omniauth-latvija 1.0.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2012 Edgars Beigarts
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,44 @@
+# OmniAuth Latvija.lv
+
+> **Autentifikācijas serviss.** Ar autentifikācijas servisa palīdzību iestādes var ērti savos pakalpojumu portālos vai reģistros autentificēt pakalpojuma lietotāju atbilstoši visiem drošības standartiem. Iestādei vairs nav nepieciešams veidot jaunus autentifikācijas mehānismus un juridiski slēgt vienošanos ar katru no autentifikācijas iespējas nodrošinātājiem. Šobrīd pieejamos autentifikācijas līdzekļus var apskatīties portālā [www.latvija.lv](http://www.latvija.lv/) sadaļā „E-pakalpojumi”.
+>
+> -- [VRAA E-pakalpojumi](http://www.vraa.gov.lv/lv/epakalpojumi/viss/)
+
+Provides the following authentication types:
+
+* E-paraksts
+* Swedbank
+* SEB banka
+* Online bank
+* Citadele
+* Norvik banka
+* Lattelecom Mobile ID
+
+## Installation
+
+```ruby
+gem 'omniauth-latvija', :git => 'http://github.com/ebeigarts/omniauth-latvija.git'
+```
+
+## Usage
+
+`OmniAuth::Strategies::Latvija` is simply a Rack middleware. Read the OmniAuth 1.x docs for detailed instructions: https://github.com/intridea/omniauth.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :latvija, {
+    :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+    :certificate => File.read("/path/to/cert"),
+    :realm => "urn:federation:example.com"
+  }
+end
+```
+
+## References
+
+* http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html
+* http://msdn.microsoft.com/en-us/library/bb498017.aspx
+* http://msdn.microsoft.com/en-us/library/bb608217.aspx
+* https://github.com/onelogin/ruby-saml

data/lib/omniauth/strategies/latvija/response.rb

@@ -0,0 +1,48 @@
+module OmniAuth
+  module Strategies
+    class Latvija
+      class Response
+        ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
+
+        attr_accessor :options, :response, :document
+
+        def initialize(response, options = {})
+          raise ArgumentError.new("Response cannot be nil") if response.nil?
+          self.options  = options
+          self.response = response
+          self.document = OmniAuth::Strategies::Latvija::SignedDocument.new(response)
+        end
+
+        def validate!
+          document.validate!(fingerprint)
+        end
+
+        # A hash of alle the attributes with the response. Assuming there is only one value for each key
+        def attributes
+          @attributes ||= begin
+            result = {}
+
+            stmt_element = REXML::XPath.first(document, "//a:Assertion/a:AttributeStatement", { "a" => ASSERTION })
+            return {} if stmt_element.nil?
+
+            stmt_element.elements.each do |attr_element|
+              name  = attr_element.attributes["AttributeName"]
+              value = attr_element.elements.first.text
+
+              result[name] = value
+            end
+
+            result
+          end
+        end
+
+        private
+
+        def fingerprint
+          cert = OpenSSL::X509::Certificate.new(options[:certificate])
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/latvija/signed_document.rb

@@ -0,0 +1,95 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+module OmniAuth
+  module Strategies
+    class Latvija
+      class SignedDocument < REXML::Document
+        DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+        attr_accessor :signed_element_id
+
+        def initialize(response)
+          super(response)
+          extract_signed_element_id
+        end
+
+        def validate!(idp_cert_fingerprint)
+          # get cert from response
+          base64_cert = self.elements["//ds:X509Certificate"].text
+          cert_text   = Base64.decode64(base64_cert)
+          cert        = OpenSSL::X509::Certificate.new(cert_text)
+
+          # check cert matches registered idp cert
+          fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+            raise ValidationError.new("Fingerprint mismatch")
+          end
+
+          # remove signature node
+          sig_element = REXML::XPath.first(self, "//ds:Signature", { "ds" => DSIG })
+          sig_element.remove
+
+          # check digests
+          REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
+            uri                           = ref.attributes.get_attribute("URI").value
+            hashed_element                = REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
+            canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+            canon_hashed_element          = canoner.canonicalize(hashed_element)
+            hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+            digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", { "ds" => DSIG }).text
+
+            if hash != digest_value
+              raise ValidationError.new("Digest mismatch")
+            end
+          end
+
+          # verify signature
+          canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+          signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", { "ds" => DSIG })
+          canon_string            = canoner.canonicalize(signed_info_element)
+
+          base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", { "ds" => DSIG }).text
+          signature               = Base64.decode64(base64_signature)
+
+          # get certificate object
+          cert_text               = Base64.decode64(base64_cert)
+          cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+          if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+            raise ValidationError.new("Key validation error")
+          end
+
+          true
+        end
+
+        def extract_signed_element_id
+          reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", { "ds" => DSIG })
+          self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/latvija.rb

@@ -0,0 +1,74 @@
+require "time"
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+
+require "omniauth/strategies/latvija/response"
+require "omniauth/strategies/latvija/signed_document"
+
+module OmniAuth
+  module Strategies
+    #
+    # Authenticate with Latvija.lv.
+    #
+    # @example Basic Rails Usage
+    #
+    #  Add this to config/initializers/omniauth.rb
+    #
+    #    Rails.application.config.middleware.use OmniAuth::Builder do
+    #      provider :latvija, {
+    #        :endpoint => "https://epaktv.vraa.gov.lv/IVIS.LVP.STS/Default.aspx",
+    #        :certificate => File.read("/path/to/cert"),
+    #        :realm => "urn:federation:example.com"
+    #      }
+    #    end
+    #
+    class Latvija
+      include OmniAuth::Strategy
+
+      class ValidationError < StandardError; end
+
+      def request_phase
+        params = {
+          :wa => 'wsignin1.0',
+          :wct => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
+          :wtrealm => @options[:realm],
+          :wreply => callback_url,
+          :wctx => callback_url,
+          :wreq => '<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /></trust:Claims><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType></trust:RequestSecurityToken>'
+        }
+        query_string = params.collect{ |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
+        redirect "#{options[:endpoint]}?#{query_string}"
+      end
+
+      def callback_phase
+        if request.params['wresult']
+          @response = OmniAuth::Strategies::Latvija::Response.new(request.params['wresult'], {
+            :certificate => options[:certificate]
+          })
+          @response.validate!
+          super
+        else
+          fail!(:invalid_response)
+        end
+      rescue Exception => e
+        fail!(:invalid_response, e)
+      end
+
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}, #{@response.attributes["privatepersonalidentifier"]}",
+          'user_info' => {
+            'name' => "#{@response.attributes['givenname']} #{@response.attributes['surname']}",
+            'first_name' => @response.attributes['givenname'],
+            'last_name' => @response.attributes['surname'],
+            'private_personal_identifier' => @response.attributes['privatepersonalidentifier']
+          },
+          'extra' => @response.attributes
+        })
+      end
+    end
+  end
+end

data/lib/omniauth-latvija/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Latvija
+    VERSION = '1.0.0'
+  end
+end

data/lib/omniauth-latvija.rb

@@ -0,0 +1,2 @@
+require 'omniauth-latvija/version'
+require 'omniauth/strategies/latvija'

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-latvija
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Edgars Beigarts
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-06-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: canonix
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Latvija.lv authentication strategy for OmniAuth
+email:
+- edgars.beigarts@makit.lv
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/omniauth/strategies/latvija/response.rb
+- lib/omniauth/strategies/latvija/signed_document.rb
+- lib/omniauth/strategies/latvija.rb
+- lib/omniauth-latvija/version.rb
+- lib/omniauth-latvija.rb
+- README.md
+- LICENSE
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Latvija.lv authentication strategy for OmniAuth
+test_files: []