omniauth-latvija 4.0.0 → 6.2.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 8b140f9721c2fdb31f45a4eb5f51fe2e1894eba947a7780f558a146437e5502d
|
|
4
|
+
data.tar.gz: 9ea9f446de8b2b46318a991fbcd45f5ca6f6a40c6eff4ca57ceff24357bdcbd8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c767e7a9317f8ff47b8952c1f259903a9dbd520c35930f6c3eeb6c1abcb8974845766b5738d10b73a6abab3b07b73a30a2609eac789ee08fa18ad2f223ee0ea9
|
|
7
|
+
data.tar.gz: bc4456fa4a1f83b5d86376568121dfd59a6f1a7815846e3a3e65d6f0db76ddaa0cf424a2cc3f636af38bad56c0d4ba8ab2012fce51b0a654752eb7c7c1c5b7d9
|
data/README.md
CHANGED
|
@@ -19,7 +19,7 @@ Provides the following authentication types:
|
|
|
19
19
|
## Installation
|
|
20
20
|
|
|
21
21
|
```ruby
|
|
22
|
-
gem 'omniauth-latvija'
|
|
22
|
+
gem 'omniauth-latvija'
|
|
23
23
|
```
|
|
24
24
|
|
|
25
25
|
## Usage
|
|
@@ -47,7 +47,7 @@ Here's an example hash available in `request.env['omniauth.auth']`
|
|
|
47
47
|
```ruby
|
|
48
48
|
{
|
|
49
49
|
provider: 'latvija',
|
|
50
|
-
uid: '
|
|
50
|
+
uid: 'PK:12345612345',
|
|
51
51
|
info: {
|
|
52
52
|
name: 'JANIS BERZINS',
|
|
53
53
|
first_name: 'JANIS',
|
|
@@ -56,14 +56,16 @@ Here's an example hash available in `request.env['omniauth.auth']`
|
|
|
56
56
|
},
|
|
57
57
|
extra: {
|
|
58
58
|
raw_info: {
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
59
|
+
givenname: 'JANIS',
|
|
60
|
+
surname: 'BERZINS',
|
|
61
|
+
privatepersonalidentifier: '12345612345',
|
|
62
|
+
historical_privatepersonalidentifier: [],
|
|
63
63
|
not_valid_before: '2019-05-09T07:29:41Z',
|
|
64
64
|
not_valid_on_or_after: '2019-05-09T08:29:41Z'
|
|
65
65
|
},
|
|
66
|
-
authentication_method: '
|
|
66
|
+
authentication_method: 'URN:IVIS:100001:AM.BANK-SWED',
|
|
67
|
+
original_issuer: 'Swedbanka',
|
|
68
|
+
legacy_uids: ['JANIS BERZINS, 12345612345']
|
|
67
69
|
}
|
|
68
70
|
}
|
|
69
71
|
```
|
|
@@ -26,23 +26,48 @@ module OmniAuth::Strategies
|
|
|
26
26
|
end
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
+
def original_issuer
|
|
30
|
+
@original_issuer ||= begin
|
|
31
|
+
xml.xpath("//saml:Attribute[@AttributeName='givenname']", saml: ASSERTION).attribute('OriginalIssuer')
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def name_identifier
|
|
36
|
+
@name_identifier ||= begin
|
|
37
|
+
xml.xpath('//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', saml: ASSERTION).text()
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
|
|
29
41
|
# A hash of all the attributes with the response.
|
|
30
42
|
# Assuming there is only one value for each key
|
|
31
43
|
def attributes
|
|
32
44
|
@attributes ||= begin
|
|
33
45
|
attrs = {
|
|
34
46
|
'not_valid_before' => not_valid_before,
|
|
35
|
-
'not_valid_on_or_after' => not_valid_on_or_after
|
|
47
|
+
'not_valid_on_or_after' => not_valid_on_or_after,
|
|
48
|
+
'historical_privatepersonalidentifier' => []
|
|
36
49
|
}
|
|
37
50
|
|
|
38
|
-
stmt_elements = xml.xpath('//
|
|
51
|
+
stmt_elements = xml.xpath('//saml:Attribute', saml: ASSERTION)
|
|
52
|
+
|
|
39
53
|
return attrs if stmt_elements.nil?
|
|
40
54
|
|
|
55
|
+
identifiers = stmt_elements.xpath("//saml:Attribute[@AttributeName='privatepersonalidentifier']", saml: ASSERTION)
|
|
56
|
+
|
|
41
57
|
stmt_elements.each_with_object(attrs) do |element, result|
|
|
42
|
-
name
|
|
58
|
+
name = element.attribute('AttributeName').value
|
|
43
59
|
value = element.text
|
|
44
60
|
|
|
45
|
-
|
|
61
|
+
case name
|
|
62
|
+
when 'privatepersonalidentifier' # person can change their identifier, service will return all the versions
|
|
63
|
+
if identifiers.length == 1 || element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
|
|
64
|
+
result[name] = value
|
|
65
|
+
else
|
|
66
|
+
result['historical_privatepersonalidentifier'] << value
|
|
67
|
+
end
|
|
68
|
+
else
|
|
69
|
+
result[name] = value
|
|
70
|
+
end
|
|
46
71
|
end
|
|
47
72
|
end
|
|
48
73
|
end
|
|
@@ -51,7 +76,7 @@ module OmniAuth::Strategies
|
|
|
51
76
|
|
|
52
77
|
def fingerprint
|
|
53
78
|
cert = OpenSSL::X509::Certificate.new(options[:certificate])
|
|
54
|
-
Digest::
|
|
79
|
+
Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
|
|
55
80
|
end
|
|
56
81
|
|
|
57
82
|
def conditions_tag
|
|
@@ -64,8 +64,18 @@ module OmniAuth::Strategies
|
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
66
|
|
|
67
|
+
def digest_method_class(reference)
|
|
68
|
+
value = reference.xpath('.//xmlns:DigestMethod', xmlns: DSIG).attribute('Algorithm').value
|
|
69
|
+
value == "#{DSIG}sha1" ? Digest::SHA1 : Digest::SHA256
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
def signature_method_class(sig_element)
|
|
73
|
+
value = sig_element.xpath('.//xmlns:SignatureMethod', xmlns: DSIG).attribute('Algorithm').value
|
|
74
|
+
value == "#{DSIG}rsa-sha1" ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::SHA256
|
|
75
|
+
end
|
|
76
|
+
|
|
67
77
|
def validate_fingerprint!(idp_cert_fingerprint)
|
|
68
|
-
fingerprint = Digest::
|
|
78
|
+
fingerprint = Digest::SHA256.hexdigest(certificate.to_der)
|
|
69
79
|
if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/, '').downcase
|
|
70
80
|
raise ValidationError, 'Fingerprint mismatch'
|
|
71
81
|
end
|
|
@@ -80,7 +90,7 @@ module OmniAuth::Strategies
|
|
|
80
90
|
hashed_element = response_without_signature.
|
|
81
91
|
at_xpath("//*[@AssertionID='#{uri[1, uri.size]}']").
|
|
82
92
|
canonicalize(CANON_MODE)
|
|
83
|
-
hash = Base64.encode64(
|
|
93
|
+
hash = Base64.encode64(digest_method_class(ref).digest(hashed_element)).chomp
|
|
84
94
|
digest_value = ref.xpath('.//xmlns:DigestValue', xmlns: DSIG).text
|
|
85
95
|
|
|
86
96
|
raise ValidationError, 'Digest mismatch' if hash != digest_value
|
|
@@ -94,7 +104,7 @@ module OmniAuth::Strategies
|
|
|
94
104
|
base64_signature = sig_element.xpath('.//xmlns:SignatureValue', xmlns: DSIG).text
|
|
95
105
|
signature = Base64.decode64(base64_signature)
|
|
96
106
|
|
|
97
|
-
unless certificate.public_key.verify(
|
|
107
|
+
unless certificate.public_key.verify(signature_method_class(sig_element).new, signature, signed_info_element)
|
|
98
108
|
raise ValidationError, 'Key validation error'
|
|
99
109
|
end
|
|
100
110
|
end
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
require 'time'
|
|
2
2
|
require 'openssl'
|
|
3
3
|
require 'digest/sha1'
|
|
4
|
+
require 'digest/sha2'
|
|
4
5
|
require 'xmlenc'
|
|
5
6
|
require 'nokogiri'
|
|
6
7
|
require 'omniauth/strategies/latvija/response'
|
|
@@ -34,11 +35,9 @@ module OmniAuth::Strategies
|
|
|
34
35
|
option :certificate, nil
|
|
35
36
|
option :private_key, nil
|
|
36
37
|
|
|
37
|
-
uid { "#{raw_info['givenname']} #{raw_info['surname']}, #{raw_info["privatepersonalidentifier"]}" }
|
|
38
|
-
|
|
39
38
|
info do
|
|
40
39
|
{
|
|
41
|
-
name:
|
|
40
|
+
name: full_name,
|
|
42
41
|
first_name: raw_info['givenname'],
|
|
43
42
|
last_name: raw_info['surname'],
|
|
44
43
|
private_personal_identifier: raw_info['privatepersonalidentifier']
|
|
@@ -48,7 +47,9 @@ module OmniAuth::Strategies
|
|
|
48
47
|
extra do
|
|
49
48
|
{
|
|
50
49
|
raw_info: raw_info,
|
|
51
|
-
authentication_method: @response.authentication_method
|
|
50
|
+
authentication_method: @response.authentication_method,
|
|
51
|
+
original_issuer: @response.original_issuer,
|
|
52
|
+
legacy_uids: legacy_uids
|
|
52
53
|
}
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -85,5 +86,28 @@ module OmniAuth::Strategies
|
|
|
85
86
|
def raw_info
|
|
86
87
|
@response.attributes
|
|
87
88
|
end
|
|
89
|
+
|
|
90
|
+
def uid
|
|
91
|
+
@response.name_identifier
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
def full_name
|
|
95
|
+
@full_name ||= "#{raw_info['givenname']} #{raw_info['surname']}"
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
def legacy_uids
|
|
99
|
+
# UIDs that could have been assigned to this identity by previous versions of the gem, or due to peronal identifier change
|
|
100
|
+
|
|
101
|
+
legacy_uids = [
|
|
102
|
+
"#{full_name}, #{raw_info["privatepersonalidentifier"]}" # generated by gem version <= 4.0
|
|
103
|
+
]
|
|
104
|
+
|
|
105
|
+
raw_info.fetch('historical_privatepersonalidentifier', []).each do |historical_identifier|
|
|
106
|
+
legacy_uids << "#{full_name}, #{historical_identifier}" # generated by gem version <= 4.0
|
|
107
|
+
legacy_uids << "PK:#{historical_identifier}" # due to personal identifier change
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
legacy_uids
|
|
111
|
+
end
|
|
88
112
|
end
|
|
89
113
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-latvija
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 6.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Edgars Beigarts
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-09-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth
|
|
@@ -151,10 +151,10 @@ files:
|
|
|
151
151
|
- lib/omniauth/strategies/latvija/decryptor.rb
|
|
152
152
|
- lib/omniauth/strategies/latvija/response.rb
|
|
153
153
|
- lib/omniauth/strategies/latvija/signed_document.rb
|
|
154
|
-
homepage:
|
|
154
|
+
homepage:
|
|
155
155
|
licenses: []
|
|
156
156
|
metadata: {}
|
|
157
|
-
post_install_message:
|
|
157
|
+
post_install_message:
|
|
158
158
|
rdoc_options: []
|
|
159
159
|
require_paths:
|
|
160
160
|
- lib
|
|
@@ -169,9 +169,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
169
169
|
- !ruby/object:Gem::Version
|
|
170
170
|
version: '0'
|
|
171
171
|
requirements: []
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
signing_key:
|
|
172
|
+
rubygems_version: 3.0.6
|
|
173
|
+
signing_key:
|
|
175
174
|
specification_version: 4
|
|
176
175
|
summary: Latvija.lv authentication strategy for OmniAuth
|
|
177
176
|
test_files: []
|