devise_saml_authenticatable 1.6.3 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f648472eaaf23e5e668e51f84fadff2354879045f0ec798a383dd8a2e2ee135a
-  data.tar.gz: 443a5e883595f8baa2297e2ca173e8f97ae0abf3502538ce1d0f4e0e1c84081e
+  metadata.gz: f5dd2cc3931480caf617a4a22266968ea550c52c4980353a5e295652dc25ce4d
+  data.tar.gz: b712dd20efd0c4ddd9c8a1321dc6e2cbf8876053689c36c94d272be5445f8fd7
 SHA512:
-  metadata.gz: 4765fe0a60d2a8ffd97d30d5b0d2fdb55d70a56bd9cb91f760ef7862a0d9ec80570da5d4758a784ac552232e1e5893fdd1accead2ff677893b0eb4a3500dcb9c
-  data.tar.gz: fcd0e6f70b75fdb9b12b3c1954899989e26f8ddb874c6222ab59ca460387a9672ab7767c13855bc4c3cbabd14fdcdb3ddabb2478412dbb452a17194c20ff4c32
+  metadata.gz: 697615b8dfb2f798ae0fd71b796359825633b783fbebaf66cc947bd33d78ded081a862609b55b6407d87495a7a3b3df4ae9dfce1dd2143d7ce54e2c811727d1e
+  data.tar.gz: 74037754bbe52f5036aed75ad1d96cd0a44677f2963f496a5986a8f6be0542f92645f6a3c8fa67e738a9656d2d9697566f41dfbe6f5aa4b8306114e99a182864

data/.github/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: ci
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "3.1"
+          - "3.0"
+          - "2.7"
+          - "2.6"
+        gemfile:
+          - Gemfile
+          - spec/support/Gemfile.rails6.1
+          - spec/support/Gemfile.rails6
+          - spec/support/Gemfile.rails5.2
+        bundler:
+          - "2"
+        exclude:
+          - ruby: "2.6"
+            gemfile: Gemfile
+            bundler: "2"
+          - ruby: "3.0"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.0"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+          - ruby: "3.1"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.1"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+    runs-on: ubuntu-latest
+    env:
+      BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler: ${{ matrix.bundler }}
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+      - run: bundle exec rake

data/.gitignore

@@ -13,4 +13,5 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
+spec/support/bin/*
 tmp

data/.ruby-version

@@ -0,0 +1 @@
+3.1.0

data/Gemfile

@@ -6,9 +6,19 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 6.0'
+  gem 'rails', '~> 7.0.0'
   gem 'rspec-rails'
   gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
-  gem 'poltergeist'
+  gem 'selenium-webdriver'
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.0")
+    gem 'webrick'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+    gem 'net-smtp', require: false
+    gem 'net-imap', require: false
+    gem 'net-pop', require: false
+  end
 end

data/README.md

@@ -57,8 +57,8 @@ An extra step in SAML SSO setup is adding your application to your identity prov
 Your IdP should give you some information you need to configure in [ruby-saml](https://github.com/onelogin/ruby-saml), as in the next section:
 
 - Issuer (`idp_entity_id`)
-- SSO endpoint (`idp_sso_target_url`)
-- SLO endpoint (`idp_slo_target_url`)
+- SSO endpoint (`idp_sso_service_url`)
+- SLO endpoint (`idp_slo_service_url`)
 - Certificate fingerprint (`idp_cert_fingerprint`) and algorithm (`idp_cert_fingerprint_algorithm`)
     - Or the certificate itself (`idp_cert`)
 
@@ -72,11 +72,42 @@ In `config/initializers/devise.rb`:
     # ==> Configuration for :saml_authenticatable
 
     # Create user if the user does not exist. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_create_user = true
 
     # Update the attributes of the user after a successful login. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_update_user = true
 
+    # Lambda that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
+    # Receives the model object, saml_response and auth_value, and defines how the object's values are
+    # updated with regards to the SAML response. 
+    # config.saml_update_resource_hook = -> (user, saml_response, auth_value) {
+    #   saml_response.attributes.resource_keys.each do |key|
+    #     user.send "#{key}=", saml_response.attribute_value_by_resource_key(key)
+    #   end
+    #
+    #   if (Devise.saml_use_subject)
+    #     user.send "#{Devise.saml_default_user_key}=", auth_value
+    #   end
+    #
+    #   user.save!
+    # }
+
+    # Lambda that is called to resolve the saml_response and auth_value into the correct user object.
+    # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+    # one instance of the provided model that is the matched account, or nil if none exists.
+    # config.saml_resource_locator = -> (model, saml_response, auth_value) {
+    #   model.where(Devise.saml_default_user_key => auth_value).first
+    # }
+    
+
     # Set the default user key. The user will be looked up by this key. Make
     # sure that the Authentication Response includes the attribute.
     config.saml_default_user_key = :email
@@ -85,21 +116,21 @@ In `config/initializers/devise.rb`:
     # for the user's session to facilitate an IDP initiated logout request.
     config.saml_session_index_key = :session_index
 
-    # You can set this value to use Subject or SAML assertation as info to which email will be compared.
-    # If you don't set it then email will be extracted from SAML assertation attributes.
+    # You can set this value to use Subject or SAML assertion as info to which email will be compared.
+    # If you don't set it then email will be extracted from SAML assertion attributes.
     config.saml_use_subject = true
 
-    # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
-    # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    # You can implement IdP settings with the options to support multiple IdPs and use the request object by setting this value to the name of a class that implements a ::settings method
+    # which takes an IdP entity id and a request object as arguments and returns a hash of idp settings for the corresponding IdP.
     # config.idp_settings_adapter = "MyIdPSettingsAdapter"
 
     # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
     # by setting this to the name of a custom reader class, or use the default.
     # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
-    # You can set a handler object that takes the response for a failed SAML request and the strategy,
+    # You can set the name of a class that takes the response for a failed SAML request and the strategy,
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
-    # config.saml_failed_callback = nil
+    # config.saml_failed_callback = "MySamlFailedCallbacksHandler"
 
     # You can customize the named routes generated in case of named route collisions with
     # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
@@ -111,16 +142,19 @@ In `config/initializers/devise.rb`:
     # This is a time in seconds.
     # config.allowed_clock_drift_in_seconds = 0
 
+    # In SAML responses, validate that the identity provider has included an InResponseTo
+    # header that matches the ID of the SAML request. (Default is false)
+    # config.saml_validate_in_response_to = false
+
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
-      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
       settings.issuer                             = "http://localhost:3000/saml/metadata"
       settings.authn_context                      = ""
-      settings.idp_slo_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
-      settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
+      settings.idp_slo_service_url                = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
+      settings.idp_sso_service_url                = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
       settings.idp_cert_fingerprint               = "00:A1:2B:3C:44:55:6F:A7:88:CC:DD:EE:22:33:44:55:D6:77:8F:99"
       settings.idp_cert_fingerprint_algorithm     = "http://www.w3.org/2000/09/xmldsig#sha1"
     end
@@ -191,24 +225,26 @@ If you only have one IdP, you can use the config file above, or just return a si
   end
 ```
 
-## Supporting Multiple IdPs
+## IdP Settings Adapter
+
+Implementing a custom settings adapter allows you to support multiple Identity Providers, and dynamic application domains with the request object.
 
-If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
+You can implement an adapter class with a `#settings` method. It must take two arguments (idp_entity_id, request) and return a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
 
 ```ruby
 class IdPSettingsAdapter
-  def self.settings(idp_entity_id)
+  def self.settings(idp_entity_id, request)
     case idp_entity_id
     when "http://www.example_idp_entity_id.com"
       {
-        assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
+        assertion_consumer_service_url: "#{request.protocol}#{request.host_with_port}/users/saml/auth",
         assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-        issuer: "http://localhost:3000/saml/metadata",
+        issuer: "#{request.protocol}#{request.host_with_port}/saml/metadata",
         idp_entity_id: "http://www.example_idp_entity_id.com",
         authn_context: "",
-        idp_slo_target_url: "http://example_idp_slo_target_url.com",
-        idp_sso_target_url: "http://example_idp_sso_target_url.com",
+        idp_slo_service_url: "http://example_idp_slo_service_url.com",
+        idp_sso_service_url: "http://example_idp_sso_service_url.com",
         idp_cert: "example_idp_cert"
       }
     when "http://www.another_idp_entity_id.biz"
@@ -219,8 +255,8 @@ class IdPSettingsAdapter
         issuer: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.another_idp_entity_id.biz",
         authn_context: "",
-        idp_slo_target_url: "http://another_idp_slo_target_url.com",
-        idp_sso_target_url: "http://another_idp_sso_target_url.com",
+        idp_slo_service_url: "http://another_idp_slo_service_url.com",
+        idp_sso_service_url: "http://another_idp_sso_service_url.com",
         idp_cert: "another_idp_cert"
       }
     else

data/app/controllers/devise/saml_sessions_controller.rb

@@ -1,37 +1,33 @@
-require "ruby-saml"
+require 'ruby-saml'
 
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
-  unloadable if Rails::VERSION::MAJOR < 4
-  if Rails::VERSION::MAJOR < 5
-    skip_before_filter :verify_authenticity_token
-    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
-  else
-    skip_before_action :verify_authenticity_token, raise: false
-    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
-  end
+
+  skip_before_action :verify_authenticity_token, raise: false
+  prepend_before_action :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
 
   def new
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Authrequest.new
+    auth_request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
-    action = request.create(saml_config(idp_entity_id), auth_params || {})
-    redirect_to action
+    action = auth_request.create(saml_config(idp_entity_id, request), auth_params || {})
+    session[:saml_transaction_id] = auth_request.request_id if auth_request.respond_to?(:request_id)
+    redirect_to action, allow_other_host: true
   end
 
   def metadata
     idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config(idp_entity_id))
+    render xml: meta.generate(saml_config(idp_entity_id, request))
   end
 
   def idp_sign_out
     if params[:SAMLRequest] && Devise.saml_session_index_key
-      saml_config = saml_config(get_idp_entity_id(params))
+      saml_config = saml_config(get_idp_entity_id(params), request)
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
-      redirect_to generate_idp_logout_response(saml_config, logout_request.id)
+      redirect_to generate_idp_logout_response(saml_config, logout_request.id), allow_other_host: true
     elsif params[:SAMLResponse]
       # Currently Devise handles the session invalidation when the request is made.
       # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
@@ -49,25 +45,26 @@ class Devise::SamlSessionsController < Devise::SessionsController
   protected
 
   def relay_state
-    @relay_state ||= if Devise.saml_relay_state.present?
-      Devise.saml_relay_state.call(request)
-    end
+    @relay_state ||= (Devise.saml_relay_state.call(request) if Devise.saml_relay_state.present?)
   end
 
   # For non transient name ID, save info to identify user for logout purpose
   # before that user's session got destroyed. These info are used in the
   # `after_sign_out_path_for` method below.
   def store_info_for_sp_initiated_logout
-    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    return if Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+
     @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
-    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+    if Devise.saml_session_index_key
+      @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key)
+    end
   end
 
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Logoutrequest.new
-    saml_settings = saml_config(idp_entity_id).dup
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    saml_settings = saml_config(idp_entity_id, request).dup
 
     # Add attributes to saml_settings which will later be used to create the SP
     # initiated logout request
@@ -76,15 +73,24 @@ class Devise::SamlSessionsController < Devise::SessionsController
       saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
     end
 
-    request.create(saml_settings)
+    logout_request.create(saml_settings)
   end
 
-  def generate_idp_logout_response(saml_config, logout_request_id)
+  # Overried devise: if user is signed out, not create the SP initiated logout request,
+  # redirect to saml_sign_out_success_url,
+  # or devise's after_sign_out_path_for
+  def verify_signed_out_user
+    if all_signed_out?
+      set_flash_message! :notice, :already_signed_out
 
-    params = {}
-    if relay_state
-      params[:RelayState] = relay_state
+      redirect_to (Devise.saml_sign_out_success_url.presence ||
+                  Devise::SessionsController.new.after_sign_out_path_for(resource_name)), allow_other_host: true
     end
+  end
+
+  def generate_idp_logout_response(saml_config, logout_request_id)
+    params = {}
+    params[:RelayState] = relay_state if relay_state
 
     OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end

data/lib/devise_saml_authenticatable/logger.rb

@@ -1,9 +1,9 @@
 module DeviseSamlAuthenticatable
 
   class Logger    
-    def self.send(message, logger = Rails.logger)
+    def self.send(message, log_level = ::Logger::INFO, logger = Rails.logger)
       if ::Devise.saml_logger
-        logger.add 0, "  \e[36msaml:\e[0m #{message}"
+        logger.add log_level, "  \e[36msaml:\e[0m #{message}"
       end
     end
   end

data/lib/devise_saml_authenticatable/model.rb

@@ -55,8 +55,11 @@ module Devise
             end
           end
 
+          create_user = if Devise.saml_create_user.respond_to?(:call) then Devise.saml_create_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_create_user
+                        end
           if resource.nil?
-            if Devise.saml_create_user
+            if create_user
               logger.info("Creating user(#{auth_value}).")
               resource = new
             else
@@ -65,7 +68,10 @@ module Devise
             end
           end
 
-          if Devise.saml_update_user || (resource.new_record? && Devise.saml_create_user)
+          update_user = if Devise.saml_update_user.respond_to?(:call) then Devise.saml_update_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_update_user
+                        end
+          if update_user || (resource.new_record? && create_user)
             Devise.saml_update_resource_hook.call(resource, decorated_response, auth_value)
           end
 

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -1,9 +1,9 @@
 require 'ruby-saml'
 module DeviseSamlAuthenticatable
   module SamlConfig
-    def saml_config(idp_entity_id = nil)
+    def saml_config(idp_entity_id = nil, request = nil)
       return file_based_config if file_based_config
-      return adapter_based_config(idp_entity_id) if Devise.idp_settings_adapter
+      return adapter_based_config(idp_entity_id, request) if Devise.idp_settings_adapter
 
       Devise.saml_config
     end
@@ -19,10 +19,16 @@ module DeviseSamlAuthenticatable
       end
     end
 
-    def adapter_based_config(idp_entity_id)
+    def adapter_based_config(idp_entity_id, request)
       config = Marshal.load(Marshal.dump(Devise.saml_config))
 
-      idp_settings_adapter.settings(idp_entity_id).each do |k,v|
+      if idp_settings_adapter.method(:settings).parameters.length == 1
+        settings = idp_settings_adapter.settings(idp_entity_id)
+      else
+        settings = idp_settings_adapter.settings(idp_entity_id, request)
+      end
+
+      settings.each do |k,v|
         acc = "#{k.to_s}=".to_sym
 
         if config.respond_to? acc

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,8 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
-            settings: saml_config(get_idp_entity_id(params)),
-            allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+            response_options,
           )
         else
           false
@@ -36,8 +35,7 @@ module Devise
       def parse_saml_response
         @response = OneLogin::RubySaml::Response.new(
           params[:SAMLResponse],
-          settings: saml_config(get_idp_entity_id(params)),
-          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+          response_options,
         )
         unless @response.is_valid?
           failed_auth("Auth errors: #{@response.errors.join(', ')}")
@@ -54,9 +52,29 @@ module Devise
       def failed_auth(msg)
         DeviseSamlAuthenticatable::Logger.send(msg)
         fail!(:invalid)
-        Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+        failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+      end
+
+      def failed_callback
+        if Devise.saml_failed_callback.respond_to?(:new)
+          Devise.saml_failed_callback
+        else
+          Devise.saml_failed_callback.constantize
+        end
       end
 
+      def response_options
+        options = {
+          settings: saml_config(get_idp_entity_id(params), request),
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        }
+
+        if Devise.saml_validate_in_response_to
+          options[:matches_request_id] = request.session[:saml_transaction_id] || "ID_MISSING"
+        end
+
+        options
+      end
     end
   end
 end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.6.3"
+  VERSION = "1.9.0"
 end

data/lib/devise_saml_authenticatable.rb

@@ -29,10 +29,20 @@ module Devise
   @@saml_logger = true
 
   # Add valid users to database
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == Admin
+  # end
   mattr_accessor :saml_create_user
   @@saml_create_user = false
 
   # Update user attributes after login
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == User
+  # end
   mattr_accessor :saml_update_user
   @@saml_update_user = false
 
@@ -67,6 +77,10 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Validate that the InResponseTo header in SAML responses matches the ID of the request.
+  mattr_accessor :saml_validate_in_response_to
+  @@saml_validate_in_response_to = false
+
   # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
   mattr_accessor :saml_attribute_map_resolver
   @@saml_attribute_map_resolver ||= "::DeviseSamlAuthenticatable::DefaultAttributeMapResolver"