clavis 0.7.1

data/lib/clavis/providers/generic.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Clavis
+  module Providers
+    # Generic provider that can be used as a template for custom providers
+    # This class requires all OAuth endpoints to be provided in the configuration
+    class Generic < Base
+      attr_reader :authorize_endpoint_url, :token_endpoint_url, :userinfo_endpoint_url
+
+      def initialize(config = {})
+        # Validation happens first
+        validate_endpoints_config!(config)
+
+        # These class vars will be derived from config, since we pass it all to super
+        @is_openid = config[:openid_provider] || false
+
+        # Support both :scope and :scopes for backward compatibility
+        config[:scope] ||= config[:scopes] if config[:scopes]
+
+        # Set provider_name explicitly for generic provider
+        config[:provider_name] = :generic
+
+        super
+      end
+
+      def authorization_endpoint
+        @authorize_endpoint_url
+      end
+
+      def token_endpoint
+        @token_endpoint_url
+      end
+
+      def userinfo_endpoint
+        @userinfo_endpoint_url
+      end
+
+      def default_scopes
+        @scope || ""
+      end
+
+      def openid_provider?
+        @is_openid
+      end
+
+      protected
+
+      def validate_endpoints_config!(config)
+        if config[:authorization_endpoint].nil? || config[:authorization_endpoint].empty?
+          raise Clavis::MissingConfiguration,
+                "authorization_endpoint"
+        end
+        if config[:token_endpoint].nil? || config[:token_endpoint].empty?
+          raise Clavis::MissingConfiguration,
+                "token_endpoint"
+        end
+        return unless config[:userinfo_endpoint].nil? || config[:userinfo_endpoint].empty?
+
+        raise Clavis::MissingConfiguration, "userinfo_endpoint"
+      end
+    end
+  end
+end

data/lib/clavis/providers/github.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Clavis
+  module Providers
+    class Github < Base
+      def initialize(config = {})
+        config[:authorization_endpoint] = "https://github.com/login/oauth/authorize"
+        config[:token_endpoint] = "https://github.com/login/oauth/access_token"
+        config[:userinfo_endpoint] = "https://api.github.com/user"
+        config[:scope] = config[:scope] || "user:email"
+        super
+      end
+
+      def authorization_endpoint
+        "https://github.com/login/oauth/authorize"
+      end
+
+      def token_endpoint
+        "https://github.com/login/oauth/access_token"
+      end
+
+      def userinfo_endpoint
+        "https://api.github.com/user"
+      end
+
+      def default_scopes
+        "user:email"
+      end
+
+      def get_user_info(access_token)
+        return {} unless userinfo_endpoint
+
+        # Validate inputs
+        raise Clavis::InvalidToken unless Clavis::Security::InputValidator.valid_token?(access_token)
+
+        response = http_client.get(userinfo_endpoint) do |req|
+          req.headers["Authorization"] = "Bearer #{access_token}"
+        end
+
+        if response.status != 200
+          Clavis::Logging.log_userinfo_request(provider_name, false)
+          handle_userinfo_error_response(response)
+        end
+
+        Clavis::Logging.log_userinfo_request(provider_name, true)
+
+        process_userinfo_response(response)
+      end
+
+      protected
+
+      def process_userinfo_response(response)
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        # GitHub doesn't include email in the user response if it's private
+        # We need to make a separate request to get the emails
+        emails = get_emails(response.env.request.headers["Authorization"])
+        primary_email = emails.find { |email| email[:primary] }
+
+        {
+          id: data[:id].to_s,
+          name: data[:name],
+          nickname: data[:login],
+          email: primary_email ? primary_email[:email] : data[:email],
+          email_verified: primary_email ? primary_email[:verified] : nil,
+          image: data[:avatar_url]
+        }
+      end
+
+      private
+
+      def get_emails(auth_header)
+        return [] unless auth_header
+
+        response = http_client.get("https://api.github.com/user/emails") do |req|
+          req.headers["Authorization"] = auth_header
+        end
+
+        if response.status == 200
+          JSON.parse(response.body, symbolize_names: true)
+        else
+          []
+        end
+      end
+    end
+  end
+end

data/lib/clavis/providers/google.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module Clavis
+  module Providers
+    class Google < Base
+      def initialize(config = {})
+        # Validate required fields first
+        if config[:client_id].nil? || config[:client_id].empty?
+          raise Clavis::MissingConfiguration,
+                "client_id for google"
+        end
+        if config[:client_secret].nil? || config[:client_secret].empty?
+          raise Clavis::MissingConfiguration,
+                "client_secret for google"
+        end
+        if config[:redirect_uri].nil? || config[:redirect_uri].empty?
+          raise Clavis::MissingConfiguration,
+                "redirect_uri for google"
+        end
+
+        # Set endpoints
+        config[:authorization_endpoint] = "https://accounts.google.com/o/oauth2/v2/auth"
+        config[:token_endpoint] = "https://oauth2.googleapis.com/token"
+        config[:userinfo_endpoint] = "https://www.googleapis.com/oauth2/v3/userinfo"
+        config[:scope] = config[:scope] || "openid email profile"
+
+        super
+      end
+
+      def authorization_endpoint
+        "https://accounts.google.com/o/oauth2/v2/auth"
+      end
+
+      def token_endpoint
+        "https://oauth2.googleapis.com/token"
+      end
+
+      def userinfo_endpoint
+        "https://www.googleapis.com/oauth2/v3/userinfo"
+      end
+
+      def default_scopes
+        "openid email profile"
+      end
+
+      def openid_provider?
+        true
+      end
+
+      def authorize_url(state:, nonce:, scope: nil)
+        # Validate state and nonce
+        raise Clavis::InvalidState unless Clavis::Security::InputValidator.valid_state?(state)
+        raise Clavis::InvalidNonce unless Clavis::Security::InputValidator.valid_state?(nonce)
+
+        # Build authorization URL
+        params = {
+          response_type: "code",
+          client_id: client_id,
+          redirect_uri: Clavis::Security::HttpsEnforcer.enforce_https(redirect_uri),
+          scope: scope || default_scopes,
+          state: state,
+          nonce: nonce,
+          access_type: "offline",
+          prompt: "consent" # Force consent screen to ensure refresh token
+        }
+
+        Clavis::Logging.log_authorization_request(provider_name, params)
+
+        "#{authorization_endpoint}?#{to_query(params)}"
+      end
+
+      protected
+
+      def additional_authorize_params
+        {
+          access_type: "offline",
+          prompt: "consent" # Force consent screen to ensure refresh token
+        }
+      end
+
+      def process_userinfo_response(response)
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        # For Google, we ALWAYS want to use the sub as the identifier
+        # We don't set @uid anymore since we want to use sub consistently
+        {
+          sub: data[:sub],
+          email: data[:email],
+          email_verified: data[:email_verified],
+          name: data[:name],
+          given_name: data[:given_name],
+          family_name: data[:family_name],
+          picture: data[:picture]
+        }
+      end
+    end
+  end
+end

data/lib/clavis/providers/microsoft.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Clavis
+  module Providers
+    class Microsoft < Base
+      def initialize(config = {})
+        @tenant = config[:tenant] || "common"
+
+        # Set endpoints based on tenant
+        config[:authorization_endpoint] = "https://login.microsoftonline.com/#{@tenant}/oauth2/v2.0/authorize"
+        config[:token_endpoint] = "https://login.microsoftonline.com/#{@tenant}/oauth2/v2.0/token"
+        config[:userinfo_endpoint] = "https://graph.microsoft.com/v1.0/me"
+        config[:scope] = config[:scope] || "openid email profile User.Read"
+
+        super
+      end
+
+      def authorization_endpoint
+        "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/authorize"
+      end
+
+      def token_endpoint
+        "https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/token"
+      end
+
+      def userinfo_endpoint
+        "https://graph.microsoft.com/v1.0/me"
+      end
+
+      def default_scopes
+        "openid email profile User.Read"
+      end
+
+      def openid_provider?
+        true
+      end
+
+      protected
+
+      def process_userinfo_response(response)
+        data = JSON.parse(response.body, symbolize_names: true)
+
+        {
+          id: data[:id],
+          name: data[:displayName],
+          email: data[:mail] || data[:userPrincipalName],
+          first_name: data[:givenName],
+          last_name: data[:surname]
+        }
+      end
+
+      private
+
+      attr_reader :tenant
+    end
+  end
+end

data/lib/clavis/security/csrf_protection.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module Clavis
+  module Security
+    module CsrfProtection
+      class << self
+        # Generates a secure random state token for CSRF protection
+        # @return [String] A secure random state token
+        def generate_state
+          SecureRandom.hex(24)
+        end
+
+        # Validates that the actual state matches the expected state
+        # @param actual_state [String] The state received from the OAuth provider
+        # @param expected_state [String] The state that was originally sent
+        # @raise [Clavis::MissingState] If either state is nil
+        # @raise [Clavis::InvalidState] If the states don't match
+        def validate_state!(actual_state, expected_state)
+          raise Clavis::MissingState if actual_state.nil? || expected_state.nil?
+          raise Clavis::InvalidState unless actual_state == expected_state
+        end
+
+        # Stores a state token in the Rails session
+        # @param controller [ActionController::Base] The controller instance
+        # @return [String] The generated state token
+        def store_state_in_session(controller)
+          state = generate_state
+          controller.session[:oauth_state] = state
+          state
+        end
+
+        # Validates the state from the Rails session
+        # @param controller [ActionController::Base] The controller instance
+        # @param actual_state [String] The state received from the OAuth provider
+        # @raise [Clavis::MissingState] If either state is nil
+        # @raise [Clavis::InvalidState] If the states don't match
+        def validate_state_from_session!(controller, actual_state)
+          expected_state = controller.session[:oauth_state]
+          validate_state!(actual_state, expected_state)
+
+          # Clear the state from the session after validation
+          controller.session.delete(:oauth_state)
+        end
+
+        # Generates a nonce for OIDC requests
+        # @return [String] A secure random nonce
+        def generate_nonce
+          SecureRandom.hex(16)
+        end
+
+        # Stores a nonce in the Rails session
+        # @param controller [ActionController::Base] The controller instance
+        # @return [String] The generated nonce
+        def store_nonce_in_session(controller)
+          nonce = generate_nonce
+          controller.session[:oauth_nonce] = nonce
+          nonce
+        end
+
+        # Validates the nonce from the ID token against the one in the session
+        # @param controller [ActionController::Base] The controller instance
+        # @param id_token_nonce [String] The nonce from the ID token
+        # @raise [Clavis::MissingNonce] If either nonce is nil
+        # @raise [Clavis::InvalidNonce] If the nonces don't match
+        def validate_nonce_from_session!(controller, id_token_nonce)
+          expected_nonce = controller.session[:oauth_nonce]
+
+          raise Clavis::MissingNonce if id_token_nonce.nil? || expected_nonce.nil?
+          raise Clavis::InvalidNonce unless id_token_nonce == expected_nonce
+
+          # Clear the nonce from the session after validation
+          controller.session.delete(:oauth_nonce)
+        end
+      end
+    end
+  end
+end

data/lib/clavis/security/https_enforcer.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "uri"
+require "faraday"
+
+module Clavis
+  module Security
+    module HttpsEnforcer
+      class << self
+        # Enforces HTTPS for a URL
+        # @param url [String] The URL to enforce HTTPS for
+        # @return [String] The URL with HTTPS enforced
+        def enforce_https(url)
+          return url unless Clavis.configuration.enforce_https
+          return url if url.nil? || url.empty?
+
+          begin
+            uri = URI.parse(url)
+
+            # Skip if already HTTPS
+            return url if uri.scheme == "https"
+
+            # Allow HTTP for localhost in development if configured
+            if localhost?(uri.host) &&
+               Clavis.configuration.allow_http_localhost &&
+               (defined?(Rails) && !Rails.env.production?)
+              return url
+            end
+
+            # Upgrade to HTTPS
+            uri.scheme = "https"
+            uri.to_s
+          rescue URI::InvalidURIError
+            url
+          end
+        end
+
+        # Creates a new HTTP client with proper TLS configuration
+        # @return [Faraday::Connection] A configured HTTP client
+        def create_http_client
+          Faraday.new do |conn|
+            conn.ssl.verify = Clavis.configuration.should_verify_ssl?
+            conn.ssl.min_version = Clavis.configuration.minimum_tls_version if Clavis.configuration.minimum_tls_version
+
+            # Add middleware
+            conn.request :url_encoded
+            conn.response :json, content_type: /\bjson$/
+            conn.adapter Faraday.default_adapter
+          end
+        end
+
+        # Checks if a URL is using HTTPS
+        # @param url [String] The URL to check
+        # @return [Boolean] Whether the URL is using HTTPS
+        def https?(url)
+          return false if url.nil? || url.empty?
+
+          begin
+            uri = URI.parse(url)
+            uri.scheme == "https"
+          rescue URI::InvalidURIError
+            false
+          end
+        end
+
+        # Logs a warning if a URL is not using HTTPS
+        # @param url [String] The URL to check
+        # @param context [String] The context for the warning
+        def warn_if_not_https(url, context = nil)
+          return if https?(url)
+
+          message = "WARNING: Non-HTTPS URL detected"
+          message += " in #{context}" if context
+          message += ": #{url}"
+
+          Clavis.logger.warn(message)
+        end
+
+        private
+
+        # Checks if a host is localhost
+        # @param host [String] The host to check
+        # @return [Boolean] Whether the host is localhost
+        def localhost?(host)
+          ["localhost", "127.0.0.1"].include?(host)
+        end
+      end
+    end
+  end
+end

data/lib/clavis/security/input_validator.rb

@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Clavis
+  module Security
+    module InputValidator
+      # Regular expressions for validation
+      TOKEN_REGEX = /\A[a-zA-Z0-9\-_.]+\z/
+      CODE_REGEX = %r{\A[a-zA-Z0-9\-_./=+]+\z}
+      STATE_REGEX = /\A[a-zA-Z0-9\-_.]+\z/
+      EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d-]+(\.[a-z\d-]+)*\.[a-z]+\z/i
+
+      # Dangerous schemes that should never be allowed
+      DANGEROUS_SCHEMES = %w[javascript data vbscript file].freeze
+
+      class << self
+        # Validates a URL
+        # @param url [String] The URL to validate
+        # @param allowed_schemes [Array<String>] The allowed URL schemes
+        # @return [Boolean] Whether the URL is valid
+        def valid_url?(url, allowed_schemes: %w[http https])
+          return false if url.nil? || url.empty?
+
+          begin
+            uri = URI.parse(url)
+
+            # Check if the URI has a scheme
+            return false unless uri.scheme
+
+            # Check if the scheme is allowed
+            return false if DANGEROUS_SCHEMES.include?(uri.scheme.downcase)
+            return false unless allowed_schemes.include?(uri.scheme.downcase)
+
+            # Check if the URI has a host
+            return false unless uri.host
+
+            true
+          rescue URI::InvalidURIError
+            false
+          end
+        end
+
+        # Validates an OAuth token
+        # @param token [String] The token to validate
+        # @return [Boolean] Whether the token is valid
+        def valid_token?(token)
+          return false if token.nil? || token.empty?
+
+          # Make token validation more permissive
+          # Just check if it's a string with reasonable length
+          token.is_a?(String) && token.length > 5
+        end
+
+        # Validates an authorization code
+        # @param code [String] The code to validate
+        # @return [Boolean] Whether the code is valid
+        def valid_code?(code)
+          return false if code.nil? || code.empty?
+
+          is_valid = CODE_REGEX.match?(code)
+
+          # For now, be more permissive
+          # Eventually, we should properly validate but the regex might need adjustment
+          # based on the specific OAuth provider
+          return true if code.length > 5 && code.length < 1000
+
+          is_valid
+        end
+
+        # Validates a state parameter
+        # @param state [String] The state to validate
+        # @return [Boolean] Whether the state is valid
+        def valid_state?(state)
+          return false if state.nil? || state.empty?
+
+          STATE_REGEX.match?(state)
+        end
+
+        # Validates an email address
+        # @param email [String] The email to validate
+        # @return [Boolean] Whether the email is valid
+        def valid_email?(email)
+          return false if email.nil? || email.empty?
+
+          EMAIL_REGEX.match?(email)
+        end
+
+        # Validates a token response
+        # @param response [Hash] The token response to validate
+        # @return [Boolean] Whether the response is valid
+        def valid_token_response?(response)
+          return false unless response.is_a?(Hash)
+
+          # Check for error response
+          return false if response["error"] || response[:error]
+
+          # Check for required fields
+          access_token = response["access_token"] || response[:access_token]
+          response["token_type"] || response[:token_type]
+
+          # Be more permissive for debugging - just require an access_token
+          return true if access_token && !access_token.empty?
+
+          # Original strict validation:
+          # return false unless access_token && token_type
+          # return false unless valid_token?(access_token)
+          #
+          # # Validate optional fields if present
+          # if (expires_in = response["expires_in"] || response[:expires_in]) &&
+          #    !(expires_in.is_a?(Integer) && expires_in.positive?)
+          #   return false
+          # end
+          #
+          # if (refresh_token = response["refresh_token"] || response[:refresh_token]) && !valid_token?(refresh_token)
+          #   return false
+          # end
+          #
+          # if (id_token = response["id_token"] || response[:id_token]) && !valid_token?(id_token)
+          #   return false
+          # end
+
+          true
+        end
+
+        # Validates a userinfo response
+        # @param response [Hash] The userinfo response to validate
+        # @return [Boolean] Whether the response is valid
+        def valid_userinfo_response?(response)
+          return false unless response.is_a?(Hash)
+
+          # Check for error response
+          return false if response["error"] || response[:error]
+
+          # Be more permissive - don't require specific fields
+          # Only check for dangerous values
+
+          # Sanitize all string values to prevent XSS
+          response.each_value do |value|
+            if value.is_a?(String) &&
+               (value.include?("<script") ||
+                value.include?("javascript:") ||
+                value.include?("data:"))
+              return false
+            end
+          end
+
+          true
+        end
+
+        # Sanitizes a string to prevent XSS
+        # @param input [String] The string to sanitize
+        # @return [String] The sanitized string
+        def sanitize(input)
+          return "" if input.nil?
+          return input unless input.is_a?(String)
+
+          # Remove script tags and their content
+          result = input.gsub(%r{<script\b[^>]*>.*?</script>}im, "")
+
+          # Remove other potentially dangerous tags
+          result = result.gsub(/<[^>]*>/, "")
+
+          # Remove javascript: and data: URLs
+          result = result.gsub(/javascript:/i, "")
+          result.gsub(/data:/i, "")
+        end
+
+        # Sanitizes a hash to prevent XSS
+        # @param hash [Hash] The hash to sanitize
+        # @return [Hash] The sanitized hash
+        def sanitize_hash(hash)
+          return {} unless hash.is_a?(Hash)
+
+          result = {}
+
+          hash.each do |key, value|
+            result[key] = if value.is_a?(Hash)
+                            sanitize_hash(value)
+                          elsif value.is_a?(Array)
+                            value.map { |item| item.is_a?(Hash) ? sanitize_hash(item) : sanitize(item) }
+                          else
+                            sanitize(value)
+                          end
+          end
+
+          result
+        end
+      end
+    end
+  end
+end