cul_omniauth 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 12e145d88c005c6cab678e19eb93b17cff6e09e9
+  data.tar.gz: 262436496792653e2a1cf76e3bc76be6b94ede92
+SHA512:
+  metadata.gz: ff406c2659ce8e17f061647727f46541acf000c080eef7b13ecaf807b338c39dc012424f132d7e44c30d1b61384fcaf76770bd10d938942c835ac8201ef999ba
+  data.tar.gz: 57078dcf843567d0dce62a6bd1bd06619a099036d59384907c2888170725b0d819b6e396b039fcfbc955e4e877bff4e33fb130fa20e70985ad207a13109ae36c

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,35 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Cul::Omniauth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+  spec.pattern += FileList['spec/*_spec.rb']
+  spec.rspec_opts = []
+  spec.rspec_opts << ['--backtrace'] if ENV['CI']
+end
+
+task default: :spec

data/app/assets/javascripts/cul/omniauth/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/cul/omniauth/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/concerns/cul/omniauth/callbacks.rb

@@ -0,0 +1,36 @@
+module Cul::Omniauth::Callbacks
+  extend ActiveSupport::Concern
+  def cas
+    find_user('CAS')
+  end
+  def saml
+    find_user('SAML')
+  end
+  def wind
+    find_user('WIND')
+  end
+
+  def ssl
+    find_user('ssl')
+  end
+
+  def find_user(auth_type)
+    find_method = "find_for_#{auth_type.downcase}".to_sym
+    current_user ||= User.send(find_method,request.env["omniauth.auth"], current_user)
+    affils = ["#{request.env["omniauth.auth"].uid}:users.cul.columbia.edu"]
+    affils << "staff:cul.columbia.edu" if current_user.cul_staff?
+    affils += (request.env["omniauth.auth"].extra.affiliations || [])
+    affiliations(current_user,affils)
+    session["devise.roles"] = affils
+    if current_user.persisted?
+      flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => auth_type
+      sign_in_and_redirect current_user, :event => :authentication
+    else
+      session["devise.#{auth_type.downcase}_data"] = request.env["omniauth.auth"]
+      redirect_to root_url
+    end
+  end
+  def affiliations(user, affils)
+  end
+  protected :find_user
+end

data/app/controllers/concerns/cul/omniauth/remote_ip_ability.rb

@@ -0,0 +1,6 @@
+module Cul::Omniauth::RemoteIpAbility
+  extend ActiveSupport::Concern
+  def current_ability
+    @current_ability ||= Ability.new(current_user, remote_ip:request.remote_ip)
+  end
+end

data/app/controllers/cul/omniauth/application_controller.rb

@@ -0,0 +1,4 @@
+module Cul::Omniauth
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/cul/omniauth/callbacks_controller.rb

@@ -0,0 +1,3 @@
+class Cul::Omniauth::CallbacksController < Devise::OmniauthCallbacksController
+  include Cul::Omniauth::Callbacks
+end

data/app/helpers/cul/omniauth/application_helper.rb

@@ -0,0 +1,4 @@
+module Cul::Omniauth
+  module ApplicationHelper
+  end
+end

data/app/models/concerns/cul/omniauth/abilities.rb

@@ -0,0 +1,79 @@
+module Cul::Omniauth::Abilities
+  extend ActiveSupport::Concern
+  EMPTY = [].freeze
+  def initialize(user, opts={})
+    @user = user || User.new
+    self.class.config.select {|role,config| user.role? role }.each do |role, config|
+      config.fetch(:can,EMPTY).each do |action, conditions|
+        if conditions.blank?
+          can action, :all
+        else
+          can action, Cul::Omniauth::AbilityProxy do |proxy|
+            r = !!proxy
+            if r
+              conditions.fetch(:if,EMPTY).each do |property, comparisons|
+                p = value_for_property(proxy, property, opts)
+                r &= !!p
+                r &= comparisons.detect {|c,v| Comparisons.send(c, p, v)}
+              end
+              conditions.fetch(:unless,EMPTY).each do |property, comparisons|
+                p = value_for_property(proxy, property, opts)
+                if p
+                  r &= !comparisons.detect {|c,v| Comparisons.send(c, p, v)}
+                end
+              end
+            end
+            r
+          end
+        end
+      end
+    end
+  end
+  private
+  def value_for_property(proxy, property_handle, opts)
+    if proxy.respond_to? property_handle.to_sym
+      property = proxy.send property_handle
+    end
+    property = opts.fetch(property_handle,EMPTY) if property.blank?
+    property
+  end
+  module Comparisons
+    def self.include?(context, value)
+      context.include? value
+    end
+    def self.eql?(context, value)
+      context.eql? value
+    end
+    def self.in?(context, value)
+      (Array(value) & Array(context)).size > 0 
+    end
+  end
+  public
+  module ClassMethods
+    def config
+      @role_proxy_config ||= begin
+        root = (Rails.root.blank?) ? '.' : Rails.root
+        path = File.join(root,'config','roles.yml')
+        _opts = YAML.load_file(path)
+        all_config = _opts.fetch("_all_environments", {})
+        env_config = _opts.fetch(Rails.env, {})
+        symbolize_hash_keys(all_config.merge(env_config))
+      end
+    end
+    def self.included mod
+      mod.config.each do |k,v|
+        if v[:includes]
+          v[:includes].each do |included|
+            Role.role(k).includes(included.to_sym)
+          end
+        end
+      end
+    end
+    private
+    def symbolize_hash_keys(hash)
+      hash.symbolize_keys!
+      hash.values.select{|v| v.is_a? Hash}.each{|h| symbolize_hash_keys(h)}
+      hash
+    end
+  end
+end

data/app/models/concerns/cul/omniauth/users.rb

@@ -0,0 +1,73 @@
+module Cul::Omniauth::Users
+  extend ActiveSupport::Concern
+
+  included do |mod|
+    # Include default devise modules and the omniauthable module
+    # Others available are:
+    # :confirmable, :lockable, :timeoutable and :omniauthable
+    mod.devise :registerable, :recoverable, 
+    :rememberable, :trackable, :validatable, :omniauthable
+
+    #mod.attr_accessible :username, :uid, :provider
+    #mod.attr_accessible :email, :guest
+  
+    mod.delegate :can?, :cannot?, :to => :ability
+  end
+
+  def role? role_sym
+    role_sym == :guest
+  end
+
+  def ability
+    @ability ||= Ability.new(self)
+  end
+
+  module ClassMethods
+    def find_for_cas(token, resource=nil)
+      user = where(:login => token.uid).first
+      # create new user if necessary
+      unless user
+        user = create(whitelist(:login => token.uid))
+        # can we add groups or roles here?
+      end
+      user
+    end
+
+    def find_for_saml(token, resource=nil)
+      user = where(:login => token.uid).first
+      # create new user if necessary
+      unless user
+        user = create(whitelist(:login => token.uid))
+        # can we add groups or roles here?
+      end
+
+      user
+    end
+
+    def find_for_wind(token, resource=nil)
+      user = where(:login => token.uid).first
+      # create new user if necessary
+      unless user
+        user = create(whitelist(:login => token.uid))
+        # can we add groups or roles here?
+      end
+
+      user
+    end
+
+    def from_omniauth(auth)
+      where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
+        user.email = auth.info.email
+        user.password = Devise.friendly_token[0,20]
+        user.name = auth.info.name   # assuming the user model has a name
+        user.image = auth.info.image # assuming the user model has an image
+      end
+    end
+
+    private
+    def whitelist(params=nil)
+      params.permit(:login,:uid,:provider,:email,:guest) if params.respond_to? :permit
+      params || {}
+    end
+  end
+end

data/app/views/layouts/cul/omniauth/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Cul::Omniauth</title>
+  <%= stylesheet_link_tag    "cul/omniauth/application", media: "all" %>
+  <%= javascript_include_tag "cul/omniauth/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,2 @@
+Cul::Omniauth::Engine.routes.draw do
+end

data/lib/cul/omniauth/ability_proxy.rb

@@ -0,0 +1,21 @@
+module Cul::Omniauth
+  class AbilityProxy
+    attr_accessor :mime_type, :context, :content_models, :publisher, :remote_ip
+    def initialize(opts = {})
+      self.mime_type = opts[:mime_type]
+      self.context = opts[:context]
+      self.content_models = opts[:content_models] || []
+      self.publisher = opts[:publisher] || []
+      self.remote_ip = opts[:remote_ip] || []
+    end
+    def to_h
+      return {
+        mime_type: mime_type(),
+        context: context(),
+        content_models: content_models(),
+        publisher: publisher(),
+        remote_ip: remote_ip()
+      }
+    end
+  end
+end

data/lib/cul/omniauth/engine.rb

@@ -0,0 +1,5 @@
+module Cul::Omniauth
+  class Engine < ::Rails::Engine
+    isolate_namespace Cul::Omniauth
+  end
+end

data/lib/cul/omniauth/failure_app.rb

@@ -0,0 +1,18 @@
+require 'devise'
+class Cul::Omniauth::FailureApp < Devise::FailureApp
+  DEFAULT_PROVIDER = :saml
+  def self.provider=(provider)
+    @provider = provider
+  end
+  def self.provider
+    @provider || DEFAULT_PROVIDER
+  end
+  def self.for(provider=nil)
+  	r = Class.new(self)
+  	r.provider = provider || self.provider
+  	r
+  end
+  def redirect_url
+    user_omniauth_authorize_path(self.class.provider)
+  end
+end

data/lib/cul/omniauth/file_configurable.rb

@@ -0,0 +1,43 @@
+require 'yaml'
+require 'omniauth-cas'
+module Cul::Omniauth::FileConfigurable
+  extend ActiveSupport::Concern
+  included do |mod|
+    #OmniAuth::Strategies::CAS.configure(mod.cas_configuration_opts)
+  end
+  module ClassMethods
+    def cas_configuration_opts
+      @cas_opts ||= begin
+        _opts = YAML.load_file(File.join(Rails.root,'config','cas.yml'))[Rails.env] || {}
+        _opts = _opts.symbolize_keys
+        _opts
+      end
+      @cas_opts
+    end
+    def configure_devise_omniauth(config,opts=nil)
+      opts ||= cas_configuration_opts
+      opts = opts.dup
+      provider = opts.delete(:provider)
+      fetch_raw_info = opts.delete(:fetch_raw_info)
+      fetch_raw_info = fetch_raw_info.to_sym if fetch_raw_info.is_a? String
+      if fetch_raw_info.is_a? Symbol
+        method = fetch_raw_info
+        fetch_raw_info = lambda do |strategy, options, ticket, ticket_user_info|
+          send(method, strategy, options, ticket, ticket_user_info)
+        end
+      end
+      opts[:fetch_raw_info] = fetch_raw_info if fetch_raw_info
+      config.omniauth provider, opts
+      config.warden do |manager|
+        manager.failure_app = Cul::Omniauth::FailureApp.for(provider)
+      end
+    end
+    def print_raw_info(strategy, options, ticket, ticket_user_info)
+      puts "strategy: #{strategy.inspect}"
+      puts "options: #{options.inspect}"
+      puts "ticket: #{ticket.inspect}"
+      puts "ticket_user_info: #{ticket_user_info.inspect}"
+      {} # for merge
+    end
+  end
+end

data/lib/cul/omniauth/version.rb

@@ -0,0 +1,5 @@
+module Cul
+  module Omniauth
+    VERSION = "0.2.0"
+  end
+end

data/lib/cul_omniauth.rb

@@ -0,0 +1,59 @@
+require 'omniauth-cas'
+module Cul
+  module Omniauth
+    autoload :FailureApp, 'cul/omniauth/failure_app'
+    autoload :FileConfigurable, 'cul/omniauth/file_configurable'
+    autoload :AbilityProxy, 'cul/omniauth/ability_proxy'
+    require "cul/omniauth/engine"
+  end
+end
+module OmniAuth
+  module Strategies
+    require 'omni_auth/strategies/saml'
+    require 'omni_auth/strategies/wind'
+  end
+end
+OmniAuth::Strategies::CAS::ServiceTicketValidator.class
+class OmniAuth::Strategies::CAS::ServiceTicketValidator
+  alias defunct_parse parse_user_info
+  alias defunct_success find_authentication_success
+  # turns an `<cas:authenticationSuccess>` node into a Hash;
+  # returns nil if given nil
+  def parse_user_info(node)
+    return nil if node.nil?
+    {}.tap do |hash|
+      node.children.each do |e|
+        node_name = e.name.sub(/^cas:/, '')
+        unless e.kind_of?(Nokogiri::XML::Text) || node_name == 'proxies'
+          # There are no child elements
+          if e.element_children.count == 0
+            hash[node_name] = e.content
+          elsif e.element_children.count
+            # JASIG style extra attributes
+            if node_name == 'attributes'
+              hash.merge!(parse_user_info(e))
+            elsif node_name == 'affiliations'
+              hash.merge!(affiliations: e.xpath('cas:affil',NS).collect {|x| x.text})
+            else
+              hash[node_name] = [] if hash[node_name].nil?
+              hash[node_name].push(parse_user_info(e))
+            end
+          end
+        end
+      end
+    end
+  end
+  def find_authentication_success(body)
+    return nil if body.nil? || body == ''
+    begin
+      doc = Nokogiri::XML(body)
+      begin
+        doc.xpath('/cas:serviceResponse/cas:authenticationSuccess')
+      rescue Nokogiri::XML::XPath::SyntaxError
+        doc.xpath('/serviceResponse/authenticationSuccess')
+      end
+    rescue Nokogiri::XML::XPath::SyntaxError
+      nil
+    end
+  end
+end

data/lib/omni_auth/strategies/saml/service_ticket_validator.rb

@@ -0,0 +1,81 @@
+# This is a clone of the OmniAuth CAS ServiceTicketValidator for WIND
+# Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+# distributed under the MIT license
+# https://github.com/dlindahl/omniauth-cas
+module OmniAuth
+  module Strategies
+    class SAML
+      class ServiceTicketValidator < OmniAuth::Strategies::CAS::ServiceTicketValidator
+       ART_TEMPLATE = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
+                     "<SOAP-ENV:Header/><SOAP-ENV:Body>" +
+                     "<samlp:Request IssueInstant=\"%s\" MajorVersion=\"1\" MinorVersion=\"1\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\">" +
+                     "<samlp:AssertionArtifact>%s</samlp:AssertionArtifact>" +
+                     "</samlp:Request>" +
+                     "</SOAP-ENV:Body>" +
+                     "</SOAP-ENV:Envelope>"
+        NAME_ID_XPATH = './samla:Assertion/samla:AuthenticationStatement/samla:Subject/samla:NameIdentifier'
+        AFFIL_VALUE_XPATH = './samla:Assertion/samla:AttributeStatement/samla:Attribute[@AttributeName=\'affiliation\']/samla:AttributeValue'
+        def initialize(strategy, options, return_to_url, ticket)
+          super
+          @ticket = ticket
+          @ticket_host = URI(return_to_url).host
+        end
+        def parse_user_info(node)
+          return nil if node.nil?
+          {}.tap do |hash|
+            node.xpath(NAME_ID_XPATH, SAML_NS).each {|n| hash['user'] = n.text }
+            hash['affiliations'] = node.xpath(AFFIL_VALUE_XPATH, SAML_NS).inject([]) {|m,v| m << v.text; m}
+          end
+        end
+        def find_authentication_success(body)
+          return nil if body.nil? || body == ''
+          begin
+            doc = Nokogiri::XML(body)
+            begin
+              prefix = nil
+              doc.xpath('//sprot:Response',SAML_NS).each do |n|
+                n.namespace_definitions.each do |ns|
+                  if ns.href == 'urn:oasis:names:tc:SAML:1.0:protocol'
+                    prefix = ns.prefix
+                  end
+                  prefix ||= n.namespace.prefix
+                end
+              end
+              prefix = prefix + ':' if prefix
+              xpath = '//sprot:Response/sprot:Status/sprot:StatusCode[@Value=\'' + prefix + 'Success\']/../..'
+              doc.xpath(xpath, SAML_NS)
+            rescue Nokogiri::XML::XPath::SyntaxError
+              doc.xpath('//Response/Status/StatusCode[@Value=\'Success\']/../..')
+            end
+          rescue Nokogiri::XML::XPath::SyntaxError
+            nil
+          end
+        end
+        def get_service_request_body
+          ART_TEMPLATE % [Time.now.utc.iso8601(3), @ticket]
+        end
+        # retrieves the `<sprot:Response>` XML from the CAS server
+        def get_service_response_body
+          result = ''
+          http = Net::HTTP.new(@uri.host, @uri.port)
+          http.use_ssl = @uri.port == 443 || @uri.instance_of?(URI::HTTPS)
+          if http.use_ssl?
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @options.disable_ssl_verification?
+            http.ca_path = @options.ca_path
+          end
+          http.start do |c|
+            body = get_service_request_body
+            headers = {
+              "Content-Type"=>"text/xml",
+              "Content-Length" => body.size.to_s,
+              'SOAPAction' => "http://www.oasis-open.org/committees/security"
+            }
+            response = c.post "#{@uri.path}?#{@uri.query}", body, headers
+            result = response.body
+          end
+          result
+        end
+      end
+    end
+  end
+end

data/lib/omni_auth/strategies/saml.rb

@@ -0,0 +1,207 @@
+# This is a clone of the OmniAuth CAS Strategy for SAML
+# Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+# distributed under the MIT license
+# https://github.com/dlindahl/omniauth-cas
+require 'omniauth'
+require 'addressable/uri'
+
+module OmniAuth
+  module Strategies
+    class SAML
+      include OmniAuth::Strategy
+      # Custom Exceptions
+      class MissingCASTicket < StandardError; end
+      class InvalidCASTicket < StandardError; end
+      autoload :ServiceTicketValidator, 'omni_auth/strategies/saml/service_ticket_validator'
+      autoload :LogoutRequest, 'omni_auth/strategies/saml/logout_request'
+
+      attr_accessor :raw_info
+      alias_method :user_info, :raw_info
+
+      SAML_NS = {
+        samla: "urn:oasis:names:tc:SAML:1.0:assertion",
+        sprot: "urn:oasis:names:tc:SAML:1.0:protocol",
+      }
+      option :name, :saml # Required property by OmniAuth::Strategy
+
+      option :host, 'cas.columbia.edu'
+      option :port, nil
+      option :path, nil
+      option :ssl,  true
+      option :service_validate_url, '/samlValidate'
+      option :login_url,            '/login'
+      option :service, nil
+      option :logout_url,           '/logout'
+      option :on_single_sign_out,   Proc.new {}
+      # A Proc or lambda that returns a Hash of additional user info to be
+      # merged with the info returned by the CAS server.
+      #
+      # @param [Object] An instance of OmniAuth::Strategies::CAS for the current request
+      # @param [String] The user's Service Ticket value
+      # @param [Hash] The user info for the Service Ticket returned by the CAS server
+      #
+      # @return [Hash] Extra user info
+      option :fetch_raw_info,       Proc.new { Hash.new }
+      # Make all the keys configurable with some defaults set here
+      option :uid_field, 'user'
+      option :name_key, 'name'
+      option :email_key, 'email'
+      option :nickname_key, 'user'
+      option :first_name_key, 'first_name'
+      option :last_name_key, 'last_name'
+      option :location_key, 'location'
+
+      # As required by https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+      AuthHashSchemaKeys = %w{name email nickname first_name last_name location}
+      info do
+        prune!({
+          name: raw_info[options[:name_key].to_s],
+          email: raw_info[options[:email_key].to_s],
+          nickname: raw_info[options[:nickname_key].to_s],
+          first_name: raw_info[options[:first_name_key].to_s],
+          last_name: raw_info[options[:last_name_key].to_s],
+          location: raw_info[options[:location_key].to_s],
+        })
+      end
+
+      extra do
+        prune!(
+          raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        )
+      end
+
+      uid do
+        raw_info[options[:uid_field].to_s]
+      end
+
+      credentials do
+        prune!({ ticket: @ticket })
+      end
+
+      def login_url(service)
+        cas_url + append_params(options.login_url, { TARGET: service })
+      end
+      def logout_url(service)
+        cas_url + append_params(options.logout_url, { service: service})
+      end
+      # Build a CAS host with protocol and port
+      #
+      #
+      def cas_url
+        extract_url if options['url']
+        validate_cas_setup
+        @cas_url ||= begin
+          uri = Addressable::URI.new
+          uri.host = options.host
+          uri.scheme = options.ssl ? 'https' : 'http'
+          uri.port = options.port
+          uri.path = options.path
+          uri.to_s
+        end
+      end
+
+      def extract_url
+        url = Addressable::URI.parse(options.delete('url'))
+        options.merge!(
+          'host' => url.host,
+          'port' => url.port,
+          'path' => url.path,
+          'ssl' => url.scheme == 'https'
+        )
+      end
+
+      def validate_cas_setup
+        if options.host.nil? || options.login_url.nil?
+          raise ArgumentError.new(":host and :login_url MUST be provided")
+        end
+      end
+
+      def service_validate_url(service_url, ticket)
+        service_url = Addressable::URI.parse(service_url).origin
+        parms = {
+          TARGET: service_url,
+#          service: service_url,
+#          ticket: ticket
+        }
+        r = cas_url + append_params(options.service_validate_url, parms)
+        r
+      end
+
+      def callback_phase
+        if on_sso_path?
+          single_sign_out_phase
+        else
+          @ticket = request.params['SAMLart']
+          return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
+          fetch_raw_info(@ticket)
+          return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
+          super
+        end
+      end
+      def request_phase
+        service_url = append_params(callback_url, return_url)
+
+        [
+          302,
+          {
+            'Location' => login_url(service_url),
+            'Content-Type' => 'text/plain'
+          },
+          ["You are being redirected to CAS for sign-in."]
+        ]
+      end
+
+      def on_sso_path?
+        request.post? && request.params.has_key?('logoutRequest')
+      end
+
+      def single_sign_out_phase
+        logout_request_service.new(self, request).call(options)
+      end
+
+      def append_params(base, params)
+        params = params.each { |k,v| v = Rack::Utils.escape(v) }
+        Addressable::URI.parse(base).tap do |base_uri|
+          base_uri.query_values = (base_uri.query_values || {}).merge(params)
+        end.to_s
+      end
+
+      # Validate the Service Ticket
+      # @return [Object] the validated Service Ticket
+      def validate_service_ticket(ticket)
+        OmniAuth::Strategies::SAML::ServiceTicketValidator.new(self, options, callback_url, ticket).call
+      end
+
+    private
+
+      def fetch_raw_info(ticket)
+        ticket_user_info = validate_service_ticket(ticket).user_info
+        custom_user_info = options.fetch_raw_info.call(self, options, ticket, ticket_user_info)
+        self.raw_info = ticket_user_info.merge(custom_user_info)
+      end
+
+      # Deletes Hash pairs with `nil` values.
+      # From https://github.com/mkdynamic/omniauth-facebook/blob/972ed5e3456bcaed7df1f55efd7c05c216c8f48e/lib/omniauth/strategies/facebook.rb#L122-127
+      def prune!(hash)
+        hash.delete_if do |_, value|
+          prune!(value) if value.is_a?(Hash)
+          value.nil? || (value.respond_to?(:empty?) && value.empty?)
+        end
+      end
+
+      def return_url
+        # If the request already has a `url` parameter, then it will already be appended to the callback URL.
+        if request.params && request.params['url']
+          {}
+        else
+          { url: request.referer }
+        end
+      end
+
+      def logout_request_service
+        LogoutRequest
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'saml', 'SAML'

data/lib/omni_auth/strategies/wind/logout_request.rb

@@ -0,0 +1,62 @@
+# This is a clone of the OmniAuth CAS LogoutRequest for WIND
+# Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+# distributed under the MIT license
+# https://github.com/dlindahl/omniauth-cas
+module OmniAuth
+  module Strategies
+    class WIND
+      class LogoutRequest
+        def initialize(strategy, request)
+          @strategy, @request = strategy, request
+        end
+
+        def call(options = {})
+          @options = options
+
+          begin
+            result = single_sign_out_callback.call(*logout_request)
+          rescue StandardError => err
+            return @strategy.fail! :logout_request, err
+          else
+            result = [200,{},'OK'] if result == true || result.nil?
+          ensure
+            return unless result
+
+            # TODO: Why does ActionPack::Response return [status,headers,body]
+            # when Rack::Response#new wants [body,status,headers]? Additionally,
+            # why does Rack::Response differ in argument order from the usual
+            # Rack-like [status,headers,body] array?
+            return Rack::Response.new(result[2],result[0],result[1]).finish
+          end
+        end
+
+      private
+
+        def logout_request
+          @logout_request ||= begin
+            saml = Nokogiri.parse(@request.params['logoutRequest'])
+            name_id = saml.xpath('//saml:NameID').text
+            sess_idx = saml.xpath('//samlp:SessionIndex').text
+            inject_params(name_id:name_id, session_index:sess_idx)
+            @request
+          end
+        end
+
+        def inject_params(new_params)
+          rack_input = @request.env['rack.input'].read
+          params = Rack::Utils.parse_query(rack_input, '&').merge new_params
+          @request.env['rack.input'] = StringIO.new(Rack::Utils.build_query(params))
+        rescue
+          # A no-op intended to ensure that the ensure block is run
+          raise
+        ensure
+          @request.env['rack.input'].rewind
+        end
+
+        def single_sign_out_callback
+          @options[:on_single_sign_out]
+        end
+      end
+    end
+  end
+end

data/lib/omni_auth/strategies/wind/service_ticket_validator.rb

@@ -0,0 +1,49 @@
+# This is a clone of the OmniAuth CAS ServiceTicketValidator for WIND
+# Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+# distributed under the MIT license
+# https://github.com/dlindahl/omniauth-cas
+module OmniAuth
+  module Strategies
+    class WIND
+      class ServiceTicketValidator < OmniAuth::Strategies::CAS::ServiceTicketValidator
+        NS = {wind: 'http://www.columbia.edu/acis/rad/authmethods/wind'}
+        def parse_user_info(node)
+          return nil if node.nil?
+          
+          {}.tap do |hash|
+            node.children.each do |e|
+              node_name = e.name.sub(/^wind:/, '')
+              unless e.kind_of?(Nokogiri::XML::Text) || node_name == 'proxies'
+                # There are no child elements
+                if e.element_children.count == 0
+                  hash[node_name] = e.content
+                elsif e.element_children.count
+                  # WIND style affiliations
+                  if node_name == 'affiliations'
+                    hash.merge!(affiliations: e.xpath('wind:affil',NS).collect {|x| x.text})
+                  else
+                    hash[node_name] = [] if hash[node_name].nil?
+                    hash[node_name].push(parse_user_info(e))
+                  end
+                end
+              end
+            end
+          end
+        end
+        def find_authentication_success(body)
+          return nil if body.nil? || body == ''
+          begin
+            doc = Nokogiri::XML(body)
+            begin
+              doc.xpath('/wind:serviceResponse/wind:authenticationSuccess', NS)
+            rescue Nokogiri::XML::XPath::SyntaxError
+              doc.xpath('/serviceResponse/authenticationSuccess')
+            end
+          rescue Nokogiri::XML::XPath::SyntaxError
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omni_auth/strategies/wind.rb

@@ -0,0 +1,201 @@
+# This is a clone of the OmniAuth CAS Strategy for WIND
+# Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+# distributed under the MIT license
+# https://github.com/dlindahl/omniauth-cas
+require 'omniauth'
+require 'addressable/uri'
+
+module OmniAuth
+  module Strategies
+    class WIND
+      include OmniAuth::Strategy
+      # Custom Exceptions
+      class MissingWINDTicket < StandardError; end
+      class InvalidWINDTicket < StandardError; end
+      autoload :ServiceTicketValidator, 'omni_auth/strategies/wind/service_ticket_validator'
+      autoload :LogoutRequest, 'omni_auth/strategies/wind/logout_request'
+
+      attr_accessor :raw_info
+      alias_method :user_info, :raw_info
+
+      option :name, :wind # Required property by OmniAuth::Strategy
+
+      option :host, 'wind.columbia.edu'
+      option :port, nil
+      option :path, nil
+      option :ssl,  true
+      option :service_validate_url, '/validate'
+      option :login_url,            '/login'
+      option :service, nil
+      option :logout_url,           '/logout'
+      option :on_single_sign_out,   Proc.new {}
+      # A Proc or lambda that returns a Hash of additional user info to be
+      # merged with the info returned by the CAS server.
+      #
+      # @param [Object] An instance of OmniAuth::Strategies::CAS for the current request
+      # @param [String] The user's Service Ticket value
+      # @param [Hash] The user info for the Service Ticket returned by the CAS server
+      #
+      # @return [Hash] Extra user info
+      option :fetch_raw_info,       Proc.new { Hash.new }
+      # Make all the keys configurable with some defaults set here
+      option :uid_field, 'user'
+      option :name_key, 'name'
+      option :email_key, 'email'
+      option :nickname_key, 'user'
+      option :first_name_key, 'first_name'
+      option :last_name_key, 'last_name'
+      option :location_key, 'location'
+
+      # As required by https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+      AuthHashSchemaKeys = %w{name email nickname first_name last_name location}
+      info do
+        prune!({
+          name: raw_info[options[:name_key].to_s],
+          email: raw_info[options[:email_key].to_s],
+          nickname: raw_info[options[:nickname_key].to_s],
+          first_name: raw_info[options[:first_name_key].to_s],
+          last_name: raw_info[options[:last_name_key].to_s],
+          location: raw_info[options[:location_key].to_s],
+        })
+      end
+
+      extra do
+        prune!(
+          raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        )
+      end
+
+      uid do
+        raw_info[options[:uid_field].to_s]
+      end
+
+      credentials do
+        prune!({ ticket: @ticket })
+      end
+
+      def login_url(service)
+        wind_url + append_params(options.login_url, { destination: service, service: options.service })
+      end
+      def logout_url(service)
+        wind_url + append_params(options.logout_url, { destination: service})
+      end
+      # Build a WIND host with protocol and port
+      #
+      #
+      def wind_url
+        extract_url if options['url']
+        validate_wind_setup
+        @wind_url ||= begin
+          uri = Addressable::URI.new
+          uri.host = options.host
+          uri.scheme = options.ssl ? 'https' : 'http'
+          uri.port = options.port
+          uri.path = options.path
+          uri.to_s
+        end
+      end
+
+      def extract_url
+        url = Addressable::URI.parse(options.delete('url'))
+        options.merge!(
+          'host' => url.host,
+          'port' => url.port,
+          'path' => url.path,
+          'ssl' => url.scheme == 'https'
+        )
+      end
+
+      def validate_wind_setup
+        if options.host.nil? || options.login_url.nil?
+          raise ArgumentError.new(":host and :login_url MUST be provided")
+        end
+      end
+
+      def service_validate_url(service_url, ticket)
+        service_url = Addressable::URI.parse(service_url)
+        service_url.query_values = service_url.query_values.tap { |qs| qs.delete('ticketid') }
+        r = wind_url + append_params(options.service_validate_url, {
+          ticketid: ticket
+        })
+        r
+      end
+
+      def callback_phase
+        if on_sso_path?
+          single_sign_out_phase
+        else
+          @ticket = request.params['ticketid']
+          return fail!(:no_ticket, MissingWINDTicket.new('No WIND Ticket')) unless @ticket
+          fetch_raw_info(@ticket)
+          return fail!(:invalid_ticket, InvalidWINDTicket.new('Invalid WIND Ticket')) if raw_info.empty?
+          super
+        end
+      end
+      def request_phase
+        service_url = append_params(callback_url, return_url)
+
+        [
+          302,
+          {
+            'Location' => login_url(service_url),
+            'Content-Type' => 'text/plain'
+          },
+          ["You are being redirected to WIND for sign-in."]
+        ]
+      end
+
+      def on_sso_path?
+        request.post? && request.params.has_key?('logoutRequest')
+      end
+
+      def single_sign_out_phase
+        logout_request_service.new(self, request).call(options)
+      end
+
+      def append_params(base, params)
+        params = params.each { |k,v| v = Rack::Utils.escape(v) }
+        Addressable::URI.parse(base).tap do |base_uri|
+          base_uri.query_values = (base_uri.query_values || {}).merge(params)
+        end.to_s
+      end
+
+      # Validate the Service Ticket
+      # @return [Object] the validated Service Ticket
+      def validate_service_ticket(ticket)
+        OmniAuth::Strategies::WIND::ServiceTicketValidator.new(self, options, callback_url, ticket).call
+      end
+
+    private
+
+      def fetch_raw_info(ticket)
+        ticket_user_info = validate_service_ticket(ticket).user_info
+        custom_user_info = options.fetch_raw_info.call(self, options, ticket, ticket_user_info)
+        self.raw_info = ticket_user_info.merge(custom_user_info)
+      end
+
+      # Deletes Hash pairs with `nil` values.
+      # From https://github.com/mkdynamic/omniauth-facebook/blob/972ed5e3456bcaed7df1f55efd7c05c216c8f48e/lib/omniauth/strategies/facebook.rb#L122-127
+      def prune!(hash)
+        hash.delete_if do |_, value|
+          prune!(value) if value.is_a?(Hash)
+          value.nil? || (value.respond_to?(:empty?) && value.empty?)
+        end
+      end
+
+      def return_url
+        # If the request already has a `url` parameter, then it will already be appended to the callback URL.
+        if request.params && request.params['url']
+          {}
+        else
+          { url: request.referer }
+        end
+      end
+
+      def logout_request_service
+        LogoutRequest
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'wind', 'WIND'

data/lib/tasks/cul_omniauth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :cul_omniauth do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification
+name: cul_omniauth
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- barmintor
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-07-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
+- !ruby/object:Gem::Dependency
+  name: devise-guests
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: omniauth-cas
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+description: Engine and model mixins for Omniauth with CAS and SSL.
+email:
+- LASTNAME at gmail
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- Rakefile
+- app/assets/javascripts/cul/omniauth/application.js
+- app/assets/stylesheets/cul/omniauth/application.css
+- app/controllers/concerns/cul/omniauth/callbacks.rb
+- app/controllers/concerns/cul/omniauth/remote_ip_ability.rb
+- app/controllers/cul/omniauth/application_controller.rb
+- app/controllers/cul/omniauth/callbacks_controller.rb
+- app/helpers/cul/omniauth/application_helper.rb
+- app/models/concerns/cul/omniauth/abilities.rb
+- app/models/concerns/cul/omniauth/users.rb
+- app/views/layouts/cul/omniauth/application.html.erb
+- config/routes.rb
+- lib/cul/omniauth/ability_proxy.rb
+- lib/cul/omniauth/engine.rb
+- lib/cul/omniauth/failure_app.rb
+- lib/cul/omniauth/file_configurable.rb
+- lib/cul/omniauth/version.rb
+- lib/cul_omniauth.rb
+- lib/omni_auth/strategies/saml.rb
+- lib/omni_auth/strategies/saml/service_ticket_validator.rb
+- lib/omni_auth/strategies/wind.rb
+- lib/omni_auth/strategies/wind/logout_request.rb
+- lib/omni_auth/strategies/wind/service_ticket_validator.rb
+- lib/tasks/cul_omniauth_tasks.rake
+homepage: https://github.com/cul/cul_omniauth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.6
+signing_key: 
+specification_version: 4
+summary: Omniauth engine for CUL web apps.
+test_files: []