dlindahl / omniauth-cas

A CAS OmniAuth Strategy
MIT License

Cannot logout Gitlab from CAS logout #36

Closed novaforge closed 9 years ago

novaforge commented 9 years ago

Hi, I'm trying to use omniauth-cas v1.1.0 with Gitlab 7.3.1 and I ran into some trouble with CAS logout.

Firstly, Gitlab does not work yet with omniauth 1.2.0, so I had to downgrade the dependency to omniauth 1.1.0 in omniauth-cas.gemspec.

Secondly, I had no trouble logging in with CAS, but on logout using /cas/logout, omniauth-cas crashes because I do not know how to use the "on_single_sign_out" option:

Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"logoutRequest"=>"<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"LR-6-ztDqay1xsaBBxderXxmkfZGnEH5CNG6h6yU\" Version=\"2.0\" IssueInstant=\"2014-11-14T14:52:03Z\"><saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-6-P4Z4Sr2WbtxLBnOwcvL5-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>", "url"=>"https://gitlab/gitlab-default/gitlab/users/sign_in"}
Can't verify CSRF token authenticity
Redirected to https://gitlab/gitlab-default/gitlab/users/sign_in
Completed 302 Found in 8ms (ActiveRecord: 0.0ms)

NoMethodError (undefined method `[]' for nil:NilClass):
  rack (1.5.2) lib/rack/etag.rb:30:in `call'
  rack (1.5.2) lib/rack/conditionalget.rb:35:in `call'
  rack (1.5.2) lib/rack/head.rb:11:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/flash.rb:254:in `call'
  rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.1.1) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.1.1) lib/active_record/connection_adapters/abstract/connection_pool.rb:621:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.1.1) lib/active_support/callbacks.rb:82:in `run_callbacks'
  actionpack (4.1.1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.1.1) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.1.1) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.1.1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.1.1) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.1.1) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.1.1) lib/rails/rack/logger.rb:20:in `call'
  actionpack (4.1.1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
  rack (1.5.2) lib/rack/runtime.rb:17:in `call'
  rack (1.5.2) lib/rack/lock.rb:17:in `call'
  rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
  railties (4.1.1) lib/rails/engine.rb:514:in `call'
  railties (4.1.1) lib/rails/application.rb:144:in `call'
  railties (4.1.1) lib/rails/railtie.rb:194:in `public_send'
  railties (4.1.1) lib/rails/railtie.rb:194:in `method_missing'
  rack (1.5.2) lib/rack/builder.rb:138:in `call'
  rack (1.5.2) lib/rack/urlmap.rb:65:in `block in call'
  rack (1.5.2) lib/rack/urlmap.rb:50:in `each'
  rack (1.5.2) lib/rack/urlmap.rb:50:in `call'
  unicorn (4.6.3) lib/unicorn/http_server.rb:552:in `process_client'
  unicorn-worker-killer (0.4.2) lib/unicorn/worker_killer.rb:51:in `process_client'
  unicorn (4.6.3) lib/unicorn/http_server.rb:632:in `worker_loop'
  unicorn (4.6.3) lib/unicorn/http_server.rb:500:in `spawn_missing_workers'
  unicorn (4.6.3) lib/unicorn/http_server.rb:142:in `start'
  unicorn (4.6.3) bin/unicorn:126:in `<top (required)>'
  /opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/unicorn:23:in `load'
  /opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/unicorn:23:in `<main>'

Here is my "simple" configuration file:

providers:

Of course, I'm new to Ruby ;)

Cheers,

novaforge commented 9 years ago

@dlindahl do you have any idea how to configure the "on_single_sign_out" option?

I would really appreciate any help you can provide ;)

novaforge commented 9 years ago

@dlindahl My first issue about "Can't verify CSRF token authenticity" came from an error in the logout_request method: "Undefined namespace prefix: //saml:NameID".

I changed the code as below and the error was gone.

```ruby
saml = Nokogiri::XML(@request.params['logoutRequest'])
# Drop the samlp:/saml: prefixes so the XPath below needs no namespace mapping
saml.remove_namespaces!
name_id  = saml.xpath('LogoutRequest/NameID').text
sess_idx = saml.xpath('LogoutRequest/SessionIndex').text
```

Unfortunately, after that nothing happens; my user is still logged on. I have tried to declare the following, but I don't know what to implement to delete the user's session from its service ticket.

```ruby
option :on_single_sign_out, Proc.new { |request|
  rack_input = request.env['rack.input'].read
  params = Rack::Utils.parse_query(rack_input, '&')

  # Take whatever action is necessary to remove any local reference to the user's session

  # -->>> Don't know what to do here!
}
```

I guess I need to retrieve the session from the ticket, but as omniauth-cas doesn't use a CAS client I have no access to it. Do you have any idea about it?

Thanks.

novaforge commented 9 years ago

I got logout support working. I needed to make some changes; I am not a Ruby dev, so the following needs to be cleaned up:

  1. Enable the Active Record store for sessions
    • Add the gem activerecord-session_store to your Gemfile
    • Enable :active_record_store in your application's session_store settings
  2. I patched the activerecord-session gem, creating a new ActiveRecord model called SessionTicket used to store the session and its CAS ticket.
  3. I patched the omniauth-cas gem, correcting issues when parsing the logout request, and adding a lambda to destroy the session from the ticket included in the CAS request.

You can consider this issue closed.

EDIT: I cannot attach the patch files for activerecord-session or omniauth-cas, feel free to contact me if you need them.
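An added example, not code from omniauth-cas or from this thread, sketching the handler the two previous comments describe: namespace-aware parsing of the CAS LogoutRequest (the "Undefined namespace prefix" fix) plus the ticket-to-session mapping that the SessionTicket record provides, so single sign-out can destroy the right local session. It uses Ruby's stdlib REXML and CGI instead of Nokogiri and Rack so it runs stand-alone; SessionTicketStore, handle_single_sign_out and the sample request are assumptions.

```ruby
require 'cgi'
require 'rexml/document'

SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'.freeze

# Constructed sample, shaped like the logoutRequest parameter in the log above.
SAMPLE_XML = '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-example" Version="2.0" IssueInstant="2014-11-14T14:52:03Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-example-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>'
SAMPLE_BODY = "logoutRequest=#{CGI.escape(SAMPLE_XML)}"

# Pull the service ticket out of a SAML LogoutRequest. The prefix is bound to its
# namespace URI for the XPath engine, which is what "Undefined namespace prefix" was about.
def ticket_from_logout_request(xml)
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '/samlp:LogoutRequest/samlp:SessionIndex', 'samlp' => SAMLP_NS)
  return nil if node.nil?
  ticket = node.text.to_s.strip
  ticket.start_with?('ST-') ? ticket : nil # CAS puts the service ticket in SessionIndex
rescue REXML::ParseException
  nil
end

# In-memory stand-in (assumption) for the SessionTicket table: ticket => session id.
class SessionTicketStore
  def initialize
    @by_ticket = {}
    @sessions = {}
  end

  # Record at login which local session a CAS service ticket opened.
  def register(ticket, session_id, user)
    @by_ticket[ticket] = session_id
    @sessions[session_id] = user
  end

  def logged_in?(session_id)
    @sessions.key?(session_id)
  end

  # Destroy the session tied to a ticket; true only if a session was really removed.
  def destroy_by_ticket(ticket)
    session_id = @by_ticket.delete(ticket)
    !session_id.nil? && !@sessions.delete(session_id).nil?
  end
end

# Body of an on_single_sign_out handler: CAS POSTs the request as a form field,
# so the raw rack input is decoded as application/x-www-form-urlencoded first.
def handle_single_sign_out(rack_input, store)
  xml = CGI.parse(rack_input).fetch('logoutRequest', []).first
  ticket = xml && ticket_from_logout_request(xml)
  ticket ? store.destroy_by_ticket(ticket) : false
end
```

Because the handler only acts on a ticket it recorded at login, a LogoutRequest naming an unknown or already-used ticket removes nothing, which is the check to keep when moving the mapping into a real SessionTicket table.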

senscombo commented 8 years ago

Hi, I encounter the problem: when logging out, GitLab doesn't redirect to CAS to log out. Could anyone help me?

samgville commented 6 years ago

@novaforge Hey! I sent you an email because I need those patched files, or perhaps a more straightforward explanation of how you made this work. Thanks in advance!

jgribonvald commented 2 years ago

@novaforge @samgville do you have a patched version with the activerecord-session embedded into an omniauth-cas version? Because with a gem you can point to a specific GitHub repository when needed, so it's easy to fork and fix that way. In my mind this option should be provided with omniauth-cas, with an option that enables the active record store. I can try to make this version, but if you already have the patch, could you do that or provide me the patches? Thanks in advance.