

Merge pull request #10 from ssovane/eidas
Use single private identifier as primary
ebeigarts authored Sep 2, 2020
2 parents 114c886 + a76fc33 commit 79f1b2c
Showing 3 changed files with 99 additions and 3 deletions.
7 changes: 5 additions & 2 deletions lib/omniauth/strategies/latvija/response.rb
Expand Up @@ -42,16 +42,19 @@ def attributes
'historical_privatepersonalidentifier' => []
}

stmt_elements = xml.xpath('//a:Attribute', a: ASSERTION)
stmt_elements = xml.xpath('//saml:Attribute', saml: ASSERTION)

return attrs if stmt_elements.nil?

identifiers = stmt_elements.xpath("//saml:Attribute[@AttributeName='privatepersonalidentifier']", saml: ASSERTION)

stmt_elements.each_with_object(attrs) do |element, result|
name = element.attribute('AttributeName').value
value = element.text

case name
when 'privatepersonalidentifier' # person can change their identifier, service will return all the versions
if element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
if identifiers.length == 1 || element.attribute('OriginalIssuer') # this is the primary identifier, as returned by third party auth service
result[name] = value
else
result['historical_privatepersonalidentifier'] << value
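Review bot: The new primary-selection rule on the `if` line still lets a later `OriginalIssuer`-tagged value silently overwrite an earlier one when several identifiers carry that attribute, and when several identifiers exist and none carries it `privatepersonalidentifier` keeps its initial value while every value lands in the historical list; both shapes are better rejected than guessed, e.g. `primaries = identifiers.count { |i| i.attribute('OriginalIssuer') }` followed by `raise ArgumentError, 'expected exactly one primary privatepersonalidentifier' unless identifiers.length == 1 || primaries == 1` before the loop (use whatever error class the strategy already raises for malformed responses). The added `identifiers` XPath, like the `stmt_elements` one above it, starts with `//`, so it counts `privatepersonalidentifier` attributes anywhere in the document rather than inside the `saml:Assertion`/`saml:AttributeStatement` being consumed; whether that is safe depends on `SignedDocument#validate!` covering the whole document, which is not visible here — if it only verifies the assertion, anchor both XPaths on the validated assertion node. The comment on the `if` line should also cover the new single-identifier case: `# the sole identifier, or the one tagged OriginalIssuer, is the primary; the rest are historical`. The `attributes` method begins and ends outside this hunk.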
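--- /dev/null
+++ b/spec/fixtures/wresult_single_personal_code_without_issuer_decrypted.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+<trust:RequestSecurityTokenResponse Context="https://demo.latvijasnotars.lv/users/auth/latvija/callback">
+<trust:Lifetime>
+<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-11-05T13:57:02.777Z</wsu:Created>
+<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-11-05T17:57:02.777Z</wsu:Expires>
+</trust:Lifetime>
+<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
+<wsa:Address>https://example.com</wsa:Address>
+</wsa:EndpointReference>
+</wsp:AppliesTo>
+<trust:RequestedSecurityToken>
+<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_fe766b93-7b30-43cb-9f54-7e66c7421a26" Issuer="http://www.latvija.lv/sts" IssueInstant="2019-11-04T14:12:08.977Z">
+<saml:Conditions NotBefore="2019-11-05T13:57:02.777Z" NotOnOrAfter="2019-11-05T17:57:02.777Z">
+<saml:AudienceRestrictionCondition>
+<saml:Audience>https://ivis.eps.gov.lv/LVP.Sitecore</saml:Audience>
+</saml:AudienceRestrictionCondition>
+</saml:Conditions>
+<saml:AttributeStatement>
+<saml:Subject>
+<saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:32345678901</saml:NameIdentifier>
+<saml:SubjectConfirmation>
+<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+</saml:SubjectConfirmation>
+</saml:Subject>
+<saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="TESTidp"
+xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
+<saml:AttributeValue>ODS</saml:AttributeValue>
+</saml:Attribute>
+<saml:Attribute AttributeName="surname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims" a:OriginalIssuer="TESTidp"
+xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
+<saml:AttributeValue>KNISLIS</saml:AttributeValue>
+</saml:Attribute>
+<saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
+xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
+<saml:AttributeValue>32345678901</saml:AttributeValue>
+</saml:Attribute>
+<saml:Attribute AttributeName="citizenQAALevel" AttributeNamespace="http://ivis.eps.gov.lv/schema/identity/claims">
+<saml:AttributeValue a:type="tn:integer"
+xmlns:tn="http://www.w3.org/2001/XMLSchema"
+xmlns:a="http://www.w3.org/2001/XMLSchema-instance">4</saml:AttributeValue>
+</saml:Attribute>
+<saml:Attribute AttributeName="109x34" AttributeNamespace="http://ivis.eps.gov.lv/schema/media/image">
+<saml:AttributeValue>https://epakvisstv.vraa.gov.lv/STS/VISS.LVP.STS/Image.ashx?id=am-test</saml:AttributeValue>
+</saml:Attribute>
+</saml:AttributeStatement>
+<saml:AuthenticationStatement AuthenticationMethod="urn:ivis:100001:am-idp40-wif" AuthenticationInstant="2019-11-05T13:57:02.511Z">
+<saml:Subject>
+<saml:NameIdentifier Format="urn:ivis:100001:name.id-viss">PK:32345678901</saml:NameIdentifier>
+<saml:SubjectConfirmation>
+<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+</saml:SubjectConfirmation>
+</saml:Subject>
+<saml:SubjectLocality IPAddress="127.0.0.1" />
+</saml:AuthenticationStatement>
+</saml:Assertion>
+</trust:RequestedSecurityToken>
+<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
+<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
+<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
+</trust:RequestSecurityTokenResponse>
+</trust:RequestSecurityTokenResponseCollection>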
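Review bot: The fixture's `saml:Conditions` (`NotOnOrAfter="2019-11-05T17:57:02.777Z"`) are long expired and its `saml:Audience` (`https://ivis.eps.gov.lv/LVP.Sitecore`) matches neither the `Context` callback URL nor the `wsa:Address`, so a spec consuming it can only pass while validation is stubbed, as the new spec does with `validate!`. Whether lifetime and audience are checked inside `SignedDocument#validate!` or elsewhere is not visible here; if the strategy ever starts enforcing them, this fixture will fail for reasons unrelated to identifier handling. A leading XML comment such as `<!-- stale test token: lifetime and audience are not valid, use only with SignedDocument#validate! stubbed -->` would save the next maintainer that detour, or alternatively align the audience with the callback URL so the fixture is one enforcement step closer to realistic.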
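--- a/spec/omniauth/strategies/latvija_spec.rb
+++ b/spec/omniauth/strategies/latvija_spec.rb
@@ -159,7 +159,7 @@ def strategy
 end
 end
 
-context 'specific properties' do
+context 'when response has multiple private identifiers' do
 let(:wresult_decrypted) { File.read('spec/fixtures/wresult_multi_personal_codes_decrypted.xml') }
 
 before(:each) do
@@ -209,5 +209,35 @@ def strategy
 expect(response.dig('extra', 'legacy_uids')).to include('PK:12345678901')
 end
 end
+
+context 'when response has single private identifier without original issuer parameter' do
+let(:wresult_decrypted) { File.read('spec/fixtures/wresult_single_personal_code_without_issuer_decrypted.xml') }
+
+before(:each) do
+allow_any_instance_of(OmniAuth::Strategies::Latvija::SignedDocument).to receive(:validate!).and_return(true)
+end
+
+let(:response) do
+post '/auth/latvija/callback', {
+:wa => "wsignin1.0",
+:wctx => "http://example.org/auth/latvija/callback",
+:wresult => wresult_decrypted
+}
+
+last_request.env['omniauth.auth']
+end
+
+it 'should return primary personal code' do
+expect(response.dig('info', 'private_personal_identifier')).to eq('32345678901')
+end
+
+it 'should not return historical personal codes in extra info' do
+expect(response.dig('extra', 'raw_info', 'historical_privatepersonalidentifier')).to be_empty
+end
+
+it 'should return NameIdentifier property as the auth UID' do
+expect(response.dig('uid')).to eq('PK:32345678901')
+end
+end
 end
 end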
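Review bot: The new context only pins the single-identifier path of the `identifiers.length == 1 ||` rule introduced in `response.rb`; the case that rule leaves ambiguous — several `privatepersonalidentifier` attributes with `OriginalIssuer` on none of them, or on more than one — has no spec, so the behaviour there is currently unspecified. One more context with such a fixture asserting the exact `private_personal_identifier` and `historical_privatepersonalidentifier` outcome (or an error) would make the intended contract reviewable. The `allow_any_instance_of(...).to receive(:validate!)` stub repeated in both contexts switches signature verification off for these runs, which is appropriate for fixture-driven specs but worth hoisting into a shared `before` block, with a one-line comment that these specs deliberately bypass token validation, so it stays obvious which specs run with verification disabled.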
