devise_saml_authenticatable 1.5.0 → 1.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.gitignore +0 -2
- data/.travis.yml +20 -21
- data/Gemfile +2 -2
- data/README.md +62 -18
- data/app/controllers/devise/saml_sessions_controller.rb +34 -7
- data/lib/devise_saml_authenticatable.rb +14 -1
- data/lib/devise_saml_authenticatable/default_attribute_map_resolver.rb +26 -0
- data/lib/devise_saml_authenticatable/exception.rb +1 -1
- data/lib/devise_saml_authenticatable/model.rb +8 -11
- data/lib/devise_saml_authenticatable/saml_config.rb +18 -2
- data/lib/devise_saml_authenticatable/strategy.rb +1 -1
- data/lib/devise_saml_authenticatable/version.rb +1 -1
- data/spec/controllers/devise/saml_sessions_controller_spec.rb +69 -11
- data/spec/devise_saml_authenticatable/default_attribute_map_resolver_spec.rb +58 -0
- data/spec/devise_saml_authenticatable/model_spec.rb +19 -8
- data/spec/features/saml_authentication_spec.rb +44 -37
- data/spec/rails_helper.rb +2 -2
- data/spec/spec_helper.rb +7 -0
- data/spec/support/Gemfile.rails4 +20 -10
- data/spec/support/Gemfile.rails5 +13 -2
- data/spec/support/Gemfile.rails5.1 +13 -2
- data/spec/support/Gemfile.rails5.2 +25 -0
- data/spec/support/attribute_map_resolver.rb.erb +14 -0
- data/spec/support/idp_settings_adapter.rb.erb +5 -5
- data/spec/support/idp_template.rb +3 -1
- data/spec/support/rails_app.rb +75 -17
- data/spec/support/saml_idp_controller.rb.erb +13 -6
- data/spec/support/sp_template.rb +43 -21
- metadata +13 -8
data/spec/rails_helper.rb
CHANGED
|
@@ -3,7 +3,7 @@ ENV["RAILS_ENV"] ||= 'test'
|
|
|
3
3
|
require 'spec_helper'
|
|
4
4
|
|
|
5
5
|
create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "false")
|
|
6
|
-
require
|
|
6
|
+
require "#{working_directory}/sp/config/environment"
|
|
7
7
|
require 'rspec/rails'
|
|
8
8
|
|
|
9
9
|
ActiveRecord::Migration.verbose = false
|
|
@@ -11,7 +11,7 @@ ActiveRecord::Base.logger = Logger.new(nil)
|
|
|
11
11
|
if ActiveRecord::Base.connection.respond_to?(:migration_context)
|
|
12
12
|
ActiveRecord::Base.connection.migration_context.migrate
|
|
13
13
|
else
|
|
14
|
-
ActiveRecord::Migrator.migrate(
|
|
14
|
+
ActiveRecord::Migrator.migrate("#{working_directory}/sp/db/migrate/")
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
RSpec.configure do |config|
|
data/spec/spec_helper.rb
CHANGED
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require "fileutils"
|
|
2
|
+
|
|
1
3
|
RSpec.configure do |config|
|
|
2
4
|
config.run_all_when_everything_filtered = true
|
|
3
5
|
config.filter_run :focus
|
|
@@ -28,8 +30,13 @@ RSpec.configure do |config|
|
|
|
28
30
|
Devise.saml_session_index_key = @original_saml_session_index_key
|
|
29
31
|
Devise.idp_settings_adapter = nil
|
|
30
32
|
end
|
|
33
|
+
|
|
34
|
+
config.after :suite do
|
|
35
|
+
FileUtils.rm_rf($working_directory) if $working_directory
|
|
36
|
+
end
|
|
31
37
|
end
|
|
32
38
|
|
|
33
39
|
require 'support/rails_app'
|
|
34
40
|
|
|
41
|
+
require "action_controller" # https://github.com/heartcombo/responders/pull/95
|
|
35
42
|
require 'devise_saml_authenticatable'
|
data/spec/support/Gemfile.rails4
CHANGED
|
@@ -6,26 +6,36 @@ gemspec path: '../..'
|
|
|
6
6
|
group :test do
|
|
7
7
|
gem 'rspec', '~> 3.0'
|
|
8
8
|
gem 'rails', '~> 4.0'
|
|
9
|
-
gem 'rspec-rails'
|
|
10
|
-
gem 'sqlite3'
|
|
9
|
+
gem 'rspec-rails', '~> 3.9'
|
|
10
|
+
gem 'sqlite3', '~> 1.3.6'
|
|
11
11
|
gem 'capybara'
|
|
12
12
|
gem 'poltergeist'
|
|
13
13
|
|
|
14
14
|
# Lock down versions of gems for older versions of Ruby
|
|
15
|
-
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.
|
|
16
|
-
gem '
|
|
17
|
-
gem 'mime-types', '~> 2.99'
|
|
18
|
-
gem 'public_suffix', '~> 1.4.6'
|
|
19
|
-
gem 'rake', '~> 12.2.0'
|
|
20
|
-
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
|
|
21
|
-
gem 'public_suffix', '~> 2.0.5'
|
|
22
|
-
gem 'rake'
|
|
15
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
|
|
16
|
+
gem 'rake', '~> 12.2'
|
|
23
17
|
else
|
|
24
18
|
gem 'rake'
|
|
25
19
|
end
|
|
26
20
|
|
|
27
21
|
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
|
|
28
22
|
gem 'devise', '~> 3.5'
|
|
23
|
+
gem 'minitest', '~> 5.11.0'
|
|
29
24
|
gem 'nokogiri', '~> 1.6.8'
|
|
25
|
+
gem 'public_suffix', '~> 2.0.5'
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
|
|
29
|
+
gem 'responders', '~> 1.0'
|
|
30
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
31
|
+
gem 'responders', '~> 2.0'
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.2")
|
|
35
|
+
gem 'byebug', '~> 9.0'
|
|
36
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
|
|
37
|
+
gem 'byebug', '~> 10.0'
|
|
38
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
39
|
+
gem 'byebug', '~> 11.0.0'
|
|
30
40
|
end
|
|
31
41
|
end
|
data/spec/support/Gemfile.rails5
CHANGED
|
@@ -7,8 +7,19 @@ group :test do
|
|
|
7
7
|
gem 'rake'
|
|
8
8
|
gem 'rspec', '~> 3.0'
|
|
9
9
|
gem 'rails', '~> 5.0.0'
|
|
10
|
-
gem 'rspec-rails'
|
|
11
|
-
gem 'sqlite3'
|
|
10
|
+
gem 'rspec-rails', '~> 3.9'
|
|
11
|
+
gem 'sqlite3', '~> 1.3.6'
|
|
12
12
|
gem 'capybara'
|
|
13
13
|
gem 'poltergeist'
|
|
14
|
+
|
|
15
|
+
# Lock down versions of gems for older versions of Ruby
|
|
16
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
17
|
+
gem 'responders', '~> 2.4'
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
|
|
21
|
+
gem 'byebug', '~> 10.0'
|
|
22
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
23
|
+
gem 'byebug', '~> 11.0.0'
|
|
24
|
+
end
|
|
14
25
|
end
|
|
@@ -7,8 +7,19 @@ group :test do
|
|
|
7
7
|
gem 'rake'
|
|
8
8
|
gem 'rspec', '~> 3.0'
|
|
9
9
|
gem 'rails', '~> 5.1.0'
|
|
10
|
-
gem 'rspec-rails'
|
|
11
|
-
gem 'sqlite3'
|
|
10
|
+
gem 'rspec-rails', '~> 3.9'
|
|
11
|
+
gem 'sqlite3', '~> 1.3.6'
|
|
12
12
|
gem 'capybara'
|
|
13
13
|
gem 'poltergeist'
|
|
14
|
+
|
|
15
|
+
# Lock down versions of gems for older versions of Ruby
|
|
16
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
17
|
+
gem 'responders', '~> 2.4'
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
|
|
21
|
+
gem 'byebug', '~> 10.0'
|
|
22
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
23
|
+
gem 'byebug', '~> 11.0.0'
|
|
24
|
+
end
|
|
14
25
|
end
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
source 'https://rubygems.org'
|
|
2
|
+
|
|
3
|
+
# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
|
|
4
|
+
gemspec path: '../..'
|
|
5
|
+
|
|
6
|
+
group :test do
|
|
7
|
+
gem 'rake'
|
|
8
|
+
gem 'rspec', '~> 3.0'
|
|
9
|
+
gem 'rails', '~> 5.2'
|
|
10
|
+
gem 'rspec-rails', '~> 3.9'
|
|
11
|
+
gem 'sqlite3', '~> 1.3.6'
|
|
12
|
+
gem 'capybara'
|
|
13
|
+
gem 'poltergeist'
|
|
14
|
+
|
|
15
|
+
# Lock down versions of gems for older versions of Ruby
|
|
16
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
17
|
+
gem 'responders', '~> 2.4'
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
|
|
21
|
+
gem 'byebug', '~> 10.0'
|
|
22
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
23
|
+
gem 'byebug', '~> 11.0.0'
|
|
24
|
+
end
|
|
25
|
+
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
class AttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
|
|
2
|
+
def attribute_map
|
|
3
|
+
issuer = saml_response.issuers.first
|
|
4
|
+
Rails.logger.info("[#{self.class.name}] issuer=#{issuer.inspect}")
|
|
5
|
+
if issuer == "http://localhost:8009/saml/auth"
|
|
6
|
+
{
|
|
7
|
+
"myemailaddress" => "email",
|
|
8
|
+
"myname" => "name",
|
|
9
|
+
}
|
|
10
|
+
else
|
|
11
|
+
{}
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -2,15 +2,15 @@ class IdpSettingsAdapter
|
|
|
2
2
|
def self.settings(idp_entity_id)
|
|
3
3
|
if idp_entity_id == "http://localhost:8020/saml/metadata"
|
|
4
4
|
{
|
|
5
|
-
assertion_consumer_service_url: "
|
|
5
|
+
assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
|
|
6
6
|
assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
|
|
7
|
-
name_identifier_format: "urn:oasis:names:tc:SAML:
|
|
7
|
+
name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
|
|
8
8
|
issuer: "sp_issuer",
|
|
9
9
|
idp_entity_id: "http://localhost:8020/saml/metadata",
|
|
10
10
|
authn_context: "",
|
|
11
|
-
idp_slo_target_url: "http://
|
|
12
|
-
idp_sso_target_url: "http://
|
|
13
|
-
|
|
11
|
+
idp_slo_target_url: "http://localhost:8010/saml/logout",
|
|
12
|
+
idp_sso_target_url: "http://localhost:8010/saml/auth",
|
|
13
|
+
idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
|
|
14
14
|
}
|
|
15
15
|
else
|
|
16
16
|
{}
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
# Set up a SAML IdP
|
|
2
2
|
|
|
3
|
+
@email_address_attribute_key = ENV.fetch("EMAIL_ADDRESS_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
|
|
4
|
+
@name_attribute_key = ENV.fetch("NAME_ATTRIBUTE_KEY", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
|
|
3
5
|
@include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
|
|
4
6
|
@valid_destination = ENV.fetch('VALID_DESTINATION', "true")
|
|
5
7
|
|
|
@@ -7,7 +9,7 @@ if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::M
|
|
|
7
9
|
gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "34814fd41f91c493b89aa01ac73c44d241a31245b5bc5542fa4b7317525e1dcfa60ba947b3d085e4e229456fdee0d8af6aac6a63cf750d807ea6fe5d853dff4a"'
|
|
8
10
|
end
|
|
9
11
|
|
|
10
|
-
gem 'ruby-saml-idp',
|
|
12
|
+
gem 'ruby-saml-idp', '~> 0.3.3'
|
|
11
13
|
gem 'thin'
|
|
12
14
|
|
|
13
15
|
insert_into_file('Gemfile', after: /\z/) {
|
data/spec/support/rails_app.rb
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
3
|
-
require
|
|
1
|
+
require "open3"
|
|
2
|
+
require "socket"
|
|
3
|
+
require "tempfile"
|
|
4
|
+
require "timeout"
|
|
4
5
|
|
|
5
6
|
APP_READY_TIMEOUT ||= 30
|
|
6
7
|
|
|
@@ -17,25 +18,32 @@ rescue Errno::ESRCH
|
|
|
17
18
|
end
|
|
18
19
|
|
|
19
20
|
def create_app(name, env = {})
|
|
20
|
-
|
|
21
|
-
rails_new_options
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
21
|
+
puts "[#{name}] Creating Rails app"
|
|
22
|
+
rails_new_options = %w[-T -J -S --skip-spring --skip-listen --skip-bootsnap]
|
|
23
|
+
rails_new_options << "-O" if name == "idp"
|
|
24
|
+
with_clean_env do
|
|
25
|
+
Dir.chdir(working_directory) do
|
|
26
|
+
FileUtils.rm_rf(name)
|
|
27
|
+
puts("rails _#{Rails.version}_ new #{name} #{rails_new_options.join(" ")} -m #{File.expand_path("../#{name}_template.rb", __FILE__)}")
|
|
28
|
+
system(env, "rails", "_#{Rails.version}_", "new", name, *rails_new_options, "-m", File.expand_path("../#{name}_template.rb", __FILE__))
|
|
29
|
+
end
|
|
25
30
|
end
|
|
26
31
|
end
|
|
27
32
|
|
|
28
33
|
def start_app(name, port, options = {})
|
|
34
|
+
puts "[#{name}] Starting Rails app"
|
|
29
35
|
pid = nil
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
36
|
+
app_bundle_install(name)
|
|
37
|
+
|
|
38
|
+
with_clean_env do
|
|
39
|
+
Dir.chdir(app_dir(name)) do
|
|
40
|
+
pid = Process.spawn(app_env(name), "bundle exec rails server -p #{port} -e production", chdir: app_dir(name), out: "log/#{name}.log", err: "log/#{name}.err.log")
|
|
33
41
|
begin
|
|
34
|
-
Timeout
|
|
42
|
+
Timeout.timeout(APP_READY_TIMEOUT) do
|
|
35
43
|
sleep 1 until app_ready?(pid, port)
|
|
36
44
|
end
|
|
37
45
|
if app_ready?(pid, port)
|
|
38
|
-
puts "Launched #{name} on port #{port} (pid #{pid})..."
|
|
46
|
+
puts "[#{name}] Launched #{name} on port #{port} (pid #{pid})..."
|
|
39
47
|
else
|
|
40
48
|
raise "#{name} failed after starting"
|
|
41
49
|
end
|
|
@@ -46,16 +54,33 @@ def start_app(name, port, options = {})
|
|
|
46
54
|
end
|
|
47
55
|
pid
|
|
48
56
|
rescue RuntimeError => e
|
|
49
|
-
|
|
50
|
-
|
|
57
|
+
warn "=== #{name}"
|
|
58
|
+
Dir.chdir(app_dir(name)) do
|
|
59
|
+
warn File.read("log/#{name}.log") if File.exist?("log/#{name}.log")
|
|
60
|
+
warn File.read("log/#{name}.err.log") if File.exist?("log/#{name}.err.log")
|
|
61
|
+
end
|
|
51
62
|
raise e
|
|
52
63
|
end
|
|
53
64
|
|
|
54
|
-
def stop_app(pid)
|
|
65
|
+
def stop_app(name, pid)
|
|
55
66
|
if pid
|
|
56
67
|
Process.kill(:INT, pid)
|
|
57
68
|
Process.wait(pid)
|
|
58
69
|
end
|
|
70
|
+
Dir.chdir(app_dir(name)) do
|
|
71
|
+
if File.exist?("log/#{name}.log")
|
|
72
|
+
puts "=== [#{name}] stdout"
|
|
73
|
+
puts File.read("log/#{name}.log")
|
|
74
|
+
end
|
|
75
|
+
if File.exist?("log/#{name}.err.log")
|
|
76
|
+
warn "=== [#{name}] stderr"
|
|
77
|
+
warn File.read("log/#{name}.err.log")
|
|
78
|
+
end
|
|
79
|
+
if File.exist?("log/production.log")
|
|
80
|
+
puts "=== [#{name}] Rails logs"
|
|
81
|
+
puts File.read("log/production.log")
|
|
82
|
+
end
|
|
83
|
+
end
|
|
59
84
|
end
|
|
60
85
|
|
|
61
86
|
def port_open?(port)
|
|
@@ -64,7 +89,7 @@ def port_open?(port)
|
|
|
64
89
|
s = TCPSocket.new('localhost', port)
|
|
65
90
|
s.close
|
|
66
91
|
return true
|
|
67
|
-
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
|
|
92
|
+
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::EADDRNOTAVAIL
|
|
68
93
|
# try 127.0.0.1
|
|
69
94
|
end
|
|
70
95
|
begin
|
|
@@ -78,3 +103,36 @@ def port_open?(port)
|
|
|
78
103
|
rescue Timeout::Error
|
|
79
104
|
false
|
|
80
105
|
end
|
|
106
|
+
|
|
107
|
+
def app_bundle_install(name)
|
|
108
|
+
with_clean_env do
|
|
109
|
+
Open3.popen3(app_env(name), "bundle install", chdir: app_dir(name)) do |stdin, stdout, stderr, thread|
|
|
110
|
+
stdin.close
|
|
111
|
+
exit_status = thread.value
|
|
112
|
+
|
|
113
|
+
puts stdout.read
|
|
114
|
+
warn stderr.read
|
|
115
|
+
raise "bundle install failed" unless exit_status.success?
|
|
116
|
+
end
|
|
117
|
+
end
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
def app_dir(name)
|
|
121
|
+
File.join(working_directory, name)
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
def app_env(name)
|
|
125
|
+
{"BUNDLE_GEMFILE" => File.join(app_dir(name), "Gemfile"), "RAILS_ENV" => "production"}
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
def working_directory
|
|
129
|
+
$working_directory ||= Dir.mktmpdir("dsa_test")
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
def with_clean_env(&blk)
|
|
133
|
+
if Bundler.respond_to?(:with_original_env)
|
|
134
|
+
Bundler.with_original_env(&blk)
|
|
135
|
+
else
|
|
136
|
+
Bundler.with_clean_env(&blk)
|
|
137
|
+
end
|
|
138
|
+
end
|
|
@@ -17,10 +17,10 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
17
17
|
|
|
18
18
|
def idp_make_saml_response(_)
|
|
19
19
|
attributes = {
|
|
20
|
-
|
|
20
|
+
name_attribute_key => "A User",
|
|
21
21
|
}
|
|
22
22
|
if include_subject_in_attributes
|
|
23
|
-
attributes[
|
|
23
|
+
attributes[email_address_attribute_key] = "you@example.com"
|
|
24
24
|
end
|
|
25
25
|
encode_SAMLResponse("you@example.com", attributes: attributes)
|
|
26
26
|
end
|
|
@@ -33,6 +33,13 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
33
33
|
}
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
+
def email_address_attribute_key
|
|
37
|
+
"<%= @email_address_attribute_key %>"
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def name_attribute_key
|
|
41
|
+
"<%= @name_attribute_key %>"
|
|
42
|
+
end
|
|
36
43
|
|
|
37
44
|
def encode_SAMLResponse(nameID, opts = {})
|
|
38
45
|
now = Time.now.utc
|
|
@@ -50,7 +57,7 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
50
57
|
attribute_statement = ""
|
|
51
58
|
end
|
|
52
59
|
|
|
53
|
-
assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:
|
|
60
|
+
assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
|
|
54
61
|
|
|
55
62
|
digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
|
|
56
63
|
|
|
@@ -115,7 +122,7 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
115
122
|
def idp_make_saml_slo_response(person)
|
|
116
123
|
attributes = {}
|
|
117
124
|
if include_subject_in_attributes
|
|
118
|
-
attributes[
|
|
125
|
+
attributes[email_address_attribute_key] = "you@example.com"
|
|
119
126
|
end
|
|
120
127
|
encode_SAML_SLO_Response("you@example.com", attributes: attributes)
|
|
121
128
|
end
|
|
@@ -148,7 +155,7 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
148
155
|
audience_uri = opts[:audience_uri] || (@saml_slo_acs_url && @saml_slo_acs_url[/^(.*?\/\/.*?\/)/, 1])
|
|
149
156
|
issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
|
|
150
157
|
|
|
151
|
-
assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:
|
|
158
|
+
assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{session_index}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer2>#{issuer_uri}</Issuer2><Subject><NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_slo_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_slo_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="#{email_address_attribute_key}"><AttributeValue>#{nameID}</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{session_index}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
|
|
152
159
|
|
|
153
160
|
digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
|
|
154
161
|
|
|
@@ -189,7 +196,7 @@ class SamlIdpController < SamlIdp::IdpController
|
|
|
189
196
|
Destination="#{destination(@saml_slo_acs_url)}"
|
|
190
197
|
IssueInstant="#{now.iso8601}">
|
|
191
198
|
<saml:Issuer >#{issuer_uri}</saml:Issuer>
|
|
192
|
-
<saml:NameID Format="urn:oasis:names:tc:SAML:
|
|
199
|
+
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">#{nameID}</saml:NameID>
|
|
193
200
|
<samlp:SessionIndex>_#{session_index}</samlp:SessionIndex>
|
|
194
201
|
</samlp:LogoutRequest>]
|
|
195
202
|
|
data/spec/support/sp_template.rb
CHANGED
|
@@ -2,17 +2,18 @@
|
|
|
2
2
|
|
|
3
3
|
require "onelogin/ruby-saml/version"
|
|
4
4
|
|
|
5
|
+
attribute_map_resolver = ENV.fetch("ATTRIBUTE_MAP_RESOLVER", "nil")
|
|
5
6
|
saml_session_index_key = ENV.fetch('SAML_SESSION_INDEX_KEY', ":session_index")
|
|
6
7
|
use_subject_to_authenticate = ENV.fetch('USE_SUBJECT_TO_AUTHENTICATE')
|
|
7
8
|
idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
|
|
8
|
-
idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader")
|
|
9
|
+
idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', '"DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"')
|
|
9
10
|
saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
|
|
10
11
|
|
|
11
12
|
if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
|
|
12
13
|
gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
|
|
13
14
|
end
|
|
14
15
|
|
|
15
|
-
gem 'devise_saml_authenticatable', path:
|
|
16
|
+
gem 'devise_saml_authenticatable', path: File.expand_path("../../..", __FILE__)
|
|
16
17
|
gem 'ruby-saml', OneLogin::RubySaml::VERSION
|
|
17
18
|
gem 'thin'
|
|
18
19
|
|
|
@@ -22,17 +23,26 @@ insert_into_file('Gemfile', after: /\z/) {
|
|
|
22
23
|
if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
|
|
23
24
|
gem 'devise', '~> 3.5'
|
|
24
25
|
gem 'nokogiri', '~> 1.6.8'
|
|
26
|
+
elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
|
|
27
|
+
gem 'responders', '~> 2.4'
|
|
25
28
|
end
|
|
26
29
|
GEMFILE
|
|
27
30
|
}
|
|
31
|
+
if Rails::VERSION::MAJOR < 6
|
|
32
|
+
# sqlite3 is hard-coded in Rails < 6 to v1.3.x
|
|
33
|
+
gsub_file 'Gemfile', /^gem 'sqlite3'.*$/, "gem 'sqlite3', '~> 1.3.6'"
|
|
34
|
+
end
|
|
28
35
|
|
|
36
|
+
template File.expand_path('../attribute_map_resolver.rb.erb', __FILE__), 'app/lib/attribute_map_resolver.rb'
|
|
29
37
|
template File.expand_path('../idp_settings_adapter.rb.erb', __FILE__), 'app/lib/idp_settings_adapter.rb'
|
|
30
38
|
|
|
31
|
-
|
|
39
|
+
if attribute_map_resolver == "nil"
|
|
40
|
+
create_file 'config/attribute-map.yml', <<-ATTRIBUTES
|
|
32
41
|
---
|
|
33
42
|
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
|
|
34
43
|
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": name
|
|
35
|
-
ATTRIBUTES
|
|
44
|
+
ATTRIBUTES
|
|
45
|
+
end
|
|
36
46
|
|
|
37
47
|
create_file('app/lib/our_saml_failed_callback_handler.rb', <<-CALLBACKHANDLER)
|
|
38
48
|
|
|
@@ -61,22 +71,6 @@ end
|
|
|
61
71
|
READER
|
|
62
72
|
|
|
63
73
|
after_bundle do
|
|
64
|
-
generate :controller, 'home', 'index'
|
|
65
|
-
insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
|
|
66
|
-
<<-AUTHENTICATE
|
|
67
|
-
before_action :authenticate_user!
|
|
68
|
-
AUTHENTICATE
|
|
69
|
-
}
|
|
70
|
-
insert_into_file('app/views/home/index.html.erb', after: /\z/) {
|
|
71
|
-
<<-HOME
|
|
72
|
-
<%= current_user.email %> <%= current_user.name %>
|
|
73
|
-
<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
|
|
74
|
-
<%= submit_tag "Log out" %>
|
|
75
|
-
<% end %>
|
|
76
|
-
HOME
|
|
77
|
-
}
|
|
78
|
-
route "root to: 'home#index'"
|
|
79
|
-
|
|
80
74
|
# Configure for our SAML IdP
|
|
81
75
|
generate 'devise:install'
|
|
82
76
|
gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
|
|
@@ -85,6 +79,9 @@ after_bundle do
|
|
|
85
79
|
config.saml_default_user_key = :email
|
|
86
80
|
config.saml_session_index_key = #{saml_session_index_key}
|
|
87
81
|
|
|
82
|
+
if #{attribute_map_resolver}
|
|
83
|
+
config.saml_attribute_map_resolver = #{attribute_map_resolver}
|
|
84
|
+
end
|
|
88
85
|
config.saml_use_subject = #{use_subject_to_authenticate}
|
|
89
86
|
config.saml_create_user = true
|
|
90
87
|
config.saml_update_user = true
|
|
@@ -98,11 +95,33 @@ after_bundle do
|
|
|
98
95
|
settings.idp_slo_target_url = "http://localhost:8009/saml/logout"
|
|
99
96
|
settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
|
|
100
97
|
settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
|
|
98
|
+
settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
|
|
101
99
|
end
|
|
102
100
|
end
|
|
103
101
|
CONFIG
|
|
104
102
|
|
|
105
|
-
generate :
|
|
103
|
+
generate :controller, 'home', 'index'
|
|
104
|
+
insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
|
|
105
|
+
<<-AUTHENTICATE
|
|
106
|
+
before_action :authenticate_user!
|
|
107
|
+
AUTHENTICATE
|
|
108
|
+
}
|
|
109
|
+
insert_into_file('app/views/home/index.html.erb', after: /\z/) {
|
|
110
|
+
<<-HOME
|
|
111
|
+
<%= current_user.email %> <%= current_user.name %>
|
|
112
|
+
<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
|
|
113
|
+
<%= submit_tag "Log out" %>
|
|
114
|
+
<% end %>
|
|
115
|
+
HOME
|
|
116
|
+
}
|
|
117
|
+
route "root to: 'home#index'"
|
|
118
|
+
|
|
119
|
+
if Rails::VERSION::MAJOR < 6
|
|
120
|
+
generate :devise, "user", "email:string", "name:string", "session_index:string"
|
|
121
|
+
else
|
|
122
|
+
# devise seems to add `email` by default in Rails 6
|
|
123
|
+
generate :devise, "user", "name:string", "session_index:string"
|
|
124
|
+
end
|
|
106
125
|
gsub_file 'app/models/user.rb', /database_authenticatable.*\n.*/, 'saml_authenticatable'
|
|
107
126
|
route "resources :users, only: [:create]"
|
|
108
127
|
create_file('app/controllers/users_controller.rb', <<-USERS)
|
|
@@ -119,6 +138,9 @@ end
|
|
|
119
138
|
rake "db:migrate"
|
|
120
139
|
rake "db:create", env: "production"
|
|
121
140
|
rake "db:migrate", env: "production"
|
|
141
|
+
|
|
142
|
+
# Remove any specs so that future RSpec runs don't try to also run these
|
|
143
|
+
run 'rm -rf spec'
|
|
122
144
|
end
|
|
123
145
|
|
|
124
146
|
create_file 'public/stylesheets/application.css', ''
|