anoubis_sso_server 0.1.0 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2d11db049bf5e4413b465e954d3489cb625fc4437780c3bbffbeaf7b6e77833
-  data.tar.gz: d228e1b0bbbb7e447c123991561877ed77fc43617ba2a7cf1ebae81f87286407
+  metadata.gz: '0148b84eeebcb0d63e3959c2bd2fe28baeae62a2f223d4e314b5fd3a9e4a9401'
+  data.tar.gz: 13ca48de82c3d0028bfe0e1954324a404f7a6db95ff7d2388d1c9772d8e4414a
 SHA512:
-  metadata.gz: f548746738ce2c783c4d03d87b2735e0e395665d9b45f3a13e628a090a0dd4624487a768580e60167b6e26ffb3bf0a81a4077234dfbdb4276ae990bb7465b6e2
-  data.tar.gz: 1956034a5e1d28e4ab066800e8143a3ba7101454c10fe7accd42642f9ecf336ad3acb2f59a9ca4c65fabeb567da1c46d1e1cebb4828193fce6430a81e086a15b
+  metadata.gz: bf848a61c3f01f4e1e5effa132c0d1a88a72a0f4f550fa00819aacb9482658d6ee2094b694849bb1742054c041eb37d0c1e6f9fe7b1798e26ae113907aed25e5
+  data.tar.gz: bedcc154d4636babacc398b3e86ac141bf7898013436104c8c27355cf30efd20c12726cae5f8812844d1bb7855e94dec425ad9fce2cc7257331a361296e8fc75

data/.env.sample

@@ -0,0 +1,3 @@
+DATABASE_USER=
+DATABASE_PASSWORD=
+DATABASE_NAME=

data/.rspec

@@ -1,3 +1,4 @@
---format documentation
 --color
 --require spec_helper
+--order rand
+--format doc

data/.ruby-version

@@ -1 +1 @@
-ruby-2.7.1
+ruby-3.0.0

data/CHANGELOG.md

@@ -1,4 +1,10 @@
-## [Unreleased]
+## [Released]
 
-## [0.1.0] - 2022-01-28
+## [1.0.2] - 2022-02-28
+- Action /api/1/auth was added.
+
+## [1.0.1] - 2022-02-27
+- Library was released.
+
+## [1.0.0] - 2022-01-28
 - Library was created.

data/Gemfile

@@ -5,8 +5,20 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in anoubis_sso_server.gemspec
 gemspec
 
-gem "rake", "~> 13.0"
+#gem "rake", "~> 13.0"
+#gem "rspec", "~> 3.0"
+#gem "rubocop", "~> 1.21"
+gem 'redis'
+gem 'jwt'
+gem 'anoubis', git: 'https://github.com/RA-Company/anoubis.git', branch: 'main'
 
-gem "rspec", "~> 3.0"
+#group :development, :test do
+#  gem "rspec-rails"
+  #gem "factory_bot_rails"
+#end
 
-gem "rubocop", "~> 1.21"
+group :test do
+  gem 'dotenv'
+  gem 'dotenv-rails'
+  gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
+end

data/README.md

@@ -1,8 +1,6 @@
 # AnoubisSsoServer
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/anoubis_sso_server`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+Gem for create simple SSO server, based on OAUTH2 authentication.
 
 ## Installation
 
@@ -20,9 +18,84 @@ Or install it yourself as:
 
     $ gem install anoubis_sso_server
 
+After it please install default migrations:
+
+    $ rails anoubis_sso_server:install:migrations
+    $ bundle exec rake db:migrate
+
 ## Usage
 
-TODO: Write usage instructions here
+By default system database isn't filled any data.
+
+For adding data to database please add this to db/seed.rb of your application.
+
+First of all add admin user to database:
+
+```ruby
+user = AnoubisSsoServer::User.where(email: '<your_email>').first
+unless user
+  user = AnoubisSsoServer::User.new
+  user.email = '<your_email>'
+  user.password = '<your_password>'
+  user.password_confirmation = '<your_password>'
+  user.name = '<your_name>'
+  user.surname = '<your_surname>'
+  user.save
+end
+```
+
+Please use strong password when create user login.
+
+Then add systems to database.
+
+```ruby
+system = AnoubisSsoServer::System.where(public: 'sso-system').first
+unless system
+  system = AnoubisSsoServer::System.new
+  system.title = 'SSO'
+  system.public = 'sso-system'
+  system.state = 'hidden'
+  system.save
+end
+
+ext_system = AnoubisSsoServer::System.where(public: '<system_identifier>').first
+unless ext_system
+  ext_system = AnoubisSsoServer::System.new
+  ext_system.title = '<system_name>'
+  ext_system.public = '<system_identifier>'
+  ext_system.request_uri = %w[https://<server_url>/silent-callback.html https://<server_url>/callback]
+  ext_system.save
+end
+```
+
+After this seed this data to database:
+
+    $ bundle exec rake db:seed
+
+## Configuration parameters
+
+This configuration parameters can be placed at files config/application.rb for global configuration or config/environments/<environment>.rb for custom environment configuration.
+
+```ruby
+config.anoubis_redis_prefix = '<sample-prefix>' # Redis prefix for store cache data (when many applications run in one physical server)
+config.anoubis_sso_server = 'https://sso.example.com/' # Full URL of SSO server (*required)
+config.anoubis_sso_system = 'sso-system' # Internal SSO system identifier (*required)
+config.anoubis_sso_origin = /^https:\/\/.*\.example\.com$/ # Regexp for prevent CORS access from others domain (*required)
+config.anoubis_sso_login_url = 'https://sso.example.com/login' # Full URL for login page. (By default calculate from config.anoubis_sso_server adding 'login') (*optional)
+config.anoubis_sso_silent_url = 'https://sso.example.com/silent.html' # Full URL for silent refresh page. (By default calculate from config.anoubis_sso_server adding 'silent.html') (*optional)
+config.anoubis_sso_user_model = 'AnoubisSsoServer::User'# Used user model. ()By default used AnoubisSsoServer::User model) (*optional)
+```
+
+Also pay attention on this configuration parameters:
+
+```ruby
+config.api_only = true # for API only application
+config.middleware.use ActionDispatch::Cookies # for attach cookies into the API application
+
+config.hosts.clear # for clearing allowed IP requests
+
+config.action_dispatch.default_headers.clear # for clear default response headers 
+```
 
 ## Development
 
@@ -30,9 +103,23 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Testing
+
+First of all create MySQL database and grant privileges to it.
+
+After that copy file `.env.sample` to `.env` and fill required fields like `DATABASE_NAME`, `DATABASE_USER` and `DATABASE_PASSWORD`.
+
+After it run migrate database to test environment:
+
+    $ bin/rails db:migrate RAILS_ENV=test DATABASE_USER=<user_name> DATABASE_PASSWORD=<user_password> DATABASE_NAME=<database_name>
+
+After all of this preparation you can start tests:
+
+    $ bundle exec rspec
+
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/anoubis_sso_server. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/anoubis_sso_server/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/RA-Company/anoubis_sso_server. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/RA-Company/anoubis_sso_server/blob/master/CODE_OF_CONDUCT.md).
 
 ## License
 
@@ -40,4 +127,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the AnoubisSsoServer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/anoubis_sso_server/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the AnoubisSsoServer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/RA-Company/anoubis_sso_server/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -10,3 +10,6 @@ require "rubocop/rake_task"
 RuboCop::RakeTask.new
 
 task default: %i[spec rubocop]
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'

data/app/controllers/anoubis_sso_server/application_controller.rb

@@ -0,0 +1,292 @@
+##
+# Main application class inherited from {https://www.rubydoc.info/gems/anoubis/Anoubis/ApplicationController Anoubis::ApplicationController}
+class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
+  ## Selected SSO system
+  attr_accessor :current_system
+
+  ## Returns main SSO server URL.
+  attr_accessor :sso_server
+
+  ## Returns SSO Login URL used for redirect when user isn't logged in.
+  attr_accessor :sso_login_url
+
+  ## Returns SSO silent url used for silent refresh token.
+  attr_accessor :sso_silent_url
+
+  ## Returns used User model
+  attr_accessor :user_model
+
+  ## Used sso_origin
+  attr_accessor :sso_origin
+
+  ##  Returns [Anoubis::Etc::Base] global system parameters
+  attr_accessor :etc
+
+  ##
+  # Current user
+  attr_accessor :current_user
+
+  ##
+  # Action fires before any other actions
+  def after_anoubis_initialization
+    if defined? params
+      self.etc = Anoubis::Etc::Base.new({ params: params })
+    else
+      self.etc = Anoubis::Etc::Base.new
+    end
+
+    if access_allowed?
+      options request.method.to_s.upcase
+    else
+      render_error_exit({ error: I18n.t('errors.access_not_allowed') })
+      return
+    end
+
+    if self.authenticate?
+      if self.authentication
+        if self.check_menu_access?
+          return if !self.menu_access params[:controller]
+        end
+      end
+    end
+
+    #puts etc.inspect
+  end
+
+  ##
+  # Check for site access. By default return true.
+  def access_allowed?
+    true
+  end
+
+  ##
+  # Checks if needed user authentication.
+  # @return [Boolean] if true, then user must be authenticated. By default application do not need authorization.
+  def authenticate?
+    false
+  end
+
+
+  ##
+  # Procedure authenticates user in the system
+  def authentication
+    session = get_oauth_session
+
+    unless session
+      render_error_exit code: -2, error: I18n.t('anoubis.errors.session_expired')
+      return
+    end
+
+    self.current_user = get_user_by_uuid session[:uuid]
+
+    unless current_user
+      self.redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
+      cookies[:oauth_session] = nil
+      render_error_exit code: -3, error: I18n.t('anoubis.errors.incorrect_user')
+      return
+    end
+  end
+
+  ##
+  # Gracefully terminate script execution with code 422 (Unprocessable entity). And JSON data
+  # @param data [Hash] Resulting data
+  # @option data [Integer] :code resulting error code
+  # @option data [String] :error resulting error message
+  def render_error_exit(data = {})
+    result = {
+      result: -1,
+      message: I18n.t('anoubis.error')
+    }
+
+    result[:result] = data[:code] if data.has_key? :code
+    result[:message] = data[:error] if data.has_key? :error
+
+
+    render json: result, status: :unprocessable_entity
+
+    begin
+      exit
+    rescue SystemExit => e
+      puts result[:message]
+    end
+  end
+
+  ##
+  # Returns main SSO server URL. Link should be defined in Rails.configuration.anoubis.sso_server configuration parameter
+  # @return [String] link to SSO server
+  def sso_server
+    @sso_server ||= get_sso_server
+  end
+
+  private def get_sso_server
+    begin
+      value = Rails.configuration.anoubis_sso_server
+    rescue StandardError
+      value = ''
+      render json: { error: 'Please setup Rails.configuration.anoubis_sso_server configuration variable' }
+    end
+
+    value
+  end
+
+  ##
+  # Returns SSO origin. Variable should be defined in Rails.configuration.anoubis.sso_origin configuration parameter
+  # @return [Regexp] regexp for check site origin
+  def sso_origin
+    @sso_origin ||= get_sso_origin
+  end
+
+  private def get_sso_origin
+    begin
+      value = Rails.configuration.anoubis_sso_origin
+    rescue StandardError
+      value = /^.*$/
+    end
+
+    value
+  end
+
+  ##
+  # Returns SSO Login URL used for redirect when user isn't logged in.
+  # Link can be redefined in Rails.configuration.anoubis_sso_login_url configuration parameter. If this variable isn't defined
+  # URL wil be defined as {sso_server}login
+  # @return [String] SSO login URL
+  def sso_login_url
+    @sso_login_url ||= get_sso_login_url
+  end
+
+  private def get_sso_login_url
+    begin
+      value = Rails.configuration.anoubis_sso_login_url
+    rescue
+      value = sso_server + 'login'
+    end
+
+    value
+  end
+
+  ##
+  # Returns SSO silent url used for silent refresh token.
+  # Link can be redefined in Rails.configuration.anoubis_sso_silent_url configuration parameter. If this variable isn't defined
+  # URL wil be defined as {sso_server}silent.html
+  # @return [String] SSO login URL
+  def sso_silent_url
+    @sso_silent_url ||= get_sso_silent_url
+  end
+
+  private def get_sso_silent_url
+    begin
+      value = Rails.configuration.anoubis_sso_silent_url
+    rescue
+      value = sso_server + 'silent.html'
+    end
+
+    value
+  end
+
+  ##
+  # Returns SSO User model.
+  # Can be redefined in Rails.application configuration_anoubis_sso_user_model configuration parameter.
+  # By default returns {AnoubisSsoServer::User} model class
+  # @return [Class] User model class
+  def user_model
+    @user_model ||= get_user_model
+  end
+
+  private def get_user_model
+    begin
+      value = Object.const_get Rails.configuration.anoubis_sso_user_model
+    rescue
+      value = AnoubisSsoServer::User
+    end
+
+    value
+  end
+
+  ##
+  # Returns current SSO system data
+  # @param system_title [String] - System public UUID parameter. By default load from Rails.application configuration_anoubis_sso_system configuration parameter.
+  # @return [AnoubisSsoServer::System] current SSO system
+  def get_current_system(system_title = nil)
+    begin
+      system_title = Rails.configuration.anoubis_sso_system unless system_title
+      system = AnoubisSsoServer::System.new(JSON.parse(redis.get("#{redis_prefix}system:#{system_title}"),{ symbolize_names: true }))
+    rescue
+      system = nil
+    end
+
+    system
+  end
+
+  ##
+  # Check current origin of header by Regexp defined in Rails.configuration.anoubis_sso_origin configuration parameter
+  # @return [Boolean] request host origin validation
+  def check_origin
+    return true unless request.origin
+
+    request.origin.match(sso_origin)
+  end
+
+  ##
+  # Return OAUTH session for current request. Session name gets from cookies. If session present but it's timeout was expired, then session regenerated.
+  def get_oauth_session
+    if cookies.key? :oauth_session
+      begin
+        session = JSON.parse(self.redis.get("#{redis_prefix}session:#{cookies[:oauth_session]}"),{ symbolize_names: true })
+      rescue
+        cookies[:oauth_session] = nil
+        session = nil
+      end
+    end
+
+    if session
+      if session[:ttl] < Time.now.utc.to_i
+        session_name = SecureRandom.uuid
+        session[:ttl] = Time.now.utc.to_i + session[:timeout]
+        redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
+        cookies[:oauth_session] = session_name
+        redis.set("#{redis_prefix}session:#{session_name}", session.to_json, ex: 86400)
+      end
+    end
+
+    session
+  end
+
+  ##
+  # Returns user by UUID from the Redis cache or from database. If User isn't present in cache than User is loaded from database and placed to cache.
+  # @param uuid [String] UUID of user
+  # @return [Class] Returns user class
+  def get_user_by_uuid(uuid)
+    begin
+      user = user_model.new JSON.parse(redis.get("#{redis_prefix}user:#{uuid}"),{ symbolize_names: true })
+    rescue
+      user = nil
+    end
+
+    return user if user
+
+    user = user_model.where(uuid: uuid).first
+    return nil unless user
+
+    redis.set("#{redis_prefix}user:#{uuid}", user.to_json(except: :password_digest))
+
+    user
+  end
+
+  ##
+  # Check parameters
+  # @param list [Array] Array of parameters to check
+  def check_listed_parameters(list)
+    list.each do |key|
+      return I18n.t('anoubis.errors.is_not_defined', title: key) unless params.key? key.to_sym
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key) unless params[key.to_sym]
+
+      params[key.to_sym].strip!
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key)  if params[key.to_sym] == ''
+    end
+
+    nil
+  end
+end

data/app/controllers/anoubis_sso_server/data_controller.rb

@@ -0,0 +1,5 @@
+##
+# Data controller class. Defines authorized actions.
+class AnoubisSsoServer::DataController < AnoubisSsoServer::ApplicationController
+
+end

data/app/controllers/anoubis_sso_server/index_controller.rb

@@ -0,0 +1,50 @@
+##
+# Index controller class. Output system actions
+class AnoubisSsoServer::IndexController < AnoubisSsoServer::ApplicationController
+
+  ##
+  # Default dashboard action
+  def dashboard
+    result = {
+      result: 0,
+      message: I18n.t('anoubis.success'),
+      data: {
+        name: current_user.name,
+        surname: current_user.surname,
+        email: current_user.email,
+        id: current_user.public
+      }
+    }
+
+    render json: result
+  end
+
+  ##
+  # Output allowed menu items
+  def menu
+    result = {
+      result: 0,
+      message: I18n.t('anoubis.success'),
+      menu: [
+        {
+          mode: 'dashboard',
+          title: I18n.t('anoubis.install.menu.dashboard.title'),
+          page_title: I18n.t('anoubis.install.menu.dashboard.page_title'),
+          short_title: I18n.t('anoubis.install.menu.dashboard.short_title'),
+          position: 0,
+          tab: 0,
+          action: 'data',
+          access: 'write',
+          state: 'show',
+          parent: nil
+        }
+      ]
+    }
+
+    render json: result
+  end
+
+  def authenticate?
+    true
+  end
+end

data/app/controllers/anoubis_sso_server/main_controller.rb

@@ -0,0 +1,126 @@
+##
+# Main controller class. Defines basic internal SSO actions.
+class AnoubisSsoServer::MainController < AnoubisSsoServer::ApplicationController
+  ##
+  # Login action for SSO server.
+  #
+  # <b>API request:</b>
+  #   GET /api/<version>/login
+  #
+  # <b>Parameters:</b>
+  # - <b>login</b> (String) --- user email address <i>(required field)</i>
+  # - <b>password</b> (String) --- user password <i>(required field)</i>
+  # - <b>locale</b> (String) --- the output language locale <i>(optional value)</i>
+  # - <b>code</b> (String) --- login code for redirect <i>(optional value, default: 0)</i>
+  #
+  # <b>Request example:</b>
+  #   curl --header "Content-Type: application/json" http://<server>:<port>/api/<api-version>/login=admin@example.com&password=password&locale=en
+  #
+  # <b>Results:</b>
+  #
+  # Resulting data returns as redirect to silent URL with login result.
+
+  def login
+    redirect_url = sso_silent_url
+    redirect_url += redirect_url.index('?') ? '&' : '?'
+
+    unless params[:login]
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.fields.login')), { allow_other_host: true }
+      return
+    end
+
+    unless params[:password]
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.fields.password')), { allow_other_host: true }
+      return
+    end
+
+    usr = user_model.where(email: params[:login]).first
+
+    unless usr
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.incorrect_login')), { allow_other_host: true }
+      return
+    end
+
+    unless usr.authenticate(params[:password])
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.incorrect_login')), { allow_other_host: true }
+      return
+    end
+
+    self.current_system = get_current_system
+
+    unless current_system
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.system_not_defined')), { allow_other_host: true }
+      return
+    end
+
+    code = nil
+    if params[:code]
+      begin
+        code = JSON.parse(self.redis.get("#{redis_prefix}login_code:#{params[:code]}"),{ symbolize_names: true })
+      rescue
+
+      end
+    end
+
+    session_name = SecureRandom.uuid
+    session = {
+      id: usr.id,
+      uuid: usr.uuid,
+      ttl: Time.now.utc.to_i + current_system[:ttl],
+      timeout: current_system[:ttl]
+    }
+
+    cookies[:oauth_session] = session_name
+    redis.set("#{redis_prefix}session:#{session_name}", session.to_json, ex: 86400)
+
+    unless code
+      redirect_to redirect_url + "code=0", { allow_other_host: true }
+    else
+      auth_code = SecureRandom.uuid
+      redis.set("#{redis_prefix}auth_code:#{auth_code}", params[:code], ex: 600)
+      redirect_to redirect_url + "code=#{auth_code}", { allow_other_host: true }
+    end
+  end
+
+  ##
+  # Procedure check current login status of user and redirect to URL used for call /openid/oauth2/auth.
+  def auth
+    redirect_url = sso_silent_url
+    redirect_url += redirect_url.index('?') ? '&' : '?'
+
+    err = check_listed_parameters %w[code]
+
+    if err
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(err), { allow_other_host: true }
+      return
+    end
+
+    begin
+      session = JSON.parse(redis.get("#{redis_prefix}session:#{cookies[:oauth_session]}"), { symbolize_names: true })
+    rescue StandardError
+      session = nil
+      cookies[:oauth_session] = nil
+    end
+
+    unless session
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.session_expired')), { allow_other_host: true }
+      return
+    end
+
+    begin
+      auth_code = redis.get("#{redis_prefix}auth_code:#{params[:code]}")
+      code = JSON.parse(redis.get("#{redis_prefix}login_code:#{auth_code}"), { symbolize_names: true })
+    rescue StandardError
+      code = nil
+    end
+
+    unless code
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.is_not_correct', title: 'code')), { allow_other_host: true }
+      return
+    end
+
+    self.redis.del("#{redis_prefix}auth_code:#{params[:code]}")
+    self.redis.del("#{redis_prefix}login_code:#{auth_code}")
+    redirect_to code[:original_url], { allow_other_host: true }
+  end
+end