omniauth-iu-cas 1.1.1.1

data/lib/omniauth/strategies/cas/logout_request.rb

@@ -0,0 +1,58 @@
+module OmniAuth
+  module Strategies
+    class CAS
+      class LogoutRequest
+        def initialize(strategy, request)
+          @strategy, @request = strategy, request
+        end
+
+        def call(options = {})
+          @options = options
+
+          begin
+            result = single_sign_out_callback.call(*logout_request)
+          rescue StandardError => err
+            return @strategy.fail! :logout_request, err
+          else
+            result = [200,{},'OK'] if result == true || result.nil?
+          ensure
+            return unless result
+
+            # TODO: Why does ActionPack::Response return [status,headers,body]
+            # when Rack::Response#new wants [body,status,headers]? Additionally,
+            # why does Rack::Response differ in argument order from the usual
+            # Rack-like [status,headers,body] array?
+            return Rack::Response.new(result[2],result[0],result[1]).finish
+          end
+        end
+
+      private
+
+        def logout_request
+          @logout_request ||= begin
+            saml = Nokogiri.parse(@request.params['logoutRequest'])
+            name_id = saml.xpath('//saml:NameID').text
+            sess_idx = saml.xpath('//samlp:SessionIndex').text
+            inject_params(name_id:name_id, session_index:sess_idx)
+            @request
+          end
+        end
+
+        def inject_params(new_params)
+          rack_input = @request.env['rack.input'].read
+          params = Rack::Utils.parse_query(rack_input, '&').merge new_params
+          @request.env['rack.input'] = StringIO.new(Rack::Utils.build_query(params))
+        rescue
+          # A no-op intended to ensure that the ensure block is run
+          raise
+        ensure
+          @request.env['rack.input'].rewind
+        end
+
+        def single_sign_out_callback
+          @options[:on_single_sign_out]
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/strategies/cas/service_ticket_validator.rb

@@ -0,0 +1,112 @@
+require 'net/http'
+require 'net/https'
+require 'nokogiri'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      class ServiceTicketValidator
+        VALIDATION_REQUEST_HEADERS = { 'Accept' => '*/*' }
+
+        attr_reader :success_body
+
+        # Build a validator from a +configuration+, a
+        # +return_to+ URL, and a +ticket+.
+        #
+        # @param [Hash] options the OmniAuth Strategy options
+        # @param [String] return_to_url the URL of this CAS client service
+        # @param [String] ticket the service ticket to validate
+        def initialize(strategy, options, return_to_url, ticket)
+          @options = options
+          @uri = URI.parse(strategy.service_validate_url(return_to_url, ticket))
+        end
+
+        # Executes a network request to process the CAS Service Response
+        def call
+          @response_body = get_service_response_body
+          @success_body = find_authentication_success(@response_body)
+          self
+        end
+
+        # Request validation of the ticket from the CAS server's
+        # serviceValidate (CAS 2.0) function.
+        #
+        # Swallows all XML parsing errors (and returns +nil+ in those cases).
+        #
+        # @return [Hash, nil] a user information hash if the response is valid; +nil+ otherwise.
+        #
+        # @raise any connection errors encountered.
+        def user_info
+          parse_user_info(@success_body)
+        end
+
+      private
+
+        # turns an `<cas:authenticationSuccess>` node into a Hash;
+        # returns nil if given nil
+        def parse_user_info(node)
+          return nil if node.nil?
+          return node if node.is_a? Hash
+          {}.tap do |hash|
+            node.children.each do |e|
+              node_name = e.name.sub(/^cas:/, '')
+              unless e.kind_of?(Nokogiri::XML::Text) || node_name == 'proxies'
+                # There are no child elements
+                if e.element_children.count == 0
+                  hash[node_name] = e.content
+                elsif e.element_children.count
+                  # JASIG style extra attributes
+                  if node_name == 'attributes'
+                    hash.merge!(parse_user_info(e))
+                  else
+                    hash[node_name] = [] if hash[node_name].nil?
+                    hash[node_name].push(parse_user_info(e))
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        # finds an `<cas:authenticationSuccess>` node in
+        # a `<cas:serviceResponse>` body if present; returns nil
+        # if the passed body is nil or if there is no such node.
+        def find_authentication_success(body)
+          return nil if body.nil? || body == ''
+
+          if body =~ /^(yes|no)[[:space:]]+(.*?)[[:space:]]*$/m
+            return nil unless $~[1] == 'yes'
+            return { @options[:uid_field].to_s => $~[2] }
+          end
+
+          begin
+            doc = Nokogiri::XML(body)
+            begin
+              doc.xpath('/cas:serviceResponse/cas:authenticationSuccess')
+            rescue Nokogiri::XML::XPath::SyntaxError
+              doc.xpath('/serviceResponse/authenticationSuccess')
+            end
+          rescue Nokogiri::XML::XPath::SyntaxError
+            nil
+          end
+        end
+
+        # retrieves the `<cas:serviceResponse>` XML from the CAS server
+        def get_service_response_body
+          result = ''
+          http = Net::HTTP.new(@uri.host, @uri.port)
+          http.use_ssl = @uri.port == 443 || @uri.instance_of?(URI::HTTPS)
+          if http.use_ssl?
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE if @options.disable_ssl_verification?
+            http.ca_path = @options.ca_path
+          end
+          http.start do |c|
+            response = c.get "#{@uri.path}?#{@uri.query}", VALIDATION_REQUEST_HEADERS.dup
+            result = response.body
+          end
+          result
+        end
+      end
+    end
+  end
+end

data/omniauth-cas.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/omniauth/cas/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Derek Lindahl", "Daniel Pierce"]
+  gem.email         = ["dlindahl@customink.com", "dlpierce@indiana.edu"]
+  gem.summary       = %q{CAS Strategy for OmniAuth with custom IU extensions}
+  gem.description   = gem.summary
+  gem.homepage      = "https://github.com/IUBLibTech/omniauth-cas"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "omniauth-iu-cas"
+  gem.require_paths = ["lib"]
+  gem.version       = Omniauth::Cas::VERSION
+
+  gem.add_dependency 'omniauth',                '~> 1.2'
+  gem.add_dependency 'nokogiri',                '~> 1.5'
+  gem.add_dependency 'addressable',             '~> 2.3'
+
+  gem.add_development_dependency 'rake',        '~> 10.0'
+  gem.add_development_dependency 'webmock',     '~> 2.3.1'
+  gem.add_development_dependency 'rspec',       '~> 3.1.0'
+  gem.add_development_dependency 'rack-test',   '~> 0.6'
+
+  gem.add_development_dependency 'awesome_print'
+end

data/spec/fixtures/cas_failure.xml

@@ -0,0 +1,4 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationFailure>
+  </cas:authenticationFailure>
+</cas:serviceResponse>

data/spec/fixtures/cas_success.xml

@@ -0,0 +1,17 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationSuccess>
+    <cas:user>psegel</cas:user>
+    <cas:employeeid>54</cas:employeeid>
+    <cas:first_name>P. Segel</cas:first_name>
+    <cas:first_name>Peter</cas:first_name>
+    <cas:last_name>Segel</cas:last_name>
+    <cas:email>psegel@intridea.com</cas:email>
+    <cas:location>Washington, D.C.</cas:location>
+    <cas:image>/images/user.jpg</cas:image>
+    <cas:phone>555-555-5555</cas:phone>
+    <cas:hire_date>2004-07-13</cas:hire_date>
+    <cas:roles>senator</cas:roles>
+    <cas:roles>lobbyist</cas:roles>
+    <cas:roles>financier</cas:roles>
+  </cas:authenticationSuccess>
+</cas:serviceResponse>

data/spec/fixtures/cas_success_jasig.xml

@@ -0,0 +1,19 @@
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationSuccess>
+    <cas:user>psegel</cas:user>
+    <cas:attributes>
+      <cas:employeeid>54</cas:employeeid>
+      <cas:first_name>P. Segel</cas:first_name>
+      <cas:first_name>Peter</cas:first_name>
+      <cas:last_name>Segel</cas:last_name>
+      <cas:email>psegel@intridea.com</cas:email>
+      <cas:location>Washington, D.C.</cas:location>
+      <cas:image>/images/user.jpg</cas:image>
+      <cas:phone>555-555-5555</cas:phone>
+      <cas:hire_date>2004-07-13</cas:hire_date>
+      <cas:roles>senator</cas:roles>
+      <cas:roles>lobbyist</cas:roles>
+      <cas:roles>financier</cas:roles>
+    </cas:attributes>
+  </cas:authenticationSuccess>
+</cas:serviceResponse>

data/spec/fixtures/iu_cas_failure

@@ -0,0 +1 @@
+no

data/spec/fixtures/iu_cas_success

@@ -0,0 +1 @@
+yes

data/spec/omniauth/strategies/cas/logout_request_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS::LogoutRequest do
+  let(:strategy) { double('strategy') }
+  let(:env) do
+    { 'rack.input' => StringIO.new('','r') }
+  end
+  let(:request) { double('request', params:params, env:env) }
+  let(:params) { { 'url' => url, 'logoutRequest' => logoutRequest } }
+  let(:url) { 'http://notes.dev/signed_in' }
+  let(:logoutRequest) do
+    %Q[
+      <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion\" ID="123abc-1234-ab12-cd34-1234abcd" Version="2.0" IssueInstant="#{Time.now.to_s}">
+        <saml:NameID>@NOT_USED@</saml:NameID>
+        <samlp:SessionIndex>ST-123456-123abc456def</samlp:SessionIndex>
+      </samlp:LogoutRequest>
+    ]
+  end
+
+  subject { described_class.new(strategy, request).call(options) }
+
+  describe 'SAML attributes' do
+    let(:callback) { Proc.new{} }
+    let(:options) do
+      { on_single_sign_out: callback }
+    end
+
+    before do
+      @rack_input = nil
+      allow(callback).to receive(:call) do |req|
+        @rack_input = req.env['rack.input'].read
+        true
+      end
+      subject
+    end
+
+    it 'are parsed and injected into the Rack Request parameters' do
+      expect(@rack_input).to eq 'name_id=%40NOT_USED%40&session_index=ST-123456-123abc456def'
+    end
+
+    context 'that raise when parsed' do
+      let(:env) { { 'rack.input' => nil } }
+
+      before do
+        allow(strategy).to receive(:fail!)
+        subject
+        expect(strategy).to have_received(:fail!)
+      end
+
+      it 'responds with an error' do
+        expect(strategy).to have_received(:fail!)
+      end
+    end
+  end
+
+  describe 'with a configured callback' do
+    let(:options) do
+      { on_single_sign_out: callback }
+    end
+
+    context 'that returns TRUE' do
+      let(:callback) { Proc.new{true} }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 200
+        expect(subject[2].body).to eq ['OK']
+      end
+    end
+
+    context 'that returns Nil' do
+      let(:callback) { Proc.new{} }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 200
+        expect(subject[2].body).to eq ['OK']
+      end
+    end
+
+    context 'that returns a tuple' do
+      let(:callback) { Proc.new{ [400,{},'Bad Request'] } }
+
+      it 'responds with OK' do
+        expect(subject[0]).to eq 400
+        expect(subject[2].body).to eq ['Bad Request']
+      end
+    end
+
+    context 'that raises an error' do
+      let(:exception) { RuntimeError.new('error' )}
+      let(:callback) { Proc.new{raise exception} }
+
+      before do
+        allow(strategy).to receive(:fail!)
+        subject
+      end
+
+      it 'responds with an error' do
+        expect(strategy).to have_received(:fail!)
+          .with(:logout_request, exception)
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/cas/service_ticket_validator_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS::ServiceTicketValidator do
+  let(:strategy) do
+    double('strategy',
+      service_validate_url: 'https://example.org/serviceValidate'
+    )
+  end
+  let(:provider_options) do
+    double('provider_options',
+      disable_ssl_verification?: false,
+      ca_path: '/etc/ssl/certsZOMG'
+    )
+  end
+  let(:validator) do
+    OmniAuth::Strategies::CAS::ServiceTicketValidator.new( strategy, provider_options, '/foo', nil )
+  end
+
+  describe '#call' do
+    before do
+      stub_request(:get, 'https://example.org/serviceValidate?')
+        .to_return(status: 200, body: '')
+    end
+
+    subject { validator.call }
+
+    it 'returns itself' do
+      expect(subject).to eq validator
+    end
+
+    it 'uses the configured CA path' do
+      subject
+      expect(provider_options).to have_received :ca_path
+    end
+  end
+
+  describe '#user_info' do
+    let(:ok_fixture) do
+      File.expand_path(File.join(File.dirname(__FILE__), '../../../fixtures/cas_success.xml'))
+    end
+    let(:service_response) { File.read(ok_fixture) }
+
+    before do
+      stub_request(:get, 'https://example.org/serviceValidate?')
+        .to_return(status: 200, body:service_response)
+      validator.call
+    end
+
+    subject { validator.user_info }
+
+    it 'parses user info from the response' do
+      expect(subject).to include 'user' => 'psegel'
+    end
+  end
+end

data/spec/omniauth/strategies/cas_spec.rb

@@ -0,0 +1,339 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::CAS, type: :strategy do
+  include Rack::Test::Methods
+
+  let(:my_cas_provider) { Class.new(OmniAuth::Strategies::CAS) }
+  before do
+    stub_const 'MyCasProvider', my_cas_provider
+  end
+  let(:app) do
+    Rack::Builder.new {
+      use OmniAuth::Test::PhonySession
+      use MyCasProvider,
+        name: :cas,
+        host: 'cas.example.org',
+        ssl: false,
+        port: 8080,
+        uid_field: :employeeid,
+        cassvc: 'ANY',
+        fetch_raw_info: Proc.new { |v, opts, ticket, info, node|
+          info.nil? or info.empty? ? {} : {
+            "roles" => node.xpath('//cas:roles').map(&:text),
+          }
+        }
+      run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+    }.to_app
+  end
+
+  # TODO: Verify that these are even useful tests
+  shared_examples_for 'a CAS redirect response' do
+    let(:redirect_params) { 'cassvc=ANY&casurl=' + Rack::Utils.escape("http://example.org/auth/cas/callback?url=#{Rack::Utils.escape(return_url)}") }
+
+    before { get url, nil, request_env }
+
+    subject { last_response }
+
+    it { should be_redirect }
+
+    it 'redirects to the CAS server' do
+      expect(subject.headers).to include 'Location' => "http://cas.example.org:8080/login?#{redirect_params}"
+    end
+  end
+
+  describe '#cas_url' do
+    let(:params) { Hash.new }
+    let(:provider) { MyCasProvider.new(nil, params) }
+
+    subject { provider.cas_url }
+
+    it 'raises an ArgumentError' do
+      expect{subject}.to raise_error ArgumentError, %r{:host and :login_url MUST be provided}
+    end
+
+    context 'with an explicit :url option' do
+      let(:url) { 'https://example.org:8080/my_cas' }
+      let(:params) { super().merge url:url }
+
+      before { subject }
+
+      it { should eq url }
+
+      it 'parses the URL into it the appropriate strategy options' do
+        expect(provider.options).to include ssl:true
+        expect(provider.options).to include host:'example.org'
+        expect(provider.options).to include port:8080
+        expect(provider.options).to include path:'/my_cas'
+      end
+    end
+
+    context 'with explicit URL component' do
+      let(:params) { super().merge host:'example.org', port:1234, ssl:true, path:'/a/path' }
+
+      before { subject }
+
+      it { should eq 'https://example.org:1234/a/path' }
+
+      it 'parses the URL into it the appropriate strategy options' do
+        expect(provider.options).to include ssl:true
+        expect(provider.options).to include host:'example.org'
+        expect(provider.options).to include port:1234
+        expect(provider.options).to include path:'/a/path'
+      end
+    end
+  end
+
+  describe 'defaults' do
+    subject { MyCasProvider.default_options.to_hash }
+
+    it { should include('ssl' => true) }
+  end
+
+  describe 'GET /auth/cas' do
+    let(:return_url) { 'http://myapp.com/admin/foo' }
+
+    context 'with a referer' do
+      let(:url) { '/auth/cas' }
+
+      let(:request_env) { { 'HTTP_REFERER' => return_url } }
+
+      it_behaves_like 'a CAS redirect response'
+    end
+
+    context 'with an explicit return URL' do
+      let(:url) { "/auth/cas?url=#{return_url}" }
+
+      let(:request_env) { {} }
+
+      it_behaves_like 'a CAS redirect response'
+    end
+  end
+
+  describe 'GET /auth/cas/callback' do
+    context 'without a ticket' do
+      before { get '/auth/cas/callback' }
+
+      subject { last_response }
+
+      it { should be_redirect }
+
+      it 'redirects with a failure message' do
+        expect(subject.headers).to include 'Location' => '/auth/failure?message=no_ticket&strategy=cas'
+      end
+    end
+
+    context 'with an invalid ticket' do
+      before do
+        stub_request(:get, /^http:\/\/cas.example.org:8080?\/serviceValidate\?([^&]+&)?cassvc=ANY&casticket=9391d/).
+           to_return( body: File.read('spec/fixtures/cas_failure.xml') )
+        get '/auth/cas/callback?cassvc=ANY&casticket=9391d'
+      end
+
+      subject { last_response }
+
+      it { should be_redirect }
+
+      it 'redirects with a failure message' do
+        expect(subject.headers).to include 'Location' => '/auth/failure?message=invalid_ticket&strategy=cas'
+      end
+    end
+
+    describe 'GET /auth/cas/callback with an invalid ticket at IU' do
+      before do
+        stub_request(:get, /^http:\/\/cas.example.org(:8080)?\/serviceValidate\?([^&]+&)?cassvc=ANY&casticket=9391d/).
+          to_return( :body => File.read('spec/fixtures/iu_cas_failure') )
+        get '/auth/cas/callback?cassvc=ANY&casticket=9391d'
+      end
+
+      subject { last_response }
+
+      it { should be_redirect }
+      it 'should have a failure message' do
+        subject.headers['Location'].should == "/auth/failure?message=invalid_ticket&strategy=cas"
+      end
+    end
+
+    describe 'with a valid ticket' do
+      shared_examples :successful_validation do
+        before do
+          stub_request(:get, /^http:\/\/cas.example.org:8080?\/serviceValidate\?([^&]+&)?cassvc=ANY&casticket=593af/)
+            .with { |request| @request_uri = request.uri.to_s }
+            .to_return( body: File.read("spec/fixtures/#{xml_file_name}") )
+
+          get "/auth/cas/callback?cassvc=ANY&casticket=593af&url=#{return_url}"
+        end
+
+        it 'strips the casticket parameter from the callback URL' do
+          expect(@request_uri.scan('casticket=').size).to eq 1
+        end
+
+        it 'strips the cassvc parameter from the callback URL' do
+          expect(@request_uri.scan('cassvc=').size).to eq 1
+        end
+
+        it 'properly encodes the service URL' do
+          expect(WebMock).to have_requested(:get, 'http://cas.example.org:8080/serviceValidate')
+            .with(query: {
+              cassvc: 'ANY',
+              casticket:  '593af',
+              casurl: 'http://example.org/auth/cas/callback?url=' + Rack::Utils.escape('http://127.0.0.10/?some=parameter')
+            })
+        end
+
+        context "request.env['omniauth.auth']" do
+          subject { last_request.env['omniauth.auth'] }
+
+          it { should be_kind_of Hash }
+
+          it 'identifes the provider' do
+            expect(subject.provider).to eq :cas
+          end
+
+          it 'returns the UID of the user' do
+            expect(subject.uid).to eq '54'
+          end
+
+          context 'the info hash' do
+            subject { last_request.env['omniauth.auth']['info'] }
+
+            it 'includes user info attributes' do
+              expect(subject.name).to eq 'Peter Segel'
+              expect(subject.first_name).to eq 'Peter'
+              expect(subject.last_name).to eq 'Segel'
+              expect(subject.nickname).to eq 'psegel'
+              expect(subject.email).to eq 'psegel@intridea.com'
+              expect(subject.location).to eq 'Washington, D.C.'
+              expect(subject.image).to eq '/images/user.jpg'
+              expect(subject.phone).to eq '555-555-5555'
+            end
+          end
+
+          context 'the extra hash' do
+            subject { last_request.env['omniauth.auth']['extra'] }
+
+            it 'includes additional user attributes' do
+              expect(subject.user).to eq 'psegel'
+              expect(subject.employeeid).to eq '54'
+              expect(subject.hire_date).to eq '2004-07-13'
+              expect(subject.roles).to eq %w(senator lobbyist financier)
+            end
+          end
+
+          context 'the credentials hash' do
+            subject { last_request.env['omniauth.auth']['credentials'] }
+
+            it 'has a ticket value' do
+              expect(subject.casticket).to eq '593af'
+            end
+          end
+        end
+
+        it 'calls through to the master app' do
+          expect(last_response.body).to eq 'true'
+        end
+      end
+
+      let(:return_url) { 'http://127.0.0.10/?some=parameter' }
+
+      context 'with JASIG flavored XML' do
+        let(:xml_file_name) { 'cas_success_jasig.xml' }
+
+        it_behaves_like :successful_validation
+      end
+
+      context 'with classic XML' do
+        let(:xml_file_name) { 'cas_success.xml' }
+
+        it_behaves_like :successful_validation
+      end
+    end
+
+    describe 'GET /auth/cas/callback with a valid IU CAS 1.0 ticket' do
+      class MyCasProvider < OmniAuth::Strategies::CAS; end # TODO: Not really needed. just an alias but it requires the :name option which might confuse users...
+      def app
+        Rack::Builder.new {
+          use OmniAuth::Test::PhonySession
+          use MyCasProvider,
+              name: :cas,
+              host: 'cas.example.org',
+              ssl: false,
+              port: 8080,
+              cassvc: 'ANY'
+          run lambda { |env| [404, {'Content-Type' => 'text/plain'}, [env.key?('omniauth.auth').to_s]] }
+        }.to_app
+      end
+
+      let(:return_url) { "http://127.0.0.10/?some=parameter" }
+      before do
+        stub_request(:get, /^http:\/\/cas.example.org(:8080)?\/serviceValidate\?([^&]+&)?cassvc=ANY&casticket=593af/).
+          with { |request| @request_uri = request.uri.to_s }.
+          to_return( :body => File.read('spec/fixtures/iu_cas_success') )
+
+        get "/auth/cas/callback?cassvc=ANY&casticket=593af&url=#{return_url}"
+      end
+
+      context "request.env['omniauth.auth']" do
+        subject { last_request.env['omniauth.auth'] }
+        it { should be_kind_of Hash }
+        it 'identifies the provider' do
+          expect(subject.provider).to eq :cas
+        end
+        it 'returns the UID of the user' do
+          expect(subject.uid).to eq 'psegel'
+        end
+        context "the info hash" do
+          subject { last_request.env['omniauth.auth']['info'] }
+          it "contains only the user" do
+            expect(subject.size).to eq 1
+            expect(subject.nickname).to eq 'psegel'
+          end
+        end
+        context "the extra hash" do
+          subject { last_request.env['omniauth.auth']['extra'] }
+          it "contains only the user" do
+            expect(subject.size).to eq 1
+            expect(subject.user).to eq 'psegel'
+          end
+        end
+        context "the credentials hash" do
+          subject { last_request.env['omniauth.auth']['credentials'] }
+          it 'contains only the casticket' do
+            expect(subject.size).to eq 1
+            expect(subject.casticket).to eq '593af'
+          end
+        end
+      end
+    end
+  end
+
+  describe 'POST /auth/cas/callback' do
+    describe 'with a Single Sign-Out logoutRequest' do
+      let(:logoutRequest) do
+        %Q[
+          <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion\" ID="123abc-1234-ab12-cd34-1234abcd" Version="2.0" IssueInstant="#{Time.now.to_s}">
+            <saml:NameID>@NOT_USED@</saml:NameID>
+            <samlp:SessionIndex>ST-123456-123abc456def</samlp:SessionIndex>
+          </samlp:LogoutRequest>
+        ]
+      end
+
+      let(:logout_request) { double('logout_request', call:[200,{},'OK']) }
+
+      subject do
+        post 'auth/cas/callback', logoutRequest:logoutRequest
+      end
+
+      before do
+        allow_any_instance_of(MyCasProvider)
+          .to receive(:logout_request_service)
+          .and_return double('LogoutRequest', new:logout_request)
+
+        subject
+      end
+
+      it 'initializes a LogoutRequest' do
+        expect(logout_request).to have_received :call
+      end
+    end
+  end
+end