omniauth-saml-cespi 1.3.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3af0eb7b2d2830055f53c1742d13b34588690491
+  data.tar.gz: ed607150e747f40d841746c5687d065a4e6c6c95
+SHA512:
+  metadata.gz: 5bbbd707b811455a7fbdc57f111ba139af3daf5551dada068d0d03b177a815ed761b6cfa0ace3e953c75c3196dad2b488ec53ed6a9ab9b4fcf308ce38dff17be
+  data.tar.gz: b7abd04fd0a97c91813b9a72a43eca93bec903dd4ea2eb129a869ee9f3476e0f46361f7d0847eb7cdd3148c64617e798f31ddb41db37450b7c572167c025305e

data/CHANGELOG.md

@@ -0,0 +1,45 @@
+# OmniAuth SAML Version History
+
+A generic SAML strategy for OmniAuth.
+
+https://github.com/PracticallyGreen/omniauth-saml
+
+## 1.3.0 (2014-14-10)
+
+* add `idp_cert_fingerprint_validator` option
+
+## 1.2.0 (2014-03-19)
+
+* provide SP metadata at `/auth/saml/metadata`
+
+## 1.1.0 (2013-11-07)
+
+* no longer set a default `name_identifier_format`
+* pass strategy options to the underlying ruby-saml library
+* fallback to omniauth callback url if `assertion_consumer_service_url` is not set
+* add `idp_sso_target_url_runtime_params` option
+
+## 1.0.0 (2012-11-12)
+
+* remove SAML code and port to ruby-saml gem
+* fix incompatibility with OmniAuth 1.1
+
+## 0.9.2 (2012-03-30)
+
+* validate the SAML response
+* 100% test coverage
+* now requires ruby 1.9.2+
+
+## 0.9.1 (2012-02-23)
+
+* return first and last name in the info hash
+* no longer use LDAP OIDs for name and email selection
+* return SAML attributes as the omniauth raw_info hash
+
+## 0.9.0 (2012-02-14)
+
+* initial release
+* extracts commits from omniauth 0-3-stable branch
+* port to omniauth 1.0 strategy format
+* update README with more documentation and license
+* package as the `omniauth-saml` gem

data/README.md

@@ -0,0 +1,124 @@
+# OmniAuth SAML
+
+A generic SAML strategy for OmniAuth.
+
+https://github.com/PracticallyGreen/omniauth-saml
+
+## Requirements
+
+* [OmniAuth](http://www.omniauth.org/) 1.2+
+* Ruby 1.9.x or Ruby 2.1.x
+
+## Usage
+
+Use the SAML strategy as a middleware in your application:
+
+```ruby
+require 'omniauth'
+use OmniAuth::Strategies::SAML,
+  :assertion_consumer_service_url     => "consumer_service_url",
+  :issuer                             => "issuer",
+  :idp_sso_target_url                 => "idp_sso_target_url",
+  :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+  :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+  :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+  :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
+  :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+```
+
+or in your Rails application:
+
+in `Gemfile`:
+
+```ruby
+gem 'omniauth-saml'
+```
+
+and in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :saml,
+    :assertion_consumer_service_url     => "consumer_service_url",
+    :issuer                             => "rails-application",
+    :idp_sso_target_url                 => "idp_sso_target_url",
+    :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
+    :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+    :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+    :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
+    :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+end
+```
+
+For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set the `href` of your application's login link to the value of `idp_sso_target_url`. For SP-initiated SSO, link to `/auth/saml`.
+
+## Metadata
+
+The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.
+
+## Options
+
+* `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
+  received. If not provided, defaults to the OmniAuth callback URL (typically
+  `http://example.com/auth/saml/callback`). Optional.
+
+* `:issuer` - The name of your application. Some identity providers might need this
+  to establish the identity of the service provider requesting the login. **Required**.
+
+* `:idp_sso_target_url` - The URL to which the authentication request should be sent.
+  This would be on the identity provider. **Required**.
+
+* `:idp_sso_target_url_runtime_params` - A dynamic mapping of request params that exist
+  during the request phase of OmniAuth that should to be sent to the IdP after a specific
+  mapping. So for example, a param `original_request_param` with value `original_param_value`,
+  could be sent to the IdP on the login request as `mapped_idp_param` with value
+  `original_param_value`. Optional.
+
+* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
+  over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+  be present.
+
+* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
+  "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
+  the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
+
+* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
+  (the fingerprint), verify if it is valid and return it if successful. This option
+  or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
+
+* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
+  the username required by this application. If you need the email address, use
+  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress". See
+  http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf section 8.3 for
+  other options. Note that the identity provider might not support all options.
+  If not specified, the IdP is free to choose the name identifier format used
+  in the response. Optional.
+
+* See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
+
+## Authors
+
+Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
+
+## License
+
+Copyright (c) 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/).
+All rights reserved. Released under the MIT license.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/lib/omniauth-saml.rb

@@ -0,0 +1,2 @@
+require 'omniauth/strategies/saml'
+require 'omniauth/strategies/saml/validation_error'

data/lib/omniauth-saml/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module SAML
+    VERSION = '1.3.1'
+  end
+end

data/lib/omniauth/strategies/saml.rb

@@ -0,0 +1,104 @@
+require 'omniauth'
+require 'ruby-saml'
+
+module OmniAuth
+  module Strategies
+    class SAML
+      include OmniAuth::Strategy
+
+      option :name_identifier_format, nil
+      option :idp_sso_target_url_runtime_params, {}
+
+      def request_phase
+        options[:assertion_consumer_service_url] ||= callback_url
+        runtime_request_parameters = options.delete(:idp_sso_target_url_runtime_params)
+
+        additional_params = {}
+        runtime_request_parameters.each_pair do |request_param_key, mapped_param_key|
+          additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
+        end if runtime_request_parameters
+
+        authn_request = OneLogin::RubySaml::Authrequest.new
+        settings = OneLogin::RubySaml::Settings.new(options)
+
+        redirect(authn_request.create(settings, additional_params))
+      end
+
+      def callback_phase
+        unless request.params['SAMLResponse']
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
+        end
+
+        # Call a fingerprint validation method if there's one
+        if options.idp_cert_fingerprint_validator
+          fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
+          unless fingerprint_exists
+            raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
+          end
+          # id_cert_fingerprint becomes the given fingerprint if it exists
+          options.idp_cert_fingerprint = fingerprint_exists
+        end
+
+        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], options)
+        response.settings = OneLogin::RubySaml::Settings.new(options)
+        response.attributes['fingerprint'] = options.idp_cert_fingerprint
+
+        @name_id = response.name_id
+        @attributes = response.attributes
+
+        if @name_id.nil? || @name_id.empty?
+          raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
+        end
+
+        response.validate!
+
+        super
+      rescue OmniAuth::Strategies::SAML::ValidationError
+        fail!(:invalid_ticket, $!)
+      rescue OneLogin::RubySaml::ValidationError
+        fail!(:invalid_ticket, $!)
+      end
+
+      # Obtain an idp certificate fingerprint from the response.
+      def response_fingerprint
+        response = request.params['SAMLResponse']
+        response = (response =~ /^</) ? response : Base64.decode64(response)
+        document = XMLSecurity::SignedDocument::new(response)
+        cert_element = REXML::XPath.first(document, "//ds:X509Certificate", { "ds"=> 'http://www.w3.org/2000/09/xmldsig#' })
+        base64_cert = cert_element.text
+        cert_text = Base64.decode64(base64_cert)
+        cert = OpenSSL::X509::Certificate.new(cert_text)
+        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+      end
+
+      def other_phase
+        if on_path?("#{request_path}/metadata")
+          # omniauth does not set the strategy on the other_phase
+          @env['omniauth.strategy'] ||= self
+          setup_phase
+
+          response = OneLogin::RubySaml::Metadata.new
+          settings = OneLogin::RubySaml::Settings.new(options)
+          Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
+        else
+          call_app!
+        end
+      end
+
+      uid { @name_id }
+
+      info do
+        {
+          :name  => @attributes[:name],
+          :email => @attributes[:email] || @attributes[:mail],
+          :first_name => @attributes[:first_name] || @attributes[:firstname] || @attributes[:firstName],
+          :last_name => @attributes[:last_name] || @attributes[:lastname] || @attributes[:lastName]
+        }
+      end
+
+      extra { { :raw_info => @attributes } }
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'saml', 'SAML'

data/lib/omniauth/strategies/saml/validation_error.rb

@@ -0,0 +1,8 @@
+module OmniAuth
+  module Strategies
+    class SAML
+      class ValidationError < Exception
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/saml_spec.rb

@@ -0,0 +1,162 @@
+require 'spec_helper'
+
+RSpec::Matchers.define :fail_with do |message|
+  match do |actual|
+    actual.redirect? && /\?.*message=#{message}/ === actual.location
+  end
+end
+
+def post_xml(xml=:example_response)
+  post "/auth/saml/callback", {'SAMLResponse' => load_xml(xml)}
+end
+
+describe OmniAuth::Strategies::SAML, :type => :strategy do
+  include OmniAuth::Test::StrategyTestCase
+
+  let(:auth_hash){ last_request.env['omniauth.auth'] }
+  let(:saml_options) do
+    {
+      :assertion_consumer_service_url     => "http://localhost:3000/auth/saml/callback",
+      :issuer                             => "https://saml.issuer.url/issuers/29490",
+      :idp_sso_target_url                 => "https://idp.sso.target_url/signon/29490",
+      :idp_cert_fingerprint               => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
+      :idp_sso_target_url_runtime_params  => {:original_param_key => :mapped_param_key},
+      :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
+
+  describe 'GET /auth/saml' do
+    context 'without idp runtime params present' do
+      before do
+        get '/auth/saml'
+      end
+
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should_not match /mapped_param_key/
+        last_response.location.should_not match /original_param_key/
+      end
+    end
+
+    context 'with idp runtime params' do
+      before do
+        get '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
+      end
+
+      it 'should get authentication page' do
+        last_response.should be_redirect
+        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /\?SAMLRequest=/
+        last_response.location.should match /\&mapped_param_key=original_param_value/
+        last_response.location.should_not match /original_param_key/
+      end
+    end
+  end
+
+  describe 'POST /auth/saml/callback' do
+    subject { last_response }
+
+    let(:xml) { :example_response }
+
+    before :each do
+      Time.stub(:now).and_return(Time.new(2012, 11, 8, 20, 40, 00, 0))
+    end
+
+    context "when the response is valid" do
+      before :each do
+        post_xml
+      end
+
+      it "should set the uid to the nameID in the SAML response" do
+        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+      end
+
+      it "should set the raw info to all attributes" do
+        auth_hash['extra']['raw_info'].to_hash.should == {
+          'first_name'   => 'Rajiv',
+          'last_name'    => 'Manglani',
+          'email'        => 'user@example.com',
+          'company_name' => 'Example Company',
+          'fingerprint'  => saml_options[:idp_cert_fingerprint]
+        }
+      end
+    end
+
+    context "when fingerprint is empty and there's a fingerprint validator" do
+      before :each do
+        saml_options.delete(:idp_cert_fingerprint)
+        saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
+        post_xml
+      end
+
+      it "should set the uid to the nameID in the SAML response" do
+        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+      end
+
+      it "should set the raw info to all attributes" do
+        auth_hash['extra']['raw_info'].to_hash.should == {
+          'first_name'   => 'Rajiv',
+          'last_name'    => 'Manglani',
+          'email'        => 'user@example.com',
+          'company_name' => 'Example Company',
+          'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
+        }
+      end
+    end
+
+    context "when there is no SAMLResponse parameter" do
+      before :each do
+        post '/auth/saml/callback'
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when there is no name id in the XML" do
+      before :each do
+        post_xml :no_name_id
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the fingerprint is invalid" do
+      before :each do
+        saml_options[:idp_cert_fingerprint] = "00:00:00:00:00:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB"
+        post_xml
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the digest is invalid" do
+      before :each do
+        post_xml :digest_mismatch
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context "when the signature is invalid" do
+      before :each do
+        post_xml :invalid_signature
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+  end
+
+  describe 'GET /auth/saml/metadata' do
+    before do
+      get '/auth/saml/metadata'
+    end
+
+    it 'should get SP metadata page' do
+      last_response.status.should == 200
+      last_response.header["Content-Type"].should == "application/xml"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+require 'simplecov'
+SimpleCov.start
+
+require 'omniauth-saml'
+require 'rack/test'
+require 'rexml/document'
+require 'rexml/xpath'
+require 'base64'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+end
+
+def load_xml(filename=:example_response)
+  filename = File.expand_path(File.join('..', 'support', "#{filename.to_s}.xml"), __FILE__)
+  Base64.encode64(IO.read(filename))
+end

metadata

@@ -0,0 +1,128 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-saml-cespi
+version: !ruby/object:Gem::Version
+  version: 1.3.1
+platform: ruby
+authors:
+- Raecoo Cao
+- Ryan Wilcox
+- Rajiv Aaron Manglani
+- Steven Anderson
+- Nikos Dimitrakopoulos
+- Rudolf Vriend
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-05-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+description: A generic SAML strategy for OmniAuth.
+email: rajiv@alum.mit.edu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- README.md
+- lib/omniauth-saml.rb
+- lib/omniauth-saml/version.rb
+- lib/omniauth/strategies/saml.rb
+- lib/omniauth/strategies/saml/validation_error.rb
+- spec/omniauth/strategies/saml_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/PracticallyGreen/omniauth-saml
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: A generic SAML strategy for OmniAuth.
+test_files:
+- spec/spec_helper.rb
+- spec/omniauth/strategies/saml_spec.rb