omniauth-pfas 1.0.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2012 Edgars Beigarts
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+# OmniAuth PFAS Auth
+
+This gem is based on https://github.com/ebeigarts/omniauth-latvija
+It is modified to support user attributes returned by PFAS Auth.
+
+## Installation
+
+```ruby
+gem 'omniauth-pfas', :git => 'https://github.com/mariszin/omniauth-pfas.git'
+```
+
+## Usage
+
+`OmniAuth::Strategies::Pfas` is simply a Rack middleware. Read the OmniAuth 1.x docs for detailed instructions: https://github.com/intridea/omniauth.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :pfas, {
+    :endpoint => "https://epaktv.vraa.gov.lv/IVIS.Pfas.STS/Default.aspx",
+    :certificate => File.read("/path/to/cert"),
+    :realm => "http://www.example.com"
+  }
+end
+```
+
+## References
+
+* https://github.com/ebeigarts/omniauth-latvija
+* https://github.com/onelogin/ruby-saml

data/lib/omniauth/strategies/pfas/response.rb

@@ -0,0 +1,55 @@
+module OmniAuth
+  module Strategies
+    class Pfas
+      class Response
+        ASSERTION = "urn:oasis:names:tc:SAML:1.0:assertion"
+
+        attr_accessor :options, :response, :document
+
+        def initialize(response, options = {})
+          raise ArgumentError.new("Response cannot be nil") if response.nil?
+          self.options  = options
+          self.response = response
+          self.document = OmniAuth::Strategies::Pfas::SignedDocument.new(response)
+        end
+
+        def validate!
+          document.validate!(fingerprint)
+        end
+
+        # A hash of alle the attributes with the response. Assuming there is only one value for each key
+        def attributes
+          @attributes ||= begin
+            result = {}
+
+            stmt_element = REXML::XPath.first(document, "//a:Assertion/a:AttributeStatement", { "a" => ASSERTION })
+            return {} if stmt_element.nil?
+
+            stmt_element.elements.each do |attr_element|
+              name  = attr_element.attributes["AttributeName"]
+              value = attr_element.elements.map {|e|e.text}
+              if value.length == 1
+                value = value[0]
+              end
+
+              result[name] = value
+            end
+
+            result
+          end
+        end
+
+        def expires_on
+          document.expires_on
+        end
+
+        private
+
+        def fingerprint
+          cert = OpenSSL::X509::Certificate.new(options[:certificate])
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/pfas/signed_document.rb

@@ -0,0 +1,100 @@
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: xml_sec.rb,v 1.6 2007/10/24 00:28:41 todddd Exp $
+#
+# Copyright 2007 Sun Microsystems Inc. All Rights Reserved
+# Portions Copyrighted 2007 Todd W Saxton.
+
+module OmniAuth
+  module Strategies
+    class Pfas
+      class SignedDocument < REXML::Document
+        DSIG = "http://www.w3.org/2000/09/xmldsig#"
+
+        attr_accessor :signed_element_id, :expires_on
+
+        def initialize(response)
+          super(response)
+          extract_signed_element_id
+          extract_expires
+        end
+
+        def validate!(idp_cert_fingerprint)
+          # get cert from response
+          base64_cert = self.elements["//ds:X509Certificate"].text
+          cert_text   = Base64.decode64(base64_cert)
+          cert        = OpenSSL::X509::Certificate.new(cert_text)
+
+          # check cert matches registered idp cert
+          fingerprint = Digest::SHA1.hexdigest(cert.to_der)
+
+          if fingerprint != idp_cert_fingerprint.gsub(/[^a-zA-Z0-9]/,"").downcase
+            raise ValidationError.new("Fingerprint mismatch")
+          end
+
+          # remove signature node
+          sig_element = REXML::XPath.first(self, "//ds:Signature", { "ds" => DSIG })
+          sig_element.remove
+
+          # check digests
+          REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>"http://www.w3.org/2000/09/xmldsig#"}) do |ref|
+            uri                           = ref.attributes.get_attribute("URI").value
+            hashed_element                = REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
+            canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
+            canon_hashed_element          = canoner.canonicalize(hashed_element)
+            hash                          = Base64.encode64(Digest::SHA1.digest(canon_hashed_element)).chomp
+            digest_value                  = REXML::XPath.first(ref, "//ds:DigestValue", { "ds" => DSIG }).text
+
+            if hash != digest_value
+              raise ValidationError.new("Digest mismatch")
+            end
+          end
+
+          # verify signature
+          canoner                 = XML::Util::XmlCanonicalizer.new(false, true)
+          signed_info_element     = REXML::XPath.first(sig_element, "//ds:SignedInfo", { "ds" => DSIG })
+          canon_string            = canoner.canonicalize(signed_info_element)
+
+          base64_signature        = REXML::XPath.first(sig_element, "//ds:SignatureValue", { "ds" => DSIG }).text
+          signature               = Base64.decode64(base64_signature)
+
+          # get certificate object
+          cert_text               = Base64.decode64(base64_cert)
+          cert                    = OpenSSL::X509::Certificate.new(cert_text)
+
+          if !cert.public_key.verify(OpenSSL::Digest::SHA1.new, signature, canon_string)
+            raise ValidationError.new("Key validation error")
+          end
+
+          true
+        end
+
+        def extract_signed_element_id
+          reference_element       = REXML::XPath.first(self, "//ds:Signature/ds:SignedInfo/ds:Reference", { "ds" => DSIG })
+          self.signed_element_id  = reference_element.attribute("URI").value unless reference_element.nil?
+        end
+
+        def extract_expires
+          self.expires_on  = Time.parse(REXML::XPath.first(self, "//trust:Lifetime/wsu:Expires").text)
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/pfas.rb

@@ -0,0 +1,77 @@
+require "time"
+require "rexml/document"
+require "rexml/xpath"
+require "openssl"
+require "xmlcanonicalizer"
+require "digest/sha1"
+
+require "omniauth/strategies/pfas/response"
+require "omniauth/strategies/pfas/signed_document"
+
+module OmniAuth
+  module Strategies
+    #
+    # Authenticate with PFAS Auth
+    #
+    # @example Basic Rails Usage
+    #
+    #  Add this to config/initializers/omniauth.rb
+    #
+    #    Rails.application.config.middleware.use OmniAuth::Builder do
+    #      provider :pfas, {
+    #        :endpoint => "https://epaktv.vraa.gov.lv/IVIS.Pfas.STS/Default.aspx",
+    #        :certificate => File.read("/path/to/cert"),
+    #        :realm => "http://www.example.com"
+    #      }
+    #    end
+    #
+    class Pfas
+      include OmniAuth::Strategy
+
+      class ValidationError < StandardError; end
+
+      def request_phase
+        params = {
+          :wa => 'wsignin1.0',
+          :wct => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ'),
+          :wtrealm => @options[:realm],
+          :wreply => callback_url,
+          :wctx => callback_url,
+          :wreq => '<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wst:Claims xmlns:i="http://schemas.xmlsoap.org/ws/2005/05/identity" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><i:ClaimType Uri="http://docs.oasis-open.org/wsfed/authorization/200706/claims/action" Optional="false" /><i:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="false" /><i:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="false" /></wst:Claims><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wst:Renewing /></wst:RequestSecurityToken>'
+        }
+        query_string = params.collect{ |key, value| "#{key}=#{Rack::Utils.escape(value)}" }.join('&')
+        redirect "#{options[:endpoint]}?#{query_string}"
+      end
+
+      def callback_phase
+        if request.params['wresult']
+          @response = OmniAuth::Strategies::Pfas::Response.new(request.params['wresult'], {
+            :certificate => File.read(options[:certificate])
+          })
+          @response.validate!
+          super
+        else
+          fail!(:invalid_response)
+        end
+      rescue Exception => e
+        fail!(:invalid_response, e)
+      end
+
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => "#{@response.attributes['primarysid']}",
+          'user_info' => {
+            'user_name' => "#{@response.attributes['name']}",
+            'privatepersonalidentifier' => "#{@response.attributes['privatepersonalidentifier']}",
+            'authority' => @response.attributes['AUTHORITY'],
+            'email' => "#{@response.attributes['emailaddress']}",
+            'givenname' => "#{@response.attributes['givenname']}",
+            'surname' => "#{@response.attributes['surname']}",
+            'roles' => @response.attributes['action']
+          },
+          'expires_on' => @response.expires_on
+        })
+      end
+    end
+  end
+end

data/lib/omniauth-pfas/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Pfas
+    VERSION = '1.0.0' unless defined?(OmniAuth::Pfas::VERSION)
+  end
+end

data/lib/omniauth-pfas.rb

@@ -0,0 +1,2 @@
+require 'omniauth-pfas/version'
+require 'omniauth/strategies/pfas'

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification 
+name: omniauth-pfas
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 1
+  - 0
+  - 0
+  version: 1.0.0
+platform: ruby
+authors: 
+- Maris Zinbergs
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-10-24 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: omniauth
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 1
+        - 0
+        version: "1.0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: canonix
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 2
+        - 10
+        version: "2.10"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: simplecov
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rack-test
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id006
+description: PFAS Auth authentication strategy for OmniAuth
+email: 
+- maris.zinbergs@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/omniauth-pfas.rb
+- lib/omniauth-pfas/version.rb
+- lib/omniauth/strategies/pfas/signed_document.rb
+- lib/omniauth/strategies/pfas/response.rb
+- lib/omniauth/strategies/pfas.rb
+- README.md
+- LICENSE
+homepage: 
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: PFAS Auth authentication strategy for OmniAuth
+test_files: []
+