omniauth-saml 1.8.1 → 1.10.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of omniauth-saml might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/CHANGELOG.md +48 -0
- data/README.md +26 -14
- data/lib/omniauth-saml/version.rb +1 -1
- data/lib/omniauth/strategies/saml.rb +8 -4
- data/spec/omniauth/strategies/saml_spec.rb +37 -0
- metadata +28 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 78fc2aa9d53a76bfcee786298a146e780f2519b1dc610f9a3387af3be5d7e763
|
|
4
|
+
data.tar.gz: 07776a19a05fd26b1779523947c7e54268663436ca469fd135379a1a38f488ee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a06e92595e4b5008f530ead717e5948a852ef6cc656e73badb9119549425f45696a655d3073c6fd0364c1a91774d36a818af317e790301dbe5027d2c1c96f798
|
|
7
|
+
data.tar.gz: da2e24b71ed687e075299b24ad79e23b3ed878dd4b58666e42f927306e793712d43be949ba19b3c685b271666405355c093c130d538676edaa62a980b3873ba5
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,51 @@
|
|
|
1
|
+
<a name="v1.10.3"></a>
|
|
2
|
+
### v1.10.3 (2020-10-06)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* add options to logout_request initialization ([c271a37](/../../commit/c271a37))
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
<a name="v1.10.2"></a>
|
|
11
|
+
### v1.10.2 (2018-05-23)
|
|
12
|
+
|
|
13
|
+
|
|
14
|
+
#### Features
|
|
15
|
+
|
|
16
|
+
* **saml**
|
|
17
|
+
* inherits allows response options from ruby-saml instead of whitelist ([a0eedd6](/../../commit/a0eedd6))
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
<a name="v1.10.1"></a>
|
|
21
|
+
### v1.10.1 (2018-06-07)
|
|
22
|
+
|
|
23
|
+
|
|
24
|
+
#### Features
|
|
25
|
+
|
|
26
|
+
* **saml-response**
|
|
27
|
+
* whitelist more response options ([575198d](/../../commit/575198d))
|
|
28
|
+
|
|
29
|
+
|
|
30
|
+
<a name="v1.10.0"></a>
|
|
31
|
+
### v1.10.0 (2018-02-19)
|
|
32
|
+
|
|
33
|
+
|
|
34
|
+
#### Bug Fixes
|
|
35
|
+
|
|
36
|
+
* ambiguous path match in other phase ([1b465b9](/../../commit/1b465b9))
|
|
37
|
+
* Update ruby-saml gem to 1.7 or later to fix CVE-2017-11430 ([6bc28ad](/../../commit/6bc28ad))
|
|
38
|
+
|
|
39
|
+
|
|
40
|
+
<a name="v1.9.0"></a>
|
|
41
|
+
### v1.9.0 (2018-01-29)
|
|
42
|
+
|
|
43
|
+
|
|
44
|
+
#### Bug Fixes
|
|
45
|
+
|
|
46
|
+
* Update omniauth gem to 1.3.2 or later 1.3.x ([b6bb425](/../../commit/b6bb425))
|
|
47
|
+
|
|
48
|
+
|
|
1
49
|
<a name="v1.8.1"></a>
|
|
2
50
|
### v1.8.1 (2017-06-22)
|
|
3
51
|
|
data/README.md
CHANGED
|
@@ -2,14 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
4
|
[][travis]
|
|
5
|
-
[][codeclimate]
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
9
|
[travis]: http://travis-ci.org/omniauth/omniauth-saml
|
|
11
|
-
[
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
10
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
11
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
12
|
|
|
15
13
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,11 +17,11 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
17
|
## Requirements
|
|
20
18
|
|
|
21
19
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
20
|
+
* Ruby 2.4.x+
|
|
23
21
|
|
|
24
22
|
## Versioning
|
|
25
23
|
|
|
26
|
-
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle.
|
|
24
|
+
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle. In addition to the guidelines of Semantic Versioning, we follow a further guideline that otherwise backwards-compatible dependency upgrades for security reasons should generally be cause for a MINOR version upgrade as opposed to a PATCH version upgrade. Backwards-incompatible dependency upgrades for security reasons should still result in a MAJOR version upgrade for this library.
|
|
27
25
|
|
|
28
26
|
## Usage
|
|
29
27
|
|
|
@@ -37,6 +35,10 @@ use OmniAuth::Strategies::SAML,
|
|
|
37
35
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
38
36
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
37
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
38
|
+
:idp_cert_multi => {
|
|
39
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
40
|
+
:encryption => []
|
|
41
|
+
}
|
|
40
42
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
43
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
44
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -60,6 +62,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
60
62
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
61
63
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
64
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
65
|
+
:idp_cert_multi => {
|
|
66
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
67
|
+
:encryption => []
|
|
68
|
+
}
|
|
63
69
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
70
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
71
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -107,16 +113,20 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
107
113
|
`original_param_value`. Optional.
|
|
108
114
|
|
|
109
115
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
116
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
117
|
be present.
|
|
118
|
+
|
|
119
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
120
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
121
|
+
be present.
|
|
112
122
|
|
|
113
123
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
124
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
125
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
126
|
|
|
117
127
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
128
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
129
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
130
|
|
|
121
131
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
132
|
the username required by this application. If you need the email address, use
|
|
@@ -194,7 +204,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
204
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
205
|
in the `SessionsController#destroy` action.
|
|
196
206
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
207
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
208
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
209
|
|
|
200
210
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +214,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
214
|
# ...
|
|
205
215
|
|
|
206
216
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
217
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
218
|
+
saml_uid = session['saml_uid']
|
|
219
|
+
saml_session_index = session['saml_session_index']
|
|
209
220
|
super do
|
|
210
|
-
session[
|
|
221
|
+
session['saml_uid'] = saml_uid
|
|
222
|
+
session['saml_session_index'] = saml_session_index
|
|
211
223
|
end
|
|
212
224
|
end
|
|
213
225
|
|
|
214
226
|
# ...
|
|
215
227
|
|
|
216
228
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
|
|
229
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_target_url
|
|
218
230
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
231
|
else
|
|
220
232
|
super
|
|
@@ -10,7 +10,7 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
16
|
option :idp_sso_target_url_runtime_params, {}
|
|
@@ -69,7 +69,7 @@ module OmniAuth
|
|
|
69
69
|
end
|
|
70
70
|
|
|
71
71
|
def other_phase
|
|
72
|
-
if
|
|
72
|
+
if request_path_pattern.match(current_path)
|
|
73
73
|
@env['omniauth.strategy'] ||= self
|
|
74
74
|
setup_phase
|
|
75
75
|
|
|
@@ -120,6 +120,10 @@ module OmniAuth
|
|
|
120
120
|
|
|
121
121
|
private
|
|
122
122
|
|
|
123
|
+
def request_path_pattern
|
|
124
|
+
@request_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/|\z)}
|
|
125
|
+
end
|
|
126
|
+
|
|
123
127
|
def on_subpath?(subpath)
|
|
124
128
|
on_path?("#{request_path}/#{subpath}")
|
|
125
129
|
end
|
|
@@ -173,7 +177,7 @@ module OmniAuth
|
|
|
173
177
|
end
|
|
174
178
|
|
|
175
179
|
def handle_logout_request(raw_request, settings)
|
|
176
|
-
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
|
|
180
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
|
|
177
181
|
|
|
178
182
|
if logout_request.is_valid? &&
|
|
179
183
|
logout_request.name_id == session["saml_uid"]
|
|
@@ -227,7 +231,7 @@ module OmniAuth
|
|
|
227
231
|
|
|
228
232
|
def options_for_response_object
|
|
229
233
|
# filter options to select only extra parameters
|
|
230
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
231
235
|
|
|
232
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
233
237
|
opts.inject({}) do |new_hash, (key, value)|
|
|
@@ -87,6 +87,34 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
87
87
|
end
|
|
88
88
|
end
|
|
89
89
|
end
|
|
90
|
+
|
|
91
|
+
context 'when authn request signing is requested' do
|
|
92
|
+
subject { get '/auth/saml' }
|
|
93
|
+
|
|
94
|
+
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
|
|
95
|
+
|
|
96
|
+
before do
|
|
97
|
+
saml_options[:compress_request] = false
|
|
98
|
+
|
|
99
|
+
saml_options[:private_key] = private_key.to_pem
|
|
100
|
+
saml_options[:security] = {
|
|
101
|
+
authn_requests_signed: true,
|
|
102
|
+
signature_method: XMLSecurity::Document::RSA_SHA256
|
|
103
|
+
}
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
it 'should sign the request' do
|
|
107
|
+
is_expected.to be_redirect
|
|
108
|
+
|
|
109
|
+
location = URI.parse(last_response.location)
|
|
110
|
+
query = Rack::Utils.parse_query location.query
|
|
111
|
+
expect(query).to have_key('SAMLRequest')
|
|
112
|
+
expect(query).to have_key('Signature')
|
|
113
|
+
expect(query).to have_key('SigAlg')
|
|
114
|
+
|
|
115
|
+
expect(query['SigAlg']).to eq XMLSecurity::Document::RSA_SHA256
|
|
116
|
+
end
|
|
117
|
+
end
|
|
90
118
|
end
|
|
91
119
|
|
|
92
120
|
describe 'POST /auth/saml/callback' do
|
|
@@ -407,6 +435,15 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
407
435
|
specify { expect(last_response.status).to eql 404 }
|
|
408
436
|
end
|
|
409
437
|
|
|
438
|
+
context 'when hitting a route that contains a substring match for the strategy name' do
|
|
439
|
+
before { get '/auth/saml2/metadata' }
|
|
440
|
+
|
|
441
|
+
it 'should not set the strategy' do
|
|
442
|
+
expect(last_request.env['omniauth.strategy']).to be_nil
|
|
443
|
+
expect(last_response.status).to eql 404
|
|
444
|
+
end
|
|
445
|
+
end
|
|
446
|
+
|
|
410
447
|
describe 'subclass behavior' do
|
|
411
448
|
it 'registers subclasses in OmniAuth.strategies' do
|
|
412
449
|
subclass = Class.new(described_class)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.10.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2020-10-14 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -23,6 +23,9 @@ dependencies:
|
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
25
|
version: '1.3'
|
|
26
|
+
- - ">="
|
|
27
|
+
- !ruby/object:Gem::Version
|
|
28
|
+
version: 1.3.2
|
|
26
29
|
type: :runtime
|
|
27
30
|
prerelease: false
|
|
28
31
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -30,46 +33,37 @@ dependencies:
|
|
|
30
33
|
- - "~>"
|
|
31
34
|
- !ruby/object:Gem::Version
|
|
32
35
|
version: '1.3'
|
|
36
|
+
- - ">="
|
|
37
|
+
- !ruby/object:Gem::Version
|
|
38
|
+
version: 1.3.2
|
|
33
39
|
- !ruby/object:Gem::Dependency
|
|
34
40
|
name: ruby-saml
|
|
35
41
|
requirement: !ruby/object:Gem::Requirement
|
|
36
42
|
requirements:
|
|
37
43
|
- - "~>"
|
|
38
44
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: '1.
|
|
40
|
-
- - ">="
|
|
41
|
-
- !ruby/object:Gem::Version
|
|
42
|
-
version: 1.4.3
|
|
45
|
+
version: '1.9'
|
|
43
46
|
type: :runtime
|
|
44
47
|
prerelease: false
|
|
45
48
|
version_requirements: !ruby/object:Gem::Requirement
|
|
46
49
|
requirements:
|
|
47
50
|
- - "~>"
|
|
48
51
|
- !ruby/object:Gem::Version
|
|
49
|
-
version: '1.
|
|
50
|
-
- - ">="
|
|
51
|
-
- !ruby/object:Gem::Version
|
|
52
|
-
version: 1.4.3
|
|
52
|
+
version: '1.9'
|
|
53
53
|
- !ruby/object:Gem::Dependency
|
|
54
54
|
name: rake
|
|
55
55
|
requirement: !ruby/object:Gem::Requirement
|
|
56
56
|
requirements:
|
|
57
57
|
- - ">="
|
|
58
58
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
59
|
+
version: 12.3.3
|
|
63
60
|
type: :development
|
|
64
61
|
prerelease: false
|
|
65
62
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
63
|
requirements:
|
|
67
64
|
- - ">="
|
|
68
65
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
66
|
+
version: 12.3.3
|
|
73
67
|
- !ruby/object:Gem::Dependency
|
|
74
68
|
name: rspec
|
|
75
69
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +126,20 @@ dependencies:
|
|
|
132
126
|
- - "~>"
|
|
133
127
|
- !ruby/object:Gem::Version
|
|
134
128
|
version: '1.2'
|
|
129
|
+
- !ruby/object:Gem::Dependency
|
|
130
|
+
name: coveralls
|
|
131
|
+
requirement: !ruby/object:Gem::Requirement
|
|
132
|
+
requirements:
|
|
133
|
+
- - ">="
|
|
134
|
+
- !ruby/object:Gem::Version
|
|
135
|
+
version: 0.8.23
|
|
136
|
+
type: :development
|
|
137
|
+
prerelease: false
|
|
138
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
139
|
+
requirements:
|
|
140
|
+
- - ">="
|
|
141
|
+
- !ruby/object:Gem::Version
|
|
142
|
+
version: 0.8.23
|
|
135
143
|
description: A generic SAML strategy for OmniAuth.
|
|
136
144
|
email: rajiv@alum.mit.edu
|
|
137
145
|
executables: []
|
|
@@ -159,15 +167,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
167
|
requirements:
|
|
160
168
|
- - ">="
|
|
161
169
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
170
|
+
version: '2.4'
|
|
163
171
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
172
|
requirements:
|
|
165
173
|
- - ">="
|
|
166
174
|
- !ruby/object:Gem::Version
|
|
167
175
|
version: '0'
|
|
168
176
|
requirements: []
|
|
169
|
-
|
|
170
|
-
rubygems_version: 2.5.1
|
|
177
|
+
rubygems_version: 3.0.3
|
|
171
178
|
signing_key:
|
|
172
179
|
specification_version: 4
|
|
173
180
|
summary: A generic SAML strategy for OmniAuth.
|