omniauth-mpassid 0.3.1 → 0.5.1
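--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6c9ea1c51d3ddc3c48696d8fa28047dbd410f9a59418cb7f4518c579533d36ad
+data.tar.gz: c2dc1ef5792ac9363beb524f3e608c19364e7a711e8e2a98e4c57d2bc0919a07
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f71ab3a1cb4a99f7ad90071c21742b9203f437496f1ebb9b87a6c402e2d2751458e834f27e35ec8691518ebcd2c2a8a8f4064ff6ecc5efd9943fcb94821a81c8
+data.tar.gz: 165be346329403c8486d526ca2bcbe6c0b9c630f78b81b325843914523f028bd62dfb28007d5b85e370e55ce12551ff3811a19fb39bde216c2e09f1f99b2505e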
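--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,6 @@
 # OmniAuth MPASSid (SAML 2.0)
 
-[![Build Status](https://
+[![Build Status](https://github.com/mainio/omniauth-mpassid/actions/workflows/ci_omniauth_mpassid.yml/badge.svg)](https://github.com/mainio/omniauth-mpassid/actions)
 [![codecov](https://codecov.io/gh/mainio/omniauth-mpassid/branch/master/graph/badge.svg)](https://codecov.io/gh/mainio/omniauth-mpassid)
 
 This is an unofficial OmniAuth strategy for authenticating with the MPASSid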
@@ -10,6 +10,12 @@ module OmniAuth
|
|
10
10
|
# :test - MPASSid test environment
|
11
11
|
option :mode, :production
|
12
12
|
|
13
|
+
# The certificate file to define the certificate.
|
14
|
+
option :certificate_file, nil
|
15
|
+
|
16
|
+
# The private key file to define the private key.
|
17
|
+
option :private_key_file, nil
|
18
|
+
|
13
19
|
# Defines the lang parameters to check from the request phase request
|
14
20
|
# parameters. A valid language will be added to the IdP sign in redirect
|
15
21
|
# URL as the last parameter (with the name `lang` as expected by
|
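Review bot: The comments on the two new options restate their names (`# The certificate file to define the certificate.`) and say nothing about what the files are for or what happens when they are absent. From the later hunks of this file they hold the SP's own PEM certificate and private key, the pair is used to sign outbound AuthnRequests and to decrypt responses, and request signing is silently switched off when either one is nil, which is exactly what an operator configuring them needs to know. Suggested comments: `# Path to the SP's PEM-encoded X.509 certificate; with :private_key_file it signs AuthnRequests and decrypts responses.` and `# Path to the matching PEM-encoded private key; when either file is unset, AuthnRequest signing is disabled.`. The enclosing strategy class starts and ends outside the hunk.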
@@ -200,11 +206,12 @@ module OmniAuth
|
|
200
206
|
[key, attribute]
|
201
207
|
end
|
202
208
|
|
203
|
-
|
209
|
+
found_attributes.to_h
|
204
210
|
end
|
205
211
|
|
206
212
|
option(
|
207
213
|
:security_settings,
|
214
|
+
authn_requests_signed: true,
|
208
215
|
digest_method: XMLSecurity::Document::SHA256,
|
209
216
|
signature_method: XMLSecurity::Document::RSA_SHA256
|
210
217
|
)
|
@@ -264,6 +271,9 @@ module OmniAuth
|
|
264
271
|
# Add the SAML attributes to the extra hash for easier access.
|
265
272
|
extra { {saml_attributes: saml_attributes} }
|
266
273
|
|
274
|
+
attr_accessor :options
|
275
|
+
attr_reader :mpassid_thread
|
276
|
+
|
267
277
|
def initialize(app, *args, &block)
|
268
278
|
super
|
269
279
|
|
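Review bot: `attr_accessor :options` makes the strategy's options publicly writable, which is wider than the new code needs: the only writer is the `@options = ...` assignment inside the initializer's thread (next hunk), which sets the instance variable directly and needs no setter, and OmniAuth::Strategy already exposes an `options` reader (base class not visible here). A public setter lets any holder of the strategy instance replace the merged security settings at runtime, so I would drop the line and keep only `attr_reader :mpassid_thread`. If a setter is genuinely needed, keep it private: `attr_writer :options` followed by `private :options=`. The enclosing class starts and ends outside the hunk.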
@@ -271,15 +281,19 @@ module OmniAuth
|
|
271
281
|
# fetched from the metadata. The options array is the one that gets
|
272
282
|
# priority in case it overrides some of the metadata or locally defined
|
273
283
|
# option values.
|
274
|
-
@
|
275
|
-
|
276
|
-
|
284
|
+
@mpassid_thread = Thread.new do
|
285
|
+
@options = OmniAuth::Strategy::Options.new(
|
286
|
+
mpassid_options.merge(options)
|
287
|
+
)
|
288
|
+
options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]
|
289
|
+
end
|
277
290
|
end
|
278
291
|
|
279
292
|
# Override the request phase to be able to pass the lang parameter to
|
280
293
|
# the redirect URL. Note that this needs to be the last parameter to
|
281
294
|
# be passed to the redirect URL.
|
282
295
|
def request_phase
|
296
|
+
mpassid_thread.join if mpassid_thread.alive?
|
283
297
|
authn_request = OneLogin::RubySaml::Authrequest.new
|
284
298
|
lang = lang_for_authn_request
|
285
299
|
|
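Review bot: `mpassid_thread.join if mpassid_thread.alive?` drops the error of a thread that already died raising: `Thread#join` on a finished thread returns immediately and re-raises its exception, so the `alive?` guard skips precisely the case where the metadata fetch or a key-file read failed, leaving `options` un-merged and producing a confusing downstream error instead of the root cause; change the line to `mpassid_thread.join` (or `mpassid_thread.value`). Separately, `options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]` downgrades a security setting with no trace, so a mistyped `private_key_file` path silently turns request signing off; at minimum log it, e.g. `log(:warn, 'no SP certificate/private key configured, AuthnRequests will not be signed')` using the strategy's `log` helper before the assignment. The callback phase is not in this hunk; if it does not also join the thread, a response handled by a worker that never ran the request phase (IdP-initiated sign-in, multi-process deployments) would read the pre-merge options. Both `initialize` and `request_phase` continue outside the hunk.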
@@ -314,6 +328,14 @@ module OmniAuth
|
|
314
328
|
|
315
329
|
private
|
316
330
|
|
331
|
+
def certificate
|
332
|
+
File.read(options.certificate_file) if options.certificate_file
|
333
|
+
end
|
334
|
+
|
335
|
+
def private_key
|
336
|
+
File.read(options.private_key_file) if options.private_key_file
|
337
|
+
end
|
338
|
+
|
317
339
|
def idp_metadata_url
|
318
340
|
case options.mode
|
319
341
|
when :test
|
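Review bot: `certificate` and `private_key` re-read the files on every call and let any `Errno::ENOENT`/`EACCES` propagate unchanged; they appear to be invoked while the settings hash is built (next hunk), which the earlier hunk runs on a background thread, so a wrong path surfaces far from the configuration that caused it, if at all. I would read each file once and name the failure: `@private_key ||= File.read(options.private_key_file)` wrapped in `begin`/`rescue SystemCallError => e` that raises `ArgumentError, "omniauth-mpassid: cannot read private_key_file #{options.private_key_file}: #{e.message}"`, and the same for the certificate. Both methods also lack a comment; suggested: `# PEM contents of :certificate_file, or nil when the option is unset.` and the private-key counterpart. The `private` section continues outside the hunk.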
@@ -337,10 +359,16 @@ module OmniAuth
|
|
337
359
|
sso_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
|
338
360
|
)
|
339
361
|
|
362
|
+
# Local certificate and private key to decrypt the responses
|
363
|
+
settings[:certificate] = certificate
|
364
|
+
settings[:private_key] = private_key
|
365
|
+
|
340
366
|
# Define the security settings as there are some defaults that need to be
|
341
367
|
# modified
|
342
368
|
security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
|
343
|
-
settings[:security] = security_defaults.merge(
|
369
|
+
settings[:security] = security_defaults.merge(
|
370
|
+
options.security_settings.to_h.transform_keys(&:to_sym)
|
371
|
+
)
|
344
372
|
|
345
373
|
settings
|
346
374
|
end
|
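Review bot: The comment `# Local certificate and private key to decrypt the responses` covers only half of what the pair is used for: with `authn_requests_signed: true` now among the security defaults, the same `settings[:certificate]`/`settings[:private_key]` sign outbound AuthnRequests. Suggested: `# Local SP certificate and private key: sign outbound AuthnRequests and decrypt encrypted responses (both nil when not configured).`. The merge `security_defaults.merge(options.security_settings.to_h.transform_keys(&:to_sym))` also lets a deployer-supplied `security_settings` hash override `digest_method`/`signature_method` as well as `authn_requests_signed`, which is presumably intended but deserves one comment line saying so. The enclosing method starts outside the hunk.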
@@ -357,7 +385,7 @@ module OmniAuth
|
|
357
385
|
|
358
386
|
value = definition[:name].map do |key|
|
359
387
|
@attributes.public_send(definition[:type], key)
|
360
|
-
end.
|
388
|
+
end.compact.first
|
361
389
|
|
362
390
|
attrs[target] = value
|
363
391
|
end
|
@@ -17,14 +17,14 @@ module OmniAuth
|
|
17
17
|
cert = OpenSSL::X509::Certificate.new
|
18
18
|
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
|
19
19
|
cert.not_before = Time.now
|
20
|
-
cert.not_after = Time.now + 365 * 24 * 60 * 60
|
20
|
+
cert.not_after = Time.now + (365 * 24 * 60 * 60)
|
21
21
|
cert.public_key = public_key
|
22
22
|
cert.serial = 0x0
|
23
23
|
cert.version = 2
|
24
24
|
|
25
25
|
inject_certificate_extensions(cert)
|
26
26
|
|
27
|
-
cert.sign(private_key, OpenSSL::Digest
|
27
|
+
cert.sign(private_key, OpenSSL::Digest.new('SHA1'))
|
28
28
|
|
29
29
|
cert
|
30
30
|
end
|
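Review bot: `cert.sign(private_key, OpenSSL::Digest.new('SHA1'))` modernises the constructor call but keeps SHA-1 as the certificate signature digest; OpenSSL 3 and distributions running at security level 2 or higher reject SHA-1 certificate signatures, and it is inconsistent with the SHA-256 digest and RSA-SHA256 signature method this gem configures for XML signatures. Use `cert.sign(private_key, OpenSSL::Digest.new('SHA256'))`; nothing visible in the hunk depends on the digest choice. If this generator only produces test fixtures the exposure is limited, but the stricter digest still stops the fixtures from failing on newer OpenSSL. The neighbouring `cert.serial = 0x0` is unchanged context, though RFC 5280 requires a positive serial and strict validators may reject it. The enclosing method starts outside the hunk.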
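--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-mpassid
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.5.1
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01
+date: 2022-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth-saml
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: '2.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: '2.0'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -133,7 +133,8 @@ files:
 homepage: https://github.com/mainio/omniauth-mpassid
 licenses:
 - MIT
-metadata:
+metadata:
+rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -142,7 +143,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: '
+version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="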