omniauth-osso 0.1.3 → 0.1.8.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 328ecac5ccc2447ce90e9920e6031edb78e014839a4d338a0ed2cced64250fe3
-  data.tar.gz: dd1291453982cdefeb3283560084675586732777ebd155cf0ddc24c74e73d240
+  metadata.gz: efe9a8d36940d227d545a3cf506bd1d381b861eae392eed1b3eec0d02e36d0e5
+  data.tar.gz: fd73cbce13680ef1da6e4cc2a2f0556557521d4ffe2e6b970d85172dabe84226
 SHA512:
-  metadata.gz: 4db39607891bf68cfb40ea72dfbd0f3178dd0feccf66ff3ef5dfbe8739b3488bb49b1f469204ba9da841b1486c34a5ca77bccbddd4cd005651820345b5907634
-  data.tar.gz: ae0b069373f8e6ca7fc4a964055433774f2a0af448057f3bf8b3a5ba0b746438a1a4b9f576a2c4ce678848c99792503f265fb4468a905208b9a3c7edba3e6133
+  metadata.gz: 0b0de0abbf87c876d7604d72838b68ea659158449bb9a02ffb588809dabd59d5c2f17c78063404f2c9472a6922a435012414caff00bf77473f8e1a96019c3127
+  data.tar.gz: deaa1f5a322dd3ec21b5cb7c839de4aa161fb0bd2ebedde8f75ecd1138f22234a394896f496916a74149063098dd4c86ce683e70f81c75787560e94e60b23aca

data/.buildkite/hooks/environment

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu
+
+echo '--- RBENV'
+
+export PATH="$HOME/.rbenv/bin:$PATH"
+
+eval "$(rbenv init -)"

data/.buildkite/hooks/pre-command

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -eu
+
+export PATH="$HOME/.rbenv/bin:$PATH"
+
+eval "$(rbenv init -)"

data/.buildkite/pipeline.yml

@@ -0,0 +1,17 @@
+steps:
+  - name: ":rspec:"
+    commands: 
+      - bundle install
+      - bundle exec rspec
+
+  - name: "rubocop :male-police-officer:"
+    commands: 
+      - bundle install
+      - bundle exec rubocop
+  
+  - block: ":rubygems: Publish :red_button:"
+    if: build.tag != null
+  
+  - name: "Push :rubygems:"
+    commands: "./bin/publish"
+    if: build.tag != null

data/.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  labels:
+    - "dependencies"

data/.github/workflows/automerge.yml

@@ -0,0 +1,19 @@
+name: auto-merge
+
+on:
+  pull_request:
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+        with:
+          target: minor
+          github-token: ${{ secrets.TOKEN }}
+      - uses: hmarr/auto-approve-action@v2.0.0
+        if: github.actor == 'dependabot[bot]'
+        with:
+          github-token: "${{ secrets.TOKEN }}"
+      

data/.rubocop.yml

@@ -1,3 +1,6 @@
+AllCops:
+  TargetRubyVersion: 2.4
+
 Layout/LineLength:
   Max: 120
 

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,130 @@
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+sbauch@gmail.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
+

data/Gemfile

@@ -7,9 +7,9 @@ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 group :test do
   gem 'pry'
   gem 'rack-test'
-  gem 'rspec', '~> 3.2'
+  gem 'rspec', '~> 3.10'
   gem 'rubocop'
-  gem 'webmock', '~> 3.0'
+  gem 'webmock', '~> 3.10'
 end
 
 gemspec

data/Gemfile.lock

@@ -1,27 +1,26 @@
 PATH
   remote: .
   specs:
-    omniauth-osso (0.1.2)
-      omniauth-oauth2 (~> 1.6.0)
+    omniauth-osso (0.1.7)
+      omniauth-oauth2 (>= 1.6, < 1.8)
 
 GEM
   remote: https://rubygems.org/
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    ast (2.4.0)
-    coderay (1.1.2)
-    crack (0.4.3)
-      safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    faraday (1.0.1)
+    ast (2.4.1)
+    coderay (1.1.3)
+    crack (0.4.4)
+    diff-lcs (1.4.4)
+    faraday (1.1.0)
       multipart-post (>= 1.2, < 3)
+      ruby2_keywords
     hashdiff (1.0.1)
     hashie (4.1.0)
-    jaro_winkler (1.5.4)
-    jwt (2.2.1)
+    jwt (2.2.2)
     method_source (1.0.0)
-    multi_json (1.14.1)
+    multi_json (1.15.0)
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     oauth2 (1.4.4)
@@ -33,46 +32,50 @@ GEM
     omniauth (1.9.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.6.0)
-      oauth2 (~> 1.1)
+    omniauth-oauth2 (1.7.0)
+      oauth2 (~> 1.4)
       omniauth (~> 1.9)
-    parallel (1.19.1)
-    parser (2.7.1.0)
-      ast (~> 2.4.0)
-    pry (0.13.0)
+    parallel (1.20.1)
+    parser (2.7.2.0)
+      ast (~> 2.4.1)
+    pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.4)
-    rack (2.2.2)
+    public_suffix (4.0.6)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
+    regexp_parser (2.0.0)
     rexml (3.2.4)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.0)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.2)
-    rubocop (0.81.0)
-      jaro_winkler (~> 1.5.1)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.0)
+    rubocop (1.6.1)
       parallel (~> 1.10)
-      parser (>= 2.7.0.1)
+      parser (>= 2.7.1.5)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
       rexml
+      rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.3.0)
+      parser (>= 2.7.1.5)
     ruby-progressbar (1.10.1)
-    safe_yaml (1.0.5)
+    ruby2_keywords (0.0.2)
     unicode-display_width (1.7.0)
-    webmock (3.8.3)
+    webmock (3.10.0)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -85,9 +88,9 @@ DEPENDENCIES
   omniauth-osso!
   pry
   rack-test
-  rspec (~> 3.2)
+  rspec (~> 3.10)
   rubocop
-  webmock (~> 3.0)
+  webmock (~> 3.10)
 
 BUNDLED WITH
    2.1.4

data/LICENSE

@@ -0,0 +1,109 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             EnterpriseOSS, Inc.
+Licensed Work:        omniauth-osso
+                      The Licensed Work is (c) 2020 EnterpriseOSS, Inc.
+
+Additional Use Grant: You and your Authorized Users may make use of the 
+                      Licensed Work for your internal business purposes, 
+                      provided that you do not (i) rent, lease, copy, transfer,
+                      resell, sublicense, lease, time-share, or otherwise provide 
+                      access to the Licensed Work to a third party (except 
+                      Authorized Users) or (ii) incorporate the Licensed Work 
+                      (or any portion of such) with, or use it with or to provide,
+                      any site, product, or service, other than on sites/applications 
+                      owned and operated by you.
+                      
+                      An “Authorized User” is defined as an individual person 
+                      (e.g. your employee, contractor, agent) who is registered and 
+                      permitted by you to use the Licensed Work subject to these 
+                      restrictions.
+
+Change Date:          2025-10-01
+
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Software,
+contact: hello@enterpriseoss.dev
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+-----------------------------------------------------------------------------
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License’s text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License’s text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

data/bin/publish

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Scriptacular - gemify.sh
+# Create a Ruby gem and push it to rubygems.org
+# Copyright 2013 Christopher Simpkins
+# MIT License
+
+GEM_NAME="omniauth-osso"
+GEMSPEC_SUFFIX=".gemspec"
+
+# run the gem build and parse for the gem release filename
+GEM_BUILD_NAME=$(gem build "$GEM_NAME$GEMSPEC_SUFFIX" |  awk '/File/ {print $2}' -)
+
+if [ -z "$GEM_BUILD_NAME" ]; then
+  echo "The gem build failed." >&2
+  exit 1
+fi
+
+gem push $GEM_BUILD_NAME

data/lib/omniauth-osso/version.rb

@@ -2,6 +2,6 @@
 
 module OmniAuth
   module Osso
-    VERSION = '0.1.3'
+    VERSION = '0.1.8.pre'
   end
 end

data/lib/omniauth/strategies/osso.rb

@@ -6,17 +6,12 @@ module OmniAuth
   module Strategies
     # The main source for the Osso Omniauth Strategy
     class Osso < OmniAuth::Strategies::OAuth2
-      include OmniAuth::Strategy
+      attr_accessor :env
 
       option :name, 'osso'
       option :client_id, nil
       option :client_secret, nil
-      option :client_options, { site: ENV['OSSO_BASE_URL'] }
-      option :authorize_params, { state: SecureRandom.hex(24) }
       option :authorize_options, %i[state]
-      option :token_params, {}
-      option :token_options, []
-      option :auth_token_params, {}
       option :provider_ignores_state, false
 
       def request_phase
@@ -24,25 +19,16 @@ module OmniAuth
           client
             .auth_code
             .authorize_url(
-              {
-                redirect_uri: callback_url,
-                domain: request_domain
-              }.merge(authorize_params)
+              request_params
+              .merge(authorize_params)
             )
         )
       end
 
-      def authorize_params
-        params = options.authorize_params.merge(options_for('authorize')) || {}
-
-        if OmniAuth.config.test_mode
-          @env ||= {}
-          @env['rack.session'] ||= {}
-        end
-
-        session['omniauth.state'] = params[:state]
-
-        params
+      def request_params
+        {
+          redirect_uri: callback_url
+        }.merge(user_param)
       end
 
       uid { raw_info['id'] }
@@ -55,7 +41,8 @@ module OmniAuth
 
       extra do
         {
-          idp: raw_info['idp']
+          idp: raw_info['idp'],
+          requested: raw_info['requested']
         }
       end
 
@@ -63,20 +50,48 @@ module OmniAuth
         @raw_info ||= access_token.get("/oauth/me?access_token=#{access_token.token}").parsed
       end
 
-      protected
+      def callback_phase # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        error = request.params['error_reason'] || request.params['error']
 
-      def callback_url
-        ENV['OSSO_REDIRECT_URI'] || super
+        if error
+          fail!(
+            error,
+            CallbackError.new(
+              request.params['error'], request.params['error_description'] ||
+              request.params['error_reason'], request.params['error_uri']
+            )
+          )
+        elsif request.params['state'] != 'IDP_INITIATED' &&
+              request.params['state'] != session.delete('omniauth.state')
+
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, 'CSRF detected'))
+        else
+          self.access_token = build_access_token
+          self.access_token = access_token.refresh! if access_token.expired?
+          env['omniauth.auth'] = auth_hash
+          call_app!
+        end
+      rescue ::OAuth2::Error, CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
       end
 
-      def request_domain
-        return @request_domain if defined?(@request_domain)
+      protected
 
-        @request_domain = request.params['domain'] || request.params['email'].split('@')[1]
+      def callback_url
+        full_host + callback_path
+      end
 
-        raise StandardError if @request_domain.nil?
+      def user_param
+        return @user_param if defined?(@user_param)
 
-        @request_domain
+        @user_param = {
+          domain: request.params['domain'],
+          email: request.params['email']
+        }.compact
       end
     end
   end

data/omniauth-osso.gemspec

@@ -8,9 +8,9 @@ Gem::Specification.new do |gem|
   gem.description   = 'An OAuth 2.0 OmniAuth provider for Osso SSO.'
   gem.summary       = gem.description
   gem.homepage      = 'https://github.com/enterprise-oss/omniauth-osso'
-  gem.license       = 'MIT'
+  gem.license       = 'BSL'
 
-  gem.add_dependency 'omniauth-oauth2', '~> 1.6.0'
+  gem.add_dependency 'omniauth-oauth2', '>= 1.6', '< 1.8'
   gem.add_development_dependency 'bundler', '~> 2.1'
 
   gem.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
@@ -19,4 +19,5 @@ Gem::Specification.new do |gem|
   gem.name          = 'omniauth-osso'
   gem.require_paths = ['lib']
   gem.version       = OmniAuth::Osso::VERSION
+  gem.required_ruby_version = '~> 2.4'
 end

data/spec/omniauth/strategies/osso_spec.rb

@@ -46,28 +46,88 @@ describe OmniAuth::Strategies::Osso do
     end
 
     it 'includes custom state in the authorize params' do
-      instance = subject.new('abc', 'def', authorize_params: { state: 'qux' })
+      instance = subject.new('abc', 'def', state: 'qux')
       expect(instance.authorize_params.keys).to include('state')
       expect(instance.session['omniauth.state']).to eq('qux')
     end
   end
 
-  describe '#token_params' do
+  describe '#request_params' do
+    let(:url) { 'https://example.com/auth/osso' }
     subject { fresh_strategy }
 
-    it 'includes any authorize params passed in the :authorize_params option' do
-      instance = subject.new('abc', 'def', token_params: { foo: 'bar', baz: 'zip' })
-      expect(instance.token_params).to eq('foo' => 'bar', 'baz' => 'zip')
+    before do
+      OmniAuth.config.full_host = 'https://osso-base.com'
     end
 
-    it 'includes top-level options that are marked as :authorize_options' do
-      instance = subject.new('abc', 'def', token_options: %i[scope foo], scope: 'bar', foo: 'baz')
-      expect(instance.token_params).to eq('scope' => 'bar', 'foo' => 'baz')
+    it 'includes domain passed as a request param' do
+      instance = subject.new('abc', 'def')
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'domain' => 'example.com' }, scheme: 'https', url: url)
+      end
+
+      expect(instance.request_params[:domain]).to eq('example.com')
+    end
+
+    it 'includes email when an email address is passed as an authorize option' do
+      instance = subject.new('abc', 'def')
+
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'email' => 'user@example.com' }, scheme: 'https', url: url)
+      end
+
+      expect(instance.request_params[:email]).to eq('user@example.com')
     end
   end
 
+  # We need to get a little hacky with testing the callback phase
+  # in order to cover IDP initiated flows. When a user opens
+  # an SP app by clicking a tile on their IDP, then the OAuth flow
+  # skips the first leg, and we have to ignore CSRF protection.
+  # Osso will send `state=IDP_INITIATED_FLOW` when this is the case,
+  # and here we ensure that our strategy completes the callback phase
+  # with this state param.
+
   describe '#callback_phase' do
     subject { fresh_strategy }
+    let(:url) { 'https://example.com/auth/osso/callback' }
+    let(:instance) { subject.new(app, 'abc', 'def') }
+
+    before do
+      OmniAuth.config.test_mode = true
+      ENV['OSSO_BASE_URL'] = 'https://osso-base.com'
+      allow(instance).to receive(:auth_hash) { auth_hash }
+      instance.env = {}
+    end
+
+    let :auth_hash do
+      {
+        provider: 'osso',
+        uid: 'uuid',
+        info: {
+          email: 'user@enterprise.com',
+          name: 'user@enterprise.com'
+        },
+        credentials: {
+        },
+        extra: {
+        }
+      }
+    end
+
+    it 'allows callbacks with IDP_INITIATED state param' do
+      allow(instance).to receive(:request) do
+        double('Request', params: { 'state' => 'IDP_INITIATED' }, scheme: 'https', url: url)
+      end
+
+      allow(instance).to receive(:build_access_token) do
+        double('AccessToken', expired?: false, token: 'token')
+      end
+
+      expect(instance).to_not receive(:fail!)
+      instance.callback_phase
+    end
+
     it 'calls fail with the client error received' do
       instance = subject.new('abc', 'def')
       allow(instance).to receive(:request) do

data/spec/spec_helper.rb

@@ -38,8 +38,5 @@ end
 
 RSpec.configure do |config|
   config.include RSpecMixin
-
-  # OmniAuth.config.test_mode = true
-  # OmniAuth.config.logger = Logger.new('/dev/null')
   WebMock.disable_net_connect!(allow_localhost: true)
 end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-osso
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.8.pre
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-01 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.0
+        version: '1.6'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -43,18 +49,27 @@ email:
 - sbauch@gmail.com
 executables:
 - console
+- publish
 - setup
 extensions: []
 extra_rdoc_files: []
 files:
+- ".buildkite/hooks/environment"
+- ".buildkite/hooks/pre-command"
+- ".buildkite/pipeline.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/automerge.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
+- LICENSE
 - README.md
 - Rakefile
 - bin/console
+- bin/publish
 - bin/setup
 - lib/omniauth-osso.rb
 - lib/omniauth-osso/version.rb
@@ -64,7 +79,7 @@ files:
 - spec/spec_helper.rb
 homepage: https://github.com/enterprise-oss/omniauth-osso
 licenses:
-- MIT
+- BSL
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -72,20 +87,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: An OAuth 2.0 OmniAuth provider for Osso SSO.
-test_files:
-- spec/omniauth/strategies/osso_spec.rb
-- spec/spec_helper.rb
+test_files: []