omniauth-wsfed 0.2.1 → 0.2.2

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NTdjMWJkYzEyNmNmNDZmNzRlMzlhN2IzYmZmMGY4MzM1ZTBkNTRmOA==
+    MDVjMGFmYjFiNmU3MjQxYjk1YmJiYjg4MmMzMTk5MmU0ZTJjZDdlZQ==
   data.tar.gz: !binary |-
-    ODhlOTYxY2E5M2ZlMjBiZGIzNTFiYTUzNzQ2N2FjMDRlYTdlMDJhMA==
+    YzQwNjJmOWQ2MjU3OGQ1NjMwYjNiOGI1MWRkNWM1YTFjYTNhMDkyOQ==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    OWU2OTYzMDBhNDE4Y2YyY2NmOGNhNjM4MWVjMTUyMmE4MzYwNjI1NjFhMWM5
-    NGIxY2YwNGYwNTk1YjdjNTdiOGE0NTlmODdlZDY1YjA4NDU4MWI5NDc0YWM0
-    ZmQ4YjE2MmM3NjNlNGY3N2QwNzY4ZTU5Nzc4Mzc4ZjFjNzVjNjY=
+    MTIwYjdjZDQwZWVlZjJkNDlmODc1MmRjMDc3ODU5Njk0YTg2YjQ0OTNjNDkz
+    YTY2ZDM5NjNkMjM3MmUzMTNkMDg3ZjM0YzMyMjJjOTIxN2UxNTIzZmYzYjJl
+    NmY1YjA5NjVlMDgxOTJjN2M0YTIzYzFmODg0Y2VlOTYwMzVkMzU=
   data.tar.gz: !binary |-
-    MTAyMDc4ZWZlYWMwZjQ5YTI0M2RiNGVlYTExMmIyNzJkMzZmZWFhY2EzZjQ1
-    YjY4ZTllNTE4ZWQ0MDZlZGIwN2QwNWU3YmZhNWU0NTAyYzE2MTRjYjUwODVk
-    ZWZhYmQzMjE5ZjBkNTM2YmUzMWNjMjJhNzMyN2JhMTcyMzE4NDc=
+    MGZlNGRiMGQwYmNhNjMyYThkMGQwOTE3MjM3ZGJkMzhmNGY4Y2U3NzlmMjgy
+    MDk2YjEzOTE2YWFlNGM2NWM4YzAyNGY5ZjAzYzE0M2Q5ODJiOGRhNDFlYTIx
+    Yzg4MjE3MzQyZTI1YTQ0Yjk4NWRhOGRhZTQ4NDg5M2U2MDdlNzI=

data/.gitignore

@@ -3,8 +3,10 @@
 
 #RVM
 .rvmrc
+.ruby-version
+.ruby-gemset
 
 #Other
 .DS_Store
 *.gem
-
+Gemfile.lock

data/.travis.yml

@@ -1,5 +1,8 @@
 language: ruby
 rvm:
-  - 1.9.3
   - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - rbx-19mode
+  - jruby-19mode
 script: bundle exec rspec spec

data/lib/omniauth-wsfed/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module WSFed
-    VERSION = '0.2.1'
+    VERSION = '0.2.2'
   end
 end

data/lib/omniauth/strategies/wsfed.rb

@@ -14,23 +14,15 @@ module OmniAuth
 
       # Issues passive WS-Federation redirect for authentication...
       def request_phase
-        whr = @request.params['whr']
-
-        if !whr.nil?
-          request = OmniAuth::Strategies::WSFed::AuthRequest.new
-          redirect(request.create(options, :whr => whr))
-        elsif !options[:home_realm_discovery_path].nil?
-          redirect(options[:home_realm_discovery_path])
-        else
-          request = OmniAuth::Strategies::WSFed::AuthRequest.new
-          redirect(request.create(options))
-        end
-
+        auth_request = OmniAuth::Strategies::WSFed::AuthRequest.new(options, :whr => @request.params['whr'])
+        redirect(auth_request.redirect_url)
       end
 
       # Parse SAML token...
       def callback_phase
         begin
+          validate_callback_params(@request)
+
           wsfed_callback = request.params['wresult']
 
           signed_document = OmniAuth::Strategies::WSFed::XMLSecurity::SignedDocument.new(wsfed_callback)
@@ -68,7 +60,13 @@ module OmniAuth
           options[:idp_cert_fingerprint]
         else
           cert = OpenSSL::X509::Certificate.new(options[:idp_cert].gsub(/^ +/, ''))
-          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(":")
+          Digest::SHA1.hexdigest(cert.to_der).upcase.scan(/../).join(':')
+        end
+      end
+
+      def validate_callback_params(request)
+        if request.params['wresult'].nil? || request.params['wresult'].empty?
+          raise OmniAuth::Strategies::WSFed::ValidationError.new('AuthN token (wresult) missing in callback.')
         end
       end
 

data/lib/omniauth/strategies/wsfed/auth_request.rb

@@ -9,10 +9,27 @@ module OmniAuth
 
         SIGNIN_PARAM = 'wsignin1.0'
 
-        def create (settings, args = {})
+        attr_reader :strategy_settings, :args
+
+        def initialize(settings, args = {})
+          raise ArgumentError.new('OmniAuth-WSFed settings cannot be nil.') if settings.nil?
+
+          @strategy_settings  = settings
+          @args               = args
+        end
+
+        def redirect_url
+          if args[:whr].nil? && strategy_settings[:home_realm_discovery_path]
+            strategy_settings[:home_realm_discovery_path]
+          else
+            wsfed_signin_request
+          end
+        end
+
+        def wsfed_signin_request
           wa      = SIGNIN_PARAM
-          wtrealm = url_encode(settings[:realm])
-          wreply  = url_encode(settings[:reply])
+          wtrealm = url_encode(strategy_settings[:realm])
+          wreply  = url_encode(strategy_settings[:reply])
           wct     = url_encode(Time.now.utc)
           whr     = url_encode(args[:whr])
 
@@ -22,7 +39,7 @@ module OmniAuth
             query_string = "#{query_string}&whr=#{whr}"
           end
 
-          settings[:issuer] + query_string
+          strategy_settings[:issuer] + query_string
         end
 
       end

data/spec/omniauth/strategies/wsfed/auth_request_spec.rb

@@ -3,64 +3,101 @@ require 'erb'
 
 describe OmniAuth::Strategies::WSFed::AuthRequest do
 
-  context 'Valid Request' do
-
-    let(:wsfed_settings) do
-      {
-          issuer: "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
-          realm:  "http://c4sc.com/security_realm",
-          reply:  "http://rp.c4sc.com/auth/wsfed"
-      }
+  let(:wsfed_settings) do
+    {
+        :issuer                     => 'https://c4sc.accesscontrol.windows.net.com/v2/wsfederation',
+        :realm                      => 'http://c4sc.com/security_realm',
+        :reply                      => 'http://rp.c4sc.com/auth/wsfed',
+        :home_realm_discovery_path  => 'auth/home_realm_discovery'
+    }
+  end
+
+  context 'Initialization' do
+
+    it 'should raise an ArgumentException when strategy_settings are nil or empty' do
+      expect { OmniAuth::Strategies::WSFed::AuthRequest.new(nil, {}) }.to raise_error ArgumentError
     end
 
-    describe 'WsFed Auth Request URL' do
+    it 'should set strategy_settings and args properties when initialized properly' do
+      args    = { :whr => 'https://identity.c4sc.com'}
+      request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, args)
 
-      let :request do
-        OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings)
-      end
+      request.strategy_settings.should  == wsfed_settings
+      request.args.should               == args
+    end
 
-      it 'should include the issuer URL followed by WsFed query string params' do
-        request.should start_with "#{wsfed_settings[:issuer]}?"
-      end
+  end
 
-      it 'should include the sign-in param [wa]' do
-        request.should include 'wa=wsignin1.0'
-      end
+  context 'Redirect URL' do
 
-      it 'should include the url-encoded security realm param [wtrealm]' do
-        request.should include "wtrealm=#{ERB::Util::url_encode(wsfed_settings[:realm])}"
-      end
+    it 'should equal the :home_realm_discovery path if configured and no :whr argument exists' do
+      request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, {})
 
-      it 'should include the url-encoded reply param [wreply]' do
-        request.should include "wreply=#{ERB::Util::url_encode(wsfed_settings[:reply])}"
-      end
+      request.redirect_url.should == wsfed_settings[:home_realm_discovery_path]
+    end
 
-      it 'should include an empty context param [wctx]' do
-        request.should include "wctx=&"
-      end
+    it 'should equal the wsfed_signin_path if :whr argument exists' do
+      args    = { :whr => 'https://identity.c4sc.com'}
+      request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, args)
+
+      request.redirect_url.should == request.wsfed_signin_request
+    end
 
-      it 'should include the request creation instant time param [wtc]' do
-        time = Time.now.utc
-        Time.now.stub(:utc).and_return(time)
+    it 'should equal the wsfed_signin_path if :whr argument and :home_realm_discovery_path are missing' do
+      wsfed_settings.delete(:home_realm_discovery_path)
+      request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, {})
 
-        request.should include "wct=#{ERB::Util.url_encode(time)}"
-      end
+      request.redirect_url.should == request.wsfed_signin_request
+    end
+
+  end
 
-      describe 'Url-Encoded Home Realm Parameter [whr]' do
+  context 'WSFed Signin Request' do
 
-        let(:home_realm) { "http://identity.c4sc.com/trust" }
+    let :request do
+      OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings)
+    end
 
-        it 'should include [whr] if provided in the options' do
-          request = OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings, :whr => home_realm)
-          request.should include "whr=#{ERB::Util::url_encode(home_realm)}"
-        end
+    it 'should include the issuer URL followed by WsFed query string params' do
+      request.wsfed_signin_request.should start_with "#{request.strategy_settings[:issuer]}?"
+    end
+
+    it 'should include the sign-in param [wa]' do
+      request.wsfed_signin_request.should include 'wa=wsignin1.0'
+    end
+
+    it 'should include the url-encoded security realm param [wtrealm]' do
+      request.wsfed_signin_request.should include "wtrealm=#{ERB::Util::url_encode(request.strategy_settings[:realm])}"
+    end
+
+    it 'should include the url-encoded reply param [wreply]' do
+      request.wsfed_signin_request.should include "wreply=#{ERB::Util::url_encode(request.strategy_settings[:reply])}"
+    end
 
-        it 'should exclude [whr] if ignored in the options' do
-          request = OmniAuth::Strategies::WSFed::AuthRequest.new.create(wsfed_settings, :whr => nil)
-          request.should_not include "whr=#{ERB::Util::url_encode(home_realm)}"
-          request.should_not include "whr="
-        end
+    it 'should include an empty context param [wctx]' do
+      request.wsfed_signin_request.should include "wctx=&"
+    end
+
+    it 'should include the request creation instant time param [wtc]' do
+      time = Time.now.utc
+      Time.now.stub(:utc).and_return(time)
+
+      request.wsfed_signin_request.should include "wct=#{ERB::Util.url_encode(time)}"
+    end
+
+    describe 'Url-Encoded Home Realm Parameter [whr]' do
+
+      let(:home_realm) { 'http://identity.c4sc.com/trust' }
+
+      it 'should include [whr] if provided in the options' do
+        request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, :whr => home_realm)
+        request.wsfed_signin_request.should include "whr=#{ERB::Util::url_encode(home_realm)}"
+      end
 
+      it 'should exclude [whr] if ignored in the options' do
+        request = OmniAuth::Strategies::WSFed::AuthRequest.new(wsfed_settings, :whr => nil)
+        request.wsfed_signin_request.should_not include "whr=#{ERB::Util::url_encode(home_realm)}"
+        request.wsfed_signin_request.should_not include 'whr='
       end
 
     end

data/spec/omniauth/strategies/wsfed_spec.rb

@@ -1,22 +1,22 @@
 require 'spec_helper'
 
-# Had to split these tests into two different classes because the OmniAuth::Test::StrategyTestCase only sets up one
-# instance of the strategy settings per spec description. In other words, any time you need to make changes to the
-# OmniAuth initialization settings, you need a new spec description to re-initialize the test strategy.
+# Had to split these tests into different classes because the OmniAuth::Test::StrategyTestCase only
+# sets up one instance of the strategy settings per spec description. In other words, any time you
+# need to make changes to the OmniAuth initialization settings, you need a new spec description to
+# re-initialize the test strategy.
 
 describe OmniAuth::Strategies::WSFed, :type => :strategy do
   include OmniAuth::Test::StrategyTestCase
 
-  let(:auth_hash){ last_request.env['omniauth.auth'] }
   let(:wsfed_settings) do
     {
-        issuer: "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
-        realm:  "http://c4sc.com/security_realm",
-        reply:  "http://rp.c4sc.com/auth/wsfed"
+        :issuer => 'https://c4sc.accesscontrol.windows.net.com/v2/wsfederation',
+        :realm  => 'http://example.com/rp',
+        :reply  => 'http://example.com/auth/wsfed'
     }
   end
   let(:strategy) { [OmniAuth::Strategies::WSFed, wsfed_settings] }
-  let(:home_realm) { "http://identity.c4sc.com/trust" }
+  let(:home_realm) { 'http://identity.c4sc.com' }
 
 
   describe 'request_phase: GET /auth/wsfed' do
@@ -47,17 +47,16 @@ end
 describe OmniAuth::Strategies::WSFed, :type => :strategy do
   include OmniAuth::Test::StrategyTestCase
 
-  let(:home_realm_discovery) { "/auth/wsfed/home_realm_discovery" }
   let(:wsfed_settings) do
     {
-        issuer:                     "https://c4sc.accesscontrol.windows.net.com/v2/wsfederation",
-        realm:                      "http://c4sc.com/security_realm",
-        reply:                      "http://rp.c4sc.com/auth/wsfed",
-        home_realm_discovery_path:  home_realm_discovery
+        :issuer => 'https://c4sc.accesscontrol.windows.net.com/v2/wsfederation',
+        :realm  => 'http://example.com/rp',
+        :reply  => 'http://example.com/auth/wsfed',
+        :home_realm_discovery_path => '/auth/wsfed/home_realm_discovery'
     }
   end
   let(:strategy) { [OmniAuth::Strategies::WSFed, wsfed_settings] }
-  let(:home_realm) { "http://identity.c4sc.com/trust" }
+  let(:home_realm) { 'http://identity.c4sc.com' }
 
   context ':home_realm_discovery_path configured' do
 
@@ -65,7 +64,7 @@ describe OmniAuth::Strategies::WSFed, :type => :strategy do
       get '/auth/wsfed'
 
       last_response.should be_redirect
-      last_response.location.should == home_realm_discovery
+      last_response.location.should == wsfed_settings[:home_realm_discovery_path]
     end
 
     it 'should redirect to the IdP/FP Issuer URL and maintain [whr] param' do
@@ -79,4 +78,31 @@ describe OmniAuth::Strategies::WSFed, :type => :strategy do
   end
 end
 
+describe OmniAuth::Strategies::WSFed, :type => :strategy do
+  include OmniAuth::Test::StrategyTestCase
+
+  let(:home_realm_discovery) { '/auth/wsfed/home_realm_discovery' }
+  let(:wsfed_settings) do
+    {
+        :issuer => 'https://c4sc.accesscontrol.windows.net.com/v2/wsfederation',
+        :realm  => 'http://example.com/rp',
+        :reply  => 'http://example.com/auth/wsfed',
+        :home_realm_discovery_path => home_realm_discovery
+    }
+  end
+  let(:strategy) { [OmniAuth::Strategies::WSFed, wsfed_settings] }
+  let(:home_realm) { 'http://identity.c4sc.com' }
+
+  context 'invalid callbacks' do
+
+    it 'should redirect to failure route when the \'wresult\' parameter is nil'  do
+      post 'auth/wsfed/callback'
+
+      last_response.status.should   == 302
+      last_response.location.should == '/auth/failure?message=invalid_authn_token&strategy=wsfed'
+    end
+
+  end
+end
+
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-wsfed
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Keith Beckman
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-11 00:00:00.000000000 Z
+date: 2013-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
@@ -93,7 +93,6 @@ files:
 - .gitignore
 - .travis.yml
 - Gemfile
-- Gemfile.lock
 - LICENSE
 - README.md
 - Rakefile
@@ -131,7 +130,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.0.6
 signing_key: 
 specification_version: 4
 summary: A WS-Federation + WS-Trust strategy for OmniAuth.

data/Gemfile.lock

@@ -1,37 +0,0 @@
-PATH
-  remote: .
-  specs:
-    omniauth-wsfed (0.2.1)
-      omniauth (~> 1.1.0)
-      xmlcanonicalizer (= 0.1.1)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    diff-lcs (1.1.3)
-    hashie (1.2.0)
-    omniauth (1.1.0)
-      hashie (~> 1.2)
-      rack
-    rack (1.4.1)
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rake (10.0.3)
-    rspec (2.12.0)
-      rspec-core (~> 2.12.0)
-      rspec-expectations (~> 2.12.0)
-      rspec-mocks (~> 2.12.0)
-    rspec-core (2.12.2)
-    rspec-expectations (2.12.1)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.12.1)
-    xmlcanonicalizer (0.1.1)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  omniauth-wsfed!
-  rack-test (>= 0.6.2)
-  rake (>= 10.0.3)
-  rspec (>= 2.12.0)