omniauth-wsfed 0.3.0.pre.beta → 0.3.1.pre.beta

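--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 372c9aadaa6c67073b87a3b89aafe1a1cd3b71fd
- data.tar.gz: a5dbbe502136b717afce46d8e3a20bdb845bdaa7
+ metadata.gz: 6c0ad3503577aad70d428772c14a135661181aad
+ data.tar.gz: 71abed720db88b079785cda06a4afdd344f5764c
  SHA512:
- metadata.gz: bd03cf43f7d2696bbd6d2e24c93c524feee8fbc7668ca86f4567900151ddd8a2e09f61110642f02699ce6d54405d3c680c37d8e564abff7eb8bae2b5e98fdbef
- data.tar.gz: b2a8366308b00118a94c40bd17a8c68ec5ea343ba436ffb20f5a30d62036ed59106af75a03d9d49988335307288539cdfe240bb0f2a803a2f77281be9b30d973
+ metadata.gz: cd213f0cb47858742d2994ed1d5dc01cea7a3a21d199d735eae50202ad7b611c321ef5fbe51b969b3928fc3cf56bfc174d063c1f13b23ce9014b846a23ad4ce9
+ data.tar.gz: b43aba00a37ec14879c4b8014c1ffe13fe68a3a29e31c7f54e0fe1d28971ccdfd1685aa7f7565770416668f6bb1ee7f6ce98f65ee47fc3b369ba5ed1f0ab1f5b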
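--- a/data/README.md
+++ b/data/README.md
@@ -94,6 +94,8 @@ posted. **Required**
  * `:id_claim` - Name of the authentication claim that you want to use as OmniAuth's
  **uid** property.
 
+ * `:saml_version` - The version of SAML tokens. **Defaults to 2**.
+
 
  ## Authors and Credits ##
 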
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module WSFed
3
- VERSION = '0.3.0-beta'
3
+ VERSION = '0.3.1-beta'
4
4
  end
5
5
  end
@@ -9,9 +9,14 @@ module OmniAuth
9
9
  autoload :AuthRequest, 'omniauth/strategies/wsfed/auth_request'
10
10
  autoload :AuthCallback, 'omniauth/strategies/wsfed/auth_callback'
11
11
  autoload :AuthCallbackValidator, 'omniauth/strategies/wsfed/auth_callback_validator'
12
+ autoload :SAML2Token, 'omniauth/strategies/wsfed/saml_2_token'
13
+ autoload :SAML1Token, 'omniauth/strategies/wsfed/saml_1_token'
12
14
  autoload :ValidationError, 'omniauth/strategies/wsfed/validation_error'
13
15
  autoload :XMLSecurity, 'omniauth/strategies/wsfed/xml_security'
14
16
 
17
+ WS_TRUST = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
18
+ WS_POLICY = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
19
+
15
20
  # Issues passive WS-Federation redirect for authentication...
16
21
  def request_phase
17
22
  auth_request = OmniAuth::Strategies::WSFed::AuthRequest.new(options, :whr => @request.params['whr'])
@@ -25,7 +30,7 @@ module OmniAuth
25
30
 
26
31
  wsfed_callback = request.params['wresult']
27
32
 
28
- signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback)
33
+ signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback, options)
29
34
  signed_document.validate(get_fingerprint, false)
30
35
 
31
36
  auth_callback = OmniAuth::Strategies::WSFed::AuthCallback.new(wsfed_callback, options)
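Review bot: `WS_TRUST` and `WS_POLICY` (new lines 17-18 of the first hunk) are mutable String constants that only serve as XPath namespace bindings, so they should be frozen: `WS_TRUST = 'http://schemas.xmlsoap.org/ws/2005/02/trust'.freeze` and `WS_POLICY = 'http://schemas.xmlsoap.org/ws/2004/09/policy'.freeze`. They replace the same constants removed from `AuthCallback`, and the new token classes reference them unqualified, which resolves only while `SAML1Token`/`SAML2Token` stay lexically nested inside `class WSFed` as they are in this commit; a one-line comment above the constants saying they are shared by the token classes would save the next refactor from an uninitialized-constant surprise. The enclosing class definition starts outside the hunk.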
@@ -8,9 +8,7 @@ module OmniAuth
8
8
 
9
9
  class AuthCallback
10
10
 
11
- WS_TRUST = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
12
11
  WS_UTILITY = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
13
- WS_POLICY = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
14
12
 
15
13
  attr_accessor :options, :raw_callback, :settings
16
14
 
@@ -27,17 +25,14 @@ module OmniAuth
27
25
  # TODO: remove reference to SignedDocument (document) and move it to validation
28
26
  # use response variable instead...
29
27
  def document
30
- @document ||= OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(raw_callback)
28
+ @document ||= OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(raw_callback, settings)
31
29
  end
32
30
 
33
31
 
34
32
  # WS-Trust Envelope and WS* Element Values
35
33
 
36
34
  def audience
37
- @audience ||= begin
38
- applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
39
- REXML::XPath.first(applies_to, '//EndpointReference/Address').text
40
- end
35
+ @audience ||= token.audience
41
36
  end
42
37
 
43
38
  def created_at
@@ -49,36 +44,14 @@ module OmniAuth
49
44
  end
50
45
 
51
46
 
52
- # SAML 2.0 Assertion [Token] Values
53
- # Note: If/When future development warrants additional token types, these items should be refactored into a
54
- # token abstraction...
47
+ # Token Values
55
48
 
56
49
  def issuer
57
- @issuer ||= begin
58
- REXML::XPath.first(document, '//Assertion/Issuer').text
59
- end
50
+ @issuer ||= token.issuer
60
51
  end
61
52
 
62
53
  def claims
63
- @attr_statements ||= begin
64
- stmt_element = REXML::XPath.first(document, '//Assertion/AttributeStatement')
65
- return {} if stmt_element.nil?
66
-
67
- {}.tap do |result|
68
- stmt_element.elements.each do |attr_element|
69
- name = attr_element.attributes['Name']
70
-
71
- if attr_element.elements.count > 1
72
- value = []
73
- attr_element.elements.each { |element| value << element.text }
74
- else
75
- value = attr_element.elements.first.text.lstrip.rstrip
76
- end
77
-
78
- result[name] = value
79
- end
80
- end
81
- end
54
+ @claims ||= token.claims
82
55
  end
83
56
  alias :attributes :claims
84
57
 
@@ -92,6 +65,17 @@ module OmniAuth
92
65
 
93
66
  private
94
67
 
68
+ def token
69
+ @token ||= begin
70
+ case settings[:saml_version].to_s
71
+ when '1'
72
+ SAML1Token.new(document)
73
+ else
74
+ SAML2Token.new(document)
75
+ end
76
+ end
77
+ end
78
+
95
79
 
96
80
  # WS-Trust token lifetime element
97
81
  def wstrust_lifetime
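Review bot: `token` (new lines 68-77) falls through to `SAML2Token` for every `:saml_version` value other than `'1'`, so a misspelled or unsupported setting (`'1.1'`, `'saml1'`, `3`) is silently treated as SAML 2 and is likely to surface later as a nil-dereference inside the token class instead of as a configuration error. Make the accepted values explicit and fail on anything else: `when '1' then SAML1Token.new(document)`, `when '', '2' then SAML2Token.new(document)`, `else raise ArgumentError, "unsupported :saml_version #{settings[:saml_version].inspect}"`; the existing `.to_s` keeps `nil` (the README's documented default of 2) on the SAML 2 branch. Whether `settings` always carries a symbol key here depends on what the strategy passes as `options`, which is outside this hunk, so a short comment on the method stating the accepted values (`# :saml_version '1' selects SAML 1.x; nil/'2' selects SAML 2.0`) is worth adding either way.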
@@ -0,0 +1,45 @@
1
+ module OmniAuth
2
+ module Strategies
3
+ class WSFed
4
+ class SAML1Token
5
+
6
+ attr_accessor :document
7
+
8
+ def initialize(document)
9
+ @document = document
10
+ end
11
+
12
+ def audience
13
+ applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
14
+ REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address').text
15
+ end
16
+
17
+ def issuer
18
+ REXML::XPath.first(document, '//saml:Assertion').attributes['Issuer']
19
+ end
20
+
21
+ def claims
22
+ stmt_element = REXML::XPath.first(document, '//saml:Assertion/saml:AttributeStatement')
23
+
24
+ return {} if stmt_element.nil?
25
+
26
+ {}.tap do |result|
27
+ stmt_element.each_element('saml:Attribute') do |attr_element|
28
+ name = attr_element.attributes['AttributeName']
29
+
30
+ if attr_element.elements.count > 1
31
+ value = []
32
+ attr_element.elements.each { |element| value << element.text }
33
+ else
34
+ value = attr_element.elements.first.text.lstrip.rstrip
35
+ end
36
+
37
+ result[name] = value
38
+ end
39
+ end
40
+ end
41
+
42
+ end
43
+ end
44
+ end
45
+ end
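Review bot: The XPath expressions in `audience`, `issuer` and `claims` (lines 14, 18, 22 and 27) bind the `saml:` and `wsa:` prefixes through whatever prefix the issuing STS happened to declare in the response rather than through a namespace map, so a token that declares the SAML 1.0 assertion namespace under another prefix (or as the default namespace) yields `nil` and the method dies with `NoMethodError` instead of a clear parse failure. Pass the namespace explicitly the way `audience` already does for `t`/`wsp`, e.g. `REXML::XPath.first(document, '//saml:Assertion', 'saml' => 'urn:oasis:names:tc:SAML:1.0:assertion')` (the URI is the one in the new spec fixture), and give the `wsa` lookup `'wsa' => 'http://www.w3.org/2005/08/addressing'` for the same reason. In `claims`, `attr_element.elements.first.text.lstrip.rstrip` (line 34) raises on an empty `<saml:AttributeValue/>`; `attr_element.elements.first.text.to_s.strip` returns the same value for non-empty text and `''` otherwise. The class is otherwise a near-copy of `SAML2Token`, so a small shared base holding `initialize`, the `audience` logic and the claims loop, parameterised by the XPaths and the attribute-name key, would keep the two from drifting.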
@@ -0,0 +1,45 @@
1
+ module OmniAuth
2
+ module Strategies
3
+ class WSFed
4
+ class SAML2Token
5
+
6
+ attr_accessor :document
7
+
8
+ def initialize(document)
9
+ @document = document
10
+ end
11
+
12
+ def audience
13
+ applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
14
+ REXML::XPath.first(applies_to, '//EndpointReference/Address').text
15
+ end
16
+
17
+ def issuer
18
+ REXML::XPath.first(document, '//Assertion/Issuer').text
19
+ end
20
+
21
+ def claims
22
+ stmt_element = REXML::XPath.first(document, '//Assertion/AttributeStatement')
23
+
24
+ return {} if stmt_element.nil?
25
+
26
+ {}.tap do |result|
27
+ stmt_element.elements.each do |attr_element|
28
+ name = attr_element.attributes['Name']
29
+
30
+ if attr_element.elements.count > 1
31
+ value = []
32
+ attr_element.elements.each { |element| value << element.text }
33
+ else
34
+ value = attr_element.elements.first.text.lstrip.rstrip
35
+ end
36
+
37
+ result[name] = value
38
+ end
39
+ end
40
+ end
41
+
42
+ end
43
+ end
44
+ end
45
+ end
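Review bot: `audience` (line 14) and `issuer` (line 18) call `.text` on the result of `REXML::XPath.first` without a nil check, and `claims` (lines 27-35) assumes every child of `AttributeStatement` is an `Attribute` whose first `AttributeValue` has text, so a response with an empty `<AttributeValue/>` or an unexpected child element aborts the callback with `NoMethodError` rather than a `ValidationError`. `value = attr_element.elements.first.text.to_s.strip` (line 34) removes the most likely crash and is otherwise equivalent to `lstrip.rstrip`; for `issuer`, `issuer_element = REXML::XPath.first(document, '//Assertion/Issuer')` followed by `issuer_element.text if issuer_element` at least hands the validator a `nil` to reject. Each public method should also carry a one-line comment naming the element it reads (e.g. `# Issuer element of the SAML 2.0 Assertion inside the RSTR`), since the class has no documentation. These are the bodies moved out of `AuthCallback#issuer`/`#claims`, so they are pre-existing gaps rather than regressions, but the extraction is the right moment to close them.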
@@ -39,11 +39,13 @@ module OmniAuth
39
39
  class SignedDocument < REXML::Document
40
40
  DSIG = "http://www.w3.org/2000/09/xmldsig#"
41
41
 
42
- attr_accessor :signed_element_id
42
+ attr_accessor :signed_element_id, :settings
43
43
 
44
- def initialize(response)
44
+ def initialize(response, settings = {})
45
45
  super(response)
46
46
  extract_signed_element_id
47
+
48
+ self.settings = settings
47
49
  end
48
50
 
49
51
  def validate(idp_cert_fingerprint, soft = true)
@@ -80,9 +82,11 @@ module OmniAuth
80
82
  sig_element.remove
81
83
 
82
84
  # check digests
85
+ saml_version = settings[:saml_version]
83
86
  REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
84
87
  uri = ref.attributes.get_attribute("URI").value
85
- hashed_element = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
88
+ hashed_element = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']") ||
89
+ REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
86
90
  canoner = XML::Util::XmlCanonicalizer.new(false, true)
87
91
  canoner.inclusive_namespaces = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
88
92
  canon_hashed_element = canoner.canonicalize(hashed_element)
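Review bot: `saml_version = settings[:saml_version]` (new line 85) is assigned but never read within the hunk; the `@AssertionID` fallback on lines 88-89 runs unconditionally, so either drop the local or use it to choose the attribute (`id_attr = saml_version.to_s == '1' ? 'AssertionID' : 'ID'`). When neither lookup matches, `hashed_element` is `nil` and `canoner.canonicalize(hashed_element)` on line 92 fails with `NoMethodError` instead of a signature failure; add `raise OmniAuth::Strategies::WSFed::ValidationError, "Signature reference #{uri} does not resolve to an element" if hashed_element.nil?` (or follow the method's `soft` convention, which is defined outside this hunk). Both lookups resolve the reference by ID across the whole document, so the digest is verified over whichever element carries that ID, not necessarily the Assertion the strategy later reads; since the signature in a WS-Fed RSTR is enveloped in the Assertion, checking that the resolved element is the element `sig_element` was removed from (or that its ID equals `signed_element_id`) would tie the digest to the token actually consumed. The enclosing method starts and ends outside the hunk.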
@@ -36,16 +36,13 @@ describe OmniAuth::Strategies::WSFed::AuthCallback do
36
36
  auth_callback.expires_at.should == Time.parse('2012-06-29T21:17:14.766Z')
37
37
  end
38
38
 
39
+ end
40
+
41
+ shared_examples_for 'SAML token' do
39
42
  it 'should extract the token audience' do
40
43
  auth_callback.audience.should == 'http://rp.coding4streetcred.com/sample'
41
44
  end
42
45
 
43
- end
44
-
45
- context 'SAML 2.0 Assertion [Token] Values' do
46
-
47
- let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
48
-
49
46
  it 'should extract the issuer' do
50
47
  auth_callback.issuer.should == 'https://c4sc-identity.accesscontrol.windows.net/'
51
48
  end
@@ -59,6 +56,20 @@ describe OmniAuth::Strategies::WSFed::AuthCallback do
59
56
 
60
57
  auth_callback.attributes.should == expected_claims
61
58
  end
59
+ end
60
+
61
+ context 'SAML 1.0 Assertion [Token] Values' do
62
+
63
+ let(:auth_callback) { described_class.new(load_support_xml(:saml1_example), @wsfed_settings.merge(saml_version: '1')) }
64
+
65
+ it_behaves_like 'SAML token'
66
+ end
67
+
68
+ context 'SAML 2.0 Assertion [Token] Values' do
69
+
70
+ let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
71
+
72
+ it_behaves_like 'SAML token'
62
73
 
63
74
  it 'should load the proper value from various id_claim settings' do
64
75
  id_claims = [
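Review bot: The `SAML 1.0 Assertion [Token] Values` context (new lines 61-66) runs only the shared `'SAML token'` examples, while `should load the proper value from various id_claim settings` (line 74) stays inside the SAML 2.0 context, so the `id_claim` lookup — which presumably goes through the new `SAML1Token#claims` and its `AttributeName` handling — has no coverage for SAML 1.0. Moving that example into the shared group (it appears to depend only on `auth_callback` and the fixture's claim names) would exercise both token classes; if the two fixtures' claim sets differ, parameterise the expected values through a `let`. The example body continues outside the hunk.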
@@ -0,0 +1,66 @@
1
+ <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
2
+ <t:Lifetime>
3
+ <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-06-27T19:45:38.263Z</wsu:Created>
4
+ <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-06-27T20:45:38.263Z</wsu:Expires>
5
+ </t:Lifetime>
6
+ <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
7
+ <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
8
+ <wsa:Address>http://rp.coding4streetcred.com/sample</wsa:Address>
9
+ </wsa:EndpointReference>
10
+ </wsp:AppliesTo>
11
+ <t:RequestedSecurityToken>
12
+ <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_fa0de02b-b5a1-49c5-a8c0-4b391295a789" Issuer="https://c4sc-identity.accesscontrol.windows.net/" IssueInstant="2014-06-27T19:45:38.263Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
13
+ <saml:Conditions NotBefore="2014-06-27T19:45:38.263Z" NotOnOrAfter="2014-06-27T20:45:38.263Z">
14
+ <saml:AudienceRestrictionCondition>
15
+ <saml:Audience>https://c4sc-identity.accesscontrol.windows.net</saml:Audience>
16
+ </saml:AudienceRestrictionCondition>
17
+ </saml:Conditions>
18
+ <saml:AttributeStatement>
19
+ <saml:Subject>
20
+ <saml:SubjectConfirmation>
21
+ <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
22
+ </saml:SubjectConfirmation>
23
+ </saml:Subject>
24
+ <saml:Attribute AttributeName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
25
+ <saml:AttributeValue>kbeckman.c4sc@gmail.com</saml:AttributeValue>
26
+ </saml:Attribute>
27
+ <saml:Attribute AttributeName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
28
+ <saml:AttributeValue>kbeckman.c4sc</saml:AttributeValue>
29
+ </saml:Attribute>
30
+ <saml:Attribute AttributeName="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
31
+ <saml:AttributeValue>http://identity.c4sc.com/trust/</saml:AttributeValue>
32
+ </saml:Attribute>
33
+ </saml:AttributeStatement>
34
+ <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-06-27T19:45:38.232Z">
35
+ <saml:Subject>
36
+ <saml:SubjectConfirmation>
37
+ <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
38
+ </saml:SubjectConfirmation>
39
+ </saml:Subject>
40
+ </saml:AuthenticationStatement>
41
+ <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
42
+ <ds:SignedInfo>
43
+ <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
44
+ <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
45
+ <ds:Reference URI="#_fa0de02b-b5a1-49c5-a8c0-4b391295a789">
46
+ <ds:Transforms>
47
+ <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
48
+ <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
49
+ </ds:Transforms>
50
+ <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
51
+ <ds:DigestValue>bdwpOR25Tiw03Y5gZsz/NDSrN2T1XAEUQl9/B2aDVjs=</ds:DigestValue>
52
+ </ds:Reference>
53
+ </ds:SignedInfo>
54
+ <ds:SignatureValue>O3dJ5YtFIJJHk8SKAqdI2goSJUj7/oZebGwrm5yjVz8WT9TdHfJT2e/rygKLz9MBujZoZ13oGaVq6NVJLvmvR+IrKsUIuUeXwk4X2UexYxJL9VGZD6RnXR+p0Jne+jGUIlVOb2zMr29Ew27wLfnw3za+Zf5ravQZ/bv3LoL/LFIYFb7iR4XlJ5bjlMhO41euUp/6NTntIC90utugpjqcPryxNbIto6nk3w57IrKmw9rFpRJudoXbw7BsA3t69dmzu2MQzjILbFcfmkUgtEXDQyGM/ziXqxNFEGNHkycEsO37NO4/t5Hk1zPufBbbhSm+5K6tVqZ2Nl1e5yNciBwo6g==</ds:SignatureValue>
55
+ <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
56
+ <X509Data>
57
+ <X509Certificate>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</X509Certificate>
58
+ </X509Data>
59
+ </KeyInfo>
60
+ </ds:Signature>
61
+ </saml:Assertion>
62
+ </t:RequestedSecurityToken>
63
+ <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
64
+ <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
65
+ <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
66
+ </t:RequestSecurityTokenResponse>
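--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: omniauth-wsfed
  version: !ruby/object:Gem::Version
- version: 0.3.0.pre.beta
+ version: 0.3.1.pre.beta
  platform: ruby
  authors:
  - Keith Beckman
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2015-01-18 00:00:00.000000000 Z
+ date: 2015-01-19 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: omniauth
@@ -132,6 +132,8 @@ files:
  - lib/omniauth/strategies/wsfed/auth_callback.rb
  - lib/omniauth/strategies/wsfed/auth_callback_validator.rb
  - lib/omniauth/strategies/wsfed/auth_request.rb
+ - lib/omniauth/strategies/wsfed/saml_1_token.rb
+ - lib/omniauth/strategies/wsfed/saml_2_token.rb
  - lib/omniauth/strategies/wsfed/validation_error.rb
  - lib/omniauth/strategies/wsfed/xml_security.rb
  - omniauth-wsfed.gemspec
@@ -141,6 +143,7 @@ files:
  - spec/omniauth/strategies/wsfed_spec.rb
  - spec/spec_helper.rb
  - spec/support/acs_example.xml
+ - spec/support/saml1_example.xml
  homepage: https://github.com/kbeckman/omniauth-wsfed
  licenses:
  - MIT
@@ -172,3 +175,4 @@ test_files:
  - spec/omniauth/strategies/wsfed_spec.rb
  - spec/spec_helper.rb
  - spec/support/acs_example.xml
+ - spec/support/saml1_example.xml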