omniauth-osso 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 328ecac5ccc2447ce90e9920e6031edb78e014839a4d338a0ed2cced64250fe3
-  data.tar.gz: dd1291453982cdefeb3283560084675586732777ebd155cf0ddc24c74e73d240
+  metadata.gz: 3133a1114c18dbe8a2463d5685563cc5ab02ff590b170b8c200ececa1fed86d3
+  data.tar.gz: 0215ac5b2a2d90680b5a1c10fed3a6feed3410c558f7841ce9817878a55a20fc
 SHA512:
-  metadata.gz: 4db39607891bf68cfb40ea72dfbd0f3178dd0feccf66ff3ef5dfbe8739b3488bb49b1f469204ba9da841b1486c34a5ca77bccbddd4cd005651820345b5907634
-  data.tar.gz: ae0b069373f8e6ca7fc4a964055433774f2a0af448057f3bf8b3a5ba0b746438a1a4b9f576a2c4ce678848c99792503f265fb4468a905208b9a3c7edba3e6133
+  metadata.gz: 5c6ba794ffe88930b4603ddc7e7a1b2329c70766c3e29323ff7efbc447ad0a5283dd1dd6203efde56f87dd724f181fb583fb2967e6369f84c9da0b62fd6a41f8
+  data.tar.gz: 118fb88f913616eb3e4bbcc572b46e6679bd9685806ee1d4540e7484a06bf34e76b29c4921c91ef6f55f2d3b0ae6b366bc870c5763648992fdc638349978928a

data/.buildkite/hooks/environment

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu
+
+echo '--- RBENV'
+
+export PATH="$HOME/.rbenv/bin:$PATH"
+
+eval "$(rbenv init -)"

data/.buildkite/hooks/pre-command

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -eu
+
+export PATH="$HOME/.rbenv/bin:$PATH"
+
+eval "$(rbenv init -)"

data/.buildkite/pipeline.yml

@@ -0,0 +1,17 @@
+steps:
+  - name: ":rspec:"
+    commands: 
+      - bundle install
+      - bundle exec rspec
+
+  - name: "rubocop :male-police-officer:"
+    commands: 
+      - bundle install
+      - bundle exec rubocop
+  
+  - block: ":rubygems: Publish :red_button:"
+    branches: "main"
+  
+  - name: "Push :rubygems:"
+    commands: "./bin/publish"
+    branches: "main"

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,130 @@
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+sbauch@gmail.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
+

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    omniauth-osso (0.1.2)
+    omniauth-osso (0.1.4)
       omniauth-oauth2 (~> 1.6.0)
 
 GEM
@@ -21,7 +21,7 @@ GEM
     jaro_winkler (1.5.4)
     jwt (2.2.1)
     method_source (1.0.0)
-    multi_json (1.14.1)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     oauth2 (1.4.4)

data/LICENSE

@@ -0,0 +1,111 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             Samuel Bauch
+Licensed Work:        omniauth-osso
+                      The Licensed Work is (c) 2020 Samuel Bauch.
+Additional Use Grant: You may make use of the Licensed Work, provided that you do
+                      not use the Licensed Work in a Single Sign On Management
+                      Service.
+
+                      A "Single Sign On Management Service" is an offering
+                      (be it free or commercial) that uses the Licensed Work
+                      to allow third parties (other than your employees and 
+                      contractors) to access the functionality of the 
+                      Licensed Work such that any fourth parties directly 
+                      benefit from the authentication, configuration, or 
+                      documentation features of the Licensed Work.
+
+                      You thus may only use the Licensed Work in a manner 
+                      whereby parties who directly benefit from the 
+                      authentication, configuration, or documentation features 
+                      of the Licensed Work are yourself, your employees or 
+                      contractors, and your customers or partners.
+
+Change Date:          2023-05-01
+
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Software,
+contact: hello@enterprise-oss.dev
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

data/bin/publish

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Scriptacular - gemify.sh
+# Create a Ruby gem and push it to rubygems.org
+# Copyright 2013 Christopher Simpkins
+# MIT License
+
+GEM_NAME="omniauth-osso"
+GEMSPEC_SUFFIX=".gemspec"
+
+# run the gem build and parse for the gem release filename
+GEM_BUILD_NAME=$(gem build "$GEM_NAME$GEMSPEC_SUFFIX" |  awk '/File/ {print $2}' -)
+
+if [ -z "$GEM_BUILD_NAME" ]; then
+  echo "The gem build failed." >&2
+  exit 1
+fi
+
+gem push $GEM_BUILD_NAME

data/lib/omniauth-osso/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Osso
-    VERSION = '0.1.3'
+    VERSION = '0.1.4'
   end
 end

data/lib/omniauth/strategies/osso.rb

@@ -1,22 +1,17 @@
 # frozen_string_literal: true
 
 require 'omniauth-oauth2'
-
+require 'pry'
 module OmniAuth
   module Strategies
     # The main source for the Osso Omniauth Strategy
     class Osso < OmniAuth::Strategies::OAuth2
-      include OmniAuth::Strategy
+      attr_accessor :env
 
       option :name, 'osso'
       option :client_id, nil
       option :client_secret, nil
-      option :client_options, { site: ENV['OSSO_BASE_URL'] }
-      option :authorize_params, { state: SecureRandom.hex(24) }
       option :authorize_options, %i[state]
-      option :token_params, {}
-      option :token_options, []
-      option :auth_token_params, {}
       option :provider_ignores_state, false
 
       def request_phase
@@ -24,25 +19,17 @@ module OmniAuth
           client
             .auth_code
             .authorize_url(
-              {
-                redirect_uri: callback_url,
-                domain: request_domain
-              }.merge(authorize_params)
+              request_params
+              .merge(authorize_params)
             )
         )
       end
 
-      def authorize_params
-        params = options.authorize_params.merge(options_for('authorize')) || {}
-
-        if OmniAuth.config.test_mode
-          @env ||= {}
-          @env['rack.session'] ||= {}
-        end
-
-        session['omniauth.state'] = params[:state]
-
-        params
+      def request_params
+        {
+          redirect_uri: callback_url,
+          domain: request_domain
+        }
       end
 
       uid { raw_info['id'] }
@@ -63,6 +50,35 @@ module OmniAuth
         @raw_info ||= access_token.get("/oauth/me?access_token=#{access_token.token}").parsed
       end
 
+      def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        error = request.params['error_reason'] || request.params['error']
+
+        if error
+          fail!(
+            error,
+            CallbackError.new(
+              request.params['error'], request.params['error_description'] ||
+              request.params['error_reason'], request.params['error_uri']
+            )
+          )
+        elsif request.params['state'] != 'IDP_INITIATED' &&
+              request.params['state'] != session.delete('omniauth.state')
+
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, 'CSRF detected'))
+        else
+          self.access_token = build_access_token
+          self.access_token = access_token.refresh! if access_token.expired?
+          env['omniauth.auth'] = auth_hash
+          call_app!
+        end
+      rescue ::OAuth2::Error, CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+
       protected
 
       def callback_url

data/omniauth-osso.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
   gem.description   = 'An OAuth 2.0 OmniAuth provider for Osso SSO.'
   gem.summary       = gem.description
   gem.homepage      = 'https://github.com/enterprise-oss/omniauth-osso'
-  gem.license       = 'MIT'
+  gem.license       = 'BSL'
 
   gem.add_dependency 'omniauth-oauth2', '~> 1.6.0'
   gem.add_development_dependency 'bundler', '~> 2.1'

data/spec/omniauth/strategies/osso_spec.rb

@@ -46,28 +46,90 @@ describe OmniAuth::Strategies::Osso do
     end
 
     it 'includes custom state in the authorize params' do
-      instance = subject.new('abc', 'def', authorize_params: { state: 'qux' })
+      instance = subject.new('abc', 'def', state: 'qux')
       expect(instance.authorize_params.keys).to include('state')
       expect(instance.session['omniauth.state']).to eq('qux')
     end
   end
 
-  describe '#token_params' do
+  describe '#request_params' do
+    let(:url) { 'https://example.com/auth/osso' }
     subject { fresh_strategy }
 
-    it 'includes any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', token_params: { foo: 'bar', baz: 'zip' })
-      expect(instance.token_params).to eq('foo' => 'bar', 'baz' => 'zip')
+    before do
+      ENV['OSSO_REDIRECT_URI'] = url
+      ENV['OSSO_BASE_URL'] = 'https://osso-base.com'
     end
 
-    it 'includes top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', token_options: %i[scope foo], scope: 'bar', foo: 'baz')
-      expect(instance.token_params).to eq('scope' => 'bar', 'foo' => 'baz')
+    it 'includes domain passed as a request param' do
+      instance = subject.new('abc', 'def')
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'domain' => 'example.com' }, scheme: 'https', url: url)
+      end
+
+      expect(instance.request_params[:domain]).to eq('example.com')
+    end
+
+    it 'includes domain when an email address is passed as an authorize option' do
+      instance = subject.new('abc', 'def')
+
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'email' => 'user@example.com' }, scheme: 'https', url: url)
+      end
+
+      expect(instance.request_params[:domain]).to eq('example.com')
     end
   end
 
+  # We need to get a little hacky with testing the callback phase
+  # in order to cover IDP initiated flows. When a user opens
+  # an SP app by clicking a tile on their IDP, then the OAuth flow
+  # skips the first leg, and we have to ignore CSRF protection.
+  # Osso will send `state=IDP_INITIATED_FLOW` when this is the case,
+  # and here we ensure that our strategy completes the callback phase
+  # with this state param.
+
   describe '#callback_phase' do
     subject { fresh_strategy }
+    let(:url) { 'https://example.com/auth/osso/callback' }
+    let(:instance) { subject.new(app, 'abc', 'def') }
+
+    before do
+      OmniAuth.config.test_mode = true
+      ENV['OSSO_REDIRECT_URI'] = url
+      ENV['OSSO_BASE_URL'] = 'https://osso-base.com'
+      allow(instance).to receive(:auth_hash) { auth_hash }
+      instance.env = {}
+    end
+
+    let :auth_hash do
+      {
+        provider: 'osso',
+        uid: 'uuid',
+        info: {
+          email: 'user@enterprise.com',
+          name: 'user@enterprise.com'
+        },
+        credentials: {
+        },
+        extra: {
+        }
+      }
+    end
+
+    it 'allows callbacks with IDP_INITIATED state param' do
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'state' => 'IDP_INITIATED' }, scheme: 'https', url: url)
+      end
+
+      allow(instance).to receive(:build_access_token) do
+        double('AccessToken', expired?: false, token: 'token')
+      end
+
+      expect(instance).to_not receive(:fail!)
+      instance.callback_phase
+    end
+
     it 'calls fail with the client error received' do
       instance = subject.new('abc', 'def')
       allow(instance).to receive(:request) do

data/spec/spec_helper.rb

@@ -38,8 +38,5 @@ end
 
 RSpec.configure do |config|
   config.include RSpecMixin
-
-  # OmniAuth.config.test_mode = true
-  # OmniAuth.config.logger = Logger.new('/dev/null')
   WebMock.disable_net_connect!(allow_localhost: true)
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-osso
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-01 00:00:00.000000000 Z
+date: 2020-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -43,18 +43,25 @@ email:
 - sbauch@gmail.com
 executables:
 - console
+- publish
 - setup
 extensions: []
 extra_rdoc_files: []
 files:
+- ".buildkite/hooks/environment"
+- ".buildkite/hooks/pre-command"
+- ".buildkite/pipeline.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
+- LICENSE
 - README.md
 - Rakefile
 - bin/console
+- bin/publish
 - bin/setup
 - lib/omniauth-osso.rb
 - lib/omniauth-osso/version.rb
@@ -64,7 +71,7 @@ files:
 - spec/spec_helper.rb
 homepage: https://github.com/enterprise-oss/omniauth-osso
 licenses:
-- MIT
+- BSL
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -81,11 +88,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: An OAuth 2.0 OmniAuth provider for Osso SSO.
-test_files:
-- spec/omniauth/strategies/osso_spec.rb
-- spec/spec_helper.rb
+test_files: []