omniauth-ldap 2.3.3 → 2.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8bcc01a9129d0db019b5530a9bf5f7b5241f9eacba974d5c5585b4620a8d140b
-  data.tar.gz: 5eb2878ad0b0d471d60dfb4596baddb077cde9c26499ad1d2c3f661a96f1b242
+  metadata.gz: cfb42b529db19042a0140d9bdb39698b177710df48bc80eb9c1470bfebda0ae2
+  data.tar.gz: 411ba1e8817fc5814c248cbf096471ebe2f4a013a69dff3b6771143526a73f8b
 SHA512:
-  metadata.gz: f3d489556fa774b9865a3138dcce9f9eef4d2afedbeff2d0bdb5ce239a3b18dd430bcdf2438b77135434e511750a50236fb0e6902ad00ce16e60d1021058fb41
-  data.tar.gz: 4d544ca2868b9c0eb8d283dbc996b305bd1ca3d8070c9b5d342dc3de6d8d98206f197926da1bfd9f9b57e03728f8d96932a824b540fce3f4c66efd7e8ae08630
+  metadata.gz: e5cd173bb9dd917627ba9d96d3fe3a5e713bb74e3623d8ab1247fe71da0243e0e66658f64dd356247e060fbddda4a9031e76242dd8b0ea0575d9233bfcee1b0d
+  data.tar.gz: 70d8dd160e9793037bb4564cde716dfc8cd98c3805b73c65f49c5ecd2383b13c920828affab59e458b224b8f1eebfd4a127d9bd06a55d967e1d397f21f01a1da

data/CHANGELOG.md

@@ -32,6 +32,31 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.3.4] - 2026-05-18
+
+- TAG: [v2.3.4][2.3.4t]
+- COVERAGE: 97.44% -- 304/312 lines in 4 files
+- BRANCH COVERAGE: 79.58% -- 113/142 branches in 4 files
+- 94.44% documented
+
+### Added
+
+- Add `header_auth_source` to require explicit selection of trusted header identity source (`:env` or `:http_header`)
+- Add `header_auth_require_tls` to require TLS for trusted header SSO by default
+- Log a prominent security warning when `header_auth` is enabled
+
+### Changed
+
+- Trusted header SSO now defaults to trusting only server-set env variables and no longer checks Rack `HTTP_` header variants unless `header_auth_source: :http_header` is configured
+
+### Fixed
+
+- Fix OpenSSL 3/Ruby 4 compatibility in the TLS options adaptor spec
+
+### Security
+
+- Harden trusted header SSO against spoofing by removing automatic fallback from `REMOTE_USER` to `HTTP_REMOTE_USER`
+
 ## [2.3.3] - 2025-11-10
 
 - TAG: [v2.3.3][2.3.3t]
@@ -240,7 +265,9 @@ Please file a bug if you notice a violation of semantic versioning.
 [1.0.0]: https://github.com/omniauth/omniauth-ldap/compare/5656da80d4193e0d0584f44bac493a87695e580f...v1.0.0
 [1.0.0t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v1.0.0
 
-[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...HEAD
+[Unreleased]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.4...HEAD
+[2.3.4]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.3...v2.3.4
+[2.3.4t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.4
 [2.3.3]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.2...v2.3.3
 [2.3.3t]: https://github.com/omniauth/omniauth-ldap/releases/tag/v2.3.3
 [2.3.2]: https://github.com/omniauth/omniauth-ldap/compare/v2.3.1...v2.3.2

data/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Peter H. Boling, and omniauth-ldap contributors
+Copyright (c) 2025 - 2026 Peter H. Boling, and omniauth-ldap contributors
 Copyright (c) 2014 David Benko
 Copyright (c) 2011 by Ping Yu and Intridea, Inc.
 

data/README.md

@@ -1,32 +1,3 @@
-| 📍 NOTE                                                                                                                                                           |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| RubyGems (the [GitHub org][rubygems-org], not the website) [suffered][draper-security] a [hostile takeover][ellen-takeover] in September 2025.                    |
-| Ultimately [4 maintainers][simi-removed] were [hard removed][martin-removed] and a reason has been given for only 1 of those, while 2 others resigned in protest. |
-| It is a [complicated story][draper-takeover] which is difficult to [parse quickly][draper-lies].                                                                  |
-| I'm adding notes like this to gems because I [don't condone theft][draper-theft] of repositories or gems from their rightful owners.                              |
-| If a similar theft happened with my repos/gems, I'd hope some would stand up for me.                                                                              |
-| Disenfranchised former-maintainers have started [gem.coop][gem-coop].                                                                                             |
-| Once available I will publish there exclusively; unless RubyCentral makes amends with the community.                                                              |
-| The ["Technology for Humans: Joel Draper"][reinteractive-podcast] podcast episode by [reinteractive][reinteractive] is the most cogent summary I'm aware of.      |
-| See [here][gem-naming], [here][gem-coop] and [here][martin-ann] for more info on what comes next.                                                                 |
-| What I'm doing: A (WIP) proposal for [bundler/gem scopes][gem-scopes], and a (WIP) proposal for a federated [gem server][gem-server].                             |
-
-[rubygems-org]: https://github.com/rubygems/
-[draper-security]: https://joel.drapper.me/p/ruby-central-security-measures/
-[draper-takeover]: https://joel.drapper.me/p/ruby-central-takeover/
-[ellen-takeover]: https://pup-e.com/blog/goodbye-rubygems/
-[simi-removed]: https://www.reddit.com/r/ruby/s/gOk42POCaV
-[martin-removed]: https://bsky.app/profile/martinemde.com/post/3m3occezxxs2q
-[draper-lies]: https://joel.drapper.me/p/ruby-central-fact-check/
-[draper-theft]: https://joel.drapper.me/p/ruby-central/
-[reinteractive]: https://reinteractive.com/ruby-on-rails
-[gem-coop]: https://gem.coop
-[gem-naming]: https://github.com/gem-coop/gem.coop/issues/12
-[martin-ann]: https://martinemde.com/2025/10/05/announcing-gem-coop.html
-[gem-scopes]: https://github.com/galtzo-floss/bundle-namespace
-[gem-server]: https://github.com/galtzo-floss/gem-server
-[reinteractive-podcast]: https://youtu.be/_H4qbtC5qzU?si=BvuBU90R2wAqD2E6
-
 [![Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0][🖼️galtzo-i]][🖼️galtzo-discord] [![ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5][🖼️ruby-lang-i]][🖼️ruby-lang] [![omniauth Logo (presumed to be) by tomeara, (presumed to be) MIT License][🖼️omniauth-i]][🖼️omniauth]
 
 [🖼️galtzo-i]: https://logos.galtzo.com/assets/images/galtzo-floss/avatar-192px.svg
@@ -48,6 +19,13 @@
 
 [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate at ko-fi.com][🖇kofi-img]][🖇kofi]
 
+<details>
+    <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
+
+I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).
+
+</details>
+
 ## 🌻 Synopsis
 
 Use the LDAP strategy as a middleware in your application:
@@ -79,7 +57,9 @@ use OmniAuth::Strategies::LDAP,
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
 ```
 
-All of the listed options are required, with the exception of `:title`, `:name_proc`, `:bind_dn`, and `:password`.
+At minimum you normally configure `:host`, `:base`, and either `:uid` or `:filter`. The other options shown above customize connection behavior, TLS, username normalization, timeouts, and returned auth info.
+
+For trusted header SSO, enable `header_auth: true` and explicitly choose the trusted identity source with `header_auth_source: :env` or `header_auth_source: :http_header`. See [Trusted header SSO](#trusted-header-sso-remote_user-and-friends) for the security requirements.
 
 ### TLS certificate verification
 
@@ -228,14 +208,14 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 ### Required Options
 
 - `:host` - The hostname or IP address of the LDAP server.
-- `:port` - The port number of the LDAP server (default: 389).
-- `:method` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`).
 - `:base` - The base DN for the LDAP search.
 - `:uid` or `:filter` - Either `:uid` (the LDAP attribute for username, default: "sAMAccountName") or `:filter` (LDAP filter for searching user entries). If `:filter` is provided, `:uid` is not required. Note: This `:uid` option is the search attribute, not the top-level `auth.uid` in the OmniAuth result.
 
 ### Optional Options
 
 - `:title` - The title for the authentication form (default: "LDAP Authentication").
+- `:port` - The port number of the LDAP server (default: 389).
+- `:encryption` - The connection method. Allowed values: `:plain`, `:ssl`, `:tls` (default: `:plain`). `:method` is still accepted for compatibility, but is deprecated.
 - `:bind_dn` - The DN to bind with for searching users (required if anonymous access is not allowed).
 - `:password` - The password for the bind DN.
 - `:name_proc` - A proc to process the username before using it in the search (default: identity proc that returns the username unchanged).
@@ -249,6 +229,10 @@ The following options are available for configuring the OmniAuth LDAP strategy:
 - `:connect_timeout` - Maximum time in seconds to wait when establishing the TCP connection to the LDAP server. Forwarded to `Net::LDAP`.
 - `:read_timeout` - Maximum time in seconds to wait for reads during LDAP operations (search/bind). Forwarded to `Net::LDAP`.
 - `:mapping` - Customize how LDAP attributes map to the returned `auth.info` hash. A sensible default mapping is built into the strategy and will be merged with your overrides. See `lib/omniauth/strategies/ldap.rb` for the default keys and behavior; values can be a String (single attribute), an Array (first present attribute wins), or a Hash (string pattern with placeholders like `%0` combined from multiple attributes).
+- `:header_auth` - Enable trusted upstream identity SSO (default: false). When enabled, the strategy trusts the configured header/env key, performs an LDAP lookup, and skips the user password bind.
+- `:header_name` - Header/env key used for trusted header SSO (default: "REMOTE_USER").
+- `:header_auth_source` - Trusted identity source for header SSO (default: `:env`). Use `:env` to read only `env["REMOTE_USER"]`-style server variables. Use `:http_header` to read only Rack `HTTP_` header keys such as `env["HTTP_REMOTE_USER"]`; only configure this behind a proxy that strips client-supplied copies.
+- `:header_auth_require_tls` - Require TLS for trusted header SSO requests (default: true).
 
 Example enabling password policy:
 
@@ -284,7 +268,7 @@ Where to find the "username"-style value
 - You can also read the raw attribute from `auth.extra.raw_info` (a `Net::LDAP::Entry`):
 
 ```ruby
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   dn = auth.uid                                # => "cn=alice,ou=users,dc=example,dc=com"
   username = auth.info.nickname                # => "alice" (from uid/sAMAccountName)
@@ -300,7 +284,7 @@ If you need top-level `auth.uid` to be something other than the DN (for example,
 ## 🔧 Basic Usage
 
 The strategy exposes a simple Rack middleware and can be used in plain Rack apps, Sinatra, or Rails.
-Direct users to `/auth/ldap` to start authentication and handle the callback at `/auth/ldap/callback`.
+With OmniAuth 2.x, initiate authentication with `POST /auth/ldap`; `GET /auth/ldap` returns 404 by default. Older OmniAuth 1.x deployments may still render the form on `GET /auth/ldap`. Handle the callback at `/auth/ldap/callback`.
 
 Below are several concrete examples to get you started.
 
@@ -316,7 +300,7 @@ use OmniAuth::Builder do
   provider :ldap,
     host: "ldap.example.com",
     port: 389,
-    method: :plain,
+    encryption: :plain,
     base: "dc=example,dc=com",
     uid: "uid",
     title: "Example LDAP"
@@ -325,7 +309,7 @@ end
 run lambda { |env| [404, {"Content-Type" => "text/plain"}, [env.key?("omniauth.auth").to_s]] }
 ```
 
-Visit `GET /auth/ldap` to initiate authentication (the middleware will render a login form unless you POST to `/auth/ldap`).
+Submit `POST /auth/ldap` to initiate authentication. With OmniAuth 2.x, the middleware renders the login form on POST when credentials are not already present; with OmniAuth 1.x, `GET /auth/ldap` can also render the form.
 
 ### Sinatra example
 
@@ -344,10 +328,10 @@ use OmniAuth::Builder do
 end
 
 get "/" do
-  '<a href="/auth/ldap">Sign in with LDAP</a>'
+  '<form action="/auth/ldap" method="post"><button type="submit">Sign in with LDAP</button></form>'
 end
 
-get "/auth/ldap/callback" do
+post "/auth/ldap/callback" do
   auth = request.env["omniauth.auth"]
   "Hello, #{auth.info["name"]}"
 end
@@ -371,7 +355,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
 end
 ```
 
-Then link users to `/auth/ldap` in your app (for example, in a Devise sign-in page).
+Then submit users to `/auth/ldap` with POST in your app (for example, from a Devise sign-in page).
 
 ### Use JSON Body
 
@@ -422,7 +406,7 @@ Examples
 
 Notes
 
-- You can still initiate authentication by visiting `GET /auth/ldap` to render the HTML form and then submitting it (form-encoded). JSON is an additional option, not a replacement.
+- You can still initiate authentication with a regular form POST and then submit credentials as form-encoded data. JSON is an additional option, not a replacement.
 - In the callback phase (`POST /auth/ldap/callback`), the strategy reads JSON credentials the same way; Rails exposes them via `action_dispatch.request.request_parameters` and non-Rails apps should use a JSON parser middleware.
 
 ### Using a custom filter
@@ -607,15 +591,19 @@ Note: You generally do not need this override. Prefer configuring your proxy to
 
 ### Trusted header SSO (REMOTE_USER and friends)
 
-Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via an HTTP header such as `REMOTE_USER`.
+Some deployments terminate SSO at a reverse proxy or portal and forward the already-authenticated user identity via a server-set environment variable or HTTP header such as `REMOTE_USER`.
 When you enable this mode, the LDAP strategy will trust the upstream header, perform a directory lookup for that user, and complete OmniAuth without asking the user for a password.
 
-Important: Only enable this behind a trusted front-end that strips and sets the header itself. Never enable on a public endpoint without such a gateway, or an attacker could spoof the header.
+Important: Only enable this behind a trusted front-end that authenticates users before they can reach the OmniAuth endpoint. When `header_auth` is enabled the strategy logs a prominent security warning because it trusts the upstream identity completely.
 
 Configuration options:
 
 - `:header_auth` (Boolean, default: false) — Enable trusted header SSO.
-- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read. The strategy checks both `env["REMOTE_USER"]` and the Rack variant `env["HTTP_REMOTE_USER"]`.
+- `:header_name` (String, default: "REMOTE_USER") — The env/header key to read.
+- `:header_auth_source` (`:env` or `:http_header`, default: `:env`) — Which Rack env key form to trust.
+  - `:env` reads only the exact server-set environment key, such as `env["REMOTE_USER"]`.
+  - `:http_header` reads only the Rack HTTP header key, such as `env["HTTP_REMOTE_USER"]`. Only use this behind a proxy that strips client-sent copies of the header before setting its trusted value.
+- `:header_auth_require_tls` (Boolean, default: true) — Raise an error if trusted header SSO is used on a non-TLS request.
 - `:name_proc` is applied to the header value before search (e.g., to strip a domain part).
 - Search is done using your configured `:uid` or `:filter` and the service bind (`:bind_dn`/`:password`) or anonymous bind if allowed.
 
@@ -629,8 +617,9 @@ use OmniAuth::Builder do
     uid: "uid",
     bind_dn: "cn=search,dc=example,dc=com",
     password: ENV["LDAP_SEARCH_PASSWORD"],
-    header_auth: true,                 # trust REMOTE_USER
-    header_name: "REMOTE_USER",       # default
+    header_auth: true,                  # trust the configured upstream identity
+    header_name: "REMOTE_USER",        # default
+    header_auth_source: :env,           # default; reads env["REMOTE_USER"]
     name_proc: proc { |n| n.split("@").first }
 end
 ```
@@ -648,6 +637,7 @@ Rails.application.config.middleware.use(OmniAuth::Builder) do
     password: ENV["LDAP_SEARCH_PASSWORD"],
     header_auth: true,
     header_name: "REMOTE_USER",
+    header_auth_source: :env,
     # Optionally restrict with a group filter while using the header value
     filter: "(&(sAMAccountName=%{username})(memberOf=cn=myapp-users,ou=groups,dc=acme,dc=corp))",
     name_proc: proc { |n| n.gsub(/@.*$/, "") }
@@ -662,8 +652,9 @@ Flow:
 
 Security checklist:
 
-- Ensure your reverse proxy strips user-controlled copies of the header and sets the canonical `REMOTE_USER` itself.
-- Prefer TLS-secured internal links between the proxy and your app.
+- Prefer `header_auth_source: :env` for server-set variables such as `REMOTE_USER`.
+- Use `header_auth_source: :http_header` only when your reverse proxy strips user-controlled copies of the header and sets the canonical value itself.
+- Keep `header_auth_require_tls` enabled unless a separate trusted channel protects traffic between the proxy and your app.
 - Consider also restricting with a group-based `:filter` so only authorized users can sign in.
 
 ## 🦷 FLOSS Funding
@@ -795,7 +786,7 @@ See [LICENSE.txt][📄license] for the official [Copyright Notice][📄copyright
 
 <ul>
     <li>
-        Copyright (c) 2025 Peter H. Boling, of
+        Copyright (c) 2025 - 2026 Peter H. Boling, of
         <a href="https://discord.gg/3qme4XHNKN">
             Galtzo.com
             <picture>
@@ -990,7 +981,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.293-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.312-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year

data/lib/omniauth/strategies/ldap.rb

@@ -97,12 +97,18 @@ module OmniAuth
       option :name_proc, lambda { |n| n }
 
       # Trusted header SSO support (disabled by default)
-      # :header_auth - when true and the header is present, the strategy trusts the upstream gateway
-      #                 and searches the directory for the user without requiring a user password.
-      # :header_name - which header/env key to read (default: "REMOTE_USER"). We will also check the
-      #                 standard Rack "HTTP_" variant automatically.
+      # :header_auth - when true and the configured header/env key is present, the strategy trusts
+      #                 the upstream gateway and searches the directory for the user without
+      #                 requiring a user password.
+      # :header_name - which header/env key to read (default: "REMOTE_USER").
+      # :header_auth_source - :env trusts only server-set env variables. :http_header trusts only
+      #                       Rack HTTP header keys, and should only be used behind a proxy that
+      #                       strips client-supplied copies of the header.
+      # :header_auth_require_tls - require a TLS request for header auth.
       option :header_auth, false
       option :header_name, "REMOTE_USER"
+      option :header_auth_source, :env
+      option :header_auth_require_tls, true
 
       # Optional timeouts (forwarded to Net::LDAP when supported)
       option :connect_timeout, nil
@@ -124,6 +130,8 @@ module OmniAuth
           return Rack::Response.new("", 404, {"Content-Type" => "text/plain"}).finish
         end
 
+        validate_header_auth_configuration!
+
         # Fast-path: if a trusted identity header is present, skip the login form
         # and jump to the callback where we will complete using directory lookup.
         if header_username
@@ -163,6 +171,8 @@ module OmniAuth
 
         return fail!(:invalid_request_method) unless valid_request_method?
 
+        validate_header_auth_configuration!
+
         # Header-based SSO (REMOTE_USER-style) path
         if (hu = header_username)
           begin
@@ -311,24 +321,62 @@ module OmniAuth
         @env["action_dispatch.request.request_parameters"] || request.params
       end
 
-      # Extract a normalized username from a trusted header when enabled.
+      # Extract a normalized username from a trusted header/env key when enabled.
       # Returns nil when not configured or not present.
       #
-      # The method will attempt the raw env key (e.g. "REMOTE_USER") and the Rack
-      # HTTP_ variant (e.g. "HTTP_REMOTE_USER" or "HTTP_X_REMOTE_USER").
+      # The source is intentionally explicit: :env reads the raw env key
+      # (e.g. "REMOTE_USER"), while :http_header reads the Rack HTTP_ variant
+      # (e.g. "HTTP_REMOTE_USER" or "HTTP_X_REMOTE_USER").
       #
       # @return [String, nil] normalized username or nil if not present
       def header_username
         return unless options[:header_auth]
 
-        name = options[:header_name] || "REMOTE_USER"
-        # Try both the raw env var (e.g., REMOTE_USER) and the Rack HTTP_ variant (e.g., HTTP_REMOTE_USER or HTTP_X_REMOTE_USER)
-        raw = request.env[name] || request.env["HTTP_#{name.upcase.tr("-", "_")}"]
+        raw = request.env[header_auth_env_key]
         return if raw.nil? || raw.to_s.strip.empty?
 
         options[:name_proc].call(raw.to_s)
       end
 
+      # Validate trusted header auth before reading the configured identity key.
+      #
+      # @raise [ArgumentError] when the header auth options are unsafe or invalid
+      # @return [void]
+      def validate_header_auth_configuration!
+        return unless options[:header_auth]
+
+        log_header_auth_warning
+
+        source = (options[:header_auth_source] || :env).to_sym
+        unless [:env, :http_header].include?(source)
+          raise ArgumentError, "header_auth_source must be :env or :http_header"
+        end
+
+        if options[:header_auth_require_tls] && !request.ssl?
+          raise ArgumentError, "header_auth requires TLS unless header_auth_require_tls is disabled"
+        end
+      end
+
+      # Rack env key selected by the explicit header auth source option.
+      #
+      # @return [String]
+      def header_auth_env_key
+        name = options[:header_name] || "REMOTE_USER"
+        return name if (options[:header_auth_source] || :env).to_sym == :env
+
+        "HTTP_#{name.upcase.tr("-", "_")}"
+      end
+
+      # Warn operators that trusted header auth delegates authentication to the upstream gateway.
+      #
+      # @return [void]
+      def log_header_auth_warning
+        logger = OmniAuth.config.respond_to?(:logger) ? OmniAuth.config.logger : nil
+        return unless logger && logger.respond_to?(:warn)
+
+        logger.warn("[omniauth-ldap] SECURITY WARNING: header_auth is enabled. This trusts upstream authentication completely; only enable it behind a trusted proxy that strips client-supplied identity headers.")
+      end
+
       # Perform a directory lookup for the given username using the strategy configuration
       # (bind_dn/password or anonymous). Does not attempt to bind as the user.
       #

data/lib/omniauth-ldap/adaptor.rb

@@ -131,16 +131,18 @@ module OmniAuth
       # @param configuration [Hash] configuration hash passed to the adaptor
       # @raise [ArgumentError] when required keys are missing
       # @return [void]
-      def self.validate(configuration = {})
-        message = []
-        MUST_HAVE_KEYS.each do |names|
-          names = [names].flatten
-          missing_keys = names.select { |name| configuration[name].nil? }
-          if missing_keys == names
-            message << names.join(" or ")
+      class << self
+        def validate(configuration = {})
+          message = []
+          MUST_HAVE_KEYS.each do |names|
+            names = [names].flatten
+            missing_keys = names.select { |name| configuration[name].nil? }
+            if missing_keys == names
+              message << names.join(" or ")
+            end
           end
+          raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
         end
-        raise ArgumentError.new(message.join(",") + " MUST be provided") unless message.empty?
       end
 
       # Create a new adaptor instance backed by a Net::LDAP connection.

data/lib/omniauth-ldap/version.rb

@@ -8,7 +8,7 @@ module OmniAuth
     module Version
       # Public semantic version for the gem
       # @return [String]
-      VERSION = "2.3.3"
+      VERSION = "2.3.4"
     end
     # Convenience constant for consumers that expect OmniAuth::LDAP::VERSION
     # @return [String]

data/sig/omniauth/strategies/ldap.rbs

@@ -22,6 +22,12 @@ module OmniAuth
       # Extract username from a trusted header when enabled
       def header_username: () -> (String | nil)
 
+      def validate_header_auth_configuration!: () -> void
+
+      def header_auth_env_key: () -> String
+
+      def log_header_auth_warning: () -> void
+
       # Perform a directory lookup for a given username; returns an Entry or nil
       def directory_lookup: (OmniAuth::LDAP::Adaptor, String) -> untyped
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-ldap
 version: !ruby/object:Gem::Version
-  version: 2.3.3
+  version: 2.3.4
 platform: ruby
 authors:
 - Peter Boling
@@ -380,10 +380,10 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://omniauth-ldap.galtzo.com/
-  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.3
-  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.3/CHANGELOG.md
+  source_code_uri: https://github.com/omniauth/omniauth-ldap/tree/v2.3.4
+  changelog_uri: https://github.com/omniauth/omniauth-ldap/blob/v2.3.4/CHANGELOG.md
   bug_tracker_uri: https://github.com/omniauth/omniauth-ldap/issues
-  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.3
+  documentation_uri: https://www.rubydoc.info/gems/omniauth-ldap/2.3.4
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/omniauth/omniauth-ldap/wiki
   news_uri: https://www.railsbling.com/tags/omniauth-ldap
@@ -412,7 +412,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 4.0.11
 specification_version: 4
 summary: "\U0001F4C1 LDAP strategy for OmniAuth."
 test_files: []