From ae91d9373ff8f93eb44ea0f53d71b80adb48639b Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Sun, 15 Jan 2017 12:06:57 +0100
Subject: [PATCH] feat: use latest rbsso with checks for expiry and service_id

---
 lib/omniauth/strategies/sso.rb       |  2 +-
 omniauth-sso.gemspec                 |  2 +-
 test/omniauth/strategies/sso_test.rb | 67 +++++++++++++++++++++-------
 3 files changed, 54 insertions(+), 17 deletions(-)

diff --git a/lib/omniauth/strategies/sso.rb b/lib/omniauth/strategies/sso.rb
index 17cfd26..cb9027b 100644
--- a/lib/omniauth/strategies/sso.rb
+++ b/lib/omniauth/strategies/sso.rb
@@ -42,7 +42,7 @@ module OmniAuth
       end
 
       def client
-        RbSSO::Client.new options.client_key
+        RbSSO::Client.new options.service_id, options.client_key
       end
     end
   end
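Review bot: Nothing in this hunk handles the error that `RbSSO::Client.new options.service_id, options.client_key` will now raise for an expired ticket or a service mismatch; the accompanying test changes assert a bare `RuntimeError` escaping `post '/auth/sso/callback'`, which suggests the callback phase (outside this hunk) lets it propagate instead of ending the request through OmniAuth's failure path. An unhandled exception in an auth callback surfaces as a 500 and, depending on the app's error page, can leak a stack trace, whereas wrapping the verification in the callback phase with `rescue RuntimeError => e` / `fail!(:invalid_ticket, e)` keeps it on the normal `/auth/failure` route with the usual logging. It is also worth confirming that `service_id` is declared with `option` next to `client_key` (the declaration is not visible here), since a nil value would be handed to the client silently. The enclosing class continues outside this hunk.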
diff --git a/omniauth-sso.gemspec b/omniauth-sso.gemspec
index c5592d8..4f323b6 100644
--- a/omniauth-sso.gemspec
+++ b/omniauth-sso.gemspec
@@ -11,7 +11,7 @@ Omniauth strategy for "ai's sso"(https://git.autistici.org/ai/sso) based on rbss
   s.homepage    = 'https://0xacab.org/riseup/omniauth-sso'
 
   s.add_runtime_dependency 'omniauth', '~> 1.3'
-  s.add_runtime_dependency 'rbsso', '~> 0.1'
+  s.add_runtime_dependency 'rbsso', '~> 0.2.2'
 
   s.add_development_dependency 'rake', '>= 10', '< 13'
   s.add_development_dependency 'minitest', '~>5.0'
diff --git a/test/omniauth/strategies/sso_test.rb b/test/omniauth/strategies/sso_test.rb
index d10a205..04e5783 100644
--- a/test/omniauth/strategies/sso_test.rb
+++ b/test/omniauth/strategies/sso_test.rb
@@ -1,14 +1,20 @@
 require 'test_helper'
 require 'omniauth'
+require 'logger'
 require 'rack/test'
 require 'omniauth/strategies/sso'
+require 'rbsso'
 
 class OmniAuth::Strategies::SSOTest < Minitest::Test
   include OmniAuth::Test::StrategyTestCase
   include Rack::Test::Methods
 
+  def setup
+    OmniAuth.config.logger = Logger.new '/dev/null'
+  end
+
   def strategy
-    [OmniAuth::Strategies::SSO, 'my_service_id', verify_key]
+    [OmniAuth::Strategies::SSO, 'https://my.service.id/', verify_key]
   end
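Review bot: `Logger.new '/dev/null'` in the new `setup` is not portable (the path does not exist on Windows) and it mutates the global `OmniAuth.config` without restoring it, so the silenced logger leaks into any other test file run in the same process. Using the platform-neutral null device, `OmniAuth.config.logger = Logger.new(IO::NULL)`, and saving the previous logger in `setup` so a `teardown` can put it back keeps the change local to this test class. A one-line comment such as `# silence the failure output OmniAuth logs for the expired/invalid-ticket cases` would also make the intent clear, since the log noise being suppressed comes from the negative tests added later in this file.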
 
   def test_redirect
@@ -17,20 +23,34 @@ class OmniAuth::Strategies::SSOTest < Minitest::Test
     assert_includes last_response.location,
       'https://neststaging.riseup.net/sso_auth'
     assert_includes last_response.location,
-      's=my_service_id'
+      "s=#{CGI.escape(service)}"
   end
 
-  def test_callback
-    post '/auth/sso/callback', t: ticket_string
+  def test_valid_ticket
+    post '/auth/sso/callback', t: ticket
     assert auth_hash
     assert_equal 'sso', auth_hash['provider']
-    assert_equal 'ale@sso.net', auth_hash['uid']
-    assert_equal 'ale@sso.net', auth_hash['info'].email
-    assert_equal 'ale', auth_hash['info'].name
+    assert_equal 'user@domain', auth_hash['uid']
+    assert_equal 'user@domain', auth_hash['info'].email
+    assert_equal 'user', auth_hash['info'].name
+  end
+
+  def test_expired_ticket
+    assert_raises RuntimeError do
+      post '/auth/sso/callback', t: expired_ticket
+    end
+    assert_nil auth_hash
+  end
+
+  def test_invalid_ticket
+    post '/auth/my_strategy/callback', t: invalid_ticket
+    assert_nil auth_hash
   end
 
-  def test_invalid_callback
-    post '/auth/my_strategy/callback', t: invalid_ticket_string
+  def test_wrong_service
+    assert_raises RuntimeError do
+      post '/auth/sso/callback', t: server.ticket(user, 'other_service', domain)
+    end
     assert_nil auth_hash
   end
 
@@ -38,15 +58,32 @@ class OmniAuth::Strategies::SSOTest < Minitest::Test
     last_request.env['omniauth.auth']
   end
 
-  def verify_key
-    'c0dadbb483765b055d4f9ff5554d92b3ed7a433f15f4d8ebabbbd072510bfe23'
+  def expired_ticket
+    Time.stub :now, Time.at(123456) do
+      ticket
+    end
   end
 
-  def ticket_string
-    '4bHHseETK5U9YblImiqUpPHnEktAHIlICzb8w6jfrcrDyj/y7EtWoFVTvmTPcpJKHdh7TPPYgEVHVFH4DwKsCDN8YWxlfHNlcnZpY2UvfHNzby5uZXR8MTQxNTU3NDg0NHw='
+  # We modify the content of the ticket so the signature becomes invalid.
+  # It still should have the right length and be Base64 compatible.
+  def invalid_ticket
+    ticket.tap do |string|
+      string[100..112] = '///invalid///'
+    end
   end
 
-  def invalid_ticket_string
-    '4bHHseETK5U9YblImiqUpPHnEktAHIlICzb8w6jfrcrDyj/y7EtWoFVTvmTPcpJKHdh7TPPYgEVHVFH4DwKsCDN8YWxlfHNlcnZpY2UvfHNzby5invalidQxNTU3NDg1NHw='
+  def verify_key
+    server.verify_key
   end
+
+  def ticket
+    server.ticket(user, service, domain)
+  end
+
+  def server; RbSSO::Server.new seed; end
+  def seed; '1234567890ABCDEF' * 4; end
+  def user; 'user'; end
+  def service; 'https://my.service.id/'; end
+  def domain; 'domain'; end
+
 end
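Review bot: The helpers `server`, `ticket`, `verify_key` and `expired_ticket` each build a fresh `RbSSO::Server.new seed`, so the tests only hold together if the server's key pair is derived deterministically from `seed`; that assumption is unstated and deserves a comment above `def server`, e.g. `# A new server per call is fine: the key pair is derived from the fixed seed, so tickets from one instance verify against another's verify_key (test fixture only).` The `Time.stub :now, Time.at(123456)` in `expired_ticket` likewise presumes rbsso reads `Time.now` when stamping the ticket — worth noting in a comment, since a library change to a monotonic or injected clock would silently turn that test into a valid-ticket test. On style, the semicolon one-liners at `def server; ...; end` through `def domain; ...; end` are the form the Ruby style guide discourages; frozen constants (`SEED = ('1234567890ABCDEF' * 4).freeze`, `SERVICE = 'https://my.service.id/'.freeze`) or ordinary multi-line methods read better, and the blank line before the closing `end` can go.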
-- 
GitLab