gitlab_omniauth-ldap 2.0.4 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 4d5b4eb5376fab8ef4f9e5e006ba83aa214402e0
-  data.tar.gz: 372d5d8f78a286cfe1328695f11323704a8297b6
+SHA256:
+  metadata.gz: 642e2ab518a4f8a4ba59ebaf35cfa5986e610fbe15692dd95dd7bf5a6a3a06fa
+  data.tar.gz: 630e6293aa7810f87433fb1a0bb51a4e8cd801f1e8e3f4865bdea803ba3bd57b
 SHA512:
-  metadata.gz: e2154945f44fa50434692911fafa1fdc098d4758603c6391be558b701ae4f87b712aef88501c98fa00dda0160e74995172067f9c24f97b051da29e8145f4e0bf
-  data.tar.gz: 5d9b8cd9c5e488f1a643c6bae705f79290bcf04588a50e638bc1d6a80e2d67ba3fedfd122d4ca405b32e58a7fa0edcd0f58ef6736dba02876bf7bfdfab122e4e
+  metadata.gz: c97fd71ee465d6be8b3a91a532dcbfa24242bbe5ad6e18305881af005dc9c96c661e03298f9c4e75bba4b19c9e3152cc04d732e871eaf431422381ca7862f300
+  data.tar.gz: 14738f46becca517da74c67ad6f0fb37de4e545c98636e8a2a285eba5059e1722617662107196977847518416baf32221123f07ed93b6382fd5d6b6c580a56eb

data/.gitlab-ci.yml

@@ -1,12 +1,17 @@
-image: "ruby:2.3.1"
-
-before_script:
-  - bundle install
+default:
+  image: "ruby:${RUBY_VERSION}"
 
 stages:
   - test
 
-rspec:
-  stage: test
+.test-template: &test
+  before_script:
+    - bundle install
   script:
     - bundle exec rake spec
+
+rspec:
+  parallel:
+    matrix:
+      - RUBY_VERSION: [ "2.7", "3.0" ]
+  <<: *test

data/CHANGELOG

@@ -1,3 +1,9 @@
+## 2.1.1
+  - Add a String check to `tls_options` sanitization to allow other objects
+
+## 2.1.0
+  - Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
+
 ## 2.0.4
   - Improve log message when invalid credentials are used
 

data/README.md

@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
         :name_proc    => Proc.new {|name| name.gsub(/@.*$/,'')}
         :bind_dn      => 'default_bind_dn'
         :password     => 'password'
+        :tls_options  => {
+          :ssl_version => 'TLSv1_2',
+          :ciphers     => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+        }
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
   Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods, 
   please just avoid them.
 
+- `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
+  `:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+  for all available options and values.
+
 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
 
 

data/gitlab_omniauth-ldap.gemspec

@@ -6,10 +6,10 @@ Gem::Specification.new do |gem|
   gem.email         = ["ping@intridea.com"]
   gem.description   = %q{A LDAP strategy for OmniAuth.}
   gem.summary       = %q{A LDAP strategy for OmniAuth.}
-  gem.homepage      = "https://github.com/gitlabhq/omniauth-ldap"
+  gem.homepage      = "https://gitlab.com/gitlab-org/omniauth-ldap"
   gem.license       = "MIT"
 
-  gem.add_runtime_dependency     'omniauth', '~> 1.3'
+  gem.add_runtime_dependency     'omniauth', '>= 1.3', '< 3'
   gem.add_runtime_dependency     'net-ldap', '~> 0.16'
   gem.add_runtime_dependency     'pyu-ruby-sasl', '>= 0.0.3.3', '< 0.1'
   gem.add_runtime_dependency     'rubyntlm', '~> 0.5'

data/lib/omniauth-ldap/adaptor.rb

@@ -15,10 +15,12 @@ module OmniAuth
 
       VALID_ADAPTER_CONFIGURATION_KEYS = [
         :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
-        :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
+        :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
 
         # Deprecated
-        :method
+        :method,
+        :ca_file,
+        :ssl_version
       ]
 
       # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
       def tls_options(translated_method)
         return {} if translated_method == nil # (plain)
 
-        tls_options = if @disable_verify_certificates
-                        # It is important to explicitly set verify_mode for two reasons:
-                        # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
-                        # 2. The net-ldap gem implementation verifies the certificate hostname
-                        #    unless verify_mode is set to VERIFY_NONE.
-                        { verify_mode: OpenSSL::SSL::VERIFY_NONE }
-                      else
-                        OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-                      end
-
-        tls_options[:ca_file] = @ca_file if @ca_file
-        tls_options[:ssl_version] = @ssl_version if @ssl_version
-        tls_options
+        options = default_options
+
+        if @tls_options
+          # Prevent blank config values from overwriting SSL defaults
+          configured_options = sanitize_hash_values(@tls_options)
+          configured_options = symbolize_hash_keys(configured_options)
+
+          options.merge!(configured_options)
+        end
+
+        # Retain backward compatibility until deprecated configs are removed.
+        options[:ca_file] = @ca_file if @ca_file
+        options[:ssl_version] = @ssl_version if @ssl_version
+
+        options
       end
 
       def sasl_auths(options={})
@@ -194,6 +198,38 @@ module OmniAuth
         [Net::NTLM::Message::Type1.new.serialize, nego]
       end
 
+      private
+
+      def default_options
+        if @disable_verify_certificates
+          # It is important to explicitly set verify_mode for two reasons:
+          # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+          # 2. The net-ldap gem implementation verifies the certificate hostname
+          #    unless verify_mode is set to VERIFY_NONE.
+          { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+        else
+          OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+        end
+      end
+
+      # Removes keys that have blank values
+      #
+      # This gem may not always be in the context of Rails so we
+      # do this rather than `.blank?`.
+      def sanitize_hash_values(hash)
+        hash.delete_if do |_, value|
+          value.nil? ||
+          (value.is_a?(String) && value !~ /\S/)
+        end
+      end
+
+      def symbolize_hash_keys(hash)
+        hash.keys.each do |key|
+          hash[key.to_sym] = hash[key]
+        end
+
+        hash
+      end
     end
   end
 end

data/lib/omniauth-ldap/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module LDAP
-    VERSION = "2.0.4"
+    VERSION = "2.2.0"
   end
 end

data/spec/omniauth/strategies/ldap_spec.rb

@@ -30,7 +30,20 @@ describe "OmniAuth::Strategies::LDAP" do
   end
 
   describe '/auth/ldap' do
-    before(:each){ get '/auth/ldap' }
+    let!(:csrf_token) { SecureRandom.base64(32) }
+    let(:post_env) { make_env('/auth/ldap', 'rack.session' => { csrf: csrf_token }, 'rack.input' => StringIO.new("authenticity_token=#{escaped_token}")) }
+    let(:escaped_token) { URI.encode_www_form_component(csrf_token, Encoding::UTF_8) }
+
+    before(:each) { post '/auth/ldap', nil, post_env }
+
+    def make_env(path = '/auth/ldap', props = {})
+      {
+        'REQUEST_METHOD' => 'POST',
+        'PATH_INFO' => path,
+        'rack.session' => {},
+        'rack.input' => StringIO.new('test=true')
+      }.merge(props)
+    end
 
     it 'should display a form' do
       last_response.status.should == 200

data/spec/omniauth-ldap/adaptor_spec.rb

@@ -126,6 +126,22 @@ describe OmniAuth::LDAP::Adaptor do
         end
       end
 
+      context 'when tls_options are specified' do
+        it 'should pass the values along with defaults' do
+          cert = OpenSSL::X509::Certificate.new
+          key  = OpenSSL::PKey::RSA.new
+
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key }})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2', cert: cert, key: key)
+        end
+
+        it 'does not pass nil or blank values' do
+          adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
+          adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        end
+      end
+
+      # DEPRECATED
       context 'when ca_file is specified' do
         it 'should set the encryption tls_options ca_file' do
           adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +149,7 @@ describe OmniAuth::LDAP::Adaptor do
         end
       end
 
+      # DEPRECATED
       context 'when ssl_version is specified' do
         it 'should overwrite the encryption tls_options ssl_version' do
           adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: gitlab_omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 2.0.4
+  version: 2.2.0
 platform: ruby
 authors:
 - Ping Yu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-10 00:00:00.000000000 Z
+date: 2022-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: net-ldap
   requirement: !ruby/object:Gem::Requirement
@@ -152,7 +158,7 @@ files:
 - spec/omniauth-ldap/adaptor_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/gitlabhq/omniauth-ldap
+homepage: https://gitlab.com/gitlab-org/omniauth-ldap
 licenses:
 - MIT
 metadata: {}
@@ -171,8 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.3.16
 signing_key: 
 specification_version: 4
 summary: A LDAP strategy for OmniAuth.