omniauth-latvija 2.0.0 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 875159da4f23d72890c3da6c24f1b174d197f6ec
-  data.tar.gz: af5a474b33c9165faf67a14a61b8785e0567a456
+SHA256:
+  metadata.gz: b501b35e3685a3963f0f38ec951a345aae8d534dd3ce323566775eda8bb048bf
+  data.tar.gz: f9e4ef1dff0294bd8ff5a4389be6bb6964a55b7fe5534c2c266d957515e33a4b
 SHA512:
-  metadata.gz: 36fc98917bfe2547d020287fc90f6c4dcc986722c903be7acf49a3ffe56d7899d097661a0620352bb95646cfbc6db250cf911b89b2bbf603db1e3cc5125defed
-  data.tar.gz: 1f5947b59168bf23f22ab34c7b4b5ec83c2e01f4402a7035400bd885d00a3751d6eebffa741902f2c149a5d730b1f9ffb038f84015f40b6c514fe624290fe862
+  metadata.gz: 03c8dc65d2f8a0290756e5b91d8b01bf9fff8dbbf038685566223e3ebb710fc5080e54c91c2b85fc22a32baa182fff4a00c7158d1f9868fce257ea7d3bc6de45
+  data.tar.gz: 13a84d4d7b8caa0dbc8685fa7f18eb322d1319ce22f074aeefaa1cd169593abd4f7f3c0853174d640de0b69716c14a507abc04fa33e04272e130393e49118145

data/README.md

@@ -19,7 +19,7 @@ Provides the following authentication types:
 ## Installation
 
 ```ruby
-gem 'omniauth-latvija', '~> 2.0'
+gem 'omniauth-latvija'
 ```
 
 ## Usage
@@ -39,6 +39,36 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+
+## Auth Hash
+
+Here's an example hash available in `request.env['omniauth.auth']`
+
+```ruby
+{
+  provider: 'latvija',
+  uid: 'PK:12345612345',
+  info: {
+    name: 'JANIS BERZINS',
+    first_name: 'JANIS',
+    last_name: 'BERZINS',
+    private_personal_identifier: '12345612345'
+  },
+  extra: {
+    raw_info: {
+      givenname: 'JANIS',
+      surname: 'BERZINS',
+      privatepersonalidentifier: '12345612345',
+      historical_privatepersonalidentifier: [],
+      not_valid_before: '2019-05-09T07:29:41Z',
+      not_valid_on_or_after: '2019-05-09T08:29:41Z'
+    },
+    authentication_method: 'SWEDBANK',
+    legacy_uids: ['JANIS BERZINS, 12345612345']
+  }
+}
+```
+
 ## References
 
 * http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html

data/lib/omniauth-latvija/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Latvija
-    VERSION = '2.0.0'
+    VERSION = '6.1.0'
   end
 end

data/lib/omniauth/strategies/latvija.rb

@@ -1,6 +1,7 @@
 require 'time'
 require 'openssl'
 require 'digest/sha1'
+require 'digest/sha2'
 require 'xmlenc'
 require 'nokogiri'
 require 'omniauth/strategies/latvija/response'
@@ -34,6 +35,23 @@ module OmniAuth::Strategies
     option :certificate, nil
     option :private_key, nil
 
+    info do
+      {
+        name: full_name,
+        first_name: raw_info['givenname'],
+        last_name: raw_info['surname'],
+        private_personal_identifier: raw_info['privatepersonalidentifier']
+      }
+    end
+
+    extra do
+      {
+        raw_info: raw_info,
+        authentication_method: @response.authentication_method,
+        legacy_uids: legacy_uids
+      }
+    end
+
     def request_phase
       params = {
         wa: 'wsignin1.0',
@@ -64,18 +82,31 @@ module OmniAuth::Strategies
       fail!(:invalid_response, e)
     end
 
-    def auth_hash
-      OmniAuth::Utils.deep_merge(super,
-        uid: "#{@response.attributes['givenname']} #{@response.attributes['surname']}, #{@response.attributes["privatepersonalidentifier"]}",
-        user_info: {
-          name: "#{@response.attributes['givenname']} #{@response.attributes['surname']}",
-          first_name: @response.attributes['givenname'],
-          last_name: @response.attributes['surname'],
-          private_personal_identifier: @response.attributes['privatepersonalidentifier']
-        },
-        authentication_method: @response.authentication_method,
-        extra: @response.attributes
-      )
+    def raw_info
+      @response.attributes
+    end
+
+    def uid
+      @response.name_identifier
+    end
+
+    def full_name
+      @full_name ||= "#{raw_info['givenname']} #{raw_info['surname']}"
+    end
+
+    def legacy_uids
+      # UIDs that could have been assigned to this identity by previous versions of the gem, or due to peronal identifier change
+
+      legacy_uids = [
+        "#{full_name}, #{raw_info["privatepersonalidentifier"]}" # generated by gem version <= 4.0
+      ]
+
+      raw_info.fetch('historical_privatepersonalidentifier', []).each do |historical_identifier|
+        legacy_uids << "#{full_name}, #{historical_identifier}" # generated by gem version <= 4.0
+        legacy_uids << "PK:#{historical_identifier}" # due to personal identifier change
+      end
+
+      legacy_uids
     end
   end
 end

data/lib/omniauth/strategies/latvija/response.rb

@@ -13,7 +13,7 @@ module OmniAuth::Strategies
       end
 
       def validate!
-        @document.validate!(fingerprint)
+        @document.validate!(fingerprint) && validate_conditions!
       end
 
       def xml
@@ -26,19 +26,42 @@ module OmniAuth::Strategies
         end
       end
 
+      def name_identifier
+        @name_identifier ||= begin
+          xml.xpath('//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', saml: ASSERTION).text()
+        end
+      end
+
       # A hash of all the attributes with the response.
       # Assuming there is only one value for each key
       def attributes
         @attributes ||= begin
+          attrs = {
+            'not_valid_before' => not_valid_before,
+            'not_valid_on_or_after' => not_valid_on_or_after,
+            'historical_privatepersonalidentifier' => []
+          }
+
+          stmt_elements = xml.xpath('//saml:Attribute', saml: ASSERTION)
 
-          stmt_elements = xml.xpath('//a:Attribute', a: ASSERTION)
-          return {} if stmt_elements.nil?
+          return attrs if stmt_elements.nil?
 
-          stmt_elements.each_with_object({}) do |element, result|
-            name  = element.attribute('AttributeName').value
+          identifiers = stmt_elements.xpath("//saml:Attribute[@AttributeName='privatepersonalidentifier']", saml: ASSERTION)
+
+          stmt_elements.each_with_object(attrs) do |element, result|
+            name = element.attribute('AttributeName').value
             value = element.text
 
-            result[name] = value
+            case name
+            when 'privatepersonalidentifier' # person can change their identifier, service will return all the versions
+              if identifiers.length == 1 || element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
+                result[name] = value
+              else
+                result['historical_privatepersonalidentifier'] << value
+              end
+            else
+              result[name] = value
+            end
           end
         end
       end
@@ -47,7 +70,27 @@ module OmniAuth::Strategies
 
       def fingerprint
         cert = OpenSSL::X509::Certificate.new(options[:certificate])
-        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+        Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+      end
+
+      def conditions_tag
+        @conditions_tag ||= xml.xpath('//saml:Conditions', saml: ASSERTION)
+      end
+
+      def not_valid_before
+        @not_valid_before ||= conditions_tag.attribute('NotBefore').value
+      end
+
+      def not_valid_on_or_after
+        @not_valid_on_or_after ||= conditions_tag.attribute('NotOnOrAfter').value
+      end
+
+      def validate_conditions!
+        if not_valid_on_or_after.present? && Time.current < Time.parse(not_valid_on_or_after)
+          true
+        else
+          raise ValidationError, 'Current time is on or after NotOnOrAfter condition'
+        end
       end
     end
   end

data/lib/omniauth/strategies/latvija/signed_document.rb

@@ -64,8 +64,18 @@ module OmniAuth::Strategies
         end
       end
 
+      def digest_method_class(reference)
+        value = reference.xpath('.//xmlns:DigestMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}sha1" ? Digest::SHA1 : Digest::SHA256
+      end
+
+      def signature_method_class(sig_element)
+        value = sig_element.xpath('.//xmlns:SignatureMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}rsa-sha1" ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::SHA256
+      end
+
       def validate_fingerprint!(idp_cert_fingerprint)
-        fingerprint = Digest::SHA1.hexdigest(certificate.to_der)
+        fingerprint = Digest::SHA256.hexdigest(certificate.to_der)
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/, '').downcase
           raise ValidationError, 'Fingerprint mismatch'
         end
@@ -80,7 +90,7 @@ module OmniAuth::Strategies
           hashed_element = response_without_signature.
             at_xpath("//*[@AssertionID='#{uri[1, uri.size]}']").
             canonicalize(CANON_MODE)
-          hash           = Base64.encode64(Digest::SHA1.digest(hashed_element)).chomp
+          hash           = Base64.encode64(digest_method_class(ref).digest(hashed_element)).chomp
           digest_value   = ref.xpath('.//xmlns:DigestValue', xmlns: DSIG).text
 
           raise ValidationError, 'Digest mismatch' if hash != digest_value
@@ -94,7 +104,7 @@ module OmniAuth::Strategies
         base64_signature    = sig_element.xpath('.//xmlns:SignatureValue', xmlns: DSIG).text
         signature           = Base64.decode64(base64_signature)
 
-        unless certificate.public_key.verify(OpenSSL::Digest::SHA1.new, signature, signed_info_element)
+        unless certificate.public_key.verify(signature_method_class(sig_element).new, signature, signed_info_element)
           raise ValidationError, 'Key validation error'
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-latvija
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 6.1.0
 platform: ruby
 authors:
 - Edgars Beigarts
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-10-23 00:00:00.000000000 Z
+date: 2020-09-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -56,30 +56,30 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +122,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Latvija.lv authentication strategy for OmniAuth
 email:
 - edgars.beigarts@makit.lv
@@ -137,10 +151,10 @@ files:
 - lib/omniauth/strategies/latvija/decryptor.rb
 - lib/omniauth/strategies/latvija/response.rb
 - lib/omniauth/strategies/latvija/signed_document.rb
-homepage: 
+homepage:
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -155,9 +169,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.11
-signing_key: 
+rubygems_version: 3.0.6
+signing_key:
 specification_version: 4
 summary: Latvija.lv authentication strategy for OmniAuth
 test_files: []