gitlab_omniauth-ldap 2.0.4 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/.gitlab-ci.yml +11 -6
- data/CHANGELOG +6 -0
- data/README.md +8 -0
- data/gitlab_omniauth-ldap.gemspec +2 -2
- data/lib/omniauth-ldap/adaptor.rb +51 -15
- data/lib/omniauth-ldap/version.rb +1 -1
- data/spec/omniauth/strategies/ldap_spec.rb +14 -1
- data/spec/omniauth-ldap/adaptor_spec.rb +17 -0
- metadata +12 -7
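--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 642e2ab518a4f8a4ba59ebaf35cfa5986e610fbe15692dd95dd7bf5a6a3a06fa
+data.tar.gz: 630e6293aa7810f87433fb1a0bb51a4e8cd801f1e8e3f4865bdea803ba3bd57b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c97fd71ee465d6be8b3a91a532dcbfa24242bbe5ad6e18305881af005dc9c96c661e03298f9c4e75bba4b19c9e3152cc04d732e871eaf431422381ca7862f300
+data.tar.gz: 14738f46becca517da74c67ad6f0fb37de4e545c98636e8a2a285eba5059e1722617662107196977847518416baf32221123f07ed93b6382fd5d6b6c580a56eb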
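--- a/data/.gitlab-ci.yml
+++ b/data/.gitlab-ci.yml
@@ -1,12 +1,17 @@
-
-
-before_script:
-- bundle install
+default:
+image: "ruby:${RUBY_VERSION}"
 
 stages:
 - test
 
-
-
+.test-template: &test
+before_script:
+- bundle install
 script:
 - bundle exec rake spec
+
+rspec:
+parallel:
+matrix:
+- RUBY_VERSION: [ "2.7", "3.0" ]
+<<: *test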
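Review bot: `image: "ruby:${RUBY_VERSION}"` together with the `"2.7"`/`"3.0"` matrix resolves to a floating minor-version tag, so the image content can change under the pipeline between two runs and a failure or behaviour change is then not attributable to anything in this repository. Pinning the full patch version, or better the image digest (`ruby:3.0.<patch>@sha256:<digest>`, placeholders), keeps CI reproducible; the matrix values would then carry the pinned versions. This is a reproducibility point only; the job structure itself reads correctly.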
data/CHANGELOG
CHANGED
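--- a/data/README.md
+++ b/data/README.md
@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
 :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
 :bind_dn => 'default_bind_dn'
 :password => 'password'
+:tls_options => {
+:ssl_version => 'TLSv1_2',
+:ciphers => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+}
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
 Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
 please just avoid them.
 
+- `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
+`:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+for all available options and values.
+
 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
 
 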
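--- a/data/gitlab_omniauth-ldap.gemspec
+++ b/data/gitlab_omniauth-ldap.gemspec
@@ -6,10 +6,10 @@ Gem::Specification.new do |gem|
 gem.email = ["ping@intridea.com"]
 gem.description = %q{A LDAP strategy for OmniAuth.}
 gem.summary = %q{A LDAP strategy for OmniAuth.}
-gem.homepage = "https://
+gem.homepage = "https://gitlab.com/gitlab-org/omniauth-ldap"
 gem.license = "MIT"
 
-gem.add_runtime_dependency 'omniauth', '
+gem.add_runtime_dependency 'omniauth', '>= 1.3', '< 3'
 gem.add_runtime_dependency 'net-ldap', '~> 0.16'
 gem.add_runtime_dependency 'pyu-ruby-sasl', '>= 0.0.3.3', '< 0.1'
 gem.add_runtime_dependency 'rubyntlm', '~> 0.5'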
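--- a/data/lib/omniauth-ldap/adaptor.rb
+++ b/data/lib/omniauth-ldap/adaptor.rb
@@ -15,10 +15,12 @@ module OmniAuth
 
 VALID_ADAPTER_CONFIGURATION_KEYS = [
 :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
-:sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :
+:sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
 
 # Deprecated
-:method
+:method,
+:ca_file,
+:ssl_version
 ]
 
 # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
 def tls_options(translated_method)
 return {} if translated_method == nil # (plain)
 
-
-
-
-
-
-
-
-
-
-
-
-
-
+options = default_options
+
+if @tls_options
+# Prevent blank config values from overwriting SSL defaults
+configured_options = sanitize_hash_values(@tls_options)
+configured_options = symbolize_hash_keys(configured_options)
+
+options.merge!(configured_options)
+end
+
+# Retain backward compatibility until deprecated configs are removed.
+options[:ca_file] = @ca_file if @ca_file
+options[:ssl_version] = @ssl_version if @ssl_version
+
+options
 end
 
 def sasl_auths(options={})
@@ -194,6 +198,38 @@ module OmniAuth
 [Net::NTLM::Message::Type1.new.serialize, nego]
 end
 
+private
+
+def default_options
+if @disable_verify_certificates
+# It is important to explicitly set verify_mode for two reasons:
+# 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+# 2. The net-ldap gem implementation verifies the certificate hostname
+# unless verify_mode is set to VERIFY_NONE.
+{ verify_mode: OpenSSL::SSL::VERIFY_NONE }
+else
+OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+end
+end
+
+# Removes keys that have blank values
+#
+# This gem may not always be in the context of Rails so we
+# do this rather than `.blank?`.
+def sanitize_hash_values(hash)
+hash.delete_if do |_, value|
+value.nil? ||
+(value.is_a?(String) && value !~ /\S/)
+end
+end
+
+def symbolize_hash_keys(hash)
+hash.keys.each do |key|
+hash[key.to_sym] = hash[key]
+end
+
+hash
+end
 end
 end
 end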
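Review bot: `sanitize_hash_values` and `symbolize_hash_keys` both mutate the hash they receive, and because `delete_if` returns its receiver the object being edited is the caller's own `@tls_options` — each call to `tls_options` strips entries from the configured hash and adds symbol-keyed copies next to any string keys, all of which then flow into `options.merge!`. Non-mutating forms keep the adaptor's configuration read-only and drop the string-key duplicates: `hash.reject { |_, value| value.nil? || (value.is_a?(String) && value !~ /\S/) }` and `hash.transform_keys(&:to_sym)` (both available on the 2.7/3.0 matrix this release targets). The `options.merge!(configured_options)` line also deserves a comment that a configured `:verify_mode` takes precedence over `DEFAULT_PARAMS`, since a stray value there silently weakens certificate verification — e.g. `# NOTE: keys in tls_options (including :verify_mode) override DEFAULT_PARAMS`. The enclosing class, and the public `tls_options` method's caller, continue outside the hunk.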
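--- a/data/spec/omniauth/strategies/ldap_spec.rb
+++ b/data/spec/omniauth/strategies/ldap_spec.rb
@@ -30,7 +30,20 @@ describe "OmniAuth::Strategies::LDAP" do
 end
 
 describe '/auth/ldap' do
-
+let!(:csrf_token) { SecureRandom.base64(32) }
+let(:post_env) { make_env('/auth/ldap', 'rack.session' => { csrf: csrf_token }, 'rack.input' => StringIO.new("authenticity_token=#{escaped_token}")) }
+let(:escaped_token) { URI.encode_www_form_component(csrf_token, Encoding::UTF_8) }
+
+before(:each) { post '/auth/ldap', nil, post_env }
+
+def make_env(path = '/auth/ldap', props = {})
+{
+'REQUEST_METHOD' => 'POST',
+'PATH_INFO' => path,
+'rack.session' => {},
+'rack.input' => StringIO.new('test=true')
+}.merge(props)
+end
 
 it 'should display a form' do
 last_response.status.should == 200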
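--- a/data/spec/omniauth-ldap/adaptor_spec.rb
+++ b/data/spec/omniauth-ldap/adaptor_spec.rb
@@ -126,6 +126,22 @@ describe OmniAuth::LDAP::Adaptor do
 end
 end
 
+context 'when tls_options are specified' do
+it 'should pass the values along with defaults' do
+cert = OpenSSL::X509::Certificate.new
+key = OpenSSL::PKey::RSA.new
+
+adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key }})
+adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key)
+end
+
+it 'does not pass nil or blank values' do
+adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
+adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+end
+end
+
+# DEPRECATED
 context 'when ca_file is specified' do
 it 'should set the encryption tls_options ca_file' do
 adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +149,7 @@ describe OmniAuth::LDAP::Adaptor do
 end
 end
 
+# DEPRECATED
 context 'when ssl_version is specified' do
 it 'should overwrite the encryption tls_options ssl_version' do
 adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})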
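--- a/metadata
+++ b/metadata
@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: gitlab_omniauth-ldap
 version: !ruby/object:Gem::Version
-version: 2.0
+version: 2.2.0
 platform: ruby
 authors:
 - Ping Yu
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
 version: '1.3'
+- - "<"
+- !ruby/object:Gem::Version
+version: '3'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
 version: '1.3'
+- - "<"
+- !ruby/object:Gem::Version
+version: '3'
 - !ruby/object:Gem::Dependency
 name: net-ldap
 requirement: !ruby/object:Gem::Requirement
@@ -152,7 +158,7 @@ files:
 - spec/omniauth-ldap/adaptor_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
 - spec/spec_helper.rb
-homepage: https://
+homepage: https://gitlab.com/gitlab-org/omniauth-ldap
 licenses:
 - MIT
 metadata: {}
@@ -171,8 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-rubygems_version: 2.6.8
+rubygems_version: 3.3.16
 signing_key:
 specification_version: 4
 summary: A LDAP strategy for OmniAuth.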