omniauth-mpassid 0.5.0 → 0.6.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3ff6ff316ec561eadb8093c30bcbe1097823cf11796a81386b11d40228c4cdc6
4
- data.tar.gz: dd16b5f03d5e8b7814e9b210fe981b15a10521e841f9560cd40a86af67c54ce0
3
+ metadata.gz: 17b65779d78646dc1de8ab9199d37fc0493020fd8a6d3b36e2b4badc859622c6
4
+ data.tar.gz: 6ba237b13f26a22109971309d64478b836e8e8e85ab2855b8f39ef7ac82bbd72
5
5
  SHA512:
6
- metadata.gz: 2bcf7c78c1072b8c52db7e9381321fa2a9bcef19c7e5e2d62d98e161808419484c1ecb5ff7472a4fa2bd90e32ebbd735e6a6b7e8150e8a0673a4e7f46d303c6e
7
- data.tar.gz: 6c4d56294369192b594a2b6afc9c0ea371d21d44b46e49078c31af3d78794c255d3000ebae7cb8dc318f5a8f36ee8c2416bbcf27086528ca389a8a4203fdf4c8
6
+ metadata.gz: 06b3e8aaaa13509e29bce1586b8197fa62933982707263145e3047878a7800b218cc141874e80cc51c6b1ecf1466f7742b9d3604721a047e44d31052785222f8
7
+ data.tar.gz: 6eae3c513b774c1fa97241cbb7d4122d4054afe6716e7b8bdefc5aa8fa00d258e2a9a9c27adb9296b972cb394f84729e4d59ce5a7fd11028e47e9c52b4988859
data/README.md CHANGED
@@ -109,12 +109,11 @@ The user's personal information transmitted from MPASSid can be found under
109
109
  the `:saml_attributes` key in the OmniAuth extra hash described above.
110
110
 
111
111
  This attributes hash will contain the keys described in this following
112
- sub-sections. The keys marked as `(undocumented)` are not described in the
113
- MPASSid's own documentation but are available at least in some SAML responses.
112
+ sub-sections.
114
113
 
115
114
  See also the MPASSid data models documentation for more information:
116
115
 
117
- https://wiki.eduuni.fi/display/CSCMPASSID/Data+models
116
+ https://wiki.eduuni.fi/display/OPHPALV/MPASSid%3An+tietomalli
118
117
 
119
118
  The attributes can be either single or multi type defining whether they can
120
119
  have a single or multiple values. The single type values are strings and multi
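Review bot: the retained context line `This attributes hash will contain the keys described in this following` reads awkwardly now that the next line was shortened to just `sub-sections.`; since this hunk already touches that sentence, fix it to "This attribute hash will contain the keys described in the following sub-sections." in the same change. Dropping the `(undocumented)` explanation is fine because no key below carries that marker any more.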
@@ -128,15 +127,15 @@ is `nil` for both types.
128
127
  - SAML FriendlyName: givenName
129
128
  - Type: Single (`String`)
130
129
 
131
- The first/given name of the user.
130
+ The given name of the user.
132
131
 
133
- #### `:first_names`
132
+ #### `:first_name`
134
133
 
135
- - SAML URI: http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName
136
- - SAML FriendlyName: firstName
134
+ - SAML URI: urn:mpass.id:nickname
135
+ - SAML FriendlyName: nickname
137
136
  - Type: Single (`String`)
138
137
 
139
- All the first/given names of the user.
138
+ The first name / calling name / nickname of the user.
140
139
 
141
140
  #### `:last_name`
142
141
 
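Review bot: the rename from `:first_names` (eIDAS CurrentGivenName) to `:first_name` (`urn:mpass.id:nickname`) is a breaking change for anyone reading `saml_attributes[:first_names]`, and the README should say so, ideally in a short "Changes from 0.5.0" note. It should also state that `:first_name` is absent when the IdP does not release the nickname; only `info[:first_name]` falls back to `givenName` (per `first_name: ['urn:mpass.id:nickname', 'urn:oid:2.5.4.42']` in the strategy hunk below), the raw attribute hash does not.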
@@ -146,39 +145,45 @@ All the first/given names of the user.
146
145
 
147
146
  The last/family name of the user.
148
147
 
149
- #### `:municipality_code`
148
+ #### `:provider_info`
150
149
 
151
- - SAML URI: urn:mpass.id:municipalityCode
152
- - SAML FriendlyName: municipalityCode
153
- - Type: Multi (`Array`)
150
+ - SAML URI: urn:mpass.id:educationProviderInfo
151
+ - SAML FriendlyName: mpassEducationProviderInfo
152
+ - Type: Multi (`Array<String>`)
154
153
 
155
- The municipality codes of the authenticated user.
154
+ Information about the educational provider, each value contains multiple fields
155
+ separated with a semicolon (`;`) character.
156
156
 
157
- See:
157
+ For instance `1.2.246.562.10.494695390410;Virallinen nimi`.
158
158
 
159
- http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
159
+ The description of the fields:
160
160
 
161
- #### `:municipality_name`
161
+ 1. The educational provider's OID as specified at the link below (`KOULUTUSTOIMIJA`)
162
+ 2. The educational provider's name as specified at the link below
162
163
 
163
- - SAML URI: one of the following (first found attribute)
164
- * urn:mpass.id:municipality
165
- * urn:educloudalliance.org:municipality
166
- - SAML FriendlyName: one of the following (first found attribute)
167
- * N/A
168
- * ecaMunicipality
169
- - Type: Multi (`Array`)
164
+ The OIDs and information for these OIDs can be found from:
170
165
 
171
- The human-readable names of the municipalities of the authenticated user.
166
+ https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
172
167
 
173
- #### `:school_code`
168
+ #### `:school_info`
174
169
 
175
- - SAML URI: urn:mpass.id:municipalityCode
176
- - SAML FriendlyName: N/A
177
- - Type: Multi (`Array`)
170
+ - SAML URI: urn:mpass.id:schoolInfo
171
+ - SAML FriendlyName: mpassSchoolInfo
172
+ - Type: Multi (`Array<String>`)
173
+
174
+ Information about the school, each value contains multiple fields separated with
175
+ a semicolon (`;`) character.
176
+
177
+ The values are provided in both of the following formats as separate values:
178
+
179
+ - `30076;Mansikkalan testi peruskoulu`
180
+ - `1.2.246.562.99.00000000002;Mansikkalan testi peruskoulu`
178
181
 
179
- The school codes of the authenticated user.
182
+ ##### First format
180
183
 
181
- See (JSON format):
184
+ The first value format specifies the national educational institution code as
185
+ the first column separated with a semicolon (`;`) as specified at the national
186
+ educational institution registry.
182
187
 
183
188
  For the list of codes, see:
184
189
 
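Review bot: four keys are removed here without any migration note (`:municipality_code`, `:municipality_name`, `:school_code`, `:school_name`, with `:provider_info` and `:school_info` replacing them); a one-line mapping from old key to new key near the top of this section, or a CHANGELOG entry, would save integrators from discovering the removal at runtime. For `:school_info`, the text says both formats arrive as separate values, so also state how a consumer should tell them apart: the first column is either a five-digit institution code (`30076`) or a dotted OID (`1.2.246.562.99.00000000002`).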
@@ -189,37 +194,57 @@ An example for a single school code (04647), JSON format:
189
194
 
190
195
  https://virkailija.opintopolku.fi/koodisto-service/rest/codeelement/oppilaitosnumero_04647
191
196
 
192
- #### `:school_name`
197
+ ##### Second format
193
198
 
194
- - SAML URI: urn:mpass.id:school
195
- - SAML FriendlyName: school
196
- - Type: Multi (`Array`)
199
+ The second value format specifies the OID of the educational institution as
200
+ the first column separated with a semicolon (`;`). These values are specified
201
+ at (filter with `OPPILAITOS`):
197
202
 
198
- The human-readable names of the schools of the authenticated user.
203
+ https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
199
204
 
200
- #### `:class`
205
+ #### `:class_level`
201
206
 
202
- - SAML URI: one of the following (first found attribute)
203
- * urn:mpass.id:class
204
- * urn:educloudalliance.org:group
205
- - SAML FriendlyName: one of the following (first found attribute)
206
- * N/A
207
- * ecaGroup
208
- - Type: Multi (`Array`)
207
+ - SAML URI: urn:mpass.id:classLevel
208
+ - SAML FriendlyName: N/A
209
+ - Type: Single (`String`)
210
+
211
+ The class level information (0-10) of the authenticated user.
209
212
 
210
- The class/group-information of the authenticated user.
213
+ For instance 8 or 3.
211
214
 
212
- For instance: 8A or 3B.
215
+ For further information, see:
213
216
 
214
- #### `:class_level`
217
+ https://www.stat.fi/meta/kas/vuosiluokka.html
218
+
219
+ This information is available for pre-primary education and comprehensive
220
+ education students.
221
+
222
+ This information is not available for secondary level students (upper secondary
223
+ education or vocational education).
224
+
225
+ #### `:learning_materials_charge`
215
226
 
216
227
  - SAML URI: urn:mpass.id:classLevel
217
228
  - SAML FriendlyName: N/A
218
- - Type: Multi (`Array`)
229
+ - Type: Multi (`Array<String>`)
219
230
 
220
- The class/level-information of the authenticated user.
231
+ Specifies for secondary level education pupils whether their learning materials
232
+ are paid or not, each value contains multiple fields separated with a semicolon
233
+ (`;`) character.
221
234
 
222
- For instance 8 or 3.
235
+ The values are provided in both of the following formats as separate values:
236
+
237
+ - `0;00000`
238
+ - `0;1.2.246.562.99.00000000003`
239
+
240
+ Similarly to the `:school_info` field, the values are provided with the national
241
+ educational institution code as well as the educational institution's OID.
242
+
243
+ The first column specifies the value for the field which is explained as
244
+ follows:
245
+
246
+ - `0` = Learning material is free for the pupil
247
+ - `1` = Learning material is paid for the pupil
223
248
 
224
249
  #### `:role`
225
250
 
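Review bot: under the new heading `#### `:learning_materials_charge`` the unchanged context lines still read `- SAML URI: urn:mpass.id:classLevel` and `- SAML FriendlyName: N/A`; they belonged to the old `:class_level` section and are now wrong, since the strategy maps this key to `urn:mpass.id:learningMaterialsCharge` with friendly name `mpassLearningMaterialsCharge` (see the request_attributes hunk below). The new `:class_level` section has the same drift in the other direction: it lists `SAML FriendlyName: N/A` while the request attribute is declared with `friendly_name: 'mpassClassLevel'`.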
@@ -229,33 +254,34 @@ For instance 8 or 3.
229
254
  - SAML FriendlyName: one of the following (first found attribute)
230
255
  * N/A
231
256
  * ecaStructuredRole
232
- - Type: Multi (`Array`)
257
+ - Type: Multi (`Array<String>`)
233
258
 
234
259
  The roles of the user in four parts, divided with a semicolon (;) character.
235
260
  First municipality, followed by school code, group and role in the group.
236
261
 
237
- For instance Helsinki;32132;9A;Oppilas.
262
+ For instance `1.2.246.562.99.00000000001;00000;1A;Oppilas;1;1.2.246.562.99.00000000003;`.
238
263
 
239
- #### `:role_name` (undocumented)
264
+ Each value consists of the following fields:
240
265
 
241
- - SAML URI: urn:educloudalliance.org:role
242
- - SAML FriendlyName: ecaRole
243
- - Type: Multi (`Array`)
266
+ 1. Educational provider OID (e.g. `1.2.246.562.99.00000000001`)
267
+ 2. National educational institution code (e.g. `00000`)
268
+ 3. Class or group information of the pupil (e.g. `1A`)
269
+ 4. Role of the user (e.g. `Oppilas`)
270
+ 5. Role code of the user (e.g. `1`)
271
+ 6. Educational institution OID (e.g. `1.2.246.562.99.00000000003`)
272
+ 7. The office / branch OID (similar format as other OIDs, can be also empty)
244
273
 
245
- NOTE: This attribute is undocumented by MPASSid.
274
+ The OIDs for the educational provider (`KOULUTUSTOIMIJA`), educational
275
+ institution (`OPPILAITOS`) and office / branch (`TOIMIPISTE`) can be found from:
246
276
 
247
- The human readable names of the role (in Finnish).
277
+ https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
248
278
 
249
- For instance Oppilas.
250
-
251
- #### `:funet_person_learner_id` (undocumented)
279
+ #### `:learner_id`
252
280
 
253
281
  - SAML URI: urn:oid:1.3.6.1.4.1.16161.1.1.27
254
- - SAML FriendlyName: N/A
282
+ - SAML FriendlyName: learnerId
255
283
  - Type: Single (`String`)
256
284
 
257
- NOTE: This attribute is undocumented by MPASSid.
258
-
259
285
  11-digit identifier, which may be used to identify a person while storing,
260
286
  managing or transferring personal data.
261
287
 
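Review bot: the retained lead paragraph `The roles of the user in four parts ... First municipality, followed by school code, group and role in the group.` contradicts the seven-field list added directly below it (field 1 is the educational provider OID, not a municipality); rewrite it to "seven parts" and drop the municipality wording. The example also ends with a trailing `;` because field 7 can be empty, and Ruby's `String#split(';')` discards trailing empty strings, so note that consumers should use `split(';', -1)` (or index by position) to keep a stable seven-element array.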
@@ -263,6 +289,14 @@ See:
263
289
 
264
290
  https://wiki.eduuni.fi/display/CSCHAKA/funetEduPersonSchema2dot2#funetEduPersonSchema2dot2-funetEduPersonLearnerId
265
291
 
292
+ #### `:original_issuer`
293
+
294
+ Information about the user's home organization that is relying the information
295
+ to MPASSid. This information is added by the Finnish National Agency for
296
+ Education.
297
+
298
+ For instance `1.2.246.562.99.00000000001`.
299
+
266
300
  ## License
267
301
 
268
302
  MIT, see [LICENSE](LICENSE).
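Review bot: the new `#### `:original_issuer`` section lacks the `SAML URI` / `SAML FriendlyName` / `Type` bullets every other section has; from the strategy hunks below they are `urn:mpass.id:originalIssuer`, `originalIssuer` and Single (`String`). In the description, "relying the information to MPASSid" should read "relaying the information to MPASSid", and the example OID `1.2.246.562.99.00000000001` differs from the strategy comment's `1.2.246.562.10.00000000000`; pick one so readers can tell which branch of the OID tree an issuer lives in.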
@@ -10,6 +10,12 @@ module OmniAuth
10
10
  # :test - MPASSid test environment
11
11
  option :mode, :production
12
12
 
13
+ # The certificate file to define the certificate.
14
+ option :certificate_file, nil
15
+
16
+ # The private key file to define the private key.
17
+ option :private_key_file, nil
18
+
13
19
  # Defines the lang parameters to check from the request phase request
14
20
  # parameters. A valid language will be added to the IdP sign in redirect
15
21
  # URL as the last parameter (with the name `lang` as expected by
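Review bot: the comments on the two new options are tautological (`The certificate file to define the certificate.`); document what they actually are: paths read with `File.read` in the private `certificate` / `private_key` helpers below, used to sign outgoing AuthnRequests (`authn_requests_signed`) and to decrypt encrypted assertions, and that leaving either `nil` silently disables request signing in `initialize`. None of the README hunks in this diff mention these options, so a README paragraph is needed as well.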
@@ -33,44 +39,41 @@ module OmniAuth
33
39
 
34
40
  # The request attributes for MPASSid
35
41
  option :request_attributes, [
36
- # The unique identifier of the authenticated user. Currently recommended
37
- # identifier for identifying the user. NOTE: will change if the user
38
- # moves to another user registry.
39
- # (single value)
40
- {
41
- name: 'urn:mpass.id:uid',
42
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
43
- friendly_name: 'mpassUsername'
44
- },
45
- # Funet EDU person learner ID
42
+ # The last/family name of the user.
46
43
  # (single value)
47
44
  {
48
- name: 'urn:oid:1.3.6.1.4.1.16161.1.1.27',
45
+ name: 'urn:oid:2.5.4.4',
49
46
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
50
- friendly_name: 'learnerId'
47
+ friendly_name: 'sn'
51
48
  },
52
- # The first/given name of the user.
49
+ # The given name of the user.
53
50
  # (single value)
54
51
  {
55
52
  name: 'urn:oid:2.5.4.42',
56
53
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
57
54
  friendly_name: 'givenName'
58
55
  },
59
- # All the first/given names of the user.
56
+ # The first name/nickname of the user (calling name / kutsumanimi).
60
57
  # (single value)
61
58
  {
62
- name: 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName',
59
+ name: 'urn:mpass.id:nickname',
63
60
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
64
- friendly_name: 'firstName'
61
+ friendly_name: 'nickname'
65
62
  },
66
- # The last/family name of the user.
63
+ # The unique identifier of the authenticated user. Currently recommended
64
+ # identifier for identifying the user. NOTE: will change if the user
65
+ # moves to another user registry.
67
66
  # (single value)
68
67
  {
69
- name: 'urn:oid:2.5.4.4',
68
+ name: 'urn:mpass.id:uid',
70
69
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
71
- friendly_name: 'sn'
70
+ friendly_name: 'mpassUsername'
72
71
  },
73
- # The school code of the authenticated user. See
72
+ # Combination of the school code and official name of the educational
73
+ # institution separated with semicolon.
74
+ # For instance: 30076;Mansikkalan testi peruskoulu AND 1.2.246.562.99.00000000002;Mansikkalan testi peruskoulu
75
+ #
76
+ # Contains the school code of the authenticated user. See
74
77
  # https://virkailija.opintopolku.fi/koodisto-service/rest/json/oppilaitosnumero/koodi
75
78
  # (JSON format)
76
79
  # https://virkailija.opintopolku.fi/koodisto-service/rest/oppilaitosnumero/koodi
@@ -79,93 +82,77 @@ module OmniAuth
79
82
  # https://virkailija.opintopolku.fi/koodisto-service/rest/codeelement/oppilaitosnumero_04647
80
83
  # for school code 04647.
81
84
  # (multi value)
82
- {
83
- name: 'urn:mpass.id:schoolCode',
84
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
85
- friendly_name: 'mpassSchoolCode'
86
- },
87
- # The human-readable name of the school of the authenticated user.
88
- # (multi value)
89
- {
90
- name: 'urn:mpass.id:school',
91
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
92
- friendly_name: 'school'
93
- },
94
- # Combination of the school code and official name of the educational
95
- # institution separated with semicolon.
96
- # For instance: 00000;Tuntematon
85
+ #
86
+ # The OIDs for educational institution (`OPPILAITOS`) can be found from:
87
+ # https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
97
88
  {
98
89
  name: 'urn:mpass.id:schoolInfo',
99
90
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
100
91
  friendly_name: 'mpassSchoolInfo'
101
92
  },
102
- # The class/group-information of the authenticated user.
103
- # For instance: 8A or 3B.
104
- # (multi value)
105
- {
106
- name: 'urn:mpass.id:class',
107
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
108
- friendly_name: 'mpassClass'
109
- },
110
- {
111
- name: 'urn:educloudalliance.org:group',
112
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
113
- friendly_name: 'ecaGroup'
114
- },
115
93
  # The class/level-information of the authenticated user.
116
94
  # For instance 8 or 3.
117
- # (multi value)
95
+ # (single value)
118
96
  {
119
97
  name: 'urn:mpass.id:classLevel',
120
98
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
121
99
  friendly_name: 'mpassClassLevel'
122
100
  },
123
- # The role name of the user.
124
- # For instance Oppilas.
101
+ # The learning material charge.
102
+ # For instance 0;00000 AND 0;1.2.246.562.99.00000000003.
125
103
  # (multi value)
126
104
  {
127
- name: 'urn:educloudalliance.org:role',
105
+ name: 'urn:mpass.id:learningMaterialsCharge',
128
106
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
129
- friendly_name: 'ecaRole'
107
+ friendly_name: 'mpassLearningMaterialsCharge'
130
108
  },
131
109
  # The role of the user in four parts, divided with a semicolon (;)
132
110
  # character. First educational provider's organization OID, followed by
133
- # school code, group and role in the group.
134
- # For instance 1.2.246.562.10.12345678907;99900;7B;Oppilas.
111
+ # school code, group (e.g. the class), role in the group (e.g.
112
+ # "Oppilas"), the role code (e.g. "1"), the educational institution's
113
+ # OID and finally the office OID (can be undefined).
114
+ # For instance 1.2.246.562.99.00000000001;00000;1A;Oppilas;1;1.2.246.562.99.00000000003;
135
115
  # (multi value)
136
116
  #
137
- # The educational providers' organization OIDs can be found from:
138
- # https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
117
+ # The OIDs for educational providers (`KOULUTUSTOIMIJA`), educational
118
+ # institutions (`OPPILAITOS`) and offices/branches (`TOIMIPISTE`) can be
119
+ # found from:
120
+ # https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
121
+ #
122
+ # The test entries are in:
123
+ # https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V12_0__oppilaitosten_puuttuvat_koulutustoimijat.sql
139
124
  {
140
125
  name: 'urn:mpass.id:role',
141
126
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
142
127
  friendly_name: 'mpassRole'
143
128
  },
144
- # The educational provider's permanent organization OID.
145
- # (multi value)
146
- #
147
- # The educational providers' organization OIDs can be found from:
148
- # https://github.com/Opetushallitus/aitu/blob/master/ttk-db/resources/db/migration/V11_2__koulutustoimijat.sql
149
- {
150
- name: 'urn:mpass.id:educationProviderId',
151
- name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
152
- friendly_name: 'mpassEducationProviderOid'
153
- },
154
- # The educational provider's human-readable name.
155
- # (multi value)
129
+ # Funet EDU person learner ID
130
+ # (single value)
156
131
  {
157
- name: 'urn:mpass.id:educationProvider',
132
+ name: 'urn:oid:1.3.6.1.4.1.16161.1.1.27',
158
133
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
159
- friendly_name: 'mpassEducationProviderName'
134
+ friendly_name: 'learnerId'
160
135
  },
161
136
  # Combination of the education provider's organisation-OID and official
162
137
  # name. Separated by semicolon.
163
138
  # For instance: 1.2.246.562.10.494695390410;Virallinen nimi
164
139
  # (multi value)
140
+ #
141
+ # The OIDs for educational providers (`KOULUTUSTOIMIJA`) can be found
142
+ # from:
143
+ # https://virkailija.opintopolku.fi/organisaatio-service/swagger-ui/index.html
165
144
  {
166
145
  name: 'urn:mpass.id:educationProviderInfo',
167
146
  name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
168
147
  friendly_name: 'mpassEducationProviderInfo'
148
+ },
149
+ # The relaying organization for the information.
150
+ # For instance: 1.2.246.562.10.00000000000
151
+ # (single value)
152
+ {
153
+ name: 'urn:mpass.id:originalIssuer',
154
+ name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
155
+ friendly_name: 'originalIssuer'
169
156
  }
170
157
  ]
171
158
 
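Review bot: the `urn:mpass.id:role` comment still opens with `The role of the user in four parts` while the sentence that follows now enumerates seven (provider OID, school code, group, role, role code, institution OID, office OID); update the count. The `urn:mpass.id:originalIssuer` comment gives the example `1.2.246.562.10.00000000000` whereas the README section for `:original_issuer` uses `1.2.246.562.99.00000000001`; align the two.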
@@ -173,38 +160,43 @@ module OmniAuth
173
160
  # https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later
174
161
  option(
175
162
  :attribute_statements,
176
- # Given name or all first names (in case given name is not found)
177
- first_name: ['urn:oid:2.5.4.42', 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
178
- last_name: ['urn:oid:2.5.4.4'],
179
- # The education provider (e.g. municipality) of the person (literal format in Finnish)
180
- location: ['urn:mpass.id:educationProvider']
163
+ # First name/calling name or given name (in case first name/calling name is not found)
164
+ first_name: ['urn:mpass.id:nickname', 'urn:oid:2.5.4.42'],
165
+ last_name: ['urn:oid:2.5.4.4']
181
166
  )
182
167
 
183
168
  info do
184
169
  # Generate the full name to the info hash
185
170
  first_name = find_attribute_by(
186
171
  [
187
- 'urn:oid:2.5.4.42',
188
- 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'
172
+ 'urn:mpass.id:nickname',
173
+ 'urn:oid:2.5.4.42'
189
174
  ]
190
175
  )
191
176
  last_name = find_attribute_by(['urn:oid:2.5.4.4'])
192
177
  display_name = "#{first_name} #{last_name}".strip
193
- display_name = nil if display_name.length.zero?
178
+ display_name = nil if display_name.length.zero? # rubocop:disable Style/ZeroLengthPredicate
194
179
 
195
180
  found_attributes = [[:name, display_name]]
196
181
 
182
+ provider = find_attribute_by(['urn:mpass.id:educationProviderInfo'])
183
+ if provider
184
+ provider_parts = provider.split(';')
185
+ found_attributes << [:location, provider_parts[1]] if provider_parts[1]
186
+ end
187
+
197
188
  # Default functionality from omniauth-saml
198
189
  found_attributes += options.attribute_statements.map do |key, values|
199
190
  attribute = find_attribute_by(values)
200
- [key, attribute]
191
+ [key.to_sym, attribute]
201
192
  end
202
193
 
203
- Hash[found_attributes]
194
+ found_attributes.to_h
204
195
  end
205
196
 
206
197
  option(
207
198
  :security_settings,
199
+ authn_requests_signed: true,
208
200
  digest_method: XMLSecurity::Document::SHA256,
209
201
  signature_method: XMLSecurity::Document::RSA_SHA256
210
202
  )
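Review bot: `provider = find_attribute_by(['urn:mpass.id:educationProviderInfo'])` takes only the first value of an attribute that the `saml_attributes_map` below declares as `type: :multi`, so `info[:location]` silently reflects one provider for a user who belongs to several; either document that it is the first released provider or join the names. Separately, `display_name = nil if display_name.length.zero? # rubocop:disable Style/ZeroLengthPredicate` can drop the disable by writing `display_name = nil if display_name.empty?`, which is what the cop is asking for.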
@@ -215,43 +207,27 @@ module OmniAuth
215
207
  option(
216
208
  :saml_attributes_map,
217
209
  given_name: ['urn:oid:2.5.4.42'],
218
- first_names: ['urn:oid:2.5.4.42'],
210
+ first_name: ['urn:mpass.id:nickname'],
219
211
  last_name: ['urn:oid:2.5.4.4'],
220
- provider_id: {
221
- name: ['urn:mpass.id:educationProviderId'],
212
+ provider_info: {
213
+ name: ['urn:mpass.id:educationProviderInfo'],
222
214
  type: :multi
223
215
  },
224
- provider_name: {
225
- name: ['urn:mpass.id:educationProvider'],
216
+ school_info: {
217
+ name: ['urn:mpass.id:schoolInfo'],
226
218
  type: :multi
227
219
  },
228
- school_code: {
229
- name: ['urn:mpass.id:schoolCode'],
230
- type: :multi
231
- },
232
- school_name: {
233
- name: ['urn:mpass.id:school'],
234
- type: :multi
235
- },
236
- class: {
237
- name: ['urn:mpass.id:class', 'urn:educloudalliance.org:group'],
238
- type: :multi
239
- },
240
- class_level: {
241
- name: ['urn:mpass.id:classLevel'],
220
+ class_level: ['urn:mpass.id:classLevel'],
221
+ learning_materials_charge: {
222
+ name: ['urn:mpass.id:learningMaterialsCharge'],
242
223
  type: :multi
243
224
  },
244
225
  role: {
245
- name: ['urn:mpass.id:role', 'urn:educloudalliance.org:structuredRole'],
246
- type: :multi
247
- },
248
- role_name: {
249
- name: ['urn:educloudalliance.org:role'],
226
+ name: ['urn:mpass.id:role'],
250
227
  type: :multi
251
228
  },
252
- # Extra
253
- # Unique learner ID
254
- funet_person_learner_id: ['urn:oid:1.3.6.1.4.1.16161.1.1.27']
229
+ learner_id: ['urn:oid:1.3.6.1.4.1.16161.1.1.27'],
230
+ original_issuer: ['urn:mpass.id:originalIssuer']
255
231
  )
256
232
 
257
233
  # Defines the SAML attribute from which to determine the OmniAuth `uid`.
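Review bot: `role:` drops the `urn:educloudalliance.org:structuredRole` fallback, but the README `:role` section retained earlier in this diff still lists `- SAML FriendlyName: one of the following (first found attribute)` with `* ecaStructuredRole`; update those README bullets to the single `urn:mpass.id:role` / `mpassRole` pair. The `class_level` change from a `{ name:, type: :multi }` hash to a plain array matches the README's new "Single (`String`)" type, so that one is consistent.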
@@ -264,6 +240,9 @@ module OmniAuth
264
240
  # Add the SAML attributes to the extra hash for easier access.
265
241
  extra { {saml_attributes: saml_attributes} }
266
242
 
243
+ attr_accessor :options
244
+ attr_reader :mpassid_thread
245
+
267
246
  def initialize(app, *args, &block)
268
247
  super
269
248
 
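Review bot: `attr_accessor :options` adds a public writer for the strategy's options, yet nothing in this diff calls it; the background thread assigns `@options` directly. Since OmniAuth::Strategy already provides a reader, drop the writer so the merged security settings cannot be replaced from outside the strategy after initialization.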
@@ -271,15 +250,19 @@ module OmniAuth
271
250
  # fetched from the metadata. The options array is the one that gets
272
251
  # priority in case it overrides some of the metadata or locally defined
273
252
  # option values.
274
- @options = OmniAuth::Strategy::Options.new(
275
- mpassid_options.merge(options)
276
- )
253
+ @mpassid_thread = Thread.new do
254
+ @options = OmniAuth::Strategy::Options.new(
255
+ mpassid_options.merge(options)
256
+ )
257
+ options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]
258
+ end
277
259
  end
278
260
 
279
261
  # Override the request phase to be able to pass the lang parameter to
280
262
  # the redirect URL. Note that this needs to be the last parameter to
281
263
  # be passed to the redirect URL.
282
264
  def request_phase
265
+ mpassid_thread.join if mpassid_thread.alive?
283
266
  authn_request = OneLogin::RubySaml::Authrequest.new
284
267
  lang = lang_for_authn_request
285
268
 
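Review bot: building `@options` inside `Thread.new` introduces a race: only `request_phase` waits for it (`mpassid_thread.join if mpassid_thread.alive?`), so any other code path that reads `options` before the thread finishes sees the pre-merge options. Worse, the `if mpassid_thread.alive?` guard means that if the thread has already died from an exception (metadata fetch failure, unreadable key file), `join` is skipped and the error is swallowed while `@options` stays unmerged; call `join` unconditionally (it re-raises the thread's exception) or replace the thread with a memoized, mutex-guarded lazy build. Also, `options[:security][:authn_requests_signed] = false unless options[:certificate] && options[:private_key]` downgrades request signing silently; log a warning through `OmniAuth.logger` so a missing key file does not go unnoticed in production.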
@@ -314,6 +297,14 @@ module OmniAuth
314
297
 
315
298
  private
316
299
 
300
+ def certificate
301
+ File.read(options.certificate_file) if options.certificate_file
302
+ end
303
+
304
+ def private_key
305
+ File.read(options.private_key_file) if options.private_key_file
306
+ end
307
+
317
308
  def idp_metadata_url
318
309
  case options.mode
319
310
  when :test
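Review bot: `File.read(options.certificate_file)` raises `Errno::ENOENT` for a bad path, and because these helpers run inside the background thread the failure only surfaces at `join` (or not at all, see the `alive?` guard above); validate both paths eagerly in `initialize` so a misconfigured deployment fails at boot. Consider also accepting the PEM contents directly (the settings keys below are already `certificate` / `private_key`) so the key can be injected from a secret manager without being written to disk.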
@@ -337,10 +328,16 @@ module OmniAuth
337
328
  sso_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
338
329
  )
339
330
 
331
+ # Local certificate and private key to decrypt the responses
332
+ settings[:certificate] = certificate
333
+ settings[:private_key] = private_key
334
+
340
335
  # Define the security settings as there are some defaults that need to be
341
336
  # modified
342
337
  security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
343
- settings[:security] = security_defaults.merge(options.security_settings)
338
+ settings[:security] = security_defaults.merge(
339
+ options.security_settings.to_h.transform_keys(&:to_sym)
340
+ )
344
341
 
345
342
  settings
346
343
  end
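Review bot: the comment `Local certificate and private key to decrypt the responses` understates what the key does: with `authn_requests_signed: true` in `security_settings` the same private key also signs every outgoing AuthnRequest, so say "to sign AuthnRequests and decrypt encrypted assertions". The `to_h.transform_keys(&:to_sym)` normalization is correct, since `security_defaults` is keyed by symbols and the OmniAuth options object yields string keys.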
@@ -357,7 +354,7 @@ module OmniAuth
357
354
 
358
355
  value = definition[:name].map do |key|
359
356
  @attributes.public_send(definition[:type], key)
360
- end.reject(&:nil?).first
357
+ end.compact.first
361
358
 
362
359
  attrs[target] = value
363
360
  end
@@ -17,14 +17,14 @@ module OmniAuth
17
17
  cert = OpenSSL::X509::Certificate.new
18
18
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
19
19
  cert.not_before = Time.now
20
- cert.not_after = Time.now + 365 * 24 * 60 * 60
20
+ cert.not_after = Time.now + (365 * 24 * 60 * 60)
21
21
  cert.public_key = public_key
22
22
  cert.serial = 0x0
23
23
  cert.version = 2
24
24
 
25
25
  inject_certificate_extensions(cert)
26
26
 
27
- cert.sign(private_key, OpenSSL::Digest::SHA1.new)
27
+ cert.sign(private_key, OpenSSL::Digest.new('SHA1'))
28
28
 
29
29
  cert
30
30
  end
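Review bot: the generated certificate is still signed with SHA-1 (`cert.sign(private_key, OpenSSL::Digest.new('SHA1'))`); only the constructor form changed. The strategy pins `XMLSecurity::Document::SHA256` / `RSA_SHA256` for XML signatures, so use `OpenSSL::Digest.new('SHA256')` here too. The retained `cert.serial = 0x0` is also worth fixing while here, since RFC 5280 requires a positive serial number.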
@@ -10,7 +10,7 @@ module OmniAuth
10
10
  end
11
11
 
12
12
  def self.signed_xml(raw_xml_file, opts)
13
- raw_xml = IO.read(raw_xml_file)
13
+ raw_xml = File.read(raw_xml_file)
14
14
  signed_xml_from_string(raw_xml, opts)
15
15
  end
16
16
 
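Review bot: this is more than a style swap and deserves a line in the commit message: `IO.read` treats a path that starts with `|` as a command to run, whereas `File.read` only opens files, so switching to `File.read` removes that footgun from `signed_xml`.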
@@ -2,6 +2,6 @@
2
2
 
3
3
  module OmniAuth
4
4
  module MPASSid
5
- VERSION = '0.5.0'
5
+ VERSION = '0.6.0'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-mpassid
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Antti Hukkanen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-01-09 00:00:00.000000000 Z
11
+ date: 2024-01-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth-saml
@@ -133,7 +133,8 @@ files:
133
133
  homepage: https://github.com/mainio/omniauth-mpassid
134
134
  licenses:
135
135
  - MIT
136
- metadata: {}
136
+ metadata:
137
+ rubygems_mfa_required: 'true'
137
138
  post_install_message:
138
139
  rdoc_options: []
139
140
  require_paths:
@@ -142,14 +143,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
142
143
  requirements:
143
144
  - - ">="
144
145
  - !ruby/object:Gem::Version
145
- version: '0'
146
+ version: '2.5'
146
147
  required_rubygems_version: !ruby/object:Gem::Requirement
147
148
  requirements:
148
149
  - - ">="
149
150
  - !ruby/object:Gem::Version
150
151
  version: '0'
151
152
  requirements: []
152
- rubygems_version: 3.0.3
153
+ rubygems_version: 3.2.33
153
154
  signing_key:
154
155
  specification_version: 4
155
156
  summary: Provides an MPASSid strategy for OmniAuth.
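Review bot: the new `required_ruby_version` floor of `'2.5'` is consistent with the code, since `Hash#transform_keys` used in `mpassid_options` only exists from Ruby 2.5 onward; note in the CHANGELOG that 0.6.0 drops older rubies, and consider whether a still-supported Ruby series would be a more realistic floor for a gem that handles authentication.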