doorkeeper_sso 0.1.0.pre.alpha → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bb363d678a52d56ddf6c80dc8c1cff69deadd606
-  data.tar.gz: 1d6ac0652e3f375e675f62517f2f3a8b7fbd19f8
+  metadata.gz: 3e7ddb8b903b8df6ad77d9ed41f30c7da735f5f3
+  data.tar.gz: 1a093ad524eb1fbf32977438bca0d4334ead8691
 SHA512:
-  metadata.gz: 4cddcc1c8862063eb257c05822e7bc0976e03eb7ea9ca69c2fea503994090b9258d53b5fe047072f23b73611fc5e53e3d1403761ba911a2558d19cdb845a20ec
-  data.tar.gz: 7b20aa56f12c66ef5dad229e625f85ea94d7a3f78e41061037e8def66057d1d0d01b416415d4eebb701860ebf5177f1d38797b1a17117a522c72825447635c7b
+  metadata.gz: aadcaafcef1f23d0dd2e38a77bceb930ef156011a393b691734802830aee6e4be40594cc3e5eaed3eaedc2a710134f0b6f977f05fed0b4c180086c61c53760a6
+  data.tar.gz: ae93f59d0693635b805bae280a46008c3e6d66d78468ac2ac646d175a2d71574eab25ce44733485ff41edadeaab9299f3a734ac2b35e8ff627e88312a72c513b

data/Rakefile

@@ -7,11 +7,6 @@ end
 Bundler.require :default, :test
 
 require 'rake'
-task :environment do
-  Combustion.initialize!
-end
-Combustion::Application.load_tasks
-
 APP_RAKEFILE = File.expand_path("../spec/test_app/Rakefile", __FILE__)
 load 'rails/tasks/engine.rake'
 require "rspec/core/rake_task"

data/app/controllers/sso/application_controller.rb

@@ -0,0 +1,6 @@
+module Sso
+  class ApplicationController < ::ApplicationController
+  # class ApplicationController < RocketPants::Base
+  #   extend Apipie::DSL::Controller
+  end
+end

data/app/controllers/sso/sessions_controller.rb

@@ -1,32 +1,96 @@
 module Sso
-  class SessionsController < ApplicationController
+  class SessionsController < Sso::ApplicationController
 
-    before_action :authenticate_user!, only: :show
-    before_action :doorkeeper_authorize!, only: :create
-    before_action :find_user, only: :create
+    before_action :authenticate_user!, only: :jsonp
+    before_action :doorkeeper_authorize!, only: [:show, :create]
 
     # TODO: Security issue?
     protect_from_forgery with: :null_session
 
     respond_to :json
 
-    # Returns a 200 if access is granted
+    ################################################################################
+    # OAuth2 Endpoint
+    ################################################################################
+
+    # Passport verification
+    # Session exists (browser/insider) - return passport state
+    # Sessionless (iphone/outsider)
+    # Returns passport
     def show
-      render :nothing => true
+      @session = current_client.session
+      render json: @session, serializer: Sso::SessionSerializer
     end
 
-    # Generate an SSO:Session
+    # Passport exchange
+    # Passport Strategy first exchange
+    # Insider : Client information from Apps should always be trusted
     def create
-      render json: {}
-      # @session  = Sso::Session.generate(@user, doorkeeper_token, params )
+      # passport.load_user!
+      # passport.create_chip!
+      current_client = ::Sso::Client.find_by_access_token(doorkeeper_token.token)
+      current_client.update!(client_params)
+
+      @session = current_client.session
+      render json: @session, status: :created, serializer: Sso::SessionSerializer
+    end
+
+    ################################################################################
+    # JSONP endpoint based on Devise session
+    ################################################################################
+    def jsonp
+      # TODO : Check inconsistent
+      render :nothing => true
       # respond_with @session, :location => sso.sessions_url
     end
 
-    protected
 
-    def find_user
-      @user = User.find(doorkeeper_token.resource_owner_id)
+    ################################################################################
+    # Mobile endpoint
+    ################################################################################
+    def mobile
+      # TODO : Check inconsistent
+      render :nothing => true
+      # respond_with @session, :location => sso.sessions_url
+    end
+
+
+
+  protected
+
+    def current_client
+      @client = doorkeeper_token.sso_client
+    end
+
+    def client_params
+      params.permit(:ip, :agent)
     end
 
   end
 end
+
+
+#passport exchange
+          # finding = ::SSO::Server::Passports.find_by_access_token_id(access_token.id)
+          # if finding.failure?
+          #   # This should never happen. Every Access Token should be connected to a Passport.
+          #   return json_error :passport_not_found
+          # end
+          # passport = finding.object
+
+          # ::SSO::Server::Passports.update_activity passport_id: passport.id, request: request
+
+          # debug { "Attaching user and chip to passport #{passport.inspect}" }
+          # passport.load_user!
+          # passport.create_chip!
+
+          # payload = { success: true, code: :here_is_your_passport, passport: passport.export }
+          # debug { "Created Passport #{passport.id}, sending it including user #{passport.user.inspect}}" }
+
+          # [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
+
+#passport  verification
+
+          # if request.get? && request.path == passports_path
+          #   debug { 'Detected incoming Passport verification request.' }
+          #   env['warden'].authenticate! :passport

data/app/models/sso/client.rb

@@ -0,0 +1,28 @@
+module Sso
+  class Client < ActiveRecord::Base
+    include ::Sso::Logging
+
+    belongs_to :session, class_name: 'Sso::Session', foreign_key: :sso_session_id
+    belongs_to :application, class_name: 'Doorkeeper::Application',  inverse_of: :sso_clients
+    belongs_to :access_grant, class_name: 'Doorkeeper::AccessGrant', inverse_of: :sso_client
+    belongs_to :access_token, class_name: 'Doorkeeper::AccessToken', inverse_of: :sso_client
+
+    validates :access_grant_id, uniqueness: { allow_nil: true }
+    validates :access_token_id, uniqueness: { allow_nil: true }
+
+    class << self
+      def find_by_grant_token(token)
+        find_by!(access_grant: ::Doorkeeper::AccessGrant.by_token(token))
+      end
+
+      def find_by_access_token(token)
+        find_by!(access_token: ::Doorkeeper::AccessToken.by_token(token))
+      end
+    end
+
+    def update_access_token(token)
+      oauth_token = ::Doorkeeper::AccessToken.by_token(token)
+      update(access_token_id: oauth_token.id, application_id: oauth_token.application.id)
+    end
+  end
+end

data/app/models/sso/session.rb

@@ -1,17 +1,15 @@
 module Sso
   class Session < ActiveRecord::Base
     include ::Sso::Logging
+
     # FIXME: Not sure to use application or doorkeeper_application_id
     belongs_to :application, class_name: 'Doorkeeper::Application'  #,  inverse_of: :sso_sessions
     belongs_to :access_grant, class_name: 'Doorkeeper::AccessGrant' #, inverse_of: :sso_sessions
     belongs_to :access_token, class_name: 'Doorkeeper::AccessToken' #, inverse_of: :sso_sessions
     belongs_to :owner, class_name: 'User' #, inverse_of: :sso_sessions
+    has_many   :clients, class_name: 'Sso::Client', foreign_key: :sso_session_id
 
-    validates :group_id, presence: true
     validates :owner_id, presence: true
-    validates :ip, presence: true
-    validates :secret, presence: true
-    validates :access_token_id, uniqueness: { scope: [:owner_id, :revoked_at, :application_id], allow_blank: true }
     validates :revoke_reason, allow_blank: true, format: { with: /\A[a-z_]+\z/ }
 
     scope :active, -> { where(revoked_at: nil) }
@@ -23,59 +21,77 @@ module Sso
 
     class << self
       def master_for(grant_id)
-        active.master.find_by!(access_grant_id: grant_id)
+        active.find_by!(access_grant_id: grant_id)
       end
 
-      def generate_master(user, options)
-        relations = { owner: user }
-        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
-        debug { "Sso::Session::generate_master for #{user.inspect} - #{attributes.inspect}" }
-        create!(relations.merge(attributes))
+      def with_token_id(token_id)
+        includes(:clients).where("sso_clients.access_token_id": token_id)
       end
 
-      def generate(user, access_token, options = {})
-        master_sso_session = active.master.find_by!(owner_id: user.id, access_token_id: access_token.id)
-        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
-        relations = { owner: user, application: access_token.application, access_token: access_token, group_id: master_sso_session.group_id }
-
-        debug { "Sso::Session::generate for #{user.inspect} - #{access_token.inspect} - #{attributes.inspect}" }
-        create!(relations.merge(attributes))
+      def with_grant_id(grant_id)
+        includes(:clients).where("sso_clients.access_grant_id": grant_id)
       end
 
-      def logout(sso_session_id)
-        sso_session = find(sso_session_id)
-        group_id = sso_session.group_id
-
-        debug { "Sso::Session#logout - Revoking Session Group #{sso_session.group_id.inspect} from Session #{sso_session.id.inspect}" }
-        count = where(group_id: group_id).update_all revoked_at: Time.current, revoke_reason: "logout"
-        debug { "Successfully removed #{count.inspect} sessions." }
-        count
+      def by_access_token(token)
+        oauth_token = ::Doorkeeper::AccessToken.by_token(token)
+        with_token_id(oauth_token.id)
       end
 
-      def update_master_with_grant(master_sso_session_id, oauth_grant)
-        master_sso_session = active.master.find(master_sso_session_id)
-
-        if master_sso_session.update_attribute(:access_grant_id, oauth_grant.id)
-          debug { "#update_master_with_grant : #{master_sso_session.id} with Access Grant ID #{oauth_grant.id} which is #{oauth_grant.token}" }
-        else
-          error { "#update_master_with_grant : FAILED to update oauth_grant" }
-        end
+      def generate_master(user, options)
+        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
+        sso_session = self.new( owner: user )
+        sso_session.clients.build(attributes)
+        debug { "Sso::Session::generate_master for #{user.inspect} - #{sso_session.inspect}" }
+        sso_session.save!
+        sso_session
       end
 
-      def update_master_with_access_token(grant_token, access_token)
-        oauth_grant  = ::Doorkeeper::AccessGrant.by_token(grant_token)
-        oauth_token  = ::Doorkeeper::AccessToken.by_token(access_token)
-        return false if oauth_token.blank? or oauth_grant.blank?
+      def generate(user, access_token, options = {})
+        master_sso_session = active.find_by!(owner_id: user.id)
 
-        master_sso_session = active.master.find_by!(access_grant_id: oauth_grant.id)
+        attributes = ActionController::Parameters.new(options).permit(:ip, :agent, :location)
+        relations = { application: access_token.application, access_token: access_token }
 
-        if master_sso_session.update_attributes(access_token_id: oauth_token.id, application_id: oauth_token.application_id)
-          debug { "#register_access_token : #{master_sso_session.id} with Access Token ID #{oauth_token.id} which is #{oauth_token.token}" }
+        debug { "Sso::Session::generate for #{user.inspect} - #{access_token.inspect} - #{attributes.inspect}" }
+
+        if client = master_sso_session_id.clients.find_by(access_token_id: access_token.id)
+          client.update_columns(attributes)
         else
-          error { "#register_access_token : FAILED to update oauth_access_token_id" }
+          master_sso_session.clients.create!(relations.merge(attributes))
         end
         master_sso_session
       end
+
+      def logout(sso_session_id)
+        session = find_by_id(sso_session_id)
+        return false if session.blank?
+        session.logout
+      end
+
+      # def update_master_with_grant(master_sso_session_id, oauth_grant)
+      #   master_sso_session = active.find(master_sso_session_id)
+
+      #   if master_sso_session.update_attribute(:access_grant_id, oauth_grant.id)
+      #     debug { "#update_master_with_grant : #{master_sso_session.id} with Access Grant ID #{oauth_grant.id} which is #{oauth_grant.token}" }
+      #   else
+      #     error { "#update_master_with_grant : FAILED to update oauth_grant" }
+      #   end
+      # end
+
+      # def update_master_with_access_token(grant_token, access_token)
+      #   oauth_grant  = ::Doorkeeper::AccessGrant.by_token(grant_token)
+      #   oauth_token  = ::Doorkeeper::AccessToken.by_token(access_token)
+      #   return false if oauth_token.blank? or oauth_grant.blank?
+
+      #   master_sso_session = active.with_grant_id(oauth_grant.id).first
+
+      #   if master_sso_session.update_attributes(access_token_id: oauth_token.id, application_id: oauth_token.application_id)
+      #     debug { "#register_access_token : #{master_sso_session.id} with Access Token ID #{oauth_token.id} which is #{oauth_token.token}" }
+      #   else
+      #     error { "#register_access_token : FAILED to update oauth_access_token_id" }
+      #   end
+      #   master_sso_session
+      # end
     end
 
     def create_session(token, options = {})
@@ -85,6 +101,14 @@ module Sso
     #   ['Sso:Session', owner_id, ip, activity_at].join ', '
     # end
 
+    def active?
+      revoked_at.blank?
+    end
+
+    def logout
+      update revoked_at: Time.current, revoke_reason: "logout"
+    end
+
   private
 
     def ensure_secret

data/app/serializers/sso/owner_serializer.rb

@@ -0,0 +1,5 @@
+module Sso
+  class OwnerSerializer < ActiveModel::Serializer
+    attributes :id, :name, :first_name, :last_name, :email, :lang
+  end
+end

data/app/serializers/sso/session_serializer.rb

@@ -0,0 +1,7 @@
+module Sso
+  class SessionSerializer < ActiveModel::Serializer
+    attributes :id, :active?, :secret, :revoked_at, :revoke_reason
+
+    belongs_to :owner, serializer: Sso::OwnerSerializer
+  end
+end

data/db/migrate/{20150414102248_create_sso_sessions.rb → 20150521102248_create_sso_sessions.rb}

@@ -2,7 +2,7 @@ class CreateSsoSessions < ActiveRecord::Migration
   def change
     enable_extension 'uuid-ossp'
 
-    create_table :sso_sessions, id: :uuid do |t|
+    create_table :sso_sessions, id: :uuid, force: true do |t|
       t.references  "access_grant", index: true
       t.references  "access_token", index: true
       t.references  "application",  index: true
@@ -15,7 +15,7 @@ class CreateSsoSessions < ActiveRecord::Migration
       t.datetime "activity_at",     null: false
       t.datetime "revoked_at"
       t.string   "revoke_reason"
-      t.timestamps
+      t.timestamps null: false
     end
 
     add_index :sso_sessions, [:owner_id, :access_token_id, :application_id], where: 'revoked_at IS NULL AND access_token_id IS NOT NULL', unique: true, name: :one_access_token_per_owner
@@ -24,6 +24,5 @@ class CreateSsoSessions < ActiveRecord::Migration
     add_index :sso_sessions, :secret
     add_index :sso_sessions, :ip
     add_index :sso_sessions, :revoke_reason
-
   end
 end

data/db/migrate/20150521142926_create_sso_clients.rb

@@ -0,0 +1,18 @@
+class CreateSsoClients < ActiveRecord::Migration
+  enable_extension 'uuid-ossp'
+
+  def change
+    create_table :sso_clients, id: :uuid do |t|
+      t.uuid        "sso_session_id",  index: true
+      t.references  "access_grant", index: true
+      t.references  "access_token", index: true
+      t.references  "application",  index: true
+      t.string      "ip"
+      t.string      "agent"
+      t.string      "location"
+      t.string      "device"
+      t.datetime    "activity_at"
+      t.timestamps  null: false
+    end
+  end
+end

data/db/migrate/20150521165143_remove_extra_columns_from_sso_sessions.rb

@@ -0,0 +1,9 @@
+class RemoveExtraColumnsFromSsoSessions < ActiveRecord::Migration
+  def change
+    change_table(:sso_sessions) do |t|
+      t.remove :ip
+      t.remove :agent
+      t.remove :location
+    end
+  end
+end

data/lib/doorkeeper_sso.rb

@@ -1,3 +1,4 @@
+require "active_model_serializers"
 require "sso"
 
 module DoorkeeperSso

data/lib/sso.rb

@@ -2,6 +2,10 @@ require "sso/engine"
 require "sso/logging"
 require "sso/warden/hooks/after_authentication"
 require "sso/warden/hooks/before_logout"
+require "sso/warden/hooks/session_check"
+require "sso/doorkeeper/access_grant_mixin"
+require "sso/doorkeeper/access_token_mixin"
+require "sso/doorkeeper/application_mixin"
 require "sso/doorkeeper/authorizations_controller_mixin"
 require "sso/doorkeeper/tokens_controller_mixin"
 

data/lib/sso/doorkeeper/access_grant_mixin.rb

@@ -0,0 +1,12 @@
+module Sso
+  module Doorkeeper
+    module AccessGrantMixin
+      extend ActiveSupport::Concern
+      include ::Sso::Logging
+
+      included do
+        has_one :sso_client, class_name: 'Sso::Client', foreign_key: :access_grant_id
+      end
+    end
+  end
+end

data/lib/sso/doorkeeper/access_token_mixin.rb

@@ -0,0 +1,12 @@
+module Sso
+  module Doorkeeper
+    module AccessTokenMixin
+      extend ActiveSupport::Concern
+      include ::Sso::Logging
+
+      included do
+        has_one :sso_client, class_name: 'Sso::Client', foreign_key: :access_token_id
+      end
+    end
+  end
+end

data/lib/sso/doorkeeper/application_mixin.rb

@@ -0,0 +1,12 @@
+module Sso
+  module Doorkeeper
+    module ApplicationMixin
+      extend ActiveSupport::Concern
+      include ::Sso::Logging
+
+      included do
+        has_many :sso_clients, class_name: 'Sso::Client', foreign_key: :application_id
+      end
+    end
+  end
+end