'omniauth-latvija', :git => 'http://github.com/ebeigarts/omniauth-latvija.git'
+gem 'omniauth-latvija', '~> 2.0'
 ```
 
 ## Usage
@@ -29,9 +31,10 @@ Here's a quick example, adding the middleware to a Rails app in `config/initiali
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :latvija, {
-    :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
-    :certificate => File.read("/path/to/cert"),
-    :realm => "urn:federation:example.com"
+    endpoint:    "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+    certificate: File.read("/path/to/cert.pem"),
+    private_key: File.read("/path/to/private_key.pem"), # mandatory, if the response is encrypted
+    realm:       "urn:federation:example.com"
   }
 end
 ```

data/lib/omniauth-latvija/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Latvija
-    VERSION = '1.1.1'
+    VERSION = '2.0.0'
   end
 end

data/lib/omniauth/strategies/latvija.rb

@@ -1,76 +1,81 @@
-require "time"
-require "rexml/document"
-require "rexml/xpath"
-require "openssl"
-require "xmlcanonicalizer"
-require "digest/sha1"
+require 'time'
+require 'openssl'
+require 'digest/sha1'
+require 'xmlenc'
+require 'nokogiri'
+require 'omniauth/strategies/latvija/response'
+require 'omniauth/strategies/latvija/decryptor'
+require 'omniauth/strategies/latvija/signed_document'
 
-require "omniauth/strategies/latvija/response"
-require "omniauth/strategies/latvija/signed_document"
+module OmniAuth::Strategies
+  #
+  # Authenticate with Latvija.lv.
+  #
+  # @example Basic Rails Usage
+  #
+  #  Add this to config/initializers/omniauth.rb
+  #
+  #    Rails.application.config.middleware.use OmniAuth::Builder do
+  #      provider :latvija, {
+  #        endpoint:    "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+  #        certificate: File.read("/path/to/cert"),
+  #        private:     File.read("/path/to/private_key"),
+  #        realm:       "urn:federation:example.com"
+  #      }
+  #    end
+  #
+  class Latvija
+    include OmniAuth::Strategy
+    class ValidationError < StandardError; end
 
-module OmniAuth
-  module Strategies
-    #
-    # Authenticate with Latvija.lv.
-    #
-    # @example Basic Rails Usage
-    #
-    #  Add this to config/initializers/omniauth.rb
-    #
-    #    Rails.application.config.middleware.use OmniAuth::Builder do
-    #      provider :latvija, {
-    #        :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
-    #        :certificate => File.read("/path/to/cert"),
-    #        :realm => "urn:federation:example.com"
-    #      }
-    #    end
-    #
-    class Latvija
-      include OmniAuth::Strategy
+    option :realm, nil
+    option :wfresh, false
+    option :endpoint, nil
+    option :certificate, nil
+    option :private_key, nil
 
-      class ValidationError < StandardError; end
-
-      def request_phase
-        params = {
-          :wa => 'wsignin1.0',
-          :wct => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
-          :wtrealm => @options[:realm],
-          :wreply => callback_url,
-          :wctx => callback_url,
-          :wreq => '<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /></trust:Claims><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken>'
-        }
-        params[:wfresh] = @options[:wfresh] if @options[:wfresh]
-        query_string = params.collect{ |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
-        redirect "#{options[:endpoint]}?#{query_string}"
-      end
+    def request_phase
+      params = {
+        wa: 'wsignin1.0',
+        wct: Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
+        wtrealm: options[:realm],
+        wreply: callback_url,
+        wctx: callback_url,
+        wreq: '<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /></trust:Claims><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken>'
+      }
+      params[:wfresh] = options[:wfresh] if options[:wfresh]
+      query_string = params.collect { |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
+      redirect "#{options[:endpoint]}?#{query_string}"
+    end
 
-      def callback_phase
-        if request.params['wresult']
-          @response = OmniAuth::Strategies::Latvija::Response.new(request.params['wresult'], {
-            :certificate => options[:certificate]
-          })
-          @response.validate!
-          super
-        else
-          fail!(:invalid_response)
-        end
-      rescue Exception => e
-        fail!(:invalid_response, e)
+    def callback_phase
+      if request.params['wresult']
+        @response = OmniAuth::Strategies::Latvija::Response.new(
+          request.params['wresult'],
+          certificate: options[:certificate],
+          private_key: options[:private_key]
+        )
+        @response.validate!
+        super
+      else
+        fail!(:invalid_response)
       end
+    rescue Exception => e
+      fail!(:invalid_response, e)
+    end
 
-      def auth_hash
-        OmniAuth::Utils.deep_merge(super, {
-          'uid' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}, #{@response.attributes["privatepersonalidentifier"]}",
-          'user_info' => {
-            'name' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}",
-            'first_name' => @response.attributes['givenname'],
-            'last_name' => @response.attributes['surname'],
-            'private_personal_identifier' => @response.attributes['privatepersonalidentifier']
-          },
-          'authentication_method' => @response.authentication_method,
-          'extra' => @response.attributes
-        })
-      end
+    def auth_hash
+      OmniAuth::Utils.deep_merge(super,
+        uid: "#{@response.attributes['givenname']} #{@response.attributes['surname']}, #{@response.attributes["privatepersonalidentifier"]}",
+        user_info: {
+          name: "#{@response.attributes['givenname']} #{@response.attributes['surname']}",
+          first_name: @response.attributes['givenname'],
+          last_name: @response.attributes['surname'],
+          private_personal_identifier: @response.attributes['privatepersonalidentifier']
+        },
+        authentication_method: @response.authentication_method,
+        extra: @response.attributes
+      )
     end
   end
 end

data/lib/omniauth/strategies/latvija/decryptor.rb

@@ -0,0 +1,16 @@
+module OmniAuth::Strategies
+  class Latvija
+    class Decryptor
+      def initialize(response, key)
+        @response = response
+        @key = key
+      end
+
+      def decrypt
+        private_key = OpenSSL::PKey::RSA.new(@key)
+        encrypted_document = Xmlenc::EncryptedDocument.new(@response)
+        encrypted_document.decrypt(private_key)
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/latvija/response.rb

@@ -1,53 +1,53 @@
-module OmniAuth
-  module Strategies
-    class Latvija
-      class Response
-        ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
-
-        attr_accessor :options, :response, :document
-
-        def initialize(response, options = {})
-          raise ArgumentError.new("Response cannot be nil") if response.nil?
-          self.options  = options
-          self.response = response
-          self.document = OmniAuth::Strategies::Latvija::SignedDocument.new(response)
-        end
+module OmniAuth::Strategies
+  class Latvija
+    class Response
+      ASSERTION = 'urn:oasis:names:tc:SAML:1.0:assertion'.freeze
+
+      attr_accessor :options, :response
+
+      def initialize(response, **options)
+        raise ArgumentError, 'Response cannot be nil' if response.nil?
+        @options  = options
+        @response = response
+        @document = OmniAuth::Strategies::Latvija::SignedDocument.new(response, private_key: options[:private_key])
+      end
 
-        def validate!
-          document.validate!(fingerprint)
-        end
+      def validate!
+        @document.validate!(fingerprint)
+      end
 
-        def authentication_method
-          @authentication_method ||= begin
-            REXML::XPath.first(document, "//saml:AuthenticationStatement").attributes['AuthenticationMethod']
-          end
-        end
+      def xml
+        @document.nokogiri_xml
+      end
 
-        # A hash of alle the attributes with the response. Assuming there is only one value for each key
-        def attributes
-          @attributes ||= begin
-            result = {}
+      def authentication_method
+        @authentication_method ||= begin
+          xml.xpath('//saml:AuthenticationStatement', saml: ASSERTION).attribute('AuthenticationMethod')
+        end
+      end
 
-            stmt_element = REXML::XPath.first(document, "//a:Assertion/a:AttributeStatement", { "a" => ASSERTION })
-            return {} if stmt_element.nil?
+      # A hash of all the attributes with the response.
+      # Assuming there is only one value for each key
+      def attributes
+        @attributes ||= begin
 
-            stmt_element.elements.each do |attr_element|
-              name  = attr_element.attributes["AttributeName"]
-              value = attr_element.elements.first.text
+          stmt_elements = xml.xpath('//a:Attribute', a: ASSERTION)
+          return {} if stmt_elements.nil?
 
-              result[name] = value
-            end
+          stmt_elements.each_with_object({}) do |element, result|
+            name  = element.attribute('AttributeName').value
+            value = element.text
 
-            result
+            result[name] = value
           end
         end
+      end
 
-        private
+      private
 
-        def fingerprint
-          cert = OpenSSL::X509::Certificate.new(options[:certificate])
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-        end
+      def fingerprint
+        cert = OpenSSL::X509::Certificate.new(options[:certificate])
+        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
       end
     end
   end

data/lib/omniauth/strategies/latvija/signed_document.rb

@@ -15,79 +15,87 @@
 # If applicable, add the following below the CDDL Header,
 # with the fields enclosed by brackets [] replaced by
 # your own identifying information:
-# "Portions Copyrighted [year] [name of copyright owner]"
+# 'Portions Copyrighted [year] [name of copyright owner]'
 #
 # $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
 #
 # Copyright 2007 Sun Microsystems Inc. All Rights Reserved
 # Portions Copyrighted 2007 Todd W Saxton.
 
-module OmniAuth
-  module Strategies
-    class Latvija
-      class SignedDocument < REXML::Document
-        DSIG = "http://www.w3.org/2000/09/xmldsig#"
+module OmniAuth::Strategies
+  class Latvija
+    class SignedDocument
+      DSIG = 'http://www.w3.org/2000/09/xmldsig#'.freeze
+      XENC = 'http://www.w3.org/2001/04/xmlenc#'.freeze
+      CANON_MODE = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
 
-        attr_accessor :signed_element_id
-
-        def initialize(response)
-          super(response)
-          extract_signed_element_id
-        end
-
-        def validate!(idp_cert_fingerprint)
-          # get cert from response
-          base64_cert = self.elements["//ds:X509Certificate"].text
-          cert_text   = Base64.decode64(base64_cert)
-          cert        = OpenSSL::X509::Certificate.new(cert_text)
+      def initialize(response, **opts)
+        @response = Nokogiri::XML.parse(response, &:noblanks)
+        return unless encrypted?
+        decryptor = OmniAuth::Strategies::Latvija::Decryptor.new(response, opts[:private_key])
+        decrypted_response = decryptor.decrypt
+        @response = Nokogiri::XML.parse(decrypted_response, &:noblanks)
+      end
 
-          # check cert matches registered idp cert
-          fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+      def validate!(idp_cert_fingerprint)
+        validate_fingerprint!(idp_cert_fingerprint)
+        sig_element = @response.xpath('//xmlns:Signature', xmlns: DSIG)
 
-          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-            raise ValidationError.new("Fingerprint mismatch")
-          end
+        validate_digest!(sig_element)
+        validate_signature!(sig_element)
+        true
+      end
 
-          # remove signature node
-          sig_element = REXML::XPath.first(self, "//ds:Signature", { "ds" => DSIG })
-          sig_element.remove
+      def nokogiri_xml
+        @response
+      end
 
-          # check digests
-          REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
-            uri                           = ref.attributes.get_attribute("URI").value
-            hashed_element                = REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
-            canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
-            canon_hashed_element          = canoner.canonicalize(hashed_element)
-            hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
-            digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", { "ds" => DSIG }).text
+      private
 
-            if hash != digest_value
-              raise ValidationError.new("Digest mismatch")
-            end
-          end
+      def encrypted?
+        @response.xpath('//xenc:EncryptedData', 'xmlns:xenc' => XENC).any?
+      end
 
-          # verify signature
-          canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
-          signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", { "ds" => DSIG })
-          canon_string            = canoner.canonicalize(signed_info_element)
+      def certificate
+        @certificate ||= begin
+          base64_cert = @response.xpath('//xmlns:X509Certificate', xmlns: DSIG).text
+          cert_text   = Base64.decode64(base64_cert)
+          OpenSSL::X509::Certificate.new(cert_text)
+        end
+      end
 
-          base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", { "ds" => DSIG }).text
-          signature               = Base64.decode64(base64_signature)
+      def validate_fingerprint!(idp_cert_fingerprint)
+        fingerprint = Digest::SHA1.hexdigest(certificate.to_der)
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/, '').downcase
+          raise ValidationError, 'Fingerprint mismatch'
+        end
+      end
 
-          # get certificate object
-          cert_text               = Base64.decode64(base64_cert)
-          cert                    = OpenSSL::X509::Certificate.new(cert_text)
+      def validate_digest!(sig_element)
+        response_without_signature = @response.dup
+        response_without_signature.xpath('//xmlns:Signature', xmlns: DSIG).remove
 
-          if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
-            raise ValidationError.new("Key validation error")
-          end
+        sig_element.xpath('.//xmlns:Reference', xmlns: DSIG).each do |ref|
+          uri            = ref.attribute('URI').value
+          hashed_element = response_without_signature.
+            at_xpath("//*[@AssertionID='#{uri[1, uri.size]}']").
+            canonicalize(CANON_MODE)
+          hash           = Base64.encode64(Digest::SHA1.digest(hashed_element)).chomp
+          digest_value   = ref.xpath('.//xmlns:DigestValue', xmlns: DSIG).text
 
-          true
+          raise ValidationError, 'Digest mismatch' if hash != digest_value
         end
+      end
+
+      def validate_signature!(sig_element)
+        signed_info_element = sig_element.
+          at_xpath('.//xmlns:SignedInfo', xmlns: DSIG).
+          canonicalize(CANON_MODE)
+        base64_signature    = sig_element.xpath('.//xmlns:SignatureValue', xmlns: DSIG).text
+        signature           = Base64.decode64(base64_signature)
 
-        def extract_signed_element_id
-          reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", { "ds" => DSIG })
-          self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+        unless certificate.public_key.verify(OpenSSL::Digest::SHA1.new, signature, signed_info_element)
+          raise ValidationError, 'Key validation error'
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-latvija
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Edgars Beigarts
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-11 00:00:00.000000000 Z
+date: 2017-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -25,7 +25,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: canonix
+  name: xmlenc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -106,6 +134,7 @@ files:
 - lib/omniauth-latvija.rb
 - lib/omniauth-latvija/version.rb
 - lib/omniauth/strategies/latvija.rb
+- lib/omniauth/strategies/latvija/decryptor.rb
 - lib/omniauth/strategies/latvija/response.rb
 - lib/omniauth/strategies/latvija/signed_document.rb
 homepage: 
@@ -117,9 +146,9 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -127,7 +156,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Latvija.lv authentication strategy for OmniAuth