devise_saml_authenticatable 1.3.1 → 1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eeabad37a5473557499db0b8de604afb7740608d
-  data.tar.gz: 952108992254613cdf27f72aedbf6e2a772f95a3
+  metadata.gz: 269c0505d92b49c3b9a79d1b8aece87533018b10
+  data.tar.gz: 259f7e012808aabe3ab06e854a01deab8959843a
 SHA512:
-  metadata.gz: 720d7b21c40596b762a85c5c0df2f9dc3d1af7fdce86a7c8562428b866e79eab6a768e070c648fd4c657415bca175102d4eaa0dff6866c7cc8b14025d1bf5101
-  data.tar.gz: c3368984264f54a99a37ce9e4b546b7bbd2460a834bc57300dfaf242232619bad50f51bb66adc4d2e1e41d287ce4f3f7f85923697835a06bf14f73968a31f1ed
+  metadata.gz: 83a89cbe087accbcf239e047027188a35793c9cdcb3198fd207edeb95652bb6e8957ef8e0aeaa9b919f01cbb91677bf4c5ade49fae0a85b86cf95edc4b09592b
+  data.tar.gz: 230f5490186a0853cd63f401b390afa29129b8f103de04cbb64a734274edd88de9467030784122cccdc743fbd5eb7babf75ad3635be5b51d2a5af467d4e17b1f

data/.travis.yml

@@ -2,26 +2,34 @@ language: ruby
 rvm:
   - "1.9.3"
   - "2.0.0"
-  - "2.1.9"
-  - "2.2.5"
-  - "2.3.1"
+  - "2.1.10"
+  - "2.2.7"
+  - "2.3.4"
+  - "2.4.1"
 gemfile:
   - Gemfile
+  - spec/support/Gemfile.rails5
   - spec/support/Gemfile.rails4
   - spec/support/Gemfile.ruby-saml-1.3
 matrix:
   allow_failures:
     - rvm: "1.9.3"
       gemfile: Gemfile
+    - rvm: "1.9.3"
+      gemfile: spec/support/Gemfile.rails5
     - rvm: "1.9.3"
       gemfile: spec/support/Gemfile.ruby-saml-1.3
     - rvm: "2.0.0"
       gemfile: Gemfile
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5
     - rvm: "2.0.0"
       gemfile: spec/support/Gemfile.ruby-saml-1.3
-    - rvm: "2.1.9"
+    - rvm: "2.1.10"
       gemfile: Gemfile
-    - rvm: "2.1.9"
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5
+    - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.ruby-saml-1.3
 
 script:

data/Gemfile

@@ -6,17 +6,9 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.0'
+  gem 'rails', '~> 5.1'
   gem 'rspec-rails'
   gem 'sqlite3'
   gem 'capybara'
   gem 'poltergeist'
-
-  # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'mime-types', '~> 2.99'
-  end
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
-    gem 'devise', '~> 3.5'
-  end
 end

data/README.md

@@ -2,7 +2,7 @@
 # DeviseSamlAuthenticatable
 
 Devise Saml Authenticatable is a Single-Sign-On authentication strategy for devise that relies on SAML.
-It uses [ruby-saml][] to handle all SAML related stuff.
+It uses [ruby-saml][] to handle all SAML-related stuff.
 
 ## Installation
 
@@ -21,6 +21,7 @@ Or install it yourself as:
 ## Usage
 
 In `app/models/<YOUR_MODEL>.rb` set the `:saml_authenticatable` strategy.
+
 In the example the model is `user.rb`:
 
 ```ruby
@@ -31,7 +32,7 @@ In the example the model is `user.rb`:
   end
 ```
 
-In config/initializers/devise.rb
+In `config/initializers/devise.rb`:
 
 ```ruby
   Devise.setup do |config|
@@ -52,8 +53,8 @@ In config/initializers/devise.rb
     # for the user's session to facilitate an IDP initiated logout request.
     config.saml_session_index_key = :session_index
 
-    # You can set this value to use Subject or SAML assertation as info to which email will be compared
-    # If you don't set it then email will be extracted from SAML assertation attributes
+    # You can set this value to use Subject or SAML assertation as info to which email will be compared.
+    # If you don't set it then email will be extracted from SAML assertation attributes.
     config.saml_use_subject = true
 
     # You can support multiple IdPs by setting this value to a class that implements a #settings method which takes
@@ -99,7 +100,7 @@ In config/initializers/devise.rb
   end
 ```
 
-In config directory create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
+In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
 
 ```yaml
   # attribute-map.yml
@@ -112,15 +113,17 @@ In config directory create a YAML file (`attribute-map.yml`) that maps SAML attr
 
 The attribute mappings are very dependent on the way the IdP encodes the attributes.
 In this example the attributes are given in URN style.
-Other IdPs might provide them as OID's or other means.
+Other IdPs might provide them as OID's, or by other means.
 
 You are now ready to test it against an IdP.
-When the user goes to `/users/saml/sign_in` he will be redirected to the login page of the IdP.
-Upon successful login the user is redirected to devise `user_root_path`.
+
+When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+
+Upon successful login the user is redirected to the Devise `user_root_path`.
 
 ## Supporting Multiple IdPs
 
-If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in config/initializers/devise.rb. The implementation of the adapter is up to you. A simple example may look like this:
+If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
 
 ```ruby
 class IdPSettingsAdapter
@@ -158,21 +161,26 @@ end
 ```
 
 Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
+
 By default this will find the `Issuer` in the SAML request.
+
 You can support more use cases by writing your own and implementing the `.entity_id` method.
+
 If you use encrypted assertions, your entity ID reader will need to understand how to decrypt the response from each of the possible IdPs.
 
 ## Identity Provider
 
-If you don't have an identity provider an you would like to test the authentication against your app there are some options:
+If you don't have an identity provider and you would like to test the authentication against your app, there are some options:
 
-1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it as a dummy IdP that always sends a valid authentication response to your app.
-2. Use an online service that can act as an IdP. Onelogin, Salesforce, Okta and some others provide you with this functionality
+1. Use [ruby-saml-idp](https://github.com/lawrencepit/ruby-saml-idp). You can add your own logic to your IdP, or you can also set it up as a dummy IdP that always sends a valid authentication response to your app.
+2. Use an online service that can act as an IdP. OneLogin, Salesforce, Okta and some others provide you with this functionality.
 3. Install your own IdP.
 
-There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and simplesamlphp.
+There are numerous IdPs that support SAML 2.0, there are propietary (like Microsoft ADFS 2.0 or Ping federate) and there are also open source solutions like Shibboleth and [SimpleSAMLphp].
+
+[SimpleSAMLphp] was my choice for development since it is a production-ready SAML solution, that is also really easy to install, configure and use.
 
-[SimpleSAMLphp](http://simplesamlphp.org/) was my choice for development since it is a production-ready SAML solution, that is also really easy to install, configure and use.
+[SimpleSAMLphp]: http://simplesamlphp.org/
 
 ## Logout
 
@@ -180,18 +188,20 @@ Logout support is included by immediately terminating the local session and then
 
 ## Logout Request
 
-Logout requests from the IDP are supported by the `idp_sign_out` end point.  Directing logout requests to `users/saml/idp_sign_out` will logout the respective user by invalidating their current sessions.
+Logout requests from the IDP are supported by the `idp_sign_out` endpoint.  Directing logout requests to `users/saml/idp_sign_out` will log out the respective user by invalidating their current sessions.
+
 `saml_session_index_key` must be configured to support this feature.
 
 ## Signing and Encrypting Authentication Requests
 
-ruby-saml 1.0.0 supports signature and decrypt. Teh only requirement is to place the public certificate and the private key. Please reffer to these features in the ruby-saml documentation [here](https://github.com/onelogin/ruby-saml#signing)
+ruby-saml 1.0.0 supports signature and decrypt. The only requirement is to set the public certificate and the private key. For more information, see [the ruby-saml documentation](https://github.com/onelogin/ruby-saml#signing).
 
 ## Thanks
 
 The continued maintenance of this gem could not have been possible without the hard work of [Adam Stegman](https://github.com/adamstegman) and [Mitch Lindsay](https://github.com/mitch-lindsay). Thank you guys for keeping this project alive.
 
 Thanks to all other contributors that have also helped us make this software better.
+
 ## Contributing
 
 1. Fork it

data/app/controllers/devise/saml_sessions_controller.rb

@@ -3,7 +3,11 @@ require "ruby-saml"
 class Devise::SamlSessionsController < Devise::SessionsController
   include DeviseSamlAuthenticatable::SamlConfig
   unloadable if Rails::VERSION::MAJOR < 4
-  skip_before_filter :verify_authenticity_token, raise: false
+  if Rails::VERSION::MAJOR < 5
+    skip_before_filter :verify_authenticity_token
+  else
+    skip_before_action :verify_authenticity_token, raise: false
+  end
 
   def new
     idp_entity_id = get_idp_entity_id(params)

data/lib/devise_saml_authenticatable.rb

@@ -62,11 +62,56 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Implements a #validate method that takes the retrieved resource and response right after retrieval,
+  # and returns true if it's valid.  False will cause authentication to fail.
+  mattr_accessor :saml_resource_validator
+  @@saml_resource_validator
+
+  # Custom value for ruby-saml allowed_clock_drift
+  mattr_accessor :allowed_clock_drift_in_seconds
+  @@allowed_clock_drift_in_seconds
+
   mattr_accessor :saml_config
   @@saml_config = OneLogin::RubySaml::Settings.new
   def self.saml_configure
     yield saml_config
   end
+
+  # Default update resource hook. Updates each attribute on the model that is mapped, updates the
+  # saml_default_user_key if saml_use_subject is true and saves the user model.
+  # See saml_update_resource_hook for more information.
+  mattr_reader :saml_default_update_resource_hook
+  @@saml_default_update_resource_hook = Proc.new do |user, saml_response, auth_value|
+    saml_response.attributes.resource_keys.each do |key|
+      user.send "#{key}=", saml_response.attribute_value_by_resource_key(key)
+    end
+
+    if (Devise.saml_use_subject)
+      user.send "#{Devise.saml_default_user_key}=", auth_value
+    end
+
+    user.save!
+  end
+
+  # Proc that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
+  # Recieves the user object, saml_response and auth_value, and defines how the object's values are
+  # updated with regards to the SAML response. See saml_default_update_resource_hook for an example.
+  mattr_accessor :saml_update_resource_hook
+  @@saml_update_resource_hook = @@saml_default_update_resource_hook
+
+  # Default resource locator. Uses saml_default_user_key and auth_value to resolve user.
+  # See saml_resource_locator for more information.
+  mattr_reader :saml_default_resource_locator
+  @@saml_default_resource_locator = Proc.new do |model, saml_response, auth_value|
+    model.where(Devise.saml_default_user_key => auth_value).first
+  end
+
+  # Proc that is called to resolve the saml_response and auth_value into the correct user object.
+  # Recieves a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+  # one instance of the provided model that is the matched account, or nil if none exists.
+  # See saml_default_resource_locator above for an example.
+  mattr_accessor :saml_resource_locator
+  @@saml_resource_locator = @@saml_default_resource_locator
 end
 
 # Add saml_authenticatable strategy to defaults.

data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb

@@ -2,9 +2,15 @@ module DeviseSamlAuthenticatable
   class DefaultIdpEntityIdReader
     def self.entity_id(params)
       if params[:SAMLRequest]
-        OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest]).issuer
+        OneLogin::RubySaml::SloLogoutrequest.new(
+          params[:SAMLRequest],
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        ).issuer
       elsif params[:SAMLResponse]
-        OneLogin::RubySaml::Response.new(params[:SAMLResponse]).issuers.first
+        OneLogin::RubySaml::Response.new(
+          params[:SAMLResponse],
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        ).issuers.first
       end
     end
   end

data/lib/devise_saml_authenticatable/model.rb

@@ -1,4 +1,5 @@
 require 'devise_saml_authenticatable/strategy'
+require 'devise_saml_authenticatable/saml_response'
 
 module Devise
   module Models
@@ -30,16 +31,25 @@ module Devise
       module ClassMethods
         def authenticate_with_saml(saml_response, relay_state)
           key = Devise.saml_default_user_key
-          attributes = saml_response.attributes
+          decorated_response = ::SamlAuthenticatable::SamlResponse.new(
+            saml_response,
+            attribute_map
+          )
           if (Devise.saml_use_subject)
             auth_value = saml_response.name_id
           else
-            inv_attr = attribute_map.invert
-            auth_value = attributes[inv_attr[key.to_s]]
+            auth_value = decorated_response.attribute_value_by_resource_key(key)
           end
           auth_value.try(:downcase!) if Devise.case_insensitive_keys.include?(key)
 
-          resource = where(key => auth_value).first
+          resource = Devise.saml_resource_locator.call(self, decorated_response, auth_value)
+
+          if Devise.saml_resource_validator
+            if not Devise.saml_resource_validator.new.validate(resource, saml_response)
+              logger.info("User(#{auth_value}) did not pass custom validation.")
+              return nil
+            end
+          end
 
           if resource.nil?
             if Devise.saml_create_user
@@ -52,11 +62,7 @@ module Devise
           end
 
           if Devise.saml_update_user || (resource.new_record? && Devise.saml_create_user)
-            set_user_saml_attributes(resource, attributes)
-            if (Devise.saml_use_subject)
-              resource.send "#{key}=", auth_value
-            end
-            resource.save!
+            Devise.saml_update_resource_hook.call(resource, decorated_response, auth_value)
           end
 
           resource
@@ -77,13 +83,6 @@ module Devise
 
         private
 
-        def set_user_saml_attributes(user,attributes)
-          attribute_map.each do |k,v|
-            Rails.logger.info "Setting: #{v}, #{attributes[k]}"
-            user.send "#{v}=", attributes[k]
-          end
-        end
-
         def attribute_map_for_environment
           attribute_map = YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
           if attribute_map.has_key?(Rails.env)

data/lib/devise_saml_authenticatable/saml_mapped_attributes.rb

@@ -0,0 +1,25 @@
+module SamlAuthenticatable
+  class SamlMappedAttributes
+    def initialize(attributes, attribute_map)
+      @attributes = attributes
+      @attribute_map = attribute_map
+      @inverted_attribute_map = @attribute_map.invert
+    end
+
+    def saml_attribute_keys
+      @attribute_map.keys
+    end
+
+    def resource_keys
+      @attribute_map.values
+    end
+
+    def value_by_resource_key(key)
+      value_by_saml_attribute_key(@inverted_attribute_map.fetch(String(key)))
+    end
+
+    def value_by_saml_attribute_key(key)
+      @attributes[String(key)]
+    end
+  end
+end

data/lib/devise_saml_authenticatable/saml_response.rb

@@ -0,0 +1,16 @@
+require 'devise_saml_authenticatable/saml_mapped_attributes'
+
+module SamlAuthenticatable
+  class SamlResponse
+    attr_reader :raw_response, :attributes
+
+    def initialize(saml_response, attribute_map)
+      @attributes = ::SamlAuthenticatable::SamlMappedAttributes.new(saml_response.attributes, attribute_map)
+      @raw_response = saml_response
+    end
+
+    def attribute_value_by_resource_key(key)
+      attributes.value_by_resource_key(key)
+    end
+  end
+end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -6,7 +6,10 @@ module Devise
       include DeviseSamlAuthenticatable::SamlConfig
       def valid?
         if params[:SAMLResponse]
-          OneLogin::RubySaml::Response.new(params[:SAMLResponse])
+          OneLogin::RubySaml::Response.new(
+            params[:SAMLResponse],
+            allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+          )
         else
           false
         end
@@ -30,7 +33,11 @@ module Devise
 
       private
       def parse_saml_response
-        @response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config(get_idp_entity_id(params)))
+        @response = OneLogin::RubySaml::Response.new(
+          params[:SAMLResponse],
+          settings: saml_config(get_idp_entity_id(params)),
+          allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
+        )
         unless @response.is_valid?
           failed_auth("Auth errors: #{@response.errors.join(', ')}")
         end

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.3.1"
+  VERSION = "1.3.2"
 end

data/spec/devise_saml_authenticatable/default_idp_entity_id_reader_spec.rb

@@ -5,18 +5,48 @@ describe DeviseSamlAuthenticatable::DefaultIdpEntityIdReader do
     context "when there is a SAMLRequest in the params" do
       let(:params) { {SAMLRequest: "logout request"} }
       let(:slo_logout_request) { double('slo_logout_request', issuer: 'meow')}
+      before do
+        allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(slo_logout_request)
+      end
+
       it "uses an OneLogin::RubySaml::SloLogoutrequest to get the idp_entity_id" do
-        expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(slo_logout_request)
-        described_class.entity_id(params)
+        expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).with("logout request", hash_including)
+        expect(described_class.entity_id(params)).to eq("meow")
+      end
+
+      context "and allowed_clock_drift is configured" do
+        before do
+          allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+        end
+
+        it "allows the configured clock drift" do
+          expect(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).with("logout request", hash_including(allowed_clock_drift: 30))
+          expect(described_class.entity_id(params)).to eq("meow")
+        end
       end
     end
 
     context "when there is a SAMLResponse in the params" do
       let(:params) { {SAMLResponse: "auth response"} }
       let(:response) { double('response', issuers: ['meow'] )}
+      before do
+        allow(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
+      end
+
       it "uses an OneLogin::RubySaml::Response to get the idp_entity_id" do
-        expect(OneLogin::RubySaml::Response).to receive(:new).and_return(response)
-        described_class.entity_id(params)
+        expect(OneLogin::RubySaml::Response).to receive(:new).with("auth response", hash_including)
+        expect(described_class.entity_id(params)).to eq("meow")
+      end
+
+      context "and allowed_clock_drift is configured" do
+        before do
+          allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+        end
+
+        it "allows the configured clock drift" do
+          expect(OneLogin::RubySaml::Response).to receive(:new).with("auth response", hash_including(allowed_clock_drift: 30))
+          expect(described_class.entity_id(params)).to eq("meow")
+        end
       end
     end
   end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -178,4 +178,156 @@ describe Devise::Models::SamlAuthenticatable do
       include_examples "correct downcasing"
     end
   end
+
+  context "when configured with a resource validator" do
+    let(:validator_class) { double("validator_class") }
+    let(:validator) { double("validator") }
+    let(:user) { Model.new(new_record: false) }
+
+    before do
+      allow(Devise).to receive(:saml_resource_validator).and_return(validator_class)
+      allow(validator_class).to receive(:new).and_return(validator)
+    end
+
+    context "and sent a valid value" do
+      before do
+        allow(validator).to receive(:validate).with(user, response).and_return(true)
+      end
+
+      it "returns the user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to eq(user)
+      end
+    end
+
+    context "and sent an invalid value" do
+      before do
+        allow(validator).to receive(:validate).with(user, response).and_return(false)
+      end
+
+      it "returns nil" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
+  context "when configured to use a custom update hook" do
+    it "can replicate the default behaviour in a custom hook" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can extend the default behaviour with custom transformations" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+
+        user.email = "ext+#{user.email}"
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq("ext+#{attributes['saml-email-format']}")
+    end
+
+    it "can extend the default behaviour using information from the saml response" do
+      configure_hook do |user, saml_response|
+        Devise.saml_default_update_resource_hook.call(user, saml_response)
+
+        name_id = saml_response.raw_response.name_id
+        user.name += "@#{name_id}"
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq("#{attributes['saml-name-format']}@#{response.name_id}")
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    def configure_hook(&block)
+      allow(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+      allow(Devise).to receive(:saml_default_user_key).and_return(:email)
+      allow(Devise).to receive(:saml_create_user).and_return(true)
+      allow(Devise).to receive(:saml_update_resource_hook).and_return(block)
+    end
+  end
+
+  context "when configured to use a custom user locator" do
+    let(:name_id) { 'SomeUsername' }
+
+    it "can replicate the default behaviour for a new user in a custom locator" do
+      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([])
+
+      configure_hook do |model, saml_response, auth_value|
+        Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can replicate the default behaviour for an existing user in a custom locator" do
+      user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
+      user.save!
+
+      allow(Model).to receive(:where).with(email: attributes['saml-email-format']).and_return([user])
+
+      configure_hook do |model, saml_response, auth_value|
+        Devise.saml_default_resource_locator.call(model, saml_response, auth_value)
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user).to eq(user)
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can change the default behaviour for a new user from the saml response" do
+      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([])
+
+      configure_hook do |model, saml_response, auth_value|
+        name_id = saml_response.raw_response.name_id
+        model.where(foo: auth_value, bar: name_id).first
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    it "can change the default behaviour for an existing user from the saml response" do
+      user = Model.new(email: attributes['saml-email-format'], name: attributes['saml-name-format'])
+      user.save!
+
+      allow(Model).to receive(:where).with(foo: attributes['saml-email-format'], bar: name_id).and_return([user])
+
+      configure_hook do |model, saml_response, auth_value|
+        name_id = saml_response.raw_response.name_id
+        model.where(foo: auth_value, bar: name_id).first
+      end
+
+      new_user = Model.authenticate_with_saml(response, nil)
+
+      expect(new_user).to eq(user)
+      expect(new_user.name).to eq(attributes['saml-name-format'])
+      expect(new_user.email).to eq(attributes['saml-email-format'])
+    end
+
+    def configure_hook(&block)
+      allow(Devise).to receive(:saml_default_user_key).and_return(:email)
+      allow(Devise).to receive(:saml_create_user).and_return(true)
+      allow(Devise).to receive(:saml_resource_locator).and_return(block)
+    end
+  end
 end

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -134,6 +134,24 @@ describe Devise::Strategies::SamlAuthenticatable do
         strategy.authenticate!
       end
     end
+
+    context "when allowed_clock_drift is configured" do
+      before do
+        allow(Devise).to receive(:allowed_clock_drift_in_seconds).and_return(30)
+      end
+
+      it "is valid with the configured clock drift" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(allowed_clock_drift: 30))
+        expect(strategy).to be_valid
+      end
+
+      it "authenticates with the configured clock drift" do
+        expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], hash_including(allowed_clock_drift: 30))
+
+        expect(strategy).to receive(:success!).with(user)
+        strategy.authenticate!
+      end
+    end
   end
 
   it "is not valid without a SAMLResponse parameter" do

data/spec/support/Gemfile.rails4

@@ -19,5 +19,6 @@ group :test do
   end
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
+    gem 'nokogiri', '~> 1.6.8'
   end
 end

data/spec/support/Gemfile.rails5

@@ -0,0 +1,14 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_saml_authenticatable.gemspec
+gemspec path: '../..'
+
+group :test do
+  gem 'rake'
+  gem 'rspec', '~> 3.0'
+  gem 'rails', '~> 5.0.0'
+  gem 'rspec-rails'
+  gem 'sqlite3'
+  gem 'capybara'
+  gem 'poltergeist'
+end

data/spec/support/Gemfile.ruby-saml-1.3

@@ -19,5 +19,6 @@ group :test do
   end
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
+    gem 'nokogiri', '~> 1.6.8'
   end
 end

data/spec/support/idp_template.rb

@@ -3,7 +3,9 @@
 @include_subject_in_attributes = ENV.fetch('INCLUDE_SUBJECT_IN_ATTRIBUTES')
 @valid_destination = ENV.fetch('VALID_DESTINATION', "true")
 
-gem 'ruby-saml-idp'
+gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "34814fd41f91c493b89aa01ac73c44d241a31245b5bc5542fa4b7317525e1dcfa60ba947b3d085e4e229456fdee0d8af6aac6a63cf750d807ea6fe5d853dff4a"'
+
+gem 'ruby-saml-idp', git: "https://github.com/lawrencepit/ruby-saml-idp.git", ref: "ec715b252e849105c7a96df27b731c6e7f725a51"
 gem 'thin'
 
 insert_into_file('Gemfile', after: /\z/) {
@@ -11,6 +13,7 @@ insert_into_file('Gemfile', after: /\z/) {
 # Lock down versions of gems for older versions of Ruby
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
+  gem 'nokogiri', '~> 1.6.8'
 end
   GEMFILE
 }

data/spec/support/rails_app.rb

@@ -1,4 +1,8 @@
 require 'open3'
+require 'socket'
+require 'timeout'
+
+APP_READY_TIMEOUT ||= 30
 
 def sh!(cmd)
   unless system(cmd)
@@ -7,8 +11,9 @@ def sh!(cmd)
 end
 
 def app_ready?(pid, port)
-  Process.getpgid(pid) &&
-    system("lsof -i:#{port}", out: '/dev/null')
+  Process.getpgid(pid) && port_open?(port)
+rescue Errno::ESRCH
+  false
 end
 
 def create_app(name, env = {})
@@ -24,16 +29,26 @@ def start_app(name, port, options = {})
   pid = nil
   Bundler.with_clean_env do
     Dir.chdir(File.expand_path("../../support/#{name}", __FILE__)) do
-      pid = Process.spawn("bundle exec rails server -p #{port}")
-      sleep 1 until app_ready?(pid, port)
-      if app_ready?(pid, port)
-        puts "Launched #{name} on port #{port} (pid #{pid})..."
-      else
+      pid = Process.spawn({"RAILS_ENV" => "production"}, "bundle exec rails server -p #{port} -e production", out: "log/#{name}.log", err: "log/#{name}.err.log")
+      begin
+        Timeout::timeout(APP_READY_TIMEOUT) do
+          sleep 1 until app_ready?(pid, port)
+        end
+        if app_ready?(pid, port)
+          puts "Launched #{name} on port #{port} (pid #{pid})..."
+        else
+          raise "#{name} failed after starting"
+        end
+      rescue Timeout::Error
         raise "#{name} failed to start"
       end
     end
   end
   pid
+rescue RuntimeError => e
+  $stdout.puts "#{File.read(File.expand_path("../../support/#{name}/log/#{name}.log", __FILE__))}"
+  $stderr.puts "#{File.read(File.expand_path("../../support/#{name}/log/#{name}.err.log", __FILE__))}"
+  raise e
 end
 
 def stop_app(pid)
@@ -42,3 +57,24 @@ def stop_app(pid)
     Process.wait(pid)
   end
 end
+
+def port_open?(port)
+  Timeout::timeout(1) do
+    begin
+      s = TCPSocket.new('localhost', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+      # try 127.0.0.1
+    end
+    begin
+      s = TCPSocket.new('127.0.0.1', port)
+      s.close
+      return true
+    rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
+      return false
+    end
+  end
+rescue Timeout::Error
+  false
+end

data/spec/support/saml_idp_controller.rb.erb

@@ -29,14 +29,14 @@ class SamlIdpController < SamlIdp::IdpController
 
   def session_index
     Rails.cache.fetch('session_key') {
-      UUID.generate
+      SecureRandom.uuid
     }
   end
 
 
   def encode_SAMLResponse(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     audience_uri = opts[:audience_uri] || "#{saml_acs_url[/^(.*?\/\/.*?\/)/, 1]}saml/metadata"
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url) || "http://example.com"
 
@@ -72,8 +72,13 @@ class SamlIdpController < SamlIdp::IdpController
   end
 
   # == SLO functionality, see https://github.com/lawrencepit/ruby-saml-idp/pull/10
+  <% if Rails::VERSION::MAJOR < 5 %>
   skip_before_filter :validate_saml_request, :only => [:logout, :sp_sign_out]
   before_filter :validate_saml_slo_request, :only => [:logout]
+  <% else %>
+  skip_before_action :validate_saml_request, :only => [:logout, :sp_sign_out]
+  before_action :validate_saml_slo_request, :only => [:logout]
+  <% end %>
 
   public
 
@@ -139,7 +144,7 @@ class SamlIdpController < SamlIdp::IdpController
 
   def encode_SAML_SLO_Response(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     audience_uri = opts[:audience_uri] || (@saml_slo_acs_url && @saml_slo_acs_url[/^(.*?\/\/.*?\/)/, 1])
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
 
@@ -175,7 +180,7 @@ class SamlIdpController < SamlIdp::IdpController
 
   def encode_SAML_SLO_Request(nameID, opts = {})
     now = Time.now.utc
-    response_id = UUID.generate
+    response_id = SecureRandom.uuid
     issuer_uri = opts[:issuer_uri] || (defined?(request) && request.url.split("?")[0]) || "http://example.com"
     xml = %[<samlp:LogoutRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"

data/spec/support/sp_template.rb

@@ -8,6 +8,8 @@ idp_settings_adapter = ENV.fetch('IDP_SETTINGS_ADAPTER', "nil")
 idp_entity_id_reader = ENV.fetch('IDP_ENTITY_ID_READER', "DeviseSamlAuthenticatable::DefaultIdpEntityIdReader")
 saml_failed_callback = ENV.fetch('SAML_FAILED_CALLBACK', "nil")
 
+gsub_file 'config/secrets.yml', /secret_key_base:.*$/, 'secret_key_base: "8b5889df1fcf03f76c7d66da02d8776bcc85b06bed7d9c592f076d9c8a5455ee6d4beae45986c3c030b40208db5e612f2a6ef8283036a352e3fae83c5eda36be"'
+
 gem 'devise_saml_authenticatable', path: '../../..'
 gem 'ruby-saml', OneLogin::RubySaml::VERSION
 gem 'thin'
@@ -17,6 +19,7 @@ insert_into_file('Gemfile', after: /\z/) {
 # Lock down versions of gems for older versions of Ruby
 if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
   gem 'devise', '~> 3.5'
+  gem 'nokogiri', '~> 1.6.8'
 end
   GEMFILE
 }
@@ -75,6 +78,8 @@ after_bundle do
   # Configure for our SAML IdP
   generate 'devise:install'
   gsub_file 'config/initializers/devise.rb', /^end$/, <<-CONFIG
+  config.secret_key = 'adc7cd73792f5d20055a0ac749ce8cdddb2e0f0d3ea7fe7855eec3d0f81833b9a4ac31d12e05f232d40ae86ca492826a6fc5a65228c6e16752815316e2d5b38d'
+
   config.saml_default_user_key = :email
   config.saml_session_index_key = #{saml_session_index_key}
 
@@ -103,13 +108,15 @@ class UsersController < ApplicationController
   skip_before_action :verify_authenticity_token
   def create
     User.create!(email: params[:email])
-    render nothing: true, status: 201
+    head 201
   end
 end
   USERS
 
   rake "db:create"
   rake "db:migrate"
+  rake "db:create", env: "production"
+  rake "db:migrate", env: "production"
 end
 
 create_file 'public/stylesheets/application.css', ''

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.3.2
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-30 00:00:00.000000000 Z
+date: 2017-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -61,6 +61,8 @@ files:
 - lib/devise_saml_authenticatable/model.rb
 - lib/devise_saml_authenticatable/routes.rb
 - lib/devise_saml_authenticatable/saml_config.rb
+- lib/devise_saml_authenticatable/saml_mapped_attributes.rb
+- lib/devise_saml_authenticatable/saml_response.rb
 - lib/devise_saml_authenticatable/strategy.rb
 - lib/devise_saml_authenticatable/version.rb
 - rails/init.rb
@@ -73,6 +75,7 @@ files:
 - spec/rails_helper.rb
 - spec/spec_helper.rb
 - spec/support/Gemfile.rails4
+- spec/support/Gemfile.rails5
 - spec/support/Gemfile.ruby-saml-1.3
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb
@@ -114,6 +117,7 @@ test_files:
 - spec/rails_helper.rb
 - spec/spec_helper.rb
 - spec/support/Gemfile.rails4
+- spec/support/Gemfile.rails5
 - spec/support/Gemfile.ruby-saml-1.3
 - spec/support/idp_settings_adapter.rb.erb
 - spec/support/idp_template.rb