🔀 Merge branch 'gl-master' into sync-gl

# Conflicts:
#	.gitignore
#	.gitlab-ci.yml
#	Gemfile
#	README.md
#	gitlab_omniauth-ldap.gemspec
#	lib/omniauth-ldap/adaptor.rb
#	lib/omniauth-ldap/version.rb
#	lib/omniauth/strategies/ldap.rb
#	spec/omniauth-ldap/adaptor_spec.rb
#	spec/omniauth/strategies/ldap_spec.rb
#	spec/spec_helper.rb

Author: pboling

.gitignore

@@ -1,3 +1,6 @@
+.project
+.tags
+
 # Build Artifacts
 /pkg/
 /tmp/

.gitlab-ci.yml

@@ -13,7 +13,7 @@
 #  - template: Security/SAST.gitlab-ci.yml
 
 default:
-  image: ruby
+  image: "ruby:${RUBY_VERSION}"
 
 variables:
   BUNDLE_INSTALL_FLAGS: "--quiet --jobs=$(nproc) --retry=3"
@@ -39,7 +39,6 @@ workflow:
     - if: '$CI_COMMIT_TAG'
 
 .test_template-current: &test_definition-current
-  image: ruby:${RUBY_VERSION}
   stage: test
   script:
     # || true so we don't fail here, because it'll probably work even if the gem update fails
@@ -67,7 +66,6 @@ workflow:
       - vendor/ruby
 
 .test_template-legacy: &test_definition-legacy
-  image: ruby:${RUBY_VERSION}
   stage: test
   script:
     # RUBYGEMS_VERSION because we support EOL Ruby still...

CHANGELOG

@@ -0,0 +1,11 @@
+## 2.1.1
+  - Add a String check to `tls_options` sanitization to allow other objects
+
+## 2.1.0
+  - Expose `:tls_options` SSL configuration option. Deprecate :ca_file, :ssl_version
+
+## 2.0.4
+  - Improve log message when invalid credentials are used
+
+## 2.0.3
+  - Protects against wrong request method call to callback

Gemfile.lock

@@ -13,12 +13,12 @@ GIT
 PATH
   remote: .
   specs:
-    omniauth-ldap (2.0.0)
-      net-ldap (~> 0.16)
-      omniauth (>= 1)
-      pyu-ruby-sasl (~> 0.0.3.3)
-      rack (>= 1)
-      rubyntlm (~> 0.6.2)
+    omniauth-ldap (2.3.0)
+      net-ldap (~> 0.16, < 1)
+      omniauth (>= 1, < 3)
+      pyu-ruby-sasl (>= 0.0.3.3, < 0.1)
+      rack (>= 1, < 4)
+      rubyntlm (~> 0.6.2, < 1)
       version_gem (~> 1.1, >= 1.1.9)
 
 GEM

README.md

@@ -57,12 +57,16 @@ use OmniAuth::Strategies::LDAP,
   title: "My LDAP",
   host: "10.101.10.1",
   port: 389,
-  method: :plain,
+  encryption: :plain,
   base: "dc=intridea,dc=com",
   uid: "sAMAccountName",
   name_proc: proc { |name| name.gsub(/@.*$/, "") },
   bind_dn: "default_bind_dn",
-  password: "password"
+  password: "password",
+  tls_options: {
+    ssl_version: 'TLSv1_2',
+    ciphers: ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CBC-HMAC-SHA256"]
+  }
 # Or, alternatively:
 # use OmniAuth::Strategies::LDAP, filter: '(&(uid=%{username})(memberOf=cn=myapp-users,ou=groups,dc=example,dc=com))'
 ```
@@ -642,8 +646,8 @@ Thanks for RTFM. ☺️
 [📌changelog]: CHANGELOG.md
 [📗keep-changelog]: https://keepachangelog.com/en/1.0.0/
 [📗keep-changelog-img]: https://img.shields.io/badge/keep--a--changelog-1.0.0-34495e.svg?style=flat
-[📌gitmoji]:https://gitmoji.dev
-[📌gitmoji-img]:https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
+[📌gitmoji]: https://gitmoji.dev
+[📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
 [🧮kloc-img]: https://img.shields.io/badge/KLOC-4.076-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md

omniauth-ldap.gemspec renamed to gitlab_omniauth-ldap.gemspec

@@ -97,16 +97,16 @@ Gem::Specification.new do |spec|
   # Listed files are the relative paths from bindir above.
   spec.executables = []
 
-  spec.add_dependency("net-ldap", "~> 0.16")          # ruby >= 2.0
+  spec.add_dependency("net-ldap", "~> 0.16", "< 1")             # ruby >= 2.0
   # nkf/kconv has been part of Ruby since long ago.
   # Eventually it became a standard gem, but was changed to a bundled gem in Ruby 3.4.
   # In general, kconv and iconv have been superseded since Ruby 1.9 by the built-in
   #   encoding support provided by String#encode, String#force_encoding, and similar methods.
-  # spec.add_dependency("nkf")                        # ruby >= 2.3
-  spec.add_dependency("omniauth", ">= 1")             # ruby >= 0.0
-  spec.add_dependency("pyu-ruby-sasl", "~> 0.0.3.3")  # ruby >= 0.0
-  spec.add_dependency("rack", ">= 1")                 # ruby >= 0.0
-  spec.add_dependency("rubyntlm", "~> 0.6.2")         # ruby >= 1.8.7
+  # spec.add_dependency("nkf")                                  # ruby >= 2.3
+  spec.add_dependency("omniauth", ">= 1", "< 3")                # ruby >= 0.0
+  spec.add_dependency("pyu-ruby-sasl", ">= 0.0.3.3", "< 0.1")   # ruby >= 0.0
+  spec.add_dependency("rack", ">= 1", "< 4")                    # ruby >= 0.0
+  spec.add_dependency("rubyntlm", "~> 0.6.2", "< 1")            # ruby >= 1.8.7
 
   # Utilities
   spec.add_dependency("version_gem", "~> 1.1", ">= 1.1.9")              # ruby >= 2.2.0

lib/omniauth-ldap/adaptor.rb

@@ -20,19 +20,39 @@ class ConfigurationError < StandardError; end
       class AuthenticationError < StandardError; end
       class ConnectionError < StandardError; end
 
-      VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password, :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter]
+      VALID_ADAPTER_CONFIGURATION_KEYS = [
+        :hosts, :host, :port, :encryption, :disable_verify_certificates, :bind_dn, :password, :try_sasl,
+        :sasl_mechanisms, :uid, :base, :allow_anonymous, :filter, :tls_options,
+
+        # Deprecated
+        :method,
+        :ca_file,
+        :ssl_version,
+      ]
 
       # A list of needed keys. Possible alternatives are specified using sub-lists.
-      MUST_HAVE_KEYS = [:host, :port, :method, [:uid, :filter], :base]
+      MUST_HAVE_KEYS = [
+        :base,
+        [:encryption, :method], # :method is deprecated
+        [:hosts, :host],
+        [:hosts, :port],
+        [:uid, :filter],
+      ]
+
+      ENCRYPTION_METHOD = {
+        simple_tls: :simple_tls,
+        start_tls: :start_tls,
+        plain: nil,
 
-      METHOD = {
+        # Deprecated. This mapping aimed to be user-friendly, but only caused
+        # confusion. Better to pass through the actual `Net::LDAP` encryption type.
         ssl: :simple_tls,
         tls: :start_tls,
-        plain: nil,
       }
 
       attr_accessor :bind_dn, :password
       attr_reader :connection, :uid, :base, :auth, :filter
+
       def self.validate(configuration = {})
         message = []
         MUST_HAVE_KEYS.each do |names|
@@ -53,17 +73,14 @@ def initialize(configuration = {})
         VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
           instance_variable_set("@#{name}", @configuration[name])
         end
-        method = ensure_method(@method)
         config = {
+          base: @base,
+          hosts: @hosts,
           host: @host,
           port: @port,
-          base: @base,
+          encryption: encryption_options
         }
-        @bind_method = if @try_sasl
-          :sasl
-        else
-          ((@allow_anonymous || !@bind_dn || !@password) ? :anonymous : :simple)
-        end
+        @bind_method = @try_sasl ? :sasl : (@allow_anonymous||!@bind_dn||!@password ? :anonymous : :simple)
 
         @auth = sasl_auths({username: @bind_dn, password: @password}).first if @bind_method == :sasl
         @auth ||= {
@@ -72,7 +89,6 @@ def initialize(configuration = {})
           password: @password,
         }
         config[:auth] = @auth
-        config[:encryption] = method
         @connection = Net::LDAP.new(config)
       end
 
@@ -103,14 +119,49 @@ def bind_as(args = {})
 
       private
 
-      def ensure_method(method)
+      def encryption_options
+        translated_method = translate_method
+        return nil unless translated_method
+
+        {
+          method: translated_method,
+          tls_options: tls_options(translated_method)
+        }
+      end
+
+      def translate_method
+        method = @encryption || @method
         method ||= "plain"
         normalized_method = method.to_s.downcase.to_sym
-        return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
 
-        available_methods = METHOD.keys.collect { |m| m.inspect }.join(", ")
-        format = "%s is not one of the available connect methods: %s"
-        raise ConfigurationError, format % [method.inspect, available_methods]
+        unless ENCRYPTION_METHOD.has_key?(normalized_method)
+          available_methods = ENCRYPTION_METHOD.keys.collect {|m| m.inspect}.join(", ")
+          format = "%s is not one of the available connect methods: %s"
+          raise ConfigurationError, format % [method.inspect, available_methods]
+        end
+
+        ENCRYPTION_METHOD[normalized_method]
+      end
+
+
+      def tls_options(translated_method)
+        return {} if translated_method == nil # (plain)
+
+        options = default_options
+
+        if @tls_options
+          # Prevent blank config values from overwriting SSL defaults
+          configured_options = sanitize_hash_values(@tls_options)
+          configured_options = symbolize_hash_keys(configured_options)
+
+          options.merge!(configured_options)
+        end
+
+        # Retain backward compatibility until deprecated configs are removed.
+        options[:ca_file] = @ca_file if @ca_file
+        options[:ssl_version] = @ssl_version if @ssl_version
+
+        options
       end
 
       def sasl_auths(options = {})
@@ -157,6 +208,39 @@ def sasl_bind_setup_gss_spnego(options)
         }
         [Net::NTLM::Message::Type1.new.serialize, nego]
       end
+
+      private
+
+      def default_options
+        if @disable_verify_certificates
+          # It is important to explicitly set verify_mode for two reasons:
+          # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+          # 2. The net-ldap gem implementation verifies the certificate hostname
+          #    unless verify_mode is set to VERIFY_NONE.
+          { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+        else
+          OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup
+        end
+      end
+
+      # Removes keys that have blank values
+      #
+      # This gem may not always be in the context of Rails so we
+      # do this rather than `.blank?`.
+      def sanitize_hash_values(hash)
+        hash.delete_if do |_, value|
+          value.nil? ||
+          (value.is_a?(String) && value !~ /\S/)
+        end
+      end
+
+      def symbolize_hash_keys(hash)
+        hash.keys.each do |key|
+          hash[key.to_sym] = hash[key]
+        end
+
+        hash
+      end
     end
   end
 end

lib/omniauth-ldap/version.rb

@@ -1,7 +1,7 @@
 module OmniAuth
   module LDAP
     module Version
-      VERSION = "2.0.0"
+      VERSION = "2.3.0"
     end
     VERSION = Version::VERSION # Make VERSION available in traditional way
   end

lib/omniauth/strategies/ldap.rb

@@ -1,11 +1,14 @@
 require "omniauth"
+require "omniauth/version"
 
 module OmniAuth
   module Strategies
     class LDAP
       OMNIAUTH_GTE_V2 = Gem::Version.new(OmniAuth::VERSION) >= Gem::Version.new("2.0.0")
       include OmniAuth::Strategy
 
+      InvalidCredentialsError = Class.new(StandardError)
+
       CONFIG = {
         "name" => "cn",
         "first_name" => "givenName",
@@ -31,6 +34,9 @@ class LDAP
       end
       option :port, 389
       option :method, :plain
+      option :disable_verify_certificates, false
+      option :ca_file, nil
+      option :ssl_version, nil # use OpenSSL default if nil
       option :uid, "sAMAccountName"
       option :name_proc, lambda { |n| n }
 
@@ -59,10 +65,14 @@ def request_phase
       def callback_phase
         @adaptor = OmniAuth::LDAP::Adaptor.new(@options)
 
+        return fail!(:invalid_request_method) unless valid_request_method?
         return fail!(:missing_credentials) if missing_credentials?
         begin
           @ldap_user_info = @adaptor.bind_as(filter: filter(@adaptor), size: 1, password: request.params["password"])
-          return fail!(:invalid_credentials) unless @ldap_user_info
+
+          unless @ldap_user_info
+            return fail!(:invalid_credentials, InvalidCredentialsError.new("Invalid credentials for #{request.params['username']}"))
+          end
 
           @user_info = self.class.map_user(CONFIG, @ldap_user_info)
           super
@@ -73,9 +83,10 @@ def callback_phase
 
       def filter(adaptor)
         if adaptor.filter && !adaptor.filter.empty?
-          Net::LDAP::Filter.construct(adaptor.filter % {username: @options[:name_proc].call(request.params["username"])})
+          username = Net::LDAP::Filter.escape(@options[:name_proc].call(request.params['username']))
+          Net::LDAP::Filter.construct(adaptor.filter % { username: username })
         else
-          Net::LDAP::Filter.eq(adaptor.uid, @options[:name_proc].call(request.params["username"]))
+          Net::LDAP::Filter.equals(adaptor.uid, @options[:name_proc].call(request.params["username"]))
         end
       end
 
@@ -128,6 +139,10 @@ def map_user(mapper, object)
 
       protected
 
+      def valid_request_method?
+        request.env['REQUEST_METHOD'] == 'POST'
+      end
+
       def missing_credentials?
         request.params["username"].nil? || request.params["username"].empty? || request.params["password"].nil? || request.params["password"].empty?
       end # missing_credentials?