authress-sdk 2.0.33.0 → 2.0.36.0

data/lib/authress-sdk/omniauth.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'oauth2'
+require 'omniauth-oauth2'
+require_relative './token_validator'
+require_relative './authress_client.rb'
+
+include OAuth2
+
+module OmniAuth
+  module Authress
+    VERSION = '1.1.0'
+  end
+
+  module Strategies
+    class Authress < OmniAuth::Strategies::OAuth2
+      attr_accessor :authress_client
+      attr_accessor :token_response
+
+      def initialize(*args)
+        super
+        @authress_client = AuthressSdk::AuthressClient.default
+      end
+
+      option :name, 'authress'
+      option :pkce, true
+      option :application_id, nil
+
+      # Setup client URLs used during authentication and then call the default
+      def client
+        options.client_id = options.application_id
+        options.client_options.headers = {
+          'User-Agent' => 'Ruby OmniAuth'
+        }
+        options.client_options.auth_scheme = :request_body
+        options.client_options.site = @authress_client.custom_domain_url
+        options.client_options.authorize_url = @authress_client.custom_domain_url
+        options.client_options.token_url = @authress_client.custom_domain_url + '/api/authentication/-/tokens'
+        # https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L47
+        super
+      end
+
+      # Use the "sub" key of the userinfo returned
+      # as the uid (globally unique string identifier).
+      uid { user_info['sub'] }
+
+      # Build the API credentials hash with returned auth data.
+      credentials do
+        if @token_response == nil
+          return nil
+        end
+
+        hash = {
+          'token' => @token_response['access_token'],
+          'id_token' => @token_response['id_token'],
+          'token_type' => @token_response['token_type'] || 'Bearer',
+          'expires' => true,
+          'expires_at' => @token_response['expires_at']
+        }
+
+        # Retrieve and remove authorization params from the session
+        session_authorize_params = session['authorize_params'] || {}
+        session.delete('authorize_params')
+
+        hash
+      end
+
+      # Store all raw information for use in the session.
+      extra do
+        {
+          raw_info: user_info
+        }
+      end
+
+      # Build a hash of information about the user
+      # with keys taken from the Auth Hash Schema.
+      info do
+        {
+          name: user_info['name'] || user_info['sub'],
+          nickname: user_info['nickname'],
+          email: user_info['email'],
+          image: user_info['picture']
+        }
+      end
+
+      # Define the parameters used for the /authorize endpoint
+      def authorize_params
+        params = super
+        %w[responseLocation flowType].each do |key|
+          params[key] = request.params[key] if request.params.key?(key)
+        end
+
+        # Generate nonce
+        params[:nonce] = SecureRandom.hex
+        # Generate leeway if none exists
+        params[:leeway] = 60 unless params[:leeway]
+
+        params[:responseLocation] = 'query'
+        params[:flowType] = 'code'
+
+        # Store authorize params in the session for token verification
+        session['authorize_params'] = params.to_hash
+
+        params
+      end
+
+      # Declarative override for the request phase of authentication
+      def request_phase
+        if no_application_id?
+          # Do we have a application_id for this Application?
+          fail!(:missing_application_id)
+        elsif no_domain?
+          # Do we have a domain for this Application?
+          fail!(:missing_domain)
+        else
+          # All checks pass, run the Oauth2 request_phase method.
+          super
+        end
+      end
+
+      # https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategy.rb#L416
+      def callback_phase
+        begin
+          error = request.params["error_reason"] || request.params["error"]
+          if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
+            fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+          elsif error
+            fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+          else
+            params = {
+              'grant_type' => 'authorization_code',
+              'code' => request.params["code"],
+              'client_id' => options.application_id,
+              'redirect_uri' => callback_url
+            # https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L80
+            }.merge(token_params.to_hash(:symbolize_keys => true))
+
+            params_dup = params.dup
+            params.each_key do |key|
+              params_dup[key.to_s] = params_dup.delete(key) if key.is_a?(Symbol)
+            end
+
+            @token_response = complete_token_request(params_dup)      
+      
+            env['omniauth.auth'] = auth_hash
+            call_app!
+          end
+        rescue AuthressSdk::TokenValidationError => e
+          fail!(:token_validation_error, e)
+        rescue ::OAuth2::Error, CallbackError => e
+          fail!(:invalid_credentials, e)
+        rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+          fail!(:timeout, e)
+        rescue ::SocketError => e
+          fail!(:failed_to_connect, e)
+        end
+      end
+
+      def complete_token_request(params, &block)
+        request_opts = {
+          raise_errors: options[:raise_errors]
+        }
+        request_opts[:body] = params.to_json
+        request_opts[:headers] = options.client_options.headers
+        response = client.request(:post, options.client_options.token_url, request_opts, &block)
+        @access_token = OAuth2::AccessToken.from_hash(client, JSON.parse(response.body)).tap do |access_token|
+          access_token.response = response if access_token.respond_to?(:response=)
+        end
+        return JSON.parse(response.body)
+      end
+
+      # Parse the raw user info.
+      def user_info
+        if @token_response && @token_response['id_token']
+          jwt_payload = @token_response['id_token'] && @token_response['id_token'].to_s && @token_response['id_token'].to_s.split('.')[1]
+          if jwt_payload
+            jwt_payload += '=' * (4 - jwt_payload.length.modulo(4))
+            user_identity = JSON.parse(Base64.decode64(jwt_payload.tr('-_','+/')))
+            return user_identity
+          end
+        end
+
+        return nil
+      end
+
+      # Check if the options include a application_id
+      def no_application_id?
+        ['', nil].include?(options.application_id)
+      end
+
+      # Check if the options include a domain
+      def no_domain?
+        ['', nil].include?(@authress_client.custom_domain_url)
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'authress', 'Authress'

data/lib/authress-sdk/token_validator.rb

@@ -0,0 +1,13 @@
+require 'base64'
+require 'uri'
+require 'json'
+
+module AuthressSdk
+  class TokenValidationError < StandardError
+    attr_reader :error_reason
+    def initialize(msg)
+      @error_reason = msg
+      super(msg)
+    end
+  end
+end

data/lib/{authress_sdk.rb → authress-sdk.rb}

@@ -8,11 +8,10 @@ module AuthressSdk
   class << self
     # Customize default settings for the SDK using block.
     #   AuthressSdk.configure do |config|
-    #     config.username = "xxx"
-    #     config.password = "xxx"
+    #     config.base_url = "xxx"
     #   end
     def configure
-      AuthressClient.default
+      yield AuthressClient.default
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authress-sdk
 version: !ruby/object:Gem::Version
-  version: 2.0.33.0
+  version: 2.0.36.0
 platform: ruby
 authors:
 - Authress
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -44,6 +44,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.1.0
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -69,78 +111,81 @@ extra_rdoc_files:
 - README.md
 files:
 - README.md
-- lib/authress_sdk.rb
-- lib/authress_sdk/api/access_records_api.rb
-- lib/authress_sdk/api/accounts_api.rb
-- lib/authress_sdk/api/metadata_api.rb
-- lib/authress_sdk/api/resource_permissions_api.rb
-- lib/authress_sdk/api/roles_api.rb
-- lib/authress_sdk/api/service_clients_api.rb
-- lib/authress_sdk/api/user_permissions_api.rb
-- lib/authress_sdk/api_error.rb
-- lib/authress_sdk/authress_client.rb
-- lib/authress_sdk/constant_token_provider.rb
-- lib/authress_sdk/models/access_record.rb
-- lib/authress_sdk/models/access_record_collection.rb
-- lib/authress_sdk/models/account.rb
-- lib/authress_sdk/models/account_collection.rb
-- lib/authress_sdk/models/account_collection_accounts.rb
-- lib/authress_sdk/models/claim_request.rb
-- lib/authress_sdk/models/claim_response.rb
-- lib/authress_sdk/models/client.rb
-- lib/authress_sdk/models/client_access_key.rb
-- lib/authress_sdk/models/client_collection.rb
-- lib/authress_sdk/models/client_collection_clients.rb
-- lib/authress_sdk/models/identity.rb
-- lib/authress_sdk/models/identity_collection.rb
-- lib/authress_sdk/models/identity_collection_identities.rb
-- lib/authress_sdk/models/identity_request.rb
-- lib/authress_sdk/models/inline_response_200.rb
-- lib/authress_sdk/models/inline_response_200_1.rb
-- lib/authress_sdk/models/inline_response_200_10.rb
-- lib/authress_sdk/models/inline_response_200_11.rb
-- lib/authress_sdk/models/inline_response_200_12.rb
-- lib/authress_sdk/models/inline_response_200_13.rb
-- lib/authress_sdk/models/inline_response_200_14.rb
-- lib/authress_sdk/models/inline_response_200_15.rb
-- lib/authress_sdk/models/inline_response_200_2.rb
-- lib/authress_sdk/models/inline_response_200_3.rb
-- lib/authress_sdk/models/inline_response_200_4.rb
-- lib/authress_sdk/models/inline_response_200_5.rb
-- lib/authress_sdk/models/inline_response_200_6.rb
-- lib/authress_sdk/models/inline_response_200_7.rb
-- lib/authress_sdk/models/inline_response_200_9.rb
-- lib/authress_sdk/models/invite.rb
-- lib/authress_sdk/models/link.rb
-- lib/authress_sdk/models/metadata_object.rb
-- lib/authress_sdk/models/permission_object.rb
-- lib/authress_sdk/models/permission_response.rb
-- lib/authress_sdk/models/resource_permission.rb
-- lib/authress_sdk/models/resource_permission_collection.rb
-- lib/authress_sdk/models/resource_permission_collection_links.rb
-- lib/authress_sdk/models/resource_permission_collection_links_next.rb
-- lib/authress_sdk/models/resource_permission_collection_resources.rb
-- lib/authress_sdk/models/resource_users_collection.rb
-- lib/authress_sdk/models/role.rb
-- lib/authress_sdk/models/statement.rb
-- lib/authress_sdk/models/token_request.rb
-- lib/authress_sdk/models/user.rb
-- lib/authress_sdk/models/user_resources.rb
-- lib/authress_sdk/models/user_resources_resources.rb
-- lib/authress_sdk/models/user_token.rb
-- lib/authress_sdk/models/user_token_links.rb
-- lib/authress_sdk/models/user_token_links_self.rb
-- lib/authress_sdk/models/v1clients_options.rb
-- lib/authress_sdk/models/v1records_account.rb
-- lib/authress_sdk/models/v1records_links.rb
-- lib/authress_sdk/models/v1records_links_self.rb
-- lib/authress_sdk/models/v1records_users.rb
-- lib/authress_sdk/models/v1resourcesresource_uri_permissions.rb
-- lib/authress_sdk/models/v1roles_permissions.rb
-- lib/authress_sdk/models/v1usersuser_idresourcesresource_urimetadata_account.rb
-- lib/authress_sdk/models/v1usersuser_idtokens_resources.rb
-- lib/authress_sdk/models/v1usersuser_idtokens_statements.rb
-- lib/authress_sdk/service_client_token_provider.rb
+- lib/authress-sdk.rb
+- lib/authress-sdk/api/access_records_api.rb
+- lib/authress-sdk/api/accounts_api.rb
+- lib/authress-sdk/api/login_api.rb
+- lib/authress-sdk/api/metadata_api.rb
+- lib/authress-sdk/api/resource_permissions_api.rb
+- lib/authress-sdk/api/roles_api.rb
+- lib/authress-sdk/api/service_clients_api.rb
+- lib/authress-sdk/api/user_permissions_api.rb
+- lib/authress-sdk/api_error.rb
+- lib/authress-sdk/authress_client.rb
+- lib/authress-sdk/constant_token_provider.rb
+- lib/authress-sdk/models/access_record.rb
+- lib/authress-sdk/models/access_record_collection.rb
+- lib/authress-sdk/models/account.rb
+- lib/authress-sdk/models/account_collection.rb
+- lib/authress-sdk/models/account_collection_accounts.rb
+- lib/authress-sdk/models/claim_request.rb
+- lib/authress-sdk/models/claim_response.rb
+- lib/authress-sdk/models/client.rb
+- lib/authress-sdk/models/client_access_key.rb
+- lib/authress-sdk/models/client_collection.rb
+- lib/authress-sdk/models/client_collection_clients.rb
+- lib/authress-sdk/models/identity.rb
+- lib/authress-sdk/models/identity_collection.rb
+- lib/authress-sdk/models/identity_collection_identities.rb
+- lib/authress-sdk/models/identity_request.rb
+- lib/authress-sdk/models/inline_response_200.rb
+- lib/authress-sdk/models/inline_response_200_1.rb
+- lib/authress-sdk/models/inline_response_200_10.rb
+- lib/authress-sdk/models/inline_response_200_11.rb
+- lib/authress-sdk/models/inline_response_200_12.rb
+- lib/authress-sdk/models/inline_response_200_13.rb
+- lib/authress-sdk/models/inline_response_200_14.rb
+- lib/authress-sdk/models/inline_response_200_15.rb
+- lib/authress-sdk/models/inline_response_200_2.rb
+- lib/authress-sdk/models/inline_response_200_3.rb
+- lib/authress-sdk/models/inline_response_200_4.rb
+- lib/authress-sdk/models/inline_response_200_5.rb
+- lib/authress-sdk/models/inline_response_200_6.rb
+- lib/authress-sdk/models/inline_response_200_7.rb
+- lib/authress-sdk/models/inline_response_200_9.rb
+- lib/authress-sdk/models/invite.rb
+- lib/authress-sdk/models/link.rb
+- lib/authress-sdk/models/metadata_object.rb
+- lib/authress-sdk/models/permission_object.rb
+- lib/authress-sdk/models/permission_response.rb
+- lib/authress-sdk/models/resource_permission.rb
+- lib/authress-sdk/models/resource_permission_collection.rb
+- lib/authress-sdk/models/resource_permission_collection_links.rb
+- lib/authress-sdk/models/resource_permission_collection_links_next.rb
+- lib/authress-sdk/models/resource_permission_collection_resources.rb
+- lib/authress-sdk/models/resource_users_collection.rb
+- lib/authress-sdk/models/role.rb
+- lib/authress-sdk/models/statement.rb
+- lib/authress-sdk/models/token_request.rb
+- lib/authress-sdk/models/user.rb
+- lib/authress-sdk/models/user_resources.rb
+- lib/authress-sdk/models/user_resources_resources.rb
+- lib/authress-sdk/models/user_token.rb
+- lib/authress-sdk/models/user_token_links.rb
+- lib/authress-sdk/models/user_token_links_self.rb
+- lib/authress-sdk/models/v1clients_options.rb
+- lib/authress-sdk/models/v1records_account.rb
+- lib/authress-sdk/models/v1records_links.rb
+- lib/authress-sdk/models/v1records_links_self.rb
+- lib/authress-sdk/models/v1records_users.rb
+- lib/authress-sdk/models/v1resourcesresource_uri_permissions.rb
+- lib/authress-sdk/models/v1roles_permissions.rb
+- lib/authress-sdk/models/v1usersuser_idresourcesresource_urimetadata_account.rb
+- lib/authress-sdk/models/v1usersuser_idtokens_resources.rb
+- lib/authress-sdk/models/v1usersuser_idtokens_statements.rb
+- lib/authress-sdk/omniauth.rb
+- lib/authress-sdk/service_client_token_provider.rb
+- lib/authress-sdk/token_validator.rb
 homepage: https://github.com/Authress/authress-sdk.rb
 licenses:
 - Apache-2.0