gds-sso 0.1.0

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in gds-sso.gemspec
+gemspec

data/README.md

@@ -0,0 +1,35 @@
+## Introduction
+
+GDS-SSO provides everything needed to integrate an application with the sign-on-o-tron single-sign-on
+(https://github.com/alphagov/sign-on-o-tron) as used by the Government Digital Service, though it
+will probably also work with a range of other oauth2 providers.
+
+It is a wrapper around omniauth that adds a 'strategy' for oAuth2 integration against sign-on-o-tron, 
+and the necessary controller to support that request flow.
+
+For more details on OmniAuth and oAuth2 integration see https://github.com/intridea/omniauth
+
+
+## Integration with a Rails 3+ app
+
+To use gds-sso tou will need an oauth client ID and secret for sign-on-o-tron or a compatible system.
+These can be provided by one of the team with admin access to sign-on-o-tron.
+
+Then include the gem in your Gemfile:
+
+gem 'gds-sso', :git => 'https://github.com/alphagov/gds-sso.git'
+
+Create a `config/initializers/gds-sso.rb` that looks like:
+
+    GDS::SSO.config do |config|
+      config.user_model   = 'User'
+      # set up ID and Secret in a way which doesn't require it to be checked in to source control...
+      config.oauth_id     = ENV['OAUTH_ID']
+      config.oauth_secret = ENV['OAUTH_SECRET']
+      # optional config for location of sign-on-o-tron
+      config.oauth_root_url = "http://localhost:3001"
+    end
+
+The user model needs to respond to klass.find_by_uid(uid), and must include the GDS::SSO::User module.
+
+You also need to include `GDS::SSO::ControllerMethods` in your ApplicationController

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/test*.rb']
+  t.verbose = true
+end

data/lib/gds-sso.rb

@@ -0,0 +1,41 @@
+require 'rails'
+
+require 'gds-sso/config'
+require 'gds-sso/omniauth_strategy'
+require 'gds-sso/warden_config'
+require 'gds-sso/routes'
+
+module GDS
+  module SSO
+    autoload :FailureApp,        'gds-sso/failure_app'
+    autoload :ControllerMethods, 'gds-sso/controller_methods'
+    autoload :User,              'gds-sso/user'
+
+    def self.config
+      yield GDS::SSO::Config
+    end
+
+    def self.default_strategy
+      if ['development', 'test'].include?(Rails.env) && ENV['GDS_SSO_STRATEGY'] != 'real'
+        :mock_gds_sso
+      else
+        :gds_sso
+      end
+    end
+
+    class Engine < ::Rails::Engine
+      # Force routes to be loaded if we are doing any eager load.
+      # TODO - check this one - Stolen from Devise because it looked sensible...
+      config.before_eager_load { |app| app.reload_routes! }
+
+      config.app_middleware.use ::OmniAuth::Builder do
+        provider :gds, GDS::SSO::Config.oauth_id, GDS::SSO::Config.oauth_secret
+      end
+
+      config.app_middleware.use Warden::Manager do |manager|
+        manager.default_strategies GDS::SSO.default_strategy
+        manager.failure_app = GDS::SSO::FailureApp
+      end
+    end
+  end
+end

data/lib/gds-sso/config.rb

@@ -0,0 +1,23 @@
+module GDS
+  module SSO
+    module Config
+      # Name of the User class
+      mattr_accessor :user_model
+      @@user_model = "User"
+
+      # OAuth ID
+      mattr_accessor :oauth_id
+
+      # OAuth Secret
+      mattr_accessor :oauth_secret
+
+      # Location of the OAuth server
+      mattr_accessor :oauth_root_url
+      @@oauth_root_url = "http://localhost:3001"
+
+      def self.user_klass
+        user_model.to_s.constantize
+      end
+    end
+  end
+end

data/lib/gds-sso/controller_methods.rb

@@ -0,0 +1,30 @@
+module GDS
+  module SSO
+    module ControllerMethods
+      def authenticate_user!
+        warden.authenticate!
+      end
+
+      def user_signed_in?
+        warden.authenticated?
+      end
+
+      def current_user
+        warden.user if user_signed_in?
+      end
+
+      def log_out
+        warden.log_out
+      end
+
+      def warden
+        request.env['warden']
+      end
+
+      def self.included(base)
+        base.helper_method :user_signed_in?
+        base.helper_method :current_user
+      end
+    end
+  end
+end

data/lib/gds-sso/failure_app.rb

@@ -0,0 +1,38 @@
+require "action_controller/metal"
+require 'rails'
+
+# Failure application that will be called every time :warden is thrown from
+# any strategy or hook. 
+module GDS
+  module SSO
+    class FailureApp < ActionController::Metal
+      include ActionController::RackDelegation
+      include ActionController::UrlFor
+      include ActionController::Redirecting
+      include Rails.application.routes.url_helpers
+
+      def self.call(env)
+        action(:respond).call(env)
+      end
+
+      def respond
+        redirect
+      end
+
+      def redirect
+        store_location!
+        redirect_to '/auth/gds'
+      end
+
+      # Stores requested uri to redirect the user after signing in. We cannot use
+      # scoped session provided by warden here, since the user is not authenticated
+      # yet, but we still need to store the uri based on scope, so different scopes
+      # would never use the same uri to redirect.
+
+      # TOTALLY NOT DOING THE SCOPE THING. PROBABLY SHOULD.
+      def store_location!
+        session["return_to"] = env['warden.options'][:attempted_path] if request.get?
+      end
+    end
+  end
+end

data/lib/gds-sso/omniauth_strategy.rb

@@ -0,0 +1,42 @@
+require 'omniauth/oauth'
+require 'multi_json'
+
+# Authenticate to GDS with OAuth 2.0 and retrieve
+# basic user information.
+#
+# @example Basic Usage
+#     use OmniAuth::Builder :gds, 'API Key', 'Secret Key'
+
+class OmniAuth::Strategies::Gds < OmniAuth::Strategies::OAuth2
+  # @param [Rack Application] app standard middleware application parameter
+  # @param [String] api_key the application id as [provided by GDS]
+  # @param [String] secret_key the application secret as [provided by Bitly]
+  def initialize(app, api_key = nil, secret_key = nil, options = {}, &block)
+    client_options = {
+      :site => "#{GDS::SSO::Config.oauth_root_url}/",
+      :authorize_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
+      :token_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
+      :access_token_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token"
+    }
+
+    super(app, :gds, api_key, secret_key, client_options, options, &block)
+  end
+
+  protected
+
+  def fetch_user_data
+    @access_token.get('/user.json')
+  end
+
+  def user_hash
+    @user_hash ||= MultiJson.decode(fetch_user_data)['user']
+  end
+
+  def build_auth_hash
+    {'uid' => user_hash['uid'], 'user_info' => {'name' => user_hash['name'], 'email' => user_hash['email']}, 'extra' => {'user_hash' => user_hash}}
+  end
+
+  def auth_hash
+    OmniAuth::Utils.deep_merge(super, build_auth_hash)
+  end
+end

data/lib/gds-sso/routes.rb

@@ -0,0 +1,20 @@
+module ActionDispatch::Routing
+  class Mapper
+    # Allow you to add authentication request from the router:
+    #
+    #   authenticate(:user) do
+    #     resources :post
+    #   end
+    #
+    # Stolen from devise
+    def authenticate(scope)
+      constraint = lambda do |request|
+        request.env["warden"].authenticate!(:scope => scope)
+      end
+
+      constraints(constraint) do
+        yield
+      end
+    end
+  end
+end

data/lib/gds-sso/user.rb

@@ -0,0 +1,23 @@
+require 'active_support/concern'
+
+module GDS
+  module SSO
+    module User
+      def self.user_params_from_auth_hash(auth_hash)
+        {'uid' => auth_hash['uid'], 'email' => auth_hash['user_info']['email'], 'name' => auth_hash['user_info']['name'], 'version' => auth_hash['extra']['user_hash']['version']}
+      end
+
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def find_for_gds_oauth(auth_hash)
+          if user = self.find_by_uid(auth_hash["uid"])
+            user
+          else # Create a new user.
+            self.create!(GDS::SSO::User.user_params_from_auth_hash(auth_hash))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gds-sso/warden_config.rb

@@ -0,0 +1,43 @@
+require 'warden'
+require 'omniauth/oauth'
+
+Warden::Manager.serialize_into_session do |user|
+  user.uid
+end
+
+Warden::Manager.serialize_from_session do |uid|
+  GDS::SSO::Config.user_klass.find_by_uid(uid)
+end
+
+Warden::Strategies.add(:gds_sso) do
+  def valid?
+    true
+  end
+
+  def authenticate!
+    if request.env['omniauth.auth'].nil?
+      fail!("No credentials, bub") 
+    else
+      user = prep_user(request.env['omniauth.auth'])
+      success!(user)
+    end
+  end
+
+  private
+
+  def prep_user(auth_hash)
+    user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
+    fail!("Couldn't process credentials") unless user
+    user
+  end
+end
+
+Warden::Strategies.add(:mock_gds_sso) do
+  def valid?
+    true
+  end
+
+  def authenticate!
+    success!(GDS::SSO::Config.user_klass.first)
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,5 @@
+require 'bundler'
+Bundler.setup :default, :development, :test
+
+require 'test/unit'
+require 'mocha'

data/test/test_omniauth_strategy.rb

@@ -0,0 +1,21 @@
+require 'test_helper'
+require 'json'
+require 'gds-sso'
+require 'gds-sso/omniauth_strategy'
+
+class TestOmniAuthStrategy < Test::Unit::TestCase
+  def setup
+    @strategy = OmniAuth::Strategies::Gds.new(:gds, 'client_id', 'client_secret')
+    @strategy.stubs(:fetch_user_data).returns({'user' => {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk', 'github' => 'fidothe', 'twitter' => 'fidothe'}}.to_json)
+  end
+
+  def test_basic_auth_hash_structure
+    assert_equal 'Matt Patterson', @strategy.send(:build_auth_hash)['user_info']['name']
+    assert_equal 'matt@alphagov.co.uk', @strategy.send(:build_auth_hash)['user_info']['email']
+  end
+
+  def test_extra_auth_hash_structure
+    expected = {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk', 'github' => 'fidothe', 'twitter' => 'fidothe'}    
+    assert_equal expected, @strategy.send(:build_auth_hash)['extra']['user_hash']
+  end
+end

data/test/test_user.rb

@@ -0,0 +1,19 @@
+require 'test_helper'
+require 'gds-sso/user'
+
+class TestUser < Test::Unit::TestCase
+  def setup
+    @auth_hash = {
+      'provider' => 'gds',
+      'uid' => 'abcde',
+      'credentials' => {'token' => 'abcdefg', 'secret' => 'abcdefg'},
+      'user_info' => {'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk'},
+      'extra' => {'user_hash' => {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk', 'github' => 'fidothe', 'twitter' => 'fidothe'}}
+    }
+  end
+
+  def test_user_params_creation
+    expected = {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk'}
+    assert_equal expected, GDS::SSO::User.user_params_from_auth_hash(@auth_hash)
+  end
+end

metadata

@@ -0,0 +1,119 @@
+--- !ruby/object:Gem::Specification
+name: gds-sso
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Matt Patterson
+- James Stewart
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-11-01 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: &70320597236800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70320597236800
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: &70320597236420 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70320597236420
+- !ruby/object:Gem::Dependency
+  name: oa-oauth
+  requirement: &70320597236000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70320597236000
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70320597235500 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :development
+  prerelease: false
+  version_requirements: *70320597235500
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: &70320597235040 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.0
+  type: :development
+  prerelease: false
+  version_requirements: *70320597235040
+description: Client for GDS' OAuth 2-based SSO
+email:
+- matt@constituentparts.com
+- james.stewart@digital.cabinet-office.gov.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/gds-sso/config.rb
+- lib/gds-sso/controller_methods.rb
+- lib/gds-sso/failure_app.rb
+- lib/gds-sso/omniauth_strategy.rb
+- lib/gds-sso/routes.rb
+- lib/gds-sso/user.rb
+- lib/gds-sso/warden_config.rb
+- lib/gds-sso.rb
+- README.md
+- Gemfile
+- Rakefile
+- test/test_helper.rb
+- test/test_omniauth_strategy.rb
+- test/test_user.rb
+homepage: https://github.com/alphagov/gds-sso
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: gds-sso
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Client for GDS' OAuth 2-based SSO
+test_files:
+- test/test_helper.rb
+- test/test_omniauth_strategy.rb
+- test/test_user.rb