RubyGems - better_auth-saml - Versions diffs - 0.10.0 - Mend

better_auth-saml 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +9 -0
data/README.md +34 -0
data/lib/better_auth/plugins/saml.rb +5 -0
data/lib/better_auth/saml/version.rb +7 -0
data/lib/better_auth/saml.rb +16 -0
data/lib/better_auth/sso/constants.rb +20 -0
data/lib/better_auth/sso/plugin/saml_core.rb +54 -0
data/lib/better_auth/sso/plugin/saml_metadata_and_logout.rb +378 -0
data/lib/better_auth/sso/plugin/saml_response.rb +167 -0
data/lib/better_auth/sso/plugin/saml_validation_and_state.rb +183 -0
data/lib/better_auth/sso/routes/saml_pipeline.rb +19 -0
data/lib/better_auth/sso/saml/algorithms.rb +96 -0
data/lib/better_auth/sso/saml/assertions.rb +21 -0
data/lib/better_auth/sso/saml/error_codes.rb +24 -0
data/lib/better_auth/sso/saml/parser.rb +19 -0
data/lib/better_auth/sso/saml/timestamp.rb +19 -0
data/lib/better_auth/sso/saml.rb +173 -0
data/lib/better_auth/sso/saml_hooks.rb +21 -0
data/lib/better_auth/sso/saml_state.rb +30 -0
metadata +195 -0

data/lib/better_auth/sso/saml.rb ADDED Viewed

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+require "base64"
+require "logger"
+require "onelogin/ruby-saml"
+require "uri"
+module BetterAuth
+  module SSO
+    module SAML
+      module_function
+      DEFAULT_ATTRIBUTE_MAP = {
+        email: %w[email mail emailAddress Email EmailAddress],
+        name: %w[name displayName cn Name DisplayName],
+        given_name: %w[givenName firstName FirstName],
+        family_name: %w[familyName lastName LastName]
+      }.freeze
+      def sso_options(**options)
+        {
+          saml: {
+            auth_request_url: auth_request_url(**options),
+            parse_response: response_parser(**options)
+          }
+        }
+      end
+      def validate_config_algorithms(config = {}, **options)
+        Algorithms.validate_config(config, **options)
+      end
+      def validate_saml_algorithms(xml, **options)
+        Algorithms.validate(xml, **options)
+      end
+      def validate_single_assertion(saml_response)
+        Assertions.validate_single_assertion!(saml_response)
+      end
+      def auth_request_url(settings: nil, request_options: {}, **_options)
+        lambda do |provider:, relay_state:, context:|
+          config = BetterAuth::Plugins.normalize_hash(provider["samlConfig"] || provider[:samlConfig] || {})
+          saml_settings = settings.respond_to?(:call) ? settings.call(provider: provider, context: context, saml_config: config) : build_settings(provider, context, config, settings)
+          OneLogin::RubySaml::Authrequest.new.create(saml_settings, {RelayState: relay_state}.merge(request_options))
+        end
+      end
+      def response_parser(settings: nil, response_options: {}, attribute_map: DEFAULT_ATTRIBUTE_MAP, **_options)
+        lambda do |raw_response:, provider:, context:|
+          config = BetterAuth::Plugins.normalize_hash(provider["samlConfig"] || provider[:samlConfig] || {})
+          saml_settings = settings.respond_to?(:call) ? settings.call(provider: provider, context: context, saml_config: config) : build_settings(provider, context, config, settings)
+          validate_response_xml!(raw_response, config)
+          response = OneLogin::RubySaml::Response.new(raw_response, {settings: saml_settings}.merge(response_options))
+          unless response.is_valid?
+            raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response")
+          end
+          attributes = response.attributes
+          mapping = BetterAuth::Plugins.normalize_hash(config[:mapping] || {})
+          email = mapped_attribute(attributes, mapping[:email]) || first_attribute(attributes, attribute_map.fetch(:email)) || response.nameid
+          raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response") if email.to_s.empty?
+          given_name = mapped_attribute(attributes, mapping[:first_name]) || first_attribute(attributes, attribute_map.fetch(:given_name))
+          family_name = mapped_attribute(attributes, mapping[:last_name]) || first_attribute(attributes, attribute_map.fetch(:family_name))
+          name = [given_name, family_name].compact.join(" ").strip
+          name = mapped_attribute(attributes, mapping[:name]) || first_attribute(attributes, attribute_map.fetch(:name)) if name.empty?
+          extra_fields = mapped_extra_fields(attributes, mapping)
+          email_verified = mapping[:email_verified] ? mapped_attribute(attributes, mapping[:email_verified]) : false
+          extra_fields.merge(
+            email: email.to_s.downcase,
+            name: name.to_s.empty? ? email.to_s : name.to_s,
+            id: mapped_attribute(attributes, mapping[:id]) || assertion_identifier(response, email),
+            name_id: response.nameid,
+            session_index: response.sessionindex,
+            email_verified: (email_verified == false) ? false : !email_verified.to_s.empty?
+          )
+        end
+      end
+      def build_settings(provider, context, config, overrides = nil)
+        settings = overrides || OneLogin::RubySaml::Settings.new
+        provider_id = provider.fetch("providerId")
+        base_url = context.context.base_url
+        idp_metadata = BetterAuth::Plugins.respond_to?(:sso_saml_idp_metadata) ? BetterAuth::Plugins.sso_saml_idp_metadata(config) : {}
+        sso_service = BetterAuth::Plugins.respond_to?(:sso_saml_preferred_service) ? BetterAuth::Plugins.sso_saml_preferred_service(idp_metadata[:single_sign_on_service]) : nil
+        sso_service = BetterAuth::Plugins.normalize_hash(sso_service || {})
+        settings.assertion_consumer_service_url = if BetterAuth::Plugins.respond_to?(:sso_saml_acs_url?) && BetterAuth::Plugins.sso_saml_acs_url?(config[:callback_url])
+          config[:callback_url]
+        else
+          "#{base_url}/sso/saml2/sp/acs/#{URI.encode_www_form_component(provider_id)}"
+        end
+        settings.sp_entity_id = config.dig(:sp_metadata, :entity_id) || config[:audience] || "#{base_url}/sso/saml2/sp/metadata?providerId=#{URI.encode_www_form_component(provider_id)}"
+        settings.idp_entity_id = idp_metadata[:entity_id] || provider["issuer"] || provider[:issuer]
+        settings.idp_sso_service_url = config[:entry_point] || sso_service[:location]
+        settings.idp_cert = config[:cert] || idp_metadata[:cert] unless (config[:cert] || idp_metadata[:cert]).to_s.empty?
+        settings.name_identifier_format = config[:identifier_format] unless config[:identifier_format].to_s.empty?
+        private_key = config.dig(:sp_metadata, :private_key) || config[:private_key] || config[:sp_private_key]
+        authn_requests_signed = config.fetch(:authn_requests_signed, config[:want_authn_requests_signed])
+        if authn_requests_signed && private_key.to_s.empty?
+          raise BetterAuth::APIError.new("BAD_REQUEST", message: "SAML authnRequestsSigned requires privateKey")
+        end
+        settings.private_key = private_key unless private_key.to_s.empty?
+        certificate = config.dig(:sp_metadata, :certificate) || config[:sp_certificate]
+        certificate ||= config[:certificate] if config[:certificate].is_a?(String)
+        settings.certificate = certificate unless certificate.to_s.empty?
+        settings.security[:want_assertions_signed] = config.fetch(:want_assertions_signed, true)
+        settings.security[:want_messages_signed] = config.fetch(:want_messages_signed, false)
+        settings.security[:want_assertions_encrypted] = config.fetch(:want_assertions_encrypted, false)
+        settings.security[:authn_requests_signed] = !!authn_requests_signed
+        settings.security[:strict_audience_validation] = true
+        settings.security[:digest_method] = config[:digest_algorithm] || XMLSecurity::Document::SHA256
+        settings.security[:signature_method] = if config[:signature_algorithm]
+          BetterAuth::Plugins.sso_normalize_saml_signature_algorithm(config[:signature_algorithm])
+        else
+          XMLSecurity::Document::RSA_SHA256
+        end
+        settings
+      end
+      def validate_response_xml!(raw_response, config)
+        BetterAuth::Plugins.sso_validate_single_saml_assertion!(raw_response)
+        xml = Base64.decode64(raw_response.to_s)
+        BetterAuth::Plugins.sso_validate_saml_algorithms!(
+          xml,
+          on_deprecated: config.fetch(:on_deprecated_algorithm, "reject"),
+          allowed_signature_algorithms: config[:allowed_signature_algorithms],
+          allowed_digest_algorithms: config[:allowed_digest_algorithms],
+          allowed_key_encryption_algorithms: config[:allowed_key_encryption_algorithms],
+          allowed_data_encryption_algorithms: config[:allowed_data_encryption_algorithms]
+        )
+      rescue BetterAuth::APIError
+        raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response")
+      rescue
+        raise BetterAuth::APIError.new("BAD_REQUEST", message: "Invalid SAML response")
+      end
+      def first_attribute(attributes, names)
+        Array(names).each do |name|
+          value = attribute_value(attributes, name)
+          value = value.first if value.is_a?(Array)
+          return value unless value.to_s.empty?
+        end
+        nil
+      end
+      def mapped_attribute(attributes, name)
+        return nil if name.to_s.empty?
+        value = attribute_value(attributes, name)
+        value = value.first if value.is_a?(Array)
+        value unless value.to_s.empty?
+      end
+      def mapped_extra_fields(attributes, mapping)
+        BetterAuth::Plugins.normalize_hash(mapping[:extra_fields] || {}).each_with_object({}) do |(target, source), result|
+          result[target] = mapped_attribute(attributes, source)
+        end
+      end
+      def attribute_value(attributes, name)
+        [name, name.to_s, BetterAuth::Plugins.normalize_key(name)].each do |key|
+          return attributes[key] if attributes.respond_to?(:key?) && attributes.key?(key)
+        end
+        attributes[name] || attributes[name.to_s] || attributes[BetterAuth::Plugins.normalize_key(name)]
+      end
+      def assertion_identifier(response, email)
+        response.assertion_id || response.nameid || response.sessionindex || email
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml_hooks.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+module BetterAuth
+  module SSO
+    module SAMLHooks
+      module_function
+      def merge_options(sso_options = {}, saml_options = {})
+        sso_options = BetterAuth::Plugins.normalize_hash(sso_options || {})
+        saml_options = BetterAuth::Plugins.normalize_hash(saml_options || {})
+        sso_options.merge(saml_options) do |key, old_value, new_value|
+          if key == :saml
+            BetterAuth::Plugins.normalize_hash(old_value || {}).merge(BetterAuth::Plugins.normalize_hash(new_value || {}))
+          else
+            new_value
+          end
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/saml_state.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+module BetterAuth
+  module SSO
+    module SAMLState
+      module_function
+      def generate_relay_state(ctx, link = nil, additional_data = {})
+        callback_url = BetterAuth::Plugins.sso_fetch(ctx.body, :callback_url)
+        raise BetterAuth::APIError.new("BAD_REQUEST", message: "callbackURL is required") if callback_url.to_s.empty?
+        extra = (additional_data == false) ? {} : (additional_data || {})
+        BetterAuth::Plugins.sso_generate_saml_relay_state(
+          ctx,
+          extra.merge(
+            callbackURL: callback_url,
+            errorURL: BetterAuth::Plugins.sso_fetch(ctx.body, :error_callback_url),
+            newUserURL: BetterAuth::Plugins.sso_fetch(ctx.body, :new_user_callback_url),
+            requestSignUp: BetterAuth::Plugins.sso_fetch(ctx.body, :request_sign_up),
+            link: link
+          )
+        )
+      end
+      def parse_relay_state(ctx)
+        BetterAuth::Plugins.sso_parse_saml_relay_state(ctx, BetterAuth::Plugins.sso_fetch(ctx.body, :relay_state))
+      end
+    end
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,195 @@
+--- !ruby/object:Gem::Specification
+name: better_auth-saml
+version: !ruby/object:Gem::Version
+  version: 0.10.0
+platform: ruby
+authors:
+- Sebastian Sala
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: better_auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: ruby-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.18'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.18'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.18.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.25'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.25'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+- !ruby/object:Gem::Dependency
+  name: standardrb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: SAML 2.0 service provider primitives and plugin extensions for Better
+  Auth Ruby enterprise SSO. Pair with better_auth-sso for provider management or require
+  directly for SAML-only integrations.
+email:
+- sebastian.sala.tech@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- README.md
+- lib/better_auth/plugins/saml.rb
+- lib/better_auth/saml.rb
+- lib/better_auth/saml/version.rb
+- lib/better_auth/sso/constants.rb
+- lib/better_auth/sso/plugin/saml_core.rb
+- lib/better_auth/sso/plugin/saml_metadata_and_logout.rb
+- lib/better_auth/sso/plugin/saml_response.rb
+- lib/better_auth/sso/plugin/saml_validation_and_state.rb
+- lib/better_auth/sso/routes/saml_pipeline.rb
+- lib/better_auth/sso/saml.rb
+- lib/better_auth/sso/saml/algorithms.rb
+- lib/better_auth/sso/saml/assertions.rb
+- lib/better_auth/sso/saml/error_codes.rb
+- lib/better_auth/sso/saml/parser.rb
+- lib/better_auth/sso/saml/timestamp.rb
+- lib/better_auth/sso/saml_hooks.rb
+- lib/better_auth/sso/saml_state.rb
+homepage: https://github.com/sebasxsala/better-auth-rb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/sebasxsala/better-auth-rb
+  source_code_uri: https://github.com/sebasxsala/better-auth-rb
+  changelog_uri: https://github.com/sebasxsala/better-auth-rb/blob/main/packages/better_auth-saml/CHANGELOG.md
+  bug_tracker_uri: https://github.com/sebasxsala/better-auth-rb/issues
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: SAML 2.0 SP support for Better Auth Ruby SSO
+test_files: []