Merge pull request #9 from techAPJ/beta

FEATURE: two new settings for email_valid defaults

.gitignore

 auto_generated
 gems
-
+.DS_Store

README.md

@@ -22,7 +22,7 @@ Add the following settings to your `app.yml` file in the Environment Settings se
   DISCOURSE_SAML_CERT_FINGERPRINT: "43:BB:DA:FF..."
   #DISCOURSE_SAML_REQUEST_METHOD: post
   #DISCOURSE_SAML_FULL_SCREEN_LOGIN: true
-  DISCOURSE_SAML_CERT: "-----BEGIN CERTIFICATE----- 
+  DISCOURSE_SAML_CERT: "-----BEGIN CERTIFICATE-----
   ...
   -----END CERTIFICATE-----"
 ```
@@ -35,6 +35,16 @@ Add the following settings to your `discourse.conf` file:
 
 - `saml_target_url`
 
+### Supported settings
+
+- `DISCOURSE_SAML_SP_CERTIFICATE`: SAML Service Provider Certificate
+- `DISCOURSE_SAML_SP_PRIVATE_KEY`: SAML Service Provider Private Key
+- `DISCOURSE_SAML_AUTHN_REQUESTS_SIGNED`: defaults to false
+- `DISCOURSE_SAML_WANT_ASSERTIONS_SIGNED`: defaults to false
+- `DISCOURSE_SAML_NAME_IDENTIFIER_FORMAT`: defaults to "urn:oasis:names:tc:SAML:2.0:protocol"
+- `DISCOURSE_SAML_DEFAULT_EMAILS_VALID`: defaults to true
+- `DISCOURSE_SAML_VALIDATE_EMAIL_FIELDS`: defaults to blank. This setting accepts pipe separated group names that are supplied in `memberOf` attribute in SAML payload. If the group name specified in the value matches that from `memberOf` attribute than the `email_valid` is set to `true`, otherwise it defaults to `false`. This setting overrides `DISCOURSE_SAML_DEFAULT_EMAILS_VALID`.
+
 ### Convering an RSA Key to a PEM
 
 If the idp has an RSA key split up as modulus and exponent, this javascript library makes

lib/saml_authenticator.rb

@@ -45,7 +45,6 @@ class SamlAuthenticator < ::Auth::OAuth2Authenticator
     end
 
     result.email = auth[:info].email || uid
-    result.email_valid = true
 
     if result.respond_to?(:skip_email_validation) && GlobalSetting.try(:saml_skip_email_validation)
       result.skip_email_validation = true
@@ -62,6 +61,18 @@ class SamlAuthenticator < ::Auth::OAuth2Authenticator
       ::PluginStore.set("saml", "saml_user_#{uid}", {user_id: result.user.id })
     end
 
+    if GlobalSetting.try(:saml_validate_email_fields).present? && auth.extra[:raw_info].attributes['memberOf'].present?
+      unless (GlobalSetting.try(:saml_validate_email_fields).split("|").map(&:downcase) & auth.extra[:raw_info].attributes['memberOf'].map(&:downcase)).empty?
+        result.email_valid = true
+      else
+        result.email_valid = false
+      end
+    elsif GlobalSetting.respond_to?(:saml_default_emails_valid) && !GlobalSetting.saml_default_emails_valid.nil?
+      result.email_valid = GlobalSetting.saml_default_emails_valid
+    else
+      result.email_valid = true
+    end
+
     if GlobalSetting.try(:saml_clear_username) && result.user.blank?
       result.username = ''
     end

spec/saml_authenticator_spec.rb

@@ -34,6 +34,44 @@ describe SamlAuthenticator do
 
       result = @authenticator.after_authenticate(hash)
       expect(result.user.email).to eq(@user.email)
+      expect(result.email_valid).to eq(true)
+    end
+
+    it 'defaults email_valid to false if saml_default_emails_valid is false' do
+      GlobalSetting.stubs(:saml_default_emails_valid).returns(false)
+
+      hash = OmniAuth::AuthHash.new(
+        uid: @uid,
+        info: {
+            name: "John Doe",
+            email: @user.email
+        }
+      )
+
+      result = @authenticator.after_authenticate(hash)
+      expect(result.user.email).to eq(@user.email)
+      expect(result.email_valid).to eq(false)
+    end
+
+    it 'defaults email_valid based on saml_validate_email_fields setting' do
+      GlobalSetting.stubs(:saml_validate_email_fields).returns("customers")
+
+      hash = OmniAuth::AuthHash.new(
+        uid: @uid,
+        info: {
+            name: "John Doe",
+            email: @user.email
+        },
+        extra: {
+          raw_info: OneLogin::RubySaml::Attributes.new({
+            'memberOf' => %w(Customers Employees)
+          })
+        }
+      )
+
+      result = @authenticator.after_authenticate(hash)
+      expect(result.user.email).to eq(@user.email)
+      expect(result.email_valid).to eq(true)
     end
   end
 end