omniauth_crowd 2.2.3 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 59c97cc073c410612b365745b87b17e917845178
-  data.tar.gz: e98defefdd3a85dcb46dbcf896cdb2e3e7fa3c75
+  metadata.gz: d6496c1f734a4cc164441c2cceb75039fa3751b2
+  data.tar.gz: 9d8e8b2cff8787f2d346dcb45f06486a1596d08d
 SHA512:
-  metadata.gz: b2ea0383c88b06a00874e5053164c938f075b2df3ebd8b0ce0b50633d28653236d371616654d984e73c24cdc19eb4bca7626549fd2d2bd05803a8b0d6bc5fbe6
-  data.tar.gz: 7e10ab76e6cf238e4b97e92cc9a10948eb2458ca56f9914f733a6271d7da3db1a30f4ed3e44545968c0bee3e1c5c3f945ee544dffe2b7baa7cb665d1bf30fabc
+  metadata.gz: 598ab5299d7381c0804b8afc81bd7227eea20d868ff2afd3dd38d4e9c518c6486706dc90a7d1b936c46c86e2d6bd6763fa2a7df0285bc6928564fb530a0e4cb2
+  data.tar.gz: 7f88dc8845d027da6983af8a3e05e3c544e5dea8075977eb376708917140298fbd3f30b26173f929877433057aaf1ca56cf8fdec588f933eea463c268f4e638d

data/.travis.yml

@@ -1,6 +1,10 @@
 language: ruby
+before_install:
+  - gem install bundler -v '~> 1.11'
 rvm:
   - "1.9.3"
   - "2.0.0"
   - "2.1.2"
+  - "2.2.4"
+  - "2.3.0"
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    omniauth_crowd (2.2.3)
+    omniauth_crowd (2.3.0)
       activesupport
       nokogiri (>= 1.4.4)
       omniauth (~> 1.0)
@@ -9,49 +9,51 @@ PATH
 GEM
   remote: http://rubygems.org/
   specs:
-    activesupport (4.1.4)
-      i18n (~> 0.6, >= 0.6.9)
+    activesupport (4.2.5.1)
+      i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
-      thread_safe (~> 0.1)
+      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.3.6)
-    crack (0.4.2)
+    addressable (2.4.0)
+    crack (0.4.3)
       safe_yaml (~> 1.0.0)
     diff-lcs (1.2.5)
-    hashie (3.2.0)
-    i18n (0.6.11)
-    json (1.8.1)
-    mini_portile (0.6.0)
-    minitest (5.4.0)
-    nokogiri (1.6.3.1)
-      mini_portile (= 0.6.0)
-    omniauth (1.2.2)
+    hashdiff (0.3.0)
+    hashie (3.4.3)
+    i18n (0.7.0)
+    json (1.8.3)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    omniauth (1.3.1)
       hashie (>= 1.2, < 4)
-      rack (~> 1.0)
-    rack (1.5.2)
-    rack-test (0.6.2)
+      rack (>= 1.0, < 3)
+    rack (1.6.4)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rake (10.3.2)
+    rake (10.5.0)
     rspec (3.0.0)
       rspec-core (~> 3.0.0)
       rspec-expectations (~> 3.0.0)
       rspec-mocks (~> 3.0.0)
-    rspec-core (3.0.3)
+    rspec-core (3.0.4)
       rspec-support (~> 3.0.0)
-    rspec-expectations (3.0.3)
+    rspec-expectations (3.0.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.0.0)
-    rspec-mocks (3.0.3)
+    rspec-mocks (3.0.4)
       rspec-support (~> 3.0.0)
-    rspec-support (3.0.3)
-    safe_yaml (1.0.3)
-    thread_safe (0.3.4)
+    rspec-support (3.0.4)
+    safe_yaml (1.0.4)
+    thread_safe (0.3.5)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    webmock (1.18.0)
+    webmock (1.24.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
+      hashdiff
 
 PLATFORMS
   ruby
@@ -64,3 +66,6 @@ DEPENDENCIES
   rake
   rspec (~> 3.0.0)
   webmock
+
+BUNDLED WITH
+   1.11.2

data/lib/omniauth/strategies/crowd.rb

@@ -18,7 +18,13 @@ module OmniAuth
 
       def request_phase
         if env['REQUEST_METHOD'] == 'GET'
-          get_credentials
+
+          if @configuration.use_sso? && request.cookies[@configuration.session_cookie]
+            redirect callback_url
+          else            
+            get_credentials
+          end
+
         elsif (env['REQUEST_METHOD'] == 'POST') && (not request.params['username'])
           get_credentials
         else
@@ -27,17 +33,52 @@ module OmniAuth
         end
       end
 
+      def get_client_ip
+        env['HTTP_X_FORWARDED_FOR'] ? env['HTTP_X_FORWARDED_FOR'] : env['REMOTE_ADDRESS']
+      end
+
+      def get_sso_tokens
+        env['HTTP_COOKIE'].split(';').select { |val| 
+          val.strip.start_with?(@configuration.session_cookie)
+        }.map { |val| 
+          val.strip.split('=').last
+        }            
+      end
+
       def get_credentials
+
+        configuration = @configuration
+
         OmniAuth::Form.build(:title => (options[:title] || "Crowd Authentication")) do
           text_field 'Login', 'username'
           password_field 'Password', 'password'
+
+          if configuration.use_sso? && configuration.sso_url
+            fieldset 'SSO' do
+              html "<a href=\"#{configuration.sso_url}/users/auth/crowd/callback\">" + (configuration.sso_url_image ? "<img src=\"#{configuration.sso_url_image}\" />" : '') + "</a>"
+            end
+          end
+
         end.to_response
-      end
 
+      end
+      
       def callback_phase
+
         creds = session.delete 'omniauth.crowd'
-        return fail!(:no_credentials) unless creds
-        validator = CrowdValidator.new(@configuration, creds['username'], creds['password'])
+        username = creds.nil? ? nil : creds['username']
+        password = creds.nil? ? nil : creds['password']
+
+        unless creds
+          if @configuration.use_sso? && request.cookies[@configuration.session_cookie]
+            validator = CrowdValidator.new(@configuration, username, password, get_client_ip, get_sso_tokens)
+          else
+            return fail!(:no_credentials)
+          end
+        else
+          validator = CrowdValidator.new(@configuration, username, password, get_client_ip, nil)
+        end
+
         @user_info = validator.user_info
 
         return fail!(:invalid_credentials) if @user_info.nil? || @user_info.empty?

data/lib/omniauth/strategies/crowd/configuration.rb

@@ -8,8 +8,9 @@ module OmniAuth
         DEFAULT_AUTHENTICATION_URL = "%s/rest/usermanagement/latest/authentication"
         DEFAULT_USER_GROUP_URL = "%s/rest/usermanagement/latest/user/group/direct"
         DEFAULT_CONTENT_TYPE = 'application/xml'
+        DEFAULT_SESSION_COOKIE = 'crowd.token_key'
 
-        attr_reader :crowd_application_name, :crowd_password, :disable_ssl_verification, :include_users_groups, :use_sessions, :session_url, :content_type
+        attr_reader :crowd_application_name, :crowd_password, :disable_ssl_verification, :include_users_groups, :use_sessions, :session_url, :content_type, :session_cookie, :sso_url, :sso_url_image
 
         alias :"disable_ssl_verification?" :disable_ssl_verification
         alias :"include_users_groups?" :include_users_groups
@@ -29,6 +30,10 @@ module OmniAuth
         # @option params [String, nil] :crowd_user_group_url (:crowd_server_url + '/rest/usermanagement/latest/user/group/direct') the URL to which to
         #         use for retrieving users groups optional if `:crowd_server_url` is specified, or if `:include_user_groups` is false
         #         required otherwise.
+        # @option params [Boolean, false] :use_sessions Use Crowd sessions. If the user logins with user and password create a new Crowd session. Update the session if only a session token is sent (Cookie name set by option session_cookie)
+        # @option params [String, 'crowd.token_key'] :session_cookie Session cookie name. Defaults to: 'crowd.token_key'
+        # @option params [String, nil] :sso_url URL of the external SSO page. If this parameter is defined the login form will have a link which will redirect to the SSO page. The SSO must return to the URL of the page using omniauth_crowd (Path portion '/users/auth/crowd/callback' is appended to the URL)
+        # @option params [String, nil] :sso_url_image Optional image URL to be used in SSO link in the login form
         def initialize(params)
           parse_params params
         end
@@ -46,6 +51,10 @@ module OmniAuth
           @user_group_url.nil? ? nil : append_username( @user_group_url, username)
         end
 
+        def use_sso?()
+          @use_sessions && @sso_url ? true : false
+        end
+
         private
         def parse_params(options)
           options= {:include_user_groups => true}.merge(options || {})
@@ -56,6 +65,9 @@ module OmniAuth
           @crowd_password         = options[:application_password]
           @use_sessions           = options[:use_sessions]
           @content_type           = options[:content_type] || DEFAULT_CONTENT_TYPE
+          @session_cookie         = options[:session_cookie] || DEFAULT_SESSION_COOKIE
+          @sso_url                = options[:sso_url]
+          @sso_url_image          = options[:sso_url_image]
 
           unless options.include?(:crowd_server_url) || options.include?(:crowd_authentication_url)
             raise ArgumentError.new("Either :crowd_server_url or :crowd_authentication_url MUST be provided")

data/lib/omniauth/strategies/crowd/crowd_validator.rb

@@ -6,22 +6,16 @@ module OmniAuth
   module Strategies
     class Crowd
       class CrowdValidator
-        SESSION_REQUEST_BODY = <<-BODY.strip
-<authentication-context>
-  <username>%s</username>
-  <password>%s</password>
-</authentication-context>
-BODY
         AUTHENTICATION_REQUEST_BODY = "<password><value>%s</value></password>"
-        def initialize(configuration, username, password)
-          @configuration, @username, @password = configuration, username, password
+        def initialize(configuration, username, password, client_ip, tokens)
+          @configuration, @username, @password, @client_ip, @tokens = configuration, username, password, client_ip, tokens
           @authentiction_uri = URI.parse(@configuration.authentication_url(@username))
           @session_uri       = URI.parse(@configuration.session_url) if @configuration.use_sessions
-          @user_group_uri    = @configuration.include_users_groups? ? URI.parse(@configuration.user_group_url(@username)) : nil
         end
 
         def user_info
           user_info_hash = retrieve_user_info!
+
           if user_info_hash && @configuration.include_users_groups?
             user_info_hash = add_user_groups!(user_info_hash)
           else
@@ -29,27 +23,36 @@ BODY
           end
 
           if user_info_hash && @configuration.use_sessions?
-            user_info_hash = add_session!(user_info_hash)
+            user_info_hash = set_session!(user_info_hash)
           end
 
           user_info_hash
         end
 
         private
-        def add_session!(user_info_hash)
-          response = make_session_request
+        def set_session!(user_info_hash)
+
+          response = nil
+
+          if user_info_hash["sso_token"]
+            response = make_session_request(user_info_hash["sso_token"])
+          else
+            response = make_session_request(nil)
+          end
+
           if response.kind_of?(Net::HTTPSuccess) && response.body
             doc = Nokogiri::XML(response.body)
             user_info_hash["sso_token"] = doc.xpath('//token/text()').to_s
           else
-            OmniAuth.logger.send(:warn, "(crowd) [add_session!] response code: #{response.code.to_s}")
-            OmniAuth.logger.send(:warn, "(crowd) [add_session!] response body: #{response.body}")
+            OmniAuth.logger.send(:warn, "(crowd) [set_session!] response code: #{response.code.to_s}")
+            OmniAuth.logger.send(:warn, "(crowd) [set_session!] response body: #{response.body}")
           end
+
           user_info_hash
         end
 
         def add_user_groups!(user_info_hash)
-          response = make_user_group_request
+          response = make_user_group_request(user_info_hash['user'])
           unless response.code.to_i != 200 || response.body.nil? || response.body == ''
             doc = Nokogiri::XML(response.body)
             user_info_hash["groups"] = doc.xpath("//groups/group/@name").map(&:to_s)
@@ -59,18 +62,32 @@ BODY
 
         def retrieve_user_info!
           response = make_authorization_request
-          unless response.code.to_i != 200 || response.body.nil? || response.body == ''
-            doc = Nokogiri::XML(response.body)
-            {
-              "user" => doc.xpath("//user/@name").to_s,
-              "name" => doc.xpath("//user/display-name/text()").to_s,
-              "first_name" => doc.xpath("//user/first-name/text()").to_s,
-              "last_name" => doc.xpath("//user/last-name/text()").to_s,
-              "email" => doc.xpath("//user/email/text()").to_s
-            }
+
+          unless response === nil
+            unless response.code.to_i != 200 || response.body.nil? || response.body == ''
+
+              doc = Nokogiri::XML(response.body)
+              result = {
+                "user" => doc.xpath("//user/@name").to_s,
+                "name" => doc.xpath("//user/display-name/text()").to_s,
+                "first_name" => doc.xpath("//user/first-name/text()").to_s,
+                "last_name" => doc.xpath("//user/last-name/text()").to_s,
+                "email" => doc.xpath("//user/email/text()").to_s
+              }
+
+              if doc.at_xpath("//token")
+                result["sso_token"] = doc.xpath("//token/text()").to_s
+              end
+
+              result
+              
+            else
+              OmniAuth.logger.send(:warn, "(crowd) [retrieve_user_info!] response code: #{response.code.to_s}")
+              OmniAuth.logger.send(:warn, "(crowd) [retrieve_user_info!] response body: #{response.body}")
+              nil
+            end
           else
-            OmniAuth.logger.send(:warn, "(crowd) [retrieve_user_info!] response code: #{response.code.to_s}")
-            OmniAuth.logger.send(:warn, "(crowd) [retrieve_user_info!] response body: #{response.body}")
+            OmniAuth.logger.send(:warn, "(crowd) [retrieve_user_info!] None of the session tokens were valid")
             nil
           end
         end
@@ -91,18 +108,58 @@ BODY
           end
         end
 
-        def make_user_group_request
-          make_request(@user_group_uri)
+        def make_user_group_request(username)
+          make_request(URI.parse(@configuration.user_group_url(username)))
         end
 
         def make_authorization_request
-          make_request(@authentiction_uri, make_authentication_request_body(@password))
-        end
 
-        def make_session_request
-          make_request(@session_uri, make_session_request_body(@username, @password))
+          if @configuration.use_sessions? && @tokens.kind_of?(Array)
+            make_session_retrieval_request
+          else 
+            make_request(@authentiction_uri, make_authentication_request_body(@password))
+          end
         end
 
+        def make_session_request(token)
+
+          root = url = validation_factor = nil
+          doc = Nokogiri::XML::Document.new
+
+          if token === nil
+
+            url = @session_uri
+            root = doc.create_element('authentication-context')
+
+            doc.root = root
+            root.add_child(doc.create_element('username', @username))
+            root.add_child(doc.create_element('password', @password))
+
+          else
+            url = URI.parse(@session_uri.to_s() + "/#{token}")
+          end
+
+          if @configuration.use_sessions? || @client_ip
+
+            if root === nil
+              root = doc.create_element('validation-factors')
+              doc.root = root
+            else
+              root.add_child(doc.create_element('validation-factors'))
+            end
+
+            validation_factor = doc.create_element('validation-factor')
+            validation_factor.add_child(doc.create_element('name', 'remote_address'))
+            validation_factor.add_child(doc.create_element('value', @client_ip))
+            
+            doc.xpath('//validation-factors').first.add_child(validation_factor)
+            
+          end
+          
+          make_request(url, doc.to_s)
+          
+        end        
+
         # create the body using Nokogiri so proper encoding of passwords can be ensured
         def make_authentication_request_body(password)
           request_body = Nokogiri::XML(AUTHENTICATION_REQUEST_BODY)
@@ -111,11 +168,17 @@ BODY
           return request_body.root.to_s # return the body without the xml header
         end
 
-        def make_session_request_body(username,password)
-          request_body = Nokogiri::XML(SESSION_REQUEST_BODY)
-          request_body.at_css("username").content = username
-          request_body.at_css("password").content = password
-          return request_body.root.to_s
+        def make_session_retrieval_request
+
+          response = nil
+
+          @tokens.any? { |token|
+            response = make_request(URI.parse(@session_uri.to_s() + "/#{token}"))
+            response.code.to_i == 200 && !response.body.nil? && response.body != ''
+          }            
+
+          response
+          
         end
       end
     end

data/lib/omniauth_crowd/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Crowd
-    VERSION = "2.2.3"
+    VERSION = "2.3.0"
   end
 end

data/spec/omniauth/strategies/crowd_spec.rb

@@ -9,12 +9,17 @@ describe OmniAuth::Strategies::Crowd, :type=>:strategy do
     [OmniAuth::Strategies::Crowd, {:crowd_server_url => @crowd_server_url,
                                     :application_name => @application_name,
                                     :application_password => @application_password,
-                                    :use_sessions => @using_sessions}]
+                                    :use_sessions => @using_sessions,
+                                    :sso_url => @sso_url,
+                                    :sso_url_image => @sso_url_image
+     }]
   end
 
   @using_sessions = false
+  @sso_url = nil
+  @sso_url_image = nil
   let(:config) { OmniAuth::Strategies::Crowd::Configuration.new(strategy[1]) }
-  let(:validator) { OmniAuth::Strategies::Crowd::CrowdValidator.new(config, 'foo', 'bar') }
+  let(:validator) { OmniAuth::Strategies::Crowd::CrowdValidator.new(config, 'foo', 'bar', nil, nil) }
 
   describe 'Authentication Request Body' do
 
@@ -37,28 +42,6 @@ BODY
     end
   end
 
-  describe 'Session Request Body' do
-    it 'should send username and password in session request' do
-      body = <<-BODY.strip
-<authentication-context>
-  <username>foo</username>
-  <password>bar</password>
-</authentication-context>
-BODY
-      expect(validator.send(:make_session_request_body, 'foo', 'bar')).to eq(body)
-    end
-
-    it 'should escape special characters username and password in session request' do
-      body = <<-BODY.strip
-<authentication-context>
-  <username>foo</username>
-  <password>bar&lt;</password>
-</authentication-context>
-BODY
-      expect(validator.send(:make_session_request_body, 'foo', 'bar<')).to eq(body)
-    end
-  end
-
   describe 'GET /auth/crowd' do
     it 'should show the login form' do
       get '/auth/crowd'
@@ -150,7 +133,7 @@ BODY
   describe 'GET /auth/crowd/callback with credentials will fail' do
     before do
       stub_request(:post, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/authentication?username=foo").
-      to_return(:code=>400)
+      to_return(:status=>400)
       get '/auth/crowd/callback', nil, 'rack.session'=>{'omniauth.crowd'=> {"username"=>"foo", "password"=>"ba"}}
     end
     it 'should fail' do
@@ -158,4 +141,247 @@ BODY
       expect(last_response.headers['Location']).to match(/invalid_credentials/)
     end
   end
+
+  describe 'GET /auth/crowd without credentials will redirect to login form' do
+    
+    sso_url = 'https://foo.bar'
+
+    before do
+      @using_sessions = true
+      @sso_url = sso_url
+    end
+
+    it 'should have the SSO button in the response body' do
+
+      found_legend = found_anchor = nil
+
+      get '/auth/crowd'
+
+      Nokogiri::HTML(last_response.body).xpath('//html/body/form/fieldset/*').each do |element|
+
+        if element.name === 'legend' && element.content() === 'SSO'
+          found_legend = true
+        elsif element.name === 'a' && element.attr('href') === "#{sso_url}/users/auth/crowd/callback"
+          found_anchor = true
+        end        
+      end
+
+      expect(found_legend).to(be(true))
+      expect(found_anchor).to(be(true))
+
+    end
+
+    after do
+      @using_sessions = false
+      @sso_url = nil
+    end
+
+  end
+  
+  describe 'GET /auth/crowd without credentials will redirect to login form which has custom image in the SSO link' do
+    
+    sso_url = 'https://foo.bar'
+    sso_url_image = 'https://foo.bar/image.png'
+    
+    before do
+      @using_sessions = true
+      @sso_url = sso_url
+      @sso_url_image = 'https://foo.bar/image.png'
+    end
+
+    it 'should have the SSO button with a custom image in the response body' do
+
+      found_legend = found_anchor = found_image = false
+
+      get '/auth/crowd'
+
+      Nokogiri::HTML(last_response.body).xpath('//html/body/form/fieldset/*').each do |element|
+
+        if element.name === 'legend' && element.content() === 'SSO'
+          found_legend = true
+        elsif element.name === 'a' && element.attr('href') === "#{sso_url}/users/auth/crowd/callback"
+
+          found_anchor = true
+
+          if element.children.length === 1 && element.children.first.name === 'img' && element.children.first.attr('src') === sso_url_image
+            found_image = true
+          end
+
+        end
+      end
+
+      expect(found_legend).to(be(true))
+      expect(found_anchor).to(be(true))
+      expect(found_image).to(be(true))
+
+    end
+
+    after do
+      @using_sessions = false
+      @sso_url = nil
+      @sso_url_image = nil
+    end
+
+  end
+
+  describe 'GET /auth/crowd without credentials but with SSO cookie will redirect to callback' do
+    
+    sso_url = 'https://foo.bar'
+    
+    before do
+      
+      @using_sessions = true
+      @sso_url = sso_url
+
+      set_cookie('crowd.token_key=foobar')
+
+    end
+
+    it 'should redirect to callback' do
+      get '/auth/crowd'
+      expect(last_response).to be_redirect
+      expect(last_response.headers['Location']).to eq('http://example.org/auth/crowd/callback')
+    end
+
+    after do
+
+      @using_sessions = false
+      @sso_url = nil
+
+      clear_cookies()
+
+    end
+
+  end
+  
+  describe 'POST /auth/crowd/callback without credentials but with SSO cookie will redirect to login form because session is invalid' do
+    
+    sso_url = 'https://foo.bar'
+    token = 'foobar'
+    
+    before do
+      
+      @using_sessions = true
+      @sso_url = sso_url
+
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/#{token}").
+          to_return(:status => [404])
+
+      set_cookie("crowd.token_key=#{token}")
+
+    end
+
+    it 'should redirect to login form' do
+      post '/auth/crowd/callback'
+      expect(last_response).to be_redirect
+      expect(last_response.headers['Location']).to match(/invalid_credentials/)
+    end
+
+    after do
+
+      @using_sessions = false
+      @sso_url = nil
+
+      clear_cookies()
+
+    end
+
+  end
+  
+  describe 'GET /auth/crowd/callback without credentials but with SSO cookie will succeed' do
+
+    sso_url = 'https://foo.bar'
+    token = 'rtk8eMvqq00EiGn5iJCMZQ00'
+    
+    before do
+      
+      @using_sessions = true
+      @sso_url = sso_url
+
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/#{token}").
+        to_return(:status => 200, :body => File.read(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'session.xml')))
+      stub_request(:post, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/#{token}").
+        to_return(:status => 200)
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/user/group/direct?username=foo").
+        to_return(:body => File.read(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'groups.xml')))
+      
+      set_cookie("crowd.token_key=#{token}")
+
+    end
+
+    it 'should return user data' do
+
+      auth = nil
+
+      get '/auth/crowd/callback'
+
+      auth = last_request.env['omniauth.auth']
+
+      expect(auth['provider']).to eq(:crowd)
+      expect(auth['uid']).to eq('foo')
+      expect(auth['info']).to be_kind_of(Hash)
+      expect(auth['info']['groups'].sort).to eq(["Developers", "jira-users"].sort)
+
+    end
+
+    after do
+
+      @using_sessions = false
+      @sso_url = nil
+
+      clear_cookies()
+
+    end
+
+  end
+
+  describe 'GET /auth/crowd/callback without credentials but with multiple SSO cookies will succeed because one of them is valid' do
+
+    sso_url = 'https://foo.bar'
+    
+    before do
+      
+      @using_sessions = true
+      @sso_url = sso_url
+
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/foo").
+        to_return(:status => 404)
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/fubar").
+        to_return(:status => 404)
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/rtk8eMvqq00EiGn5iJCMZQ00").
+        to_return(:status => 200, :body => File.read(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'session.xml')))
+      stub_request(:post, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/session/rtk8eMvqq00EiGn5iJCMZQ00").
+        to_return(:status => 200)
+      stub_request(:get, "https://bogus_app:bogus_app_password@crowd.example.org/rest/usermanagement/latest/user/group/direct?username=foo").
+        to_return(:body => File.read(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'groups.xml')))
+
+      header('Cookie', "crowd.token_key=foo;crowd.token_key=rtk8eMvqq00EiGn5iJCMZQ00;crowd.token_key=fubar")
+
+    end
+
+    it 'should return user data' do
+
+      auth = nil
+
+      get '/auth/crowd/callback'
+
+      auth = last_request.env['omniauth.auth']
+
+      expect(auth['provider']).to eq(:crowd)
+      expect(auth['uid']).to eq('foo')
+      expect(auth['info']).to be_kind_of(Hash)
+      expect(auth['info']['groups'].sort).to eq(["Developers", "jira-users"].sort)
+
+    end
+
+    after do
+
+      @using_sessions = false
+      @sso_url = nil
+
+      header('Cookie', nil)
+
+    end
+
+  end
 end

data/spec/spec_helper.rb

@@ -3,6 +3,7 @@ Bundler.setup
 require 'rack/test'
 require 'webmock'
 require 'webmock/rspec'
+require 'nokogiri'
 
 require 'omniauth_crowd'
 RSpec.configure do |config|

metadata

@@ -1,139 +1,139 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_crowd
 version: !ruby/object:Gem::Version
-  version: 2.2.3
+  version: 2.3.0
 platform: ruby
 authors:
 - Robert Di Marco
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-28 00:00:00.000000000 Z
+date: 2016-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.4.4
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: 1.0.0
 description: This is an OmniAuth provider for Atlassian Crowd's REST API.  It allows
@@ -144,9 +144,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .document
-- .gitignore
-- .travis.yml
+- ".document"
+- ".gitignore"
+- ".travis.yml"
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -172,17 +172,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: An OmniAuth provider for Atlassian Crowd REST API