devise_saml_authenticatable 1.5.0 → 1.6.3

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,7 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
-            settings: Devise.saml_config,
+            settings: saml_config(get_idp_entity_id(params)),
             allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
           )
         else

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.5.0"
+  VERSION = "1.6.3"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -1,31 +1,38 @@
 require 'rails_helper'
 
-class Devise::SessionsController < ActionController::Base
-  # The important parts from devise
+# The important parts from devise
+class DeviseController < ApplicationController
+  attr_accessor :current_user
+
   def resource_class
     User
   end
 
+  def require_no_authentication
+  end
+end
+class Devise::SessionsController < DeviseController
   def destroy
     sign_out
     redirect_to after_sign_out_path_for(:user)
   end
 
-  def require_no_authentication
+  def verify_signed_out_user
+    # no-op for these tests
   end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
 describe Devise::SamlSessionsController, type: :controller do
-  let(:saml_config) { Devise.saml_config }
   let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
 
   before do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
     allow(idp_providers_adapter).to receive(:settings).and_return({
       assertion_consumer_service_url: "acs_url",
       assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
       issuer: "sp_issuer",
       idp_entity_id: "http://www.example.com",
       authn_context: "",
@@ -35,6 +42,20 @@ describe Devise::SamlSessionsController, type: :controller do
     })
   end
 
+  before do
+    if Rails::VERSION::MAJOR < 5 && Gem::Version.new(RUBY_VERSION) > Gem::Version.new("2.6")
+      # we still want to support Rails 4
+      # patch tests using snippet from https://github.com/rails/rails/issues/34790#issuecomment-483607370
+      class ActionController::TestResponse < ActionDispatch::TestResponse
+        def recycle!
+          @mon_mutex_owner_object_id = nil
+          @mon_mutex = nil
+          initialize
+        end
+      end
+    end
+  end
+
   describe '#new' do
     let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
 
@@ -113,6 +134,8 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#metadata' do
+    let(:saml_config) { Devise.saml_config.dup }
+
     context "with the default configuration" do
       it 'generates metadata' do
         get :metadata
@@ -132,7 +155,7 @@ describe Devise::SamlSessionsController, type: :controller do
         Devise.saml_configure do |settings|
           settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
           settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
           settings.issuer = "http://localhost:3000"
         end
       end
@@ -149,23 +172,47 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
+    before do
+      allow(controller).to receive(:sign_out)
+    end
+
     context "when using the default saml config" do
-      it 'signs out and redirects to the IdP' do
-        expect(controller).to receive(:sign_out)
+      it "signs out and redirects to the IdP" do
         delete :destroy
+        expect(controller).to have_received(:sign_out)
         expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
       end
     end
 
+    context "when configured to use a non-transient name identifier" do
+      before do
+        allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+      end
+
+      it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
+        controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+
+        actual_settings = nil
+        expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
+          actual_settings = settings
+          "http://localhost:8009/saml/logout"
+        end
+
+        delete :destroy
+        expect(actual_settings.name_identifier_value).to eq("user@example.com")
+        expect(actual_settings.sessionindex).to eq("sessionindex")
+      end
+    end
+
     context "with a specified idp" do
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
       end
 
       it "redirects to the associated IdP SSO target url" do
-        expect(controller).to receive(:sign_out)
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         delete :destroy
+        expect(controller).to have_received(:sign_out)
         expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
       end
 
@@ -194,8 +241,8 @@ describe Devise::SamlSessionsController, type: :controller do
         end
 
         it "redirects to the associated IdP SLO target url" do
-          expect(controller).to receive(:sign_out)
           do_delete
+          expect(controller).to have_received(:sign_out)
           expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
           expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
         end
@@ -263,12 +310,13 @@ describe Devise::SamlSessionsController, type: :controller do
       let(:name_id) { '12312312' }
       before do
         allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
+        allow(User).to receive(:reset_session_key_for)
       end
 
       it 'direct the resource to reset the session key' do
-        expect(User).to receive(:reset_session_key_for).with(name_id)
         do_post
         expect(response).to redirect_to response_url
+        expect(User).to have_received(:reset_session_key_for).with(name_id)
       end
 
       context "with a specified idp" do
@@ -285,6 +333,16 @@ describe Devise::SamlSessionsController, type: :controller do
         end
       end
 
+      context "with a relay_state lambda defined" do
+        let(:relay_state) { ->(request) { "123" } }
+
+        it "includes the RelayState param in the request to the IdP" do
+          expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
+          do_post
+          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil, {RelayState: "123"})
+        end
+      end
+
       context 'when saml_session_index_key is not configured' do
         before do
           Devise.saml_session_index_key = nil

data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb

@@ -0,0 +1,58 @@
+require "spec_helper"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
+
+describe DeviseSamlAuthenticatable::DefaultAttributeMapResolver do
+  let!(:rails) { class_double("Rails", env: "test", logger: logger, root: rails_root).as_stubbed_const }
+  let(:logger) { instance_double("Logger", info: nil) }
+  let(:rails_root) { Pathname.new("tmp") }
+
+  let(:saml_response) { instance_double("OneLogin::RubySaml::Response") }
+  let(:file_contents) {
+    <<YAML
+---
+firstname: first_name
+lastname: last_name
+YAML
+  }
+  before do
+    allow(File).to receive(:exist?).and_return(true)
+    allow(File).to receive(:read).and_return(file_contents)
+  end
+
+  describe "#attribute_map" do
+    it "reads the attribute map from the config file" do
+      expect(described_class.new(saml_response).attribute_map).to eq(
+        "firstname" => "first_name",
+        "lastname" => "last_name",
+      )
+      expect(File).to have_received(:read).with(Pathname.new("tmp").join("config", "attribute-map.yml"))
+    end
+
+    context "when the attribute map is broken down by environment" do
+      let(:file_contents) {
+        <<YAML
+---
+test:
+  first: first_name
+  last: last_name
+YAML
+      }
+      it "reads the attribute map from the environment key" do
+        expect(described_class.new(saml_response).attribute_map).to eq(
+          "first" => "first_name",
+          "last" => "last_name",
+        )
+      end
+    end
+
+    context "when the config file does not exist" do
+      before do
+        allow(File).to receive(:exist?).and_return(false)
+      end
+
+      it "is an empty hash" do
+        expect(described_class.new(saml_response).attribute_map).to eq({})
+      end
+    end
+  end
+end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -32,6 +32,7 @@ describe Devise::Models::SamlAuthenticatable do
   end
 
   before do
+    allow(Devise).to receive(:saml_attribute_map_resolver).and_return(attribute_map_resolver)
     allow(Devise).to receive(:saml_default_user_key).and_return(:email)
     allow(Devise).to receive(:saml_create_user).and_return(false)
     allow(Devise).to receive(:saml_use_subject).and_return(false)
@@ -39,15 +40,19 @@ describe Devise::Models::SamlAuthenticatable do
 
   before do
     allow(Rails).to receive(:root).and_return("/railsroot")
-    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(attributemap)
   end
 
-  let(:attributemap) {<<-ATTRIBUTEMAP
----
-"saml-email-format": email
-"saml-name-format":  name
-      ATTRIBUTEMAP
+  let(:attribute_map_resolver) {
+    Class.new(::DeviseSamlAuthenticatable::DefaultAttributeMapResolver) do
+      def attribute_map
+        {
+          "saml-email-format" => "email",
+          "saml-name-format" => "name",
+        }
+      end
+    end
   }
+  let(:attributemap) { attribute_map_resolver.new(nil).attribute_map }
   let(:response) { double(:response, attributes: attributes, name_id: name_id) }
   let(:attributes) {
     OneLogin::RubySaml::Attributes.new(
@@ -217,12 +222,12 @@ describe Devise::Models::SamlAuthenticatable do
 
   context "when configured with a resource validator hook" do
     let(:validator_hook) { double("validator_hook") }
-    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, YAML.load(attributemap)) }
+    let(:decorated_response) { ::SamlAuthenticatable::SamlResponse.new(response, attributemap) }
     let(:user) { Model.new(new_record: false) }
 
     before do
       allow(Devise).to receive(:saml_resource_validator_hook).and_return(validator_hook)
-      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, YAML.load(attributemap)).and_return(decorated_response)
+      allow(::SamlAuthenticatable::SamlResponse).to receive(:new).with(response, attributemap).and_return(decorated_response)
     end
 
     context "and sent a valid value" do
@@ -367,4 +372,10 @@ describe Devise::Models::SamlAuthenticatable do
       allow(Devise).to receive(:saml_resource_locator).and_return(block)
     end
   end
+
+  describe "::attribute_map" do
+    it "returns the attribute map" do
+      expect(Model.attribute_map).to eq(attributemap)
+    end
+  end
 end

data/spec/features/saml_authentication_spec.rb

@@ -57,7 +57,7 @@ describe "SAML Authentication", type: :feature do
       expect(current_url).to eq("http://localhost:8020/")
 
       click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      # confirm the logout response redirected to the SP which in turn attempted to sign the user back in
       expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
 
       # prove user is now signed out
@@ -85,8 +85,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -100,8 +100,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -115,8 +115,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -131,8 +131,8 @@ describe "SAML Authentication", type: :feature do
       @sp_pid  = start_app('sp',  sp_port)
     end
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -141,39 +141,23 @@ describe "SAML Authentication", type: :feature do
   context "when the idp_settings_adapter key is set" do
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
-      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => '"IdpSettingsAdapter"', 'IDP_ENTITY_ID_READER' => '"OurEntityIdReader"')
 
-      @idp_pid = start_app('idp', idp_port)
+      # use a different port for this entity ID; configured in spec/support/idp_settings_adapter.rb.erb
+      @idp_pid = start_app('idp', 8010)
       @sp_pid  = start_app('sp',  sp_port)
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it "authenticates an existing user on a SP via an IdP" do
       create_user("you@example.com")
 
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
-    end
-
-    it "logs a user out of the IdP via the SP" do
-      sign_in
-
-      # prove user is still signed in
-      visit 'http://localhost:8020/'
-      expect(page).to have_content("you@example.com")
-      expect(current_url).to eq("http://localhost:8020/")
-
-      click_on "Log out"
-      #confirm the logout response redirected to the SP which in turn attempted to sign th e
-      expect(current_url).to match(%r(\Ahttp://www.example.com/slo\?SAMLRequest=))
-
-      # prove user is now signed out
-      visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://localhost:8010/saml/auth\?SAMLRequest=))
     end
   end
 
@@ -188,8 +172,8 @@ describe "SAML Authentication", type: :feature do
     end
 
     after(:each) do
-      stop_app(@idp_pid)
-      stop_app(@sp_pid)
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
     end
 
     it_behaves_like "it authenticates and creates users"
@@ -204,20 +188,43 @@ describe "SAML Authentication", type: :feature do
         fill_in "Email", with: "you@example.com"
         fill_in "Password", with: "asdf"
         click_on "Sign in"
-        expect(page).to have_content(:all, "Example Domain This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.")
+        expect(page).to have_content(:all, "Example Domain This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.")
         expect(current_url).to eq("http://www.example.com/")
       end
     end
   end
 
+  context "when the saml_attribute_map is set" do
+    before(:each) do
+      create_app(
+        "idp",
+        "EMAIL_ADDRESS_ATTRIBUTE_KEY" => "myemailaddress",
+        "NAME_ATTRIBUTE_KEY" => "myname",
+        "INCLUDE_SUBJECT_IN_ATTRIBUTES" => "false",
+      )
+      create_app(
+        "sp",
+        "ATTRIBUTE_MAP_RESOLVER" => '"AttributeMapResolver"',
+        "USE_SUBJECT_TO_AUTHENTICATE" => "true",
+      )
+      @idp_pid = start_app("idp", idp_port)
+      @sp_pid  = start_app("sp", sp_port)
+    end
+    after(:each) do
+      stop_app("idp", @idp_pid)
+      stop_app("sp", @sp_pid)
+    end
+
+    it_behaves_like "it authenticates and creates users"
+  end
+
   def create_user(email)
     response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
     expect(response.code).to eq('201')
   end
 
-  def sign_in
-    visit 'http://localhost:8020/'
-    expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+  def sign_in(entity_id: "")
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"