devise_saml_authenticatable 1.8.0 → 1.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2b6dd7d4f718cf0df20aff218f90f1eac720279e4ff5afe6aedef20f84a14fd
-  data.tar.gz: 5efc5fa9d89ee10eb6328261b6b870ce580dbe7cd48cedbe8dd609786c5c9f84
+  metadata.gz: d503c9931a5af5182f1f6910dcfc548d692fcc3e45ad2fb464b3931c4791ac59
+  data.tar.gz: 6da638f28754c2a8f9d44d38a8a61f0796b04e023e0dba8d845fb60bc004bebe
 SHA512:
-  metadata.gz: 70c0b6c4e5f6ec2b7f4a421c898c493cb34aef837c119e126d1b557640f685c1c35ad7cddaf94de3598601fe691563fa2984297010b4ac96f539609c8fa55f95
-  data.tar.gz: ca3d854ab1bd6b84d3a7d2225feb926f9fbc2d6df5c546c975d5773e8bdd8254d5ce544dd08f6c32a0db29e15f9f4aa3bbc38bee1dbdf491d9e92826b00c760b
+  metadata.gz: 1d44c5c95a396f22008c33b4636fd201c6d6ec71a5193909bb6cc1aa59f660301831cada23e589b05ed52260d8a1a2e42a7442a72757f821ef6ede752a26554e
+  data.tar.gz: '0603740818f257bc90e63f4732c59c6d8a686e0d28c9dedb6cf8ce877a06234e51d39376602d105660e3e25744dfe0163dec931b436ec3bfbe9aabbf06167e36'

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -12,6 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - "3.2"
           - "3.1"
           - "3.0"
           - "2.7"
@@ -39,11 +40,20 @@ jobs:
           - ruby: "3.1"
             gemfile: spec/support/Gemfile.rails6
             bundler: "2"
+          - ruby: "3.2"
+            gemfile: spec/support/Gemfile.rails5.2
+            bundler: "2"
+          - ruby: "3.2"
+            gemfile: spec/support/Gemfile.rails6
+            bundler: "2"
+          - ruby: "3.2"
+            gemfile: spec/support/Gemfile.rails6.1
+            bundler: "2"
     runs-on: ubuntu-latest
     env:
       BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: ruby/setup-ruby@v1
         with:
           bundler: ${{ matrix.bundler }}

data/README.md

@@ -72,11 +72,42 @@ In `config/initializers/devise.rb`:
     # ==> Configuration for :saml_authenticatable
 
     # Create user if the user does not exist. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_create_user = true
 
     # Update the attributes of the user after a successful login. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_update_user = true
 
+    # Lambda that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
+    # Receives the model object, saml_response and auth_value, and defines how the object's values are
+    # updated with regards to the SAML response. 
+    # config.saml_update_resource_hook = -> (user, saml_response, auth_value) {
+    #   saml_response.attributes.resource_keys.each do |key|
+    #     user.send "#{key}=", saml_response.attribute_value_by_resource_key(key)
+    #   end
+    #
+    #   if (Devise.saml_use_subject)
+    #     user.send "#{Devise.saml_default_user_key}=", auth_value
+    #   end
+    #
+    #   user.save!
+    # }
+
+    # Lambda that is called to resolve the saml_response and auth_value into the correct user object.
+    # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+    # one instance of the provided model that is the matched account, or nil if none exists.
+    # config.saml_resource_locator = -> (model, saml_response, auth_value) {
+    #   model.where(Devise.saml_default_user_key => auth_value).first
+    # }
+    
+
     # Set the default user key. The user will be looked up by this key. Make
     # sure that the Authentication Response includes the attribute.
     config.saml_default_user_key = :email
@@ -89,8 +120,8 @@ In `config/initializers/devise.rb`:
     # If you don't set it then email will be extracted from SAML assertion attributes.
     config.saml_use_subject = true
 
-    # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
-    # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    # You can implement IdP settings with the options to support multiple IdPs and use the request object by setting this value to the name of a class that implements a ::settings method
+    # which takes an IdP entity id and a request object as arguments and returns a hash of idp settings for the corresponding IdP.
     # config.idp_settings_adapter = "MyIdPSettingsAdapter"
 
     # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
@@ -120,7 +151,7 @@ In `config/initializers/devise.rb`:
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-      settings.issuer                             = "http://localhost:3000/saml/metadata"
+      settings.sp_entity_id                       = "http://localhost:3000/saml/metadata"
       settings.authn_context                      = ""
       settings.idp_slo_service_url                = "http://localhost/simplesaml/www/saml2/idp/SingleLogoutService.php"
       settings.idp_sso_service_url                = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
@@ -194,20 +225,22 @@ If you only have one IdP, you can use the config file above, or just return a si
   end
 ```
 
-## Supporting Multiple IdPs
+## IdP Settings Adapter
+
+Implementing a custom settings adapter allows you to support multiple Identity Providers, and dynamic application domains with the request object.
 
-If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
+You can implement an adapter class with a `#settings` method. It must take two arguments (idp_entity_id, request) and return a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
 
 ```ruby
 class IdPSettingsAdapter
-  def self.settings(idp_entity_id)
+  def self.settings(idp_entity_id, request)
     case idp_entity_id
     when "http://www.example_idp_entity_id.com"
       {
-        assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
+        assertion_consumer_service_url: "#{request.protocol}#{request.host_with_port}/users/saml/auth",
         assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-        issuer: "http://localhost:3000/saml/metadata",
+        sp_entity_id: "#{request.protocol}#{request.host_with_port}/saml/metadata",
         idp_entity_id: "http://www.example_idp_entity_id.com",
         authn_context: "",
         idp_slo_service_url: "http://example_idp_slo_service_url.com",
@@ -219,7 +252,7 @@ class IdPSettingsAdapter
         assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
         assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-        issuer: "http://localhost:3000/saml/metadata",
+        sp_entity_id: "http://localhost:3000/saml/metadata",
         idp_entity_id: "http://www.another_idp_entity_id.biz",
         authn_context: "",
         idp_slo_service_url: "http://another_idp_slo_service_url.com",

data/app/controllers/devise/saml_sessions_controller.rb

@@ -8,22 +8,22 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
   def new
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Authrequest.new
+    auth_request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
-    action = request.create(saml_config(idp_entity_id), auth_params || {})
-    session[:saml_transaction_id] = request.request_id if request.respond_to?(:request_id)
+    action = auth_request.create(saml_config(idp_entity_id, request), auth_params || {})
+    session[:saml_transaction_id] = auth_request.request_id if auth_request.respond_to?(:request_id)
     redirect_to action, allow_other_host: true
   end
 
   def metadata
     idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render xml: meta.generate(saml_config(idp_entity_id))
+    render xml: meta.generate(saml_config(idp_entity_id, request))
   end
 
   def idp_sign_out
     if params[:SAMLRequest] && Devise.saml_session_index_key
-      saml_config = saml_config(get_idp_entity_id(params))
+      saml_config = saml_config(get_idp_entity_id(params), request)
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
@@ -63,8 +63,8 @@ class Devise::SamlSessionsController < Devise::SessionsController
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Logoutrequest.new
-    saml_settings = saml_config(idp_entity_id).dup
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    saml_settings = saml_config(idp_entity_id, request).dup
 
     # Add attributes to saml_settings which will later be used to create the SP
     # initiated logout request
@@ -73,7 +73,7 @@ class Devise::SamlSessionsController < Devise::SessionsController
       saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
     end
 
-    request.create(saml_settings)
+    logout_request.create(saml_settings)
   end
 
   # Overried devise: if user is signed out, not create the SP initiated logout request,

data/devise_saml_authenticatable.gemspec

@@ -6,7 +6,7 @@ Gem::Specification.new do |gem|
   gem.email         = ["Josef.Sauter@gmail.com"]
   gem.description   = %q{SAML Authentication for devise}
   gem.summary       = %q{SAML Authentication for devise }
-  gem.homepage      = ""
+  gem.homepage      = "https://github.com/apokalipto/devise_saml_authenticatable"
   gem.license     = "MIT"
 
   gem.files         = `git ls-files`.split($\)
@@ -16,6 +16,7 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = DeviseSamlAuthenticatable::VERSION
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.required_ruby_version = ">= 2.6.0"
 
   gem.add_dependency("devise","> 2.0.0")
   gem.add_dependency("ruby-saml","~> 1.7")

data/lib/devise_saml_authenticatable/model.rb

@@ -55,8 +55,11 @@ module Devise
             end
           end
 
+          create_user = if Devise.saml_create_user.respond_to?(:call) then Devise.saml_create_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_create_user
+                        end
           if resource.nil?
-            if Devise.saml_create_user
+            if create_user
               logger.info("Creating user(#{auth_value}).")
               resource = new
             else
@@ -65,7 +68,10 @@ module Devise
             end
           end
 
-          if Devise.saml_update_user || (resource.new_record? && Devise.saml_create_user)
+          update_user = if Devise.saml_update_user.respond_to?(:call) then Devise.saml_update_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_update_user
+                        end
+          if update_user || (resource.new_record? && create_user)
             Devise.saml_update_resource_hook.call(resource, decorated_response, auth_value)
           end
 

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -1,9 +1,9 @@
 require 'ruby-saml'
 module DeviseSamlAuthenticatable
   module SamlConfig
-    def saml_config(idp_entity_id = nil)
+    def saml_config(idp_entity_id = nil, request = nil)
       return file_based_config if file_based_config
-      return adapter_based_config(idp_entity_id) if Devise.idp_settings_adapter
+      return adapter_based_config(idp_entity_id, request) if Devise.idp_settings_adapter
 
       Devise.saml_config
     end
@@ -14,15 +14,21 @@ module DeviseSamlAuthenticatable
       return @file_based_config if @file_based_config
       idp_config_path = "#{Rails.root}/config/idp.yml"
 
-      if File.exists?(idp_config_path)
+      if File.exist?(idp_config_path)
         @file_based_config ||= OneLogin::RubySaml::Settings.new(YAML.load(File.read(idp_config_path))[Rails.env])
       end
     end
 
-    def adapter_based_config(idp_entity_id)
+    def adapter_based_config(idp_entity_id, request)
       config = Marshal.load(Marshal.dump(Devise.saml_config))
 
-      idp_settings_adapter.settings(idp_entity_id).each do |k,v|
+      if idp_settings_adapter.method(:settings).parameters.length == 1
+        settings = idp_settings_adapter.settings(idp_entity_id)
+      else
+        settings = idp_settings_adapter.settings(idp_entity_id, request)
+      end
+
+      settings.each do |k,v|
         acc = "#{k.to_s}=".to_sym
 
         if config.respond_to? acc

data/lib/devise_saml_authenticatable/strategy.rb

@@ -65,7 +65,7 @@ module Devise
 
       def response_options
         options = {
-          settings: saml_config(get_idp_entity_id(params)),
+          settings: saml_config(get_idp_entity_id(params), request),
           allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
         }
 

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.8.0"
+  VERSION = "1.9.1"
 end

data/lib/devise_saml_authenticatable.rb

@@ -29,10 +29,20 @@ module Devise
   @@saml_logger = true
 
   # Add valid users to database
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == Admin
+  # end
   mattr_accessor :saml_create_user
   @@saml_create_user = false
 
   # Update user attributes after login
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == User
+  # end
   mattr_accessor :saml_update_user
   @@saml_update_user = false
 

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -40,7 +40,7 @@ describe Devise::SamlSessionsController, type: :controller do
       assertion_consumer_service_url: 'acs_url',
       assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
       name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-      issuer: 'sp_issuer',
+      sp_entity_id: 'sp_issuer',
       idp_entity_id: 'http://www.example.com',
       authn_context: '',
       idp_cert: 'idp_cert'
@@ -102,7 +102,7 @@ describe Devise::SamlSessionsController, type: :controller do
       it 'uses the DefaultIdpEntityIdReader' do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
-        expect(idp_providers_adapter).to have_received(:settings).with(nil)
+        expect(idp_providers_adapter).to have_received(:settings).with(nil, request)
       end
 
       context 'with a relay_state lambda defined' do
@@ -137,7 +137,7 @@ describe Devise::SamlSessionsController, type: :controller do
 
         it 'redirects to the associated IdP SSO target url' do
           do_get
-          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
           expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
         end
       end
@@ -167,7 +167,7 @@ describe Devise::SamlSessionsController, type: :controller do
           settings.assertion_consumer_service_url = 'http://localhost:3000/users/saml/auth'
           settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
           settings.name_identifier_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
-          settings.issuer = 'http://localhost:3000'
+          settings.sp_entity_id = 'http://localhost:3000'
         end
       end
 
@@ -305,7 +305,7 @@ describe Devise::SamlSessionsController, type: :controller do
           it 'redirects to the associated IdP SLO target url' do
             do_delete
             expect(controller).to have_received(:sign_out)
-            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
             expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
           end
         end
@@ -385,7 +385,7 @@ describe Devise::SamlSessionsController, type: :controller do
         it 'accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in' do
           do_post
           expect(response.status).to eq 302
-          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
+          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id, request)
           expect(response).to redirect_to 'http://localhost/logout_response'
         end
       end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -64,12 +64,12 @@ describe Devise::Models::SamlAuthenticatable do
 
   it "looks up the user by the configured default user key" do
     user = Model.new(new_record: false)
-    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+    expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
     expect(Model.authenticate_with_saml(response, nil)).to eq(user)
   end
 
   it "returns nil if it cannot find a user" do
-    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+    expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
     expect(Model.authenticate_with_saml(response, nil)).to be_nil
   end
 
@@ -83,12 +83,12 @@ describe Devise::Models::SamlAuthenticatable do
 
     it "looks up the user by the configured default user key" do
       user = Model.new(new_record: false)
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
       expect(Model.authenticate_with_saml(response, nil)).to eq(user)
     end
 
     it "returns nil if it cannot find a user" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
@@ -98,7 +98,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "creates and returns a new user with the name identifier and given attributes" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
         model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
@@ -106,6 +106,32 @@ describe Devise::Models::SamlAuthenticatable do
       end
     end
 
+    context "when configured to create a user by a proc and the user is not found" do
+      before do
+        create_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "creates and returns a new user with the name identifier and given attributes" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_create@example.com' }
+
+        it "does not creates new user" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([])
+          expect(Model.authenticate_with_saml(response, nil)).to be_nil
+        end
+      end
+    end
+
     context "when configured to update a user and the user is found" do
       before do
         allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -113,22 +139,53 @@ describe Devise::Models::SamlAuthenticatable do
 
       it "creates and returns a new user with the name identifier and given attributes" do
         user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         model = Model.authenticate_with_saml(response, nil)
         expect(model.email).to eq('user@example.com')
         expect(model.name).to  eq('A User')
         expect(model.saved).to be(true)
       end
     end
+
+    context "when configured to update a user by a proc and the user is found" do
+      let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+
+      before do
+        update_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "updates user with given attributes" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_update@example.com' }
+
+        it "does not update user" do
+          expect(Model).to receive(:where).with({ email: name_id }).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('old_mail@mail.com')
+          expect(model.name).to  eq('old name')
+        end
+      end
+    end
   end
 
+
   context "when configured to create an user and the user is not found" do
     before do
       allow(Devise).to receive(:saml_create_user).and_return(true)
     end
 
     it "creates and returns a new user with the given attributes" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
@@ -136,19 +193,48 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to create a user by a proc and the user is not found" do
+    let(:create_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_create_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "creates and returns a new user with the name identifier and given attributes" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not creates new user" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
   context "when configured to update an user" do
     before do
       allow(Devise).to receive(:saml_update_user).and_return(true)
     end
 
     it "returns nil if the user is not found" do
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       expect(Model.authenticate_with_saml(response, nil)).to be_nil
     end
 
     it "updates the attributes if the user is found" do
       user = Model.new(email: "old_mail@mail.com", name: "old name", new_record: false)
-      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
       model = Model.authenticate_with_saml(response, nil)
       expect(model.email).to eq('user@example.com')
       expect(model.name).to  eq('A User')
@@ -156,6 +242,38 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to update a user by a proc and the user is found" do
+    let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+    let(:update_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_update_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "updates user with given attributes" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not update user" do
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('old_mail@mail.com')
+        expect(model.name).to  eq('old name')
+      end
+    end
+  end
+
   context "when configured with a case-insensitive key" do
     shared_examples "correct downcasing" do
       before do
@@ -164,7 +282,7 @@ describe Devise::Models::SamlAuthenticatable do
 
       it "looks up the user with a downcased value" do
         user = Model.new(new_record: false)
-        expect(Model).to receive(:where).with(email: 'upper@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'upper@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -202,7 +320,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns the user" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -213,7 +331,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns nil" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to be_nil
       end
     end
@@ -236,7 +354,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns the user" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to eq(user)
       end
     end
@@ -247,7 +365,7 @@ describe Devise::Models::SamlAuthenticatable do
       end
 
       it "returns nil" do
-        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([user])
         expect(Model.authenticate_with_saml(response, nil)).to be_nil
       end
     end
@@ -294,7 +412,7 @@ describe Devise::Models::SamlAuthenticatable do
     end
 
     def configure_hook(&block)
-      allow(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      allow(Model).to receive(:where).with({ email: 'user@example.com' }).and_return([])
       allow(Devise).to receive(:saml_default_user_key).and_return(:email)
       allow(Devise).to receive(:saml_create_user).and_return(true)
       allow(Devise).to receive(:saml_update_resource_hook).and_return(block)
@@ -305,7 +423,7 @@ describe Devise::Models::SamlAuthenticatable do
     let(:name_id) { 'SomeUsername' }
 
     it "can replicate the default behaviour for a new user in a custom locator" do
-      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([])
+      allow(Model).to receive(:where).with({ email: attributes['saml-email-format'] }).and_return([])
 
       configure_hook do |model, saml_response, auth_value|
         Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
@@ -321,7 +439,7 @@ describe Devise::Models::SamlAuthenticatable do
       user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
       user.save!
 
-      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([user])
+      allow(Model).to receive(:where).with({ email: attributes['saml-email-format'] }).and_return([user])
 
       configure_hook do |model, saml_response, auth_value|
         Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
@@ -335,7 +453,7 @@ describe Devise::Models::SamlAuthenticatable do
     end
 
     it "can change the default behaviour for a new user from the saml response" do
-      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([])
+      allow(Model).to receive(:where).with({ foo: attributes['saml-email-format'], bar: name_id }).and_return([])
 
       configure_hook do |model, saml_response, auth_value|
         name_id = saml_response.raw_response.name_id
@@ -352,7 +470,7 @@ describe Devise::Models::SamlAuthenticatable do
       user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
       user.save!
 
-      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([user])
+      allow(Model).to receive(:where).with({ foo: attributes['saml-email-format'], bar: name_id }).and_return([user])
 
       configure_hook do |model, saml_response, auth_value|
         name_id = saml_response.raw_response.name_id

data/spec/devise_saml_authenticatable/saml_config_spec.rb

@@ -10,7 +10,7 @@ describe DeviseSamlAuthenticatable::SamlConfig do
   context "when config/idp.yml does not exist" do
     before do
       allow(Rails).to receive(:root).and_return("/railsroot")
-      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(false)
+      allow(File).to receive(:exist?).with("/railsroot/config/idp.yml").and_return(false)
     end
 
     it "is the global devise SAML config" do
@@ -38,7 +38,7 @@ describe DeviseSamlAuthenticatable::SamlConfig do
                 assertion_consumer_service_url: "acs_url",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-                issuer: "sp_issuer",
+                sp_entity_id: "sp_issuer",
                 idp_entity_id: "http://www.example.com",
                 authn_context: "",
                 idp_cert: "idp_cert"
@@ -60,7 +60,7 @@ describe DeviseSamlAuthenticatable::SamlConfig do
                 assertion_consumer_service_url: "acs_url_other",
                 assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST_other",
                 name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress_other",
-                issuer: "sp_issuer_other",
+                sp_entity_id: "sp_issuer_other",
                 idp_entity_id: "http://www.example.com_other",
                 authn_context: "_other",
                 idp_cert: "idp_cert_other"
@@ -134,7 +134,7 @@ environment:
   idp_cert_fingerprint: idp_cert_fingerprint
   idp_cert_fingerprint_algorithm: idp_cert_fingerprint_algorithm
   idp_entity_id: idp_entity_id
-  issuer: issuer
+  sp_entity_id: issuer
   name_identifier_format: name_identifier_format
   name_identifier_value: name_identifier_value
   passive: passive
@@ -156,7 +156,7 @@ TARGET_URLS
     before do
       allow(Rails).to receive(:env).and_return("environment")
       allow(Rails).to receive(:root).and_return("/railsroot")
-      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(true)
+      allow(File).to receive(:exist?).with("/railsroot/config/idp.yml").and_return(true)
       allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(idp_yaml)
     end
 
@@ -185,7 +185,7 @@ TARGET_URLS
         expect(saml_config.idp_slo_target_url).to eq('idp_slo_service_url')
         expect(saml_config.idp_sso_target_url).to eq('idp_sso_service_url')
       })
-      expect(saml_config.issuer).to eq('issuer')
+      expect(saml_config.sp_entity_id).to eq('issuer')
       expect(saml_config.name_identifier_format).to eq('name_identifier_format')
       expect(saml_config.name_identifier_value).to eq('name_identifier_value')
       expect(saml_config.passive).to eq('passive')

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -56,12 +56,12 @@ describe Devise::Strategies::SamlAuthenticatable do
     context "when saml config uses an idp_adapter" do
       let(:idp_providers_adapter) {
         Class.new {
-          def self.settings(idp_entity_id)
+          def self.settings(idp_entity_id, request)
             base = {
-              assertion_consumer_service_url: "acs_url",
+              assertion_consumer_service_url: "acs url",
               assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
               name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-              issuer: "sp_issuer",
+              sp_entity_id: "sp_issuer",
               idp_entity_id: "http://www.example.com",
               authn_context: "",
               idp_cert: "idp_cert"
@@ -93,7 +93,7 @@ describe Devise::Strategies::SamlAuthenticatable do
 
       it "authenticates with the response for the corresponding idp" do
         expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
-        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id)
+        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id, anything)
         expect(user_class).to receive(:authenticate_with_saml).with(response, params[:RelayState])
         expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 

data/spec/support/idp_settings_adapter.rb.erb

@@ -5,7 +5,7 @@ class IdpSettingsAdapter
         assertion_consumer_service_url: "http://localhost:8020/users/saml/auth",
         assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-        issuer: "sp_issuer",
+        sp_entity_id: "sp_issuer",
         idp_entity_id: "http://localhost:8020/saml/metadata",
         authn_context: "",
         idp_cert_fingerprint: "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"

data/spec/support/sp_template.rb

@@ -83,7 +83,7 @@ after_bundle do
 
   config.saml_configure do |settings|
     settings.assertion_consumer_service_url = "http://localhost:8020/users/saml/auth"
-    settings.issuer = "http://localhost:8020/saml/metadata"
+    settings.sp_entity_id = "http://localhost:8020/saml/metadata"
     settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
     settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.1
 platform: ruby
 authors:
 - Josef Sauter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-19 00:00:00.000000000 Z
+date: 2023-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -45,6 +45,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
@@ -92,7 +93,7 @@ files:
 - spec/support/saml_idp-saml_slo_post.html.erb
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
-homepage: ''
+homepage: https://github.com/apokalipto/devise_saml_authenticatable
 licenses:
 - MIT
 metadata: {}
@@ -104,14 +105,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: SAML Authentication for devise