omniauth-saml 1.9.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a3895e66de86a36af32ed2a4307562e1d549d69a
-  data.tar.gz: 413848e6bdb2dc31758a1b60f5aeae811afb9b2c
+SHA256:
+  metadata.gz: 36019dbb0985207e4a8e6faa24f50abed3f707d3d4c8ad1370403e658b708730
+  data.tar.gz: '042845e9351550c797149bfdba0f395059a0a8d590d70cdcec19828e9cc4a6c6'
 SHA512:
-  metadata.gz: f27b3b76a2859c680bdc446b0f678616b43cd2d2e1896bba9297d673e00689c25e55170b1f2a4ea021653704bff92f7885df322518100431c3ac50ef97271782
-  data.tar.gz: 0f0e9056f26ff234e92e000c9a360e12038b8c25e7ae56599eda22b7eb06a8434befbe85ec564d388d9fb0396f3b329db7e66c9bb69ff70afc3ff5bcfa008350
+  metadata.gz: 5f8100b1f45f5e09e778bb6ccf96bffdf041b5dc7da72a67fe5063fe30eb01c7a61481c8b5c8e3700b91af362e3a5f8915c5797d97eb3f2e3197333a1117bb49
+  data.tar.gz: 71c78f0ff383876af1fe15d471e35ea70bedbabccc6e2b7b79bf7c6f643c5f5330bbe706b24b25c92f47fb68d85ec062c9e12819a5430cbff9e91fb7e08c3055

data/CHANGELOG.md

@@ -1,3 +1,51 @@
+<a name="v2.0.0"></a>
+### v2.0.0 (2021-01-13)
+
+
+#### Chores
+
+* Allow OmniAuth 2.0.0	 ([f7ec7ee](/../../commit/f7ec7ee))
+
+
+<a name="v1.10.3"></a>
+### v1.10.3 (2020-10-06)
+
+
+#### Bug Fixes
+
+* add options to logout_request initialization	 ([c271a37](/../../commit/c271a37))
+
+
+<a name="v1.10.2"></a>
+### v1.10.2 (2018-05-23)
+
+
+#### Features
+
+* **saml**
+  * inherits allows response options from ruby-saml instead of whitelist	 ([a0eedd6](/../../commit/a0eedd6))
+
+
+<a name="v1.10.1"></a>
+### v1.10.1 (2018-06-07)
+
+
+#### Features
+
+* **saml-response**
+  * whitelist more response options	 ([575198d](/../../commit/575198d))
+
+
+<a name="v1.10.0"></a>
+### v1.10.0 (2018-02-19)
+
+
+#### Bug Fixes
+
+* ambiguous path match in other phase	 ([1b465b9](/../../commit/1b465b9))
+* Update ruby-saml gem to 1.7 or later to fix CVE-2017-11430 ([6bc28ad](/../../commit/6bc28ad))
+
+
 <a name="v1.9.0"></a>
 ### v1.9.0 (2018-01-29)
 

data/README.md

@@ -2,14 +2,12 @@
 
 [![Gem Version](http://img.shields.io/gem/v/omniauth-saml.svg)][gem]
 [![Build Status](http://img.shields.io/travis/omniauth/omniauth-saml.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/omniauth/omniauth-saml.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth-saml.svg)][codeclimate]
+[![Maintainability](https://api.codeclimate.com/v1/badges/749e17b553ea944522c1/maintainability)][codeclimate]
 [![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth-saml.svg)][coveralls]
 
 [gem]: https://rubygems.org/gems/omniauth-saml
 [travis]: http://travis-ci.org/omniauth/omniauth-saml
-[gemnasium]: https://gemnasium.com/omniauth/omniauth-saml
-[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
+[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml/maintainability
 [coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
 
 A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
@@ -19,11 +17,11 @@ https://github.com/omniauth/omniauth-saml
 ## Requirements
 
 * [OmniAuth](http://www.omniauth.org/) 1.3+
-* Ruby 2.1.x+
+* Ruby 2.4.x+
 
 ## Versioning
 
-We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle.
+We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle. In addition to the guidelines of Semantic Versioning, we follow a further guideline that otherwise backwards-compatible dependency upgrades for security reasons should generally be cause for a MINOR version upgrade as opposed to a PATCH version upgrade. Backwards-incompatible dependency upgrades for security reasons should still result in a MAJOR version upgrade for this library.
 
 ## Usage
 
@@ -37,6 +35,10 @@ use OmniAuth::Strategies::SAML,
   :idp_sso_target_url                 => "idp_sso_target_url",
   :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
   :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+  :idp_cert_multi                     => {
+                                           :signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
+                                           :encryption => []
+                                         }
   :idp_cert_fingerprint               => "E7:91:B2:E1:...",
   :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
   :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -60,6 +62,10 @@ Rails.application.config.middleware.use OmniAuth::Builder do
     :idp_sso_target_url                 => "idp_sso_target_url",
     :idp_sso_target_url_runtime_params  => {:original_request_param => :mapped_idp_param},
     :idp_cert                           => "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----",
+    :idp_cert_multi                     => {
+                                             :signing => ["-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----", ...],
+                                             :encryption => []
+                                           }
     :idp_cert_fingerprint               => "E7:91:B2:E1:...",
     :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
     :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
@@ -107,16 +113,20 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
   `original_param_value`. Optional.
 
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
-  over the fingerprint option below. This option or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+  over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
   be present.
+  
+* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
+over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+be present.
 
 * `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
-  the relationship. This option or `:idp_cert` or `:idp_cert_fingerprint_validator` MUST be present.
+  the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
 
 * `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
   (the fingerprint), verify if it is valid and return it if successful. This option
-  or `:idp_cert` or `:idp_cert_fingerprint` MUST be present.
+  or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
 
 * `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
   the username required by this application. If you need the email address, use
@@ -194,7 +204,7 @@ advertised in metadata by setting the `single_logout_service_url` config option)
 When using Devise as an authentication solution, the SP initiated flow can be integrated
 in the `SessionsController#destroy` action.
 
-For this to work it is important to preserve the `saml_uid` value before Devise
+For this to work it is important to preserve the `saml_uid` and `saml_session_index` value before Devise
 clears the session and redirect to the `/spslo` sub-path to initiate the single logout.
 
 Example `destroy` action in `sessions_controller.rb`:
@@ -204,17 +214,19 @@ class SessionsController < Devise::SessionsController
   # ...
 
   def destroy
-    # Preserve the saml_uid in the session
-    saml_uid = session["saml_uid"]
+    # Preserve the saml_uid and saml_session_index in the session
+    saml_uid = session['saml_uid']
+    saml_session_index = session['saml_session_index']
     super do
-      session["saml_uid"] = saml_uid
+      session['saml_uid'] = saml_uid
+      session['saml_session_index'] = saml_session_index
     end
   end
 
   # ...
 
   def after_sign_out_path_for(_)
-    if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
+    if session['saml_uid'] && session['saml_session_index'] && SAML_SETTINGS.idp_slo_target_url
       user_saml_omniauth_authorize_path + "/spslo"
     else
       super

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '1.9.0'
+    VERSION = '2.0.0'
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -10,7 +10,7 @@ module OmniAuth
         OmniAuth::Strategy.included(subclass)
       end
 
-      OTHER_REQUEST_OPTIONS = [:skip_conditions, :allowed_clock_drift, :matches_request_id, :skip_subject_confirmation].freeze
+      RUBYSAML_RESPONSE_OPTIONS = OneLogin::RubySaml::Response::AVAILABLE_OPTIONS
 
       option :name_identifier_format, nil
       option :idp_sso_target_url_runtime_params, {}
@@ -69,7 +69,7 @@ module OmniAuth
       end
 
       def other_phase
-        if current_path.start_with?(request_path)
+        if request_path_pattern.match(current_path)
           @env['omniauth.strategy'] ||= self
           setup_phase
 
@@ -120,6 +120,10 @@ module OmniAuth
 
       private
 
+      def request_path_pattern
+        @request_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/|\z)}
+      end
+
       def on_subpath?(subpath)
         on_path?("#{request_path}/#{subpath}")
       end
@@ -173,7 +177,7 @@ module OmniAuth
       end
 
       def handle_logout_request(raw_request, settings)
-        logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request)
+        logout_request = OneLogin::RubySaml::SloLogoutrequest.new(raw_request, {}.merge(settings: settings).merge(get_params: @request.params))
 
         if logout_request.is_valid? &&
           logout_request.name_id == session["saml_uid"]
@@ -227,7 +231,7 @@ module OmniAuth
 
       def options_for_response_object
         # filter options to select only extra parameters
-        opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
+        opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
 
         # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
         opts.inject({}) do |new_hash, (key, value)|

data/spec/omniauth/strategies/saml_spec.rb

@@ -6,7 +6,7 @@ RSpec::Matchers.define :fail_with do |message|
   end
 end
 
-def post_xml(xml=:example_response, opts = {})
+def post_xml(xml = :example_response, opts = {})
   post "/auth/saml/callback", opts.merge({'SAMLResponse' => load_xml(xml)})
 end
 
@@ -34,10 +34,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   end
   let(:strategy) { [OmniAuth::Strategies::SAML, saml_options] }
 
-  describe 'GET /auth/saml' do
+  describe 'POST /auth/saml' do
     context 'without idp runtime params present' do
       before do
-        get '/auth/saml'
+        post '/auth/saml'
       end
 
       it 'should get authentication page' do
@@ -51,7 +51,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
     context 'with idp runtime params' do
       before do
-        get '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
+        post '/auth/saml', 'original_param_key' => 'original_param_value', 'mapped_param_key' => 'mapped_param_value'
       end
 
       it 'should get authentication page' do
@@ -71,7 +71,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
       it 'should send the current callback_url as the assertion_consumer_service_url' do
         %w(foo.example.com bar.example.com).each do |host|
-          get "https://#{host}/auth/saml"
+          post "https://#{host}/auth/saml"
 
           expect(last_response).to be_redirect
 
@@ -89,7 +89,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
 
     context 'when authn request signing is requested' do
-      subject { get '/auth/saml' }
+      subject { post '/auth/saml' }
 
       let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
 
@@ -402,10 +402,10 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     end
   end
 
-  describe 'GET /auth/saml/metadata' do
+  describe 'POST /auth/saml/metadata' do
     before do
       saml_options[:issuer] = 'http://example.com/SAML'
-      get '/auth/saml/metadata'
+      post '/auth/saml/metadata'
     end
 
     it 'should get SP metadata page' do
@@ -424,17 +424,26 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   end
 
   context 'when hitting an unknown route in our sub path' do
-    before { get '/auth/saml/unknown' }
+    before { post '/auth/saml/unknown' }
 
     specify { expect(last_response.status).to eql 404 }
   end
 
   context 'when hitting a completely unknown route' do
-    before { get '/unknown' }
+    before { post '/unknown' }
 
     specify { expect(last_response.status).to eql 404 }
   end
 
+  context 'when hitting a route that contains a substring match for the strategy name' do
+    before { post '/auth/saml2/metadata' }
+
+    it 'should not set the strategy' do
+      expect(last_request.env['omniauth.strategy']).to be_nil
+      expect(last_response.status).to eql 404
+    end
+  end
+
   describe 'subclass behavior' do
     it 'registers subclasses in OmniAuth.strategies' do
       subclass = Class.new(described_class)

data/spec/spec_helper.rb

@@ -16,6 +16,7 @@ require 'base64'
 TEST_LOGGER = Logger.new(StringIO.new)
 OneLogin::RubySaml::Logging.logger = TEST_LOGGER
 OmniAuth.config.logger = TEST_LOGGER
+OmniAuth.config.request_validation_phase = proc {}
 
 RSpec.configure do |config|
   config.include Rack::Test::Methods

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Raecoo Cao
@@ -11,10 +11,10 @@ authors:
 - Nikos Dimitrakopoulos
 - Rudolf Vriend
 - Bruno Pedro
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-31 00:00:00.000000000 Z
+date: 2021-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -22,60 +22,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.3.2
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.3.2
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.4.3
+        version: '1.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.4.3
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '12'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '10'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '12'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -138,6 +120,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.23
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.8.23
 description: A generic SAML strategy for OmniAuth.
 email: rajiv@alum.mit.edu
 executables: []
@@ -157,7 +153,7 @@ homepage: https://github.com/omniauth/omniauth-saml
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -165,16 +161,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: A generic SAML strategy for OmniAuth.
 test_files: