ginjo-omniauth-slack 2.4.0

data/lib/omniauth/strategies/slack.rb

@@ -0,0 +1,394 @@
+require 'omniauth/strategies/oauth2'
+require 'thread'
+
+module OmniAuth
+  module Strategies
+    
+    class Slack < OmniAuth::Strategies::OAuth2
+      option :name, 'slack'
+
+      option :authorize_options, [:scope, :team, :team_domain, :redirect_uri]
+
+      option :client_options, {
+        site: 'https://slack.com',
+        token_url: '/api/oauth.access'
+      }
+
+      # Add team_domain to site subdomain if provided in auth url or provider options. 
+      option :setup, lambda{|env|
+        strategy = env['omniauth.strategy']
+        team_domain = strategy.request.params['team_domain'] || strategy.options[:team_domain]
+        site = strategy.options[:client_options]['site']
+        strategy.options[:client_options].site = (
+          !team_domain.to_s.empty? ? site.sub(/\:\\\\/, "://#{team_domain}.") : site
+        )
+      }
+      
+      option :auth_token_params, {
+        mode: :query,
+        param_name: 'token'
+      }
+      
+      option :preload_data_with_threads, 0
+      
+      option :include_data, []
+      
+      option :exclude_data, []
+      
+      option :additional_data, {}
+      
+      # User ID is not guaranteed to be globally unique across all Slack users.
+      # The combination of user ID and team ID, on the other hand, is guaranteed
+      # to be globally unique.
+      uid { "#{user_id}-#{team_id}" }
+      
+      credentials do
+        {
+          token: auth['token'],
+          scope: (is_app_token? ? all_scopes : auth['scope']),
+          expires: false
+        }
+      end
+
+      info do
+        define_additional_data
+        semaphore
+        
+        num_threads = options.preload_data_with_threads.to_i
+        if num_threads > 0 && !skip_info?
+          preload_data_with_threads(num_threads)
+        end
+      
+        # Start with only what we can glean from the authorization response.
+        hash = { 
+          name: auth['user'].to_h['name'],
+          email: auth['user'].to_h['email'],
+          user_id: user_id,
+          team_name: auth['team_name'] || auth['team'].to_h['name'],
+          team_id: team_id,
+          image: auth['team'].to_h['image_48']
+        }
+
+        # Now add everything else, using further calls to the api, if necessary.
+        unless skip_info?
+          %w(first_name last_name phone skype avatar_hash real_name real_name_normalized).each do |key|
+            hash[key.to_sym] = (
+              user_info['user'].to_h['profile'] ||
+              user_profile['profile']
+            ).to_h[key]
+          end
+
+          %w(deleted status color tz tz_label tz_offset is_admin is_owner is_primary_owner is_restricted is_ultra_restricted is_bot has_2fa).each do |key|
+            hash[key.to_sym] = user_info['user'].to_h[key]
+          end
+
+          more_info = {
+            image: (
+              hash[:image] ||
+              user_identity.to_h['image_48'] ||
+              user_info['user'].to_h['profile'].to_h['image_48'] ||
+              user_profile['profile'].to_h['image_48']
+              ),
+            name:(
+              hash[:name] ||
+              user_identity['name'] ||
+              user_info['user'].to_h['real_name'] ||
+              user_profile['profile'].to_h['real_name']
+              ),
+            email:(
+              hash[:email] ||
+              user_identity.to_h['email'] ||
+              user_info['user'].to_h['profile'].to_h['email'] ||
+              user_profile['profile'].to_h['email']
+              ),
+            team_name:(
+              hash[:team_name] ||
+              team_identity.to_h['name'] ||
+              team_info['team'].to_h['name']
+              ),
+            team_domain:(
+              auth['team'].to_h['domain'] ||
+              team_identity.to_h['domain'] ||
+              team_info['team'].to_h['domain']
+              ),
+            team_image:(
+              auth['team'].to_h['image_44'] ||
+              team_identity.to_h['image_44'] ||
+              team_info['team'].to_h['icon'].to_h['image_44']
+              ),
+            team_email_domain:(
+              team_info['team'].to_h['email_domain']
+              ),
+            nickname:(
+              user_info.to_h['user'].to_h['name'] ||
+              auth['user'].to_h['name'] ||
+              user_identity.to_h['name']
+              ),
+          }
+          
+          hash.merge!(more_info)
+        end
+        hash
+      end
+
+      extra do
+        {
+          scopes_requested: (env['omniauth.params'] && env['omniauth.params']['scope']) || \
+            (env['omniauth.strategy'] && env['omniauth.strategy'].options && env['omniauth.strategy'].options.scope),
+          web_hook_info: web_hook_info,
+          bot_info: auth['bot'] || bot_info['bot'],
+          auth: auth,
+          identity: identity,
+          user_info: user_info,
+          user_profile: user_profile,
+          team_info: team_info,
+          apps_permissions_users_list: apps_permissions_users_list,
+          additional_data: get_additional_data,
+          raw_info: @raw_info
+        }
+      end
+      
+      # Pass on certain authorize_params to the Slack authorization GET request.
+      # See https://github.com/omniauth/omniauth/issues/390
+      def authorize_params
+        super.tap do |params|
+          %w(scope team redirect_uri).each do |v|
+            if !request.params[v].to_s.empty?
+              params[v.to_sym] = request.params[v]
+            end
+          end
+        end
+      end
+      
+      # Get a new OAuth2::Client and define custom capabilities.
+      # * verrides super :client method.
+      #
+      # * Log API requests with OmniAuth.logger
+      # * Add API responses to @raw_info hash
+      #
+      def client
+        st_raw_info = raw_info
+        new_client = super
+        log(:debug, "New client #{new_client}.")
+        
+        new_client.instance_eval do
+          define_singleton_method(:request) do |*args|
+            OmniAuth.logger.send(:debug, "(slack) API request #{args[0..1]}; in thread #{Thread.current.object_id}.")
+            request_output = super(*args)
+            uri = args[1].to_s.gsub(/^.*\/([^\/]+)/, '\1') # use single-quote or double-back-slash for replacement.
+            st_raw_info[uri.to_s]= request_output
+            request_output
+          end
+        end
+        new_client
+      end
+      
+      # Dropping query_string from callback_url prevents some errors in call to /api/oauth.access.
+      def callback_url
+        full_host + script_name + callback_path
+      end
+
+      def identity
+        return {} unless !skip_info? && has_scope?(identity: ['identity.basic','identity:read:user']) && is_not_excluded?
+        semaphore.synchronize {
+          @identity_raw ||= access_token.get('/api/users.identity', headers: {'X-Slack-User' => user_id})
+          @identity ||= @identity_raw.parsed
+        }
+      end
+      
+      
+      private
+      
+      def initialize(*args)
+        super
+        @main_semaphore = Mutex.new
+        @semaphores = {}
+      end
+      
+      # Get a mutex specific to the calling method.
+      # This operation is synchronized with its own mutex.
+      def semaphore(method_name = caller[0][/`([^']*)'/, 1])
+        @main_semaphore.synchronize {
+          @semaphores[method_name] ||= Mutex.new
+        }
+      end
+      
+      def active_methods
+        @active_methods ||= (
+          includes = [options.include_data].flatten.compact
+          excludes = [options.exclude_data].flatten.compact unless includes.size > 0
+          method_list = %w(apps_permissions_users_list identity user_info user_profile team_info bot_info)  #.concat(options[:additional_data].keys)
+          if includes.size > 0
+            method_list.keep_if {|m| includes.include?(m.to_s) || includes.include?(m.to_s.to_sym)}
+          elsif excludes.size > 0
+            method_list.delete_if {|m| excludes.include?(m.to_s) || excludes.include?(m.to_s.to_sym)}
+          end
+          log :debug, "Activated API calls: #{method_list}."
+          log :debug, "Activated additional_data calls: #{options.additional_data.keys}."
+          method_list
+        )
+      end
+      
+      def is_not_excluded?(method_name = caller[0][/`([^']*)'/, 1])
+        active_methods.include?(method_name.to_s) || active_methods.include?(method_name.to_s.to_sym)
+      end
+      
+      # Preload additional api calls with a pool of threads.
+      def preload_data_with_threads(num_threads)
+        return unless num_threads > 0
+        preload_methods = active_methods.concat(options[:additional_data].keys)
+        log :info, "Preloading (#{preload_methods.size}) data requests using (#{num_threads}) threads."
+        work_q = Queue.new
+        preload_methods.each{|x| work_q.push x }
+        workers = num_threads.to_i.times.map do
+          Thread.new do
+            begin
+              while x = work_q.pop(true)
+                log :debug, "Preloading #{x}."
+                send x
+              end
+            rescue ThreadError
+            end
+          end
+        end
+        workers.map(&:join); "ok"
+      end
+      
+      # Define methods for addional data from :additional_data option
+      def define_additional_data
+        hash = options[:additional_data]
+        if !hash.to_h.empty?
+          hash.each do |k,v|
+            define_singleton_method(k) do
+              instance_variable_get(:"@#{k}") || 
+              instance_variable_set(:"@#{k}", v.respond_to?(:call) ? v.call(env) : v)
+            end
+          end
+        end
+      end
+      
+      def get_additional_data
+        if skip_info?
+          {}
+        else
+          options[:additional_data].inject({}) do |hash,tupple|
+            hash[tupple[0].to_s] = send(tupple[0].to_s)
+            hash
+          end
+        end
+      end
+      
+      # Parsed data returned from /slack/oauth.access api call.
+      def auth
+        @auth ||= access_token.params.to_h.merge({'token' => access_token.token})
+      end
+
+      def user_identity
+        @user_identity ||= identity['user'].to_h
+      end
+
+      def team_identity
+        @team_identity ||= identity['team'].to_h
+      end
+
+      def user_info
+        return {} unless !skip_info? && has_scope?(identity: 'users:read', team: 'users:read') && is_not_excluded?
+        semaphore.synchronize {
+          @user_info_raw ||= access_token.get('/api/users.info', params: {user: user_id}, headers: {'X-Slack-User' => user_id})
+          @user_info ||= @user_info_raw.parsed
+        }
+      end
+      
+      def user_profile
+        return {} unless !skip_info? && has_scope?(identity: 'users.profile:read', team: 'users.profile:read') && is_not_excluded?
+        semaphore.synchronize {
+          @user_profile_raw ||= access_token.get('/api/users.profile.get', params: {user: user_id}, headers: {'X-Slack-User' => user_id})
+          @user_profile ||= @user_profile_raw.parsed
+        }
+      end
+
+      def team_info
+        return {} unless !skip_info? && has_scope?(identity: 'team:read', team: 'team:read') && is_not_excluded?
+        semaphore.synchronize {
+          @team_info_raw ||= access_token.get('/api/team.info')
+          @team_info ||= @team_info_raw.parsed
+        }
+      end
+
+      def web_hook_info
+        return {} unless auth.key? 'incoming_webhook'
+        auth['incoming_webhook']
+      end
+      
+      def bot_info
+        return {} unless !skip_info? && has_scope?(identity: 'users:read') && is_not_excluded?
+        semaphore.synchronize {
+          @bot_info_raw ||= access_token.get('/api/bots.info')
+          @bot_info ||= @bot_info_raw.parsed
+        }
+      end
+      
+      def user_id
+        auth['user_id'] || auth['user'].to_h['id'] || auth['authorizing_user'].to_h['user_id']
+      end
+      
+      def team_id
+        auth['team_id'] || auth['team'].to_h['id']
+      end
+      
+      # API call to get user permissions for workspace token.
+      # This is needed because workspace token 'sign-in-with-slack' is missing scopes
+      # in the :scope field (acknowledged issue in developer preview).
+      #
+      # Returns [<id>: <resource>]
+      def apps_permissions_users_list
+        return {} unless !skip_info? && is_app_token?
+        semaphore.synchronize {
+          @apps_permissions_users_list_raw ||= access_token.get('/api/apps.permissions.users.list')
+          @apps_permissions_users_list ||= @apps_permissions_users_list_raw.parsed['resources'].inject({}){|h,i| h[i['id']] = i; h}
+        }
+      end
+      
+      def raw_info
+        @raw_info ||= {}
+      end
+      
+      # Is this a workspace app token?
+      def is_app_token?
+        auth['token_type'].to_s == 'app'
+      end
+      
+      # Scopes come from at least 3 different places now.
+      # * The classic :scope field (string)
+      # * New workshop token :scopes field (hash)
+      # * Separate call to apps.permissions.users.list (array)
+      #
+      # This returns hash of workspace scopes, with classic & new identity scopes in :identity.
+      # Lists of scopes are in array form.
+      def all_scopes
+        @all_scopes ||=
+        {'identity' => (auth['scope'] || apps_permissions_users_list[user_id].to_h['scopes'].to_a.join(',')).to_s.split(',')}
+        .merge(auth['scopes'].to_h)
+      end
+      
+      # Determine if given scopes exist in current authorization.
+      # Scopes is hash where
+      #   key == scope type <identity|app_hope|team|channel|group|mpim|im>
+      #   val == array or string of individual scopes.
+      def has_scope?(**scopes_hash)
+        scopes_hash.detect do |section, scopes|
+          test_scopes = case
+            when scopes.is_a?(String); scopes.split(',')
+            when scopes.is_a?(Array); scopes
+            else raise "Scope must be a string or array"
+          end
+          test_scopes.detect do |scope|
+            all_scopes[section.to_s].to_a.include?(scope.to_s)
+          end
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/omniauth-slack/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Slack
+    VERSION = "2.4.0"
+  end
+end

data/lib/omniauth-slack.rb

@@ -0,0 +1,2 @@
+require 'omniauth-slack/version'
+require 'omniauth/strategies/slack'

data/omniauth-slack.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+require File.expand_path('../lib/omniauth-slack/version', __FILE__)
+
+Gem::Specification.new do |spec|
+  spec.name          = 'ginjo-omniauth-slack'
+  spec.version       = OmniAuth::Slack::VERSION
+  spec.authors       = ['kimura', 'ginjo']
+  spec.email         = ['kimura@enigmo.co.jp', 'wbr@mac.com']
+  spec.description   = %q{OmniAuth strategy for Slack}
+  spec.summary       = %q{OmniAuth strategy for Slack, based on the oauth2 and omniauth-oauth2 gems}
+  spec.homepage      = 'https://github.com/kmrshntr/omniauth-slack.git'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'omniauth-oauth2', ['~> 1.4', '~> 1.5']
+
+  spec.add_development_dependency 'bundler', '>= 1.11.2'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'minitest'
+  spec.add_development_dependency 'mocha'
+end

data/test/helper.rb

@@ -0,0 +1,57 @@
+require "bundler/setup"
+require "minitest/autorun"
+require "mocha/setup"
+require "omniauth/strategies/slack"
+
+OmniAuth.config.test_mode = true
+
+module BlockTestHelper
+  def test(name, &blk)
+    method_name = "test_#{name.gsub(/\s+/, "_")}"
+    raise "Method already defined: #{method_name}" if instance_methods.include?(method_name.to_sym)
+    define_method method_name, &blk
+  end
+end
+
+module CustomAssertions
+  def assert_has_key(key, hash, msg = nil)
+    msg = message(msg) { "Expected #{hash.inspect} to have key #{key.inspect}" }
+    assert hash.has_key?(key), msg
+  end
+
+  def refute_has_key(key, hash, msg = nil)
+    msg = message(msg) { "Expected #{hash.inspect} not to have key #{key.inspect}" }
+    refute hash.has_key?(key), msg
+  end
+end
+
+class TestCase < Minitest::Test
+  extend BlockTestHelper
+  include CustomAssertions
+end
+
+class StrategyTestCase < TestCase
+  def setup
+    @request = stub("Request")
+    @request.stubs(:params).returns({})
+    @request.stubs(:cookies).returns({})
+    @request.stubs(:env).returns({})
+    @request.stubs(:scheme).returns({})
+    @request.stubs(:ssl?).returns(false)
+
+    @client_id = "123"
+    @client_secret = "53cr3tz"
+    @options = {}
+  end
+
+  def strategy
+    @strategy ||= begin
+      args = [@client_id, @client_secret, @options].compact
+      OmniAuth::Strategies::Slack.new(nil, *args).tap do |strategy|
+        strategy.stubs(:request).returns(@request)
+      end
+    end
+  end
+end
+
+Dir[File.expand_path("../support/**/*", __FILE__)].each(&method(:require))

data/test/support/shared_examples.rb

@@ -0,0 +1,85 @@
+# NOTE it would be useful if this lived in omniauth-oauth2 eventually
+module OAuth2StrategyTests
+  def self.included(base)
+    base.class_eval do
+      include ClientTests
+      include AuthorizeParamsTests
+      include CSRFAuthorizeParamsTests
+      include TokenParamsTests
+    end
+  end
+
+  module ClientTests
+    extend BlockTestHelper
+
+    test "should be initialized with symbolized client_options" do
+      @options = { :client_options => { "authorize_url" => "https://example.com" } }
+      assert_equal "https://example.com", strategy.client.options[:authorize_url]
+    end
+  end
+
+  module AuthorizeParamsTests
+    extend BlockTestHelper
+
+    test "should include any authorize params passed in the :authorize_params option" do
+      @options = { :authorize_params => { :foo => "bar", :baz => "zip" } }
+      assert_equal "bar", strategy.authorize_params["foo"]
+      assert_equal "zip", strategy.authorize_params["baz"]
+    end
+
+    test "should include top-level options that are marked as :authorize_options" do
+      @options = { :authorize_options => [:scope, :foo], :scope => "bar", :foo => "baz" }
+      assert_equal "bar", strategy.authorize_params["scope"]
+      assert_equal "baz", strategy.authorize_params["foo"]
+    end
+
+    test "should exclude top-level options that are not passed" do
+      @options = { :authorize_options => [:bar] }
+      refute_has_key :bar, strategy.authorize_params
+      refute_has_key "bar", strategy.authorize_params
+    end
+  end
+
+  module CSRFAuthorizeParamsTests
+    extend BlockTestHelper
+
+    test "should store random state in the session when none is present in authorize or request params" do
+      assert_includes strategy.authorize_params.keys, "state"
+      refute_empty strategy.authorize_params["state"]
+      refute_empty strategy.session["omniauth.state"]
+      assert_equal strategy.authorize_params["state"], strategy.session["omniauth.state"]
+    end
+
+    test "should not store state in the session when present in authorize params vs. a random one" do
+      @options = { :authorize_params => { :state => "bar" } }
+      refute_empty strategy.authorize_params["state"]
+      refute_equal "bar", strategy.authorize_params[:state]
+      refute_empty strategy.session["omniauth.state"]
+      refute_equal "bar", strategy.session["omniauth.state"]
+    end
+
+    test "should not store state in the session when present in request params vs. a random one" do
+      @request.stubs(:params).returns({ "state" => "foo" })
+      refute_empty strategy.authorize_params["state"]
+      refute_equal "foo", strategy.authorize_params[:state]
+      refute_empty strategy.session["omniauth.state"]
+      refute_equal "foo", strategy.session["omniauth.state"]
+    end
+  end
+
+  module TokenParamsTests
+    extend BlockTestHelper
+
+    test "should include any authorize params passed in the :token_params option" do
+      @options = { :token_params => { :foo => "bar", :baz => "zip" } }
+      assert_equal "bar", strategy.token_params["foo"]
+      assert_equal "zip", strategy.token_params["baz"]
+    end
+
+    test "should include top-level options that are marked as :token_options" do
+      @options = { :token_options => [:scope, :foo], :scope => "bar", :foo => "baz" }
+      assert_equal "bar", strategy.token_params["scope"]
+      assert_equal "baz", strategy.token_params["foo"]
+    end
+  end
+end