gitlab_omniauth-ldap 2.0.4 → 2.1.0

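--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 4d5b4eb5376fab8ef4f9e5e006ba83aa214402e0
-data.tar.gz: 372d5d8f78a286cfe1328695f11323704a8297b6
+metadata.gz: 107e59861e46c73e0ef7ecce99aae216a71f9dd1
+data.tar.gz: 0eee9f8076ecad7e956ddd666e5b921b0fcd55e8
 SHA512:
-metadata.gz: e2154945f44fa50434692911fafa1fdc098d4758603c6391be558b701ae4f87b712aef88501c98fa00dda0160e74995172067f9c24f97b051da29e8145f4e0bf
-data.tar.gz: 5d9b8cd9c5e488f1a643c6bae705f79290bcf04588a50e638bc1d6a80e2d67ba3fedfd122d4ca405b32e58a7fa0edcd0f58ef6736dba02876bf7bfdfab122e4e
+metadata.gz: 91734fda37560214286bfce376042ad99a972f285de2e6c61d189ddab9a81c0ae3d8eab2ff209c41b1eb378e680f1570942e5cb08b1e729f245b65223618ee59
+data.tar.gz: efe11e7dc19bf70bc74f2ac3e71cf345bf0ac20c8ef36fabceaa01c1066228d48acf5b5226ff9f951249080e0d0d5b31f79ee1c3788f2bf4cd0782e18726dec9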
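--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,6 @@
+## 2.1.0
+- Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
+
 ## 2.0.4
 - Improve log message when invalid credentials are used
 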
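--- a/data/README.md
+++ b/data/README.md
@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
 :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
 :bind_dn => 'default_bind_dn'
 :password => 'password'
+:tls_options => {
+:ssl_version => 'TLSv1_2',
+:ciphers => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+}
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
 Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
 please just avoid them.
 
+- `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
+`:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+for all available options and values.
+
 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
 
 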
@@ -6,7 +6,7 @@ Gem::Specification.new do |gem|
6
6
  gem.email = ["ping@intridea.com"]
7
7
  gem.description = %q{A LDAP strategy for OmniAuth.}
8
8
  gem.summary = %q{A LDAP strategy for OmniAuth.}
9
- gem.homepage = "https://github.com/gitlabhq/omniauth-ldap"
9
+ gem.homepage = "https://gitlab.com/gitlab-org/omniauth-ldap"
10
10
  gem.license = "MIT"
11
11
 
12
12
  gem.add_runtime_dependency 'omniauth', '~> 1.3'
@@ -15,10 +15,12 @@ module OmniAuth
15
15
 
16
16
  VALID_ADAPTER_CONFIGURATION_KEYS = [
17
17
  :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
18
- :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
18
+ :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
19
19
 
20
20
  # Deprecated
21
- :method
21
+ :method,
22
+ :ca_file,
23
+ :ssl_version
22
24
  ]
23
25
 
24
26
  # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
134
136
  def tls_options(translated_method)
135
137
  return {} if translated_method == nil # (plain)
136
138
 
137
- tls_options = if @disable_verify_certificates
138
- # It is important to explicitly set verify_mode for two reasons:
139
- # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
140
- # 2. The net-ldap gem implementation verifies the certificate hostname
141
- # unless verify_mode is set to VERIFY_NONE.
142
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
143
- else
144
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
145
- end
146
-
147
- tls_options[:ca_file] = @ca_file if @ca_file
148
- tls_options[:ssl_version] = @ssl_version if @ssl_version
149
- tls_options
139
+ options = default_options
140
+
141
+ if @tls_options
142
+ # Prevent blank config values from overwriting SSL defaults
143
+ configured_options = sanitize_hash_values(@tls_options)
144
+ configured_options = symbolize_hash_keys(configured_options)
145
+
146
+ options.merge!(configured_options)
147
+ end
148
+
149
+ # Retain backward compatibility until deprecated configs are removed.
150
+ options[:ca_file] = @ca_file if @ca_file
151
+ options[:ssl_version] = @ssl_version if @ssl_version
152
+
153
+ options
150
154
  end
151
155
 
152
156
  def sasl_auths(options={})
@@ -194,6 +198,32 @@ module OmniAuth
194
198
  [Net::NTLM::Message::Type1.new.serialize, nego]
195
199
  end
196
200
 
201
+ private
202
+
203
+ def default_options
204
+ if @disable_verify_certificates
205
+ # It is important to explicitly set verify_mode for two reasons:
206
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
207
+ # 2. The net-ldap gem implementation verifies the certificate hostname
208
+ # unless verify_mode is set to VERIFY_NONE.
209
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
210
+ else
211
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
212
+ end
213
+ end
214
+
215
+ # Removes keys that have blank values
216
+ def sanitize_hash_values(hash)
217
+ hash.delete_if { |_, value| value.nil? || value !~ /\S/ }
218
+ end
219
+
220
+ def symbolize_hash_keys(hash)
221
+ hash.keys.each do |key|
222
+ hash[key.to_sym] = hash[key]
223
+ end
224
+
225
+ hash
226
+ end
197
227
  end
198
228
  end
199
229
  end
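Review bot: `sanitize_hash_values` silently drops every non-String value: for an Integer or an Array, `value !~ /\S/` falls through to `Object#=~`, which returns nil (and no longer exists at all as of Ruby 3.2, where the call raises), so a `ciphers: [...]` list as the README documents, or an explicit `verify_mode: OpenSSL::SSL::VERIFY_PEER`, is removed before `options.merge!` and the operator ends up with the defaults instead of the restriction they configured. Limit the blank check to strings, e.g. `hash.delete_if { |_, value| value.nil? || (value.is_a?(String) && value !~ /\S/) }`. Both `delete_if` and `symbolize_hash_keys` also mutate the caller-supplied `@tls_options` in place, and the latter leaves the original string keys next to the symbol copies; building a new hash with `hash.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }` avoids both. Finally, the deprecated `options[:ca_file] = @ca_file` / `options[:ssl_version] = @ssl_version` assignments at the end of `tls_options` override the same keys passed via `:tls_options` without any warning, which deserves at least a comment stating that the deprecated options win.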
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module LDAP
3
- VERSION = "2.0.4"
3
+ VERSION = "2.1.0"
4
4
  end
5
5
  end
@@ -126,6 +126,19 @@ describe OmniAuth::LDAP::Adaptor do
126
126
  end
127
127
  end
128
128
 
129
+ context 'when tls_options are specified' do
130
+ it 'should pass the values along with defaults' do
131
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2' }})
132
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2')
133
+ end
134
+
135
+ it 'does not pass nil or blank values' do
136
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
137
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
138
+ end
139
+ end
140
+
141
+ # DEPRECATED
129
142
  context 'when ca_file is specified' do
130
143
  it 'should set the encryption tls_options ca_file' do
131
144
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +146,7 @@ describe OmniAuth::LDAP::Adaptor do
133
146
  end
134
147
  end
135
148
 
149
+ # DEPRECATED
136
150
  context 'when ssl_version is specified' do
137
151
  it 'should overwrite the encryption tls_options ssl_version' do
138
152
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})
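Review bot: Neither example in the new `'when tls_options are specified'` context exercises a non-String value, although the README documents `:ciphers` as an Array and `:verify_mode` is an Integer; since `sanitize_hash_values` decides what to drop with a regexp match, that is the path most likely to misbehave and it is currently unverified. Add an example such as `tls_options: { ciphers: ['ECDHE-RSA-AES128-GCM-SHA256'] }` and assert that the array is still present in `@encryption[:tls_options]` after the merge. The surrounding `describe` block continues outside the hunk.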
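--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gitlab_omniauth-ldap
 version: !ruby/object:Gem::Version
-version: 2.0.4
+version: 2.1.0
 platform: ruby
 authors:
 - Ping Yu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-10 00:00:00.000000000 Z
+date: 2018-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth
@@ -152,7 +152,7 @@ files:
 - spec/omniauth-ldap/adaptor_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/gitlabhq/omniauth-ldap
+homepage: https://gitlab.com/gitlab-org/omniauth-ldap
 licenses:
 - MIT
 metadata: {}
@@ -172,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.8
+rubygems_version: 2.4.5.1
 signing_key:
 specification_version: 4
 summary: A LDAP strategy for OmniAuth.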