devise_saml_authenticatable 1.3.1 → 1.6.0

data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
+
+describe DeviseSamlAuthenticatable::DefaultAttributeMapResolver do
+  let!(:rails) { class_double("Rails", env: "test", logger: logger, root: rails_root).as_stubbed_const }
+  let(:logger) { instance_double("Logger", info: nil) }
+  let(:rails_root) { Pathname.new("tmp") }
+
+  let(:saml_response) { instance_double("OneLogin::RubySaml::Response") }
+  let(:file_contents) {
+    <<YAML
+---
+firstname: first_name
+lastname: last_name
+YAML
+  }
+  before do
+    allow(File).to receive(:exist?).and_return(true)
+    allow(File).to receive(:read).and_return(file_contents)
+  end
+
+  describe "#attribute_map" do
+    it "reads the attribute map from the config file" do
+      expect(described_class.new(saml_response).attribute_map).to eq(
+        "firstname" => "first_name",
+        "lastname" => "last_name",
+      )
+      expect(File).to have_received(:read).with(Pathname.new("tmp").join("config", "attribute-map.yml"))
+    end
+
+    context "when the attribute map is broken down by environment" do
+      let(:file_contents) {
+        <<YAML
+---
+test:
+  first: first_name
+  last: last_name
+YAML
+      }
+      it "reads the attribute map from the environment key" do
+        expect(described_class.new(saml_response).attribute_map).to eq(
+          "first" => "first_name",
+          "last" => "last_name",
+        )
+      end
+    end
+
+    context "when the config file does not exist" do
+      before do
+        allow(File).to receive(:exist?).and_return(false)
+      end
+
+      it "is an empty hash" do
+        expect(described_class.new(saml_response).attribute_map).to eq({})
+      end
+    end
+  end
+end

data/spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb

@@ -5,18 +5,48 @@ describe DeviseSamlAuthenticatable::DefaultIdpEntityIdReader do
     context "when there is a SAMLRequest in the params" do
       let(:params) { {SAMLRequest: "logout request"} }
       let(:slo_logout_request) { double('slo_logout_request', issuer: 'meow')}
+      before do
+        allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(slo_logout_request)
+      end
+
       it "uses an OneLogin::RubySaml::SloLogoutrequest to get the idp_entity_id" do
-        expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(slo_logout_request)
-        described_class.entity_id(params)
+        expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).with("logout request", hash_including)
+        expect(described_class.entity_id(params)).to eq("meow")
+      end
+
+      context "and allowed_clock_drift is configured" do
+        before do
+          allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+        end
+
+        it "allows the configured clock drift" do
+          expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).with("logout request", hash_including(allowed_clock_drift: 30))
+          expect(described_class.entity_id(params)).to eq("meow")
+        end
       end
     end
 
     context "when there is a SAMLResponse in the params" do
       let(:params) { {SAMLResponse: "auth response"} }
       let(:response) { double('response', issuers: ['meow'] )}
+      before do
+        allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
+      end
+
       it "uses an OneLogin::RubySaml::Response to get the idp_entity_id" do
-        expect(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
-        described_class.entity_id(params)
+        expect(OneLogin::RubySaml::Response).to receive(:new).with("auth response", hash_including)
+        expect(described_class.entity_id(params)).to eq("meow")
+      end
+
+      context "and allowed_clock_drift is configured" do
+        before do
+          allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+        end
+
+        it "allows the configured clock drift" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with("auth response", hash_including(allowed_clock_drift: 30))
+          expect(described_class.entity_id(params)).to eq("meow")
+        end
       end
     end
   end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -32,6 +32,7 @@ describe Devise::Models::SamlAuthenticatable do
   end
 
   before do
+    allow(Devise).to receive(:saml_attribute_map_resolver).and_return(attribute_map_resolver)
     allow(Devise).to receive(:saml_default_user_key).and_return(:email)
     allow(Devise).to receive(:saml_create_user).and_return(false)
     allow(Devise).to receive(:saml_use_subject).and_return(false)
@@ -39,13 +40,19 @@ describe Devise::Models::SamlAuthenticatable do
 
   before do
     allow(Rails).to receive(:root).and_return("/railsroot")
-    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(<<-ATTRIBUTEMAP)
----
-"saml-email-format": email
-"saml-name-format":  name
-      ATTRIBUTEMAP
   end
 
+  let(:attribute_map_resolver) {
+    Class.new(::DeviseSamlAuthenticatable::DefaultAttributeMapResolver) do
+      def attribute_map
+        {
+          "saml-email-format" => "email",
+          "saml-name-format" => "name",
+        }
+      end
+    end
+  }
+  let(:attributemap) { attribute_map_resolver.new(nil).attribute_map }
   let(:response) { double(:response, attributes: attributes, name_id: name_id) }
   let(:attributes) {
     OneLogin::RubySaml::Attributes.new(
@@ -178,4 +185,191 @@ describe Devise::Models::SamlAuthenticatable do
       include_examples "correct downcasing"
     end
   end
+
+  context "when configured with a resource validator class" do
+    let(:validator_class) { double("validator") }
+    let(:validator) { double("validator") }
+    let(:user) { Model.new(new_record: false) }
+
+    before do
+      allow(Devise).to receive(:saml_resource_validator).and_return(validator_class)
+      allow(validator_class).to receive(:new).and_return(validator)
+    end
+
+    context "and sent a valid value" do
+      before do
+        allow(validator).to receive(:validate).with(user, response).and_return(true)
+      end
+
+      it "returns the user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
+    end
+
+    context "and sent an invalid value" do
+      before do
+        allow(validator).to receive(:validate).with(user, response).and_return(false)
+      end
+
+      it "returns nil" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
+
+  context "when configured with a resource validator hook" do
+    let(:validator_hook) { double("validator_hook") }
+    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, attributemap) }
+    let(:user) { Model.new(new_record: false) }
+
+    before do
+      allow(Devise).to receive(:saml_resource_validator_hook).and_return(validator_hook)
+      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, attributemap).and_return(decorated_response)
+    end
+
+    context "and sent a valid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(true)
+      end
+
+      it "returns the user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
+    end
+
+    context "and sent an invalid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(false)
+      end
+
+      it "returns nil" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
+
+  context "when configured to use a custom update hook" do
+    it "can replicate the default behaviour in a custom hook" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can extend the default behaviour with custom transformations" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+
+        user.email = "ext+#{user.email}"
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq("ext+#{attributes['saml-email-format']}")
+    end
+
+    it "can extend the default behaviour using information from the saml response" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+
+        name_id = saml_response.raw_response.name_id
+        user.name += "@#{name_id}"
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq("#{attributes['saml-name-format']}@#{response.name_id}")
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    def configure_hook(&block)
+      allow(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      allow(Devise).to receive(:saml_default_user_key).and_return(:email)
+      allow(Devise).to receive(:saml_create_user).and_return(true)
+      allow(Devise).to receive(:saml_update_resource_hook).and_return(block)
+    end
+  end
+
+  context "when configured to use a custom user locator" do
+    let(:name_id) { 'SomeUsername' }
+
+    it "can replicate the default behaviour for a new user in a custom locator" do
+      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([])
+
+      configure_hook do |model, saml_response, auth_value|
+        Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can replicate the default behaviour for an existing user in a custom locator" do
+      user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
+      user.save!
+
+      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([user])
+
+      configure_hook do |model, saml_response, auth_value|
+        Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user).to eq(user)
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can change the default behaviour for a new user from the saml response" do
+      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([])
+
+      configure_hook do |model, saml_response, auth_value|
+        name_id = saml_response.raw_response.name_id
+        model.where(foo: auth_value, bar: name_id).first
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can change the default behaviour for an existing user from the saml response" do
+      user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
+      user.save!
+
+      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([user])
+
+      configure_hook do |model, saml_response, auth_value|
+        name_id = saml_response.raw_response.name_id
+        model.where(foo: auth_value, bar: name_id).first
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user).to eq(user)
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    def configure_hook(&block)
+      allow(Devise).to receive(:saml_default_user_key).and_return(:email)
+      allow(Devise).to receive(:saml_create_user).and_return(true)
+      allow(Devise).to receive(:saml_resource_locator).and_return(block)
+    end
+  end
 end

data/spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+require 'devise_saml_authenticatable/saml_mapped_attributes'
+
+describe SamlAuthenticatable::SamlMappedAttributes do
+  let(:instance) { described_class.new(saml_attributes, attribute_map) }
+  let(:attribute_map_file) { File.join(File.dirname(__FILE__), '../support/attribute-map.yml') }
+  let(:attribute_map) { YAML.load(File.read(attribute_map_file)) }
+  let(:saml_attributes) do
+    {
+      "first_name" => ["John"],
+      "last_name"=>["Smith"],
+      "email"=>["john.smith@example.com"]
+    }
+  end
+
+  describe "#value_by_resource_key" do
+    RSpec.shared_examples "correctly maps the value of the resource key" do |saml_key, resource_key, expected_value|
+      subject(:perform) { instance.value_by_resource_key(resource_key) }
+
+      it "correctly maps the resource key, #{resource_key}, to the value of the '#{saml_key}' SAML key" do
+        saml_attributes[saml_key] = saml_attributes.delete(resource_key)
+        expect(perform).to eq(expected_value)
+      end
+    end
+
+    context "first_name" do
+      saml_keys = ['urn:mace:dir:attribute-def:first_name', 'first_name', 'firstName', 'firstname']
+
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'first_name', ['John']
+      end
+    end
+
+    context 'last_name' do
+      saml_keys = ['urn:mace:dir:attribute-def:last_name', 'last_name', 'lastName', 'lastname']
+
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'last_name', ['Smith']
+      end
+    end
+
+    context 'email' do
+      saml_keys = ['urn:mace:dir:attribute-def:email', 'email_address', 'emailAddress', 'email']
+
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'email', ['john.smith@example.com']
+      end
+    end
+  end
+end

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -134,6 +134,24 @@ describe Devise::Strategies::SamlAuthenticatable do
         strategy.authenticate!
       end
     end
+
+    context "when allowed_clock_drift is configured" do
+      before do
+        allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+      end
+
+      it "is valid with the configured clock drift" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(allowed_clock_drift: 30))
+        expect(strategy).to be_valid
+      end
+
+      it "authenticates with the configured clock drift" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(allowed_clock_drift: 30))
+
+        expect(strategy).to receive(:success!).with(user)
+        strategy.authenticate!
+      end
+    end
   end
 
   it "is not valid without a SAMLResponse parameter" do

data/spec/features/saml_authentication_spec.rb

@@ -5,6 +5,7 @@ require 'uri'
 require 'capybara/rspec'
 require 'capybara/poltergeist'
 Capybara.default_driver = :poltergeist
+Capybara.server = :webrick
 
 describe "SAML Authentication", type: :feature do
   let(:idp_port) { 8009 }
@@ -56,7 +57,7 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
 
       click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      # confirm the logout response redirected to the SP which in turn attempted to sign the user back in
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
 
       # prove user is now signed out
@@ -84,8 +85,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -99,8 +100,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -114,8 +115,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -130,33 +131,33 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
   end
 
   context "when the idp_settings_adapter key is set" do
-
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
       create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
 
-      @idp_pid = start_app('idp', idp_port)
+      # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
+      @idp_pid = start_app('idp', 8010)
       @sp_pid  = start_app('sp',  sp_port)
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it "authenticates an existing user on a SP via an IdP" do
       create_user("you@example.com")
 
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://localhost:8010/saml/auth\?SAMLRequest=))
     end
   end
 
@@ -171,8 +172,8 @@ describe "SAML Authentication", type: :feature do
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -187,24 +188,47 @@ describe "SAML Authentication", type: :feature do
         fill_in "Email", with: "you@example.com"
         fill_in "Password", with: "asdf"
         click_on "Sign in"
-        expect(page).to have_content("Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(page).to have_content(:all, "Example Domain This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.")
         expect(current_url).to eq("http://www.example.com/")
       end
     end
   end
 
+  context "when the saml_attribute_map is set" do
+    before(:each) do
+      create_app(
+        "idp",
+        "EMAIL_ADDRESS_ATTRIBUTE_KEY" => "myemailaddress",
+        "NAME_ATTRIBUTE_KEY" => "myname",
+        "INCLUDE_SUBJECT_IN_ATTRIBUTES" => "false",
+      )
+      create_app(
+        "sp",
+        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "USE_SUBJECT_TO_AUTHENTICATE" => "true",
+      )
+      @idp_pid = start_app("idp", idp_port)
+      @sp_pid  = start_app("sp", sp_port)
+    end
+    after(:each) do
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
+    end
+
+    it_behaves_like "it authenticates and creates users"
+  end
+
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')
   end
 
-  def sign_in
-    visit 'http://localhost:8020/'
-    expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+  def sign_in(entity_id: "")
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"
-    Timeout.timeout(Capybara.default_wait_time) do
+    Timeout.timeout(Capybara.default_max_wait_time) do
       loop do
         sleep 0.1
         break if current_url == "http://localhost:8020/"