RubyGems - devise_saml_authenticatable - Versions diffs - 1.3.2 → 1.6.1 - Mend

devise_saml_authenticatable 1.3.2 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

checksums.yaml +5 -5
data/.gitignore +0 -2
data/.travis.yml +29 -22
data/Gemfile +2 -2
data/README.md +105 -32
data/app/controllers/devise/saml_sessions_controller.rb +35 -7
data/devise_saml_authenticatable.gemspec +2 -1
data/lib/devise_saml_authenticatable.rb +27 -2
data/lib/devise_saml_authenticatable/default_attribute_map_resolver.rb +26 -0
data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb +2 -0
data/lib/devise_saml_authenticatable/exception.rb +1 -1
data/lib/devise_saml_authenticatable/model.rb +16 -18
data/lib/devise_saml_authenticatable/routes.rb +17 -6
data/lib/devise_saml_authenticatable/saml_mapped_attributes.rb +15 -2
data/lib/devise_saml_authenticatable/strategy.rb +1 -0
data/lib/devise_saml_authenticatable/version.rb +1 -1
data/spec/controllers/devise/saml_sessions_controller_spec.rb +118 -11
data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb +58 -0
data/spec/devise_saml_authenticatable/model_spec.rb +68 -7
data/spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb +50 -0
data/spec/features/saml_authentication_spec.rb +45 -21
data/spec/rails_helper.rb +6 -2
data/spec/routes/routes_spec.rb +102 -0
data/spec/spec_helper.rb +7 -0
data/spec/support/Gemfile.rails4 +23 -6
data/spec/support/Gemfile.rails5 +13 -2
data/spec/support/Gemfile.rails5.1 +25 -0
data/spec/support/Gemfile.rails5.2 +25 -0
data/spec/support/attribute-map.yml +12 -0
data/spec/support/attribute_map_resolver.rb.erb +14 -0
data/spec/support/idp_settings_adapter.rb.erb +5 -5
data/spec/support/idp_template.rb +6 -2
data/spec/support/rails_app.rb +75 -17
data/spec/support/saml_idp_controller.rb.erb +13 -6
data/spec/support/sp_template.rb +45 -21
metadata +25 -13
data/spec/support/Gemfile.ruby-saml-1.3 +0 -24

data/spec/devise_saml_authenticatable/model_spec.rb CHANGED

@@ -32,6 +32,7 @@ describe Devise::Models::SamlAuthenticatable do
   end
   before do
+    allow(Devise).to receive(:saml_attribute_map_resolver).and_return(attribute_map_resolver)
     allow(Devise).to receive(:saml_default_user_key).and_return(:email)
     allow(Devise).to receive(:saml_create_user).and_return(false)
     allow(Devise).to receive(:saml_use_subject).and_return(false)
@@ -39,13 +40,19 @@ describe Devise::Models::SamlAuthenticatable do
   before do
     allow(Rails).to receive(:root).and_return("/railsroot")
-    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(<<-ATTRIBUTEMAP)
----
-"saml-email-format": email
-"saml-name-format":  name
-      ATTRIBUTEMAP
   end
+  let(:attribute_map_resolver) {
+    Class.new(::DeviseSamlAuthenticatable::DefaultAttributeMapResolver) do
+      def attribute_map
+        {
+          "saml-email-format" => "email",
+          "saml-name-format" => "name",
+        }
+      end
+    end
+  }
+  let(:attributemap) { attribute_map_resolver.new(nil).attribute_map }
   let(:response) { double(:response, attributes: attributes, name_id: name_id) }
   let(:attributes) {
     OneLogin::RubySaml::Attributes.new(
@@ -97,6 +104,12 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
+      it "returns nil if it fails to create a user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Devise).to receive(:saml_update_resource_hook).and_raise(StandardError.new)
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
     end
     context "when configured to update a user and the user is found" do
@@ -112,6 +125,13 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
+      it "returns nil if it fails to update a user" do
+        user = Model.new(new_record: false)
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Devise).to receive(:saml_update_resource_hook).and_raise(StandardError.new)
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
     end
   end
@@ -179,8 +199,8 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
-  context "when configured with a resource validator" do
-    let(:validator_class) { double("validator_class") }
+  context "when configured with a resource validator class" do
+    let(:validator_class) { double("validator") }
     let(:validator) { double("validator") }
     let(:user) { Model.new(new_record: false) }
@@ -212,6 +232,41 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
+  context "when configured with a resource validator hook" do
+    let(:validator_hook) { double("validator_hook") }
+    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, attributemap) }
+    let(:user) { Model.new(new_record: false) }
+    before do
+      allow(Devise).to receive(:saml_resource_validator_hook).and_return(validator_hook)
+      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, attributemap).and_return(decorated_response)
+    end
+    context "and sent a valid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(true)
+      end
+      it "returns the user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
+    end
+    context "and sent an invalid value" do
+      before do
+        expect(validator_hook).to receive(:call).with(user, decorated_response, 'user@example.com').and_return(false)
+      end
+      it "returns nil" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
   context "when configured to use a custom update hook" do
     it "can replicate the default behaviour in a custom hook" do
       configure_hook do |user, saml_response|
@@ -330,4 +385,10 @@ describe Devise::Models::SamlAuthenticatable do
       allow(Devise).to receive(:saml_resource_locator).and_return(block)
     end
   end
+  describe "::attribute_map" do
+    it "returns the attribute map" do
+      expect(Model.attribute_map).to eq(attributemap)
+    end
+  end
 end

data/spec/devise_saml_authenticatable/saml_mapped_attributes_spec.rb ADDED

@@ -0,0 +1,50 @@
+require 'spec_helper'
+require 'devise_saml_authenticatable/saml_mapped_attributes'
+describe SamlAuthenticatable::SamlMappedAttributes do
+  let(:instance) { described_class.new(saml_attributes, attribute_map) }
+  let(:attribute_map_file) { File.join(File.dirname(__FILE__), '../support/attribute-map.yml') }
+  let(:attribute_map) { YAML.load(File.read(attribute_map_file)) }
+  let(:saml_attributes) do
+    {
+      "first_name" => ["John"],
+      "last_name"=>["Smith"],
+      "email"=>["john.smith@example.com"]
+    }
+  end
+  describe "#value_by_resource_key" do
+    RSpec.shared_examples "correctly maps the value of the resource key" do |saml_key, resource_key, expected_value|
+      subject(:perform) { instance.value_by_resource_key(resource_key) }
+      it "correctly maps the resource key, #{resource_key}, to the value of the '#{saml_key}' SAML key" do
+        saml_attributes[saml_key] = saml_attributes.delete(resource_key)
+        expect(perform).to eq(expected_value)
+      end
+    end
+    context "first_name" do
+      saml_keys = ['urn:mace:dir:attribute-def:first_name', 'first_name', 'firstName', 'firstname']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'first_name', ['John']
+      end
+    end
+    context 'last_name' do
+      saml_keys = ['urn:mace:dir:attribute-def:last_name', 'last_name', 'lastName', 'lastname']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'last_name', ['Smith']
+      end
+    end
+    context 'email' do
+      saml_keys = ['urn:mace:dir:attribute-def:email', 'email_address', 'emailAddress', 'email']
+      saml_keys.each do |saml_key|
+        include_examples 'correctly maps the value of the resource key', saml_key, 'email', ['john.smith@example.com']
+      end
+    end
+  end
+end

data/spec/features/saml_authentication_spec.rb CHANGED

@@ -5,6 +5,7 @@ require 'uri'
 require 'capybara/rspec'
 require 'capybara/poltergeist'
 Capybara.default_driver = :poltergeist
+Capybara.server = :webrick
 describe "SAML Authentication", type: :feature do
   let(:idp_port) { 8009 }
@@ -56,7 +57,7 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
       click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      # confirm the logout response redirected to the SP which in turn attempted to sign the user back in
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
       # prove user is now signed out
@@ -84,8 +85,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -99,8 +100,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -114,8 +115,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -130,33 +131,33 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
   end
   context "when the idp_settings_adapter key is set" do
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
       create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
-      @idp_pid = start_app('idp', idp_port)
+      # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
+      @idp_pid = start_app('idp', 8010)
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it "authenticates an existing user on a SP via an IdP" do
       create_user("you@example.com")
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://localhost:8010/saml/auth\?SAMLRequest=))
     end
   end
@@ -171,8 +172,8 @@ describe "SAML Authentication", type: :feature do
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
     it_behaves_like "it authenticates and creates users"
@@ -187,24 +188,47 @@ describe "SAML Authentication", type: :feature do
         fill_in "Email", with: "you@example.com"
         fill_in "Password", with: "asdf"
         click_on "Sign in"
-        expect(page).to have_content("Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(page).to have_content(:all, "Example Domain This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.")
         expect(current_url).to eq("http://www.example.com/")
       end
     end
   end
+  context "when the saml_attribute_map is set" do
+    before(:each) do
+      create_app(
+        "idp",
+        "EMAIL_ADDRESS_ATTRIBUTE_KEY" => "myemailaddress",
+        "NAME_ATTRIBUTE_KEY" => "myname",
+        "INCLUDE_SUBJECT_IN_ATTRIBUTES" => "false",
+      )
+      create_app(
+        "sp",
+        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "USE_SUBJECT_TO_AUTHENTICATE" => "true",
+      )
+      @idp_pid = start_app("idp", idp_port)
+      @sp_pid  = start_app("sp", sp_port)
+    end
+    after(:each) do
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
+    end
+    it_behaves_like "it authenticates and creates users"
+  end
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')
   end
-  def sign_in
-    visit 'http://localhost:8020/'
-    expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+  def sign_in(entity_id: "")
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"
-    Timeout.timeout(Capybara.default_wait_time) do
+    Timeout.timeout(Capybara.default_max_wait_time) do
       loop do
         sleep 0.1
         break if current_url == "http://localhost:8020/"

data/spec/rails_helper.rb CHANGED

@@ -3,12 +3,16 @@ ENV["RAILS_ENV"] ||= 'test'
 require 'spec_helper'
 create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "false")
-require 'support/sp/config/environment'
+require "#{working_directory}/sp/config/environment"
 require 'rspec/rails'
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
-ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __FILE__))
+if ActiveRecord::Base.connection.respond_to?(:migration_context)
+  ActiveRecord::Base.connection.migration_context.migrate
+else
+  ActiveRecord::Migrator.migrate("#{working_directory}/sp/db/migrate/")
+end
 RSpec.configure do |config|
   config.use_transactional_fixtures = true

data/spec/routes/routes_spec.rb ADDED

@@ -0,0 +1,102 @@
+require 'rails_helper'
+describe 'SamlAuthenticatable Routes', type: :routing do
+  describe 'GET /users/saml/sign_in (login)' do
+    it 'routes to Devise::SamlSessionsController#new' do
+      expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+      expect(get: new_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+    end
+  end
+  describe 'POST /users/saml/auth (session creation)' do
+    it 'routes to Devise::SamlSessionsController#create' do
+      expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+    end
+  end
+  describe 'DELETE /users/sign_out (logout)' do
+    it 'routes to Devise::SamlSessionsController#destroy' do
+      expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      expect(delete: destroy_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+    end
+  end
+  describe 'GET /users/saml/metadata' do
+    it 'routes to Devise::SamlSessionsController#metadata' do
+      expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+    end
+  end
+  describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+  describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+    it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+      expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+    end
+  end
+  context 'when saml_route_helper_prefix is "sso"' do
+    before(:all) do
+      ::Devise.saml_route_helper_prefix = 'sso'
+      # A very simple Rails engine
+      module SamlRouteHelperPrefixEngine
+        class Engine < ::Rails::Engine
+          isolate_namespace SamlRouteHelperPrefixEngine
+        end
+        Engine.routes.draw do
+          devise_for :users, module: :devise
+        end
+      end
+    end
+    after(:all) do
+      ::Devise.saml_route_helper_prefix = nil
+    end
+    routes { SamlRouteHelperPrefixEngine::Engine.routes }
+    describe 'GET /users/saml/sign_in (login)' do
+      it 'routes to Devise::SamlSessionsController#new' do
+        expect(get: '/users/saml/sign_in').to route_to(controller: 'devise/saml_sessions', action: 'new')
+        expect(get: new_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'new')
+      end
+    end
+    describe 'POST /users/saml/auth (session creation)' do
+      it 'routes to Devise::SamlSessionsController#create' do
+        expect(post: '/users/saml/auth').to route_to(controller: 'devise/saml_sessions', action: 'create')
+      end
+    end
+    describe 'DELETE /users/sign_out (logout)' do
+      it 'routes to Devise::SamlSessionsController#destroy' do
+        expect(delete: '/users/sign_out').to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+        expect(delete: destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'destroy')
+      end
+    end
+    describe 'GET /users/saml/metadata' do
+      it 'routes to Devise::SamlSessionsController#metadata' do
+        expect(get: '/users/saml/metadata').to route_to(controller: 'devise/saml_sessions', action: 'metadata')
+      end
+    end
+    describe 'GET /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(get: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(get: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+    describe 'POST /users/saml/idp_sign_out (IdP-initiated logout)' do
+      it 'routes to Devise::SamlSessionsController#idp_sign_out' do
+        expect(post: '/users/saml/idp_sign_out').to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+        expect(post: idp_destroy_sso_user_session_path).to route_to(controller: 'devise/saml_sessions', action: 'idp_sign_out')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -1,3 +1,5 @@
+require "fileutils"
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -28,8 +30,13 @@ RSpec.configure do |config|
     Devise.saml_session_index_key = @original_saml_session_index_key
     Devise.idp_settings_adapter = nil
   end
+  config.after :suite do
+    FileUtils.rm_rf($working_directory) if $working_directory
+  end
 end
 require 'support/rails_app'
+require "action_controller" # https://github.com/heartcombo/responders/pull/95
 require 'devise_saml_authenticatable'