omniauth-signicat 1.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: fc291d34932e5333c40e4a218590e1fd0bcbd495
+  data.tar.gz: 2e38e29be4badafe083aff0a0b88e59eaad7c4a3
+SHA512:
+  metadata.gz: cd0c52f433b28da51137d841fea1b0358e9d578df8196e909dba5940dd49ca1ff9f1bdd66679a7e324c2f16d95239a5082e1030e710f70e395967c42466e3bce
+  data.tar.gz: cb0c5ea48e377b56cecba069b7cc1fc008658435858d155ecb1787636de9a984cff4dbaa49ba7faf8e594c7f226de9040c6ff78929e819e8ced39dc9ee34877d

data/CHANGELOG.md

@@ -0,0 +1,13 @@
+# OmniAuth Signicat Version History
+
+A Signicat strategy for OmniAuth.
+
+https://github.com/Nabobil/omniauth-signicat
+
+## 1.6.0 (2016-05-16)
+
+* First version
+
+## 1.5.0 and prior
+
+* Please view the [OmniAuth SAML project](https://github.com/omniauth/omniauth-saml)

data/LICENSE.md

@@ -0,0 +1,25 @@
+# License
+
+Copyright © 2016 Omniauth-SAML maintainers
+
+Copyright © 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/).
+
+All rights reserved. Released under the MIT license.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,102 @@
+# OmniAuth Signicat
+
+[![Gem Version](http://img.shields.io/gem/v/omniauth-signicat.svg)][gem]
+[![Build Status](https://img.shields.io/codeship/10a7cb50-af95-0132-a853-0e5ba92aabbb.svg)][codeship]
+[![Dependency Status](http://img.shields.io/gemnasium/Nabobil/omniauth-signicat.svg)][gemnasium]
+[![Coverage Status](http://img.shields.io/coveralls/Nabobil/omniauth-signicat.svg)][coveralls]
+
+[gem]: https://rubygems.org/gems/omniauth-signicat
+[codeship]: https://codeship.com/projects/152234
+[gemnasium]: https://gemnasium.com/github.com/Nabobil/omniauth-signicat
+[coveralls]: https://coveralls.io/github/Nabobil/omniauth-signicat
+
+Signicat strategy for OmniAuth available under the [MIT License](LICENSE.md)
+
+https://github.com/Nabobil/omniauth-signicat
+
+## Requirements
+
+* [OmniAuth](http://www.omniauth.org/) 1.3+
+* Ruby 1.9.x or Ruby 2.1.x+
+
+## Versioning
+
+We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle.
+
+## Usage
+
+Use the Signicat strategy as a middleware in your application:
+
+```ruby
+require 'omniauth'
+use OmniAuth::Strategies::Signicat,
+  :env      => 'preprod',
+  :service  => 'demo',
+  :method   => 'nbid',
+  :language => 'nb'
+```
+
+or in your Rails application:
+
+in `Gemfile`:
+
+```ruby
+gem 'omniauth-signicat'
+```
+
+and in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :signicat,
+    :env      => 'preprod',
+    :service  => 'demo',
+    :method   => 'nbid',
+    :language => 'nb'
+end
+```
+
+## Options
+
+* `:env` - `preprod` or `id`. **Required**.
+
+* `:service` - The name of your service as registered with Signicat. There is a
+  demo preprod service called `demo` which you may use as you'd like, but eventually
+  you will start using your own service. **Required**.
+
+* `:method` - The name of the id-method as registered with Signicat. Common
+  abbreviations are `nbid` for Norwegian BankID, `sbid` for Swedish BankID,
+  `nemid` for Danish NemID, `tupas` for Finnish Tupas, `esteid` for Estonian
+  ID-card and so on. **Required**.
+
+* `:language` - Two letter code (ISO 639-1) for the language you would like in
+  the user interface, such as `nb` for Norwegian, `da` for Danish, `sv` for
+  Swedish, `fi` for Finnish, `et` for Estonian and so on. **Required**.
+
+* `:profile` - The name of the graphical profile you would like to use. If you
+  don't have a graphical profile, you can omit the value and the default profile
+  will be used. Optional.
+
+## Devise Integration
+
+Straightforward integration with [Devise](https://github.com/plataformatec/devise), the widely-used authentication solution for Rails.
+
+In `config/initializers/devise.rb`:
+
+```ruby
+Devise.setup do |config|
+  config.omniauth :signicat,
+    :env      => 'preprod',
+    :service  => 'demo',
+    :method   => 'nbid',
+    :language => 'nb'
+end
+```
+
+Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview), replacing references to `facebook` with `signicat`.
+
+## Authors
+
+Authored by [Theodor Tonum](https://github.com/theodorton) at [Nabobil](https://nabobil.no).
+
+Original `omniauth-saml` project authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).

data/lib/omniauth-signicat.rb

@@ -0,0 +1,2 @@
+require 'omniauth/strategies/signicat'
+require 'omniauth/strategies/signicat/validation_error'

data/lib/omniauth-signicat/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Signicat
+    VERSION = '1.6.0'.freeze
+  end
+end

data/lib/omniauth/strategies/signicat.rb

@@ -0,0 +1,118 @@
+require 'omniauth'
+require 'cgi'
+require 'base64'
+require 'nokogiri'
+require 'digest/sha1'
+
+module OmniAuth
+  module Strategies
+    # OmniAuth Strategy for authenticating with Signicat based identity solutions
+    class Signicat
+      include OmniAuth::Strategy
+
+      def self.inherited(subclass)
+        OmniAuth::Strategy.included(subclass)
+      end
+
+      XML_DS_NS = 'http://www.w3.org/2000/09/xmldsig#'.freeze
+
+      option :env, 'preprod'
+      option :service, 'demo'
+      option :method, nil
+      option :profile, 'default'
+      option :language, 'en'
+
+      def request_phase
+        redirect(target_url)
+      end
+
+      def callback_phase
+        unless request.params['SAMLResponse']
+          raise OmniAuth::Strategies::Signicat::ValidationError, 'SAML response missing'
+        end
+
+        saml_response = Base64.decode64(request.params['SAMLResponse'])
+        xml = Nokogiri.parse(saml_response)
+        verify_signature!(xml)
+        assign_attributes(xml)
+
+        super
+      rescue OmniAuth::Strategies::Signicat::ValidationError
+        fail!(:invalid_ticket, $ERROR_INFO)
+      end
+
+      def target_url
+        [
+          "https://#{options[:env]}.signicat.com",
+          "/std/method/#{options[:service]}",
+          "?id=#{options[:method]}:#{options[:profile]}:#{options[:language]}",
+          "&target=#{CGI.escape(callback_url)}"
+        ].join('')
+      end
+
+      uid { @name_id }
+
+      info do
+        {
+          'firstname' => @attributes['firstname'],
+          'lastname' => @attributes['lastname'],
+          'date-of-birth' => @attributes['date-of-birth']
+        }
+      end
+
+      extra { { raw_info: @attributes } }
+
+      private
+
+      def verify_signature!(xml)
+        key = extract_public_key(xml)
+
+        signed_info = extract_signed_info(xml)
+        signature = extract_signature(xml)
+        return if key.verify(OpenSSL::Digest::SHA1.new, signature, signed_info)
+
+        raise OmniAuth::Strategies::Signicat::ValidationError, 'Invalid signature'
+      end
+
+      def extract_public_key(xml)
+        raw_cert = xml.xpath('//ds:X509Certificate/text()', 'ds' => XML_DS_NS).text
+        cert = OpenSSL::X509::Certificate.new(Base64.decode64(raw_cert))
+        if cert.subject.to_s != expected_cert_subject
+          raise OmniAuth::Strategies::Signicat::ValidationError, 'Invalid certificate'
+        end
+        cert.public_key
+      end
+
+      def extract_signed_info(xml)
+        noko_sig_element = xml.at_xpath('//ds:Signature', 'ds' => XML_DS_NS)
+        noko_signed_info_element = noko_sig_element.at_xpath('./ds:SignedInfo', 'ds' => XML_DS_NS)
+
+        canon_algorithm = Nokogiri::XML::XML_C14N_EXCLUSIVE_1_0
+        noko_signed_info_element.canonicalize(canon_algorithm)
+      end
+
+      def extract_signature(xml)
+        raw_signature = xml.xpath('//ds:SignatureValue', 'ds' => XML_DS_NS).text
+        Base64.decode64(raw_signature)
+      end
+
+      def assign_attributes(xml)
+        @attributes = {}
+        xml.xpath('//saml:Attribute').each do |attr_node|
+          key   = attr_node['AttributeName']
+          value = attr_node.text
+          @attributes[key] = value
+        end
+        @name_id = @attributes['unique-id']
+      end
+
+      def expected_cert_subject
+        if options[:env] == 'id'
+          '/C=NO/ST=Norway/L=Trondheim/O=Signicat/OU=Signicat/CN=id.signicat.com/std'
+        else
+          '/C=NO/ST=Norway/L=Trondheim/O=Signicat/OU=Signicat/CN=test.signicat.com/std'
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/signicat/validation_error.rb

@@ -0,0 +1,8 @@
+module OmniAuth
+  module Strategies
+    class Signicat
+      class ValidationError < RuntimeError
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/signicat_spec.rb

@@ -0,0 +1,140 @@
+# rubocop:disable Metrics/LineLength
+require 'spec_helper'
+
+RSpec::Matchers.define :fail_with do |message|
+  match do |actual|
+    actual.redirect? && /\?.*message=#{message}/ =~ actual.location
+  end
+end
+
+def post_xml(xml = :example_response)
+  post '/auth/signicat/callback', 'SAMLResponse' => load_xml(xml)
+end
+
+describe OmniAuth::Strategies::Signicat, type: :strategy do
+  include OmniAuth::Test::StrategyTestCase
+
+  let(:auth_hash) { last_request.env['omniauth.auth'] }
+  let(:signicat_options) do
+    {
+      env: 'preprod',
+      service: 'demo',
+      method: 'nbid',
+      language: 'nb'
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::Signicat, signicat_options] }
+
+  describe 'GET /auth/signicat' do
+    before do
+      get '/auth/signicat'
+    end
+
+    it 'should redirect correctly' do
+      last_response.location.should include 'https://preprod.signicat.com/std/method/demo?id=nbid:default:nb'
+    end
+  end
+
+  describe 'POST /auth/signicat/callback' do
+    subject { last_response }
+
+    let(:xml) { :example_response }
+
+    before :each do
+      Time.stub(:now).and_return(Time.utc(2016, 5, 10, 8, 57, 00))
+    end
+
+    shared_examples_for 'a valid response' do
+      it 'should set the uid to the nameID in the SAML response' do
+        auth_hash['uid'].should == '9578-6000-4-140135'
+      end
+
+      it 'should set the info' do
+        auth_hash[:info].should == {
+          'firstname' => 'Bjørn Test',
+          'lastname' => 'Teisvær',
+          'date-of-birth' => '1961-03-23'
+        }
+      end
+
+      it 'should set the raw info to all attributes' do
+        auth_hash['extra'][:raw_info].should == {
+          'action' => 'auth',
+          'bank' => 'TestBank1',
+          'bankid-no' => '9578-6000-4-140135',
+          'date-of-birth' => '1961-03-23',
+          'firstname' => "Bjørn Test",
+          'fnr' => '23036107340',
+          'issuer-dn' => 'CN=BankID TestBank1 Bank CA 2,OU=123456789,O=TestBank1 AS,C=NO',
+          'key-algorithm' => 'RSA',
+          'key-size' => '2048',
+          'lastname' => "Teisvær",
+          'method-name' => 'nbid',
+          'monetary-limit-amount' => '100000',
+          'monetary-limit-currency' => 'NOK',
+          'national-id' => '23036107340',
+          'no.fnr' => '23036107340',
+          'originator' => '9999',
+          'plain-name' => "Teisvær, Bjørn Test",
+          'policy-oid' => '2.16.578.1.16.1.12.1.1',
+          'qualified' => 'true',
+          'security-level' => '3',
+          'serialnumber' => '552735',
+          'service-name' => 'shared',
+          'subject-dn' => "CN=Teisvær\\, Bjørn Test,O=BankID - TestBank1,C=NO,SERIALNUMBER=9578-6000-4-140135",
+          'unique-id' => '9578-6000-4-140135',
+          'valid-from' => '2016-05-09',
+          'valid-to' => '2018-05-09',
+          'version-number' => '3'
+        }
+      end
+    end
+
+    context 'when the response is valid' do
+      before :each do
+        post_xml
+      end
+
+      it_behaves_like 'a valid response'
+    end
+
+    context 'when there is no SAMLResponse parameter' do
+      before :each do
+        post '/auth/signicat/callback'
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context 'when the digest is invalid' do
+      before :each do
+        post_xml :digest_mismatch
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context 'when the signature is invalid' do
+      before :each do
+        post_xml :invalid_signature
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+
+    context 'when the cert is wrong' do
+      before :each do
+        post_xml :invalid_cert
+      end
+
+      it { should fail_with(:invalid_ticket) }
+    end
+  end
+
+  describe 'subclass behavior' do
+    it 'registers subclasses in OmniAuth.strategies' do
+      subclass = Class.new(described_class)
+      expect(OmniAuth.strategies).to include(described_class, subclass)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,27 @@
+if RUBY_VERSION >= '1.9'
+  require 'simplecov'
+
+  if ENV['CI']
+    require 'coveralls'
+    Coveralls.wear!
+  end
+
+  SimpleCov.start
+end
+
+require 'omniauth-signicat'
+require 'rack/test'
+require 'rexml/document'
+require 'rexml/xpath'
+require 'base64'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+end
+
+def load_xml(filename = :example_response)
+  filename = File.expand_path(File.join('..', 'support', "#{filename}.xml"), __FILE__)
+  Base64.encode64(IO.read(filename))
+end

metadata

@@ -0,0 +1,138 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-signicat
+version: !ruby/object:Gem::Version
+  version: 1.6.0
+platform: ruby
+authors:
+- Theodor Tonum
+- Raecoo Cao
+- Ryan Wilcox
+- Rajiv Aaron Manglani
+- Steven Anderson
+- Nikos Dimitrakopoulos
+- Rudolf Vriend
+- Bruno Pedro
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-05-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+description: Signicat strategy for OmniAuth.
+email: theodor@nabobil.no
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.md
+- README.md
+- lib/omniauth-signicat.rb
+- lib/omniauth-signicat/version.rb
+- lib/omniauth/strategies/signicat.rb
+- lib/omniauth/strategies/signicat/validation_error.rb
+- spec/omniauth/strategies/signicat_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/Nabobil/omniauth-signicat
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Signicat strategy for OmniAuth.
+test_files:
+- spec/omniauth/strategies/signicat_spec.rb
+- spec/spec_helper.rb
+has_rdoc: