Upgrade from Google OpenID to Google OAuth2

[Fixes #94585256]

Signed-off-by: Isobel Redelmeier <[email protected]>

Author: Chris Hendrix

.env-development

@@ -4,3 +4,6 @@ export WORDPRESS_BASIC_AUTH_PASSWORD=password
 export WORDPRESS_XMLRPC_ENDPOINT_PATH=/wordpress/xmlrpc.php
 export WORDPRESS_USER=user
 export WORDPRESS_PASSWORD=password
+export GOOGLE_CLIENT_ID=your_id_here
+export GOOGLE_CLIENT_SECRET=your_secret_here
+export GOOGLE_CLIENT_DOMAIN=your_domain_here

.env-example

@@ -4,3 +4,6 @@ WORDPRESS_BASIC_AUTH_PASSWORD=password
 WORDPRESS_XMLRPC_ENDPOINT_PATH=/wordpress/xmlrpc.php
 WORDPRESS_USER=user
 WORDPRESS_PASSWORD=password
+GOOGLE_CLIENT_ID=your_id_here
+GOOGLE_CLIENT_SECRET=your_secret_here
+GOOGLE_CLIENT_DOMAIN=your_domain_here

Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '4.1.0.rc1'
 gem 'pg'
 gem 'unicorn'
 gem 'jquery-rails'
-gem 'omniauth-google-apps'
+gem 'omniauth-google-oauth2'
 gem 'github-markdown', require: 'github/markdown'
 gem 'exceptional'
 gem 'protected_attributes'

Gemfile.lock

@@ -84,6 +84,8 @@ GEM
     fakefs (0.5.0)
     faker (1.2.0)
       i18n (~> 0.5)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
     ffi (1.9.3)
     font-awesome-sass-rails (3.0.2.2)
       railties (>= 3.1.1)
@@ -93,14 +95,15 @@ GEM
       thor (>= 0.13.6)
     fssm (0.2.10)
     github-markdown (0.6.4)
-    hashie (2.0.5)
+    hashie (3.4.1)
     highline (1.6.21)
     hike (1.2.3)
     i18n (0.6.9)
     jquery-rails (3.1.0)
       railties (>= 3.0, < 5.0)
       thor (>= 0.14, < 2.0)
     json (1.8.1)
+    jwt (1.5.0)
     kgio (2.9.2)
     launchy (2.4.2)
       addressable (~> 2.3)
@@ -113,6 +116,8 @@ GEM
     mini_portile (0.6.0)
     minitest (5.3.0)
     multi_json (1.10.1)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
     net-scp (1.2.0)
       net-ssh (>= 2.6.5)
     net-sftp (2.1.2)
@@ -122,25 +127,26 @@ GEM
       net-ssh (>= 2.6.5)
     nokogiri (1.6.3.1)
       mini_portile (= 0.6.0)
-    omniauth (1.2.1)
-      hashie (>= 1.2, < 3)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    omniauth (1.2.2)
+      hashie (>= 1.2, < 4)
       rack (~> 1.0)
-    omniauth-google-apps (0.1.0)
-      omniauth (~> 1.0)
-      omniauth-openid (~> 1.0)
-      ruby-openid (~> 2.3.0)
-      ruby-openid-apps-discovery (~> 1.2.0)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
+    omniauth-google-oauth2 (0.2.6)
+      omniauth (> 1.0)
+      omniauth-oauth2 (~> 1.1)
+    omniauth-oauth2 (1.3.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
     pg (0.17.1)
     polyglot (0.3.4)
     protected_attributes (1.0.5)
       activemodel (>= 4.0.1, < 5.0)
     rack (1.5.2)
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
     rack-test (0.6.2)
       rack (>= 1.0)
     rails (4.1.0.rc1)
@@ -171,9 +177,6 @@ GEM
       rspec-core (~> 2.14.0)
       rspec-expectations (~> 2.14.0)
       rspec-mocks (~> 2.14.0)
-    ruby-openid (2.3.0)
-    ruby-openid-apps-discovery (1.2.0)
-      ruby-openid (>= 2.1.7)
     rubyzip (1.1.6)
     sass (3.2.14)
     sass-rails (4.0.1)
@@ -241,7 +244,7 @@ DEPENDENCIES
   launchy
   letter_opener
   minitest
-  omniauth-google-apps
+  omniauth-google-oauth2
   pg
   protected_attributes
   rails (= 4.1.0.rc1)

README.md

@@ -43,6 +43,14 @@ The following environment variables are necessary for posting to email via SendG
 
     export SENDGRID_USERNAME=<username>
     export SENDGRID_PASSWORD=<password>
+    
+The following environment variables are necessary to integrate with google oauth2.
+
+    export GOOGLE_CLIENT_ID=<client_id>
+    export GOOGLE_CLIENT_SECRET=<client_secret>
+    
+You can find these in the [Google Developers Console](https://console.developers.google.com). See the 
+[OmniAuth Google OAuth2 repo](https://github.com/zquestz/omniauth-google-oauth2) for more details.
 
 To use these environment variables in development mode:
 
@@ -106,4 +114,4 @@ Whiteboard was written by [Matthew Kocher](https://github.com/mkocher).
 
 License
 =======
-Whiteboard is MIT Licensed. See MIT-LICENSE for details.
+Whiteboard is MIT Licensed. See MIT-LICENSE for details.

app/controllers/application_controller.rb

@@ -5,7 +5,7 @@ class ApplicationController < ActionController::Base
 
   def require_login
     mapper = IpToStandupMapper.new
-    redirect_to '/auth/google_apps' unless session[:logged_in] || mapper.authorized?(ip_address_string: request.remote_ip)
+    redirect_to '/auth/google_oauth2' unless session[:logged_in] || mapper.authorized?(ip_address_string: request.remote_ip)
   end
 
   # Adds an outer container element around any yielded HTML.

app/controllers/sessions_controller.rb

@@ -2,7 +2,7 @@ class SessionsController < ApplicationController
   skip_before_filter :verify_authenticity_token, only: :create
 
   def create
-    session[:logged_in] = true if request.env['omniauth.auth']['info']['email'] =~ /.*@pivotal\.io/
+    session[:logged_in] = true
     session[:username] = request.env['omniauth.auth']['info']['name']
     redirect_to '/'
   end

config/initializers/omniauth.rb

@@ -1,3 +1,6 @@
 Rails.application.config.middleware.use OmniAuth::Builder do
-  provider :google_apps, domain: 'pivotal.io'
+  provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
+    {
+      hd: ENV['GOOGLE_CLIENT_DOMAIN'] || 'pivotal.io'
+    }
 end

config/routes.rb

@@ -24,6 +24,7 @@
     end
   end
 
+  get '/auth/:provider/callback', to: 'sessions#create'
   post '/auth/:provider/callback', to: 'sessions#create'
   get '/logout', to: 'sessions#destroy'
 

spec/controllers/application_controller_spec.rb

@@ -13,6 +13,6 @@
     allow(request).to receive(:remote_ip).and_return('')
     get :index
     response.should be_redirect
-    expect(response).to redirect_to 'http://test.host/auth/google_apps'
+    expect(response).to redirect_to 'http://test.host/auth/google_oauth2'
   end
 end

spec/controllers/sessions_controller_spec.rb

@@ -15,12 +15,6 @@
       post :create
       request.session['username'].should == 'Dennis'
     end
-
-    it "does not allow someone from outside pivotal.io to log in" do
-      request.env['omniauth.auth'] = { 'info' => { 'email' => '[email protected]' } }
-      post :create
-      request.session['logged_in'].should be_nil
-    end
   end
 
   describe '#destroy' do