devise_saml_authenticatable 1.5.0 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 388799cd1bf9c14ad21b7a042d63957d965ec080
4
- data.tar.gz: b5e153ee444879be849e6ddda43e2762a3905092
2
+ SHA256:
3
+ metadata.gz: f648472eaaf23e5e668e51f84fadff2354879045f0ec798a383dd8a2e2ee135a
4
+ data.tar.gz: 443a5e883595f8baa2297e2ca173e8f97ae0abf3502538ce1d0f4e0e1c84081e
5
5
  SHA512:
6
- metadata.gz: 2c304efa473b057a46895b96db3d6d076ebdaa332de7c7d6a3480b86a3ae3e33d17123b5f565d229c5412a9496cc9c549e34960aa119f8a1c18180eea87eb05e
7
- data.tar.gz: 40a2dd033fd20cccc2803dc587309be272005a5d84c8e80a0325b038079fcd2deb9b6aad78f8afb30c2462f9952efe1e49ffa100b9187480c5234a6565aaf566
6
+ metadata.gz: 4765fe0a60d2a8ffd97d30d5b0d2fdb55d70a56bd9cb91f760ef7862a0d9ec80570da5d4758a784ac552232e1e5893fdd1accead2ff677893b0eb4a3500dcb9c
7
+ data.tar.gz: fcd0e6f70b75fdb9b12b3c1954899989e26f8ddb874c6222ab59ca460387a9672ab7767c13855bc4c3cbabd14fdcdb3ddabb2478412dbb452a17194c20ff4c32
data/.gitignore CHANGED
@@ -13,6 +13,4 @@ lib/bundler/man
13
13
  pkg
14
14
  rdoc
15
15
  spec/reports
16
- spec/support/idp/
17
- spec/support/sp/
18
16
  tmp
data/.travis.yml CHANGED
@@ -1,53 +1,52 @@
1
1
  language: ruby
2
2
  rvm:
3
- - "1.9.3"
4
3
  - "2.0.0"
5
4
  - "2.1.10"
6
5
  - "2.2.10"
7
6
  - "2.3.8"
8
- - "2.4.5"
9
- - "2.5.3"
10
- - "2.6.0"
7
+ - "2.4.10"
8
+ - "2.5.8"
9
+ - "2.6.6"
10
+ - "2.7.1"
11
11
  gemfile:
12
12
  - Gemfile
13
+ - spec/support/Gemfile.rails5.2
13
14
  - spec/support/Gemfile.rails5.1
14
15
  - spec/support/Gemfile.rails5
15
16
  - spec/support/Gemfile.rails4
16
17
  matrix:
17
18
  allow_failures:
18
- - rvm: "1.9.3"
19
- gemfile: Gemfile
20
- - rvm: "1.9.3"
21
- gemfile: spec/support/Gemfile.rails5
22
- - rvm: "1.9.3"
23
- gemfile: spec/support/Gemfile.rails5.1
24
19
  - rvm: "2.0.0"
25
20
  gemfile: Gemfile
26
21
  - rvm: "2.0.0"
27
22
  gemfile: spec/support/Gemfile.rails5
28
23
  - rvm: "2.0.0"
29
24
  gemfile: spec/support/Gemfile.rails5.1
25
+ - rvm: "2.0.0"
26
+ gemfile: spec/support/Gemfile.rails5.2
30
27
  - rvm: "2.1.10"
31
28
  gemfile: Gemfile
32
29
  - rvm: "2.1.10"
33
30
  gemfile: spec/support/Gemfile.rails5
34
31
  - rvm: "2.1.10"
35
32
  gemfile: spec/support/Gemfile.rails5.1
36
- - rvm: "2.6.0"
33
+ - rvm: "2.1.10"
34
+ gemfile: spec/support/Gemfile.rails5.2
35
+ - rvm: "2.2.10"
36
+ gemfile: Gemfile
37
+ - rvm: "2.2.10"
38
+ gemfile: spec/support/Gemfile.rails5.2
39
+ - rvm: "2.3.8"
40
+ gemfile: Gemfile
41
+ - rvm: "2.4.10"
42
+ gemfile: Gemfile
43
+ - rvm: "2.6.6"
44
+ gemfile: spec/support/Gemfile.rails4
45
+ - rvm: "2.7.1"
37
46
  gemfile: spec/support/Gemfile.rails4
38
47
 
39
48
  before_install:
40
- # update bundler to avoid https://github.com/travis-ci/travis-ci/issues/5239
41
49
  - command -v bundle || gem install bundler -v '~> 1.17.3'
42
50
 
43
51
  script:
44
52
  - bundle exec rake
45
-
46
- notifications:
47
- hipchat:
48
- rooms:
49
- secure: cuDak5a6fBeg+sp61COqxQfzdcFEsjwCqtwvCISso0RNh5SR8v+uVYKcA8rlK+GE1l9uR7tLRHeHF3ZmzvFSOat07NvpScvjZXi+OSpWlc6rwQ6Pl6bBP6gu6sREiKVe0eT/uGrvJloyWKZaXIhiiBzQ+ZERx/ssGA9WMmNkhlwy1OgGnPNurNNHZLBjEZn1V6kdyxiXx6QPASNpjNEgN1G8dUh3qzcWUGVQGNZSJk65A6ie1MveNyecTjDhw+ADBU8nS28Ja4y6ohRm4FzofSgespYrvfygIZ5rYF0HPMj5FW1ZDWtM5355ojCk8RLT+ZkuhssCn1OJk7ogaOVjnYcOFRxEfpu3eIbjtMmUz3j4umatFqbgas+6SXMVIPkr5HUoTrP8HNFssIpcEBOnPwAF8QCpx+daHc0r2cc8lGuXhtJfpW0P2F0dmwJNiQ7//nz2y2xs84x4Gb7MV9tEDYp0FqEClMuFBkPNizBljarm04PkiLSrqvR52aMDfQz7YAX2oXAvFjPzI1GC0K8x7xX8TuHT9yuHy7fI+rUSNivZYLKO+IEZqPPDdJpXISUbVwanZoNvmQYk5PZV21MfDSGwQrz8eO/uFiAblj18yIlNbAfb2hdZDVYsm4EvWxELJtfaTxgrj6M3Y3m/KbCbCoDp+2jE307M2rxL0Gum2gk=
50
- template:
51
- - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
52
- format: html
53
- on_pull_requests: true
data/Gemfile CHANGED
@@ -6,9 +6,9 @@ gemspec
6
6
  group :test do
7
7
  gem 'rake'
8
8
  gem 'rspec', '~> 3.0'
9
- gem 'rails', '~> 5.1'
9
+ gem 'rails', '~> 6.0'
10
10
  gem 'rspec-rails'
11
- gem 'sqlite3'
11
+ gem 'sqlite3', '~> 1.4.0'
12
12
  gem 'capybara'
13
13
  gem 'poltergeist'
14
14
  end
data/README.md CHANGED
@@ -6,18 +6,15 @@ It uses [ruby-saml][] to handle all SAML-related stuff.
6
6
 
7
7
  ## Installation
8
8
 
9
- Add this line to your application's Gemfile:
9
+ Add this gem to your application's Gemfile:
10
10
 
11
- gem 'devise_saml_authenticatable'
11
+ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
12
+ gem "devise_saml_authenticatable", github: "apokalipto/devise_saml_authenticatable"
12
13
 
13
14
  And then execute:
14
15
 
15
16
  $ bundle
16
17
 
17
- Or install it yourself as:
18
-
19
- $ gem install devise_saml_authenticatable
20
-
21
18
  ## Usage
22
19
 
23
20
  Follow the [normal devise installation process](https://github.com/plataformatec/devise/tree/master#getting-started). The controller filters and helpers are unchanged from normal devise usage.
@@ -92,13 +89,13 @@ In `config/initializers/devise.rb`:
92
89
  # If you don't set it then email will be extracted from SAML assertation attributes.
93
90
  config.saml_use_subject = true
94
91
 
95
- # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
96
- # an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
97
- config.idp_settings_adapter = nil
92
+ # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
93
+ # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
94
+ # config.idp_settings_adapter = "MyIdPSettingsAdapter"
98
95
 
99
96
  # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
100
- # by setting this to a custom reader class, or use the default.
101
- # config.idp_entity_id_reader = DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
97
+ # by setting this to the name of a custom reader class, or use the default.
98
+ # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
102
99
 
103
100
  # You can set a handler object that takes the response for a failed SAML request and the strategy,
104
101
  # and implements a #handle method. This method can then redirect the user, return error messages, etc.
@@ -110,6 +107,10 @@ In `config/initializers/devise.rb`:
110
107
  # If saml_route_helper_prefix = 'saml' then the new_user_session route becomes new_saml_user_session
111
108
  # config.saml_route_helper_prefix = 'saml'
112
109
 
110
+ # You can add allowance for clock drift between the sp and idp.
111
+ # This is a time in seconds.
112
+ # config.allowed_clock_drift_in_seconds = 0
113
+
113
114
  # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
114
115
  config.saml_configure do |settings|
115
116
  # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
@@ -126,7 +127,26 @@ In `config/initializers/devise.rb`:
126
127
  end
127
128
  ```
128
129
 
129
- In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
130
+ #### Attributes
131
+
132
+ There are two ways to map SAML attributes to User attributes:
133
+
134
+ - [initializer](#attribute-map-initializer)
135
+ - [config file](#attribute-map-config-file)
136
+
137
+ The attribute mappings are very dependent on the way the IdP encodes the attributes.
138
+ In these examples the attributes are given in URN style.
139
+ Other IdPs might provide them as OID's, or by other means.
140
+
141
+ You are now ready to test it against an IdP.
142
+
143
+ When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
144
+
145
+ Upon successful login the user is redirected to the Devise `user_root_path`.
146
+
147
+ ##### Attribute map config file
148
+
149
+ Create a YAML file (`config/attribute-map.yml`) that maps SAML attributes with your model's fields:
130
150
 
131
151
  ```yaml
132
152
  # attribute-map.yml
@@ -137,15 +157,39 @@ In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML
137
157
  "urn:mace:dir:attribute-def:givenName": "name"
138
158
  ```
139
159
 
140
- The attribute mappings are very dependent on the way the IdP encodes the attributes.
141
- In this example the attributes are given in URN style.
142
- Other IdPs might provide them as OID's, or by other means.
160
+ ##### Attribute map initializer
143
161
 
144
- You are now ready to test it against an IdP.
162
+ In `config/initializers/devise.rb` (see above), add an attribute map resolver.
163
+ The resolver gets the [SAML response from the IdP](https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb) so it can decide which attribute map to load.
164
+ If you only have one IdP, you can use the config file above, or just return a single hash.
145
165
 
146
- When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
166
+ ```ruby
167
+ # config/initializers/devise.rb
168
+ Devise.setup do |config|
169
+ ...
170
+ # ==> Configuration for :saml_authenticatable
147
171
 
148
- Upon successful login the user is redirected to the Devise `user_root_path`.
172
+ config.saml_attribute_map_resolver = "MyAttributeMapResolver"
173
+ end
174
+ ```
175
+
176
+ ```ruby
177
+ # app/lib/my_attribute_map_resolver
178
+ class MyAttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
179
+ def attribute_map
180
+ issuer = saml_response.issuers.first
181
+ case issuer
182
+ when "idp_entity_id"
183
+ {
184
+ "urn:mace:dir:attribute-def:uid" => "user_name",
185
+ "urn:mace:dir:attribute-def:email" => "email",
186
+ "urn:mace:dir:attribute-def:name" => "last_name",
187
+ "urn:mace:dir:attribute-def:givenName" => "name",
188
+ }
189
+ end
190
+ end
191
+ end
192
+ ```
149
193
 
150
194
  ## Supporting Multiple IdPs
151
195
 
@@ -5,8 +5,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
5
5
  unloadable if Rails::VERSION::MAJOR < 4
6
6
  if Rails::VERSION::MAJOR < 5
7
7
  skip_before_filter :verify_authenticity_token
8
+ prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
8
9
  else
9
10
  skip_before_action :verify_authenticity_token, raise: false
11
+ prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
10
12
  end
11
13
 
12
14
  def new
@@ -18,8 +20,9 @@ class Devise::SamlSessionsController < Devise::SessionsController
18
20
  end
19
21
 
20
22
  def metadata
23
+ idp_entity_id = params[:idp_entity_id]
21
24
  meta = OneLogin::RubySaml::Metadata.new
22
- render :xml => meta.generate(saml_config)
25
+ render :xml => meta.generate(saml_config(idp_entity_id))
23
26
  end
24
27
 
25
28
  def idp_sign_out
@@ -30,16 +33,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
30
33
 
31
34
  redirect_to generate_idp_logout_response(saml_config, logout_request.id)
32
35
  elsif params[:SAMLResponse]
33
- #Currently Devise handles the session invalidation when the request is made.
34
- #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
35
- #based on that.
36
+ # Currently Devise handles the session invalidation when the request is made.
37
+ # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
38
+ # based on that.
36
39
  if Devise.saml_sign_out_success_url
37
40
  redirect_to Devise.saml_sign_out_success_url
38
41
  else
39
42
  redirect_to action: :new
40
43
  end
41
44
  else
42
- head :invalid_request
45
+ head 500
43
46
  end
44
47
  end
45
48
 
@@ -51,14 +54,38 @@ class Devise::SamlSessionsController < Devise::SessionsController
51
54
  end
52
55
  end
53
56
 
57
+ # For non transient name ID, save info to identify user for logout purpose
58
+ # before that user's session got destroyed. These info are used in the
59
+ # `after_sign_out_path_for` method below.
60
+ def store_info_for_sp_initiated_logout
61
+ return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
62
+ @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
63
+ @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
64
+ end
65
+
54
66
  # Override devise to send user to IdP logout for SLO
55
67
  def after_sign_out_path_for(_)
56
68
  idp_entity_id = get_idp_entity_id(params)
57
69
  request = OneLogin::RubySaml::Logoutrequest.new
58
- request.create(saml_config(idp_entity_id))
70
+ saml_settings = saml_config(idp_entity_id).dup
71
+
72
+ # Add attributes to saml_settings which will later be used to create the SP
73
+ # initiated logout request
74
+ unless Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
75
+ saml_settings.name_identifier_value = @name_identifier_value_for_sp_initiated_logout
76
+ saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
77
+ end
78
+
79
+ request.create(saml_settings)
59
80
  end
60
81
 
61
82
  def generate_idp_logout_response(saml_config, logout_request_id)
62
- OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
83
+
84
+ params = {}
85
+ if relay_state
86
+ params[:RelayState] = relay_state
87
+ end
88
+
89
+ OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
63
90
  end
64
91
  end
@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
5
5
  require "devise_saml_authenticatable/logger"
6
6
  require "devise_saml_authenticatable/routes"
7
7
  require "devise_saml_authenticatable/saml_config"
8
+ require "devise_saml_authenticatable/default_attribute_map_resolver"
8
9
  require "devise_saml_authenticatable/default_idp_entity_id_reader"
9
10
 
10
11
  begin
@@ -55,7 +56,7 @@ module Devise
55
56
 
56
57
  # Reader that can parse entity id from a SAMLMessage
57
58
  mattr_accessor :idp_entity_id_reader
58
- @@idp_entity_id_reader ||= ::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader
59
+ @@idp_entity_id_reader ||= "::DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
59
60
 
60
61
  # Implements a #handle method that takes the response and strategy as an argument
61
62
  mattr_accessor :saml_failed_callback
@@ -66,6 +67,10 @@ module Devise
66
67
  mattr_accessor :saml_relay_state
67
68
  @@saml_relay_state
68
69
 
70
+ # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
71
+ mattr_accessor :saml_attribute_map_resolver
72
+ @@saml_attribute_map_resolver ||= "::DeviseSamlAuthenticatable::DefaultAttributeMapResolver"
73
+
69
74
  # Implements a #validate method that takes the retrieved resource and response right after retrieval,
70
75
  # and returns true if it's valid. False will cause authentication to fail.
71
76
  # Only one of saml_resource_validator and saml_resource_validator_hook may be used.
@@ -124,6 +129,14 @@ module Devise
124
129
  # See saml_default_resource_locator above for an example.
125
130
  mattr_accessor :saml_resource_locator
126
131
  @@saml_resource_locator = @@saml_default_resource_locator
132
+
133
+ # Proc that is called to resolve the name identifier to use in a LogoutRequest for the current user.
134
+ # Receives the logged-in user.
135
+ # Is expected to return the identifier the IdP understands for this user, e.g. email address or username.
136
+ mattr_accessor :saml_name_identifier_retriever
137
+ @@saml_name_identifier_retriever = Proc.new do |current_user|
138
+ current_user.public_send(Devise.saml_default_user_key)
139
+ end
127
140
  end
128
141
 
129
142
  # Add saml_authenticatable strategy to defaults.
@@ -0,0 +1,26 @@
1
+ module DeviseSamlAuthenticatable
2
+ class DefaultAttributeMapResolver
3
+ def initialize(saml_response)
4
+ @saml_response = saml_response
5
+ end
6
+
7
+ def attribute_map
8
+ return {} unless File.exist?(attribute_map_path)
9
+
10
+ attribute_map = YAML.load(File.read(attribute_map_path))
11
+ if attribute_map.key?(Rails.env)
12
+ attribute_map[Rails.env]
13
+ else
14
+ attribute_map
15
+ end
16
+ end
17
+
18
+ private
19
+
20
+ attr_reader :saml_response
21
+
22
+ def attribute_map_path
23
+ Rails.root.join("config", "attribute-map.yml")
24
+ end
25
+ end
26
+ end
@@ -1,6 +1,6 @@
1
1
  module DeviseSamlAuthenticatable
2
2
 
3
- class SamlException < Exception
3
+ class SamlException < StandardError
4
4
  end
5
5
 
6
6
  end
@@ -33,9 +33,9 @@ module Devise
33
33
  key = Devise.saml_default_user_key
34
34
  decorated_response = ::SamlAuthenticatable::SamlResponse.new(
35
35
  saml_response,
36
- attribute_map
36
+ attribute_map(saml_response),
37
37
  )
38
- if (Devise.saml_use_subject)
38
+ if Devise.saml_use_subject
39
39
  auth_value = saml_response.name_id
40
40
  else
41
41
  auth_value = decorated_response.attribute_value_by_resource_key(key)
@@ -81,18 +81,15 @@ module Devise
81
81
  find_for_authentication(conditions)
82
82
  end
83
83
 
84
- def attribute_map
85
- @attribute_map ||= attribute_map_for_environment
84
+ def attribute_map(saml_response = nil)
85
+ attribute_map_resolver.new(saml_response).attribute_map
86
86
  end
87
87
 
88
- private
89
-
90
- def attribute_map_for_environment
91
- attribute_map = YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
92
- if attribute_map.has_key?(Rails.env)
93
- attribute_map[Rails.env]
88
+ def attribute_map_resolver
89
+ if Devise.saml_attribute_map_resolver.respond_to?(:new)
90
+ Devise.saml_attribute_map_resolver
94
91
  else
95
- attribute_map
92
+ Devise.saml_attribute_map_resolver.constantize
96
93
  end
97
94
  end
98
95
  end
@@ -22,7 +22,7 @@ module DeviseSamlAuthenticatable
22
22
  def adapter_based_config(idp_entity_id)
23
23
  config = Marshal.load(Marshal.dump(Devise.saml_config))
24
24
 
25
- Devise.idp_settings_adapter.settings(idp_entity_id).each do |k,v|
25
+ idp_settings_adapter.settings(idp_entity_id).each do |k,v|
26
26
  acc = "#{k.to_s}=".to_sym
27
27
 
28
28
  if config.respond_to? acc
@@ -33,7 +33,23 @@ module DeviseSamlAuthenticatable
33
33
  end
34
34
 
35
35
  def get_idp_entity_id(params)
36
- Devise.idp_entity_id_reader.entity_id(params)
36
+ idp_entity_id_reader.entity_id(params)
37
+ end
38
+
39
+ def idp_entity_id_reader
40
+ if Devise.idp_entity_id_reader.respond_to?(:entity_id)
41
+ Devise.idp_entity_id_reader
42
+ else
43
+ @idp_entity_id_reader ||= Devise.idp_entity_id_reader.constantize
44
+ end
45
+ end
46
+
47
+ def idp_settings_adapter
48
+ if Devise.idp_settings_adapter.respond_to?(:settings)
49
+ Devise.idp_settings_adapter
50
+ else
51
+ @idp_settings_adapter ||= Devise.idp_settings_adapter.constantize
52
+ end
37
53
  end
38
54
  end
39
55
  end