omniauth-wsfed 0.3.0.pre.beta → 0.3.1.pre.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 372c9aadaa6c67073b87a3b89aafe1a1cd3b71fd
-  data.tar.gz: a5dbbe502136b717afce46d8e3a20bdb845bdaa7
+  metadata.gz: 6c0ad3503577aad70d428772c14a135661181aad
+  data.tar.gz: 71abed720db88b079785cda06a4afdd344f5764c
 SHA512:
-  metadata.gz: bd03cf43f7d2696bbd6d2e24c93c524feee8fbc7668ca86f4567900151ddd8a2e09f61110642f02699ce6d54405d3c680c37d8e564abff7eb8bae2b5e98fdbef
-  data.tar.gz: b2a8366308b00118a94c40bd17a8c68ec5ea343ba436ffb20f5a30d62036ed59106af75a03d9d49988335307288539cdfe240bb0f2a803a2f77281be9b30d973
+  metadata.gz: cd213f0cb47858742d2994ed1d5dc01cea7a3a21d199d735eae50202ad7b611c321ef5fbe51b969b3928fc3cf56bfc174d063c1f13b23ce9014b846a23ad4ce9
+  data.tar.gz: b43aba00a37ec14879c4b8014c1ffe13fe68a3a29e31c7f54e0fe1d28971ccdfd1685aa7f7565770416668f6bb1ee7f6ce98f65ee47fc3b369ba5ed1f0ab1f5b

data/README.md

@@ -94,6 +94,8 @@ posted. **Required**
 * `:id_claim` - Name of the authentication claim that you want to use as OmniAuth's
 **uid** property.
 
+* `:saml_version` - The version of SAML tokens. **Defaults to 2**.
+
 
 ## Authors and Credits ##
 

data/lib/omniauth-wsfed/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module WSFed
-    VERSION = '0.3.0-beta'
+    VERSION = '0.3.1-beta'
   end
 end

data/lib/omniauth/strategies/wsfed.rb

@@ -9,9 +9,14 @@ module OmniAuth
       autoload :AuthRequest,            'omniauth/strategies/wsfed/auth_request'
       autoload :AuthCallback,           'omniauth/strategies/wsfed/auth_callback'
       autoload :AuthCallbackValidator,  'omniauth/strategies/wsfed/auth_callback_validator'
+      autoload :SAML2Token,             'omniauth/strategies/wsfed/saml_2_token'
+      autoload :SAML1Token,             'omniauth/strategies/wsfed/saml_1_token'
       autoload :ValidationError,        'omniauth/strategies/wsfed/validation_error'
       autoload :XMLSecurity,            'omniauth/strategies/wsfed/xml_security'
 
+      WS_TRUST    = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
+      WS_POLICY   = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
+
       # Issues passive WS-Federation redirect for authentication...
       def request_phase
         auth_request = OmniAuth::Strategies::WSFed::AuthRequest.new(options, :whr => @request.params['whr'])
@@ -25,7 +30,7 @@ module OmniAuth
 
           wsfed_callback = request.params['wresult']
 
-          signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback)
+          signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback, options)
           signed_document.validate(get_fingerprint, false)
 
           auth_callback   = OmniAuth::Strategies::WSFed::AuthCallback.new(wsfed_callback, options)

data/lib/omniauth/strategies/wsfed/auth_callback.rb

@@ -8,9 +8,7 @@ module OmniAuth
 
       class AuthCallback
 
-        WS_TRUST    = 'http://schemas.xmlsoap.org/ws/2005/02/trust'
         WS_UTILITY  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
-        WS_POLICY   = 'http://schemas.xmlsoap.org/ws/2004/09/policy'
 
         attr_accessor :options, :raw_callback, :settings
 
@@ -27,17 +25,14 @@ module OmniAuth
         # TODO: remove reference to SignedDocument (document) and move it to validation
         # use response variable instead...
         def document
-          @document ||= OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(raw_callback)
+          @document ||= OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(raw_callback, settings)
         end
 
 
         # WS-Trust Envelope and WS* Element Values
 
         def audience
-          @audience ||= begin
-            applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
-            REXML::XPath.first(applies_to, '//EndpointReference/Address').text
-          end
+          @audience ||= token.audience
         end
 
         def created_at
@@ -49,36 +44,14 @@ module OmniAuth
         end
 
 
-        # SAML 2.0 Assertion [Token] Values
-        # Note: If/When future development warrants additional token types, these items should be refactored into a
-        # token abstraction...
+        # Token Values
 
         def issuer
-          @issuer ||= begin
-            REXML::XPath.first(document, '//Assertion/Issuer').text
-          end
+          @issuer ||= token.issuer
         end
 
         def claims
-          @attr_statements ||= begin
-            stmt_element = REXML::XPath.first(document, '//Assertion/AttributeStatement')
-            return {} if stmt_element.nil?
-
-            {}.tap do |result|
-              stmt_element.elements.each do |attr_element|
-                name  = attr_element.attributes['Name']
-
-                if attr_element.elements.count > 1
-                  value = []
-                  attr_element.elements.each { |element| value << element.text }
-                else
-                  value = attr_element.elements.first.text.lstrip.rstrip
-                end
-
-                result[name] = value
-              end
-            end
-          end
+          @claims ||= token.claims
         end
         alias :attributes :claims
 
@@ -92,6 +65,17 @@ module OmniAuth
 
       private
 
+        def token
+          @token ||= begin
+            case settings[:saml_version].to_s
+            when '1'
+              SAML1Token.new(document)
+            else
+              SAML2Token.new(document)
+            end
+          end
+        end
+
 
         # WS-Trust token lifetime element
         def wstrust_lifetime

data/lib/omniauth/strategies/wsfed/saml_1_token.rb

@@ -0,0 +1,45 @@
+module OmniAuth
+  module Strategies
+    class WSFed
+      class SAML1Token
+
+        attr_accessor :document
+
+        def initialize(document)
+          @document = document
+        end
+
+        def audience
+          applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
+          REXML::XPath.first(applies_to, '//wsa:EndpointReference/wsa:Address').text
+        end
+
+        def issuer
+          REXML::XPath.first(document, '//saml:Assertion').attributes['Issuer']
+        end
+
+        def claims
+          stmt_element = REXML::XPath.first(document, '//saml:Assertion/saml:AttributeStatement')
+
+          return {} if stmt_element.nil?
+
+          {}.tap do |result|
+            stmt_element.each_element('saml:Attribute') do |attr_element|
+              name  = attr_element.attributes['AttributeName']
+
+              if attr_element.elements.count > 1
+                value = []
+                attr_element.elements.each { |element| value << element.text }
+              else
+                value = attr_element.elements.first.text.lstrip.rstrip
+              end
+
+              result[name] = value
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/saml_2_token.rb

@@ -0,0 +1,45 @@
+module OmniAuth
+  module Strategies
+    class WSFed
+      class SAML2Token
+
+        attr_accessor :document
+
+        def initialize(document)
+          @document = document
+        end
+
+        def audience
+          applies_to = REXML::XPath.first(document, '//t:RequestSecurityTokenResponse/wsp:AppliesTo', { 't' => WS_TRUST, 'wsp' => WS_POLICY })
+          REXML::XPath.first(applies_to, '//EndpointReference/Address').text
+        end
+
+        def issuer
+          REXML::XPath.first(document, '//Assertion/Issuer').text
+        end
+
+        def claims
+          stmt_element = REXML::XPath.first(document, '//Assertion/AttributeStatement')
+
+          return {} if stmt_element.nil?
+
+          {}.tap do |result|
+            stmt_element.elements.each do |attr_element|
+              name  = attr_element.attributes['Name']
+
+              if attr_element.elements.count > 1
+                value = []
+                attr_element.elements.each { |element| value << element.text }
+              else
+                value = attr_element.elements.first.text.lstrip.rstrip
+              end
+
+              result[name] = value
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/wsfed/xml_security.rb

@@ -39,11 +39,13 @@ module OmniAuth
         class SignedDocument < REXML::Document
           DSIG = "http://www.w3.org/2000/09/xmldsig#"
 
-          attr_accessor :signed_element_id
+          attr_accessor :signed_element_id, :settings
 
-          def initialize(response)
+          def initialize(response, settings = {})
             super(response)
             extract_signed_element_id
+
+            self.settings = settings
           end
 
           def validate(idp_cert_fingerprint, soft = true)
@@ -80,9 +82,11 @@ module OmniAuth
             sig_element.remove
 
             # check digests
+            saml_version = settings[:saml_version]
             REXML::XPath.each(sig_element, "//ds:Reference", {"ds"=>DSIG}) do |ref|
               uri                           = ref.attributes.get_attribute("URI").value
-              hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']")
+              hashed_element                = REXML::XPath.first(self, "//[@ID='#{uri[1,uri.size]}']") ||
+                                              REXML::XPath.first(self, "//[@AssertionID='#{uri[1,uri.size]}']")
               canoner                       = XML::Util::XmlCanonicalizer.new(false, true)
               canoner.inclusive_namespaces  = inclusive_namespaces if canoner.respond_to?(:inclusive_namespaces) && !inclusive_namespaces.empty?
               canon_hashed_element          = canoner.canonicalize(hashed_element)

data/spec/omniauth/strategies/wsfed/auth_callback_spec.rb

@@ -36,16 +36,13 @@ describe OmniAuth::Strategies::WSFed::AuthCallback do
         auth_callback.expires_at.should == Time.parse('2012-06-29T21:17:14.766Z')
       end
 
+    end
+
+    shared_examples_for 'SAML token' do
       it 'should extract the token audience' do
         auth_callback.audience.should == 'http://rp.coding4streetcred.com/sample'
       end
 
-    end
-
-    context 'SAML 2.0 Assertion [Token] Values' do
-
-      let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
-
       it 'should extract the issuer' do
         auth_callback.issuer.should == 'https://c4sc-identity.accesscontrol.windows.net/'
       end
@@ -59,6 +56,20 @@ describe OmniAuth::Strategies::WSFed::AuthCallback do
 
         auth_callback.attributes.should == expected_claims
       end
+    end
+
+    context 'SAML 1.0 Assertion [Token] Values' do
+
+      let(:auth_callback) { described_class.new(load_support_xml(:saml1_example), @wsfed_settings.merge(saml_version: '1')) }
+
+      it_behaves_like 'SAML token'
+    end
+
+    context 'SAML 2.0 Assertion [Token] Values' do
+
+      let(:auth_callback) { described_class.new(load_support_xml(:acs_example), @wsfed_settings) }
+
+      it_behaves_like 'SAML token'
 
       it 'should load the proper value from various id_claim settings' do
         id_claims = [

data/spec/support/saml1_example.xml

@@ -0,0 +1,66 @@
+<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
+  <t:Lifetime>
+    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-06-27T19:45:38.263Z</wsu:Created>
+    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-06-27T20:45:38.263Z</wsu:Expires>
+  </t:Lifetime>
+  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
+      <wsa:Address>http://rp.coding4streetcred.com/sample</wsa:Address>
+    </wsa:EndpointReference>
+  </wsp:AppliesTo>
+  <t:RequestedSecurityToken>
+    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_fa0de02b-b5a1-49c5-a8c0-4b391295a789" Issuer="https://c4sc-identity.accesscontrol.windows.net/" IssueInstant="2014-06-27T19:45:38.263Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
+      <saml:Conditions NotBefore="2014-06-27T19:45:38.263Z" NotOnOrAfter="2014-06-27T20:45:38.263Z">
+	<saml:AudienceRestrictionCondition>
+	  <saml:Audience>https://c4sc-identity.accesscontrol.windows.net</saml:Audience>
+	</saml:AudienceRestrictionCondition>
+      </saml:Conditions>
+      <saml:AttributeStatement>
+	<saml:Subject>
+	  <saml:SubjectConfirmation>
+	    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+	  </saml:SubjectConfirmation>
+	</saml:Subject>
+	<saml:Attribute AttributeName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
+	  <saml:AttributeValue>kbeckman.c4sc@gmail.com</saml:AttributeValue>
+	</saml:Attribute>
+	<saml:Attribute AttributeName="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
+	  <saml:AttributeValue>kbeckman.c4sc</saml:AttributeValue>
+	</saml:Attribute>
+	<saml:Attribute AttributeName="http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
+	  <saml:AttributeValue>http://identity.c4sc.com/trust/</saml:AttributeValue>
+	</saml:Attribute>
+      </saml:AttributeStatement>
+      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-06-27T19:45:38.232Z">
+	<saml:Subject>
+	  <saml:SubjectConfirmation>
+	    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+	  </saml:SubjectConfirmation>
+	</saml:Subject>
+      </saml:AuthenticationStatement>
+      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+	<ds:SignedInfo>
+	  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+	  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
+	  <ds:Reference URI="#_fa0de02b-b5a1-49c5-a8c0-4b391295a789">
+	    <ds:Transforms>
+	      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
+	      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+	    </ds:Transforms>
+	    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
+	    <ds:DigestValue>bdwpOR25Tiw03Y5gZsz/NDSrN2T1XAEUQl9/B2aDVjs=</ds:DigestValue>
+	  </ds:Reference>
+	</ds:SignedInfo>
+	<ds:SignatureValue>O3dJ5YtFIJJHk8SKAqdI2goSJUj7/oZebGwrm5yjVz8WT9TdHfJT2e/rygKLz9MBujZoZ13oGaVq6NVJLvmvR+IrKsUIuUeXwk4X2UexYxJL9VGZD6RnXR+p0Jne+jGUIlVOb2zMr29Ew27wLfnw3za+Zf5ravQZ/bv3LoL/LFIYFb7iR4XlJ5bjlMhO41euUp/6NTntIC90utugpjqcPryxNbIto6nk3w57IrKmw9rFpRJudoXbw7BsA3t69dmzu2MQzjILbFcfmkUgtEXDQyGM/ziXqxNFEGNHkycEsO37NO4/t5Hk1zPufBbbhSm+5K6tVqZ2Nl1e5yNciBwo6g==</ds:SignatureValue>
+	<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+	  <X509Data>
+	    <X509Certificate>MIIDHDCCAgSgAwIBAgIQXMOBsrQ1QJpNmYFiiW5+PjANBgkqhkiG9w0BAQUFADAyMTAwLgYDVQQDEydjNHNjLWlkZW50aXR5LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTIwNjI5MjAzNTA2WhcNMTMwNjMwMDIzNTA2WjAyMTAwLgYDVQQDEydjNHNjLWlkZW50aXR5LmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrieSwMYpW73fJtHiBw1yQFWcFZwvDbltFfdb4xzC+MuC8KU/QJzKGBzxixwmvTUKTbH4W4gKNzi7+/gGk9my1UFnDLsnJBooGjx6lCXMU9HoOQA0tXVGkyYeD11Lb2KYWoivvGFI6dun84JY1n1hbAnuyqr+8VUfKpBk3bO6s3xLf2eojAHKhUiw2E+ZBFZWqlTMtSoNupe8I4Zs5Kkp5Xe1hrDjCzHWTHRf880y8f6KOvieQuGO2a2dBSYJVY3IHr1cLlk/o9Dwks4zSjYDABE8NDKer7aq2pnXl0/0XeXeYsDsZFrwfuRtf06pqGgMuqo1aFRiQ2+gm4naZn7D3AgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUIBxPC4SJIAWTt6Q4htDcvHDgatAwDQYJKoZIhvcNAQEFBQADggEBAB2RNPpJMNotdKMKtQkV/tEhttOOq+bXlMa42UQu6r+ikgJ6WcSecBxOs4KHw3lj7wO0l8CIOfvXy5KBePLQsUuk8tWCdKdpa+7uuGntIHdlTAvjlcVhXXAQQvyS+wUbnwj8rCN85e76EWMWCAVXzqwMURt5Rzmb+SdU40hRi+7u+HmZaQW5kDXD3CIm+1eOU7oyWpz6Ltx1DEJ88qt4xB2e6IGQUTdvq2jUnyzC1f9jdtRtZ3LiiVkA29rfRROJQb/PeEinUON0hP7/6VS9LZPL4vB1EIOBNahY1V4/75Hb+NGzb05w71hMUiJK2eu8w1WwqcRqUlu7GI921Od1oFQ=</X509Certificate>
+	  </X509Data>
+	</KeyInfo>
+      </ds:Signature>
+    </saml:Assertion>
+  </t:RequestedSecurityToken>
+  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
+  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
+  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
+</t:RequestSecurityTokenResponse>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-wsfed
 version: !ruby/object:Gem::Version
-  version: 0.3.0.pre.beta
+  version: 0.3.1.pre.beta
 platform: ruby
 authors:
 - Keith Beckman
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-18 00:00:00.000000000 Z
+date: 2015-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -132,6 +132,8 @@ files:
 - lib/omniauth/strategies/wsfed/auth_callback.rb
 - lib/omniauth/strategies/wsfed/auth_callback_validator.rb
 - lib/omniauth/strategies/wsfed/auth_request.rb
+- lib/omniauth/strategies/wsfed/saml_1_token.rb
+- lib/omniauth/strategies/wsfed/saml_2_token.rb
 - lib/omniauth/strategies/wsfed/validation_error.rb
 - lib/omniauth/strategies/wsfed/xml_security.rb
 - omniauth-wsfed.gemspec
@@ -141,6 +143,7 @@ files:
 - spec/omniauth/strategies/wsfed_spec.rb
 - spec/spec_helper.rb
 - spec/support/acs_example.xml
+- spec/support/saml1_example.xml
 homepage: https://github.com/kbeckman/omniauth-wsfed
 licenses:
 - MIT
@@ -172,3 +175,4 @@ test_files:
 - spec/omniauth/strategies/wsfed_spec.rb
 - spec/spec_helper.rb
 - spec/support/acs_example.xml
+- spec/support/saml1_example.xml