doorkeeper_sso 0.0.4 → 0.1.0.pre.alpha

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1325cddaeea3ad9c0db0f7421de65c7d671f4e90
-  data.tar.gz: f0c5fe37e55ee02487802801fda7c05ff6a9e679
+  metadata.gz: bb363d678a52d56ddf6c80dc8c1cff69deadd606
+  data.tar.gz: 1d6ac0652e3f375e675f62517f2f3a8b7fbd19f8
 SHA512:
-  metadata.gz: 35345790590a3d6a0a534ae30dd7717793ef3cf12036f6baf0780ebb03c014ec51110aa97574ed7ff7e299eacfb82afa4dca32fb4e772dd8131a48655788221b
-  data.tar.gz: 0da08dc94ecc077d572615e0dbf0ff0194529cd4dc5a57f23be4b4fb7d835e7352ab40f74acc61abd9fe0151e27d2591472049b19331aa6f8b067d47897491b6
+  metadata.gz: 4cddcc1c8862063eb257c05822e7bc0976e03eb7ea9ca69c2fea503994090b9258d53b5fe047072f23b73611fc5e53e3d1403761ba911a2558d19cdb845a20ec
+  data.tar.gz: 7b20aa56f12c66ef5dad229e625f85ea94d7a3f78e41061037e8def66057d1d0d01b416415d4eebb701860ebf5177f1d38797b1a17117a522c72825447635c7b

data/app/controllers/sso/sessions_controller.rb

@@ -1,29 +1,32 @@
-class Sso::SessionsController < ApplicationController
+module Sso
+  class SessionsController < ApplicationController
 
-  before_action :authenticate_user!, only: :show
-  before_action :doorkeeper_authorize!, only: :create
-  before_action :find_user, only: :create
+    before_action :authenticate_user!, only: :show
+    before_action :doorkeeper_authorize!, only: :create
+    before_action :find_user, only: :create
 
-  # TODO: Security issue?
-  protect_from_forgery with: :null_session
+    # TODO: Security issue?
+    protect_from_forgery with: :null_session
 
-  respond_to :json
+    respond_to :json
 
-  # Returns a 200 if access is granted
-  def show
-    render :nothing => true
-  end
+    # Returns a 200 if access is granted
+    def show
+      render :nothing => true
+    end
 
-  # Generate an SSO:Session
-  def create
-    @session  = Sso::Session.generate(@user, doorkeeper_token, params )
-    respond_with @session, :location => sso.sessions_url
-  end
+    # Generate an SSO:Session
+    def create
+      render json: {}
+      # @session  = Sso::Session.generate(@user, doorkeeper_token, params )
+      # respond_with @session, :location => sso.sessions_url
+    end
 
-  protected
+    protected
 
-  def find_user
-    @user = User.find(doorkeeper_token.resource_owner_id)
-  end
+    def find_user
+      @user = User.find(doorkeeper_token.resource_owner_id)
+    end
 
+  end
 end

data/app/helpers/sso/application_helper.rb

@@ -1,4 +1,24 @@
 module Sso
   module ApplicationHelper
+    # Can search for named routes directly in the main app, omitting
+    # the "main_app." prefix
+    def method_missing method, *args, &block
+      if main_app_url_helper?(method)
+        main_app.send(method, *args)
+      else
+        super
+      end
+    end
+
+    def respond_to?(method)
+      main_app_url_helper?(method) or super
+    end
+
+   private
+
+    def main_app_url_helper?(method)
+      (method.to_s.end_with?('_path') or method.to_s.end_with?('_url')) and
+        main_app.respond_to?(method)
+    end
   end
 end

data/app/models/sso/session.rb

@@ -63,13 +63,13 @@ module Sso
       end
 
       def update_master_with_access_token(grant_token, access_token)
-        oauth_grant  = Doorkeeper::AccessGrant.by_token(grant_token)
-        oauth_token  = Doorkeeper::AccessToken.by_token(access_token)
+        oauth_grant  = ::Doorkeeper::AccessGrant.by_token(grant_token)
+        oauth_token  = ::Doorkeeper::AccessToken.by_token(access_token)
         return false if oauth_token.blank? or oauth_grant.blank?
 
         master_sso_session = active.master.find_by!(access_grant_id: oauth_grant.id)
 
-        if master_sso_session.update_attribute(:access_token_id, oauth_token.id)
+        if master_sso_session.update_attributes(access_token_id: oauth_token.id, application_id: oauth_token.application_id)
           debug { "#register_access_token : #{master_sso_session.id} with Access Token ID #{oauth_token.id} which is #{oauth_token.token}" }
         else
           error { "#register_access_token : FAILED to update oauth_access_token_id" }

data/lib/sso/doorkeeper/authorizations_controller_mixin.rb

@@ -0,0 +1,24 @@
+module Sso
+  module Doorkeeper
+    module AuthorizationsControllerMixin
+      extend ActiveSupport::Concern
+      include ::Sso::Logging
+
+      included do
+        after_action :after_grant_create, only: [:new, :create]
+      end
+
+    protected
+
+      def after_grant_create
+        debug { "AuthorizationsController#Create : after_action" }
+        code_response = authorization.instance_variable_get("@response")
+        if code_response
+          warden_session = session["warden.user.user.session"]
+          debug { "Sso::Session.update_master_with_grant - #{warden_session["sso_session_id"].inspect}, #{code_response.auth.token.inspect}" }
+          Sso::Session.update_master_with_grant(warden_session["sso_session_id"], code_response.auth.token)
+        end
+      end
+    end
+  end
+end

data/lib/sso/doorkeeper/tokens_controller_mixin.rb

@@ -0,0 +1,41 @@
+module Sso
+  module Doorkeeper
+    module TokensControllerMixin
+      included do
+        after_action :after_token_create, only: :create
+      end
+
+    protected
+
+      def after_token_create
+        debug { "TokensController#Create : after_action" }
+        handle_authorization_grant_flow
+      end
+
+      def handle_authorization_grant_flow
+        # We cannot rely on session[:sso_session_id] here because the end-user might have cookies disabled.
+        # The only thing we can rely on to identify the user/Passport is the incoming grant token.
+        debug { %(Detected outgoing "Access Token" #{outgoing_access_token.inspect}) }
+        if sso_session = Sso::Session.update_master_with_access_token(grant_token, outgoing_access_token)
+          debug { "::Sso::Session.register_access_token success for access_token: #{outgoing_access_token}" }
+        else
+          debug { "::Sso::Session.register_access_token failed. #{sso_session.errors.inspect}" }
+          warden.logout
+        end
+      end
+
+      def grant_token
+        params["code"]
+      end
+
+      def grant_type
+        params["grant_type"]
+      end
+
+      def outgoing_access_token
+        @response_hash ||= JSON.parse(response.body)
+        @response_hash["access_token"]
+      end
+    end
+  end
+end

data/lib/sso/engine.rb

@@ -1,5 +1,19 @@
 module Sso
   class Engine < ::Rails::Engine
     isolate_namespace Sso
+
+    config.after_initialize do
+
+      ::Doorkeeper::TokensController.send(:include, AbstractController::Callbacks)
+      ::Doorkeeper::TokensController.send(:include, Sso::Doorkeeper::TokensControllerMixin)
+      ::Doorkeeper::AuthorizationsController.send(:include, Sso::Doorkeeper::AuthorizationsControllerMixin)
+
+      ::Warden::Manager.after_authentication(scope: :user, &::Sso::Warden::Hooks::AfterAuthentication.to_proc)
+      ::Warden::Manager.before_logout(scope: :user, &::Sso::Warden::Hooks::BeforeLogout.to_proc)
+
+      # TODO : Why does it need a passport strategy
+      # Warden::Strategies.add :passport, ::Sso::Server::Warden::Strategies::Passport
+
+    end
   end
 end

data/lib/sso/version.rb

@@ -1,3 +1,3 @@
 module Sso
-  VERSION = "0.0.4"
+  VERSION = "0.1.0-alpha"
 end

data/lib/sso/warden/hooks/after_authentication.rb

@@ -0,0 +1,34 @@
+module Sso
+  module Warden
+    module Hooks
+      class AfterAuthentication
+        include ::Sso::Logging
+
+        attr_reader :user, :warden, :options
+
+        def self.to_proc
+          proc do |user, warden, options|
+            new(user: user, warden: warden, options: options).call
+          end
+        end
+
+        def initialize(user:, warden:, options:)
+          @user, @warden, @options = user, warden, options
+        end
+
+        def call
+          debug { "Starting hook because this is considered the first login of the current session..." }
+          request = warden.request
+          session = warden.session(:user)
+
+          debug { "Generating a Sso:Session for user #{user.id.inspect} for the session cookie at the Sso server..." }
+          attributes = {  ip: request.ip, agent: request.user_agent }
+
+          sso_session = Sso::Session.generate_master(user, attributes)
+          debug { "Sso:Session with ID #{sso_session.id} generated successfuly. Persisting it in session..." }
+          session["sso_session_id"] = sso_session.id.to_s
+        end
+      end
+    end
+  end
+end

data/lib/sso/warden/hooks/before_logout.rb

@@ -0,0 +1,34 @@
+module Sso
+  module Warden
+    module Hooks
+      class BeforeLogout
+        include ::Sso::Logging
+
+        attr_reader :user, :warden, :options
+        delegate :request, to: :warden
+        delegate :params, to: :request
+        delegate :session, to: :request
+
+        def self.to_proc
+          proc do |user, warden, options|
+            new(user: user, warden: warden, options: options).call
+          end
+        end
+
+        def initialize(user:, warden:, options:)
+          @user, @warden, @options = user, warden, options
+        end
+
+        def call
+          # Only run if user is logged in
+          if warden.authenticated?(:user) && (session = warden.session(:user))
+            debug { 'Destroy all Sso::Session groups before logout' }
+            debug { session.inspect }
+            Sso::Session.logout(session["sso_session_id"])
+            #Passports.logout passport_id: params['passport_id'], provider_passport_id: session['sso_session_id']
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sso.rb

@@ -1,5 +1,10 @@
 require "sso/engine"
 require "sso/logging"
+require "sso/warden/hooks/after_authentication"
+require "sso/warden/hooks/before_logout"
+require "sso/doorkeeper/authorizations_controller_mixin"
+require "sso/doorkeeper/tokens_controller_mixin"
+
 
 module Sso
   def self.table_name_prefix

data/spec/test_app/app/controllers/application_controller.rb

@@ -0,0 +1,14 @@
+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+
+  before_action :configure_permitted_parameters, if: :devise_controller?
+
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:first_name, :last_name, :email, :password, :password_confirmation) }
+  end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper_sso
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.1.0.pre.alpha
 platform: ruby
 authors:
 - John Wong
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-15 00:00:00.000000000 Z
+date: 2015-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -275,14 +275,8 @@ files:
 - Rakefile
 - app/assets/javascripts/sso/application.js
 - app/assets/stylesheets/sso/application.css
-- app/controllers/application_controller.rb
-- app/controllers/doorkeeper/authorizations_controller.rb
-- app/controllers/doorkeeper/tokens_controller.rb
 - app/controllers/sso/sessions_controller.rb
 - app/helpers/sso/application_helper.rb
-- app/middleware/sso/access_token_marker.rb
-- app/middleware/sso/authorization_grant_marker.rb
-- app/middleware/sso/passport_verification.rb
 - app/models/sso/session.rb
 - app/views/layouts/doorkeeper/admin.html.erb
 - app/views/layouts/doorkeeper/application.html.erb
@@ -291,9 +285,13 @@ files:
 - db/migrate/20150414102248_create_sso_sessions.rb
 - lib/doorkeeper_sso.rb
 - lib/sso.rb
+- lib/sso/doorkeeper/authorizations_controller_mixin.rb
+- lib/sso/doorkeeper/tokens_controller_mixin.rb
 - lib/sso/engine.rb
 - lib/sso/logging.rb
 - lib/sso/version.rb
+- lib/sso/warden/hooks/after_authentication.rb
+- lib/sso/warden/hooks/before_logout.rb
 - lib/tasks/sso_tasks.rake
 - spec/controllers/sso/sessions_controller_spec.rb
 - spec/fabricators/api_application_fabricator.rb
@@ -310,6 +308,7 @@ files:
 - spec/support/fabrication.rb
 - spec/support/vcr.rb
 - spec/test_app/Rakefile
+- spec/test_app/app/controllers/application_controller.rb
 - spec/test_app/app/models/user.rb
 - spec/test_app/config/database.yml
 - spec/test_app/config/initializers/devise.rb
@@ -332,9 +331,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.4.5
@@ -356,6 +355,7 @@ test_files:
 - spec/support/devise.rb
 - spec/support/fabrication.rb
 - spec/support/vcr.rb
+- spec/test_app/app/controllers/application_controller.rb
 - spec/test_app/app/models/user.rb
 - spec/test_app/config/database.yml
 - spec/test_app/config/initializers/devise.rb
@@ -364,3 +364,4 @@ test_files:
 - spec/test_app/db/schema.rb
 - spec/test_app/public/favicon.ico
 - spec/test_app/Rakefile
+has_rdoc: 

data/app/controllers/application_controller.rb

@@ -1,3 +0,0 @@
-class ApplicationController < ActionController::Base
-
-end

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -1,18 +0,0 @@
-module Doorkeeper
-  class AuthorizationsController < Doorkeeper::ApplicationController
-
-    after_action :after_grant_create, only: [:new, :create]
-
-  protected
-
-    def after_grant_create
-      Rails.logger.info "AuthorizationsController#Create : after_action"
-      code_response = authorization.instance_variable_get("@response")
-      if code_response
-        warden_session = session["warden.user.user.session"]
-        Rails.logger.debug "Sso::Session.update_master_with_grant - #{warden_session["sso_session_id"].inspect}, #{code_response.auth.token.inspect}"
-        Sso::Session.update_master_with_grant(warden_session["sso_session_id"], code_response.auth.token)
-      end
-    end
-  end
-end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -1,39 +0,0 @@
-module Doorkeeper
-  class TokensController < Doorkeeper::ApplicationMetalController
-    include AbstractController::Callbacks
-
-    after_action :after_token_create, only: :create
-
-  protected
-
-    def after_token_create
-      Rails.logger.info "TokensController#Create : after_action"
-      handle_authorization_grant_flow
-    end
-
-    def handle_authorization_grant_flow
-      # We cannot rely on session[:sso_session_id] here because the end-user might have cookies disabled.
-      # The only thing we can rely on to identify the user/Passport is the incoming grant token.
-      Rails.logger.debug { %(Detected outgoing "Access Token" #{outgoing_access_token.inspect}) }
-      if sso_session = Sso::Session.update_master_with_access_token(grant_token, outgoing_access_token)
-        Rails.logger.debug "::Sso::Session.register_access_token success for access_token: #{outgoing_access_token}"
-      else
-        Rails.logger.debug "::Sso::Session.register_access_token failed. #{sso_session.errors.inspect}"
-        warden.logout
-      end
-    end
-
-    def grant_token
-      params["code"]
-    end
-
-    def grant_type
-      params["grant_type"]
-    end
-
-    def outgoing_access_token
-      @response_hash ||= JSON.parse(response.body)
-      @response_hash["access_token"]
-    end
-  end
-end

data/app/middleware/sso/access_token_marker.rb

@@ -1,103 +0,0 @@
-# app/middleware/sso/access_token_marker.rb
-# Middleware that catches outgoing Doorkeeper access tokens
-
-module Sso
-  class AccessTokenMarker
-
-    def initialize(app)
-      @app = app
-    end
-
-    def call(env)
-      @env = env
-      @request = ::ActionDispatch::Request.new @env
-      @response = @app.call @env
-
-      return response unless request.method == 'POST'
-      return response unless authorization_grant_flow? || password_credential_flow?
-      return response unless response_code == 200
-      return response unless response_body
-      return response unless outgoing_access_token
-
-      if authorization_grant_flow?
-        Rails.logger.debug { %{Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Authorization Code Grant" flow (belonging to "Authorization Grant Token" #{grant_token.inspect}). Augmenting related Passport with it.} }
-        registration = ::Passports.register_access_token grant_token: grant_token, access_token: outgoing_access_token
-
-        if registration.failure?
-          Rails.logger.warn { "The passport could not be augmented. Destroying warden session." }
-          warden.logout
-        end
-
-      elsif password_credential_flow?
-        Rails.logger.debug { %{Detected outgoing "Access Token" #{outgoing_access_token.inspect} of the "Resource Owner Password Credentials Grant" flow. Generating new Passport with it.} }
-        generation = ::Passports.generate_with_access_token access_token_string: outgoing_access_token, ip: request.ip, agent: request.user_agent
-
-        if generation.failure?
-          Rails.logger.warn { "The passport could not be generated. Destroying warden session." }
-          warden.logout
-        end
-
-      else
-        fail NotImplementedError
-      end
-
-      response
-    end
-
-    def request
-      @request
-    end
-
-    def response
-      @response
-    end
-
-    def response_body
-      response.last.first.presence
-      # raise response.last.inspect
-    end
-
-    def response_code
-      response.first
-    end
-
-    def parsed_response_body
-      # raise response_body.inspect
-      return unless response_body
-      ::JSON.parse response_body
-    rescue JSON::ParserError => exception
-      Trouble.notify exception
-      nil
-    end
-
-    def outgoing_access_token
-      return unless parsed_response_body
-      parsed_response_body['access_token']
-    end
-
-    def warden
-      request.env['warden']
-    end
-
-    def params
-      request.params
-    end
-
-    def authorization_grant_flow?
-      grant_token.present?
-    end
-
-    def password_credential_flow?
-      grant_type == 'password'
-    end
-
-    def grant_token
-      params['code']
-    end
-
-    def grant_type
-      params['grant_type']
-    end
-
-  end
-end

data/app/middleware/sso/authorization_grant_marker.rb

@@ -1,87 +0,0 @@
-# app/middleware/sso/authorization_grant_maker.rb
-# Middleware that catches outgoing Doorkeeper authorization grants
-
-module Sso
-  class AuthorizationGrantMarker
-
-    def initialize(app)
-      @app = app
-    end
-
-    def call(env)
-      @env = env
-      @response = @app.call @env
-
-      return response unless outgoing_grant_token
-
-      if passport_id
-        Rails.logger.debug { %{Detected outgoing "Authorization Grant Token" #{outgoing_grant_token.inspect} of the "Authorization Code Grant" flow. Augmenting Passport #{passport_id.inspect} with it.} }
-        registration = ::Passports.register_authorization_grant passport_id: passport_id, token: outgoing_grant_token
-
-        if registration.failure?
-          Rails.logger.warn { "The passport could not be augmented. Destroying warden session." }
-          warden.logout
-        end
-      end
-
-      response
-    end
-
-    def request
-      ::ActionDispatch::Request.new @env
-    end
-
-    def response
-      @response
-    end
-
-    def code
-      response.first
-    end
-
-    def session
-      request.session
-    end
-
-    def warden
-      request.env['warden']
-    end
-
-    def passport_id
-      session['passport_id']
-    end
-
-    def location_header
-      unless code == 302
-        #logger.debug { "Uninteresting response, because it is not a redirect" }
-        return
-      end
-
-      response.second['Location']
-    end
-
-    def redirect_uri
-      unless location_header
-        #logger.debug { "Uninteresting response, because there is no Location header" }
-        return
-      end
-
-      ::URI.parse location_header
-    end
-
-    def redirect_uri_params
-      return unless redirect_uri
-      ::Rack::Utils.parse_query redirect_uri.query
-    end
-
-    def outgoing_grant_token
-      unless redirect_uri_params && redirect_uri_params['code']
-        #logger.debug { "Uninteresting response, because there is no code parameter sent" }
-        return
-      end
-
-      redirect_uri_params['code']
-    end
-
-  end
-end

data/app/middleware/sso/passport_verification.rb

@@ -1,25 +0,0 @@
-# app/middleware/sso/passport_verification.rb
-# A Middleware to verify incoming requests by client applications
-# which would like to verify the passport a user presented to them
-
-module Sso
-  class PassportVerification
-
-    def initialize(app)
-      @app = app
-    end
-
-    def call(env)
-      request = Rack::Request.new(env)
-
-      if request.path == '/api/v1/passports/verify'
-        logger.debug { "Detected Passport verification request." }
-        env['warden'].authenticate! :passport
-      else
-        # logger.debug { "I'm not interested in this request to #{request.path}" }
-        @app.call(env)
-      end
-    end
-
-  end
-end