concerto_saml_auth 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b6ebfa7bb437454efca0513642b2bfbf5464e5f2
-  data.tar.gz: 59ac1d64b4f418bc48019657687edc7bb94ddc98
+  metadata.gz: 90b41d1da193def155770eac480a23b933f9160d
+  data.tar.gz: b764233babcee9bf78a7cd3b9a527807410fe04d
 SHA512:
-  metadata.gz: 2e16f9fa978ded9c51250f5a3e2b2aee663db06cceabd22a2ae1c5068b9c2e1e667d91e1acc5879d3f8c1d319e39a1408dfbcbb2199270ef3969a827f0c73ede
-  data.tar.gz: 6d466a2c368cd922ec36fb2d7cc6d0d8249ba5dfef681d03f211905fd1f2e387239febe9bef305e756db91e1a25a57e25255f9baaefd4bcba9c03cbf05b94cb8
+  metadata.gz: aa1ab6c6bebb042a75def3c578763c7a05f8b296d69fcefc4c67f7405084efc4b5e4b7d7de2e7645d26f337f93c864fb16386ec9af1c88f32b8a61dc84929e96
+  data.tar.gz: f37cc2db9fa584050956779fea291dc2699eea719667a584dfabf79b472571897a81af029487c810a153becbe298fa32bdc99f07e7a64606eba1964667a11e2d

data/README.md

@@ -13,10 +13,9 @@ Installing the plugin
 1. Log in using a system admin account in your Concerto deployment. You should have set up your Concerto installation already.
 2. Click on the "plugins" button on the top navigation bar under the admin section.
 3. On the right side of the page, click on the "new plugin" button.
-4. With Git Repository selected as the source, write `concerto_saml_auth` as the Gem Name, and this repository's clone URL as the Source URL. 
-5. Click save, you will now stop your Concerto web server, run the ```bundle``` command (while in the Concerto directory), and start your web server again.
+4. With Ruby Gem selected as the source, write `concerto_saml_auth` as the Gem Name.
 6. Since the SAML plugin is not configured yet, you can log back into your Concerto accounts by visiting the ```your.concerto.url/users/sign_in``` route, using
-   any user that was not created using through SAML login. 
+   any user that was not created through SAML login. Or continue using the user you're logged in as.
 7. If the plugin was installed successfully, you will see a new "SAML User Authentication" settings tab under the "settings" page. This page can be found by clicking the "settings" button on the top navigation bar under the admin section.
 8. Configure the plugin and restart the web server, as explained below.
 9. Add your Service Provider's metadata to the Identity Provider. You can find your metadata at `your.concerto.url/auth/saml/metadata`.

data/app/controllers/concerto_saml_auth/application_controller.rb

@@ -57,7 +57,7 @@ module ConcertoSamlAuth
         end
 
         if omniauth_config[:admin_groups].present?
-          synchronize_is_admin(user, omniauth_config)
+          synchronize_is_admin(user, saml_hash, omniauth_config)
         end
 
         user.save!
@@ -92,7 +92,26 @@ module ConcertoSamlAuth
     end
 
     def find_user_groups(saml_hash, omniauth_config)
+      member_of_mapping = create_member_of_mapping(omniauth_config[:member_of_mapping])
+      Rails.logger.debug member_of_mapping
+
+      common_names = find_cn_from_member_of(saml_hash, omniauth_config)
+
+      # Apply the mapping
+      concerto_groups = []
+      member_of_mapping.each do |concerto_group_name, ldap_group_names|
+        common_group_names = ldap_group_names & common_names
+        if common_group_names
+          # This user is a member of a group associated with this Concerto group.
+          concerto_groups.push(concerto_group_name)
+        end
+      end
+      concerto_groups
+    end
+
+    def find_cn_from_member_of(saml_hash, omniauth_config)
       member_of_key = omniauth_config[:member_of_key]
+
       member_of_lines = saml_hash[:extra][:response_object].attributes.multi(member_of_key)
       if member_of_lines.nil?
         Rails.logger.debug "No user groups found"
@@ -111,24 +130,8 @@ module ConcertoSamlAuth
       end
       Rails.logger.debug "Interpreting the memberOf field:"
       Rails.logger.debug groups_splitted
-      # Remove elements which are not matched by the filter
-      if !omniauth_config[:member_of_filter].blank?
-        filter = omniauth_config[:member_of_filter]
-        filter = (filter.strip).downcase
-        filter_list = filter.split(",")
-        Rails.logger.debug filter_list
-        matching_groups = groups_splitted.select do |single_splitted_group|
-          # Check if the intersection of single_splitted_group and filter_list has elements
-          # (meaning that at least one element in single_splitted_group matches one element
-          # in filter_list)
-          !(single_splitted_group & filter_list).empty?
-        end
-      else
-        matching_groups = groups_splitted
-      end
-      Rails.logger.debug matching_groups
       # Go to array of {:cn => ["broadcast engineer"], :ou => ["commission", "groups"], :dc => ["example", "com"]}
-      group_hashes = matching_groups.map do |single_splitted_group|
+      group_hashes = groups_splitted.map do |single_splitted_group|
         # Create a hash which returns new Arrays for missing entries
         resulting_group_hash = Hash.new{|h,k| h[k] = []}
         single_splitted_group.each do |single_group_attribute|
@@ -147,11 +150,29 @@ module ConcertoSamlAuth
           common_names.push(group_name)
         end
       end
-      Rails.logger.debug common_names
-      # Go to array of "Broadcast engineer" (normalizing names)
-      common_names.map do |single_common_name|
-        single_common_name.capitalize
+      common_names
+    end
+
+    def create_member_of_mapping(member_of_mapping_str)
+      member_of_mapping_str.strip!
+      group_statements = member_of_mapping_str.split(';')
+      group_statements.map! {|s| s.strip }
+      mapping = {}
+      group_statements.each do |statement|
+        parts = statement.split('=')
+        if parts.count <= 1
+          return nil
+        end
+        concerto_group_name = parts[0]
+
+        ldap_groups_str = parts[1]
+        ldap_groups_str.downcase!
+        ldap_group_names = ldap_groups_str.split(',')
+        ldap_group_names.map! {|s| s.strip }
+
+        mapping[concerto_group_name] = ldap_group_names
       end
+      mapping
     end
 
     def add_user_to(all_groups, user)
@@ -167,21 +188,18 @@ module ConcertoSamlAuth
     def remove_user_from(all_groups, user)
       all_groups.each do |group_name|
         group = Group.where(:name => group_name).first!
-        Membership.where(:user_id => user.id, :group_id => group.id).destroy
+        Membership.where(:user_id => user.id, :group_id => group.id).destroy_all
       end
     end
 
-    def synchronize_is_admin(user, omniauth_config)
+    def synchronize_is_admin(user, saml_hash, omniauth_config)
       admin_group_string = omniauth_config[:admin_groups]
       admin_group_names = admin_group_string.split(",")
       admin_group_names.map! do |group|
-        (group.strip).capitalize
+        (group.strip).downcase
       end
 
-      user_groups = Membership.where(:user_id => user.id)
-      user_group_names = user_groups.map do |membership|
-        membership.group.name
-      end
+      user_group_names = find_cn_from_member_of(saml_hash, omniauth_config)
       should_be_admin = admin_group_names & user_group_names
       user.is_admin = !should_be_admin.empty?
     end

data/config/initializers/omniauth.rb

@@ -16,16 +16,23 @@ if ActiveRecord::Base.connection.table_exists? 'concerto_configs'
     :seq_no => 2,
     :description => "A unique identifier used by this application to identify itself to the identity provider.")
 
-  ConcertoConfig.make_concerto_config("saml_uid_key", "uid",
+  default_saml_callback = "https://concerto.example.com/auth/saml/callback"
+  ConcertoConfig.make_concerto_config("saml_callback", default_saml_callback,
     :value_type => "string",
     :category => "SAML User Authentication",
     :seq_no => 3,
+    :description => "This is where the identity provider should redirect the user upon authentication. The path should be /auth/saml/callback, but using this setting you can enforce HTTPS for the callback. Leave empty or as default to automatically find callback URL.")
+
+  ConcertoConfig.make_concerto_config("saml_uid_key", "uid",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 4,
     :description => "SAML field name containing user login names")
 
   ConcertoConfig.make_concerto_config("saml_email_key", "email",
     :value_type => "string",
     :category => "SAML User Authentication",
-    :seq_no => 4,
+    :seq_no => 5,
     :description => "SAML field name containing user email addresses. Leave blank if using email_suffix below")
 
   ConcertoConfig.make_concerto_config("saml_first_name_key", "first_name",
@@ -46,17 +53,17 @@ if ActiveRecord::Base.connection.table_exists? 'concerto_configs'
     :seq_no => 8,
     :description => "SAML field name containing the memberOf attribute, as retrieved from LDAP")
 
-  ConcertoConfig.make_concerto_config("saml_member_of_filter", "OU=Access control",
+  ConcertoConfig.make_concerto_config("saml_member_of_mapping", "Concerto group 1 = LDAP group 1, LDAP group 2; Concerto group 2 = LDAP group 2",
     :value_type => "string",
     :category => "SAML User Authentication",
     :seq_no => 9,
-    :description => "Filter determining which groups are made in Concerto. At least one of the assertions provided here, separated by comma, must match a memberOf field for it to be included.")
+    :description => "Mapping between LDAP groups and Concerto groups. Format: GROUP NAME IN CONCERTO = GROUP NAME IN LDAP[, ANOTHER GROUP IN LDAP]…; ANOTHER GROUP NAME IN CONCERTO = (and so on)")
 
   ConcertoConfig.make_concerto_config("saml_admin_groups", "administrator group",
     :value_type => "string",
     :category => "SAML User Authentication",
     :seq_no => 10,
-    :description => "Common name of groups, separated by comma, whose members should be granted administrator permission in Concerto")
+    :description => "Common name of LDAP groups, separated by comma, whose members should be granted administrator permission in Concerto")
 
   # Store omniauth config values from main application's ConcertoConfig
   saml_idp_metadata = ConcertoConfig[:saml_idp_metadata]
@@ -74,6 +81,11 @@ if ActiveRecord::Base.connection.table_exists? 'concerto_configs'
     Rails.logger.warn "No URL (or default URL) defined for IDP metadata, SAML authentication will not be working."
   end
 
+  saml_callback = ConcertoConfig[:saml_callback]
+  if saml_callback.present? && saml_callback != default_saml_callback
+    omniauth_config[:assertion_consumer_service_url] = saml_callback
+  end
+
   request_attributes = []
   if ConcertoConfig[:saml_email_key].present?
     request_attributes.push({:name => ConcertoConfig[:saml_email_key], :friendly_name => "Email", :is_required => true})
@@ -103,9 +115,8 @@ if ActiveRecord::Base.connection.table_exists? 'concerto_configs'
     },
     :request_attributes => request_attributes,
     :member_of_key => ConcertoConfig[:saml_member_of_key],
-    :member_of_filter => ConcertoConfig[:saml_member_of_filter],
+    :member_of_mapping => ConcertoConfig[:saml_member_of_mapping],
     :admin_groups => ConcertoConfig[:saml_admin_groups],
-    # :callback_url => "/auth/saml/callback"
   )
 
   Rails.logger.debug omniauth_config

data/lib/concerto_saml_auth/version.rb

@@ -1,3 +1,3 @@
 module ConcertoSamlAuth
-  VERSION = "0.1.0"
+  VERSION = "1.0.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: concerto_saml_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Gabe Perez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-16 00:00:00.000000000 Z
+date: 2017-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -76,7 +76,7 @@ files:
 - lib/concerto_saml_auth/engine.rb
 - lib/concerto_saml_auth/version.rb
 - lib/tasks/concerto_saml_auth_tasks.rake
-homepage: http://www.concerto-signage.org
+homepage: https://github.com/Studentmediene/concerto_saml_auth
 licenses:
 - Apache-2.0
 metadata: {}
@@ -96,7 +96,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Provides user authentication using SAML