omniauth-cas 1.0.4 → 2.0.0

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTU0MmMyOWM1MWY0YzBiNjMzZDRkZmE4NTljYTA4NTc3M2NmM2FiYg==
-  data.tar.gz: !binary |-
-    YjM4MmU1MTAwNThmNjJkNWU2OTJiZjJiMTc5ZDNlYjM0ZDQ2M2E3ZQ==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    ZTdkZjEzMDY4ODVjMzY1NDQ2MmUxZTAyMzRkMGUwNzcxYzAyOGM5MzBlNDZi
-    ZjU1OTk0OWU1ODIzNTIwYTIxNWM5ZDEzNzFiY2UyODJhYzY3NDRkZmM5ODcy
-    NTBlMGM5YWFhZWU1MDBlMTI2YWQ0NTRmODRkZjhiYmVmMjc2ZDI=
-  data.tar.gz: !binary |-
-    OTY0NjU1NTFhZGZmNjdlN2E2OTY5MjNkMTU0NDY5NWQ1ZjQ3N2RiZWFjNmZj
-    MDA3MmY4M2U1MjMwOThkZmRhNzYwZDI5NzljYjRiYzk5YjY5MWFlNjBjYjY0
-    NzBhNjE1OWViZjMzMGVmYzkzMWM5MTk5MGNmNjk1MTU3YjYxYWU=
+SHA256:
+  metadata.gz: 20d02177b4bdbd637993a8d225133ada4d6d40092b59db98e54b38bbe8aef780
+  data.tar.gz: 9143ccd826882b5f1228b7686958cfa62c9527ab1fef041d6ce1bfb39e7e0f6d
+SHA512:
+  metadata.gz: a9edd4d3c46a7c7349a0ebf05a67747cb25cfda51fc2c4ebfbc054726e4e8b7034f969291f5f184d609999250507bdfe1da01f659cb43682b837d4fa44292271
+  data.tar.gz: e64e3311e11537b2abc77d25189ef38eebdcbb147eb6db53deb7562530371f40851e035eae08370f3621843873c36c47e9690d1e5f2a0678b31ea8dd87f79bca

data/.editorconfig

@@ -0,0 +1,16 @@
+# EditorConfig helps developers define and maintain consistent
+# coding styles between different editors and IDEs
+# editorconfig.org
+
+root = true
+
+[*]
+# Change these settings to your own preference
+indent_style = space
+indent_size = 2
+
+# We recommend you to keep these unchanged
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

data/.travis.yml

@@ -1,8 +1,21 @@
+dist: xenial
+os: linux
+language: ruby
 rvm:
-  - 1.9.2
-  - 1.9.3
+  - 2.1
+  - 2.2
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
+  - ruby-edge
 branches:
   only:
     - master
 before_install:
-  - gem install bundler
+  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
+  - gem install bundler -v '< 2'
+jobs:
+  allow_failures:
+  - rvm: ruby-edge

data/CHANGELOG.md

@@ -0,0 +1,27 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
+project adheres to [Semantic Versioning](http://semver.org/)
+
+## 2.0.0 - 2010-11-14
+
+### Added
+
+* Add support for multivalued attributes ([#59](https://github.com/dlindahl/omniauth-cas/pull/59))
+* Successfully test against Ruby 2.4 and up ([#60](https://github.com/dlindahl/omniauth-cas/pull/60))
+
+### Changed
+
+* Forward success response to `fetch_raw_info` callback ([#51](https://github.com/dlindahl/omniauth-cas/pull/51))
+* Relax development dependencies to the latest versions
+
+## 1.1.1 - 2016-09-19
+
+### Changed
+
+* Relax gemspec requirements, to add support for Rails 5.
+
+Note that the only tested versions of Ruby are now 2.1, 2.2, and 2.3 - older
+versions of Ruby should work, but are no longer officially supported.

data/Gemfile

@@ -2,3 +2,8 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in omniauth-cas.gemspec
 gemspec
+
+if RUBY_VERSION < "2.2.2"
+  # Rack 2 needs Ruby 2.2.2+
+  gem 'rack', '< 2'
+end

data/README.md

@@ -1,14 +1,16 @@
 # OmniAuth CAS Strategy [![Gem Version][version_badge]][version] [![Build Status][travis_status]][travis]
 
-[version_badge]: https://badge.fury.io/rb/omniauth-cas.png
-[version]: http://badge.fury.io/rb/omniauth-cas
-[travis]: http://travis-ci.org/dlindahl/omniauth-cas
-[travis_status]: https://secure.travis-ci.org/dlindahl/omniauth-cas.png
+[version_badge]: https://badge.fury.io/rb/omniauth-cas.svg
+[version]: https://badge.fury.io/rb/omniauth-cas
+[travis]: https://travis-ci.org/dlindahl/omniauth-cas
+[travis_status]: https://secure.travis-ci.org/dlindahl/omniauth-cas.svg
+[releases]: https://github.com/dlindahl/omniauth-cas/releases
 
 This is a OmniAuth 1.0 compatible port of the previously available
 [OmniAuth CAS strategy][old_omniauth_cas] that was bundled with OmniAuth 0.3.
 
-[View the documentation][document_up]
+* [View the documentation][document_up]
+* [Changelog][releases]
 
 ## Installation
 
@@ -41,21 +43,49 @@ end
 OmniAuth CAS requires at least one of the following two configuration options:
 
   * `url` - Defines the URL of your CAS server (i.e. `http://example.org:8080`)
-  * `host` - Defines the host of your CAS server. Optional if using `url`
-  * `login_url` - Defines the URL used to prompt users for their login information. Defaults to `/login`
-    If no `host` is configured, the host application's domain will be used.
+  * `host` - Defines the host of your CAS server (i.e. `example.org`).
 
 #### Optional
 
 Other configuration options:
 
-  * `port` - The port to use for your configured CAS `host`. Optional if using `url`
-  * `ssl` - TRUE to connect to your CAS server over SSL. Optional if using `url`
-  * `service_validate_url` - The URL to use to validate a user. Defaults to `'/serviceValidate'`
-  * `logout_url` - The URL to use to logout a user. Defaults to `'/logout'`
-  * `uid_key` - The user data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name)
-  * `ca_path` - Optional when `ssl` is `true`. Sets path of a CA certification directory. See [Net::HTTP][net_http] for more details
+  * `port` - The port to use for your configured CAS `host`. Optional if using `url`.
+  * `ssl` - TRUE to connect to your CAS server over SSL. Optional if using `url`.
+  * `service_validate_url` - The URL to use to validate a user. Defaults to `'/serviceValidate'`.
+  * `callback_url` - The URL custom URL path which CAS uses to call back to the service.  Defaults to `/users/auth/cas/callback`.
+  * `logout_url` - The URL to use to logout a user. Defaults to `'/logout'`.
+  * `login_url` - Defines the URL used to prompt users for their login information. Defaults to `/login` If no `host` is configured, the host application's domain will be used.
+  * `uid_field` - The user data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `ca_path` - Optional when `ssl` is `true`. Sets path of a CA certification directory. See [Net::HTTP][net_http] for more details.
   * `disable_ssl_verification` - Optional when `ssl` is true. Disables verification.
+  * `merge_multivalued_attributes` - When set to `true` returns attributes with multiple values as arrays. Defaults to `false` and returns the last value as a string.
+  * `on_single_sign_out` - Optional. Callback used when a [CAS 3.1 Single Sign Out][sso]
+    request is received.
+  * `fetch_raw_info` - Optional. Callback used to return additional "raw" user
+    info from other sources.
+
+    ```ruby
+    provider :cas,
+      fetch_raw_info: Proc.new { |strategy, opts, ticket, user_info, rawxml|
+        return {} if user_info.empty? || rawxml.nil? # Auth failed
+
+        extra_info = ExternalService.get(user_info[:user]).attributes
+        extra_info.merge!({'roles' => rawxml.xpath('//cas:roles').map(&:text)})
+        extra_info
+      }
+    ```
+
+Configurable options for values returned by CAS:
+
+  * `uid_key` - The user ID data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `name_key` - The data attribute containing user first and last name.  Defaults to `'name'`.
+  * `email_key` - The data attribute containing user email address.  Defaults to `'email'`.
+  * `nickname_key` - The data attribute containing user's nickname.  Defaults to `'user'`.
+  * `first_name_key` - The data attribute containing user first name.  Defaults to `'first_name'`.
+  * `last_name_key` - The data attribute containing user last name.  Defaults to `'last_name'`.
+  * `location_key` - The data attribute containing user location/address.  Defaults to `'location'`.
+  * `image_key` - The data attribute containing user image/picture.  Defaults to `'image'`.
+  * `phone_key` - The data attribute containing user contact phone number.  Defaults to `'phone'`.
 
 ## Migrating from OmniAuth 0.3
 
@@ -93,5 +123,6 @@ Special thanks go out to the following people
   * @rbq for README updates and OmniAuth 0.3 migration guide
 
 [old_omniauth_cas]: https://github.com/intridea/omniauth/blob/0-3-stable/oa-enterprise/lib/omniauth/strategies/cas.rb
-[document_up]: http://dlindahl.github.com/omniauth-cas/
-[net_http]: http://ruby-doc.org/stdlib-1.9.3/libdoc/net/http/rdoc/Net/HTTP.html
+[document_up]: https://dlindahl.github.io/omniauth-cas/
+[net_http]: https://ruby-doc.org/stdlib-1.9.3/libdoc/net/http/rdoc/Net/HTTP.html
+[sso]: https://wiki.jasig.org/display/CASUM/Single+Sign+Out

data/lib/omniauth-cas.rb

@@ -1 +1 @@
-require "omniauth/cas"
+require 'omniauth/cas'

data/lib/omniauth/cas/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module Cas
-    VERSION = '1.0.4'
+    VERSION = '2.0.0'
   end
 end

data/lib/omniauth/strategies/cas.rb

@@ -1,4 +1,4 @@
-require 'omniauth/strategy'
+require 'omniauth'
 require 'addressable/uri'
 
 module OmniAuth
@@ -10,8 +10,8 @@ module OmniAuth
       class MissingCASTicket < StandardError; end
       class InvalidCASTicket < StandardError; end
 
-      autoload :Configuration, 'omniauth/strategies/cas/configuration'
       autoload :ServiceTicketValidator, 'omniauth/strategies/cas/service_ticket_validator'
+      autoload :LogoutRequest, 'omniauth/strategies/cas/logout_request'
 
       attr_accessor :raw_info
       alias_method :user_info, :raw_info
@@ -22,84 +22,125 @@ module OmniAuth
       option :port, nil
       option :path, nil
       option :ssl,  true
+      option :merge_multivalued_attributes, false
       option :service_validate_url, '/serviceValidate'
       option :login_url,            '/login'
       option :logout_url,           '/logout'
-      option :uid_key,              'user'
+      option :on_single_sign_out,   Proc.new {}
+      # A Proc or lambda that returns a Hash of additional user info to be
+      # merged with the info returned by the CAS server.
+      #
+      # @param [Object] An instance of OmniAuth::Strategies::CAS for the current request
+      # @param [String] The user's Service Ticket value
+      # @param [Hash] The user info for the Service Ticket returned by the CAS server
+      #
+      # @return [Hash] Extra user info
+      option :fetch_raw_info,       Proc.new { Hash.new }
+      # Make all the keys configurable with some defaults set here
+      option :uid_field, 'user'
+      option :name_key, 'name'
+      option :email_key, 'email'
+      option :nickname_key, 'user'
+      option :first_name_key, 'first_name'
+      option :last_name_key, 'last_name'
+      option :location_key, 'location'
+      option :image_key, 'image'
+      option :phone_key, 'phone'
 
       # As required by https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
-      AuthHashSchemaKeys = %w{name email first_name last_name location image phone}
+      AuthHashSchemaKeys = %w{name email nickname first_name last_name location image phone}
       info do
         prune!({
-          :name       => raw_info['name'],
-          :email      => raw_info['email'],
-          :first_name => raw_info['first_name'],
-          :last_name  => raw_info['last_name'],
-          :location   => raw_info['location'],
-          :image      => raw_info['image'],
-          :phone      => raw_info['phone']
+          name: raw_info[options[:name_key].to_s],
+          email: raw_info[options[:email_key].to_s],
+          nickname: raw_info[options[:nickname_key].to_s],
+          first_name: raw_info[options[:first_name_key].to_s],
+          last_name: raw_info[options[:last_name_key].to_s],
+          location: raw_info[options[:location_key].to_s],
+          image: raw_info[options[:image_key].to_s],
+          phone: raw_info[options[:phone_key].to_s]
         })
       end
 
       extra do
-        prune! raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        prune!(
+          raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        )
       end
 
       uid do
-        raw_info[ @options[:uid_key].to_s ]
+        raw_info[options[:uid_field].to_s]
       end
 
       credentials do
-        prune!({
-          :ticket => @ticket
-        })
-      end
-
-      def initialize( app, *args, &block )
-        super
-        @configuration = Configuration.new( @options )
+        prune!({ ticket: @ticket })
       end
 
       def callback_phase
-        @ticket = request.params['ticket']
-
-        return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
-
-        self.raw_info = ServiceTicketValidator.new(self, @options, callback_url, @ticket).user_info
-
-        return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
-
-        super
+        if on_sso_path?
+          single_sign_out_phase
+        else
+          @ticket = request.params['ticket']
+          return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
+          fetch_raw_info(@ticket)
+          return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
+          super
+        end
       end
 
       def request_phase
-        service_url = append_params( callback_url, return_url )
+        service_url = append_params(callback_url, return_url)
 
         [
           302,
           {
-            'Location' => login_url( service_url ),
+            'Location' => login_url(service_url),
             'Content-Type' => 'text/plain'
           },
           ["You are being redirected to CAS for sign-in."]
         ]
       end
 
+      def on_sso_path?
+        request.post? && request.params.has_key?('logoutRequest')
+      end
+
+      def single_sign_out_phase
+        logout_request_service.new(self, request).call(options)
+      end
+
       # Build a CAS host with protocol and port
       #
       #
       def cas_url
+        extract_url if options['url']
+        validate_cas_setup
         @cas_url ||= begin
           uri = Addressable::URI.new
-          uri.host   = @options.host
-          uri.scheme = @options.ssl ? 'https' : 'http'
-          uri.port   = @options.port
-          uri.path   = @options.path
-
+          uri.host = options.host
+          uri.scheme = options.ssl ? 'https' : 'http'
+          uri.port = options.port
+          uri.path = options.path
           uri.to_s
         end
       end
 
+      def extract_url
+        url = Addressable::URI.parse(options.delete('url'))
+        options.merge!(
+          'host' => url.host,
+          'port' => url.port,
+          'path' => url.path,
+          'ssl' => url.scheme == 'https'
+        )
+      end
+
+      def validate_cas_setup
+        if options.host.nil? || options.login_url.nil?
+          raise ArgumentError.new(":host and :login_url MUST be provided")
+        end
+      end
+
       # Build a service-validation URL from +service+ and +ticket+.
       # If +service+ has a ticket param, first remove it. URL-encode
       # +service+ and add it and the +ticket+ as paraemters to the
@@ -110,10 +151,12 @@ module OmniAuth
       #
       # @return [String] a URL like `http://cas.mycompany.com/serviceValidate?service=...&ticket=...`
       def service_validate_url(service_url, ticket)
-        service_url = Addressable::URI.parse( service_url )
+        service_url = Addressable::URI.parse(service_url)
         service_url.query_values = service_url.query_values.tap { |qs| qs.delete('ticket') }
-
-        cas_url + append_params(@options.service_validate_url, { :service => service_url.to_s, :ticket => ticket })
+        cas_url + append_params(options.service_validate_url, {
+          service: service_url.to_s,
+          ticket: ticket
+        })
       end
 
       # Build a CAS login URL from +service+.
@@ -122,7 +165,7 @@ module OmniAuth
       #
       # @return [String] a URL like `http://cas.mycompany.com/login?service=...`
       def login_url(service)
-        cas_url + append_params( @options.login_url, { :service => service })
+        cas_url + append_params(options.login_url, { service: service })
       end
 
       # Adds URL-escaped +parameters+ to +base+.
@@ -133,14 +176,28 @@ module OmniAuth
       # @return [String] the new joined URL.
       def append_params(base, params)
         params = params.each { |k,v| v = Rack::Utils.escape(v) }
-
         Addressable::URI.parse(base).tap do |base_uri|
-          base_uri.query_values = (base_uri.query_values || {}).merge( params )
+          base_uri.query_values = (base_uri.query_values || {}).merge(params)
         end.to_s
       end
 
+      # Validate the Service Ticket
+      # @return [Object] the validated Service Ticket
+      def validate_service_ticket(ticket)
+        ServiceTicketValidator.new(self, options, callback_url, ticket).call
+      end
+
     private
 
+      def fetch_raw_info(ticket)
+        validator = validate_service_ticket(ticket)
+        ticket_user_info = validator.user_info
+        ticket_success_body = validator.success_body
+        custom_user_info = options.fetch_raw_info.call(self,
+          options, ticket, ticket_user_info, ticket_success_body)
+        self.raw_info = ticket_user_info.merge(custom_user_info)
+      end
+
       # Deletes Hash pairs with `nil` values.
       # From https://github.com/mkdynamic/omniauth-facebook/blob/972ed5e3456bcaed7df1f55efd7c05c216c8f48e/lib/omniauth/strategies/facebook.rb#L122-127
       def prune!(hash)
@@ -152,13 +209,16 @@ module OmniAuth
 
       def return_url
         # If the request already has a `url` parameter, then it will already be appended to the callback URL.
-        if request.params and request.params['url']
+        if request.params && request.params['url']
           {}
         else
-          { :url => request.referer }
+          { url: request.referer }
         end
       end
 
+      def logout_request_service
+        LogoutRequest
+      end
     end
   end
 end