omniauth-suomifi 0.6.3 → 0.8.0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 73fe21e9c9621ccdf65ff05a986ed1c078cd4e4e8bae541d85441713a8df12dc
|
4
|
+
data.tar.gz: 73a64e776f800ac6bc69a956c5e8e7b37ad4f95a497a43367ba583c82a1688eb
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6e361fa187b5f6a3f91b30255eddc0d936079b5f0f0909ddf2d7a0b94cfda4bdd2175de2beac6b705ccb1868004d5ad6a34030b6556a0d02c7e6bb8c28d1b900
|
7
|
+
data.tar.gz: 0f31b85bfe3c9cba91819bcc1466ac313b52d850c9bcb18137431b087fb922b3a0a594c9a7372845fb86cef77ecac4002abc89b50b54d7c483541b32711b57cf
|
@@ -458,7 +458,7 @@ module OmniAuth
|
|
458
458
|
eidas_id = find_attribute_by(
|
459
459
|
['http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier']
|
460
460
|
)
|
461
|
-
hash_salt =
|
461
|
+
hash_salt =
|
462
462
|
if options.uid_salt
|
463
463
|
options.uid_salt
|
464
464
|
elsif defined?(::Rails) && ::Rails.application
|
@@ -466,14 +466,13 @@ module OmniAuth
|
|
466
466
|
else
|
467
467
|
''
|
468
468
|
end
|
469
|
-
end
|
470
469
|
|
471
470
|
if !electronic_id.nil?
|
472
|
-
|
471
|
+
"FINUID:#{electronic_id}"
|
473
472
|
elsif !national_id.nil?
|
474
|
-
|
473
|
+
"FIHETU:#{Digest::MD5.hexdigest("FI:#{national_id}:#{hash_salt}")}"
|
475
474
|
elsif !eidas_id.nil?
|
476
|
-
|
475
|
+
"EIDASPID:#{Digest::MD5.hexdigest("EIDAS:#{eidas_id}:#{hash_salt}")}"
|
477
476
|
else
|
478
477
|
@name_id
|
479
478
|
end
|
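Review bot: The `else ''` fallback for `hash_salt` (context at new line 467) means that when neither `options.uid_salt` nor a Rails secret is available, the `FIHETU:` and `EIDASPID:` uids on the new side become plain `Digest::MD5` digests of a low-entropy national identifier with an empty salt, so the uid must not be relied on as non-reversible in that configuration. Consider making the missing salt loud rather than silent, e.g. `raise ArgumentError, 'uid_salt must be configured' if hash_salt.to_s.empty?` placed after the `hash_salt` assignment, or at minimum a comment warning that the empty-salt default is only acceptable when the uid is never exposed. Changing the digest itself (for example to a keyed HMAC) would alter every existing uid and therefore needs a migration plan, which is why this note only proposes the guard. The enclosing uid method/block starts and ends outside the hunk.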
@@ -491,6 +490,7 @@ module OmniAuth
|
|
491
490
|
attr_accessor :options
|
492
491
|
attr_reader :suomifi_thread
|
493
492
|
|
493
|
+
# rubocop:disable Metrics/MethodLength
|
494
494
|
def initialize(app, *args, &block)
|
495
495
|
super
|
496
496
|
|
@@ -520,6 +520,7 @@ module OmniAuth
|
|
520
520
|
)
|
521
521
|
end
|
522
522
|
end
|
523
|
+
# rubocop:enable Metrics/MethodLength
|
523
524
|
|
524
525
|
# Override the request phase to be able to pass the locale parameter to
|
525
526
|
# the redirect URL. Note that this needs to be the last parameter to
|
@@ -529,7 +530,7 @@ module OmniAuth
|
|
529
530
|
authn_request = OneLogin::RubySaml::Authrequest.new
|
530
531
|
locale = locale_for_authn_request
|
531
532
|
|
532
|
-
session[
|
533
|
+
session['saml_redirect_url'] = request.params['redirect_url']
|
533
534
|
|
534
535
|
with_settings do |settings|
|
535
536
|
url = authn_request.create(settings, additional_params_for_authn_request)
|
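Review bot: `session['saml_redirect_url'] = request.params['redirect_url']` persists a caller-controlled URL without validation; if that session value is later used as a redirect target (the consumer is outside this hunk) it is an open-redirect vector, so the check belongs here before the value is stored, e.g. `redirect_url = request.params['redirect_url']` / `session['saml_redirect_url'] = redirect_url if redirect_url&.start_with?('/') && !redirect_url.start_with?('//')`. If the validation already exists where the value is read, a short comment here pointing to it would save the next reader the search. The request-phase method this belongs to starts and ends outside the hunk.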
@@ -562,6 +563,49 @@ module OmniAuth
|
|
562
563
|
|
563
564
|
private
|
564
565
|
|
566
|
+
# The single log-out (SLO) in Suomi.fi is initiated in an iframe within
|
567
|
+
# the single logout page at Suomi.fi side. Therefore, due to browser
|
568
|
+
# restrictions, it is not possible to transfer session related data to the
|
569
|
+
# service from that page because it would require 3rd party cookies which
|
570
|
+
# are restricted by browsers.
|
571
|
+
#
|
572
|
+
# Therefore, the SLO request needs to be handled at the service's side by
|
573
|
+
# storing the Suomi.fi sessions in a database and then comparing the SAML
|
574
|
+
# uid of the SLO request to the values stored witin the database to log
|
575
|
+
# out the user who requested the logout. There is no other way to transfer
|
576
|
+
# this information from the SLO page.
|
577
|
+
#
|
578
|
+
# The default functionality within the `omniauth-saml` strategy relies on
|
579
|
+
# the session variables to compare the SAML uid during the SLO request but
|
580
|
+
# this is not possible with Suomi.fi when the 3rd party cookies are
|
581
|
+
# prevented by the browser.
|
582
|
+
def handle_logout_request(raw_request, settings)
|
583
|
+
# If the "saml_uid" is set, the logout request was initiated by the
|
584
|
+
# application itself. If not, the code below calls the application which
|
585
|
+
# can do the validation against the database where the sessions are
|
586
|
+
# stored.
|
587
|
+
return super if session['saml_uid']
|
588
|
+
|
589
|
+
# Otherwise, the application itself needs to handle the logout because
|
590
|
+
# this is not happening within the same session that the user has
|
591
|
+
# currently open at the website.
|
592
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(
|
593
|
+
raw_request,
|
594
|
+
{settings: settings, get_params: @request.params}
|
595
|
+
)
|
596
|
+
raise OmniAuth::Strategies::SAML::ValidationError.new('SAML failed to process LogoutRequest') unless logout_request.is_valid?
|
597
|
+
|
598
|
+
@env['omniauth.saml_request'] = logout_request
|
599
|
+
|
600
|
+
# The SAML request needs to be validated at the application side and
|
601
|
+
# then the user needs to be redirected to the
|
602
|
+
logout_request_id = logout_request.id
|
603
|
+
logout_response = OneLogin::RubySaml::SloLogoutresponse.new.create(settings, logout_request_id, nil, RelayState: slo_relay_state)
|
604
|
+
@env['omniauth.saml_response'] = logout_response
|
605
|
+
|
606
|
+
call_app!
|
607
|
+
end
|
608
|
+
|
565
609
|
# Suomi.fi requires that the service provider needs to end the local user
|
566
610
|
# session BEFORE sending the logout request to the identity provider.
|
567
611
|
def other_phase_for_spslo
|
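Review bot: The comment at new lines 600–601 stops mid-sentence (`# then the user needs to be redirected to the`) and should be completed, e.g. `# then the user needs to be redirected to the IdP with the logout response prepared below; only the application can decide whether the request's uid matches a stored session.` Note that the `SloLogoutresponse` is built and placed in `@env['omniauth.saml_response']` before `call_app!` hands control to the application, so the method comment should state explicitly that the application must not emit that response unless its database check succeeds. It is also worth confirming, given how `settings` is passed, that `logout_request.is_valid?` actually requires a valid signature on these requests rather than accepting unsigned ones — a one-line comment recording that expectation would help. Style: `raise OmniAuth::Strategies::SAML::ValidationError, 'SAML failed to process LogoutRequest' unless logout_request.is_valid?` avoids the explicit `.new`, and `witin` at new line 574 is a typo for `within`.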
@@ -622,6 +666,7 @@ module OmniAuth
|
|
622
666
|
end
|
623
667
|
end
|
624
668
|
|
669
|
+
# rubocop:disable Metrics/MethodLength
|
625
670
|
def suomifi_options
|
626
671
|
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
|
627
672
|
|
@@ -662,6 +707,7 @@ module OmniAuth
|
|
662
707
|
|
663
708
|
settings
|
664
709
|
end
|
710
|
+
# rubocop:enable Metrics/MethodLength
|
665
711
|
|
666
712
|
# This will return true if the VTJ search (population information system,
|
667
713
|
# väestötietojärjestelmä) was successful and information about the person
|
@@ -28,6 +28,7 @@ OneLogin::RubySaml::Utils.class_eval do
|
|
28
28
|
# @param symmetric_key [String] The symetric key used to encrypt the text
|
29
29
|
# @param algorithm [String] The encrypted algorithm
|
30
30
|
# @return [String] The deciphered text
|
31
|
+
# rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
|
31
32
|
def self.retrieve_plaintext(cipher_text, symmetric_key, algorithm)
|
32
33
|
case algorithm
|
33
34
|
when 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' then cipher = OpenSSL::Cipher.new('DES-EDE3-CBC').decrypt
|
@@ -43,7 +44,7 @@ OneLogin::RubySaml::Utils.class_eval do
|
|
43
44
|
|
44
45
|
if cipher
|
45
46
|
iv_len = cipher.iv_len
|
46
|
-
data = cipher_text[iv_len
|
47
|
+
data = cipher_text[iv_len..]
|
47
48
|
cipher.padding = 0
|
48
49
|
cipher.key = symmetric_key
|
49
50
|
cipher.iv = cipher_text[0..iv_len - 1]
|
@@ -58,7 +59,7 @@ OneLogin::RubySaml::Utils.class_eval do
|
|
58
59
|
auth_cipher.key = symmetric_key
|
59
60
|
auth_cipher.iv = cipher_text[0..iv_len - 1]
|
60
61
|
auth_cipher.auth_data = ''
|
61
|
-
auth_cipher.auth_tag = cipher_text[text_len - tag_len
|
62
|
+
auth_cipher.auth_tag = cipher_text[text_len - tag_len..]
|
62
63
|
assertion_plaintext = auth_cipher.update(data)
|
63
64
|
assertion_plaintext << auth_cipher.final
|
64
65
|
elsif rsa
|
@@ -69,4 +70,5 @@ OneLogin::RubySaml::Utils.class_eval do
|
|
69
70
|
cipher_text
|
70
71
|
end
|
71
72
|
end
|
73
|
+
# rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
|
72
74
|
end
|
@@ -17,14 +17,14 @@ module OmniAuth
|
|
17
17
|
cert = OpenSSL::X509::Certificate.new
|
18
18
|
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
|
19
19
|
cert.not_before = Time.now
|
20
|
-
cert.not_after = Time.now + 365 * 24 * 60 * 60
|
20
|
+
cert.not_after = Time.now + (365 * 24 * 60 * 60)
|
21
21
|
cert.public_key = public_key
|
22
22
|
cert.serial = 0x0
|
23
23
|
cert.version = 2
|
24
24
|
|
25
25
|
inject_certificate_extensions(cert)
|
26
26
|
|
27
|
-
cert.sign(private_key, OpenSSL::Digest
|
27
|
+
cert.sign(private_key, OpenSSL::Digest.new('SHA1'))
|
28
28
|
|
29
29
|
cert
|
30
30
|
end
|
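Review bot: `cert.sign(private_key, OpenSSL::Digest.new('SHA1'))` keeps a SHA-1 signature on the generated self-signed certificate (the commit appears to change only the constructor form), and the context line `cert.serial = 0x0` assigns a serial number that RFC 5280 requires to be positive; newer OpenSSL builds and some IdP-side validators reject one or both. Unless a fixture depends on the exact bytes, prefer `cert.sign(private_key, OpenSSL::Digest.new('SHA256'))` and a positive serial such as `cert.serial = 1`. If this generator only produces test fixtures, a comment saying so would mark the weaker choices as deliberate. The enclosing method starts outside the hunk.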
@@ -33,7 +33,7 @@ module OmniAuth
|
|
33
33
|
end
|
34
34
|
|
35
35
|
def self.encrypted_xml(raw_xml_file, cert, sign_cert, sign_key)
|
36
|
-
raw_xml =
|
36
|
+
raw_xml = File.read(raw_xml_file)
|
37
37
|
encrypted_xml_from_string(raw_xml, cert, sign_cert, sign_key)
|
38
38
|
end
|
39
39
|
|
@@ -53,7 +53,7 @@ module OmniAuth
|
|
53
53
|
template_path = Utility.template_filepath(
|
54
54
|
'encrypted_data_template.xml'
|
55
55
|
)
|
56
|
-
template_io =
|
56
|
+
template_io = File.read(template_path)
|
57
57
|
|
58
58
|
Nokogiri::XML::Document.parse(template_io).root
|
59
59
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: omniauth-suomifi
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Antti Hukkanen
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-09-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: omniauth-saml
|
@@ -16,118 +16,112 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '2.
|
19
|
+
version: '2.1'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '2.
|
26
|
+
version: '2.1'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: ruby-saml
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: 1.
|
33
|
+
version: '1.17'
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: 1.
|
40
|
+
version: '1.17'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: rake
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
45
|
- - "~>"
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: '13.
|
47
|
+
version: '13.1'
|
48
48
|
type: :development
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: '13.
|
54
|
+
version: '13.1'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: rspec
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
59
|
- - "~>"
|
60
60
|
- !ruby/object:Gem::Version
|
61
|
-
version: '3.
|
61
|
+
version: '3.13'
|
62
62
|
type: :development
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
66
|
- - "~>"
|
67
67
|
- !ruby/object:Gem::Version
|
68
|
-
version: '3.
|
68
|
+
version: '3.13'
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: rack-test
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
73
|
- - "~>"
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version:
|
75
|
+
version: 2.1.0
|
76
76
|
type: :development
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version:
|
82
|
+
version: 2.1.0
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: webmock
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
86
86
|
requirements:
|
87
87
|
- - "~>"
|
88
88
|
- !ruby/object:Gem::Version
|
89
|
-
version: '3.
|
90
|
-
- - ">="
|
91
|
-
- !ruby/object:Gem::Version
|
92
|
-
version: 3.6.2
|
89
|
+
version: '3.20'
|
93
90
|
type: :development
|
94
91
|
prerelease: false
|
95
92
|
version_requirements: !ruby/object:Gem::Requirement
|
96
93
|
requirements:
|
97
94
|
- - "~>"
|
98
95
|
- !ruby/object:Gem::Version
|
99
|
-
version: '3.
|
100
|
-
- - ">="
|
101
|
-
- !ruby/object:Gem::Version
|
102
|
-
version: 3.6.2
|
96
|
+
version: '3.20'
|
103
97
|
- !ruby/object:Gem::Dependency
|
104
98
|
name: xmlenc
|
105
99
|
requirement: !ruby/object:Gem::Requirement
|
106
100
|
requirements:
|
107
101
|
- - "~>"
|
108
102
|
- !ruby/object:Gem::Version
|
109
|
-
version: 0.
|
103
|
+
version: 0.8.0
|
110
104
|
type: :development
|
111
105
|
prerelease: false
|
112
106
|
version_requirements: !ruby/object:Gem::Requirement
|
113
107
|
requirements:
|
114
108
|
- - "~>"
|
115
109
|
- !ruby/object:Gem::Version
|
116
|
-
version: 0.
|
110
|
+
version: 0.8.0
|
117
111
|
- !ruby/object:Gem::Dependency
|
118
112
|
name: simplecov
|
119
113
|
requirement: !ruby/object:Gem::Requirement
|
120
114
|
requirements:
|
121
115
|
- - "~>"
|
122
116
|
- !ruby/object:Gem::Version
|
123
|
-
version: 0.
|
117
|
+
version: 0.22.0
|
124
118
|
type: :development
|
125
119
|
prerelease: false
|
126
120
|
version_requirements: !ruby/object:Gem::Requirement
|
127
121
|
requirements:
|
128
122
|
- - "~>"
|
129
123
|
- !ruby/object:Gem::Version
|
130
|
-
version: 0.
|
124
|
+
version: 0.22.0
|
131
125
|
description: Suomi.fi e-Identification service integration for OmniAuth.
|
132
126
|
email:
|
133
127
|
- antti.hukkanen@mainiotech.fi
|
@@ -150,7 +144,8 @@ files:
|
|
150
144
|
homepage: https://github.com/mainio/omniauth-suomifi
|
151
145
|
licenses:
|
152
146
|
- MIT
|
153
|
-
metadata:
|
147
|
+
metadata:
|
148
|
+
rubygems_mfa_required: 'true'
|
154
149
|
post_install_message:
|
155
150
|
rdoc_options: []
|
156
151
|
require_paths:
|
@@ -159,7 +154,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
159
154
|
requirements:
|
160
155
|
- - ">="
|
161
156
|
- !ruby/object:Gem::Version
|
162
|
-
version: '2.
|
157
|
+
version: '2.6'
|
163
158
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
164
159
|
requirements:
|
165
160
|
- - ">="
|