gitlab_omniauth-ldap 2.0.4 → 2.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 4d5b4eb5376fab8ef4f9e5e006ba83aa214402e0
4
- data.tar.gz: 372d5d8f78a286cfe1328695f11323704a8297b6
2
+ SHA256:
3
+ metadata.gz: 642e2ab518a4f8a4ba59ebaf35cfa5986e610fbe15692dd95dd7bf5a6a3a06fa
4
+ data.tar.gz: 630e6293aa7810f87433fb1a0bb51a4e8cd801f1e8e3f4865bdea803ba3bd57b
5
5
  SHA512:
6
- metadata.gz: e2154945f44fa50434692911fafa1fdc098d4758603c6391be558b701ae4f87b712aef88501c98fa00dda0160e74995172067f9c24f97b051da29e8145f4e0bf
7
- data.tar.gz: 5d9b8cd9c5e488f1a643c6bae705f79290bcf04588a50e638bc1d6a80e2d67ba3fedfd122d4ca405b32e58a7fa0edcd0f58ef6736dba02876bf7bfdfab122e4e
6
+ metadata.gz: c97fd71ee465d6be8b3a91a532dcbfa24242bbe5ad6e18305881af005dc9c96c661e03298f9c4e75bba4b19c9e3152cc04d732e871eaf431422381ca7862f300
7
+ data.tar.gz: 14738f46becca517da74c67ad6f0fb37de4e545c98636e8a2a285eba5059e1722617662107196977847518416baf32221123f07ed93b6382fd5d6b6c580a56eb
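--- a/data/.gitlab-ci.yml
+++ b/data/.gitlab-ci.yml
@@ -1,12 +1,17 @@
-image: "ruby:2.3.1"
-
-before_script:
-- bundle install
+default:
+image: "ruby:${RUBY_VERSION}"
 
 stages:
 - test
 
-rspec:
-stage: test
+.test-template: &test
+before_script:
+- bundle install
 script:
 - bundle exec rake spec
+
+rspec:
+parallel:
+matrix:
+- RUBY_VERSION: [ "2.7", "3.0" ]
+<<: *test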
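--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,9 @@
+## 2.1.1
+- Add a String check to `tls_options` sanitization to allow other objects
+
+## 2.1.0
+- Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
+
 ## 2.0.4
 - Improve log message when invalid credentials are used
 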
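--- a/data/README.md
+++ b/data/README.md
@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
 :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
 :bind_dn => 'default_bind_dn'
 :password => 'password'
+:tls_options => {
+:ssl_version => 'TLSv1_2',
+:ciphers => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+}
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
 Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
 please just avoid them.
 
+- `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
+`:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+for all available options and values.
+
 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
 
 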
@@ -6,10 +6,10 @@ Gem::Specification.new do |gem|
6
6
  gem.email = ["ping@intridea.com"]
7
7
  gem.description = %q{A LDAP strategy for OmniAuth.}
8
8
  gem.summary = %q{A LDAP strategy for OmniAuth.}
9
- gem.homepage = "https://github.com/gitlabhq/omniauth-ldap"
9
+ gem.homepage = "https://gitlab.com/gitlab-org/omniauth-ldap"
10
10
  gem.license = "MIT"
11
11
 
12
- gem.add_runtime_dependency 'omniauth', '~> 1.3'
12
+ gem.add_runtime_dependency 'omniauth', '>= 1.3', '< 3'
13
13
  gem.add_runtime_dependency 'net-ldap', '~> 0.16'
14
14
  gem.add_runtime_dependency 'pyu-ruby-sasl', '>= 0.0.3.3', '< 0.1'
15
15
  gem.add_runtime_dependency 'rubyntlm', '~> 0.5'
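Review bot: The widened constraint `gem.add_runtime_dependency 'omniauth', '>= 1.3', '< 3'` admits omniauth 2.x, and the spec change elsewhere in this diff reflects what that implies — the example no longer does `get '/auth/ldap'` but posts to it with an `authenticity_token` in the body — yet nothing on the page tells users: the README still says `Direct users to '/auth/ldap'` unchanged, and the CHANGELOG gains only 2.1.0 and 2.1.1 entries while VERSION moves to 2.2.0. A CHANGELOG entry such as `## 2.2.0` / `- Allow omniauth 2.x; with omniauth 2 the request phase is expected to be a POST carrying the CSRF token` would close that gap, and the README sentence could point at the same requirement. Whether a plain GET still reaches the form depends on the host application's omniauth configuration, which is not visible here. The `Gem::Specification.new do |gem|` block starts before and ends after this hunk.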
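--- a/[lib path not shown on page]/adaptor.rb
+++ b/[lib path not shown on page]/adaptor.rb
@@ -15,10 +15,12 @@ module OmniAuth
 
 VALID_ADAPTER_CONFIGURATION_KEYS = [
 :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
-:sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
+:sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
 
 # Deprecated
-:method
+:method,
+:ca_file,
+:ssl_version
 ]
 
 # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
 def tls_options(translated_method)
 return {} if translated_method == nil # (plain)
 
-tls_options = if @disable_verify_certificates
-# It is important to explicitly set verify_mode for two reasons:
-# 1. The behavior of OpenSSL is undefined when verify_mode is not set.
-# 2. The net-ldap gem implementation verifies the certificate hostname
-# unless verify_mode is set to VERIFY_NONE.
-{ verify_mode: OpenSSL::SSL::VERIFY_NONE }
-else
-OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-end
-
-tls_options[:ca_file] = @ca_file if @ca_file
-tls_options[:ssl_version] = @ssl_version if @ssl_version
-tls_options
+options = default_options
+
+if @tls_options
+# Prevent blank config values from overwriting SSL defaults
+configured_options = sanitize_hash_values(@tls_options)
+configured_options = symbolize_hash_keys(configured_options)
+
+options.merge!(configured_options)
+end
+
+# Retain backward compatibility until deprecated configs are removed.
+options[:ca_file] = @ca_file if @ca_file
+options[:ssl_version] = @ssl_version if @ssl_version
+
+options
 end
 
 def sasl_auths(options={})
@@ -194,6 +198,38 @@ module OmniAuth
 [Net::NTLM::Message::Type1.new.serialize, nego]
 end
 
+private
+
+def default_options
+if @disable_verify_certificates
+# It is important to explicitly set verify_mode for two reasons:
+# 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+# 2. The net-ldap gem implementation verifies the certificate hostname
+# unless verify_mode is set to VERIFY_NONE.
+{ verify_mode: OpenSSL::SSL::VERIFY_NONE }
+else
+OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+end
+end
+
+# Removes keys that have blank values
+#
+# This gem may not always be in the context of Rails so we
+# do this rather than `.blank?`.
+def sanitize_hash_values(hash)
+hash.delete_if do |_, value|
+value.nil? ||
+(value.is_a?(String) && value !~ /\S/)
+end
+end
+
+def symbolize_hash_keys(hash)
+hash.keys.each do |key|
+hash[key.to_sym] = hash[key]
+end
+
+hash
+end
 end
 end
 end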
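Review bot: `sanitize_hash_values` (`hash.delete_if`) and `symbolize_hash_keys` (`hash[key.to_sym] = hash[key]`) both mutate the hash they are handed, which in `tls_options` is `@tls_options` itself — presumably the caller's configuration hash, so the adaptor rewrites its own input each time it builds options — and the second helper adds the symbol key without removing the string one, so a string-keyed config lands in `options` under both `"ca_file"` and `:ca_file`. Non-mutating equivalents keep the same call sites: `hash.reject { |_, value| value.nil? || (value.is_a?(String) && value !~ /\S/) }` and `hash.transform_keys(&:to_sym)` (the CI matrix in this diff targets Ruby 2.7 and 3.0, where `transform_keys` exists). The `# Retain backward compatibility` comment would also be clearer if it named the precedence it introduces, e.g. `# Deprecated top-level :ca_file/:ssl_version win over the same keys given in :tls_options.`. The enclosing `Adaptor` class opens before the first hunk, and no new example in adaptor_spec.rb exercises string keys.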
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module LDAP
3
- VERSION = "2.0.4"
3
+ VERSION = "2.2.0"
4
4
  end
5
5
  end
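--- a/spec/omniauth/strategies/ldap_spec.rb
+++ b/spec/omniauth/strategies/ldap_spec.rb
@@ -30,7 +30,20 @@ describe "OmniAuth::Strategies::LDAP" do
 end
 
 describe '/auth/ldap' do
-before(:each){ get '/auth/ldap' }
+let!(:csrf_token) { SecureRandom.base64(32) }
+let(:post_env) { make_env('/auth/ldap', 'rack.session' => { csrf: csrf_token }, 'rack.input' => StringIO.new("authenticity_token=#{escaped_token}")) }
+let(:escaped_token) { URI.encode_www_form_component(csrf_token, Encoding::UTF_8) }
+
+before(:each) { post '/auth/ldap', nil, post_env }
+
+def make_env(path = '/auth/ldap', props = {})
+{
+'REQUEST_METHOD' => 'POST',
+'PATH_INFO' => path,
+'rack.session' => {},
+'rack.input' => StringIO.new('test=true')
+}.merge(props)
+end
 
 it 'should display a form' do
 last_response.status.should == 200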
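--- a/spec/omniauth-ldap/adaptor_spec.rb
+++ b/spec/omniauth-ldap/adaptor_spec.rb
@@ -126,6 +126,22 @@ describe OmniAuth::LDAP::Adaptor do
 end
 end
 
+context 'when tls_options are specified' do
+it 'should pass the values along with defaults' do
+cert = OpenSSL::X509::Certificate.new
+key = OpenSSL::PKey::RSA.new
+
+adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key }})
+adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key)
+end
+
+it 'does not pass nil or blank values' do
+adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
+adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+end
+end
+
+# DEPRECATED
 context 'when ca_file is specified' do
 it 'should set the encryption tls_options ca_file' do
 adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +149,7 @@ describe OmniAuth::LDAP::Adaptor do
 end
 end
 
+# DEPRECATED
 context 'when ssl_version is specified' do
 it 'should overwrite the encryption tls_options ssl_version' do
 adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})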
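Review bot: Neither new example in the `when tls_options are specified` context covers the precedence the adaptor's `# Retain backward compatibility` assignments create, where a top-level `ca_file:` or `ssl_version:` overwrites the same key supplied inside `tls_options:`; the two `# DEPRECATED` contexts only pass the old keys on their own, so the behaviour that will change when those keys are removed is unpinned. An example passing both forms (the second path below is a constructed sample) would make that contract explicit. The repeated adaptor literal in the new examples could also be lifted into a shared `let` hash and `merge`d per example, since the file otherwise repeats it verbatim. The enclosing `describe OmniAuth::LDAP::Adaptor do` block starts before and ends after these hunks.
```ruby
it 'lets the deprecated ca_file override the same key in tls_options' do
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem', tls_options: { ca_file: '/etc/other-ca.pem' }})
  adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem')
end
```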
metadata CHANGED
@@ -1,29 +1,35 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab_omniauth-ldap
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.4
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ping Yu
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-10 00:00:00.000000000 Z
11
+ date: 2022-06-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: omniauth
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
19
  version: '1.3'
20
+ - - "<"
21
+ - !ruby/object:Gem::Version
22
+ version: '3'
20
23
  type: :runtime
21
24
  prerelease: false
22
25
  version_requirements: !ruby/object:Gem::Requirement
23
26
  requirements:
24
- - - "~>"
27
+ - - ">="
25
28
  - !ruby/object:Gem::Version
26
29
  version: '1.3'
30
+ - - "<"
31
+ - !ruby/object:Gem::Version
32
+ version: '3'
27
33
  - !ruby/object:Gem::Dependency
28
34
  name: net-ldap
29
35
  requirement: !ruby/object:Gem::Requirement
@@ -152,7 +158,7 @@ files:
152
158
  - spec/omniauth-ldap/adaptor_spec.rb
153
159
  - spec/omniauth/strategies/ldap_spec.rb
154
160
  - spec/spec_helper.rb
155
- homepage: https://github.com/gitlabhq/omniauth-ldap
161
+ homepage: https://gitlab.com/gitlab-org/omniauth-ldap
156
162
  licenses:
157
163
  - MIT
158
164
  metadata: {}
@@ -171,8 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
171
177
  - !ruby/object:Gem::Version
172
178
  version: '0'
173
179
  requirements: []
174
- rubyforge_project:
175
- rubygems_version: 2.6.8
180
+ rubygems_version: 3.3.16
176
181
  signing_key:
177
182
  specification_version: 4
178
183
  summary: A LDAP strategy for OmniAuth.