omniauth-latvija 1.1.1 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 0239b9b5db1634778428119aa3ccd7babdf2feb5
-  data.tar.gz: 87a622416084055bb8433baafbea7a4416536cb1
+SHA256:
+  metadata.gz: 962c2888b86b4eb1b8b3354a8fc8410afb71fbd36804d2f1d032ac79acc1a496
+  data.tar.gz: 51403707278ddc99297a0ae49707960cde28e425f08db41e134edbf601533a4e
 SHA512:
-  metadata.gz: 43ea0a0b2aca412cd61c73ec9e0e507dcb64f1db84c8057955cf22a347f5914c5e35c7fe7e586036c8b63d8b5cb8c3e055f0d814c418287f1c8cb373d3f37c7e
-  data.tar.gz: a87c8ffdd361578b2fc2c7d945ac4e4712a9f1514f83a942c31452dd2c54228750fdb551410f16a670e1a3d38d15af61cfed60503ea084dfbac9b9fbd7d3cfca
+  metadata.gz: cbe1a3e2097c8417210cc71effd54098230a7ddc9e7f2f6e315098bcf0dc9d1f9959c125cae74b46c8b4095d7eecfb738b1e7a432407c1a96e146810a87e3c4f
+  data.tar.gz: d077eb5f9a46a4654017a12a7a3fc7e1afa904a0c99c989bbeb3719f576a32d4c6faf5ea41c1bf5ee84f77d9c6bab940f47d638901a025135c91f6eba13a54e5

data/README.md

@@ -12,12 +12,14 @@ Provides the following authentication types:
 * Online bank
 * Citadele
 * Norvik banka
+* PrivatBank
+* eID
 * Lattelecom Mobile ID
 
 ## Installation
 
 ```ruby
-gem 'omniauth-latvija', :git => 'http://github.com/ebeigarts/omniauth-latvija.git'
+gem 'omniauth-latvija'
 ```
 
 ## Usage
@@ -29,13 +31,44 @@ Here's a quick example, adding the middleware to a Rails app in `config/initiali
 ```ruby
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :latvija, {
-    :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
-    :certificate => File.read("/path/to/cert"),
-    :realm => "urn:federation:example.com"
+    endpoint:    "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+    certificate: File.read("/path/to/cert.pem"),
+    private_key: File.read("/path/to/private_key.pem"), # mandatory, if the response is encrypted
+    realm:       "urn:federation:example.com"
   }
 end
 ```
 
+
+## Auth Hash
+
+Here's an example hash available in `request.env['omniauth.auth']`
+
+```ruby
+{
+  provider: 'latvija',
+  uid: 'PK:12345612345',
+  info: {
+    name: 'JANIS BERZINS',
+    first_name: 'JANIS',
+    last_name: 'BERZINS',
+    private_personal_identifier: '12345612345'
+  },
+  extra: {
+    raw_info: {
+      givenname: 'JANIS',
+      surname: 'BERZINS',
+      privatepersonalidentifier: '12345612345',
+      historical_privatepersonalidentifier: [],
+      not_valid_before: '2019-05-09T07:29:41Z',
+      not_valid_on_or_after: '2019-05-09T08:29:41Z'
+    },
+    authentication_method: 'SWEDBANK',
+    legacy_uids: ['JANIS BERZINS, 12345612345']
+  }
+}
+```
+
 ## References
 
 * http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html

data/lib/omniauth-latvija/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Latvija
-    VERSION = '1.1.1'
+    VERSION = '6.0.0'
   end
 end

data/lib/omniauth/strategies/latvija.rb

@@ -1,76 +1,112 @@
-require "time"
-require "rexml/document"
-require "rexml/xpath"
-require "openssl"
-require "xmlcanonicalizer"
-require "digest/sha1"
+require 'time'
+require 'openssl'
+require 'digest/sha1'
+require 'digest/sha2'
+require 'xmlenc'
+require 'nokogiri'
+require 'omniauth/strategies/latvija/response'
+require 'omniauth/strategies/latvija/decryptor'
+require 'omniauth/strategies/latvija/signed_document'
 
-require "omniauth/strategies/latvija/response"
-require "omniauth/strategies/latvija/signed_document"
+module OmniAuth::Strategies
+  #
+  # Authenticate with Latvija.lv.
+  #
+  # @example Basic Rails Usage
+  #
+  #  Add this to config/initializers/omniauth.rb
+  #
+  #    Rails.application.config.middleware.use OmniAuth::Builder do
+  #      provider :latvija, {
+  #        endpoint:    "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+  #        certificate: File.read("/path/to/cert"),
+  #        private:     File.read("/path/to/private_key"),
+  #        realm:       "urn:federation:example.com"
+  #      }
+  #    end
+  #
+  class Latvija
+    include OmniAuth::Strategy
+    class ValidationError < StandardError; end
 
-module OmniAuth
-  module Strategies
-    #
-    # Authenticate with Latvija.lv.
-    #
-    # @example Basic Rails Usage
-    #
-    #  Add this to config/initializers/omniauth.rb
-    #
-    #    Rails.application.config.middleware.use OmniAuth::Builder do
-    #      provider :latvija, {
-    #        :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
-    #        :certificate => File.read("/path/to/cert"),
-    #        :realm => "urn:federation:example.com"
-    #      }
-    #    end
-    #
-    class Latvija
-      include OmniAuth::Strategy
+    option :realm, nil
+    option :wfresh, false
+    option :endpoint, nil
+    option :certificate, nil
+    option :private_key, nil
 
-      class ValidationError < StandardError; end
+    info do
+      {
+        name: full_name,
+        first_name: raw_info['givenname'],
+        last_name: raw_info['surname'],
+        private_personal_identifier: raw_info['privatepersonalidentifier']
+      }
+    end
 
-      def request_phase
-        params = {
-          :wa => 'wsignin1.0',
-          :wct => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
-          :wtrealm => @options[:realm],
-          :wreply => callback_url,
-          :wctx => callback_url,
-          :wreq => '<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /></trust:Claims><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken>'
-        }
-        params[:wfresh] = @options[:wfresh] if @options[:wfresh]
-        query_string = params.collect{ |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
-        redirect "#{options[:endpoint]}?#{query_string}"
-      end
+    extra do
+      {
+        raw_info: raw_info,
+        authentication_method: @response.authentication_method,
+        legacy_uids: legacy_uids
+      }
+    end
+
+    def request_phase
+      params = {
+        wa: 'wsignin1.0',
+        wct: Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
+        wtrealm: options[:realm],
+        wreply: callback_url,
+        wctx: callback_url,
+        wreq: '<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /></trust:Claims><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken>'
+      }
+      params[:wfresh] = options[:wfresh] if options[:wfresh]
+      query_string = params.collect { |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
+      redirect "#{options[:endpoint]}?#{query_string}"
+    end
 
-      def callback_phase
-        if request.params['wresult']
-          @response = OmniAuth::Strategies::Latvija::Response.new(request.params['wresult'], {
-            :certificate => options[:certificate]
-          })
-          @response.validate!
-          super
-        else
-          fail!(:invalid_response)
-        end
-      rescue Exception => e
-        fail!(:invalid_response, e)
+    def callback_phase
+      if request.params['wresult']
+        @response = OmniAuth::Strategies::Latvija::Response.new(
+          request.params['wresult'],
+          certificate: options[:certificate],
+          private_key: options[:private_key]
+        )
+        @response.validate!
+        super
+      else
+        fail!(:invalid_response)
       end
+    rescue Exception => e
+      fail!(:invalid_response, e)
+    end
+
+    def raw_info
+      @response.attributes
+    end
 
-      def auth_hash
-        OmniAuth::Utils.deep_merge(super, {
-          'uid' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}, #{@response.attributes["privatepersonalidentifier"]}",
-          'user_info' => {
-            'name' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}",
-            'first_name' => @response.attributes['givenname'],
-            'last_name' => @response.attributes['surname'],
-            'private_personal_identifier' => @response.attributes['privatepersonalidentifier']
-          },
-          'authentication_method' => @response.authentication_method,
-          'extra' => @response.attributes
-        })
+    def uid
+      @response.name_identifier
+    end
+
+    def full_name
+      @full_name ||= "#{raw_info['givenname']} #{raw_info['surname']}"
+    end
+
+    def legacy_uids
+      # UIDs that could have been assigned to this identity by previous versions of the gem, or due to peronal identifier change
+
+      legacy_uids = [
+        "#{full_name}, #{raw_info["privatepersonalidentifier"]}" # generated by gem version <= 4.0
+      ]
+
+      raw_info.fetch('historical_privatepersonalidentifier', []).each do |historical_identifier|
+        legacy_uids << "#{full_name}, #{historical_identifier}" # generated by gem version <= 4.0
+        legacy_uids << "PK:#{historical_identifier}" # due to personal identifier change
       end
+
+      legacy_uids
     end
   end
 end

data/lib/omniauth/strategies/latvija/decryptor.rb

@@ -0,0 +1,16 @@
+module OmniAuth::Strategies
+  class Latvija
+    class Decryptor
+      def initialize(response, key)
+        @response = response
+        @key = key
+      end
+
+      def decrypt
+        private_key = OpenSSL::PKey::RSA.new(@key)
+        encrypted_document = Xmlenc::EncryptedDocument.new(@response)
+        encrypted_document.decrypt(private_key)
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/latvija/response.rb

@@ -1,52 +1,92 @@
-module OmniAuth
-  module Strategies
-    class Latvija
-      class Response
-        ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
-
-        attr_accessor :options, :response, :document
-
-        def initialize(response, options = {})
-          raise ArgumentError.new("Response cannot be nil") if response.nil?
-          self.options  = options
-          self.response = response
-          self.document = OmniAuth::Strategies::Latvija::SignedDocument.new(response)
-        end
+module OmniAuth::Strategies
+  class Latvija
+    class Response
+      ASSERTION = 'urn:oasis:names:tc:SAML:1.0:assertion'.freeze
+
+      attr_accessor :options, :response
+
+      def initialize(response, **options)
+        raise ArgumentError, 'Response cannot be nil' if response.nil?
+        @options  = options
+        @response = response
+        @document = OmniAuth::Strategies::Latvija::SignedDocument.new(response, private_key: options[:private_key])
+      end
+
+      def validate!
+        @document.validate!(fingerprint) && validate_conditions!
+      end
 
-        def validate!
-          document.validate!(fingerprint)
+      def xml
+        @document.nokogiri_xml
+      end
+
+      def authentication_method
+        @authentication_method ||= begin
+          xml.xpath('//saml:AuthenticationStatement', saml: ASSERTION).attribute('AuthenticationMethod')
         end
+      end
 
-        def authentication_method
-          @authentication_method ||= begin
-            REXML::XPath.first(document, "//saml:AuthenticationStatement").attributes['AuthenticationMethod']
-          end
+      def name_identifier
+        @name_identifier ||= begin
+          xml.xpath('//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', saml: ASSERTION).text()
         end
+      end
 
-        # A hash of alle the attributes with the response. Assuming there is only one value for each key
-        def attributes
-          @attributes ||= begin
-            result = {}
+      # A hash of all the attributes with the response.
+      # Assuming there is only one value for each key
+      def attributes
+        @attributes ||= begin
+          attrs = {
+            'not_valid_before' => not_valid_before,
+            'not_valid_on_or_after' => not_valid_on_or_after,
+            'historical_privatepersonalidentifier' => []
+          }
 
-            stmt_element = REXML::XPath.first(document, "//a:Assertion/a:AttributeStatement", { "a" => ASSERTION })
-            return {} if stmt_element.nil?
+          stmt_elements = xml.xpath('//a:Attribute', a: ASSERTION)
+          return attrs if stmt_elements.nil?
 
-            stmt_element.elements.each do |attr_element|
-              name  = attr_element.attributes["AttributeName"]
-              value = attr_element.elements.first.text
+          stmt_elements.each_with_object(attrs) do |element, result|
+            name = element.attribute('AttributeName').value
+            value = element.text
 
+            case name
+            when 'privatepersonalidentifier' # person can change their identifier, service will return all the versions
+              if element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
+                result[name] = value
+              else
+                result['historical_privatepersonalidentifier'] << value
+              end
+            else
               result[name] = value
             end
-
-            result
           end
         end
+      end
+
+      private
+
+      def fingerprint
+        cert = OpenSSL::X509::Certificate.new(options[:certificate])
+        Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+      end
 
-        private
+      def conditions_tag
+        @conditions_tag ||= xml.xpath('//saml:Conditions', saml: ASSERTION)
+      end
+
+      def not_valid_before
+        @not_valid_before ||= conditions_tag.attribute('NotBefore').value
+      end
+
+      def not_valid_on_or_after
+        @not_valid_on_or_after ||= conditions_tag.attribute('NotOnOrAfter').value
+      end
 
-        def fingerprint
-          cert = OpenSSL::X509::Certificate.new(options[:certificate])
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+      def validate_conditions!
+        if not_valid_on_or_after.present? && Time.current < Time.parse(not_valid_on_or_after)
+          true
+        else
+          raise ValidationError, 'Current time is on or after NotOnOrAfter condition'
         end
       end
     end

data/lib/omniauth/strategies/latvija/signed_document.rb

@@ -15,79 +15,97 @@
 # If applicable, add the following below the CDDL Header,
 # with the fields enclosed by brackets [] replaced by
 # your own identifying information:
-# "Portions Copyrighted [year] [name of copyright owner]"
+# 'Portions Copyrighted [year] [name of copyright owner]'
 #
 # $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
 #
 # Copyright 2007 Sun Microsystems Inc. All Rights Reserved
 # Portions Copyrighted 2007 Todd W Saxton.
 
-module OmniAuth
-  module Strategies
-    class Latvija
-      class SignedDocument < REXML::Document
-        DSIG = "http://www.w3.org/2000/09/xmldsig#"
+module OmniAuth::Strategies
+  class Latvija
+    class SignedDocument
+      DSIG = 'http://www.w3.org/2000/09/xmldsig#'.freeze
+      XENC = 'http://www.w3.org/2001/04/xmlenc#'.freeze
+      CANON_MODE = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
 
-        attr_accessor :signed_element_id
+      def initialize(response, **opts)
+        @response = Nokogiri::XML.parse(response, &:noblanks)
+        return unless encrypted?
+        decryptor = OmniAuth::Strategies::Latvija::Decryptor.new(response, opts[:private_key])
+        decrypted_response = decryptor.decrypt
+        @response = Nokogiri::XML.parse(decrypted_response, &:noblanks)
+      end
 
-        def initialize(response)
-          super(response)
-          extract_signed_element_id
-        end
+      def validate!(idp_cert_fingerprint)
+        validate_fingerprint!(idp_cert_fingerprint)
+        sig_element = @response.xpath('//xmlns:Signature', xmlns: DSIG)
+
+        validate_digest!(sig_element)
+        validate_signature!(sig_element)
+        true
+      end
+
+      def nokogiri_xml
+        @response
+      end
 
-        def validate!(idp_cert_fingerprint)
-          # get cert from response
-          base64_cert = self.elements["//ds:X509Certificate"].text
+      private
+
+      def encrypted?
+        @response.xpath('//xenc:EncryptedData', 'xmlns:xenc' => XENC).any?
+      end
+
+      def certificate
+        @certificate ||= begin
+          base64_cert = @response.xpath('//xmlns:X509Certificate', xmlns: DSIG).text
           cert_text   = Base64.decode64(base64_cert)
-          cert        = OpenSSL::X509::Certificate.new(cert_text)
-
-          # check cert matches registered idp cert
-          fingerprint = Digest::SHA1.hexdigest(cert.to_der)
-
-          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
-            raise ValidationError.new("Fingerprint mismatch")
-          end
-
-          # remove signature node
-          sig_element = REXML::XPath.first(self, "//ds:Signature", { "ds" => DSIG })
-          sig_element.remove
-
-          # check digests
-          REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
-            uri                           = ref.attributes.get_attribute("URI").value
-            hashed_element                = REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
-            canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
-            canon_hashed_element          = canoner.canonicalize(hashed_element)
-            hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
-            digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", { "ds" => DSIG }).text
-
-            if hash != digest_value
-              raise ValidationError.new("Digest mismatch")
-            end
-          end
-
-          # verify signature
-          canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
-          signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", { "ds" => DSIG })
-          canon_string            = canoner.canonicalize(signed_info_element)
-
-          base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", { "ds" => DSIG }).text
-          signature               = Base64.decode64(base64_signature)
-
-          # get certificate object
-          cert_text               = Base64.decode64(base64_cert)
-          cert                    = OpenSSL::X509::Certificate.new(cert_text)
-
-          if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
-            raise ValidationError.new("Key validation error")
-          end
-
-          true
+          OpenSSL::X509::Certificate.new(cert_text)
         end
+      end
+
+      def digest_method_class(reference)
+        value = reference.xpath('.//xmlns:DigestMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}sha1" ? Digest::SHA1 : Digest::SHA256
+      end
+
+      def signature_method_class(sig_element)
+        value = sig_element.xpath('.//xmlns:SignatureMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}rsa-sha1" ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::SHA256
+      end
+
+      def validate_fingerprint!(idp_cert_fingerprint)
+        fingerprint = Digest::SHA256.hexdigest(certificate.to_der)
+        if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/, '').downcase
+          raise ValidationError, 'Fingerprint mismatch'
+        end
+      end
+
+      def validate_digest!(sig_element)
+        response_without_signature = @response.dup
+        response_without_signature.xpath('//xmlns:Signature', xmlns: DSIG).remove
+
+        sig_element.xpath('.//xmlns:Reference', xmlns: DSIG).each do |ref|
+          uri            = ref.attribute('URI').value
+          hashed_element = response_without_signature.
+            at_xpath("//*[@AssertionID='#{uri[1, uri.size]}']").
+            canonicalize(CANON_MODE)
+          hash           = Base64.encode64(digest_method_class(ref).digest(hashed_element)).chomp
+          digest_value   = ref.xpath('.//xmlns:DigestValue', xmlns: DSIG).text
+
+          raise ValidationError, 'Digest mismatch' if hash != digest_value
+        end
+      end
+
+      def validate_signature!(sig_element)
+        signed_info_element = sig_element.
+          at_xpath('.//xmlns:SignedInfo', xmlns: DSIG).
+          canonicalize(CANON_MODE)
+        base64_signature    = sig_element.xpath('.//xmlns:SignatureValue', xmlns: DSIG).text
+        signature           = Base64.decode64(base64_signature)
 
-        def extract_signed_element_id
-          reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", { "ds" => DSIG })
-          self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+        unless certificate.public_key.verify(signature_method_class(sig_element).new, signature, signed_info_element)
+          raise ValidationError, 'Key validation error'
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-latvija
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 6.0.0
 platform: ruby
 authors:
 - Edgars Beigarts
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-11 00:00:00.000000000 Z
+date: 2020-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -25,7 +25,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: canonix
+  name: xmlenc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -39,33 +39,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
+        version: 1.5.1
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.5.1
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +122,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Latvija.lv authentication strategy for OmniAuth
 email:
 - edgars.beigarts@makit.lv
@@ -106,6 +148,7 @@ files:
 - lib/omniauth-latvija.rb
 - lib/omniauth-latvija/version.rb
 - lib/omniauth/strategies/latvija.rb
+- lib/omniauth/strategies/latvija/decryptor.rb
 - lib/omniauth/strategies/latvija/response.rb
 - lib/omniauth/strategies/latvija/signed_document.rb
 homepage: 
@@ -117,17 +160,16 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: Latvija.lv authentication strategy for OmniAuth