devise_saml_authenticatable 1.3.1 → 1.6.0

data/spec/rails_helper.rb

@@ -3,12 +3,16 @@ ENV["RAILS_ENV"] ||= 'test'
 require 'spec_helper'
 
 create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "false")
-require 'support/sp/config/environment'
+require "#{working_directory}/sp/config/environment"
 require 'rspec/rails'
 
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
-ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __FILE__))
+if ActiveRecord::Base.connection.respond_to?(:migration_context)
+  ActiveRecord::Base.connection.migration_context.migrate
+else
+  ActiveRecord::Migrator.migrate("#{working_directory}/sp/db/migrate/")
+end
 
 RSpec.configure do |config|
   config.use_transactional_fixtures = true

data/spec/routes/routes_spec.rb

@@ -0,0 +1,102 @@
+require 'rails_helper'
+
+describe 'SamlAuthenticatable Routes', type: :routing do
+  describe 'GET /users/saml/sign_in (login)' do
+    it 'routes to Devise::SamlSessionsController#new' do
+      expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+      expect(get: new_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+    end
+  end
+
+  describe 'POST /users/saml/auth (session creation)' do
+    it 'routes to Devise::SamlSessionsController#create' do
+      expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+    end
+  end
+
+  describe 'DELETE /users/sign_out (logout)' do
+    it 'routes to Devise::SamlSessionsController#destroy' do
+      expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      expect(delete: destroy_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+    end
+  end
+
+  describe 'GET /users/saml/metadata' do
+    it 'routes to Devise::SamlSessionsController#metadata' do
+      expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+    end
+  end
+
+  describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+
+  describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+
+  context 'when saml_route_helper_prefix is "sso"' do
+    before(:all) do
+      ::Devise.saml_route_helper_prefix = 'sso'
+
+      # A very simple Rails engine
+      module SamlRouteHelperPrefixEngine
+        class Engine < ::Rails::Engine
+          isolate_namespace SamlRouteHelperPrefixEngine
+        end
+
+        Engine.routes.draw do
+          devise_for :users, module: :devise
+        end
+      end
+    end
+    after(:all) do
+      ::Devise.saml_route_helper_prefix = nil
+    end
+    routes { SamlRouteHelperPrefixEngine::Engine.routes }
+
+    describe 'GET /users/saml/sign_in (login)' do
+      it 'routes to Devise::SamlSessionsController#new' do
+        expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+        expect(get: new_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+      end
+    end
+
+    describe 'POST /users/saml/auth (session creation)' do
+      it 'routes to Devise::SamlSessionsController#create' do
+        expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+      end
+    end
+
+    describe 'DELETE /users/sign_out (logout)' do
+      it 'routes to Devise::SamlSessionsController#destroy' do
+        expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+        expect(delete: destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      end
+    end
+
+    describe 'GET /users/saml/metadata' do
+      it 'routes to Devise::SamlSessionsController#metadata' do
+        expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+      end
+    end
+
+    describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(get: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+
+    describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(post: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,3 +1,5 @@
+require "fileutils"
+
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -28,8 +30,13 @@ RSpec.configure do |config|
     Devise.saml_session_index_key = @original_saml_session_index_key
     Devise.idp_settings_adapter = nil
   end
+
+  config.after :suite do
+    FileUtils.rm_rf($working_directory) if $working_directory
+  end
 end
 
 require 'support/rails_app'
 
+require "action_controller" # https://github.com/heartcombo/responders/pull/95
 require 'devise_saml_authenticatable'

data/spec/support/Gemfile.rails4

@@ -4,20 +4,38 @@ source 'https://rubygems.org'
 gemspec path: '../..'
 
 group :test do
-  gem 'rake'
   gem 'rspec', '~> 3.0'
   gem 'rails', '~> 4.0'
-  gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
   gem 'poltergeist'
 
   # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'addressable', '~> 2.4.0'
-    gem 'mime-types', '~> 2.99'
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'rake', '~> 12.2'
+  else
+    gem 'rake'
   end
+
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
+    gem 'minitest', '~> 5.11.0'
+    gem 'nokogiri', '~> 1.6.8'
+    gem 'public_suffix', '~> 2.0.5'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'responders', '~> 1.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.0'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.2")
+    gem 'byebug', '~> 9.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
   end
 end

data/spec/support/Gemfile.rails5

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.0.0'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
+end

data/spec/support/Gemfile.rails5.1

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.1.0'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
+end

data/spec/support/Gemfile.rails5.2

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.2'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
+end

data/spec/support/attribute-map.yml

@@ -0,0 +1,12 @@
+"urn:mace:dir:attribute-def:first_name": "first_name"
+"first_name": "first_name"
+"firstName": "first_name"
+"firstname": "first_name"
+"urn:mace:dir:attribute-def:last_name": "last_name"
+"last_name": "last_name"
+"lastName": "last_name"
+"lastname": "last_name"
+"urn:mace:dir:attribute-def:email": "email"
+"email_address": "email"
+"emailAddress": "email"
+"email": "email"

data/spec/support/attribute_map_resolver.rb.erb

@@ -0,0 +1,14 @@
+class AttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+  def attribute_map
+    issuer = saml_response.issuers.first
+    Rails.logger.info("[#{self.class.name}] issuer=#{issuer.inspect}")
+    if issuer == "http://localhost:8009/saml/auth"
+      {
+        "myemailaddress" => "email",
+        "myname" => "name",
+      }
+    else
+      {}
+    end
+  end
+end

data/spec/support/idp_settings_adapter.rb.erb

@@ -2,15 +2,15 @@ class IdpSettingsAdapter
   def self.settings(idp_entity_id)
     if idp_entity_id == "http://localhost:8020/saml/metadata"
       {
-          assertion_consumer_service_url: "acs_url",
+          assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
           assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+          name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
           issuer: "sp_issuer",
           idp_entity_id: "http://localhost:8020/saml/metadata",
           authn_context: "",
-          idp_slo_target_url: "http://www.example.com",
-          idp_sso_target_url: "http://www.example.com",
-          idp_cert: "idp_cert"
+          idp_slo_target_url: "http://localhost:8010/saml/logout",
+          idp_sso_target_url: "http://localhost:8010/saml/auth",
+          idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
       }
     else
       {}

data/spec/support/idp_template.rb

@@ -1,9 +1,15 @@
 # Set up a SAML IdP
 
+@email_address_attribute_key = ENV.fetch("EMAIL_ADDRESS_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
+@name_attribute_key = ENV.fetch("NAME_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
 @include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
 @valid_destination = ENV.fetch('VALID_DESTINATION', "true")
 
-gem 'ruby-saml-idp'
+if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
+  gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "34814fd41f91c493b89aa01ac73c44d241a31245b5bc5542fa4b7317525e1dcfa60ba947b3d085e4e229456fdee0d8af6aac6a63cf750d807ea6fe5d853dff4a"'
+end
+
+gem 'ruby-saml-idp', '~> 0.3.3'
 gem 'thin'
 
 insert_into_file('Gemfile', after: /\z/) {
@@ -11,6 +17,7 @@ insert_into_file('Gemfile', after: /\z/) {
 # Lock down versions of gems for older versions of Ruby
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
+  gem 'nokogiri', '~> 1.6.8'
 end
   GEMFILE
 }

data/spec/support/rails_app.rb

@@ -1,4 +1,9 @@
-require 'open3'
+require "open3"
+require "socket"
+require "tempfile"
+require "timeout"
+
+APP_READY_TIMEOUT ||= 30
 
 def sh!(cmd)
   unless system(cmd)
@@ -7,38 +12,127 @@ def sh!(cmd)
 end
 
 def app_ready?(pid, port)
-  Process.getpgid(pid) &&
-    system("lsof -i:#{port}", out: '/dev/null')
+  Process.getpgid(pid) && port_open?(port)
+rescue Errno::ESRCH
+  false
 end
 
 def create_app(name, env = {})
-  rails_new_options = %w(-T -J -S --skip-spring --skip-listen)
-  rails_new_options << "-O" if name == 'idp'
-  Dir.chdir(File.expand_path('../../support', __FILE__)) do
-    FileUtils.rm_rf(name)
-    system(env, "rails", "new", name, *rails_new_options, "-m", "#{name}_template.rb")
+  puts "[#{name}] Creating Rails app"
+  rails_new_options = %w[-T -J -S --skip-spring --skip-listen --skip-bootsnap]
+  rails_new_options << "-O" if name == "idp"
+  with_clean_env do
+    Dir.chdir(working_directory) do
+      FileUtils.rm_rf(name)
+      puts("rails _#{Rails.version}_ new #{name} #{rails_new_options.join(" ")} -m #{File.expand_path("../#{name}_template.rb", __FILE__)}")
+      system(env, "rails", "_#{Rails.version}_", "new", name, *rails_new_options, "-m", File.expand_path("../#{name}_template.rb", __FILE__))
+    end
   end
 end
 
 def start_app(name, port, options = {})
+  puts "[#{name}] Starting Rails app"
   pid = nil
-  Bundler.with_clean_env do
-    Dir.chdir(File.expand_path("../../support/#{name}", __FILE__)) do
-      pid = Process.spawn("bundle exec rails server -p #{port}")
-      sleep 1 until app_ready?(pid, port)
-      if app_ready?(pid, port)
-        puts "Launched #{name} on port #{port} (pid #{pid})..."
-      else
+  app_bundle_install(name)
+
+  with_clean_env do
+    Dir.chdir(app_dir(name)) do
+      pid = Process.spawn(app_env(name), "bundle exec rails server -p #{port} -e production", chdir: app_dir(name), out: "log/#{name}.log", err: "log/#{name}.err.log")
+      begin
+        Timeout.timeout(APP_READY_TIMEOUT) do
+          sleep 1 until app_ready?(pid, port)
+        end
+        if app_ready?(pid, port)
+          puts "[#{name}] Launched #{name} on port #{port} (pid #{pid})..."
+        else
+          raise "#{name} failed after starting"
+        end
+      rescue Timeout::Error
         raise "#{name} failed to start"
       end
     end
   end
   pid
+rescue RuntimeError => e
+  warn "=== #{name}"
+  Dir.chdir(app_dir(name)) do
+    warn File.read("log/#{name}.log") if File.exist?("log/#{name}.log")
+    warn File.read("log/#{name}.err.log") if File.exist?("log/#{name}.err.log")
+  end
+  raise e
 end
 
-def stop_app(pid)
+def stop_app(name, pid)
   if pid
     Process.kill(:INT, pid)
     Process.wait(pid)
   end
+  Dir.chdir(app_dir(name)) do
+    if File.exist?("log/#{name}.log")
+      puts "=== [#{name}] stdout"
+      puts File.read("log/#{name}.log")
+    end
+    if File.exist?("log/#{name}.err.log")
+      warn "=== [#{name}] stderr"
+      warn File.read("log/#{name}.err.log")
+    end
+    if File.exist?("log/production.log")
+      puts "=== [#{name}] Rails logs"
+      puts File.read("log/production.log")
+    end
+  end
+end
+
+def port_open?(port)
+  Timeout::timeout(1) do
+    begin
+      s = TCPSocket.new('localhost', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::EADDRNOTAVAIL
+      # try 127.0.0.1
+    end
+    begin
+      s = TCPSocket.new('127.0.0.1', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+      return false
+    end
+  end
+rescue Timeout::Error
+  false
+end
+
+def app_bundle_install(name)
+  with_clean_env do
+    Open3.popen3(app_env(name), "bundle install", chdir: app_dir(name)) do |stdin, stdout, stderr, thread|
+      stdin.close
+      exit_status = thread.value
+
+      puts stdout.read
+      warn stderr.read
+      raise "bundle install failed" unless exit_status.success?
+    end
+  end
+end
+
+def app_dir(name)
+  File.join(working_directory, name)
+end
+
+def app_env(name)
+  {"BUNDLE_GEMFILE" => File.join(app_dir(name), "Gemfile"), "RAILS_ENV" => "production"}
+end
+
+def working_directory
+  $working_directory ||= Dir.mktmpdir("dsa_test")
+end
+
+def with_clean_env(&blk)
+  if Bundler.respond_to?(:with_original_env)
+    Bundler.with_original_env(&blk)
+  else
+    Bundler.with_clean_env(&blk)
+  end
 end