devise_saml_authenticatable 1.3.2 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 269c0505d92b49c3b9a79d1b8aece87533018b10
-  data.tar.gz: 259f7e012808aabe3ab06e854a01deab8959843a
+  metadata.gz: 9a26db022c02d24566654e1d965c374a0e3b3380
+  data.tar.gz: 1341712900741f3c7326ddb7f099468bbc1d1066
 SHA512:
-  metadata.gz: 83a89cbe087accbcf239e047027188a35793c9cdcb3198fd207edeb95652bb6e8957ef8e0aeaa9b919f01cbb91677bf4c5ade49fae0a85b86cf95edc4b09592b
-  data.tar.gz: 230f5490186a0853cd63f401b390afa29129b8f103de04cbb64a734274edd88de9467030784122cccdc743fbd5eb7babf75ad3635be5b51d2a5af467d4e17b1f
+  metadata.gz: 9ee3d6d7075cccdb05b87c8cea6e7f9feab58d3f2a0ae4fc1cbc9d6e679b82d1c59e675195c520867903808070cc8e9fb49ff99028b7816f039e029f0d455a6a
+  data.tar.gz: 9ea8211cda495a8347e5e2672214e5fc8448e232ca1d961645dde9f22b18eaf9bd6bcf8e6876dea110cbe2292a8d01fdc303039629cbe781f3901a15ab73efc8

data/.travis.yml

@@ -32,6 +32,10 @@ matrix:
     - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.ruby-saml-1.3
 
+before_install:
+  # update bundler to avoid https://github.com/travis-ci/travis-ci/issues/5239
+  - gem install bundler
+
 script:
   - bundle exec rake
 

data/README.md

@@ -69,8 +69,9 @@ In `config/initializers/devise.rb`:
     # and implements a #handle method. This method can then redirect the user, return error messages, etc.
     # config.saml_failed_callback = nil
 
-    # Configure with your SAML settings (see [ruby-saml][] for more information).
+    # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
+      # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
       settings.assertion_consumer_service_url     = "http://localhost:3000/users/saml/auth"
       settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
       settings.name_identifier_format             = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
@@ -159,6 +160,7 @@ class IdPSettingsAdapter
   end
 end
 ```
+Settings specified in the adapter will override settings in `config/initializers/devise.rb`. This is useful for establishing common settings or defaults across all IdPs.
 
 Detecting the entity ID passed to the `settings` method is done by `config.idp_entity_id_reader`.
 
@@ -192,10 +194,12 @@ Logout requests from the IDP are supported by the `idp_sign_out` endpoint.  Dire
 
 `saml_session_index_key` must be configured to support this feature.
 
-## Signing and Encrypting Authentication Requests
+## Signing and Encrypting Authentication Requests and Assertions
 
 ruby-saml 1.0.0 supports signature and decrypt. The only requirement is to set the public certificate and the private key. For more information, see [the ruby-saml documentation](https://github.com/onelogin/ruby-saml#signing).
 
+If you have multiple IdPs, the certificate and private key must be in the shared settings in `config/initializers/devise.rb`.
+
 ## Thanks
 
 The continued maintenance of this gem could not have been possible without the hard work of [Adam Stegman](https://github.com/adamstegman) and [Mitch Lindsay](https://github.com/mitch-lindsay). Thank you guys for keeping this project alive.

data/app/controllers/devise/saml_sessions_controller.rb

@@ -53,8 +53,9 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
+    idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Logoutrequest.new
-    request.create(saml_config)
+    request.create(saml_config(idp_entity_id))
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)

data/devise_saml_authenticatable.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |gem|
   gem.description   = %q{SAML Authentication for devise}
   gem.summary       = %q{SAML Authentication for devise }
   gem.homepage      = ""
+  gem.license     = "MIT"
 
   gem.files         = `git ls-files`.split($\)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }

data/lib/devise_saml_authenticatable.rb

@@ -94,7 +94,7 @@ module Devise
   end
 
   # Proc that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
-  # Recieves the user object, saml_response and auth_value, and defines how the object's values are
+  # Receives the user object, saml_response and auth_value, and defines how the object's values are
   # updated with regards to the SAML response. See saml_default_update_resource_hook for an example.
   mattr_accessor :saml_update_resource_hook
   @@saml_update_resource_hook = @@saml_default_update_resource_hook
@@ -107,7 +107,7 @@ module Devise
   end
 
   # Proc that is called to resolve the saml_response and auth_value into the correct user object.
-  # Recieves a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+  # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
   # one instance of the provided model that is the matched account, or nil if none exists.
   # See saml_default_resource_locator above for an example.
   mattr_accessor :saml_resource_locator

data/lib/devise_saml_authenticatable/default_idp_entity_id_reader.rb

@@ -4,11 +4,13 @@ module DeviseSamlAuthenticatable
       if params[:SAMLRequest]
         OneLogin::RubySaml::SloLogoutrequest.new(
           params[:SAMLRequest],
+          settings: Devise.saml_config,
           allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
         ).issuer
       elsif params[:SAMLResponse]
         OneLogin::RubySaml::Response.new(
           params[:SAMLResponse],
+          settings: Devise.saml_config,
           allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
         ).issuers.first
       end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,6 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
+            settings: Devise.saml_config,
             allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
           )
         else

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.3.2"
+  VERSION = "1.4.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -66,6 +66,7 @@ describe Devise::SamlSessionsController, type: :controller do
       it "uses the DefaultIdpEntityIdReader" do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
+        expect(idp_providers_adapter).to have_received(:settings).with(nil)
       end
 
       context "with a relay_state lambda defined" do
@@ -104,6 +105,7 @@ describe Devise::SamlSessionsController, type: :controller do
 
         it "redirects to the associated IdP SSO target url" do
           do_get
+          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
           expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
         end
       end
@@ -147,10 +149,57 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
-    it 'signs out and redirects to the IdP' do
-      expect(controller).to receive(:sign_out)
-      delete :destroy
-      expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+    context "when using the default saml config" do
+      it 'signs out and redirects to the IdP' do
+        expect(controller).to receive(:sign_out)
+        delete :destroy
+        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+      end
+    end
+
+    context "with a specified idp" do
+      before do
+        Devise.idp_settings_adapter = idp_providers_adapter
+      end
+
+      it "redirects to the associated IdP SSO target url" do
+        expect(controller).to receive(:sign_out)
+        expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
+        delete :destroy
+        expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+      end
+
+      context "with a specified idp entity id reader" do
+        class OurIdpEntityIdReader
+          def self.entity_id(params)
+            params[:entity_id]
+          end
+        end
+
+        subject(:do_delete) {
+          if Rails::VERSION::MAJOR > 4
+            delete :destroy, params: {entity_id: "http://www.example.com"}
+          else
+            delete :destroy, entity_id: "http://www.example.com"
+          end
+        }
+
+        before do
+          @default_reader = Devise.idp_entity_id_reader
+          Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+        end
+
+        after do
+          Devise.idp_entity_id_reader = @default_reader
+        end
+
+        it "redirects to the associated IdP SLO target url" do
+          expect(controller).to receive(:sign_out)
+          do_delete
+          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
+          expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+        end
+      end
     end
   end
 

data/spec/features/saml_authentication_spec.rb

@@ -138,7 +138,6 @@ describe "SAML Authentication", type: :feature do
   end
 
   context "when the idp_settings_adapter key is set" do
-
     before(:each) do
       create_app('idp', 'INCLUDE_SUBJECT_IN_ATTRIBUTES' => "false")
       create_app('sp', 'USE_SUBJECT_TO_AUTHENTICATE' => "true", 'IDP_SETTINGS_ADAPTER' => "IdpSettingsAdapter", 'IDP_ENTITY_ID_READER' => "OurEntityIdReader")
@@ -156,7 +155,24 @@ describe "SAML Authentication", type: :feature do
       create_user("you@example.com")
 
       visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
-      expect(current_url).to match(%r(\Ahttp://www.example.com/\?SAMLRequest=))
+      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
+    end
+
+    it "logs a user out of the IdP via the SP" do
+      sign_in
+
+      # prove user is still signed in
+      visit 'http://localhost:8020/'
+      expect(page).to have_content("you@example.com")
+      expect(current_url).to eq("http://localhost:8020/")
+
+      click_on "Log out"
+      #confirm the logout response redirected to the SP which in turn attempted to sign th e
+      expect(current_url).to match(%r(\Ahttp://www.example.com/slo\?SAMLRequest=))
+
+      # prove user is now signed out
+      visit 'http://localhost:8020/users/saml/sign_in/?entity_id=http%3A%2F%2Flocalhost%3A8020%2Fsaml%2Fmetadata'
+      expect(current_url).to match(%r(\Ahttp://www.example.com/sso\?SAMLRequest=))
     end
   end
 

data/spec/support/Gemfile.rails4

@@ -4,7 +4,6 @@ source 'https://rubygems.org'
 gemspec path: '../..'
 
 group :test do
-  gem 'rake'
   gem 'rspec', '~> 3.0'
   gem 'rails', '~> 4.0'
   gem 'rspec-rails'
@@ -16,7 +15,15 @@ group :test do
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
     gem 'addressable', '~> 2.4.0'
     gem 'mime-types', '~> 2.99'
+    gem 'public_suffix', '~> 1.4.6'
+    gem 'rake', '~> 12.2.0'
+  elsif Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
+    gem 'public_suffix', '~> 2.0.5'
+    gem 'rake'
+  else
+    gem 'rake'
   end
+
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
     gem 'nokogiri', '~> 1.6.8'

data/spec/support/Gemfile.ruby-saml-1.3

@@ -14,11 +14,9 @@ group :test do
   gem 'poltergeist'
 
   # Lock down versions of gems for older versions of Ruby
-  if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.0")
-    gem 'mime-types', '~> 2.99'
-  end
   if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new("2.1")
     gem 'devise', '~> 3.5'
+    gem 'public_suffix', '~> 2.0.5'
     gem 'nokogiri', '~> 1.6.8'
   end
 end

data/spec/support/idp_settings_adapter.rb.erb

@@ -8,8 +8,8 @@ class IdpSettingsAdapter
           issuer: "sp_issuer",
           idp_entity_id: "http://localhost:8020/saml/metadata",
           authn_context: "",
-          idp_slo_target_url: "http://www.example.com",
-          idp_sso_target_url: "http://www.example.com",
+          idp_slo_target_url: "http://www.example.com/slo",
+          idp_sso_target_url: "http://www.example.com/sso",
           idp_cert: "idp_cert"
       }
     else

data/spec/support/sp_template.rb

@@ -68,7 +68,7 @@ after_bundle do
   insert_into_file('app/views/home/index.html.erb', after: /\z/) {
     <<-HOME
 <%= current_user.email %> <%= current_user.name %>
-<%= form_tag destroy_user_session_path, method: :delete do %>
+<%= form_tag destroy_user_session_path(entity_id: "http://localhost:8020/saml/metadata"), method: :delete do %>
   <%= submit_tag "Log out" %>
 <% end %>
     HOME

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.4.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-22 00:00:00.000000000 Z
+date: 2018-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -85,7 +85,8 @@ files:
 - spec/support/saml_idp_controller.rb.erb
 - spec/support/sp_template.rb
 homepage: ''
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []