devise_saml_authenticatable 1.5.0 → 1.6.0

data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
+
+describe DeviseSamlAuthenticatable::DefaultAttributeMapResolver do
+  let!(:rails) { class_double("Rails", env: "test", logger: logger, root: rails_root).as_stubbed_const }
+  let(:logger) { instance_double("Logger", info: nil) }
+  let(:rails_root) { Pathname.new("tmp") }
+
+  let(:saml_response) { instance_double("OneLogin::RubySaml::Response") }
+  let(:file_contents) {
+    <<YAML
+---
+firstname: first_name
+lastname: last_name
+YAML
+  }
+  before do
+    allow(File).to receive(:exist?).and_return(true)
+    allow(File).to receive(:read).and_return(file_contents)
+  end
+
+  describe "#attribute_map" do
+    it "reads the attribute map from the config file" do
+      expect(described_class.new(saml_response).attribute_map).to eq(
+        "firstname" => "first_name",
+        "lastname" => "last_name",
+      )
+      expect(File).to have_received(:read).with(Pathname.new("tmp").join("config", "attribute-map.yml"))
+    end
+
+    context "when the attribute map is broken down by environment" do
+      let(:file_contents) {
+        <<YAML
+---
+test:
+  first: first_name
+  last: last_name
+YAML
+      }
+      it "reads the attribute map from the environment key" do
+        expect(described_class.new(saml_response).attribute_map).to eq(
+          "first" => "first_name",
+          "last" => "last_name",
+        )
+      end
+    end
+
+    context "when the config file does not exist" do
+      before do
+        allow(File).to receive(:exist?).and_return(false)
+      end
+
+      it "is an empty hash" do
+        expect(described_class.new(saml_response).attribute_map).to eq({})
+      end
+    end
+  end
+end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -32,6 +32,7 @@ describe Devise::Models::SamlAuthenticatable do
   end
 
   before do
+    allow(Devise).to receive(:saml_attribute_map_resolver).and_return(attribute_map_resolver)
     allow(Devise).to receive(:saml_default_user_key).and_return(:email)
     allow(Devise).to receive(:saml_create_user).and_return(false)
     allow(Devise).to receive(:saml_use_subject).and_return(false)
@@ -39,15 +40,19 @@ describe Devise::Models::SamlAuthenticatable do
 
   before do
     allow(Rails).to receive(:root).and_return("/railsroot")
-    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(attributemap)
   end
 
-  let(:attributemap) {<<-ATTRIBUTEMAP
----
-"saml-email-format": email
-"saml-name-format":  name
-      ATTRIBUTEMAP
+  let(:attribute_map_resolver) {
+    Class.new(::DeviseSamlAuthenticatable::DefaultAttributeMapResolver) do
+      def attribute_map
+        {
+          "saml-email-format" => "email",
+          "saml-name-format" => "name",
+        }
+      end
+    end
   }
+  let(:attributemap) { attribute_map_resolver.new(nil).attribute_map }
   let(:response) { double(:response, attributes: attributes, name_id: name_id) }
   let(:attributes) {
     OneLogin::RubySaml::Attributes.new(
@@ -217,12 +222,12 @@ describe Devise::Models::SamlAuthenticatable do
 
   context "when configured with a resource validator hook" do
     let(:validator_hook) { double("validator_hook") }
-    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, YAML.load(attributemap)) }
+    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, attributemap) }
     let(:user) { Model.new(new_record: false) }
 
     before do
       allow(Devise).to receive(:saml_resource_validator_hook).and_return(validator_hook)
-      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, YAML.load(attributemap)).and_return(decorated_response)
+      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, attributemap).and_return(decorated_response)
     end
 
     context "and sent a valid value" do

data/spec/features/saml_authentication_spec.rb

@@ -57,7 +57,7 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
 
       click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      # confirm the logout response redirected to the SP which in turn attempted to sign the user back in
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
 
       # prove user is now signed out
@@ -85,8 +85,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -100,8 +100,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -115,8 +115,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -131,8 +131,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -143,37 +143,21 @@ describe "SAML Authentication", type: :feature do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
       create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
 
-      @idp_pid = start_app('idp', idp_port)
+      # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
+      @idp_pid = start_app('idp', 8010)
       @sp_pid  = start_app('sp',  sp_port)
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it "authenticates an existing user on a SP via an IdP" do
       create_user("you@example.com")
 
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
-    end
-
-    it "logs a user out of the IdP via the SP" do
-      sign_in
-
-      # prove user is still signed in
-      visit 'http://localhost:8020/'
-      expect(page).to have_content("you@example.com")
-      expect(current_url).to eq("http://localhost:8020/")
-
-      click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
-      expect(current_url).to match(%r(\Ahttp://www.example.com/slo\?SAMLRequest=))
-
-      # prove user is now signed out
-      visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://localhost:8010/saml/auth\?SAMLRequest=))
     end
   end
 
@@ -188,8 +172,8 @@ describe "SAML Authentication", type: :feature do
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -204,20 +188,43 @@ describe "SAML Authentication", type: :feature do
         fill_in "Email", with: "you@example.com"
         fill_in "Password", with: "asdf"
         click_on "Sign in"
-        expect(page).to have_content(:all, "Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(page).to have_content(:all, "Example Domain This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.")
         expect(current_url).to eq("http://www.example.com/")
       end
     end
   end
 
+  context "when the saml_attribute_map is set" do
+    before(:each) do
+      create_app(
+        "idp",
+        "EMAIL_ADDRESS_ATTRIBUTE_KEY" => "myemailaddress",
+        "NAME_ATTRIBUTE_KEY" => "myname",
+        "INCLUDE_SUBJECT_IN_ATTRIBUTES" => "false",
+      )
+      create_app(
+        "sp",
+        "ATTRIBUTE_MAP_RESOLVER" => "AttributeMapResolver",
+        "USE_SUBJECT_TO_AUTHENTICATE" => "true",
+      )
+      @idp_pid = start_app("idp", idp_port)
+      @sp_pid  = start_app("sp", sp_port)
+    end
+    after(:each) do
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
+    end
+
+    it_behaves_like "it authenticates and creates users"
+  end
+
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')
   end
 
-  def sign_in
-    visit 'http://localhost:8020/'
-    expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+  def sign_in(entity_id: "")
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"

data/spec/rails_helper.rb

@@ -3,7 +3,7 @@ ENV["RAILS_ENV"] ||= 'test'
 require 'spec_helper'
 
 create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "false")
-require 'support/sp/config/environment'
+require "#{working_directory}/sp/config/environment"
 require 'rspec/rails'
 
 ActiveRecord::Migration.verbose = false
@@ -11,7 +11,7 @@ ActiveRecord::Base.logger = Logger.new(nil)
 if ActiveRecord::Base.connection.respond_to?(:migration_context)
   ActiveRecord::Base.connection.migration_context.migrate
 else
-  ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __FILE__))
+  ActiveRecord::Migrator.migrate("#{working_directory}/sp/db/migrate/")
 end
 
 RSpec.configure do |config|

data/spec/spec_helper.rb

@@ -1,3 +1,5 @@
+require "fileutils"
+
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
@@ -28,8 +30,13 @@ RSpec.configure do |config|
     Devise.saml_session_index_key = @original_saml_session_index_key
     Devise.idp_settings_adapter = nil
   end
+
+  config.after :suite do
+    FileUtils.rm_rf($working_directory) if $working_directory
+  end
 end
 
 require 'support/rails_app'
 
+require "action_controller" # https://github.com/heartcombo/responders/pull/95
 require 'devise_saml_authenticatable'

data/spec/support/Gemfile.rails4

@@ -6,26 +6,36 @@ gemspec path: '../..'
 group :test do
   gem 'rspec', '~> 3.0'
   gem 'rails', '~> 4.0'
-  gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
   gem 'poltergeist'
 
   # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'addressable', '~> 2.4.0'
-    gem 'mime-types', '~> 2.99'
-    gem 'public_suffix', '~> 1.4.6'
-    gem 'rake', '~> 12.2.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'public_suffix', '~> 2.0.5'
-    gem 'rake'
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'rake', '~> 12.2'
   else
     gem 'rake'
   end
 
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
+    gem 'minitest', '~> 5.11.0'
     gem 'nokogiri', '~> 1.6.8'
+    gem 'public_suffix', '~> 2.0.5'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'responders', '~> 1.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.0'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.2")
+    gem 'byebug', '~> 9.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
   end
 end

data/spec/support/Gemfile.rails5

@@ -7,8 +7,19 @@ group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
   gem 'rails', '~> 5.0.0'
-  gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
   gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
 end

data/spec/support/Gemfile.rails5.1

@@ -7,8 +7,19 @@ group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
   gem 'rails', '~> 5.1.0'
-  gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
   gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
 end

data/spec/support/Gemfile.rails5.2

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.2'
+  gem 'rspec-rails', '~> 3.9'
+  gem 'sqlite3', '~> 1.3.6'
+  gem 'capybara'
+  gem 'poltergeist'
+
+  # Lock down versions of gems for older versions of Ruby
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'responders', '~> 2.4'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
+    gem 'byebug', '~> 10.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+    gem 'byebug', '~> 11.0.0'
+  end
+end

data/spec/support/attribute_map_resolver.rb.erb

@@ -0,0 +1,14 @@
+class AttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+  def attribute_map
+    issuer = saml_response.issuers.first
+    Rails.logger.info("[#{self.class.name}] issuer=#{issuer.inspect}")
+    if issuer == "http://localhost:8009/saml/auth"
+      {
+        "myemailaddress" => "email",
+        "myname" => "name",
+      }
+    else
+      {}
+    end
+  end
+end

data/spec/support/idp_settings_adapter.rb.erb

@@ -2,15 +2,15 @@ class IdpSettingsAdapter
   def self.settings(idp_entity_id)
     if idp_entity_id == "http://localhost:8020/saml/metadata"
       {
-          assertion_consumer_service_url: "acs_url",
+          assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
           assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-          name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+          name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
           issuer: "sp_issuer",
           idp_entity_id: "http://localhost:8020/saml/metadata",
           authn_context: "",
-          idp_slo_target_url: "http://www.example.com/slo",
-          idp_sso_target_url: "http://www.example.com/sso",
-          idp_cert: "idp_cert"
+          idp_slo_target_url: "http://localhost:8010/saml/logout",
+          idp_sso_target_url: "http://localhost:8010/saml/auth",
+          idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
       }
     else
       {}