devise_saml_authenticatable 1.3.1 → 1.6.0

data/devise_saml_authenticatable.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
   gem.description   = %q{SAML Authentication for devise}
   gem.summary       = %q{SAML Authentication for devise }
   gem.homepage      = ""
+  gem.license     = "MIT"
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -17,5 +18,5 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
 
   gem.add_dependency("devise","> 2.0.0")
-  gem.add_dependency("ruby-saml","~> 1.3")
+  gem.add_dependency("ruby-saml","~> 1.7")
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
 require "devise_saml_authenticatable/default_idp_entity_id_reader"
 
 begin
@@ -19,6 +20,10 @@ end
 
 # Get saml information from config/saml.yml now
 module Devise
+  # Allow route customization to avoid collision
+  mattr_accessor :saml_route_helper_prefix
+  @@saml_route_helper_prefix
+
   # Allow logging
   mattr_accessor :saml_logger
   @@saml_logger = true
@@ -62,11 +67,76 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
+  mattr_accessor :saml_attribute_map_resolver
+  @@saml_attribute_map_resolver ||= ::DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+
+  # Implements a #validate method that takes the retrieved resource and response right after retrieval,
+  # and returns true if it's valid.  False will cause authentication to fail.
+  # Only one of saml_resource_validator and saml_resource_validator_hook may be used.
+  mattr_accessor :saml_resource_validator
+  @@saml_resource_validator
+
+  # Proc that determines whether a technically correct SAML response is valid per some custom logic.
+  # Receives the user object (or nil, if no match was found), decorated saml_response and
+  # auth_value, inspects the combination for acceptability of login (or create+login, if enabled),
+  # and returns true if it's valid.  False will cause authentication to fail.
+  mattr_accessor :saml_resource_validator_hook
+  @@saml_resource_validator_hook
+
+  # Custom value for ruby-saml allowed_clock_drift
+  mattr_accessor :allowed_clock_drift_in_seconds
+  @@allowed_clock_drift_in_seconds
+
   mattr_accessor :saml_config
   @@saml_config = OneLogin::RubySaml::Settings.new
   def self.saml_configure
     yield saml_config
   end
+
+  # Default update resource hook. Updates each attribute on the model that is mapped, updates the
+  # saml_default_user_key if saml_use_subject is true and saves the user model.
+  # See saml_update_resource_hook for more information.
+  mattr_reader :saml_default_update_resource_hook
+  @@saml_default_update_resource_hook = Proc.new do |user, saml_response, auth_value|
+    saml_response.attributes.resource_keys.each do |key|
+      user.send "#{key}=", saml_response.attribute_value_by_resource_key(key)
+    end
+
+    if (Devise.saml_use_subject)
+      user.send "#{Devise.saml_default_user_key}=", auth_value
+    end
+
+    user.save!
+  end
+
+  # Proc that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
+  # Receives the user object, saml_response and auth_value, and defines how the object's values are
+  # updated with regards to the SAML response. See saml_default_update_resource_hook for an example.
+  mattr_accessor :saml_update_resource_hook
+  @@saml_update_resource_hook = @@saml_default_update_resource_hook
+
+  # Default resource locator. Uses saml_default_user_key and auth_value to resolve user.
+  # See saml_resource_locator for more information.
+  mattr_reader :saml_default_resource_locator
+  @@saml_default_resource_locator = Proc.new do |model, saml_response, auth_value|
+    model.where(Devise.saml_default_user_key => auth_value).first
+  end
+
+  # Proc that is called to resolve the saml_response and auth_value into the correct user object.
+  # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+  # one instance of the provided model that is the matched account, or nil if none exists.
+  # See saml_default_resource_locator above for an example.
+  mattr_accessor :saml_resource_locator
+  @@saml_resource_locator = @@saml_default_resource_locator
+
+  # Proc that is called to resolve the name identifier to use in a LogoutRequest for the current user.
+  # Receives the logged-in user.
+  # Is expected to return the identifier the IdP understands for this user, e.g. email address or username.
+  mattr_accessor :saml_name_identifier_retriever
+  @@saml_name_identifier_retriever = Proc.new do |current_user|
+    current_user.public_send(Devise.saml_default_user_key)
+  end
 end
 
 # Add saml_authenticatable strategy to defaults.

data/lib/devise_saml_authenticatable/default_attribute_map_resolver.rb

@@ -0,0 +1,26 @@
+module DeviseSamlAuthenticatable
+  class DefaultAttributeMapResolver
+    def initialize(saml_response)
+      @saml_response = saml_response
+    end
+
+    def attribute_map
+      return {} unless File.exist?(attribute_map_path)
+
+      attribute_map = YAML.load(File.read(attribute_map_path))
+      if attribute_map.key?(Rails.env)
+        attribute_map[Rails.env]
+      else
+        attribute_map
+      end
+    end
+
+    private
+
+    attr_reader :saml_response
+
+    def attribute_map_path
+      Rails.root.join("config", "attribute-map.yml")
+    end
+  end
+end

data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb

@@ -2,9 +2,17 @@ module DeviseSamlAuthenticatable
   class DefaultIdpEntityIdReader
     def self.entity_id(params)
       if params[:SAMLRequest]
-        OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest]).issuer
+        OneLogin::RubySaml::SloLogoutrequest.new(
+          params[:SAMLRequest],
+          settings: Devise.saml_config,
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        ).issuer
       elsif params[:SAMLResponse]
-        OneLogin::RubySaml::Response.new(params[:SAMLResponse]).issuers.first
+        OneLogin::RubySaml::Response.new(
+          params[:SAMLResponse],
+          settings: Devise.saml_config,
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        ).issuers.first
       end
     end
   end

data/lib/devise_saml_authenticatable/exception.rb

@@ -1,6 +1,6 @@
 module DeviseSamlAuthenticatable
 
-  class SamlException < Exception
+  class SamlException < StandardError
   end
 
 end

data/lib/devise_saml_authenticatable/model.rb

@@ -1,4 +1,5 @@
 require 'devise_saml_authenticatable/strategy'
+require 'devise_saml_authenticatable/saml_response'
 
 module Devise
   module Models
@@ -30,16 +31,29 @@ module Devise
       module ClassMethods
         def authenticate_with_saml(saml_response, relay_state)
           key = Devise.saml_default_user_key
-          attributes = saml_response.attributes
-          if (Devise.saml_use_subject)
+          decorated_response = ::SamlAuthenticatable::SamlResponse.new(
+            saml_response,
+            Devise.saml_attribute_map_resolver.new(saml_response).attribute_map,
+          )
+          if Devise.saml_use_subject
             auth_value = saml_response.name_id
           else
-            inv_attr = attribute_map.invert
-            auth_value = attributes[inv_attr[key.to_s]]
+            auth_value = decorated_response.attribute_value_by_resource_key(key)
           end
           auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
 
-          resource = where(key => auth_value).first
+          resource = Devise.saml_resource_locator.call(self, decorated_response, auth_value)
+
+          raise "Only one validator configuration can be used at a time" if Devise.saml_resource_validator && Devise.saml_resource_validator_hook
+          if Devise.saml_resource_validator || Devise.saml_resource_validator_hook
+            valid = if Devise.saml_resource_validator then Devise.saml_resource_validator.new.validate(resource, saml_response)
+                    else Devise.saml_resource_validator_hook.call(resource, decorated_response, auth_value)
+                    end
+            if !valid
+              logger.info("User(#{auth_value}) did not pass custom validation.")
+              return nil
+            end
+          end
 
           if resource.nil?
             if Devise.saml_create_user
@@ -52,11 +66,7 @@ module Devise
           end
 
           if Devise.saml_update_user || (resource.new_record? && Devise.saml_create_user)
-            set_user_saml_attributes(resource, attributes)
-            if (Devise.saml_use_subject)
-              resource.send "#{key}=", auth_value
-            end
-            resource.save!
+            Devise.saml_update_resource_hook.call(resource, decorated_response, auth_value)
           end
 
           resource
@@ -70,28 +80,6 @@ module Devise
         def find_for_shibb_authentication(conditions)
           find_for_authentication(conditions)
         end
-
-        def attribute_map
-          @attribute_map ||= attribute_map_for_environment
-        end
-
-        private
-
-        def set_user_saml_attributes(user,attributes)
-          attribute_map.each do |k,v|
-            Rails.logger.info "Setting: #{v}, #{attributes[k]}"
-            user.send "#{v}=", attributes[k]
-          end
-        end
-
-        def attribute_map_for_environment
-          attribute_map = YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
-          if attribute_map.has_key?(Rails.env)
-            attribute_map[Rails.env]
-          else
-            attribute_map
-          end
-        end
       end
     end
   end

data/lib/devise_saml_authenticatable/routes.rb

@@ -1,12 +1,23 @@
 ActionDispatch::Routing::Mapper.class_eval do
   protected
   def devise_saml_authenticatable(mapping, controllers)
-    resource :session, :only => [], :controller => controllers[:saml_sessions], :path => "" do
-      get :new, :path => "saml/sign_in", :as => "new"
-      post :create, :path=>"saml/auth"
-      match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy", :via => mapping.sign_out_via
-      get :metadata, :path=>"saml/metadata"
-      match :idp_sign_out, :path=>"saml/idp_sign_out", via: [:get, :post]
+    if ::Devise.saml_route_helper_prefix
+      prefix = ::Devise.saml_route_helper_prefix
+      resource :session, only: [], controller: controllers[:saml_sessions], path: '' do
+        get :new, path: 'saml/sign_in', as: "new_#{prefix}"
+        post :create, path: 'saml/auth', as: prefix
+        match :destroy, path: mapping.path_names[:sign_out], as: "destroy_#{prefix}", via: mapping.sign_out_via
+        get :metadata, path: 'saml/metadata'
+        match :idp_sign_out, path: 'saml/idp_sign_out', as: "idp_destroy_#{prefix}", via: [:get, :post]
+      end
+    else
+      resource :session, only: [], controller: controllers[:saml_sessions], path: '' do
+        get :new, path: 'saml/sign_in', as: 'new'
+        post :create, path: 'saml/auth'
+        match :destroy, path: mapping.path_names[:sign_out], as: 'destroy', via: mapping.sign_out_via
+        get :metadata, path: 'saml/metadata'
+        match :idp_sign_out, path: 'saml/idp_sign_out', via: [:get, :post]
+      end
     end
   end
 end

data/lib/devise_saml_authenticatable/saml_mapped_attributes.rb

@@ -0,0 +1,38 @@
+module SamlAuthenticatable
+  class SamlMappedAttributes
+    def initialize(attributes, attribute_map)
+      @attributes = attributes
+      @attribute_map = attribute_map
+    end
+
+    def saml_attribute_keys
+      @attribute_map.keys
+    end
+
+    def resource_keys
+      @attribute_map.values
+    end
+
+    def value_by_resource_key(key)
+      str_key = String(key)
+
+      # Find all of the SAML attributes that map to the resource key
+      attribute_map_for_key = @attribute_map.select { |_, resource_key| String(resource_key) == str_key }
+
+      saml_value = nil
+
+      # Find the first non-nil value
+      attribute_map_for_key.each_key do |saml_key|
+        saml_value = value_by_saml_attribute_key(saml_key)
+
+        break unless saml_value.nil?
+      end
+
+      saml_value
+    end
+
+    def value_by_saml_attribute_key(key)
+      @attributes[String(key)]
+    end
+  end
+end

data/lib/devise_saml_authenticatable/saml_response.rb

@@ -0,0 +1,16 @@
+require 'devise_saml_authenticatable/saml_mapped_attributes'
+
+module SamlAuthenticatable
+  class SamlResponse
+    attr_reader :raw_response, :attributes
+
+    def initialize(saml_response, attribute_map)
+      @attributes = ::SamlAuthenticatable::SamlMappedAttributes.new(saml_response.attributes, attribute_map)
+      @raw_response = saml_response
+    end
+
+    def attribute_value_by_resource_key(key)
+      attributes.value_by_resource_key(key)
+    end
+  end
+end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -6,7 +6,11 @@ module Devise
       include DeviseSamlAuthenticatable::SamlConfig
       def valid?
         if params[:SAMLResponse]
-          OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+          OneLogin::RubySaml::Response.new(
+            params[:SAMLResponse],
+            settings: saml_config(get_idp_entity_id(params)),
+            allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+          )
         else
           false
         end
@@ -30,7 +34,11 @@ module Devise
 
       private
       def parse_saml_response
-        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config(get_idp_entity_id(params)))
+        @response = OneLogin::RubySaml::Response.new(
+          params[:SAMLResponse],
+          settings: saml_config(get_idp_entity_id(params)),
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        )
         unless @response.is_valid?
           failed_auth("Auth errors: #{@response.errors.join(', ')}")
         end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.3.1"
+  VERSION = "1.6.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -1,31 +1,38 @@
 require 'rails_helper'
 
-class Devise::SessionsController < ActionController::Base
-  # The important parts from devise
+# The important parts from devise
+class DeviseController < ApplicationController
+  attr_accessor :current_user
+
   def resource_class
     User
   end
 
+  def require_no_authentication
+  end
+end
+class Devise::SessionsController < DeviseController
   def destroy
     sign_out
     redirect_to after_sign_out_path_for(:user)
   end
 
-  def require_no_authentication
+  def verify_signed_out_user
+    # no-op for these tests
   end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
 describe Devise::SamlSessionsController, type: :controller do
-  let(:saml_config) { Devise.saml_config }
   let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
 
   before do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
     allow(idp_providers_adapter).to receive(:settings).and_return({
       assertion_consumer_service_url: "acs_url",
       assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
       issuer: "sp_issuer",
       idp_entity_id: "http://www.example.com",
       authn_context: "",
@@ -35,6 +42,20 @@ describe Devise::SamlSessionsController, type: :controller do
     })
   end
 
+  before do
+    if Rails::VERSION::MAJOR < 5 && Gem::Version.new(RUBY_VERSION) > Gem::Version.new("2.6")
+      # we still want to support Rails 4
+      # patch tests using snippet from https://github.com/rails/rails/issues/34790#issuecomment-483607370
+      class ActionController::TestResponse < ActionDispatch::TestResponse
+        def recycle!
+          @mon_mutex_owner_object_id = nil
+          @mon_mutex = nil
+          initialize
+        end
+      end
+    end
+  end
+
   describe '#new' do
     let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
 
@@ -66,6 +87,7 @@ describe Devise::SamlSessionsController, type: :controller do
       it "uses the DefaultIdpEntityIdReader" do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
+        expect(idp_providers_adapter).to have_received(:settings).with(nil)
       end
 
       context "with a relay_state lambda defined" do
@@ -104,6 +126,7 @@ describe Devise::SamlSessionsController, type: :controller do
 
         it "redirects to the associated IdP SSO target url" do
           do_get
+          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
           expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
         end
       end
@@ -111,6 +134,8 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#metadata' do
+    let(:saml_config) { Devise.saml_config.dup }
+
     context "with the default configuration" do
       it 'generates metadata' do
         get :metadata
@@ -130,7 +155,7 @@ describe Devise::SamlSessionsController, type: :controller do
         Devise.saml_configure do |settings|
           settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
           settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
           settings.issuer = "http://localhost:3000"
         end
       end
@@ -147,10 +172,81 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
-    it 'signs out and redirects to the IdP' do
-      expect(controller).to receive(:sign_out)
-      delete :destroy
-      expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+    before do
+      allow(controller).to receive(:sign_out)
+    end
+
+    context "when using the default saml config" do
+      it "signs out and redirects to the IdP" do
+        delete :destroy
+        expect(controller).to have_received(:sign_out)
+        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+      end
+    end
+
+    context "when configured to use a non-transient name identifier" do
+      before do
+        allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+      end
+
+      it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
+        controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+
+        actual_settings = nil
+        expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
+          actual_settings = settings
+          "http://localhost:8009/saml/logout"
+        end
+
+        delete :destroy
+        expect(actual_settings.name_identifier_value).to eq("user@example.com")
+        expect(actual_settings.sessionindex).to eq("sessionindex")
+      end
+    end
+
+    context "with a specified idp" do
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+      end
+
+      it "redirects to the associated IdP SSO target url" do
+        expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
+        delete :destroy
+        expect(controller).to have_received(:sign_out)
+        expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+      end
+
+      context "with a specified idp entity id reader" do
+        class OurIdpEntityIdReader
+          def self.entity_id(params)
+            params[:entity_id]
+          end
+        end
+
+        subject(:do_delete) {
+          if Rails::VERSION::MAJOR > 4
+            delete :destroy, params: {entity_id: "http://www.example.com"}
+          else
+            delete :destroy, entity_id: "http://www.example.com"
+          end
+        }
+
+        before do
+          @default_reader = Devise.idp_entity_id_reader
+          Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+        end
+
+        after do
+          Devise.idp_entity_id_reader = @default_reader
+        end
+
+        it "redirects to the associated IdP SLO target url" do
+          do_delete
+          expect(controller).to have_received(:sign_out)
+          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
+          expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+        end
+      end
     end
   end
 
@@ -214,12 +310,13 @@ describe Devise::SamlSessionsController, type: :controller do
       let(:name_id) { '12312312' }
       before do
         allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
+        allow(User).to receive(:reset_session_key_for)
       end
 
       it 'direct the resource to reset the session key' do
-        expect(User).to receive(:reset_session_key_for).with(name_id)
         do_post
         expect(response).to redirect_to response_url
+        expect(User).to have_received(:reset_session_key_for).with(name_id)
       end
 
       context "with a specified idp" do
@@ -236,6 +333,16 @@ describe Devise::SamlSessionsController, type: :controller do
         end
       end
 
+      context "with a relay_state lambda defined" do
+        let(:relay_state) { ->(request) { "123" } }
+
+        it "includes the RelayState param in the request to the IdP" do
+          expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
+          do_post
+          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil, {RelayState: "123"})
+        end
+      end
+
       context 'when saml_session_index_key is not configured' do
         before do
           Devise.saml_session_index_key = nil