devise_saml_authenticatable 1.5.0 → 1.6.0

data/spec/support/idp_template.rb

@@ -1,5 +1,7 @@
 # Set up a SAML IdP
 
+@email_address_attribute_key = ENV.fetch("EMAIL_ADDRESS_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
+@name_attribute_key = ENV.fetch("NAME_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
 @include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
 @valid_destination = ENV.fetch('VALID_DESTINATION', "true")
 
@@ -7,7 +9,7 @@ if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::M
   gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "34814fd41f91c493b89aa01ac73c44d241a31245b5bc5542fa4b7317525e1dcfa60ba947b3d085e4e229456fdee0d8af6aac6a63cf750d807ea6fe5d853dff4a"'
 end
 
-gem 'ruby-saml-idp', git: "https://github.com/lawrencepit/ruby-saml-idp.git", ref: "ec715b252e849105c7a96df27b731c6e7f725a51"
+gem 'ruby-saml-idp', '~> 0.3.3'
 gem 'thin'
 
 insert_into_file('Gemfile', after: /\z/) {

data/spec/support/rails_app.rb

@@ -1,6 +1,7 @@
-require 'open3'
-require 'socket'
-require 'timeout'
+require "open3"
+require "socket"
+require "tempfile"
+require "timeout"
 
 APP_READY_TIMEOUT ||= 30
 
@@ -17,25 +18,32 @@ rescue Errno::ESRCH
 end
 
 def create_app(name, env = {})
-  rails_new_options = %w(-T -J -S --skip-spring --skip-listen --skip-bootsnap)
-  rails_new_options << "-O" if name == 'idp'
-  Dir.chdir(File.expand_path('../../support', __FILE__)) do
-    FileUtils.rm_rf(name)
-    system(env, "rails", "new", name, *rails_new_options, "-m", "#{name}_template.rb")
+  puts "[#{name}] Creating Rails app"
+  rails_new_options = %w[-T -J -S --skip-spring --skip-listen --skip-bootsnap]
+  rails_new_options << "-O" if name == "idp"
+  with_clean_env do
+    Dir.chdir(working_directory) do
+      FileUtils.rm_rf(name)
+      puts("rails _#{Rails.version}_ new #{name} #{rails_new_options.join(" ")} -m #{File.expand_path("../#{name}_template.rb", __FILE__)}")
+      system(env, "rails", "_#{Rails.version}_", "new", name, *rails_new_options, "-m", File.expand_path("../#{name}_template.rb", __FILE__))
+    end
   end
 end
 
 def start_app(name, port, options = {})
+  puts "[#{name}] Starting Rails app"
   pid = nil
-  Bundler.with_clean_env do
-    Dir.chdir(File.expand_path("../../support/#{name}", __FILE__)) do
-      pid = Process.spawn({"RAILS_ENV" => "production"}, "bundle exec rails server -p #{port} -e production", out: "log/#{name}.log", err: "log/#{name}.err.log")
+  app_bundle_install(name)
+
+  with_clean_env do
+    Dir.chdir(app_dir(name)) do
+      pid = Process.spawn(app_env(name), "bundle exec rails server -p #{port} -e production", chdir: app_dir(name), out: "log/#{name}.log", err: "log/#{name}.err.log")
       begin
-        Timeout::timeout(APP_READY_TIMEOUT) do
+        Timeout.timeout(APP_READY_TIMEOUT) do
           sleep 1 until app_ready?(pid, port)
         end
         if app_ready?(pid, port)
-          puts "Launched #{name} on port #{port} (pid #{pid})..."
+          puts "[#{name}] Launched #{name} on port #{port} (pid #{pid})..."
         else
           raise "#{name} failed after starting"
         end
@@ -46,16 +54,33 @@ def start_app(name, port, options = {})
   end
   pid
 rescue RuntimeError => e
-  $stdout.puts "#{File.read(File.expand_path("../../support/#{name}/log/#{name}.log", __FILE__))}"
-  $stderr.puts "#{File.read(File.expand_path("../../support/#{name}/log/#{name}.err.log", __FILE__))}"
+  warn "=== #{name}"
+  Dir.chdir(app_dir(name)) do
+    warn File.read("log/#{name}.log") if File.exist?("log/#{name}.log")
+    warn File.read("log/#{name}.err.log") if File.exist?("log/#{name}.err.log")
+  end
   raise e
 end
 
-def stop_app(pid)
+def stop_app(name, pid)
   if pid
     Process.kill(:INT, pid)
     Process.wait(pid)
   end
+  Dir.chdir(app_dir(name)) do
+    if File.exist?("log/#{name}.log")
+      puts "=== [#{name}] stdout"
+      puts File.read("log/#{name}.log")
+    end
+    if File.exist?("log/#{name}.err.log")
+      warn "=== [#{name}] stderr"
+      warn File.read("log/#{name}.err.log")
+    end
+    if File.exist?("log/production.log")
+      puts "=== [#{name}] Rails logs"
+      puts File.read("log/production.log")
+    end
+  end
 end
 
 def port_open?(port)
@@ -64,7 +89,7 @@ def port_open?(port)
       s = TCPSocket.new('localhost', port)
       s.close
       return true
-    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::EADDRNOTAVAIL
       # try 127.0.0.1
     end
     begin
@@ -78,3 +103,36 @@ def port_open?(port)
 rescue Timeout::Error
   false
 end
+
+def app_bundle_install(name)
+  with_clean_env do
+    Open3.popen3(app_env(name), "bundle install", chdir: app_dir(name)) do |stdin, stdout, stderr, thread|
+      stdin.close
+      exit_status = thread.value
+
+      puts stdout.read
+      warn stderr.read
+      raise "bundle install failed" unless exit_status.success?
+    end
+  end
+end
+
+def app_dir(name)
+  File.join(working_directory, name)
+end
+
+def app_env(name)
+  {"BUNDLE_GEMFILE" => File.join(app_dir(name), "Gemfile"), "RAILS_ENV" => "production"}
+end
+
+def working_directory
+  $working_directory ||= Dir.mktmpdir("dsa_test")
+end
+
+def with_clean_env(&blk)
+  if Bundler.respond_to?(:with_original_env)
+    Bundler.with_original_env(&blk)
+  else
+    Bundler.with_clean_env(&blk)
+  end
+end

data/spec/support/saml_idp_controller.rb.erb

@@ -17,10 +17,10 @@ class SamlIdpController < SamlIdp::IdpController
 
   def idp_make_saml_response(_)
     attributes = {
-      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" => "A User",
+      name_attribute_key => "A User",
     }
     if include_subject_in_attributes
-      attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "you@example.com"
+      attributes[email_address_attribute_key] = "you@example.com"
     end
     encode_SAMLResponse("you@example.com", attributes: attributes)
   end
@@ -33,6 +33,13 @@ class SamlIdpController < SamlIdp::IdpController
     }
   end
 
+  def email_address_attribute_key
+    "<%= @email_address_attribute_key %>"
+  end
+
+  def name_attribute_key
+    "<%= @name_attribute_key %>"
+  end
 
   def encode_SAMLResponse(nameID, opts = {})
     now = Time.now.utc
@@ -50,7 +57,7 @@ class SamlIdpController < SamlIdp::IdpController
       attribute_statement = ""
     end
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
@@ -115,7 +122,7 @@ class SamlIdpController < SamlIdp::IdpController
   def idp_make_saml_slo_response(person)
     attributes = {}
     if include_subject_in_attributes
-      attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "you@example.com"
+      attributes[email_address_attribute_key] = "you@example.com"
     end
     encode_SAML_SLO_Response("you@example.com", attributes: attributes)
   end
@@ -148,7 +155,7 @@ class SamlIdpController < SamlIdp::IdpController
     audience_uri = opts[:audience_uri] || (@saml_slo_acs_url && @saml_slo_acs_url[/^(.*?\/\/.*?\/)/, 1])
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
 
-    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="#{email_address_attribute_key}"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
 
     digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
 
@@ -189,7 +196,7 @@ class SamlIdpController < SamlIdp::IdpController
     Destination="#{destination(@saml_slo_acs_url)}"
     IssueInstant="#{now.iso8601}">
     <saml:Issuer >#{issuer_uri}</saml:Issuer>
-    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</saml:NameID>
+    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</saml:NameID>
     <samlp:SessionIndex>_#{session_index}</samlp:SessionIndex>
 </samlp:LogoutRequest>]
 

data/spec/support/sp_template.rb

@@ -2,6 +2,7 @@
 
 require "onelogin/ruby-saml/version"
 
+attribute_map_resolver = ENV.fetch("ATTRIBUTE_MAP_RESOLVER", "nil")
 saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
 use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
 idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
@@ -12,7 +13,7 @@ if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::M
   gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
 end
 
-gem 'devise_saml_authenticatable', path: '../../..'
+gem 'devise_saml_authenticatable', path: File.expand_path("../../..", __FILE__)
 gem 'ruby-saml', OneLogin::RubySaml::VERSION
 gem 'thin'
 
@@ -22,17 +23,26 @@ insert_into_file('Gemfile', after: /\z/) {
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
   gem 'nokogiri', '~> 1.6.8'
+elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
+  gem 'responders', '~> 2.4'
 end
   GEMFILE
 }
+if Rails::VERSION::MAJOR < 6
+  # sqlite3 is hard-coded in Rails < 6 to v1.3.x
+  gsub_file 'Gemfile', /^gem 'sqlite3'.*$/, "gem 'sqlite3', '~> 1.3.6'"
+end
 
+template File.expand_path('../attribute_map_resolver.rb.erb', __FILE__), 'app/lib/attribute_map_resolver.rb'
 template File.expand_path('../idp_settings_adapter.rb.erb', __FILE__), 'app/lib/idp_settings_adapter.rb'
 
-create_file 'config/attribute-map.yml', <<-ATTRIBUTES
+if attribute_map_resolver == "nil"
+  create_file 'config/attribute-map.yml', <<-ATTRIBUTES
 ---
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":         name
-ATTRIBUTES
+  ATTRIBUTES
+end
 
 create_file('app/lib/our_saml_failed_callback_handler.rb', <<-CALLBACKHANDLER)
 
@@ -61,22 +71,6 @@ end
 READER
 
 after_bundle do
-  generate :controller, 'home', 'index'
-  insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
-    <<-AUTHENTICATE
-    before_action :authenticate_user!
-    AUTHENTICATE
-  }
-  insert_into_file('app/views/home/index.html.erb', after: /\z/) {
-    <<-HOME
-<%= current_user.email %> <%= current_user.name %>
-<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
-  <%= submit_tag "Log out" %>
-<% end %>
-    HOME
-  }
-  route "root to: 'home#index'"
-
   # Configure for our SAML IdP
   generate 'devise:install'
   gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
@@ -85,6 +79,9 @@ after_bundle do
   config.saml_default_user_key = :email
   config.saml_session_index_key = #{saml_session_index_key}
 
+  if #{attribute_map_resolver}
+    config.saml_attribute_map_resolver = #{attribute_map_resolver}
+  end
   config.saml_use_subject = #{use_subject_to_authenticate}
   config.saml_create_user = true
   config.saml_update_user = true
@@ -98,11 +95,33 @@ after_bundle do
     settings.idp_slo_target_url = "http://localhost:8009/saml/logout"
     settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
     settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+    settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
   end
 end
   CONFIG
 
-  generate :devise, "user", "email:string", "name:string", "session_index:string"
+  generate :controller, 'home', 'index'
+  insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
+    <<-AUTHENTICATE
+    before_action :authenticate_user!
+    AUTHENTICATE
+  }
+  insert_into_file('app/views/home/index.html.erb', after: /\z/) {
+    <<-HOME
+<%= current_user.email %> <%= current_user.name %>
+<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
+  <%= submit_tag "Log out" %>
+<% end %>
+    HOME
+  }
+  route "root to: 'home#index'"
+
+  if Rails::VERSION::MAJOR < 6
+    generate :devise, "user", "email:string", "name:string", "session_index:string"
+  else
+    # devise seems to add `email` by default in Rails 6
+    generate :devise, "user", "name:string", "session_index:string"
+  end
   gsub_file 'app/models/user.rb', /database_authenticatable.*\n.*/, 'saml_authenticatable'
   route "resources :users, only: [:create]"
   create_file('app/controllers/users_controller.rb', <<-USERS)
@@ -119,6 +138,9 @@ end
   rake "db:migrate"
   rake "db:create", env: "production"
   rake "db:migrate", env: "production"
+
+  # Remove any specs so that future RSpec runs don't try to also run these
+  run 'rm -rf spec'
 end
 
 create_file 'public/stylesheets/application.css', ''

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-05 00:00:00.000000000 Z
+date: 2020-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -55,6 +55,7 @@ files:
 - app/controllers/devise/saml_sessions_controller.rb
 - devise_saml_authenticatable.gemspec
 - lib/devise_saml_authenticatable.rb
+- lib/devise_saml_authenticatable/default_attribute_map_resolver.rb
 - lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb
 - lib/devise_saml_authenticatable/exception.rb
 - lib/devise_saml_authenticatable/logger.rb
@@ -67,6 +68,7 @@ files:
 - lib/devise_saml_authenticatable/version.rb
 - rails/init.rb
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb
 - spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
@@ -79,7 +81,9 @@ files:
 - spec/support/Gemfile.rails4
 - spec/support/Gemfile.rails5
 - spec/support/Gemfile.rails5.1
+- spec/support/Gemfile.rails5.2
 - spec/support/attribute-map.yml
+- spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
@@ -106,13 +110,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: SAML Authentication for devise
 test_files:
 - spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb
 - spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb
 - spec/devise_saml_authenticatable/model_spec.rb
 - spec/devise_saml_authenticatable/saml_config_spec.rb
@@ -125,7 +129,9 @@ test_files:
 - spec/support/Gemfile.rails4
 - spec/support/Gemfile.rails5
 - spec/support/Gemfile.rails5.1
+- spec/support/Gemfile.rails5.2
 - spec/support/attribute-map.yml
+- spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
 - spec/support/rails_app.rb
@@ -133,4 +139,3 @@ test_files:
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
-has_rdoc: