forest_liana 6.0.0.pre.beta.1 → 6.0.0.pre.beta.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a534b6abdb1a47d2690f785ef13dff74d97117fa7e1871b82659644ac9c1a53
-  data.tar.gz: 9d7c3281edc36a9aabf47f74851c3ba191d1e31c7bd29a0a4c7d9e8b6f3522f7
+  metadata.gz: f2f88ccbd15c18a78b06d08ad2a17dfa2075d2b586728033cbe03564c95dd92e
+  data.tar.gz: e78f4892dc9ea07b8dbabb67d3183920f8ef41b6cb7ebe1edd8cb3d0c3b7ee2b
 SHA512:
-  metadata.gz: c18f213548f7584a4dc7aabe121442d0e50270f29860c54164348bd45fca77810d5402284147b9a114d04f17b5314ee8d7f64daae1887e6f258cfd7663ba6c1f
-  data.tar.gz: 6edfe33f160b65de926013b45ef0ba4b7ae374a4446faf64ca6ffbd3a5e606845c89c9e30756fe8e26d4d420786ab09a36b38b0077d0c975a4d695b0aaa0c5ef
+  metadata.gz: 2a1dfc618f2723448b2fea3b39a48be64fad619c87a3b7d9257e3be8292f1ae86632c38563a7c9d938fd9699a0d78bac50e521d390bb40077ab824996b987ed2
+  data.tar.gz: d1a6401e8e236b718f488e1a1b5641fb953a912c719a5ea1010f7f307c99e7b96fd9f153fc483ebd7dbef5861a5daf9c12e2bdc03f846b62850662ee1837209a

data/app/controllers/forest_liana/application_controller.rb

@@ -3,8 +3,6 @@ require 'csv'
 
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
-    REGEX_COOKIE_SESSION_TOKEN = /forest_session_token=([^;]*)/;
-
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -64,7 +62,7 @@ module ForestLiana
             token = request.headers['Authorization'].split.second
           # NOTICE: Necessary for downloads authentication.
           elsif request.headers['cookie']
-            match = REGEX_COOKIE_SESSION_TOKEN.match(request.headers['cookie'])
+            match = ForestLiana::Token::REGEX_COOKIE_SESSION_TOKEN.match(request.headers['cookie'])
             token = match[1] if match && match[1]
           end
 
@@ -97,10 +95,6 @@ module ForestLiana
       end
     end
 
-    def route_not_found
-      head :not_found
-    end
-
     def internal_server_error
       head :internal_server_error
     end

data/app/controllers/forest_liana/authentication_controller.rb

@@ -0,0 +1,122 @@
+require 'uri'
+require 'json'
+
+module ForestLiana
+  class AuthenticationController < ForestLiana::BaseController
+    START_AUTHENTICATION_ROUTE = 'authentication'
+    CALLBACK_AUTHENTICATION_ROUTE = 'authentication/callback'
+    LOGOUT_ROUTE = 'authentication/logout';
+    PUBLIC_ROUTES = [
+      "/#{START_AUTHENTICATION_ROUTE}",
+      "/#{CALLBACK_AUTHENTICATION_ROUTE}",
+      "/#{LOGOUT_ROUTE}",
+    ]
+
+    def initialize
+      @authentication_service = ForestLiana::Authentication.new()
+    end
+  
+    def get_callback_url
+        URI.join(ForestLiana.application_url, "/forest/#{CALLBACK_AUTHENTICATION_ROUTE}").to_s
+    rescue => error
+      raise "application_url is not valid or not defined" if error.is_a?(ArgumentError)
+    end
+
+    def get_and_check_rendering_id
+      if !params.has_key?('renderingId')
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:MISSING_RENDERING_ID]
+      end
+
+      rendering_id = params[:renderingId]
+      
+      if !(rendering_id.instance_of?(String) || rendering_id.instance_of?(Numeric)) || (rendering_id.instance_of?(Numeric) && rendering_id.nan?)
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:INVALID_RENDERING_ID]
+      end
+
+      return rendering_id.to_i
+    end
+
+    def start_authentication 
+      begin
+        rendering_id = get_and_check_rendering_id()
+        callback_url = get_callback_url()
+
+        result = @authentication_service.start_authentication(
+          callback_url,
+          { 'renderingId' => rendering_id },
+        )
+
+        redirect_to(result['authorization_url'])
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+          status: :internal_server_error, serializer: nil
+      end
+    end
+
+    def authentication_callback
+      begin
+        callback_url = get_callback_url()
+
+        token = @authentication_service.verify_code_and_generate_token(
+          callback_url,
+          params,
+        )
+    
+        response.set_cookie(
+          'forest_session_token',
+          {
+            value: token,
+            httponly: true,
+            secure: true,
+            expires: ForestLiana::Token.expiration_in_days,
+            samesite: 'none',
+            path: '/'
+          },
+        )
+
+        response_body = {
+          tokenData: JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
+        }
+
+        # The token is sent decoded, because we don't want to share the whole, signed token
+        # that is used to authenticate people
+        # but the token itself contains interesting values, such as its expiration date
+        response_body[:token] = token if !ForestLiana.application_url.start_with?('https://')
+
+        render json: response_body, status: 200
+
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+          status: :internal_server_error, serializer: nil
+      end
+    end
+
+    def logout
+      begin
+        if cookies.has_key?(:forest_session_token)
+          forest_session_token = cookies[:forest_session_token]
+          
+          if forest_session_token
+            response.set_cookie(
+              'forest_session_token',
+              {
+                value: forest_session_token,
+                httponly: true,
+                secure: true,
+                expires: Time.at(0),
+                samesite: 'none',
+                path: '/'
+              },
+            )
+          end
+        end
+
+        render json: {}, status: 204
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+        status: :internal_server_error, serializer: nil
+      end
+    end
+
+  end
+end

data/app/controllers/forest_liana/base_controller.rb

@@ -4,6 +4,10 @@ module ForestLiana
     wrap_parameters false
     before_action :reject_unauthorized_ip
 
+    def route_not_found
+      head :not_found
+    end
+
     private
 
     def reject_unauthorized_ip

data/app/controllers/forest_liana/router.rb

@@ -7,7 +7,7 @@ class ForestLiana::Router
     if resource.nil?
       FOREST_LOGGER.error "Routing error: Resource not found for collection #{collection_name}."
       FOREST_LOGGER.error "If this is a Smart Collection, please ensure your Smart Collection routes are defined before the mounted ForestLiana::Engine?"
-      ForestLiana::ApplicationController.action(:route_not_found).call(env)
+      ForestLiana::BaseController.action(:route_not_found).call(env)
     else
       begin
         component_prefix = ForestLiana.component_prefix(resource)
@@ -40,7 +40,7 @@ class ForestLiana::Router
         controller.action(action.to_sym).call(env)
       rescue NoMethodError => exception
         FOREST_LOGGER.error "Routing error: #{exception}\n#{exception.backtrace.join("\n\t")}"
-        ForestLiana::ApplicationController.action(:route_not_found).call(env)
+        ForestLiana::BaseController.action(:route_not_found).call(env)
       end
     end
   end

data/app/controllers/forest_liana/sessions_controller.rb

@@ -85,7 +85,7 @@ module ForestLiana
         # NOTICE: Set a cookie to ensure secure authentication using export feature.
         # NOTICE: The token is empty at first authentication step if the 2FA option is active.
         if reponse_data[:token]
-          response.set_cookie("forest_session_token", { value: reponse_data[:token], expires: (Time.current + 14.days) })
+          response.set_cookie("forest_session_token", { value: reponse_data[:token], expires: (ForestLiana::Token.expiration_in_days) })
         end
 
         render(json: reponse_data, serializer: nil)

data/app/controllers/forest_liana/stats_controller.rb

@@ -6,11 +6,11 @@ module ForestLiana
       before_action :find_resource, except: [:get_with_live_query]
     end
 
-    CHART_TYPE_VALUE = 'Value';
-    CHART_TYPE_PIE = 'Pie';
-    CHART_TYPE_LINE = 'Line';
-    CHART_TYPE_LEADERBOARD = 'Leaderboard';
-    CHART_TYPE_OBJECTIVE = 'Objective';
+    CHART_TYPE_VALUE = 'Value'
+    CHART_TYPE_PIE = 'Pie'
+    CHART_TYPE_LINE = 'Line'
+    CHART_TYPE_LEADERBOARD = 'Leaderboard'
+    CHART_TYPE_OBJECTIVE = 'Objective'
 
     def get
       case params[:type]

data/app/helpers/forest_liana/adapter_helper.rb

@@ -10,7 +10,7 @@ module ForestLiana
 
     def self.cast_boolean(value)
       if ['MySQL', 'SQLite'].include?(ActiveRecord::Base.connection.adapter_name)
-        value === 'true' ? 1 : 0;
+        value === 'true' ? 1 : 0
       else
         value
       end

data/app/serializers/forest_liana/schema_serializer.rb

@@ -52,7 +52,7 @@ class ForestLiana::SchemaSerializer
           @included << format_child_content('segments', segment_id, segment)
         end
       else
-        collection_serialized[:attributes][attribute.to_sym] = value;
+        collection_serialized[:attributes][attribute.to_sym] = value
       end
     end
 
@@ -75,7 +75,7 @@ class ForestLiana::SchemaSerializer
     }
 
     object.each do |attribute, value|
-      child_serialized[:attributes][attribute.to_sym] = value;
+      child_serialized[:attributes][attribute.to_sym] = value
     end
 
     child_serialized

data/app/services/forest_liana/apimap_sorter.rb

@@ -60,7 +60,7 @@ module ForestLiana
     def perform
       begin
         @apimap = reorder_keys_basic(@apimap)
-        sort_array_of_objects(@apimap['data']);
+        sort_array_of_objects(@apimap['data'])
         @apimap['data'].map! do |collection|
           collection = reorder_keys_child(collection)
           collection['attributes'] = reorder_collection_attributes(collection['attributes'])

data/app/services/forest_liana/authentication.rb

@@ -0,0 +1,59 @@
+module ForestLiana
+  class Authentication
+    def start_authentication(redirect_url, state)
+      client = ForestLiana::OidcClientManager.get_client_for_callback_url(redirect_url)
+
+      authorization_url = client.authorization_uri({
+        scope: 'openid email profile',
+        state: state.to_s,
+      })
+  
+      { 'authorization_url' => authorization_url }
+    end
+
+    def verify_code_and_generate_token(redirect_url, params) 
+      client = ForestLiana::OidcClientManager.get_client_for_callback_url(redirect_url)
+
+      rendering_id = parse_state(params['state'])
+      client.authorization_code = params['code']
+
+      if Rails.env.development? || Rails.env.test?
+        OpenIDConnect.http_config do |config|
+          config.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        end
+      end
+      access_token_instance = client.access_token! 'none'
+
+      user = ForestLiana::AuthorizationGetter.authenticate(
+        rendering_id,
+        true,
+        { :forest_token => access_token_instance.instance_variable_get(:@access_token) },
+        nil,
+      )
+
+      return ForestLiana::Token.create_token(user, rendering_id)
+    end
+
+    private
+    def parse_state(state)
+      unless state
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:INVALID_STATE_MISSING]
+      end
+
+      rendering_id = nil
+
+      begin
+        parsed_state = JSON.parse(state.gsub("'",'"').gsub('=>',':'))
+        rendering_id = parsed_state["renderingId"].to_s
+      rescue
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:INVALID_STATE_FORMAT]
+      end
+
+      if rendering_id.nil?
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:INVALID_STATE_RENDERING_ID]
+      end
+
+      return rendering_id
+    end
+  end
+end

data/app/services/forest_liana/authorization_getter.rb

@@ -1,39 +1,31 @@
 module ForestLiana
   class AuthorizationGetter
-    def initialize(rendering_id, use_google_authentication, auth_data, two_factor_registration)
-      @rendering_id = rendering_id
-      @use_google_authentication = use_google_authentication
-      @auth_data = auth_data
-      @two_factor_registration = two_factor_registration
-
-      @route = "/liana/v2/renderings/#{rendering_id}"
-      @route += use_google_authentication ? "/google-authorization" : "/authorization"
-    end
-
-    def perform
+    def self.authenticate(rendering_id, use_google_authentication, auth_data, two_factor_registration)
       begin
-        if @use_google_authentication
-          headers = { 'forest-token' => @auth_data[:forest_token] }
-        else
-          headers = { 'email' => @auth_data[:email], 'password' => @auth_data[:password] }
+        route = "/liana/v2/renderings/#{rendering_id.to_s}/authorization"
+
+        if !use_google_authentication.nil?
+          headers = { 'forest-token' => auth_data[:forest_token] }
+        elsif !auth_data[:email].nil?
+          headers = { 'email' => auth_data[:email], 'password' => auth_data[:password] }
         end
 
         query_parameters = {}
 
-        if @two_factor_registration
+        unless two_factor_registration.nil?
           query_parameters['two-factor-registration'] = true
         end
 
         response = ForestLiana::ForestApiRequester
-          .get(@route, query: query_parameters, headers: headers)
+          .get(route, query: query_parameters, headers: headers)
 
-        if response.is_a?(Net::HTTPOK)
-          body = JSON.parse(response.body)
+        if response.code.to_i == 200
+          body = JSON.parse(response.body, :symbolize_names => false)
           user = body['data']['attributes']
           user['id'] = body['data']['id']
           user
         else
-          if @use_google_authentication
+          unless use_google_authentication.nil?
             raise "Cannot authorize the user using this google account. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
           else
             raise "Cannot authorize the user using this email/password. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"

data/app/services/forest_liana/forest_api_requester.rb

@@ -5,33 +5,42 @@ module ForestLiana
     def self.get(route, query: nil, headers: {})
       begin
         HTTParty.get("#{forest_api_url}#{route}", {
+          :verify => Rails.env.production?,
           headers: base_headers.merge(headers),
           query: query,
         }).response
       rescue
-        raise 'Cannot reach Forest API, it seems to be down right now.'
+        raise "Cannot reach Forest API at #{forest_api_url}#{route}, it seems to be down right now."
       end
     end
 
     def self.post(route, body: nil, query: nil, headers: {})
       begin
-        HTTParty.post("#{forest_api_url}#{route}", {
+        if route.start_with?('https://')
+          post_route = route
+        else
+          post_route = "#{forest_api_url}#{route}"
+        end
+
+        HTTParty.post(post_route, {
+          :verify => Rails.env.production?,
           headers: base_headers.merge(headers),
           query: query,
           body: body.to_json,
         }).response
       rescue
-        raise 'Cannot reach Forest API, it seems to be down right now.'
+        raise "Cannot reach Forest API at #{post_route}, it seems to be down right now."
       end
     end
 
     private
 
     def self.base_headers
-      {
+      base_headers = {
         'Content-Type' => 'application/json',
-        'forest-secret-key' => ForestLiana.env_secret,
       }
+      base_headers['forest-secret-key'] = ForestLiana.env_secret if !ForestLiana.env_secret.nil?
+      return base_headers
     end
 
     def self.forest_api_url

data/app/services/forest_liana/ip_whitelist_checker.rb

@@ -58,7 +58,7 @@ module ForestLiana
       ip_range_maximum = (IPAddress rule['ip_maximum']).to_i
       ip_value = (IPAddress ip).to_i
 
-      return ip_value >= ip_range_minimum && ip_value <= ip_range_maximum;
+      return ip_value >= ip_range_minimum && ip_value <= ip_range_maximum
     end
 
     def self.is_ip_match_subnet(ip, subnet)

data/app/services/forest_liana/login_handler.rb

@@ -19,12 +19,12 @@ module ForestLiana
     end
 
     def perform
-      user = ForestLiana::AuthorizationGetter.new(
+      user = ForestLiana::AuthorizationGetter.authenticate(
         @rendering_id,
         @use_google_authentication,
         @auth_data,
         @two_factor_registration
-      ).perform
+      )
 
       if user['two_factor_authentication_enabled']
         if !@two_factor_token.nil?
@@ -93,15 +93,7 @@ module ForestLiana
     end
 
     def create_token(user, rendering_id)
-      JWT.encode({
-        id: user['id'],
-        email: user['email'],
-        first_name: user['first_name'],
-        last_name: user['last_name'],
-        team: user['teams'][0],
-        rendering_id: rendering_id,
-        exp: Time.now.to_i + 2.weeks.to_i
-      }, ForestLiana.auth_secret, 'HS256')
+      ForestLiana::Token.create_token(user, rendering_id)
     end
   end
 end

data/app/services/forest_liana/oidc_client_manager.rb

@@ -0,0 +1,34 @@
+require 'openid_connect'
+
+module ForestLiana
+  class OidcClientManager
+    def self.get_client_for_callback_url(callback_url)
+      begin
+        client_data = Rails.cache.read(callback_url) || nil
+        if client_data.nil?
+          configuration = ForestLiana::OidcConfigurationRetriever.retrieve()
+
+          client_credentials = ForestLiana::OidcDynamicClientRegistrator.register({
+            token_endpoint_auth_method: 'none',
+            redirect_uris: [callback_url],
+            registration_endpoint: configuration['registration_endpoint']
+          })
+
+          client_data = { :client_id => client_credentials['client_id'], :issuer => configuration['issuer'] }
+          Rails.cache.write(callback_url, client_data)
+        end
+
+        OpenIDConnect::Client.new(
+          identifier: client_data[:client_id],
+          redirect_uri: callback_url,
+          host: "#{client_data[:issuer].sub(/^https?\:\/\/(www.)?/,'')}",
+          authorization_endpoint: '/oidc/auth',
+          token_endpoint: '/oidc/token',
+        )
+      rescue => error
+        Rails.cache.delete(callback_url)
+        raise error
+      end
+    end
+  end
+end

data/app/services/forest_liana/oidc_configuration_retriever.rb

@@ -0,0 +1,12 @@
+module ForestLiana
+  class OidcConfigurationRetriever
+    def self.retrieve()
+      response = ForestLiana::ForestApiRequester.get('/oidc/.well-known/openid-configuration')
+      if response.is_a?(Net::HTTPOK)
+        return JSON.parse(response.body)
+      else
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:OIDC_CONFIGURATION_RETRIEVAL_FAILED]       
+      end
+    end
+  end
+end

data/app/services/forest_liana/oidc_dynamic_client_registrator.rb

@@ -0,0 +1,67 @@
+require 'json'
+require 'json/jwt'
+
+module ForestLiana
+  class OidcDynamicClientRegistrator
+    def self.is_standard_body_error(response)
+      result = false
+      begin
+        jsonbody
+
+        if (!response['body'].is_a?(Object) || response['body'].is_a?(StringIO)) 
+          jsonbody = JSON.parse(response['body'])
+        else 
+          jsonbody = response['body']
+        end
+
+        result = jsonbody['error'].is_a?(String) && jsonbody['error'].length > 0
+
+        if (result) 
+          response['body'] = jsonbody 
+        end
+      rescue
+        {}
+      end
+
+      return result
+    end
+
+    def self.process_response(response, expected = {})
+      statusCode = expected[:statusCode] || 200
+      body = expected[:body] || true
+
+      if (response.code.to_i != statusCode.to_i)
+        if (is_standard_body_error(response))
+          raise response['body']
+        end
+
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:REGISTRATION_FAILED] + response.body
+      end
+
+      if (body && !response.body)
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:REGISTRATION_FAILED] + response.body
+      end
+
+      return response.body
+    end
+
+    def self.authorization_header_value(token, tokenType = 'Bearer')
+      return "#{tokenType} #{token}"
+    end
+
+    def self.register(metadata)
+      initial_access_token = ForestLiana.env_secret
+
+      response = ForestLiana::ForestApiRequester.post(
+        metadata[:registration_endpoint],
+        body: metadata,
+        headers: initial_access_token ? {
+          Authorization: authorization_header_value(initial_access_token),
+        } : {},
+      )
+
+      responseBody = process_response(response, { :statusCode => 201, :bearer => true })
+      return JSON.parse(responseBody)
+    end
+  end
+end

data/app/services/forest_liana/permissions_checker.rb

@@ -44,7 +44,7 @@ module ForestLiana
       @allowed = @smart_action_permissions['allowed']
       @users = @smart_action_permissions['users']
 
-      return @allowed && (@users.nil?|| @users.include?(@user_id.to_i));
+      return @allowed && (@users.nil?|| @users.include?(@user_id.to_i))
     end
 
     def collection_list_allowed?(scope_permissions)

data/app/services/forest_liana/query_stat_getter.rb

@@ -2,11 +2,11 @@ module ForestLiana
   class QueryStatGetter
     attr_accessor :record
 
-    CHART_TYPE_VALUE = 'Value';
-    CHART_TYPE_PIE = 'Pie';
-    CHART_TYPE_LINE = 'Line';
-    CHART_TYPE_LEADERBOARD = 'Leaderboard';
-    CHART_TYPE_OBJECTIVE = 'Objective';
+    CHART_TYPE_VALUE = 'Value'
+    CHART_TYPE_PIE = 'Pie'
+    CHART_TYPE_LINE = 'Line'
+    CHART_TYPE_LEADERBOARD = 'Leaderboard'
+    CHART_TYPE_OBJECTIVE = 'Objective'
 
     def initialize(params)
       @params = params

data/app/services/forest_liana/token.rb

@@ -0,0 +1,27 @@
+EXPIRATION_IN_SECONDS = 14.days
+
+module ForestLiana
+  class Token
+    REGEX_COOKIE_SESSION_TOKEN = /forest_session_token=([^;]*)/;
+
+    def self.expiration_in_days
+      Time.current + EXPIRATION_IN_SECONDS
+    end
+
+    def self.expiration_in_seconds
+      return Time.now.to_i + EXPIRATION_IN_SECONDS
+    end
+
+    def self.create_token(user, rendering_id)
+      return JWT.encode({
+        id: user['id'],
+        email: user['email'],
+        first_name: user['first_name'],
+        last_name: user['last_name'],
+        team: user['teams'][0],
+        rendering_id: rendering_id,
+        exp: expiration_in_seconds()
+      }, ForestLiana.auth_secret, 'HS256')
+    end
+  end
+end

data/config/initializers/error-messages.rb

@@ -0,0 +1,20 @@
+module ForestLiana
+  MESSAGES = {
+    CONFIGURATION: {
+      AUTH_SECRET_MISSING: "Your Forest authSecret seems to be missing. Can you check that you properly set a Forest authSecret in the Forest initializer?",
+    },
+    SERVER_TRANSACTION: {
+      SECRET_AND_RENDERINGID_INCONSISTENT: "Cannot retrieve the project you're trying to unlock. The envSecret and renderingId seems to be missing or inconsistent.",
+      SERVER_DOWN: "Cannot retrieve the data from the Forest server. Forest API seems to be down right now.",
+      SECRET_NOT_FOUND: "Cannot retrieve the data from the Forest server. Can you check that you properly copied the Forest envSecret in the Liana initializer?",
+      UNEXPECTED: "Cannot retrieve the data from the Forest server. An error occured in Forest API.",
+      INVALID_STATE_MISSING: "Invalid response from the authentication server: the state parameter is missing",
+      INVALID_STATE_FORMAT: "Invalid response from the authentication server: the state parameter is not at the right format",
+      INVALID_STATE_RENDERING_ID: "Invalid response from the authentication server: the state does not contain a renderingId",
+      MISSING_RENDERING_ID: "Authentication request must contain a renderingId",
+      INVALID_RENDERING_ID: "The parameter renderingId is not valid",
+      REGISTRATION_FAILED: "The registration to the authentication API failed, response: ",
+      OIDC_CONFIGURATION_RETRIEVAL_FAILED: "Failed to retrieve the provider's configuration.",
+    }
+  }
+end

data/config/routes.rb

@@ -4,6 +4,11 @@ ForestLiana::Engine.routes.draw do
   # Onboarding
   get '/' => 'apimaps#index'
 
+  # Authentication
+  post 'authentication' => 'authentication#start_authentication'
+  get 'authentication/callback' => 'authentication#authentication_callback'
+  post 'authentication/logout' => 'authentication#logout'
+
   # Session
   post 'sessions' => 'sessions#create_with_password'
   post 'sessions-google' => 'sessions#create_with_google'

data/lib/forest_liana.rb

@@ -16,6 +16,7 @@ module ForestLiana
 
   mattr_accessor :env_secret
   mattr_accessor :auth_secret
+  mattr_accessor :application_url
   mattr_accessor :integrations
   mattr_accessor :apimap
   mattr_accessor :allowed_users

data/lib/forest_liana/bootstrapper.rb

@@ -621,7 +621,7 @@ module ForestLiana
     end
 
     def forest_url
-      ENV['FOREST_URL'] || 'https://api.forestadmin.com';
+      ENV['FOREST_URL'] || 'https://api.forestadmin.com'
     end
 
     def database_type

data/lib/forest_liana/collection.rb

@@ -148,7 +148,7 @@ module ForestLiana::Collection
       # TODO: Remove once lianas prior to 2.0.0 are not supported anymore.
       model = ForestLiana.models.find { |collection| collection.try(:table_name) == collection_name.to_s }
       if model
-        collection_name_new = ForestLiana.name_for(model);
+        collection_name_new = ForestLiana.name_for(model)
         FOREST_LOGGER.warn "DEPRECATION WARNING: Collection names are now based on the models " \
           "names. Please rename the collection '#{collection_name.to_s}' of your Forest " \
           "customisation in '#{collection_name_new}'."
@@ -158,7 +158,7 @@ module ForestLiana::Collection
       # TODO: Remove once lianas prior to 2.0.0 are not supported anymore.
       model = ForestLiana.names_old_overriden.invert[collection_name.to_s]
       if model
-        collection_name_new = ForestLiana.name_for(model);
+        collection_name_new = ForestLiana.name_for(model)
         FOREST_LOGGER.warn "DEPRECATION WARNING: Collection names are now based on the models " \
           "names. Please rename the collection '#{collection_name.to_s}' of your Forest " \
           "customisation in '#{collection_name_new}'."

data/lib/forest_liana/engine.rb

@@ -16,8 +16,17 @@ module ForestLiana
       begin
         rack_cors_class = Rack::Cors
         rack_cors_class = 'Rack::Cors' if Rails::VERSION::MAJOR < 5
+        null_regex = Regexp.new(/\Anull\z/)
 
         config.middleware.insert_before 0, rack_cors_class do
+          allow do
+            hostnames = [null_regex, 'localhost:4200', /\A.*\.forestadmin\.com\z/]
+            hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']
+
+            origins hostnames
+            resource ForestLiana::AuthenticationController::PUBLIC_ROUTES[1], headers: :any, methods: :any, credentials: true, max_age: 86400 # NOTICE: 1 day
+          end
+
           allow do
             hostnames = ['localhost:4200', /\A.*\.forestadmin\.com\z/]
             hostnames += ENV['CORS_ORIGINS'].split(',') if ENV['CORS_ORIGINS']

data/lib/forest_liana/json_printer.rb

@@ -20,7 +20,7 @@ module ForestLiana
             result << ", "
           end
 
-          result << pretty_print(item, is_primary_value ? "#{indentation}  " : indentation);
+          result << pretty_print(item, is_primary_value ? "#{indentation}  " : indentation)
         end
 
         result << "\n#{indentation}" if is_primary_value && !is_small

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "6.0.0-beta.1"
+  VERSION = "6.0.0-beta.2"
 end

data/spec/dummy/config/initializers/forest_liana.rb

@@ -1,2 +1,3 @@
 ForestLiana.env_secret = 'env_secret_test'
 ForestLiana.auth_secret = 'auth_secret_test'
+ForestLiana.application_url = 'http://localhost:3000'

data/spec/requests/authentications_spec.rb

@@ -0,0 +1,107 @@
+require 'rails_helper'
+require 'openid_connect'
+require 'json'
+
+describe "Authentications", type: :request do
+  before do
+    allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
+    allow(ForestLiana::OidcConfigurationRetriever).to receive(:retrieve) {
+      JSON.parse('{
+          "registration_endpoint": "https://api.forestadmin.com/oidc/registration",
+          "issuer": "api.forestadmin.com"
+        }', :symbolize_names => false)
+    }
+    allow(ForestLiana::ForestApiRequester).to receive(:post) {
+      instance_double(HTTParty::Response, body: '{ "client_id": "random_id" }', code: 201)
+    }
+    allow_any_instance_of(OpenIDConnect::Client).to receive(:access_token!) {
+      OpenIDConnect::AccessToken.new(access_token: 'THE-ACCESS-TOKEN', client: instance_double(OpenIDConnect::Client))
+    }
+  end
+
+  after do
+    Rails.cache.delete(URI.join(ForestLiana.application_url, ForestLiana::Engine.routes.url_helpers.authentication_callback_path).to_s)
+  end
+
+  headers = {
+    'Accept' => 'application/json',
+    'Content-Type' => 'application/json',
+  }
+
+  describe "POST /authentication" do
+    before() do 
+      post ForestLiana::Engine.routes.url_helpers.authentication_path, { :renderingId => 42 }, :headers => headers
+    end
+
+    it "should respond with a 302 code" do
+      expect(response).to have_http_status(302)
+    end
+
+    it "should return a valid authentication url" do
+      expect(response.headers['Location']).to eq('https://api.forestadmin.com/oidc/auth?client_id=random_id&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fforest%2Fauthentication%2Fcallback&response_type=code&scope=openid%20email%20profile&state=%7B%22renderingId%22%3D%3E42%7D')
+    end
+  end
+
+  describe "GET /authentication/callback" do
+    before() do 
+      response = '{"data":{"id":666,"attributes":{"first_name":"Alice","last_name":"Doe","email":"alice@forestadmin.com","teams":[1,2,3]}}}'
+      allow(ForestLiana::ForestApiRequester).to receive(:get).with(
+        "/liana/v2/renderings/42/authorization", { :headers => { "forest-token" => "THE-ACCESS-TOKEN" }, :query=> {} }
+      ).and_return(
+        instance_double(HTTParty::Response, :body => response, :code => 200)
+      )
+
+      get ForestLiana::Engine.routes.url_helpers.authentication_callback_path + "?code=THE-CODE&state=#{URI.escape('{"renderingId":42}', Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))}"
+    end
+
+    it "should respond with a 200 code" do
+      expect(response).to have_http_status(200)
+    end
+
+    it "should return a valid authentication token" do
+      session_cookie = response.headers['set-cookie']
+      expect(session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=[^;]+; secure; HttpOnly$/)
+
+      token = session_cookie.match(/^forest_session_token=([^;]+);/)[1]
+      decoded = JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
+
+      expected_token_data = {
+        "id" => 666,
+        "email" => 'alice@forestadmin.com',
+        "rendering_id" => "42",
+        "first_name" => 'Alice',
+        "last_name" => 'Doe',
+        "team" => 1,
+      }
+
+      expect(decoded).to include(expected_token_data)
+      expect(JSON.parse(response.body, :symbolize_names => true)).to eq({ token: token, tokenData: decoded.deep_symbolize_keys! })
+      expect(response).to have_http_status(200)
+    end
+  end
+
+  describe "POST /authentication/logout" do
+    before() do 
+      cookies['forest_session_token'] = {
+        value: 'eyJhbGciOiJIUzI1NiJ9.eyJpZCI6NjY2LCJlbWFpbCI6ImFsaWNlQGZvcmVzdGFkbWluLmNvbSIsImZpcnN0X25hbWUiOiJBbGljZSIsImxhc3RfbmFtZSI6IkRvZSIsInRlYW0iOjEsInJlbmRlcmluZ19pZCI6IjQyIiwiZXhwIjoxNjA4MDQ5MTI2fQ.5xaMxjUjE3wKldBsj3wW0BP9GHnnMqQi2Kpde8cIHEw',
+        path: '/',
+        expires: Time.now.to_i + 14.days,
+        secure: true,
+        httponly: true
+      }
+      post ForestLiana::Engine.routes.url_helpers.authentication_logout_path, { :renderingId => 42 }, :headers => headers
+      cookies.delete('forest_session_token')
+    end
+
+    it "should respond with a 204 code" do
+      expect(response).to have_http_status(204)
+    end
+
+    it "should invalidate token from browser" do
+      invalidated_session_cookie = response.headers['set-cookie']
+      expect(invalidated_session_cookie).to match(/^forest_session_token=[^;]+; path=\/; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure; HttpOnly$/)
+    end
+  end
+end

data/spec/requests/sessions_spec.rb

@@ -0,0 +1,55 @@
+require 'rails_helper'
+require 'openid_connect'
+require 'json'
+
+RSpec.describe "Authentications", type: :request do
+  before() do
+    allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
+    allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
+
+    body = '{"data":{"id":"654","type":"users","attributes":{"email":"user@email.com","first_name":"FirstName","last_name":"LastName","teams":["Operations"]}},"relationships":{"renderings":{"data":[{"id":1,"type":"renderings"}]}}}'
+    allow(ForestLiana::ForestApiRequester).to receive(:get).with(
+      "/liana/v2/renderings/42/authorization", { :headers => { "forest-token" => "google-access-token" }, :query=> {} }
+    ).and_return(
+      instance_double(HTTParty::Response, :body => body, :code => 200)
+    )
+  end
+
+  after() do
+    Rails.cache.delete(URI.join(ForestLiana.application_url, ForestLiana::Engine.routes.url_helpers.authentication_callback_path).to_s)
+  end
+
+  headers = {
+    'Accept' => 'application/json',
+    'Content-Type' => 'application/json',
+  }
+
+  describe "POST /forest/sessions-google" do
+    before() do 
+      post ForestLiana::Engine.routes.url_helpers.sessions_google_path, { :renderingId => 42, :forestToken => "google-access-token" }, :headers => headers
+    end
+
+    it "should respond with a 200 code" do
+      expect(response).to have_http_status(200)
+    end
+
+    it "should return a valid authentication token" do
+      response_body = JSON.parse(response.body, :symbolize_names => true)
+      expect(response_body).to have_key(:token)
+
+      token = response_body[:token]
+      decoded = JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
+
+      expected_token_data = {
+        "id" => '654',
+        "email" => 'user@email.com',
+        "first_name" => 'FirstName',
+        "last_name" => 'LastName',
+        "rendering_id" => "42",
+        "team" => 'Operations'
+      }
+      expect(decoded).to include(expected_token_data);
+    end
+  end
+end

data/spec/services/forest_liana/schema_adapter_spec.rb

@@ -9,7 +9,7 @@ module ForestLiana
 
           expect(collection.fields.map { |field| field[:field] }).to eq(
             ["id", "name", "created_at", "updated_at", "trees"]
-          );
+          )
         end
       end
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: forest_liana
 version: !ruby/object:Gem::Version
-  version: 6.0.0.pre.beta.1
+  version: 6.0.0.pre.beta.2
 platform: ruby
 authors:
 - Sandro Munda
@@ -178,6 +178,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Forest is a modern admin interface that works on all major web frameworks.
   forest_liana is the gem that makes Forest admin work on any Rails application (Rails
   >= 4.0).
@@ -197,6 +239,7 @@ files:
 - app/controllers/forest_liana/apimaps_controller.rb
 - app/controllers/forest_liana/application_controller.rb
 - app/controllers/forest_liana/associations_controller.rb
+- app/controllers/forest_liana/authentication_controller.rb
 - app/controllers/forest_liana/base_controller.rb
 - app/controllers/forest_liana/devise_controller.rb
 - app/controllers/forest_liana/intercom_controller.rb
@@ -230,6 +273,7 @@ files:
 - app/serializers/forest_liana/stripe_payment_serializer.rb
 - app/serializers/forest_liana/stripe_subscription_serializer.rb
 - app/services/forest_liana/apimap_sorter.rb
+- app/services/forest_liana/authentication.rb
 - app/services/forest_liana/authorization_getter.rb
 - app/services/forest_liana/base_getter.rb
 - app/services/forest_liana/belongs_to_updater.rb
@@ -251,6 +295,9 @@ files:
 - app/services/forest_liana/login_handler.rb
 - app/services/forest_liana/mixpanel_last_events_getter.rb
 - app/services/forest_liana/objective_stat_getter.rb
+- app/services/forest_liana/oidc_client_manager.rb
+- app/services/forest_liana/oidc_configuration_retriever.rb
+- app/services/forest_liana/oidc_dynamic_client_registrator.rb
 - app/services/forest_liana/operator_date_interval_parser.rb
 - app/services/forest_liana/permissions_checker.rb
 - app/services/forest_liana/permissions_getter.rb
@@ -275,11 +322,13 @@ files:
 - app/services/forest_liana/stripe_sources_getter.rb
 - app/services/forest_liana/stripe_subscription_getter.rb
 - app/services/forest_liana/stripe_subscriptions_getter.rb
+- app/services/forest_liana/token.rb
 - app/services/forest_liana/two_factor_registration_confirmer.rb
 - app/services/forest_liana/user_secret_creator.rb
 - app/services/forest_liana/value_stat_getter.rb
 - app/views/layouts/forest_liana/application.html.erb
 - config/initializers/arel-helpers.rb
+- config/initializers/error-messages.rb
 - config/initializers/errors.rb
 - config/initializers/logger.rb
 - config/initializers/time_formats.rb
@@ -339,7 +388,9 @@ files:
 - spec/helpers/forest_liana/query_helper_spec.rb
 - spec/helpers/forest_liana/schema_helper_spec.rb
 - spec/rails_helper.rb
+- spec/requests/authentications_spec.rb
 - spec/requests/resources_spec.rb
+- spec/requests/sessions_spec.rb
 - spec/services/forest_liana/apimap_sorter_spec.rb
 - spec/services/forest_liana/filters_parser_spec.rb
 - spec/services/forest_liana/ip_whitelist_checker_spec.rb
@@ -556,6 +607,8 @@ test_files:
 - spec/services/forest_liana/apimap_sorter_spec.rb
 - spec/services/forest_liana/filters_parser_spec.rb
 - spec/spec_helper.rb
+- spec/requests/sessions_spec.rb
+- spec/requests/authentications_spec.rb
 - spec/requests/resources_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/app/views/layouts/application.html.erb