Merge commit from fork

fix: remove :idp_cert_fingerprint_validator

Author: bufferoverflow

README.md

@@ -39,7 +39,6 @@ use OmniAuth::Strategies::SAML,
                                            :encryption => []
                                          },
   :idp_cert_fingerprint               => "E7:91:B2:E1:...",
-  :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
   :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 ```
 
@@ -66,7 +65,6 @@ Rails.application.config.middleware.use OmniAuth::Builder do
                                              :encryption => []
                                            },
     :idp_cert_fingerprint               => "E7:91:B2:E1:...",
-    :idp_cert_fingerprint_validator     => lambda { |fingerprint| fingerprint },
     :name_identifier_format             => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 end
 ```
@@ -112,20 +110,16 @@ Note that when [integrating with Devise](#devise-integration), the URL path will
   `original_param_value`. Optional.
 
 * `:idp_cert` - The identity provider's certificate in PEM format. Takes precedence
-  over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+  over the fingerprint option below. This option or `:idp_cert_multi` or `:idp_cert_fingerprint` must
   be present.
 
 * `:idp_cert_multi` - Multiple identity provider certificates in PEM format. Takes precedence
-over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` or `:idp_cert_fingerprint_validator` must
+over the fingerprint option below. This option `:idp_cert` or `:idp_cert_fingerprint` must
 be present.
 
 * `:idp_cert_fingerprint` - The SHA1 fingerprint of the certificate, e.g.
   "90:CC:16:F0:8D:...". This is provided from the identity provider when setting up
-  the relationship. This option or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint_validator` MUST be present.
-
-* `:idp_cert_fingerprint_validator` - A lambda that MUST accept one parameter
-  (the fingerprint), verify if it is valid and return it if successful. This option
-  or `:idp_cert` or `:idp_cert_multi` or `:idp_cert_fingerprint` MUST be present.
+  the relationship. This option or `:idp_cert` or `:idp_cert_multi` MUST be present.
 
 * `:name_identifier_format` - Used during SP-initiated SSO. Describes the format of
   the username required by this application. If you need the email address, use

lib/omniauth/strategies/saml.rb

@@ -43,9 +43,6 @@ def callback_phase
         raise OmniAuth::Strategies::SAML::ValidationError.new("SAML response missing") unless request.params["SAMLResponse"]
 
         with_settings do |settings|
-          # Call a fingerprint validation method if there's one
-          validate_fingerprint(settings) if options.idp_cert_fingerprint_validator
-
           handle_response(request.params["SAMLResponse"], options_for_response_object, settings) do
             super
           end
@@ -218,17 +215,6 @@ def with_settings
         yield OneLogin::RubySaml::Settings.new(options)
       end
 
-      def validate_fingerprint(settings)
-        fingerprint_exists = options.idp_cert_fingerprint_validator[response_fingerprint]
-
-        unless fingerprint_exists
-          raise OmniAuth::Strategies::SAML::ValidationError.new("Non-existent fingerprint")
-        end
-
-        # id_cert_fingerprint becomes the given fingerprint if it exists
-        settings.idp_cert_fingerprint = fingerprint_exists
-      end
-
       def options_for_response_object
         # filter options to select only extra parameters
         opts = options.select {|k,_| RUBYSAML_RESPONSE_OPTIONS.include?(k.to_sym)}

spec/omniauth/strategies/saml_spec.rb

@@ -150,41 +150,6 @@ def post_xml(xml = :example_response, opts = {})
       end
     end
 
-    context "when fingerprint is empty and there's a fingerprint validator" do
-      before :each do
-        saml_options.delete(:idp_cert_fingerprint)
-        saml_options[:idp_cert_fingerprint_validator] = fingerprint_validator
-      end
-
-      let(:fingerprint_validator) { lambda { |_| "C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB" } }
-
-      context "when the fingerprint validator returns a truthy value" do
-        before { post_xml }
-
-        it "should set the uid to the nameID in the SAML response" do
-          expect(auth_hash['uid']).to eq '_1f6fcf6be5e13b08b1e3610e7ff59f205fbd814f23'
-        end
-
-        it "should set the raw info to all attributes" do
-          expect(auth_hash['extra']['raw_info'].all.to_hash).to eq(
-            'first_name'   => ['Rajiv'],
-            'last_name'    => ['Manglani'],
-            'email'        => ['[email protected]'],
-            'company_name' => ['Example Company'],
-            'fingerprint'  => 'C1:59:74:2B:E8:0C:6C:A9:41:0F:6E:83:F6:D1:52:25:45:58:89:FB'
-          )
-        end
-      end
-
-      context "when the fingerprint validator returns false" do
-        let(:fingerprint_validator) { lambda { |_| false } }
-
-        before { post_xml }
-
-        it { is_expected.to fail_with(:invalid_ticket) }
-      end
-    end
-
     context "when the assertion_consumer_service_url is the default" do
       before :each do
         saml_options.delete(:assertion_consumer_service_url)