omniauth-ldap 2.0.0 → 2.3.2

data/RUBOCOP.md

@@ -0,0 +1,71 @@
+# RuboCop Usage Guide
+
+## Overview
+
+A tale of two RuboCop plugin gems.
+
+### RuboCop Gradual
+
+This project uses `rubocop_gradual` instead of vanilla RuboCop for code style checking. The `rubocop_gradual` tool allows for gradual adoption of RuboCop rules by tracking violations in a lock file.
+
+### RuboCop LTS
+
+This project uses `rubocop-lts` to ensure, on a best-effort basis, compatibility with Ruby >= 1.9.2.
+RuboCop rules are meticulously configured by the `rubocop-lts` family of gems to ensure that a project is compatible with a specific version of Ruby. See: https://rubocop-lts.gitlab.io for more.
+
+## Checking RuboCop Violations
+
+To check for RuboCop violations in this project, always use:
+
+```bash
+bundle exec rake rubocop_gradual:check
+```
+
+**Do not use** the standard RuboCop commands like:
+- `bundle exec rubocop`
+- `rubocop`
+
+## Understanding the Lock File
+
+The `.rubocop_gradual.lock` file tracks all current RuboCop violations in the project. This allows the team to:
+
+1. Prevent new violations while gradually fixing existing ones
+2. Track progress on code style improvements
+3. Ensure CI builds don't fail due to pre-existing violations
+
+## Common Commands
+
+- **Check violations**
+    - `bundle exec rake rubocop_gradual`
+    - `bundle exec rake rubocop_gradual:check`
+- **(Safe) Autocorrect violations, and update lockfile if no new violations**
+  - `bundle exec rake rubocop_gradual:autocorrect`
+- **Force update the lock file (w/o autocorrect) to match violations present in code**
+  - `bundle exec rake rubocop_gradual:force_update`
+
+## Workflow
+
+1. Before submitting a PR, run `bundle exec rake rubocop_gradual:autocorrect`
+   a. or just the default `bundle exec rake`, as autocorrection is a pre-requisite of the default task.
+2. If there are new violations, either:
+   - Fix them in your code
+   - Run `bundle exec rake rubocop_gradual:force_update` to update the lock file (only for violations you can't fix immediately)
+3. Commit the updated `.rubocop_gradual.lock` file along with your changes
+
+## Never add inline RuboCop disables
+
+Do not add inline `rubocop:disable` / `rubocop:enable` comments anywhere in the codebase (including specs, except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). We handle exceptions in two supported ways:
+
+- Permanent/structural exceptions: prefer adjusting the RuboCop configuration (e.g., in `.rubocop.yml`) to exclude a rule for a path or file pattern when it makes sense project-wide.
+- Temporary exceptions while improving code: record the current violations in `.rubocop_gradual.lock` via the gradual workflow:
+  - `bundle exec rake rubocop_gradual:autocorrect` (preferred; will autocorrect what it can and update the lock only if no new violations were introduced)
+  - If needed, `bundle exec rake rubocop_gradual:force_update` (as a last resort when you cannot fix the newly reported violations immediately)
+
+In general, treat the rules as guidance to follow; fix violations rather than ignore them. For example, RSpec conventions in this project expect `described_class` to be used in specs that target a specific class under test.
+
+## Benefits of rubocop_gradual
+
+- Allows incremental adoption of code style rules
+- Prevents CI failures due to pre-existing violations
+- Provides a clear record of code style debt
+- Enables focused efforts on improving code quality over time

data/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version  | Supported |
+|----------|-----------|
+| 1.latest | ✅         |
+
+## Security contact information
+
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## Additional Support
+
+If you are interested in support for versions older than the latest release,
+please consider sponsoring the project / maintainer @ https://liberapay.com/pboling/donate,
+or find other sponsorship links in the [README].
+
+[README]: README.md

data/lib/omniauth/strategies/ldap.rb

@@ -1,59 +1,130 @@
-require 'omniauth'
+require "omniauth"
+require "omniauth/version"
 
 module OmniAuth
   module Strategies
     class LDAP
+      OMNIAUTH_GTE_V2 = Gem::Version.new(OmniAuth::VERSION) >= Gem::Version.new("2.0.0")
       include OmniAuth::Strategy
-      @@config = {
-        'name' => 'cn',
-        'first_name' => 'givenName',
-        'last_name' => 'sn',
-        'email' => ['mail', "email", 'userPrincipalName'],
-        'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
-        'mobile' => ['mobile', 'mobileTelephoneNumber'],
-        'nickname' => ['uid', 'userid', 'sAMAccountName'],
-        'title' => 'title',
-        'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
-        'uid' => 'dn',
-        'url' => ['wwwhomepage'],
-        'image' => 'jpegPhoto',
-        'description' => 'description'
+
+      InvalidCredentialsError = Class.new(StandardError)
+
+      option :mapping, {
+        "name" => "cn",
+        "first_name" => "givenName",
+        "last_name" => "sn",
+        "email" => ["mail", "email", "userPrincipalName"],
+        "phone" => ["telephoneNumber", "homePhone", "facsimileTelephoneNumber"],
+        "mobile" => ["mobile", "mobileTelephoneNumber"],
+        "nickname" => ["uid", "userid", "sAMAccountName"],
+        "title" => "title",
+        "location" => {"%0, %1, %2, %3 %4" => [["address", "postalAddress", "homePostalAddress", "street", "streetAddress"], ["l"], ["st"], ["co"], ["postOfficeBox"]]},
+        "uid" => "dn",
+        "url" => ["wwwhomepage"],
+        "image" => "jpegPhoto",
+        "description" => "description",
       }
-      option :title, "LDAP Authentication" #default title for authentication form
+      option :title, "LDAP Authentication" # default title for authentication form
+      # For OmniAuth >= 2.0 the default allowed request method is POST only.
+      # Ensure the strategy follows that default so GET /auth/:provider returns 404 as expected in tests.
+      if OMNIAUTH_GTE_V2
+        option(:request_methods, [:post])
+      else
+        option(:request_methods, [:get, :post])
+      end
       option :port, 389
       option :method, :plain
-      option :uid, 'sAMAccountName'
-      option :name_proc, lambda {|n| n}
+      option :disable_verify_certificates, false
+      option :ca_file, nil
+      option :ssl_version, nil # use OpenSSL default if nil
+      option :uid, "sAMAccountName"
+      option :name_proc, lambda { |n| n }
+      # Trusted header SSO support (disabled by default)
+      # :header_auth - when true and the header is present, the strategy trusts the upstream gateway
+      #                 and searches the directory for the user without requiring a user password.
+      # :header_name - which header/env key to read (default: "REMOTE_USER"). We will also check the
+      #                 standard Rack "HTTP_" variant automatically.
+      option :header_auth, false
+      option :header_name, "REMOTE_USER"
+      # Optional timeouts (forwarded to Net::LDAP when supported)
+      option :connect_timeout, nil
+      option :read_timeout, nil
 
       def request_phase
-        OmniAuth::LDAP::Adaptor.validate @options
-        f = OmniAuth::Form.new(:title => (options[:title] || "LDAP Authentication"), :url => callback_path)
-        f.text_field 'Login', 'username'
-        f.password_field 'Password', 'password'
-        f.button "Sign In"
+        # OmniAuth >= 2.0 expects the request phase to be POST-only for /auth/:provider.
+        # Some test environments (and OmniAuth itself) enforce this by returning 404 on GET.
+        if OMNIAUTH_GTE_V2 && request.get?
+          return Rack::Response.new("", 404, {"Content-Type" => "text/plain"}).finish
+        end
+
+        # Fast-path: if a trusted identity header is present, skip the login form
+        # and jump to the callback where we will complete using directory lookup.
+        if header_username
+          return Rack::Response.new([], 302, "Location" => callback_url).finish
+        end
+
+        # If credentials were POSTed directly to /auth/:provider, redirect to the callback path.
+        # This mirrors the behavior of many OmniAuth providers and allows test helpers (like
+        # OmniAuth::Test::PhonySession) to populate `env['omniauth.auth']` on the callback request.
+        if request.post? && request_data["username"].to_s != "" && request_data["password"].to_s != ""
+          return Rack::Response.new([], 302, "Location" => callback_url).finish
+        end
+
+        OmniAuth::LDAP::Adaptor.validate(@options)
+        f = OmniAuth::Form.new(title: options[:title] || "LDAP Authentication", url: callback_url)
+        f.text_field("Login", "username")
+        f.password_field("Password", "password")
+        f.button("Sign In")
         f.to_response
       end
 
       def callback_phase
-        @adaptor = OmniAuth::LDAP::Adaptor.new @options
+        @adaptor = OmniAuth::LDAP::Adaptor.new(@options)
+
+        return fail!(:invalid_request_method) unless valid_request_method?
+
+        # Header-based SSO (REMOTE_USER-style) path
+        if (hu = header_username)
+          begin
+            entry = directory_lookup(@adaptor, hu)
+            unless entry
+              return fail!(:invalid_credentials, InvalidCredentialsError.new("User not found for header #{hu}"))
+            end
+            @ldap_user_info = entry
+            @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
+            return super
+          rescue => e
+            return fail!(:ldap_error, e)
+          end
+        end
 
         return fail!(:missing_credentials) if missing_credentials?
         begin
-          @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
-          return fail!(:invalid_credentials) if !@ldap_user_info
+          @ldap_user_info = @adaptor.bind_as(filter: filter(@adaptor), size: 1, password: request_data["password"])
+
+          unless @ldap_user_info
+            # Attach password policy info to env if available (best-effort)
+            attach_password_policy_env(@adaptor)
+            return fail!(:invalid_credentials, InvalidCredentialsError.new("Invalid credentials for #{request_data["username"]}"))
+          end
 
-          @user_info = self.class.map_user(@@config, @ldap_user_info)
+          # Optionally attach policy info even on success (e.g., timeBeforeExpiration)
+          attach_password_policy_env(@adaptor)
+
+          @user_info = self.class.map_user(@options[:mapping], @ldap_user_info)
           super
-        rescue Exception => e
-          return fail!(:ldap_error, e)
+        rescue => e
+          fail!(:ldap_error, e)
         end
       end
 
-      def filter adaptor
-        if adaptor.filter and !adaptor.filter.empty?
-          Net::LDAP::Filter.construct(adaptor.filter % {username: @options[:name_proc].call(request['username'])})
+      def filter(adaptor, username_override = nil)
+        flt = adaptor.filter
+        if flt && !flt.to_s.empty?
+          username = Net::LDAP::Filter.escape(@options[:name_proc].call(username_override || request_data["username"]))
+          Net::LDAP::Filter.construct(flt % {username: username})
         else
-          Net::LDAP::Filter.eq(adaptor.uid, @options[:name_proc].call(request['username']))
+          Net::LDAP::Filter.equals(adaptor.uid, @options[:name_proc].call(username_override || request_data["username"]))
         end
       end
 
@@ -64,38 +135,127 @@ module OmniAuth
         @user_info
       }
       extra {
-        { :raw_info => @ldap_user_info }
+        {raw_info: @ldap_user_info}
       }
 
-      def self.map_user(mapper, object)
-        user = {}
-        mapper.each do |key, value|
-          case value
-          when String
-            user[key] = object[value.downcase.to_sym].first if object.respond_to? value.downcase.to_sym
-          when Array
-            value.each {|v| (user[key] = object[v.downcase.to_sym].first; break;) if object.respond_to? v.downcase.to_sym}
-          when Hash
-            value.map do |key1, value1|
-              pattern = key1.dup
-              value1.each_with_index do |v,i|
-                part = ''; v.collect(&:downcase).collect(&:to_sym).each {|v1| (part = object[v1].first; break;) if object.respond_to? v1}
-                pattern.gsub!("%#{i}",part||'')
+      class << self
+        def map_user(mapper, object)
+          user = {}
+          mapper.each do |key, value|
+            case value
+            when String
+              user[key] = object[value.downcase.to_sym].first if object.respond_to?(value.downcase.to_sym)
+            when Array
+              value.each do |v|
+                if object.respond_to?(v.downcase.to_sym)
+                  user[key] = object[v.downcase.to_sym].first
+                  break
+                end
+              end
+            when Hash
+              value.map do |key1, value1|
+                pattern = key1.dup
+                value1.each_with_index do |v, i|
+                  part = ""
+                  v.collect(&:downcase).collect(&:to_sym).each do |v1|
+                    if object.respond_to?(v1)
+                      part = object[v1].first
+                      break
+                    end
+                  end
+                  pattern.gsub!("%#{i}", part || "")
+                end
+                user[key] = pattern
               end
-              user[key] = pattern
+            else
+              # unknown mapping type; ignore
             end
           end
+          user
         end
-        user
       end
 
       protected
 
+      def valid_request_method?
+        request.env["REQUEST_METHOD"] == "POST"
+      end
+
       def missing_credentials?
-        request['username'].nil? or request['username'].empty? or request['password'].nil? or request['password'].empty?
-      end # missing_credentials?
+        request_data["username"].nil? || request_data["username"].empty? || request_data["password"].nil? || request_data["password"].empty?
+      end
+
+      def request_data
+        @env["action_dispatch.request.request_parameters"] || request.params
+      end
+
+      # Extract a normalized username from a trusted header when enabled.
+      # Returns nil when not configured or not present.
+      def header_username
+        return unless options[:header_auth]
+
+        name = options[:header_name] || "REMOTE_USER"
+        # Try both the raw env var (e.g., REMOTE_USER) and the Rack HTTP_ variant (e.g., HTTP_REMOTE_USER or HTTP_X_REMOTE_USER)
+        raw = request.env[name] || request.env["HTTP_#{name.upcase.tr("-", "_")}"]
+        return if raw.nil? || raw.to_s.strip.empty?
+
+        options[:name_proc].call(raw.to_s)
+      end
+
+      # Perform a directory lookup for the given username using the strategy configuration
+      # (bind_dn/password or anonymous). Does not attempt to bind as the user.
+      def directory_lookup(adaptor, username)
+        entry = nil
+        search_filter = filter(adaptor, username)
+        adaptor.connection.open do |conn|
+          rs = conn.search(filter: search_filter, size: 1)
+          entry = rs && rs.first
+        end
+        entry
+      end
+
+      # If the adaptor captured a Password Policy response control, expose a minimal, stable hash
+      # in the Rack env for applications to inspect.
+      def attach_password_policy_env(adaptor)
+        return unless adaptor.respond_to?(:password_policy) && adaptor.password_policy
+        ctrl = adaptor.respond_to?(:last_password_policy_response) ? adaptor.last_password_policy_response : nil
+        op = adaptor.respond_to?(:last_operation_result) ? adaptor.last_operation_result : nil
+        return unless ctrl || op
+
+        request.env["omniauth.ldap.password_policy"] = extract_password_policy(ctrl, op)
+      end
+
+      # Best-effort extraction across net-ldap versions; if fields are not available, returns a raw payload.
+      def extract_password_policy(control, operation)
+        data = {raw: control}
+        if control
+          # Prefer named readers if present
+          if control.respond_to?(:error)
+            data[:error] = control.public_send(:error)
+          elsif control.respond_to?(:ppolicy_error)
+            data[:error] = control.public_send(:ppolicy_error)
+          end
+          if control.respond_to?(:time_before_expiration)
+            data[:time_before_expiration] = control.public_send(:time_before_expiration)
+          end
+          if control.respond_to?(:grace_authns_remaining)
+            data[:grace_authns_remaining] = control.public_send(:grace_authns_remaining)
+          elsif control.respond_to?(:grace_logins_remaining)
+            data[:grace_authns_remaining] = control.public_send(:grace_logins_remaining)
+          end
+          if control.respond_to?(:oid)
+            data[:oid] = control.public_send(:oid)
+          end
+        end
+        if operation
+          code = operation.respond_to?(:code) ? operation.code : nil
+          message = operation.respond_to?(:message) ? operation.message : nil
+          data[:operation] = {code: code, message: message}
+        end
+        data
+      end
     end
   end
 end
 
-OmniAuth.config.add_camelization 'ldap', 'LDAP'
+OmniAuth.config.add_camelization("ldap", "LDAP")