omniauth-cul 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5da31c2f79868b1ffaa0b942b3c8c26bfed1911777d53c153ed4ecf2bcd2f289
+  data.tar.gz: 39590d04655b7260e5ff0423bb826abbf9500e7cd47617bbb679b8c23fa92fdd
+SHA512:
+  metadata.gz: 85874e250cc849120dfa5869a8e78516bfc2269d0275b0e549cf755e4838a1e1be1197df01b8cb1cbbe79d9273904bf0254da6e5708a114577e2e055a7ec720c
+  data.tar.gz: 0b861025b96752b267ab4eaf78dad76aa6933c7341be2427884cdf62b82a04696be0956e90cc449ef2cc526335e2fbc80430223467cbf54cda9ce8fb01e9a388

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,13 @@
+AllCops:
+  TargetRubyVersion: 2.6
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Layout/LineLength:
+  Max: 120

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Eric O
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,114 @@
+# Cul::Omniauth
+
+Cul::Omniauth is a gem that facilitates using Rails, [Devise](https://github.com/plataformatec/devise "Devise") and Omniauth with the [CAS offering from Columbia University IT](https://cuit.columbia.edu/cas-authentication "CUIT CAS Documentation").
+
+At this time, this gem only supports Columbia University's CAS3 authentication endpoint (which provides user affiliation information), but support for additional auth mechanisms may be added later if needed.
+
+## Installation and setup
+
+The instructions below assume that your Rails application's user model will be called "User".
+
+1. Add gem `devise` (>= 4.9) to your Gemfile.
+2. Follow the standard Devise setup instructions (https://github.com/heartcombo/devise).  Recap:
+   1. `rails generate devise:install`
+   2. `rails generate devise User`
+   3. `rails db:migrate`
+3. Add gem `omniauth` (>= 2.1) to your Gemfile.
+4. Add this gem, 'omniauth-cul', to your Gemfile.
+5. Run `bundle install`.
+6. In `/config/initializers/devise.rb`, add this:
+   ```
+   config.omniauth :cas, strategy_class: Omniauth::Cul::Strategies::Cas3Strategy
+   ```
+   (There may already be a config.omniauth section, and if so you can append this to the existing lines in that section.)
+7. Add a :uid column to the User model by running: `rails generate migration AddUidToUsers uid:string:uniq:index`
+8. In `/app/models/user.rb`, find the line where the `devise` method is called (usually with arguments like `:database_authenticatable`, `:registerable`, etc.).
+   - Minimally, you need to add these additional arguments to the end of the method call: `:omniauthable, omniauth_providers: [:cas]`
+   - In most cases though, you'll probably want to disable most of the modules and have only this:
+      ```
+      devise :database_authenticatable, :validatable, :omniauthable, omniauth_providers: [:cas]
+      ```
+9.  In `/config/routes.rb`, find this line:
+   ```
+    devise_for :users
+   ```
+   And replace it with these lines:
+   ```
+    devise_for :users, controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
+   ```
+10. Create a new file at `app/controllers/users/omniauth_callbacks_controller.rb` with the following content:
+    ```
+    require 'omniauth/cul'
+
+      class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+        # Adding the line below so that if the auth endpoint POSTs to our cas endpoint, it won't
+        # be rejected by authenticity token verification.
+        # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
+        skip_before_action :verify_authenticity_token, only: :cas
+
+        def app_cas_callback_endpoint
+          "#{request.base_url}/users/auth/cas/callback"
+        end
+
+        # GET /users/auth/cas (go here to be redirected to the CAS login form)
+        def passthru
+          redirect_to Omniauth::Cul::Cas3.passthru_redirect_url(app_cas_callback_endpoint), allow_other_host: true
+        end
+
+        # GET /users/auth/cas/callback
+        def cas
+          user_id, affils = Omniauth::Cul::Cas3.validation_callback(request.params['ticket'], app_cas_callback_endpoint)
+
+          # Custom auth logic for your app goes here.
+          # The code below is provided as an example.  If you want to use Omniauth::Cul::PermissionFileValidator,
+          # to validate see the later "Omniauth::Cul::PermissionFileValidator" section of this README.
+          #
+          # if Omniauth::Cul::PermissionFileValidator.permitted?(user_id, affils)
+          #   user = User.find_by(uid: user_id) || User.create!(
+          #       uid: user_id,
+          #       email: "#{user_id}@columbia.edu"
+          #   )
+          #   sign_in_and_redirect user, event: :authentication # this will throw if @user is not activated
+          # else
+          #   flash[:error] = 'Login attempt failed'
+          #   redirect_to root_path
+          # end
+        end
+      end
+    ```
+
+## Omniauth::Cul::PermissionFileValidator - Permission validation with a user id list or affiliation list
+
+One of the modules in this gem is `Omniauth::Cul::PermissionFileValidator`, which can be used like this:
+
+```
+user_id = 'abc123'
+affils = ['affil1']
+if Omniauth::Cul::PermissionFileValidator.permitted?(user_id, affils)
+  # This block will run if your Rails app has a file at /config/permissions.yml that
+  # permits access for user 'abc123' OR any user with affiliation 'affil1'.
+end
+```
+
+In your Rails app, your permission.yml file should be located at /config/permissions.yml.  For each environment, you may define allowed_user_ids and/or allowed_user_affils.
+
+```
+# Permissions
+
+all: &all
+  allowed_user_ids:
+    - abc123
+    - def123
+    - ghi123
+  allowed_user_affils:
+    - CUL_dpts-ldpd
+
+development: *all
+test: *all
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/lib/omniauth/cul/cas_3.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Cul
+    module Cas3
+      # For Columbia CAS 3 endpoint info, see: https://www.cuit.columbia.edu/cas-authentication
+
+      def self.passthru_redirect_url(app_cas_callback_endpoint)
+        'https://cas.columbia.edu/cas/login?'\
+        "service=#{Rack::Utils.escape(app_cas_callback_endpoint)}"
+      end
+
+      def self.validation_callback(ticket, app_cas_callback_endpoint)
+        cas_ticket = ticket
+        validation_url = cas_validation_url(app_cas_callback_endpoint, cas_ticket)
+        validation_response = validate_ticket(validation_url, cas_ticket)
+
+        # We are always expecting an XML response
+        response_xml = Nokogiri::XML(validation_response)
+
+        user_id = user_id_from_response_xml(response_xml)
+        affils = affils_from_response_xml(response_xml)
+
+        [user_id, affils]
+      end
+
+      def self.cas_validation_url(app_cas_callback_endpoint, cas_ticket)
+        'https://cas.columbia.edu/cas/p3/serviceValidate?'\
+        "service=#{Rack::Utils.escape(app_cas_callback_endpoint)}&"\
+        "ticket=#{cas_ticket}"
+      end
+
+      def self.validate_ticket(validation_url, cas_ticket)
+        uri = URI.parse(validation_url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        validation_request = Net::HTTP::Get.new(uri.request_uri)
+        response = http.request(validation_request)
+        response.body
+      end
+
+      def self.user_id_from_response_xml(response_xml)
+        response_xml.xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user', 'cas' => 'http://www.yale.edu/tp/cas')&.first&.text
+      end
+
+      def self.affils_from_response_xml(response_xml)
+        response_xml.xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:attributes/cas:affiliation', 'cas' => 'http://www.yale.edu/tp/cas')&.map(&:text)
+      end
+    end
+  end
+end

data/lib/omniauth/cul/permission_file_validator.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Cul
+    module PermissionFileValidator
+      # For Columbia CAS 3 endpoint info, see: https://www.cuit.columbia.edu/cas-authentication
+
+      def self.permission_file_data
+        return @permission_file_data if @permission_file_data
+        @permission_file_data = {}
+        if defined?(Rails)
+          permission_file_path = Rails.root.join('config/permissions.yml')
+          # We'll use YAML loading logic similar to Rails 7, for older and newer psych gem compatibility
+          # https://github.com/rails/rails/blob/7-1-stable/activesupport/lib/active_support/encrypted_configuration.rb#L99
+          conf = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load_file(permission_file_path) : YAML.load_file(permission_file_path)
+          @permission_file_data = conf[Rails.env] || {}
+        end
+
+        @permission_file_data
+      end
+
+      def self.allowed_user_ids
+        permission_file_data.fetch('allowed_user_ids', [])
+      end
+
+      def self.allowed_user_affils
+        permission_file_data.fetch('allowed_user_affils', [])
+      end
+
+      # Returns true if the given user_id OR affils match at least one of the rules defined in the
+      # permissions.yml config file.  This method will always return false if user_id is nil.
+      def self.permitted?(user_id, affils)
+        return false if user_id.nil?
+        return true if allowed_user_ids.include?(user_id)
+        return true if affils.respond_to?(:include?) && allowed_user_affils.include?(affils)
+        return false
+      end
+    end
+  end
+end

data/lib/omniauth/cul/strategies/cas_3_strategy.rb

@@ -0,0 +1,9 @@
+module Omniauth
+  module Cul
+    module Strategies
+      class Cas3Strategy
+        include OmniAuth::Strategy
+      end
+    end
+  end
+end

data/lib/omniauth/cul/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Cul
+    VERSION = "0.2.0"
+  end
+end

data/lib/omniauth/cul.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative 'cul/version'
+require_relative 'cul/cas_3'
+require_relative 'cul/permission_file_validator'
+require_relative 'cul/strategies/cas_3_strategy'
+
+module Omniauth
+  module Cul
+    class Error < StandardError; end
+    # Your code goes here...
+  end
+end

data/sig/omniauth/cul.rbs

@@ -0,0 +1,6 @@
+module Omniauth
+  module Cul
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,84 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-cul
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Eric O
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-01-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.9'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description:
+email:
+- elo2112@columbia.edu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/cul.rb
+- lib/omniauth/cul/cas_3.rb
+- lib/omniauth/cul/permission_file_validator.rb
+- lib/omniauth/cul/strategies/cas_3_strategy.rb
+- lib/omniauth/cul/version.rb
+- sig/omniauth/cul.rbs
+homepage: https://github.com/cul/omniauth-cul
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/cul/omniauth-cul
+  source_code_uri: https://github.com/cul/omniauth-cul
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.5
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: A devise omniauth adapter for Rails apps, using Columbia University authentication.
+test_files: []