devise_saml_authenticatable 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 388799cd1bf9c14ad21b7a042d63957d965ec080
-  data.tar.gz: b5e153ee444879be849e6ddda43e2762a3905092
+SHA256:
+  metadata.gz: 8f372d3d801220ab4ce4a7e83501f0e5d7a9cc2590eb64aa1c91a0a5ad053d7d
+  data.tar.gz: bcdfc0370f0926a542164ea577030e9ff17666adb9e0d5ae8367a605e4966866
 SHA512:
-  metadata.gz: 2c304efa473b057a46895b96db3d6d076ebdaa332de7c7d6a3480b86a3ae3e33d17123b5f565d229c5412a9496cc9c549e34960aa119f8a1c18180eea87eb05e
-  data.tar.gz: 40a2dd033fd20cccc2803dc587309be272005a5d84c8e80a0325b038079fcd2deb9b6aad78f8afb30c2462f9952efe1e49ffa100b9187480c5234a6565aaf566
+  metadata.gz: d9bd026db0bb199aaa9b72d1c03fccef49a905dc7270739b48e682623036f945b74f16c99f1d457086df47ff03f8e71aee5c4a412d01cd9f9c80b4f84e79d58a
+  data.tar.gz: c2f32e5297c0e9a4aadce6069282d8c17e91d95550a777e2f5755745effc0fda5eaa958e4656d5776e2a507251d230fdaba3d944189874d0166d3f2cefbe153c

data/.gitignore

@@ -13,6 +13,4 @@ lib/bundler/man
 pkg
 rdoc
 spec/reports
-spec/support/idp/
-spec/support/sp/
 tmp

data/.travis.yml

@@ -1,53 +1,52 @@
 language: ruby
 rvm:
-  - "1.9.3"
   - "2.0.0"
   - "2.1.10"
   - "2.2.10"
   - "2.3.8"
-  - "2.4.5"
-  - "2.5.3"
-  - "2.6.0"
+  - "2.4.10"
+  - "2.5.8"
+  - "2.6.6"
+  - "2.7.1"
 gemfile:
   - Gemfile
+  - spec/support/Gemfile.rails5.2
   - spec/support/Gemfile.rails5.1
   - spec/support/Gemfile.rails5
   - spec/support/Gemfile.rails4
 matrix:
   allow_failures:
-    - rvm: "1.9.3"
-      gemfile: Gemfile
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.rails5
-    - rvm: "1.9.3"
-      gemfile: spec/support/Gemfile.rails5.1
     - rvm: "2.0.0"
       gemfile: Gemfile
     - rvm: "2.0.0"
       gemfile: spec/support/Gemfile.rails5
     - rvm: "2.0.0"
       gemfile: spec/support/Gemfile.rails5.1
+    - rvm: "2.0.0"
+      gemfile: spec/support/Gemfile.rails5.2
     - rvm: "2.1.10"
       gemfile: Gemfile
     - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.rails5
     - rvm: "2.1.10"
       gemfile: spec/support/Gemfile.rails5.1
-    - rvm: "2.6.0"
+    - rvm: "2.1.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.2.10"
+      gemfile: Gemfile
+    - rvm: "2.2.10"
+      gemfile: spec/support/Gemfile.rails5.2
+    - rvm: "2.3.8"
+      gemfile: Gemfile
+    - rvm: "2.4.10"
+      gemfile: Gemfile
+    - rvm: "2.6.6"
+      gemfile: spec/support/Gemfile.rails4
+    - rvm: "2.7.1"
       gemfile: spec/support/Gemfile.rails4
 
 before_install:
-  # update bundler to avoid https://github.com/travis-ci/travis-ci/issues/5239
   - command -v bundle || gem install bundler -v '~> 1.17.3'
 
 script:
   - bundle exec rake
-
-notifications:
-  hipchat:
-    rooms:
-      secure: cuDak5a6fBeg+sp61COqxQfzdcFEsjwCqtwvCISso0RNh5SR8v+uVYKcA8rlK+GE1l9uR7tLRHeHF3ZmzvFSOat07NvpScvjZXi+OSpWlc6rwQ6Pl6bBP6gu6sREiKVe0eT/uGrvJloyWKZaXIhiiBzQ+ZERx/ssGA9WMmNkhlwy1OgGnPNurNNHZLBjEZn1V6kdyxiXx6QPASNpjNEgN1G8dUh3qzcWUGVQGNZSJk65A6ie1MveNyecTjDhw+ADBU8nS28Ja4y6ohRm4FzofSgespYrvfygIZ5rYF0HPMj5FW1ZDWtM5355ojCk8RLT+ZkuhssCn1OJk7ogaOVjnYcOFRxEfpu3eIbjtMmUz3j4umatFqbgas+6SXMVIPkr5HUoTrP8HNFssIpcEBOnPwAF8QCpx+daHc0r2cc8lGuXhtJfpW0P2F0dmwJNiQ7//nz2y2xs84x4Gb7MV9tEDYp0FqEClMuFBkPNizBljarm04PkiLSrqvR52aMDfQz7YAX2oXAvFjPzI1GC0K8x7xX8TuHT9yuHy7fI+rUSNivZYLKO+IEZqPPDdJpXISUbVwanZoNvmQYk5PZV21MfDSGwQrz8eO/uFiAblj18yIlNbAfb2hdZDVYsm4EvWxELJtfaTxgrj6M3Y3m/KbCbCoDp+2jE307M2rxL0Gum2gk=
-    template:
-      - '%{repository}<a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
-    format: html
-    on_pull_requests: true

data/Gemfile

@@ -6,9 +6,9 @@ gemspec
 group :test do
   gem 'rake'
   gem 'rspec', '~> 3.0'
-  gem 'rails', '~> 5.1'
+  gem 'rails', '~> 6.0'
   gem 'rspec-rails'
-  gem 'sqlite3'
+  gem 'sqlite3', '~> 1.4.0'
   gem 'capybara'
   gem 'poltergeist'
 end

data/README.md

@@ -6,18 +6,15 @@ It uses [ruby-saml][] to handle all SAML-related stuff.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this gem to your application's Gemfile:
 
-    gem 'devise_saml_authenticatable'
+    git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+    gem "devise_saml_authenticatable", github: "apokalipto/devise_saml_authenticatable"
 
 And then execute:
 
     $ bundle
 
-Or install it yourself as:
-
-    $ gem install devise_saml_authenticatable
-
 ## Usage
 
 Follow the [normal devise installation process](https://github.com/plataformatec/devise/tree/master#getting-started). The controller filters and helpers are unchanged from normal devise usage.
@@ -110,6 +107,10 @@ In `config/initializers/devise.rb`:
     # If saml_route_helper_prefix = 'saml' then the new_user_session route becomes new_saml_user_session
     # config.saml_route_helper_prefix = 'saml'
 
+    # You can add allowance for clock drift between the sp and idp.
+    # This is a time in seconds.
+    # config.allowed_clock_drift_in_seconds = 0
+
     # Configure with your SAML settings (see ruby-saml's README for more information: https://github.com/onelogin/ruby-saml).
     config.saml_configure do |settings|
       # assertion_consumer_service_url is required starting with ruby-saml 1.4.3: https://github.com/onelogin/ruby-saml#updating-from-142-to-143
@@ -126,7 +127,26 @@ In `config/initializers/devise.rb`:
   end
 ```
 
-In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML attributes with your model's fields:
+#### Attributes
+
+There are two ways to map SAML attributes to User attributes:
+
+- [initializer](#attribute-map-initializer)
+- [config file](#attribute-map-config-file)
+
+The attribute mappings are very dependent on the way the IdP encodes the attributes.
+In these examples the attributes are given in URN style.
+Other IdPs might provide them as OID's, or by other means.
+
+You are now ready to test it against an IdP.
+
+When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+
+Upon successful login the user is redirected to the Devise `user_root_path`.
+
+##### Attribute map config file
+
+Create a YAML file (`config/attribute-map.yml`) that maps SAML attributes with your model's fields:
 
 ```yaml
   # attribute-map.yml
@@ -137,15 +157,39 @@ In the config directory, create a YAML file (`attribute-map.yml`) that maps SAML
   "urn:mace:dir:attribute-def:givenName": "name"
 ```
 
-The attribute mappings are very dependent on the way the IdP encodes the attributes.
-In this example the attributes are given in URN style.
-Other IdPs might provide them as OID's, or by other means.
+##### Attribute map initializer
 
-You are now ready to test it against an IdP.
+In `config/initializers/devise.rb` (see above), add an attribute map resolver.
+The resolver gets the [SAML response from the IdP](https://github.com/onelogin/ruby-saml/blob/master/lib/onelogin/ruby-saml/response.rb) so it can decide which attribute map to load.
+If you only have one IdP, you can use the config file above, or just return a single hash.
 
-When the user visits `/users/saml/sign_in` they will be redirected to the login page of the IdP.
+```ruby
+  # config/initializers/devise.rb
+  Devise.setup do |config|
+    ...
+    # ==> Configuration for :saml_authenticatable
 
-Upon successful login the user is redirected to the Devise `user_root_path`.
+    config.saml_attribute_map_resolver = MyAttributeMapResolver
+  end
+```
+
+```ruby
+  # app/lib/my_attribute_map_resolver
+  class MyAttributeMapResolver < DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+    def attribute_map
+      issuer = saml_response.issuers.first
+      case issuer
+      when "idp_entity_id"
+        {
+          "urn:mace:dir:attribute-def:uid" => "user_name",
+          "urn:mace:dir:attribute-def:email" => "email",
+          "urn:mace:dir:attribute-def:name" => "last_name",
+          "urn:mace:dir:attribute-def:givenName" => "name",
+        }
+      end
+    end
+  end
+```
 
 ## Supporting Multiple IdPs
 

data/app/controllers/devise/saml_sessions_controller.rb

@@ -5,8 +5,10 @@ class Devise::SamlSessionsController < Devise::SessionsController
   unloadable if Rails::VERSION::MAJOR < 4
   if Rails::VERSION::MAJOR < 5
     skip_before_filter :verify_authenticity_token
+    prepend_before_filter :store_info_for_sp_initiated_logout, only: :destroy
   else
     skip_before_action :verify_authenticity_token, raise: false
+    prepend_before_action :store_info_for_sp_initiated_logout, only: :destroy
   end
 
   def new
@@ -30,16 +32,16 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
       redirect_to generate_idp_logout_response(saml_config, logout_request.id)
     elsif params[:SAMLResponse]
-      #Currently Devise handles the session invalidation when the request is made.
-      #To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
-      #based on that.
+      # Currently Devise handles the session invalidation when the request is made.
+      # To support a true SP initiated logout response, the request ID would have to be tracked and session invalidated
+      # based on that.
       if Devise.saml_sign_out_success_url
         redirect_to Devise.saml_sign_out_success_url
       else
         redirect_to action: :new
       end
     else
-      head :invalid_request
+      head 500
     end
   end
 
@@ -51,14 +53,38 @@ class Devise::SamlSessionsController < Devise::SessionsController
     end
   end
 
+  # For non transient name ID, save info to identify user for logout purpose
+  # before that user's session got destroyed. These info are used in the
+  # `after_sign_out_path_for` method below.
+  def store_info_for_sp_initiated_logout
+    return if Devise.saml_config.name_identifier_format == "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
+    @name_identifier_value_for_sp_initiated_logout = Devise.saml_name_identifier_retriever.call(current_user)
+    @sessionindex_for_sp_initiated_logout = current_user.public_send(Devise.saml_session_index_key) if Devise.saml_session_index_key
+  end
+
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     idp_entity_id = get_idp_entity_id(params)
     request = OneLogin::RubySaml::Logoutrequest.new
-    request.create(saml_config(idp_entity_id))
+    saml_settings = saml_config(idp_entity_id).dup
+
+    # Add attributes to saml_settings which will later be used to create the SP
+    # initiated logout request
+    unless Devise.saml_config.name_identifier_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+      saml_settings.name_identifier_value = @name_identifier_value_for_sp_initiated_logout
+      saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
+    end
+
+    request.create(saml_settings)
   end
 
   def generate_idp_logout_response(saml_config, logout_request_id)
-    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil)
+
+    params = {}
+    if relay_state
+      params[:RelayState] = relay_state
+    end
+
+    OneLogin::RubySaml::SloLogoutresponse.new.create(saml_config, logout_request_id, nil, params)
   end
 end

data/lib/devise_saml_authenticatable.rb

@@ -5,6 +5,7 @@ require "devise_saml_authenticatable/exception"
 require "devise_saml_authenticatable/logger"
 require "devise_saml_authenticatable/routes"
 require "devise_saml_authenticatable/saml_config"
+require "devise_saml_authenticatable/default_attribute_map_resolver"
 require "devise_saml_authenticatable/default_idp_entity_id_reader"
 
 begin
@@ -66,6 +67,10 @@ module Devise
   mattr_accessor :saml_relay_state
   @@saml_relay_state
 
+  # Instead of storing the attribute_map in attribute-map.yml, store it in the database, or set it programatically
+  mattr_accessor :saml_attribute_map_resolver
+  @@saml_attribute_map_resolver ||= ::DeviseSamlAuthenticatable::DefaultAttributeMapResolver
+
   # Implements a #validate method that takes the retrieved resource and response right after retrieval,
   # and returns true if it's valid.  False will cause authentication to fail.
   # Only one of saml_resource_validator and saml_resource_validator_hook may be used.
@@ -124,6 +129,14 @@ module Devise
   # See saml_default_resource_locator above for an example.
   mattr_accessor :saml_resource_locator
   @@saml_resource_locator = @@saml_default_resource_locator
+
+  # Proc that is called to resolve the name identifier to use in a LogoutRequest for the current user.
+  # Receives the logged-in user.
+  # Is expected to return the identifier the IdP understands for this user, e.g. email address or username.
+  mattr_accessor :saml_name_identifier_retriever
+  @@saml_name_identifier_retriever = Proc.new do |current_user|
+    current_user.public_send(Devise.saml_default_user_key)
+  end
 end
 
 # Add saml_authenticatable strategy to defaults.

data/lib/devise_saml_authenticatable/default_attribute_map_resolver.rb

@@ -0,0 +1,26 @@
+module DeviseSamlAuthenticatable
+  class DefaultAttributeMapResolver
+    def initialize(saml_response)
+      @saml_response = saml_response
+    end
+
+    def attribute_map
+      return {} unless File.exist?(attribute_map_path)
+
+      attribute_map = YAML.load(File.read(attribute_map_path))
+      if attribute_map.key?(Rails.env)
+        attribute_map[Rails.env]
+      else
+        attribute_map
+      end
+    end
+
+    private
+
+    attr_reader :saml_response
+
+    def attribute_map_path
+      Rails.root.join("config", "attribute-map.yml")
+    end
+  end
+end

data/lib/devise_saml_authenticatable/exception.rb

@@ -1,6 +1,6 @@
 module DeviseSamlAuthenticatable
 
-  class SamlException < Exception
+  class SamlException < StandardError
   end
 
 end

data/lib/devise_saml_authenticatable/model.rb

@@ -33,9 +33,9 @@ module Devise
           key = Devise.saml_default_user_key
           decorated_response = ::SamlAuthenticatable::SamlResponse.new(
             saml_response,
-            attribute_map
+            Devise.saml_attribute_map_resolver.new(saml_response).attribute_map,
           )
-          if (Devise.saml_use_subject)
+          if Devise.saml_use_subject
             auth_value = saml_response.name_id
           else
             auth_value = decorated_response.attribute_value_by_resource_key(key)
@@ -80,21 +80,6 @@ module Devise
         def find_for_shibb_authentication(conditions)
           find_for_authentication(conditions)
         end
-
-        def attribute_map
-          @attribute_map ||= attribute_map_for_environment
-        end
-
-        private
-
-        def attribute_map_for_environment
-          attribute_map = YAML.load(File.read("#{Rails.root}/config/attribute-map.yml"))
-          if attribute_map.has_key?(Rails.env)
-            attribute_map[Rails.env]
-          else
-            attribute_map
-          end
-        end
       end
     end
   end

data/lib/devise_saml_authenticatable/strategy.rb

@@ -8,7 +8,7 @@ module Devise
         if params[:SAMLResponse]
           OneLogin::RubySaml::Response.new(
             params[:SAMLResponse],
-            settings: Devise.saml_config,
+            settings: saml_config(get_idp_entity_id(params)),
             allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
           )
         else

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.5.0"
+  VERSION = "1.6.0"
 end

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -1,31 +1,38 @@
 require 'rails_helper'
 
-class Devise::SessionsController < ActionController::Base
-  # The important parts from devise
+# The important parts from devise
+class DeviseController < ApplicationController
+  attr_accessor :current_user
+
   def resource_class
     User
   end
 
+  def require_no_authentication
+  end
+end
+class Devise::SessionsController < DeviseController
   def destroy
     sign_out
     redirect_to after_sign_out_path_for(:user)
   end
 
-  def require_no_authentication
+  def verify_signed_out_user
+    # no-op for these tests
   end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
 describe Devise::SamlSessionsController, type: :controller do
-  let(:saml_config) { Devise.saml_config }
   let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
 
   before do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
     allow(idp_providers_adapter).to receive(:settings).and_return({
       assertion_consumer_service_url: "acs_url",
       assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-      name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
       issuer: "sp_issuer",
       idp_entity_id: "http://www.example.com",
       authn_context: "",
@@ -35,6 +42,20 @@ describe Devise::SamlSessionsController, type: :controller do
     })
   end
 
+  before do
+    if Rails::VERSION::MAJOR < 5 && Gem::Version.new(RUBY_VERSION) > Gem::Version.new("2.6")
+      # we still want to support Rails 4
+      # patch tests using snippet from https://github.com/rails/rails/issues/34790#issuecomment-483607370
+      class ActionController::TestResponse < ActionDispatch::TestResponse
+        def recycle!
+          @mon_mutex_owner_object_id = nil
+          @mon_mutex = nil
+          initialize
+        end
+      end
+    end
+  end
+
   describe '#new' do
     let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
 
@@ -113,6 +134,8 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#metadata' do
+    let(:saml_config) { Devise.saml_config.dup }
+
     context "with the default configuration" do
       it 'generates metadata' do
         get :metadata
@@ -132,7 +155,7 @@ describe Devise::SamlSessionsController, type: :controller do
         Devise.saml_configure do |settings|
           settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
           settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          settings.name_identifier_format = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
           settings.issuer = "http://localhost:3000"
         end
       end
@@ -149,23 +172,47 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
+    before do
+      allow(controller).to receive(:sign_out)
+    end
+
     context "when using the default saml config" do
-      it 'signs out and redirects to the IdP' do
-        expect(controller).to receive(:sign_out)
+      it "signs out and redirects to the IdP" do
         delete :destroy
+        expect(controller).to have_received(:sign_out)
         expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
       end
     end
 
+    context "when configured to use a non-transient name identifier" do
+      before do
+        allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+      end
+
+      it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
+        controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+
+        actual_settings = nil
+        expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
+          actual_settings = settings
+          "http://localhost:8009/saml/logout"
+        end
+
+        delete :destroy
+        expect(actual_settings.name_identifier_value).to eq("user@example.com")
+        expect(actual_settings.sessionindex).to eq("sessionindex")
+      end
+    end
+
     context "with a specified idp" do
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
       end
 
       it "redirects to the associated IdP SSO target url" do
-        expect(controller).to receive(:sign_out)
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         delete :destroy
+        expect(controller).to have_received(:sign_out)
         expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
       end
 
@@ -194,8 +241,8 @@ describe Devise::SamlSessionsController, type: :controller do
         end
 
         it "redirects to the associated IdP SLO target url" do
-          expect(controller).to receive(:sign_out)
           do_delete
+          expect(controller).to have_received(:sign_out)
           expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
           expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
         end
@@ -263,12 +310,13 @@ describe Devise::SamlSessionsController, type: :controller do
       let(:name_id) { '12312312' }
       before do
         allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
+        allow(User).to receive(:reset_session_key_for)
       end
 
       it 'direct the resource to reset the session key' do
-        expect(User).to receive(:reset_session_key_for).with(name_id)
         do_post
         expect(response).to redirect_to response_url
+        expect(User).to have_received(:reset_session_key_for).with(name_id)
       end
 
       context "with a specified idp" do
@@ -285,6 +333,16 @@ describe Devise::SamlSessionsController, type: :controller do
         end
       end
 
+      context "with a relay_state lambda defined" do
+        let(:relay_state) { ->(request) { "123" } }
+
+        it "includes the RelayState param in the request to the IdP" do
+          expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
+          do_post
+          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil, {RelayState: "123"})
+        end
+      end
+
       context 'when saml_session_index_key is not configured' do
         before do
           Devise.saml_session_index_key = nil