omniauth-saml 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c97817e22f903d85818b687a7a003d8a752a5fe
-  data.tar.gz: c947e7c9a0c693ea8a38367aee1060a3c517ba2c
+  metadata.gz: a3fbf2c866dd9c9b7843a160be875332185f0f97
+  data.tar.gz: 7b633d77ad60c42ef1f263901cf795c29862be2f
 SHA512:
-  metadata.gz: 19ca24fce1e07008c93a66a2c2a7c46cb627372220364881ae2d966a68feec7a9fa6c75b019bdd5f935a4f6fb39a9ed5bee9008016bcf4eb51042f5cc3f105d7
-  data.tar.gz: d766149cecbfb73e20f253a46c790ae1a87b1d8085dcf68244890dacd6a9ed40beec355fc70a35f3b6efdd219553c47d301a090299bb71ebc2492b0dc5c817d4
+  metadata.gz: c75c15118de34c8960ee4516b9c32633db4cb11a96271d3d76dc194ceaaf5ffa15ead1b078df39ad77c11dd6d54cd5660640e1eb547587fc0499ff53cce46452
+  data.tar.gz: ccb0ab71a1be6fb2d88291c58756239ec89fcc5cdb9d74abc60052430c1524fe4422670c0bfa2c324de6303e8e383ef139a1d1a04fc58a2e292d9089d2b476f8

data/CHANGELOG.md

@@ -4,6 +4,10 @@ A generic SAML strategy for OmniAuth.
 
 https://github.com/PracticallyGreen/omniauth-saml
 
+## 1.3.0 (2014-14-10)
+
+* add `idp_cert_fingerprint_validator` option
+
 ## 1.2.0 (2014-03-19)
 
 * provide SP metadata at `/auth/saml/metadata`

data/README.md

@@ -22,6 +22,7 @@ use OmniAuth::Strategies::SAML,
   :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
   :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
   :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+  :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
   :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 ```
 
@@ -44,6 +45,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do
     :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
     :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
     :idp_cert_fingerprint               => "E7:91:B2:E1:...",
+    :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
     :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 end
 ```
@@ -73,12 +75,16 @@ The service provider metadata used to ease configuration of the SAML SP in the I
   `original_param_value`. Optional.
 
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
-  over the fingerprint option below. This option or `:idp_cert_fingerprint` must
+  over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
   be present.
 
 * `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
-  the relationship. This option or `:idp_cert` must be present.
+  the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
+
+* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
+  (the fingerprint), verify if it is valid and return it if successful. This option
+  or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
 
 * `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
   the username required by this application. If you need the email address, use
@@ -88,13 +94,11 @@ The service provider metadata used to ease configuration of the SAML SP in the I
   If not specified, the IdP is free to choose the name identifier format used
   in the response. Optional.
 
-* See the `Onelogin::Saml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
+* See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 
 ## Authors
 
-Authored by Raecoo Cao, Todd W Saxton, Ryan Wilcox, Rajiv Aaron Manglani, Steven Anderson, Nikos Dimitrakopoulos, and Rudolf Vriend.
-
-Maintained by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/).
+Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
 
 ## License
 

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '1.2.0'
+    VERSION = '1.3.0'
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -18,8 +18,8 @@ module OmniAuth
           additional_params[mapped_param_key] = request.params[request_param_key.to_s] if request.params.has_key?(request_param_key.to_s)
         end if runtime_request_parameters
 
-        authn_request = Onelogin::Saml::Authrequest.new
-        settings = Onelogin::Saml::Settings.new(options)
+        authn_request = OneLogin::RubySaml::Authrequest.new
+        settings = OneLogin::RubySaml::Settings.new(options)
 
         redirect(authn_request.create(settings, additional_params))
       end
@@ -29,8 +29,18 @@ module OmniAuth
           raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing")
         end
 
-        response = Onelogin::Saml::Response.new(request.params['SAMLResponse'], options)
-        response.settings = Onelogin::Saml::Settings.new(options)
+        # Call a fingerprint validation method if there's one
+        if options.idp_cert_fingerprint_validator
+          fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
+          unless fingerprint_exists
+            raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
+          end
+          # id_cert_fingerprint becomes the given fingerprint if it exists
+          options.idp_cert_fingerprint = fingerprint_exists
+        end
+
+        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], options)
+        response.settings = OneLogin::RubySaml::Settings.new(options)
 
         @name_id = response.name_id
         @attributes = response.attributes
@@ -44,18 +54,30 @@ module OmniAuth
         super
       rescue OmniAuth::Strategies::SAML::ValidationError
         fail!(:invalid_ticket, $!)
-      rescue Onelogin::Saml::ValidationError
+      rescue OneLogin::RubySaml::ValidationError
         fail!(:invalid_ticket, $!)
       end
 
+      # Obtain an idp certificate fingerprint from the response.
+      def response_fingerprint
+        response = request.params['SAMLResponse']
+        response = (response =~ /^</) ? response : Base64.decode64(response)
+        document = XMLSecurity::SignedDocument::new(response)
+        cert_element = REXML::XPath.first(document, "//ds:X509Certificate", { "ds"=> 'http://www.w3.org/2000/09/xmldsig#' })
+        base64_cert = cert_element.text
+        cert_text = Base64.decode64(base64_cert)
+        cert = OpenSSL::X509::Certificate.new(cert_text)
+        Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+      end
+
       def other_phase
         if on_path?("#{request_path}/metadata")
           # omniauth does not set the strategy on the other_phase
           @env['omniauth.strategy'] ||= self
           setup_phase
 
-          response = Onelogin::Saml::Metadata.new
-          settings = Onelogin::Saml::Settings.new(options)
+          response = OneLogin::RubySaml::Metadata.new
+          settings = OneLogin::RubySaml::Settings.new(options)
           Rack::Response.new(response.generate(settings), 200, { "Content-Type" => "application/xml" }).finish
         else
           call_app!

data/spec/omniauth/strategies/saml_spec.rb

@@ -84,6 +84,27 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
       end
     end
 
+    context "when fingerprint is empty and there's a fingerprint validator" do
+      before :each do
+        saml_options.delete(:idp_cert_fingerprint)
+        saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
+        post_xml
+      end
+
+      it "should set the uid to the nameID in the SAML response" do
+        auth_hash['uid'].should == '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
+      end
+
+      it "should set the raw info to all attributes" do
+        auth_hash['extra']['raw_info'].to_hash.should == {
+          'first_name'   => 'Rajiv',
+          'last_name'    => 'Manglani',
+          'email'        => 'user@example.com',
+          'company_name' => 'Example Company'
+        }
+      end
+    end
+
     context "when there is no SAMLResponse parameter" do
       before :each do
         post '/auth/saml/callback'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Raecoo Cao
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-19 00:00:00.000000000 Z
+date: 2015-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -21,28 +21,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 0.8.1
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement