devise_saml_authenticatable 1.6.3 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f648472eaaf23e5e668e51f84fadff2354879045f0ec798a383dd8a2e2ee135a
-  data.tar.gz: 443a5e883595f8baa2297e2ca173e8f97ae0abf3502538ce1d0f4e0e1c84081e
+  metadata.gz: c2b6dd7d4f718cf0df20aff218f90f1eac720279e4ff5afe6aedef20f84a14fd
+  data.tar.gz: 5efc5fa9d89ee10eb6328261b6b870ce580dbe7cd48cedbe8dd609786c5c9f84
 SHA512:
-  metadata.gz: 4765fe0a60d2a8ffd97d30d5b0d2fdb55d70a56bd9cb91f760ef7862a0d9ec80570da5d4758a784ac552232e1e5893fdd1accead2ff677893b0eb4a3500dcb9c
-  data.tar.gz: fcd0e6f70b75fdb9b12b3c1954899989e26f8ddb874c6222ab59ca460387a9672ab7767c13855bc4c3cbabd14fdcdb3ddabb2478412dbb452a17194c20ff4c32
+  metadata.gz: 70c0b6c4e5f6ec2b7f4a421c898c493cb34aef837c119e126d1b557640f685c1c35ad7cddaf94de3598601fe691563fa2984297010b4ac96f539609c8fa55f95
+  data.tar.gz: ca3d854ab1bd6b84d3a7d2225feb926f9fbc2d6df5c546c975d5773e8bdd8254d5ce544dd08f6c32a0db29e15f9f4aa3bbc38bee1dbdf491d9e92826b00c760b

data/.github/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: ci
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "3.1"
+          - "3.0"
+          - "2.7"
+          - "2.6"
+        gemfile:
+          - Gemfile
+          - spec/support/Gemfile.rails6.1
+          - spec/support/Gemfile.rails6
+          - spec/support/Gemfile.rails5.2
+        bundler:
+          - "2"
+        exclude:
+          - ruby: "2.6"
+            gemfile: Gemfile
+            bundler: "2"
+          - ruby: "3.0"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.0"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+          - ruby: "3.1"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.1"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler: ${{ matrix.bundler }}
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - run: bundle exec rake

data/.gitignore

@@ -13,4 +13,5 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
+spec/support/bin/*
 tmp

data/.ruby-version

@@ -0,0 +1 @@
+3.1.0

data/Gemfile

@@ -6,9 +6,19 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 6.0'
+  gem 'rails', '~> 7.0.0'
   gem 'rspec-rails'
   gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
-  gem 'poltergeist'
+  gem 'selenium-webdriver'
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.0")
+    gem 'webrick'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+    gem 'net-smtp', require: false
+    gem 'net-imap', require: false
+    gem 'net-pop', require: false
+  end
 end

data/README.md

@@ -57,8 +57,8 @@ An extra step in SAML SSO setup is adding your application to your identity prov
 Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
 
 - Issuer (`idp_entity_id`)
-- SSO endpoint (`idp_sso_target_url`)
-- SLO endpoint (`idp_slo_target_url`)
+- SSO endpoint (`idp_sso_service_url`)
+- SLO endpoint (`idp_slo_service_url`)
 - Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
     - Or the certificate itself (`idp_cert`)
 
@@ -85,8 +85,8 @@ In `config/initializers/devise.rb`:
     # for the user's session to facilitate an IDP initiated logout request.
     config.saml_session_index_key = :session_index
 
-    # You can set this value to use Subject or SAML assertation as info to which email will be compared.
-    # If you don't set it then email will be extracted from SAML assertation attributes.
+    # You can set this value to use Subject or SAML assertion as info to which email will be compared.
+    # If you don't set it then email will be extracted from SAML assertion attributes.
     config.saml_use_subject = true
 
     # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
@@ -97,9 +97,9 @@ In `config/initializers/devise.rb`:
     # by setting this to the name of a custom reader class, or use the default.
     # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
-    # You can set a handler object that takes the response for a failed SAML request and the strategy,
+    # You can set the name of a class that takes the response for a failed SAML request and the strategy,
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
-    # config.saml_failed_callback = nil
+    # config.saml_failed_callback = "MySamlFailedCallbacksHandler"
 
     # You can customize the named routes generated in case of named route collisions with
     # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
@@ -111,16 +111,19 @@ In `config/initializers/devise.rb`:
     # This is a time in seconds.
     # config.allowed_clock_drift_in_seconds = 0
 
+    # In SAML responses, validate that the identity provider has included an InResponseTo
+    # header that matches the ID of the SAML request. (Default is false)
+    # config.saml_validate_in_response_to = false
+
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
-      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       settings.issuer                             = "http://localhost:3000/saml/metadata"
       settings.authn_context                      = ""
-      settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
-      settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
+      settings.idp_slo_service_url                = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
+      settings.idp_sso_service_url                = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
       settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
       settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
@@ -207,8 +210,8 @@ class IdPSettingsAdapter
         issuer: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.example_idp_entity_id.com",
         authn_context: "",
-        idp_slo_target_url: "http://example_idp_slo_target_url.com",
-        idp_sso_target_url: "http://example_idp_sso_target_url.com",
+        idp_slo_service_url: "http://example_idp_slo_service_url.com",
+        idp_sso_service_url: "http://example_idp_sso_service_url.com",
         idp_cert: "example_idp_cert"
       }
     when "http://www.another_idp_entity_id.biz"
@@ -219,8 +222,8 @@ class IdPSettingsAdapter
         issuer: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.another_idp_entity_id.biz",
         authn_context: "",
-        idp_slo_target_url: "http://another_idp_slo_target_url.com",
-        idp_sso_target_url: "http://another_idp_sso_target_url.com",
+        idp_slo_service_url: "http://another_idp_slo_service_url.com",
+        idp_sso_service_url: "http://another_idp_sso_service_url.com",
         idp_cert: "another_idp_cert"
       }
     else

data/app/controllers/devise/saml_sessions_controller.rb

@@ -1,28 +1,24 @@
-require "ruby-saml"
+require 'ruby-saml'
 
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
-  unloadable if Rails::VERSION::MAJOR < 4
-  if Rails::VERSION::MAJOR < 5
-    skip_before_filter :verify_authenticity_token
-    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
-  else
-    skip_before_action :verify_authenticity_token, raise: false
-    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
-  end
+
+  skip_before_action :verify_authenticity_token, raise: false
+  prepend_before_action :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
 
   def new
     idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
     action = request.create(saml_config(idp_entity_id), auth_params || {})
-    redirect_to action
+    session[:saml_transaction_id] = request.request_id if request.respond_to?(:request_id)
+    redirect_to action, allow_other_host: true
   end
 
   def metadata
     idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config(idp_entity_id))
+    render xml: meta.generate(saml_config(idp_entity_id))
   end
 
   def idp_sign_out
@@ -31,7 +27,7 @@ class Devise::SamlSessionsController < Devise::SessionsController
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
-      redirect_to generate_idp_logout_response(saml_config, logout_request.id)
+      redirect_to generate_idp_logout_response(saml_config, logout_request.id), allow_other_host: true
     elsif params[:SAMLResponse]
       # Currently Devise handles the session invalidation when the request is made.
       # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
@@ -49,18 +45,19 @@ class Devise::SamlSessionsController < Devise::SessionsController
   protected
 
   def relay_state
-    @relay_state ||= if Devise.saml_relay_state.present?
-      Devise.saml_relay_state.call(request)
-    end
+    @relay_state ||= (Devise.saml_relay_state.call(request) if Devise.saml_relay_state.present?)
   end
 
   # For non transient name ID, save info to identify user for logout purpose
   # before that user's session got destroyed. These info are used in the
   # `after_sign_out_path_for` method below.
   def store_info_for_sp_initiated_logout
-    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    return if Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+
     @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
-    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+    if Devise.saml_session_index_key
+      @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key)
+    end
   end
 
   # Override devise to send user to IdP logout for SLO
@@ -79,12 +76,21 @@ class Devise::SamlSessionsController < Devise::SessionsController
     request.create(saml_settings)
   end
 
-  def generate_idp_logout_response(saml_config, logout_request_id)
+  # Overried devise: if user is signed out, not create the SP initiated logout request,
+  # redirect to saml_sign_out_success_url,
+  # or devise's after_sign_out_path_for
+  def verify_signed_out_user
+    if all_signed_out?
+      set_flash_message! :notice, :already_signed_out
 
-    params = {}
-    if relay_state
-      params[:RelayState] = relay_state
+      redirect_to (Devise.saml_sign_out_success_url.presence ||
+                  Devise::SessionsController.new.after_sign_out_path_for(resource_name)), allow_other_host: true
     end
+  end
+
+  def generate_idp_logout_response(saml_config, logout_request_id)
+    params = {}
+    params[:RelayState] = relay_state if relay_state
 
     OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end

data/lib/devise_saml_authenticatable/logger.rb

@@ -1,9 +1,9 @@
 module DeviseSamlAuthenticatable
 
   class Logger    
-    def self.send(message, logger = Rails.logger)
+    def self.send(message, log_level = ::Logger::INFO, logger = Rails.logger)
       if ::Devise.saml_logger
-        logger.add 0, "  \e[36msaml:\e[0m #{message}"
+        logger.add log_level, "  \e[36msaml:\e[0m #{message}"
       end
     end
   end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,8 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
-            settings: saml_config(get_idp_entity_id(params)),
-            allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+            response_options,
           )
         else
           false
@@ -36,8 +35,7 @@ module Devise
       def parse_saml_response
         @response = OneLogin::RubySaml::Response.new(
           params[:SAMLResponse],
-          settings: saml_config(get_idp_entity_id(params)),
-          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+          response_options,
         )
         unless @response.is_valid?
           failed_auth("Auth errors: #{@response.errors.join(', ')}")
@@ -54,9 +52,29 @@ module Devise
       def failed_auth(msg)
         DeviseSamlAuthenticatable::Logger.send(msg)
         fail!(:invalid)
-        Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+        failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+      end
+
+      def failed_callback
+        if Devise.saml_failed_callback.respond_to?(:new)
+          Devise.saml_failed_callback
+        else
+          Devise.saml_failed_callback.constantize
+        end
       end
 
+      def response_options
+        options = {
+          settings: saml_config(get_idp_entity_id(params)),
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        }
+
+        if Devise.saml_validate_in_response_to
+          options[:matches_request_id] = request.session[:saml_transaction_id] || "ID_MISSING"
+        end
+
+        options
+      end
     end
   end
 end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.6.3"
+  VERSION = "1.8.0"
 end

data/lib/devise_saml_authenticatable.rb

@@ -67,6 +67,10 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Validate that the InResponseTo header in SAML responses matches the ID of the request.
+  mattr_accessor :saml_validate_in_response_to
+  @@saml_validate_in_response_to = false
+
   # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
   mattr_accessor :saml_attribute_map_resolver
   @@saml_attribute_map_resolver ||= "::DeviseSamlAuthenticatable::DefaultAttributeMapResolver"