omniauth-cas 1.1.0.beta.1 → 1.1.0.pre.rc.1

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    Mjc3ZjA4OWRiNjhlNDgxMzcxNTEyYWIxODE1Y2U5ZWY2Y2U0YmU4MA==
-  data.tar.gz: !binary |-
-    YmE0ZjRhNzRkYmM5NTYwNGE1M2QwNjgxNGFjODAyZjk3MDk0MTE4ZA==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    NWYwMGVjNWEzMzkzODlhOWEwNWY0MWExYTBiNWM2YjdlNGNlMDAyZjJlMjQx
-    YTdiZWRkMzJhODgwOTY2YjMzZTg2ZWZiOWVjYTNiN2NlMmUzZTNhYzFjZGYx
-    MGJiODI3OTdkMDBkMGM3YjA3MmU1YWFkNmQ0YTg0Y2E4NjAzYjI=
-  data.tar.gz: !binary |-
-    YTkyYjcwZTQxMzE3NzNmYmFjOWE0ZjkyMDY4MzMxMjlhNDU1MTg2ZjQwYmFm
-    YzA2MzJkZGNlNjYzYmE2YjE3NjZiMTZiZGJkYzZkMzdlMzY3NjE1OWU5MjI1
-    MGYxZWQ1MDQ2NzhmNjUzNjVmNzJkMTc0OGJjMGIyOTYyN2MwOGM=
+SHA1:
+  metadata.gz: 9060c98d3a2f5102d1060c66308ecc86ec7fa0eb
+  data.tar.gz: 8c46c748a3580c4d5ef43307e283f003110dd6ef
+SHA512:
+  metadata.gz: 46e3e70d1513ee2f883f4996a575626b32c3c781e084f88709813b4490542e6fc10a85eaf01b9d68af8a889f48f692e7d934cac504d18462c21ce84685ffadb4
+  data.tar.gz: 3987aebc35372d17e80487bcc688805f37c4ced4434d43db504d38ab17de6dc97bc7bf1a1d4d60aadc33887ef1daffc018d97b92c8b004f14858f4720d28da14

data/.editorconfig

@@ -0,0 +1,16 @@
+# EditorConfig helps developers define and maintain consistent
+# coding styles between different editors and IDEs
+# editorconfig.org
+
+root = true
+
+[*]
+# Change these settings to your own preference
+indent_style = space
+indent_size = 2
+
+# We recommend you to keep these unchanged
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true

data/.ruby-version

@@ -0,0 +1 @@
+2.1.3

data/.travis.yml

@@ -1,6 +1,7 @@
 rvm:
   - 1.9.2
   - 1.9.3
+  - 2.0.0
 branches:
   only:
     - master

data/README.md

@@ -4,11 +4,13 @@
 [version]: http://badge.fury.io/rb/omniauth-cas
 [travis]: http://travis-ci.org/dlindahl/omniauth-cas
 [travis_status]: https://secure.travis-ci.org/dlindahl/omniauth-cas.png
+[releases]: https://github.com/dlindahl/omniauth-cas/releases
 
 This is a OmniAuth 1.0 compatible port of the previously available
 [OmniAuth CAS strategy][old_omniauth_cas] that was bundled with OmniAuth 0.3.
 
-[View the documentation][document_up]
+* [View the documentation][document_up]
+* [Changelog][releases]
 
 ## Installation
 
@@ -41,21 +43,44 @@ end
 OmniAuth CAS requires at least one of the following two configuration options:
 
   * `url` - Defines the URL of your CAS server (i.e. `http://example.org:8080`)
-  * `host` - Defines the host of your CAS server. Optional if using `url`
-  * `login_url` - Defines the URL used to prompt users for their login information. Defaults to `/login`
-    If no `host` is configured, the host application's domain will be used.
+  * `host` - Defines the host of your CAS server (i.e. `example.org`).
 
 #### Optional
 
 Other configuration options:
 
-  * `port` - The port to use for your configured CAS `host`. Optional if using `url`
-  * `ssl` - TRUE to connect to your CAS server over SSL. Optional if using `url`
-  * `service_validate_url` - The URL to use to validate a user. Defaults to `'/serviceValidate'`
-  * `logout_url` - The URL to use to logout a user. Defaults to `'/logout'`
-  * `uid_key` - The user data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name)
-  * `ca_path` - Optional when `ssl` is `true`. Sets path of a CA certification directory. See [Net::HTTP][net_http] for more details
+  * `port` - The port to use for your configured CAS `host`. Optional if using `url`.
+  * `ssl` - TRUE to connect to your CAS server over SSL. Optional if using `url`.
+  * `service_validate_url` - The URL to use to validate a user. Defaults to `'/serviceValidate'`.
+  * `callback_url` - The URL custom URL path which CAS uses to call back to the service.  Defaults to `/users/auth/cas/callback`.
+  * `logout_url` - The URL to use to logout a user. Defaults to `'/logout'`.
+  * `login_url` - Defines the URL used to prompt users for their login information. Defaults to `/login` If no `host` is configured, the host application's domain will be used.
+  * `uid_field` - The user data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `ca_path` - Optional when `ssl` is `true`. Sets path of a CA certification directory. See [Net::HTTP][net_http] for more details.
   * `disable_ssl_verification` - Optional when `ssl` is true. Disables verification.
+  * `on_single_sign_out` - Optional. Callback used when a [CAS 3.1 Single Sign Out][sso]
+    request is received.
+  * `fetch_raw_info` - Optional. Callback used to return additional "raw" user
+    info from other sources.
+
+    ```ruby
+    provider :cas,
+             fetch_raw_info: lambda { |strategy, options, ticket, user_info|
+               ExternalService.get(user_info[:user]).attributes
+            }
+    ```
+
+Configurable options for values returned by CAS:
+
+  * `uid_key` - The user ID data attribute to use as your user's unique identifier. Defaults to `'user'` (which usually contains the user's login name).
+  * `name_key` - The data attribute containing user first and last name.  Defaults to `'name'`.
+  * `email_key` - The data attribute containing user email address.  Defaults to `'email'`.
+  * `nickname_key` - The data attribute containing user's nickname.  Defaults to `'user'`.
+  * `first_name_key` - The data attribute containing user first name.  Defaults to `'first_name'`.
+  * `last_name_key` - The data attribute containing user last name.  Defaults to `'last_name'`.
+  * `location_key` - The data attribute containing user location/address.  Defaults to `'location'`.
+  * `image_key` - The data attribute containing user image/picture.  Defaults to `'image'`.
+  * `phone_key` - The data attribute containing user contact phone number.  Defaults to `'phone'`.
 
 ## Migrating from OmniAuth 0.3
 
@@ -95,3 +120,4 @@ Special thanks go out to the following people
 [old_omniauth_cas]: https://github.com/intridea/omniauth/blob/0-3-stable/oa-enterprise/lib/omniauth/strategies/cas.rb
 [document_up]: http://dlindahl.github.com/omniauth-cas/
 [net_http]: http://ruby-doc.org/stdlib-1.9.3/libdoc/net/http/rdoc/Net/HTTP.html
+[sso]: https://wiki.jasig.org/display/CASUM/Single+Sign+Out

data/lib/omniauth-cas.rb

@@ -1 +1 @@
-require "omniauth/cas"
+require 'omniauth/cas'

data/lib/omniauth/cas/version.rb

@@ -1,5 +1,5 @@
 module Omniauth
   module Cas
-    VERSION = '1.1.0.beta.1'
+    VERSION = '1.1.0-rc.1'
   end
 end

data/lib/omniauth/strategies/cas.rb

@@ -1,4 +1,4 @@
-require 'omniauth/strategy'
+require 'omniauth'
 require 'addressable/uri'
 
 module OmniAuth
@@ -10,8 +10,8 @@ module OmniAuth
       class MissingCASTicket < StandardError; end
       class InvalidCASTicket < StandardError; end
 
-      autoload :Configuration, 'omniauth/strategies/cas/configuration'
       autoload :ServiceTicketValidator, 'omniauth/strategies/cas/service_ticket_validator'
+      autoload :LogoutRequest, 'omniauth/strategies/cas/logout_request'
 
       attr_accessor :raw_info
       alias_method :user_info, :raw_info
@@ -25,81 +25,121 @@ module OmniAuth
       option :service_validate_url, '/serviceValidate'
       option :login_url,            '/login'
       option :logout_url,           '/logout'
-      option :uid_key,              'user'
+      option :on_single_sign_out,   Proc.new {}
+      # A Proc or lambda that returns a Hash of additional user info to be
+      # merged with the info returned by the CAS server.
+      #
+      # @param [Object] An instance of OmniAuth::Strategies::CAS for the current request
+      # @param [String] The user's Service Ticket value
+      # @param [Hash] The user info for the Service Ticket returned by the CAS server
+      #
+      # @return [Hash] Extra user info
+      option :fetch_raw_info,       Proc.new { Hash.new }
+      # Make all the keys configurable with some defaults set here
+      option :uid_field, 'user'
+      option :name_key, 'name'
+      option :email_key, 'email'
+      option :nickname_key, 'user'
+      option :first_name_key, 'first_name'
+      option :last_name_key, 'last_name'
+      option :location_key, 'location'
+      option :image_key, 'image'
+      option :phone_key, 'phone'
 
       # As required by https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema
-      AuthHashSchemaKeys = %w{name email first_name last_name location image phone}
+      AuthHashSchemaKeys = %w{name email nickname first_name last_name location image phone}
       info do
         prune!({
-          :name       => raw_info['name'],
-          :email      => raw_info['email'],
-          :first_name => raw_info['first_name'],
-          :last_name  => raw_info['last_name'],
-          :location   => raw_info['location'],
-          :image      => raw_info['image'],
-          :phone      => raw_info['phone']
+          name: raw_info[options[:name_key].to_s],
+          email: raw_info[options[:email_key].to_s],
+          nickname: raw_info[options[:nickname_key].to_s],
+          first_name: raw_info[options[:first_name_key].to_s],
+          last_name: raw_info[options[:last_name_key].to_s],
+          location: raw_info[options[:location_key].to_s],
+          image: raw_info[options[:image_key].to_s],
+          phone: raw_info[options[:phone_key].to_s]
         })
       end
 
       extra do
-        prune! raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        prune!(
+          raw_info.delete_if{ |k,v| AuthHashSchemaKeys.include?(k) }
+        )
       end
 
       uid do
-        raw_info[ @options[:uid_key].to_s ]
+        raw_info[options[:uid_field].to_s]
       end
 
       credentials do
-        prune!({
-          :ticket => @ticket
-        })
-      end
-
-      def initialize( app, *args, &block )
-        super
-        @configuration = Configuration.new( @options )
+        prune!({ ticket: @ticket })
       end
 
       def callback_phase
-        @ticket = request.params['ticket']
-
-        return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
-
-        self.raw_info = ServiceTicketValidator.new(self, @options, callback_url, @ticket).user_info
-
-        return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
-
-        super
+        if on_sso_path?
+          single_sign_out_phase
+        else
+          @ticket = request.params['ticket']
+          return fail!(:no_ticket, MissingCASTicket.new('No CAS Ticket')) unless @ticket
+          fetch_raw_info(@ticket)
+          return fail!(:invalid_ticket, InvalidCASTicket.new('Invalid CAS Ticket')) if raw_info.empty?
+          super
+        end
       end
 
       def request_phase
-        service_url = append_params( callback_url, return_url )
+        service_url = append_params(callback_url, return_url)
 
         [
           302,
           {
-            'Location' => login_url( service_url ),
+            'Location' => login_url(service_url),
             'Content-Type' => 'text/plain'
           },
           ["You are being redirected to CAS for sign-in."]
         ]
       end
 
+      def on_sso_path?
+        request.post? && request.params.has_key?('logoutRequest')
+      end
+
+      def single_sign_out_phase
+        logout_request_service.new(self, request).call(options)
+      end
+
       # Build a CAS host with protocol and port
       #
       #
       def cas_url
+        extract_url if options['url']
+        validate_cas_setup
         @cas_url ||= begin
           uri = Addressable::URI.new
-          uri.host   = @options.host
-          uri.scheme = @options.ssl ? 'https' : 'http'
-          uri.port   = @options.port
-          uri.path   = @options.path
-
+          uri.host = options.host
+          uri.scheme = options.ssl ? 'https' : 'http'
+          uri.port = options.port
+          uri.path = options.path
           uri.to_s
         end
       end
 
+      def extract_url
+        url = Addressable::URI.parse(options.delete('url'))
+        options.merge!(
+          'host' => url.host,
+          'port' => url.port,
+          'path' => url.path,
+          'ssl' => url.scheme == 'https'
+        )
+      end
+
+      def validate_cas_setup
+        if options.host.nil? || options.login_url.nil?
+          raise ArgumentError.new(":host and :login_url MUST be provided")
+        end
+      end
+
       # Build a service-validation URL from +service+ and +ticket+.
       # If +service+ has a ticket param, first remove it. URL-encode
       # +service+ and add it and the +ticket+ as paraemters to the
@@ -110,10 +150,12 @@ module OmniAuth
       #
       # @return [String] a URL like `http://cas.mycompany.com/serviceValidate?service=...&ticket=...`
       def service_validate_url(service_url, ticket)
-        service_url = Addressable::URI.parse( service_url )
+        service_url = Addressable::URI.parse(service_url)
         service_url.query_values = service_url.query_values.tap { |qs| qs.delete('ticket') }
-
-        cas_url + append_params(@options.service_validate_url, { :service => service_url.to_s, :ticket => ticket })
+        cas_url + append_params(options.service_validate_url, {
+          service: service_url.to_s,
+          ticket: ticket
+        })
       end
 
       # Build a CAS login URL from +service+.
@@ -122,7 +164,7 @@ module OmniAuth
       #
       # @return [String] a URL like `http://cas.mycompany.com/login?service=...`
       def login_url(service)
-        cas_url + append_params( @options.login_url, { :service => service })
+        cas_url + append_params(options.login_url, { service: service })
       end
 
       # Adds URL-escaped +parameters+ to +base+.
@@ -133,20 +175,25 @@ module OmniAuth
       # @return [String] the new joined URL.
       def append_params(base, params)
         params = params.each { |k,v| v = Rack::Utils.escape(v) }
-
         Addressable::URI.parse(base).tap do |base_uri|
-          base_uri.query_values = (base_uri.query_values || {}).merge( params )
+          base_uri.query_values = (base_uri.query_values || {}).merge(params)
         end.to_s
       end
 
-      # Adds support for custom callback_paths
-      # See: https://github.com/intridea/omniauth/issues/630
-      def callback_path
-        options[:callback_path].is_a?(String) ? options[:callback_path] : (custom_path(:callback_path) || custom_path(:request_path) || "#{path_prefix}/#{name}/callback")
+      # Validate the Service Ticket
+      # @return [Object] the validated Service Ticket
+      def validate_service_ticket(ticket)
+        ServiceTicketValidator.new(self, options, callback_url, ticket).call
       end
 
     private
 
+      def fetch_raw_info(ticket)
+        ticket_user_info = validate_service_ticket(ticket).user_info
+        custom_user_info = options.fetch_raw_info.call(self, options, ticket, ticket_user_info)
+        self.raw_info = ticket_user_info.merge(custom_user_info)
+      end
+
       # Deletes Hash pairs with `nil` values.
       # From https://github.com/mkdynamic/omniauth-facebook/blob/972ed5e3456bcaed7df1f55efd7c05c216c8f48e/lib/omniauth/strategies/facebook.rb#L122-127
       def prune!(hash)
@@ -158,13 +205,16 @@ module OmniAuth
 
       def return_url
         # If the request already has a `url` parameter, then it will already be appended to the callback URL.
-        if request.params and request.params['url']
+        if request.params && request.params['url']
           {}
         else
-          { :url => request.referer }
+          { url: request.referer }
         end
       end
 
+      def logout_request_service
+        LogoutRequest
+      end
     end
   end
 end

data/lib/omniauth/strategies/cas/logout_request.rb

@@ -0,0 +1,58 @@
+module OmniAuth
+  module Strategies
+    class CAS
+      class LogoutRequest
+        def initialize(strategy, request)
+          @strategy, @request = strategy, request
+        end
+
+        def call(options = {})
+          @options = options
+
+          begin
+            result = single_sign_out_callback.call(*logout_request)
+          rescue StandardError => err
+            return @strategy.fail! :logout_request, err
+          else
+            result = [200,{},'OK'] if result == true || result.nil?
+          ensure
+            return unless result
+
+            # TODO: Why does ActionPack::Response return [status,headers,body]
+            # when Rack::Response#new wants [body,status,headers]? Additionally,
+            # why does Rack::Response differ in argument order from the usual
+            # Rack-like [status,headers,body] array?
+            return Rack::Response.new(result[2],result[0],result[1]).finish
+          end
+        end
+
+      private
+
+        def logout_request
+          @logout_request ||= begin
+            saml = Nokogiri.parse(@request.params['logoutRequest'])
+            name_id = saml.xpath('//saml:NameID').text
+            sess_idx = saml.xpath('//samlp:SessionIndex').text
+            inject_params(name_id:name_id, session_index:sess_idx)
+            @request
+          end
+        end
+
+        def inject_params(new_params)
+          rack_input = @request.env['rack.input'].read
+          params = Rack::Utils.parse_query(rack_input, '&').merge new_params
+          @request.env['rack.input'] = StringIO.new(Rack::Utils.build_query(params))
+        rescue
+          # A no-op intended to ensure that the ensure block is run
+          raise
+        ensure
+          @request.env['rack.input'].rewind
+        end
+
+        def single_sign_out_callback
+          @options[:on_single_sign_out]
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/cas/service_ticket_validator.rb

@@ -6,7 +6,6 @@ module OmniAuth
   module Strategies
     class CAS
       class ServiceTicketValidator
-
         VALIDATION_REQUEST_HEADERS = { 'Accept' => '*/*' }
 
         # Build a validator from a +configuration+, a
@@ -20,6 +19,13 @@ module OmniAuth
           @uri = URI.parse(strategy.service_validate_url(return_to_url, ticket))
         end
 
+        # Executes a network request to process the CAS Service Response
+        def call
+          @response_body = get_service_response_body
+          @success_body = find_authentication_success(@response_body)
+          self
+        end
+
         # Request validation of the ticket from the CAS server's
         # serviceValidate (CAS 2.0) function.
         #
@@ -29,7 +35,7 @@ module OmniAuth
         #
         # @raise any connection errors encountered.
         def user_info
-          parse_user_info( find_authentication_success( get_service_response_body ) )
+          parse_user_info(@success_body)
         end
 
       private
@@ -38,18 +44,21 @@ module OmniAuth
         # returns nil if given nil
         def parse_user_info(node)
           return nil if node.nil?
-
           {}.tap do |hash|
             node.children.each do |e|
-              unless e.kind_of?(Nokogiri::XML::Text) ||
-                     e.name == 'cas:proxies' ||
-                     e.name == 'proxies'
+              node_name = e.name.sub(/^cas:/, '')
+              unless e.kind_of?(Nokogiri::XML::Text) || node_name == 'proxies'
                 # There are no child elements
                 if e.element_children.count == 0
-                  hash[e.name.sub(/^cas:/, '')] = e.content
+                  hash[node_name] = e.content
                 elsif e.element_children.count
-                  hash[e.name.sub(/^cas:/, '')] = [] if hash[e.name.sub(/^cas:/, '')].nil?
-                  hash[e.name.sub(/^cas:/, '')].push parse_user_info e
+                  # JASIG style extra attributes
+                  if node_name == 'attributes'
+                    hash.merge!(parse_user_info(e))
+                  else
+                    hash[node_name] = [] if hash[node_name].nil?
+                    hash[node_name].push(parse_user_info(e))
+                  end
                 end
               end
             end
@@ -88,7 +97,6 @@ module OmniAuth
           end
           result
         end
-
       end
     end
   end