gitlab_omniauth-ldap 2.0.4 → 2.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 4d5b4eb5376fab8ef4f9e5e006ba83aa214402e0
4
- data.tar.gz: 372d5d8f78a286cfe1328695f11323704a8297b6
2
+ SHA256:
3
+ metadata.gz: 642e2ab518a4f8a4ba59ebaf35cfa5986e610fbe15692dd95dd7bf5a6a3a06fa
4
+ data.tar.gz: 630e6293aa7810f87433fb1a0bb51a4e8cd801f1e8e3f4865bdea803ba3bd57b
5
5
  SHA512:
6
- metadata.gz: e2154945f44fa50434692911fafa1fdc098d4758603c6391be558b701ae4f87b712aef88501c98fa00dda0160e74995172067f9c24f97b051da29e8145f4e0bf
7
- data.tar.gz: 5d9b8cd9c5e488f1a643c6bae705f79290bcf04588a50e638bc1d6a80e2d67ba3fedfd122d4ca405b32e58a7fa0edcd0f58ef6736dba02876bf7bfdfab122e4e
6
+ metadata.gz: c97fd71ee465d6be8b3a91a532dcbfa24242bbe5ad6e18305881af005dc9c96c661e03298f9c4e75bba4b19c9e3152cc04d732e871eaf431422381ca7862f300
7
+ data.tar.gz: 14738f46becca517da74c67ad6f0fb37de4e545c98636e8a2a285eba5059e1722617662107196977847518416baf32221123f07ed93b6382fd5d6b6c580a56eb
data/.gitlab-ci.yml CHANGED
@@ -1,12 +1,17 @@
1
- image: "ruby:2.3.1"
2
-
3
- before_script:
4
- - bundle install
1
+ default:
2
+ image: "ruby:${RUBY_VERSION}"
5
3
 
6
4
  stages:
7
5
  - test
8
6
 
9
- rspec:
10
- stage: test
7
+ .test-template: &test
8
+ before_script:
9
+ - bundle install
11
10
  script:
12
11
  - bundle exec rake spec
12
+
13
+ rspec:
14
+ parallel:
15
+ matrix:
16
+ - RUBY_VERSION: [ "2.7", "3.0" ]
17
+ <<: *test
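Review bot: `image: "ruby:${RUBY_VERSION}"` with the matrix values `2.7` and `3.0` resolves to floating minor tags, so each pipeline may run on a different patch release and image build with no record of which one; for a reproducible, auditable build pin a full patch tag or, better, an image digest (`ruby:3.0@sha256:<digest>`). `bundle install` in `.test-template` also resolves dependencies afresh on every run; if a `Gemfile.lock` is committed (not visible in this diff), `bundle install --frozen` or `BUNDLE_FROZEN=true` would fail the job instead of silently picking up newer gem versions. Adding `"3.1"` (released December 2021) to the matrix would also exercise the current Ruby rather than only the two older lines that replaced `ruby:2.3.1`.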
data/CHANGELOG CHANGED
@@ -1,3 +1,9 @@
1
+ ## 2.1.1
2
+ - Add a String check to `tls_options` sanitization to allow other objects
3
+
4
+ ## 2.1.0
5
+ - Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
6
+
1
7
  ## 2.0.4
2
8
  - Improve log message when invalid credentials are used
3
9
 
data/README.md CHANGED
@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
18
18
  :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
19
19
  :bind_dn => 'default_bind_dn'
20
20
  :password => 'password'
21
+ :tls_options => {
22
+ :ssl_version => 'TLSv1_2',
23
+ :ciphers => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
24
+ }
21
25
 
22
26
  All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
23
27
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
48
52
  Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
49
53
  please just avoid them.
50
54
 
55
+ - `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
56
+ `:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
57
+ for all available options and values.
58
+
51
59
  Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
52
60
 
53
61
 
@@ -6,10 +6,10 @@ Gem::Specification.new do |gem|
6
6
  gem.email = ["ping@intridea.com"]
7
7
  gem.description = %q{A LDAP strategy for OmniAuth.}
8
8
  gem.summary = %q{A LDAP strategy for OmniAuth.}
9
- gem.homepage = "https://github.com/gitlabhq/omniauth-ldap"
9
+ gem.homepage = "https://gitlab.com/gitlab-org/omniauth-ldap"
10
10
  gem.license = "MIT"
11
11
 
12
- gem.add_runtime_dependency 'omniauth', '~> 1.3'
12
+ gem.add_runtime_dependency 'omniauth', '>= 1.3', '< 3'
13
13
  gem.add_runtime_dependency 'net-ldap', '~> 0.16'
14
14
  gem.add_runtime_dependency 'pyu-ruby-sasl', '>= 0.0.3.3', '< 0.1'
15
15
  gem.add_runtime_dependency 'rubyntlm', '~> 0.5'
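Review bot: Widening omniauth to `'>= 1.3', '< 3'` lets this gem load under OmniAuth 2, whose request phase by default accepts only POST and expects an authenticity token — the rewritten `ldap_spec.rb` (POST to `/auth/ldap` with `authenticity_token` and a `csrf` session key) is consistent with that, so deployments that link users to `GET /auth/ldap` will stop working once they upgrade omniauth. Nothing in the diff tells users: the README still says "Direct users to '/auth/ldap'", and the CHANGELOG gains 2.1.0/2.1.1 entries but no 2.2.0 entry even though `VERSION` moves to 2.2.0. Add a `## 2.2.0` entry such as `- Allow OmniAuth 2.x; with OmniAuth 2 defaults the request phase must be a POST carrying an authenticity token` and a matching README sentence. Whether the strategy's own request/callback phases need further changes for OmniAuth 2 is not visible from this diff.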
@@ -15,10 +15,12 @@ module OmniAuth
15
15
 
16
16
  VALID_ADAPTER_CONFIGURATION_KEYS = [
17
17
  :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
18
- :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
18
+ :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
19
19
 
20
20
  # Deprecated
21
- :method
21
+ :method,
22
+ :ca_file,
23
+ :ssl_version
22
24
  ]
23
25
 
24
26
  # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
134
136
  def tls_options(translated_method)
135
137
  return {} if translated_method == nil # (plain)
136
138
 
137
- tls_options = if @disable_verify_certificates
138
- # It is important to explicitly set verify_mode for two reasons:
139
- # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
140
- # 2. The net-ldap gem implementation verifies the certificate hostname
141
- # unless verify_mode is set to VERIFY_NONE.
142
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
143
- else
144
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
145
- end
146
-
147
- tls_options[:ca_file] = @ca_file if @ca_file
148
- tls_options[:ssl_version] = @ssl_version if @ssl_version
149
- tls_options
139
+ options = default_options
140
+
141
+ if @tls_options
142
+ # Prevent blank config values from overwriting SSL defaults
143
+ configured_options = sanitize_hash_values(@tls_options)
144
+ configured_options = symbolize_hash_keys(configured_options)
145
+
146
+ options.merge!(configured_options)
147
+ end
148
+
149
+ # Retain backward compatibility until deprecated configs are removed.
150
+ options[:ca_file] = @ca_file if @ca_file
151
+ options[:ssl_version] = @ssl_version if @ssl_version
152
+
153
+ options
150
154
  end
151
155
 
152
156
  def sasl_auths(options={})
@@ -194,6 +198,38 @@ module OmniAuth
194
198
  [Net::NTLM::Message::Type1.new.serialize, nego]
195
199
  end
196
200
 
201
+ private
202
+
203
+ def default_options
204
+ if @disable_verify_certificates
205
+ # It is important to explicitly set verify_mode for two reasons:
206
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
207
+ # 2. The net-ldap gem implementation verifies the certificate hostname
208
+ # unless verify_mode is set to VERIFY_NONE.
209
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
210
+ else
211
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
212
+ end
213
+ end
214
+
215
+ # Removes keys that have blank values
216
+ #
217
+ # This gem may not always be in the context of Rails so we
218
+ # do this rather than `.blank?`.
219
+ def sanitize_hash_values(hash)
220
+ hash.delete_if do |_, value|
221
+ value.nil? ||
222
+ (value.is_a?(String) && value !~ /\S/)
223
+ end
224
+ end
225
+
226
+ def symbolize_hash_keys(hash)
227
+ hash.keys.each do |key|
228
+ hash[key.to_sym] = hash[key]
229
+ end
230
+
231
+ hash
232
+ end
197
233
  end
198
234
  end
199
235
  end
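Review bot: `sanitize_hash_values` uses `hash.delete_if`, which mutates the caller's `@tls_options` in place (a frozen configuration hash raises `FrozenError`, and a hash shared between adaptor instances is changed for all of them), and `symbolize_hash_keys` adds a symbol key for every key without removing the original, so a string-keyed config such as `{ 'ssl_version' => 'TLSv1_2' }` reaches net-ldap as both `"ssl_version"` and `:ssl_version`. Both helpers should return a new hash: `hash.reject do |_, value|` in place of `delete_if`, and `hash.transform_keys(&:to_sym)` replacing the `keys.each` loop (Ruby 2.5+, within the 2.7/3.0 CI matrix). Separately, `options.merge!(configured_options)` in `tls_options` lets `tls_options` carry `verify_mode: OpenSSL::SSL::VERIFY_NONE` and thereby disable certificate verification without `disable_verify_certificates` being set, while the deprecated `@ca_file`/`@ssl_version` assigned afterwards silently override whatever `tls_options` supplied; emitting a deprecation warning from that `if` (e.g. `warn '[omniauth-ldap] :ca_file and :ssl_version are deprecated, use :tls_options'`, or the strategy's logger if one exists) would at least make that precedence visible. The class header sits outside this section.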
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module LDAP
3
- VERSION = "2.0.4"
3
+ VERSION = "2.2.0"
4
4
  end
5
5
  end
@@ -30,7 +30,20 @@ describe "OmniAuth::Strategies::LDAP" do
30
30
  end
31
31
 
32
32
  describe '/auth/ldap' do
33
- before(:each){ get '/auth/ldap' }
33
+ let!(:csrf_token) { SecureRandom.base64(32) }
34
+ let(:post_env) { make_env('/auth/ldap', 'rack.session' => { csrf: csrf_token }, 'rack.input' => StringIO.new("authenticity_token=#{escaped_token}")) }
35
+ let(:escaped_token) { URI.encode_www_form_component(csrf_token, Encoding::UTF_8) }
36
+
37
+ before(:each) { post '/auth/ldap', nil, post_env }
38
+
39
+ def make_env(path = '/auth/ldap', props = {})
40
+ {
41
+ 'REQUEST_METHOD' => 'POST',
42
+ 'PATH_INFO' => path,
43
+ 'rack.session' => {},
44
+ 'rack.input' => StringIO.new('test=true')
45
+ }.merge(props)
46
+ end
34
47
 
35
48
  it 'should display a form' do
36
49
  last_response.status.should == 200
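Review bot: The new setup only exercises the happy path — a POST carrying a matching `authenticity_token` and `rack.session[:csrf]` — while nothing asserts the protection it is written around: a POST without the token, or with a mismatching one, should be rejected, and under OmniAuth 1.x (still allowed by the gemspec) a plain `get '/auth/ldap'` should still render the form. A sibling example such as `post '/auth/ldap', nil, make_env('/auth/ldap', 'rack.session' => { csrf: csrf_token })` followed by `last_response.status.should_not == 200` would pin the CSRF check, assuming OmniAuth 2's default request-phase protection is what this session/token shape targets. `make_env` is referenced by `let(:post_env)` before its `def` appears; that works because `let` is lazy, but placing the helper above the `let`s reads better. The `describe '/auth/ldap'` block continues past this section.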
@@ -126,6 +126,22 @@ describe OmniAuth::LDAP::Adaptor do
126
126
  end
127
127
  end
128
128
 
129
+ context 'when tls_options are specified' do
130
+ it 'should pass the values along with defaults' do
131
+ cert = OpenSSL::X509::Certificate.new
132
+ key = OpenSSL::PKey::RSA.new
133
+
134
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key }})
135
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key)
136
+ end
137
+
138
+ it 'does not pass nil or blank values' do
139
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
140
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
141
+ end
142
+ end
143
+
144
+ # DEPRECATED
129
145
  context 'when ca_file is specified' do
130
146
  it 'should set the encryption tls_options ca_file' do
131
147
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +149,7 @@ describe OmniAuth::LDAP::Adaptor do
133
149
  end
134
150
  end
135
151
 
152
+ # DEPRECATED
136
153
  context 'when ssl_version is specified' do
137
154
  it 'should overwrite the encryption tls_options ssl_version' do
138
155
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})
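Review bot: The new `tls_options` examples cover symbol keys and nil/blank values but not string keys, although the adaptor now runs the hash through `symbolize_hash_keys`; an example with `tls_options: { 'ssl_version' => 'TLSv1_2' }` expecting `include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ssl_version: 'TLSv1_2')` would pin that conversion and show whether the original string key is still carried along. Precedence is also unasserted: no example sets both a top-level `ca_file:` and `tls_options: { ca_file: ... }`, so the "backward compatibility" ordering in `Adaptor#tls_options` that the `# DEPRECATED` contexts rely on is untested. The fixture hash (`host`, `encryption`, `base`, `port`, `uid`, `bind_dn`, `password`) is repeated verbatim in every example; a `let(:base_config)` merged per example would keep the new cases readable. The `describe OmniAuth::LDAP::Adaptor` block continues past this section.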
metadata CHANGED
@@ -1,29 +1,35 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab_omniauth-ldap
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.4
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ping Yu
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-10 00:00:00.000000000 Z
11
+ date: 2022-06-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
19
  version: '1.3'
20
+ - - "<"
21
+ - !ruby/object:Gem::Version
22
+ version: '3'
20
23
  type: :runtime
21
24
  prerelease: false
22
25
  version_requirements: !ruby/object:Gem::Requirement
23
26
  requirements:
24
- - - "~>"
27
+ - - ">="
25
28
  - !ruby/object:Gem::Version
26
29
  version: '1.3'
30
+ - - "<"
31
+ - !ruby/object:Gem::Version
32
+ version: '3'
27
33
  - !ruby/object:Gem::Dependency
28
34
  name: net-ldap
29
35
  requirement: !ruby/object:Gem::Requirement
@@ -152,7 +158,7 @@ files:
152
158
  - spec/omniauth-ldap/adaptor_spec.rb
153
159
  - spec/omniauth/strategies/ldap_spec.rb
154
160
  - spec/spec_helper.rb
155
- homepage: https://github.com/gitlabhq/omniauth-ldap
161
+ homepage: https://gitlab.com/gitlab-org/omniauth-ldap
156
162
  licenses:
157
163
  - MIT
158
164
  metadata: {}
@@ -171,8 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
171
177
  - !ruby/object:Gem::Version
172
178
  version: '0'
173
179
  requirements: []
174
- rubyforge_project:
175
- rubygems_version: 2.6.8
180
+ rubygems_version: 3.3.16
176
181
  signing_key:
177
182
  specification_version: 4
178
183
  summary: A LDAP strategy for OmniAuth.