From 3fe0a4b4bfc6e487f44403f304c1f03f25cdf192 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 11:51:38 +0300
Subject: [PATCH 01/18] Remake for TARA strategy
---
 LICENSE.txt | 38 +-
 README.md | 107 +------
 lib/omniauth/openid_connect.rb | 5 -
 .../strategies/{openid_connect.rb => tara.rb} | 50 ++--
 lib/omniauth/tara.rb | 6 +
 .../{openid_connect => tara}/errors.rb | 2 +-
 lib/omniauth/tara/user_info.rb | 46 +++
 .../{openid_connect => tara}/version.rb | 2 +-
 lib/omniauth_openid_connect.rb | 3 -
 lib/omniauth_tara.rb | 3 +
 ...d_connect.gemspec => omniauth_tara.gemspec | 29 +-
 .../{openid_connect_test.rb => tara_test.rb} | 278 +-----------------
 test/strategy_test_case.rb | 17 +-
 test/test_helper.rb | 2 +-
 14 files changed, 147 insertions(+), 441 deletions(-)
 delete mode 100644 lib/omniauth/openid_connect.rb
 rename lib/omniauth/strategies/{openid_connect.rb => tara.rb} (91%)
 create mode 100644 lib/omniauth/tara.rb
 rename lib/omniauth/{openid_connect => tara}/errors.rb (88%)
 create mode 100644 lib/omniauth/tara/user_info.rb
 rename lib/omniauth/{openid_connect => tara}/version.rb (77%)
 delete mode 100644 lib/omniauth_openid_connect.rb
 create mode 100644 lib/omniauth_tara.rb
 rename omniauth_openid_connect.gemspec => omniauth_tara.gemspec (56%)
 rename test/lib/omniauth/strategies/{openid_connect_test.rb => tara_test.rb} (69%)
diff --git a/LICENSE.txt b/LICENSE.txt
index fb7b9071..825c8e7b 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,22 +1,26 @@ +Copyright (c) 2023 Estonian Internet Foundation Copyright (c) 2014 John Bohn -MIT License +The MIT/X11 License (MIT/X11) -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +Except as contained in this notice, the name(s) of the above copyright holders +shall not be used in advertising or otherwise to promote the sale, use or other +dealings in this Software without prior written authorization. diff --git a/README.md b/README.md index 6fc80304..6ce8724a 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,17 @@ -# OmniAuth::OpenIDConnect +# OmniAuth::Tara -Originally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect) +Originally based on [omniauth_openid_connect](https://github.com/omniauth/omniauth_openid_connect), +with parts rewritten to fit TARA-Doku protocol. I've forked this repository and launch as separate gem because maintaining of original was dropped. -[![Build Status](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml/badge.svg)](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml) -[![Coverage Status](https://coveralls.io/repos/github/omniauth/omniauth_openid_connect/badge.svg)](https://coveralls.io/github/omniauth/omniauth_openid_connect) +[![Build Status](https://travis-ci.org/internetee/omniauth-tara.svg?branch=master)](https://travis-ci.org/internetee/omniauth-tara) ## Installation Add this line to your application's Gemfile: - gem 'omniauth_openid_connect' + gem 'omniauth-tara' And then execute: @@ -19,11 +19,11 @@ And then execute: Or install it yourself as: - $ gem install omniauth_openid_connect + $ gem install omniauth-tara ## Supported Ruby Versions -OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2 +OmniAuth::Tara is tested under 2.7, 3.0, 3.1, 3.2 ## Usage 
@@ -31,9 +31,9 @@ Example configuration ```ruby Rails.application.config.middleware.use OmniAuth::Builder do - provider :openid_connect, { + provider :tara, { name: :my_provider, - scope: [:openid, :email, :profile, :address], + scope: [:openid, :idcard, :mid, :smartid], response_type: :code, uid_field: "preferred_username", client_options: { 
@@ -48,81 +48,12 @@ Rails.application.config.middleware.use OmniAuth::Builder do end ``` -### with Devise -```ruby -Devise.setup do |config| - config.omniauth :openid_connect, { - name: :my_provider, - scope: [:openid, :email, :profile, :address], - response_type: :code, - uid_field: "preferred_username", - client_options: { - port: 443, - scheme: "https", - host: "myprovider.com", - identifier: ENV["OP_CLIENT_ID"], - secret: ENV["OP_SECRET_KEY"], - redirect_uri: "http://myapp.com/users/auth/openid_connect/callback", - }, - } -end -``` - -### Options Overview - -| Field | Description | Required | Default | Example/Options | -|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------| -| name | Arbitrary string to identify connection and identify it from other openid_connect providers | no | String: openid_connect | :my_idp | -| issuer | Root url for the authorization server | yes | | https://myprovider.com | -| discovery | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values. | no | false | one of: true, false | -| client_auth_method | Which authentication method to use to authenticate your app with the authorization server | no | Sym: basic | "basic", "jwks" | -| scope | Which OpenID scopes to include (:openid is always required) | no | Array [:openid] | [:openid, :profile, :email] | -| response_type | Which OAuth2 response type to use with the authorization request | no | String: code | one of: 'code', 'id_token' | -| state | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string. 
| no | Random 16 character string | Proc.new { SecureRandom.hex(32) } | -| require_state | Should state param be verified - this is recommended, not required by the OIDC specification | no | true | false | -| response_mode | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) | no | nil | one of: :query, :fragment, :form_post, :web_message | -| display | An optional parameter to the authorization request to determine how the authorization and consent page | no | nil | one of: :page, :popup, :touch, :wap | -| prompt | An optional parameter to the authrization request to determine what pages the user will be shown | no | nil | one of: :none, :login, :consent, :select_account | -| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint? | no | true | one of: true, false | -| post_logout_redirect_uri | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html) | no | empty | https://myapp.com/logout/callback | -| uid_field | The field of the user info response to be used as a unique id | no | 'sub' | "sub", "preferred_username" | -| extra_authorize_params | A hash of extra fixed parameters that will be merged to the authorization request | no | Hash | {"tenant" => "common"} | -| allow_authorize_params | A list of allowed dynamic parameters that will be merged to the authorization request | no | Array | [:screen_name] | -| pkce | Enable [PKCE flow](https://oauth.net/2/pkce/) | no | false | one of: true, false | -| pkce_verifier | Specify a custom PKCE verifier code. | no | A random 128-char string | Proc.new { SecureRandom.hex(64) } | -| pkce_options | Specify a custom implementation of the PKCE code challenge/method. 
| no | SHA256(code_challenge) in hex | Proc to customise the code challenge generation | -| client_options | A hash of client options detailed in its own section | yes | | | -| jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n" -| logout_path | The log out is only triggered when the request path ends on this path | no | '/logout' | '/sign_out' - -### Client Config Options - -These are the configuration options for the client_options hash of the configuration. - -| Field | Description | Default | Replaced by discovery? | -|------------------------|-----------------------------------------------------------------|------------|------------------------| -| identifier | The OAuth2 client_id | | | -| secret | The OAuth2 client secret | | | -| redirect_uri | The OAuth2 authorization callback url in your app | | | -| scheme | The http scheme to use | https | | -| host | The host of the authorization server | nil | | -| port | The port for the authorization server | 443 | | -| authorization_endpoint | The authorize endpoint on the authorization server | /authorize | yes | -| token_endpoint | The token endpoint on the authorization server | /token | yes | -| userinfo_endpoint | The user info endpoint on the authorization server | /userinfo | yes | -| jwks_uri | The jwks_uri on the authorization server | /jwk | yes | -| end_session_endpoint | The url to call to log the user out at the authorization server | nil | yes | - ### Additional Configuration Notes * `name` is arbitrary, I recommend using the name of your provider. The name configuration exists because you could be using multiple OpenID Connect providers in a single app. 
- - **NOTE**: if you use this gem with Devise you should use `:openid_connect` name, - or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect' - * `response_type` tells the authorization server which grant type the application wants to use, - currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid. + currently, only `:code` (Authorization Code grant) is valid. * If you want to pass `state` parameter by yourself. You can set Proc Object. e.g. `state: Proc.new { SecureRandom.hex(32) }` * `nonce` is optional. If don't want to pass "nonce" parameter to provider, You should specify 
@@ -140,24 +71,6 @@ These are the configuration options for the client_options hash of the configura that appears in the `user_info` details. * The `issuer` property should exactly match the provider's issuer link. * The `response_mode` option is optional and specifies how the result of the authorization request is formatted. - * Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if - this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint` - property can be used to add the attribute to the token request. Initial value is `true`, which means that the - scope attribute is included by default. - -## Additional notes - * In some cases, you may want to go straight to the callback phase - e.g. when requested by a stateless client, like a mobile app. - In such example, the session is empty, so you have to forward certain parameters received from the client. - Currently supported ones are `code_verifier` and `nonce` - simply provide them as the `/callback` request parameters. For the full low down on OpenID Connect, please check out [the spec](http://openid.net/specs/openid-connect-core-1_0.html). - -## Contributing - -1. Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork ) -2. Create your feature branch (`git checkout -b my-new-feature`) -3. Cover your changes with tests and make sure they're green (`bundle install && bundle exec rake test`) -4. Commit your changes (`git commit -am 'Add some feature'`) -5. Push to the branch (`git push origin my-new-feature`) -6. Create new Pull Request diff --git a/lib/omniauth/openid_connect.rb b/lib/omniauth/openid_connect.rb deleted file mode 100644 index 6158e0f0..00000000 --- a/lib/omniauth/openid_connect.rb +++ /dev/null @@ -1,5 +0,0 @@ -# frozen_string_literal: true - -require 'omniauth/openid_connect/errors' -require 'omniauth/openid_connect/version' -require 'omniauth/strategies/openid_connect' 
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/tara.rb
similarity index 91%
rename from lib/omniauth/strategies/openid_connect.rb
rename to lib/omniauth/strategies/tara.rb
index ebfaaa17..196c372f 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/tara.rb
@@ -10,28 +10,28 @@
 module OmniAuth
 module Strategies
- class OpenIDConnect # rubocop:disable Metrics/ClassLength
+ class Tara # rubocop:disable Metrics/ClassLength
 include OmniAuth::Strategy
 extend Forwardable
 RESPONSE_TYPE_EXCEPTIONS = {
- 'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
- 'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
+ 'code' => { exception_class: OmniAuth::Tara::MissingCodeError,
+ key: :missing_code }.freeze,
 }.freeze
 def_delegator :request, :params
- option :name, 'openid_connect'
+ option :name, 'tara'
 option(:client_options, identifier: nil,
 secret: nil,
 redirect_uri: nil,
 scheme: 'https',
 host: nil,
 port: 443,
- authorization_endpoint: '/authorize',
- token_endpoint: '/token',
- userinfo_endpoint: '/userinfo',
- jwks_uri: '/jwk',
+ authorization_endpoint: '/oidc/authorize',
+ token_endpoint: '/oidc/token',
+ userinfo_endpoint: '/oidc/profile',
+ jwks_uri: '/oidc/jwks',
 end_session_endpoint: nil)
 option :issuer
@@ -41,7 +41,7 @@ class OpenIDConnect # rubocop:disable Metrics/ClassLength
 option :client_jwk_signing_key
 option :client_x509_signing_key
 option :scope, [:openid]
- option :response_type, 'code' # ['code', 'id_token']
+ option :response_type, 'code'
 option :require_state, true
 option :state
 option :response_mode # [:query, :fragment, :form_post, :web_message]
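Review bot: `option :response_type, 'code'` still accepts any value, while this commit removes the `'id_token'` entry from RESPONSE_TYPE_EXCEPTIONS and the implicit-flow branches, so a configuration that keeps `response_type: 'id_token'` no longer maps to a typed failure; the code that consumes the table (`configured_response_type` and its callers) is outside this hunk, so whether it now falls through to a nil lookup cannot be confirmed here. A comment on the option would at least record the narrowed contract: `option :response_type, 'code' # only the Authorization Code flow is supported; the implicit ('id_token') flow was removed`. Rejecting any other value when the strategy is set up would be the stronger fix, but that belongs where options are validated, which this hunk does not show.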
@@ -76,16 +76,18 @@ def uid
 info do
 {
- name: user_info.name,
+ # name: user_info.name,
 email: user_info.email,
 email_verified: user_info.email_verified,
- nickname: user_info.preferred_username,
+ # nickname: user_info.preferred_username,
 first_name: user_info.given_name,
 last_name: user_info.family_name,
- gender: user_info.gender,
- image: user_info.picture,
- phone: user_info.phone_number,
- urls: { website: user_info.website },
+ # gender: user_info.gender,
+ # image: user_info.picture,
+ phone_number: user_info.phone_number,
+ phone_verified: user_info.phone_number_verified,
+ birthdate: user_info.birthdate,
+ # urls: { website: user_info.website },
 }
 end
@@ -129,12 +131,8 @@ def callback_phase
 options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
- verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
 discover!
 client.redirect_uri = redirect_uri
-
- return id_token_callback_phase if configured_response_type == 'id_token'
-
 client.authorization_code = authorization_code
 access_token
 super
@@ -256,13 +254,9 @@ def discover!
 def user_info
 return @user_info if @user_info
- if access_token.id_token
- decoded = decode_id_token(access_token.id_token).raw_attributes
-
- @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
- else
- @user_info = access_token.userinfo!
- end
+ decoded = decode_id_token(access_token.id_token).raw_attributes
+ # @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
+ @user_info = OmniAuth::Tara::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
 end
 def access_token
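Review bot: The `info` block keeps five commented-out entries (`# name:`, `# nickname:`, `# gender:`, `# image:`, `# urls:`) instead of deleting them; dead hash entries make the block harder to scan and version control already preserves the old keys. If the aim is to record which standard claims are deliberately left out, one comment above `info do` says it better, e.g. `# name, nickname, gender, picture and website are intentionally omitted — TODO confirm TARA does not issue these claims`. The rename of `phone:` to `phone_number:` changes the `omniauth.auth` info hash that applications read, which deserves a changelog entry alongside the new `phone_verified` and `birthdate` keys.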
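Review bot: In `user_info`, `access_token.userinfo!.raw_attributes.merge(decoded)` lets the ID-token claims silently override the userinfo response, so a `sub` that differs between the two documents is never noticed; OpenID Connect Core 1.0 §5.3.2 requires the client to check that the userinfo `sub` equals the ID-token `sub` and to discard the response otherwise. The original branch merged the same way, but now that the ID token is always decoded the check is three lines: `claims = access_token.userinfo!.raw_attributes`, `raise OmniAuth::Tara::Error, 'userinfo sub does not match id_token sub' unless claims['sub'] == decoded['sub']`, `@user_info = OmniAuth::Tara::UserInfo.new claims.merge(decoded)` (both hashes are read with string keys elsewhere in this patch, e.g. `raw_attributes.dig('profile_attributes', 'given_name')`). If the rescue clauses of `callback_phase`, which are outside this hunk, do not already turn `OmniAuth::Tara::Error` into `fail!`, a `fail!` call with a descriptive symbol is the more idiomatic form for this strategy. The commented-out `# @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new …` line is dead code and should go. I am assuming the ID token's signature has been verified before this runs, since `access_token` in the next hunk now calls `verify_id_token!` unconditionally.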
@@ -276,7 +270,7 @@ def access_token
 token_request_params[:code_verifier] = params['code_verifier'] || session.delete('omniauth.pkce.verifier') if options.pkce
 @access_token = client.access_token!(token_request_params)
- verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
+ verify_id_token!(@access_token.id_token)
 @access_token
 end
@@ -487,4 +481,4 @@ def message
 end
 end
-OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'
+OmniAuth.config.add_camelization 'tara', 'Tara'
diff --git a/lib/omniauth/tara.rb b/lib/omniauth/tara.rb
new file mode 100644
index 00000000..91107560
--- /dev/null
+++ b/lib/omniauth/tara.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require 'omniauth/tara/errors'
+require 'omniauth/tara/version'
+require 'omniauth/tara/user_info'
+require 'omniauth/strategies/tara'
diff --git a/lib/omniauth/openid_connect/errors.rb b/lib/omniauth/tara/errors.rb
similarity index 88%
rename from lib/omniauth/openid_connect/errors.rb
rename to lib/omniauth/tara/errors.rb
index 37c9da1c..0b076b9d 100644
--- a/lib/omniauth/openid_connect/errors.rb
+++ b/lib/omniauth/tara/errors.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module OmniAuth
- module OpenIDConnect
+ module Tara
 class Error < RuntimeError; end
 class MissingCodeError < Error; end
diff --git a/lib/omniauth/tara/user_info.rb b/lib/omniauth/tara/user_info.rb
new file mode 100644
index 00000000..383681ea
--- /dev/null
+++ b/lib/omniauth/tara/user_info.rb
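Review bot: `verify_id_token!(@access_token.id_token)` is now the only place the ID token is validated, yet the tests that covered its failure modes — `test_callback_phase_with_mismatched_signing_algorithm`, `test_callback_phase_with_id_token_no_matching_key` and `test_callback_phase_with_id_token_with_kid_and_no_matching_kid` in tara_test.rb — are deleted later in this patch instead of being rewritten for the code flow, so a regression in algorithm or key selection on this path would not be caught. They can be ported by stubbing the access-token object with a bad `id_token`, as the deleted `test_callback_phase_with_id_token` did, and keeping the `fail!(:invalid_jwt_algorithm, …)` and `JSON::JWK::Set::KidNotFound` expectations. `verify_id_token!` itself and the start of `access_token` are outside this hunk, so I am assuming a token response without an `id_token` is rejected there rather than passed on as nil.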
@@ -0,0 +1,46 @@
+require 'openid_connect'
+
+module OmniAuth
+ module Tara
+ class UserInfo < OpenIDConnect::ConnectObject
+ attr_optional(
+ :sub,
+ :name,
+ :nickname,
+ :preferred_username,
+ :profile,
+ :locale,
+ :email,
+ :email_verified,
+ :phone_number,
+ :phone_number_verified,
+ :profile_attributes,
+ )
+ alias subject sub
+ alias subject= sub=
+
+ validates :email_verified, :phone_number_verified, allow_nil: true, inclusion: { in: [true, false] }
+ validates :email, allow_nil: true, email: true
+ validate :require_at_least_one_attributes
+
+ def initialize(attributes = {})
+ super
+ (all_attributes - %i[email_verified phone_number_verified profile_attributes]).each do |key|
+ send "#{key}=", send(key).try(:to_s)
+ end
+ end
+
+ def given_name
+ raw_attributes.dig('profile_attributes', 'given_name')
+ end
+
+ def family_name
+ raw_attributes.dig('profile_attributes', 'family_name')
+ end
+
+ def birthdate
+ raw_attributes.dig('profile_attributes', 'date_of_birth')
+ end
+ end
+ end
+end
diff --git a/lib/omniauth/openid_connect/version.rb b/lib/omniauth/tara/version.rb
similarity index 77%
rename from lib/omniauth/openid_connect/version.rb
rename to lib/omniauth/tara/version.rb
index 78efcf6c..ee7187bf 100644
--- a/lib/omniauth/openid_connect/version.rb
+++ b/lib/omniauth/tara/version.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 module OmniAuth
- module OpenIDConnect
+ module Tara
 VERSION = '0.7.1'
 end
 end
diff --git a/lib/omniauth_openid_connect.rb b/lib/omniauth_openid_connect.rb
deleted file mode 100644
index e04c2d37..00000000
--- a/lib/omniauth_openid_connect.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-# frozen_string_literal: true
-
-require 'omniauth/openid_connect'
diff --git a/lib/omniauth_tara.rb b/lib/omniauth_tara.rb
new file mode 100644
index 00000000..882c0a85
--- /dev/null
+++ b/lib/omniauth_tara.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/tara'
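Review bot: `lib/omniauth/tara/user_info.rb` is the only new Ruby file in this patch that lacks `# frozen_string_literal: true` (lib/omniauth/tara.rb and lib/omniauth_tara.rb both start with it), and the class carries no documentation of its TARA-specific shape. `send(key).try(:to_s)` in `initialize` depends on ActiveSupport's `Object#try`; if that is only loaded transitively through `openid_connect`, the core-Ruby `send(key)&.to_s` is equivalent here (every non-nil value responds to `to_s`) and removes the dependency. A class comment would help the next reader, e.g. `# Claims merged from TARA's userinfo response and ID token. Name and date of birth are not top-level claims but nested under 'profile_attributes', which the given_name/family_name/birthdate readers unwrap.` A one-line comment on the `:profile_attributes` entry of `attr_optional` explaining that it is excluded from the `to_s` coercion so the nested hash survives would make that exclusion in `initialize` self-explanatory.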
diff --git a/omniauth_openid_connect.gemspec b/omniauth_tara.gemspec
similarity index 56%
rename from omniauth_openid_connect.gemspec
rename to omniauth_tara.gemspec
index 9d2b8d2b..8fc3d54c 100644
--- a/omniauth_openid_connect.gemspec
+++ b/omniauth_tara.gemspec
@@ -2,31 +2,26 @@
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'omniauth/openid_connect/version'
+require 'omniauth/tara/version'
 Gem::Specification.new do |spec|
- spec.name = 'omniauth_openid_connect'
- spec.version = OmniAuth::OpenIDConnect::VERSION
- spec.authors = ['John Bohn', 'Ilya Shcherbinin']
- spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com']
- spec.summary = 'OpenID Connect Strategy for OmniAuth'
- spec.description = 'OpenID Connect Strategy for OmniAuth.'
- spec.homepage = 'https://github.com/m0n9oose/omniauth_openid_connect'
- spec.license = 'MIT'
+ spec.required_ruby_version = '>= 2.7'
+ spec.name = 'omniauth-tara'
+ spec.version = OmniAuth::Tara::VERSION
+ spec.authors = ['John Bohn', 'Ilya Shcherbinin', 'Artur Beljajev', 'Maciej Szlosarczyk',
+ 'Sergei Tsõganov']
+ spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com', 'artur.beljajev@internet.ee', 'maciej.szlosarczyk@eestiinternet.ee',
+ 'sergei.tsoganov@internet.ee']
+ spec.summary = 'TARA-Doku (https://github.com/e-gov/TARA-Doku) strategy for OmniAuth'
+ spec.description = 'TARA-Doku (https://github.com/e-gov/TARA-Doku) strategy for OmniAuth'
+ spec.homepage = 'https://github.com/internetee/omniauth-tara'
+ spec.license = 'MIT/X11'
 spec.files = `git ls-files -z`.split("\x0")
 spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
 spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 spec.require_paths = ['lib']
- spec.metadata = {
- 'bug_tracker_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/issues',
- 'changelog_uri' => 'https://github.com/m0n9oose/omniauth_openid_connect/releases',
- 'documentation_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}#readme",
- 'source_code_uri' => "https://github.com/m0n9oose/omniauth_openid_connect/tree/v#{spec.version}",
- 'rubygems_mfa_required' => 'true',
- }
-
 spec.add_dependency 'omniauth', '>= 1.9', '< 3'
spec.add_dependency 'openid_connect', '~> 2.2'
 spec.add_development_dependency 'faker', '~> 2.0'
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/tara_test.rb
similarity index 69%
rename from test/lib/omniauth/strategies/openid_connect_test.rb
rename to test/lib/omniauth/strategies/tara_test.rb
index 031e1e3c..8e05f891 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/tara_test.rb
@@ -4,16 +4,16 @@
 module OmniAuth
 module Strategies
- class OpenIDConnectTest < StrategyTestCase # rubocop:disable Metrics/ClassLength
+ class TaraTest < StrategyTestCase # rubocop:disable Metrics/ClassLength
 def test_client_options_defaults
 assert_equal 'https', strategy.options.client_options.scheme
 assert_equal 443, strategy.options.client_options.port
- assert_equal '/authorize', strategy.options.client_options.authorization_endpoint
- assert_equal '/token', strategy.options.client_options.token_endpoint
+ assert_equal '/oidc/authorize', strategy.options.client_options.authorization_endpoint
+ assert_equal '/oidc/token', strategy.options.client_options.token_endpoint
 end
 def test_request_phase
- expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$}
+ expected_redirect = %r{^https://example\.com/oidc/authorize\?client_id=1234&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}$}
 strategy.options.issuer = 'example.com'
 strategy.options.client_options.host = 'example.com'
 strategy.expects(:redirect).with(regexp_matches(expected_redirect))
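Review bot: The gemspec hunk drops `spec.metadata` entirely, and with it `'rubygems_mfa_required' => 'true'`, so the renamed gem can be pushed to rubygems.org from an account without multi-factor authentication, which weakens the publishing chain of a library that handles login tokens. The old URIs pointed at the previous repository, so the block should be replaced rather than deleted; the remaining keys can be derived from `spec.homepage`, which this hunk already sets. `spec.license = 'MIT/X11'` is also not an SPDX identifier (`gem build` warns on unrecognised values); `MIT` and `X11` are, and the non-endorsement paragraph added to LICENSE.txt in this patch is the X11 wording, so one of those should be chosen. This hunk starts on the previous line and its trailing context is the two dependency lines above.
```ruby
  spec.require_paths = ['lib']

  spec.metadata = {
    'homepage_uri' => spec.homepage,
    'source_code_uri' => spec.homepage,
    'rubygems_mfa_required' => 'true',
  }

  # … unchanged: add_dependency / add_development_dependency lines …
```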
@@ -37,8 +37,8 @@ def test_logout_phase_with_discovery
 config.stubs(:end_session_endpoint).returns('https://example.com/logout')
 ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
- request.stubs(:path_info).returns('/auth/openid_connect/logout')
- request.stubs(:path).returns('/auth/openid_connect/logout')
+ request.stubs(:path_info).returns('/auth/tara/logout')
+ request.stubs(:path).returns('/auth/tara/logout')
 strategy.expects(:redirect).with(regexp_matches(expected_redirect))
 strategy.other_phase
@@ -62,8 +62,8 @@ def test_logout_phase_with_discovery_and_post_logout_redirect_uri
 config.stubs(:end_session_endpoint).returns('https://example.com/logout')
 ::OpenIDConnect::Discovery::Provider::Config.stubs(:discover!).with('https://example.com/').returns(config)
- request.stubs(:path_info).returns('/auth/openid_connect/logout')
- request.stubs(:path).returns('/auth/openid_connect/logout')
+ request.stubs(:path_info).returns('/auth/tara/logout')
+ request.stubs(:path).returns('/auth/tara/logout')
 strategy.expects(:redirect).with(expected_redirect)
 strategy.other_phase
@@ -91,7 +91,7 @@ def test_logout_phase
 end
 def test_request_phase_with_params
- expected_redirect = %r{^https://example\.com/authorize\?claims_locales=es&client_id=1234&login_hint=john.doe%40example.com&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}&ui_locales=en$}
+ expected_redirect = %r{^https://example\.com/oidc/authorize\?claims_locales=es&client_id=1234&login_hint=john.doe%40example.com&nonce=\w{32}&response_type=code&scope=openid&state=\w{32}&ui_locales=en$}
 strategy.options.issuer = 'example.com'
 strategy.options.client_options.host = 'example.com'
 request.stubs(:params).returns('login_hint' => 'john.doe@example.com', 'ui_locales' => 'en', 'claims_locales' => 'es')
@@ -128,10 +128,10 @@ def test_request_phase_with_discovery
 end
 def test_request_phase_with_response_mode
- expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$}
+ expected_redirect = %r{^https://example\.com/oidc/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=code&scope=openid&state=\w{32}$}
 strategy.options.issuer = 'example.com'
 strategy.options.response_mode = 'form_post'
- strategy.options.response_type = 'id_token'
+ strategy.options.response_type = 'code'
 strategy.options.client_options.host = 'example.com'
 strategy.expects(:redirect).with(regexp_matches(expected_redirect))
@@ -139,10 +139,10 @@ def test_request_phase_with_response_mode
 end
 def test_request_phase_with_response_mode_symbol
- expected_redirect = %r{^https://example\.com/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=id_token&scope=openid&state=\w{32}$}
+ expected_redirect = %r{^https://example\.com/oidc/authorize\?client_id=1234&nonce=\w{32}&response_mode=form_post&response_type=code&scope=openid&state=\w{32}$}
 strategy.options.issuer = 'example.com'
 strategy.options.response_mode = 'form_post'
- strategy.options.response_type = :id_token
+ strategy.options.response_type = :code
 strategy.options.client_options.host = 'example.com'
 strategy.expects(:redirect).with(regexp_matches(expected_redirect))
@@ -220,34 +220,6 @@ def test_callback_phase(_session = {}, _params = {}) # rubocop:disable Metrics/A strategy.callback_phase end - def test_callback_phase_with_id_token - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => jwt.to_s, 'state' => state) - request.stubs(:path).returns('') - - strategy.options.issuer = 'example.com' - strategy.options.client_signing_alg = :RS256 - strategy.options.client_jwk_signing_key = jwks.to_json - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - access_token = stub('OpenIDConnect::AccessToken') - access_token.stubs(:access_token) - access_token.stubs(:refresh_token) - access_token.stubs(:expires_in) - access_token.stubs(:scope) - access_token.stubs(:id_token).returns(jwt.to_s) - - id_token = stub('OpenIDConnect::ResponseObject::IdToken') - id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email') - id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true) - ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token) - id_token.expects(:verify!) - - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - strategy.callback_phase - end - def test_callback_phase_with_id_token_and_param_provided_nonce # rubocop:disable Metrics/AbcSize code = SecureRandom.hex(16) state = SecureRandom.hex(16) 
@@ -280,138 +252,6 @@ def test_callback_phase_with_id_token_and_param_provided_nonce # rubocop:disable strategy.callback_phase end - def test_callback_phase_with_id_token_no_kid - other_rsa_private = OpenSSL::PKey::RSA.generate(2048) - - key = JSON::JWK.new(private_key) - other_key = JSON::JWK.new(other_rsa_private) - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => jwt.to_s, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_signing_alg = :RS256 - strategy.options.client_jwk_signing_key = { 'keys' => [other_key, key] }.to_json - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - strategy.callback_phase - end - - def test_callback_phase_with_id_token_with_kid - other_rsa_private = OpenSSL::PKey::RSA.generate(2048) - - key = JSON::JWK.new(private_key) - other_key = JSON::JWK.new(other_rsa_private) - state = SecureRandom.hex(16) - jwt_with_kid = JSON::JWT.new(payload).sign(key, :RS256) - request.stubs(:params).returns('id_token' => jwt_with_kid.to_s, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_signing_alg = :RS256 - strategy.options.client_jwk_signing_key = { 'keys' => [other_key, key] }.to_json - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - strategy.callback_phase - end - - def test_callback_phase_with_id_token_with_kid_and_no_matching_kid - other_rsa_private = OpenSSL::PKey::RSA.generate(2048) - - key = JSON::JWK.new(private_key) - other_key = JSON::JWK.new(other_rsa_private) - state = SecureRandom.hex(16) - jwt_with_kid = JSON::JWT.new(payload).sign(key, :RS256) - request.stubs(:params).returns('id_token' => jwt_with_kid.to_s, 'state' => state) - 
request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_signing_alg = :RS256 - # We use private_key here instead of the wrapped key, which contains a kid - strategy.options.client_jwk_signing_key = { 'keys' => [other_key, private_key] }.to_json - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - - assert_raises JSON::JWK::Set::KidNotFound do - strategy.callback_phase - end - end - - def test_callback_phase_with_id_token_with_hs256 - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_options.secret = hmac_secret - strategy.options.client_signing_alg = :HS256 - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - strategy.callback_phase - end - - def test_callback_phase_with_hs256_base64_jwt_secret - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => jwt_with_hs256.to_s, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.jwt_secret_base64 = Base64.encode64(hmac_secret) - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - strategy.callback_phase - end - - def test_callback_phase_with_mismatched_signing_algorithm - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => jwt_with_hs512.to_s, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_options.secret = hmac_secret - strategy.options.client_signing_alg = :HS256 - 
strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - - strategy.expects(:fail!).with(:invalid_jwt_algorithm, is_a(OmniAuth::Strategies::OpenIDConnect::CallbackError)) - strategy.callback_phase - end - - def test_callback_phase_with_id_token_no_matching_key - rsa_private = OpenSSL::PKey::RSA.generate(2048) - other_rsa_private = OpenSSL::PKey::RSA.generate(2048) - - other_key = JSON::JWK.new(other_rsa_private) - token = JSON::JWT.new(payload).sign(rsa_private, :RS256).to_s - state = SecureRandom.hex(16) - request.stubs(:params).returns('id_token' => token, 'state' => state) - request.stubs(:path_info).returns('') - - strategy.options.issuer = issuer - strategy.options.client_signing_alg = :RS256 - strategy.options.client_jwk_signing_key = { 'keys' => [other_key] }.to_json - strategy.options.response_type = 'id_token' - - strategy.unstub(:user_info) - strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce }) - - assert_raises JSON::JWK::Set::KidNotFound do - strategy.callback_phase - end - end - def test_callback_phase_with_discovery # rubocop:disable Metrics/AbcSize state = SecureRandom.hex(16) 
@@ -510,39 +350,6 @@ def test_callback_phase_with_invalid_state_without_state_verification
 strategy.callback_phase
 end
- def test_callback_phase_with_jwks_uri
- id_token = jwt.to_s
- state = SecureRandom.hex(16)
- request.stubs(:params).returns('id_token' => id_token, 'state' => state)
- request.stubs(:path_info).returns('')
-
- strategy.options.issuer = 'example.com'
- strategy.options.client_options.jwks_uri = 'https://jwks.example.com'
- strategy.options.response_type = 'id_token'
-
- stub_request(:get, strategy.options.client_options.jwks_uri).to_return(
- body: jwks.to_json,
- headers: { 'Content-Type' => 'application/json' }
- )
-
- strategy.unstub(:user_info)
- access_token = stub('OpenIDConnect::AccessToken')
- access_token.stubs(:access_token)
- access_token.stubs(:refresh_token)
- access_token.stubs(:expires_in)
- access_token.stubs(:scope)
- access_token.stubs(:id_token).returns(id_token)
-
- id_token = stub('OpenIDConnect::ResponseObject::IdToken')
- id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
- id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
- ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
- id_token.expects(:verify!)
-
- strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
- strategy.callback_phase
- end
-
 def test_callback_phase_with_error
 state = SecureRandom.hex(16)
 request.stubs(:params).returns('error' => 'invalid_request')
@@ -571,31 +378,7 @@ def test_callback_phase_without_code
 strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
- strategy.expects(:fail!).with(:missing_code, is_a(OmniAuth::OpenIDConnect::MissingCodeError))
- strategy.callback_phase
- end
-
- def test_callback_phase_without_id_token
- state = SecureRandom.hex(16)
- request.stubs(:params).returns('state' => state)
- request.stubs(:path).returns('')
- strategy.options.response_type = 'id_token'
-
- strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
-
- strategy.expects(:fail!).with(:missing_id_token, is_a(OmniAuth::OpenIDConnect::MissingIdTokenError))
- strategy.callback_phase
- end
-
- def test_callback_phase_without_id_token_symbol
- state = SecureRandom.hex(16)
- request.stubs(:params).returns('state' => state)
- request.stubs(:path).returns('')
- strategy.options.response_type = :id_token
-
- strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
-
- strategy.expects(:fail!).with(:missing_id_token, is_a(OmniAuth::OpenIDConnect::MissingIdTokenError))
+ strategy.expects(:fail!).with(:missing_code, is_a(OmniAuth::Tara::MissingCodeError))
 strategy.callback_phase
 end
@@ -677,16 +460,11 @@ def test_callback_phase_with_rack_oauth2_client_error
 def test_info
 info = strategy.info
- assert_equal user_info.name, info[:name]
 assert_equal user_info.email, info[:email]
 assert_equal user_info.email_verified, info[:email_verified]
- assert_equal user_info.preferred_username, info[:nickname]
 assert_equal user_info.given_name, info[:first_name]
 assert_equal user_info.family_name, info[:last_name]
- assert_equal user_info.gender, info[:gender]
- assert_equal user_info.picture, info[:image]
- assert_equal user_info.phone_number, info[:phone]
- assert_equal({ website: user_info.website }, info[:urls])
+ assert_equal user_info.phone_number, info[:phone_number]
 end
 def test_extra
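Review bot: The two `test_callback_phase_without_id_token*` cases removed in this hunk, together with the id_token signature, kid and algorithm-mismatch cases removed in the preceding hunk, leave the `response_type = 'id_token'` path with no failure-mode coverage at all, while the surviving assertion is only renamed to `OmniAuth::Tara::MissingCodeError`. If `OmniAuth::Strategies::Tara` (a 91% rename of the OpenIDConnect strategy according to the diffstat) still accepts an implicit-flow `id_token` and still verifies it, these cases should be ported rather than dropped, at minimum a restored `test_callback_phase_without_id_token` asserting `strategy.expects(:fail!).with(:missing_id_token, is_a(<the Tara-namespaced MissingIdTokenError, if errors.rb kept it>))`; if that flow was removed from the strategy, the matching error class and branch should be removed too. The enclosing test class continues outside the hunk.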
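Review bot: `test_info` keeps asserting `user_info.given_name` and `user_info.family_name`, but the fixture in test/strategy_test_case.rb (same patch) now nests those two under `profile_attributes:`, and the `UserInfo` attribute list partly visible in patch 18 shows `:profile_attributes` with no `given_name` accessor in view; unless `OmniAuth::Tara::UserInfo` delegates them, these two lines raise NoMethodError instead of testing the mapping. The new `phone_number_verified` and `date_of_birth` fixture values are never asserted, so the TARA-specific part of the mapping is exactly the part without coverage; something like `assert_equal user_info.phone_number_verified, info[:phone_number_verified]` (using whatever key the strategy emits) would close that gap. Renaming the key from `info[:phone]` to `info[:phone_number]` also departs from the OmniAuth Auth Hash schema, which names this field `phone`, so consumers written against the schema will not find it.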
@@ -846,32 +624,6 @@ def test_public_key_with_hmac
 assert_equal strategy.options.client_options.secret, strategy.secret
 end
- def test_id_token_auth_hash
- state = SecureRandom.hex(16)
- strategy.options.response_type = 'id_token'
- strategy.options.issuer = 'example.com'
-
- id_token = stub('OpenIDConnect::ResponseObject::IdToken')
- id_token.stubs(:verify!).returns(true)
- id_token.stubs(:raw_attributes, :to_h).returns(payload)
-
- request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)
- request.stubs(:path).returns('')
-
- strategy.stubs(:decode_id_token).returns(id_token)
- strategy.stubs(:stored_state).returns(state)
-
- strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
- strategy.callback_phase
-
- auth_hash = strategy.send(:env)['omniauth.auth']
- assert auth_hash.key?('provider')
- assert auth_hash.key?('uid')
- assert auth_hash.key?('info')
- assert auth_hash.key?('extra')
- assert auth_hash['extra'].key?('raw_info')
- end
-
 def test_option_pkce
 strategy.options.client_options[:host] = 'example.com'
diff --git a/test/strategy_test_case.rb b/test/strategy_test_case.rb
index 1492d02b..773a24f5 100644
--- a/test/strategy_test_case.rb
+++ b/test/strategy_test_case.rb
@@ -58,19 +58,20 @@ def jwks
 end
 def user_info
- @user_info ||= OpenIDConnect::ResponseObject::UserInfo.new(
+ @user_info ||= OmniAuth::Tara::UserInfo.new(
 sub: SecureRandom.hex(16),
 name: Faker::Name.name,
 email: Faker::Internet.email,
 email_verified: Faker::Boolean.boolean,
- nickname: Faker::Name.first_name,
 preferred_username: Faker::Internet.user_name,
- given_name: Faker::Name.first_name,
- family_name: Faker::Name.last_name,
- gender: 'female',
- picture: "#{Faker::Internet.url}.png",
+ nickname: Faker::Name.first_name,
+ profile_attributes: {
+ given_name: Faker::Name.first_name,
+ family_name: Faker::Name.last_name,
+ date_of_birth: '1903-03-03',
+ },
 phone_number: Faker::PhoneNumber.phone_number,
- website: Faker::Internet.url
+ phone_number_verified: Faker::Boolean.boolean
 )
 end
@@ -86,7 +87,7 @@ def request
 end
 def strategy
- @strategy ||= OmniAuth::Strategies::OpenIDConnect.new(DummyApp.new).tap do |strategy|
+ @strategy ||= OmniAuth::Strategies::Tara.new(DummyApp.new).tap do |strategy|
 strategy.options.client_options.identifier = @identifier
 strategy.options.client_options.secret = @secret
 strategy.stubs(:request).returns(request)
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 9bf7ba94..fb57378b 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -22,6 +22,6 @@ lib = File.expand_path('../lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'omniauth_openid_connect'
+require 'omniauth_tara'
 require_relative 'strategy_test_case'
 OmniAuth.config.test_mode = true
From b254c38ff3d3942f3ca876e6a1a0cd6d317a2af1 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:00:10 +0300
Subject: [PATCH 02/18] Updated .gitignore
---
 .gitignore | 1 -
 Gemfile.lock | 210 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 210 insertions(+), 1 deletion(-)
 create mode 100644 Gemfile.lock
diff --git a/.gitignore b/.gitignore
index a93278e8..d654a4bd 100644
--- a/.gitignore
+++ b/.gitignore
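Review bot: `date_of_birth: '1903-03-03'` is the only fixed literal in a fixture that otherwise draws every value from Faker, and nothing visible says why a date that far back was chosen; either `Faker::Date.birthday.to_s` for consistency, or a one-line comment such as `# fixed so any date-dependent assertion stays deterministic`, would make the intent clear to the next reader. The fixture also still passes `name:`, `preferred_username:` and `nickname:`, which are generic OpenID Connect UserInfo claims; the `OmniAuth::Tara::UserInfo` attribute list partly visible in patch 18 does not show them, so whether `ConnectObject` accepts them silently or raises on construction cannot be confirmed from here and is worth checking against lib/omniauth/tara/user_info.rb.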
@@ -17,4 +17,3 @@ test/version_tmp
 tmp
 .ruby-version
 .ruby-gemset
-Gemfile.lock
diff --git a/Gemfile.lock b/Gemfile.lock
new file mode 100644
index 00000000..222b872e
--- /dev/null
+++ b/Gemfile.lock
@@ -0,0 +1,210 @@ +PATH + remote: . + specs: + omniauth_openid_connect (0.7.1) + omniauth (>= 1.9, < 3) + openid_connect (~> 2.2) + +GEM + remote: https://rubygems.org/ + specs: + activemodel (7.0.7) + activesupport (= 7.0.7) + activesupport (7.0.7) + concurrent-ruby (~> 1.0, >= 1.0.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + addressable (2.8.5) + public_suffix (>= 2.0.2, < 6.0) + aes_key_wrap (1.1.0) + ast (2.4.2) + attr_required (1.0.1) + base64 (0.1.1) + bindata (2.4.15) + coderay (1.1.3) + concurrent-ruby (1.2.2) + crack (0.4.5) + rexml + date (3.3.3) + docile (1.4.0) + faker (2.23.0) + i18n (>= 1.8.11, < 2) + faraday (2.7.10) + faraday-net_http (>= 2.0, < 3.1) + ruby2_keywords (>= 0.0.4) + faraday-follow_redirects (0.3.0) + faraday (>= 1, < 3) + faraday-net_http (3.0.2) + ffi (1.15.5) + formatador (1.1.0) + guard (2.18.0) + formatador (>= 0.2.4) + listen (>= 2.7, < 4.0) + lumberjack (>= 1.0.12, < 2.0) + nenv (~> 0.1) + notiffany (~> 0.0) + pry (>= 0.13.0) + shellany (~> 0.0) + thor (>= 0.18.1) + guard-bundler (2.2.1) + bundler (>= 1.3.0, < 3) + guard (~> 2.2) + guard-compat (~> 1.1) + guard-compat (1.2.1) + guard-minitest (2.4.6) + guard-compat (~> 1.2) + minitest (>= 3.0) + hashdiff (1.0.1) + hashie (5.0.0) + i18n (1.14.1) + concurrent-ruby (~> 1.0) + json (2.6.3) + json-jwt (1.16.3) + activesupport (>= 4.2) + aes_key_wrap + bindata + faraday (~> 2.0) + faraday-follow_redirects + language_server-protocol (3.17.0.3) + listen (3.8.0) + rb-fsevent (~> 0.10, >= 0.10.3) + rb-inotify (~> 0.9, >= 0.9.10) + lumberjack (1.2.9) + mail (2.8.1) + mini_mime (>= 0.1.1) + net-imap + net-pop + net-smtp + method_source (1.0.0) + mini_mime (1.1.5) + minitest (5.19.0) + mocha (1.16.1) + nenv (0.3.0) + net-imap (0.3.7) + date + net-protocol + net-pop (0.1.2) + net-protocol + net-protocol (0.2.1) + timeout + net-smtp (0.3.3) + net-protocol + notiffany (0.1.3) + nenv (~> 0.1) + shellany (~> 0.0) + omniauth (2.1.1) + hashie (>= 3.4.6) + rack (>= 2.2.3) + 
rack-protection + openid_connect (2.2.0) + activemodel + attr_required (>= 1.0.0) + faraday (~> 2.0) + faraday-follow_redirects + json-jwt (>= 1.16) + net-smtp + rack-oauth2 (~> 2.2) + swd (~> 2.0) + tzinfo + validate_email + validate_url + webfinger (~> 2.0) + parallel (1.23.0) + parser (3.2.2.3) + ast (~> 2.4.1) + racc + pry (0.14.2) + coderay (~> 1.1) + method_source (~> 1.0) + public_suffix (5.0.3) + racc (1.7.1) + rack (3.0.8) + rack-oauth2 (2.2.0) + activesupport + attr_required + faraday (~> 2.0) + faraday-follow_redirects + json-jwt (>= 1.11.0) + rack (>= 2.1.0) + rack-protection (3.0.6) + rack + rainbow (3.1.1) + rake (12.3.3) + rb-fsevent (0.11.2) + rb-inotify (0.10.1) + ffi (~> 1.0) + regexp_parser (2.8.1) + rexml (3.2.6) + rubocop (1.56.0) + base64 (~> 0.1.1) + json (~> 2.3) + language_server-protocol (>= 3.17.0) + parallel (~> 1.10) + parser (>= 3.2.2.3) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 3.0) + rexml (>= 3.2.5, < 4.0) + rubocop-ast (>= 1.28.1, < 2.0) + ruby-progressbar (~> 1.7) + unicode-display_width (>= 2.4.0, < 3.0) + rubocop-ast (1.29.0) + parser (>= 3.2.1.0) + ruby-progressbar (1.13.0) + ruby2_keywords (0.0.5) + shellany (0.0.1) + simplecov (0.22.0) + docile (~> 1.1) + simplecov-html (~> 0.11) + simplecov_json_formatter (~> 0.1) + simplecov-html (0.12.3) + simplecov-lcov (0.8.0) + simplecov_json_formatter (0.1.4) + swd (2.0.2) + activesupport (>= 3) + attr_required (>= 0.0.5) + faraday (~> 2.0) + faraday-follow_redirects + thor (1.2.2) + timeout (0.4.0) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + unicode-display_width (2.4.2) + validate_email (0.1.6) + activemodel (>= 3.0) + mail (>= 2.2.5) + validate_url (1.0.15) + activemodel (>= 3.0.0) + public_suffix + webfinger (2.1.2) + activesupport + faraday (~> 2.0) + faraday-follow_redirects + webmock (3.18.1) + addressable (>= 2.8.0) + crack (>= 0.3.2) + hashdiff (>= 0.4.0, < 2.0.0) + +PLATFORMS + arm64-darwin-22 + x86_64-linux + +DEPENDENCIES + faker (~> 2.0) + guard (~> 2.14) + 
guard-bundler (~> 2.2) + guard-minitest (~> 2.4) + minitest (~> 5.1) + mocha (~> 1.7) + net-imap + net-pop + net-smtp + omniauth_openid_connect! + rake (~> 12.0) + rubocop (~> 1.12) + simplecov (~> 0.21) + simplecov-lcov (~> 0.8) + webmock (~> 3.18) + +BUNDLED WITH + 2.3.26 From d6ba9523ac97582238270c2dd5fa006928642451 Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Tue, 15 Aug 2023 12:06:50 +0300 Subject: [PATCH 03/18] Updated Gemfile.lock --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 222b872e..4a3f4ee3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - omniauth_openid_connect (0.7.1) + omniauth-tara (0.7.1) omniauth (>= 1.9, < 3) openid_connect (~> 2.2) @@ -199,7 +199,7 @@ DEPENDENCIES net-imap net-pop net-smtp - omniauth_openid_connect! + omniauth-tara! rake (~> 12.0) rubocop (~> 1.12) simplecov (~> 0.21) From d971e16d7b9d37f7e04f0d858089a249ef50fc07 Mon Sep 17 00:00:00 2001 From: Sergei Tsoganov Date: Tue, 15 Aug 2023 12:21:04 +0300 Subject: [PATCH 04/18] Updated .gitignore --- .gitignore | 1 + Gemfile.lock | 210 --------------------------------------------------- 2 files changed, 1 insertion(+), 210 deletions(-) delete mode 100644 Gemfile.lock diff --git a/.gitignore b/.gitignore index d654a4bd..a93278e8 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ test/version_tmp tmp .ruby-version .ruby-gemset +Gemfile.lock diff --git a/Gemfile.lock b/Gemfile.lock deleted file mode 100644 index 4a3f4ee3..00000000 --- a/Gemfile.lock +++ /dev/null 
@@ -1,210 +0,0 @@ -PATH - remote: . - specs: - omniauth-tara (0.7.1) - omniauth (>= 1.9, < 3) - openid_connect (~> 2.2) - -GEM - remote: https://rubygems.org/ - specs: - activemodel (7.0.7) - activesupport (= 7.0.7) - activesupport (7.0.7) - concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 1.6, < 2) - minitest (>= 5.1) - tzinfo (~> 2.0) - addressable (2.8.5) - public_suffix (>= 2.0.2, < 6.0) - aes_key_wrap (1.1.0) - ast (2.4.2) - attr_required (1.0.1) - base64 (0.1.1) - bindata (2.4.15) - coderay (1.1.3) - concurrent-ruby (1.2.2) - crack (0.4.5) - rexml - date (3.3.3) - docile (1.4.0) - faker (2.23.0) - i18n (>= 1.8.11, < 2) - faraday (2.7.10) - faraday-net_http (>= 2.0, < 3.1) - ruby2_keywords (>= 0.0.4) - faraday-follow_redirects (0.3.0) - faraday (>= 1, < 3) - faraday-net_http (3.0.2) - ffi (1.15.5) - formatador (1.1.0) - guard (2.18.0) - formatador (>= 0.2.4) - listen (>= 2.7, < 4.0) - lumberjack (>= 1.0.12, < 2.0) - nenv (~> 0.1) - notiffany (~> 0.0) - pry (>= 0.13.0) - shellany (~> 0.0) - thor (>= 0.18.1) - guard-bundler (2.2.1) - bundler (>= 1.3.0, < 3) - guard (~> 2.2) - guard-compat (~> 1.1) - guard-compat (1.2.1) - guard-minitest (2.4.6) - guard-compat (~> 1.2) - minitest (>= 3.0) - hashdiff (1.0.1) - hashie (5.0.0) - i18n (1.14.1) - concurrent-ruby (~> 1.0) - json (2.6.3) - json-jwt (1.16.3) - activesupport (>= 4.2) - aes_key_wrap - bindata - faraday (~> 2.0) - faraday-follow_redirects - language_server-protocol (3.17.0.3) - listen (3.8.0) - rb-fsevent (~> 0.10, >= 0.10.3) - rb-inotify (~> 0.9, >= 0.9.10) - lumberjack (1.2.9) - mail (2.8.1) - mini_mime (>= 0.1.1) - net-imap - net-pop - net-smtp - method_source (1.0.0) - mini_mime (1.1.5) - minitest (5.19.0) - mocha (1.16.1) - nenv (0.3.0) - net-imap (0.3.7) - date - net-protocol - net-pop (0.1.2) - net-protocol - net-protocol (0.2.1) - timeout - net-smtp (0.3.3) - net-protocol - notiffany (0.1.3) - nenv (~> 0.1) - shellany (~> 0.0) - omniauth (2.1.1) - hashie (>= 3.4.6) - rack (>= 2.2.3) - rack-protection - 
openid_connect (2.2.0) - activemodel - attr_required (>= 1.0.0) - faraday (~> 2.0) - faraday-follow_redirects - json-jwt (>= 1.16) - net-smtp - rack-oauth2 (~> 2.2) - swd (~> 2.0) - tzinfo - validate_email - validate_url - webfinger (~> 2.0) - parallel (1.23.0) - parser (3.2.2.3) - ast (~> 2.4.1) - racc - pry (0.14.2) - coderay (~> 1.1) - method_source (~> 1.0) - public_suffix (5.0.3) - racc (1.7.1) - rack (3.0.8) - rack-oauth2 (2.2.0) - activesupport - attr_required - faraday (~> 2.0) - faraday-follow_redirects - json-jwt (>= 1.11.0) - rack (>= 2.1.0) - rack-protection (3.0.6) - rack - rainbow (3.1.1) - rake (12.3.3) - rb-fsevent (0.11.2) - rb-inotify (0.10.1) - ffi (~> 1.0) - regexp_parser (2.8.1) - rexml (3.2.6) - rubocop (1.56.0) - base64 (~> 0.1.1) - json (~> 2.3) - language_server-protocol (>= 3.17.0) - parallel (~> 1.10) - parser (>= 3.2.2.3) - rainbow (>= 2.2.2, < 4.0) - regexp_parser (>= 1.8, < 3.0) - rexml (>= 3.2.5, < 4.0) - rubocop-ast (>= 1.28.1, < 2.0) - ruby-progressbar (~> 1.7) - unicode-display_width (>= 2.4.0, < 3.0) - rubocop-ast (1.29.0) - parser (>= 3.2.1.0) - ruby-progressbar (1.13.0) - ruby2_keywords (0.0.5) - shellany (0.0.1) - simplecov (0.22.0) - docile (~> 1.1) - simplecov-html (~> 0.11) - simplecov_json_formatter (~> 0.1) - simplecov-html (0.12.3) - simplecov-lcov (0.8.0) - simplecov_json_formatter (0.1.4) - swd (2.0.2) - activesupport (>= 3) - attr_required (>= 0.0.5) - faraday (~> 2.0) - faraday-follow_redirects - thor (1.2.2) - timeout (0.4.0) - tzinfo (2.0.6) - concurrent-ruby (~> 1.0) - unicode-display_width (2.4.2) - validate_email (0.1.6) - activemodel (>= 3.0) - mail (>= 2.2.5) - validate_url (1.0.15) - activemodel (>= 3.0.0) - public_suffix - webfinger (2.1.2) - activesupport - faraday (~> 2.0) - faraday-follow_redirects - webmock (3.18.1) - addressable (>= 2.8.0) - crack (>= 0.3.2) - hashdiff (>= 0.4.0, < 2.0.0) - -PLATFORMS - arm64-darwin-22 - x86_64-linux - -DEPENDENCIES - faker (~> 2.0) - guard (~> 2.14) - guard-bundler (~> 
2.2) - guard-minitest (~> 2.4) - minitest (~> 5.1) - mocha (~> 1.7) - net-imap - net-pop - net-smtp - omniauth-tara! - rake (~> 12.0) - rubocop (~> 1.12) - simplecov (~> 0.21) - simplecov-lcov (~> 0.8) - webmock (~> 3.18) - -BUNDLED WITH - 2.3.26
From 1b7a53185a98a5909587d9d493ce175e88413177 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:31:49 +0300
Subject: [PATCH 05/18] Updated workflow file
---
 .github/workflows/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4efc513c..ae4e1b6c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -27,6 +27,13 @@ jobs:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
+ - name: Config bundler
+ run: |
+ bundle config set without 'development staging production'
+ bundle config set deployment '[secure]'
+ bundle env
+ head -n1 $(which bundle)
+
 - name: Run tests
 run: bundle exec rake
From ad7deec317149dc5aa266de81ff086c9e8e98dba Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:39:22 +0300
Subject: [PATCH 06/18] Updated workflow file
---
 .github/workflows/main.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ae4e1b6c..eb6edacf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -35,7 +35,13 @@ jobs:
 head -n1 $(which bundle)
 - name: Run tests
- run: bundle exec rake
+ run: |
+ gem install bundler -v '>= 2.2.10'
+ gem install builder
+ gem install webmock
+ gem install minitest -v '~> 5.14'
+ bundle install
+ rake
 - name: Coveralls Parallel
 uses: coverallsapp/github-action@master
From 365b723c56db15cdfe3038dbdafea0175584459f Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:41:23 +0300
Subject: [PATCH 07/18] Updated workflow file
---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)
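Review bot: `bundle config set deployment '[secure]'` passes a redaction placeholder where bundler expects a boolean; if bundler treats that string as truthy, deployment mode refuses to run without a committed Gemfile.lock, which patch 04 just removed from the repository, so the `bundle install` added in patch 06 would abort. The `gem install builder` and `gem install webmock` lines in patch 06, like the further unpinned installs added in patches 07–10, 13 and 15, bypass the gemspec and the lockfile and resolve to whatever version rubygems serves at run time, which makes the job unreproducible and widens the dependency set beyond what omniauth_tara.gemspec declares; `bundler-cache: true` on setup-ruby already installs the declared development dependencies, so `bundle exec rake` is sufficient. The `bundle env` and `head -n1 $(which bundle)` lines are one-off diagnostics that print the runner's configuration into the public job log and should not stay in the workflow once the problem is understood.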
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index eb6edacf..2ac5b020 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -37,6 +37,7 @@ jobs:
 - name: Run tests
 run: |
 gem install bundler -v '>= 2.2.10'
+ gem install simplecov -v '~> 0.21'
 gem install builder
 gem install webmock
 gem install minitest -v '~> 5.14'
From 09263da68a2c68f15f398bdbd854a86e0b3a8724 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:43:34 +0300
Subject: [PATCH 08/18] Updated workflow file
---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2ac5b020..462d6d68 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -40,6 +40,7 @@ jobs:
 gem install simplecov -v '~> 0.21'
 gem install builder
 gem install webmock
+ gem install mocha -v '~> 1.7'
 gem install minitest -v '~> 5.14'
 bundle install
 rake
From 23645cbe1873cce5d31dd0963a99ba2f4944ff08 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:48:50 +0300
Subject: [PATCH 09/18] Updated workflow file
---
 .github/workflows/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 462d6d68..b7a381b7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -40,8 +40,8 @@ jobs:
 gem install simplecov -v '~> 0.21'
 gem install builder
 gem install webmock
- gem install mocha -v '~> 1.7'
- gem install minitest -v '~> 5.14'
+ gem install minitest
+ gem install mocha
 bundle install
 rake
From 902dc0c9924573c8679688b4de2a4775ed1e6c1c Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:50:05 +0300
Subject: [PATCH 10/18] Updated workflow file
---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b7a381b7..3434978f 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -42,6 +42,7 @@ jobs:
 gem install webmock
 gem install minitest
 gem install mocha
+ gem install faker
 bundle install
 rake
From 11cd6c10c958889e126a01c22253e55c7b8bec5d Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:53:41 +0300
Subject: [PATCH 11/18] Updated workflow file
---
 .github/workflows/main.yml | 18 +----------------
 omniauth_tara.gemspec | 4 ++--
 2 files changed, 3 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3434978f..4efc513c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -27,24 +27,8 @@ jobs:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
- - name: Config bundler
- run: |
- bundle config set without 'development staging production'
- bundle config set deployment '[secure]'
- bundle env
- head -n1 $(which bundle)
-
 - name: Run tests
- run: |
- gem install bundler -v '>= 2.2.10'
- gem install simplecov -v '~> 0.21'
- gem install builder
- gem install webmock
- gem install minitest
- gem install mocha
- gem install faker
- bundle install
- rake
+ run: bundle exec rake
 - name: Coveralls Parallel
 uses: coverallsapp/github-action@master
diff --git a/omniauth_tara.gemspec b/omniauth_tara.gemspec
index 8fc3d54c..8fa0f5e9 100644
--- a/omniauth_tara.gemspec
+++ b/omniauth_tara.gemspec
@@ -28,8 +28,8 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency 'guard', '~> 2.14'
 spec.add_development_dependency 'guard-bundler', '~> 2.2'
 spec.add_development_dependency 'guard-minitest', '~> 2.4'
- spec.add_development_dependency 'minitest', '~> 5.1'
- spec.add_development_dependency 'mocha', '~> 1.7'
+ spec.add_development_dependency 'minitest', '~> 5.8', '>= 5.8.4'
+ spec.add_development_dependency 'mocha', '~> 2.1'
 spec.add_development_dependency 'rake', '~> 12.0'
 spec.add_development_dependency 'rubocop', '~> 1.12'
 spec.add_development_dependency 'simplecov', '~> 0.21'
From 6410e619b7c771bf3a56982e55721ed08978ebb0 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 12:59:27 +0300
Subject: [PATCH 12/18] Updated workflow file
---
 .github/workflows/main.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4efc513c..60bc5fc6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -26,9 +26,28 @@ jobs:
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
+ - name: config bundler
+ run: |
+ bundle config set without 'staging production'
+ bundle config set deployment '[secure]'
+ bundle env
+ head -n1 $(which bundle)
 - name: Run tests
- run: bundle exec rake
+ env:
+ RAILS_ENV: test
+ COVERAGE: true
+ DISABLE_SPRING: 1
+ run: |
+ gem install bundler -v '>= 2.2.10'
+ gem install simplecov -v '~> 0.21'
+ gem install builder
+ gem install webmock
+ gem install mocha
+ gem install faker
+ gem install minitest -v '~> 5.8', '>= 5.8.4'
+ bundle install
+ rake
 - name: Coveralls Parallel
 uses: coverallsapp/github-action@master
From fdf64947fe3b1e54ab4bfba607c83cf817ab7232 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 13:01:02 +0300
Subject: [PATCH 13/18] Updated workflow file
---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 60bc5fc6..252ab124 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -45,7 +45,7 @@ jobs:
 gem install webmock
 gem install mocha
 gem install faker
- gem install minitest -v '~> 5.8', '>= 5.8.4'
+ gem install minitest
 bundle install
 rake
From f2459aac4a1df3a52b35fbaa567a1cb4aa95dc58 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 13:05:39 +0300
Subject: [PATCH 14/18] Updated workflow file
---
 .github/workflows/main.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
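Review bot: `gem install minitest -v '~> 5.8', '>= 5.8.4'` has its comma outside the quotes, so the shell hands `~> 5.8,` to `-v` and passes `>= 5.8.4` as a second gem name to install, which cannot be what was intended; patch 13 removes the constraint altogether rather than correcting it, and `gem install minitest -v '>= 5.8.4'` would have kept the floor the gemspec in patch 11 declares. The `env:` block introduced here sets `RAILS_ENV: test` and `DISABLE_SPRING: 1`, which are Rails-application settings that nothing visible in this gem's test setup reads, and `COVERAGE: true` is dropped again in patch 14, which together suggest the block was copied from another project; each variable that survives should have a consumer in the repository or be removed. The `bundle config set deployment '[secure]'` and unpinned `gem install` lines repeat the problems already noted on patches 05 and 06.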
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 252ab124..8ce20ab7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -28,7 +28,7 @@ jobs:
 bundler-cache: true
 - name: config bundler
 run: |
- bundle config set without 'staging production'
+ bundle config set without 'development staging production'
 bundle config set deployment '[secure]'
 bundle env
 head -n1 $(which bundle)
@@ -36,12 +36,13 @@ jobs:
 - name: Run tests
 env:
 RAILS_ENV: test
- COVERAGE: true
 DISABLE_SPRING: 1
 run: |
 gem install bundler -v '>= 2.2.10'
 gem install simplecov -v '~> 0.21'
 gem install builder
+ gem install omniauth -v '>= 1.9'
+ gem install openid_connect -v '~> 2.2'
 gem install webmock
 gem install mocha
 gem install faker
From 39fe0186f81643ea220a86f4c19d79004457f7c6 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 13:06:57 +0300
Subject: [PATCH 15/18] Updated workflow file
---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8ce20ab7..f67a5faa 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -47,6 +47,7 @@ jobs:
 gem install mocha
 gem install faker
 gem install minitest
+ gem install simplecov-lcov -v '~> 0.8'
 bundle install
 rake
From 887075518a5baf0a6ce27d12eb7a0c6cd045eafe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergei=20Ts=C3=B5ganov?=
Date: Tue, 15 Aug 2023 13:30:09 +0300
Subject: [PATCH 16/18] Update main.yml
---
 .github/workflows/main.yml | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f67a5faa..b5414a22 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,3 +1,4 @@
+
 name: Main
 on:
 push:
@@ -26,30 +27,9 @@ jobs:
 with:
 ruby-version: ${{ matrix.ruby }}
 bundler-cache: true
- - name: config bundler
- run: |
- bundle config set without 'development staging production'
- bundle config set deployment '[secure]'
- bundle env
- head -n1 $(which bundle)
 - name: Run tests
- env:
- RAILS_ENV: test
- DISABLE_SPRING: 1
- run: |
- gem install bundler -v '>= 2.2.10'
- gem install simplecov -v '~> 0.21'
- gem install builder
- gem install omniauth -v '>= 1.9'
- gem install openid_connect -v '~> 2.2'
- gem install webmock
- gem install mocha
- gem install faker
- gem install minitest
- gem install simplecov-lcov -v '~> 0.8'
- bundle install
- rake
+ run: bundle exec rake
 - name: Coveralls Parallel
 uses: coverallsapp/github-action@master
From 2abec983e669433bca14b8fc2fa12d50d522d2b5 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 13:31:15 +0300
Subject: [PATCH 17/18] Fix MiniTest NameError
---
 test/strategy_test_case.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/strategy_test_case.rb b/test/strategy_test_case.rb
index 773a24f5..72a1bd06 100644
--- a/test/strategy_test_case.rb
+++ b/test/strategy_test_case.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-class StrategyTestCase < MiniTest::Test
+class StrategyTestCase < Minitest::Test
 class DummyApp
 def call(env); end
 end
From 09f44ed99241fded3b47d0bb25d977b1cf55cdd0 Mon Sep 17 00:00:00 2001
From: Sergei Tsoganov
Date: Tue, 15 Aug 2023 13:47:20 +0300
Subject: [PATCH 18/18] Fixed rubocop errors
---
 lib/omniauth/tara/user_info.rb | 4 +++-
 omniauth_tara.gemspec | 10 ++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/omniauth/tara/user_info.rb b/lib/omniauth/tara/user_info.rb
index 383681ea..1e920506 100644
--- a/lib/omniauth/tara/user_info.rb
+++ b/lib/omniauth/tara/user_info.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'openid_connect'
 module OmniAuth
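Review bot: After this hunk the test step is back to `run: bundle exec rake`, byte-for-byte what the workflow had before patch 05, so patches 05 through 15 are churn with no surviving effect on main.yml apart from the blank first line added in the previous hunk; squashing the workflow commits before merge would keep that experimentation out of the history, and the blank line should go too. What does survive from the series is the loosened development dependencies in omniauth_tara.gemspec (patch 11: `mocha '~> 2.1'` is a major bump and `minitest '~> 5.8', '>= 5.8.4'` a new floor), which deserve their own commit message rather than "Updated workflow file". Separately, the retained context line `uses: coverallsapp/github-action@master` (not touched here) follows a mutable branch; pinning it to a release tag or, better, a commit SHA is the usual way to keep a third-party action from changing underneath the workflow.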
@@ -14,7 +16,7 @@ class UserInfo < OpenIDConnect::ConnectObject
 :email_verified,
 :phone_number,
 :phone_number_verified,
- :profile_attributes,
+ :profile_attributes
 )
 alias subject sub
 alias subject= sub=
diff --git a/omniauth_tara.gemspec b/omniauth_tara.gemspec
index 8fa0f5e9..aec34da8 100644
--- a/omniauth_tara.gemspec
+++ b/omniauth_tara.gemspec
@@ -8,10 +8,12 @@ Gem::Specification.new do |spec|
 spec.required_ruby_version = '>= 2.7'
 spec.name = 'omniauth-tara'
 spec.version = OmniAuth::Tara::VERSION
- spec.authors = ['John Bohn', 'Ilya Shcherbinin', 'Artur Beljajev', 'Maciej Szlosarczyk',
- 'Sergei Tsõganov']
- spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com', 'artur.beljajev@internet.ee', 'maciej.szlosarczyk@eestiinternet.ee',
- 'sergei.tsoganov@internet.ee']
+ spec.authors = ['John Bohn', 'Ilya Shcherbinin', 'Artur Beljajev',
+ 'Maciej Szlosarczyk',
+ 'Sergei Tsõganov']
+ spec.email = ['jjbohn@gmail.com', 'm0n9oose@gmail.com', 'artur.beljajev@internet.ee',
+ 'maciej.szlosarczyk@eestiinternet.ee',
+ 'sergei.tsoganov@internet.ee']
 spec.summary = 'TARA-Doku (https://github.com/e-gov/TARA-Doku) strategy for OmniAuth'
 spec.description = 'TARA-Doku (https://github.com/e-gov/TARA-Doku) strategy for OmniAuth'
 spec.homepage = 'https://github.com/internetee/omniauth-tara'