devise_g5_authenticatable 0.1.0

data/config/initializers/devise_g5_authenticatable.rb

@@ -0,0 +1,3 @@
+unless defined?(ActionController::StrongParameters)
+  require 'devise_g5_authenticatable/models/protected_attributes'
+end

data/config/locales/en.yml

@@ -0,0 +1,6 @@
+en:
+  devise:
+    sessions:
+      signed_in: 'Signed in successfully.'
+      not_found: 'You must sign up before continuing.'
+      failure: 'Could not authenticate you from %{kind} because "%{reason}".'

data/devise_g5_authenticatable.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devise_g5_authenticatable/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'devise_g5_authenticatable'
+  spec.version       = DeviseG5Authenticatable::VERSION
+  spec.authors       = ['Maeve Revels']
+  spec.email         = ['maeve.revels@getg5.com']
+  spec.description   = 'Devise extension for the G5 Auth service'
+  spec.summary       = 'Devise extension for the G5 Auth service'
+  spec.homepage      = 'https://github.com/G5/devise_g5_authenticatable'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'devise', '~> 3.0'
+  spec.add_dependency 'g5_authentication_client', '~> 0.2'
+  spec.add_dependency 'omniauth-g5', '~> 0.1'
+end

data/lib/devise_g5_authenticatable.rb

@@ -0,0 +1,16 @@
+require 'devise_g5_authenticatable/version'
+
+require 'devise'
+
+require 'devise_g5_authenticatable/omniauth'
+require 'devise_g5_authenticatable/routes'
+require 'devise_g5_authenticatable/controllers/helpers'
+require 'devise_g5_authenticatable/controllers/url_helpers'
+
+require 'devise_g5_authenticatable/engine'
+
+Devise.add_module(:g5_authenticatable,
+                  strategy: false,
+                  route: {session: [nil, :new, :destroy]},
+                  controller: :sessions,
+                  model: 'devise_g5_authenticatable/models/g5_authenticatable')

data/lib/devise_g5_authenticatable/controllers/helpers.rb

@@ -0,0 +1,37 @@
+module DeviseG5Authenticatable
+  module Helpers
+    extend ActiveSupport::Concern
+
+    def clear_blank_passwords
+      Devise.mappings.keys.each do |scope|
+        if params[scope].present?
+          password_params(scope).each { |p| clear_blank_param(scope, p) }
+        end
+      end
+    end
+
+    def password_params(scope)
+      params[scope].keys.select { |k| k =~ /password/ }
+    end
+
+    def clear_blank_param(scope, param_name)
+      params[scope].delete(param_name) if params[scope][param_name].blank?
+    end
+
+    def handle_resource_error(error)
+      resource.errors[:base] << error.message
+      respond_with(resource)
+    end
+
+    module ClassMethods
+      def define_helpers(mapping)
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def set_updated_by_#{mapping}
+            resource_params = params[:#{mapping}] || params
+            resource_params[:updated_by] = current_#{mapping}
+          end
+        METHODS
+      end
+    end
+  end
+end

data/lib/devise_g5_authenticatable/controllers/url_helpers.rb

@@ -0,0 +1,13 @@
+module DeviseG5Authenticatable
+  module UrlHelpers
+    def g5_authorize_path(resource_or_scope, *args)
+      scope = Devise::Mapping.find_scope!(resource_or_scope)
+      _devise_route_context.send("#{scope}_g5_authorize_path", *args)
+    end
+
+    def g5_callback_path(resource_or_scope, *args)
+      scope = Devise::Mapping.find_scope!(resource_or_scope)
+      _devise_route_context.send("#{scope}_g5_callback_path", *args)
+    end
+  end
+end

data/lib/devise_g5_authenticatable/engine.rb

@@ -0,0 +1,11 @@
+module DeviseG5Authenticatable
+  class Engine < Rails::Engine
+    initializer "devise_g5_authenticatable.helpers" do
+      Devise.include_helpers(DeviseG5Authenticatable)
+    end
+
+    rake_tasks do
+      load 'tasks/g5/export_users.rake'
+    end
+  end
+end

data/lib/devise_g5_authenticatable/g5.rb

@@ -0,0 +1,4 @@
+require 'devise_g5_authenticatable/g5/auth_user_creator'
+require 'devise_g5_authenticatable/g5/auth_user_updater'
+require 'devise_g5_authenticatable/g5/auth_password_validator'
+require 'devise_g5_authenticatable/g5/user_exporter'

data/lib/devise_g5_authenticatable/g5/auth_password_validator.rb

@@ -0,0 +1,30 @@
+require 'g5_authentication_client'
+
+module Devise
+  module G5
+    class AuthPasswordValidator
+      attr_reader :model
+
+      def initialize(authenticatable_model)
+        @model = authenticatable_model
+      end
+
+      def valid_password?(password)
+        begin
+          auth_user = auth_client(password).me
+        rescue OAuth2::Error => error
+          raise unless error.code == 'invalid_resource_owner'
+        rescue RuntimeError => error
+          raise unless error.message =~ /Insufficient credentials/
+        end
+
+        !auth_user.nil?
+      end
+
+      private
+      def auth_client(password)
+        G5AuthenticationClient::Client.new(username: model.email, password: password)
+      end
+    end
+  end
+end

data/lib/devise_g5_authenticatable/g5/auth_user_creator.rb

@@ -0,0 +1,48 @@
+require 'g5_authentication_client'
+
+module Devise
+  module G5
+    class AuthUserCreator
+      attr_reader :model
+
+      def initialize(authenticatable_model)
+        @model = authenticatable_model
+      end
+
+      def create
+        create_auth_user unless auth_user_exists?
+      end
+
+      private
+      def create_auth_user
+        auth_user = auth_client.create_user(auth_user_args)
+        set_auth_attributes(auth_user)
+        auth_user
+      end
+
+      def auth_user_exists?
+        !model.uid.blank?
+      end
+
+      def auth_client
+        G5AuthenticationClient::Client.new(access_token: updated_by.g5_access_token)
+      end
+
+      def updated_by
+        model.updated_by || model
+      end
+
+      def auth_user_args
+        {email: model.email,
+         password: model.password,
+         password_confirmation: model.password_confirmation}
+      end
+
+      def set_auth_attributes(auth_user)
+        model.provider = 'g5'
+        model.uid = auth_user.id
+        model.clean_up_passwords
+      end
+    end
+  end
+end

data/lib/devise_g5_authenticatable/g5/auth_user_updater.rb

@@ -0,0 +1,43 @@
+require 'g5_authentication_client'
+
+module Devise
+  module G5
+    class AuthUserUpdater
+      attr_reader :model
+
+      def initialize(authenticatable_model)
+        @model = authenticatable_model
+      end
+
+      def update
+        update_auth_user if credentials_changed?
+      end
+
+      private
+      def update_auth_user
+        auth_user = auth_client.update_user(auth_user_args)
+        model.clean_up_passwords
+        auth_user
+      end
+
+      def credentials_changed?
+        model.email_changed? || !model.password.blank?
+      end
+
+      def auth_client
+        G5AuthenticationClient::Client.new(access_token: updated_by.g5_access_token)
+      end
+
+      def updated_by
+        model.updated_by || model
+      end
+
+      def auth_user_args
+        {id: model.uid,
+         email: model.email,
+         password: model.password,
+         password_confirmation: model.password_confirmation}
+      end
+    end
+  end
+end

data/lib/devise_g5_authenticatable/g5/user_exporter.rb

@@ -0,0 +1,61 @@
+require 'g5_authentication_client'
+
+module G5
+  # Exports all users to the G5 auth server.
+  # Assumes presence of User model with uid and
+  # provider attributes.
+  class UserExporter
+    # @param [Hash] options the options to export users with.
+    # @option options [String] :client_id the G5 OAuth client ID
+    # @option options [String] :client_secret the G5 OAuth client secret
+    # @option options [String] :redirect_uri the redirect URI registered with G5
+    # @option options [String] :endpoint the endpoint for the G5 Auth server
+    # @option options [String] :authorization_code the G5 authorization code to obtain an access token
+    def initialize(options={})
+      @client_id = options[:client_id]
+      @client_secret = options[:client_secret]
+      @redirect_uri = options[:redirect_uri]
+      @endpoint = options[:endpoint]
+      @authorization_code = options[:authorization_code]
+    end
+
+    # Export local users to the G5 Auth server.
+    # A record will be created in G5 Auth and associated with each
+    # local User. Password data is not automatically
+    # exported, but is returned in a dump of SQL update
+    # statements suitable for executing on the G5 Auth server.
+    #
+    # @return [String] SQL dump containing encrypted user passwords
+    def export
+      update_statements = User.all.collect do |user|
+        # The user won't actually be able to log in with their usual password,
+        # but at least it won't be set to a guessable value
+        auth_user = auth_client.create_user(email: user.email,
+                                            password: user.encrypted_password)
+        update_local_user(user, auth_user)
+        update_sql(auth_user.id, user.encrypted_password)
+      end
+
+      update_statements.join("\n")
+    end
+
+    private
+    def update_local_user(local_user, auth_user)
+      local_user.uid = auth_user.id
+      local_user.provider = 'g5'
+      local_user.save
+    end
+
+    def update_sql(uid, password)
+      "update users set encrypted_password='#{password}' where id=#{uid};"
+    end
+
+    def auth_client
+      @oauth_client ||= G5AuthenticationClient::Client.new(client_id: @client_id,
+                                        client_secret: @client_secret,
+                                        redirect_uri: @redirect_uri,
+                                        endpoint: @endpoint,
+                                        authorization_code: @authorization_code)
+    end
+  end
+end

data/lib/devise_g5_authenticatable/models/g5_authenticatable.rb

@@ -0,0 +1,99 @@
+require 'devise_g5_authenticatable/g5'
+
+module Devise
+  module Models
+    # Authenticatable module, responsible for remote credential management
+    # in G5 Auth.
+    #
+    # The module assumes that the following attributes have already been defined
+    # on the model:
+    #   * `provider`: the value will always be 'g5' for G5 Auth users
+    #   * `uid`: the unique id for this user in G5 Auth
+    #   * `g5_access_token`: the current OAuth access token, if one exists
+    module G5Authenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_accessor :password, :password_confirmation, :current_password,
+                      :updated_by
+
+        before_save :auth_user
+      end
+
+      def auth_user
+        begin
+          if new_record?
+            G5::AuthUserCreator.new(self).create
+          else
+            G5::AuthUserUpdater.new(self).update
+          end
+        rescue OAuth2::Error => e
+          logger.error("Couldn't save user credentials because: #{e}")
+          raise ActiveRecord::RecordNotSaved.new(e.code)
+        rescue StandardError => e
+          logger.error("Couldn't save user credentials because: #{e}")
+          raise ActiveRecord::RecordNotSaved.new(e.message)
+        end
+      end
+
+      def clean_up_passwords
+        self.password = self.password_confirmation = self.current_password = nil
+      end
+
+      def valid_password?(password_to_check)
+        validator = Devise::G5::AuthPasswordValidator.new(self)
+        validator.valid_password?(password_to_check)
+      end
+
+      def update_with_password(params)
+        updated_attributes = params.reject { |k,v| k =~ /password/ && v.blank? }
+        current_password = updated_attributes.delete(:current_password)
+
+        if valid = valid_password?(current_password)
+          valid = update_attributes(updated_attributes)
+        elsif current_password.blank?
+          errors.add(:current_password, :blank)
+        else
+          errors.add(:current_password, :invalid)
+        end
+
+        valid
+      end
+
+      def update_g5_credentials(oauth_data)
+        self.g5_access_token = oauth_data.credentials.token
+      end
+
+      def revoke_g5_credentials!
+        self.g5_access_token = nil
+        save!
+      end
+
+      module ClassMethods
+        def find_for_g5_oauth(oauth_data)
+          find_by_provider_and_uid(oauth_data.provider.to_s, oauth_data.uid.to_s)
+        end
+
+        def find_and_update_for_g5_oauth(oauth_data)
+          resource = find_for_g5_oauth(oauth_data)
+          if resource
+            resource.update_g5_credentials(oauth_data)
+            resource.save!
+          end
+          resource
+        end
+
+        def new_with_session(params, session)
+          defaults = ActiveSupport::HashWithIndifferentAccess.new
+          if auth_data = session && session['omniauth.auth']
+            defaults[:email] = auth_data.info.email
+            defaults[:provider] = auth_data.provider
+            defaults[:uid] = auth_data.uid
+          end
+
+          new(defaults.merge(params))
+        end
+      end
+    end
+  end
+end

data/lib/devise_g5_authenticatable/models/protected_attributes.rb

@@ -0,0 +1,16 @@
+module DeviseG5Authenticatable
+  module Models
+    module ProtectedAttributes
+      extend ActiveSupport::Concern
+
+      included do
+        attr_accessible :email, :password, :password_confirmation,
+                        :current_password, :provider, :uid, :updated_by
+      end
+    end
+  end
+end
+
+module Devise::Models::G5Authenticatable
+  include DeviseG5Authenticatable::Models::ProtectedAttributes
+end

data/lib/devise_g5_authenticatable/omniauth.rb

@@ -0,0 +1,9 @@
+require 'devise/omniauth'
+require 'omniauth-g5'
+
+OmniAuth.config.on_failure do |env|
+  env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
+  controller_name  = ActiveSupport::Inflector.camelize(env['devise.mapping'].controllers[:sessions])
+  controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+  controller_klass.action(:failure).call(env)
+end