omniauth-ldap 2.3.4 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cfb42b529db19042a0140d9bdb39698b177710df48bc80eb9c1470bfebda0ae2
-  data.tar.gz: 411ba1e8817fc5814c248cbf096471ebe2f4a013a69dff3b6771143526a73f8b
+  metadata.gz: 1d35c59d3cac9dfc1276e32d05fca52c05aa3d4d2be2f89d4520f2ec980114f5
+  data.tar.gz: e7fb5be1483678069eca5c5be9d7f62c75fa3fe85dd0dd10f22c56e3e67818d3
 SHA512:
-  metadata.gz: e5cd173bb9dd917627ba9d96d3fe3a5e713bb74e3623d8ab1247fe71da0243e0e66658f64dd356247e060fbddda4a9031e76242dd8b0ea0575d9233bfcee1b0d
-  data.tar.gz: 70d8dd160e9793037bb4564cde716dfc8cd98c3805b73c65f49c5ecd2383b13c920828affab59e458b224b8f1eebfd4a127d9bd06a55d967e1d397f21f01a1da
+  metadata.gz: 87d6203baa343ba839702afb07c78f4ec538e0d0fad85dd13715392648de07a796d917792d4b24792585ad28bdbab75a166e0aaacec01c99b513ffdc22666db6
+  data.tar.gz: 3e36b569abad7ee13cde1a4e0fa8437e700a1f30a826eb455ff3c4cf024b620db72c79896ae80ab8351afa5756c59777012658777f41f4e535d4e12c9704617a

data/CHANGELOG.md

@@ -2,9 +2,7 @@
 
 [![SemVer 2.0.0][📌semver-img]][📌semver] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog]
 
-Since version v2.3.1, all notable changes to this project will be documented in this file.
-
-This changelog lists the releases of the original omniauth-ldap, and the GitLab forked versions, up until v2.3.0.
+All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog][📗keep-changelog],
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
@@ -32,6 +30,56 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [3.0.1] - 2026-06-16
+
+- TAG: [v3.0.1][3.0.1t]
+- COVERAGE: 97.53% -- 316/324 lines in 6 files
+- BRANCH COVERAGE: 79.41% -- 108/136 branches in 6 files
+- 89.19% documented
+
+### Changed
+
+- Retemplated generated project metadata, support documentation, CI workflows,
+  binstubs, and development dependency floors with the current `kettle-jem`
+  template.
+- Raised the `auth-sanitizer` runtime dependency floor to `>= 0.2.1`, so
+  OmniAuth LDAP consumers get hash and nested-attribute inspect redaction fixes
+  plus downstream RBS duplicate-declaration fixes.
+
+### Fixed
+
+- Restored `docs/CNAME` so the generated documentation site keeps its custom domain.
+
+- Route unsafe trusted-header authentication configuration errors through
+  OmniAuth's failure flow consistently across supported OmniAuth versions.
+
+### Security
+
+- Hardened `OmniAuth::LDAP::Adaptor#inspect` redaction so LDAP bind passwords
+  and TLS private key values are filtered anywhere they appear in nested
+  connection/configuration output.
+
+## [3.0.0] - 2026-05-21
+
+- TAG: [v3.0.0][3.0.0t]
+- COVERAGE: 97.52% -- 315/323 lines in 6 files
+- BRANCH COVERAGE: 79.41% -- 108/136 branches in 6 files
+- 94.59% documented
+
+### Added
+
+- Add `auth-sanitizer` runtime dependency to redact sensitive LDAP adaptor inspection output without defining top-level `Auth` or `AuthSanitizer`
+
+### Changed
+
+- Minimum supported Ruby version is now 2.2.0
+
+### Removed
+
+- Remove deprecated (since `v2.1.0-gl` in 2018) top-level `:ca_file` and `:ssl_version` LDAP configuration options; use `:tls_options` instead
+- Remove adaptor backward-compatibility that translated top-level `:ca_file` and `:ssl_version` into TLS options
+- Remove deprecated direct-option specs for top-level `:ca_file` and `:ssl_version`
+
 ## [2.3.4] - 2026-05-18
 
 - TAG: [v2.3.4][2.3.4t]
@@ -265,7 +313,11 @@ Please file a bug if you notice a violation of semantic versioning.
 [1.0.0]: https://github.com/omniauth/omniauth-ldap/compare/5656da80d4193e0d0584f44bac493a87695e580f...v1.0.0
 [1.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v1.0.0
 
-[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.4...HEAD
+[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v3.0.1...HEAD
+[3.0.1]: https://github.com/omniauth/omniauth-ldap/compare/v3.0.0...v3.0.1
+[3.0.1t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v3.0.1
+[3.0.0]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.4...v3.0.0
+[3.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v3.0.0
 [2.3.4]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...v2.3.4
 [2.3.4t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.4
 [2.3.3]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...v2.3.3

data/CITATION.cff

@@ -1,19 +1,19 @@
 cff-version: 1.2.0
-title: omniauth-ldap
+title: "omniauth-ldap"
 message: >-
   If you use this work and you want to cite it,
   then you can use the metadata from this file.
 type: software
 authors:
-  - given-names: Peter Hurn
-    family-names: Boling
-    email: peter@railsbling.com
-    affiliation: railsbling.com
+  - given-names: "Peter H."
+    family-names: "Boling"
+    email: "floss@galtzo.com"
+    affiliation: "galtzo.com"
     orcid: 'https://orcid.org/0009-0008-8519-441X'
 identifiers:
   - type: url
     value: 'https://github.com/omniauth/omniauth-ldap'
-    description: omniauth-ldap
+    description: "omniauth-ldap"
 repository-code: 'https://github.com/omniauth/omniauth-ldap'
 abstract: >-
   omniauth-ldap

data/CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing
 
-Bug reports and pull requests are welcome on [GitHub][📜src-gh].
+Bug reports and pull requests are welcome on [CodeBerg][📜src-cb], [GitLab][📜src-gl], or [GitHub][📜src-gh].
 This project should be a safe, welcoming space for collaboration, so contributors agree to adhere to
 the [code of conduct][🤝conduct].
 
@@ -8,19 +8,27 @@ To submit a patch, please fork the project, create a patch with tests, and send
 
 Remember to [![Keep A Changelog][📗keep-changelog-img]][📗keep-changelog] if you make changes.
 
+## Developer Certificate of Origin
+
+In order to protect users of this project, we require all contributors to comply with the
+[Developer Certificate of Origin](https://developercertificate.org/).
+This ensures that all contributions are properly licensed and attributed.
+
 ## Help out!
 
-Take a look at the `reek` list which is the file called `REEK` and find something to improve.
+Take a look at the open issues and pull requests, or use the gem and find something to improve.
 
 Follow these instructions:
 
-1. Fork the repository
-2. Create a feature branch (`git checkout -b my-new-feature`)
-3. Make some fixes.
-4. Commit changes (`git commit -am 'Added some feature'`)
-5. Push to the branch (`git push origin my-new-feature`)
-6. Make sure to add tests for it. This is important, so it doesn't break in a future release.
-7. Create new Pull Request.
+1. Join the Discord: [![Live Chat on Discord][✉️discord-invite-img]][✉️discord-invite]
+2. Fork the repository
+3. Create your feature branch (`git checkout -b my-new-feature`)
+4. Make some fixes.
+5. Commit your changes (`git commit -am 'Added some feature'`)
+6. Push to the branch (`git push origin my-new-feature`)
+7. Make sure to add tests for it. This is important, so it doesn't break in a future release.
+8. Create new Pull Request.
+9. Announce it in the channel for this org in the [Discord][✉️discord-invite]!
 
 ## Executables vs Rake tasks
 
@@ -42,6 +50,22 @@ There are many Rake tasks available as well. You can see them by running:
 bin/rake -T
 ```
 
+## Code quality checks
+
+Run the Reek task when you want a smell check that fails on current findings:
+
+```shell
+bin/rake reek
+```
+
+Refresh the checked-in `REEK` backlog through the rake task, not by redirecting
+the raw `reek` executable output. The rake task uses the project bundle and
+avoids stale generated binstubs shadowing the Reek gem executable:
+
+```shell
+bin/rake reek:update
+```
+
 ## Environment Variables for Local Development
 
 Below are the primary environment variables recognized by stone_checksums (and its integrated tools). Unless otherwise noted, set boolean values to the string "true" to enable.
@@ -52,7 +76,7 @@ General/runtime
 - CI: When set to true, adjusts default rake tasks toward CI behavior
 
 Coverage (kettle-soup-cover / SimpleCov)
-- K_SOUP_COV_DO: Enable coverage collection (default: true in .envrc)
+- K_SOUP_COV_DO: Enable coverage collection (default: true in `mise.toml`)
 - K_SOUP_COV_FORMATTERS: Comma-separated list of formatters (html, xml, rcov, lcov, json, tty)
 - K_SOUP_COV_MIN_LINE: Minimum line coverage threshold (integer, e.g., 100)
 - K_SOUP_COV_MIN_BRANCH: Minimum branch coverage threshold (integer, e.g., 100)
@@ -78,35 +102,60 @@ Git hooks and commit message helpers (exe/kettle-commit-msg)
 - GIT_HOOK_FOOTER_SENTINEL: Required when footer append is enabled — a unique first-line sentinel to prevent duplicates
 - GIT_HOOK_FOOTER_APPEND_DEBUG: Extra debug output in the footer template (true/false)
 
-For a quick starting point, this repository’s `.envrc` shows sane defaults, and `.env.local` can override them locally.
+Git diff driver setup
+- Local setup writes repository `.gitattributes` entries and local Git `diff.smorg-*` command config so this checkout uses StructuredMerge semantic diffs.
+- Global setup registers `diff.smorg-*` commands once in the user Git config; use it when you work across several StructuredMerge-enabled repositories.
+- Include-file setup writes `.git/smorg/config` and includes it from local Git config, keeping command registrations out of the repository files.
+- Git hosting forges generally ignore external diff drivers, so pull request views may still show raw textual diffs even when local `git diff` uses semantic drivers.
+
+```console
+K_JEM_TEMPLATING=true kettle-jem install
+```
+
+Troubleshooting Git diffs
+- Use `git diff --no-ext-diff` to compare against Git's built-in diff output.
+- Use `git diff --no-textconv` when a textconv projection obscures the raw file bytes you need to inspect.
+- If Git reports a missing `smorg-*` executable, rerun `bundle install` and the setup command above, then check `git config --local --get-regexp '^diff\.smorg-'`.
+- To remove managed local entries, run `K_JEM_TEMPLATING=true kettle-jem install --undo`; remove global command registrations with `git config --global --unset-all diff.smorg-ruby.command`.
+
+For a quick starting point, this repository’s `mise.toml` defines the shared defaults, and `.env.local` can override them locally. Copy `.env.local.example` to `.env.local`, use `KEY=value` lines, and either activate `mise` in your shell or run commands through `mise exec -C /path/to/project -- ...`.
 
 ## Appraisals
 
 From time to time the [appraisal2][🚎appraisal2] gemfiles in `gemfiles/` will need to be updated.
+Generated appraisal and CI workflow floors are controlled by `ruby.test_minimum`
+in `.structuredmerge/kettle-jem.yml`; this project was templated with `ruby.test_minimum: 2.4`.
+That value describes the lowest Ruby version expected to run the test/development
+toolchain, and it may be higher than the gemspec runtime floor.
+
 They are created and updated with the commands:
 
 ```console
 bin/rake appraisal:update
 ```
 
-When adding an appraisal to CI, check the [runner tool cache][🏃‍♂️runner-tool-cache] to see which runner to use.
+If you need to reset all gemfiles/*.gemfile.lock files:
 
-## The Reek List
+```console
+bin/rake appraisal:reset
+```
 
-Take a look at the `reek` list which is the file called `REEK` and find something to improve.
+When adding an appraisal to CI, check the [runner tool cache][🏃‍♂️runner-tool-cache] to see which runner to use.
+
+## Run Tests
 
-To refresh the `reek` list:
+Run tests via `kettle-test` (provided by `kettle-test`). It runs RSpec, writes the full log to
+`tmp/kettle-test/rspec-TIMESTAMP.log`, and prints a compact highlight block with timing, seed,
+pass/fail count, failing example list, and SimpleCov coverage percentages.
 
 ```console
-bundle exec reek > REEK
+bundle exec kettle-test
 ```
 
-## Run Tests
-
-To run all tests
+For targeted runs, disable the hard coverage threshold to avoid false failures:
 
 ```console
-bundle exec rake test
+K_SOUP_COV_MIN_HARD=false bundle exec kettle-test spec/path/to/spec.rb
 ```
 
 ### Spec organization (required)
@@ -149,6 +198,8 @@ Your picture could be here!
 
 Made with [contributors-img][🖐contrib-rocks].
 
+Also see GitLab Contributors: [https://gitlab.com/omniauth/omniauth-ldap/-/graphs/main][🚎contributors-gl]
+
 ## For Maintainers
 
 ### One-time, Per-maintainer, Setup
@@ -175,33 +226,37 @@ NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in th
 1. Run `bin/setup && bin/rake` as a "test, coverage, & linting" sanity check
 2. Update the version number in `version.rb`, and ensure `CHANGELOG.md` reflects changes
 3. Run `bin/setup && bin/rake` again as a secondary check, and to update `Gemfile.lock`
-4. Run `git commit -am "🔖 Prepare release v<VERSION>"` to commit the changes
-5. Run `git push` to trigger the final CI pipeline before release, and merge PRs
+4. Run `bin/rake yard` to regenerate the docs site using the canonical docs task
+5. Run `git commit -am "🔖 Prepare release v<VERSION>"` to commit the changes
+6. Run `git push` to trigger the final CI pipeline before release, and merge PRs
     - NOTE: Remember to [check the build][🧪build].
-6. Run `export GIT_TRUNK_BRANCH_NAME="$(git remote show origin | grep 'HEAD branch' | cut -d ' ' -f5)" && echo $GIT_TRUNK_BRANCH_NAME`
-7. Run `git checkout $GIT_TRUNK_BRANCH_NAME`
-8. Run `git pull origin $GIT_TRUNK_BRANCH_NAME` to ensure latest trunk code
-9. Optional for older Bundler (< 2.7.0): Set `SOURCE_DATE_EPOCH` so `rake build` and `rake release` use the same timestamp and generate the same checksums
+7. Run `export GIT_TRUNK_BRANCH_NAME="$(git remote show origin | grep 'HEAD branch' | cut -d ' ' -f5)" && echo $GIT_TRUNK_BRANCH_NAME`
+8. Run `git checkout $GIT_TRUNK_BRANCH_NAME`
+9. Run `git pull origin $GIT_TRUNK_BRANCH_NAME` to ensure latest trunk code
+10. Optional for older Bundler (< 2.7.0): Set `SOURCE_DATE_EPOCH` so `rake build` and `rake release` use the same timestamp and generate the same checksums
     - If your Bundler is >= 2.7.0, you can skip this; builds are reproducible by default.
     - Run `export SOURCE_DATE_EPOCH=$EPOCHSECONDS && echo $SOURCE_DATE_EPOCH`
     - If the echo above has no output, then it didn't work.
     - Note: `zsh/datetime` module is needed, if running `zsh`.
     - In older versions of `bash` you can use `date +%s` instead, i.e. `export SOURCE_DATE_EPOCH=$(date +%s) && echo $SOURCE_DATE_EPOCH`
-10. Run `bundle exec rake build`
-11. Run `bin/gem_checksums` (more context [1][🔒️rubygems-checksums-pr], [2][🔒️rubygems-guides-pr])
+11. Run `bundle exec rake build`
+12. Run `bin/gem_checksums` (more context [1][🔒️rubygems-checksums-pr], [2][🔒️rubygems-guides-pr])
     to create SHA-256 and SHA-512 checksums. This functionality is provided by the `stone_checksums`
     [gem][💎stone_checksums].
     - The script automatically commits but does not push the checksums
-12. Sanity check the SHA256, comparing with the output from the `bin/gem_checksums` command:
+13. Sanity check the SHA256, comparing with the output from the `bin/gem_checksums` command:
     - `sha256sum pkg/<gem name>-<version>.gem`
-13. Run `bundle exec rake release` which will create a git tag for the version,
+14. Run `bundle exec rake release` which will create a git tag for the version,
     push git commits and tags, and push the `.gem` file to the gem host configured in the gemspec.
 
+[📜src-gl]: https://gitlab.com/omniauth/omniauth-ldap
+[📜src-cb]: https://codeberg.org/omniauth/omniauth-ldap
 [📜src-gh]: https://github.com/omniauth/omniauth-ldap
 [🧪build]: https://github.com/omniauth/omniauth-ldap/actions
-[🤝conduct]: https://gitlab.com/omniauth/omniauth-ldap/-/blob/main/CODE_OF_CONDUCT.md
+[🤝conduct]: https://github.com/omniauth/omniauth-ldap/blob/main/CODE_OF_CONDUCT.md
 [🖐contrib-rocks]: https://contrib.rocks
 [🖐contributors]: https://github.com/omniauth/omniauth-ldap/graphs/contributors
+[🚎contributors-gl]: https://gitlab.com/omniauth/omniauth-ldap/-/graphs/main
 [🖐contributors-img]: https://contrib.rocks/image?repo=omniauth/omniauth-ldap
 [💎gem-coop]: https://gem.coop
 [🔒️rubygems-security-guide]: https://guides.rubygems.org/security/#building-gems
@@ -214,3 +269,4 @@ NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in th
 [📌major-versions-not-sacred]: https://tom.preston-werner.com/2022/05/23/major-version-numbers-are-not-sacred.html
 [🚎appraisal2]: https://github.com/appraisal-rb/appraisal2
 [🏃‍♂️runner-tool-cache]: https://github.com/ruby/ruby-builder/releases/tag/toolcache
+[✉️discord-invite]: https://discord.gg/3qme4XHNKN

data/FUNDING.md

@@ -15,7 +15,7 @@ Many paths lead to being a sponsor or a backer of this project. Are you on such
 [🖇polar-img]: https://img.shields.io/badge/polar-donate-a51611.svg?style=flat
 [🖇polar]: https://polar.sh/pboling
 [🖇kofi-img]: https://img.shields.io/badge/ko--fi-%E2%9C%93-a51611.svg?style=flat
-[🖇kofi]: https://ko-fi.com/O5O86SNP4
+[🖇kofi]: https://ko-fi.com/pboling
 [🖇patreon-img]: https://img.shields.io/badge/patreon-donate-a51611.svg?style=flat
 [🖇patreon]: https://patreon.com/galtzo
 [🖇buyme-small-img]: https://img.shields.io/badge/buy_me_a_coffee-%E2%9C%93-a51611.svg?style=flat

data/LICENSE.md

@@ -0,0 +1,33 @@
+# License
+
+This project is made available under the following license.
+Choose the option that best fits your use case:
+
+- [MIT](MIT.md)
+
+## Copyright Notice
+
+- Copyright (c) 2011 Hubert
+- Copyright (c) 2011-2013 Ping Yu
+- Copyright (c) 2012 angel brown
+- Copyright (c) 2012 Dmitriy Dzema
+- Copyright (c) 2012 Dmitriy Zaporozhets
+- Copyright (c) 2012 Pat Thoyts
+- Copyright (c) 2012 Rashit Azizbaev
+- Copyright (c) 2012 Samuel de Framond
+- Copyright (c) 2012 Terry Tai
+- Copyright (c) 2014 David Benko
+- Copyright (c) 2014 Jakub Jirutka
+- Copyright (c) 2014 Jason Hollingsworth
+- Copyright (c) 2014 Mack Talcott
+- Copyright (c) 2016-2018 Drew Blessing
+- Copyright (c) 2016 Julian Kniephoff
+- Copyright (c) 2016 Mike Tierney
+- Copyright (c) 2016 Sasha Kotlyar
+- Copyright (c) 2017 Michael Kozono
+- Copyright (c) 2017 Tiago Botelho
+- Copyright (c) 2018 tmilewski
+- Copyright (c) 2019 Drew Blessing
+- Copyright (c) 2022 Finn Bacall
+- Copyright (c) 2022 Stan Hu
+- Copyright (c) 2025-2026 Peter H. Boling