Merge branch 'main' into providers/oidc

# Conflicts:
#	README.md
#	lib/code0/identities.rb

Author: Knerio

.github/workflows/main.yml

@@ -14,7 +14,9 @@ jobs:
     strategy:
       matrix:
         ruby:
+          - '3.1.2' # using 3.1.2 instead of latest patch as 3.1.2 is the minimum specified in the gemspec
           - '3.2.2'
+          - '3.3.6'
 
     steps:
     - uses: actions/checkout@v4

.rubocop.yml

@@ -3,7 +3,7 @@ require:
   - rubocop-rspec
 
 AllCops:
-  TargetRubyVersion: 3.0.0
+  TargetRubyVersion: 3.1.2
   NewCops: enable
 
 Gemspec/DevelopmentDependencies:
@@ -38,6 +38,9 @@ RSpec/ExampleLength:
 Style/Documentation:
   Enabled: false
 
+Style/HashSyntax:
+  EnforcedShorthandSyntax: never
+
 RSpec/MultipleMemoizedHelpers:
   Enabled: false
 RSpec/MultipleExpectations:

Gemfile.lock

@@ -3,6 +3,7 @@ PATH
   specs:
     code0-identities (0.0.0)
       httparty (~> 0.22)
+      ruby-saml (~> 1.17.0)
 
 GEM
   remote: https://rubygems.org/
@@ -24,8 +25,14 @@ GEM
     json (2.7.2)
     language_server-protocol (3.17.0.3)
     mini_mime (1.1.5)
+    mini_portile2 (2.8.8)
     multi_xml (0.7.1)
       bigdecimal (~> 3.1)
+    nokogiri (1.16.7)
+      mini_portile2 (~> 2.8.2)
+      racc (~> 1.4)
+    nokogiri (1.16.7-x86_64-linux)
+      racc (~> 1.4)
     parallel (1.25.1)
     parser (3.3.4.0)
       ast (~> 2.4.1)
@@ -77,6 +84,9 @@ GEM
     rubocop-rspec_rails (2.28.3)
       rubocop (~> 1.40)
     ruby-progressbar (1.13.0)
+    ruby-saml (1.17.0)
+      nokogiri (>= 1.13.10)
+      rexml
     strscan (3.1.0)
     unicode-display_width (2.5.0)
     webmock (3.23.1)

README.md

@@ -11,6 +11,7 @@ OAuth:
 - Github
 - Gitlab
 - OIDC / oAuth2
+- SAML
 
 ## Installation
 

code0-identities.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   spec.summary = "Library to manage external identities"
   spec.homepage = "https://github.com/code0-tech/code0-identities"
   spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.0.0"
+  spec.required_ruby_version = ">= 3.1.2"
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
@@ -31,12 +31,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "httparty", "~> 0.22"
-  spec.add_development_dependency "webmock", "~> 3.23.1"
+  spec.add_dependency "ruby-saml", "~> 1.17.0"
 
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "rubocop", "~> 1.21"
   spec.add_development_dependency "rubocop-rake", "~> 0.6"
   spec.add_development_dependency "rubocop-rspec", "~> 2.29" # Uncomment to register a new dependency of your gem
+  spec.add_development_dependency "webmock", "~> 3.23.1"
   spec.metadata["rubygems_mfa_required"] = "true"
 end

lib/code0/identities.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "httparty"
+require "onelogin/ruby-saml"
 
 require_relative "identities/version"
 require_relative "identities/identity_provider"
@@ -11,6 +12,7 @@
 require_relative "identities/provider/discord"
 require_relative "identities/provider/github"
 require_relative "identities/provider/oidc"
+require_relative "identities/provider/saml"
 
 module Code0
   module Identities

lib/code0/identities/provider/base_oauth.rb

@@ -68,9 +68,12 @@ def create_identity(response, token, token_type)
         end
 
         def config
-          return config_loader.call if config_loader.is_a?(Proc)
+          config = config_loader
+          config = config_loader.call if config_loader.is_a?(Proc)
 
-          config_loader
+          config[:provider_name] ||= self.class.name.downcase.split("::").last
+
+          config
         end
       end
     end

lib/code0/identities/provider/discord.rb

@@ -31,7 +31,7 @@ def create_identity(response, *)
           username = body["username"]
           email = body["email"]
 
-          Identity.new(:discord, identifier, username, email, nil, nil)
+          Identity.new(config[:provider_name], identifier, username, email, nil, nil)
         end
       end
     end

lib/code0/identities/provider/github.rb

@@ -43,7 +43,7 @@ def create_identity(response, access_token, token_type)
 
           email = private_email(access_token, token_type) if email.nil?
 
-          Identity.new(:github, identifier, username, email, nil, nil)
+          Identity.new(config[:provider_name], identifier, username, email, nil, nil)
         end
       end
     end

lib/code0/identities/provider/gitlab.rb

@@ -37,7 +37,7 @@ def create_identity(response, *)
           username = body["username"]
           email = body["email"]
 
-          Identity.new(config_loader.call[:provider_name], identifier, username, email, nil, nil)
+          Identity.new(config[:provider_name], identifier, username, email, nil, nil)
         end
       end
     end

lib/code0/identities/provider/google.rb

@@ -41,7 +41,7 @@ def create_identity(response, *)
           firstname = body["given_name"]
           lastname = body["family_name"]
 
-          Identity.new(:google, identifier, username, email, firstname, lastname)
+          Identity.new(config[:provider_name], identifier, username, email, firstname, lastname)
         end
       end
     end

lib/code0/identities/provider/microsoft.rb

@@ -36,7 +36,7 @@ def create_identity(response, *)
           lastname = body["familyname"]
           email = body["email"]
 
-          Identity.new(:microsoft, identifier, nil, email, firstname, lastname)
+          Identity.new(config[:provider_name], identifier, nil, email, firstname, lastname)
         end
       end
     end

lib/code0/identities/provider/saml.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Code0
+  module Identities
+    module Provider
+      class Saml
+        attr_reader :config_loader
+
+        def initialize(config_loader)
+          @config_loader = config_loader
+        end
+
+        def authorization_url
+          request = OneLogin::RubySaml::Authrequest.new
+          request.create(create_settings)
+
+          request.instance_variable_get :@login_url
+        end
+
+        def load_identity(**params)
+          response = OneLogin::RubySaml::Response.new(params[:SAMLResponse],
+                                                      { **config[:response_settings], settings: create_settings })
+          attributes = response.attributes
+
+          Identity.new(config[:provider_name],
+                       response.name_id,
+                       find_attribute(attributes, config[:attribute_statements][:username]),
+                       find_attribute(attributes, config[:attribute_statements][:email]),
+                       find_attribute(attributes, config[:attribute_statements][:firstname]),
+                       find_attribute(attributes, config[:attribute_statements][:lastname]))
+        end
+
+        private
+
+        def find_attribute(attributes, attribute_statements)
+          attribute_statements.each do |statement|
+            return attributes[statement] unless attributes[statement].nil?
+          end
+          nil
+        end
+
+        def create_settings
+          if config[:metadata_url].nil?
+            settings = OneLogin::RubySaml::Settings.new
+          else
+            idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+            settings = idp_metadata_parser.parse_remote(config[:metadata_url])
+          end
+
+          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+
+          config[:settings].each do |key, value|
+            settings.send(:"#{key}=", value)
+          end
+          settings
+        end
+
+        def config
+          config = config_loader
+          config = config_loader.call if config_loader.is_a?(Proc)
+
+          # rubocop:disable Layout/LineLength
+          config[:provider_name] ||= :saml
+          config[:response_settings] ||= {}
+          config[:settings] ||= {}
+          config[:attribute_statements] ||= {}
+          config[:attribute_statements][:username] ||= %w[username name http://schemas.goauthentik.io/2021/02/saml/username]
+          config[:attribute_statements][:email] ||= %w[email mail http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2008/06/identity/claims/emailaddress]
+          config[:attribute_statements][:firstname] ||= %w[first_name firstname firstName http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2008/06/identity/claims/givenname]
+          config[:attribute_statements][:lastname] ||= %w[last_name lastname lastName http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.microsoft.com/ws/2008/06/identity/claims/surname]
+          # rubocop:enable Layout/LineLength
+
+          config
+        end
+      end
+    end
+  end
+end

sig/code0/identities/provider/saml.rbs

@@ -0,0 +1,11 @@
+module Code0
+  module Identities
+    module Provider
+      class Saml
+        def authorization_url: () -> String
+
+        def load_identity: (Hash[Symbol, any]) -> Identity
+      end
+    end
+  end
+end

spec/code0/identities/provider/discord_spec.rb

@@ -58,7 +58,7 @@
         .to_return(body: response_body, headers: { "Content-Type": "application/json" })
 
       expect(service_response.identifier).to eq(1)
-      expect(service_response.provider).to eq(:discord)
+      expect(service_response.provider).to eq("discord")
       expect(service_response.username).to eq("name")
       expect(service_response.email).to eq("example@code0.tech")
     end