federated attributes for GitHub

refs CNVS-28864 Change-Id: Ic17cc3bcca94d4b320a95a0dda09df15c2ee2d4a Reviewed-on: https://gerrit.instructure.com/81363 Tested-by: Jenkins QA-Review: Benjamin Christian Nelson <bcnelson@instructure.com> Reviewed-by: Rob Orton <rob@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
2016-06-02 14:30:21 -06:00 · 2016-06-02 14:30:21 -06:00 · 59c345713f
parent 0a66c4f761
commit 59c345713f
2 changed files with 40 additions and 5 deletions
--- a/app/controllers/account_authorization_configs_controller.rb
+++ b/app/controllers/account_authorization_configs_controller.rb
@ -358,6 +358,11 @@ class AccountAuthorizationConfigsController < ApplicationController
  #   The attribute to use to look up the user's login in Canvas. Either
  #   'id' (the default), or 'login'
  #
+  # - federated_attributes [Optional]
+  #
+  #   See FederatedAttributesConfig. Valid provider attributes are 'email',
+  #   'id', 'login', and 'name'.
+  #
  # For Google, the additional recognized parameters are:
  #
  # - client_id [Required]
--- a/app/models/account_authorization_config/git_hub.rb
+++ b/app/models/account_authorization_config/git_hub.rb
@ -29,6 +29,20 @@ class AccountAuthorizationConfig::GitHub < AccountAuthorizationConfig::Oauth2
    [ :login_attribute, :jit_provisioning ].freeze
  end

+  def self.login_attributes
+    ['id'.freeze, 'email'.freeze, 'login'.freeze].freeze
+  end
+  validates :login_attribute, inclusion: login_attributes
+
+  def self.recognized_federated_attributes
+    [
+      'email'.freeze,
+      'id'.freeze,
+      'login'.freeze,
+      'name'.freeze
+    ].freeze
+  end
+
  # Rename db field
  def domain=(val)
    self.auth_host = val
@ -39,14 +53,12 @@ class AccountAuthorizationConfig::GitHub < AccountAuthorizationConfig::Oauth2
  end

  def unique_id(token)
-    token.options[:mode] = :query
-    token.get('user').parsed[login_attribute].to_s
+    user(token)[login_attribute].to_s
  end

-  def self.login_attributes
-    ['id'.freeze, 'login'.freeze].freeze
+  def provider_attributes(token)
+    user(token)
  end
-  validates :login_attribute, inclusion: login_attributes

  def login_attribute
    super || 'id'.freeze
@ -54,6 +66,24 @@ class AccountAuthorizationConfig::GitHub < AccountAuthorizationConfig::Oauth2

  protected

+  def user(token)
+    token.options[:user] ||= begin
+      token.options[:mode] = :query
+      user = token.get('user').parsed
+      if !user['email'] && authorize_options[:scope]
+        user['email'] = token.get('user/emails').parsed.find { |e| e['primary'] }.try(:[], 'email')
+      end
+      user
+    end
+  end
+
+  def authorize_options
+    res = {}
+    res[:scope] = 'user:email' if login_attribute == 'email' ||
+        federated_attributes.any? { |(_k, v)| v['attribute'] == 'email' }
+    res
+  end
+
  def client_options
    {
        site: domain.present? ? "https://#{domain}/api/v3" : 'https://api.github.com'.freeze,