authify-api 0.0.5

data/lib/authify/api.rb

@@ -0,0 +1,51 @@
+# Standard Library Requirements
+
+# External Requirements
+require 'authify/core'
+require 'authify/middleware'
+require 'sinatra/base'
+require 'sinatra/activerecord'
+require 'jsonapi-serializers'
+require 'sinatra/jsonapi'
+require 'tilt/erb'
+require 'connection_pool'
+require 'moneta'
+
+# Internal Requirements
+module Authify
+  module API
+    CONFIG = Core::CONFIG.merge(
+      db: {
+        url: ENV['AUTHIFY_DB_URL'] || 'mysql2://root@localhost:3306/authifydb'
+      },
+      session_secret: ENV['AUTHIFY_SESSION_SECRET'] || '1q2w3e4r5t6y7u8i9o0pazsxdcfvgbhnjmkl10zm',
+      redis: {
+        host: ENV['AUTHIFY_REDIS_HOST'] || 'localhost',
+        port: ENV['AUTHIFY_REDIS_PORT'] || '6379'
+      }
+    )
+  end
+end
+
+require 'authify/api/version'
+require 'authify/api/jsonapi_utils'
+require 'authify/api/controllers/api_key'
+require 'authify/api/controllers/group'
+require 'authify/api/controllers/organization'
+require 'authify/api/controllers/user'
+require 'authify/api/serializers/api_key_serializer'
+require 'authify/api/serializers/group_serializer'
+require 'authify/api/serializers/user_serializer'
+require 'authify/api/serializers/organization_serializer'
+require 'authify/api/models/api_key'
+require 'authify/api/models/group'
+require 'authify/api/models/identity'
+require 'authify/api/models/organization'
+require 'authify/api/models/organization_membership'
+require 'authify/api/models/trusted_delegate'
+require 'authify/api/models/user'
+require 'authify/api/helpers/jwt_encryption'
+require 'authify/api/helpers/api_user'
+require 'authify/api/service'
+require 'authify/api/services/api'
+require 'authify/api/services/jwt_provider'

data/lib/authify/api/controllers/api_key.rb

@@ -0,0 +1,36 @@
+module Authify
+  module API
+    module Controllers
+      APIKey = proc do
+        helpers do
+          def find(id)
+            Models::APIKey.find(id.to_i)
+          end
+        end
+
+        index do
+          Models::APIKey.all
+        end
+
+        show do
+          last_modified resource.updated_at
+          next resource
+        end
+
+        destroy do
+          resource.destroy
+        end
+
+        show_many do |ids|
+          Models::APIKey.find(ids)
+        end
+
+        has_one :user do
+          pluck do
+            resource.user
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/controllers/group.rb

@@ -0,0 +1,40 @@
+module Authify
+  module API
+    module Controllers
+      Group = proc do
+        helpers do
+          def find(id)
+            Models::Group.find(id.to_i)
+          end
+        end
+
+        index do
+          Models::Group.all
+        end
+
+        show do
+          last_modified resource.updated_at
+          next resource
+        end
+
+        create do |attrs|
+          Models::Group.new(attrs)
+        end
+
+        destroy do
+          resource.destroy
+        end
+
+        show_many do |ids|
+          Models::Group.find(ids)
+        end
+
+        has_many :users do
+          fetch do
+            resource.users
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/controllers/organization.rb

@@ -0,0 +1,48 @@
+module Authify
+  module API
+    module Controllers
+      Organization = proc do
+        helpers do
+          def find(id)
+            Models::Organization.find(id.to_i)
+          end
+        end
+
+        index do
+          Models::Organization.all
+        end
+
+        show do
+          last_modified resource.updated_at
+          next resource
+        end
+
+        show_many do |ids|
+          Models::Organization.find(ids)
+        end
+
+        destroy do
+          resource.destroy if @current_user.admin_for?(resource)
+        end
+
+        has_many :users do
+          fetch do
+            resource.users
+          end
+        end
+
+        has_many :admins do
+          fetch do
+            resource.admins
+          end
+        end
+
+        has_many :groups do
+          fetch do
+            resource.groups
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/controllers/user.rb

@@ -0,0 +1,72 @@
+module Authify
+  module API
+    module Controllers
+      User = proc do
+        helpers do
+          def find(id)
+            Models::User.find(id.to_i)
+          end
+        end
+
+        index do
+          Models::User.all
+        end
+
+        show do
+          last_modified resource.updated_at
+          next resource
+        end
+
+        show_many do |ids|
+          Models::User.find(ids)
+        end
+
+        has_many :api_keys do
+          fetch do
+            resource.api_keys
+          end
+
+          clear do
+            resource.api_keys.destroy_all
+            resource.save
+          end
+
+          subtract do |rios|
+            refs = rios.map { |attrs| Models::APIKey.new(attrs) }
+            resource.api_keys.destroy(refs)
+            resource.save
+          end
+        end
+
+        has_many :identities do
+          fetch do
+            resource.identities
+          end
+
+          clear do
+            resource.identities.destroy_all
+            resource.save
+          end
+
+          subtract do |rios|
+            refs = rios.map { |attrs| Models::Identities.new(attrs) }
+            resource.identities.destroy(refs)
+            resource.save
+          end
+        end
+
+        has_many :organizations do
+          fetch do
+            resource.organizations
+          end
+        end
+
+        has_many :groups do
+          fetch do
+            resource.groups
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/helpers/api_user.rb

@@ -0,0 +1,30 @@
+module Authify
+  module API
+    module Helpers
+      # Helper methods for API users
+      module APIUser
+        def current_user
+          @current_user ||= Models::User.find_by_email(env['user']['username'])
+        end
+
+        def update_current_user(user)
+          found_user = if user.is_a? Authify::API::Models::User
+                         user
+                       elsif user.is_a? Integer
+                         Models::User.find(user)
+                       elsif user.is_a? String
+                         Models::User.find_by_email(user)
+                       end
+
+          halt 422 unless found_user
+          @current_user = found_user
+        end
+
+        # This shouldn't work via API calls
+        def auth
+          {}
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/helpers/jwt_encryption.rb

@@ -0,0 +1,42 @@
+module Authify
+  module API
+    module Helpers
+      # Helper methods for working with JWT encryption
+      module JWTEncryption
+        include Core::Helpers::JWTSSL
+
+        def jwt_token
+          JWT.encode jwt_payload(current_user), private_key, 'ES256'
+        end
+
+        def jwt_payload(user)
+          {
+            exp: Time.now.to_i + 60 * 60,
+            iat: Time.now.to_i,
+            iss: CONFIG[:jwt][:issuer],
+            scopes: Core::Constants::JWTSCOPES,
+            user: {
+              username: user.email,
+              uid: user.id,
+              organizations: user.organizations.map do |o|
+                               { name: o.name, oid: o.id, admin: o.admins.include?(user) }
+                             end,
+              groups: user.groups.map { |g| { name: g.name, gid: g.id } }
+            }
+          }
+        end
+
+        def with_jwt(req, scope)
+          scopes, user = req.env.values_at :scopes, :user
+          set_current_user Models::User.from_username(user['username'])
+
+          if scopes.include?(scope) && current_user
+            yield req
+          else
+            halt 403
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/jsonapi_utils.rb

@@ -0,0 +1,12 @@
+module Authify
+  module API
+    # JSON API related Model utility methods
+    module JSONAPIUtils
+      def jsonapi_serializer_class_name
+        this_class = self.class.name.split('::').last
+        new_class = "Authify::API::Serializers::#{this_class}Serializer"
+        new_class.split('::').inject(Object) { |o, c| o.const_get c }
+      end
+    end
+  end
+end

data/lib/authify/api/models/api_key.rb

@@ -0,0 +1,44 @@
+module Authify
+  module API
+    module Models
+      # Additional, revocable user access
+      class APIKey < ActiveRecord::Base
+        include Core::SecureHashing
+        extend Core::SecureHashing
+        include JSONAPIUtils
+
+        attr_reader :secret_key
+
+        validates_presence_of :access_key
+        validates_presence_of :secret_key_digest
+
+        belongs_to :user,
+                   required: true,
+                   class_name: 'Authify::API::Models::User'
+
+        def secret_key=(unencrypted_string)
+          @secret_key = unencrypted_string
+          self.secret_key_digest = salted_sha512(unencrypted_string) if viable(unencrypted_string)
+        end
+
+        def compare_secret(unencrypted_string)
+          compare_salted_sha512(unencrypted_string, secret_key_digest)
+        end
+
+        def set_secret!
+          self.secret_key = self.class.generate_access_key + self.class.generate_access_key
+        end
+
+        def self.generate_access_key
+          to_hex(SecureRandom.gen_random(32))[0...32]
+        end
+
+        private
+
+        def viable(string)
+          string && !string.empty?
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/models/group.rb

@@ -0,0 +1,17 @@
+module Authify
+  module API
+    module Models
+      # A way of grouping multiple users
+      class Group < ActiveRecord::Base
+        include JSONAPIUtils
+
+        belongs_to :organization,
+                   required: true,
+                   class_name: 'Authify::API::Models::Organization'
+
+        has_and_belongs_to_many :users,
+                                class_name: 'Authify::API::Models::User'
+      end
+    end
+  end
+end

data/lib/authify/api/models/identity.rb

@@ -0,0 +1,14 @@
+module Authify
+  module API
+    module Models
+      # External identities mapped to users (GitHub, Facebook, etc.)
+      class Identity < ActiveRecord::Base
+        include JSONAPIUtils
+
+        belongs_to :user,
+                   required: true,
+                   class_name: 'Authify::API::Models::User'
+      end
+    end
+  end
+end

data/lib/authify/api/models/organization.rb

@@ -0,0 +1,26 @@
+module Authify
+  module API
+    module Models
+      # High-level logical organization of groups and users
+      class Organization < ActiveRecord::Base
+        include JSONAPIUtils
+
+        has_many :organization_memberships,
+                 class_name: 'Authify::API::Models::OrganizationMembership',
+                 dependent: :destroy
+
+        has_many :users,
+                 through: :organization_memberships,
+                 class_name: 'Authify::API::Models::User'
+
+        has_many :groups,
+                 class_name: 'Authify::API::Models::Group',
+                 dependent: :destroy
+
+        has_many :admins, -> { where admin: true },
+                 through: :organization_memberships,
+                 class_name: 'Authify::API::Models::User'
+      end
+    end
+  end
+end