forest_liana 5.3.0 → 6.0.0.pre.beta.2

data/app/services/forest_liana/forest_api_requester.rb

@@ -5,33 +5,42 @@ module ForestLiana
     def self.get(route, query: nil, headers: {})
       begin
         HTTParty.get("#{forest_api_url}#{route}", {
+          :verify => Rails.env.production?,
           headers: base_headers.merge(headers),
           query: query,
         }).response
       rescue
-        raise 'Cannot reach Forest API, it seems to be down right now.'
+        raise "Cannot reach Forest API at #{forest_api_url}#{route}, it seems to be down right now."
       end
     end
 
     def self.post(route, body: nil, query: nil, headers: {})
       begin
-        HTTParty.post("#{forest_api_url}#{route}", {
+        if route.start_with?('https://')
+          post_route = route
+        else
+          post_route = "#{forest_api_url}#{route}"
+        end
+
+        HTTParty.post(post_route, {
+          :verify => Rails.env.production?,
           headers: base_headers.merge(headers),
           query: query,
           body: body.to_json,
         }).response
       rescue
-        raise 'Cannot reach Forest API, it seems to be down right now.'
+        raise "Cannot reach Forest API at #{post_route}, it seems to be down right now."
       end
     end
 
     private
 
     def self.base_headers
-      {
+      base_headers = {
         'Content-Type' => 'application/json',
-        'forest-secret-key' => ForestLiana.env_secret,
       }
+      base_headers['forest-secret-key'] = ForestLiana.env_secret if !ForestLiana.env_secret.nil?
+      return base_headers
     end
 
     def self.forest_api_url

data/app/services/forest_liana/ip_whitelist_checker.rb

@@ -58,7 +58,7 @@ module ForestLiana
       ip_range_maximum = (IPAddress rule['ip_maximum']).to_i
       ip_value = (IPAddress ip).to_i
 
-      return ip_value >= ip_range_minimum && ip_value <= ip_range_maximum;
+      return ip_value >= ip_range_minimum && ip_value <= ip_range_maximum
     end
 
     def self.is_ip_match_subnet(ip, subnet)

data/app/services/forest_liana/login_handler.rb

@@ -19,12 +19,12 @@ module ForestLiana
     end
 
     def perform
-      user = ForestLiana::AuthorizationGetter.new(
+      user = ForestLiana::AuthorizationGetter.authenticate(
         @rendering_id,
         @use_google_authentication,
         @auth_data,
         @two_factor_registration
-      ).perform
+      )
 
       if user['two_factor_authentication_enabled']
         if !@two_factor_token.nil?
@@ -93,15 +93,7 @@ module ForestLiana
     end
 
     def create_token(user, rendering_id)
-      JWT.encode({
-        id: user['id'],
-        email: user['email'],
-        first_name: user['first_name'],
-        last_name: user['last_name'],
-        team: user['teams'][0],
-        rendering_id: rendering_id,
-        exp: Time.now.to_i + 2.weeks.to_i
-      }, ForestLiana.auth_secret, 'HS256')
+      ForestLiana::Token.create_token(user, rendering_id)
     end
   end
 end

data/app/services/forest_liana/oidc_client_manager.rb

@@ -0,0 +1,34 @@
+require 'openid_connect'
+
+module ForestLiana
+  class OidcClientManager
+    def self.get_client_for_callback_url(callback_url)
+      begin
+        client_data = Rails.cache.read(callback_url) || nil
+        if client_data.nil?
+          configuration = ForestLiana::OidcConfigurationRetriever.retrieve()
+
+          client_credentials = ForestLiana::OidcDynamicClientRegistrator.register({
+            token_endpoint_auth_method: 'none',
+            redirect_uris: [callback_url],
+            registration_endpoint: configuration['registration_endpoint']
+          })
+
+          client_data = { :client_id => client_credentials['client_id'], :issuer => configuration['issuer'] }
+          Rails.cache.write(callback_url, client_data)
+        end
+
+        OpenIDConnect::Client.new(
+          identifier: client_data[:client_id],
+          redirect_uri: callback_url,
+          host: "#{client_data[:issuer].sub(/^https?\:\/\/(www.)?/,'')}",
+          authorization_endpoint: '/oidc/auth',
+          token_endpoint: '/oidc/token',
+        )
+      rescue => error
+        Rails.cache.delete(callback_url)
+        raise error
+      end
+    end
+  end
+end

data/app/services/forest_liana/oidc_configuration_retriever.rb

@@ -0,0 +1,12 @@
+module ForestLiana
+  class OidcConfigurationRetriever
+    def self.retrieve()
+      response = ForestLiana::ForestApiRequester.get('/oidc/.well-known/openid-configuration')
+      if response.is_a?(Net::HTTPOK)
+        return JSON.parse(response.body)
+      else
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:OIDC_CONFIGURATION_RETRIEVAL_FAILED]       
+      end
+    end
+  end
+end

data/app/services/forest_liana/oidc_dynamic_client_registrator.rb

@@ -0,0 +1,67 @@
+require 'json'
+require 'json/jwt'
+
+module ForestLiana
+  class OidcDynamicClientRegistrator
+    def self.is_standard_body_error(response)
+      result = false
+      begin
+        jsonbody
+
+        if (!response['body'].is_a?(Object) || response['body'].is_a?(StringIO)) 
+          jsonbody = JSON.parse(response['body'])
+        else 
+          jsonbody = response['body']
+        end
+
+        result = jsonbody['error'].is_a?(String) && jsonbody['error'].length > 0
+
+        if (result) 
+          response['body'] = jsonbody 
+        end
+      rescue
+        {}
+      end
+
+      return result
+    end
+
+    def self.process_response(response, expected = {})
+      statusCode = expected[:statusCode] || 200
+      body = expected[:body] || true
+
+      if (response.code.to_i != statusCode.to_i)
+        if (is_standard_body_error(response))
+          raise response['body']
+        end
+
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:REGISTRATION_FAILED] + response.body
+      end
+
+      if (body && !response.body)
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:REGISTRATION_FAILED] + response.body
+      end
+
+      return response.body
+    end
+
+    def self.authorization_header_value(token, tokenType = 'Bearer')
+      return "#{tokenType} #{token}"
+    end
+
+    def self.register(metadata)
+      initial_access_token = ForestLiana.env_secret
+
+      response = ForestLiana::ForestApiRequester.post(
+        metadata[:registration_endpoint],
+        body: metadata,
+        headers: initial_access_token ? {
+          Authorization: authorization_header_value(initial_access_token),
+        } : {},
+      )
+
+      responseBody = process_response(response, { :statusCode => 201, :bearer => true })
+      return JSON.parse(responseBody)
+    end
+  end
+end

data/app/services/forest_liana/permissions_checker.rb

@@ -44,7 +44,7 @@ module ForestLiana
       @allowed = @smart_action_permissions['allowed']
       @users = @smart_action_permissions['users']
 
-      return @allowed && (@users.nil?|| @users.include?(@user_id.to_i));
+      return @allowed && (@users.nil?|| @users.include?(@user_id.to_i))
     end
 
     def collection_list_allowed?(scope_permissions)

data/app/services/forest_liana/query_stat_getter.rb

@@ -2,11 +2,11 @@ module ForestLiana
   class QueryStatGetter
     attr_accessor :record
 
-    CHART_TYPE_VALUE = 'Value';
-    CHART_TYPE_PIE = 'Pie';
-    CHART_TYPE_LINE = 'Line';
-    CHART_TYPE_LEADERBOARD = 'Leaderboard';
-    CHART_TYPE_OBJECTIVE = 'Objective';
+    CHART_TYPE_VALUE = 'Value'
+    CHART_TYPE_PIE = 'Pie'
+    CHART_TYPE_LINE = 'Line'
+    CHART_TYPE_LEADERBOARD = 'Leaderboard'
+    CHART_TYPE_OBJECTIVE = 'Objective'
 
     def initialize(params)
       @params = params

data/app/services/forest_liana/resources_getter.rb

@@ -12,11 +12,11 @@ module ForestLiana
       @collection = get_collection(@collection_name)
       @fields_to_serialize = get_fields_to_serialize
       @field_names_requested = field_names_requested
-      get_segment
-      compute_includes
+      get_segment()
+      compute_includes()
       @search_query_builder = SearchQueryBuilder.new(@params, @includes, @collection)
 
-      prepare_query
+      prepare_query()
     end
 
     def self.get_ids_from_request(params)

data/app/services/forest_liana/token.rb

@@ -0,0 +1,27 @@
+EXPIRATION_IN_SECONDS = 14.days
+
+module ForestLiana
+  class Token
+    REGEX_COOKIE_SESSION_TOKEN = /forest_session_token=([^;]*)/;
+
+    def self.expiration_in_days
+      Time.current + EXPIRATION_IN_SECONDS
+    end
+
+    def self.expiration_in_seconds
+      return Time.now.to_i + EXPIRATION_IN_SECONDS
+    end
+
+    def self.create_token(user, rendering_id)
+      return JWT.encode({
+        id: user['id'],
+        email: user['email'],
+        first_name: user['first_name'],
+        last_name: user['last_name'],
+        team: user['teams'][0],
+        rendering_id: rendering_id,
+        exp: expiration_in_seconds()
+      }, ForestLiana.auth_secret, 'HS256')
+    end
+  end
+end

data/config/initializers/error-messages.rb

@@ -0,0 +1,20 @@
+module ForestLiana
+  MESSAGES = {
+    CONFIGURATION: {
+      AUTH_SECRET_MISSING: "Your Forest authSecret seems to be missing. Can you check that you properly set a Forest authSecret in the Forest initializer?",
+    },
+    SERVER_TRANSACTION: {
+      SECRET_AND_RENDERINGID_INCONSISTENT: "Cannot retrieve the project you're trying to unlock. The envSecret and renderingId seems to be missing or inconsistent.",
+      SERVER_DOWN: "Cannot retrieve the data from the Forest server. Forest API seems to be down right now.",
+      SECRET_NOT_FOUND: "Cannot retrieve the data from the Forest server. Can you check that you properly copied the Forest envSecret in the Liana initializer?",
+      UNEXPECTED: "Cannot retrieve the data from the Forest server. An error occured in Forest API.",
+      INVALID_STATE_MISSING: "Invalid response from the authentication server: the state parameter is missing",
+      INVALID_STATE_FORMAT: "Invalid response from the authentication server: the state parameter is not at the right format",
+      INVALID_STATE_RENDERING_ID: "Invalid response from the authentication server: the state does not contain a renderingId",
+      MISSING_RENDERING_ID: "Authentication request must contain a renderingId",
+      INVALID_RENDERING_ID: "The parameter renderingId is not valid",
+      REGISTRATION_FAILED: "The registration to the authentication API failed, response: ",
+      OIDC_CONFIGURATION_RETRIEVAL_FAILED: "Failed to retrieve the provider's configuration.",
+    }
+  }
+end

data/config/routes.rb

@@ -4,6 +4,11 @@ ForestLiana::Engine.routes.draw do
   # Onboarding
   get '/' => 'apimaps#index'
 
+  # Authentication
+  post 'authentication' => 'authentication#start_authentication'
+  get 'authentication/callback' => 'authentication#authentication_callback'
+  post 'authentication/logout' => 'authentication#logout'
+
   # Session
   post 'sessions' => 'sessions#create_with_password'
   post 'sessions-google' => 'sessions#create_with_google'
@@ -57,6 +62,4 @@ ForestLiana::Engine.routes.draw do
 
   # Smart Actions forms value
   post 'actions/:action_name/values' => 'actions#values'
-  post 'actions/:action_name/hooks/load' => 'actions#load'
-  post 'actions/:action_name/hooks/change' => 'actions#change'
 end

data/lib/forest_liana.rb

@@ -16,6 +16,7 @@ module ForestLiana
 
   mattr_accessor :env_secret
   mattr_accessor :auth_secret
+  mattr_accessor :application_url
   mattr_accessor :integrations
   mattr_accessor :apimap
   mattr_accessor :allowed_users

data/lib/forest_liana/bootstrapper.rb

@@ -38,14 +38,6 @@ module ForestLiana
 
     private
 
-    def get_collection(collection_name)
-      ForestLiana.apimap.find { |collection| collection.name.to_s == collection_name }
-    end
-
-    def get_action(collection, action_name)
-      collection.actions.find {|action| action.name == action_name}
-    end
-
     def generate_apimap
       create_apimap
       require_lib_forest_liana
@@ -53,17 +45,6 @@ module ForestLiana
 
       if Rails.env.development?
         @collections_sent = ForestLiana.apimap.as_json
-
-        @collections_sent.each do |collection|
-          collection['actions'].each do |action|
-            c = get_collection(collection['name'])
-            a = get_action(c, action['name'])
-            load = !a.hooks.nil? && a.hooks.key?(:load) && a.hooks[:load].is_a?(Proc)
-            change = !a.hooks.nil? && a.hooks.key?(:change) && a.hooks[:change].is_a?(Hash) ? a.hooks[:change].keys : []
-            action['hooks'] = {:load => load, :change => change}
-          end
-        end
-
         @meta_sent = ForestLiana.meta
         SchemaFileUpdater.new(SCHEMA_FILENAME, @collections_sent, @meta_sent).perform()
       else
@@ -640,7 +621,7 @@ module ForestLiana
     end
 
     def forest_url
-      ENV['FOREST_URL'] || 'https://api.forestadmin.com';
+      ENV['FOREST_URL'] || 'https://api.forestadmin.com'
     end
 
     def database_type

data/lib/forest_liana/collection.rb

@@ -148,7 +148,7 @@ module ForestLiana::Collection
       # TODO: Remove once lianas prior to 2.0.0 are not supported anymore.
       model = ForestLiana.models.find { |collection| collection.try(:table_name) == collection_name.to_s }
       if model
-        collection_name_new = ForestLiana.name_for(model);
+        collection_name_new = ForestLiana.name_for(model)
         FOREST_LOGGER.warn "DEPRECATION WARNING: Collection names are now based on the models " \
           "names. Please rename the collection '#{collection_name.to_s}' of your Forest " \
           "customisation in '#{collection_name_new}'."
@@ -158,7 +158,7 @@ module ForestLiana::Collection
       # TODO: Remove once lianas prior to 2.0.0 are not supported anymore.
       model = ForestLiana.names_old_overriden.invert[collection_name.to_s]
       if model
-        collection_name_new = ForestLiana.name_for(model);
+        collection_name_new = ForestLiana.name_for(model)
         FOREST_LOGGER.warn "DEPRECATION WARNING: Collection names are now based on the models " \
           "names. Please rename the collection '#{collection_name.to_s}' of your Forest " \
           "customisation in '#{collection_name_new}'."

data/lib/forest_liana/engine.rb

@@ -16,8 +16,17 @@ module ForestLiana
       begin
         rack_cors_class = Rack::Cors
         rack_cors_class = 'Rack::Cors' if Rails::VERSION::MAJOR < 5
+        null_regex = Regexp.new(/\Anull\z/)
 
         config.middleware.insert_before 0, rack_cors_class do
+          allow do
+            hostnames = [null_regex, 'localhost:4200', /\A.*\.forestadmin\.com\z/]
+            hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']
+
+            origins hostnames
+            resource ForestLiana::AuthenticationController::PUBLIC_ROUTES[1], headers: :any, methods: :any, credentials: true, max_age: 86400 # NOTICE: 1 day
+          end
+
           allow do
             hostnames = ['localhost:4200', /\A.*\.forestadmin\.com\z/]
             hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']

data/lib/forest_liana/json_printer.rb

@@ -20,7 +20,7 @@ module ForestLiana
             result << ", "
           end
 
-          result << pretty_print(item, is_primary_value ? "#{indentation}  " : indentation);
+          result << pretty_print(item, is_primary_value ? "#{indentation}  " : indentation)
         end
 
         result << "\n#{indentation}" if is_primary_value && !is_small

data/lib/forest_liana/schema_file_updater.rb

@@ -50,7 +50,6 @@ module ForestLiana
       'redirect',
       'download',
       'fields',
-      'hooks',
     ]
     KEYS_ACTION_FIELD = [
       'field',

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "5.3.0"
+  VERSION = "6.0.0-beta.2"
 end

data/spec/dummy/config/initializers/forest_liana.rb

@@ -1,2 +1,3 @@
 ForestLiana.env_secret = 'env_secret_test'
 ForestLiana.auth_secret = 'auth_secret_test'
+ForestLiana.application_url = 'http://localhost:3000'

data/spec/requests/authentications_spec.rb

@@ -0,0 +1,107 @@
+require 'rails_helper'
+require 'openid_connect'
+require 'json'
+
+describe "Authentications", type: :request do
+  before do
+    allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
+    allow(ForestLiana::OidcConfigurationRetriever).to receive(:retrieve) {
+      JSON.parse('{
+          "registration_endpoint": "https://api.forestadmin.com/oidc/registration",
+          "issuer": "api.forestadmin.com"
+        }', :symbolize_names => false)
+    }
+    allow(ForestLiana::ForestApiRequester).to receive(:post) {
+      instance_double(HTTParty::Response, body: '{ "client_id": "random_id" }', code: 201)
+    }
+    allow_any_instance_of(OpenIDConnect::Client).to receive(:access_token!) {
+      OpenIDConnect::AccessToken.new(access_token: 'THE-ACCESS-TOKEN', client: instance_double(OpenIDConnect::Client))
+    }
+  end
+
+  after do
+    Rails.cache.delete(URI.join(ForestLiana.application_url, ForestLiana::Engine.routes.url_helpers.authentication_callback_path).to_s)
+  end
+
+  headers = {
+    'Accept' => 'application/json',
+    'Content-Type' => 'application/json',
+  }
+
+  describe "POST /authentication" do
+    before() do 
+      post ForestLiana::Engine.routes.url_helpers.authentication_path, { :renderingId => 42 }, :headers => headers
+    end
+
+    it "should respond with a 302 code" do
+      expect(response).to have_http_status(302)
+    end
+
+    it "should return a valid authentication url" do
+      expect(response.headers['Location']).to eq('https://api.forestadmin.com/oidc/auth?client_id=random_id&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fforest%2Fauthentication%2Fcallback&response_type=code&scope=openid%20email%20profile&state=%7B%22renderingId%22%3D%3E42%7D')
+    end
+  end
+
+  describe "GET /authentication/callback" do
+    before() do 
+      response = '{"data":{"id":666,"attributes":{"first_name":"Alice","last_name":"Doe","email":"alice@forestadmin.com","teams":[1,2,3]}}}'
+      allow(ForestLiana::ForestApiRequester).to receive(:get).with(
+        "/liana/v2/renderings/42/authorization", { :headers => { "forest-token" => "THE-ACCESS-TOKEN" }, :query=> {} }
+      ).and_return(
+        instance_double(HTTParty::Response, :body => response, :code => 200)
+      )
+
+      get ForestLiana::Engine.routes.url_helpers.authentication_callback_path + "?code=THE-CODE&state=#{URI.escape('{"renderingId":42}', Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))}"
+    end
+
+    it "should respond with a 200 code" do
+      expect(response).to have_http_status(200)
+    end
+
+    it "should return a valid authentication token" do
+      session_cookie = response.headers['set-cookie']
+      expect(session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=[^;]+; secure; HttpOnly$/)
+
+      token = session_cookie.match(/^forest_session_token=([^;]+);/)[1]
+      decoded = JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
+
+      expected_token_data = {
+        "id" => 666,
+        "email" => 'alice@forestadmin.com',
+        "rendering_id" => "42",
+        "first_name" => 'Alice',
+        "last_name" => 'Doe',
+        "team" => 1,
+      }
+
+      expect(decoded).to include(expected_token_data)
+      expect(JSON.parse(response.body, :symbolize_names => true)).to eq({ token: token, tokenData: decoded.deep_symbolize_keys! })
+      expect(response).to have_http_status(200)
+    end
+  end
+
+  describe "POST /authentication/logout" do
+    before() do 
+      cookies['forest_session_token'] = {
+        value: 'eyJhbGciOiJIUzI1NiJ9.eyJpZCI6NjY2LCJlbWFpbCI6ImFsaWNlQGZvcmVzdGFkbWluLmNvbSIsImZpcnN0X25hbWUiOiJBbGljZSIsImxhc3RfbmFtZSI6IkRvZSIsInRlYW0iOjEsInJlbmRlcmluZ19pZCI6IjQyIiwiZXhwIjoxNjA4MDQ5MTI2fQ.5xaMxjUjE3wKldBsj3wW0BP9GHnnMqQi2Kpde8cIHEw',
+        path: '/',
+        expires: Time.now.to_i + 14.days,
+        secure: true,
+        httponly: true
+      }
+      post ForestLiana::Engine.routes.url_helpers.authentication_logout_path, { :renderingId => 42 }, :headers => headers
+      cookies.delete('forest_session_token')
+    end
+
+    it "should respond with a 204 code" do
+      expect(response).to have_http_status(204)
+    end
+
+    it "should invalidate token from browser" do
+      invalidated_session_cookie = response.headers['set-cookie']
+      expect(invalidated_session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure; HttpOnly$/)
+    end
+  end
+end