devise_saml_authenticatable 1.8.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2b6dd7d4f718cf0df20aff218f90f1eac720279e4ff5afe6aedef20f84a14fd
-  data.tar.gz: 5efc5fa9d89ee10eb6328261b6b870ce580dbe7cd48cedbe8dd609786c5c9f84
+  metadata.gz: f5dd2cc3931480caf617a4a22266968ea550c52c4980353a5e295652dc25ce4d
+  data.tar.gz: b712dd20efd0c4ddd9c8a1321dc6e2cbf8876053689c36c94d272be5445f8fd7
 SHA512:
-  metadata.gz: 70c0b6c4e5f6ec2b7f4a421c898c493cb34aef837c119e126d1b557640f685c1c35ad7cddaf94de3598601fe691563fa2984297010b4ac96f539609c8fa55f95
-  data.tar.gz: ca3d854ab1bd6b84d3a7d2225feb926f9fbc2d6df5c546c975d5773e8bdd8254d5ce544dd08f6c32a0db29e15f9f4aa3bbc38bee1dbdf491d9e92826b00c760b
+  metadata.gz: 697615b8dfb2f798ae0fd71b796359825633b783fbebaf66cc947bd33d78ded081a862609b55b6407d87495a7a3b3df4ae9dfce1dd2143d7ce54e2c811727d1e
+  data.tar.gz: 74037754bbe52f5036aed75ad1d96cd0a44677f2963f496a5986a8f6be0542f92645f6a3c8fa67e738a9656d2d9697566f41dfbe6f5aa4b8306114e99a182864

data/README.md

@@ -72,11 +72,42 @@ In `config/initializers/devise.rb`:
     # ==> Configuration for :saml_authenticatable
 
     # Create user if the user does not exist. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_create_user = true
 
     # Update the attributes of the user after a successful login. (Default is false)
+    # Can also accept a proc, for ex:
+    # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+    #  model_class == Admin
+    # end
     config.saml_update_user = true
 
+    # Lambda that is called if Devise.saml_update_user and/or Devise.saml_create_user are true.
+    # Receives the model object, saml_response and auth_value, and defines how the object's values are
+    # updated with regards to the SAML response. 
+    # config.saml_update_resource_hook = -> (user, saml_response, auth_value) {
+    #   saml_response.attributes.resource_keys.each do |key|
+    #     user.send "#{key}=", saml_response.attribute_value_by_resource_key(key)
+    #   end
+    #
+    #   if (Devise.saml_use_subject)
+    #     user.send "#{Devise.saml_default_user_key}=", auth_value
+    #   end
+    #
+    #   user.save!
+    # }
+
+    # Lambda that is called to resolve the saml_response and auth_value into the correct user object.
+    # Receives a copy of the ActiveRecord::Model, saml_response and auth_value. Is expected to return
+    # one instance of the provided model that is the matched account, or nil if none exists.
+    # config.saml_resource_locator = -> (model, saml_response, auth_value) {
+    #   model.where(Devise.saml_default_user_key => auth_value).first
+    # }
+    
+
     # Set the default user key. The user will be looked up by this key. Make
     # sure that the Authentication Response includes the attribute.
     config.saml_default_user_key = :email
@@ -89,8 +120,8 @@ In `config/initializers/devise.rb`:
     # If you don't set it then email will be extracted from SAML assertion attributes.
     config.saml_use_subject = true
 
-    # You can support multiple IdPs by setting this value to the name of a class that implements a ::settings method
-    # which takes an IdP entity id as an argument and returns a hash of idp settings for the corresponding IdP.
+    # You can implement IdP settings with the options to support multiple IdPs and use the request object by setting this value to the name of a class that implements a ::settings method
+    # which takes an IdP entity id and a request object as arguments and returns a hash of idp settings for the corresponding IdP.
     # config.idp_settings_adapter = "MyIdPSettingsAdapter"
 
     # You provide you own method to find the idp_entity_id in a SAML message in the case of multiple IdPs
@@ -194,20 +225,22 @@ If you only have one IdP, you can use the config file above, or just return a si
   end
 ```
 
-## Supporting Multiple IdPs
+## IdP Settings Adapter
+
+Implementing a custom settings adapter allows you to support multiple Identity Providers, and dynamic application domains with the request object.
 
-If you must support multiple Identity Providers you can implement an adapter class with a `#settings` method that takes an IdP entity id and returns a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
+You can implement an adapter class with a `#settings` method. It must take two arguments (idp_entity_id, request) and return a hash of settings for the corresponding IdP. The `config.idp_settings_adapter` then must be set to point to your adapter in `config/initializers/devise.rb`. The implementation of the adapter is up to you. A simple example may look like this:
 
 ```ruby
 class IdPSettingsAdapter
-  def self.settings(idp_entity_id)
+  def self.settings(idp_entity_id, request)
     case idp_entity_id
     when "http://www.example_idp_entity_id.com"
       {
-        assertion_consumer_service_url: "http://localhost:3000/users/saml/auth",
+        assertion_consumer_service_url: "#{request.protocol}#{request.host_with_port}/users/saml/auth",
         assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
         name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-        issuer: "http://localhost:3000/saml/metadata",
+        issuer: "#{request.protocol}#{request.host_with_port}/saml/metadata",
         idp_entity_id: "http://www.example_idp_entity_id.com",
         authn_context: "",
         idp_slo_service_url: "http://example_idp_slo_service_url.com",

data/app/controllers/devise/saml_sessions_controller.rb

@@ -8,22 +8,22 @@ class Devise::SamlSessionsController < Devise::SessionsController
 
   def new
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Authrequest.new
+    auth_request = OneLogin::RubySaml::Authrequest.new
     auth_params = { RelayState: relay_state } if relay_state
-    action = request.create(saml_config(idp_entity_id), auth_params || {})
-    session[:saml_transaction_id] = request.request_id if request.respond_to?(:request_id)
+    action = auth_request.create(saml_config(idp_entity_id, request), auth_params || {})
+    session[:saml_transaction_id] = auth_request.request_id if auth_request.respond_to?(:request_id)
     redirect_to action, allow_other_host: true
   end
 
   def metadata
     idp_entity_id = params[:idp_entity_id]
     meta = OneLogin::RubySaml::Metadata.new
-    render xml: meta.generate(saml_config(idp_entity_id))
+    render xml: meta.generate(saml_config(idp_entity_id, request))
   end
 
   def idp_sign_out
     if params[:SAMLRequest] && Devise.saml_session_index_key
-      saml_config = saml_config(get_idp_entity_id(params))
+      saml_config = saml_config(get_idp_entity_id(params), request)
       logout_request = OneLogin::RubySaml::SloLogoutrequest.new(params[:SAMLRequest], settings: saml_config)
       resource_class.reset_session_key_for(logout_request.name_id)
 
@@ -63,8 +63,8 @@ class Devise::SamlSessionsController < Devise::SessionsController
   # Override devise to send user to IdP logout for SLO
   def after_sign_out_path_for(_)
     idp_entity_id = get_idp_entity_id(params)
-    request = OneLogin::RubySaml::Logoutrequest.new
-    saml_settings = saml_config(idp_entity_id).dup
+    logout_request = OneLogin::RubySaml::Logoutrequest.new
+    saml_settings = saml_config(idp_entity_id, request).dup
 
     # Add attributes to saml_settings which will later be used to create the SP
     # initiated logout request
@@ -73,7 +73,7 @@ class Devise::SamlSessionsController < Devise::SessionsController
       saml_settings.sessionindex = @sessionindex_for_sp_initiated_logout
     end
 
-    request.create(saml_settings)
+    logout_request.create(saml_settings)
   end
 
   # Overried devise: if user is signed out, not create the SP initiated logout request,

data/lib/devise_saml_authenticatable/model.rb

@@ -55,8 +55,11 @@ module Devise
             end
           end
 
+          create_user = if Devise.saml_create_user.respond_to?(:call) then Devise.saml_create_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_create_user
+                        end
           if resource.nil?
-            if Devise.saml_create_user
+            if create_user
               logger.info("Creating user(#{auth_value}).")
               resource = new
             else
@@ -65,7 +68,10 @@ module Devise
             end
           end
 
-          if Devise.saml_update_user || (resource.new_record? && Devise.saml_create_user)
+          update_user = if Devise.saml_update_user.respond_to?(:call) then Devise.saml_update_user.call(self, decorated_response, auth_value)
+                        else Devise.saml_update_user
+                        end
+          if update_user || (resource.new_record? && create_user)
             Devise.saml_update_resource_hook.call(resource, decorated_response, auth_value)
           end
 

data/lib/devise_saml_authenticatable/saml_config.rb

@@ -1,9 +1,9 @@
 require 'ruby-saml'
 module DeviseSamlAuthenticatable
   module SamlConfig
-    def saml_config(idp_entity_id = nil)
+    def saml_config(idp_entity_id = nil, request = nil)
       return file_based_config if file_based_config
-      return adapter_based_config(idp_entity_id) if Devise.idp_settings_adapter
+      return adapter_based_config(idp_entity_id, request) if Devise.idp_settings_adapter
 
       Devise.saml_config
     end
@@ -19,10 +19,16 @@ module DeviseSamlAuthenticatable
       end
     end
 
-    def adapter_based_config(idp_entity_id)
+    def adapter_based_config(idp_entity_id, request)
       config = Marshal.load(Marshal.dump(Devise.saml_config))
 
-      idp_settings_adapter.settings(idp_entity_id).each do |k,v|
+      if idp_settings_adapter.method(:settings).parameters.length == 1
+        settings = idp_settings_adapter.settings(idp_entity_id)
+      else
+        settings = idp_settings_adapter.settings(idp_entity_id, request)
+      end
+
+      settings.each do |k,v|
         acc = "#{k.to_s}=".to_sym
 
         if config.respond_to? acc

data/lib/devise_saml_authenticatable/strategy.rb

@@ -65,7 +65,7 @@ module Devise
 
       def response_options
         options = {
-          settings: saml_config(get_idp_entity_id(params)),
+          settings: saml_config(get_idp_entity_id(params), request),
           allowed_clock_drift: Devise.allowed_clock_drift_in_seconds,
         }
 

data/lib/devise_saml_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseSamlAuthenticatable
-  VERSION = "1.8.0"
+  VERSION = "1.9.0"
 end

data/lib/devise_saml_authenticatable.rb

@@ -29,10 +29,20 @@ module Devise
   @@saml_logger = true
 
   # Add valid users to database
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_create_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == Admin
+  # end
   mattr_accessor :saml_create_user
   @@saml_create_user = false
 
   # Update user attributes after login
+  # Can accept a Boolean value or a Proc that is called with the model class, the saml_response and auth_value
+  # Ex: 
+  # Devise.saml_update_user = Proc.new do |model_class, saml_response, auth_value|
+  #  model_class == User
+  # end
   mattr_accessor :saml_update_user
   @@saml_update_user = false
 

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -102,7 +102,7 @@ describe Devise::SamlSessionsController, type: :controller do
       it 'uses the DefaultIdpEntityIdReader' do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
-        expect(idp_providers_adapter).to have_received(:settings).with(nil)
+        expect(idp_providers_adapter).to have_received(:settings).with(nil, request)
       end
 
       context 'with a relay_state lambda defined' do
@@ -137,7 +137,7 @@ describe Devise::SamlSessionsController, type: :controller do
 
         it 'redirects to the associated IdP SSO target url' do
           do_get
-          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
           expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
         end
       end
@@ -305,7 +305,7 @@ describe Devise::SamlSessionsController, type: :controller do
           it 'redirects to the associated IdP SLO target url' do
             do_delete
             expect(controller).to have_received(:sign_out)
-            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com')
+            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
             expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
           end
         end
@@ -385,7 +385,7 @@ describe Devise::SamlSessionsController, type: :controller do
         it 'accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in' do
           do_post
           expect(response.status).to eq 302
-          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
+          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id, request)
           expect(response).to redirect_to 'http://localhost/logout_response'
         end
       end

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -106,6 +106,32 @@ describe Devise::Models::SamlAuthenticatable do
       end
     end
 
+    context "when configured to create a user by a proc and the user is not found" do
+      before do
+        create_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "creates and returns a new user with the name identifier and given attributes" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_create@example.com' }
+
+        it "does not creates new user" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([])
+          expect(Model.authenticate_with_saml(response, nil)).to be_nil
+        end
+      end
+    end
+
     context "when configured to update a user and the user is found" do
       before do
         allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -120,8 +146,39 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.saved).to be(true)
       end
     end
+
+    context "when configured to update a user by a proc and the user is found" do
+      let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+
+      before do
+        update_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "updates user with given attributes" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_update@example.com' }
+
+        it "does not update user" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('old_mail@mail.com')
+          expect(model.name).to  eq('old name')
+        end
+      end
+    end
   end
 
+
   context "when configured to create an user and the user is not found" do
     before do
       allow(Devise).to receive(:saml_create_user).and_return(true)
@@ -136,6 +193,35 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to create a user by a proc and the user is not found" do
+    let(:create_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_create_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "creates and returns a new user with the name identifier and given attributes" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not creates new user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
   context "when configured to update an user" do
     before do
       allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -156,6 +242,38 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to update a user by a proc and the user is found" do
+    let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+    let(:update_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_update_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "updates user with given attributes" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not update user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('old_mail@mail.com')
+        expect(model.name).to  eq('old name')
+      end
+    end
+  end
+
   context "when configured with a case-insensitive key" do
     shared_examples "correct downcasing" do
       before do

data/spec/devise_saml_authenticatable/strategy_spec.rb

@@ -56,9 +56,9 @@ describe Devise::Strategies::SamlAuthenticatable do
     context "when saml config uses an idp_adapter" do
       let(:idp_providers_adapter) {
         Class.new {
-          def self.settings(idp_entity_id)
+          def self.settings(idp_entity_id, request)
             base = {
-              assertion_consumer_service_url: "acs_url",
+              assertion_consumer_service_url: "acs url",
               assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
               name_identifier_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
               issuer: "sp_issuer",
@@ -93,7 +93,7 @@ describe Devise::Strategies::SamlAuthenticatable do
 
       it "authenticates with the response for the corresponding idp" do
         expect(OneLogin::RubySaml::Response).to receive(:new).with(params[:SAMLResponse], anything)
-        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id)
+        expect(idp_providers_adapter).to receive(:settings).with(idp_entity_id, anything)
         expect(user_class).to receive(:authenticate_with_saml).with(response, params[:RelayState])
         expect(user).to receive(:after_saml_authentication).with(response.sessionindex)
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_saml_authenticatable
 version: !ruby/object:Gem::Version
-  version: 1.8.0
+  version: 1.9.0
 platform: ruby
 authors:
 - Josef Sauter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-19 00:00:00.000000000 Z
+date: 2022-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise