omniauth-mpassid 0.2.1 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/omniauth/strategies/mpassid.rb +87 -46
- data/lib/omniauth-mpassid/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f48ffa5ce82f1a1fc9c58c23c6922a331d9ddd67a8cf0d18727eb1c9a71349b4
|
|
4
|
+
data.tar.gz: 493aee76ba5c50ba9bbb21e4cac136a73b6a121128a12bbf95863529d2126fdf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 56ec987f2a110f6ce52471793e4e65625db009d1addb6d3c058f9f6e4d1b59fed48ee24d797c668f6849f36dc661f23ff7d4066d36f5ea733d32dae3efe49aa3
|
|
7
|
+
data.tar.gz: 21e0c03164aad2c68e4d1062120dbc325a8f141ee5f254e672bdb12e5271ab3f63360253e1d23dfe4281f1cd560f3f6a570817ee5ea72e70fd2815fe0218b346
|
|
@@ -10,6 +10,12 @@ module OmniAuth
|
|
|
10
10
|
# :test - MPASSid test environment
|
|
11
11
|
option :mode, :production
|
|
12
12
|
|
|
13
|
+
# The certificate file to define the certificate.
|
|
14
|
+
option :certificate_file, nil
|
|
15
|
+
|
|
16
|
+
# The private key file to define the private key.
|
|
17
|
+
option :private_key_file, nil
|
|
18
|
+
|
|
13
19
|
# Defines the lang parameters to check from the request phase request
|
|
14
20
|
# parameters. A valid language will be added to the IdP sign in redirect
|
|
15
21
|
# URL as the last parameter (with the name `lang` as expected by
|
|
@@ -23,13 +29,13 @@ module OmniAuth
|
|
|
23
29
|
# - fi_FI
|
|
24
30
|
#
|
|
25
31
|
# In case a valid language cannot be parsed from the parameter, the lang
|
|
26
|
-
# parameter will default to `:
|
|
27
|
-
option :
|
|
32
|
+
# parameter will default to `:idp_sso_service_url_default_lang`.
|
|
33
|
+
option :idp_sso_service_url_lang_params, %w[locale language lang]
|
|
28
34
|
|
|
29
35
|
# This is the default language to be passed to IdP sign in redirect URL as
|
|
30
36
|
# defined above. In case a valid language is not found from the request
|
|
31
37
|
# parameters, this will be used instead.
|
|
32
|
-
option :
|
|
38
|
+
option :idp_sso_service_url_default_lang, 'fi'
|
|
33
39
|
|
|
34
40
|
# The request attributes for MPASSid
|
|
35
41
|
option :request_attributes, [
|
|
@@ -39,13 +45,15 @@ module OmniAuth
|
|
|
39
45
|
# (single value)
|
|
40
46
|
{
|
|
41
47
|
name: 'urn:mpass.id:uid',
|
|
42
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
48
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
49
|
+
friendly_name: 'mpassUsername'
|
|
43
50
|
},
|
|
44
51
|
# Funet EDU person learner ID
|
|
45
52
|
# (single value)
|
|
46
53
|
{
|
|
47
54
|
name: 'urn:oid:1.3.6.1.4.1.16161.1.1.27',
|
|
48
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
55
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
56
|
+
friendly_name: 'learnerId'
|
|
49
57
|
},
|
|
50
58
|
# The first/given name of the user.
|
|
51
59
|
# (single value)
|
|
@@ -68,26 +76,6 @@ module OmniAuth
|
|
|
68
76
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
69
77
|
friendly_name: 'sn'
|
|
70
78
|
},
|
|
71
|
-
# The municipality code of the authenticated user. See
|
|
72
|
-
# http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
|
|
73
|
-
# for mappings in Finland.
|
|
74
|
-
# (multi value)
|
|
75
|
-
{
|
|
76
|
-
name: 'urn:mpass.id:municipalityCode',
|
|
77
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
78
|
-
friendly_name: 'municipalityCode'
|
|
79
|
-
},
|
|
80
|
-
# The human-readable name of the municipality of the authenticated user.
|
|
81
|
-
# (multi value)
|
|
82
|
-
{
|
|
83
|
-
name: 'urn:mpass.id:municipality',
|
|
84
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
85
|
-
},
|
|
86
|
-
{
|
|
87
|
-
name: 'urn:educloudalliance.org:municipality',
|
|
88
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
89
|
-
friendly_name: 'ecaMunicipality'
|
|
90
|
-
},
|
|
91
79
|
# The school code of the authenticated user. See
|
|
92
80
|
# https://virkailija.opintopolku.fi/koodisto-service/rest/json/oppilaitosnumero/koodi
|
|
93
81
|
# (JSON format)
|
|
@@ -99,7 +87,8 @@ module OmniAuth
|
|
|
99
87
|
# (multi value)
|
|
100
88
|
{
|
|
101
89
|
name: 'urn:mpass.id:schoolCode',
|
|
102
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
90
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
91
|
+
friendly_name: 'mpassSchoolCode'
|
|
103
92
|
},
|
|
104
93
|
# The human-readable name of the school of the authenticated user.
|
|
105
94
|
# (multi value)
|
|
@@ -108,12 +97,21 @@ module OmniAuth
|
|
|
108
97
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
109
98
|
friendly_name: 'school'
|
|
110
99
|
},
|
|
100
|
+
# Combination of the school code and official name of the educational
|
|
101
|
+
# institution separated with semicolon.
|
|
102
|
+
# For instance: 00000;Tuntematon
|
|
103
|
+
{
|
|
104
|
+
name: 'urn:mpass.id:schoolInfo',
|
|
105
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
106
|
+
friendly_name: 'mpassSchoolInfo'
|
|
107
|
+
},
|
|
111
108
|
# The class/group-information of the authenticated user.
|
|
112
109
|
# For instance: 8A or 3B.
|
|
113
110
|
# (multi value)
|
|
114
111
|
{
|
|
115
112
|
name: 'urn:mpass.id:class',
|
|
116
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
113
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
114
|
+
friendly_name: 'mpassClass'
|
|
117
115
|
},
|
|
118
116
|
{
|
|
119
117
|
name: 'urn:educloudalliance.org:group',
|
|
@@ -125,7 +123,8 @@ module OmniAuth
|
|
|
125
123
|
# (multi value)
|
|
126
124
|
{
|
|
127
125
|
name: 'urn:mpass.id:classLevel',
|
|
128
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
126
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
127
|
+
friendly_name: 'mpassClassLevel'
|
|
129
128
|
},
|
|
130
129
|
# The role name of the user.
|
|
131
130
|
# For instance Oppilas.
|
|
@@ -136,18 +135,43 @@ module OmniAuth
|
|
|
136
135
|
friendly_name: 'ecaRole'
|
|
137
136
|
},
|
|
138
137
|
# The role of the user in four parts, divided with a semicolon (;)
|
|
139
|
-
# character. First
|
|
140
|
-
# in the group.
|
|
141
|
-
# For instance
|
|
138
|
+
# character. First educational provider's organization OID, followed by
|
|
139
|
+
# school code, group and role in the group.
|
|
140
|
+
# For instance 1.2.246.562.10.12345678907;99900;7B;Oppilas.
|
|
142
141
|
# (multi value)
|
|
142
|
+
#
|
|
143
|
+
# The educational providers' organization OIDs can be found from:
|
|
144
|
+
# https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
|
|
143
145
|
{
|
|
144
146
|
name: 'urn:mpass.id:role',
|
|
145
|
-
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
|
|
147
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
148
|
+
friendly_name: 'mpassRole'
|
|
149
|
+
},
|
|
150
|
+
# The educational provider's permanent organization OID.
|
|
151
|
+
# (multi value)
|
|
152
|
+
#
|
|
153
|
+
# The educational providers' organization OIDs can be found from:
|
|
154
|
+
# https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
|
|
155
|
+
{
|
|
156
|
+
name: 'urn:mpass.id:educationProviderId',
|
|
157
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
158
|
+
friendly_name: 'mpassEducationProviderOid'
|
|
159
|
+
},
|
|
160
|
+
# The educational provider's human-readable name.
|
|
161
|
+
# (multi value)
|
|
162
|
+
{
|
|
163
|
+
name: 'urn:mpass.id:educationProvider',
|
|
164
|
+
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
165
|
+
friendly_name: 'mpassEducationProviderName'
|
|
146
166
|
},
|
|
167
|
+
# Combination of the education provider's organisation-OID and official
|
|
168
|
+
# name. Separated by semicolon.
|
|
169
|
+
# For instance: 1.2.246.562.10.494695390410;Virallinen nimi
|
|
170
|
+
# (multi value)
|
|
147
171
|
{
|
|
148
|
-
name: 'urn:
|
|
172
|
+
name: 'urn:mpass.id:educationProviderInfo',
|
|
149
173
|
name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
|
|
150
|
-
friendly_name: '
|
|
174
|
+
friendly_name: 'mpassEducationProviderInfo'
|
|
151
175
|
}
|
|
152
176
|
]
|
|
153
177
|
|
|
@@ -158,8 +182,8 @@ module OmniAuth
|
|
|
158
182
|
# Given name or all first names (in case given name is not found)
|
|
159
183
|
first_name: ['urn:oid:2.5.4.42', 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
|
|
160
184
|
last_name: ['urn:oid:2.5.4.4'],
|
|
161
|
-
# The municipality of the person (literal format in Finnish)
|
|
162
|
-
location: ['urn:mpass.id:
|
|
185
|
+
# The education provider (e.g. municipality) of the person (literal format in Finnish)
|
|
186
|
+
location: ['urn:mpass.id:educationProvider']
|
|
163
187
|
)
|
|
164
188
|
|
|
165
189
|
info do
|
|
@@ -187,6 +211,7 @@ module OmniAuth
|
|
|
187
211
|
|
|
188
212
|
option(
|
|
189
213
|
:security_settings,
|
|
214
|
+
authn_requests_signed: true,
|
|
190
215
|
digest_method: XMLSecurity::Document::SHA256,
|
|
191
216
|
signature_method: XMLSecurity::Document::RSA_SHA256
|
|
192
217
|
)
|
|
@@ -197,14 +222,14 @@ module OmniAuth
|
|
|
197
222
|
option(
|
|
198
223
|
:saml_attributes_map,
|
|
199
224
|
given_name: ['urn:oid:2.5.4.42'],
|
|
200
|
-
first_names: ['
|
|
225
|
+
first_names: ['urn:oid:2.5.4.42'],
|
|
201
226
|
last_name: ['urn:oid:2.5.4.4'],
|
|
202
|
-
|
|
203
|
-
name: ['urn:mpass.id:
|
|
227
|
+
provider_id: {
|
|
228
|
+
name: ['urn:mpass.id:educationProviderId'],
|
|
204
229
|
type: :multi
|
|
205
230
|
},
|
|
206
|
-
|
|
207
|
-
name: ['urn:mpass.id:
|
|
231
|
+
provider_name: {
|
|
232
|
+
name: ['urn:mpass.id:educationProvider'],
|
|
208
233
|
type: :multi
|
|
209
234
|
},
|
|
210
235
|
school_code: {
|
|
@@ -231,7 +256,8 @@ module OmniAuth
|
|
|
231
256
|
name: ['urn:educloudalliance.org:role'],
|
|
232
257
|
type: :multi
|
|
233
258
|
},
|
|
234
|
-
# Extra
|
|
259
|
+
# Extra
|
|
260
|
+
# Unique learner ID
|
|
235
261
|
funet_person_learner_id: ['urn:oid:1.3.6.1.4.1.16161.1.1.27']
|
|
236
262
|
)
|
|
237
263
|
|
|
@@ -255,6 +281,7 @@ module OmniAuth
|
|
|
255
281
|
@options = OmniAuth::Strategy::Options.new(
|
|
256
282
|
mpassid_options.merge(options)
|
|
257
283
|
)
|
|
284
|
+
options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]
|
|
258
285
|
end
|
|
259
286
|
|
|
260
287
|
# Override the request phase to be able to pass the lang parameter to
|
|
@@ -295,6 +322,14 @@ module OmniAuth
|
|
|
295
322
|
|
|
296
323
|
private
|
|
297
324
|
|
|
325
|
+
def certificate
|
|
326
|
+
File.read(options.certificate_file) if options.certificate_file
|
|
327
|
+
end
|
|
328
|
+
|
|
329
|
+
def private_key
|
|
330
|
+
File.read(options.private_key_file) if options.private_key_file
|
|
331
|
+
end
|
|
332
|
+
|
|
298
333
|
def idp_metadata_url
|
|
299
334
|
case options.mode
|
|
300
335
|
when :test
|
|
@@ -318,10 +353,16 @@ module OmniAuth
|
|
|
318
353
|
sso_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
|
|
319
354
|
)
|
|
320
355
|
|
|
356
|
+
# Local certificate and private key to decrypt the responses
|
|
357
|
+
settings[:certificate] = certificate
|
|
358
|
+
settings[:private_key] = private_key
|
|
359
|
+
|
|
321
360
|
# Define the security settings as there are some defaults that need to be
|
|
322
361
|
# modified
|
|
323
362
|
security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
|
|
324
|
-
settings[:security] = security_defaults.merge(
|
|
363
|
+
settings[:security] = security_defaults.merge(
|
|
364
|
+
options.security_settings.to_h.transform_keys(&:to_sym)
|
|
365
|
+
)
|
|
325
366
|
|
|
326
367
|
settings
|
|
327
368
|
end
|
|
@@ -346,8 +387,8 @@ module OmniAuth
|
|
|
346
387
|
end
|
|
347
388
|
|
|
348
389
|
def lang_for_authn_request
|
|
349
|
-
if options.
|
|
350
|
-
options.
|
|
390
|
+
if options.idp_sso_service_url_lang_params.is_a?(Array)
|
|
391
|
+
options.idp_sso_service_url_lang_params.each do |param|
|
|
351
392
|
next unless request.params.key?(param.to_s)
|
|
352
393
|
|
|
353
394
|
lang = parse_language_value(request.params[param.to_s])
|
|
@@ -355,7 +396,7 @@ module OmniAuth
|
|
|
355
396
|
end
|
|
356
397
|
end
|
|
357
398
|
|
|
358
|
-
options.
|
|
399
|
+
options.idp_sso_service_url_default_lang
|
|
359
400
|
end
|
|
360
401
|
|
|
361
402
|
def parse_language_value(string)
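Review bot: The guard on new line 284, `options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]`, tests keys this commit never sets — it introduces `certificate_file`/`private_key_file` and the `certificate`/`private_key` readers (new lines 325–331) that feed `settings[:certificate]`/`settings[:private_key]` in `saml_settings`, so a deployment configured only through the new `*_file` options would, as far as the hunk shows, have request signing switched off even though the key material is present. The write also targets `options[:security]`, while `saml_settings` builds its security hash from `options.security_settings` (new line 364); unless the parent strategy or `mpassid_options` (not visible here) maps one onto the other, the override never reaches the settings, and if `options[:security]` is undefined the indexing raises. Something like `options[:security_settings][:authn_requests_signed] = false unless certificate && private_key` would evaluate the same material `saml_settings` ends up using. Silently downgrading from the new default `authn_requests_signed: true` (new line 214) to unsigned requests also deserves at least a logged warning, since a mistyped path would otherwise go unnoticed in production. The enclosing method starts outside the hunk.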
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-mpassid
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2
|
|
4
|
+
version: 0.3.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Antti Hukkanen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-09-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-saml
|