CAS: strip ticket from service URL [#162]

omniauth · Feb 13, 2011 · 31cb192 · 31cb192
1 parent 4438d34
commit 31cb192
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/oa-enterprise/lib/omniauth/strategies/cas.rb b/oa-enterprise/lib/omniauth/strategies/cas.rb
@@ -41,7 +41,7 @@ def auth_hash
           'extra' => @user_info
         })
       end
-      
+
     end
   end
 end
diff --git a/oa-enterprise/lib/omniauth/strategies/cas/configuration.rb b/oa-enterprise/lib/omniauth/strategies/cas/configuration.rb
@@ -32,13 +32,17 @@ def login_url(service)
         end
 
         # Build a service-validation URL from +service+ and +ticket+.
+        # If +service+ has a ticket param, first remove it. URL-encode
+        # +service+ and add it and the +ticket+ as paraemters to the
+        # CAS serviceValidate URL.
         #
         # @param [String] service the service (a.k.a. return-to) URL
         # @param [String] ticket the ticket to validate
         #
         # @return [String] a URL like `http://cas.mycompany.com/serviceValidate?service=...&ticket=...`
         def service_validate_url(service, ticket)
-          url = append_service @service_validate_url, service
+          service = service.sub(/[?&]ticket=[^?&]+/, '')
+          url = append_service(@service_validate_url, service)
           url << '&ticket=' << Rack::Utils.escape(ticket)
         end
 

diff --git a/oa-enterprise/lib/omniauth/strategies/cas/service_ticket_validator.rb b/oa-enterprise/lib/omniauth/strategies/cas/service_ticket_validator.rb
@@ -30,7 +30,7 @@ def user_info
         end
 
         private
-        
+
         # turns an `<cas:authenticationSuccess>` node into a Hash;
         # returns nil if given nil
         def parse_user_info(node)

diff --git a/oa-enterprise/spec/omniauth/strategies/cas_spec.rb b/oa-enterprise/spec/omniauth/strategies/cas_spec.rb
@@ -47,10 +47,15 @@ def strategy
   describe 'GET /auth/cas/callback with a valid ticket' do
     before do
       stub_request(:get, /^https:\/\/cas.example.org(:443)?\/serviceValidate\?([^&]+&)?ticket=593af/).
+         with { |request| @request_uri = request.uri.to_s }.
          to_return(:body => File.read(File.join(File.dirname(__FILE__), '..', '..', 'fixtures', 'cas_success.xml')))
       get '/auth/cas/callback?ticket=593af'
     end
 
+    it 'should strip the ticket parameter from the callback URL before sending it to the CAS server' do
+      @request_uri.scan('ticket=').length.should == 1
+    end
+
     sets_an_auth_hash
     sets_provider_to 'cas'
     sets_uid_to 'psegel'