omniauth-pfas 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- data/LICENSE +20 -0
- data/README.md +31 -0
- data/lib/omniauth/strategies/pfas/response.rb +55 -0
- data/lib/omniauth/strategies/pfas/signed_document.rb +100 -0
- data/lib/omniauth/strategies/pfas.rb +77 -0
- data/lib/omniauth-pfas/version.rb +5 -0
- data/lib/omniauth-pfas.rb +2 -0
- metadata +157 -0
data/LICENSE
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2012 Edgars Beigarts
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,31 @@
|
|
1
|
+
# OmniAuth PFAS Auth
|
2
|
+
|
3
|
+
This gem is based on https://github.com/ebeigarts/omniauth-latvija
|
4
|
+
It is modified to support user attributes returned by PFAS Auth.
|
5
|
+
|
6
|
+
## Installation
|
7
|
+
|
8
|
+
```ruby
|
9
|
+
gem 'omniauth-pfas', :git => 'https://github.com/mariszin/omniauth-pfas.git'
|
10
|
+
```
|
11
|
+
|
12
|
+
## Usage
|
13
|
+
|
14
|
+
`OmniAuth::Strategies::Pfas` is simply a Rack middleware. Read the OmniAuth 1.x docs for detailed instructions: https://github.com/intridea/omniauth.
|
15
|
+
|
16
|
+
Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
|
17
|
+
|
18
|
+
```ruby
|
19
|
+
Rails.application.config.middleware.use OmniAuth::Builder do
|
20
|
+
provider :pfas, {
|
21
|
+
:endpoint => "https://epaktv.vraa.gov.lv/IVIS.Pfas.STS/Default.aspx",
|
22
|
+
:certificate => File.read("/path/to/cert"),
|
23
|
+
:realm => "http://www.example.com"
|
24
|
+
}
|
25
|
+
end
|
26
|
+
```
|
27
|
+
|
28
|
+
## References
|
29
|
+
|
30
|
+
* https://github.com/ebeigarts/omniauth-latvija
|
31
|
+
* https://github.com/onelogin/ruby-saml
|
@@ -0,0 +1,55 @@
|
|
1
|
+
module OmniAuth
|
2
|
+
module Strategies
|
3
|
+
class Pfas
|
4
|
+
class Response
|
5
|
+
ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
|
6
|
+
|
7
|
+
attr_accessor :options, :response, :document
|
8
|
+
|
9
|
+
def initialize(response, options = {})
|
10
|
+
raise ArgumentError.new("Response cannot be nil") if response.nil?
|
11
|
+
self.options = options
|
12
|
+
self.response = response
|
13
|
+
self.document = OmniAuth::Strategies::Pfas::SignedDocument.new(response)
|
14
|
+
end
|
15
|
+
|
16
|
+
def validate!
|
17
|
+
document.validate!(fingerprint)
|
18
|
+
end
|
19
|
+
|
20
|
+
# A hash of alle the attributes with the response. Assuming there is only one value for each key
|
21
|
+
def attributes
|
22
|
+
@attributes ||= begin
|
23
|
+
result = {}
|
24
|
+
|
25
|
+
stmt_element = REXML::XPath.first(document, "//a:Assertion/a:AttributeStatement", { "a" => ASSERTION })
|
26
|
+
return {} if stmt_element.nil?
|
27
|
+
|
28
|
+
stmt_element.elements.each do |attr_element|
|
29
|
+
name = attr_element.attributes["AttributeName"]
|
30
|
+
value = attr_element.elements.map {|e|e.text}
|
31
|
+
if value.length == 1
|
32
|
+
value = value[0]
|
33
|
+
end
|
34
|
+
|
35
|
+
result[name] = value
|
36
|
+
end
|
37
|
+
|
38
|
+
result
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def expires_on
|
43
|
+
document.expires_on
|
44
|
+
end
|
45
|
+
|
46
|
+
private
|
47
|
+
|
48
|
+
def fingerprint
|
49
|
+
cert = OpenSSL::X509::Certificate.new(options[:certificate])
|
50
|
+
Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
|
51
|
+
end
|
52
|
+
end
|
53
|
+
end
|
54
|
+
end
|
55
|
+
end
|
@@ -0,0 +1,100 @@
|
|
1
|
+
# The contents of this file are subject to the terms
|
2
|
+
# of the Common Development and Distribution License
|
3
|
+
# (the License). You may not use this file except in
|
4
|
+
# compliance with the License.
|
5
|
+
#
|
6
|
+
# You can obtain a copy of the License at
|
7
|
+
# https://opensso.dev.java.net/public/CDDLv1.0.html or
|
8
|
+
# opensso/legal/CDDLv1.0.txt
|
9
|
+
# See the License for the specific language governing
|
10
|
+
# permission and limitations under the License.
|
11
|
+
#
|
12
|
+
# When distributing Covered Code, include this CDDL
|
13
|
+
# Header Notice in each file and include the License file
|
14
|
+
# at opensso/legal/CDDLv1.0.txt.
|
15
|
+
# If applicable, add the following below the CDDL Header,
|
16
|
+
# with the fields enclosed by brackets [] replaced by
|
17
|
+
# your own identifying information:
|
18
|
+
# "Portions Copyrighted [year] [name of copyright owner]"
|
19
|
+
#
|
20
|
+
# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
|
21
|
+
#
|
22
|
+
# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
|
23
|
+
# Portions Copyrighted 2007 Todd W Saxton.
|
24
|
+
|
25
|
+
module OmniAuth
|
26
|
+
module Strategies
|
27
|
+
class Pfas
|
28
|
+
class SignedDocument < REXML::Document
|
29
|
+
DSIG = "http://www.w3.org/2000/09/xmldsig#"
|
30
|
+
|
31
|
+
attr_accessor :signed_element_id, :expires_on
|
32
|
+
|
33
|
+
def initialize(response)
|
34
|
+
super(response)
|
35
|
+
extract_signed_element_id
|
36
|
+
extract_expires
|
37
|
+
end
|
38
|
+
|
39
|
+
def validate!(idp_cert_fingerprint)
|
40
|
+
# get cert from response
|
41
|
+
base64_cert = self.elements["//ds:X509Certificate"].text
|
42
|
+
cert_text = Base64.decode64(base64_cert)
|
43
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
44
|
+
|
45
|
+
# check cert matches registered idp cert
|
46
|
+
fingerprint = Digest::SHA1.hexdigest(cert.to_der)
|
47
|
+
|
48
|
+
if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
|
49
|
+
raise ValidationError.new("Fingerprint mismatch")
|
50
|
+
end
|
51
|
+
|
52
|
+
# remove signature node
|
53
|
+
sig_element = REXML::XPath.first(self, "//ds:Signature", { "ds" => DSIG })
|
54
|
+
sig_element.remove
|
55
|
+
|
56
|
+
# check digests
|
57
|
+
REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
|
58
|
+
uri = ref.attributes.get_attribute("URI").value
|
59
|
+
hashed_element = REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
|
60
|
+
canoner = XML::Util::XmlCanonicalizer.new(false, true)
|
61
|
+
canon_hashed_element = canoner.canonicalize(hashed_element)
|
62
|
+
hash = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
|
63
|
+
digest_value = REXML::XPath.first(ref, "//ds:DigestValue", { "ds" => DSIG }).text
|
64
|
+
|
65
|
+
if hash != digest_value
|
66
|
+
raise ValidationError.new("Digest mismatch")
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
70
|
+
# verify signature
|
71
|
+
canoner = XML::Util::XmlCanonicalizer.new(false, true)
|
72
|
+
signed_info_element = REXML::XPath.first(sig_element, "//ds:SignedInfo", { "ds" => DSIG })
|
73
|
+
canon_string = canoner.canonicalize(signed_info_element)
|
74
|
+
|
75
|
+
base64_signature = REXML::XPath.first(sig_element, "//ds:SignatureValue", { "ds" => DSIG }).text
|
76
|
+
signature = Base64.decode64(base64_signature)
|
77
|
+
|
78
|
+
# get certificate object
|
79
|
+
cert_text = Base64.decode64(base64_cert)
|
80
|
+
cert = OpenSSL::X509::Certificate.new(cert_text)
|
81
|
+
|
82
|
+
if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
|
83
|
+
raise ValidationError.new("Key validation error")
|
84
|
+
end
|
85
|
+
|
86
|
+
true
|
87
|
+
end
|
88
|
+
|
89
|
+
def extract_signed_element_id
|
90
|
+
reference_element = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", { "ds" => DSIG })
|
91
|
+
self.signed_element_id = reference_element.attribute("URI").value unless reference_element.nil?
|
92
|
+
end
|
93
|
+
|
94
|
+
def extract_expires
|
95
|
+
self.expires_on = Time.parse(REXML::XPath.first(self, "//trust:Lifetime/wsu:Expires").text)
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
end
|
100
|
+
end
|
@@ -0,0 +1,77 @@
|
|
1
|
+
require "time"
|
2
|
+
require "rexml/document"
|
3
|
+
require "rexml/xpath"
|
4
|
+
require "openssl"
|
5
|
+
require "xmlcanonicalizer"
|
6
|
+
require "digest/sha1"
|
7
|
+
|
8
|
+
require "omniauth/strategies/pfas/response"
|
9
|
+
require "omniauth/strategies/pfas/signed_document"
|
10
|
+
|
11
|
+
module OmniAuth
|
12
|
+
module Strategies
|
13
|
+
#
|
14
|
+
# Authenticate with PFAS Auth
|
15
|
+
#
|
16
|
+
# @example Basic Rails Usage
|
17
|
+
#
|
18
|
+
# Add this to config/initializers/omniauth.rb
|
19
|
+
#
|
20
|
+
# Rails.application.config.middleware.use OmniAuth::Builder do
|
21
|
+
# provider :pfas, {
|
22
|
+
# :endpoint => "https://epaktv.vraa.gov.lv/IVIS.Pfas.STS/Default.aspx",
|
23
|
+
# :certificate => File.read("/path/to/cert"),
|
24
|
+
# :realm => "http://www.example.com"
|
25
|
+
# }
|
26
|
+
# end
|
27
|
+
#
|
28
|
+
class Pfas
|
29
|
+
include OmniAuth::Strategy
|
30
|
+
|
31
|
+
class ValidationError < StandardError; end
|
32
|
+
|
33
|
+
def request_phase
|
34
|
+
params = {
|
35
|
+
:wa => 'wsignin1.0',
|
36
|
+
:wct => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
|
37
|
+
:wtrealm => @options[:realm],
|
38
|
+
:wreply => callback_url,
|
39
|
+
:wctx => callback_url,
|
40
|
+
:wreq => '<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wst:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /><i:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="false" /><i:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="false" /></wst:Claims><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wst:Renewing /></wst:RequestSecurityToken>'
|
41
|
+
}
|
42
|
+
query_string = params.collect{ |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
|
43
|
+
redirect "#{options[:endpoint]}?#{query_string}"
|
44
|
+
end
|
45
|
+
|
46
|
+
def callback_phase
|
47
|
+
if request.params['wresult']
|
48
|
+
@response = OmniAuth::Strategies::Pfas::Response.new(request.params['wresult'], {
|
49
|
+
:certificate => File.read(options[:certificate])
|
50
|
+
})
|
51
|
+
@response.validate!
|
52
|
+
super
|
53
|
+
else
|
54
|
+
fail!(:invalid_response)
|
55
|
+
end
|
56
|
+
rescue Exception => e
|
57
|
+
fail!(:invalid_response, e)
|
58
|
+
end
|
59
|
+
|
60
|
+
def auth_hash
|
61
|
+
OmniAuth::Utils.deep_merge(super, {
|
62
|
+
'uid' => "#{@response.attributes['primarysid']}",
|
63
|
+
'user_info' => {
|
64
|
+
'user_name' => "#{@response.attributes['name']}",
|
65
|
+
'privatepersonalidentifier' => "#{@response.attributes['privatepersonalidentifier']}",
|
66
|
+
'authority' => @response.attributes['AUTHORITY'],
|
67
|
+
'email' => "#{@response.attributes['emailaddress']}",
|
68
|
+
'givenname' => "#{@response.attributes['givenname']}",
|
69
|
+
'surname' => "#{@response.attributes['surname']}",
|
70
|
+
'roles' => @response.attributes['action']
|
71
|
+
},
|
72
|
+
'expires_on' => @response.expires_on
|
73
|
+
})
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
metadata
ADDED
@@ -0,0 +1,157 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: omniauth-pfas
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
hash: 23
|
5
|
+
prerelease:
|
6
|
+
segments:
|
7
|
+
- 1
|
8
|
+
- 0
|
9
|
+
- 0
|
10
|
+
version: 1.0.0
|
11
|
+
platform: ruby
|
12
|
+
authors:
|
13
|
+
- Maris Zinbergs
|
14
|
+
autorequire:
|
15
|
+
bindir: bin
|
16
|
+
cert_chain: []
|
17
|
+
|
18
|
+
date: 2012-10-24 00:00:00 Z
|
19
|
+
dependencies:
|
20
|
+
- !ruby/object:Gem::Dependency
|
21
|
+
name: omniauth
|
22
|
+
prerelease: false
|
23
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
24
|
+
none: false
|
25
|
+
requirements:
|
26
|
+
- - ~>
|
27
|
+
- !ruby/object:Gem::Version
|
28
|
+
hash: 15
|
29
|
+
segments:
|
30
|
+
- 1
|
31
|
+
- 0
|
32
|
+
version: "1.0"
|
33
|
+
type: :runtime
|
34
|
+
version_requirements: *id001
|
35
|
+
- !ruby/object:Gem::Dependency
|
36
|
+
name: canonix
|
37
|
+
prerelease: false
|
38
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
39
|
+
none: false
|
40
|
+
requirements:
|
41
|
+
- - ">="
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
hash: 3
|
44
|
+
segments:
|
45
|
+
- 0
|
46
|
+
version: "0"
|
47
|
+
type: :runtime
|
48
|
+
version_requirements: *id002
|
49
|
+
- !ruby/object:Gem::Dependency
|
50
|
+
name: rake
|
51
|
+
prerelease: false
|
52
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
53
|
+
none: false
|
54
|
+
requirements:
|
55
|
+
- - ">="
|
56
|
+
- !ruby/object:Gem::Version
|
57
|
+
hash: 3
|
58
|
+
segments:
|
59
|
+
- 0
|
60
|
+
version: "0"
|
61
|
+
type: :development
|
62
|
+
version_requirements: *id003
|
63
|
+
- !ruby/object:Gem::Dependency
|
64
|
+
name: rspec
|
65
|
+
prerelease: false
|
66
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
67
|
+
none: false
|
68
|
+
requirements:
|
69
|
+
- - ~>
|
70
|
+
- !ruby/object:Gem::Version
|
71
|
+
hash: 23
|
72
|
+
segments:
|
73
|
+
- 2
|
74
|
+
- 10
|
75
|
+
version: "2.10"
|
76
|
+
type: :development
|
77
|
+
version_requirements: *id004
|
78
|
+
- !ruby/object:Gem::Dependency
|
79
|
+
name: simplecov
|
80
|
+
prerelease: false
|
81
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
82
|
+
none: false
|
83
|
+
requirements:
|
84
|
+
- - ">="
|
85
|
+
- !ruby/object:Gem::Version
|
86
|
+
hash: 3
|
87
|
+
segments:
|
88
|
+
- 0
|
89
|
+
version: "0"
|
90
|
+
type: :development
|
91
|
+
version_requirements: *id005
|
92
|
+
- !ruby/object:Gem::Dependency
|
93
|
+
name: rack-test
|
94
|
+
prerelease: false
|
95
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
96
|
+
none: false
|
97
|
+
requirements:
|
98
|
+
- - ">="
|
99
|
+
- !ruby/object:Gem::Version
|
100
|
+
hash: 3
|
101
|
+
segments:
|
102
|
+
- 0
|
103
|
+
version: "0"
|
104
|
+
type: :development
|
105
|
+
version_requirements: *id006
|
106
|
+
description: PFAS Auth authentication strategy for OmniAuth
|
107
|
+
email:
|
108
|
+
- maris.zinbergs@gmail.com
|
109
|
+
executables: []
|
110
|
+
|
111
|
+
extensions: []
|
112
|
+
|
113
|
+
extra_rdoc_files: []
|
114
|
+
|
115
|
+
files:
|
116
|
+
- lib/omniauth-pfas.rb
|
117
|
+
- lib/omniauth-pfas/version.rb
|
118
|
+
- lib/omniauth/strategies/pfas/signed_document.rb
|
119
|
+
- lib/omniauth/strategies/pfas/response.rb
|
120
|
+
- lib/omniauth/strategies/pfas.rb
|
121
|
+
- README.md
|
122
|
+
- LICENSE
|
123
|
+
homepage:
|
124
|
+
licenses: []
|
125
|
+
|
126
|
+
post_install_message:
|
127
|
+
rdoc_options: []
|
128
|
+
|
129
|
+
require_paths:
|
130
|
+
- lib
|
131
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
132
|
+
none: false
|
133
|
+
requirements:
|
134
|
+
- - ">="
|
135
|
+
- !ruby/object:Gem::Version
|
136
|
+
hash: 3
|
137
|
+
segments:
|
138
|
+
- 0
|
139
|
+
version: "0"
|
140
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
141
|
+
none: false
|
142
|
+
requirements:
|
143
|
+
- - ">="
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
hash: 3
|
146
|
+
segments:
|
147
|
+
- 0
|
148
|
+
version: "0"
|
149
|
+
requirements: []
|
150
|
+
|
151
|
+
rubyforge_project:
|
152
|
+
rubygems_version: 1.8.24
|
153
|
+
signing_key:
|
154
|
+
specification_version: 3
|
155
|
+
summary: PFAS Auth authentication strategy for OmniAuth
|
156
|
+
test_files: []
|
157
|
+
|