omniauth-ldap 2.0.0 → 2.3.1

data/RUBOCOP.md

@@ -0,0 +1,71 @@
+# RuboCop Usage Guide
+
+## Overview
+
+A tale of two RuboCop plugin gems.
+
+### RuboCop Gradual
+
+This project uses `rubocop_gradual` instead of vanilla RuboCop for code style checking. The `rubocop_gradual` tool allows for gradual adoption of RuboCop rules by tracking violations in a lock file.
+
+### RuboCop LTS
+
+This project uses `rubocop-lts` to ensure, on a best-effort basis, compatibility with Ruby >= 1.9.2.
+RuboCop rules are meticulously configured by the `rubocop-lts` family of gems to ensure that a project is compatible with a specific version of Ruby. See: https://rubocop-lts.gitlab.io for more.
+
+## Checking RuboCop Violations
+
+To check for RuboCop violations in this project, always use:
+
+```bash
+bundle exec rake rubocop_gradual:check
+```
+
+**Do not use** the standard RuboCop commands like:
+- `bundle exec rubocop`
+- `rubocop`
+
+## Understanding the Lock File
+
+The `.rubocop_gradual.lock` file tracks all current RuboCop violations in the project. This allows the team to:
+
+1. Prevent new violations while gradually fixing existing ones
+2. Track progress on code style improvements
+3. Ensure CI builds don't fail due to pre-existing violations
+
+## Common Commands
+
+- **Check violations**
+    - `bundle exec rake rubocop_gradual`
+    - `bundle exec rake rubocop_gradual:check`
+- **(Safe) Autocorrect violations, and update lockfile if no new violations**
+  - `bundle exec rake rubocop_gradual:autocorrect`
+- **Force update the lock file (w/o autocorrect) to match violations present in code**
+  - `bundle exec rake rubocop_gradual:force_update`
+
+## Workflow
+
+1. Before submitting a PR, run `bundle exec rake rubocop_gradual:autocorrect`
+   a. or just the default `bundle exec rake`, as autocorrection is a pre-requisite of the default task.
+2. If there are new violations, either:
+   - Fix them in your code
+   - Run `bundle exec rake rubocop_gradual:force_update` to update the lock file (only for violations you can't fix immediately)
+3. Commit the updated `.rubocop_gradual.lock` file along with your changes
+
+## Never add inline RuboCop disables
+
+Do not add inline `rubocop:disable` / `rubocop:enable` comments anywhere in the codebase (including specs, except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). We handle exceptions in two supported ways:
+
+- Permanent/structural exceptions: prefer adjusting the RuboCop configuration (e.g., in `.rubocop.yml`) to exclude a rule for a path or file pattern when it makes sense project-wide.
+- Temporary exceptions while improving code: record the current violations in `.rubocop_gradual.lock` via the gradual workflow:
+  - `bundle exec rake rubocop_gradual:autocorrect` (preferred; will autocorrect what it can and update the lock only if no new violations were introduced)
+  - If needed, `bundle exec rake rubocop_gradual:force_update` (as a last resort when you cannot fix the newly reported violations immediately)
+
+In general, treat the rules as guidance to follow; fix violations rather than ignore them. For example, RSpec conventions in this project expect `described_class` to be used in specs that target a specific class under test.
+
+## Benefits of rubocop_gradual
+
+- Allows incremental adoption of code style rules
+- Prevents CI failures due to pre-existing violations
+- Provides a clear record of code style debt
+- Enables focused efforts on improving code quality over time

data/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version  | Supported |
+|----------|-----------|
+| 1.latest | ✅         |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## Additional Support
+
+If you are interested in support for versions older than the latest release,
+please consider sponsoring the project / maintainer @ https://liberapay.com/pboling/donate,
+or find other sponsorship links in the [README].
+
+[README]: README.md

data/lib/omniauth/strategies/ldap.rb

@@ -1,59 +1,121 @@
-require 'omniauth'
+require "omniauth"
+require "omniauth/version"
 
 module OmniAuth
   module Strategies
     class LDAP
+      OMNIAUTH_GTE_V2 = Gem::Version.new(OmniAuth::VERSION) >= Gem::Version.new("2.0.0")
       include OmniAuth::Strategy
-      @@config = {
-        'name' => 'cn',
-        'first_name' => 'givenName',
-        'last_name' => 'sn',
-        'email' => ['mail', "email", 'userPrincipalName'],
-        'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
-        'mobile' => ['mobile', 'mobileTelephoneNumber'],
-        'nickname' => ['uid', 'userid', 'sAMAccountName'],
-        'title' => 'title',
-        'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
-        'uid' => 'dn',
-        'url' => ['wwwhomepage'],
-        'image' => 'jpegPhoto',
-        'description' => 'description'
-      }
-      option :title, "LDAP Authentication" #default title for authentication form
+
+      InvalidCredentialsError = Class.new(StandardError)
+
+      CONFIG = {
+        "name" => "cn",
+        "first_name" => "givenName",
+        "last_name" => "sn",
+        "email" => ["mail", "email", "userPrincipalName"],
+        "phone" => ["telephoneNumber", "homePhone", "facsimileTelephoneNumber"],
+        "mobile" => ["mobile", "mobileTelephoneNumber"],
+        "nickname" => ["uid", "userid", "sAMAccountName"],
+        "title" => "title",
+        "location" => {"%0, %1, %2, %3 %4" => [["address", "postalAddress", "homePostalAddress", "street", "streetAddress"], ["l"], ["st"], ["co"], ["postOfficeBox"]]},
+        "uid" => "dn",
+        "url" => ["wwwhomepage"],
+        "image" => "jpegPhoto",
+        "description" => "description",
+      }.freeze
+      option :title, "LDAP Authentication" # default title for authentication form
+      # For OmniAuth >= 2.0 the default allowed request method is POST only.
+      # Ensure the strategy follows that default so GET /auth/:provider returns 404 as expected in tests.
+      if OMNIAUTH_GTE_V2
+        option(:request_methods, [:post])
+      else
+        option(:request_methods, [:get, :post])
+      end
       option :port, 389
       option :method, :plain
-      option :uid, 'sAMAccountName'
-      option :name_proc, lambda {|n| n}
+      option :disable_verify_certificates, false
+      option :ca_file, nil
+      option :ssl_version, nil # use OpenSSL default if nil
+      option :uid, "sAMAccountName"
+      option :name_proc, lambda { |n| n }
+      # Trusted header SSO support (disabled by default)
+      # :header_auth - when true and the header is present, the strategy trusts the upstream gateway
+      #                 and searches the directory for the user without requiring a user password.
+      # :header_name - which header/env key to read (default: "REMOTE_USER"). We will also check the
+      #                 standard Rack "HTTP_" variant automatically.
+      option :header_auth, false
+      option :header_name, "REMOTE_USER"
 
       def request_phase
-        OmniAuth::LDAP::Adaptor.validate @options
-        f = OmniAuth::Form.new(:title => (options[:title] || "LDAP Authentication"), :url => callback_path)
-        f.text_field 'Login', 'username'
-        f.password_field 'Password', 'password'
-        f.button "Sign In"
+        # OmniAuth >= 2.0 expects the request phase to be POST-only for /auth/:provider.
+        # Some test environments (and OmniAuth itself) enforce this by returning 404 on GET.
+        if OMNIAUTH_GTE_V2 && request.get?
+          return Rack::Response.new("", 404, {"Content-Type" => "text/plain"}).finish
+        end
+
+        # Fast-path: if a trusted identity header is present, skip the login form
+        # and jump to the callback where we will complete using directory lookup.
+        if header_username
+          return Rack::Response.new([], 302, "Location" => callback_path).finish
+        end
+
+        # If credentials were POSTed directly to /auth/:provider, redirect to the callback path.
+        # This mirrors the behavior of many OmniAuth providers and allows test helpers (like
+        # OmniAuth::Test::PhonySession) to populate `env['omniauth.auth']` on the callback request.
+        if request.post? && request.params["username"].to_s != "" && request.params["password"].to_s != ""
+          return Rack::Response.new([], 302, "Location" => callback_path).finish
+        end
+
+        OmniAuth::LDAP::Adaptor.validate(@options)
+        f = OmniAuth::Form.new(title: options[:title] || "LDAP Authentication", url: callback_path)
+        f.text_field("Login", "username")
+        f.password_field("Password", "password")
+        f.button("Sign In")
         f.to_response
       end
 
       def callback_phase
-        @adaptor = OmniAuth::LDAP::Adaptor.new @options
+        @adaptor = OmniAuth::LDAP::Adaptor.new(@options)
+
+        return fail!(:invalid_request_method) unless valid_request_method?
+
+        # Header-based SSO (REMOTE_USER-style) path
+        if (hu = header_username)
+          begin
+            entry = directory_lookup(@adaptor, hu)
+            unless entry
+              return fail!(:invalid_credentials, InvalidCredentialsError.new("User not found for header #{hu}"))
+            end
+            @ldap_user_info = entry
+            @user_info = self.class.map_user(CONFIG, @ldap_user_info)
+            return super
+          rescue => e
+            return fail!(:ldap_error, e)
+          end
+        end
 
         return fail!(:missing_credentials) if missing_credentials?
         begin
-          @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
-          return fail!(:invalid_credentials) if !@ldap_user_info
+          @ldap_user_info = @adaptor.bind_as(filter: filter(@adaptor), size: 1, password: request.params["password"])
+
+          unless @ldap_user_info
+            return fail!(:invalid_credentials, InvalidCredentialsError.new("Invalid credentials for #{request.params["username"]}"))
+          end
 
-          @user_info = self.class.map_user(@@config, @ldap_user_info)
+          @user_info = self.class.map_user(CONFIG, @ldap_user_info)
           super
-        rescue Exception => e
-          return fail!(:ldap_error, e)
+        rescue => e
+          fail!(:ldap_error, e)
         end
       end
 
-      def filter adaptor
-        if adaptor.filter and !adaptor.filter.empty?
-          Net::LDAP::Filter.construct(adaptor.filter % {username: @options[:name_proc].call(request['username'])})
+      def filter(adaptor, username_override = nil)
+        if adaptor.filter && !adaptor.filter.empty?
+          username = Net::LDAP::Filter.escape(@options[:name_proc].call(username_override || request.params["username"]))
+          Net::LDAP::Filter.construct(adaptor.filter % {username: username})
         else
-          Net::LDAP::Filter.eq(adaptor.uid, @options[:name_proc].call(request['username']))
+          Net::LDAP::Filter.equals(adaptor.uid, @options[:name_proc].call(username_override || request.params["username"]))
         end
       end
 
@@ -64,38 +126,82 @@ module OmniAuth
         @user_info
       }
       extra {
-        { :raw_info => @ldap_user_info }
+        {raw_info: @ldap_user_info}
       }
 
-      def self.map_user(mapper, object)
-        user = {}
-        mapper.each do |key, value|
-          case value
-          when String
-            user[key] = object[value.downcase.to_sym].first if object.respond_to? value.downcase.to_sym
-          when Array
-            value.each {|v| (user[key] = object[v.downcase.to_sym].first; break;) if object.respond_to? v.downcase.to_sym}
-          when Hash
-            value.map do |key1, value1|
-              pattern = key1.dup
-              value1.each_with_index do |v,i|
-                part = ''; v.collect(&:downcase).collect(&:to_sym).each {|v1| (part = object[v1].first; break;) if object.respond_to? v1}
-                pattern.gsub!("%#{i}",part||'')
+      class << self
+        def map_user(mapper, object)
+          user = {}
+          mapper.each do |key, value|
+            case value
+            when String
+              user[key] = object[value.downcase.to_sym].first if object.respond_to?(value.downcase.to_sym)
+            when Array
+              value.each do |v|
+                if object.respond_to?(v.downcase.to_sym)
+                  user[key] = object[v.downcase.to_sym].first
+                  break
+                end
+              end
+            when Hash
+              value.map do |key1, value1|
+                pattern = key1.dup
+                value1.each_with_index do |v, i|
+                  part = ""
+                  v.collect(&:downcase).collect(&:to_sym).each do |v1|
+                    if object.respond_to?(v1)
+                      part = object[v1].first
+                      break
+                    end
+                  end
+                  pattern.gsub!("%#{i}", part || "")
+                end
+                user[key] = pattern
               end
-              user[key] = pattern
+            else
+              # unknown mapping type; ignore
             end
           end
+          user
         end
-        user
       end
 
       protected
 
+      def valid_request_method?
+        request.env["REQUEST_METHOD"] == "POST"
+      end
+
       def missing_credentials?
-        request['username'].nil? or request['username'].empty? or request['password'].nil? or request['password'].empty?
+        request.params["username"].nil? || request.params["username"].empty? || request.params["password"].nil? || request.params["password"].empty?
       end # missing_credentials?
+
+      # Extract a normalized username from a trusted header when enabled.
+      # Returns nil when not configured or not present.
+      def header_username
+        return unless options[:header_auth]
+
+        name = options[:header_name] || "REMOTE_USER"
+        # Try both the raw env var (e.g., REMOTE_USER) and the Rack HTTP_ variant (e.g., HTTP_REMOTE_USER or HTTP_X_REMOTE_USER)
+        raw = request.env[name] || request.env["HTTP_#{name.upcase.tr("-", "_")}"]
+        return if raw.nil? || raw.to_s.strip.empty?
+
+        options[:name_proc].call(raw.to_s)
+      end
+
+      # Perform a directory lookup for the given username using the strategy configuration
+      # (bind_dn/password or anonymous). Does not attempt to bind as the user.
+      def directory_lookup(adaptor, username)
+        entry = nil
+        filter = filter(adaptor, username)
+        adaptor.connection.open do |conn|
+          rs = conn.search(filter: filter, size: 1)
+          entry = rs.first if rs && rs.first
+        end
+        entry
+      end
     end
   end
 end
 
-OmniAuth.config.add_camelization 'ldap', 'LDAP'
+OmniAuth.config.add_camelization("ldap", "LDAP")

data/lib/omniauth-ldap/adaptor.rb

@@ -1,10 +1,13 @@
-#this code borrowed pieces from activeldap and net-ldap
+# frozen_string_literal: true
+
+# this code borrowed pieces from activeldap and net-ldap
+
+# External Gems
+require "net/ldap"
+require "net/ntlm"
+require "rack"
+require "sasl"
 
-require 'rack'
-require 'net/ldap'
-require 'net/ntlm'
-require 'sasl'
-require 'kconv'
 module OmniAuth
   module LDAP
     class Adaptor
@@ -13,31 +16,64 @@ module OmniAuth
       class AuthenticationError < StandardError; end
       class ConnectionError < StandardError; end
 
-      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter]
+      VALID_ADAPTER_CONFIGURATION_KEYS = [
+        :hosts,
+        :host,
+        :port,
+        :encryption,
+        :disable_verify_certificates,
+        :bind_dn,
+        :password,
+        :try_sasl,
+        :sasl_mechanisms,
+        :uid,
+        :base,
+        :allow_anonymous,
+        :filter,
+        :tls_options,
+
+        # Deprecated
+        :method,
+        :ca_file,
+        :ssl_version,
+      ]
 
       # A list of needed keys. Possible alternatives are specified using sub-lists.
-      MUST_HAVE_KEYS = [:host, :port, :method, [:uid, :filter], :base]
+      MUST_HAVE_KEYS = [
+        :base,
+        [:encryption, :method], # :method is deprecated
+        [:hosts, :host],
+        [:hosts, :port],
+        [:uid, :filter],
+      ]
 
-      METHOD = {
-        :ssl => :simple_tls,
-        :tls => :start_tls,
-        :plain => nil,
+      ENCRYPTION_METHOD = {
+        simple_tls: :simple_tls,
+        start_tls: :start_tls,
+        plain: nil,
+
+        # Deprecated. This mapping aimed to be user-friendly, but only caused
+        # confusion. Better to pass through the actual `Net::LDAP` encryption type.
+        ssl: :simple_tls,
+        tls: :start_tls,
       }
 
       attr_accessor :bind_dn, :password
       attr_reader :connection, :uid, :base, :auth, :filter
-      def self.validate(configuration={})
+
+      def self.validate(configuration = {})
         message = []
         MUST_HAVE_KEYS.each do |names|
           names = [names].flatten
-          missing_keys = names.select{|name| configuration[name].nil?}
+          missing_keys = names.select { |name| configuration[name].nil? }
           if missing_keys == names
-            message << names.join(' or ')
+            message << names.join(" or ")
           end
         end
-        raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+        raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
       end
-      def initialize(configuration={})
+
+      def initialize(configuration = {})
         Adaptor.validate(configuration)
         @configuration = configuration.dup
         @configuration[:allow_anonymous] ||= false
@@ -45,23 +81,27 @@ module OmniAuth
         VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
           instance_variable_set("@#{name}", @configuration[name])
         end
-        method = ensure_method(@method)
         config = {
-          :host => @host,
-          :port => @port,
-          :base => @base
+          base: @base,
+          hosts: @hosts,
+          host: @host,
+          port: @port,
+          encryption: encryption_options,
         }
-        @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
-
+        @bind_method = if @try_sasl
+          :sasl
+        else
+          ((@allow_anonymous || !@bind_dn || !@password) ? :anonymous : :simple)
+        end
 
-        @auth = sasl_auths({:username => @bind_dn, :password => @password}).first if @bind_method == :sasl
-        @auth ||= { :method => @bind_method,
-                    :username => @bind_dn,
-                    :password => @password
-                  }
+        @auth = sasl_auths({username: @bind_dn, password: @password}).first if @bind_method == :sasl
+        @auth ||= {
+          method: @bind_method,
+          username: @bind_dn,
+          password: @password,
+        }
         config[:auth] = @auth
         @connection = Net::LDAP.new(config)
-        @connection.encryption(method)
       end
 
       #:base => "dc=yourcompany, dc=com",
@@ -70,16 +110,19 @@ module OmniAuth
       def bind_as(args = {})
         result = false
         @connection.open do |me|
-          rs = me.search args
+          rs = me.search(args)
           if rs and rs.first and dn = rs.first.dn
             password = args[:password]
             method = args[:method] || @method
             password = password.call if password.respond_to?(:call)
-            if method == 'sasl'
-            result = rs.first if me.bind(sasl_auths({:username => dn, :password => password}).first)
-            else
-            result = rs.first if me.bind(:method => :simple, :username => dn,
-                                :password => password)
+            if method == "sasl"
+              result = rs.first if me.bind(sasl_auths({username: dn, password: password}).first)
+            elsif me.bind(
+              method: :simple,
+              username: dn,
+              password: password,
+            )
+              result = rs.first
             end
           end
         end
@@ -87,29 +130,64 @@ module OmniAuth
       end
 
       private
-      def ensure_method(method)
-          method ||= "plain"
-          normalized_method = method.to_s.downcase.to_sym
-          return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
 
-          available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+      def encryption_options
+        translated_method = translate_method
+        return unless translated_method
+
+        {
+          method: translated_method,
+          tls_options: tls_options(translated_method),
+        }
+      end
+
+      def translate_method
+        method = @encryption || @method
+        method ||= "plain"
+        normalized_method = method.to_s.downcase.to_sym
+
+        unless ENCRYPTION_METHOD.has_key?(normalized_method)
+          available_methods = ENCRYPTION_METHOD.keys.collect { |m| m.inspect }.join(", ")
           format = "%s is not one of the available connect methods: %s"
           raise ConfigurationError, format % [method.inspect, available_methods]
+        end
+
+        ENCRYPTION_METHOD[normalized_method]
+      end
+
+      def tls_options(translated_method)
+        return {} if translated_method.nil? # (plain)
+
+        options = default_options
+
+        if @tls_options
+          # Prevent blank config values from overwriting SSL defaults
+          configured_options = sanitize_hash_values(@tls_options)
+          configured_options = symbolize_hash_keys(configured_options)
+
+          options.merge!(configured_options)
+        end
+
+        # Retain backward compatibility until deprecated configs are removed.
+        options[:ca_file] = @ca_file if @ca_file
+        options[:ssl_version] = @ssl_version if @ssl_version
+
+        options
       end
 
-      def sasl_auths(options={})
+      def sasl_auths(options = {})
         auths = []
         sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
         sasl_mechanisms.each do |mechanism|
-          normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+          normalized_mechanism = mechanism.downcase.tr("-", "_")
           sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
           next unless respond_to?(sasl_bind_setup, true)
           initial_credential, challenge_response = send(sasl_bind_setup, options)
           auths << {
-            :method => :sasl,
-            :initial_credential => initial_credential,
-            :mechanism => mechanism,
-            :challenge_response => challenge_response
+            method: :sasl,
+            initial_credential: initial_credential,
+            mechanism: mechanism,
+            challenge_response: challenge_response,
           }
         end
         auths
@@ -118,8 +196,8 @@ module OmniAuth
       def sasl_bind_setup_digest_md5(options)
         bind_dn = options[:username]
         initial_credential = ""
-        challenge_response = Proc.new do |cred|
-          pref = SASL::Preferences.new :digest_uri => "ldap/#{@host}", :username => bind_dn, :has_password? => true, :password => options[:password]
+        challenge_response = proc do |cred|
+          pref = SASL::Preferences.new(digest_uri: "ldap/#{@host}", username: bind_dn, has_password?: true, password: options[:password])
           sasl = SASL.new("DIGEST-MD5", pref)
           response = sasl.receive("challenge", cred)
           response[1]
@@ -130,18 +208,48 @@ module OmniAuth
       def sasl_bind_setup_gss_spnego(options)
         bind_dn = options[:username]
         psw = options[:password]
-        raise LdapError.new( "invalid binding information" ) unless (bind_dn && psw)
+        raise LdapError.new("invalid binding information") unless bind_dn && psw
 
-        nego = proc {|challenge|
-          t2_msg = Net::NTLM::Message.parse( challenge )
-          bind_dn, domain = bind_dn.split('\\').reverse
-          t2_msg.target_name = Net::NTLM::encode_utf16le(domain) if domain
-          t3_msg = t2_msg.response( {:user => bind_dn, :password => psw}, {:ntlmv2 => true} )
+        nego = proc { |challenge|
+          t2_msg = Net::NTLM::Message.parse(challenge)
+          bind_dn, domain = bind_dn.split("\\").reverse
+          t2_msg.target_name = Net::NTLM.encode_utf16le(domain) if domain
+          t3_msg = t2_msg.response({user: bind_dn, password: psw}, {ntlmv2: true})
           t3_msg.serialize
         }
         [Net::NTLM::Message::Type1.new.serialize, nego]
       end
 
+      private
+
+      def default_options
+        if @disable_verify_certificates
+          # It is important to explicitly set verify_mode for two reasons:
+          # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+          # 2. The net-ldap gem implementation verifies the certificate hostname
+          #    unless verify_mode is set to VERIFY_NONE.
+          {verify_mode: OpenSSL::SSL::VERIFY_NONE}
+        else
+          OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+        end
+      end
+
+      # Removes keys that have blank values
+      #
+      # This gem may not always be in the context of Rails so we
+      # do this rather than `.blank?`.
+      def sanitize_hash_values(hash)
+        hash.delete_if do |_, value|
+          value.nil? ||
+            (value.is_a?(String) && value !~ /\S/)
+        end
+      end
+
+      def symbolize_hash_keys(hash)
+        hash.each_with_object({}) do |(key, value), result|
+          result[key.to_sym] = value
+        end
+      end
     end
   end
 end

data/lib/omniauth-ldap/version.rb

@@ -1,5 +1,8 @@
 module OmniAuth
   module LDAP
-    VERSION = "2.0.0"
+    module Version
+      VERSION = "2.3.1"
+    end
+    VERSION = Version::VERSION # Make VERSION available in traditional way
   end
 end