omniauth-saml 1.8.1 → 1.10.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +48 -0
- data/README.md +26 -14
- data/lib/omniauth-saml/version.rb +1 -1
- data/lib/omniauth/strategies/saml.rb +8 -4
- data/spec/omniauth/strategies/saml_spec.rb +37 -0
- metadata +28 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 78fc2aa9d53a76bfcee786298a146e780f2519b1dc610f9a3387af3be5d7e763
|
|
4
|
+
data.tar.gz: 07776a19a05fd26b1779523947c7e54268663436ca469fd135379a1a38f488ee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a06e92595e4b5008f530ead717e5948a852ef6cc656e73badb9119549425f45696a655d3073c6fd0364c1a91774d36a818af317e790301dbe5027d2c1c96f798
|
|
7
|
+
data.tar.gz: da2e24b71ed687e075299b24ad79e23b3ed878dd4b58666e42f927306e793712d43be949ba19b3c685b271666405355c093c130d538676edaa62a980b3873ba5
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,51 @@
|
|
|
1
|
+
<a name="v1.10.3"></a>
|
|
2
|
+
### v1.10.3 (2020-10-06)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* add options to logout_request initialization ([c271a37](/../../commit/c271a37))
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
<a name="v1.10.2"></a>
|
|
11
|
+
### v1.10.2 (2018-05-23)
|
|
12
|
+
|
|
13
|
+
|
|
14
|
+
#### Features
|
|
15
|
+
|
|
16
|
+
* **saml**
|
|
17
|
+
* inherits allows response options from ruby-saml instead of whitelist ([a0eedd6](/../../commit/a0eedd6))
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
<a name="v1.10.1"></a>
|
|
21
|
+
### v1.10.1 (2018-06-07)
|
|
22
|
+
|
|
23
|
+
|
|
24
|
+
#### Features
|
|
25
|
+
|
|
26
|
+
* **saml-response**
|
|
27
|
+
* whitelist more response options ([575198d](/../../commit/575198d))
|
|
28
|
+
|
|
29
|
+
|
|
30
|
+
<a name="v1.10.0"></a>
|
|
31
|
+
### v1.10.0 (2018-02-19)
|
|
32
|
+
|
|
33
|
+
|
|
34
|
+
#### Bug Fixes
|
|
35
|
+
|
|
36
|
+
* ambiguous path match in other phase ([1b465b9](/../../commit/1b465b9))
|
|
37
|
+
* Update ruby-saml gem to 1.7 or later to fix CVE-2017-11430 ([6bc28ad](/../../commit/6bc28ad))
|
|
38
|
+
|
|
39
|
+
|
|
40
|
+
<a name="v1.9.0"></a>
|
|
41
|
+
### v1.9.0 (2018-01-29)
|
|
42
|
+
|
|
43
|
+
|
|
44
|
+
#### Bug Fixes
|
|
45
|
+
|
|
46
|
+
* Update omniauth gem to 1.3.2 or later 1.3.x ([b6bb425](/../../commit/b6bb425))
|
|
47
|
+
|
|
48
|
+
|
|
1
49
|
<a name="v1.8.1"></a>
|
|
2
50
|
### v1.8.1 (2017-06-22)
|
|
3
51
|
|
data/README.md
CHANGED
|
@@ -2,14 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
[][gem]
|
|
4
4
|
[][travis]
|
|
5
|
-
[][codeclimate]
|
|
5
|
+
[][codeclimate]
|
|
7
6
|
[][coveralls]
|
|
8
7
|
|
|
9
8
|
[gem]: https://rubygems.org/gems/omniauth-saml
|
|
10
9
|
[travis]: http://travis-ci.org/omniauth/omniauth-saml
|
|
11
|
-
[
|
|
12
|
-
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
|
|
10
|
+
[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
|
|
13
11
|
[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
|
|
14
12
|
|
|
15
13
|
A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
|
|
@@ -19,11 +17,11 @@ https://github.com/omniauth/omniauth-saml
|
|
|
19
17
|
## Requirements
|
|
20
18
|
|
|
21
19
|
* [OmniAuth](http://www.omniauth.org/) 1.3+
|
|
22
|
-
* Ruby 2.
|
|
20
|
+
* Ruby 2.4.x+
|
|
23
21
|
|
|
24
22
|
## Versioning
|
|
25
23
|
|
|
26
|
-
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle.
|
|
24
|
+
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle. In addition to the guidelines of Semantic Versioning, we follow a further guideline that otherwise backwards-compatible dependency upgrades for security reasons should generally be cause for a MINOR version upgrade as opposed to a PATCH version upgrade. Backwards-incompatible dependency upgrades for security reasons should still result in a MAJOR version upgrade for this library.
|
|
27
25
|
|
|
28
26
|
## Usage
|
|
29
27
|
|
|
@@ -37,6 +35,10 @@ use OmniAuth::Strategies::SAML,
|
|
|
37
35
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
38
36
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
39
37
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
38
|
+
:idp_cert_multi => {
|
|
39
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
40
|
+
:encryption => []
|
|
41
|
+
}
|
|
40
42
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
41
43
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
42
44
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -60,6 +62,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
60
62
|
:idp_sso_target_url => "idp_sso_target_url",
|
|
61
63
|
:idp_sso_target_url_runtime_params => {:original_request_param => :mapped_idp_param},
|
|
62
64
|
:idp_cert => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
|
|
65
|
+
:idp_cert_multi => {
|
|
66
|
+
:signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
|
|
67
|
+
:encryption => []
|
|
68
|
+
}
|
|
63
69
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
64
70
|
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
65
71
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
@@ -107,16 +113,20 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
107
113
|
`original_param_value`. Optional.
|
|
108
114
|
|
|
109
115
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
110
|
-
over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
116
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
111
117
|
be present.
|
|
118
|
+
|
|
119
|
+
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
120
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
|
|
121
|
+
be present.
|
|
112
122
|
|
|
113
123
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
114
124
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
115
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
125
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
|
|
116
126
|
|
|
117
127
|
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
118
128
|
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
119
|
-
or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
|
|
129
|
+
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
120
130
|
|
|
121
131
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
122
132
|
the username required by this application. If you need the email address, use
|
|
@@ -194,7 +204,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
|
|
|
194
204
|
When using Devise as an authentication solution, the SP initiated flow can be integrated
|
|
195
205
|
in the `SessionsController#destroy` action.
|
|
196
206
|
|
|
197
|
-
For this to work it is important to preserve the `saml_uid` value before Devise
|
|
207
|
+
For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
|
|
198
208
|
clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
|
|
199
209
|
|
|
200
210
|
Example `destroy` action in `sessions_controller.rb`:
|
|
@@ -204,17 +214,19 @@ class SessionsController < Devise::SessionsController
|
|
|
204
214
|
# ...
|
|
205
215
|
|
|
206
216
|
def destroy
|
|
207
|
-
# Preserve the saml_uid in the session
|
|
208
|
-
saml_uid = session[
|
|
217
|
+
# Preserve the saml_uid and saml_session_index in the session
|
|
218
|
+
saml_uid = session['saml_uid']
|
|
219
|
+
saml_session_index = session['saml_session_index']
|
|
209
220
|
super do
|
|
210
|
-
session[
|
|
221
|
+
session['saml_uid'] = saml_uid
|
|
222
|
+
session['saml_session_index'] = saml_session_index
|
|
211
223
|
end
|
|
212
224
|
end
|
|
213
225
|
|
|
214
226
|
# ...
|
|
215
227
|
|
|
216
228
|
def after_sign_out_path_for(_)
|
|
217
|
-
if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
|
|
229
|
+
if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_target_url
|
|
218
230
|
user_saml_omniauth_authorize_path + "/spslo"
|
|
219
231
|
else
|
|
220
232
|
super
|
|
@@ -10,7 +10,7 @@ module OmniAuth
|
|
|
10
10
|
OmniAuth::Strategy.included(subclass)
|
|
11
11
|
end
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
|
|
14
14
|
|
|
15
15
|
option :name_identifier_format, nil
|
|
16
16
|
option :idp_sso_target_url_runtime_params, {}
|
|
@@ -69,7 +69,7 @@ module OmniAuth
|
|
|
69
69
|
end
|
|
70
70
|
|
|
71
71
|
def other_phase
|
|
72
|
-
if
|
|
72
|
+
if request_path_pattern.match(current_path)
|
|
73
73
|
@env['omniauth.strategy'] ||= self
|
|
74
74
|
setup_phase
|
|
75
75
|
|
|
@@ -120,6 +120,10 @@ module OmniAuth
|
|
|
120
120
|
|
|
121
121
|
private
|
|
122
122
|
|
|
123
|
+
def request_path_pattern
|
|
124
|
+
@request_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/|\z)}
|
|
125
|
+
end
|
|
126
|
+
|
|
123
127
|
def on_subpath?(subpath)
|
|
124
128
|
on_path?("#{request_path}/#{subpath}")
|
|
125
129
|
end
|
|
@@ -173,7 +177,7 @@ module OmniAuth
|
|
|
173
177
|
end
|
|
174
178
|
|
|
175
179
|
def handle_logout_request(raw_request, settings)
|
|
176
|
-
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
|
|
180
|
+
logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
|
|
177
181
|
|
|
178
182
|
if logout_request.is_valid? &&
|
|
179
183
|
logout_request.name_id == session["saml_uid"]
|
|
@@ -227,7 +231,7 @@ module OmniAuth
|
|
|
227
231
|
|
|
228
232
|
def options_for_response_object
|
|
229
233
|
# filter options to select only extra parameters
|
|
230
|
-
opts = options.select {|k,_|
|
|
234
|
+
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
231
235
|
|
|
232
236
|
# symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
|
|
233
237
|
opts.inject({}) do |new_hash, (key, value)|
|
|
@@ -87,6 +87,34 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
87
87
|
end
|
|
88
88
|
end
|
|
89
89
|
end
|
|
90
|
+
|
|
91
|
+
context 'when authn request signing is requested' do
|
|
92
|
+
subject { get '/auth/saml' }
|
|
93
|
+
|
|
94
|
+
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
|
|
95
|
+
|
|
96
|
+
before do
|
|
97
|
+
saml_options[:compress_request] = false
|
|
98
|
+
|
|
99
|
+
saml_options[:private_key] = private_key.to_pem
|
|
100
|
+
saml_options[:security] = {
|
|
101
|
+
authn_requests_signed: true,
|
|
102
|
+
signature_method: XMLSecurity::Document::RSA_SHA256
|
|
103
|
+
}
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
it 'should sign the request' do
|
|
107
|
+
is_expected.to be_redirect
|
|
108
|
+
|
|
109
|
+
location = URI.parse(last_response.location)
|
|
110
|
+
query = Rack::Utils.parse_query location.query
|
|
111
|
+
expect(query).to have_key('SAMLRequest')
|
|
112
|
+
expect(query).to have_key('Signature')
|
|
113
|
+
expect(query).to have_key('SigAlg')
|
|
114
|
+
|
|
115
|
+
expect(query['SigAlg']).to eq XMLSecurity::Document::RSA_SHA256
|
|
116
|
+
end
|
|
117
|
+
end
|
|
90
118
|
end
|
|
91
119
|
|
|
92
120
|
describe 'POST /auth/saml/callback' do
|
|
@@ -407,6 +435,15 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
407
435
|
specify { expect(last_response.status).to eql 404 }
|
|
408
436
|
end
|
|
409
437
|
|
|
438
|
+
context 'when hitting a route that contains a substring match for the strategy name' do
|
|
439
|
+
before { get '/auth/saml2/metadata' }
|
|
440
|
+
|
|
441
|
+
it 'should not set the strategy' do
|
|
442
|
+
expect(last_request.env['omniauth.strategy']).to be_nil
|
|
443
|
+
expect(last_response.status).to eql 404
|
|
444
|
+
end
|
|
445
|
+
end
|
|
446
|
+
|
|
410
447
|
describe 'subclass behavior' do
|
|
411
448
|
it 'registers subclasses in OmniAuth.strategies' do
|
|
412
449
|
subclass = Class.new(described_class)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.10.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date:
|
|
17
|
+
date: 2020-10-14 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|
|
@@ -23,6 +23,9 @@ dependencies:
|
|
|
23
23
|
- - "~>"
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
25
|
version: '1.3'
|
|
26
|
+
- - ">="
|
|
27
|
+
- !ruby/object:Gem::Version
|
|
28
|
+
version: 1.3.2
|
|
26
29
|
type: :runtime
|
|
27
30
|
prerelease: false
|
|
28
31
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -30,46 +33,37 @@ dependencies:
|
|
|
30
33
|
- - "~>"
|
|
31
34
|
- !ruby/object:Gem::Version
|
|
32
35
|
version: '1.3'
|
|
36
|
+
- - ">="
|
|
37
|
+
- !ruby/object:Gem::Version
|
|
38
|
+
version: 1.3.2
|
|
33
39
|
- !ruby/object:Gem::Dependency
|
|
34
40
|
name: ruby-saml
|
|
35
41
|
requirement: !ruby/object:Gem::Requirement
|
|
36
42
|
requirements:
|
|
37
43
|
- - "~>"
|
|
38
44
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: '1.
|
|
40
|
-
- - ">="
|
|
41
|
-
- !ruby/object:Gem::Version
|
|
42
|
-
version: 1.4.3
|
|
45
|
+
version: '1.9'
|
|
43
46
|
type: :runtime
|
|
44
47
|
prerelease: false
|
|
45
48
|
version_requirements: !ruby/object:Gem::Requirement
|
|
46
49
|
requirements:
|
|
47
50
|
- - "~>"
|
|
48
51
|
- !ruby/object:Gem::Version
|
|
49
|
-
version: '1.
|
|
50
|
-
- - ">="
|
|
51
|
-
- !ruby/object:Gem::Version
|
|
52
|
-
version: 1.4.3
|
|
52
|
+
version: '1.9'
|
|
53
53
|
- !ruby/object:Gem::Dependency
|
|
54
54
|
name: rake
|
|
55
55
|
requirement: !ruby/object:Gem::Requirement
|
|
56
56
|
requirements:
|
|
57
57
|
- - ">="
|
|
58
58
|
- !ruby/object:Gem::Version
|
|
59
|
-
version:
|
|
60
|
-
- - "<"
|
|
61
|
-
- !ruby/object:Gem::Version
|
|
62
|
-
version: '12'
|
|
59
|
+
version: 12.3.3
|
|
63
60
|
type: :development
|
|
64
61
|
prerelease: false
|
|
65
62
|
version_requirements: !ruby/object:Gem::Requirement
|
|
66
63
|
requirements:
|
|
67
64
|
- - ">="
|
|
68
65
|
- !ruby/object:Gem::Version
|
|
69
|
-
version:
|
|
70
|
-
- - "<"
|
|
71
|
-
- !ruby/object:Gem::Version
|
|
72
|
-
version: '12'
|
|
66
|
+
version: 12.3.3
|
|
73
67
|
- !ruby/object:Gem::Dependency
|
|
74
68
|
name: rspec
|
|
75
69
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,6 +126,20 @@ dependencies:
|
|
|
132
126
|
- - "~>"
|
|
133
127
|
- !ruby/object:Gem::Version
|
|
134
128
|
version: '1.2'
|
|
129
|
+
- !ruby/object:Gem::Dependency
|
|
130
|
+
name: coveralls
|
|
131
|
+
requirement: !ruby/object:Gem::Requirement
|
|
132
|
+
requirements:
|
|
133
|
+
- - ">="
|
|
134
|
+
- !ruby/object:Gem::Version
|
|
135
|
+
version: 0.8.23
|
|
136
|
+
type: :development
|
|
137
|
+
prerelease: false
|
|
138
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
139
|
+
requirements:
|
|
140
|
+
- - ">="
|
|
141
|
+
- !ruby/object:Gem::Version
|
|
142
|
+
version: 0.8.23
|
|
135
143
|
description: A generic SAML strategy for OmniAuth.
|
|
136
144
|
email: rajiv@alum.mit.edu
|
|
137
145
|
executables: []
|
|
@@ -159,15 +167,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
159
167
|
requirements:
|
|
160
168
|
- - ">="
|
|
161
169
|
- !ruby/object:Gem::Version
|
|
162
|
-
version: '2.
|
|
170
|
+
version: '2.4'
|
|
163
171
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
164
172
|
requirements:
|
|
165
173
|
- - ">="
|
|
166
174
|
- !ruby/object:Gem::Version
|
|
167
175
|
version: '0'
|
|
168
176
|
requirements: []
|
|
169
|
-
|
|
170
|
-
rubygems_version: 2.5.1
|
|
177
|
+
rubygems_version: 3.0.3
|
|
171
178
|
signing_key:
|
|
172
179
|
specification_version: 4
|
|
173
180
|
summary: A generic SAML strategy for OmniAuth.
|