omniauth-saml 1.4.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 21488df3d77064be5813e2001f5e987836392abb
-  data.tar.gz: 929dda9646db2b98d5119a4cef16ae4306daa127
+  metadata.gz: 5157e12042f1980c72b6fa603d6cee7d818cf153
+  data.tar.gz: 44f05863e67b9b0463ddc195348174c4869b684c
 SHA512:
-  metadata.gz: f9498bec650bc5b4c591c608841b328237d9d3d43f592768d7cae10908d19cf9fe25b37b2164ce82f47aefefc2282333365e3ef60369349f791d6ab9c40e1fe7
-  data.tar.gz: 92cfd7736a4bcd419b27b8ad1d23dbc68f16e53726b59e5df02a18165b6b726661576363627974d2e2acd5f761ab95bf26842998b47d08977d75548b42888117
+  metadata.gz: fa3e6fd1d482e5787351d91e65201edfebc63999204f6ba32484a332947661d09d793bb045a5ca24426f7406d7dab706e71fd2d6a1468147eb1c72a9e33b952c
+  data.tar.gz: 6640bee32d302612b03db9b5fe37816026f78c1e7666cb8c0a95525cee0a1728df46335fd15e5932119ccb710401d8cbcd4442837bbb24c585c98edea126aa99

data/CHANGELOG.md

@@ -2,9 +2,36 @@
 
 A generic SAML strategy for OmniAuth.
 
-https://github.com/PracticallyGreen/omniauth-saml
+https://github.com/omniauth/omniauth-saml
 
-## 1.3.0 (2014-14-10)
+## 1.5.0 (2016-02-25)
+
+* Initialize OneLogin::RubySaml::Response instance with settings
+* Adding "settings" to Response Class at initialization to handle signing verification
+* Support custom attributes
+* change URL from PracticallyGreen to omniauth
+* Add specs for ACS fallback URL behavior
+* Call validation earlier to get real error instead of 'response missing name_id'
+* Avoid mutation of the options hash during requests and callbacks
+
+## 1.4.2 (2016-02-09)
+
+* update ruby-saml to 1.1
+
+## 1.4.1 (2015-08-09)
+
+* Configurable attribute_consuming_service
+
+## 1.4.0 (2015-07-23)
+
+* update ruby-saml to 1.0.0
+
+## 1.3.1 (2015-02-26)
+
+* Added missing fingerprint key check
+* Expose fingerprint on the auth_hash
+
+## 1.3.0 (2015-01-23)
 
 * add `idp_cert_fingerprint_validator` option
 

data/LICENSE.md

@@ -0,0 +1,25 @@
+# License
+
+Copyright © 2016 Omniauth-SAML maintainers
+
+Copyright © 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/).
+
+All rights reserved. Released under the MIT license.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,13 +1,25 @@
 # OmniAuth SAML
 
-A generic SAML strategy for OmniAuth.
+[![Gem Version](http://img.shields.io/gem/v/omniauth-saml.svg)][gem]
+[![Build Status](http://img.shields.io/travis/omniauth/omniauth-saml.svg)][travis]
+[![Dependency Status](http://img.shields.io/gemnasium/omniauth/omniauth-saml.svg)][gemnasium]
+[![Code Climate](http://img.shields.io/codeclimate/github/omniauth/omniauth-saml.svg)][codeclimate]
+[![Coverage Status](http://img.shields.io/coveralls/omniauth/omniauth-saml.svg)][coveralls]
 
-https://github.com/PracticallyGreen/omniauth-saml
+[gem]: https://rubygems.org/gems/omniauth-saml
+[travis]: http://travis-ci.org/omniauth/omniauth-saml
+[gemnasium]: https://gemnasium.com/omniauth/omniauth-saml
+[codeclimate]: https://codeclimate.com/github/omniauth/omniauth-saml
+[coveralls]: https://coveralls.io/r/omniauth/omniauth-saml
+
+A generic SAML strategy for OmniAuth available under the [MIT License](LICENSE.md)
+
+https://github.com/omniauth/omniauth-saml
 
 ## Requirements
 
-* [OmniAuth](http://www.omniauth.org/) 1.2+
-* Ruby 1.9.x or Ruby 2.1.x
+* [OmniAuth](http://www.omniauth.org/) 1.3+
+* Ruby 1.9.x or Ruby 2.1.x+
 
 ## Usage
 
@@ -100,6 +112,15 @@ The service provider metadata used to ease configuration of the SAML SP in the I
 
 * `:attribute_service_name` - Name for the attribute service. Defaults to `Required attributes`.
 
+* `:attribute_statements` - Used to map Attribute Names in a SAMLResponse to
+  entries in the OmniAuth [info hash](https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later).
+  For example, if your SAMLResponse contains an Attribute called 'EmailAddress',
+  specify `{:email => ['EmailAddress']}` to map the Attribute to the
+  corresponding key in the info hash.  URI-named Attributes are also supported, e.g.
+  `{:email => ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress']}`.
+  *Note*: All attributes can also be found in an array under `auth_hash[:extra][:raw_info]`,
+  so this setting should only be used to map attributes that are part of the OmniAuth info hash schema.
+
 * See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
 
 ## Devise Integration
@@ -121,26 +142,3 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
 ## Authors
 
 Authored by [Rajiv Aaron Manglani](http://www.rajivmanglani.com/), Raecoo Cao, Todd W Saxton, Ryan Wilcox, Steven Anderson, Nikos Dimitrakopoulos, Rudolf Vriend and [Bruno Pedro](http://brunopedro.com/).
-
-## License
-
-Copyright (c) 2011-2014 [Practically Green, Inc.](http://www.practicallygreen.com/).
-All rights reserved. Released under the MIT license.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/lib/omniauth-saml/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module SAML
-    VERSION = '1.4.2'
+    VERSION = '1.5.0'
   end
 end

data/lib/omniauth/strategies/saml.rb

@@ -6,15 +6,23 @@ module OmniAuth
     class SAML
       include OmniAuth::Strategy
 
+      OTHER_REQUEST_OPTIONS = [:skip_conditions, :allowed_clock_drift, :matches_request_id, :skip_subject_confirmation].freeze
+
       option :name_identifier_format, nil
       option :idp_sso_target_url_runtime_params, {}
       option :request_attributes, [
-        { name: 'email', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Email address' },
-        { name: 'name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Full name' },
-        { name: 'first_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Given name' },
-        { name: 'last_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Family name' }
+        { :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
+        { :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
+        { :name => 'first_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Given name' },
+        { :name => 'last_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Family name' }
       ]
       option :attribute_service_name, 'Required attributes'
+      option :attribute_statements, {
+        name: ["name"],
+        email: ["email", "mail"],
+        first_name: ["first_name", "firstname", "firstName"],
+        last_name: ["last_name", "lastname", "lastName"]
+      }
 
       def request_phase
         options[:assertion_consumer_service_url] ||= callback_url
@@ -46,10 +54,22 @@ module OmniAuth
           options.idp_cert_fingerprint = fingerprint_exists
         end
 
-        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], options)
-        response.settings = OneLogin::RubySaml::Settings.new(options)
+        settings = OneLogin::RubySaml::Settings.new(options)
+        # filter options to select only extra parameters
+        opts = options.select {|k,_| OTHER_REQUEST_OPTIONS.include?(k.to_sym)}
+        # symbolize keys without activeSupport/symbolize_keys (ruby-saml use symbols)
+        opts =
+          opts.inject({}) do |new_hash, (key, value)|
+            new_hash[key.to_sym] = value
+            new_hash
+          end
+        response = OneLogin::RubySaml::Response.new(request.params['SAMLResponse'], opts.merge(settings: settings))
         response.attributes['fingerprint'] = options.idp_cert_fingerprint
 
+        # will raise an error since we are not in soft mode
+        response.soft = false
+        response.is_valid?
+
         @name_id = response.name_id
         @attributes = response.attributes
 
@@ -57,10 +77,6 @@ module OmniAuth
           raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing 'name_id'")
         end
 
-        # will raise an error since we are not in soft mode
-        response.soft = false
-        response.is_valid?
-
         super
       rescue OmniAuth::Strategies::SAML::ValidationError
         fail!(:invalid_ticket, $!)
@@ -103,15 +119,23 @@ module OmniAuth
       uid { @name_id }
 
       info do
-        {
-          :name  => @attributes[:name],
-          :email => @attributes[:email] || @attributes[:mail],
-          :first_name => @attributes[:first_name] || @attributes[:firstname] || @attributes[:firstName],
-          :last_name => @attributes[:last_name] || @attributes[:lastname] || @attributes[:lastName]
-        }
+        found_attributes = options.attribute_statements.map do |key, values|
+          attribute = find_attribute_by(values)
+          [key, attribute]
+        end
+
+        Hash[found_attributes]
       end
 
       extra { { :raw_info => @attributes } }
+
+      def find_attribute_by(keys)
+        keys.each do |key|
+          return @attributes[key] if @attributes[key]
+        end
+
+        nil
+      end
     end
   end
 end

data/spec/omniauth/strategies/saml_spec.rb

@@ -16,16 +16,16 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
   let(:auth_hash){ last_request.env['omniauth.auth'] }
   let(:saml_options) do
     {
-      :assertion_consumer_service_url     => "http://localhost:3000/auth/saml/callback",
-      :idp_sso_target_url                 => "https://idp.sso.target_url/signon/29490",
+      :assertion_consumer_service_url     => "http://localhost:9080/auth/saml/callback",
+      :idp_sso_target_url                 => "https://idp.sso.example.com/signon/29490",
       :idp_cert_fingerprint               => "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB",
       :idp_sso_target_url_runtime_params  => {:original_param_key => :mapped_param_key},
       :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
       :request_attributes                 => [
-        { name: 'email', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Email address' },
-        { name: 'name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Full name' },
-        { name: 'first_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Given name' },
-        { name: 'last_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Family name' }
+        { :name => 'email', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Email address' },
+        { :name => 'name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Full name' },
+        { :name => 'first_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Given name' },
+        { :name => 'last_name', :name_format => 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', :friendly_name => 'Family name' }
       ],
       :attribute_service_name             => 'Required attributes'
     }
@@ -40,7 +40,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
       it 'should get authentication page' do
         last_response.should be_redirect
-        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
         last_response.location.should match /\?SAMLRequest=/
         last_response.location.should_not match /mapped_param_key/
         last_response.location.should_not match /original_param_key/
@@ -54,12 +54,37 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
       it 'should get authentication page' do
         last_response.should be_redirect
-        last_response.location.should match /https:\/\/idp.sso.target_url\/signon\/29490/
+        last_response.location.should match /https:\/\/idp.sso.example.com\/signon\/29490/
         last_response.location.should match /\?SAMLRequest=/
         last_response.location.should match /\&mapped_param_key=original_param_value/
         last_response.location.should_not match /original_param_key/
       end
     end
+
+    context "when the assertion_consumer_service_url is the default" do
+      before :each do
+        saml_options[:compress_request] = false
+        saml_options.delete(:assertion_consumer_service_url)
+      end
+
+      it 'should send the current callback_url as the assertion_consumer_service_url' do
+        %w(foo.example.com bar.example.com).each do |host|
+          get "https://#{host}/auth/saml"
+
+          last_response.should be_redirect
+
+          location = URI.parse(last_response.location)
+          query = Rack::Utils.parse_query location.query
+          query.should have_key('SAMLRequest')
+
+          request = REXML::Document.new(Base64.decode64(query['SAMLRequest']))
+          request.root.should_not be_nil
+
+          acs = request.root.attributes.get_attribute('AssertionConsumerServiceURL')
+          acs.to_s.should == "https://#{host}/auth/saml/callback"
+        end
+      end
+    end
   end
 
   describe 'POST /auth/saml/callback' do
@@ -68,7 +93,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
     let(:xml) { :example_response }
 
     before :each do
-      Time.stub(:now).and_return(Time.new(2012, 11, 8, 20, 40, 00, 0))
+      Time.stub(:now).and_return(Time.utc(2012, 11, 8, 20, 40, 00))
     end
 
     context "when the response is valid" do
@@ -153,6 +178,27 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
 
       it { should fail_with(:invalid_ticket) }
     end
+
+    context "when response has custom attributes" do
+      before :each do
+        saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
+        saml_options[:attribute_statements] = {
+          email: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
+          first_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"],
+          last_name: ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
+        }
+        post_xml :custom_attributes
+      end
+
+      it "should obey attribute statements mapping" do
+        auth_hash[:info].should == {
+          'first_name'   => 'Rajiv',
+          'last_name'    => 'Manglani',
+          'email'        => 'user@example.com',
+          'name'         => nil
+        }
+      end
+    end
   end
 
   describe 'GET /auth/saml/metadata' do

data/spec/spec_helper.rb

@@ -1,5 +1,13 @@
-require 'simplecov'
-SimpleCov.start
+if RUBY_VERSION >= '1.9'
+  require 'simplecov'
+
+  if ENV['TRAVIS']
+    require 'coveralls'
+    Coveralls.wear!
+  end
+
+  SimpleCov.start
+end
 
 require 'omniauth-saml'
 require 'rack/test'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-saml
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.5.0
 platform: ruby
 authors:
 - Raecoo Cao
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-03 00:00:00.000000000 Z
+date: 2016-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -22,14 +22,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: ruby-saml
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +99,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
+- LICENSE.md
 - README.md
 - lib/omniauth-saml.rb
 - lib/omniauth-saml/version.rb
@@ -106,7 +107,7 @@ files:
 - lib/omniauth/strategies/saml/validation_error.rb
 - spec/omniauth/strategies/saml_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/PracticallyGreen/omniauth-saml
+homepage: https://github.com/omniauth/omniauth-saml
 licenses:
 - MIT
 metadata: {}
@@ -126,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: A generic SAML strategy for OmniAuth.