omniauth-suomifi 0.3.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a1f6be0c9db1b5a90f38af2f9eb08aa48330aaf0fac09d820a91134a7d22ba9
-  data.tar.gz: a03dae85e69231eb5106a76499bebf5a0dd8ddb639b8bcb3cc05348879d73470
+  metadata.gz: 2312191c6d70426259424cd525b77161966b43b151e84b9269dc7fe61c828754
+  data.tar.gz: a483682acfd192e66a87b4a556f9a61e7bbe63e9c9529635718005022c4f9e91
 SHA512:
-  metadata.gz: e3b5d2142c659ecdda0d3e88b625e0005b35f58bb25b4f44d06dff8b984deb733b148f8e85537d05584a7d817d0f1b36bb3efba52599e71b9858003209417e1a
-  data.tar.gz: a60c7e15ffa8aecad4d896d3de2ebb4aa20ac3cd44fb7764b093d66c85a8330b90954f889319e21704bfb2c70f1fc66f0f8bb5cf0b7774c1b31d18991e7bf2f5
+  metadata.gz: 856b8252bf76f046acb4788dcc5b5f4400a7dec5f7351c6fbae1fa17842335c805afcf008b32eddf856299f4b12e4bb6a6398ff7bbd2d84e5a70a59aca8cd0c8
+  data.tar.gz: 775d337ab4941f7c9fa79f4dd4376b2cfdc9f2d5f1e57a5dc9abbb00b52f3888dba5c7d6103d429f22a98ec46353ada3954d12bd931b842eafcb2ed1f0088ee4

data/README.md

@@ -1,6 +1,6 @@
 # OmniAuth Suomi.fi
 
-[![Build Status](https://travis-ci.com/mainio/omniauth-suomifi.svg?branch=master)](https://travis-ci.com/mainio/omniauth-suomifi)
+[![Build Status](https://github.com/mainio/omniauth-suomifi/actions/workflows/ci_omniauth-suomifi.yml/badge.svg)](https://github.com/mainio/omniauth-suomifi/actions)
 [![codecov](https://codecov.io/gh/mainio/omniauth-suomifi/branch/master/graph/badge.svg)](https://codecov.io/gh/mainio/omniauth-suomifi)
 
 This is an unofficial OmniAuth strategy for authenticating with the Suomi.fi

data/lib/omniauth/strategies/suomifi.rb

@@ -28,16 +28,16 @@ module OmniAuth
       # - en_US
       #
       # In case a valid language cannot be parsed from the parameter, the locale
-      # parameter will default to `:idp_sso_target_url_default_locale`.
+      # parameter will default to `:idp_sso_service_url_default_locale`.
       #
       # Note that the locale parameter is always added as the last parameter in
       # in the redirect URL as expected by Suomi.fi.
-      option :idp_sso_target_url_locale_params, %w[locale language lang]
+      option :idp_sso_service_url_locale_params, %w[locale language lang]
 
       # This is the default locale to be passed to IdP sign in redirect URL as
       # defined above. In case a valid locale is not found from the request
       # parameters, this will be used instead.
-      option :idp_sso_target_url_default_locale, 'fi'
+      option :idp_sso_service_url_default_locale, 'fi'
 
       # The request attributes for Suomi.fi
       option :possible_request_attributes, [
@@ -557,7 +557,7 @@ module OmniAuth
       # Suomi.fi requires that the service provider needs to end the local user
       # session BEFORE sending the logout request to the identity provider.
       def other_phase_for_spslo
-        return super unless options.idp_slo_target_url
+        return super unless options.idp_slo_service_url
 
         with_settings do |settings|
           # Some session variables are needed when generating the logout request
@@ -609,8 +609,8 @@ module OmniAuth
         case options.mode
         when :test
           'https://testi.apro.tunnistus.fi/static/metadata/idp-metadata.xml'
-        else
-          'https://tunnistus.suomi.fi/static/metadata/idp-metadata-secondary.xml'
+        else # :production
+          'https://tunnistus.suomi.fi/static/metadata/idp-metadata-tunnistautuminen.xml'
         end
       end
 
@@ -629,6 +629,16 @@ module OmniAuth
           slo_binding: ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
         )
 
+        if settings[:idp_slo_response_service_url].nil? && settings[:idp_slo_target_url].nil?
+          # Mitigation after ruby-saml update to 1.12.x. This gem has been
+          # originally developed relying on the `:idp_slo_target_url` settings
+          # which was removed from the newer versions. The SLO requests won't
+          # work unless `:idp_slo_response_service_url` is defined in the
+          # metadata through the `ResponseLocation` attribute in the
+          # `<SingleLogoutService />` node.
+          settings[:idp_slo_target_url] ||= settings[:idp_slo_service_url]
+        end
+
         # Local certificate and private key to decrypt the responses
         settings[:certificate] = certificate
         settings[:private_key] = private_key
@@ -662,8 +672,8 @@ module OmniAuth
       end
 
       def locale_for_authn_request
-        if options.idp_sso_target_url_locale_params.is_a?(Array)
-          options.idp_sso_target_url_locale_params.each do |param|
+        if options.idp_sso_service_url_locale_params.is_a?(Array)
+          options.idp_sso_service_url_locale_params.each do |param|
             next unless request.params.key?(param.to_s)
 
             locale = parse_language_value(request.params[param.to_s])
@@ -671,7 +681,7 @@ module OmniAuth
           end
         end
 
-        options.idp_sso_target_url_default_locale
+        options.idp_sso_service_url_default_locale
       end
 
       def parse_language_value(string)

data/lib/omniauth-suomifi/ruby_saml_extensions.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# This overrides the decryption method in RubySaml in order to add support for
+# AES GCM decryption required by Suomi.fi. The Suomi.fi AES GCM cipher text
+# contains an auth tag that needs to be extracted from the end of the cipher
+# text before decrypting it. Otherwise the `cipher.final` method would fail
+# becuse the decrypted data is incorrect.
+#
+# Related to this GitHub issue:
+# https://github.com/onelogin/ruby-saml/issues/541
+#
+# This differs from the original implementation only with the following aspects:
+# - Detects the AES GCM cipher methods
+# - For the AES CGM cipher methods, extracts the auth tag from the end of the
+#   cipher text, assuming it to be 16 bytes in length.
+#
+# Regarding the authentication tag, see:
+# https://tools.ietf.org/html/rfc5116#section-5.1
+#
+# > An authentication tag with a length of 16 octets (128
+# > bits) is used.  The AEAD_AES_128_GCM ciphertext is formed by
+# > appending the authentication tag provided as an output to the GCM
+# > encryption operation to the ciphertext that is output by that
+# > operation.
+OneLogin::RubySaml::Utils.class_eval do
+  # Obtains the deciphered text
+  # @param cipher_text [String]   The ciphered text
+  # @param symmetric_key [String] The symetric key used to encrypt the text
+  # @param algorithm [String]     The encrypted algorithm
+  # @return [String] The deciphered text
+  def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
+    case algorithm
+    when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' then cipher = OpenSSL::Cipher.new('AES-128-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' then cipher = OpenSSL::Cipher.new('AES-192-CBC').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' then cipher = OpenSSL::Cipher.new('AES-256-CBC').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes128-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-128-GCM').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes192-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-192-GCM').decrypt
+    when 'http://www.w3.org/2009/xmlenc11#aes256-gcm' then auth_cipher = OpenSSL::Cipher.new('AES-256-GCM').decrypt
+    when 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' then rsa = symmetric_key
+    when 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' then oaep = symmetric_key
+    end
+
+    if cipher
+      iv_len = cipher.iv_len
+      data = cipher_text[iv_len..-1]
+      cipher.padding = 0
+      cipher.key = symmetric_key
+      cipher.iv = cipher_text[0..iv_len - 1]
+      assertion_plaintext = cipher.update(data)
+      assertion_plaintext << cipher.final
+    elsif auth_cipher
+      iv_len = auth_cipher.iv_len
+      text_len = cipher_text.length
+      tag_len = 16
+      data = cipher_text[iv_len..text_len - 1 - tag_len]
+      auth_cipher.padding = 0
+      auth_cipher.key = symmetric_key
+      auth_cipher.iv = cipher_text[0..iv_len - 1]
+      auth_cipher.auth_data = ''
+      auth_cipher.auth_tag = cipher_text[text_len - tag_len..-1]
+      assertion_plaintext = auth_cipher.update(data)
+      assertion_plaintext << auth_cipher.final
+    elsif rsa
+      rsa.private_decrypt(cipher_text)
+    elsif oaep
+      oaep.private_decrypt(cipher_text, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+    else
+      cipher_text
+    end
+  end
+end

data/lib/omniauth-suomifi/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Suomifi
-    VERSION = '0.3.0'
+    VERSION = '0.6.0'
   end
 end

data/lib/omniauth-suomifi.rb

@@ -2,3 +2,4 @@
 
 require 'omniauth-suomifi/version'
 require 'omniauth/strategies/suomifi'
+require 'omniauth-suomifi/ruby_saml_extensions'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-suomifi
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-15 00:00:00.000000000 Z
+date: 2021-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-saml
@@ -16,42 +16,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.10.1
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.13.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +120,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 0.19.0
 description: Suomi.fi e-Identification service integration for OmniAuth.
 email:
 - antti.hukkanen@mainiotech.fi
@@ -125,6 +139,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-suomifi.rb
+- lib/omniauth-suomifi/ruby_saml_extensions.rb
 - lib/omniauth-suomifi/test.rb
 - lib/omniauth-suomifi/test/certificate_generator.rb
 - lib/omniauth-suomifi/test/templates/encrypted_data_template.xml