omniauth-gov 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a35d8b3dad929e14a1d45db69e92fad22a501148b1c6d76ba45f11d56ab9a2a7
-  data.tar.gz: 64cd57c77a5e0fcbb565f84c1fa83c11596fd3bc2ca92f4b10db115bc54336ff
+  metadata.gz: 59fc74ddbc0e9597ed857fb5e0d81d23ba1cc39d68bf53df937cc1c6ac550fdd
+  data.tar.gz: cb6cbb1cf394fa99880afdba93b0dbf12b53a5f1a3853ba944dcb2ff1509d773
 SHA512:
-  metadata.gz: 50b73332b1cad7b4e1f59ed0fcb75abc31785978cbceea68c31c37e14ab2fc4f73b3d6f4f8ae3a35e9674d3b3dabb609ab4d9216c67fa6b759934cca1b10ca30
-  data.tar.gz: c43269d0df9ffce5f99d65eee2a63df14bc1d53b6de5931561ad8af88cfb8076f0fc41787e72b54c682fc6919cfe8d0699d5b778439b6947753d6054b5bc452b
+  metadata.gz: 5d40363557839ba4743fef89876c43e66280f9d659641771ac8dd9ec577732f3de6e807672025416b355aac3ddb2ec2a413e012e9ae9daf8286ceea8747325f2
+  data.tar.gz: 78b60e07c8ffffe0c4ac3e5d9348d7a6c2b7a38fb7adbad9e3fe1b99ba43daf21918ec5f9bd16a3add1bfd3dc033254fbde8c33833b46682d9a32ea88cabd93b

data/.github/workflows/ruby.yml

@@ -0,0 +1,24 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.4', '2.5', '2.6', '2.7', '3.0', '3.1', '3.2', 'truffleruby-head']
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Build and test with Rake
+      run: bundle exec rake

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+/pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1 @@
+--colour

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-gov.gemspec
+gemspec
+
+group :development, :test do
+  gem 'guard'
+  gem 'guard-rspec'
+  gem 'guard-bundler'
+  gem 'rb-fsevent'
+  gem 'growl'
+  gem 'rake'
+end

data/Guardfile

@@ -0,0 +1,10 @@
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end
+
+guard 'bundler' do
+  watch('Gemfile')
+  watch('omniauth-gov.gemspec')
+end

data/LICENSE.txt

@@ -0,0 +1,7 @@
+Copyright (c) 2011 Michael Bleigh and Intridea, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,129 @@
+![Ruby](https://github.com/omniauth/omniauth-gov/workflows/Ruby/badge.svg?branch=main)
+
+# OmniAuth Gov
+
+Estratégia omniauth para integração do Login Único do governo brasileiro ao autentiador devise.
+
+## Instalação
+
+```ruby
+gem 'omniauth', '1.9.1'
+gem "omniauth-rails_csrf_protection", '0.1.2'
+gem 'omniauth-oauth2'
+gem 'omniauth-gov', '~> 0.1.2'
+```
+
+## Configuração devise
+
+Em `config/initializers/devise.rb.rb`
+
+```ruby
+  Devise.setup do |config|
+    # ...
+    config.omniauth :gov, 
+      ENV['client_id'], 
+      ENV['client_secret'], 
+    scope: 'openid+email+profile+govbr_confiabilidades+', 
+    callback_path: '/callback-da-aplicacao'
+
+    config.omniauth_path_prefix = '/prefixo-devise/prefixo-omniauth'
+  end
+```
+
+## Initializer
+Em `config/initializer/omniauth.rb`
+
+```ruby 
+OmniAuth.config.full_host = "<host-da-aplicacao-com-protocolo>"
+OmniAuth.config.logger = Rails.logger
+```
+
+## Route
+Em `config/routes.rb`
+```ruby
+  # ...
+  devise_for :users, controllers: {
+    # ...
+    :omniauth_callbacks => 'auth/omniauth_callbacks'
+  }
+
+  # opcional: redirecionar url de callback para o callback do devise
+  devise_scope :user do
+    get 'url-de-callback', to: 'auth/omniauth_callbacks#gov'
+  end
+
+```
+
+## Controller
+Em `controllers/auth/omniauth_callbacks_controller.rb`
+
+```ruby
+# frozen_string_literal: true
+
+class Auth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+	skip_before_action :verify_authenticity_token
+
+	def gov
+		@user = User.from_gov_br_omniauth(request.env["omniauth.auth"]["info"])
+
+		if @user.id.present?
+			sign_in_and_redirect @user, :event => :authentication
+			set_flash_message(:notice, :success, :kind => "Login Unico") if is_navigational_format?	  
+		else
+		end
+	end
+	
+	def failure
+    redirect_to root_path
+	end
+
+end
+```
+
+## Model User
+Em `model/user.rb`
+```ruby
+devise :database_authenticatable,
+  # ...
+  :omniauthable, omniauth_providers: %i[gov]
+
+  # ...
+  def self.from_gov_br_omniauth(info)
+    # Exemplo hash info
+    # {
+    #   "id": 1702579345,
+    #   "cpf": '99999999999',
+    #   "nome_social": 'Nome Social',
+    #   "email_verified": true,
+    #   "profile": 'https://servicos.staging.acesso.gov.br/',
+    #   "username": '99999999999',
+    #   "picture": raw_info["picture"],
+    #   "name": raw_info["name"],
+    #   "email": raw_info["email"],
+    # }    
+    user = User.find_by_email(info["email"]) # ou outra chave
+
+    unless user.nil?
+      user.update_attributes(provider: 'login-unico', uid: info["id"])
+    else
+      name = info["name"]
+      email = info["email"]
+      user = User.new do |user|
+        user.name = name
+        user.email = email
+      end
+      user.skip_confirmation!
+      user.save
+    end
+
+    return user
+  end
+
+```
+
+## Licença
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,8 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new
+
+desc 'Run specs'
+task :default => :spec

data/lib/omniauth/strategies/gov.rb

@@ -0,0 +1,84 @@
+require 'omniauth-oauth2'
+
+module Omniauth
+  module Strategies
+    class Gov < OmniAuth::Strategies::OAuth2
+      option :client_options, {
+        site: 'https://sso.staging.acesso.gov.br',
+        authorize_url: 'https://sso.staging.acesso.gov.br/authorize',
+        token_url: 'https://sso.staging.acesso.gov.br/token'
+      }
+      option :pkce, true
+
+      credentials do
+        hash = {"access_token" => access_token.token}
+        hash["id_token"] = access_token.params["id_token"]
+        hash["refresh_token"] = access_token.refresh_token if access_token.expires? && access_token.refresh_token
+        hash["expires_at"] = access_token.expires_at if access_token.expires?
+        hash["expires"] = access_token.expires?        
+        hash
+      end
+
+      info do
+        prune!({
+          "id": raw_info['auth_time'],
+          "cpf": raw_info["sub"],
+          "nome_social": raw_info["social_name"],
+          "email_verified": raw_info["email_verified"],
+          "profile": raw_info["profile"],
+          "username": raw_info["preferred_username"],
+          "picture": raw_info["picture"],
+          "name": raw_info["name"],
+          "email": raw_info["email"],
+        })
+      end
+
+      uid { raw_info['auth_time'] }
+
+      extra do
+        {
+          'raw_info': raw_info
+        }
+      end
+      
+      def raw_info
+        @raw_info ||= JWT.decode(credentials["id_token"], nil, false)[0]
+      end
+
+      def prune!(hash)
+        hash.delete_if do |_, value|
+          prune!(value) if value.is_a?(Hash)
+          value.nil? || (value.respond_to?(:empty?) && value.empty?)
+        end
+      end
+
+      def authorize_params # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        options.authorize_params[:state] = SecureRandom.hex(24)
+        options.authorize_params[:client_id] = options[:client_id]
+        options.authorize_params[:scope] = options[:scope]
+        options.authorize_params[:response_type] = 'code'
+        options.authorize_params[:nonce] = SecureRandom.hex[0..11]
+        params = options.authorize_params
+          .merge(options_for("authorize"))
+          .merge(pkce_authorize_params)
+
+        session["omniauth.pkce.verifier"] = options.pkce_verifier if options.pkce
+        session["omniauth.state"] = params[:state]
+
+        params
+      end   
+
+      def build_access_token
+        verifier = request.params["code"]
+        
+        atoken = client.auth_code.get_token(
+          verifier, 
+          {"grant_type": "authorization_code", "code": verifier, "redirect_uri": OmniAuth.config.full_host+options.callback_path, "code_verifier": session["omniauth.pkce.verifier"]}, 
+          {"Content-Type"  => "application/x-www-form-urlencoded", "Authorization" => "Basic #{Base64.strict_encode64(Settings.reload!.omniauth.client_id+":"+Settings.reload!.omniauth.client_secret)}" })
+        atoken
+      end  
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'gov', 'Gov'

data/lib/omniauth-gov/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Gov
+    VERSION = "0.1.2"
+  end
+end

data/lib/omniauth-gov.rb

@@ -0,0 +1,2 @@
+require "omniauth-gov/version"
+require 'omniauth/strategies/gov'

data/omniauth-gov.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth-gov/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Jonas Ricardo"]
+  gem.email         = ["jonas.campos@yahoo.com.br"]
+  gem.description   = %q{Official OmniAuth strategy for GitHub.}
+  gem.summary       = %q{Official OmniAuth strategy for GitHub.}
+  gem.homepage      = "https://github.com/jonasrscampos/omniauth-gov"
+  gem.license       = "MIT"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "omniauth-gov"
+  gem.require_paths = ["lib"]
+  gem.version       = OmniAuth::Gov::VERSION
+
+  gem.add_dependency 'omniauth', '1.9.1' 
+  gem.add_dependency 'omniauth-oauth2'
+  gem.add_development_dependency 'rspec', '~> 3.5'
+  gem.add_development_dependency 'rack-test'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'webmock'
+end

data/spec/omniauth/strategies/github_spec.rb

@@ -0,0 +1,183 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::GitHub do
+  let(:access_token) { instance_double('AccessToken', :options => {}, :[] => 'user') }
+  let(:parsed_response) { instance_double('ParsedResponse') }
+  let(:response) { instance_double('Response', :parsed => parsed_response) }
+
+  let(:enterprise_site)          { 'https://some.other.site.com/api/v3' }
+  let(:enterprise_authorize_url) { 'https://some.other.site.com/login/oauth/authorize' }
+  let(:enterprise_token_url)     { 'https://some.other.site.com/login/oauth/access_token' }
+  let(:enterprise) do
+    OmniAuth::Strategies::GitHub.new('GITHUB_KEY', 'GITHUB_SECRET',
+        {
+            :client_options => {
+                :site => enterprise_site,
+                :authorize_url => enterprise_authorize_url,
+                :token_url => enterprise_token_url
+            }
+        }
+    )
+  end
+
+  subject do
+    OmniAuth::Strategies::GitHub.new({})
+  end
+
+  before(:each) do
+    allow(subject).to receive(:access_token).and_return(access_token)
+  end
+
+  context 'client options' do
+    it 'should have correct site' do
+      expect(subject.options.client_options.site).to eq('https://api.github.com')
+    end
+
+    it 'should have correct authorize url' do
+      expect(subject.options.client_options.authorize_url).to eq('https://github.com/login/oauth/authorize')
+    end
+
+    it 'should have correct token url' do
+      expect(subject.options.client_options.token_url).to eq('https://github.com/login/oauth/access_token')
+    end
+
+    describe 'should be overrideable' do
+      it 'for site' do
+        expect(enterprise.options.client_options.site).to eq(enterprise_site)
+      end
+
+      it 'for authorize url' do
+        expect(enterprise.options.client_options.authorize_url).to eq(enterprise_authorize_url)
+      end
+
+      it 'for token url' do
+        expect(enterprise.options.client_options.token_url).to eq(enterprise_token_url)
+      end
+    end
+  end
+
+  context '#email_access_allowed?' do
+    it 'should not allow email if scope is nil' do
+      expect(subject.options['scope']).to be_nil
+      expect(subject).to_not be_email_access_allowed
+    end
+
+    it 'should allow email if scope is user' do
+      subject.options['scope'] = 'user'
+      expect(subject).to be_email_access_allowed
+    end
+
+    it 'should allow email if scope is a bunch of stuff including user' do
+      subject.options['scope'] = 'public_repo,user,repo,delete_repo,gist'
+      expect(subject).to be_email_access_allowed
+    end
+
+    it 'should not allow email if scope does not grant email access' do
+      subject.options['scope'] = 'repo,user:follow'
+      expect(subject).to_not be_email_access_allowed
+    end
+
+    it 'should assume email access not allowed if scope is something currently not documented' do
+      subject.options['scope'] = 'currently_not_documented'
+      expect(subject).to_not be_email_access_allowed
+    end
+  end
+
+  context '#email' do
+    it 'should return email from raw_info if available' do
+      allow(subject).to receive(:raw_info).and_return({ 'email' => 'you@example.com' })
+      expect(subject.email).to eq('you@example.com')
+    end
+
+    it 'should return nil if there is no raw_info and email access is not allowed' do
+      allow(subject).to receive(:raw_info).and_return({})
+      expect(subject.email).to be_nil
+    end
+
+    it 'should not return the primary email if there is no raw_info and email access is allowed' do
+      emails = [
+        { 'email' => 'secondary@example.com', 'primary' => false },
+        { 'email' => 'primary@example.com',   'primary' => true }
+      ]
+      allow(subject).to receive(:raw_info).and_return({})
+      subject.options['scope'] = 'user'
+      allow(subject).to receive(:emails).and_return(emails)
+      expect(subject.email).to be_nil
+    end
+
+    it 'should not return the first email if there is no raw_info and email access is allowed' do
+      emails = [
+        { 'email' => 'first@example.com',   'primary' => false },
+        { 'email' => 'second@example.com',  'primary' => false }
+      ]
+      allow(subject).to receive(:raw_info).and_return({})
+      subject.options['scope'] = 'user'
+      allow(subject).to receive(:emails).and_return(emails)
+      expect(subject.email).to be_nil
+    end
+  end
+
+  context '#raw_info' do
+    it 'should use relative paths' do
+      expect(access_token).to receive(:get).with('user').and_return(response)
+      expect(subject.raw_info).to eq(parsed_response)
+    end
+
+    it 'should use the header auth mode' do
+      expect(access_token).to receive(:get).with('user').and_return(response)
+      subject.raw_info
+      expect(access_token.options[:mode]).to eq(:header)
+    end
+  end
+
+  context '#emails' do
+    it 'should use relative paths' do
+      expect(access_token).to receive(:get).with('user/emails', :headers => {
+        'Accept' => 'application/vnd.github.v3'
+      }).and_return(response)
+
+      subject.options['scope'] = 'user'
+      expect(subject.emails).to eq(parsed_response)
+    end
+
+    it 'should use the header auth mode' do
+      expect(access_token).to receive(:get).with('user/emails', :headers => {
+        'Accept' => 'application/vnd.github.v3'
+      }).and_return(response)
+
+      subject.options['scope'] = 'user'
+      subject.emails
+      expect(access_token.options[:mode]).to eq(:header)
+    end
+  end
+
+  context '#info.email' do
+    it 'should use any available email' do
+      allow(subject).to receive(:raw_info).and_return({})
+      allow(subject).to receive(:email).and_return('you@example.com')
+      expect(subject.info['email']).to eq('you@example.com')
+    end
+  end
+
+  context '#info.urls' do
+    it 'should use html_url from raw_info' do
+      allow(subject).to receive(:raw_info).and_return({ 'login' => 'me', 'html_url' => 'http://enterprise/me' })
+      expect(subject.info['urls']['GitHub']).to eq('http://enterprise/me')
+    end
+  end
+
+  context '#extra.scope' do
+    it 'returns the scope on the returned access_token' do
+      expect(subject.scope).to eq('user')
+    end
+  end
+
+  describe '#callback_url' do
+    it 'is a combination of host, script name, and callback path' do
+      allow(subject).to receive(:full_host).and_return('https://example.com')
+      allow(subject).to receive(:script_name).and_return('/sub_uri')
+
+      expect(subject.callback_url).to eq('https://example.com/sub_uri/auth/github/callback')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+$:.unshift File.expand_path('..', __FILE__)
+$:.unshift File.expand_path('../../lib', __FILE__)
+require 'simplecov'
+SimpleCov.start
+require 'rspec'
+require 'rack/test'
+require 'webmock/rspec'
+require 'omniauth'
+require 'omniauth-gov'
+
+RSpec.configure do |config|
+  config.include WebMock::API
+  config.include Rack::Test::Methods
+  config.extend  OmniAuth::Test::StrategyMacros, :type => :strategy
+end
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-gov
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors:
 - Jonas Ricardo
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-07 00:00:00.000000000 Z
+date: 2023-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -100,7 +100,21 @@ email:
 executables: []
 extensions: []
 extra_rdoc_files: []
-files: []
+files:
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-gov.rb
+- lib/omniauth-gov/version.rb
+- lib/omniauth/strategies/gov.rb
+- omniauth-gov.gemspec
+- spec/omniauth/strategies/github_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/jonasrscampos/omniauth-gov
 licenses:
 - MIT
@@ -120,7 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.5
 signing_key: 
 specification_version: 4
 summary: Official OmniAuth strategy for GitHub.