omniauth-suomifi 0.1.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3bba7a20e137303ea20efd3d2d829c9e37e103b5c47d864188b50a16cce7d758
-  data.tar.gz: 481a5fe89956132db550b05d7ffd9e997ae377b6dafb4ba096c4e011edaf0fed
+  metadata.gz: 541ef437515bdfaca98ec7fe448e82a2c9008910d0937796cde8b92e92642344
+  data.tar.gz: 5a0987732cc390c688f58c9f0f48f579d29ade702a462f5295b0399df9675268
 SHA512:
-  metadata.gz: 5e58186eca6d49643657a3e421a5417b9caf988d212c78230224ca1e0e7e0819a46c04adf19f3e94554730cb7090c1cdc786cc4e6cdac61cffe96b9ab3cccd5e
-  data.tar.gz: 4cac68f67dab309856e7919c2b894322dcb90370968ec2772b5b19d738486afd0b8977ec4ece944c653e65fc862372e881f9553e94ea64afceaa77cd7bd6b876
+  metadata.gz: 0b87dcd1dc757088bce48a1cc98594f46c594223fc9d80f7c810ca71a87a762eed52c8906690376c034b2ffc59df73b10783198c3162841a53e171986fb467a5
+  data.tar.gz: 8d1fe6697ebe488eb7ced33a1e4caf8fdd91803eb256a039fd4d61ad5e6ebe8900952eba478c96d04b608dc31dae11c6161f05168a772738d3dacba88969fd20

data/lib/omniauth-suomifi.rb

@@ -2,3 +2,4 @@
 
 require 'omniauth-suomifi/version'
 require 'omniauth/strategies/suomifi'
+require 'omniauth-suomifi/ruby_saml_extensions'

data/lib/omniauth-suomifi/ruby_saml_extensions.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# This overrides the decryption method in RubySaml in order to add support for
+# AES GCM decryption required by Suomi.fi. The Suomi.fi AES GCM cipher text
+# contains an auth tag that needs to be extracted from the end of the cipher
+# text before decrypting it. Otherwise the `cipher.final` method would fail
+# becuse the decrypted data is incorrect.
+#
+# Related to this GitHub issue:
+# https://github.com/onelogin/ruby-saml/issues/541
+#
+# This differs from the original implementation only with the following aspects:
+# - Detects the AES GCM cipher methods
+# - For the AES CGM cipher methods, extracts the auth tag from the end of the
+#   cipher text, assuming it to be 16 bytes in length.
+#
+# Regarding the authentication tag, see:
+# https://tools.ietf.org/html/rfc5116#section-5.1
+#
+# > An authentication tag with a length of 16 octets (128
+# > bits) is used.  The AEAD_AES_128_GCM ciphertext is formed by
+# > appending the authentication tag provided as an output to the GCM
+# > encryption operation to the ciphertext that is output by that
+# > operation.
+OneLogin::RubySaml::Utils.class_eval do
+  # Obtains the deciphered text
+  # @param cipher_text [String]   The ciphered text
+  # @param symmetric_key [String] The symetric key used to encrypt the text
+  # @param algorithm [String]     The encrypted algorithm
+  # @return [String] The deciphered text
+  def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+    case algorithm
+    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+    end
+
+    if cipher
+      iv_len = cipher.iv_len
+      data = cipher_text[iv_len..-1]
+      cipher.padding = 0
+      cipher.key = symmetric_key
+      cipher.iv = cipher_text[0..iv_len - 1]
+      assertion_plaintext = cipher.update(data)
+      assertion_plaintext << cipher.final
+    elsif auth_cipher
+      iv_len = auth_cipher.iv_len
+      text_len = cipher_text.length
+      tag_len = 16
+      data = cipher_text[iv_len..text_len - 1 - tag_len]
+      auth_cipher.padding = 0
+      auth_cipher.key = symmetric_key
+      auth_cipher.iv = cipher_text[0..iv_len - 1]
+      auth_cipher.auth_data = ''
+      auth_cipher.auth_tag = cipher_text[text_len - tag_len..-1]
+      assertion_plaintext = auth_cipher.update(data)
+      assertion_plaintext << auth_cipher.final
+    elsif rsa
+      rsa.private_decrypt(cipher_text)
+    elsif oaep
+      oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    else
+      cipher_text
+    end
+  end
+end

data/lib/omniauth-suomifi/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Suomifi
-    VERSION = '0.1.0'
+    VERSION = '0.5.0'
   end
 end

data/lib/omniauth/strategies/suomifi.rb

@@ -16,6 +16,29 @@ module OmniAuth
       # The private key file to define the private key.
       option :private_key_file, nil
 
+      # Defines the locale parameters to check from the request phase request
+      # parameters. A valid language will be added to the IdP sign in redirect
+      # URL as the last parameter (with the name `locale` as expected by
+      # Suomi.fi).
+      #
+      # Suomi.fi accepts `fi`, `sv` or `en` in this parameter. The language can
+      # be parsed from the following kind of strings:
+      # - fi
+      # - sv-SE
+      # - en_US
+      #
+      # In case a valid language cannot be parsed from the parameter, the locale
+      # parameter will default to `:idp_sso_service_url_default_locale`.
+      #
+      # Note that the locale parameter is always added as the last parameter in
+      # in the redirect URL as expected by Suomi.fi.
+      option :idp_sso_service_url_locale_params, %w[locale language lang]
+
+      # This is the default locale to be passed to IdP sign in redirect URL as
+      # defined above. In case a valid locale is not found from the request
+      # parameters, this will be used instead.
+      option :idp_sso_service_url_default_locale, 'fi'
+
       # The request attributes for Suomi.fi
       option :possible_request_attributes, [
         ##############################
@@ -493,6 +516,20 @@ module OmniAuth
         )
       end
 
+      # Override the request phase to be able to pass the locale parameter to
+      # the redirect URL. Note that this needs to be the last parameter to
+      # be passed to the redirect URL.
+      def request_phase
+        authn_request = OneLogin::RubySaml::Authrequest.new
+        locale = locale_for_authn_request
+
+        with_settings do |settings|
+          url = authn_request.create(settings, additional_params_for_authn_request)
+          url += "&locale=#{CGI.escape(locale)}" unless locale.nil?
+          redirect(url)
+        end
+      end
+
       # This method can be used externally to fetch information about the
       # response, e.g. in case of failures.
       def response_object
@@ -508,12 +545,19 @@ module OmniAuth
         end
       end
 
+      # Override the callback URL so that it always matches the one expected by
+      # Suomi.fi. No additional query string parameters can be included in the
+      # string.
+      def callback_url
+        full_host + script_name + callback_path
+      end
+
     private
 
       # Suomi.fi requires that the service provider needs to end the local user
       # session BEFORE sending the logout request to the identity provider.
       def other_phase_for_spslo
-        return super unless options.idp_slo_target_url
+        return super unless options.idp_slo_service_url
 
         with_settings do |settings|
           # Some session variables are needed when generating the logout request
@@ -525,6 +569,19 @@ module OmniAuth
         end
       end
 
+      # Overridden to disable passing the relay state with a request parameter
+      # which is possible in the default implementation.
+      def slo_relay_state
+        state = super
+
+        # Ensure that we are only using the relay states to redirect the user
+        # within the current website. This forces the relay state to always
+        # start with a single forward slash character (/).
+        return '/' unless state =~ %r{^/[^/].*}
+
+        state
+      end
+
       def scoped_request_attributes
         scopes = [:limited]
         scopes << :medium_extensive if options.scope_of_data == :medium_extensive
@@ -552,8 +609,8 @@ module OmniAuth
         case options.mode
         when :test
           'https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml'
-        else
-          'https://tunnistus.suomi.fi/static/metadata/idp-metadata-secondary.xml'
+        else # :production
+          'https://tunnistus.suomi.fi/static/metadata/idp-metadata-tunnistautuminen.xml'
         end
       end
 
@@ -572,6 +629,16 @@ module OmniAuth
           slo_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
         )
 
+        if settings[:idp_slo_response_service_url].nil? && settings[:idp_slo_target_url].nil?
+          # Mitigation after ruby-saml update to 1.12.x. This gem has been
+          # originally developed relying on the `:idp_slo_target_url` settings
+          # which was removed from the newer versions. The SLO requests won't
+          # work unless `:idp_slo_response_service_url` is defined in the
+          # metadata through the `ResponseLocation` attribute in the
+          # `<SingleLogoutService />` node.
+          settings[:idp_slo_target_url] ||= settings[:idp_slo_service_url]
+        end
+
         # Local certificate and private key to decrypt the responses
         settings[:certificate] = certificate
         settings[:private_key] = private_key
@@ -603,6 +670,25 @@ module OmniAuth
           end
         end
       end
+
+      def locale_for_authn_request
+        if options.idp_sso_service_url_locale_params.is_a?(Array)
+          options.idp_sso_service_url_locale_params.each do |param|
+            next unless request.params.key?(param.to_s)
+
+            locale = parse_language_value(request.params[param.to_s])
+            return locale unless locale.nil?
+          end
+        end
+
+        options.idp_sso_service_url_default_locale
+      end
+
+      def parse_language_value(string)
+        language = string.sub('_', '-').split('-').first
+
+        language if language =~ /^(fi|sv|en)$/
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-suomifi
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-15 00:00:00.000000000 Z
+date: 2021-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-saml
@@ -16,42 +16,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: 1.10.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: 1.10.3
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.12.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.12.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +120,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
 description: Suomi.fi e-Identification service integration for OmniAuth.
 email:
 - antti.hukkanen@mainiotech.fi
@@ -125,6 +139,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-suomifi.rb
+- lib/omniauth-suomifi/ruby_saml_extensions.rb
 - lib/omniauth-suomifi/test.rb
 - lib/omniauth-suomifi/test/certificate_generator.rb
 - lib/omniauth-suomifi/test/templates/encrypted_data_template.xml