SSO Interface and Setup for SAML, OpenID Connect and CAS

.gitguardian.yaml

@@ -0,0 +1,5 @@
+secret:
+  ignored-matches:
+  - match: 2ace7433e96955aeed1a310d7dcc61f8761d05fbff91b92d79d860e307d6ea6a
+    name: Generic High Entropy Secret - .env
+version: 2

Gemfile

@@ -1,144 +1,93 @@
 # frozen_string_literal: true
 
+# rubocop:disable Metrics/LineLength
 source 'https://rubygems.org'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
 gem 'rails', '~> 5.2.5'
 
+gem 'active-fedora', '>= 11.1.4'
+gem 'active_elastic_job', github: 'active-elastic-job/active-elastic-job', ref: 'ec51c5d9dedc4a1b47f2db41f26d5fceb251e979', group: %i[aws]
 gem 'activerecord-nulldb-adapter'
 gem 'addressable', '2.8.1' # remove once https://github.com/postrank-labs/postrank-uri/issues/49 is fixed
-# Use sqlite3 as the database for Active Record
-gem 'pg'
-# Use Puma as the app server
-gem 'puma', '~> 4.3'
-# Use SCSS for stylesheets
-gem 'sass-rails', '~> 5.0'
-# Use CoffeeScript for .coffee assets and views
-gem 'coffee-rails', '~> 4.2'
-# See https://github.com/rails/execjs#readme for more supported runtimes
-# gem 'therubyracer', platforms: :ruby
-
-# Use jquery as the JavaScript library
-gem 'jquery-rails'
-# Turbolinks makes following links in your web application faster. Read more: https://github.com/rails/turbolinks
-gem 'turbolinks', '~> 5'
-# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
-gem 'jbuilder', '~> 2.5'
-# bundle exec rake doc:rails generates the API under doc/api.
-# gem 'sdoc', '~> 0.4.0', group: :doc
-
-# Use ActiveModel has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
-
-gem 'active-fedora', '>= 11.1.4'
-gem 'flutie'
-# Use Capistrano for deployment
-# gem 'capistrano-rails', group: :development
-
-group :development, :test do
-  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
-  gem 'byebug'
-  gem 'pry-byebug'
-
-  gem 'i18n-debug', require: false
-  gem 'i18n-tasks'
-  gem 'rspec'
-  gem 'rspec-rails', '>= 3.6.0'
-
-  gem 'simplecov', require: false
-
-  gem 'fcrepo_wrapper', '~> 0.4'
-  gem 'solr_wrapper', '~> 2.0'
-
-  gem 'rubocop', '~> 0.50', '<= 0.52.1'
-  gem 'rubocop-rspec', '~> 1.22', '<= 1.22.2'
-end
-
-group :test do
-  gem 'capybara'
-  gem 'capybara-screenshot', '~> 1.0'
-  gem 'database_cleaner'
-  gem 'factory_bot_rails'
-  gem 'launchy'
-  # rack-test >= 0.71 does not work with older Capybara versions (< 2.17). See #214 for more details
-  gem 'rack-test', '0.7.0'
-  gem 'rails-controller-testing'
-  gem 'rspec-activemodel-mocks'
-  gem 'rspec-its'
-  gem 'rspec-retry'
-  gem 'rspec_junit_formatter'
-  gem 'selenium-webdriver', '4.8.1'
-  gem 'shoulda-matchers', '~> 4.0'
-  gem 'webdrivers', '~> 4.7.0'
-  gem 'webmock'
-end
-
-group :development do
-  # Access an IRB console on exception pages or by using <%= console %> in views
-  gem 'web-console', '>= 3.3.0'
-
-  gem 'listen', '>= 3.0.5', '< 3.2'
-  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
-  gem 'easy_translate'
-  gem 'scss_lint', require: false
-  gem 'spring', '~> 1.7'
-  gem 'spring-watcher-listen', '~> 2.0.0'
-end
-
-gem 'bulkrax', '~> 5.0'
-
+gem 'apartment'
+gem 'aws-sdk-sqs', group: %i[aws]
 gem 'blacklight', '~> 6.7'
 gem 'blacklight_oai_provider', '~> 6.1', '>= 6.1.1'
-
-gem 'hyrax', '~> 3.5.0'
-
 gem 'bolognese', '>= 1.9.10'
-gem 'hyrax-doi', git: 'https://github.com/samvera-labs/hyrax-doi.git', branch: 'main'
-gem 'hyrax-iiif_av', git: 'https://github.com/samvera-labs/hyrax-iiif_av.git', branch: 'main'
-gem 'iiif_print', git: 'https://github.com/scientist-softserv/iiif_print.git', branch: 'main'
-gem 'postrank-uri', '>= 1.0.24'
-gem 'redlock', '>= 0.1.2', '< 2.0' # lock redlock per https://github.com/samvera/hyrax/pull/5961
-gem 'rsolr', '~> 2.0'
-
+gem 'bootstrap-datepicker-rails'
+gem 'bulkrax', '~> 5.0'
+gem 'byebug', group: %i[development test]
+gem 'capybara', group: %i[test]
+gem 'capybara-screenshot', '~> 1.0', group: %i[test]
+gem 'carrierwave-aws', '~> 1.3', group: %i[aws test]
+gem 'cocoon'
+gem 'codemirror-rails'
+gem 'coffee-rails', '~> 4.2' # Use CoffeeScript for .coffee assets and views
+gem 'database_cleaner', group: %i[test]
 gem 'devise'
 gem 'devise-guests', '~> 0.3'
 gem 'devise-i18n'
 gem 'devise_invitable', '~> 1.6'
-
-gem 'apartment'
-gem 'is_it_working'
-gem 'rolify'
-
+gem 'dry-monads', '~> 1.4.0' # Locked because 1.5.0 was not compatible with Hyrax v.3.4.2
+gem 'easy_translate', group: %i[development]
+gem 'factory_bot_rails', group: %i[test]
+gem 'fcrepo_wrapper', '~> 0.4', group: %i[development test]
 gem 'flipflop', '~> 2.6.0' # waiting for hyrax 4 upgrade
+gem 'flutie'
+gem 'hyrax', '~> 3.5.0'
+gem 'hyrax-doi', github: 'samvera-labs/hyrax-doi', branch: 'main'
+gem 'hyrax-iiif_av', github: 'samvera-labs/hyrax-iiif_av', branch: 'main'
+gem 'i18n-debug', require: false, group: %i[development test]
+gem 'i18n-tasks', group: %i[development test]
+gem 'iiif_print', github: 'scientist-softserv/iiif_print', branch: 'main'
+gem 'jbuilder', '~> 2.5'
+gem 'jquery-rails' # Use jquery as the JavaScript library
+gem 'launchy', group: %i[test]
+gem 'listen', '>= 3.0.5', '< 3.2', group: %i[development]
 gem 'lograge'
-
 gem 'mods', '~> 2.4'
-
-group :aws, :test do
-  gem 'carrierwave-aws', '~> 1.3'
-end
-
-group :aws do
-  gem 'active_elastic_job', git: 'https://github.com/active-elastic-job/active-elastic-job.git',
-                            ref: 'ec51c5d9dedc4a1b47f2db41f26d5fceb251e979'
-  gem 'aws-sdk-sqs'
-end
-
-gem 'bootstrap-datepicker-rails'
-gem "cocoon"
-gem 'codemirror-rails'
 gem 'negative_captcha'
 gem 'okcomputer'
+gem 'omniauth-cas', github: 'stanhu/omniauth-cas', ref: '4211e6d05941b4a981f9a36b49ec166cecd0e271'
+gem 'omniauth-multi-provider'
+gem 'omniauth-rails_csrf_protection', '~> 1.0'
+gem 'omniauth-saml', '~> 2.1'
+gem 'omniauth_openid_connect'
 gem 'parser', '~> 2.5.3'
+gem 'pg'
+gem 'postrank-uri', '>= 1.0.24'
+gem 'pry-byebug', group: %i[development test]
+gem 'puma', '~> 4.3' # Use Puma as the app server
+gem 'rack-test', '0.7.0', group: %i[test] # rack-test >= 0.71 does not work with older Capybara versions (< 2.17). See #214 for more details
+gem 'rails-controller-testing', group: %i[test]
 gem 'rdf', '~> 3.1.15' # rdf 3.2.0 removed SerializedTransaction which ldp requires
+gem 'redlock', '>= 0.1.2', '< 2.0' # lock redlock per https://github.com/samvera/hyrax/pull/5961
 gem 'riiif', '~> 1.1'
+gem 'rolify'
+gem 'rsolr', '~> 2.0'
+gem 'rspec', group: %i[development test]
+gem 'rspec-activemodel-mocks', group: %i[test]
+gem 'rspec-its', group: %i[test]
+gem 'rspec-rails', '>= 3.6.0', group: %i[development test]
+gem 'rspec-retry', group: %i[test]
+gem 'rspec_junit_formatter', group: %i[test]
+gem 'rubocop', '~> 0.50', '<= 0.52.1', group: %i[development test]
+gem 'rubocop-rspec', '~> 1.22', '<= 1.22.2', group: %i[development test]
+gem 'sass-rails', '~> 5.0' # Use SCSS for stylesheets
+gem 'scss_lint', require: false, group: %i[development]
 gem 'secure_headers'
+gem 'selenium-webdriver', '4.8.1', group: %i[test]
+gem 'shoulda-matchers', '~> 4.0', group: %i[test]
 gem 'sidekiq', "< 7.0" # sidekiq 7 requires upgrade to redis 6
+gem 'simplecov', require: false, group: %i[development test]
+gem 'solr_wrapper', '~> 2.0', group: %i[development test]
+gem 'spring', '~> 1.7', group: %i[development]
+gem 'spring-watcher-listen', '~> 2.0.0', group: %i[development]
 gem 'terser' # to support the Safe Navigation / Optional Chaining operator (?.) and avoid uglifier precompile issue
 gem 'tether-rails'
-
-# When first attempting to upgrade to Hyrax v3.4.2, this dry-monads gem was upgraded to v1.5.0.
-# This version threw the following error:
-# NameError: uninitialized constant Dry::Monads::Result::Transformer
-# Locking it to v1.4.x does not throw an error.
-gem 'dry-monads', '~> 1.4.0'
+gem 'turbolinks', '~> 5'
+gem 'web-console', '>= 3.3.0', group: %i[development] # <%= console %> in views
+gem 'webdrivers', '~> 4.7.0', group: %i[test]
+gem 'webmock', group: %i[test]
+# rubocop:enable Metrics/LineLength

Gemfile.lock

@@ -43,6 +43,16 @@ GIT
       rails (~> 5.0)
       rdf-vocab (~> 3.0)
 
+GIT
+  remote: https://github.com/stanhu/omniauth-cas.git
+  revision: 4211e6d05941b4a981f9a36b49ec166cecd0e271
+  ref: 4211e6d05941b4a981f9a36b49ec166cecd0e271
+  specs:
+    omniauth-cas (2.0.0)
+      addressable (~> 2.3)
+      nokogiri (~> 1.5)
+      omniauth (>= 1.2, < 3)
+
 GEM
   remote: https://rubygems.org/
   specs:
@@ -115,6 +125,7 @@ GEM
       tzinfo (~> 1.1)
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
+    aes_key_wrap (1.1.0)
     almond-rails (0.3.0)
       rails (>= 4.2)
     amazing_print (1.4.0)
@@ -125,6 +136,7 @@ GEM
       rack (>= 1.3.6)
     arel (9.0.0)
     ast (2.4.2)
+    attr_required (1.0.1)
     autoprefixer-rails (10.4.13.0)
       execjs (~> 2)
     awesome_nested_set (3.5.0)
@@ -169,6 +181,7 @@ GEM
       smart_properties
     bibtex-ruby (6.0.0)
       latex-decode (~> 0.0)
+    bindata (2.4.15)
     bindex (0.8.1)
     blacklight (6.25.0)
       bootstrap-sass (~> 3.2)
@@ -612,7 +625,6 @@ GEM
       json
     iiif_manifest (1.3.1)
       activesupport (>= 4)
-    is_it_working (1.1.0)
     iso-639 (0.3.6)
     iso8601 (0.9.1)
     jbuilder (2.11.5)
@@ -632,6 +644,11 @@ GEM
       railties (>= 3.2.16)
     json (2.6.3)
     json-canonicalization (0.3.2)
+    json-jwt (1.15.3)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+      httpclient
     json-ld (3.1.10)
       htmlentities (~> 4.3)
       json-canonicalization (~> 0.2)
@@ -816,6 +833,32 @@ GEM
     oj (3.14.3)
     oj_mimic_json (1.0.1)
     okcomputer (1.18.4)
+    omniauth (2.1.1)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-multi-provider (0.4.0)
+      omniauth
+    omniauth-rails_csrf_protection (1.0.1)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth-saml (2.1.0)
+      omniauth (~> 2.0)
+      ruby-saml (~> 1.12)
+    omniauth_openid_connect (0.6.1)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 1.1)
+    openid_connect (1.4.2)
+      activemodel
+      attr_required (>= 1.0.0)
+      json-jwt (>= 1.15.0)
+      net-smtp
+      rack-oauth2 (~> 1.21)
+      swd (~> 1.3)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (~> 1.2)
     openseadragon (0.6.0)
       rails (> 3.2.0)
     optimist (3.0.1)
@@ -853,7 +896,15 @@ GEM
       rails (>= 5.0, < 7.1)
       rdf
     racc (1.7.1)
-    rack (2.2.7)
+    rack (2.2.8)
+    rack-oauth2 (1.21.3)
+      activesupport
+      attr_required
+      httpclient
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (3.0.6)
+      rack
     rack-test (0.7.0)
       rack (>= 1.0, < 3)
     rails (5.2.8.1)
@@ -1038,6 +1089,9 @@ GEM
       multipart-post
       oauth2
     ruby-progressbar (1.13.0)
+    ruby-saml (1.15.0)
+      nokogiri (>= 1.13.10)
+      rexml
     ruby2_keywords (0.0.5)
     ruby_dep (1.5.0)
     rubyzip (2.3.2)
@@ -1137,6 +1191,10 @@ GEM
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     ssrf_filter (1.0.8)
+    swd (1.3.0)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      httpclient (>= 2.4)
     sxp (1.1.0)
       rdf (~> 3.1)
     temple (0.10.0)
@@ -1169,6 +1227,12 @@ GEM
     unicode-types (1.8.0)
     unicode_utils (1.4.0)
     validatable (1.6.7)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
     valkyrie (2.2.0)
       activemodel
       activesupport
@@ -1196,6 +1260,9 @@ GEM
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
       selenium-webdriver (> 3.141, < 5.0)
+    webfinger (1.2.0)
+      activesupport
+      httpclient (>= 2.4)
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -1248,7 +1315,6 @@ DEPENDENCIES
   i18n-debug
   i18n-tasks
   iiif_print!
-  is_it_working
   jbuilder (~> 2.5)
   jquery-rails
   launchy
@@ -1257,6 +1323,11 @@ DEPENDENCIES
   mods (~> 2.4)
   negative_captcha
   okcomputer
+  omniauth-cas!
+  omniauth-multi-provider
+  omniauth-rails_csrf_protection (~> 1.0)
+  omniauth-saml (~> 2.1)
+  omniauth_openid_connect
   parser (~> 2.5.3)
   pg
   postrank-uri (>= 1.0.24)

app/assets/stylesheets/application.css

@@ -17,5 +17,6 @@
  *= require hyrax
  *= require dataTables/bootstrap/3/jquery.dataTables.bootstrap
  *= require bootstrap-datepicker
+ *= require single_signon
  *= require_self
  */