omniauth-suomifi 0.6.3 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3145f5edab1c7f635c55c21d23eee97fba96657bf156076ec700261dc962e142
-  data.tar.gz: 0da243959e4f569866ec5bdcf97c686f2e08dfeacc6e38fbd514452f3cd0859e
+  metadata.gz: 73fe21e9c9621ccdf65ff05a986ed1c078cd4e4e8bae541d85441713a8df12dc
+  data.tar.gz: 73a64e776f800ac6bc69a956c5e8e7b37ad4f95a497a43367ba583c82a1688eb
 SHA512:
-  metadata.gz: c7888c909cb1f4c55a6b89f788c8754242eac7d1f0b6bdcd58efc1e60827a0d824e50300b44226994e10d12afe2137ac27c5a338f1b7b671652b7d525110a0af
-  data.tar.gz: a8d854ea5d5bc6cb16ed5e78e3f93fd50eb25aa5b89539ebc0f8f22c4ec00c2b5efd3e6cfaf0ef3c543ca974c78693225609776a59a5551f20cd1d173c6a70de
+  metadata.gz: 6e361fa187b5f6a3f91b30255eddc0d936079b5f0f0909ddf2d7a0b94cfda4bdd2175de2beac6b705ccb1868004d5ad6a34030b6556a0d02c7e6bb8c28d1b900
+  data.tar.gz: 0f31b85bfe3c9cba91819bcc1466ac313b52d850c9bcb18137431b087fb922b3a0a594c9a7372845fb86cef77ecac4002abc89b50b54d7c483541b32711b57cf

data/lib/omniauth/strategies/suomifi.rb

@@ -458,7 +458,7 @@ module OmniAuth
         eidas_id = find_attribute_by(
           ['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier']
         )
-        hash_salt = begin
+        hash_salt =
           if options.uid_salt
             options.uid_salt
           elsif defined?(::Rails) && ::Rails.application
@@ -466,14 +466,13 @@ module OmniAuth
           else
             ''
           end
-        end
 
         if !electronic_id.nil?
-          'FINUID:' + electronic_id
+          "FINUID:#{electronic_id}"
         elsif !national_id.nil?
-          'FIHETU:' + Digest::MD5.hexdigest("FI:#{national_id}:#{hash_salt}")
+          "FIHETU:#{Digest::MD5.hexdigest("FI:#{national_id}:#{hash_salt}")}"
         elsif !eidas_id.nil?
-          'EIDASPID:' + Digest::MD5.hexdigest("EIDAS:#{eidas_id}:#{hash_salt}")
+          "EIDASPID:#{Digest::MD5.hexdigest("EIDAS:#{eidas_id}:#{hash_salt}")}"
         else
           @name_id
         end
@@ -491,6 +490,7 @@ module OmniAuth
       attr_accessor :options
       attr_reader :suomifi_thread
 
+      # rubocop:disable Metrics/MethodLength
       def initialize(app, *args, &block)
         super
 
@@ -520,6 +520,7 @@ module OmniAuth
           )
         end
       end
+      # rubocop:enable Metrics/MethodLength
 
       # Override the request phase to be able to pass the locale parameter to
       # the redirect URL. Note that this needs to be the last parameter to
@@ -529,7 +530,7 @@ module OmniAuth
         authn_request = OneLogin::RubySaml::Authrequest.new
         locale = locale_for_authn_request
 
-        session["saml_redirect_url"] = request.params["redirect_url"]
+        session['saml_redirect_url'] = request.params['redirect_url']
 
         with_settings do |settings|
           url = authn_request.create(settings, additional_params_for_authn_request)
@@ -562,6 +563,49 @@ module OmniAuth
 
     private
 
+      # The single log-out (SLO) in Suomi.fi is initiated in an iframe within
+      # the single logout page at Suomi.fi side. Therefore, due to browser
+      # restrictions, it is not possible to transfer session related data to the
+      # service from that page because it would require 3rd party cookies which
+      # are restricted by browsers.
+      #
+      # Therefore, the SLO request needs to be handled at the service's side by
+      # storing the Suomi.fi sessions in a database and then comparing the SAML
+      # uid of the SLO request to the values stored witin the database to log
+      # out the user who requested the logout. There is no other way to transfer
+      # this information from the SLO page.
+      #
+      # The default functionality within the `omniauth-saml` strategy relies on
+      # the session variables to compare the SAML uid during the SLO request but
+      # this is not possible with Suomi.fi when the 3rd party cookies are
+      # prevented by the browser.
+      def handle_logout_request(raw_request, settings)
+        # If the "saml_uid" is set, the logout request was initiated by the
+        # application itself. If not, the code below calls the application which
+        # can do the validation against the database where the sessions are
+        # stored.
+        return super if session['saml_uid']
+
+        # Otherwise, the application itself needs to handle the logout because
+        # this is not happening within the same session that the user has
+        # currently open at the website.
+        logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
+          raw_request,
+          {settings: settings, get_params: @request.params}
+        )
+        raise OmniAuth::Strategies::SAML::ValidationError.new('SAML failed to process LogoutRequest') unless logout_request.is_valid?
+
+        @env['omniauth.saml_request'] = logout_request
+
+        # The SAML request needs to be validated at the application side and
+        # then the user needs to be redirected to the
+        logout_request_id = logout_request.id
+        logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, RelayState: slo_relay_state)
+        @env['omniauth.saml_response'] = logout_response
+
+        call_app!
+      end
+
       # Suomi.fi requires that the service provider needs to end the local user
       # session BEFORE sending the logout request to the identity provider.
       def other_phase_for_spslo
@@ -622,6 +666,7 @@ module OmniAuth
         end
       end
 
+      # rubocop:disable Metrics/MethodLength
       def suomifi_options
         idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
 
@@ -662,6 +707,7 @@ module OmniAuth
 
         settings
       end
+      # rubocop:enable Metrics/MethodLength
 
       # This will return true if the VTJ search (population information system,
       # väestötietojärjestelmä) was successful and information about the person

data/lib/omniauth-suomifi/ruby_saml_extensions.rb

@@ -28,6 +28,7 @@ OneLogin::RubySaml::Utils.class_eval do
   # @param symmetric_key [String] The symetric key used to encrypt the text
   # @param algorithm [String]     The encrypted algorithm
   # @return [String] The deciphered text
+  # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
   def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
     case algorithm
     when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
@@ -43,7 +44,7 @@ OneLogin::RubySaml::Utils.class_eval do
 
     if cipher
       iv_len = cipher.iv_len
-      data = cipher_text[iv_len..-1]
+      data = cipher_text[iv_len..]
       cipher.padding = 0
       cipher.key = symmetric_key
       cipher.iv = cipher_text[0..iv_len - 1]
@@ -58,7 +59,7 @@ OneLogin::RubySaml::Utils.class_eval do
       auth_cipher.key = symmetric_key
       auth_cipher.iv = cipher_text[0..iv_len - 1]
       auth_cipher.auth_data = ''
-      auth_cipher.auth_tag = cipher_text[text_len - tag_len..-1]
+      auth_cipher.auth_tag = cipher_text[text_len - tag_len..]
       assertion_plaintext = auth_cipher.update(data)
       assertion_plaintext << auth_cipher.final
     elsif rsa
@@ -69,4 +70,5 @@ OneLogin::RubySaml::Utils.class_eval do
       cipher_text
     end
   end
+  # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
 end

data/lib/omniauth-suomifi/test/certificate_generator.rb

@@ -17,14 +17,14 @@ module OmniAuth
             cert = OpenSSL::X509::Certificate.new
             cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
             cert.not_before = Time.now
-            cert.not_after = Time.now + 365 * 24 * 60 * 60
+            cert.not_after = Time.now + (365 * 24 * 60 * 60)
             cert.public_key = public_key
             cert.serial = 0x0
             cert.version = 2
 
             inject_certificate_extensions(cert)
 
-            cert.sign(private_key, OpenSSL::Digest::SHA1.new)
+            cert.sign(private_key, OpenSSL::Digest.new('SHA1'))
 
             cert
           end

data/lib/omniauth-suomifi/test/xml_encryptor.rb

@@ -33,7 +33,7 @@ module OmniAuth
         end
 
         def self.encrypted_xml(raw_xml_file, cert, sign_cert, sign_key)
-          raw_xml = IO.read(raw_xml_file)
+          raw_xml = File.read(raw_xml_file)
           encrypted_xml_from_string(raw_xml, cert, sign_cert, sign_key)
         end
 
@@ -53,7 +53,7 @@ module OmniAuth
           template_path = Utility.template_filepath(
             'encrypted_data_template.xml'
           )
-          template_io = IO.read(template_path)
+          template_io = File.read(template_path)
 
           Nokogiri::XML::Document.parse(template_io).root
         end

data/lib/omniauth-suomifi/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Suomifi
-    VERSION = '0.6.3'
+    VERSION = '0.8.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-suomifi
 version: !ruby/object:Gem::Version
-  version: 0.6.3
+  version: 0.8.0
 platform: ruby
 authors:
 - Antti Hukkanen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-06 00:00:00.000000000 Z
+date: 2024-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-saml
@@ -16,118 +16,112 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: '1.17'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: '1.17'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '13.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.9'
+        version: '3.13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.9'
+        version: '3.13'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 2.1.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.2
+        version: '3.20'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.2
+        version: '3.20'
 - !ruby/object:Gem::Dependency
   name: xmlenc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.1
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.22.0
 description: Suomi.fi e-Identification service integration for OmniAuth.
 email:
 - antti.hukkanen@mainiotech.fi
@@ -150,7 +144,8 @@ files:
 homepage: https://github.com/mainio/omniauth-suomifi
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -159,7 +154,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="