eriko-omniauth-cas 1.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 38e39ed4f218491f1a36012d8ff4251a51412aa0
+  data.tar.gz: 373a1424d1cc93b5ba445f492c0137b17042a909
+SHA512:
+  metadata.gz: a011844945919e0c7c026ee4911dd30812f94da7073c1eacb53b8fda94074e29c1a3df01bb510ca058002e9938d6eac8671b95f1c2003c0ab18ccfdfe45c29ff
+  data.tar.gz: e5a94f7882809980c417a1925f07116ea9bf62382aa05341a60105a265ecc08dbf483b2283340bba67785f17ae7021c9fdb37b44f3078853a7fb64ba1ddc173c

data/.gitignore

@@ -0,0 +1,21 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+vendor
+
+# RSpec
+.rspec

data/.ruby-version

@@ -0,0 +1 @@
+2.0.0-p247

data/.travis.yml

@@ -0,0 +1,9 @@
+rvm:
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+branches:
+  only:
+    - master
+before_install:
+  - gem install bundler

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-cas.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2011 Derek Lindahl and CustomInk, LLC
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,112 @@
+# OmniAuth CAS Strategy [![Gem Version][version_badge]][version] [![Build Status][travis_status]][travis]
+
+[version_badge]: https://badge.fury.io/rb/omniauth-cas.png
+[version]: http://badge.fury.io/rb/omniauth-cas
+[travis]: http://travis-ci.org/dlindahl/omniauth-cas
+[travis_status]: https://secure.travis-ci.org/dlindahl/omniauth-cas.png
+[releases]: https://github.com/dlindahl/omniauth-cas/releases
+
+This is a OmniAuth 1.0 compatible port of the previously available
+[OmniAuth CAS strategy][old_omniauth_cas] that was bundled with OmniAuth 0.3.
+
+* [View the documentation][document_up]
+* [Changelog][releases]
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'omniauth-cas'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth-cas
+
+## Usage
+
+Use like any other OmniAuth strategy:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :cas, host: 'cas.yourdomain.com'
+end
+```
+
+### Configuration Options
+
+#### Required
+
+OmniAuth CAS requires at least one of the following two configuration options:
+
+  * `url` - Defines the URL of your CAS server (i.e. `http://example.org:8080`)
+  * `host` - Defines the host of your CAS server (i.e. `example.org`).
+
+#### Optional
+
+Other configuration options:
+
+  * `port` - The port to use for your configured CAS `host`. Optional if using `url`.
+  * `ssl` - TRUE to connect to your CAS server over SSL. Optional if using `url`.
+  * `service_validate_url` - The URL to use to validate a user. Defaults to `'/serviceValidate'`.
+  * `logout_url` - The URL to use to logout a user. Defaults to `'/logout'`.
+  * `login_url` - Defines the URL used to prompt users for their login information. Defaults to `/login` If no `host` is configured, the host application's domain will be used.
+  * `uid_field` - The user data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `ca_path` - Optional when `ssl` is `true`. Sets path of a CA certification directory. See [Net::HTTP][net_http] for more details.
+  * `disable_ssl_verification` - Optional when `ssl` is true. Disables verification.
+  * `on_single_sign_out` - Callback used when a [CAS 3.1 Single Sign Out][sso]
+    request is received.
+
+Configurable options for values returned by CAS:
+
+  * `uid_key` - The user ID data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `name_key` - The data attribute containing user first and last name.  Defaults to `'name'`.
+  * `email_key` - The data attribute containing user email address.  Defaults to `'email'`.
+  * `first_name_key` - The data attribute containing user first name.  Defaults to `'first_name'`.
+  * `last_name_key` - The data attribute containing user last name.  Defaults to `'last_name'`.
+  * `location_key` - The data attribute containing user location/address.  Defaults to `'location'`.
+  * `image_key` - The data attribute containing user image/picture.  Defaults to `'image'`.
+  * `phone_key` - The data attribute containing user contact phone number.  Defaults to `'phone'`.
+
+## Migrating from OmniAuth 0.3
+
+Given the following OmniAuth 0.3 configuration:
+
+```ruby
+provider :CAS, cas_server: 'https://cas.example.com/cas/'
+```
+
+Your new settings should look similar to this:
+
+```ruby
+provider :cas,
+         host:      'cas.example.com',
+         login_url: '/cas/login',
+  	     service_validate_url: '/cas/serviceValidate'
+```
+
+If you encounter problems wih SSL certificates you may want to set the `ca_path` parameter or activate `disable_ssl_verification` (not recommended).
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Thanks
+
+Special thanks go out to the following people
+
+  * Phillip Aldridge (@iterateNZ) and JB Barth (@jbbarth) for helping out with Issue #3
+  * Elber Ribeiro (@dynaum) for Ubuntu SSL configuration support
+  * @rbq for README updates and OmniAuth 0.3 migration guide
+
+[old_omniauth_cas]: https://github.com/intridea/omniauth/blob/0-3-stable/oa-enterprise/lib/omniauth/strategies/cas.rb
+[document_up]: http://dlindahl.github.com/omniauth-cas/
+[net_http]: http://ruby-doc.org/stdlib-1.9.3/libdoc/net/http/rdoc/Net/HTTP.html
+[sso]: https://wiki.jasig.org/display/CASUM/Single+Sign+Out

data/Rakefile

@@ -0,0 +1,15 @@
+#!/usr/bin/env rake
+require 'bundler/gem_tasks'
+
+require 'rspec/core/rake_task'
+desc 'Default: run specs.'
+task default: :spec
+
+desc 'Run specs'
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = '--require spec_helper --color --order rand'
+end
+
+task :test do
+  fail %q{This application uses RSpec. Try running "rake spec"}
+end

data/lib/omniauth/cas/version.rb

@@ -0,0 +1,5 @@
+module Omniauth
+  module Cas
+    VERSION = '1.0.4'
+  end
+end

data/lib/omniauth/cas.rb

@@ -0,0 +1,2 @@
+require 'omniauth/cas/version'
+require 'omniauth/strategies/cas'

data/lib/omniauth/strategies/cas/logout_request.rb

@@ -0,0 +1,65 @@
+module OmniAuth
+  module Strategies
+    class CAS
+      class LogoutRequest
+        def initialize(strategy, request)
+          @strategy = strategy
+          @request  = request
+        end
+
+        def call(options = {})
+          @options = options
+
+          begin
+            result = single_sign_out_callback.call *logout_request
+          rescue StandardError => err
+            return @strategy.fail! :logout_request, err
+          else
+            result = [200,{},'OK'] if result == true || result.nil?
+          ensure
+            return unless result
+
+            # TODO: Why does ActionPack::Response return [status,headers,body]
+            # when Rack::Response#new wants [body,status,headers]? Additionally,
+            # why does Rack::Response differ in argument order from the usual
+            # Rack-like [status,headers,body] array?
+            return Rack::Response.new(result[2],result[0],result[1]).finish
+          end
+        end
+
+      private
+
+        def logout_request
+          @logout_request ||= begin
+            saml     = Nokogiri.parse @request.params['logoutRequest']
+            name_id  = saml.xpath('//saml:NameID').text
+            sess_idx = saml.xpath('//samlp:SessionIndex').text
+
+            inject_params name_id:name_id, session_index:sess_idx
+
+            @request
+          end
+        end
+
+        def inject_params(new_params)
+          rack_input = @request.env['rack.input'].read
+          params = Rack::Utils.parse_query(rack_input, '&').merge new_params
+          @request.env['rack.input'] = StringIO.new(Rack::Utils.build_query(params))
+        rescue
+          # A no-op intended to ensure that the ensure block is run
+          raise
+        ensure
+          @request.env['rack.input'].rewind
+        end
+
+        def single_sign_out_callback
+          @options.fetch :on_single_sign_out, _fallback_callback_
+        end
+
+        def _fallback_callback_
+          Proc.new {}
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/cas/service_ticket_validator.rb

@@ -0,0 +1,100 @@
+require 'net/http'
+require 'net/https'
+require 'nokogiri'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      class ServiceTicketValidator
+
+        VALIDATION_REQUEST_HEADERS = { 'Accept' => '*/*' }
+
+        # Build a validator from a +configuration+, a
+        # +return_to+ URL, and a +ticket+.
+        #
+        # @param [Hash] options the OmniAuth Strategy options
+        # @param [String] return_to_url the URL of this CAS client service
+        # @param [String] ticket the service ticket to validate
+        def initialize(strategy, options, return_to_url, ticket)
+          @options = options
+          @uri = URI.parse(strategy.service_validate_url(return_to_url, ticket))
+        end
+
+        # Request validation of the ticket from the CAS server's
+        # serviceValidate (CAS 2.0) function.
+        #
+        # Swallows all XML parsing errors (and returns +nil+ in those cases).
+        #
+        # @return [Hash, nil] a user information hash if the response is valid; +nil+ otherwise.
+        #
+        # @raise any connection errors encountered.
+        def user_info
+          parse_user_info( find_authentication_success( get_service_response_body ) )
+        end
+
+      private
+
+        # turns an `<cas:authenticationSuccess>` node into a Hash;
+        # returns nil if given nil
+        def parse_user_info(node)
+          return nil if node.nil?
+
+          {}.tap do |hash|
+            node.children.each do |e|
+              node_name = e.name.sub(/^cas:/, '')
+              unless e.kind_of?(Nokogiri::XML::Text) ||
+                     node_name == 'proxies'
+                # There are no child elements
+                if e.element_children.count == 0
+                  hash[node_name] = e.content
+                elsif e.element_children.count
+                  # JASIG style extra attributes
+                  if node_name == 'attributes'
+                    hash.merge! parse_user_info e
+                  else
+                    hash[node_name] = [] if hash[node_name].nil?
+                    hash[node_name].push parse_user_info e
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        # finds an `<cas:authenticationSuccess>` node in
+        # a `<cas:serviceResponse>` body if present; returns nil
+        # if the passed body is nil or if there is no such node.
+        def find_authentication_success(body)
+          return nil if body.nil? || body == ''
+          begin
+            doc = Nokogiri::XML(body)
+            begin
+              doc.xpath('/cas:serviceResponse/cas:authenticationSuccess')
+            rescue Nokogiri::XML::XPath::SyntaxError
+              doc.xpath('/serviceResponse/authenticationSuccess')
+            end
+          rescue Nokogiri::XML::XPath::SyntaxError
+            nil
+          end
+        end
+
+        # retrieves the `<cas:serviceResponse>` XML from the CAS server
+        def get_service_response_body
+          result = ''
+          http = Net::HTTP.new(@uri.host, @uri.port)
+          http.use_ssl = @uri.port == 443 || @uri.instance_of?(URI::HTTPS)
+          if http.use_ssl?
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @options.disable_ssl_verification?
+            http.ca_path = @options.ca_path
+          end
+          http.start do |c|
+            response = c.get "#{@uri.path}?#{@uri.query}", VALIDATION_REQUEST_HEADERS.dup
+            result = response.body
+          end
+          result
+        end
+
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/cas.rb

@@ -0,0 +1,206 @@
+require 'omniauth/strategy'
+require 'addressable/uri'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      include OmniAuth::Strategy
+
+      # Custom Exceptions
+      class MissingCASTicket < StandardError; end
+      class InvalidCASTicket < StandardError; end
+
+      autoload :ServiceTicketValidator, 'omniauth/strategies/cas/service_ticket_validator'
+      autoload :LogoutRequest, 'omniauth/strategies/cas/logout_request'
+
+      attr_accessor :raw_info
+      alias_method :user_info, :raw_info
+
+      option :name, :cas # Required property by OmniAuth::Strategy
+
+      option :host, nil
+      option :port, nil
+      option :path, nil
+      option :ssl,  true
+      option :service_validate_url, '/serviceValidate'
+      option :login_url,            '/login'
+      option :logout_url,           '/logout'
+      # Make all the keys configurable with some defaults set here
+      option :uid_field,            'user'
+      option :name_key,             'name'
+      option :email_key,            'email'
+      option :first_name_key,       'first_name'
+      option :last_name_key,        'last_name'
+      option :location_key,         'location'
+      option :image_key,            'image'
+      option :phone_key,            'phone'
+
+      # As required by https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
+      AuthHashSchemaKeys = %w{name email first_name last_name location image phone}
+      info do
+        prune!({
+          :name       => raw_info[ @options[:name_key].to_s ],
+          :email      => raw_info[ @options[:email_key].to_s ],
+          :first_name => raw_info[ @options[:first_name_key].to_s ],
+          :last_name  => raw_info[ @options[:last_name_key].to_s ],
+          :location   => raw_info[ @options[:location_key].to_s ],
+          :image      => raw_info[ @options[:image_key].to_s ],
+          :phone      => raw_info[ @options[:phone_key].to_s ]
+        })
+      end
+
+      extra do
+        prune! raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+      end
+
+      uid do
+        raw_info[ @options[:uid_field].to_s ]
+      end
+
+      credentials do
+        prune!({
+          :ticket => @ticket
+        })
+      end
+
+
+      def callback_phase
+        if on_sso_path?
+          single_sign_out_phase
+        else
+          @ticket = request.params['ticket']
+          return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
+
+          self.raw_info = ServiceTicketValidator.new(self, @options, callback_url, @ticket).user_info
+
+          return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
+
+          super
+        end
+      end
+
+      def request_phase
+        service_url = append_params( callback_url, return_url )
+
+        [
+          302,
+          {
+            'Location' => login_url( service_url ),
+            'Content-Type' => 'text/plain'
+          },
+          ["You are being redirected to CAS for sign-in."]
+        ]
+      end
+
+      def on_sso_path?
+        request.post? && request.params.has_key?( 'logoutRequest' )
+      end
+
+      def single_sign_out_phase
+        logout_request_service.new(self, request).call @options
+      end
+
+      # Build a CAS host with protocol and port
+      #
+      #
+      def cas_url
+        extract_url if @options['url']
+
+        validate_cas_setup
+
+        @cas_url ||= begin
+          uri = Addressable::URI.new
+          uri.host   = @options.host
+          uri.scheme = @options.ssl ? 'https' : 'http'
+          uri.port   = @options.port
+          uri.path   = @options.path
+
+          uri.to_s
+        end
+      end
+
+      def extract_url
+        url = Addressable::URI.parse( @options.delete('url') )
+
+        @options.merge!(
+          'host' => url.host,
+          'port' => url.port,
+          'path' => url.path,
+          'ssl'  => url.scheme == 'https'
+        )
+      end
+
+      def validate_cas_setup
+        if @options.host.nil? || @options.login_url.nil?
+          raise ArgumentError.new(":host and :login_url MUST be provided")
+        end
+      end
+
+      # Build a service-validation URL from +service+ and +ticket+.
+      # If +service+ has a ticket param, first remove it. URL-encode
+      # +service+ and add it and the +ticket+ as paraemters to the
+      # CAS serviceValidate URL.
+      #
+      # @param [String] service the service (a.k.a. return-to) URL
+      # @param [String] ticket the ticket to validate
+      #
+      # @return [String] a URL like `http://cas.mycompany.com/serviceValidate?service=...&ticket=...`
+      def service_validate_url(service_url, ticket)
+        service_url = Addressable::URI.parse( service_url )
+        service_url.query_values = service_url.query_values.tap { |qs| qs.delete('ticket') }
+
+        cas_url + append_params(@options.service_validate_url, { :service => service_url.to_s, :ticket => ticket })
+      end
+
+      # Build a CAS login URL from +service+.
+      #
+      # @param [String] service the service (a.k.a. return-to) URL
+      #
+      # @return [String] a URL like `http://cas.mycompany.com/login?service=...`
+      def login_url(service)
+        cas_url + append_params( @options.login_url, { :service => service })
+      end
+
+      # Adds URL-escaped +parameters+ to +base+.
+      #
+      # @param [String] base the base URL
+      # @param [String] params the parameters to append to the URL
+      #
+      # @return [String] the new joined URL.
+      def append_params(base, params)
+        params = params.each { |k,v| v = Rack::Utils.escape(v) }
+
+        Addressable::URI.parse(base).tap do |base_uri|
+          base_uri.query_values = (base_uri.query_values || {}).merge( params )
+        end.to_s
+      end
+
+    private
+
+      # Deletes Hash pairs with `nil` values.
+      # From https://github.com/mkdynamic/omniauth-facebook/blob/972ed5e3456bcaed7df1f55efd7c05c216c8f48e/lib/omniauth/strategies/facebook.rb#L122-127
+      def prune!(hash)
+        hash.delete_if do |_, value|
+          prune!(value) if value.is_a?(Hash)
+          value.nil? || (value.respond_to?(:empty?) && value.empty?)
+        end
+      end
+
+      def return_url
+        # If the request already has a `url` parameter, then it will already be appended to the callback URL.
+        if request.params and request.params['url']
+          {}
+        else
+          { :url => request.referer }
+        end
+      end
+
+      def logout_request_service
+        LogoutRequest
+      end
+
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'cas', 'CAS'

data/lib/omniauth-cas.rb

@@ -0,0 +1 @@
+require "omniauth/cas"

data/omniauth-cas.gemspec

@@ -0,0 +1,29 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth/cas/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Derek Lindahl","Erik Ordway"]
+  gem.email         = ["dlindahl@customink.com","eriko@jumpsuit.org"]
+  gem.summary       = %q{CAS Strategy for OmniAuth}
+  gem.description   = gem.summary
+  gem.homepage      = "https://github.com/eriko/omniauth-cas"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "eriko-omniauth-cas"
+  gem.require_paths = ["lib"]
+  gem.version       = Omniauth::Cas::VERSION
+
+  gem.add_dependency 'omniauth',                '~> 1.1.0'
+  gem.add_dependency 'nokogiri',                '~> 1.5'
+  gem.add_dependency 'addressable',             '~> 2.3'
+
+  gem.add_development_dependency 'rake',        '~> 0.9'
+  gem.add_development_dependency 'webmock',     '~> 1.16.0'
+  gem.add_development_dependency 'simplecov',   '~> 0.8.1'
+  gem.add_development_dependency 'rspec',       '~> 2.99.0.beta1'
+  gem.add_development_dependency 'rack-test',   '~> 0.6'
+
+  gem.add_development_dependency 'awesome_print'
+end

data/spec/fixtures/cas_failure.xml

@@ -0,0 +1,4 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationFailure>
+  </cas:authenticationFailure>
+</cas:serviceResponse>

data/spec/fixtures/cas_success.xml

@@ -0,0 +1,14 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationSuccess>
+    <cas:user>psegel</cas:user>
+    <cas:employeeid>54</cas:employeeid>
+    <cas:first_name>P. Segel</cas:first_name>
+    <cas:first_name>Peter</cas:first_name>
+    <cas:last_name>Segel</cas:last_name>
+    <cas:email>psegel@intridea.com</cas:email>
+    <cas:location>Washington, D.C.</cas:location>
+    <cas:image>/images/user.jpg</cas:image>
+    <cas:phone>555-555-5555</cas:phone>
+    <cas:hire_date>2004-07-13</cas:hire_date>
+  </cas:authenticationSuccess>
+</cas:serviceResponse>

data/spec/fixtures/cas_success_jasig.xml

@@ -0,0 +1,16 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationSuccess>
+    <cas:user>psegel</cas:user>
+    <cas:attributes>
+      <cas:employeeid>54</cas:employeeid>
+      <cas:first_name>P. Segel</cas:first_name>
+      <cas:first_name>Peter</cas:first_name>
+      <cas:last_name>Segel</cas:last_name>
+      <cas:email>psegel@intridea.com</cas:email>
+      <cas:location>Washington, D.C.</cas:location>
+      <cas:image>/images/user.jpg</cas:image>
+      <cas:phone>555-555-5555</cas:phone>
+      <cas:hire_date>2004-07-13</cas:hire_date>
+    </cas:attributes>
+  </cas:authenticationSuccess>
+</cas:serviceResponse>

data/spec/omniauth/strategies/cas/logout_request_spec.rb

@@ -0,0 +1,123 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS::LogoutRequest do
+  let(:strategy) { double('strategy') }
+
+  let(:env) do
+    { 'rack.input' => StringIO.new('','r') }
+  end
+
+  let(:request) { double('request', params:params, env:env) }
+
+  let(:params) { { 'url' => url, 'logoutRequest' => logoutRequest } }
+
+  let(:url) { 'http://notes.dev/signed_in' }
+
+  let(:logoutRequest) do
+    %Q[
+      <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion\" ID="123abc-1234-ab12-cd34-1234abcd" Version="2.0" IssueInstant="#{Time.now.to_s}">
+        <saml:NameID>@NOT_USED@</saml:NameID>
+        <samlp:SessionIndex>ST-123456-123abc456def</samlp:SessionIndex>
+      </samlp:LogoutRequest>
+    ]
+  end
+
+  subject { described_class.new(strategy, request).call(options) }
+
+  describe 'with no configured SSO callback' do
+    let(:options) { {} }
+
+    it 'responds with OK' do
+      expect(subject[0]).to eq 200
+      expect(subject[2].body).to eq ['OK']
+    end
+  end
+
+  describe 'SAML attributes' do
+    let(:callback) { Proc.new{} }
+
+    let(:options) do
+      {
+        on_single_sign_out: callback
+      }
+    end
+
+    before do
+      @rack_input = nil
+
+      callback.stub(:call) do |req|
+        @rack_input = req.env['rack.input'].read
+        true
+      end
+
+      subject
+    end
+
+    it 'are parsed and injected into the Rack Request parameters' do
+      expect(@rack_input).to eq 'name_id=%40NOT_USED%40&session_index=ST-123456-123abc456def'
+    end
+
+    context 'that raise when parsed' do
+      let(:env) { { 'rack.input' => nil } }
+
+      before do
+        strategy.stub :fail!
+        subject
+      end
+
+      it 'responds with an error' do
+        expect(strategy).to have_received(:fail!)
+      end
+    end
+  end
+
+  describe 'with a configured callback' do
+    let(:options) do
+      {
+        on_single_sign_out: callback
+      }
+    end
+
+    context 'that returns TRUE' do
+      let(:callback) { Proc.new{true} }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 200
+        expect(subject[2].body).to eq ['OK']
+      end
+    end
+
+    context 'that returns Nil' do
+      let(:callback) { Proc.new{} }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 200
+        expect(subject[2].body).to eq ['OK']
+      end
+    end
+
+    context 'that returns a tuple' do
+      let(:callback) { Proc.new{ [400,{},'Bad Request'] } }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 400
+        expect(subject[2].body).to eq ['Bad Request']
+      end
+    end
+
+    context 'that raises an error' do
+      let(:exception) { RuntimeError.new('error' )}
+      let(:callback) { Proc.new{raise exception} }
+
+      before do
+        strategy.stub :fail!
+        subject
+      end
+
+      it 'responds with an error' do
+        expect(strategy).to have_received(:fail!)
+          .with(:logout_request, exception)
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/cas/service_ticket_validator_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS::ServiceTicketValidator do
+  let(:strategy) do
+    double('strategy',
+      service_validate_url: 'https://example.org/serviceValidate'
+    )
+  end
+
+  let(:provider_options) do
+    double('provider_options',
+      disable_ssl_verification?: false,
+      ca_path: '/etc/ssl/certsZOMG'
+    )
+  end
+
+  let(:validator) do
+    OmniAuth::Strategies::CAS::ServiceTicketValidator.new( strategy, provider_options, '/foo', nil )
+  end
+
+  describe '#user_info' do
+    before do
+      stub_request(:get, 'https://example.org/serviceValidate?')
+        .to_return(status: 200, body: '')
+      validator.user_info
+    end
+
+    it 'uses the configured CA path' do
+      expect(provider_options).to have_received :ca_path
+    end
+  end
+end

data/spec/omniauth/strategies/cas_spec.rb

@@ -0,0 +1,250 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS, type: :strategy do
+  include Rack::Test::Methods
+
+  let(:my_cas_provider) { Class.new(OmniAuth::Strategies::CAS) }
+  before do
+    stub_const 'MyCasProvider', my_cas_provider
+  end
+  let(:app) do
+    Rack::Builder.new {
+      use OmniAuth::Test::PhonySession
+      use MyCasProvider, name: :cas, host: 'cas.example.org', ssl: false, port: 8080, uid_field: :employeeid
+      run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+    }.to_app
+  end
+
+  # TODO: Verify that these are even useful tests
+  shared_examples_for 'a CAS redirect response' do
+    let(:redirect_params) { 'service=' + Rack::Utils.escape("http://example.org/auth/cas/callback?url=#{Rack::Utils.escape(return_url)}") }
+
+    before { get url, nil, request_env }
+
+    subject { last_response }
+
+    it { should be_redirect }
+
+    it 'redirects to the CAS server' do
+      expect(subject.headers).to include 'Location' => "http://cas.example.org:8080/login?#{redirect_params}"
+    end
+  end
+
+  describe '#cas_url' do
+    let(:params) { Hash.new }
+
+    let(:provider) { MyCasProvider.new(nil, params) }
+
+    subject { provider.cas_url }
+
+    it 'raises an ArgumentError' do
+      expect{subject}.to raise_error ArgumentError, %r{:host and :login_url MUST be provided}
+    end
+
+    context 'with an explicit :url option' do
+      let(:url) { 'https://example.org:8080/my_cas' }
+
+      let(:params) { super().merge url:url }
+
+      before { subject }
+
+      it { should eq url }
+
+      it 'parses the URL into it the appropriate strategy options' do
+        expect(provider.options).to include ssl:true
+        expect(provider.options).to include host:'example.org'
+        expect(provider.options).to include port:8080
+        expect(provider.options).to include path:'/my_cas'
+      end
+    end
+
+    context 'with explicit URL component' do
+      let(:params) { super().merge host:'example.org', port:1234, ssl:true, path:'/a/path' }
+
+      before { subject }
+
+      it { should eq 'https://example.org:1234/a/path' }
+
+      it 'parses the URL into it the appropriate strategy options' do
+        expect(provider.options).to include ssl:true
+        expect(provider.options).to include host:'example.org'
+        expect(provider.options).to include port:1234
+        expect(provider.options).to include path:'/a/path'
+      end
+    end
+  end
+
+  describe 'defaults' do
+    subject { MyCasProvider.default_options.to_hash }
+
+    it { should include('ssl' => true) }
+  end
+
+  describe 'GET /auth/cas' do
+    let(:return_url) { 'http://myapp.com/admin/foo' }
+
+    context 'with a referer' do
+      let(:url) { '/auth/cas' }
+
+      let(:request_env) { { 'HTTP_REFERER' => return_url } }
+
+      it_behaves_like 'a CAS redirect response'
+    end
+
+    context 'with an explicit return URL' do
+      let(:url) { "/auth/cas?url=#{return_url}" }
+
+      let(:request_env) { {} }
+
+      it_behaves_like 'a CAS redirect response'
+    end
+  end
+
+  describe 'GET /auth/cas/callback' do
+    context 'without a ticket' do
+      before { get '/auth/cas/callback' }
+
+      subject { last_response }
+
+      it { should be_redirect }
+
+      it 'redirects with a failure message' do
+        expect(subject.headers).to include 'Location' => '/auth/failure?message=no_ticket&strategy=cas'
+      end
+    end
+
+    context 'with an invalid ticket' do
+      before do
+        stub_request(:get, /^http:\/\/cas.example.org:8080?\/serviceValidate\?([^&]+&)?ticket=9391d/).
+           to_return( body: File.read('spec/fixtures/cas_failure.xml') )
+        get '/auth/cas/callback?ticket=9391d'
+      end
+
+      subject { last_response }
+
+      it { should be_redirect }
+
+      it 'redirects with a failure message' do
+        expect(subject.headers).to include 'Location' => '/auth/failure?message=invalid_ticket&strategy=cas'
+      end
+    end
+
+    describe 'with a valid ticket' do
+      shared_examples :successful_validation do
+        before do
+          stub_request(:get, /^http:\/\/cas.example.org:8080?\/serviceValidate\?([^&]+&)?ticket=593af/)
+            .with { |request| @request_uri = request.uri.to_s }
+            .to_return( body: File.read("spec/fixtures/#{xml_file_name}") )
+
+          get "/auth/cas/callback?ticket=593af&url=#{return_url}"
+        end
+
+        it 'strips the ticket parameter from the callback URL' do
+          expect(@request_uri.scan('ticket=').size).to eq 1
+        end
+
+        it 'properly encodes the service URL' do
+          WebMock.should have_requested(:get, 'http://cas.example.org:8080/serviceValidate')
+            .with(query: {
+              ticket:  '593af',
+              service: 'http://example.org/auth/cas/callback?url=' + Rack::Utils.escape('http://127.0.0.10/?some=parameter')
+            })
+        end
+
+        context "request.env['omniauth.auth']" do
+          subject { last_request.env['omniauth.auth'] }
+
+          it { should be_kind_of Hash }
+
+          it 'identifes the provider' do
+            expect(subject.provider).to eq :cas
+          end
+
+          it 'returns the UID of the user' do
+            expect(subject.uid).to eq '54'
+          end
+
+          context 'the info hash' do
+            subject { last_request.env['omniauth.auth']['info'] }
+
+            it 'includes user info attributes' do
+              expect(subject.name).to eq 'Peter Segel'
+              expect(subject.first_name).to eq 'Peter'
+              expect(subject.last_name).to eq 'Segel'
+              expect(subject.email).to eq 'psegel@intridea.com'
+              expect(subject.location).to eq 'Washington, D.C.'
+              expect(subject.image).to eq '/images/user.jpg'
+              expect(subject.phone).to eq '555-555-5555'
+            end
+          end
+
+          context 'the extra hash' do
+            subject { last_request.env['omniauth.auth']['extra'] }
+
+            it 'includes additional user attributes' do
+              expect(subject.user).to eq 'psegel'
+              expect(subject.employeeid).to eq '54'
+              expect(subject.hire_date).to eq '2004-07-13'
+            end
+          end
+
+          context 'the credentials hash' do
+            subject { last_request.env['omniauth.auth']['credentials'] }
+
+            it 'has a ticket value' do
+              expect(subject.ticket).to eq '593af'
+            end
+          end
+        end
+
+        it 'calls through to the master app' do
+          expect(last_response.body).to eq 'true'
+        end
+      end
+
+      let(:return_url) { 'http://127.0.0.10/?some=parameter' }
+
+      context 'with JASIG flavored XML' do
+        let(:xml_file_name) { 'cas_success_jasig.xml' }
+
+        it_behaves_like :successful_validation
+      end
+
+      context 'with classic XML' do
+        let(:xml_file_name) { 'cas_success.xml' }
+
+        it_behaves_like :successful_validation
+      end
+    end
+  end
+
+  describe 'POST /auth/cas/callback' do
+    describe 'with a Single Sign-Out logoutRequest' do
+      let(:logoutRequest) do
+        %Q[
+          <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion\" ID="123abc-1234-ab12-cd34-1234abcd" Version="2.0" IssueInstant="#{Time.now.to_s}">
+            <saml:NameID>@NOT_USED@</saml:NameID>
+            <samlp:SessionIndex>ST-123456-123abc456def</samlp:SessionIndex>
+          </samlp:LogoutRequest>
+        ]
+      end
+
+      let(:logout_request) { double('logout_request', call:[200,{},'OK']) }
+
+      subject do
+        post 'auth/cas/callback', logoutRequest:logoutRequest
+      end
+
+      before do
+        MyCasProvider.any_instance.stub(:logout_request_service)
+          .and_return double('LogoutRequest', new:logout_request)
+
+        subject
+      end
+
+      it 'initializes a LogoutRequest' do
+        expect(logout_request).to have_received :call
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,19 @@
+require 'bundler/setup'
+require 'awesome_print'
+
+RSpec.configure do |c|
+  c.filter_run focus: true
+  c.run_all_when_everything_filtered = true
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+end
+
+require 'simplecov'
+SimpleCov.start do
+  add_filter '.bundle'
+end
+
+require 'rack/test'
+require 'webmock/rspec'
+require 'omniauth-cas'
+
+OmniAuth.config.logger = Logger.new( '/dev/null' )

metadata

@@ -0,0 +1,199 @@
+--- !ruby/object:Gem::Specification
+name: eriko-omniauth-cas
+version: !ruby/object:Gem::Version
+  version: 1.0.4
+platform: ruby
+authors:
+- Derek Lindahl
+- Erik Ordway
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-02-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.16.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.99.0.beta1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.99.0.beta1
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: CAS Strategy for OmniAuth
+email:
+- dlindahl@customink.com
+- eriko@jumpsuit.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .ruby-version
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/omniauth-cas.rb
+- lib/omniauth/cas.rb
+- lib/omniauth/cas/version.rb
+- lib/omniauth/strategies/cas.rb
+- lib/omniauth/strategies/cas/logout_request.rb
+- lib/omniauth/strategies/cas/service_ticket_validator.rb
+- omniauth-cas.gemspec
+- spec/fixtures/cas_failure.xml
+- spec/fixtures/cas_success.xml
+- spec/fixtures/cas_success_jasig.xml
+- spec/omniauth/strategies/cas/logout_request_spec.rb
+- spec/omniauth/strategies/cas/service_ticket_validator_spec.rb
+- spec/omniauth/strategies/cas_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/eriko/omniauth-cas
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: CAS Strategy for OmniAuth
+test_files:
+- spec/fixtures/cas_failure.xml
+- spec/fixtures/cas_success.xml
+- spec/fixtures/cas_success_jasig.xml
+- spec/omniauth/strategies/cas/logout_request_spec.rb
+- spec/omniauth/strategies/cas/service_ticket_validator_spec.rb
+- spec/omniauth/strategies/cas_spec.rb
+- spec/spec_helper.rb