omniauth-saml 1.2.0 → 1.3.0


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 2c97817e22f903d85818b687a7a003d8a752a5fe
4
- data.tar.gz: c947e7c9a0c693ea8a38367aee1060a3c517ba2c
3
+ metadata.gz: a3fbf2c866dd9c9b7843a160be875332185f0f97
4
+ data.tar.gz: 7b633d77ad60c42ef1f263901cf795c29862be2f
5
5
  SHA512:
6
- metadata.gz: 19ca24fce1e07008c93a66a2c2a7c46cb627372220364881ae2d966a68feec7a9fa6c75b019bdd5f935a4f6fb39a9ed5bee9008016bcf4eb51042f5cc3f105d7
7
- data.tar.gz: d766149cecbfb73e20f253a46c790ae1a87b1d8085dcf68244890dacd6a9ed40beec355fc70a35f3b6efdd219553c47d301a090299bb71ebc2492b0dc5c817d4
6
+ metadata.gz: c75c15118de34c8960ee4516b9c32633db4cb11a96271d3d76dc194ceaaf5ffa15ead1b078df39ad77c11dd6d54cd5660640e1eb547587fc0499ff53cce46452
7
+ data.tar.gz: ccb0ab71a1be6fb2d88291c58756239ec89fcc5cdb9d74abc60052430c1524fe4422670c0bfa2c324de6303e8e383ef139a1d1a04fc58a2e292d9089d2b476f8
@@ -4,6 +4,10 @@ A generic SAML strategy for OmniAuth.
4
4
 
5
5
  https://github.com/PracticallyGreen/omniauth-saml
6
6
 
7
+ ## 1.3.0 (2014-14-10)
8
+
9
+ * add `idp_cert_fingerprint_validator` option
10
+
7
11
  ## 1.2.0 (2014-03-19)
8
12
 
9
13
  * provide SP metadata at `/auth/saml/metadata`
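Review bot: the new changelog heading `## 1.3.0 (2014-14-10)` carries an invalid date (there is no month 14), and the gemspec in this same diff sets `date: 2015-02-05`; use the actual release date here. The entry also omits the other user-visible changes in this release: the `Onelogin::Saml` to `OneLogin::RubySaml` namespace rename (which is why `ruby-saml` moves to `~> 0.8.1`) and the `omniauth` requirement change from `~> 1.2` to `~> 1.1`.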
data/README.md CHANGED
@@ -22,6 +22,7 @@ use OmniAuth::Strategies::SAML,
22
22
  :idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
23
23
  :idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
24
24
  :idp_cert_fingerprint => "E7:91:B2:E1:...",
25
+ :idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
25
26
  :name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
26
27
  ```
27
28
 
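Review bot: the documented sample `:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint }` accepts every fingerprint it is handed, and because the strategy derives that fingerprint from the certificate embedded in the incoming SAMLResponse, anyone who copies this sample has no certificate pinning at all. Show a lookup against a configured set of trusted fingerprints instead, e.g. `lambda { |fp| TRUSTED_IDP_FINGERPRINTS.include?(fp) ? fp : nil }`, so the README sample is safe to paste into a real configuration.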
@@ -44,6 +45,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
44
45
  :idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
45
46
  :idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
46
47
  :idp_cert_fingerprint => "E7:91:B2:E1:...",
48
+ :idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
47
49
  :name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
48
50
  end
49
51
  ```
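Review bot: this second configuration sample repeats the pass-through `lambda { |fingerprint| fingerprint }`; a validator that returns its input unchanged accepts whatever certificate appears in the response, so both samples should show a check against a known set of trusted fingerprints and stay consistent with each other.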
@@ -73,12 +75,16 @@ The service provider metadata used to ease configuration of the SAML SP in the I
73
75
  `original_param_value`. Optional.
74
76
 
75
77
  * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
76
- over the fingerprint option below. This option or `:idp_cert_fingerprint` must
78
+ over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
77
79
  be present.
78
80
 
79
81
  * `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
80
82
  "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
81
- the relationship. This option or `:idp_cert` must be present.
83
+ the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
84
+
85
+ * `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
86
+ (the fingerprint), verify if it is valid and return it if successful. This option
87
+ or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
82
88
 
83
89
  * `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
84
90
  the username required by this application. If you need the email address, use
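Review bot: the `:idp_cert_fingerprint_validator` bullet should say what the lambda receives and what its return value does: it is passed the SHA1 fingerprint of the certificate found in the incoming response, a falsy return rejects the response, and a truthy return value is assigned to `:idp_cert_fingerprint` and used to validate the signature. Without that, "return it if successful" does not convey that the returned value becomes the trusted fingerprint, and that returning the input unchanged trusts any certificate. Also unify the wording: the `:idp_cert` bullet keeps "must" while the two bullets below switch to "MUST".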
@@ -88,13 +94,11 @@ The service provider metadata used to ease configuration of the SAML SP in the I
88
94
  If not specified, the IdP is free to choose the name identifier format used
89
95
  in the response. Optional.
90
96
 
91
- * See the `Onelogin::Saml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
97
+ * See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
92
98
 
93
99
  ## Authors
94
100
 
95
- Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, Steven Anderson, Nikos Dimitrakopoulos, and Rudolf Vriend.
96
-
97
- Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/).
101
+ Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
98
102
 
99
103
  ## License
100
104
 
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module SAML
3
- VERSION = '1.2.0'
3
+ VERSION = '1.3.0'
4
4
  end
5
5
  end
@@ -18,8 +18,8 @@ module OmniAuth
18
18
  additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
19
19
  end if runtime_request_parameters
20
20
 
21
- authn_request = Onelogin::Saml::Authrequest.new
22
- settings = Onelogin::Saml::Settings.new(options)
21
+ authn_request = OneLogin::RubySaml::Authrequest.new
22
+ settings = OneLogin::RubySaml::Settings.new(options)
23
23
 
24
24
  redirect(authn_request.create(settings, additional_params))
25
25
  end
@@ -29,8 +29,18 @@ module OmniAuth
29
29
  raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
30
30
  end
31
31
 
32
- response = Onelogin::Saml::Response.new(request.params['SAMLResponse'], options)
33
- response.settings = Onelogin::Saml::Settings.new(options)
32
+ # Call a fingerprint validation method if there's one
33
+ if options.idp_cert_fingerprint_validator
34
+ fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
35
+ unless fingerprint_exists
36
+ raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
37
+ end
38
+ # id_cert_fingerprint becomes the given fingerprint if it exists
39
+ options.idp_cert_fingerprint = fingerprint_exists
40
+ end
41
+
42
+ response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], options)
43
+ response.settings = OneLogin::RubySaml::Settings.new(options)
34
44
 
35
45
  @name_id = response.name_id
36
46
  @attributes = response.attributes
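Review bot: `options.idp_cert_fingerprint = fingerprint_exists` writes a per-request value into the strategy's options, which OmniAuth shares across requests (the strategy is shallow-duplicated per call, so the options object is the same), so with overlapping requests one request's fingerprint can end up validating another request's response. Pass the fingerprint into the settings built two lines later instead, for example by merging `idp_cert_fingerprint` into a local copy of `options`, rather than mutating `options`. Two smaller points: `fingerprint_exists` serves both as a boolean and as the fingerprint value, so a name like `validated_fingerprint` would read better, and the comment `id_cert_fingerprint` should read `idp_cert_fingerprint`.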
@@ -44,18 +54,30 @@ module OmniAuth
44
54
  super
45
55
  rescue OmniAuth::Strategies::SAML::ValidationError
46
56
  fail!(:invalid_ticket, $!)
47
- rescue Onelogin::Saml::ValidationError
57
+ rescue OneLogin::RubySaml::ValidationError
48
58
  fail!(:invalid_ticket, $!)
49
59
  end
50
60
 
61
+ # Obtain an idp certificate fingerprint from the response.
62
+ def response_fingerprint
63
+ response = request.params['SAMLResponse']
64
+ response = (response =~ /^</) ? response : Base64.decode64(response)
65
+ document = XMLSecurity::SignedDocument::new(response)
66
+ cert_element = REXML::XPath.first(document, "//ds:X509Certificate", { "ds"=> 'http://www.w3.org/2000/09/xmldsig#' })
67
+ base64_cert = cert_element.text
68
+ cert_text = Base64.decode64(base64_cert)
69
+ cert = OpenSSL::X509::Certificate.new(cert_text)
70
+ Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
71
+ end
72
+
51
73
  def other_phase
52
74
  if on_path?("#{request_path}/metadata")
53
75
  # omniauth does not set the strategy on the other_phase
54
76
  @env['omniauth.strategy'] ||= self
55
77
  setup_phase
56
78
 
57
- response = Onelogin::Saml::Metadata.new
58
- settings = Onelogin::Saml::Settings.new(options)
79
+ response = OneLogin::RubySaml::Metadata.new
80
+ settings = OneLogin::RubySaml::Settings.new(options)
59
81
  Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
60
82
  else
61
83
  call_app!
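Review bot: `response_fingerprint` has no guard for a response without a `ds:X509Certificate` element: `REXML::XPath.first` returns nil and `cert_element.text` raises NoMethodError, which the `rescue` clauses above (they only catch the two ValidationError classes) do not handle, so a malformed or unsigned response becomes an unhandled exception instead of `fail!(:invalid_ticket, ...)`. Raise `OmniAuth::Strategies::SAML::ValidationError` when the element is missing, and treat `OpenSSL::X509::CertificateError` from `OpenSSL::X509::Certificate.new` the same way. The method also relies on `Base64`, `Digest::SHA1`, `OpenSSL` and `REXML` being loaded by ruby-saml; explicit requires would make that dependency visible. Finally, a short comment that the certificate is read from the not-yet-validated response, so the fingerprint is only meaningful once the validator compares it against trusted values, would help future readers.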
@@ -84,6 +84,27 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
84
84
  end
85
85
  end
86
86
 
87
+ context "when fingerprint is empty and there's a fingerprint validator" do
88
+ before :each do
89
+ saml_options.delete(:idp_cert_fingerprint)
90
+ saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
91
+ post_xml
92
+ end
93
+
94
+ it "should set the uid to the nameID in the SAML response" do
95
+ auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
96
+ end
97
+
98
+ it "should set the raw info to all attributes" do
99
+ auth_hash['extra']['raw_info'].to_hash.should == {
100
+ 'first_name' => 'Rajiv',
101
+ 'last_name' => 'Manglani',
102
+ 'email' => 'user@example.com',
103
+ 'company_name' => 'Example Company'
104
+ }
105
+ end
106
+ end
107
+
87
108
  context "when there is no SAMLResponse parameter" do
88
109
  before :each do
89
110
  post '/auth/saml/callback'
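Review bot: the new context covers only the success path, with a validator that ignores its argument and returns a fixed fingerprint. Add a case where the validator returns nil and assert that the callback fails with `:invalid_ticket` (the "Non-existent fingerprint" branch), and ideally one that asserts the lambda is invoked with the fingerprint of the certificate in the posted response, so the wiring between `response_fingerprint` and the validator is actually exercised.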
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-saml
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Raecoo Cao
@@ -13,7 +13,7 @@ authors:
13
13
  autorequire:
14
14
  bindir: bin
15
15
  cert_chain: []
16
- date: 2014-03-19 00:00:00.000000000 Z
16
+ date: 2015-02-05 00:00:00.000000000 Z
17
17
  dependencies:
18
18
  - !ruby/object:Gem::Dependency
19
19
  name: omniauth
@@ -21,28 +21,28 @@ dependencies:
21
21
  requirements:
22
22
  - - "~>"
23
23
  - !ruby/object:Gem::Version
24
- version: '1.2'
24
+ version: '1.1'
25
25
  type: :runtime
26
26
  prerelease: false
27
27
  version_requirements: !ruby/object:Gem::Requirement
28
28
  requirements:
29
29
  - - "~>"
30
30
  - !ruby/object:Gem::Version
31
- version: '1.2'
31
+ version: '1.1'
32
32
  - !ruby/object:Gem::Dependency
33
33
  name: ruby-saml
34
34
  requirement: !ruby/object:Gem::Requirement
35
35
  requirements:
36
36
  - - "~>"
37
37
  - !ruby/object:Gem::Version
38
- version: 0.7.3
38
+ version: 0.8.1
39
39
  type: :runtime
40
40
  prerelease: false
41
41
  version_requirements: !ruby/object:Gem::Requirement
42
42
  requirements:
43
43
  - - "~>"
44
44
  - !ruby/object:Gem::Version
45
- version: 0.7.3
45
+ version: 0.8.1
46
46
  - !ruby/object:Gem::Dependency
47
47
  name: rspec
48
48
  requirement: !ruby/object:Gem::Requirement
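Review bot: the `omniauth` requirement is loosened from `~> 1.2` to `~> 1.1` while `ruby-saml` is raised to `~> 0.8.1` (required by the `OneLogin::RubySaml` namespace used in this release). Both changes affect users' dependency resolution and neither appears in the 1.3.0 changelog entry; document them, and confirm the `~> 1.1` loosening is intentional rather than an accidental revert.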