omniauth-latvija 4.0.0 → 6.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: '09b2671984f3e6cae04fb9c89aa8cee876a1064f'
-  data.tar.gz: 9c2a5f397af09733dc4658633d6a2c438a422ed4
+SHA256:
+  metadata.gz: 8b140f9721c2fdb31f45a4eb5f51fe2e1894eba947a7780f558a146437e5502d
+  data.tar.gz: 9ea9f446de8b2b46318a991fbcd45f5ca6f6a40c6eff4ca57ceff24357bdcbd8
 SHA512:
-  metadata.gz: e6f72751d59002fbd7d5a0b05a2a3e9024f163ac03b476359cbbeb5ac0904f333bd46ddc0e4bf55dde10f34b9489717d9fa9f8c262b5d32c49ff780091283cac
-  data.tar.gz: 806a5ffc9ef76e432a1d0e0e851cef0b5758cda40690bcdefd6647bdd3836f38575b1d18ee2c0a9369f9b6cf0b12344c04673edf9dae033ef4fb669ed792e0fb
+  metadata.gz: c767e7a9317f8ff47b8952c1f259903a9dbd520c35930f6c3eeb6c1abcb8974845766b5738d10b73a6abab3b07b73a30a2609eac789ee08fa18ad2f223ee0ea9
+  data.tar.gz: bc4456fa4a1f83b5d86376568121dfd59a6f1a7815846e3a3e65d6f0db76ddaa0cf424a2cc3f636af38bad56c0d4ba8ab2012fce51b0a654752eb7c7c1c5b7d9

data/README.md

@@ -19,7 +19,7 @@ Provides the following authentication types:
 ## Installation
 
 ```ruby
-gem 'omniauth-latvija', '~> 2.0'
+gem 'omniauth-latvija'
 ```
 
 ## Usage
@@ -47,7 +47,7 @@ Here's an example hash available in `request.env['omniauth.auth']`
 ```ruby
 {
   provider: 'latvija',
-  uid: 'JANIS BERZINS, 12345612345',
+  uid: 'PK:12345612345',
   info: {
     name: 'JANIS BERZINS',
     first_name: 'JANIS',
@@ -56,14 +56,16 @@ Here's an example hash available in `request.env['omniauth.auth']`
   },
   extra: {
     raw_info: {
-      name: 'JANIS BERZINS',
-      first_name: 'JANIS',
-      last_name: 'BERZINS',
-      private_personal_identifier: '12345612345',
+      givenname: 'JANIS',
+      surname: 'BERZINS',
+      privatepersonalidentifier: '12345612345',
+      historical_privatepersonalidentifier: [],
       not_valid_before: '2019-05-09T07:29:41Z',
       not_valid_on_or_after: '2019-05-09T08:29:41Z'
     },
-    authentication_method: 'SWEDBANK'
+    authentication_method: 'URN:IVIS:100001:AM.BANK-SWED',
+    original_issuer: 'Swedbanka',
+    legacy_uids: ['JANIS BERZINS, 12345612345']
   }
 }
 ```

data/lib/omniauth/strategies/latvija/response.rb

@@ -26,23 +26,48 @@ module OmniAuth::Strategies
         end
       end
 
+      def original_issuer
+        @original_issuer ||= begin
+          xml.xpath("//saml:Attribute[@AttributeName='givenname']", saml: ASSERTION).attribute('OriginalIssuer')
+        end
+      end
+
+      def name_identifier
+        @name_identifier ||= begin
+          xml.xpath('//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', saml: ASSERTION).text()
+        end
+      end
+
       # A hash of all the attributes with the response.
       # Assuming there is only one value for each key
       def attributes
         @attributes ||= begin
           attrs = {
             'not_valid_before' => not_valid_before,
-            'not_valid_on_or_after' => not_valid_on_or_after
+            'not_valid_on_or_after' => not_valid_on_or_after,
+            'historical_privatepersonalidentifier' => []
           }
 
-          stmt_elements = xml.xpath('//a:Attribute', a: ASSERTION)
+          stmt_elements = xml.xpath('//saml:Attribute', saml: ASSERTION)
+
           return attrs if stmt_elements.nil?
 
+          identifiers = stmt_elements.xpath("//saml:Attribute[@AttributeName='privatepersonalidentifier']", saml: ASSERTION)
+
           stmt_elements.each_with_object(attrs) do |element, result|
-            name  = element.attribute('AttributeName').value
+            name = element.attribute('AttributeName').value
             value = element.text
 
-            result[name] = value
+            case name
+            when 'privatepersonalidentifier' # person can change their identifier, service will return all the versions
+              if identifiers.length == 1 || element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
+                result[name] = value
+              else
+                result['historical_privatepersonalidentifier'] << value
+              end
+            else
+              result[name] = value
+            end
           end
         end
       end
@@ -51,7 +76,7 @@ module OmniAuth::Strategies
 
       def fingerprint
         cert = OpenSSL::X509::Certificate.new(options[:certificate])
-        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+        Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
       end
 
       def conditions_tag

data/lib/omniauth/strategies/latvija/signed_document.rb

@@ -64,8 +64,18 @@ module OmniAuth::Strategies
         end
       end
 
+      def digest_method_class(reference)
+        value = reference.xpath('.//xmlns:DigestMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}sha1" ? Digest::SHA1 : Digest::SHA256
+      end
+
+      def signature_method_class(sig_element)
+        value = sig_element.xpath('.//xmlns:SignatureMethod', xmlns: DSIG).attribute('Algorithm').value
+        value == "#{DSIG}rsa-sha1" ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::SHA256
+      end
+
       def validate_fingerprint!(idp_cert_fingerprint)
-        fingerprint = Digest::SHA1.hexdigest(certificate.to_der)
+        fingerprint = Digest::SHA256.hexdigest(certificate.to_der)
         if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/, '').downcase
           raise ValidationError, 'Fingerprint mismatch'
         end
@@ -80,7 +90,7 @@ module OmniAuth::Strategies
           hashed_element = response_without_signature.
             at_xpath("//*[@AssertionID='#{uri[1, uri.size]}']").
             canonicalize(CANON_MODE)
-          hash           = Base64.encode64(Digest::SHA1.digest(hashed_element)).chomp
+          hash           = Base64.encode64(digest_method_class(ref).digest(hashed_element)).chomp
           digest_value   = ref.xpath('.//xmlns:DigestValue', xmlns: DSIG).text
 
           raise ValidationError, 'Digest mismatch' if hash != digest_value
@@ -94,7 +104,7 @@ module OmniAuth::Strategies
         base64_signature    = sig_element.xpath('.//xmlns:SignatureValue', xmlns: DSIG).text
         signature           = Base64.decode64(base64_signature)
 
-        unless certificate.public_key.verify(OpenSSL::Digest::SHA1.new, signature, signed_info_element)
+        unless certificate.public_key.verify(signature_method_class(sig_element).new, signature, signed_info_element)
           raise ValidationError, 'Key validation error'
         end
       end

data/lib/omniauth/strategies/latvija.rb

@@ -1,6 +1,7 @@
 require 'time'
 require 'openssl'
 require 'digest/sha1'
+require 'digest/sha2'
 require 'xmlenc'
 require 'nokogiri'
 require 'omniauth/strategies/latvija/response'
@@ -34,11 +35,9 @@ module OmniAuth::Strategies
     option :certificate, nil
     option :private_key, nil
 
-    uid { "#{raw_info['givenname']} #{raw_info['surname']}, #{raw_info["privatepersonalidentifier"]}" }
-
     info do
       {
-        name: "#{raw_info['givenname']} #{raw_info['surname']}",
+        name: full_name,
         first_name: raw_info['givenname'],
         last_name: raw_info['surname'],
         private_personal_identifier: raw_info['privatepersonalidentifier']
@@ -48,7 +47,9 @@ module OmniAuth::Strategies
     extra do
       {
         raw_info: raw_info,
-        authentication_method: @response.authentication_method
+        authentication_method: @response.authentication_method,
+        original_issuer: @response.original_issuer,
+        legacy_uids: legacy_uids
       }
     end
 
@@ -85,5 +86,28 @@ module OmniAuth::Strategies
     def raw_info
       @response.attributes
     end
+
+    def uid
+      @response.name_identifier
+    end
+
+    def full_name
+      @full_name ||= "#{raw_info['givenname']} #{raw_info['surname']}"
+    end
+
+    def legacy_uids
+      # UIDs that could have been assigned to this identity by previous versions of the gem, or due to peronal identifier change
+
+      legacy_uids = [
+        "#{full_name}, #{raw_info["privatepersonalidentifier"]}" # generated by gem version <= 4.0
+      ]
+
+      raw_info.fetch('historical_privatepersonalidentifier', []).each do |historical_identifier|
+        legacy_uids << "#{full_name}, #{historical_identifier}" # generated by gem version <= 4.0
+        legacy_uids << "PK:#{historical_identifier}" # due to personal identifier change
+      end
+
+      legacy_uids
+    end
   end
 end

data/lib/omniauth-latvija/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Latvija
-    VERSION = '4.0.0'
+    VERSION = '6.2.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-latvija
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 6.2.0
 platform: ruby
 authors:
 - Edgars Beigarts
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-09 00:00:00.000000000 Z
+date: 2021-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -151,10 +151,10 @@ files:
 - lib/omniauth/strategies/latvija/decryptor.rb
 - lib/omniauth/strategies/latvija/response.rb
 - lib/omniauth/strategies/latvija/signed_document.rb
-homepage: 
+homepage:
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -169,9 +169,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
-signing_key: 
+rubygems_version: 3.0.6
+signing_key:
 specification_version: 4
 summary: Latvija.lv authentication strategy for OmniAuth
 test_files: []