anoubis_sso_server 0.1.1 → 1.0.1

data/app/controllers/anoubis_sso_server/open_id_controller.rb

@@ -0,0 +1,337 @@
+##
+# OpenID controller class. Defines any OpenID actions according by specification.
+class AnoubisSsoServer::OpenIdController < AnoubisSsoServer::ApplicationController
+
+  ##
+  # Action returns {https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse Provider OpenID configuration}.
+  #
+  # Default path: /openid/.well-known/openid-configuration
+  # @return [Hash] Current OpenID configuration
+  def configuration
+    result = {
+      issuer: sso_server + 'openid/',
+      authorization_endpoint: sso_server + 'openid/oauth2/auth',
+      token_endpoint: sso_server + 'openid/oauth2/token',
+      jwks_uri: sso_server + 'openid/.well-known/jwks.json',
+      subject_types_supported: %w[public],
+      #response_types_supported: ['code', 'code id_token', 'id_token', 'token id_token', 'token', 'token id_token code'],
+      response_types_supported: %w[code],
+      claims_supported: %w[sub],
+      #grant_types_supported: ['authorization_code', 'implicit', 'client_credentials', 'refresh_token'],
+      grant_types_supported: %w[authorization_code],
+      response_modes_supported: %w[query fragment],
+      userinfo_endpoint: sso_server + 'openid/userinfo',
+      scopes_supported: %w[offline_access offline openid'],
+      token_endpoint_auth_methods_supported: %w[client_secret_post client_secret_basic private_key_jwt none],
+      userinfo_signing_alg_values_supported: %w[none RS256],
+      id_token_signing_alg_values_supported: %w[RS256],
+      request_parameter_supported: true,
+      request_uri_parameter_supported: true,
+      require_request_uri_registration: true,
+      claims_parameter_supported: false,
+      revocation_endpoint: sso_server + 'openid/oauth2/revoke',
+      backchannel_logout_supported: true,
+      backchannel_logout_session_supported: true,
+      frontchannel_logout_supported: true,
+      frontchannel_logout_session_supported: true,
+      end_session_endpoint: sso_server + 'openid/oauth2/sessions/logout',
+      request_object_signing_alg_values_supported: %w[RS256 none],
+      code_challenge_methods_supported: %w[plain S256]
+    }
+
+    render json: result
+  end
+
+  ##
+  # Action returns OpenID JWKs.
+  #
+  # Default path: /openid/.well-known/jwks.json
+  # @return [Hash] Current JWKs
+  def jwks
+    begin
+      jwks_cache = JSON.parse(self.redis.get("#{redis_prefix}jwks"),{ symbolize_names: true })
+    rescue StandardError => e
+      jwks_cache = generate_jwks
+    end
+
+    redis.set "#{redis_prefix}jwks", jwks_cache.to_json, ex: 3600
+
+    render json: jwks_cache
+  end
+
+  ##
+  # Action for check user authorization for current browser.
+  def auth
+    result = {
+      result: -1
+    }
+
+    params[:prompt] = 'is' unless params.key? :prompt
+    params[:prompt] = 'is' if params[:prompt] != 'none'
+
+    err = check_basic_parameters
+
+    if err
+      result[:message] = err
+      return render(json: result)
+    end
+
+    sign = params[:redirect_uri].index('?') ? '&' : '?'
+
+    err = check_listed_parameters %w[response_type scope code_challenge code_challenge_method state]
+
+    if err
+      result[:message] = err
+      return if redirect_to_uri result[:message], sign
+      return render(json: result)
+    end
+
+    unless %w[code].include? params[:response_type]
+      result[:message] = I18n.t('anoubis.errors.is_not_correct', title: 'response_type')
+      return if redirect_to_uri result[:message], sign
+      return render(json: result)
+    end
+
+    scopes = params[:scope].split(' ')
+
+    params[:code_challenge_method] = params[:code_challenge_method].downcase
+    unless %w[s256].include? params[:code_challenge_method]
+      result[:message] = I18n.t('anoubis.errors.is_not_correct', title: 'code_challenge_method')
+      return if self.redirect_to_uri result[:message], sign
+      return render(json: result)
+    end
+
+    if params[:state].length < 6
+      result[:message] = I18n.t('anoubis.errors.less_than', title: 'state', size: 6)
+      return if self.redirect_to_uri result[:message], sign
+      return render(json: result)
+    end
+
+    original_url = request.url[8..]
+    original_url = original_url[(original_url.index('/') + 1)..]
+
+    code = SecureRandom.uuid
+    code_hash = {
+      scope: scopes,
+      code_challenge: params[:code_challenge],
+      request_uri: params[:redirect_uri],
+      state: params[:state],
+      client_id: params[:client_id],
+      original_url: sso_server + original_url
+    }
+
+    session = self.get_oauth_session
+
+    if session
+      user = get_user_by_uuid session[:uuid]
+
+      if user
+        code_hash[:uuid] = user.uuid
+        redis.set("#{redis_prefix}code:#{code}", code_hash.to_json, ex: 6000)
+        redirect_to "#{params[:redirect_uri]}#{sign}state=#{params[:state]}&scope=#{params[:scope]}&code=#{code}", { allow_other_host: true }
+        return
+      else
+        redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
+        cookies[:oauth_session] = nil
+      end
+    end
+
+    result[:message] = I18n.t('anoubis.errors.login_required')
+
+    if params[:prompt] == 'none'
+      redirect_to params[:redirect_uri] + sign + 'error=' + ERB::Util.url_encode(result[:message]), { allow_other_host: true }
+      return
+    end
+
+    url = sso_login_url
+    url += url.index('?') ? '&' : '?'
+    redis.set("#{redis_prefix}login_code:#{code}", code_hash.to_json, ex: 3600)
+    redirect_to "#{url}code=#{code}", { allow_other_host: true }
+  end
+
+  ##
+  # Action makes access token based on defined parameters
+  def access_token
+    result = {
+      result: -1
+    }
+
+    params[:prompt] == 'yes'
+
+    err = check_basic_parameters
+
+    if err
+      result[:message] = err
+      return render(json: result)
+    end
+
+    err = check_listed_parameters %w[scope code code_verifier grant_type]
+
+    if err
+      result[:message] = err
+      return render(json: result)
+    end
+
+    begin
+      code = JSON.parse(redis.get("#{redis_prefix}code:#{params[:code]}"),{ symbolize_names: true })
+    rescue
+      code = nil
+    end
+
+    if !code || code.class != Hash
+      result[:message] = I18n.t('anoubis.errors.is_not_correct', title: 'code')
+      return render(json: result)
+    end
+
+    str = Digest::SHA256.base64digest(params[:code_verifier]).tr("+/", "-_").tr("=", "")
+
+    if code[:code_challenge] != str
+      result[:message] = I18n.t('anoubis.errors.is_not_correct', title: 'code_verifier')
+      return render(json: result)
+    end
+
+    if code[:request_uri] != params[:redirect_uri]
+      result[:error] = I18n.t('anoubis.errors.is_not_correct', title: 'request_uri')
+      return render(json: result)
+    end
+
+    header = {
+      alg: "RS256",
+      kid: "public:#{current_system.public}",
+      typ: "JWT"
+    }
+
+    user = get_user_by_uuid code[:uuid]
+
+    payload = {
+      aud: [],
+      client_id: current_system.uuid,
+      exp: Time.now.utc.to_i + current_system.ttl,
+      ext: {},
+      iat: Time.now.utc.to_i,
+      nbf: Time.now.utc.to_i,
+      iss: "#{sso_server}openid/",
+      jti: SecureRandom.uuid,
+      sub: SecureRandom.uuid,
+      scp: []
+    }
+
+    keys = JWT::JWK.import(current_system.jwk)
+
+    user_payload = {
+      aud: [current_system.public],
+      auth_time: Time.now.utc.to_i,
+      exp: Time.now.utc.to_i + current_system.ttl,
+      iss: "#{sso_server}openid/",
+      jti: SecureRandom.uuid,
+      sid: SecureRandom.uuid,
+      sub: SecureRandom.uuid,
+      iat: Time.now.utc.to_i,
+      rat: Time.now.utc.to_i - 1
+    }
+
+    user_payload[:email] = user.email if code[:scope].include? 'email'
+
+    if code[:scope].include? 'profile'
+      user_payload[:name] = user.name
+      user_payload[:surname] = user.surname
+    end
+
+    result = {
+      access_token: JWT.encode(payload, keys.keypair, 'RS256', header),
+      expires_in: current_system.ttl,
+      scope: code[:scope],
+      token_type: 'bearer',
+      id_token: JWT.encode(user_payload, keys.keypair, 'RS256', header),
+    }
+
+    token_hash = {
+      uuid: user.uuid
+    }
+
+    self.redis.set("#{redis_prefix}token:#{result[:access_token]}", token_hash.to_json, ex: current_system.ttl)
+    self.redis.del("#{redis_prefix}code:#{params[:code]}")
+
+    options
+
+    render json: result
+  end
+
+  ##
+  # Clear default session
+  def logout
+    redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
+    cookies[:oauth_session] = nil
+    redirect_to sso_login_url, { allow_other_host: true }
+  end
+
+  ##
+  # Check basic oauth parameters (client_id, redirect_uri)
+  def check_basic_parameters
+    return I18n.t('anoubis.errors.is_not_defined', title: 'client_id') unless params.key? :client_id
+
+    @current_system = self.get_current_system params[:client_id]
+
+    return I18n.t('anoubis.errors.is_not_correct', title: 'client_id') unless current_system
+
+    return I18n.t('anoubis.errors.is_not_defined', title: 'redirect_uri') unless params.key? :redirect_uri
+
+    return I18n.t('anoubis.errors.is_not_correct', title: 'redirect_uri') unless current_system.request_uri.include? params[:redirect_uri]
+
+    nil
+  end
+
+  ##
+  # Check parameters
+  # @param list [Array] Array of parameters to check
+  def check_listed_parameters(list)
+    list.each do |key|
+      return I18n.t('anoubis.errors.is_not_defined', title: key) unless params.key? key.to_sym
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key) unless params[key.to_sym]
+
+      params[key.to_sym].strip!
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key)  if params[key.to_sym] == ''
+    end
+
+    nil
+  end
+
+  ##
+  # Check if page should be redirected to url
+  # @param error [String] Error message
+  # @param sign [String] Redirect url sign (? or &)
+  # @return [Boolean] return 'true' if page should be redirected
+  def redirect_to_uri(error, sign)
+    if params[:prompt] == 'none'
+      redirect_to params[:redirect_uri] + sign + 'error=' + ERB::Util.url_encode(error), { allow_other_host: true }
+      return true
+    end
+
+    false
+  end
+
+  ##
+  # Procedure generates keys according by used systems. Data is loaded from {AnoubisSsoServer::System}.
+  # @return [Hash] Hash ow JWK keys
+  def generate_jwks
+    result = {
+      keys: []
+    }
+
+    AnoubisSsoServer::System.where(state: 'opened').each do |sys|
+      key = {
+        use: 'sig',
+        kty: sys.jwk[:kty],
+        kid: "public:#{sys.uuid}",
+        alg: 'RS256',
+        n: sys.jwk[:n],
+        e: sys.jwk[:e]
+      }
+      result[:keys].push key
+    end
+
+    result
+  end
+end

data/app/models/anoubis_sso_server/application_record.rb

@@ -1,2 +1,5 @@
-class ApplicationRecord < Anoubis::ApplicationRecord
+##
+# Main Active Record object inherited from {https://www.rubydoc.info/gems/anoubis/Anoubis/ApplicationRecord Anoubis::ApplicationRecord}
+class AnoubisSsoServer::ApplicationRecord < Anoubis::ApplicationRecord
+  self.abstract_class = true
 end

data/app/models/anoubis_sso_server/system.rb

@@ -0,0 +1,68 @@
+##
+# Default System class
+class AnoubisSsoServer::System < AnoubisSsoServer::ApplicationRecord
+  self.table_name = 'systems'
+
+  before_validation :before_validation_sso_server_system_on_create, on: :create
+  before_save :before_save_sso_server_system
+  after_save :after_save_sso_server_system
+  after_destroy :after_destroy_sso_server_system
+
+  validates :title, presence: true, length: { maximum: 100 }
+  validates :uuid, presence: true, length: { maximum: 40 }, uniqueness: { case_sensitive: true }
+  validates :public, presence: true, length: { maximum: 40 }, uniqueness: { case_sensitive: true }
+
+  enum state: { opened: 0, hidden: 1 }
+
+  ##
+  # Fires before create system. Procedure generates public and private UUID and RSA keypair
+  def before_validation_sso_server_system_on_create
+    self.uuid = setup_private_system_id
+    self.public = setup_public_system_id unless public
+    self.request_uri = [] unless request_uri
+
+    keys = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+    self.jwk = keys.export include_private: true
+  end
+
+  ##
+  # Procedure setup private user identifier. Procedure can be redefined.
+  # @return [String] public user identifier
+  def setup_private_system_id
+    SecureRandom.uuid
+  end
+
+  ##
+  # Procedure setup public user identifier. Used for open API. Procedure can be redefined.
+  # @return [String] public user identifier
+  def setup_public_system_id
+    SecureRandom.uuid
+  end
+
+  ##
+  # Returns JWK information
+  # @return [Hash] JWK information
+  def jwk
+    @jwk ||= super.deep_symbolize_keys!
+  end
+
+  ##
+  # Fires before System was saved to SQL database. Delete old system cache if public identifier was changed.
+  def before_save_sso_server_system
+    redis.del "#{redis_prefix}system:#{public_was}" if public_was && public != public_was
+  end
+
+  ##
+  # Fires after System was saved to SQL database and setup system cache in Redis database for fast access.
+  def after_save_sso_server_system
+    redis.set("#{redis_prefix}system:#{public}", { uuid: uuid, public: public, request_uri: request_uri, jwk: jwk, ttl: ttl }.to_json )
+    redis.del "#{redis_prefix}jwks"
+  end
+
+  ##
+  # Fires after System was destroyed. Clears all systems caches.
+  def after_destroy_sso_server_system
+    redis.del "#{redis_prefix}system:#{public}"
+    redis.del "#{redis_prefix}jwks"
+  end
+end

data/app/models/anoubis_sso_server/user.rb

@@ -1,13 +1,16 @@
-class AnoubisSsoServer::User < ApplicationRecord
+##
+# Default user class
+class AnoubisSsoServer::User < AnoubisSsoServer::ApplicationRecord
   self.table_name = 'users'
 
   has_secure_password
   validates :email, presence: true
 
-  before_validation :before_validation_user_on_create, on: :create
-  before_save :before_save_user
-  after_destroy :after_destroy_user
+  before_validation :before_validation_sso_server_user_on_create, on: :create
+  before_save :before_save_sso_server_user
+  after_destroy :after_destroy_sso_server_user
 
+  ## Regexp validation mask for email
   VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
 
   validates :email, presence: true, length: { maximum: 50 },
@@ -25,46 +28,83 @@ class AnoubisSsoServer::User < ApplicationRecord
   validates :uuid, presence: true, length: { maximum: 40 }, uniqueness: { case_sensitive: true }
   validates :public, presence: true, length: { maximum: 40 }, uniqueness: { case_sensitive: true }
 
-  def before_validation_user_on_create
-    self.uuid = SecureRandom.uuid
-    self.public = SecureRandom.uuid
+  ##
+  # Fires before create any User on the server. Procedure generates internal UUID and setup timezone to GMT.
+  # Public user identifier is generated also if not defined.
+  def before_validation_sso_server_user_on_create
+    self.uuid = setup_private_user_id
+    self.public = setup_public_user_id unless public
+
     self.timezone = 'GMT' if !self.timezone
   end
 
-  def before_save_user
+  ##
+  # Procedure setup private user identifier. Procedure can be redefined.
+  # @return [String] public user identifier
+  def setup_private_user_id
+    SecureRandom.uuid
+  end
+
+  ##
+  # Procedure setup public user identifier. Used for open API. Procedure can be redefined.
+  # @return [String] public user identifier
+  def setup_public_user_id
+    SecureRandom.uuid
+  end
+
+  ##
+  # Fires before save User data to database.
+  # Procedure setup email, timezone and call procedure for clear Redis cache data for the user.
+  def before_save_sso_server_user
     self.timezone = 'GMT' if !self.timezone
     self.email = self.email.downcase
     self.clear_cache
   end
 
-  def after_destroy_user
-    self.clear_cache
+  ##
+  # Fires before delete User from database.
+  # Procedure call procedure for clear Redis cache data for the user.
+  def after_destroy_sso_server_user
+    clear_cache
   end
 
+  ##
+  # Procedure saves cached User model data to Redis database for improve access speed.
   def save_cache
-    self.redis.set(self.redis_prefix + 'user:' + self.uuid, self.to_json(except: [:password_digest])) if self.redis
+    redis.set("#{redis_prefix}user:#{uuid}", self.to_json(except: [:password_digest])) if redis
   end
 
+  ##
+  # Procedure clear cached User model data.
   def clear_cache
-    self.redis.del(self.redis_prefix + 'user:' + self.uuid) if self.redis
+    redis.del("#{redis_prefix}user:#{uuid}") if redis
   end
 
+  ##
+  # Procedure checks if password was changed.
+  # @return [Boolean] return true if password was changed
   def password_changed?
     !password.blank?
   end
 
-  def self.load_cache(redis, uuid)
+  ##
+  # Procedure returns User model data from the cache or database. If user data isn't present in cache then call procedure that cache User model data.
+  # @param uuid [String] - User private UUID
+  # @return [Hash] User data
+  def self.load_cache(uuid)
     begin
-      data = JSON.parse redis.get(User.redis_prefix + 'user:' + uuid), { symbolize_names: true }
+      data = JSON.parse self.redis.get("#{self.redis_prefix}user:#{uuid}"), { symbolize_names: true }
     rescue
       data = nil
     end
 
     unless data
       user = self.where(uuid: uuid).first
-      if user
-        return JSON.parse(user.to_json(except: [:password_digest]), { symbolize_names: true })
-      end
+
+      return nil unless user
+
+      user.save_cache
+      data = JSON.parse(user.to_json(except: [:password_digest]), { symbolize_names: true })
     end
 
     data

data/config/locales/en.yml

@@ -0,0 +1,14 @@
+en:
+  anoubis:
+    errors:
+      incorrect_login: "Incorrect login or password"
+      system_not_defined: "SSO system is not defined in Rails.configuration.anoubis_sso_system"
+      session_expired: "Session expired"
+      incorrect_user: "Incorrect user"
+      is_not_defined: "%{title} isn't defined"
+      is_not_correct: "%{title} isn't correct"
+      less_than: "%{title} length should be %{size} or more symbols"
+      login_required: "Login required"
+      fields:
+        login: "Login not defined"
+        password: "Password not defined"

data/config/locales/ru.yml

@@ -0,0 +1,14 @@
+ru:
+  anoubis:
+    errors:
+      incorrect_login: "Некорректный логин или пароль"
+      system_not_defined: "SSO система не определена в Rails.configuration.anoubis_sso_system"
+      session_expired: "Сессия завершена"
+      incorrect_user: "Некорректный пользователь"
+      is_not_defined: "Переменная %{title} не определена"
+      is_not_correct: "Переменная %{title} некорректна"
+      less_than: "Длина переменной %{title} должна быть %{size} или более символов"
+      login_required: "Требуется логин"
+      fields:
+        login: "Логин не задан"
+        password: "Пароль не задан"

data/config/routes.rb

@@ -0,0 +1,23 @@
+##
+# Defines default routes
+AnoubisSsoServer::Engine.routes.draw do
+  Rails.application.routes.draw do
+    scope path: 'api', defaults: { format: 'json' } do
+      scope path: ':version' do
+        get 'login', to: 'anoubis_sso_server/main#login', as: 'api_internal_login'
+        #get 'auth', to: 'main#auth'
+        get 'dashboard', to: 'anoubis_sso_server/index#dashboard'
+        get 'menu', to: 'anoubis_sso_server/index#menu'
+      end
+    end
+
+    scope path: 'openid', defaults: { format: 'json' } do
+      get '.well-known/openid-configuration', to: 'anoubis_sso_server/open_id#configuration', as: 'openid_configuration'
+      get '.well-known/jwks.json', to: 'anoubis_sso_server/open_id#jwks', as: 'openid_jwks'
+      get 'oauth2/auth', to: 'anoubis_sso_server/open_id#auth', as: 'oauth_auth'
+      post 'oauth2/token', to: 'anoubis_sso_server/open_id#access_token', as: 'oauth_token'
+      options 'oauth2/token', to: 'anoubis_sso_server/application#options', as: nil
+      get 'oauth2/logout', to: 'anoubis_sso_server/open_id#logout', as: 'oauth_logout'
+    end
+  end
+end

data/db/migrate/20220214112633_create_anoubis_sso_server_users.rb

@@ -0,0 +1,19 @@
+class CreateAnoubisSsoServerUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :users do |t|
+      t.string :email, limit: 100, null: false
+      t.string :name, limit: 100, null: false
+      t.string :surname, limit: 100, null: false
+      t.string :timezone, limit: 30, null: false
+      t.string :locale, limit: 10, null: false, default: 'ru-RU'
+      t.string :password_digest, limit: 60, null: false
+      t.string :uuid, limit: 40, null: false
+      t.string :public, limit: 40, null: false
+
+      t.timestamps
+    end
+    add_index :users, [:email], unique: true
+    add_index :users, [:uuid], unique: true
+    add_index :users, [:public], unique: true
+  end
+end

data/db/migrate/20220214112748_create_anoubis_sso_server_systems.rb

@@ -0,0 +1,17 @@
+class CreateAnoubisSsoServerSystems < ActiveRecord::Migration[7.0]
+  def change
+    create_table :systems do |t|
+      t.string :title, limit: 100, null: false
+      t.string :uuid, limit: 40, null: false
+      t.string :public, limit: 40, null: false
+      t.integer :ttl, default: 3600, null: false
+      t.integer :state, default: 0, null: false
+      t.json :jwk
+      t.json :request_uri
+
+      t.timestamps
+    end
+    add_index :systems, [:uuid], unique: true
+    add_index :systems, [:public], unique: true
+  end
+end

data/lib/anoubis_sso_server/engine.rb

@@ -1,6 +1,6 @@
 module AnoubisSsoServer
   ##
-  # Main AnubisSsoServer Engine class
+  # Main AnoubisSsoServer Engine class
   class Engine < ::Rails::Engine
     isolate_namespace AnoubisSsoServer
     config.generators.api_only = true

data/lib/anoubis_sso_server/version.rb

@@ -2,5 +2,5 @@
 
 module AnoubisSsoServer
   ## Library version
-  VERSION = "0.1.1"
+  VERSION = "1.0.1"
 end

data/sig/anoubis_sso_server.rbs

@@ -1,4 +1,10 @@
 module AnoubisSsoServer
   VERSION: String
   # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+
+  class User
+    attr_accessor email: String
+    attr_accessor name: String
+    attr_accessor surname: String
+  end
 end