Upgrade to OmniAuth CAS 3.x

* Display button on `UnauthorizedError` instead of redirecting to login.

* Use `ForbiddenError` instead of redirecting to login when a user
  that is not an admin tries to access an admin page in the section
  for ref cards/stack passes.

* Update specs.

Author: awilfox

.idea/altmedia.iml

@@ -24,8 +24,9 @@ gem 'lograge', '>=0.11.2'
 gem 'netaddr', '~> 1.5', '>= 1.5.1'
 gem 'net-ssh'
 gem 'okcomputer', '~> 1.19'
-gem 'omniauth', '~> 1.9', '>= 1.9.2'
-gem 'omniauth-cas', '~> 2.0'
+gem 'omniauth', '~> 2.1'
+gem 'omniauth-cas', '~> 3.0'
+gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'pg', '~> 1.2'
 gem 'prawn', '~> 2.4'
 gem 'puma', '~> 4.3', '>= 4.3.12'

Gemfile

@@ -276,13 +276,18 @@ GEM
       ostruct (>= 0.2)
     okcomputer (1.19.1)
       benchmark
-    omniauth (1.9.2)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
-      rack (>= 1.6.2, < 3)
-    omniauth-cas (2.0.0)
-      addressable (~> 2.3)
-      nokogiri (~> 1.5)
-      omniauth (~> 1.2)
+      logger
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-cas (3.0.2)
+      addressable (~> 2.8)
+      nokogiri (~> 1.12)
+      omniauth (~> 2.1)
+    omniauth-rails_csrf_protection (1.0.2)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
     ostruct (0.6.3)
     ougai (2.0.0)
       oj (~> 3.10)
@@ -310,6 +315,9 @@ GEM
     raabro (1.4.0)
     racc (1.8.1)
     rack (2.2.17)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rack-session (1.0.2)
       rack (< 3)
     rack-test (2.2.0)
@@ -533,8 +541,9 @@ DEPENDENCIES
   net-ssh
   netaddr (~> 1.5, >= 1.5.1)
   okcomputer (~> 1.19)
-  omniauth (~> 1.9, >= 1.9.2)
-  omniauth-cas (~> 2.0)
+  omniauth (~> 2.1)
+  omniauth-cas (~> 3.0)
+  omniauth-rails_csrf_protection (~> 1.0)
   pg (~> 1.2)
   prawn (~> 2.4)
   puma (~> 4.3, >= 4.3.12)

Gemfile.lock

@@ -64,7 +64,7 @@ def log_error(error)
       # this isn't really an error condition, it just means the user's
       # not logged in, so we don't need the full stack trace etc.
       logger.info(error.message)
-      redirect_to main_app.login_path(url: request.fullpath)
+      render :unauthorized, status: :unauthorized
     end
   end
   # rubocop:enable Metrics/BlockLength

app/controllers/concerns/exception_handling.rb

@@ -85,6 +85,6 @@ def validate_recaptcha!
 
   def require_admin!
     @user_is_admin = current_user.role?(Role.stackpass_admin)
-    redirect_to login_path(url: request.fullpath) unless @user_is_admin
+    raise Error::ForbiddenError unless @user_is_admin
   end
 end

app/controllers/reference_card_forms_controller.rb

@@ -10,12 +10,6 @@
 #
 # @see https://github.com/omniauth/omniauth
 class SessionsController < ApplicationController
-  # Redirect the user to Calnet for authentication
-  def new
-    redirect_args = { origin: params[:url] || home_path }.to_query
-    redirect_to "/auth/calnet?#{redirect_args}"
-  end
-
   # Generate a new user session using data returned from a valid Calnet login
   def callback
     logger.debug({ msg: 'Received omniauth callback', omniauth: auth_params })

app/controllers/sessions_controller.rb

@@ -87,6 +87,6 @@ def validate_recaptcha!
 
   def require_admin!
     @user_is_admin = current_user.role?(Role.stackpass_admin)
-    redirect_to login_path(url: request.fullpath) unless @user_is_admin
+    raise Error::ForbiddenError unless @user_is_admin
   end
 end

app/controllers/stack_pass_forms_controller.rb

@@ -0,0 +1,7 @@
+<h1>Unauthorized</h1>
+
+<p>You need to log in to continue.</p>
+
+<%= form_tag('/auth/calnet', url: request.original_url, method: :post, data: { turbo: false }) do %>
+  <%= button_tag 'CalNet Login', class: :calnet_login, role: :link %>
+<% end %>

app/views/application/unauthorized.html.erb

@@ -74,7 +74,6 @@
 
   # Omniauth automatically handles requests to /auth/:provider. We need only
   # implement the callback.
-  get '/login', to: 'sessions#new', as: :login
   get '/logout', to: 'sessions#destroy', as: :logout
   get '/auth/:provider/callback', to: 'sessions#callback', as: :omniauth_callback
   get '/auth/failure', to: 'sessions#failure'

config/routes.rb

@@ -120,8 +120,6 @@ def without_redirects
 
   def log_in_with_omniauth(auth_hash)
     OmniAuth.config.mock_auth[:calnet] = auth_hash
-    do_get login_path
-
     Rails.application.env_config['omniauth.auth'] = auth_hash
     do_get omniauth_callback_path(:calnet)
   end