devise_saml_authenticatable 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23fdb33308c8d98c67e3fe7d5654bfcdc7afe40c2276822a3936785ed29e15ea
-  data.tar.gz: 11569096a198fb51b129d82eaab03a870c3c8983b7dfe88aa0bcc53f1f4fa2ce
+  metadata.gz: c2b6dd7d4f718cf0df20aff218f90f1eac720279e4ff5afe6aedef20f84a14fd
+  data.tar.gz: 5efc5fa9d89ee10eb6328261b6b870ce580dbe7cd48cedbe8dd609786c5c9f84
 SHA512:
-  metadata.gz: 605f76c64fa08cb1ec9f26224af74ccec6c8d85b507899e6f61f1c65e8ada6b7672b6b9398d78fcfbd075d8c7754e824e0a8ed822001b124a6658e862b72203c
-  data.tar.gz: 0f8bb1f715288790cffb1b20214d6c0da71c546aaa09e626183b86d1274c5d6e3aae90dea8af6c4d572c6f2131360c948203a9a14706ed7414c685833eac173d
+  metadata.gz: 70c0b6c4e5f6ec2b7f4a421c898c493cb34aef837c119e126d1b557640f685c1c35ad7cddaf94de3598601fe691563fa2984297010b4ac96f539609c8fa55f95
+  data.tar.gz: ca3d854ab1bd6b84d3a7d2225feb926f9fbc2d6df5c546c975d5773e8bdd8254d5ce544dd08f6c32a0db29e15f9f4aa3bbc38bee1dbdf491d9e92826b00c760b

data/.github/workflows/ci.yml

@@ -12,57 +12,33 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - "3.1"
+          - "3.0"
           - "2.7"
           - "2.6"
-          - "2.5"
-          - "2.4"
-          - "2.3"
         gemfile:
           - Gemfile
+          - spec/support/Gemfile.rails6.1
           - spec/support/Gemfile.rails6
           - spec/support/Gemfile.rails5.2
-          - spec/support/Gemfile.rails5.1
-          - spec/support/Gemfile.rails5
         bundler:
           - "2"
         exclude:
-          - ruby: "2.3"
+          - ruby: "2.6"
             gemfile: Gemfile
             bundler: "2"
-          - ruby: "2.3"
+          - ruby: "3.0"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.0"
             gemfile: spec/support/Gemfile.rails6
             bundler: "2"
-          - ruby: "2.4"
-            gemfile: Gemfile
+          - ruby: "3.1"
+            gemfile: spec/support/Gemfile.rails5.2
             bundler: "2"
-          - ruby: "2.4"
+          - ruby: "3.1"
             gemfile: spec/support/Gemfile.rails6
             bundler: "2"
-        include:
-          - ruby: "2.5"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
-          - ruby: "2.4"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
-          - ruby: "2.3"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
-          - ruby: "2.2"
-            gemfile: spec/support/Gemfile.rails5.1
-            bundler: "1"
-          - ruby: "2.2"
-            gemfile: spec/support/Gemfile.rails5
-            bundler: "1"
-          - ruby: "2.2"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
-          - ruby: "2.1"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
-          - ruby: "2.0"
-            gemfile: spec/support/Gemfile.rails4
-            bundler: "1"
     runs-on: ubuntu-latest
     env:
       BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}

data/.gitignore

@@ -13,4 +13,5 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
+spec/support/bin/*
 tmp

data/.ruby-version

@@ -0,0 +1 @@
+3.1.0

data/Gemfile

@@ -6,9 +6,19 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 6.0'
+  gem 'rails', '~> 7.0.0'
   gem 'rspec-rails'
   gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
-  gem 'poltergeist'
+  gem 'selenium-webdriver'
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.0")
+    gem 'webrick'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+    gem 'net-smtp', require: false
+    gem 'net-imap', require: false
+    gem 'net-pop', require: false
+  end
 end

data/README.md

@@ -85,8 +85,8 @@ In `config/initializers/devise.rb`:
     # for the user's session to facilitate an IDP initiated logout request.
     config.saml_session_index_key = :session_index
 
-    # You can set this value to use Subject or SAML assertation as info to which email will be compared.
-    # If you don't set it then email will be extracted from SAML assertation attributes.
+    # You can set this value to use Subject or SAML assertion as info to which email will be compared.
+    # If you don't set it then email will be extracted from SAML assertion attributes.
     config.saml_use_subject = true
 
     # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
@@ -97,9 +97,9 @@ In `config/initializers/devise.rb`:
     # by setting this to the name of a custom reader class, or use the default.
     # config.idp_entity_id_reader = "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader"
 
-    # You can set a handler object that takes the response for a failed SAML request and the strategy,
+    # You can set the name of a class that takes the response for a failed SAML request and the strategy,
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
-    # config.saml_failed_callback = nil
+    # config.saml_failed_callback = "MySamlFailedCallbacksHandler"
 
     # You can customize the named routes generated in case of named route collisions with
     # other Devise modules or libraries. Set the saml_route_helper_prefix to a string that will
@@ -117,7 +117,6 @@ In `config/initializers/devise.rb`:
 
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
-      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

data/app/controllers/devise/saml_sessions_controller.rb

@@ -1,31 +1,24 @@
-require "ruby-saml"
+require 'ruby-saml'
 
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
-  unloadable if Rails::VERSION::MAJOR < 4
-  if Rails::VERSION::MAJOR < 5
-    skip_before_filter :verify_authenticity_token
-    prepend_before_filter :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
-  else
-    skip_before_action :verify_authenticity_token, raise: false
-    prepend_before_action :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
-  end
+
+  skip_before_action :verify_authenticity_token, raise: false
+  prepend_before_action :verify_signed_out_user, :store_info_for_sp_initiated_logout, only: :destroy
 
   def new
     idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
     action = request.create(saml_config(idp_entity_id), auth_params || {})
-    if request.respond_to?(:request_id)
-      session[:saml_transaction_id] = request.request_id
-    end
-    redirect_to action
+    session[:saml_transaction_id] = request.request_id if request.respond_to?(:request_id)
+    redirect_to action, allow_other_host: true
   end
 
   def metadata
     idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render :xml => meta.generate(saml_config(idp_entity_id))
+    render xml: meta.generate(saml_config(idp_entity_id))
   end
 
   def idp_sign_out
@@ -34,7 +27,7 @@ class Devise::SamlSessionsController < Devise::SessionsController
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
-      redirect_to generate_idp_logout_response(saml_config, logout_request.id)
+      redirect_to generate_idp_logout_response(saml_config, logout_request.id), allow_other_host: true
     elsif params[:SAMLResponse]
       # Currently Devise handles the session invalidation when the request is made.
       # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
@@ -52,18 +45,19 @@ class Devise::SamlSessionsController < Devise::SessionsController
   protected
 
   def relay_state
-    @relay_state ||= if Devise.saml_relay_state.present?
-      Devise.saml_relay_state.call(request)
-    end
+    @relay_state ||= (Devise.saml_relay_state.call(request) if Devise.saml_relay_state.present?)
   end
 
   # For non transient name ID, save info to identify user for logout purpose
   # before that user's session got destroyed. These info are used in the
   # `after_sign_out_path_for` method below.
   def store_info_for_sp_initiated_logout
-    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    return if Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+
     @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
-    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+    if Devise.saml_session_index_key
+      @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key)
+    end
   end
 
   # Override devise to send user to IdP logout for SLO
@@ -89,17 +83,14 @@ class Devise::SamlSessionsController < Devise::SessionsController
     if all_signed_out?
       set_flash_message! :notice, :already_signed_out
 
-      redirect_to Devise.saml_sign_out_success_url.presence ||
-                  Devise::SessionsController.new.after_sign_out_path_for(resource_name)
+      redirect_to (Devise.saml_sign_out_success_url.presence ||
+                  Devise::SessionsController.new.after_sign_out_path_for(resource_name)), allow_other_host: true
     end
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)
-
     params = {}
-    if relay_state
-      params[:RelayState] = relay_state
-    end
+    params[:RelayState] = relay_state if relay_state
 
     OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end

data/lib/devise_saml_authenticatable/logger.rb

@@ -1,9 +1,9 @@
 module DeviseSamlAuthenticatable
 
   class Logger    
-    def self.send(message, logger = Rails.logger)
+    def self.send(message, log_level = ::Logger::INFO, logger = Rails.logger)
       if ::Devise.saml_logger
-        logger.add 0, "  \e[36msaml:\e[0m #{message}"
+        logger.add log_level, "  \e[36msaml:\e[0m #{message}"
       end
     end
   end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -52,7 +52,15 @@ module Devise
       def failed_auth(msg)
         DeviseSamlAuthenticatable::Logger.send(msg)
         fail!(:invalid)
-        Devise.saml_failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+        failed_callback.new.handle(@response, self) if Devise.saml_failed_callback
+      end
+
+      def failed_callback
+        if Devise.saml_failed_callback.respond_to?(:new)
+          Devise.saml_failed_callback
+        else
+          Devise.saml_failed_callback.constantize
+        end
       end
 
       def response_options

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.7.0"
+  VERSION = "1.8.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -10,13 +10,12 @@ class DeviseController < ApplicationController
   end
 
   def resource_name
-    "users"
+    'users'
   end
 
-  def require_no_authentication
-  end
+  def require_no_authentication; end
 
-  def set_flash_message!(key, kind, options = {})
+  def set_flash_message!(key, kind, _options = {})
     flash[key] = I18n.t("devise.sessions.#{kind}")
   end
 end
@@ -24,7 +23,7 @@ end
 class Devise::SessionsController < DeviseController
   def destroy
     sign_out
-    redirect_to after_sign_out_path_for(:user)
+    redirect_to after_sign_out_path_for(:user), allow_other_host: true
   end
 end
 
@@ -33,65 +32,49 @@ require_relative '../../../app/controllers/devise/saml_sessions_controller'
 describe Devise::SamlSessionsController, type: :controller do
   include RubySamlSupport
 
-  let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
+  let(:idp_providers_adapter) { spy('Stub IDPSettings Adaptor') }
 
   before do
-    @request.env["devise.mapping"] = Devise.mappings[:user]
+    @request.env['devise.mapping'] = Devise.mappings[:user]
     settings = {
-      assertion_consumer_service_url: "acs_url",
-      assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-      issuer: "sp_issuer",
-      idp_entity_id: "http://www.example.com",
-      authn_context: "",
-      idp_cert: "idp_cert"
+      assertion_consumer_service_url: 'acs_url',
+      assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+      issuer: 'sp_issuer',
+      idp_entity_id: 'http://www.example.com',
+      authn_context: '',
+      idp_cert: 'idp_cert'
     }
     with_ruby_saml_1_12_or_greater(proc {
       settings.merge!(
-        idp_slo_service_url: "http://idp_slo_url",
-        idp_sso_service_url: "http://idp_sso_url",
+        idp_slo_service_url: 'http://idp_slo_url',
+        idp_sso_service_url: 'http://idp_sso_url'
       )
     }, else_do: proc {
       settings.merge!(
-        idp_slo_target_url: "http://idp_slo_url",
-        idp_sso_target_url: "http://idp_sso_url",
+        idp_slo_target_url: 'http://idp_slo_url',
+        idp_sso_target_url: 'http://idp_sso_url'
       )
     })
     allow(idp_providers_adapter).to receive(:settings).and_return(settings)
   end
 
-  before do
-    if Rails::VERSION::MAJOR < 5 && Gem::Version.new(RUBY_VERSION) > Gem::Version.new("2.6")
-      # we still want to support Rails 4
-      # patch tests using snippet from https://github.com/rails/rails/issues/34790#issuecomment-483607370
-      class ActionController::TestResponse < ActionDispatch::TestResponse
-        def recycle!
-          @mon_mutex_owner_object_id = nil
-          @mon_mutex = nil
-          initialize
-        end
-      end
-    end
-  end
-
   describe '#new' do
-    let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
+    let(:saml_response) do
+      File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64'))
+    end
 
-    subject(:do_get) {
-      if Rails::VERSION::MAJOR > 4
-        get :new, params: {"SAMLResponse" => saml_response}
-      else
-        get :new, "SAMLResponse" => saml_response
-      end
-    }
+    subject(:do_get) do
+      get :new, params: { 'SAMLResponse' => saml_response }
+    end
 
-    context "when using the default saml config" do
-      it "redirects to the IdP SSO target url" do
+    context 'when using the default saml config' do
+      it 'redirects to the IdP SSO target url' do
         do_get
-        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+        expect(response).to redirect_to(%r{\Ahttp://localhost:8009/saml/auth\?SAMLRequest=})
       end
 
-      it "stores saml_transaction_id in the session" do
+      it 'stores saml_transaction_id in the session' do
         do_get
         if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
           expect(session[:saml_transaction_id]).to be_present
@@ -99,53 +82,49 @@ describe Devise::SamlSessionsController, type: :controller do
       end
     end
 
-    context "with a specified idp" do
+    context 'with a specified idp' do
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
       end
 
-      it "redirects to the associated IdP SSO target url" do
+      it 'redirects to the associated IdP SSO target url' do
         do_get
-        expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+        expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
       end
 
-      it "stores saml_transaction_id in the session" do
+      it 'stores saml_transaction_id in the session' do
         do_get
         if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
           expect(session[:saml_transaction_id]).to be_present
         end
       end
 
-      it "uses the DefaultIdpEntityIdReader" do
+      it 'uses the DefaultIdpEntityIdReader' do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
         expect(idp_providers_adapter).to have_received(:settings).with(nil)
       end
 
-      context "with a relay_state lambda defined" do
-        let(:relay_state) { ->(request) { "123" } }
+      context 'with a relay_state lambda defined' do
+        let(:relay_state) { ->(_request) { '123' } }
 
-        it "includes the RelayState param in the request to the IdP" do
+        it 'includes the RelayState param in the request to the IdP' do
           expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
           do_get
-          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=.*&RelayState=123))
+          expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=.*&RelayState=123})
         end
       end
 
-      context "with a specified idp entity id reader" do
+      context 'with a specified idp entity id reader' do
         class OurIdpEntityIdReader
           def self.entity_id(params)
             params[:entity_id]
           end
         end
 
-        subject(:do_get) {
-          if Rails::VERSION::MAJOR > 4
-            get :new, params: {entity_id: "http://www.example.com"}
-          else
-            get :new, entity_id: "http://www.example.com"
-          end
-        }
+        subject(:do_get) do
+          get :new, params: { entity_id: 'http://www.example.com' }
+        end
 
         before do
           @default_reader = Devise.idp_entity_id_reader
@@ -156,10 +135,10 @@ describe Devise::SamlSessionsController, type: :controller do
           Devise.idp_entity_id_reader = @default_reader
         end
 
-        it "redirects to the associated IdP SSO target url" do
+        it 'redirects to the associated IdP SSO target url' do
           do_get
-          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
-          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+          expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
         end
       end
     end
@@ -168,7 +147,7 @@ describe Devise::SamlSessionsController, type: :controller do
   describe '#metadata' do
     let(:saml_config) { Devise.saml_config.dup }
 
-    context "with the default configuration" do
+    context 'with the default configuration' do
       it 'generates metadata' do
         get :metadata
 
@@ -179,20 +158,20 @@ describe Devise::SamlSessionsController, type: :controller do
       end
     end
 
-    context "with a specified IDP" do
-      let(:saml_config) { controller.saml_config("anything") }
+    context 'with a specified IDP' do
+      let(:saml_config) { controller.saml_config('anything') }
 
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
         Devise.saml_configure do |settings|
-          settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
-          settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-          settings.issuer = "http://localhost:3000"
+          settings.assertion_consumer_service_url = 'http://localhost:3000/users/saml/auth'
+          settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+          settings.name_identifier_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+          settings.issuer = 'http://localhost:3000'
         end
       end
 
-      it "generates the same service metadata" do
+      it 'generates the same service metadata' do
         get :metadata
 
         # Remove ID that can vary across requests
@@ -206,7 +185,7 @@ describe Devise::SamlSessionsController, type: :controller do
   describe '#destroy' do
     subject { delete :destroy }
 
-    context "when user is signed out" do
+    context 'when user is signed out' do
       before do
         class Devise::SessionsController < DeviseController
           def all_signed_out?
@@ -215,45 +194,45 @@ describe Devise::SamlSessionsController, type: :controller do
         end
       end
 
-      shared_examples "not create SP initiated logout request" do
+      shared_examples 'not create SP initiated logout request' do
         it do
           expect(OneLogin::RubySaml::Logoutrequest).not_to receive(:new)
           subject
         end
       end
 
-      context "when Devise.saml_sign_out_success_url is set" do
+      context 'when Devise.saml_sign_out_success_url is set' do
         before do
-          allow(Devise).to receive(:saml_sign_out_success_url).and_return("http://localhost:8009/logged_out")
+          allow(Devise).to receive(:saml_sign_out_success_url).and_return('http://localhost:8009/logged_out')
         end
 
-        it "redirect to saml_sign_out_success_url" do
-          is_expected.to redirect_to "http://localhost:8009/logged_out"
-          expect(flash[:notice]).to eq I18n.t("devise.sessions.already_signed_out")
+        it 'redirect to saml_sign_out_success_url' do
+          is_expected.to redirect_to 'http://localhost:8009/logged_out'
+          expect(flash[:notice]).to eq I18n.t('devise.sessions.already_signed_out')
         end
 
-        it_behaves_like "not create SP initiated logout request"
+        it_behaves_like 'not create SP initiated logout request'
       end
 
-      context "when Devise.saml_sign_out_success_url is not set" do
+      context 'when Devise.saml_sign_out_success_url is not set' do
         before do
           class Devise::SessionsController < DeviseController
             def after_sign_out_path_for(_)
-              "http://localhost:8009/logged_out"
+              'http://localhost:8009/logged_out'
             end
           end
         end
 
         it "redirect to devise's after sign out path" do
-          is_expected.to redirect_to "http://localhost:8009/logged_out"
-          expect(flash[:notice]).to eq I18n.t("devise.sessions.already_signed_out")
+          is_expected.to redirect_to 'http://localhost:8009/logged_out'
+          expect(flash[:notice]).to eq I18n.t('devise.sessions.already_signed_out')
         end
 
-        it_behaves_like "not create SP initiated logout request"
+        it_behaves_like 'not create SP initiated logout request'
       end
     end
 
-    context "when user is not signed out" do
+    context 'when user is not signed out' do
       before do
         class Devise::SessionsController < DeviseController
           def all_signed_out?
@@ -263,60 +242,56 @@ describe Devise::SamlSessionsController, type: :controller do
         allow(controller).to receive(:sign_out)
       end
 
-      context "when using the default saml config" do
-        it "signs out and redirects to the IdP" do
+      context 'when using the default saml config' do
+        it 'signs out and redirects to the IdP' do
           delete :destroy
           expect(controller).to have_received(:sign_out)
-          expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+          expect(response).to redirect_to(%r{\Ahttp://localhost:8009/saml/logout\?SAMLRequest=})
         end
       end
 
-      context "when configured to use a non-transient name identifier" do
+      context 'when configured to use a non-transient name identifier' do
         before do
-          allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+          allow(Devise.saml_config).to receive(:name_identifier_format).and_return('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent')
         end
 
-        it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
-          controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+        it 'includes a LogoutRequest with the name identifier and session index', :aggregate_failures do
+          controller.current_user = Struct.new(:email, :session_index).new('user@example.com', 'sessionindex')
 
           actual_settings = nil
           expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
             actual_settings = settings
-            "http://localhost:8009/saml/logout"
+            'http://localhost:8009/saml/logout'
           end
 
           delete :destroy
-          expect(actual_settings.name_identifier_value).to eq("user@example.com")
-          expect(actual_settings.sessionindex).to eq("sessionindex")
+          expect(actual_settings.name_identifier_value).to eq('user@example.com')
+          expect(actual_settings.sessionindex).to eq('sessionindex')
         end
       end
 
-      context "with a specified idp" do
+      context 'with a specified idp' do
         before do
           Devise.idp_settings_adapter = idp_providers_adapter
         end
 
-        it "redirects to the associated IdP SSO target url" do
+        it 'redirects to the associated IdP SSO target url' do
           expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
           delete :destroy
           expect(controller).to have_received(:sign_out)
-          expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+          expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
         end
 
-        context "with a specified idp entity id reader" do
+        context 'with a specified idp entity id reader' do
           class OurIdpEntityIdReader
             def self.entity_id(params)
               params[:entity_id]
             end
           end
 
-          subject(:do_delete) {
-            if Rails::VERSION::MAJOR > 4
-              delete :destroy, params: {entity_id: "http://www.example.com"}
-            else
-              delete :destroy, entity_id: "http://www.example.com"
-            end
-          }
+          subject(:do_delete) do
+            delete :destroy, params: { entity_id: 'http://www.example.com' }
+          end
 
           before do
             @default_reader = Devise.idp_entity_id_reader
@@ -327,11 +302,11 @@ describe Devise::SamlSessionsController, type: :controller do
             Devise.idp_entity_id_reader = @default_reader
           end
 
-          it "redirects to the associated IdP SLO target url" do
+          it 'redirects to the associated IdP SLO target url' do
             do_delete
             expect(controller).to have_received(:sign_out)
-            expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
-            expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+            expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
           end
         end
       end
@@ -352,14 +327,10 @@ describe Devise::SamlSessionsController, type: :controller do
       expect(response.status).to eq 500
     end
 
-    context "when receiving a logout response from the IdP after redirecting an SP logout request" do
-      subject(:do_post) {
-        if Rails::VERSION::MAJOR > 4
-          post :idp_sign_out, params: {SAMLResponse: "stubbed_response"}
-        else
-          post :idp_sign_out, SAMLResponse: "stubbed_response"
-        end
-      }
+    context 'when receiving a logout response from the IdP after redirecting an SP logout request' do
+      subject(:do_post) do
+        post :idp_sign_out, params: { SAMLResponse: 'stubbed_response' }
+      end
 
       it 'accepts a LogoutResponse and redirects sign_in' do
         do_post
@@ -381,20 +352,18 @@ describe Devise::SamlSessionsController, type: :controller do
       end
     end
 
-    context "when receiving an IdP logout request" do
-      subject(:do_post) {
-        if Rails::VERSION::MAJOR > 4
-          post :idp_sign_out, params: {SAMLRequest: "stubbed_logout_request"}
-        else
-          post :idp_sign_out, SAMLRequest: "stubbed_logout_request"
-        end
-      }
+    context 'when receiving an IdP logout request' do
+      subject(:do_post) do
+        post :idp_sign_out, params: { SAMLRequest: 'stubbed_logout_request' }
+      end
 
-      let(:saml_request) { double(:slo_logoutrequest, {
-        id: 42,
-        name_id: name_id,
-        issuer: "http://www.example.com"
-      }) }
+      let(:saml_request) do
+        double(:slo_logoutrequest, {
+                 id: 42,
+                 name_id: name_id,
+                 issuer: 'http://www.example.com'
+               })
+      end
       let(:name_id) { '12312312' }
       before do
         allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
@@ -407,27 +376,28 @@ describe Devise::SamlSessionsController, type: :controller do
         expect(User).to have_received(:reset_session_key_for).with(name_id)
       end
 
-      context "with a specified idp" do
-        let(:idp_entity_id) { "http://www.example.com" }
+      context 'with a specified idp' do
+        let(:idp_entity_id) { 'http://www.example.com' }
         before do
           Devise.idp_settings_adapter = idp_providers_adapter
         end
 
-        it "accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in" do
+        it 'accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in' do
           do_post
           expect(response.status).to eq 302
           expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
-          expect(response).to redirect_to "http://localhost/logout_response"
+          expect(response).to redirect_to 'http://localhost/logout_response'
         end
       end
 
-      context "with a relay_state lambda defined" do
-        let(:relay_state) { ->(request) { "123" } }
+      context 'with a relay_state lambda defined' do
+        let(:relay_state) { ->(_request) { '123' } }
 
-        it "includes the RelayState param in the request to the IdP" do
+        it 'includes the RelayState param in the request to the IdP' do
           expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
           do_post
-          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil, {RelayState: "123"})
+          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil,
+                                                               { RelayState: '123' })
         end
       end
 

data/spec/features/saml_authentication_spec.rb

@@ -3,8 +3,21 @@ require 'net/http'
 require 'timeout'
 require 'uri'
 require 'capybara/rspec'
-require 'capybara/poltergeist'
-Capybara.default_driver = :poltergeist
+require 'selenium-webdriver'
+
+Capybara.register_driver :chrome do |app|
+  options = Selenium::WebDriver::Chrome::Options.new
+  options.add_argument('--headless')
+  options.add_argument('--allow-insecure-localhost')
+  options.add_argument('--ignore-certificate-errors')
+
+  Capybara::Selenium::Driver.new(
+    app,
+    browser: :chrome,
+    capabilities: [options]
+  )
+end
+Capybara.default_driver = :chrome
 Capybara.server = :webrick
 
 describe "SAML Authentication", type: :feature do
@@ -165,7 +178,7 @@ describe "SAML Authentication", type: :feature do
     let(:valid_destination) { "true" }
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false", 'VALID_DESTINATION' => valid_destination)
-      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'SAML_FAILED_CALLBACK' => "OurSamlFailedCallbackHandler")
+      create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'SAML_FAILED_CALLBACK' => '"OurSamlFailedCallbackHandler"')
 
       @idp_pid = start_app('idp', idp_port)
       @sp_pid  = start_app('sp',  sp_port)
@@ -224,7 +237,7 @@ describe "SAML Authentication", type: :feature do
   end
 
   def sign_in(entity_id: "")
-    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.escape(entity_id)}"
+    visit "http://localhost:8020/users/saml/sign_in/?entity_id=#{URI.encode_www_form_component(entity_id)}"
     fill_in "Email", with: "you@example.com"
     fill_in "Password", with: "asdf"
     click_on "Sign in"

data/spec/support/Gemfile.rails5.2

@@ -10,16 +10,5 @@ group :test do
   gem 'rspec-rails', '~> 3.9'
   gem 'sqlite3', '~> 1.3.6'
   gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'responders', '~> 2.4'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
-    gem 'byebug', '~> 10.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'byebug', '~> 11.0.0'
-  end
+  gem 'selenium-webdriver'
 end

data/spec/support/Gemfile.rails6

@@ -10,5 +10,9 @@ group :test do
   gem 'rspec-rails', '~> 5.0'
   gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
-  gem 'poltergeist'
+  gem 'selenium-webdriver'
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.0")
+    gem 'webrick'
+  end
 end

data/spec/support/Gemfile.rails6.1

@@ -0,0 +1,24 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 6.1.0'
+  gem 'rspec-rails', '~> 5.0'
+  gem 'sqlite3', '~> 1.4.0'
+  gem 'capybara'
+  gem 'selenium-webdriver'
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.0")
+    gem 'webrick'
+  end
+
+  if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+    gem 'net-smtp', require: false
+    gem 'net-imap', require: false
+    gem 'net-pop', require: false
+  end
+end

data/spec/support/idp_template.rb

@@ -5,22 +5,14 @@
 @include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
 @valid_destination = ENV.fetch('VALID_DESTINATION', "true")
 
-if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
-  gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "34814fd41f91c493b89aa01ac73c44d241a31245b5bc5542fa4b7317525e1dcfa60ba947b3d085e4e229456fdee0d8af6aac6a63cf750d807ea6fe5d853dff4a"'
-end
-
-gem 'ruby-saml-idp', '~> 0.3.3'
+gem 'stub_saml_idp'
 gem 'thin'
 
-insert_into_file('Gemfile', after: /\z/) {
-  <<-GEMFILE
-# Lock down versions of gems for older versions of Ruby
-if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-  gem 'devise', '~> 3.5'
-  gem 'nokogiri', '~> 1.6.8'
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+  gem 'net-smtp', require: false
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
 end
-  GEMFILE
-}
 
 route "get '/saml/auth' => 'saml_idp#new'"
 route "post '/saml/auth' => 'saml_idp#create'"

data/spec/support/rails_app.rb

@@ -19,7 +19,7 @@ end
 
 def create_app(name, env = {})
   puts "[#{name}] Creating Rails app"
-  rails_new_options = %w[-T -J -S --skip-spring --skip-listen --skip-bootsnap]
+  rails_new_options = %w[-A -G -C -T -J -S --skip-spring --skip-listen --skip-bootsnap --skip-action-mailbox --skip-jbuilder --skip-active-storage]
   rails_new_options << "-O" if name == "idp"
   env.merge!("RUBY_SAML_VERSION" => OneLogin::RubySaml::VERSION)
   Dir.chdir(working_directory) do

data/spec/support/saml_idp_controller.rb.erb

@@ -1,4 +1,4 @@
-class SamlIdpController < SamlIdp::IdpController
+class SamlIdpController < StubSamlIdp::IdpController
   def new
     if session[:user_id]
       @saml_response = idp_make_saml_response(session[:user_id])
@@ -79,13 +79,8 @@ class SamlIdpController < SamlIdp::IdpController
   end
 
   # == SLO functionality, see https://github.com/lawrencepit/ruby-saml-idp/pull/10
-  <% if Rails::VERSION::MAJOR < 5 %>
-  skip_before_filter :validate_saml_request, :only => [:logout, :sp_sign_out]
-  before_filter :validate_saml_slo_request, :only => [:logout]
-  <% else %>
   skip_before_action :validate_saml_request, :only => [:logout, :sp_sign_out]
   before_action :validate_saml_slo_request, :only => [:logout]
-  <% end %>
 
   public
 

data/spec/support/sp_template.rb

@@ -10,25 +10,16 @@ idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', '"DeviseSamlAuthenticat
 saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
 ruby_saml_version = ENV.fetch("RUBY_SAML_VERSION")
 
-if Rails::VERSION::MAJOR < 5 || (Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR < 2)
-  gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
-end
-
 gem 'devise_saml_authenticatable', path: File.expand_path("../../..", __FILE__)
 gem 'ruby-saml', ruby_saml_version
 gem 'thin'
 
-insert_into_file('Gemfile', after: /\z/) {
-  <<-GEMFILE
-# Lock down versions of gems for older versions of Ruby
-if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-  gem 'devise', '~> 3.5'
-  gem 'nokogiri', '~> 1.6.8'
-elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-  gem 'responders', '~> 2.4'
+if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new("3.1")
+  gem 'net-smtp', require: false
+  gem 'net-imap', require: false
+  gem 'net-pop', require: false
 end
-  GEMFILE
-}
+
 if Rails::VERSION::MAJOR < 6
   # sqlite3 is hard-coded in Rails < 6 to v1.3.x
   gsub_file 'Gemfile', /^gem 'sqlite3'.*$/, "gem 'sqlite3', '~> 1.3.6'"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-03 00:00:00.000000000 Z
+date: 2022-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -48,6 +48,7 @@ files:
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
+- ".ruby-version"
 - Gemfile
 - LICENSE
 - README.md
@@ -78,11 +79,9 @@ files:
 - spec/rails_helper.rb
 - spec/routes/routes_spec.rb
 - spec/spec_helper.rb
-- spec/support/Gemfile.rails4
-- spec/support/Gemfile.rails5
-- spec/support/Gemfile.rails5.1
 - spec/support/Gemfile.rails5.2
 - spec/support/Gemfile.rails6
+- spec/support/Gemfile.rails6.1
 - spec/support/attribute-map.yml
 - spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb
@@ -112,7 +111,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.3
 signing_key:
 specification_version: 4
 summary: SAML Authentication for devise
@@ -128,11 +127,9 @@ test_files:
 - spec/rails_helper.rb
 - spec/routes/routes_spec.rb
 - spec/spec_helper.rb
-- spec/support/Gemfile.rails4
-- spec/support/Gemfile.rails5
-- spec/support/Gemfile.rails5.1
 - spec/support/Gemfile.rails5.2
 - spec/support/Gemfile.rails6
+- spec/support/Gemfile.rails6.1
 - spec/support/attribute-map.yml
 - spec/support/attribute_map_resolver.rb.erb
 - spec/support/idp_settings_adapter.rb.erb

data/spec/support/Gemfile.rails4

@@ -1,41 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
-gemspec path: '../..'
-
-group :test do
-  gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 4.0'
-  gem 'rspec-rails', '~> 3.9'
-  gem 'sqlite3', '~> 1.3.6'
-  gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'rake', '~> 12.2'
-  else
-    gem 'rake'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'devise', '~> 3.5'
-    gem 'minitest', '~> 5.11.0'
-    gem 'nokogiri', '~> 1.6.8'
-    gem 'public_suffix', '~> 2.0.5'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'responders', '~> 1.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'responders', '~> 2.0'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.2")
-    gem 'byebug', '~> 9.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
-    gem 'byebug', '~> 10.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'byebug', '~> 11.0.0'
-  end
-end

data/spec/support/Gemfile.rails5

@@ -1,25 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
-gemspec path: '../..'
-
-group :test do
-  gem 'rake'
-  gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.0.0'
-  gem 'rspec-rails', '~> 3.9'
-  gem 'sqlite3', '~> 1.3.6'
-  gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'responders', '~> 2.4'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
-    gem 'byebug', '~> 10.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'byebug', '~> 11.0.0'
-  end
-end

data/spec/support/Gemfile.rails5.1

@@ -1,25 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
-gemspec path: '../..'
-
-group :test do
-  gem 'rake'
-  gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.1.0'
-  gem 'rspec-rails', '~> 3.9'
-  gem 'sqlite3', '~> 1.3.6'
-  gem 'capybara'
-  gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'responders', '~> 2.4'
-  end
-
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.3")
-    gem 'byebug', '~> 10.0'
-  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.4")
-    gem 'byebug', '~> 11.0.0'
-  end
-end