Update fork #2

Merged (31 commits, Nov 12, 2023)
31 commits

ef524a7 service_validator: use custom callback_url if provided (safeforge, Jan 24, 2017)
bc7a280 Revert "service_validator: use custom callback_url if provided" (vjt, Jun 27, 2018)
e98635a Handle better a parameter (vjt, Jun 27, 2018)
a167036 Return a 400 in non-dev environment (vjt, Jun 27, 2018)
5ab4dad Fix specs due to protection introduced in e98635aa (vjt, Nov 27, 2018)
c56bac2 Test protection introduced in e98635aa (vjt, Nov 27, 2018)
b56400d Add url_by_request_host option @lleirborras @mirkomignini (vjt, Nov 27, 2018)
cf104c1 Fix crash (vjt, Nov 27, 2018)
a58d7d4 Allow debugging when using bundler (vjt, Nov 27, 2018)
f97f52a Bump version to v1.2.0 (vjt, Nov 27, 2018)
6f8f3af Safer request.host call (vjt, Nov 27, 2018)
af8a87e Bump version to v1.2.1 (vjt, Nov 27, 2018)
e3f3102 service_validator: use custom callback_url if provided (safeforge, Jan 24, 2017)
f40c1d8 Revert "service_validator: use custom callback_url if provided" (vjt, Jun 27, 2018)
a50539e Handle better a parameter (vjt, Jun 27, 2018)
81fa359 Return a 400 in non-dev environment (vjt, Jun 27, 2018)
9ff671e Fix specs due to protection introduced in e98635aa (vjt, Nov 27, 2018)
623d0bd Test protection introduced in e98635aa (vjt, Nov 27, 2018)
eee8a39 Add url_by_request_host option @lleirborras @mirkomignini (vjt, Nov 27, 2018)
b892d1b Fix crash (vjt, Nov 27, 2018)
ecf718c Allow debugging when using bundler (vjt, Nov 27, 2018)
838eb12 Safer request.host call (vjt, Nov 27, 2018)
b2250a0 Fix specs against Ruby 2.1 (tagliala, Nov 9, 2021)
7fcc924 Move CI build to GitHub Actions (tagliala, Jul 26, 2021)
ecb7d2a Update action links (tagliala, Nov 9, 2021)
eaede6a Update changelog (tagliala, Nov 10, 2021)
f53d868 Improve CI (tagliala, Jul 15, 2023)
4801bae Update actions and add dependabot for actions (tagliala, Oct 3, 2023)
76cc442 Update actions for develop branch (tagliala, Nov 12, 2023)
294ef14 Merge remote-tracking branch 'origin/master' into update-fork (tagliala, Nov 12, 2023)
813f6ec Remove duplicate entry in readme (tagliala, Nov 12, 2023)
6 changes: 6 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
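Review bot: only the `github-actions` ecosystem is covered here, so the gem dependencies that the new workflows resolve on every run (`bundler-cache: true`, then `bundle exec rake`) get no automated updates; a second `- package-ecosystem: bundler` entry with the same `directory: /` and weekly schedule would cover the Gemfile and gemspec as well. With actions pinned to commit SHAs rather than `@v4`/`@v1` tags, this file is also what keeps those pins from going stale.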
28 changes: 28 additions & 0 deletions .github/workflows/legacy_ruby.yml
@@ -0,0 +1,28 @@
name: Legacy Ruby specs

on:
push:
branches: [ master, develop ]
pull_request:
branches: [ master, develop ]

permissions:
contents: read

jobs:
test:
name: Specs
runs-on: ubuntu-20.04
strategy:
matrix:
ruby-version: ['2.1', '2.2', '2.3', '2.4', '2.5', '2.6']

steps:
- uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true
- name: Run specs
run: bundle exec rake
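Review bot: `actions/checkout@v4` and `ruby/setup-ruby@v1` are referenced by mutable major-version tags, so whatever those tags are moved to runs on every push and pull request to `master` and `develop`; pin each `uses:` to a full commit SHA with the version in a trailing comment, and let the dependabot config added in this PR move the pins. `permissions: contents: read` is the right default and should stay. One caveat on `runs-on: ubuntu-20.04`: it is needed for the Ruby 2.1 to 2.6 matrix, but once that runner image is retired this workflow stops scheduling rather than failing, so it deserves a comment.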
35 changes: 35 additions & 0 deletions .github/workflows/ruby.yml
@@ -0,0 +1,35 @@
name: Ruby specs

on:
push:
branches: [ master, develop ]
pull_request:
branches: [ master, develop ]

permissions:
contents: read

jobs:
test:
name: Specs
runs-on: ubuntu-latest
strategy:
matrix:
ruby-version: ['2.7', '3.0', '3.1', '3.2']
channel: ['stable']

include:
- ruby-version: 'head'
channel: ['experimental']

continue-on-error: ${{ matrix.channel != 'stable' }}

steps:
- uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true
- name: Run specs
run: bundle exec rake
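Review bot: in the `include` entry, `channel: ['experimental']` is a one-element list while the matrix-level `channel: ['stable']` expands to the scalar `'stable'` per job, so the `head` job sees `matrix.channel` as an array; `${{ matrix.channel != 'stable' }}` still evaluates to true, but only because an array is never equal to a string, and any later `matrix.channel == 'experimental'` comparison would silently be false. Write it as `channel: 'experimental'`. The same tag-versus-SHA pinning point as in `legacy_ruby.yml` applies to the two `uses:` lines here; the `${{ }}` expressions in this file only read matrix values, not event payload fields, so there is no expression-injection exposure in the `run:` step.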
21 changes: 0 additions & 21 deletions .travis.yml

This file was deleted.

17 changes: 15 additions & 2 deletions CHANGELOG.md
@@ -2,8 +2,8 @@

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
project adheres to [Semantic Versioning](http://semver.org/)
The format is based on [Keep a Changelog](https://keepachangelog.com/) and this
project adheres to [Semantic Versioning](https://semver.org/)

## 2.0.0 - 2010-11-14
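Review bot: the `## 2.0.0 - 2010-11-14` heading visible in this hunk's context is dated six years before `## 1.1.1 - 2016-09-19` and eight before the `1.2.x (IFAD) - 2018-11-27` entries added below, so the year is almost certainly a typo; since the file is being edited anyway (the `http` to `https` link change is fine), fixing the date at the same time keeps the Keep a Changelog ordering honest.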

@@ -17,6 +17,19 @@ project adheres to [Semantic Versioning](http://semver.org/)
* Forward success response to `fetch_raw_info` callback ([#51](https://github.com/dlindahl/omniauth-cas/pull/51))
* Relax development dependencies to the latest versions

## 1.2.1 (IFAD) - 2018-11-27

### Changed

* Safer request.host call

## 1.2.0 (IFAD) - 2018-11-27

### Added

* service_validator: use custom callback_url if provided
* Add url_by_request_host option

## 1.1.1 - 2016-09-19

### Changed
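Review bot: the 1.2.0 section records only the two additions, but the same release also made the request phase reject a sign-in whose `url` parameter points at a host other than the service URL's host (`validate_service_url!`, answering 400 outside development) and reject a missing `url` altogether. That is a behaviour change that integrators can hit, so it belongs under a `### Changed` or `### Security` heading for 1.2.0 with the 400 response spelled out, rather than being discoverable only from the commit list.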
1 change: 1 addition & 0 deletions Gemfile
@@ -1,4 +1,5 @@
source 'https://rubygems.org'
gem 'byebug'

# Specify your gem's dependencies in omniauth-cas.gemspec
gemspec
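Review bot: `gem 'byebug'` at the top level of the Gemfile makes the debugger a hard dependency of every `bundle install` against this file, not just of a developer's session; wrap it in `group :development, :test do ... end`, or declare it as a development dependency in the gemspec next to the others, so it never lands in a deployment bundle. Also keep in mind that the CI matrix in this PR goes back to Ruby 2.1, so whatever byebug version Bundler resolves has to still install there.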
20 changes: 17 additions & 3 deletions README.md
@@ -1,9 +1,10 @@
# OmniAuth CAS Strategy [![Gem Version][version_badge]][version] [![Build Status][travis_status]][travis]
# OmniAuth CAS Strategy [![Gem Version][version_badge]][version] [![Build Status][github_actions_status]][github_actions] [![Build Status][github_legacy_actions_status]][github_actions]

[version_badge]: https://badge.fury.io/rb/omniauth-cas.svg
[version]: https://badge.fury.io/rb/omniauth-cas
[travis]: https://travis-ci.org/dlindahl/omniauth-cas
[travis_status]: https://secure.travis-ci.org/dlindahl/omniauth-cas.svg
[github_actions]: https://github.com/ifad/omniauth-cas/actions
[github_actions_status]: https://github.com/ifad/omniauth-cas/actions/workflows/ruby.yml/badge.svg
[github_actions_legacy_status]: https://github.com/ifad/omniauth-cas/actions/workflows/legacy_ruby.yml/badge.svg
[releases]: https://github.com/dlindahl/omniauth-cas/releases

This is a OmniAuth 1.0 compatible port of the previously available
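Review bot: the second badge in the new heading references `[github_legacy_actions_status]`, but the definition added below is `[github_actions_legacy_status]`, so the legacy badge will not render and Markdown will leave the bracketed text in place; rename one of them to match. Both badges also link to the generic `[github_actions]` page, and pointing each at its own workflow (`.../actions/workflows/ruby.yml` and `.../actions/workflows/legacy_ruby.yml`) would make the links useful. Dropping the `[travis]` and `[travis_status]` definitions alongside the deleted `.travis.yml` is correct.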
@@ -74,6 +75,19 @@ Other configuration options:
extra_info
}
```
* `url_by_request_host` - Optional. Hash keyed by request host, to use
different CAS Server URLs depending on the request host. *Requires* `url`
or `host` to be set anyway, that'll be used as defaults if no host
matches.

```ruby
provider :cas,
url: 'https://cas.example.org',
url_by_request_host: {
'host1.example.org' => 'https://host1.cas.example.org',
'host2.example.org' => 'https://host2.cas.example.org',
}
```

Configurable options for values returned by CAS:
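Review bot: the `url_by_request_host` description should state what the keys are matched against and what happens on a miss: the implementation looks the entry up by `request.host`, which Rack takes from the `Host` header (or `X-Forwarded-Host` when present), and any host absent from the map, or a map value that fails to parse, silently falls back to `url`/`host`. Because the lookup key comes from the client, a reader should also be told that only values written in this map can ever be returned. While this section is being extended, it is also the place to document that since 1.2.0 `GET /auth/cas` answers 400 when the `url` parameter names a host other than the service URL's host, or when `url` is missing.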

81 changes: 65 additions & 16 deletions lib/omniauth/strategies/cas.rb
@@ -9,6 +9,8 @@ class CAS
# Custom Exceptions
class MissingCASTicket < StandardError; end
class InvalidCASTicket < StandardError; end
class MissingReturnURL < StandardError; end
class InvalidReturnURL < StandardError; end

autoload :ServiceTicketValidator, 'omniauth/strategies/cas/service_ticket_validator'
autoload :LogoutRequest, 'omniauth/strategies/cas/logout_request'
@@ -91,14 +93,18 @@ def callback_phase
def request_phase
service_url = append_params(callback_url, return_url)

[
302,
{
'Location' => login_url(service_url),
'Content-Type' => 'text/plain'
},
["You are being redirected to CAS for sign-in."]
]
if validate_service_url!(service_url)
[
302,
{
'Location' => login_url(service_url),
'Content-Type' => 'text/plain'
},
["You are being redirected to CAS for sign-in."]
]
else
[ 400, {}, [ "Bad request" ] ]
end
end

def on_sso_path?
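Review bot: the `else` branch returns `[ 400, {}, [ "Bad request" ] ]` with no `Content-Type`, which the 302 branch above sets and which `Rack::Lint` requires on any response other than 1xx/204/304; use `{ 'Content-Type' => 'text/plain' }` as in the success branch. Worth a comment, too: by the time this branch runs, `validate_service_url!` has already called `fail!`, whose return value (the configured `on_failure` response, normally a redirect to the failure endpoint) is thrown away in favour of the bare 400, while in development the default failure endpoint raises before control gets here. That is what makes this "non-dev only", and it is not obvious from the code. Since the method returns a boolean instead of raising, the `!` suffix on `validate_service_url!` is also misleading.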
@@ -115,14 +121,30 @@ def single_sign_out_phase
def cas_url
extract_url if options['url']
validate_cas_setup
@cas_url ||= begin
uri = Addressable::URI.new
uri.host = options.host
uri.scheme = options.ssl ? 'https' : 'http'
uri.port = options.port
uri.path = options.path
uri.to_s
end

by_host_cas_url || static_cas_url
end

def by_host_cas_url
return unless options.url_by_request_host && \
options.url_by_request_host.respond_to?(:fetch)

uri = options.url_by_request_host.fetch(request.host)

Addressable::URI.parse(uri).to_s
rescue
nil # When request.host is not defined or it raises,
# or when Addressable raises, we can only resort
# to the default.
end

def static_cas_url
uri = Addressable::URI.new
uri.host = options.host
uri.scheme = options.ssl ? 'https' : 'http'
uri.port = options.port
uri.path = options.path
uri.to_s
end

def extract_url
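Review bot: the bare `rescue` in `by_host_cas_url` catches every `StandardError`, so a `NoMethodError` from a typo or a `nil` map value is indistinguishable from the host simply not being in the map, and a misconfigured deployment silently authenticates against the default CAS server instead of failing loudly. Rescue only what the comment describes, `KeyError` from `fetch` and `Addressable::URI::InvalidURIError` from `parse`, and let anything else propagate. Two caveats for the comment block: `request.host` is taken from the `Host`/`X-Forwarded-Host` headers, so the client picks which configured entry is used (only operator-supplied values can come back, so this is selection among trusted servers rather than injection, but it should be said); and `Addressable::URI.parse(uri).to_s` accepts any scheme, so an `http://` value in the map is used verbatim and the `ssl` option of the static path does not apply to it. Dropping the `@cas_url ||=` memoisation is necessary now that the result depends on the request.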
@@ -141,6 +163,33 @@ def validate_cas_setup
end
end

# Checks that the callback URL is within the scope of the target
# service url, to protect against redirects to phishing pages.
#
def validate_service_url!(service_url)
service_url = Addressable::URI.parse(service_url)

return_url = service_url.query_values['url']

if return_url.nil? || return_url.empty?
fail!(:missing_return_url, MissingReturnURL.new('Missing Return URL'))
return false
end

return_url = Addressable::URI.parse(return_url)

# Check that the return URL host, if present, is equal to the service
# URL host. If the return_url host is nil, it means this is a relative
# url - and we can accept it.
#
if !return_url.host.nil? && (return_url.host != service_url.host)
fail!(:invalid_return_url, InvalidReturnURL.new('Invalid Return URL'))
return false
end

return true
end

# Build a service-validation URL from +service+ and +ticket+.
# If +service+ has a ticket param, first remove it. URL-encode
# +service+ and add it and the +ticket+ as paraemters to the
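Review bot: the relative-URL exception in `validate_service_url!` is keyed on `return_url.host.nil?`, but a nil host does not mean the URL is relative: `Addressable::URI.parse('javascript:alert(1)')` and a `data:` URL both have a scheme and no host, so they pass this check and are handed to CAS as the post-login destination. Require `return_url.relative?` (no scheme) for the relative case and, for absolute URLs, compare the host as now; decide explicitly whether scheme and port should match too, since at present an `http://` return URL is accepted for an `https://` service URL. Separately, `service_url.query_values` returns `nil` when the service URL has no query string, so `service_url.query_values['url']` raises `NoMethodError` instead of reaching the `missing_return_url` branch; `(service_url.query_values || {})['url']` closes that gap.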
46 changes: 45 additions & 1 deletion spec/omniauth/strategies/cas_spec.rb
@@ -80,6 +80,42 @@
expect(provider.options).to include path:'/a/path'
end
end

context 'with a URL by host mapping' do
let(:params) { super().merge(
url: 'https://default.cas.host',
url_by_request_host: {
'host1.example.org' => 'https://host1.cas.host',
'host2.example.org' => 'https://host2.cas.host',
})
}

let(:request_host) { nil }

before do
allow_any_instance_of(MyCasProvider)
.to receive(:request)
.and_return(Rack::Request.new('HTTP_HOST' => request_host))
end

it { true }

context 'and an host in the map' do
let(:request_host) { 'host1.example.org' }

it 'returns the corresponding CAS host in the map' do
expect(subject).to eq('https://host1.cas.host')
end
end

context 'and an host not in the map' do
let(:request_host) { 'foo.bar' }

it 'returns the default CAS host' do
expect(subject).to eq('https://default.cas.host')
end
end
end
end

describe 'defaults' do
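Review bot: `it { true }` has no expectation and passes unconditionally, so it documents nothing; either drop it or turn it into the `request_host` `nil` case with an explicit `expect(subject).to eq('https://default.cas.host')`, which is exactly the "request.host is not defined or raises" branch that the bare `rescue` in `by_host_cas_url` exists for and which is otherwise untested. Stubbing `request` with `allow_any_instance_of` is acceptable here, but building the `Rack::Request` from `'HTTP_HOST' => request_host` only exercises one source of the host; a case with `'HTTP_X_FORWARDED_HOST' => 'host1.example.org'` and a different `HTTP_HOST` would pin down that the mapping follows what Rack actually returns.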
@@ -89,7 +125,15 @@
end

describe 'GET /auth/cas' do
let(:return_url) { 'http://myapp.com/admin/foo' }
let(:return_url) { 'http://example.org/admin/foo' }

context 'with a return url on a different host than the service url' do
before { get '/auth/cas?url=http://attack.example.org/' }

subject { last_response }

it { should be_bad_request }
end

context 'with a referer' do
let(:url) { '/auth/cas' }
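Review bot: only the rejection path is asserted, so the spec does not pin down what `validate_service_url!` accepts, which is where a regression would bite; add `get '/auth/cas?url=http://example.org/admin/foo'` (same host as the service URL) and `get '/auth/cas?url=/admin/foo'` (relative) and assert that both still redirect (302) to CAS, plus `get '/auth/cas'` with neither `url` nor referer asserting a 400 through the `missing_return_url` branch. Changing the `return_url` `let` from `myapp.com` to `example.org` is needed so that the existing contexts keep matching the service URL host instead of tripping the new check; a one-line comment saying so will stop someone reverting it.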