omniauth-saml 2.2.3 → 2.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -1
- data/README.md +3 -9
- data/lib/omniauth/strategies/saml.rb +0 -14
- data/lib/omniauth-saml/version.rb +1 -1
- data/spec/omniauth/strategies/saml_spec.rb +0 -35
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0ee62f105d63c2d5778122c04beb5c36a4fa8c8768beaa46d822d24ef40659ad
|
|
4
|
+
data.tar.gz: b9e3d10fa4c3bdae5ba7144e0ba8cd8e3ad98a7a16e022458cacbe2e267dd7f4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 33702588126fa0a198d286e58a4c4d7e55830582d9ed7188db51f8e428718e79c9399af1fa7d5271f804560afa45b8118182b49f6a66252200b2435c86c9e926
|
|
7
|
+
data.tar.gz: b550692fca027b90ef1f29a89a97eac2b22dfbdce6591c7b5b5cbda731b4ec807bbdfd63ef7b5397f64319b6cbea8076aa39220eb3fb7bc7491ab29668e95b59
|
data/CHANGELOG.md
CHANGED
|
@@ -1,10 +1,19 @@
|
|
|
1
|
+
<a name="v2.2.4"></a>
|
|
2
|
+
### v2.2.4 (2025-05-14)
|
|
3
|
+
|
|
4
|
+
|
|
5
|
+
#### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* remove :idp_cert_fingerprint_validator ([c573690](/../../commit/c573690))
|
|
8
|
+
* Fix GHSA-cgp2-2cmh-pf7x
|
|
9
|
+
|
|
1
10
|
<a name="v2.2.3"></a>
|
|
2
11
|
### v2.2.3 (2025-03-12)
|
|
3
12
|
|
|
4
13
|
|
|
5
14
|
#### Features
|
|
6
15
|
|
|
7
|
-
* new release 2.2.3 ([
|
|
16
|
+
* new release 2.2.3 ([34eb354](/../../commit/34eb354))
|
|
8
17
|
|
|
9
18
|
|
|
10
19
|
#### Bug Fixes
|
data/README.md
CHANGED
|
@@ -39,7 +39,6 @@ use OmniAuth::Strategies::SAML,
|
|
|
39
39
|
:encryption => []
|
|
40
40
|
},
|
|
41
41
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
42
|
-
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
43
42
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
44
43
|
```
|
|
45
44
|
|
|
@@ -66,7 +65,6 @@ Rails.application.config.middleware.use OmniAuth::Builder do
|
|
|
66
65
|
:encryption => []
|
|
67
66
|
},
|
|
68
67
|
:idp_cert_fingerprint => "E7:91:B2:E1:...",
|
|
69
|
-
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },
|
|
70
68
|
:name_identifier_format => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
|
|
71
69
|
end
|
|
72
70
|
```
|
|
@@ -112,20 +110,16 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
|
|
|
112
110
|
`original_param_value`. Optional.
|
|
113
111
|
|
|
114
112
|
* `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
|
|
115
|
-
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint`
|
|
113
|
+
over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` must
|
|
116
114
|
be present.
|
|
117
115
|
|
|
118
116
|
* `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
|
|
119
|
-
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint`
|
|
117
|
+
over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` must
|
|
120
118
|
be present.
|
|
121
119
|
|
|
122
120
|
* `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
|
|
123
121
|
"90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
|
|
124
|
-
the relationship. This option or `:idp_cert` or `:idp_cert_multi`
|
|
125
|
-
|
|
126
|
-
* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
|
|
127
|
-
(the fingerprint), verify if it is valid and return it if successful. This option
|
|
128
|
-
or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
|
|
122
|
+
the relationship. This option or `:idp_cert` or `:idp_cert_multi` MUST be present.
|
|
129
123
|
|
|
130
124
|
* `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
|
|
131
125
|
the username required by this application. If you need the email address, use
|
|
@@ -43,9 +43,6 @@ module OmniAuth
|
|
|
43
43
|
raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]
|
|
44
44
|
|
|
45
45
|
with_settings do |settings|
|
|
46
|
-
# Call a fingerprint validation method if there's one
|
|
47
|
-
validate_fingerprint(settings) if options.idp_cert_fingerprint_validator
|
|
48
|
-
|
|
49
46
|
handle_response(request.params["SAMLResponse"], options_for_response_object, settings) do
|
|
50
47
|
super
|
|
51
48
|
end
|
|
@@ -218,17 +215,6 @@ module OmniAuth
|
|
|
218
215
|
yield OneLogin::RubySaml::Settings.new(options)
|
|
219
216
|
end
|
|
220
217
|
|
|
221
|
-
def validate_fingerprint(settings)
|
|
222
|
-
fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
|
|
223
|
-
|
|
224
|
-
unless fingerprint_exists
|
|
225
|
-
raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
|
|
226
|
-
end
|
|
227
|
-
|
|
228
|
-
# id_cert_fingerprint becomes the given fingerprint if it exists
|
|
229
|
-
settings.idp_cert_fingerprint = fingerprint_exists
|
|
230
|
-
end
|
|
231
|
-
|
|
232
218
|
def options_for_response_object
|
|
233
219
|
# filter options to select only extra parameters
|
|
234
220
|
opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}
|
|
@@ -150,41 +150,6 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
|
|
|
150
150
|
end
|
|
151
151
|
end
|
|
152
152
|
|
|
153
|
-
context "when fingerprint is empty and there's a fingerprint validator" do
|
|
154
|
-
before :each do
|
|
155
|
-
saml_options.delete(:idp_cert_fingerprint)
|
|
156
|
-
saml_options[:idp_cert_fingerprint_validator] = fingerprint_validator
|
|
157
|
-
end
|
|
158
|
-
|
|
159
|
-
let(:fingerprint_validator) { lambda { |_| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" } }
|
|
160
|
-
|
|
161
|
-
context "when the fingerprint validator returns a truthy value" do
|
|
162
|
-
before { post_xml }
|
|
163
|
-
|
|
164
|
-
it "should set the uid to the nameID in the SAML response" do
|
|
165
|
-
expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
|
|
166
|
-
end
|
|
167
|
-
|
|
168
|
-
it "should set the raw info to all attributes" do
|
|
169
|
-
expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
|
|
170
|
-
'first_name' => ['Rajiv'],
|
|
171
|
-
'last_name' => ['Manglani'],
|
|
172
|
-
'email' => ['user@example.com'],
|
|
173
|
-
'company_name' => ['Example Company'],
|
|
174
|
-
'fingerprint' => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
|
|
175
|
-
)
|
|
176
|
-
end
|
|
177
|
-
end
|
|
178
|
-
|
|
179
|
-
context "when the fingerprint validator returns false" do
|
|
180
|
-
let(:fingerprint_validator) { lambda { |_| false } }
|
|
181
|
-
|
|
182
|
-
before { post_xml }
|
|
183
|
-
|
|
184
|
-
it { is_expected.to fail_with(:invalid_ticket) }
|
|
185
|
-
end
|
|
186
|
-
end
|
|
187
|
-
|
|
188
153
|
context "when the assertion_consumer_service_url is the default" do
|
|
189
154
|
before :each do
|
|
190
155
|
saml_options.delete(:assertion_consumer_service_url)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: omniauth-saml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Raecoo Cao
|
|
@@ -14,7 +14,7 @@ authors:
|
|
|
14
14
|
autorequire:
|
|
15
15
|
bindir: bin
|
|
16
16
|
cert_chain: []
|
|
17
|
-
date: 2025-
|
|
17
|
+
date: 2025-05-27 00:00:00.000000000 Z
|
|
18
18
|
dependencies:
|
|
19
19
|
- !ruby/object:Gem::Dependency
|
|
20
20
|
name: omniauth
|