RubyGems - omniauth-wsfed - Versions diffs - 0.1.0 → 0.2.0 - Mend

omniauth-wsfed 0.1.0 → 0.2.0

Files changed (17) hide show

data/.gitignore +6 -1
data/Gemfile.lock +13 -19
data/LICENSE +1 -1
data/README.md +1 -31
data/lib/omniauth-wsfed.rb +0 -1
data/lib/omniauth-wsfed/version.rb +1 -1
data/lib/omniauth/strategies/wsfed.rb +32 -9
data/lib/omniauth/strategies/wsfed/auth_callback.rb +107 -0
data/lib/omniauth/strategies/wsfed/auth_callback_validator.rb +49 -0
data/omniauth-wsfed.gemspec +10 -11
data/spec/omniauth/strategies/wsfed/auth_callback_spec.rb +81 -0
data/spec/omniauth/strategies/wsfed/auth_callback_validator_spec.rb +100 -0
metadata +26 -42
data/lib/azure_acs/idp_feed.rb +0 -16
data/lib/omniauth/strategies/wsfed/auth_response.rb +0 -159
data/spec/azure_acs/idp_feed_spec.rb +0 -18
data/spec/omniauth/strategies/wsfed/auth_response_spec.rb +0 -67

data/.gitignore CHANGED Viewed

@@ -2,4 +2,9 @@
 .idea
 #RVM
-.rvmrc
+.rvmrc
+#Other
+.DS_Store
+*.gem

data/Gemfile.lock CHANGED Viewed

@@ -1,36 +1,30 @@
 PATH
   remote: .
   specs:
-    omniauth-wsfed (0.1.0)
+    omniauth-wsfed (0.2.0)
       omniauth (~> 1.1.0)
-      typhoeus (~> 0.4.2)
       xmlcanonicalizer (= 0.1.1)
 GEM
   remote: https://rubygems.org/
   specs:
     diff-lcs (1.1.3)
-    ffi (1.1.0)
     hashie (1.2.0)
-    mime-types (1.19)
     omniauth (1.1.0)
       hashie (~> 1.2)
       rack
     rack (1.4.1)
-    rack-test (0.6.1)
+    rack-test (0.6.2)
       rack (>= 1.0)
-    rake (0.9.2.2)
-    rspec (2.10.0)
-      rspec-core (~> 2.10.0)
-      rspec-expectations (~> 2.10.0)
-      rspec-mocks (~> 2.10.0)
-    rspec-core (2.10.1)
-    rspec-expectations (2.10.0)
+    rake (10.0.3)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.2)
+    rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
-    rspec-mocks (2.10.1)
-    typhoeus (0.4.2)
-      ffi (~> 1.0)
-      mime-types (~> 1.18)
+    rspec-mocks (2.12.1)
     xmlcanonicalizer (0.1.1)
 PLATFORMS
@@ -38,6 +32,6 @@ PLATFORMS
 DEPENDENCIES
   omniauth-wsfed!
-  rack-test (~> 0.6.1)
-  rake (~> 0.9.2)
-  rspec (~> 2.10.0)
+  rack-test (>= 0.6.2)
+  rake (>= 10.0.3)
+  rspec (>= 2.12.0)

data/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2012 Keith Beckman, http://www.coding4streetcred.com/blog
+Copyright (c) 2011-2013 Keith Beckman, http://coding4streetcred.com/blog
 All rights reserved. Released under the MIT license.
 Portions Copyright (c) 2007 Sun Microsystems Inc.

data/README.md CHANGED Viewed

@@ -1,7 +1,5 @@
 # OmniAuth WS-Fed #
-#### This gem is currently under construction... Expect an official v1 release by the the end of July 2012. ####
 The OmniAuth-WSFed authentication strategy can be used with the following technologies
 under scenarios requiring the [WS-Federation protocol](http://msdn.microsoft.com/en-us/library/bb498017.aspx)
 for authentication. These services are typically used for Identity Federation and Single
@@ -71,9 +69,7 @@ end
 ## Configuration Options ##
-* `:issuer_name` - The name of your Identity Provider (IdP). This option is not required,
-but can be a nice way to differentiate your IdP configurations if you are testing with
-multiple providers in multiple enviornments. **Optional**
+* `:issuer_name` - The URI name of your Identity Provider (IdP). **Required**
 * `:issuer` - The IdP web endpoint (URL) to which the authentication request should be
 sent. **Required**.
@@ -103,29 +99,3 @@ Special thanks to the developers of the following projects from which I borrowed
 * [PracticallyGreen / omniauth-saml](https://github.com/PracticallyGreen/omniauth-saml)
 * [onelogin / ruby-saml](https://github.com/onelogin/ruby-saml)
-## License ##
-Copyright (c) 2011-2012 Keith Beckman, [Coding4StreetCred.com](http://www.coding4streetcred.com/blog)
-All rights reserved. Released under the MIT license.
-Portions Copyright (c) 2007 Sun Microsystems Inc.
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/lib/omniauth-wsfed.rb CHANGED Viewed

	@@ -1,2 +1 @@
1 1	require 'omniauth/strategies/wsfed'
2	- require 'azure_acs/idp_feed'

data/lib/omniauth-wsfed/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module OmniAuth
   module WSFed
-    VERSION = "0.1.0"
+    VERSION = '0.2.0'
   end
 end

data/lib/omniauth/strategies/wsfed.rb CHANGED Viewed

@@ -6,10 +6,11 @@ module OmniAuth
     class WSFed
       include OmniAuth::Strategy
-      autoload :AuthRequest,      'omniauth/strategies/wsfed/auth_request'
-      autoload :AuthResponse,     'omniauth/strategies/wsfed/auth_response'
-      autoload :ValidationError,  'omniauth/strategies/wsfed/validation_error'
-      autoload :XMLSecurity,      'omniauth/strategies/wsfed/xml_security'
+      autoload :AuthRequest,            'omniauth/strategies/wsfed/auth_request'
+      autoload :AuthCallback,           'omniauth/strategies/wsfed/auth_callback'
+      autoload :AuthCallbackValidator,  'omniauth/strategies/wsfed/auth_callback_validator'
+      autoload :ValidationError,        'omniauth/strategies/wsfed/validation_error'
+      autoload :XMLSecurity,            'omniauth/strategies/wsfed/xml_security'
       # Issues passive WS-Federation redirect for authentication...
       def request_phase
@@ -30,16 +31,27 @@ module OmniAuth
       # Parse SAML token...
       def callback_phase
         begin
-          response = OmniAuth::Strategies::WSFed::AuthResponse.new(request.params['wresult'], options)
+          wsfed_callback = request.params['wresult']
-          @name_id  = response.name_id
-          @claims   = response.attributes
+          signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback)
+          signed_document.validate(get_fingerprint, false)
+          auth_callback   = OmniAuth::Strategies::WSFed::AuthCallback.new(wsfed_callback, options)
+          validator       = OmniAuth::Strategies::WSFed::AuthCallbackValidator.new(auth_callback, options)
+          validator.validate!
+          @name_id  = auth_callback.name_id
+          @claims   = auth_callback.attributes
-          return fail!(:invalid_ticket, OmniAuth::Strategies::WSFed::ValidationError('Invalid SAML Token') ) if @claims.nil? || @claims.empty? || !response.valid?
           super
         rescue ArgumentError => e
-          fail!(:invalid_ticket, 'Invalid WSFed Response')
+          fail!(:invalid_response, e)
+        rescue OmniAuth::Strategies::WSFed::ValidationError => e
+          fail!(:invalid_authn_token, e)
         end
       end
       # OmniAuth DSL methods...
@@ -49,6 +61,17 @@ module OmniAuth
       extra { { :wresult => request.params['wresult'] } }
+    private
+      def get_fingerprint
+        if options[:idp_cert_fingerprint]
+          options[:idp_cert_fingerprint]
+        else
+          cert = OpenSSL::X509::Certificate.new(options[:idp_cert].gsub(/^ +/, ''))
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+        end
+      end
     end
   end
 end

data/lib/omniauth/strategies/wsfed/auth_callback.rb ADDED Viewed

@@ -0,0 +1,107 @@
+require 'time'
+require 'hashie'
+require 'rexml/xpath'
+module OmniAuth
+  module Strategies
+    class WSFed
+      class AuthCallback
+        WS_TRUST    = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
+        WS_UTILITY  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
+        WS_POLICY   = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
+        attr_accessor :options, :raw_callback, :settings
+        def initialize(raw_callback, settings, options = {})
+          raise ArgumentError.new('Response cannot be nil.') if raw_callback.nil?
+          raise ArgumentError.new('WSFed settings cannot be nil.') if settings.nil?
+          self.options      = options
+          self.raw_callback = raw_callback
+          self.settings     = settings
+        end
+        # TODO: remove reference to SignedDocument (document) and move it to validation
+        # use response variable instead...
+        def document
+          @document ||= OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(raw_callback)
+        end
+        # WS-Trust Envelope and WS* Element Values
+        def audience
+          @audience ||= begin
+            applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
+            REXML::XPath.first(applies_to, '//EndpointReference/Address').text
+          end
+        end
+        def created_at
+          Time.parse(REXML::XPath.first(wstrust_lifetime, '//wsu:Created', { 'wsu' => WS_UTILITY }).text)
+        end
+        def expires_at
+          Time.parse(REXML::XPath.first(wstrust_lifetime, '//wsu:Expires', { 'wsu' => WS_UTILITY }).text)
+        end
+        # SAML 2.0 Assertion [Token] Values
+        # Note: If/When future development warrants additional token types, these items should be refactored into a
+        # token abstraction...
+        def issuer
+          @issuer ||= begin
+            REXML::XPath.first(document, '//Assertion/Issuer').text
+          end
+        end
+        def claims
+          @attr_statements ||= begin
+            stmt_element = REXML::XPath.first(document, '//Assertion/AttributeStatement')
+            return {} if stmt_element.nil?
+            {}.tap do |result|
+              stmt_element.elements.each do |attr_element|
+                name  = attr_element.attributes['Name']
+                if attr_element.elements.count > 1
+                  value = []
+                  attr_element.elements.each { |element| value << element.text }
+                else
+                  value = attr_element.elements.first.text.lstrip.rstrip
+                end
+                result[name] = value
+              end
+            end
+          end
+        end
+        alias :attributes :claims
+        # The value of the user identifier as defined by the id_claim configuration setting...
+        def name_id
+          @name_id ||= begin
+            claims.has_key?(settings[:id_claim]) ? claims.fetch(settings[:id_claim]) : nil
+          end
+        end
+      private
+        # WS-Trust token lifetime element
+        def wstrust_lifetime
+          @wstrust_lifetime ||= begin
+            REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/t:Lifetime', { 't' => WS_TRUST })
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/auth_callback_validator.rb ADDED Viewed

@@ -0,0 +1,49 @@
+module OmniAuth
+  module Strategies
+    class WSFed
+      class AuthCallbackValidator
+        attr_accessor :auth_callback, :wsfed_settings
+        ISSUER_MISMATCH     = 'AuthN token issuer does not match configured issuer.'
+        AUDIENCE_MISMATCH   = 'AuthN token audience does not match configured realm.'
+        FUTURE_CREATED_AT   = 'AuthN token created timestamp occurs in the future.'
+        TOKEN_EXPIRED       = 'AuthN token has expired.'
+        NO_CLAIMS           = 'AuthN token contains no claims.'
+        NO_USER_IDENTIFIER  = 'AuthN token contains no user identifier. Verify that configured :id_claim setting is correct.'
+        def initialize(auth_callback, wsfed_settings)
+          self.auth_callback  = auth_callback
+          self.wsfed_settings = wsfed_settings
+        end
+        def validate!
+          raise OmniAuth::Strategies::WSFed::ValidationError.new(ISSUER_MISMATCH) unless
+            auth_callback.issuer == wsfed_settings[:issuer_name]
+          raise OmniAuth::Strategies::WSFed::ValidationError.new(AUDIENCE_MISMATCH) unless
+            auth_callback.audience == wsfed_settings[:realm]
+          raise OmniAuth::Strategies::WSFed::ValidationError.new(FUTURE_CREATED_AT) unless
+            auth_callback.created_at < Time.now.utc
+          raise OmniAuth::Strategies::WSFed::ValidationError.new(TOKEN_EXPIRED) unless
+            auth_callback.expires_at > Time.now.utc
+          if auth_callback.claims.nil? || auth_callback.claims.empty?
+            raise OmniAuth::Strategies::WSFed::ValidationError.new(NO_CLAIMS)
+          end
+          if auth_callback.name_id.nil? || auth_callback.name_id.empty?
+            raise OmniAuth::Strategies::WSFed::ValidationError.new(NO_USER_IDENTIFIER)
+          end
+          true
+        end
+      end
+    end
+  end
+end

data/omniauth-wsfed.gemspec CHANGED Viewed

@@ -3,26 +3,25 @@ require File.expand_path('../lib/omniauth-wsfed/version', __FILE__)
 Gem::Specification.new do |gem|
-  gem.name          = "omniauth-wsfed"
+  gem.name          = 'omniauth-wsfed'
   gem.version       = OmniAuth::WSFed::VERSION
-  gem.description   = %q{A WS-Federation + WS-Trust strategy for OmniAuth.}
-  gem.summary       = %q{OmniAuth WS-Federation strategy enabling integration with Windows Azure Access Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom Identity Providers built with Windows Identity Foundation (WIF) or any other Identity Provider supporting the WS-Federation protocol.}
+  gem.summary       = %q{A WS-Federation + WS-Trust strategy for OmniAuth.}
+  gem.description   = %q{OmniAuth WS-Federation strategy enabling integration with Windows Azure Access Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom Identity Providers built with Windows Identity Foundation (WIF) or any other Identity Provider supporting the WS-Federation protocol.}
-  gem.authors       = ["Keith Beckman"]
-  gem.email         = ["kbeckman.c4sc@gmail.com"]
-  gem.homepage      = "https://github.com/kbeckman/omniauth-wsfed"
+  gem.authors       = ['Keith Beckman']
+  gem.email         = ['kbeckman.c4sc@gmail.com']
+  gem.homepage      = 'https://github.com/kbeckman/omniauth-wsfed'
   gem.add_runtime_dependency 'omniauth', '~> 1.1.0'
   gem.add_runtime_dependency 'xmlcanonicalizer', '0.1.1'
-  gem.add_runtime_dependency 'typhoeus', '~> 0.4.2'
-  gem.add_development_dependency 'rspec', '~> 2.10.0'
-  gem.add_development_dependency 'rake', '~> 0.9.2'
-  gem.add_development_dependency 'rack-test', '~> 0.6.1'
+  gem.add_development_dependency 'rspec', '>= 2.12.0'
+  gem.add_development_dependency 'rake', '>= 10.0.3'
+  gem.add_development_dependency 'rack-test', '>= 0.6.2'
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
-  gem.require_paths = ["lib"]
+  gem.require_paths = ['lib']
 end

data/spec/omniauth/strategies/wsfed/auth_callback_spec.rb ADDED Viewed

@@ -0,0 +1,81 @@
+require 'spec_helper'
+describe OmniAuth::Strategies::WSFed::AuthCallback do
+  describe 'Initialization' do
+    context 'with Invalid Context' do
+      it 'should raise an exception when raw callback is nil' do
+        expect { described_class.new(nil, {}) }.to raise_error ArgumentError
+      end
+      it 'should raise an exception when settings are nil' do
+        expect { described_class.new({}, nil) }.to raise_error ArgumentError
+      end
+    end
+  end
+  describe 'Callback Parsing' do
+    before(:each) do
+      @wsfed_settings = {}
+    end
+    context 'WS-Trust Envelope and WS* Values' do
+      let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
+      it 'should extract the creation timestamp' do
+        auth_callback.created_at.should == Time.parse('2012-06-29T21:07:14.766Z')
+      end
+      it 'should extract the expiration limit' do
+        auth_callback.expires_at.should == Time.parse('2012-06-29T21:17:14.766Z')
+      end
+      it 'should extract the token audience' do
+        auth_callback.audience.should == 'http://rp.coding4streetcred.com/sample'
+      end
+    end
+    context 'SAML 2.0 Assertion [Token] Values' do
+      let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
+      it 'should extract the issuer' do
+        auth_callback.issuer.should == 'https://c4sc-identity.accesscontrol.windows.net/'
+      end
+      it 'should extract the authentication claims' do
+        expected_claims = {
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'                => 'kbeckman.c4sc@gmail.com',
+            'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'                        => 'kbeckman.c4sc',
+            'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' => 'http://identity.c4sc.com/trust/'
+        }
+        auth_callback.attributes.should == expected_claims
+      end
+      it 'should load the proper value from various id_claim settings' do
+        id_claims = [
+            { :id_claim => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',  :value => 'kbeckman.c4sc@gmail.com' },
+            { :id_claim => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',          :value => 'kbeckman.c4sc' }
+        ]
+        id_claims.each do |claim_setting|
+          @wsfed_settings.merge!(claim_setting.select { |k| k == :id_claim })
+          auth_callback = described_class.new(load_support_xml(:acs_example), @wsfed_settings)
+          auth_callback.name_id.should == claim_setting[:value]
+        end
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/wsfed/auth_callback_validator_spec.rb ADDED Viewed

@@ -0,0 +1,100 @@
+require 'spec_helper'
+describe OmniAuth::Strategies::WSFed::AuthCallbackValidator do
+  describe 'Response Validation Rules' do
+    let(:auth_callback) { OmniAuth::Strategies::WSFed::AuthCallback.new({}, {})}
+    before(:each) do
+      @wsfed_settings = {
+          :issuer_name  => 'https://identity-wwf.accesscontrol.windows.net/',
+          :realm        => 'http://rp.wwf.com/wsfed-sample',
+          :id_claim     => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+      }
+      @claims = {
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'                => 'ravishing_rick@wwf.com',
+        'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'                        => 'rick.rude',
+        'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' => 'http://sso.wwf.com'
+      }
+      auth_callback.stub(:issuer).and_return(@wsfed_settings[:issuer_name])
+      auth_callback.stub(:audience).and_return(@wsfed_settings[:realm])
+      auth_callback.stub(:claims).and_return(@claims)
+      auth_callback.stub(:name_id).and_return(@claims[@wsfed_settings[:id_claim]])
+      auth_callback.stub(:created_at).and_return(Time.now.utc - 1) # 1 second ago
+      auth_callback.stub(:expires_at).and_return(Time.now.utc + 300) # 5 minutes from now
+    end
+    it 'should pass validation with....' do
+      validator = described_class.new(auth_callback, @wsfed_settings)
+      validator.validate!.should == true
+    end
+    context 'with Invalid Response' do
+      it 'should throw an exception when issuers do not match' do
+        auth_callback.stub(:issuer).and_return('https://c4sc-federation-nomatch.accesscontrol.windows.net/')
+        validator = described_class.new(auth_callback, @wsfed_settings)
+        lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                          OmniAuth::Strategies::WSFed::AuthCallbackValidator::ISSUER_MISMATCH
+      end
+      it 'should throw an exception when realm/audience do not match' do
+        auth_callback.stub(:audience).and_return('http://rp.c4sc.com/wsfed-sample-nomatch')
+        validator = described_class.new(auth_callback, @wsfed_settings)
+        lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                          OmniAuth::Strategies::WSFed::AuthCallbackValidator::AUDIENCE_MISMATCH
+      end
+      it 'should throw an exception when the created_at timestamp is in the future' do
+        auth_callback.stub(:created_at).and_return(Time.now.utc + 2)
+        validator = described_class.new(auth_callback, @wsfed_settings)
+        lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                          OmniAuth::Strategies::WSFed::AuthCallbackValidator::FUTURE_CREATED_AT
+      end
+      it 'should throw an exception when the expires_at timestamp limit has been exceeded' do
+        auth_callback.stub(:expires_at).and_return(Time.now.utc - 1)
+        validator = described_class.new(auth_callback, @wsfed_settings)
+        lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                          OmniAuth::Strategies::WSFed::AuthCallbackValidator::TOKEN_EXPIRED
+      end
+      it 'should throw an exception when claims are empty or nil' do
+        [nil, {}].each do |val|
+          auth_callback.stub(:claims).and_return(val)
+          validator = described_class.new(auth_callback, @wsfed_settings)
+          lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                            OmniAuth::Strategies::WSFed::AuthCallbackValidator::NO_CLAIMS
+        end
+      end
+      it 'should throw an exception when the name_id is empty or nil' do
+        [nil, ""].each do |val|
+          auth_callback.stub(:name_id).and_return(val)
+          validator = described_class.new(auth_callback, @wsfed_settings)
+          lambda { validator.validate! }.should raise_error OmniAuth::Strategies::WSFed::ValidationError,
+                                                            OmniAuth::Strategies::WSFed::AuthCallbackValidator::NO_USER_IDENTIFIER
+        end
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-wsfed
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-09-07 00:00:00.000000000 Z
+date: 2013-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -43,71 +43,58 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.1.1
-- !ruby/object:Gem::Dependency
-  name: typhoeus
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.4.2
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.4.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 2.10.0
+        version: 2.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 2.10.0
+        version: 2.12.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 10.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 10.0.3
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.6.1
+        version: 0.6.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.6.1
-description: A WS-Federation + WS-Trust strategy for OmniAuth.
+        version: 0.6.2
+description: OmniAuth WS-Federation strategy enabling integration with Windows Azure
+  Access Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom
+  Identity Providers built with Windows Identity Foundation (WIF) or any other Identity
+  Provider supporting the WS-Federation protocol.
 email:
 - kbeckman.c4sc@gmail.com
 executables: []
@@ -120,18 +107,18 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- lib/azure_acs/idp_feed.rb
 - lib/omniauth-wsfed.rb
 - lib/omniauth-wsfed/version.rb
 - lib/omniauth/strategies/wsfed.rb
+- lib/omniauth/strategies/wsfed/auth_callback.rb
+- lib/omniauth/strategies/wsfed/auth_callback_validator.rb
 - lib/omniauth/strategies/wsfed/auth_request.rb
-- lib/omniauth/strategies/wsfed/auth_response.rb
 - lib/omniauth/strategies/wsfed/validation_error.rb
 - lib/omniauth/strategies/wsfed/xml_security.rb
 - omniauth-wsfed.gemspec
-- spec/azure_acs/idp_feed_spec.rb
+- spec/omniauth/strategies/wsfed/auth_callback_spec.rb
+- spec/omniauth/strategies/wsfed/auth_callback_validator_spec.rb
 - spec/omniauth/strategies/wsfed/auth_request_spec.rb
-- spec/omniauth/strategies/wsfed/auth_response_spec.rb
 - spec/omniauth/strategies/wsfed_spec.rb
 - spec/spec_helper.rb
 - spec/support/acs_example.xml
@@ -155,17 +142,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
-summary: OmniAuth WS-Federation strategy enabling integration with Windows Azure Access
-  Control Service (ACS), Active Directory Federation Services (ADFS) 2.0, custom Identity
-  Providers built with Windows Identity Foundation (WIF) or any other Identity Provider
-  supporting the WS-Federation protocol.
+summary: A WS-Federation + WS-Trust strategy for OmniAuth.
 test_files:
-- spec/azure_acs/idp_feed_spec.rb
+- spec/omniauth/strategies/wsfed/auth_callback_spec.rb
+- spec/omniauth/strategies/wsfed/auth_callback_validator_spec.rb
 - spec/omniauth/strategies/wsfed/auth_request_spec.rb
-- spec/omniauth/strategies/wsfed/auth_response_spec.rb
 - spec/omniauth/strategies/wsfed_spec.rb
 - spec/spec_helper.rb
 - spec/support/acs_example.xml

data/lib/azure_acs/idp_feed.rb DELETED Viewed

@@ -1,16 +0,0 @@
-module AzureACS
-  class IdPFeed
-    def initialize(idp_json_feed_url)
-      raise ArgumentError.new("Azure ACS JSON feed URL cannot be null.") if idp_json_feed_url.nil?
-      @json_feed_url = idp_json_feed_url
-    end
-    def identity_providers
-      @json_feed ||= Typhoeus::Request.get(@json_feed_url).body
-    end
-  end
-end

data/lib/omniauth/strategies/wsfed/auth_response.rb DELETED Viewed

@@ -1,159 +0,0 @@
-require "time"
-require "hashie"
-module OmniAuth
-  module Strategies
-    class WSFed
-      class AuthResponse
-        ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
-        PROTOCOL  = "urn:oasis:names:tc:SAML:2.0:protocol"
-        DSIG      = "http://www.w3.org/2000/09/xmldsig#"
-        attr_accessor :options, :response, :document, :settings
-        def initialize(response, settings, options = {})
-          raise ArgumentError.new("Response cannot be nil.") if response.nil?
-          raise ArgumentError.new("WSFed settings cannot be nil.") if settings.nil?
-          self.options  = options
-          self.response = response
-          self.settings = settings
-          self.document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(response)
-        end
-        def valid?
-          validate(soft = true)
-        end
-        def validate!
-          validate(soft = false)
-        end
-        # The value of the user identifier as defined by the id_claim setting...
-        def name_id
-          @name_id ||= begin
-            attributes.has_key?(settings[:id_claim]) ? attributes.fetch(settings[:id_claim]) : nil
-          end
-        end
-        # A hash of all the claims provided by the response.
-        def attributes
-          @attr_statements ||= begin
-            stmt_element = REXML::XPath.first(document, "//Assertion/AttributeStatement")
-            return {} if stmt_element.nil?
-            {}.tap do |result|
-              stmt_element.elements.each do |attr_element|
-                name  = attr_element.attributes["Name"]
-                if attr_element.elements.count > 1
-                  value = []
-                  attr_element.elements.each { |element| value << element.text }
-                else
-                  value = attr_element.elements.first.text.lstrip.rstrip
-                end
-                result[name] = value
-              end
-            end
-          end
-        end
-        # When this user session should expire at latest
-        def session_expires_at
-          @expires_at ||= begin
-            node = xpath("/p:Response/a:Assertion/a:AuthnStatement")
-            parse_time(node, "SessionNotOnOrAfter")
-          end
-        end
-        # Conditions (if any) for the assertion to run
-        def conditions
-          @conditions ||= begin
-            xpath("/p:Response/a:Assertion[@ID='#{signed_element_id}']/a:Conditions")
-          end
-        end
-      private
-        def validation_error(message)
-          raise OmniAuth::Strategies::WSFed::ValidationError.new(message)
-        end
-        def validate(soft = true)
-          validate_response_state(soft) &&
-              validate_conditions(soft)     &&
-              document.validate(get_fingerprint, soft)
-        end
-        def validate_response_state(soft = true)
-          if response.empty?
-            return soft ? false : validation_error("Blank response")
-          end
-          if settings.nil?
-            return soft ? false : validation_error("No settings on response")
-          end
-          if settings[:idp_cert_fingerprint].nil? && settings[:idp_cert].nil?
-            return soft ? false : validation_error("No fingerprint or certificate on settings")
-          end
-          true
-        end
-        def get_fingerprint
-          if settings[:idp_cert_fingerprint]
-            settings[:idp_cert_fingerprint]
-          else
-            cert = OpenSSL::X509::Certificate.new(settings[:idp_cert].gsub(/^ +/, ''))
-            Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
-          end
-        end
-        def validate_conditions(soft = true)
-          return true if conditions.nil?
-          return true if options[:skip_conditions]
-          if not_before = parse_time(conditions, "NotBefore")
-            if Time.now.utc < not_before
-              return soft ? false : validation_error("Current time is earlier than NotBefore condition")
-            end
-          end
-          if not_on_or_after = parse_time(conditions, "NotOnOrAfter")
-            if Time.now.utc >= not_on_or_after
-              return soft ? false : validation_error("Current time is on or after NotOnOrAfter condition")
-            end
-          end
-          true
-        end
-        def parse_time(node, attribute)
-          if node && node.attributes[attribute]
-            Time.parse(node.attributes[attribute])
-          end
-        end
-        #def strip(string)
-        #  return string unless string
-        #  string.gsub(/^\s+/, '').gsub(/\s+$/, '')
-        #end
-        def xpath(path)
-          #REXML::XPath.first(document, path, { "p" => PROTOCOL, "a" => ASSERTION })
-          REXML::XPath.first(document, path, { "saml" => ASSERTION })
-        end
-        def signed_element_id
-          doc_id = document.signed_element_id
-          doc_id[1, doc_id.size]
-        end
-      end
-    end
-  end
-end

data/spec/azure_acs/idp_feed_spec.rb DELETED Viewed

@@ -1,18 +0,0 @@
-require 'spec_helper'
-require 'erb'
-describe AzureACS::IdPFeed do
-describe "Initialization" do
-  context "with Invalid Context" do
-    it "should raise an exception when IdP JSON feed URL is nil" do
-      expect { described_class.new(nil) }.to raise_error ArgumentError
-    end
-  end
-end
-end

data/spec/omniauth/strategies/wsfed/auth_response_spec.rb DELETED Viewed

@@ -1,67 +0,0 @@
-require 'spec_helper'
-describe OmniAuth::Strategies::WSFed::AuthResponse do
-  describe "Initialization" do
-    context "with Invalid Context" do
-      it "should raise an exception when response is nil" do
-        expect { described_class.new(nil, {}) }.to raise_error ArgumentError
-      end
-      it "should raise an exception when settings are nil" do
-        expect { described_class.new({}, nil) }.to raise_error ArgumentError
-      end
-    end
-  end
-  describe "Response Parsing" do
-    before(:each) do
-      @wsfed_settings = {
-          issuer_name:  "http://identity.c4sc.com/trust/",
-          issuer:       "https://identity.c4sc.com/issue/wsfed",
-          realm:        "http://rp.c4sc/security_realm",
-          reply:        "http://rp.c4sc/callback",
-      }
-    end
-    context "name_id" do
-      it "should load the proper value from various id_claim settings" do
-        id_claims = [
-            { id_claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", value: "kbeckman.c4sc@gmail.com" },
-            { id_claim: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", value: "kbeckman.c4sc" }
-        ]
-        id_claims.each do |claim_setting|
-          @wsfed_settings.merge!(claim_setting.select { |k,v| k == :id_claim })
-          response = described_class.new(load_support_xml(:acs_example), @wsfed_settings)
-          response.name_id.should == claim_setting[:value]
-        end
-      end
-    end
-    context "attributes" do
-      it "should extract the authentication claims" do
-        expected_claims = {
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" => "kbeckman.c4sc@gmail.com",
-            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" => "kbeckman.c4sc",
-            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" => "http://identity.c4sc.com/trust/"
-        }
-        response = described_class.new(load_support_xml(:acs_example), @wsfed_settings)
-        response.attributes.should == expected_claims
-      end
-    end
-  end
-end