RubyGems - devise_saml_authenticatable - Versions diffs - 1.3.2 → 1.6.1 - Mend

devise_saml_authenticatable 1.3.2 → 1.6.1

Files changed (37) hide show

checksums.yaml +5 -5
data/.gitignore +0 -2
data/.travis.yml +29 -22
data/Gemfile +2 -2
data/README.md +105 -32
data/app/controllers/devise/saml_sessions_controller.rb +35 -7
data/devise_saml_authenticatable.gemspec +2 -1
data/lib/devise_saml_authenticatable.rb +27 -2
data/lib/devise_saml_authenticatable/default_attribute_map_resolver.rb +26 -0
data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb +2 -0
data/lib/devise_saml_authenticatable/exception.rb +1 -1
data/lib/devise_saml_authenticatable/model.rb +16 -18
data/lib/devise_saml_authenticatable/routes.rb +17 -6
data/lib/devise_saml_authenticatable/saml_mapped_attributes.rb +15 -2
data/lib/devise_saml_authenticatable/strategy.rb +1 -0
data/lib/devise_saml_authenticatable/version.rb +1 -1
data/spec/controllers/devise/saml_sessions_controller_spec.rb +118 -11
data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb +58 -0
data/spec/devise_saml_authenticatable/model_spec.rb +68 -7
data/spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb +50 -0
data/spec/features/saml_authentication_spec.rb +45 -21
data/spec/rails_helper.rb +6 -2
data/spec/routes/routes_spec.rb +102 -0
data/spec/spec_helper.rb +7 -0
data/spec/support/Gemfile.rails4 +23 -6
data/spec/support/Gemfile.rails5 +13 -2
data/spec/support/Gemfile.rails5.1 +25 -0
data/spec/support/Gemfile.rails5.2 +25 -0
data/spec/support/attribute-map.yml +12 -0
data/spec/support/attribute_map_resolver.rb.erb +14 -0
data/spec/support/idp_settings_adapter.rb.erb +5 -5
data/spec/support/idp_template.rb +6 -2
data/spec/support/rails_app.rb +75 -17
data/spec/support/saml_idp_controller.rb.erb +13 -6
data/spec/support/sp_template.rb +45 -21
metadata +25 -13
data/spec/support/Gemfile.ruby-saml-1.3 +0 -24

data/spec/devise_saml_authenticatable/model_spec.rb CHANGED

@@ -32,6 +32,7 @@ describe Devise::Models::SamlAuthenticatable do
   end
   before do
+    allow(Devise).to receive(:saml_attribute_map_resolver).and_return(attribute_map_resolver)
     allow(Devise).to receive(:saml_default_user_key).and_return(:email)
     allow(Devise).to receive(:saml_create_user).and_return(false)
     allow(Devise).to receive(:saml_use_subject).and_return(false)
@@ -39,13 +40,19 @@ describe Devise::Models::SamlAuthenticatable do
   before do
     allow(Rails).to receive(:root).and_return("/railsroot")
-    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(<<-ATTRIBUTEMAP)
----
-"saml-email-format": email
-"saml-name-format":  name
-      ATTRIBUTEMAP
   end
+  let(:attribute_map_resolver) {
+    Class.new(::DeviseSamlAuthenticatable::DefaultAttributeMapResolver) do
+      def attribute_map
+        {
+          "saml-email-format" => "email",
+          "saml-name-format" => "name",
+        }
+      end
+    end
+  }
+  let(:attributemap) { attribute_map_resolver.new(nil).attribute_map }
   let(:response) { double(:response, attributes: attributes, name_id: name_id) }
   let(:attributes) {
     OneLogin::RubySaml::Attributes.new(
@@ -97,6 +104,12 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
+      it "returns nil if it fails to create a user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Devise).to receive(:saml_update_resource_hook).and_raise(StandardError.new)
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
     end
     context "when configured to update a user and the user is found" do
@@ -112,6 +125,13 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
+      it "returns nil if it fails to update a user" do
+        user = Model.new(new_record: false)
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Devise).to receive(:saml_update_resource_hook).and_raise(StandardError.new)
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
     end
   end
@@ -179,8 +199,8 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
-  context "when configured with a resource validator" do
-    let(:validator_class) { double("validator_class") }
+  context "when configured with a resource validator class" do
+    let(:validator_class) { double("validator") }
     let(:validator) { double("validator") }
     let(:user) { Model.new(new_record: false) }
@@ -212,6 +232,41 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
+  context "when configured with a resource validator hook" do
+    let(:validator_hook) { double("validator_hook") }
+    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, attributemap) }
+    let(:user) { Model.new(new_record: false) }
+    before do
+      allow(Devise).to receive(:saml_resource_validator_hook).and_return(validator_hook)
+      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, attributemap).and_return(decorated_response)
+    end
+    context "and sent a valid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(true)
+      end
+      it "returns the user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
+    end
+    context "and sent an invalid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(false)
+      end
+      it "returns nil" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
   context "when configured to use a custom update hook" do
     it "can replicate the default behaviour in a custom hook" do
       configure_hook do |user, saml_response|
@@ -330,4 +385,10 @@ describe Devise::Models::SamlAuthenticatable do
       allow(Devise).to receive(:saml_resource_locator).and_return(block)
     end
   end
+  describe "::attribute_map" do
+    it "returns the attribute map" do
+      expect(Model.attribute_map).to eq(attributemap)
+    end
+  end
 end

data/spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb ADDED

@@ -0,0 +1,50 @@
+require 'spec_helper'
+require 'devise_saml_authenticatable/saml_mapped_attributes'
+describe SamlAuthenticatable::SamlMappedAttributes do
+  let(:instance) { described_class.new(saml_attributes, attribute_map) }
+  let(:attribute_map_file) { File.join(File.dirname(__FILE__), '../support/attribute-map.yml') }
+  let(:attribute_map) { YAML.load(File.read(attribute_map_file)) }
+  let(:saml_attributes) do
+    {
+      "first_name" => ["John"],
+      "last_name"=>["Smith"],
+      "email"=>["john.smith@example.com"]
+    }
+  end
+  describe "#value_by_resource_key" do
+    RSpec.shared_examples "correctly maps the value of the resource key" do |saml_key, resource_key, expected_value|
+      subject(:perform) { instance.value_by_resource_key(resource_key) }
+      it "correctly maps the resource key, #{resource_key}, to the value of the '#{saml_key}' SAML key" do
+        saml_attributes[saml_key] = saml_attributes.delete(resource_key)
+        expect(perform).to eq(expected_value)
+      end
+    end
+    context "first_name" do
+      saml_keys = ['urn:mace:dir:attribute-def:first_name', 'first_name', 'firstName', 'firstname']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'first_name', ['John']
+      end
+    end
+    context 'last_name' do
+      saml_keys = ['urn:mace:dir:attribute-def:last_name', 'last_name', 'lastName', 'lastname']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'last_name', ['Smith']
+      end
+    end
+    context 'email' do
+      saml_keys = ['urn:mace:dir:attribute-def:email', 'email_address', 'emailAddress', 'email']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'email', ['john.smith@example.com']
+      end
+    end
+  end
+end

data/spec/features/saml_authentication_spec.rb CHANGED

@@ -5,6 +5,7 @@ require 'uri'
 require 'capybara/rspec'
 require 'capybara/poltergeist'
 Capybara.default_driver = :poltergeist
+Capybara.server = :webrick
 describe "SAML Authentication", type: :feature do
   let(:idp_port) { 8009 }
@@ -56,7 +57,7 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
       click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      # confirm the logout response redirected to the SP which in turn attempted to sign the user back in
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
       # prove user is now signed out
@@ -84,8 +85,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -99,8 +100,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -114,8 +115,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -130,33 +131,33 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
   end
   context "when the idp_settings_adapter key is set" do
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
       create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
-      @idp_pid = start_app('idp', idp_port)
+      # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
+      @idp_pid = start_app('idp', 8010)
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it "authenticates an existing user on a SP via an IdP" do
       create_user("you@example.com")
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://localhost:8010/saml/auth\?SAMLRequest=))
     end
   end
@@ -171,8 +172,8 @@ describe "SAML Authentication", type: :feature do
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -187,24 +188,47 @@ describe "SAML Authentication", type: :feature do
         fill_in "Email", with: "you@example.com"
         fill_in "Password", with: "asdf"
         click_on "Sign in"
-        expect(page).to have_content("Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(page).to have_content(:all, "Example Domain This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.")
         expect(current_url).to eq("http://www.example.com/")
       end
     end
   end
+  context "when the saml_attribute_map is set" do
+    before(:each) do
+      create_app(
+        "idp",
+        "EMAIL_ADDRESS_ATTRIBUTE_KEY" => "myemailaddress",
+        "NAME_ATTRIBUTE_KEY" => "myname",
+        "INCLUDE_SUBJECT_IN_ATTRIBUTES" => "false",
+      )
+      create_app(
+        "sp",
+        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "USE_SUBJECT_TO_AUTHENTICATE" => "true",
+      )
+      @idp_pid = start_app("idp", idp_port)
+      @sp_pid  = start_app("sp", sp_port)
+    end
+    after(:each) do
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
+    end
+    it_behaves_like "it authenticates and creates users"
+  end
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')
   end
-  def sign_in
-    visit 'http://localhost:8020/'
-    expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+  def sign_in(entity_id: "")
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"
-    Timeout.timeout(Capybara.default_wait_time) do
+    Timeout.timeout(Capybara.default_max_wait_time) do
       loop do
         sleep 0.1
         break if current_url == "http://localhost:8020/"

data/spec/rails_helper.rb CHANGED

@@ -3,12 +3,16 @@ ENV["RAILS_ENV"] ||= 'test'
 require 'spec_helper'
 create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "false")
-require 'support/sp/config/environment'
+require "#{working_directory}/sp/config/environment"
 require 'rspec/rails'
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
-ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __FILE__))
+if ActiveRecord::Base.connection.respond_to?(:migration_context)
+  ActiveRecord::Base.connection.migration_context.migrate
+else
+  ActiveRecord::Migrator.migrate("#{working_directory}/sp/db/migrate/")
+end
 RSpec.configure do |config|
   config.use_transactional_fixtures = true

data/spec/routes/routes_spec.rb ADDED

@@ -0,0 +1,102 @@
+require 'rails_helper'
+describe 'SamlAuthenticatable Routes', type: :routing do
+  describe 'GET /users/saml/sign_in (login)' do
+    it 'routes to Devise::SamlSessionsController#new' do
+      expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+      expect(get: new_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+    end
+  end
+  describe 'POST /users/saml/auth (session creation)' do
+    it 'routes to Devise::SamlSessionsController#create' do
+      expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+    end
+  end
+  describe 'DELETE /users/sign_out (logout)' do
+    it 'routes to Devise::SamlSessionsController#destroy' do
+      expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      expect(delete: destroy_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+    end
+  end
+  describe 'GET /users/saml/metadata' do
+    it 'routes to Devise::SamlSessionsController#metadata' do
+      expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+    end
+  end
+  describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+  describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+  context 'when saml_route_helper_prefix is "sso"' do
+    before(:all) do
+      ::Devise.saml_route_helper_prefix = 'sso'
+      # A very simple Rails engine
+      module SamlRouteHelperPrefixEngine
+        class Engine < ::Rails::Engine
+          isolate_namespace SamlRouteHelperPrefixEngine
+        end
+        Engine.routes.draw do
+          devise_for :users, module: :devise
+        end
+      end
+    end
+    after(:all) do
+      ::Devise.saml_route_helper_prefix = nil
+    end
+    routes { SamlRouteHelperPrefixEngine::Engine.routes }
+    describe 'GET /users/saml/sign_in (login)' do
+      it 'routes to Devise::SamlSessionsController#new' do
+        expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+        expect(get: new_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+      end
+    end
+    describe 'POST /users/saml/auth (session creation)' do
+      it 'routes to Devise::SamlSessionsController#create' do
+        expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+      end
+    end
+    describe 'DELETE /users/sign_out (logout)' do
+      it 'routes to Devise::SamlSessionsController#destroy' do
+        expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+        expect(delete: destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      end
+    end
+    describe 'GET /users/saml/metadata' do
+      it 'routes to Devise::SamlSessionsController#metadata' do
+        expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+      end
+    end
+    describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(get: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+    describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(post: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -1,3 +1,5 @@
+require "fileutils"
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -28,8 +30,13 @@ RSpec.configure do |config|
     Devise.saml_session_index_key = @original_saml_session_index_key
     Devise.idp_settings_adapter = nil
   end
+  config.after :suite do
+    FileUtils.rm_rf($working_directory) if $working_directory
+  end
 end
 require 'support/rails_app'
+require "action_controller" # https://github.com/heartcombo/responders/pull/95
 require 'devise_saml_authenticatable'