gitlab_omniauth-ldap 2.0.4 → 2.1.0

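--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 4d5b4eb5376fab8ef4f9e5e006ba83aa214402e0
-data.tar.gz: 372d5d8f78a286cfe1328695f11323704a8297b6
+metadata.gz: 107e59861e46c73e0ef7ecce99aae216a71f9dd1
+data.tar.gz: 0eee9f8076ecad7e956ddd666e5b921b0fcd55e8
 SHA512:
-metadata.gz: e2154945f44fa50434692911fafa1fdc098d4758603c6391be558b701ae4f87b712aef88501c98fa00dda0160e74995172067f9c24f97b051da29e8145f4e0bf
-data.tar.gz: 5d9b8cd9c5e488f1a643c6bae705f79290bcf04588a50e638bc1d6a80e2d67ba3fedfd122d4ca405b32e58a7fa0edcd0f58ef6736dba02876bf7bfdfab122e4e
+metadata.gz: 91734fda37560214286bfce376042ad99a972f285de2e6c61d189ddab9a81c0ae3d8eab2ff209c41b1eb378e680f1570942e5cb08b1e729f245b65223618ee59
+data.tar.gz: efe11e7dc19bf70bc74f2ac3e71cf345bf0ac20c8ef36fabceaa01c1066228d48acf5b5226ff9f951249080e0d0d5b31f79ee1c3788f2bf4cd0782e18726dec9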
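--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,6 @@
+## 2.1.0
+- Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
+
 ## 2.0.4
 - Improve log message when invalid credentials are used
 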
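--- a/data/README.md
+++ b/data/README.md
@@ -18,6 +18,10 @@ Use the LDAP strategy as a middleware in your application:
 :name_proc => Proc.new {|name| name.gsub(/@.*$/,'')}
 :bind_dn => 'default_bind_dn'
 :password => 'password'
+:tls_options => {
+:ssl_version => 'TLSv1_2',
+:ciphers => ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+}
 
 All of the listed options are required, with the exception of :title, :name_proc, :bind_dn, and :password.
 
@@ -48,6 +52,10 @@ All of the listed options are required, with the exception of :title, :name_proc
 Use them to initialize a SASL connection to server. If you are not familiar with these authentication methods,
 please just avoid them.
 
+- `:tls_options` allows you to pass in OpenSSL options like `:ssl_version`,
+`:ciphers` and more. See http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
+for all available options and values.
+
 Direct users to '/auth/ldap' to have them authenticated via your company's LDAP server.
 
 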
@@ -6,7 +6,7 @@ Gem::Specification.new do |gem|
6
6
  gem.email = ["ping@intridea.com"]
7
7
  gem.description = %q{A LDAP strategy for OmniAuth.}
8
8
  gem.summary = %q{A LDAP strategy for OmniAuth.}
9
- gem.homepage = "https://github.com/gitlabhq/omniauth-ldap"
9
+ gem.homepage = "https://gitlab.com/gitlab-org/omniauth-ldap"
10
10
  gem.license = "MIT"
11
11
 
12
12
  gem.add_runtime_dependency 'omniauth', '~> 1.3'
@@ -15,10 +15,12 @@ module OmniAuth
15
15
 
16
16
  VALID_ADAPTER_CONFIGURATION_KEYS = [
17
17
  :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
18
- :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :ca_file, :ssl_version,
18
+ :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
19
19
 
20
20
  # Deprecated
21
- :method
21
+ :method,
22
+ :ca_file,
23
+ :ssl_version
22
24
  ]
23
25
 
24
26
  # A list of needed keys. Possible alternatives are specified using sub-lists.
@@ -134,19 +136,21 @@ module OmniAuth
134
136
  def tls_options(translated_method)
135
137
  return {} if translated_method == nil # (plain)
136
138
 
137
- tls_options = if @disable_verify_certificates
138
- # It is important to explicitly set verify_mode for two reasons:
139
- # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
140
- # 2. The net-ldap gem implementation verifies the certificate hostname
141
- # unless verify_mode is set to VERIFY_NONE.
142
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
143
- else
144
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
145
- end
146
-
147
- tls_options[:ca_file] = @ca_file if @ca_file
148
- tls_options[:ssl_version] = @ssl_version if @ssl_version
149
- tls_options
139
+ options = default_options
140
+
141
+ if @tls_options
142
+ # Prevent blank config values from overwriting SSL defaults
143
+ configured_options = sanitize_hash_values(@tls_options)
144
+ configured_options = symbolize_hash_keys(configured_options)
145
+
146
+ options.merge!(configured_options)
147
+ end
148
+
149
+ # Retain backward compatibility until deprecated configs are removed.
150
+ options[:ca_file] = @ca_file if @ca_file
151
+ options[:ssl_version] = @ssl_version if @ssl_version
152
+
153
+ options
150
154
  end
151
155
 
152
156
  def sasl_auths(options={})
@@ -194,6 +198,32 @@ module OmniAuth
194
198
  [Net::NTLM::Message::Type1.new.serialize, nego]
195
199
  end
196
200
 
201
+ private
202
+
203
+ def default_options
204
+ if @disable_verify_certificates
205
+ # It is important to explicitly set verify_mode for two reasons:
206
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
207
+ # 2. The net-ldap gem implementation verifies the certificate hostname
208
+ # unless verify_mode is set to VERIFY_NONE.
209
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
210
+ else
211
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
212
+ end
213
+ end
214
+
215
+ # Removes keys that have blank values
216
+ def sanitize_hash_values(hash)
217
+ hash.delete_if { |_, value| value.nil? || value !~ /\S/ }
218
+ end
219
+
220
+ def symbolize_hash_keys(hash)
221
+ hash.keys.each do |key|
222
+ hash[key.to_sym] = hash[key]
223
+ end
224
+
225
+ hash
226
+ end
197
227
  end
198
228
  end
199
229
  end
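Review bot: `sanitize_hash_values` in the third hunk (`hash.delete_if { |_, value| value.nil? || value !~ /\S/ }`) silently drops every non-String value: an Array such as the README's `:ciphers` list has no `=~` of its own, so `!~` is true for it (and on Ruby 3.2+, where `Object#=~` was removed, it raises NoMethodError instead). An operator who restricts ciphers through `tls_options` therefore ends up with the OpenSSL defaults and no error, so the blank check should apply to strings only: `hash.reject { |_, value| value.nil? || (value.is_a?(String) && value.strip.empty?) }`. Using `reject` rather than `delete_if` also stops the method from mutating the caller's `@tls_options` hash, which `symbolize_hash_keys` likewise edits in place while leaving the original String keys beside the new Symbol ones; `hash.each_with_object({}) { |(key, value), out| out[key.to_sym] = value }` returns a clean copy instead. The existing 'does not pass nil or blank values' spec keeps passing with both changes.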
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module LDAP
3
- VERSION = "2.0.4"
3
+ VERSION = "2.1.0"
4
4
  end
5
5
  end
@@ -126,6 +126,19 @@ describe OmniAuth::LDAP::Adaptor do
126
126
  end
127
127
  end
128
128
 
129
+ context 'when tls_options are specified' do
130
+ it 'should pass the values along with defaults' do
131
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2' }})
132
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(ca_file: '/etc/ca.pem', ssl_version: 'TLSv1_2')
133
+ end
134
+
135
+ it 'does not pass nil or blank values' do
136
+ adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', tls_options: { ca_file: nil, ssl_version: ' ' }})
137
+ adaptor.connection.instance_variable_get('@encryption').should include tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
138
+ end
139
+ end
140
+
141
+ # DEPRECATED
129
142
  context 'when ca_file is specified' do
130
143
  it 'should set the encryption tls_options ca_file' do
131
144
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ca_file: '/etc/ca.pem'})
@@ -133,6 +146,7 @@ describe OmniAuth::LDAP::Adaptor do
133
146
  end
134
147
  end
135
148
 
149
+ # DEPRECATED
136
150
  context 'when ssl_version is specified' do
137
151
  it 'should overwrite the encryption tls_options ssl_version' do
138
152
  adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.145", encryption: 'ssl', base: 'dc=intridea, dc=com', port: 636, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password', ssl_version: 'TLSv1_2'})
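Review bot: The new 'when tls_options are specified' examples in the first hunk only pass Symbol keys with String values, so they never exercise the two paths the adaptor code has to handle: String keys (which `symbolize_hash_keys` exists to convert) and non-String values such as the `:ciphers` Array the README now documents. One more example built with `tls_options: { 'ciphers' => ['<constructed cipher list>'] }` that asserts the array is present in `@encryption`'s `tls_options` would pin that behaviour before the option is relied on for hardening. The enclosing `describe` block starts and ends outside the hunk.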
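--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gitlab_omniauth-ldap
 version: !ruby/object:Gem::Version
-version: 2.0.4
+version: 2.1.0
 platform: ruby
 authors:
 - Ping Yu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-08-10 00:00:00.000000000 Z
+date: 2018-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: omniauth
@@ -152,7 +152,7 @@ files:
 - spec/omniauth-ldap/adaptor_spec.rb
 - spec/omniauth/strategies/ldap_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/gitlabhq/omniauth-ldap
+homepage: https://gitlab.com/gitlab-org/omniauth-ldap
 licenses:
 - MIT
 metadata: {}
@@ -172,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.8
+rubygems_version: 2.4.5.1
 signing_key:
 specification_version: 4
 summary: A LDAP strategy for OmniAuth.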