From 24b51b192fb12a0d8d8eb02674731d31576aae23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Fri, 25 Jan 2019 16:43:51 +0100
Subject: [PATCH] Bump omniauth-saml in saml oauth
---
 Gemfile.lock | 15 ++--
 Gemfile.modules | 3 +-
 modules/auth_saml/README.md | 64 ++++++++++++++++++
 .../app/assets/images/auth_provider-saml.png | Bin 0 -> 17058 bytes
 .../auth_saml/lib/open_project/auth_saml.rb | 5 ++
 .../lib/open_project/auth_saml/engine.rb | 48 +++++++++++++
 .../lib/open_project/auth_saml/version.rb | 5 ++
 .../auth_saml/lib/openproject-auth_saml.rb | 1 +
 .../auth_saml/openproject-auth_saml.gemspec | 20 ++++++
 9 files changed, 156 insertions(+), 5 deletions(-)
 create mode 100644 modules/auth_saml/README.md
 create mode 100644 modules/auth_saml/app/assets/images/auth_provider-saml.png
 create mode 100644 modules/auth_saml/lib/open_project/auth_saml.rb
 create mode 100644 modules/auth_saml/lib/open_project/auth_saml/engine.rb
 create mode 100644 modules/auth_saml/lib/open_project/auth_saml/version.rb
 create mode 100644 modules/auth_saml/lib/openproject-auth_saml.rb
 create mode 100644 modules/auth_saml/openproject-auth_saml.gemspec
diff --git a/Gemfile.lock b/Gemfile.lock
index f2fae008e5..b5e911b63b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -89,6 +89,12 @@ PATH openproject-auth_plugins (8.2.1) omniauth (~> 1.0) +PATH + remote: modules/auth_saml + specs: + openproject-auth_saml (8.2.1) + omniauth-saml (~> 1.10.1) + PATH remote: modules/avatars specs:
@@ -543,9 +549,9 @@ GEM nokogiri (~> 1.8, >= 1.8.4) oj (3.7.8) okcomputer (1.17.3) - omniauth-saml (1.7.0) - omniauth (~> 1.3) - ruby-saml (~> 1.4) + omniauth-saml (1.10.1) + omniauth (~> 1.3, >= 1.3.2) + ruby-saml (~> 1.7) openid_connect (1.1.6) activemodel attr_required (>= 1.0.0)
@@ -914,8 +920,9 @@ DEPENDENCIES omniauth! omniauth-openid-connect! omniauth-openid_connect-providers! - omniauth-saml (~> 1.7.0) + omniauth-saml (~> 1.10.1) openproject-auth_plugins! + openproject-auth_saml! openproject-avatars! openproject-backlogs! openproject-costs!
diff --git a/Gemfile.modules b/Gemfile.modules
index b0f5cfba29..acc6074b2a 100644
--- a/Gemfile.modules
+++ b/Gemfile.modules
@@ -2,7 +2,7 @@ # Defines OpenProject (CE) modules and their dependencies # the dependencies from the gemspec from a git repo are ignored # see also https://github.com/bundler/bundler/issues/1041
-gem 'omniauth-saml', '~> 1.7.0'
+gem 'omniauth-saml', '~> 1.10.1'
 gem 'omniauth-openid_connect-providers', git: 'https://github.com/finnlabs/omniauth-openid_connect-providers.git',
@@ -15,6 +15,7 @@ gem 'omniauth-openid-connect',
 group :opf_plugins do
 gem 'openproject-global_roles', path: 'modules/global_roles'
 gem 'openproject-auth_plugins', path: 'modules/auth_plugins'
+ gem 'openproject-auth_saml', path: 'modules/auth_saml'
 gem 'openproject-openid_connect', path: 'modules/openid_connect'
 gem 'openproject-documents', path: 'modules/documents'
 gem 'openproject-my_project_page', path: 'modules/my_project_page'
diff --git a/modules/auth_saml/README.md b/modules/auth_saml/README.md
new file mode 100644
index 0000000000..ba0287df6e
--- /dev/null
+++ b/modules/auth_saml/README.md
@@ -0,0 +1,64 @@
+# OpenProject OmniAuth SAML Single-Sign On
+
+![](https://github.com/finnlabs/openproject-auth_saml/blob/dev/app/assets/images/auth_provider-saml.png)
+
+This plugin provides the [OmniAuth SAML strategy](https://github.com/omniauth/omniauth-saml) into OpenProject.
+
+## Installation
+
+Add the following entries to your `Gemfile.plugins` in your OpenProject root directory:
+
+ gem 'openproject-auth_plugins', git: 'https://github.com/finnlabs/openproject-auth_plugins', branch: 'stable'
+ gem "openproject-auth_saml", git: 'https://github.com/finnlabs/openproject-auth_saml', branch: 'stable'
+
+## Requirements
+
+* [omniauth-saml gem](https://github.com/omniauth/omniauth-saml) >= 1.4.0
+* [OpenProject](https://www.openproject.org) >= 5.0
+* [openproject-auth_plugins](https://github.com/opf/openproject-auth_plugins)
+
+## Configuration
+
+To add your own SAML strategy provider(s), create the following settings file (relative to your OpenProject root):
+
+ config/plugins/auth_saml/settings.yml
+
+with the following contents:
+
+ your-provider-name:
+ name: "your-provider-name"
+ display_name: "My SAML provider"
+ # Use the default SAML icon
+ icon: "auth_provider-saml.png"
+ # omniauth-saml config
+ assertion_consumer_service_url: "consumer_service_url"
+ issuer: "issuer"
+ idp_sso_target_url: "idp_sso_target_url"
+ idp_cert_fingerprint: "E7:91:B2:E1:..."
+ attribute_statements:
+ email: ['mailPrimaryAddress']
+ name: ['gecos']
+ first_name: ['givenName']
+ last_name: ['sn']
+ admin: ['openproject-isadmin']
+
+The plugin simply passes all options to omniauth-saml. See [their configuration
+documentation](https://github.com/omniauth/omniauth-saml#usage) for further
+details.
+
+### Custom Provider Icon
+
+To add a custom icon to be rendered as your omniauth provider icon, add an
+image asset to OpenProject and reference it in your `settings.yml`:
+
+ icon: "my/asset/path/to/icon.png"
+
+## Copyrights & License
+
+OpenProject SAML Auth is completely free and open source and released under the
+[MIT
+License](https://github.com/finnlabs/openproject-auth_saml/blob/dev/LICENSE).
+
+Copyright (c) 2016 OpenProject GmbH
+
+The default provider icon is a combination of icons from [Font Awesome by Dave Gandy](http://fontawesome.io).
diff --git a/modules/auth_saml/app/assets/images/auth_provider-saml.png b/modules/auth_saml/app/assets/images/auth_provider-saml.png new file mode 100644 index 0000000000000000000000000000000000000000..97158c63565ecc92e2e9f5d7d704762dc23ba40a GIT binary patch literal 17058 zcmeI4cU%+M7RLuHAi|%z-cSkxM_hPpA?AdROSa2K3gG0{~!>xhOD1 z6~gsr@nsSRNFa-V9TFsRq&EPtT@&OGKN?mMBH&1o)P<-$T}&j11TMs2I+x6qd%#g5 zpCknwki-k*Cq?s_0-`I&gq^@b1SGHuA|yz}QY9FL#x4zXN_Q7V<31%mPM@ec8h4l+d~NMSOWAejnMsU)NaNtq~BK?x+O(xzSH zvyLaMUWId7go+u5jOdt{_>S-`Z6iOhK%tE4RbbSrIo@fnZ^9Udn^i3-I zef4w%e3nqAkU%PqNCHK|pj;Zs2D=*ddUlo+%R?rXDUe~o97i_TQ*)0|fpCJ#A4-H3 zO1-5)7N~8zPKF}8w|;hrMQz(o4k?tduBcpypR1~KpLT9TT};<-+H&zA3Cz)^rs|Kg z%h5H?P7SnxZqz*rv^mfMY*2Sbh(+D!(%#yAiuwcUk&Ld=xLlU6RH=fbeAw5MgETmZ zL;@C_FLZPk3Ya7^tC&@wgZm^@pU%=4qtbUzydbdt+i`dU6s_{LG?IDD0DJNAtRrTP<=N#G!#2j-;ECKiVTv9R2*tY zHdM1-lQg@O#BlBvDK|6X34E(Gaa<@M*d~q(n-9v1<3a(!HgR0od{AB-7YYcr ziHXak>n&GUioDtykG#Wb-Yd}?dHj~vJyh}Y!J^V7_YYpp_dB+v!ul7#fIXLg3b&{e_upzg$hdO! zIpNC5WcMLFcC7iUXYaFY{dOkS9mxlc1yxC}l1HT!zq_NYZry5BS6BBq+w}ZWAZFg= z!ZN3#xeE+_lO>bHNwST(Ek}cY9CkfgoemY6{GuMGu_9lA*X%2qLom1Subn?%1B^%? zIJ6{J?PNRm#V14I9a{C>cO~ysNv{3t2c)Yt?tvulDSFb*@aixOytU zwp;n9=R)tQi`x&rae|Vk8H58VhGo|mjQB^v+{b-NMr&BjpvL$^u(#)^{mFB(k_?6! 
zr1a)I(mYmP+Pze)-kti%KpWHidh6qQQ7B+jlFtJV)~Lc>QyQI+*oOv7jt_6Fjw>&X zGx~jFk#T*Gt#L3;b(2z0OFoE1y41eN<`zR^Ov;G(8lOw^N%od9-Sd z-A4b_HIK$wm>l*mbYR%NNb1)Rto~FP_UOqe9&5{33zI~tjfKf7-tJ4ZjPD)nZ1S>< z`yS|(&9hr|0EUMl`6>jb79KAunh?DIeO>sXl@FSDkqy0@51B@CN2~gMi-1L<`pkIhsC1%ve%|`e|U)z7I zaMtPQ%J1If&bwlv2^t=3mNwaTO+{{acGUxxwDxe`y1SE--{wsO3vUkCe&UV&gBPL1 zORWsgpQkq$rc4;Jf?HhwG-u9J`q>|r81X7jMbJh_hG&Kc?YkNh5)$>KWi{>CZeUa5 zA~T!t7GJW9i z(jPgpJvBS|W(I$_hjU7=2S3Vr-0RsO&43sDV`uzok7lU$-k8i9k&(n}t=Y`%RdWBn z;Czjpo!!a#EmYvhks}r>rVPJrHEP4wt-l+LYPs>l#35@=dOTx3ZxWo}!Tsnx)%e57 zIokEAIokIRgKEm$`lbK5<96K9qRiAv9?{Rw&r<8{<+XN;=i1uFMq+{Fp7ZZzTEkR; z&*!hq%9;Q-5u}HfQ}+gr|E;D*mTIJN{;oh0@M~ZoH9mZt8VL{FcQs?1%_`%Z+=0sq z=ZEYK%RhYL#2(X<(b<4B-HAdu1b=j9u_||ZX8{Q>@B3D9Z+bjQ&AiwA?1m$-@T}%L zHyaxpt4VRD>g?>nTU{6IH!bONb?hoP!ojAy_J(rz;pV2j4SO$g2iC1$A1}T-Df0*% zG2Ghv#ggW@jLb}F;eyupls8Eu%VYLjYYH4cc-E|0jIrzE3RMTj4(xwiaP(31xhUGy zV__F!tPp|3W{rDoae&)CHQj!B_JSE>Ryu*9BgR>Mw{Osy;tjbis*hWJ!n4Vom`2a4 zn)0%>3((2qGKOy?zn#b*-d2tDZ6Gk-qoono-Q7M$O zzXt3Mq(=AO`5cfnT3_7m&$G(#VkW)bGk$Efi5J&kf5TSkrEJ@4hZ5JBe^@$K>dM(Q zW8C?Xw^mQn+K4#^tdOm>anq)z+-0+A&Wv55|4QzcFe>X9u_<;$KtRCMTX&95T!EB7 zSI|0o!$pS@rY8ATEveaLM#Ml(cvJFO!IH4V>%nf>XZ9}av&AqESYQ-x6_Eh;UbK9u zT2ogM&MpPO%R6SB7^&9G65n-R+$=qqA9j0!n;KNtFEPF&xfI!Icw+f%o43saN|NpW zJoVJhO}+cXm~H0f&V{db9C&Xg|7f^?xxHcj?AQ4=Mt`gpvHNhG=l!F~?9%ScX}#Wt z)fJD=eP8poh4n|;Wzf4cGg-s=;g>V6xSFK60=N1e`BY;(fALA}r;%mbdI3`${Ep3jR= 5.0.0' + + assets %w( + auth_saml/** + auth_provider-saml.png + ) + + config.after_initialize do + # Automatically update the openproject user whenever their info change in the upstream identity provider + OpenProject::OmniAuth::Authorization.after_login do |user, auth_hash, context| + # see https://github.com/opf/openproject/blob/caa07c5dd470f82e1a76d2bd72d3d55b9d2b0b83/app/controllers/concerns/omniauth_login.rb#L148 + user.update_attributes context.send(:omniauth_hash_to_user_attributes, auth_hash) + end + end + + register_auth_providers do + settings = Rails.root.join('config', 
'plugins', 'auth_saml', 'settings.yml')
+ if settings.exist?
+ providers = YAML::load(File.open(settings)).symbolize_keys
+ strategy :saml do
+ providers.values.map do |h|
+ h[:openproject_attribute_map] = Proc.new do |auth|
+ {
+ login: auth[:uid],
+ admin: (auth.info['admin'].to_s.downcase == "true")
+ }
+ end
+ h.symbolize_keys
+ end
+ end
+ else
+ Rails.logger.warn("[auth_saml] Missing settings from '#{settings}', skipping omniauth registration.")
+ end
+ end
+ end
+end
diff --git a/modules/auth_saml/lib/open_project/auth_saml/version.rb b/modules/auth_saml/lib/open_project/auth_saml/version.rb
new file mode 100644
index 0000000000..86c0f40a73
--- /dev/null
+++ b/modules/auth_saml/lib/open_project/auth_saml/version.rb
@@ -0,0 +1,5 @@
+module OpenProject
+ module AuthSaml
+ VERSION = ::OpenProject::VERSION.to_semver
+ end
+end
diff --git a/modules/auth_saml/lib/openproject-auth_saml.rb b/modules/auth_saml/lib/openproject-auth_saml.rb
new file mode 100644
index 0000000000..5c30b502dc
--- /dev/null
+++ b/modules/auth_saml/lib/openproject-auth_saml.rb
@@ -0,0 +1 @@
+require 'open_project/auth_saml'
diff --git a/modules/auth_saml/openproject-auth_saml.gemspec b/modules/auth_saml/openproject-auth_saml.gemspec
new file mode 100644
index 0000000000..8fb3a6e462
--- /dev/null
+++ b/modules/auth_saml/openproject-auth_saml.gemspec
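Review bot: `providers = YAML::load(File.open(settings)).symbolize_keys` in register_auth_providers parses the settings file with the unrestricted YAML loader, which will instantiate arbitrary Ruby objects if a tagged document is ever placed there, and the File opened without a block is left for the GC to close; `providers = YAML.safe_load(File.read(settings)).symbolize_keys` keeps the file to plain data and releases the descriptor immediately. The after_login hook earlier in the hunk reaches a private method through `context.send(:omniauth_hash_to_user_attributes, auth_hash)` and, if that hook is global rather than scoped to the :saml strategy, it re-syncs the user record on every OmniAuth login rather than only SAML ones — a comment above the block stating which of the two is intended would help the next reader. In the attribute map, `admin: (auth.info['admin'].to_s.downcase == "true")` yields false for an absent IdP attribute; whether that clears an existing administrator on the next login depends on how the mapped attributes are applied, which is not visible here and is worth confirming and documenting next to the mapping. The start of this hunk, including the engine declaration these blocks belong to, is swallowed by the preceding binary PNG section and is not readable in this view.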
@@ -0,0 +1,20 @@
+# encoding: UTF-8
+$:.push File.expand_path("../lib", __FILE__)
+$:.push File.expand_path("../../lib", __dir__)
+
+require 'open_project/auth_saml/version'
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+ s.name = 'openproject-auth_saml'
+ s.version = OpenProject::AuthSaml::VERSION
+ s.authors = 'Cyril Rohr'
+ s.email = 'cyril.rohr@gmail.com'
+ s.homepage = 'https://github.com/finnlabs/openproject-auth_saml'
+ s.summary = 'OmniAuth SAML / Single-Sign On'
+ s.description = 'Adds the OmniAuth SAML provider to OpenProject'
+ s.license = 'MIT'
+
+ s.files = Dir['{app,lib}/**/*'] + %w(README.md)
+
+ s.add_dependency 'omniauth-saml', '~> 1.10.1'
+end
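Review bot: The two load-path lines at the top of the gemspec mix a `__FILE__`-relative and a `__dir__`-relative form and use the cryptic `$:` alias; `$LOAD_PATH.push File.expand_path('lib', __dir__)` followed by `$LOAD_PATH.push File.expand_path('../../lib', __dir__)` expresses the same two paths consistently. The `# encoding: UTF-8` magic comment on the first line is redundant, since UTF-8 has been the default source encoding since Ruby 2.0, and `# frozen_string_literal: true` would be the more useful first line for a new file.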