New upstream version 1.10.0

parent 4ded1815
......@@ -16,12 +16,11 @@ script:
- bundle exec rspec
rvm:
- 1.9.3
- jruby-19mode
- 2.0.0
- 2.1.10
- 2.2.2
- 2.3.1
- 2.2.9
- 2.3.6
- 2.4.3
- 2.5.0
- jruby-9.0.5.0
- ruby-head
......@@ -36,14 +35,5 @@ matrix:
fast_finish: true
exclude:
- rvm: 1.9.3
gemfile: gemfiles/rack_2.gemfile
- rvm: jruby-19mode
gemfile: gemfiles/rack_2.gemfile
- rvm: 2.0.0
gemfile: gemfiles/rack_2.gemfile
- rvm: 2.1.10
gemfile: gemfiles/rack_2.gemfile
appraise 'rack-1' do
gem 'rack', '~> 1.x'
gem 'rack-test', '~> 0.7.0'
gem 'term-ansicolor', '1.3.2'
end
......
<a name="v1.7.0"></a>
### v1.7.0 (2016-09-18)
<a name="v1.10.0"></a>
### v1.10.0 (2018-02-19)
#### Bug Fixes
* ambiguous path match in other phase ([1b465b9](/../../commit/1b465b9))
* Update ruby-saml gem to 1.7 or later to fix CVE-2017-11430 ([6bc28ad](/../../commit/6bc28ad))
<a name="v1.9.0"></a>
### v1.9.0 (2018-01-29)
#### Bug Fixes
* Update omniauth gem to 1.3.2 or later 1.3.x ([b6bb425](/../../commit/b6bb425))
<a name="v1.8.1"></a>
### v1.8.1 (2017-06-22)
#### Bug Fixes
* default assertion_consumer_service_url not set during callback ([4a2a5ef](/../../commit/4a2a5ef))
<a name="v1.8.0"></a>
### v1.8.0 (2017-06-07)
#### Features
* include SessionIndex in logout requests ([fb6ad86](/../../commit/fb6ad86))
* Support for configurable IdP SLO session destruction ([586bf89](/../../commit/586bf89))
* Add `uid_attribute` option to control the attribute used for the user id. ([eacc536](/../../commit/eacc536))
<a name="v1.7.0"></a>
### v1.7.0 (2016-10-19)
#### Features
* Support for Single Logout ([cd3fc43](/../../commit/cd3fc43))
......@@ -12,7 +50,6 @@
* Update `ruby-saml` to 1.4.0 to address security fixes. ([638212](/../../commit/638212))
<a name="v1.6.0"></a>
### v1.6.0 (2016-06-27)
* Ensure that subclasses of `OmniAuth::Stategies::SAML` are registered with OmniAuth as strategies (https://github.com/omniauth/omniauth-saml/pull/95)
......
......@@ -19,11 +19,11 @@ https://github.com/omniauth/omniauth-saml
## Requirements
* [OmniAuth](http://www.omniauth.org/) 1.3+
* Ruby 1.9.x or Ruby 2.1.x+
* Ruby 2.1.x+
## Versioning
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle.
We tag and release gems according to the [Semantic Versioning](http://semver.org/) principle. In addition to the guidelines of Semantic Versioning, we follow a further guideline that otherwise backwards-compatible dependency upgrades for security reasons should generally be cause for a MINOR version upgrade as opposed to a PATCH version upgrade. Backwards-incompatible dependency upgrades for security reasons should still result in a MAJOR version upgrade for this library.
## Usage
......@@ -70,10 +70,12 @@ For IdP-initiated SSO, users should directly access the IdP SSO target URL. Set
A `OneLogin::RubySaml::Response` object is added to the `env['omniauth.auth']` extra attribute, so we can use it in the controller via `env['omniauth.auth'].extra.response_object`
## Metadata
## SP Metadata
The service provider metadata used to ease configuration of the SAML SP in the IdP can be retrieved from `http://example.com/auth/saml/metadata`. Send this URL to the administrator of the IdP.
Note that when [integrating with Devise](#devise-integration), the URL path will be scoped according to the name of the Devise resource. For example, if the app's user model calls `devise_for :users`, the metadata URL will be `http://example.com/users/auth/saml/metadata`.
## Options
* `:assertion_consumer_service_url` - The URL at which the SAML assertion should be
......@@ -89,6 +91,10 @@ The service provider metadata used to ease configuration of the SAML SP in the I
* `:idp_slo_target_url` - The URL to which the single logout request and response should
be sent. This would be on the identity provider. Optional.
* `:idp_slo_session_destroy` - A proc that accepts up to two parameters (the rack environment, and the session),
and performs whatever tasks are necessary to log out the current user from your application.
See the example listed under "Single Logout." Defaults to calling `#clear` on the session. Optional.
* `:slo_default_relay_state` - The value to use as default `RelayState` for single log outs. The
value can be a string, or a `Proc` (or other object responding to `call`). The `request`
instance will be passed to this callable if it has an arity of 1. If the value is a string,
......@@ -135,8 +141,31 @@ The service provider metadata used to ease configuration of the SAML SP in the I
*Note*: All attributes can also be found in an array under `auth_hash[:extra][:raw_info]`,
so this setting should only be used to map attributes that are part of the OmniAuth info hash schema.
* `:uid_attribute` - Attribute that uniquely identifies the user. If unset, the name identifier returned by the IdP is used.
* See the `OneLogin::RubySaml::Settings` class in the [Ruby SAML gem](https://github.com/onelogin/ruby-saml) for additional supported options.
## IdP Metadata
You can use the `OneLogin::RubySaml::IdpMetadataParser` to configure some options:
```ruby
require 'omniauth'
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
idp_metadata = idp_metadata_parser.parse_remote_to_hash("http://idp.example.com/saml/metadata")
# or, if you have the metadata in a String:
# idp_metadata = idp_metadata_parser.parse_to_hash(idp_metadata_xml)
use OmniAuth::Strategies::SAML,
idp_metadata.merge(
:assertion_consumer_service_url => "consumer_service_url",
:issuer => "issuer"
)
```
See the [Ruby SAML gem's README](https://github.com/onelogin/ruby-saml#metadata-based-configuration) for more details.
## Devise Integration
Straightforward integration with [Devise](https://github.com/plataformatec/devise), the widely-used authentication solution for Rails.
......@@ -156,6 +185,12 @@ Then follow Devise's general [OmniAuth tutorial](https://github.com/plataformate
## Single Logout
Single Logout can be Service Provider initiated or Identity Provider initiated.
For SP initiated logout, the `idp_slo_target_url` option must be set to the logout url on the IdP,
and users directed to `user_saml_omniauth_authorize_path + '/spslo'` after logging out locally. For
IdP initiated logout, logout requests from the IdP should go to `/auth/saml/slo` (this can be
advertised in metadata by setting the `single_logout_service_url` config option).
When using Devise as an authentication solution, the SP initiated flow can be integrated
in the `SessionsController#destroy` action.
......@@ -173,12 +208,30 @@ class SessionsController < Devise::SessionsController
saml_uid = session["saml_uid"]
super do
session["saml_uid"] = saml_uid
if SAML_SETTINGS.idp_slo_target_url
spslo_url = user_omniauth_authorize_url(:saml) + "/spslo"
redirect_to(spslo_url)
end
end
end
# ...
def after_sign_out_path_for(_)
if session['saml_uid'] && SAML_SETTINGS.idp_slo_target_url
user_saml_omniauth_authorize_path + "/spslo"
else
super
end
end
end
```
By default, omniauth-saml attempts to log the current user out of your application by clearing the session.
This may not be enough for some authentication solutions (e.g. [Clearance](https://github.com/thoughtbot/clearance/)).
Instead, you may set the `:idp_slo_session_destroy` option to a proc that performs the necessary logout tasks.
Example `:idp_slo_session_destroy` setting for Clearance compatibility:
```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
provider :saml, idp_slo_session_destroy: proc { |env, _session| env[:clearance].sign_out }, ...
end
```
......
......@@ -4,13 +4,14 @@ source "https://rubygems.org"
gem "appraisal"
gem "rack", "~> 1.x"
gem "rack-test", "~> 0.7.0"
gem "term-ansicolor", "1.3.2"
group :test do
gem "coveralls", "~> 0.8", ">= 0.8.13", :require => false
gem "coveralls", "~> 0.8", ">= 0.8.13", require: false
gem "json", "~> 1.8"
gem "tins", "~> 1.6.0"
gem "mime-types", "< 3"
end
gemspec :path => "../"
gemspec path: "../"
......@@ -6,10 +6,10 @@ gem "appraisal"
gem "rack", "~> 2.x"
group :test do
gem "coveralls", "~> 0.8", ">= 0.8.13", :require => false
gem "coveralls", "~> 0.8", ">= 0.8.13", require: false
gem "json", "~> 1.8"
gem "tins", "~> 1.6.0"
gem "mime-types", "< 3"
end
gemspec :path => "../"
gemspec path: "../"
module OmniAuth
module SAML
VERSION = '1.7.0'
VERSION = '1.10.0'
end
end
This diff is collapsed.
......@@ -11,8 +11,10 @@ Gem::Specification.new do |gem|
gem.email = 'rajiv@alum.mit.edu'
gem.homepage = 'https://github.com/omniauth/omniauth-saml'
gem.add_runtime_dependency 'omniauth', '~> 1.3'
gem.add_runtime_dependency 'ruby-saml', '~> 1.4'
gem.required_ruby_version = '>= 2.1'
gem.add_runtime_dependency 'omniauth', '~> 1.3', '>= 1.3.2'
gem.add_runtime_dependency 'ruby-saml', '~> 1.7'
gem.add_development_dependency 'rake', '>= 10', '< 12'
gem.add_development_dependency 'rspec', '~>3.4'
......
......@@ -87,6 +87,34 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
end
end
end
context 'when authn request signing is requested' do
subject { get '/auth/saml' }
let(:private_key) { OpenSSL::PKey::RSA.new 2048 }
before do
saml_options[:compress_request] = false
saml_options[:private_key] = private_key.to_pem
saml_options[:security] = {
authn_requests_signed: true,
signature_method: XMLSecurity::Document::RSA_SHA256
}
end
it 'should sign the request' do
is_expected.to be_redirect
location = URI.parse(last_response.location)
query = Rack::Utils.parse_query location.query
expect(query).to have_key('SAMLRequest')
expect(query).to have_key('Signature')
expect(query).to have_key('SigAlg')
expect(query['SigAlg']).to eq XMLSecurity::Document::RSA_SHA256
end
end
end
describe 'POST /auth/saml/callback' do
......@@ -125,31 +153,54 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
context "when fingerprint is empty and there's a fingerprint validator" do
before :each do
saml_options.delete(:idp_cert_fingerprint)
saml_options[:idp_cert_fingerprint_validator] = lambda { |fingerprint| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" }
post_xml
saml_options[:idp_cert_fingerprint_validator] = fingerprint_validator
end
it "should set the uid to the nameID in the SAML response" do
expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
let(:fingerprint_validator) { lambda { |_| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" } }
context "when the fingerprint validator returns a truthy value" do
before { post_xml }
it "should set the uid to the nameID in the SAML response" do
expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
end
it "should set the raw info to all attributes" do
expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
'first_name' => ['Rajiv'],
'last_name' => ['Manglani'],
'email' => ['user@example.com'],
'company_name' => ['Example Company'],
'fingerprint' => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
)
end
end
it "should set the raw info to all attributes" do
expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
'first_name' => ['Rajiv'],
'last_name' => ['Manglani'],
'email' => ['user@example.com'],
'company_name' => ['Example Company'],
'fingerprint' => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
)
context "when the fingerprint validator returns false" do
let(:fingerprint_validator) { lambda { |_| false } }
before { post_xml }
it { is_expected.to fail_with(:invalid_ticket) }
end
end
context "when the assertion_consumer_service_url is the default" do
before :each do
saml_options.delete(:assertion_consumer_service_url)
OmniAuth.config.full_host = 'http://localhost:9080'
post_xml
end
it { is_expected.not_to fail_with(:invalid_ticket) }
end
context "when there is no SAMLResponse parameter" do
before :each do
post '/auth/saml/callback'
end
it { should fail_with(:invalid_ticket) }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "when there is no name id in the XML" do
......@@ -158,7 +209,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
post_xml :no_name_id
end
it { should fail_with(:invalid_ticket) }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "when the fingerprint is invalid" do
......@@ -167,7 +218,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
post_xml
end
it { should fail_with(:invalid_ticket) }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "when the digest is invalid" do
......@@ -175,7 +226,7 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
post_xml :digest_mismatch
end
it { should fail_with(:invalid_ticket) }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "when the signature is invalid" do
......@@ -183,7 +234,28 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
post_xml :invalid_signature
end
it { should fail_with(:invalid_ticket) }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "when the response is stale" do
before :each do
allow(Time).to receive(:now).and_return(Time.utc(2012, 11, 8, 20, 45, 00))
end
context "without :allowed_clock_drift option" do
before { post_xml :example_response }
it { is_expected.to fail_with(:invalid_ticket) }
end
context "with :allowed_clock_drift option" do
before :each do
saml_options[:allowed_clock_drift] = 60
post_xml :example_response
end
it { is_expected.to_not fail_with(:invalid_ticket) }
end
end
context "when response has custom attributes" do
......@@ -207,6 +279,31 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
end
end
context "when using custom user id attribute" do
before :each do
saml_options[:idp_cert_fingerprint] = "3B:82:F1:F5:54:FC:A8:FF:12:B8:4B:B8:16:61:1D:E4:8E:9B:E2:3C"
saml_options[:uid_attribute] = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
post_xml :custom_attributes
end
it "should return user id attribute" do
expect(auth_hash[:uid]).to eq("user@example.com")
end
end
context "when using custom user id attribute, but it is missing" do
before :each do
saml_options[:uid_attribute] = "missing_attribute"
post_xml
end
it "should fail to authenticate" do
should fail_with(:invalid_ticket)
expect(last_request.env['omniauth.error']).to be_instance_of(OmniAuth::Strategies::SAML::ValidationError)
expect(last_request.env['omniauth.error'].message).to eq("SAML response missing 'missing_attribute' attribute")
end
end
context "when response is a logout response" do
before :each do
saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
......@@ -223,18 +320,49 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
end
context "when request is a logout request" do
subject { post "/auth/saml/slo", params, "rack.session" => { "saml_uid" => "username@example.com" } }
before :each do
saml_options[:issuer] = "https://idp.sso.example.com/metadata/29490"
post "/auth/saml/slo", {
end
let(:params) do
{
"SAMLRequest" => load_xml(:example_logout_request),
"RelayState" => "https://example.com/",
}, "rack.session" => {"saml_uid" => "username@example.com"}
}
end
it "should redirect to logout response" do
expect(last_response).to be_redirect
expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
context "when logout request is valid" do
before { subject }
it "should redirect to logout response" do
expect(last_response).to be_redirect
expect(last_response.location).to match /https:\/\/idp.sso.example.com\/signoff\/29490/
expect(last_response.location).to match /RelayState=https%3A%2F%2Fexample.com%2F/
end
end
context "when request is an invalid logout request" do
before :each do
allow_any_instance_of(OneLogin::RubySaml::SloLogoutrequest).to receive(:is_valid?).and_return(false)
end
# TODO: Maybe this should not raise an exception, but return some 4xx error instead?
it "should raise an exception" do
expect { subject }.
to raise_error(OmniAuth::Strategies::SAML::ValidationError, 'SAML failed to process LogoutRequest')
end
end
context "when request is a logout request but the request param is missing" do
let(:params) { {} }
# TODO: Maybe this should not raise an exception, but return a 422 error instead?
it 'should raise an exception' do
expect { subject }.
to raise_error(OmniAuth::Strategies::SAML::ValidationError, 'SAML logout response/request missing')
end
end
end
......@@ -295,6 +423,27 @@ describe OmniAuth::Strategies::SAML, :type => :strategy do
end
end
context 'when hitting an unknown route in our sub path' do
before { get '/auth/saml/unknown' }
specify { expect(last_response.status).to eql 404 }
end
context 'when hitting a completely unknown route' do
before { get '/unknown' }
specify { expect(last_response.status).to eql 404 }
end
context 'when hitting a route that contains a substring match for the strategy name' do
before { get '/auth/saml2/metadata' }
it 'should not set the strategy' do
expect(last_request.env['omniauth.strategy']).to be_nil
expect(last_response.status).to eql 404
end
end
describe 'subclass behavior' do
it 'registers subclasses in OmniAuth.strategies' do
subclass = Class.new(described_class)
......
if RUBY_VERSION >= '1.9'
require 'simplecov'
require 'simplecov'
if ENV['TRAVIS']
require 'coveralls'
Coveralls.wear!
end
SimpleCov.start
if ENV['TRAVIS']
require 'coveralls'
Coveralls.wear!
end
SimpleCov.start
require 'omniauth-saml'
require 'rack/test'
require 'rexml/document'
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment