RubyGems - devise_saml_authenticatable - Versions diffs - 0.0.2 → 0.1.0 - Mend

devise_saml_authenticatable 0.0.2 → 0.1.0

Files changed (26) hide show

checksums.yaml +7 -0
data/.gitignore +3 -2
data/.rspec +2 -0
data/.travis.yml +18 -0
data/Gemfile +10 -0
data/README.md +60 -47
data/Rakefile +6 -0
data/app/controllers/devise/saml_sessions_controller.rb +2 -0
data/devise_saml_authenticatable.gemspec +2 -1
data/lib/devise_saml_authenticatable.rb +11 -5
data/lib/devise_saml_authenticatable/model.rb +20 -12
data/lib/devise_saml_authenticatable/saml_config.rb +7 -1
data/lib/devise_saml_authenticatable/strategy.rb +4 -4
data/lib/devise_saml_authenticatable/version.rb +1 -1
data/spec/controllers/devise/saml_sessions_controller_spec.rb +30 -0
data/spec/devise_saml_authenticatable/model_spec.rb +118 -0
data/spec/devise_saml_authenticatable/saml_config_spec.rb +100 -0
data/spec/devise_saml_authenticatable/strategy_spec.rb +64 -0
data/spec/features/saml_authentication_spec.rb +71 -0
data/spec/rails_helper.rb +15 -0
data/spec/spec_helper.rb +22 -0
data/spec/support/idp_template.rb +10 -0
data/spec/support/rails_app.rb +57 -0
data/spec/support/saml_idp_controller.rb.erb +54 -0
data/spec/support/sp_template.rb +57 -0
metadata +37 -19

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 69aceb045d8de7ed6acd66fd027fdabfe8da4f89
+  data.tar.gz: def4131da232ae9818379b35750b686a77e61d78
+SHA512:
+  metadata.gz: 5a8c183ecbe7dcda723e6fa459056de365390de80baf3c587719ebdf40df07741e89de14355c5b0c623755371ee0473c6be729b1dd5d044d00da7474d87a4b12
+  data.tar.gz: 5b3b63caf790992b2263e6ccceec1570df0af4e207c42e8d89c5eeb1726740195dd28ae4e90e2823dbf1f6d47b880fa71de338ec75f35fd550012791a3df8406

data/.gitignore CHANGED Viewed

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.idea/
 .yardoc
 Gemfile.lock
 InstalledFiles
@@ -12,6 +13,6 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
-test/tmp
-test/version_tmp
+spec/support/idp/
+spec/support/sp/
 tmp

data/.rspec ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ --color
2	+ --require spec_helper

data/.travis.yml ADDED Viewed

@@ -0,0 +1,18 @@
+language: ruby
+rvm:
+  - "1.9.3"
+  - "2.0.0"
+  - "2.1.0"
+  - "2.2.0"
+script:
+  - xvfb-run bundle exec rake
+notifications:
+  hipchat:
+    rooms:
+      secure: eWahLFbtvZaJgulhDdnmbIxtSnl2lGR4zHqcJ6d7ExG0HzfxzCknHkau4YfqhANRa3+e66F4rCNoU3+db1EKE5jij7+oIOgRHAmVwLi9WRswzb7NQfWV0/PyUjdF6T7Ac/sfQRkFIDTUL2npYMr2zTQnjDcYrT7e0IkRxNA3VXWogzhqnC4sXKLr8j9zLLw5BdFfELcJD021Rpd7O1EmAt+hahxaJCipyXV2l/kDANR24jnlXgaQn8HJwgRXsBARAQe1QgApnrmbqnGnWc4T1GbI7kExsKGCUbHxYBOp+99m25T6MK66xnvRltwKaUeMXuUyWRZtmAV3LlbACRMX3n5qkDqg8P2OPNvWWua84hkRmUNUska7YrSLX7aCWvGfA6Vr1INnsueLl5sYjHhHZnaS8Wl0iC9ltxBUY4ikg1QlHSghXFQvMC5UAROJ2x7BHGV3kDRTc52ZLdy5BDuJrf/OFEhpuTp+HQALmEKkcJKFUdBn8Cu20wF0pF8o5XvYnSozuqytJKP+b/3+U0X4SEYqbkYCi/PcSnXTtSTIl0+7uxmEBCwPKpXRkkCfVsLqIVUkyVj1d1qIxG8Zbikn5NxK6USV5+Zl4KTDFUVD4r4T8fXCV09+8q0t/uyVjCDv3g1vGRcHvxQyDiLrs7q4DL3GNQY3trrEQ6WneA8nsLw=
+    template:
+      - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
+    format: html
+    on_pull_requests: false

data/Gemfile CHANGED Viewed

@@ -2,3 +2,13 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in devise_saml_authenticatable.gemspec
 gemspec
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails'
+  gem 'rspec-rails'
+  gem 'sqlite3'
+  gem 'capybara-webkit'
+end

data/README.md CHANGED Viewed

@@ -1,6 +1,8 @@
+[![Build Status](https://travis-ci.org/apokalipto/devise_saml_authenticatable.svg?branch=master)](https://travis-ci.org/apokalipto/devise_saml_authenticatable)
 # DeviseSamlAuthenticatable
-Devise Saml Authenticatable is a Single-Sign-On authentication strategy for devise that relies on SAML. It uses [ruby-saml](https://github.com/onelogin/ruby-saml) to handle all SAML related stuff.
+Devise Saml Authenticatable is a Single-Sign-On authentication strategy for devise that relies on SAML.
+It uses [ruby-saml][] to handle all SAML related stuff.
 ## Installation
@@ -18,7 +20,8 @@ Or install it yourself as:
 ## Usage
-In app/models/<YOUR_MODEL>.rb set the :saml_authenticatable strategy. In the example the model is user.rb
+In `app/models/<YOUR_MODEL>.rb` set the `:saml_authenticatable` strategy.
+In the example the model is `user.rb`:
 ```ruby
   class User < ActiveRecord::Base
@@ -33,51 +36,52 @@ In config/initializers/devise.rb
 ```ruby
   Devise.setup do |config|
     ...
-    # ==> DeviseSamlAuthenticatable Configuration
+    # ==> Configuration for :saml_authenticatable
     # Create user if the user does not exist. (Default is false)
     config.saml_create_user = true
-    # Set the default user key (default is email). The user will be looked up by this key. Make sure that the Authentication Response includes
-    # the attribute
+    # Set the default user key. The user will be looked up by this key. Make
+    # sure that the Authentication Response includes the attribute.
     config.saml_default_user_key = :email
+    # You can set this value to use Subject or SAML assertation as info to which email will be compared
+    # If you don't set it then email will be extracted from SAML assertation attributes
+    config.saml_use_subject = true
+    # Configure with your SAML settings (see [ruby-saml][] for more information).
+    config.saml_configure do |settings|
+      settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
+      settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+      settings.issuer                             = "http://localhost:3000"
+      settings.authn_context                      = ""
+      settings.idp_sso_target_url                 = "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
+      settings.idp_cert                           = <<-CERT.chomp
+-----BEGIN CERTIFICATE-----
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111_______IDP_CERTIFICATE________111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+1111111111111111111111111111111111111111111111111111111111111111
+111111111111111111
+-----END CERTIFICATE-----
+      CERT
+    end
   end
 ```
-In config directory, create a YAML file (idp.yml) with your SAML settings (see ruby-saml for more information). For example
-```ruby
-  # idp.yaml
-  development:
-    idp_metadata: ""
-    idp_metadata_ttl: ""
-    assertion_consumer_service_url: "http://localhost:3000/users/sign_in"
-    assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-    name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-    issuer: "http://localhost:3000"
-    authn_context: ""
-    idp_sso_target_url: "http://localhost/simplesaml/www/saml2/idp/SSOService.php"
-    idp_cert: |-
-      -----BEGIN CERTIFICATE-----
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111_______IDP_CERTIFICATE________111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      1111111111111111111111111111111111111111111111111111111111111111
-      111111111111111111
-      -----END CERTIFICATE-----
-```
-In config directory create a YAML file (attribute-map.yml) that maps SAML attributes with your model's fields
+In config directory create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
-```ruby
+```yaml
   # attribute-map.yml
   "urn:mace:dir:attribute-def:uid": "user_name"
@@ -86,18 +90,19 @@ In config directory create a YAML file (attribute-map.yml) that maps SAML attrib
   "urn:mace:dir:attribute-def:givenName": "name"
 ```
-The attribute mappings are very dependent on the way the IdP encodes the attributes. In this example the attributes are given in URN style. Other IdPs might provide them as OID's or other means.
+The attribute mappings are very dependent on the way the IdP encodes the attributes.
+In this example the attributes are given in URN style.
+Other IdPs might provide them as OID's or other means.
-You are now ready to test it against an IdP. When the user goes to /users/saml/sign_in he will be redirected to the login page of the IdP. Upon successful login the user is redirected to devise user_root_path.
+You are now ready to test it against an IdP.
+When the user goes to `/users/saml/sign_in` he will be redirected to the login page of the IdP.
+Upon successful login the user is redirected to devise `user_root_path`.
 ## Identity Provider
 If you don't have an identity provider an you would like to test the authentication against your app there are some options:
-1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp).
-You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
+1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
 2. Use an online service that can act as an IdP. Onelogin, Salesforce and some others provide you with this functionality
 3. Install your own IdP.
@@ -107,13 +112,21 @@ There are numerous IdPs that support SAML 2.0, there are propietary (like Micros
 ## Limitations
-1. At the moment there is no support for Single Logout (we're working on that)
+1. At the moment there is no support for Single Logout
 2. The Authentication Requests (from your app to the IdP) are not signed and encrypted
+## Thanks
+The continued maintenance of this gem could not have been possible without the hard work of [Adam Stegman](https://github.com/adamstegman) and [Mitch Lindsay](https://github.com/mitch-lindsay). Thank you guys for keeping this project alive.
+Thanks to all other contributors that have also helped us make this software better.
 ## Contributing
 1. Fork it
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+4. Run the tests (`bundle exec rspec`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request
+[ruby-saml]: https://github.com/onelogin/ruby-saml

data/Rakefile CHANGED Viewed

@@ -1,2 +1,8 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec)
+desc "Default: run tests"
+task :default => :spec

data/app/controllers/devise/saml_sessions_controller.rb CHANGED Viewed

@@ -4,6 +4,8 @@ class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
   unloadable if Rails::VERSION::MAJOR < 4
   before_filter :get_saml_config
+  skip_before_filter :verify_authenticity_token
   def new
     request = OneLogin::RubySaml::Authrequest.new
     action = request.create(@saml_config)

data/devise_saml_authenticatable.gemspec CHANGED Viewed

@@ -14,7 +14,8 @@ Gem::Specification.new do |gem|
   gem.name          = "devise_saml_authenticatable"
   gem.require_paths = ["lib"]
   gem.version       = DeviseSamlAuthenticatable::VERSION
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.add_dependency("devise","> 2.0.0")
   gem.add_dependency("ruby-saml",">= 0.8.2")
 end

data/lib/devise_saml_authenticatable.rb CHANGED Viewed

@@ -20,16 +20,22 @@ module Devise
   # Allow logging
   mattr_accessor :saml_logger
   @@saml_logger = true
   # Add valid users to database
   mattr_accessor :saml_create_user
   @@saml_create_user = false
-  mattr_accessor :saml_config
-  @@saml_config = "#{Rails.root}/config/saml.yml"
   mattr_accessor :saml_default_user_key
   @@saml_default_user_key
+  mattr_accessor :saml_use_subject
+  @@saml_use_subject
+  mattr_accessor :saml_config
+  @@saml_config = OneLogin::RubySaml::Settings.new
+  def self.saml_configure
+    yield saml_config
+  end
 end
 # Add saml_authenticatable strategy to defaults.

data/lib/devise_saml_authenticatable/model.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Devise
   module Models
     module SamlAuthenticatable
       extend ActiveSupport::Concern
       # Need to determine why these need to be included
       included do
         attr_reader :password, :current_password
@@ -26,37 +26,45 @@ module Devise
       module ClassMethods
         include DeviseSamlAuthenticatable::SamlConfig
-        def authenticate_with_saml(attributes)
+        def authenticate_with_saml(saml_response)
           key = Devise.saml_default_user_key
-          inv_attr = attribute_map.invert
-					auth_value = attributes[inv_attr[key.to_s]]
-					auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
+          attributes = saml_response.attributes
+          if (Devise.saml_use_subject)
+            auth_value = saml_response.name_id
+          else
+            inv_attr = attribute_map.invert
+            auth_value = attributes[inv_attr[key.to_s]]
+            auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
+          end
           resource = where(key => auth_value).first
           if (resource.nil? && !Devise.saml_create_user)
-            logger.info("User(#{attributes[inv_attr[key.to_s]]}) not found.  Not configured to create the user.")
+            logger.info("User(#{auth_value}) not found.  Not configured to create the user.")
             return nil
           end
-	        if (resource.nil? && Devise.saml_create_user)
-            logger.info("Creating user(#{attributes[inv_attr[key.to_s]]}).")
-	          resource = new
+          if (resource.nil? && Devise.saml_create_user)
+            logger.info("Creating user(#{auth_value}).")
+            resource = new
             set_user_saml_attributes(resource,attributes)
+            if (Devise.saml_use_subject)
+              resource.send "#{key}=", auth_value
+            end
             resource.save!
           end
           resource
-	      end
+        end
         def find_for_shibb_authentication(conditions)
           find_for_authentication(conditions)
         end
         def attribute_map
           @attribute_map ||= YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
         end
         private
         def set_user_saml_attributes(user,attributes)
           attribute_map.each do |k,v|
             Rails.logger.info "Setting: #{v}, #{attributes[k]}"

data/lib/devise_saml_authenticatable/saml_config.rb CHANGED Viewed

@@ -2,7 +2,13 @@ require 'ruby-saml'
 module DeviseSamlAuthenticatable
   module SamlConfig
     def get_saml_config
-      @saml_config = OneLogin::RubySaml::Settings.new(YAML.load(File.read("#{Rails.root}/config/idp.yml"))[Rails.env])
+      idp_config_path = "#{Rails.root}/config/idp.yml"
+      # Support 0.0.x-style configuration via a YAML file
+      if File.exists?(idp_config_path)
+        Devise.saml_config = OneLogin::RubySaml::Settings.new(YAML.load(File.read(idp_config_path))[Rails.env])
+      end
+      @saml_config = Devise.saml_config
     end
   end
 end

data/lib/devise_saml_authenticatable/strategy.rb CHANGED Viewed

@@ -8,22 +8,22 @@ module Devise
       end
       def authenticate!
         @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse])
-	      @response.settings = get_saml_config
-	      resource = mapping.to.authenticate_with_saml(@response.attributes)
+        @response.settings = get_saml_config
+        resource = mapping.to.authenticate_with_saml(@response)
         if @response.is_valid?
           success!(resource)
         else
           fail!(:invalid)
         end
       end
       # This method should turn off storage whenever CSRF cannot be verified.
       # Any known way on how to let the IdP send the CSRF token along with the SAMLResponse ?
       # Please let me know!
       def store?
         true
       end
     end
   end
 end

data/lib/devise_saml_authenticatable/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "0.0.2"
+  VERSION = "0.1.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require 'rails_helper'
+class Devise::SessionsController < ActionController::Base
+end
+require_relative '../../../app/controllers/devise/saml_sessions_controller'
+describe Devise::SamlSessionsController, type: :controller do
+  let(:saml_config) { Devise.saml_config }
+  describe '#new' do
+    it 'redirects to the SAML Auth Request endpoint' do
+      get :new
+      expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+    end
+  end
+  describe '#metadata' do
+    it "generates metadata" do
+      get :metadata
+      # Remove ID that can vary across requests
+      expected_metadata = OneLogin::RubySaml::Metadata.new.generate(saml_config)
+      metadata_pattern = Regexp.escape(expected_metadata).gsub(/ ID='[^']+'/, " ID='[\\w-]+'")
+      expect(response.body).to match(Regexp.new(metadata_pattern))
+    end
+  end
+end

data/spec/devise_saml_authenticatable/model_spec.rb ADDED Viewed

@@ -0,0 +1,118 @@
+require 'spec_helper'
+describe Devise::Models::SamlAuthenticatable do
+  class Model
+    include Devise::Models::SamlAuthenticatable
+    attr_accessor :email, :name, :saved
+    def save!
+      self.saved = true
+    end
+    # Fake out ActiveRecord and Devise API to satisfy verifiable mocks
+    class << self
+      def where(*args); end
+      def logger; end
+    end
+  end
+  before do
+    logger = double(:logger).as_null_object
+    allow(Model).to receive(:logger).and_return(logger)
+    allow(Rails).to receive(:logger).and_return(logger)
+  end
+  before do
+    allow(Devise).to receive(:saml_default_user_key).and_return(:email)
+    allow(Devise).to receive(:saml_create_user).and_return(false)
+    allow(Devise).to receive(:saml_use_subject).and_return(false)
+  end
+  before do
+    allow(Rails).to receive(:root).and_return("/railsroot")
+    allow(File).to receive(:read).with("/railsroot/config/attribute-map.yml").and_return(<<-ATTRIBUTEMAP)
+---
+"saml-email-format": email
+"saml-name-format":  name
+      ATTRIBUTEMAP
+  end
+  let(:response) { double(:response, attributes: attributes, name_id: name_id) }
+  let(:attributes) {
+    OneLogin::RubySaml::Attributes.new(
+      'saml-email-format' => ['user@example.com'],
+      'saml-name-format'  => ['A User'],
+    )
+  }
+  let(:name_id) { nil }
+  it "looks up the user by the configured default user key" do
+    user = double(:user)
+    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+    expect(Model.authenticate_with_saml(response)).to eq(user)
+  end
+  it "returns nil if it cannot find a user" do
+    expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+    expect(Model.authenticate_with_saml(response)).to be_nil
+  end
+  context "when configured to use the subject" do
+    let(:attributes) { OneLogin::RubySaml::Attributes.new('saml-name-format' => ['A User']) }
+    let(:name_id) { 'user@example.com' }
+    before do
+      allow(Devise).to receive(:saml_use_subject).and_return(true)
+    end
+    it "looks up the user by the configured default user key" do
+      user = double(:user)
+      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model.authenticate_with_saml(response)).to eq(user)
+    end
+    it "returns nil if it cannot find a user" do
+      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      expect(Model.authenticate_with_saml(response)).to be_nil
+    end
+    context "when configured to create a user and the user is not found" do
+      before do
+        allow(Devise).to receive(:saml_create_user).and_return(true)
+      end
+      it "creates and returns a new user with the name identifier and given attributes" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        model = Model.authenticate_with_saml(response)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+  end
+  context "when configured to create a user and the user is not found" do
+    before do
+      allow(Devise).to receive(:saml_create_user).and_return(true)
+    end
+    it "creates and returns a new user with the given attributes" do
+      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      model = Model.authenticate_with_saml(response)
+      expect(model.email).to eq('user@example.com')
+      expect(model.name).to  eq('A User')
+      expect(model.saved).to be(true)
+    end
+  end
+  context "when configured with a case-insensitive key" do
+    before do
+      allow(Devise).to receive(:case_insensitive_keys).and_return([:email])
+    end
+    it "looks up the user with a downcased value" do
+      user = double(:user)
+      expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+      expect(Model.authenticate_with_saml(response)).to eq(user)
+    end
+  end
+end

data/spec/devise_saml_authenticatable/saml_config_spec.rb ADDED Viewed

@@ -0,0 +1,100 @@
+require 'spec_helper'
+describe DeviseSamlAuthenticatable::SamlConfig do
+  subject(:saml_config) { controller.get_saml_config }
+  let(:controller) { Class.new { include DeviseSamlAuthenticatable::SamlConfig }.new }
+  # Replace global config since this test changes it
+  before do
+    @original_saml_config = Devise.saml_config
+  end
+  after do
+    Devise.saml_config = @original_saml_config
+  end
+  context "when config/idp.yml does not exist" do
+    before do
+      allow(Rails).to receive(:root).and_return("/railsroot")
+      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(false)
+    end
+    it "is the global devise SAML config" do
+      Devise.saml_configure do |settings|
+        settings.assertion_consumer_logout_service_binding = 'test'
+      end
+      expect(saml_config).to be(Devise.saml_config)
+      expect(saml_config.assertion_consumer_logout_service_binding).to eq('test')
+    end
+  end
+  context "when config/idp.yml exists" do
+    before do
+      allow(Rails).to receive(:env).and_return("environment")
+      allow(Rails).to receive(:root).and_return("/railsroot")
+      allow(File).to receive(:exists?).with("/railsroot/config/idp.yml").and_return(true)
+      allow(File).to receive(:read).with("/railsroot/config/idp.yml").and_return(<<-IDP)
+---
+environment:
+  assertion_consumer_logout_service_binding: assertion_consumer_logout_service_binding
+  assertion_consumer_logout_service_url: assertion_consumer_logout_service_url
+  assertion_consumer_service_binding: assertion_consumer_service_binding
+  assertion_consumer_service_url: assertion_consumer_service_url
+  attributes_index: attributes_index
+  authn_context: authn_context
+  authn_context_comparison: authn_context_comparison
+  authn_context_decl_ref: authn_context_decl_ref
+  certificate: certificate
+  compress_request: compress_request
+  compress_response: compress_response
+  double_quote_xml_attribute_values: double_quote_xml_attribute_values
+  force_authn: force_authn
+  idp_cert: idp_cert
+  idp_cert_fingerprint: idp_cert_fingerprint
+  idp_cert_fingerprint_algorithm: idp_cert_fingerprint_algorithm
+  idp_entity_id: idp_entity_id
+  idp_slo_target_url: idp_slo_target_url
+  idp_sso_target_url: idp_sso_target_url
+  issuer: issuer
+  name_identifier_format: name_identifier_format
+  name_identifier_value: name_identifier_value
+  passive: passive
+  private_key: private_key
+  protocol_binding: protocol_binding
+  security: security
+  sessionindex: sessionindex
+  sp_name_qualifier: sp_name_qualifier
+      IDP
+    end
+    it "stores the configured IdP settings" do
+      expect(saml_config.assertion_consumer_logout_service_binding).to eq('assertion_consumer_logout_service_binding')
+      expect(saml_config.assertion_consumer_logout_service_url).to eq('assertion_consumer_logout_service_url')
+      expect(saml_config.assertion_consumer_service_binding).to eq('assertion_consumer_service_binding')
+      expect(saml_config.assertion_consumer_service_url).to eq('assertion_consumer_service_url')
+      expect(saml_config.attributes_index).to eq('attributes_index')
+      expect(saml_config.authn_context).to eq('authn_context')
+      expect(saml_config.authn_context_comparison).to eq('authn_context_comparison')
+      expect(saml_config.authn_context_decl_ref).to eq('authn_context_decl_ref')
+      expect(saml_config.certificate).to eq('certificate')
+      expect(saml_config.compress_request).to eq('compress_request')
+      expect(saml_config.compress_response).to eq('compress_response')
+      expect(saml_config.double_quote_xml_attribute_values).to eq('double_quote_xml_attribute_values')
+      expect(saml_config.force_authn).to eq('force_authn')
+      expect(saml_config.idp_cert).to eq('idp_cert')
+      expect(saml_config.idp_cert_fingerprint).to eq('idp_cert_fingerprint')
+      expect(saml_config.idp_cert_fingerprint_algorithm).to eq('idp_cert_fingerprint_algorithm')
+      expect(saml_config.idp_entity_id).to eq('idp_entity_id')
+      expect(saml_config.idp_slo_target_url).to eq('idp_slo_target_url')
+      expect(saml_config.idp_sso_target_url).to eq('idp_sso_target_url')
+      expect(saml_config.issuer).to eq('issuer')
+      expect(saml_config.name_identifier_format).to eq('name_identifier_format')
+      expect(saml_config.name_identifier_value).to eq('name_identifier_value')
+      expect(saml_config.passive).to eq('passive')
+      expect(saml_config.private_key).to eq('private_key')
+      expect(saml_config.protocol_binding).to eq('protocol_binding')
+      expect(saml_config.security).to eq('security')
+      expect(saml_config.sessionindex).to eq('sessionindex')
+      expect(saml_config.sp_name_qualifier).to eq('sp_name_qualifier')
+    end
+  end
+end

data/spec/devise_saml_authenticatable/strategy_spec.rb ADDED Viewed

@@ -0,0 +1,64 @@
+require 'spec_helper'
+describe Devise::Strategies::SamlAuthenticatable do
+  subject(:strategy) { described_class.new(env, :user) }
+  let(:env) { {} }
+  let(:response) { double(:response, :settings= => nil, is_valid?: true) }
+  before do
+    allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
+  end
+  let(:saml_config) { OneLogin::RubySaml::Settings.new }
+  before do
+    allow(strategy).to receive(:get_saml_config).and_return(saml_config)
+  end
+  let(:mapping) { double(:mapping, to: user_class) }
+  let(:user_class) { double(:user_class, authenticate_with_saml: user) }
+  let(:user) { double(:user) }
+  before do
+    allow(strategy).to receive(:mapping).and_return(mapping)
+  end
+  let(:params) { {} }
+  before do
+    allow(strategy).to receive(:params).and_return(params)
+  end
+  context "with a SAMLResponse parameter" do
+    let(:params) { {SAMLResponse: ""} }
+    it "is valid" do
+      expect(strategy).to be_valid
+    end
+    it "authenticates with the response" do
+      expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse])
+      expect(response).to receive(:settings=).with(saml_config)
+      expect(user_class).to receive(:authenticate_with_saml).with(response)
+      expect(strategy).to receive(:success!).with(user)
+      strategy.authenticate!
+    end
+    context "and the SAML response is not valid" do
+      before do
+        allow(response).to receive(:is_valid?).and_return(false)
+      end
+      it "fails to authenticate" do
+        expect(strategy).to receive(:fail!).with(:invalid)
+        strategy.authenticate!
+      end
+    end
+  end
+  it "is not valid without a SAMLResponse parameter" do
+    expect(strategy).not_to be_valid
+  end
+  it "is permanent" do
+    expect(strategy).to be_store
+  end
+end

data/spec/features/saml_authentication_spec.rb ADDED Viewed

@@ -0,0 +1,71 @@
+require 'spec_helper'
+require 'net/http'
+require 'uri'
+require 'capybara/rspec'
+require 'capybara/webkit'
+Capybara.default_driver = :webkit
+describe "SAML Authentication", type: :feature do
+  let(:idp_port) { 8009 }
+  let(:sp_port)  { 8020 }
+  shared_examples_for "it authenticates and creates users" do
+    it "authenticates an existing user on a SP via an IdP" do
+      create_user("you@example.com")
+      visit 'http://localhost:8020/'
+      expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+      fill_in "Email", with: "you@example.com"
+      fill_in "Password", with: "asdf"
+      click_on "Sign in"
+      expect(page).to have_content("you@example.com")
+      expect(current_url).to eq("http://localhost:8020/")
+    end
+    it "creates a user on the SP from the IdP attributes" do
+      visit 'http://localhost:8020/'
+      expect(current_url).to match(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+      fill_in "Email", with: "you@example.com"
+      fill_in "Password", with: "asdf"
+      click_on "Sign in"
+      expect(page).to have_content("you@example.com")
+      expect(page).to have_content("A User")
+      expect(current_url).to eq("http://localhost:8020/")
+    end
+  end
+  context "when the attributes are used to authenticate" do
+    before(:each) do
+      create_app('idp', %w(y))
+      create_app('sp', %w(n))
+      @idp_pid = start_app('idp', idp_port)
+      @sp_pid  = start_app('sp',  sp_port)
+    end
+    after(:each) do
+      stop_app(@idp_pid)
+      stop_app(@sp_pid)
+    end
+    it_behaves_like "it authenticates and creates users"
+  end
+  context "when the subject is used to authenticate" do
+    before(:each) do
+      create_app('idp', %w(n))
+      create_app('sp', %w(y))
+      @idp_pid = start_app('idp', idp_port)
+      @sp_pid  = start_app('sp',  sp_port)
+    end
+    after(:each) do
+      stop_app(@idp_pid)
+      stop_app(@sp_pid)
+    end
+    it_behaves_like "it authenticates and creates users"
+  end
+  def create_user(email)
+    response = Net::HTTP.post_form(URI('http://localhost:8020/users'), email: email)
+    expect(response.code).to eq('201')
+  end
+end

data/spec/rails_helper.rb ADDED Viewed

@@ -0,0 +1,15 @@
+ENV["RAILS_ENV"] ||= 'test'
+require 'spec_helper'
+create_app('sp', %w(n))
+require 'support/sp/config/environment'
+require 'rspec/rails'
+ActiveRecord::Migration.verbose = false
+ActiveRecord::Base.logger = Logger.new(nil)
+ActiveRecord::Migrator.migrate(File.expand_path("../support/sp/db/migrate/", __FILE__))
+RSpec.configure do |config|
+  config.use_transactional_fixtures = true
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,22 @@
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  config.order = 'random'
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+end
+require 'support/rails_app'
+require 'devise_saml_authenticatable'

data/spec/support/idp_template.rb ADDED Viewed

@@ -0,0 +1,10 @@
+# Set up a SAML IdP
+@include_subject_in_attributes = ask("Include the subject in the attributes?", limit: %w(y n)) == "y"
+gem 'ruby-saml-idp'
+route "get '/saml/auth' => 'saml_idp#new'"
+route "post '/saml/auth' => 'saml_idp#create'"
+template File.expand_path('../saml_idp_controller.rb.erb', __FILE__), 'app/controllers/saml_idp_controller.rb'

data/spec/support/rails_app.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require 'open3'
+def sh!(cmd)
+  unless system(cmd)
+    raise "[#{cmd}] failed with exit code #{$?.exitstatus}"
+  end
+end
+def app_ready?(pid, port)
+  Process.getpgid(pid) &&
+    system("lsof -i:#{port}", out: '/dev/null')
+end
+def create_app(name, answers = [])
+  rails_new_options = %w(-T -J -S --skip-spring)
+  rails_new_options << "-O" if name == 'idp'
+  Bundler.with_clean_env do
+    Dir.chdir(File.expand_path('../../support', __FILE__)) do
+      FileUtils.rm_rf(name)
+      Open3.popen3("rails", "new", name, *rails_new_options, "-m", "#{name}_template.rb") do |stdin, stdout, stderr, wait_thread|
+        while answers.any?
+          question = stdout.gets
+          answer = answers.shift
+          stdin.puts answer
+          $stdout.puts "#{question} #{answer}"
+        end
+        wait_thread.join
+        $stdout.puts stdout.read
+        $stderr.puts stderr.read
+      end
+    end
+  end
+end
+def start_app(name, port, options = {})
+  pid = nil
+  Bundler.with_clean_env do
+    Dir.chdir(File.expand_path("../../support/#{name}", __FILE__)) do
+      pid = Process.spawn("bundle exec rails server -p #{port}")
+      sleep 1 until app_ready?(pid, port)
+      if app_ready?(pid, port)
+        puts "Launched #{name} on port #{port} (pid #{pid})..."
+      else
+        raise "#{name} failed to start"
+      end
+    end
+  end
+  pid
+end
+def stop_app(pid)
+  if pid
+    Process.kill(:INT, pid)
+    Process.wait(pid)
+  end
+end

data/spec/support/saml_idp_controller.rb.erb ADDED Viewed

@@ -0,0 +1,54 @@
+class SamlIdpController < SamlIdp::IdpController
+  def idp_authenticate(email, password)
+    true
+  end
+  def idp_make_saml_response(user)
+    attributes = {
+      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" => "A User",
+    }
+    if include_subject_in_attributes
+      attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] = "you@example.com"
+    end
+    encode_SAMLResponse("you@example.com", attributes: attributes)
+  end
+  private
+  def encode_SAMLResponse(nameID, opts = {})
+    now = Time.now.utc
+    response_id, reference_id = UUID.generate, UUID.generate
+    audience_uri = opts[:audience_uri] || saml_acs_url[/^(.*?\/\/.*?\/)/, 1]
+    issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
+    attributes = opts.fetch(:attributes, {})
+    if attributes.any?
+      attribute_items = attributes.map { |format, value|
+        %[<Attribute Name="#{format}"><AttributeValue>#{value}</AttributeValue></Attribute>]
+      }
+      attribute_statement = %[<AttributeStatement>#{attribute_items.join}</AttributeStatement>]
+    else
+      attribute_statement = ""
+    end
+    assertion = %[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#{reference_id}" IssueInstant="#{now.iso8601}" Version="2.0"><Issuer>#{issuer_uri}</Issuer><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">#{nameID}</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="#{@saml_request_id}" NotOnOrAfter="#{(now+3*60).iso8601}" Recipient="#{@saml_acs_url}"></SubjectConfirmationData></SubjectConfirmation></Subject><Conditions NotBefore="#{(now-5).iso8601}" NotOnOrAfter="#{(now+60*60).iso8601}"><AudienceRestriction><Audience>#{audience_uri}</Audience></AudienceRestriction></Conditions>#{attribute_statement}<AuthnStatement AuthnInstant="#{now.iso8601}" SessionIndex="_#{reference_id}"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>]
+    digest_value = Base64.encode64(algorithm.digest(assertion)).gsub(/\n/, '')
+    signed_info = %[<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-#{algorithm_name}"></ds:SignatureMethod><ds:Reference URI="#_#{reference_id}"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig##{algorithm_name}"></ds:DigestMethod><ds:DigestValue>#{digest_value}</ds:DigestValue></ds:Reference></ds:SignedInfo>]
+    signature_value = sign(signed_info).gsub(/\n/, '')
+    signature = %[<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">#{signed_info}<ds:SignatureValue>#{signature_value}</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>#{self.x509_certificate}</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature>]
+    assertion_and_signature = assertion.sub(/Issuer\>\<Subject/, "Issuer>#{signature}<Subject")
+    xml = %[<samlp:Response ID="_#{response_id}" Version="2.0" IssueInstant="#{now.iso8601}" Destination="#{@saml_acs_url}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="#{@saml_request_id}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">#{issuer_uri}</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>#{assertion_and_signature}</samlp:Response>]
+    Base64.encode64(xml)
+  end
+  def include_subject_in_attributes
+    <%= @include_subject_in_attributes %>
+  end
+end

data/spec/support/sp_template.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# Set up a SAML Service Provider
+use_subject_to_authenticate = ask("Use subject to authenticate?", limit: %w(y n)) == "y"
+gem 'devise_saml_authenticatable', path: '../../..'
+create_file 'config/attribute-map.yml', <<-ATTRIBUTES
+---
+"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
+"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":         name
+ATTRIBUTES
+after_bundle do
+  generate :controller, 'home', 'index'
+  insert_into_file('app/controllers/home_controller.rb', after: "class HomeController < ApplicationController\n") {
+    <<-AUTHENTICATE
+    before_action :authenticate_user!
+    AUTHENTICATE
+  }
+  insert_into_file('app/views/home/index.html.erb', after: /\z/) {
+    "<%= current_user.email %> <%= current_user.name %>"
+  }
+  route "root to: 'home#index'"
+  # Configure for our SAML IdP
+  generate 'devise:install'
+  gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
+  config.saml_default_user_key = :email
+  config.saml_use_subject = #{use_subject_to_authenticate}
+  config.saml_create_user = true
+  config.saml_configure do |settings|
+    settings.assertion_consumer_service_url = "http://localhost:8020/users/saml/auth"
+    settings.issuer = "http://localhost:8020/saml/metadata"
+    settings.idp_sso_target_url = "http://localhost:8009/saml/auth"
+    settings.idp_cert_fingerprint = "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
+  end
+end
+  CONFIG
+  generate :devise, "user", "email:string", "name:string"
+  gsub_file 'app/models/user.rb', /database_authenticatable.*\n.*/, 'saml_authenticatable'
+  route "resources :users"
+  create_file('app/controllers/users_controller.rb', <<-USERS)
+class UsersController < ApplicationController
+  skip_before_filter :verify_authenticity_token
+  def create
+    User.create!(email: params[:email])
+    render nothing: true, status: 201
+  end
+end
+  USERS
+  rake "db:create"
+  rake "db:migrate"
+end

metadata CHANGED Viewed

@@ -1,46 +1,41 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.0.2
-  prerelease:
+  version: 0.1.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-02 00:00:00.000000000 Z
+date: 2015-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.8.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 0.8.2
 description: SAML Authentication for devise
@@ -50,7 +45,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -66,29 +63,50 @@ files:
 - lib/devise_saml_authenticatable/strategy.rb
 - lib/devise_saml_authenticatable/version.rb
 - rails/init.rb
+- spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/model_spec.rb
+- spec/devise_saml_authenticatable/saml_config_spec.rb
+- spec/devise_saml_authenticatable/strategy_spec.rb
+- spec/features/saml_authentication_spec.rb
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/support/idp_template.rb
+- spec/support/rails_app.rb
+- spec/support/saml_idp_controller.rb.erb
+- spec/support/sp_template.rb
 homepage: ''
 licenses: []
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.24
+rubygems_version: 2.4.6
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: SAML Authentication for devise
-test_files: []
+test_files:
+- spec/controllers/devise/saml_sessions_controller_spec.rb
+- spec/devise_saml_authenticatable/model_spec.rb
+- spec/devise_saml_authenticatable/saml_config_spec.rb
+- spec/devise_saml_authenticatable/strategy_spec.rb
+- spec/features/saml_authentication_spec.rb
+- spec/rails_helper.rb
+- spec/spec_helper.rb
+- spec/support/idp_template.rb
+- spec/support/rails_app.rb
+- spec/support/saml_idp_controller.rb.erb
+- spec/support/sp_template.rb
 has_rdoc: