omniauth-mpassid 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0ee0bd0d81ad7593a430bdb8ee94ab733d7b396231ac284b7b99b1914d28ff84
+  data.tar.gz: 6e1ef387f6e6f96e8557ced45f60817f8bb6536f7b2e53d5a1da471b82041829
+SHA512:
+  metadata.gz: e4c92ca00791f451b3a86cd8415abd1b45876e3c1515e0d4b6c038a4b293da544ffebef5b43e2c068af8991d3d22384454453b1e3b2f596f2cf129fc41148634
+  data.tar.gz: cf982a1632ee51213463d30ac7d4c1d8f6c06d6e7a499004840b84f85ae731eac46add9d13280953009f1a7294af7659a2b136e8a7bb0975c19d04d6f1f9388b

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2019 Mainio Tech Ltd.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,268 @@
+# OmniAuth MPASSid (SAML 2.0)
+
+[![Build Status](https://travis-ci.com/mainio/omniauth-mpassid.svg?branch=master)](https://travis-ci.com/mainio/omniauth-mpassid)
+[![codecov](https://codecov.io/gh/mainio/omniauth-mpassid/branch/master/graph/badge.svg)](https://codecov.io/gh/mainio/omniauth-mpassid)
+
+This is an unofficial OmniAuth strategy for authenticating with the MPASSid
+identification service used by comprehensive schools and secondary education
+facilities in Finland. This gem is mostly a configuration wrapper around
+[`omniauth-saml`](https://github.com/omniauth/omniauth-saml) which uses
+[`ruby-saml`](https://github.com/onelogin/ruby-saml) for SAML 2.0 based
+authentication implementation with identity providers, such as MPASSid.
+
+The gem can be used to hook Ruby/Rails applications to the MPASSid
+identification service. It does not provide any strong authorization features
+out of the box, as it does not know anything about the application users, but
+those can be implemented using this gem and the data provided by the MPASSid
+identification responses.
+
+The gem has been developed by [Mainio Tech](https://www.mainiotech.fi/).
+
+The development has been sponsored by the
+[City of Helsinki](https://www.hel.fi/).
+
+The MPASSid service is owned by the Ministry of the Education and Culture in
+Finland and operated by CSC - Tieteen tietotekniikan keskus Oy. Neither of these
+parties are related to this gem in any way, nor do they provide technical
+support for it. Please contact the gem maintainers in case you find any issues
+with it.
+
+## Preparation
+
+In order to start using the MPASSid authentication endpoints, you will need to
+send a join request to the MPASSid operator for them to configure the identity
+provider server for your service. Please refer to the MPASSid documentation on
+how to join the service:
+
+https://wiki.eduuni.fi/display/CSCMPASSID/Testipalveluun+liittyminen
+
+Follow the instructions for the SAML2 protocol.
+
+The details that you need to send to MPASSid are similar to the following
+information (apply to your service's domain) for non-Rails+Devise applications:
+
+- SAML2 entity ID: https://www.service.fi/auth/mpassid/metadata
+- Callback URL (ACS): https://www.service.fi/auth/mpassid/callback
+
+### Rails and Devise
+
+When applying this gem to Rails and Devise, the URLs can also include a path
+prefix to separate the scope of the authentication requests. For example, if
+you are using a `:user` scope with Devise, the URLs would look like following:
+
+- SAML2 entity ID: https://www.service.fi/users/auth/mpassid/metadata
+- Callback URL (ACS): https://www.service.fi/users/auth/mpassid/callback
+
+## Installation and Configuration
+
+This gem has been only tested and used with Rails applications using Devise, so
+this installation guide only covers that part. In case you are interested to
+learn how you can use this with other frameworks, please refer to the
+[`omniauth-saml`](https://github.com/omniauth/omniauth-saml) documentation and
+apply it to your needs (changing the strategy name to `:mpassid` and strategy
+class to `OmniAuth::Strategies::MPASSid`).
+
+To install this gem, add the following to your Gemfile:
+
+```ruby
+gem 'omniauth-mpassid'
+```
+
+For configuring the strategy for Devise, add the following in your
+`config/initializers/devise.rb` file:
+
+```ruby
+Devise.setup do |config|
+  config.omniauth :mpassid,
+    # The mode needs to be either :production or :test depending on which
+    # MPASSid enviroment you want to hook into. Please note that you will need
+    # to complete the preparation phases even for the test environment.
+    mode: :test, # :production (default, can be omitted) or :test
+    # The service provider entity ID that needs to match the ID you have sent to
+    # the MPASSid operator with your joining request.
+    sp_entity_id: 'https://www.service.fi/auth/mpassid/metadata'
+end
+```
+
+## Identification Responses
+
+The user's data is transmitted from MPASSid in the SAML authentication
+response. This data will be available in the OmniAuth
+[extra hash](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later).
+
+In order to access the response data, you can fetch the OmniAuth extra has and
+the corresponding user data in the OmniAuth callback handler, e.g. in Rails
+Devise controllers as follows:
+
+```ruby
+def saml_attributes
+  raw_hash = request.env["omniauth.auth"]
+  extra_hash = raw_hash[:extra]
+
+  extra_hash[:saml_attributes]
+end
+```
+
+### Personal Information Transmitted From MPASSid
+
+The user's personal information transmitted from MPASSid can be found under
+the `:saml_attributes` key in the OmniAuth extra hash described above.
+
+This attributes hash will contain the keys described in this following
+sub-sections. The keys marked as `(undocumented)` are not described in the
+MPASSid's own documentation but are available at least in some SAML responses.
+
+See also the MPASSid data models documentation for more information:
+
+https://wiki.eduuni.fi/display/CSCMPASSID/Data+models
+
+The attributes can be either single or multi type defining whether they can
+have a single or multiple values. The single type values are strings and multi
+type values are arrays of string when the value exists in the SAML response.
+When the value was not returned from the identity provider's endpoint, the value
+is `nil` for both types.
+
+#### `:given_name`
+
+- SAML URI: urn:oid:2.5.4.42
+- SAML FriendlyName: givenName
+- Type: Single (`String`)
+
+The first/given name of the user.
+
+#### `:first_names`
+
+- SAML URI: http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName
+- SAML FriendlyName: firstName
+- Type: Single (`String`)
+
+All the first/given names of the user.
+
+#### `:last_name`
+
+- SAML URI: urn:oid:2.5.4.4
+- SAML FriendlyName: sn
+- Type: Single (`String`)
+
+The last/family name of the user.
+
+#### `:municipality_code`
+
+- SAML URI: urn:mpass.id:municipalityCode
+- SAML FriendlyName: municipalityCode
+- Type: Multi (`Array`)
+
+The municipality codes of the authenticated user.
+
+See:
+
+http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
+
+#### `:municipality_name`
+
+- SAML URI: one of the following (first found attribute)
+  * urn:mpass.id:municipality
+  * urn:educloudalliance.org:municipality
+- SAML FriendlyName: one of the following (first found attribute)
+  * N/A
+  * ecaMunicipality
+- Type: Multi (`Array`)
+
+The human-readable names of the municipalities of the authenticated user.
+
+#### `:school_code`
+
+- SAML URI: urn:mpass.id:municipalityCode
+- SAML FriendlyName: N/A
+- Type: Multi (`Array`)
+
+The school codes of the authenticated user.
+
+See (JSON format):
+
+For the list of codes, see:
+
+- JSON format: https://virkailija.opintopolku.fi/koodisto-service/rest/json/oppilaitosnumero/koodi
+- XML format: https://virkailija.opintopolku.fi/koodisto-service/rest/oppilaitosnumero/koodi
+
+An example for a single school code (04647), JSON format:
+
+https://virkailija.opintopolku.fi/koodisto-service/rest/codeelement/oppilaitosnumero_04647
+
+#### `:school_name`
+
+- SAML URI: urn:mpass.id:school
+- SAML FriendlyName: school
+- Type: Multi (`Array`)
+
+The human-readable names of the schools of the authenticated user.
+
+#### `:class`
+
+- SAML URI: one of the following (first found attribute)
+  * urn:mpass.id:class
+  * urn:educloudalliance.org:group
+- SAML FriendlyName: one of the following (first found attribute)
+  * N/A
+  * ecaGroup
+- Type: Multi (`Array`)
+
+The class/group-information of the authenticated user.
+
+For instance: 8A or 3B.
+
+#### `:class_level`
+
+- SAML URI: urn:mpass.id:classLevel
+- SAML FriendlyName: N/A
+- Type: Multi (`Array`)
+
+The class/level-information of the authenticated user.
+
+For instance 8 or 3.
+
+#### `:role`
+
+- SAML URI: one of the following (first found attribute)
+  * urn:mpass.id:role
+  * urn:educloudalliance.org:structuredRole
+- SAML FriendlyName: one of the following (first found attribute)
+  * N/A
+  * ecaStructuredRole
+- Type: Multi (`Array`)
+
+The roles of the user in four parts, divided with a semicolon (;) character.
+First municipality, followed by school code, group and role in the group.
+
+For instance Helsinki;32132;9A;Oppilas.
+
+#### `:role_name` (undocumented)
+
+- SAML URI: urn:educloudalliance.org:role
+- SAML FriendlyName: ecaRole
+- Type: Multi (`Array`)
+
+NOTE: This attribute is undocumented by MPASSid.
+
+The human readable names of the role (in Finnish).
+
+For instance Oppilas.
+
+#### `:funet_person_learner_id` (undocumented)
+
+- SAML URI: urn:oid:1.3.6.1.4.1.16161.1.1.27
+- SAML FriendlyName: N/A
+- Type: Single (`String`)
+
+NOTE: This attribute is undocumented by MPASSid.
+
+11-digit identifier, which may be used to identify a person while storing,
+managing or transferring personal data.
+
+See:
+
+https://wiki.eduuni.fi/display/CSCHAKA/funetEduPersonSchema2dot2#funetEduPersonSchema2dot2-funetEduPersonLearnerId
+
+## License
+
+MIT, see [LICENSE](LICENSE).

data/Rakefile

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'rspec/core/rake_task'
+
+# Run all tests, with coverage report
+RSpec::Core::RakeTask.new(:coverage) do |t|
+  ENV['CODECOV'] = '1'
+  t.verbose = false
+end
+
+# Run all tests, include all
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.verbose = false
+end
+
+# Default
+task default: :coverage

data/lib/omniauth/strategies/mpassid.rb

@@ -0,0 +1,309 @@
+# frozen_string_literal: true
+
+require 'omniauth-saml'
+
+module OmniAuth
+  module Strategies
+    class MPASSid < SAML
+      # Mode:
+      # :production - MPASSid production environment
+      # :test - MPASSid test environment
+      option :mode, :production
+
+      # The request attributes for MPASSid
+      option :request_attributes, [
+        # The unique identifier of the authenticated user. Currently recommended
+        # identifier for identifying the user. NOTE: will change if the user
+        # moves to another user registry.
+        # (single value)
+        {
+          name: 'urn:mpass.id:uid',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        # Funet EDU person learner ID
+        # (single value)
+        {
+          name: 'urn:oid:1.3.6.1.4.1.16161.1.1.27',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        # The first/given name of the user.
+        # (single value)
+        {
+          name: 'urn:oid:2.5.4.42',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'givenName'
+        },
+        # All the first/given names of the user.
+        # (single value)
+        {
+          name: 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'firstName'
+        },
+        # The last/family name of the user.
+        # (single value)
+        {
+          name: 'urn:oid:2.5.4.4',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'sn'
+        },
+        # The municipality code of the authenticated user. See
+        # http://tilastokeskus.fi/meta/luokitukset/kunta/001-2017/index.html
+        # for mappings in Finland.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:municipalityCode',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'municipalityCode'
+        },
+        # The human-readable name of the municipality of the authenticated user.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:municipality',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        {
+          name: 'urn:educloudalliance.org:municipality',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'ecaMunicipality'
+        },
+        # The school code of the authenticated user. See
+        # https://virkailija.opintopolku.fi/koodisto-service/rest/json/oppilaitosnumero/koodi
+        # (JSON format)
+        # https://virkailija.opintopolku.fi/koodisto-service/rest/oppilaitosnumero/koodi
+        # (XML format)
+        # for the mappings in Finland. For example,
+        # https://virkailija.opintopolku.fi/koodisto-service/rest/codeelement/oppilaitosnumero_04647
+        # for school code 04647.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:schoolCode',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        # The human-readable name of the school of the authenticated user.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:school',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'school'
+        },
+        # The class/group-information of the authenticated user.
+        # For instance: 8A or 3B.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:class',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        {
+          name: 'urn:educloudalliance.org:group',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'ecaGroup'
+        },
+        # The class/level-information of the authenticated user.
+        # For instance 8 or 3.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:classLevel',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        # The role name of the user.
+        # For instance Oppilas.
+        # (multi value)
+        {
+          name: 'urn:educloudalliance.org:role',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'ecaRole'
+        },
+        # The role of the user in four parts, divided with a semicolon (;)
+        # character. First municipality, followed by school code, group and role
+        # in the group.
+        # For instance Helsinki;32132;9A;Oppilas.
+        # (multi value)
+        {
+          name: 'urn:mpass.id:role',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'
+        },
+        {
+          name: 'urn:educloudalliance.org:structuredRole',
+          name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+          friendly_name: 'ecaStructuredRole'
+        }
+      ]
+
+      # Maps the SAML attributes to OmniAuth info schema:
+      # https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later
+      option(
+        :attribute_statements,
+        # Given name or all first names (in case given name is not found)
+        first_name: ['urn:oid:2.5.4.42', 'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
+        last_name: ['urn:oid:2.5.4.4'],
+        # The municipality of the person (literal format in Finnish)
+        location: ['urn:mpass.id:municipality', 'urn:educloudalliance.org:municipality']
+      )
+
+      info do
+        # Generate the full name to the info hash
+        first_name = find_attribute_by(
+          [
+            'urn:oid:2.5.4.42',
+            'http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'
+          ]
+        )
+        last_name = find_attribute_by(['urn:oid:2.5.4.4'])
+        display_name = "#{first_name} #{last_name}".strip
+        display_name = nil if display_name.length.zero?
+
+        found_attributes = [[:name, display_name]]
+
+        # Default functionality from omniauth-saml
+        found_attributes += options.attribute_statements.map do |key, values|
+          attribute = find_attribute_by(values)
+          [key, attribute]
+        end
+
+        Hash[found_attributes]
+      end
+
+      option(
+        :security_settings,
+        digest_method: XMLSecurity::Document::SHA256,
+        signature_method: XMLSecurity::Document::RSA_SHA256
+      )
+
+      # The attribute key maps to the SAML URIs so that we have more descriptive
+      # attribute keys available for use. These will be mapped to the OmniAuth
+      # `extra` information hash under the `:saml_attributes` key.
+      option(
+        :saml_attributes_map,
+        given_name: ['urn:oid:2.5.4.42'],
+        first_names: ['http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName'],
+        last_name: ['urn:oid:2.5.4.4'],
+        municipality_code: {
+          name: ['urn:mpass.id:municipalityCode'],
+          type: :multi
+        },
+        municipality_name: {
+          name: ['urn:mpass.id:municipality', 'urn:educloudalliance.org:municipality'],
+          type: :multi
+        },
+        school_code: {
+          name: ['urn:mpass.id:schoolCode'],
+          type: :multi
+        },
+        school_name: {
+          name: ['urn:mpass.id:school'],
+          type: :multi
+        },
+        class: {
+          name: ['urn:mpass.id:class', 'urn:educloudalliance.org:group'],
+          type: :multi
+        },
+        class_level: {
+          name: ['urn:mpass.id:classLevel'],
+          type: :multi
+        },
+        role: {
+          name: ['urn:mpass.id:role', 'urn:educloudalliance.org:structuredRole'],
+          type: :multi
+        },
+        role_name: {
+          name: ['urn:educloudalliance.org:role'],
+          type: :multi
+        },
+        # Extra (undocumented)
+        funet_person_learner_id: ['urn:oid:1.3.6.1.4.1.16161.1.1.27']
+      )
+
+      # Defines the SAML attribute from which to determine the OmniAuth `uid`.
+      # NOTE:
+      # In case the user moves to another user registry, this will change.
+      # However, there is no other unique identifier passed along the SAML
+      # attributes that we could rely on, so this is the best bet.
+      option :uid_attribute, 'urn:mpass.id:uid'
+
+      # Add the SAML attributes to the extra hash for easier access.
+      extra { {saml_attributes: saml_attributes} }
+
+      def initialize(app, *args, &block)
+        super
+
+        # Add the MPASSid options to the local options, most of which are
+        # fetched from the metadata. The options array is the one that gets
+        # priority in case it overrides some of the metadata or locally defined
+        # option values.
+        @options = OmniAuth::Strategy::Options.new(
+          mpassid_options.merge(options)
+        )
+      end
+
+      # This method can be used externally to fetch information about the
+      # response, e.g. in case of failures.
+      def response_object
+        return nil unless request.params['SAMLResponse']
+
+        with_settings do |settings|
+          response = OneLogin::RubySaml::Response.new(
+            request.params['SAMLResponse'],
+            options_for_response_object.merge(settings: settings)
+          )
+          response.attributes['fingerprint'] = settings.idp_cert_fingerprint
+          response
+        end
+      end
+
+    private
+
+      def idp_metadata_url
+        case options.mode
+        when :test
+          'https://mpass-proxy-test.csc.fi/idp/shibboleth'
+        else
+          'https://mpass-proxy.csc.fi/idp/shibboleth'
+        end
+      end
+
+      def mpassid_options
+        idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+
+        # Returns OneLogin::RubySaml::Settings prepopulated with idp metadata
+        # We are using the redirect binding for the SSO and SLO URLs as these
+        # are the ones expected by omniauth-saml. Otherwise the default would be
+        # the first one defined in the IdP metadata, which would be the
+        # HTTP-POST binding.
+        settings = idp_metadata_parser.parse_remote_to_hash(
+          idp_metadata_url,
+          true,
+          sso_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+        )
+
+        # Define the security settings as there are some defaults that need to be
+        # modified
+        security_defaults = OneLogin::RubySaml::Settings::DEFAULTS[:security]
+        settings[:security] = security_defaults.merge(options.security_settings)
+
+        settings
+      end
+
+      def saml_attributes
+        {}.tap do |attrs|
+          options.saml_attributes_map.each do |target, definition|
+            unless definition.is_a?(Hash)
+              definition = {
+                name: definition,
+                type: :single
+              }
+            end
+
+            value = definition[:name].map do |key|
+              @attributes.public_send(definition[:type], key)
+            end.reject(&:nil?).first
+
+            attrs[target] = value
+          end
+        end
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'mpassid', 'MPASSid'

data/lib/omniauth-mpassid/test/certificate_generator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MPASSid
+    module Test
+      class CertificateGenerator
+        def private_key
+          @private_key ||= OpenSSL::PKey::RSA.new(2048)
+        end
+
+        def certificate
+          @certificate ||= begin
+            public_key = private_key.public_key
+
+            subject = '/C=FI/O=Test/OU=Test/CN=Test'
+
+            cert = OpenSSL::X509::Certificate.new
+            cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+            cert.not_before = Time.now
+            cert.not_after = Time.now + 365 * 24 * 60 * 60
+            cert.public_key = public_key
+            cert.serial = 0x0
+            cert.version = 2
+
+            inject_certificate_extensions(cert)
+
+            cert.sign(private_key, OpenSSL::Digest::SHA1.new)
+
+            cert
+          end
+        end
+
+      private
+
+        def inject_certificate_extensions(cert)
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.subject_certificate = cert
+          ef.issuer_certificate = cert
+          cert.extensions = [
+            ef.create_extension('basicConstraints', 'CA:TRUE', true),
+            ef.create_extension('subjectKeyIdentifier', 'hash')
+          ]
+          cert.add_extension ef.create_extension(
+            'authorityKeyIdentifier',
+            'keyid:always,issuer:always'
+          )
+        end
+      end
+    end
+  end
+end

data/lib/omniauth-mpassid/test/utility.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MPASSid
+    module Test
+      class Utility
+        def self.inflate_xml(encoded_deflated_xml)
+          deflated_xml = Base64.decode64(encoded_deflated_xml)
+          Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(deflated_xml)
+        end
+
+        def self.signed_xml(raw_xml_file, opts)
+          raw_xml = IO.read(raw_xml_file)
+          signed_xml_from_string(raw_xml, opts)
+        end
+
+        def self.signed_xml_from_string(raw_xml, opts)
+          sign_xml_element(
+            raw_xml,
+            opts[:sign_certificate],
+            opts[:sign_private_key]
+          )
+        end
+
+        def self.sign_xml_element(element, sign_certificate, sign_key)
+          doc = XMLSecurity::Document.new(element)
+          doc.sign_document(
+            sign_key,
+            sign_certificate,
+            XMLSecurity::Document::RSA_SHA256,
+            XMLSecurity::Document::SHA256
+          )
+          # Move the signature to the correct position, otherwise schema
+          # validation does not work because the internal logic of ruby-saml
+          # cannot handle custom element names (saml2:Issuer instead of
+          # saml:Issuer).
+          signature = doc.delete_element('//ds:Signature')
+          issuer = doc.elements['//saml2:Issuer']
+          doc.root.insert_after(issuer, signature)
+
+          doc.to_s
+        end
+      end
+    end
+  end
+end

data/lib/omniauth-mpassid/test.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative 'test/certificate_generator'
+require_relative 'test/utility'
+
+module OmniAuth
+  module MPASSid
+    module Test
+    end
+  end
+end

data/lib/omniauth-mpassid/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module MPASSid
+    VERSION = '0.1.0'
+  end
+end

data/lib/omniauth-mpassid.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth-mpassid/version'
+require 'omniauth/strategies/mpassid'

metadata

@@ -0,0 +1,156 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-mpassid
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Antti Hukkanen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-08-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.10.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.10.1
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.2
+- !ruby/object:Gem::Dependency
+  name: xmlenc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+description: MPASSid identification service integration for OmniAuth.
+email:
+- antti.hukkanen@mainiotech.fi
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- Rakefile
+- lib/omniauth-mpassid.rb
+- lib/omniauth-mpassid/test.rb
+- lib/omniauth-mpassid/test/certificate_generator.rb
+- lib/omniauth-mpassid/test/utility.rb
+- lib/omniauth-mpassid/version.rb
+- lib/omniauth/strategies/mpassid.rb
+homepage: https://github.com/mainio/omniauth-mpassid
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Provides an MPASSid strategy for OmniAuth.
+test_files: []