omniauth-globus 0.8.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9104c94aa76173b5aaa26efb5577358bfb57e8fcc5fafeb7f044d413a01af40e
+  data.tar.gz: 03156dd1bba125b360eef9dcf311b9fd9791fc08e0e4aefe092169eface776c8
+SHA512:
+  metadata.gz: 5c77a6c4c3866b0ad92a1ad31097d92b80dbfca091c617986e9bb27909bb8accd891bf79d3af38f79ac25ffeea33b46ed7fab2f9b707cbbb78d9ccb5e319404f
+  data.tar.gz: bd04da0ef51a21c19c55dbc6fc7a88252b2be8e28f9afc3fdf19592ea19484c8da242f1312f0f4b1759d6de0af62a3fcab8f2733bd0737ae70f80b285dec3d8d

data/.gitignore

@@ -0,0 +1,50 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.rubocop.yml

@@ -0,0 +1,209 @@
+# from https://github.com/rails/rails/blob/master/.rubocop.yml
+
+AllCops:
+  TargetRubyVersion: 2.5
+  # RuboCop has a bunch of cops enabled by default. This setting tells RuboCop
+  # to ignore them, so only the ones explicitly set in this file are enabled.
+  DisabledByDefault: true
+
+# Prefer &&/|| over and/or.
+Style/AndOr:
+  Enabled: true
+
+# Do not use braces for hash literals when they are the last argument of a
+# method call.
+Style/BracesAroundHashParameters:
+  Enabled: true
+  EnforcedStyle: context_dependent
+
+# Align `when` with `case`.
+Layout/CaseIndentation:
+  Enabled: true
+
+# Align comments with method definitions.
+Layout/CommentIndentation:
+  Enabled: true
+
+Layout/ElseAlignment:
+  Enabled: true
+
+# Align `end` with the matching keyword or starting expression except for
+# assignments, where it should be aligned with the LHS.
+Layout/EndAlignment:
+  Enabled: true
+  EnforcedStyleAlignWith: variable
+  AutoCorrect: true
+
+Layout/EmptyLineAfterMagicComment:
+  Enabled: true
+
+Layout/EmptyLinesAroundBlockBody:
+  Enabled: true
+
+# In a regular class definition, no empty lines around the body.
+Layout/EmptyLinesAroundClassBody:
+  Enabled: true
+
+# In a regular method definition, no empty lines around the body.
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: true
+
+# In a regular module definition, no empty lines around the body.
+Layout/EmptyLinesAroundModuleBody:
+  Enabled: true
+
+Layout/IndentFirstArgument:
+  Enabled: true
+
+# Use Ruby >= 1.9 syntax for hashes. Prefer { a: :b } over { :a => :b }.
+Style/HashSyntax:
+  Enabled: true
+
+# Method definitions after `private` or `protected` isolated calls need one
+# extra level of indentation.
+Layout/IndentationConsistency:
+  Enabled: true
+  EnforcedStyle: indented_internal_methods
+
+# Two spaces, no tabs (for indentation).
+Layout/IndentationWidth:
+  Enabled: true
+
+Layout/LeadingCommentSpace:
+  Enabled: true
+
+Layout/SpaceAfterColon:
+  Enabled: true
+
+Layout/SpaceAfterComma:
+  Enabled: true
+
+Layout/SpaceAfterSemicolon:
+  Enabled: true
+
+Layout/SpaceAroundEqualsInParameterDefault:
+  Enabled: true
+
+Layout/SpaceAroundKeyword:
+  Enabled: true
+
+Layout/SpaceAroundOperators:
+  Enabled: true
+
+Layout/SpaceBeforeComma:
+  Enabled: true
+
+Layout/SpaceBeforeComment:
+  Enabled: true
+
+Layout/SpaceBeforeFirstArg:
+  Enabled: true
+
+Style/DefWithParentheses:
+  Enabled: true
+
+# Defining a method with parameters needs parentheses.
+Style/MethodDefParentheses:
+  Enabled: true
+
+Style/FrozenStringLiteralComment:
+  Enabled: true
+  EnforcedStyle: always
+  Exclude:
+    - 'actionview/test/**/*.builder'
+    - 'actionview/test/**/*.ruby'
+    - 'actionpack/test/**/*.builder'
+    - 'actionpack/test/**/*.ruby'
+    - 'activestorage/db/migrate/**/*.rb'
+    - 'activestorage/db/update_migrate/**/*.rb'
+    - 'actionmailbox/db/migrate/**/*.rb'
+    - 'actiontext/db/migrate/**/*.rb'
+
+Style/RedundantFreeze:
+  Enabled: true
+
+# Use `foo {}` not `foo{}`.
+Layout/SpaceBeforeBlockBraces:
+  Enabled: true
+
+# Use `foo { bar }` not `foo {bar}`.
+Layout/SpaceInsideBlockBraces:
+  Enabled: true
+  EnforcedStyleForEmptyBraces: space
+
+# Use `{ a: 1 }` not `{a:1}`.
+Layout/SpaceInsideHashLiteralBraces:
+  Enabled: true
+
+Layout/SpaceInsideParens:
+  Enabled: true
+
+# Check quotes usage according to lint rule below.
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+# Detect hard tabs, no hard tabs.
+Layout/Tab:
+  Enabled: true
+
+# Blank lines should not have any spaces.
+Layout/TrailingBlankLines:
+  Enabled: true
+
+# No trailing whitespace.
+Layout/TrailingWhitespace:
+  Enabled: true
+
+# Use quotes for string literals when they are enough.
+Style/UnneededPercentQ:
+  Enabled: true
+
+Lint/AmbiguousOperator:
+  Enabled: true
+
+Lint/AmbiguousRegexpLiteral:
+  Enabled: true
+
+Lint/ErbNewArguments:
+  Enabled: true
+
+# Use my_method(my_arg) not my_method( my_arg ) or my_method my_arg.
+Lint/RequireParentheses:
+  Enabled: true
+
+Lint/ShadowingOuterLocalVariable:
+  Enabled: true
+
+Lint/StringConversionInInterpolation:
+  Enabled: true
+
+Lint/UriEscapeUnescape:
+  Enabled: true
+
+Lint/UselessAssignment:
+  Enabled: true
+
+Lint/DeprecatedClassMethods:
+  Enabled: true
+
+Style/ParenthesesAroundCondition:
+  Enabled: true
+
+Style/RedundantBegin:
+  Enabled: true
+
+Style/RedundantReturn:
+  Enabled: true
+  AllowMultipleReturnValues: true
+
+Style/Semicolon:
+  Enabled: true
+  AllowAsExpressionSeparator: true
+
+# Prefer Foo.method over Foo::method
+Style/ColonMethodCall:
+  Enabled: true
+
+Style/TrivialAccessors:
+  Enabled: true

data/.travis.yml

@@ -0,0 +1,16 @@
+language: ruby
+rvm:
+- 2.4.1
+install:
+- travis_retry bundle install
+script: bundle exec rspec
+notifications:
+  slack: datacite:Wt8En0ALoTA6Kjc5EOKNDWxN
+deploy:
+  provider: rubygems
+  api_key:
+    secure: uE7wQ63qRd3hnuzi2omMNoAcJJfQ/UQqk67qw2llQVYMbQlwgD6nnF5ipkPuqdAxPKZycUoZuD/uFKGK1B5pSPZeMTfFmTls3vPj6kLWeUCNZkZXfOsPPzhipRmxMbuxaCn6IqNtkTavsjC5xkOeBDw9aRTMRphyrwewWtk83NlwpRefNVx1SxU6IAxpySEWpjQ/PsLvJ+NmQuPl6KXlTooDPpaVHaaW9IDLtFoTK4GGWLGiDYWkhwQerUvczxvyuNGr/o0j8obCKau6lgv8eAj1f9W8pXmbvxq8Opp3/8chSvT98sO+L5RwigJYu6X7B1xVZGSNAuOVzNRagGkF2LE20b4p+1RqpmqCLViZcfPXRuSLPD4QlyRqjPbuma1mSQ/7zR8JTyobDJfyrQbuJNu+q96Edf4ZzHATDWik6sWRaU3Qcv5MN3NKgSwB0jbHgdgUeSKZusN4vkpNN4n1uxXnII/7A2b7W9U8wPFqmwhopB9egOxP9BQERFu4GxtI1TOPjIlh3tKy8SjSF0KnunHbaI1s6UrpjEh+mS5k9WryJtRmINFRI+ZHeCI6Sl5sXococnczDImG2AH7PEJ1zZ3rq/JH7J4HJ2moJW6xhvqVhoI1i9ti1VRqDE82GwRb0QE88eS2DZX2/b6J1faxlGuj1Cup+xzOrLnj9pctZLc=
+  gem: omniauth-globus
+  on:
+    tags: true
+    repo: datacite/omniauth-globus

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-github.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,98 @@
+PATH
+  remote: .
+  specs:
+    omniauth-globus (0.8.3)
+      jwt (>= 2.0)
+      omniauth (~> 1.9)
+      omniauth-oauth2 (~> 1.6)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.0)
+    codeclimate-test-reporter (1.0.9)
+      simplecov (<= 0.13)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    docile (1.1.5)
+    faraday (0.15.4)
+      multipart-post (>= 1.2, < 3)
+    hashdiff (1.0.0)
+    hashie (3.6.0)
+    jaro_winkler (1.5.3)
+    json (2.2.0)
+    jwt (2.2.1)
+    multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.9.0)
+      hashie (>= 3.4.6, < 3.7.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-oauth2 (1.6.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.9)
+    parallel (1.17.0)
+    parser (2.6.4.0)
+      ast (~> 2.4.0)
+    public_suffix (4.0.1)
+    rack (2.0.7)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rainbow (3.0.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.2)
+    rubocop (0.74.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.6)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    ruby-progressbar (1.10.1)
+    safe_yaml (1.0.5)
+    simplecov (0.13.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    unicode-display_width (1.6.0)
+    webmock (3.7.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0)
+  codeclimate-test-reporter (~> 1.0.0)
+  omniauth-globus!
+  rack-test (~> 0.6.3)
+  rspec (~> 3.4)
+  rubocop (~> 0.68)
+  simplecov
+  webmock (~> 3.0, >= 3.0.1)
+
+BUNDLED WITH
+   1.17.3

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 DataCite
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# omniauth-globus
+
+Globus Auth Strategy for OmniAuth

data/lib/omniauth/globus/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Globus
+    VERSION = "0.8.3"
+  end
+end

data/lib/omniauth/globus.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/strategies/globus'

data/lib/omniauth/strategies/globus.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "omniauth/strategies/oauth2"
+require "uri"
+
+module OmniAuth
+  module Strategies
+    class Globus < OmniAuth::Strategies::OAuth2
+      option :name, "globus"
+      option :issuer, "https://auth.globus.org"
+      option :scope, "openid profile email"
+      option :authorize_options, %i[access_type login_hint prompt request_visible_actions scope state redirect_uri include_granted_scopes openid_realm device_id device_name]
+
+      option(:client_options, site: 'https://auth.globus.org',
+                              authorize_url: 'https://auth.globus.org/v2/oauth2/authorize',
+                              token_url: 'https://auth.globus.org/v2/oauth2/token',
+                              discovery_endpoint: "https://auth.globus.org/.well-known/openid-configuration",
+                              authorization_endpoint: "https://auth.globus.org/v2/oauth2/authorize",
+                              token_endpoint: "https://auth.globus.org/v2/oauth2/token",
+                              userinfo_endpoint: "https://auth.globus.org/v2/oauth2/userinfo",
+                              jwks_uri: "https://auth.globus.org/jwk.json",
+                              end_session_endpoint: "https://auth.globus.org/v2/oauth2/token/revoke")
+
+      def authorize_params
+        super.tap do |params|
+          options[:authorize_options].each do |k|
+            params[k] = request.params[k.to_s] unless [nil, ''].include?(request.params[k.to_s])
+          end
+
+          params[:scope] = get_scope(params)
+          params[:access_type] = 'offline' if params[:access_type].nil?
+          params['openid.realm'] = params.delete(:openid_realm) unless params[:openid_realm].nil?
+
+          session['omniauth.state'] = params[:state] if params[:state]
+        end
+      end
+
+      uid { raw_info['sub'] }
+
+      info do
+        prune!(
+          name: raw_info['name'],
+          first_name: raw_info['given_name'],
+          last_name: raw_info['family_name'],
+          email: raw_info['email']
+        )
+      end
+
+      extra do
+        hash = {}
+        hash[:id_token] = access_token['id_token']
+        if !access_token['id_token'].nil?
+          decoded = ::JWT.decode(access_token['id_token'], nil, false).first
+
+          # We have to manually verify the claims because the third parameter to
+          # JWT.decode is false since no verification key is provided.
+          ::JWT::Verify.verify_claims(decoded,
+                                      verify_iss: true,
+                                      iss: options.issuer,
+                                      verify_expiration: true)
+
+          hash[:id_info] = decoded
+        end
+        hash[:raw_info] = raw_info unless skip_info?
+        prune! hash
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get(options.client_options.userinfo_endpoint).parsed
+      end
+
+      def custom_build_access_token
+        get_access_token(request)
+      end
+
+      alias build_access_token custom_build_access_token
+
+      private
+
+      def callback_url
+        options[:redirect_uri] || (full_host + script_name + callback_path)
+      end
+
+      def get_access_token(request)
+        verifier = request.params['code']
+        redirect_uri = request.params['redirect_uri']
+        if verifier && request.xhr?
+          client_get_token(verifier, redirect_uri || 'postmessage')
+        elsif verifier
+          client_get_token(verifier, redirect_uri || callback_url)
+        elsif verify_token(request.params['access_token'])
+          ::OAuth2::AccessToken.from_hash(client, request.params.dup)
+        elsif request.content_type =~ /json/i
+          begin
+            body = JSON.parse(request.body.read)
+            request.body.rewind # rewind request body for downstream middlewares
+            verifier = body && body['code']
+            client_get_token(verifier, 'postmessage') if verifier
+          rescue JSON::ParserError => e
+            warn "[omniauth globus] JSON parse error=#{e}"
+          end
+        end
+      end
+
+      def client_get_token(verifier, redirect_uri)
+        client.auth_code.get_token(verifier, get_token_options(redirect_uri), get_token_params)
+      end
+
+      def get_token_params
+        deep_symbolize(options.auth_token_params || {})
+      end
+
+      def get_scope(params)
+        raw_scope = params[:scope] || options.scope
+        scope_list = raw_scope.split(" ").map { |item| item.split(",") }.flatten
+        scope_list.join(" ")
+      end
+
+      def get_token_options(redirect_uri = "")
+        { redirect_uri: redirect_uri }.merge(token_params.to_hash(symbolize_keys: true))
+      end
+
+      def prune!(hash)
+        hash.delete_if do |_, v|
+          prune!(v) if v.is_a?(Hash)
+          v.nil? || (v.respond_to?(:empty?) && v.empty?)
+        end
+      end
+
+      def strip_unnecessary_query_parameters(query_parameters)
+        # strip `sz` parameter (defaults to sz=50) which overrides `image_size` options
+        return nil if query_parameters.nil?
+
+        params = CGI.parse(query_parameters)
+        stripped_params = params.delete_if { |key| key == 'sz' }
+
+        # don't return an empty Hash since that would result
+        # in URLs with a trailing ? character: http://image.url?
+        return nil if stripped_params.empty?
+
+        URI.encode_www_form(stripped_params)
+      end
+
+      def verify_token(access_token)
+        return false unless access_token
+
+        raw_response = client.request(:get, options.client_options.userinfo_endpoint,
+                                      params: { access_token: access_token }).parsed
+        raw_response["aud"] == options.client_id
+      end
+    end
+  end
+end

data/lib/omniauth-globus.rb

@@ -0,0 +1 @@
+require 'omniauth/globus'

data/omniauth-globus.gemspec

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "date"
+require File.expand_path("../lib/omniauth/globus/version", __FILE__)
+
+Gem::Specification.new do |s|
+  s.authors       = ["Martin Fenner"]
+  s.email         = ["mfenner@datacite.org"]
+  s.name          = "omniauth-globus"
+  s.homepage      = "https://github.com/datacite/omniauth-globus"
+  s.summary       = "Globus Auth OpenId connect Strategy for OmniAuth 1.0"
+  s.date          = Date.today
+  s.description   = "Enables third-party client apps to authenticate with the Globus Auth service via OpenID Connect"
+  s.require_paths = ["lib"]
+  s.version       = OmniAuth::Globus::VERSION
+  s.extra_rdoc_files = ["README.md"]
+  s.license       = "MIT"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+
+  s.required_ruby_version = ">= 2.3"
+
+  # Declary dependencies here, rather than in the Gemfile
+  s.add_dependency "jwt", ">= 2.0"
+  s.add_dependency "omniauth", "~> 1.9"
+  s.add_dependency "omniauth-oauth2", "~> 1.6"
+  s.add_development_dependency "bundler", "~> 1.0"
+  s.add_development_dependency "codeclimate-test-reporter", "~> 1.0.0"
+  s.add_development_dependency "rack-test", "~> 0.6.3"
+  s.add_development_dependency "rspec", "~> 3.4"
+  s.add_development_dependency "rubocop", "~> 0.68"
+  s.add_development_dependency "simplecov"
+  s.add_development_dependency "webmock", "~> 3.0", ">= 3.0.1"
+end

data/spec/fixtures/access_token.json

@@ -0,0 +1,9 @@
+{
+  "name": "Martin Fenner",
+  "access_token": "123",
+  "expires_in": 631138518,
+  "token_type": "bearer",
+  "orcid": "0000-0001-6528-2027",
+  "scope": "/read-limited",
+  "refresh_token": "456"
+}