anoubis_sso_server 0.1.1 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd3afcb17bb8237f6f7604fa63f75d13f7caa5e2c106941293785b65c5e24b3f
-  data.tar.gz: e303e294bffa7706560274fa186fba47b17e80944a699254efad0f2410cf2b20
+  metadata.gz: 756380520fc961ba7aaa7b12dc87efc34f4a598413677ea465392ebb355b9e70
+  data.tar.gz: eac01982f78ac39f0777d6579174c83eb0005a19fc9716f4f706ac006a0a9aa4
 SHA512:
-  metadata.gz: c5aa132b85b183c6adfb7f8792ca7d0344ef7eeda50da33931b361bb71b4f79c6c5d39e29ed2663d2335226f700d87d7458f6195182b1c12359f4882dc5a319e
-  data.tar.gz: 9228457e5c5aa6b85fe6682cd407a1b1e7c076f2cb4f069ecff9dab9792e579b33079eb370ca7f1eb1d21d64de127429d1c0a745b7f1addabfc7f3cffc5a20bf
+  metadata.gz: 1f64317d742c45171e135251f77d0207b9dae0434db471d0e4247be6c8f33a2b4ee526697c82756765063e16224d94e611aa356730e3f48c3cd952ada4014f73
+  data.tar.gz: 70728997ed2c5bed827e84751ecff752b8264c5a5629c6b9e2832c3e0e1203ab1f35ec01a1b43a29d52e1c66fd6b215539dc7222d6af8f008d256f5d04a44ba8

data/.env.sample

@@ -0,0 +1,3 @@
+DATABASE_USER=
+DATABASE_PASSWORD=
+DATABASE_NAME=

data/.rspec

@@ -1,3 +1,4 @@
---format documentation
 --color
 --require spec_helper
+--order rand
+--format doc

data/.ruby-version

@@ -1 +1 @@
-ruby-2.7.1
+ruby-3.0.0

data/CHANGELOG.md

@@ -1,4 +1,10 @@
-## [Unreleased]
+## [Released]
 
-## [0.1.0] - 2022-01-28
+## [1.0.2] - 2022-02-28
+- Action /api/1/auth was added.
+
+## [1.0.1] - 2022-02-27
+- Library was released.
+
+## [1.0.0] - 2022-01-28
 - Library was created.

data/Gemfile

@@ -5,10 +5,20 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in anoubis_sso_server.gemspec
 gemspec
 
-gem "rake", "~> 13.0"
+#gem "rake", "~> 13.0"
+#gem "rspec", "~> 3.0"
+#gem "rubocop", "~> 1.21"
+gem 'redis'
+gem 'jwt'
+gem 'anoubis', git: 'https://github.com/RA-Company/anoubis.git', branch: 'main'
 
-gem "rspec", "~> 3.0"
+#group :development, :test do
+#  gem "rspec-rails"
+  #gem "factory_bot_rails"
+#end
 
-gem "rubocop", "~> 1.21"
-
-gem "anoubis", git: 'https://github.com/RA-Company/anoubis.git', branch: 'main'
+group :test do
+  gem 'dotenv'
+  gem 'dotenv-rails'
+  gem 'tzinfo-data', platforms: %i[mingw mswin x64_mingw jruby]
+end

data/README.md

@@ -1,8 +1,6 @@
 # AnoubisSsoServer
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/anoubis_sso_server`. To experiment with that code, run `bin/console` for an interactive prompt.
-
-TODO: Delete this and the text above, and describe your gem
+Gem for create simple SSO server, based on OAUTH2 authentication.
 
 ## Installation
 
@@ -20,9 +18,84 @@ Or install it yourself as:
 
     $ gem install anoubis_sso_server
 
+After it please install default migrations:
+
+    $ rails anoubis_sso_server:install:migrations
+    $ bundle exec rake db:migrate
+
 ## Usage
 
-TODO: Write usage instructions here
+By default system database isn't filled any data.
+
+For adding data to database please add this to db/seed.rb of your application.
+
+First of all add admin user to database:
+
+```ruby
+user = AnoubisSsoServer::User.where(email: '<your_email>').first
+unless user
+  user = AnoubisSsoServer::User.new
+  user.email = '<your_email>'
+  user.password = '<your_password>'
+  user.password_confirmation = '<your_password>'
+  user.name = '<your_name>'
+  user.surname = '<your_surname>'
+  user.save
+end
+```
+
+Please use strong password when create user login.
+
+Then add systems to database.
+
+```ruby
+system = AnoubisSsoServer::System.where(public: 'sso-system').first
+unless system
+  system = AnoubisSsoServer::System.new
+  system.title = 'SSO'
+  system.public = 'sso-system'
+  system.state = 'hidden'
+  system.save
+end
+
+ext_system = AnoubisSsoServer::System.where(public: '<system_identifier>').first
+unless ext_system
+  ext_system = AnoubisSsoServer::System.new
+  ext_system.title = '<system_name>'
+  ext_system.public = '<system_identifier>'
+  ext_system.request_uri = %w[https://<server_url>/silent-callback.html https://<server_url>/callback]
+  ext_system.save
+end
+```
+
+After this seed this data to database:
+
+    $ bundle exec rake db:seed
+
+## Configuration parameters
+
+This configuration parameters can be placed at files config/application.rb for global configuration or config/environments/<environment>.rb for custom environment configuration.
+
+```ruby
+config.anoubis_redis_prefix = '<sample-prefix>' # Redis prefix for store cache data (when many applications run in one physical server)
+config.anoubis_sso_server = 'https://sso.example.com/' # Full URL of SSO server (*required)
+config.anoubis_sso_system = 'sso-system' # Internal SSO system identifier (*required)
+config.anoubis_sso_origin = /^https:\/\/.*\.example\.com$/ # Regexp for prevent CORS access from others domain (*required)
+config.anoubis_sso_login_url = 'https://sso.example.com/login' # Full URL for login page. (By default calculate from config.anoubis_sso_server adding 'login') (*optional)
+config.anoubis_sso_silent_url = 'https://sso.example.com/silent.html' # Full URL for silent refresh page. (By default calculate from config.anoubis_sso_server adding 'silent.html') (*optional)
+config.anoubis_sso_user_model = 'AnoubisSsoServer::User'# Used user model. ()By default used AnoubisSsoServer::User model) (*optional)
+```
+
+Also pay attention on this configuration parameters:
+
+```ruby
+config.api_only = true # for API only application
+config.middleware.use ActionDispatch::Cookies # for attach cookies into the API application
+
+config.hosts.clear # for clearing allowed IP requests
+
+config.action_dispatch.default_headers.clear # for clear default response headers 
+```
 
 ## Development
 
@@ -30,6 +103,20 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Testing
+
+First of all create MySQL database and grant privileges to it.
+
+After that copy file `.env.sample` to `.env` and fill required fields like `DATABASE_NAME`, `DATABASE_USER` and `DATABASE_PASSWORD`.
+
+After it run migrate database to test environment:
+
+    $ bin/rails db:migrate RAILS_ENV=test DATABASE_USER=<user_name> DATABASE_PASSWORD=<user_password> DATABASE_NAME=<database_name>
+
+After all of this preparation you can start tests:
+
+    $ bundle exec rspec
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/RA-Company/anoubis_sso_server. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/RA-Company/anoubis_sso_server/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -10,3 +10,6 @@ require "rubocop/rake_task"
 RuboCop::RakeTask.new
 
 task default: %i[spec rubocop]
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'

data/app/controllers/anoubis_sso_server/application_controller.rb

@@ -1,4 +1,5 @@
-## Main application class inherited from {https://api.rubyonrails.org/v6.1.4/classes/ActionController/API.html ActionController::API}
+##
+# Main application class inherited from {https://www.rubydoc.info/gems/anoubis/Anoubis/ApplicationController Anoubis::ApplicationController}
 class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
   ## Selected SSO system
   attr_accessor :current_system
@@ -12,6 +13,110 @@ class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
   ## Returns SSO silent url used for silent refresh token.
   attr_accessor :sso_silent_url
 
+  ## Returns used User model
+  attr_accessor :user_model
+
+  ## Used sso_origin
+  attr_accessor :sso_origin
+
+  ##  Returns [Anoubis::Etc::Base] global system parameters
+  attr_accessor :etc
+
+  ##
+  # Current user
+  attr_accessor :current_user
+
+  ##
+  # Action fires before any other actions
+  def after_anoubis_initialization
+    if defined? params
+      self.etc = Anoubis::Etc::Base.new({ params: params })
+    else
+      self.etc = Anoubis::Etc::Base.new
+    end
+
+    if access_allowed?
+      options request.method.to_s.upcase
+    else
+      render_error_exit({ error: I18n.t('anoubis.errors.access_not_allowed') })
+      return
+    end
+
+    if authenticate?
+      if authentication
+        if check_menu_access?
+          return if !menu_access params[:controller]
+        end
+      end
+    end
+
+    after_sso_server_initialization
+  end
+
+  ##
+  # Procedure fires after initializes all basic parameters of {AnoubisSsoServer::ApplicationController}
+  def after_sso_server_initialization
+    #puts etc.inspect
+  end
+
+  ##
+  # Check for site access. By default return true.
+  def access_allowed?
+    true
+  end
+
+  ##
+  # Checks if needed user authentication.
+  # @return [Boolean] if true, then user must be authenticated. By default application do not need authorization.
+  def authenticate?
+    false
+  end
+
+
+  ##
+  # Procedure authenticates user in the system
+  def authentication
+    session = get_oauth_session
+
+    unless session
+      render_error_exit code: -2, error: I18n.t('anoubis.errors.session_expired')
+      return
+    end
+
+    self.current_user = get_user_by_uuid session[:uuid]
+
+    unless current_user
+      self.redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
+      cookies[:oauth_session] = nil
+      render_error_exit code: -3, error: I18n.t('anoubis.errors.incorrect_user')
+      return
+    end
+  end
+
+  ##
+  # Gracefully terminate script execution with code 422 (Unprocessable entity). And JSON data
+  # @param data [Hash] Resulting data
+  # @option data [Integer] :code resulting error code
+  # @option data [String] :error resulting error message
+  def render_error_exit(data = {})
+    result = {
+      result: -1,
+      message: I18n.t('anoubis.error')
+    }
+
+    result[:result] = data[:code] if data.has_key? :code
+    result[:message] = data[:error] if data.has_key? :error
+
+
+    render json: result, status: :unprocessable_entity
+
+    begin
+      exit
+    rescue SystemExit => e
+      puts result[:message]
+    end
+  end
+
   ##
   # Returns main SSO server URL. Link should be defined in Rails.configuration.anoubis.sso_server configuration parameter
   # @return [String] link to SSO server
@@ -30,6 +135,23 @@ class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
     value
   end
 
+  ##
+  # Returns SSO origin. Variable should be defined in Rails.configuration.anoubis.sso_origin configuration parameter
+  # @return [Regexp] regexp for check site origin
+  def sso_origin
+    @sso_origin ||= get_sso_origin
+  end
+
+  private def get_sso_origin
+    begin
+      value = Rails.configuration.anoubis_sso_origin
+    rescue StandardError
+      value = /^.*$/
+    end
+
+    value
+  end
+
   ##
   # Returns SSO Login URL used for redirect when user isn't logged in.
   # Link can be redefined in Rails.configuration.anoubis_sso_login_url configuration parameter. If this variable isn't defined
@@ -68,11 +190,47 @@ class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
     value
   end
 
+  ##
+  # Returns SSO User model.
+  # Can be redefined in Rails.application configuration_anoubis_sso_user_model configuration parameter.
+  # By default returns {AnoubisSsoServer::User} model class
+  # @return [Class] User model class
+  def user_model
+    @user_model ||= get_user_model
+  end
+
+  private def get_user_model
+    begin
+      value = Object.const_get Rails.configuration.anoubis_sso_user_model
+    rescue
+      value = AnoubisSsoServer::User
+    end
+
+    value
+  end
+
+  ##
+  # Returns current SSO system data
+  # @param system_title [String] - System public UUID parameter. By default load from Rails.application configuration_anoubis_sso_system configuration parameter.
+  # @return [AnoubisSsoServer::System] current SSO system
+  def get_current_system(system_title = nil)
+    begin
+      system_title = Rails.configuration.anoubis_sso_system unless system_title
+      system = AnoubisSsoServer::System.new(JSON.parse(redis.get("#{redis_prefix}system:#{system_title}"),{ symbolize_names: true }))
+    rescue
+      system = nil
+    end
+
+    system
+  end
+
   ##
   # Check current origin of header by Regexp defined in Rails.configuration.anoubis_sso_origin configuration parameter
   # @return [Boolean] request host origin validation
   def check_origin
-    request.headers['origin'].match(Rails.configuration.anoubis_sso_origin)
+    return true unless request.origin
+
+    request.origin.match(sso_origin)
   end
 
   ##
@@ -93,10 +251,48 @@ class AnoubisSsoServer::ApplicationController < Anoubis::ApplicationController
         session[:ttl] = Time.now.utc.to_i + session[:timeout]
         redis.del("#{redis_prefix}session:#{cookies[:oauth_session]}")
         cookies[:oauth_session] = session_name
-        redis.set("#{redis_prefix}session:#{session_name}", session.to_json, { ex: 86400 })
+        redis.set("#{redis_prefix}session:#{session_name}", session.to_json, ex: 86400)
       end
     end
 
     session
   end
+
+  ##
+  # Returns user by UUID from the Redis cache or from database. If User isn't present in cache than User is loaded from database and placed to cache.
+  # @param uuid [String] UUID of user
+  # @return [Class] Returns user class
+  def get_user_by_uuid(uuid)
+    begin
+      user = user_model.new JSON.parse(redis.get("#{redis_prefix}user:#{uuid}"),{ symbolize_names: true })
+    rescue
+      user = nil
+    end
+
+    return user if user
+
+    user = user_model.where(uuid: uuid).first
+    return nil unless user
+
+    redis.set("#{redis_prefix}user:#{uuid}", user.to_json(except: :password_digest))
+
+    user
+  end
+
+  ##
+  # Check parameters
+  # @param list [Array] Array of parameters to check
+  def check_listed_parameters(list)
+    list.each do |key|
+      return I18n.t('anoubis.errors.is_not_defined', title: key) unless params.key? key.to_sym
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key) unless params[key.to_sym]
+
+      params[key.to_sym].strip!
+
+      return I18n.t('anoubis.errors.is_not_correct', title: key)  if params[key.to_sym] == ''
+    end
+
+    nil
+  end
 end

data/app/controllers/anoubis_sso_server/data_controller.rb

@@ -0,0 +1,5 @@
+##
+# Data controller class. Defines authorized actions.
+class AnoubisSsoServer::DataController < AnoubisSsoServer::ApplicationController
+
+end

data/app/controllers/anoubis_sso_server/index_controller.rb

@@ -0,0 +1,50 @@
+##
+# Index controller class. Output system actions
+class AnoubisSsoServer::IndexController < AnoubisSsoServer::ApplicationController
+
+  ##
+  # Default dashboard action
+  def dashboard
+    result = {
+      result: 0,
+      message: I18n.t('anoubis.success'),
+      data: {
+        name: current_user.name,
+        surname: current_user.surname,
+        email: current_user.email,
+        id: current_user.public
+      }
+    }
+
+    render json: result
+  end
+
+  ##
+  # Output allowed menu items
+  def menu
+    result = {
+      result: 0,
+      message: I18n.t('anoubis.success'),
+      menu: [
+        {
+          mode: 'dashboard',
+          title: I18n.t('anoubis.install.menu.dashboard.title'),
+          page_title: I18n.t('anoubis.install.menu.dashboard.page_title'),
+          short_title: I18n.t('anoubis.install.menu.dashboard.short_title'),
+          position: 0,
+          tab: 0,
+          action: 'data',
+          access: 'write',
+          state: 'show',
+          parent: nil
+        }
+      ]
+    }
+
+    render json: result
+  end
+
+  def authenticate?
+    true
+  end
+end

data/app/controllers/anoubis_sso_server/main_controller.rb

@@ -0,0 +1,126 @@
+##
+# Main controller class. Defines basic internal SSO actions.
+class AnoubisSsoServer::MainController < AnoubisSsoServer::ApplicationController
+  ##
+  # Login action for SSO server.
+  #
+  # <b>API request:</b>
+  #   GET /api/<version>/login
+  #
+  # <b>Parameters:</b>
+  # - <b>login</b> (String) --- user email address <i>(required field)</i>
+  # - <b>password</b> (String) --- user password <i>(required field)</i>
+  # - <b>locale</b> (String) --- the output language locale <i>(optional value)</i>
+  # - <b>code</b> (String) --- login code for redirect <i>(optional value, default: 0)</i>
+  #
+  # <b>Request example:</b>
+  #   curl --header "Content-Type: application/json" http://<server>:<port>/api/<api-version>/login=admin@example.com&password=password&locale=en
+  #
+  # <b>Results:</b>
+  #
+  # Resulting data returns as redirect to silent URL with login result.
+
+  def login
+    redirect_url = sso_silent_url
+    redirect_url += redirect_url.index('?') ? '&' : '?'
+
+    unless params[:login]
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.fields.login')), { allow_other_host: true }
+      return
+    end
+
+    unless params[:password]
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.fields.password')), { allow_other_host: true }
+      return
+    end
+
+    usr = user_model.where(email: params[:login]).first
+
+    unless usr
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.incorrect_login')), { allow_other_host: true }
+      return
+    end
+
+    unless usr.authenticate(params[:password])
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.incorrect_login')), { allow_other_host: true }
+      return
+    end
+
+    self.current_system = get_current_system
+
+    unless current_system
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.system_not_defined')), { allow_other_host: true }
+      return
+    end
+
+    code = nil
+    if params[:code]
+      begin
+        code = JSON.parse(self.redis.get("#{redis_prefix}login_code:#{params[:code]}"),{ symbolize_names: true })
+      rescue
+
+      end
+    end
+
+    session_name = SecureRandom.uuid
+    session = {
+      id: usr.id,
+      uuid: usr.uuid,
+      ttl: Time.now.utc.to_i + current_system[:ttl],
+      timeout: current_system[:ttl]
+    }
+
+    cookies[:oauth_session] = session_name
+    redis.set("#{redis_prefix}session:#{session_name}", session.to_json, ex: 86400)
+
+    unless code
+      redirect_to redirect_url + "code=0", { allow_other_host: true }
+    else
+      auth_code = SecureRandom.uuid
+      redis.set("#{redis_prefix}auth_code:#{auth_code}", params[:code], ex: 600)
+      redirect_to redirect_url + "code=#{auth_code}", { allow_other_host: true }
+    end
+  end
+
+  ##
+  # Procedure check current login status of user and redirect to URL used for call /openid/oauth2/auth.
+  def auth
+    redirect_url = sso_silent_url
+    redirect_url += redirect_url.index('?') ? '&' : '?'
+
+    err = check_listed_parameters %w[code]
+
+    if err
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(err), { allow_other_host: true }
+      return
+    end
+
+    begin
+      session = JSON.parse(redis.get("#{redis_prefix}session:#{cookies[:oauth_session]}"), { symbolize_names: true })
+    rescue StandardError
+      session = nil
+      cookies[:oauth_session] = nil
+    end
+
+    unless session
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.session_expired')), { allow_other_host: true }
+      return
+    end
+
+    begin
+      auth_code = redis.get("#{redis_prefix}auth_code:#{params[:code]}")
+      code = JSON.parse(redis.get("#{redis_prefix}login_code:#{auth_code}"), { symbolize_names: true })
+    rescue StandardError
+      code = nil
+    end
+
+    unless code
+      redirect_to redirect_url + 'error=' + ERB::Util.url_encode(I18n.t('anoubis.errors.is_not_correct', title: 'code')), { allow_other_host: true }
+      return
+    end
+
+    self.redis.del("#{redis_prefix}auth_code:#{params[:code]}")
+    self.redis.del("#{redis_prefix}login_code:#{auth_code}")
+    redirect_to code[:original_url], { allow_other_host: true }
+  end
+end