omniauth-aai 0.1

data/.travis.yml

@@ -0,0 +1,10 @@
+script: "bundle exec rake test"
+rvm:
+  - 1.9.2
+  - 1.9.3
+  - jruby-19mode
+gemfile:
+  - Gemfile
+notifications:
+  recipients:
+    - claudio@beffa.ch 

data/Gemfile

@@ -0,0 +1,6 @@
+source 'http://rubygems.org'
+
+gem 'omniauth-shibboleth', :git => "git://github.com/switch-ch/omniauth-shibboleth.git"
+
+gemspec
+

data/Gemfile.lock

@@ -0,0 +1,60 @@
+GIT
+  remote: git://github.com/switch-ch/omniauth-shibboleth.git
+  revision: 8da8cbcb4d42e8b810cb5eaed59581e38b15b187
+  specs:
+    omniauth-shibboleth (1.0.6)
+      omniauth (>= 1.0.0)
+
+PATH
+  remote: .
+  specs:
+    omniauth-aai (0.1)
+      omniauth-shibboleth
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    ffi (1.0.11)
+    guard (1.2.3)
+      listen (>= 0.4.2)
+      thor (>= 0.14.6)
+    guard-rspec (1.1.0)
+      guard (>= 1.1)
+    hashie (1.2.0)
+    listen (0.4.7)
+      rb-fchange (~> 0.0.5)
+      rb-fsevent (~> 0.9.1)
+      rb-inotify (~> 0.8.8)
+    omniauth (1.1.0)
+      hashie (~> 1.2)
+      rack
+    rack (1.4.1)
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rake (0.9.2.2)
+    rb-fchange (0.0.5)
+      ffi
+    rb-fsevent (0.9.1)
+    rb-inotify (0.8.8)
+      ffi (>= 0.5.0)
+    rspec (2.10.0)
+      rspec-core (~> 2.10.0)
+      rspec-expectations (~> 2.10.0)
+      rspec-mocks (~> 2.10.0)
+    rspec-core (2.10.1)
+    rspec-expectations (2.10.0)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.10.1)
+    thor (0.15.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  guard-rspec
+  omniauth-aai!
+  omniauth-shibboleth!
+  rack-test
+  rake
+  rspec (~> 2.8)

data/Guardfile

@@ -0,0 +1,6 @@
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/omniauth/strategies/aai.rb$})     { |m| "spec/omniauth/strategies/aai_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end
+

data/README.md

@@ -0,0 +1,89 @@
+# OmniAuth AAI strategy
+
+OmniAuth Shibboleth AAI strategy is an OmniAuth strategy for authenticating through SWITCHaai. 
+
+- OmniAuth: https://github.com/intridea/omniauth/wiki
+- Shibboleth: https://wiki.shibboleth.net/
+- SWITCHaai: http://www.switch.ch/aai/index.html
+
+Most functionallity is borrwoed from https://github.com/toyokazu/omniauth-shibboleth
+
+## Getting Started
+
+### Installation
+
+Install as a gem via Gemfile or with
+
+    % gem install omniauth-aai
+
+### Setup SWITCHaai Strategy
+
+To use Shibboleth SWITCHaai strategy as a middleware in your rails application, add the following file to your rails application initializer directory. (There will be a generator soon)
+
+
+    # config/initializer/omniauth.rb
+    Rails.application.config.middleware.use OmniAuth::Builder do
+      provider :aai, {}
+    end
+
+You will get by default all the standard SWITCHaai values, or you can configure it via options:
+
+    # config/initializer/omniauth.rb
+    Rails.application.config.middleware.use OmniAuth::Builder do
+      provider :aai,{
+        :uid_field => :'persistent-id',
+        :fields => [:name, :email, :swiss_ep_uid],
+        :extra_fields => [:'Shib-Authentication-Instant']# See lib/omniauth/strategies/aai.rb for full list.
+      }
+
+Fields are provided in the Env as request.env["omniauth.auth"]["info"]["name"] and extra_fields attributes are provided as ['extra']['raw_info']['Shib-Authentication-Instant'].
+
+### How to authenticate users
+
+In your application, simply direct users to '/auth/aai' to have them sign in via your organizations's AAI SP and IdP. '/auth/aai' url simply redirect users to '/auth/aai/callback', so thus you must protect '/auth/aai/callback' by SWITCHaai SP.
+
+SWITCHaai strategy just checks the existence of Shib-Session-ID or Shib-Application-ID.
+
+### Development Mode
+
+In development / local mode you can use the following mock (with default SWITCHaai values):
+
+    # config/initializer/omniauth.rb
+    use OmniAuth::Builder do
+      provider :developer, {
+        :uid_field => :'persistent-id',
+        :fields => OmniAuth::Strategies::Aai::DEFAULT_FIELDS,
+        :extra_fields, OmniAuth::Strategies::Aai::DEFAULT_EXTRA_FIELDS
+      } if Rails.env == 'development'
+    end
+
+### Debug Mode
+
+When you deploy a new application, you may want to confirm the assumed attributes are correctly provided by SWITCHaai SP. OmniAuth SWITCHaai strategy provides a confirmation option :debug. If you set :debug true, you can see the environment variables provided at the /auth/aai/callback uri.
+
+    # config/initializer/omniauth.rb
+    Rails.application.config.middleware.use OmniAuth::Builder do
+      provider :aai, { :debug => true }
+    end
+
+## License (MIT License)
+
+Copyright (C) SWITCH, Zurich, original copyright (omniauth-shibboleth) 2011 by Toyokazu Akiyama.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec
+task :test => :spec
+

data/lib/omniauth-aai.rb

@@ -0,0 +1,8 @@
+require "omniauth-aai/version"
+require "omniauth"
+
+module OmniAuth
+  module Strategies
+    autoload :Aai, 'omniauth/strategies/aai'
+  end
+end

data/lib/omniauth-aai/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Aai
+    VERSION = "0.1"
+  end
+end

data/lib/omniauth/strategies/aai.rb

@@ -0,0 +1,105 @@
+module OmniAuth
+  module Strategies
+    class Aai < OmniAuth::Strategies::Shibboleth
+
+      # 8 core attributes, which must be available for all users
+      CORE_ATTRIBUTES = {
+        swiss_ep_uid:          [:'Shib-SwissEP-UniqueID'], 
+        first_name:            [:'Shib-InetOrgPerson-givenName'], 
+        surname:               [:'Shib-Person-surname'], 
+        mail:                  [:'Shib-InetOrgPerson-mail'],
+        homeOrganization:      [:'Shib-SwissEP-HomeOrganization'], 
+        homeOrganizationType:  [:'Shib-SwissEP-HomeOrganizationType'], 
+        affiliation:           [:'Shib-EP-Affiliation']
+      }
+
+      # 8 or more Shibboleth attributes, set by the Service Provider automatically if a user has a valid session
+      SHIBBOLETH_ATTRIBUTES = { 
+        :entitlement => [:'Shib-EP-Entitlement'],
+        :preferredLanguage => [:'Shib-InetOrgPerson-preferredLanguage'],
+        :'Shib-Application-ID' => [],
+        :'Shib-Assertion-01' => [],
+        :'Shib-Assertion-Count' => [],
+        :'Shib-Authentication-Instant' => [],
+        :'Shib-Authentication-Method' => [],
+        :'Shib-AuthnContext-Class' => [],
+        :'Shib-Identity-Provider' => [],
+        :'Shib-Session-ID' => []
+      }
+
+      DEFAULT_EXTRA_FIELDS = (CORE_ATTRIBUTES.keys + SHIBBOLETH_ATTRIBUTES.keys)
+      DEFAULT_FIELDS = [:name, :email, :swiss_ep_uid ]
+
+      # persistent-id is default uid
+      option :uid_field, :'persistent-id'
+
+      option :debug, false
+
+      option :aai_fields, CORE_ATTRIBUTES
+
+      option :aai_extra_fields, SHIBBOLETH_ATTRIBUTES
+
+      option :fields, DEFAULT_FIELDS
+      option :extra_fields, DEFAULT_EXTRA_FIELDS
+
+      # # # # #
+      # Helper Methods
+      # # # # #
+      def aai_attributes
+        options.aai_extra_fields.merge(options.aai_fields)
+      end
+
+      def read_env( attribute_key )
+        ([attribute_key] + (aai_attributes[attribute_key] || [])).each do | a |
+          v = request.env[a.to_s]
+          return v unless v.nil? || v.strip == "" 
+        end
+      end
+
+      # # # # #
+      # Rack 
+      # # # # #
+      def request_phase
+        [ 
+          302,
+          {
+            'Location' => script_name + callback_path + query_string,
+            'Content-Type' => 'text/plain'
+          },
+          ["You are being redirected to Shibboleth SP/IdP for sign-in."]
+        ]
+      end
+
+      def callback_phase
+        super
+      end
+      
+      uid do
+        # persistent-id is default uid
+        request.env[options.uid_field.to_s] 
+      end
+
+      info do
+        options.fields.inject({}) do |hash, field|
+          case field
+          when :name
+            hash[field] = "#{read_env(:first_name)} #{read_env(:surname)}"
+          when :email
+            hash[:email] = read_env(:mail)
+          else
+            hash[field] = read_env(field.to_s)
+          end
+          hash
+        end
+      end
+
+      extra do
+        options.extra_fields.inject({:raw_info => {}}) do |hash, field|
+          hash[:raw_info][field] = read_env(field.to_s)
+          hash
+        end
+      end
+
+    end
+  end
+end

data/omniauth-aai.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth-aai/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.add_dependency 'omniauth-shibboleth'
+
+  gem.add_development_dependency 'rack-test'
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec', '~> 2.8'
+  gem.add_development_dependency 'guard-rspec'
+
+  gem.authors       = ["Claudio Beffa"]
+  gem.email         = ["claudio@beffa.ch"]
+  gem.description   = %q{OmniAuth Shibboleth strategies for SWITCHaai}
+  gem.summary       = %q{OmniAuth Shibboleth strategies for SWITCHaai}
+  gem.homepage      = "https://github.com/switch-ch/omniauth-aai"
+
+  gem.files         = `find . -not \\( -regex ".*\\.git.*" -o -regex "\\./pkg.*" -o -regex "\\./spec.*" \\)`.split("\n").map{ |f| f.gsub(/^.\//, '') }
+  gem.test_files    = `find spec/*`.split("\n")
+  gem.name          = "omniauth-aai"
+  gem.require_paths = ["lib"]
+  gem.version       = OmniAuth::Aai::VERSION
+
+
+end

data/spec/omniauth/strategies/aai_spec.rb

@@ -0,0 +1,101 @@
+require 'spec_helper'
+
+def make_env(path = '/auth/aai', props = {})
+  {
+    'REQUEST_METHOD' => 'GET',
+    'PATH_INFO' => path,
+    'rack.session' => {},
+    'rack.input' => StringIO.new('test=true')
+  }.merge(props)
+end
+
+def failure_path
+  if OmniAuth::VERSION >= "1.0" && OmniAuth::VERSION < "1.1"
+    "/auth/failure?message=no_aai_session"
+  elsif OmniAuth::VERSION >= "1.1"
+    "/auth/failure?message=no_shibboleth_session&strategy=aai"
+  end
+end
+
+describe OmniAuth::Strategies::Aai do
+  let(:app){ Rack::Builder.new do |b|
+    b.use Rack::Session::Cookie
+    b.use OmniAuth::Strategies::Aai
+    b.run lambda{|env| [200, {}, ['Not Found']]}
+  end.to_app }
+
+  context 'request phase' do
+    before do
+      get '/auth/aai'
+    end
+
+    it 'should redirect to callback_url' do
+      last_response.status.should == 302
+      last_response.location.should == '/auth/aai/callback'
+    end
+  end
+
+  context 'callback phase' do
+    context 'without Shibboleth session' do
+      before do
+        get '/auth/aai/callback'
+      end
+
+      it 'should fail to get Shib-Session-ID environment variable' do
+        last_response.status.should == 302
+        last_response.location.should == failure_path
+      end
+    end
+
+    context 'with Shibboleth session' do
+      let(:strategy){ OmniAuth::Strategies::Aai.new(app, {}) }
+  
+      it 'should set default omniauth.auth fields' do
+        @dummy_id = 'abcdefg'
+        @uid = 'https://aai-logon.vho-switchaai.ch/idp/shibboleth!https://aai-viewer.switch.ch/shibboleth!lYQnHiuZjROvtykBpZHjy1UaZPg='
+        @last_name = 'Nachname'
+        @first_name = 'Vorname'
+        @email = 'test@example.com'
+        @shibboleth_unique_id = '099886@vho-switchaai.ch'
+        strategy.call!(make_env('/auth/aai/callback', 'Shib-Session-ID' => @dummy_id, 'persistent-id' => @uid, 'surname' => @last_name, 'first_name' => @first_name, 'mail' => @email, 'Shib-SwissEP-UniqueID' => @shibboleth_unique_id))
+        strategy.env['omniauth.auth']['uid'].should == @uid
+        strategy.env['omniauth.auth']['info']['name'].should == "#{@first_name} #{@last_name}"
+        strategy.env['omniauth.auth']['info']['email'].should == @email
+        strategy.env['omniauth.auth']['info']['swiss_ep_uid'].should == @shibboleth_unique_id
+      end
+    end
+
+    context 'with Shibboleth session and attribute options' do
+      let(:options){ { :uid_field => :uniqueID, :fields => [], :extra_fields => [:"Shib-Authentication-Instant", :homeOrganization] } }
+      let(:app){ lambda{|env| [404, {}, ['Awesome']]}}
+      let(:strategy){ OmniAuth::Strategies::Aai.new(app, options) }
+
+      it 'should set specified omniauth.auth fields' do
+        @dummy_id = 'abcdefg'
+        @uid = 'test'
+        @home = 'Test Corporation'
+        @instant = '2012-07-04T14:08:18.999Z'
+        strategy.call!(make_env('/auth/aai/callback', 'Shib-Session-ID' => @dummy_id, 'uniqueID' => @uid, 'Shib-Authentication-Instant' => @instant, 'homeOrganization' => @home))
+        strategy.env['omniauth.auth']['uid'].should == @uid
+        strategy.env['omniauth.auth']['extra']['raw_info']['Shib-Authentication-Instant'].should == @instant
+        strategy.env['omniauth.auth']['extra']['raw_info']['homeOrganization'].should == @home
+      end
+    end
+
+    context 'with debug options' do
+      let(:options){ { :debug => true} }
+      let(:strategy){ OmniAuth::Strategies::Shibboleth.new(app, options) }
+
+      it 'should raise environment variables' do
+        @dummy_id = 'abcdefg'
+        @uid = 'https://aai-logon.vho-switchaai.ch/idp/shibboleth!https://aai-viewer.switch.ch/shibboleth!lYQnHiuZjROvtykBpZHjy1UaZPg='
+        @last_name = 'Nachname'
+        @first_name = 'Vorname'
+        @email = 'test@example.com'
+        env = make_env('/auth/aai/callback', 'Shib-Session-ID' => @dummy_id, 'persistent-id' => @uid, 'surname' => @last_name, 'first_name' => @first_name, 'mail' => @email)
+        response = strategy.call!(env)
+        response[0].should == 200
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+require 'rspec'
+require 'rack/test'
+require 'omniauth'
+require 'omniauth/version'
+require 'omniauth-shibboleth'
+require 'omniauth-aai'
+
+RSpec.configure do |config|
+    config.include Rack::Test::Methods
+    config.color_enabled = true
+end

metadata

@@ -0,0 +1,143 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-aai
+version: !ruby/object:Gem::Version
+  version: '0.1'
+  prerelease: 
+platform: ruby
+authors:
+- Claudio Beffa
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth-shibboleth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OmniAuth Shibboleth strategies for SWITCHaai
+email:
+- claudio@beffa.ch
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .travis.yml
+- Gemfile
+- Gemfile.lock
+- Guardfile
+- lib/.DS_Store
+- lib/omniauth/.DS_Store
+- lib/omniauth/strategies/.DS_Store
+- lib/omniauth/strategies/aai.rb
+- lib/omniauth-aai/version.rb
+- lib/omniauth-aai.rb
+- omniauth-aai.gemspec
+- Rakefile
+- README.md
+- spec/omniauth/strategies/aai_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/switch-ch/omniauth-aai
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: OmniAuth Shibboleth strategies for SWITCHaai
+test_files:
+- spec/omniauth/strategies/aai_spec.rb
+- spec/spec_helper.rb
+has_rdoc: