devise_saml_authenticatable 1.3.1 → 1.6.0

data/spec/support/saml_idp_controller.rb.erb

@@ -17,10 +17,10 @@ class SamlIdpController < SamlIdp::IdpController
 
   def idp_make_saml_response(_)
     attributes = {
-      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" => "A User",
+      name_attribute_key => "A User",
     }
     if include_subject_in_attributes
-      attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "you@example.com"
+      attributes[email_address_attribute_key] = "you@example.com"
     end
     encode_SAMLResponse("you@example.com", attributes: attributes)
   end
@@ -29,14 +29,21 @@ class SamlIdpController < SamlIdp::IdpController
 
   def session_index
     Rails.cache.fetch('session_key') {
-      UUID.generate
+      SecureRandom.uuid
     }
   end
 
+  def email_address_attribute_key
+    "<%= @email_address_attribute_key %>"
+  end
+
+  def name_attribute_key
+    "<%= @name_attribute_key %>"
+  end
 
   def encode_SAMLResponse(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     audience_uri = opts[:audience_uri] || "#{saml_acs_url[/^(.*?\/\/.*?\/)/, 1]}saml/metadata"
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
 
@@ -50,7 +57,7 @@ class SamlIdpController < SamlIdp::IdpController
       attribute_statement = ""
     end
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
@@ -72,8 +79,13 @@ class SamlIdpController < SamlIdp::IdpController
   end
 
   # == SLO functionality, see https://github.com/lawrencepit/ruby-saml-idp/pull/10
+  <% if Rails::VERSION::MAJOR < 5 %>
   skip_before_filter :validate_saml_request, :only => [:logout, :sp_sign_out]
   before_filter :validate_saml_slo_request, :only => [:logout]
+  <% else %>
+  skip_before_action :validate_saml_request, :only => [:logout, :sp_sign_out]
+  before_action :validate_saml_slo_request, :only => [:logout]
+  <% end %>
 
   public
 
@@ -110,7 +122,7 @@ class SamlIdpController < SamlIdp::IdpController
   def idp_make_saml_slo_response(person)
     attributes = {}
     if include_subject_in_attributes
-      attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "you@example.com"
+      attributes[email_address_attribute_key] = "you@example.com"
     end
     encode_SAML_SLO_Response("you@example.com", attributes: attributes)
   end
@@ -139,11 +151,11 @@ class SamlIdpController < SamlIdp::IdpController
 
   def encode_SAML_SLO_Response(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     audience_uri = opts[:audience_uri] || (@saml_slo_acs_url && @saml_slo_acs_url[/^(.*?\/\/.*?\/)/, 1])
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="#{email_address_attribute_key}"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
@@ -175,7 +187,7 @@ class SamlIdpController < SamlIdp::IdpController
 
   def encode_SAML_SLO_Request(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
     xml = %[<samlp:LogoutRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@ -184,7 +196,7 @@ class SamlIdpController < SamlIdp::IdpController
     Destination="#{destination(@saml_slo_acs_url)}"
     IssueInstant="#{now.iso8601}">
     <saml:Issuer >#{issuer_uri}</saml:Issuer>
-    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</saml:NameID>
+    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</saml:NameID>
     <samlp:SessionIndex>_#{session_index}</samlp:SessionIndex>
 </samlp:LogoutRequest>]
 

data/spec/support/sp_template.rb

@@ -2,13 +2,18 @@
 
 require "onelogin/ruby-saml/version"
 
+attribute_map_resolver = ENV.fetch("ATTRIBUTE_MAP_RESOLVER", "nil")
 saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
 use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
 idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
 idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader")
 saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
 
-gem 'devise_saml_authenticatable', path: '../../..'
+if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
+  gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
+end
+
+gem 'devise_saml_authenticatable', path: File.expand_path("../../..", __FILE__)
 gem 'ruby-saml', OneLogin::RubySaml::VERSION
 gem 'thin'
 
@@ -17,17 +22,27 @@ insert_into_file('Gemfile', after: /\z/) {
 # Lock down versions of gems for older versions of Ruby
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
+  gem 'nokogiri', '~> 1.6.8'
+elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+  gem 'responders', '~> 2.4'
 end
   GEMFILE
 }
+if Rails::VERSION::MAJOR < 6
+  # sqlite3 is hard-coded in Rails < 6 to v1.3.x
+  gsub_file 'Gemfile', /^gem 'sqlite3'.*$/, "gem 'sqlite3', '~> 1.3.6'"
+end
 
+template File.expand_path('../attribute_map_resolver.rb.erb', __FILE__), 'app/lib/attribute_map_resolver.rb'
 template File.expand_path('../idp_settings_adapter.rb.erb', __FILE__), 'app/lib/idp_settings_adapter.rb'
 
-create_file 'config/attribute-map.yml', <<-ATTRIBUTES
+if attribute_map_resolver == "nil"
+  create_file 'config/attribute-map.yml', <<-ATTRIBUTES
 ---
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":         name
-ATTRIBUTES
+  ATTRIBUTES
+end
 
 create_file('app/lib/our_saml_failed_callback_handler.rb', <<-CALLBACKHANDLER)
 
@@ -56,28 +71,17 @@ end
 READER
 
 after_bundle do
-  generate :controller, 'home', 'index'
-  insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
-    <<-AUTHENTICATE
-    before_action :authenticate_user!
-    AUTHENTICATE
-  }
-  insert_into_file('app/views/home/index.html.erb', after: /\z/) {
-    <<-HOME
-<%= current_user.email %> <%= current_user.name %>
-<%= form_tag destroy_user_session_path, method: :delete do %>
-  <%= submit_tag "Log out" %>
-<% end %>
-    HOME
-  }
-  route "root to: 'home#index'"
-
   # Configure for our SAML IdP
   generate 'devise:install'
   gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
+  config.secret_key = 'adc7cd73792f5d20055a0ac749ce8cdddb2e0f0d3ea7fe7855eec3d0f81833b9a4ac31d12e05f232d40ae86ca492826a6fc5a65228c6e16752815316e2d5b38d'
+
   config.saml_default_user_key = :email
   config.saml_session_index_key = #{saml_session_index_key}
 
+  if #{attribute_map_resolver}
+    config.saml_attribute_map_resolver = #{attribute_map_resolver}
+  end
   config.saml_use_subject = #{use_subject_to_authenticate}
   config.saml_create_user = true
   config.saml_update_user = true
@@ -91,11 +95,33 @@ after_bundle do
     settings.idp_slo_target_url = "http://localhost:8009/saml/logout"
     settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
     settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
   end
 end
   CONFIG
 
-  generate :devise, "user", "email:string", "name:string", "session_index:string"
+  generate :controller, 'home', 'index'
+  insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
+    <<-AUTHENTICATE
+    before_action :authenticate_user!
+    AUTHENTICATE
+  }
+  insert_into_file('app/views/home/index.html.erb', after: /\z/) {
+    <<-HOME
+<%= current_user.email %> <%= current_user.name %>
+<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
+  <%= submit_tag "Log out" %>
+<% end %>
+    HOME
+  }
+  route "root to: 'home#index'"
+
+  if Rails::VERSION::MAJOR < 6
+    generate :devise, "user", "email:string", "name:string", "session_index:string"
+  else
+    # devise seems to add `email` by default in Rails 6
+    generate :devise, "user", "name:string", "session_index:string"
+  end
   gsub_file 'app/models/user.rb', /database_authenticatable.*\n.*/, 'saml_authenticatable'
   route "resources :users, only: [:create]"
   create_file('app/controllers/users_controller.rb', <<-USERS)
@@ -103,13 +129,18 @@ class UsersController < ApplicationController
   skip_before_action :verify_authenticity_token
   def create
     User.create!(email: params[:email])
-    render nothing: true, status: 201
+    head 201
   end
 end
   USERS
 
   rake "db:create"
   rake "db:migrate"
+  rake "db:create", env: "production"
+  rake "db:migrate", env: "production"
+
+  # Remove any specs so that future RSpec runs don't try to also run these
+  run 'rm -rf spec'
 end
 
 create_file 'public/stylesheets/application.css', ''

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.6.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-30 00:00:00.000000000 Z
+date: 2020-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.7'
 description: SAML Authentication for devise
 email:
 - Josef.Sauter@gmail.com
@@ -55,25 +55,35 @@ files:
 - app/controllers/devise/saml_sessions_controller.rb
 - devise_saml_authenticatable.gemspec
 - lib/devise_saml_authenticatable.rb
+- lib/devise_saml_authenticatable/default_attribute_map_resolver.rb
 - lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb
 - lib/devise_saml_authenticatable/exception.rb
 - lib/devise_saml_authenticatable/logger.rb
 - lib/devise_saml_authenticatable/model.rb
 - lib/devise_saml_authenticatable/routes.rb
 - lib/devise_saml_authenticatable/saml_config.rb
+- lib/devise_saml_authenticatable/saml_mapped_attributes.rb
+- lib/devise_saml_authenticatable/saml_response.rb
 - lib/devise_saml_authenticatable/strategy.rb
 - lib/devise_saml_authenticatable/version.rb
 - rails/init.rb
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb
 - spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
+- spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb
 - spec/devise_saml_authenticatable/strategy_spec.rb
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
+- spec/routes/routes_spec.rb
 - spec/spec_helper.rb
 - spec/support/Gemfile.rails4
-- spec/support/Gemfile.ruby-saml-1.3
+- spec/support/Gemfile.rails5
+- spec/support/Gemfile.rails5.1
+- spec/support/Gemfile.rails5.2
+- spec/support/attribute-map.yml
+- spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
@@ -82,7 +92,8 @@ files:
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
 homepage: ''
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -99,22 +110,28 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: SAML Authentication for devise
 test_files:
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb
 - spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
+- spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb
 - spec/devise_saml_authenticatable/strategy_spec.rb
 - spec/features/saml_authentication_spec.rb
 - spec/rails_helper.rb
+- spec/routes/routes_spec.rb
 - spec/spec_helper.rb
 - spec/support/Gemfile.rails4
-- spec/support/Gemfile.ruby-saml-1.3
+- spec/support/Gemfile.rails5
+- spec/support/Gemfile.rails5.1
+- spec/support/Gemfile.rails5.2
+- spec/support/attribute-map.yml
+- spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
@@ -122,4 +139,3 @@ test_files:
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
-has_rdoc: 

data/spec/support/Gemfile.ruby-saml-1.3

@@ -1,23 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
-gemspec path: '../..'
-
-group :test do
-  gem 'rake'
-  gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.0'
-  gem 'rspec-rails'
-  gem 'ruby-saml', '~> 1.3.0'
-  gem 'sqlite3'
-  gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'mime-types', '~> 2.99'
-  end
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'devise', '~> 3.5'
-  end
-end