forest_liana 6.0.0.pre.beta.3 → 6.0.3

data/app/controllers/forest_liana/sessions_controller.rb

@@ -1,95 +0,0 @@
-module ForestLiana
-  class SessionsController < ForestLiana::BaseController
-    def create_with_password
-      @error_message = nil
-      rendering_id = params['renderingId']
-      project_id = params['projectId']
-      email = params['email']
-      password = params['password']
-      two_factor_token = params['token']
-      two_factor_registration = params['twoFactorRegistration']
-
-      process_login(
-        use_google_authentication: false,
-        rendering_id: rendering_id,
-        project_id: project_id,
-        auth_data: { email: email, password: password },
-        two_factor_registration: two_factor_registration,
-        two_factor_token: two_factor_token,
-      )
-    end
-
-    def create_with_google
-      @error_message = nil
-
-      forest_token = params['forestToken']
-      rendering_id = params['renderingId']
-      project_id = params['projectId']
-      two_factor_token = params['token']
-      two_factor_registration = params['twoFactorRegistration']
-
-      process_login(
-        use_google_authentication: true,
-        rendering_id: rendering_id,
-        project_id: project_id,
-        auth_data: { forest_token: forest_token },
-        two_factor_registration: two_factor_registration,
-        two_factor_token: two_factor_token,
-      )
-    end
-
-    private
-
-    def process_login(
-      use_google_authentication:,
-      rendering_id:,
-      project_id:,
-      auth_data:,
-      two_factor_registration:,
-      two_factor_token:
-    )
-      begin
-        if two_factor_registration && two_factor_token.nil?
-          raise ForestLiana::Errors::HTTP401Error
-        end
-
-        # NOTICE: The IP Whitelist is retrieved on any request if it was not retrieved yet, or when
-        #         an IP is rejected, to ensure the IP is still rejected (meaning the configuration
-        #         on the projects has not changed). To handle the last case, which is rejecting an
-        #         IP which was not initaliy rejected, we need periodically refresh the whitelist.
-        #         This is done here on the login of any user.
-        ForestLiana::IpWhitelist.retrieve
-
-        reponse_data = ForestLiana::LoginHandler.new(
-          rendering_id,
-          auth_data,
-          use_google_authentication,
-          two_factor_registration,
-          project_id,
-          two_factor_token
-        ).perform
-
-      rescue ForestLiana::Errors::ExpectedError => error
-        error.display_error
-        error_data = JSONAPI::Serializer.serialize_errors([{
-          status: error.error_code,
-          detail: error.message
-        }])
-        render(serializer: nil, json: error_data, status: error.status)
-      rescue StandardError => error
-        FOREST_LOGGER.error error
-        FOREST_LOGGER.error error.backtrace.join("\n")
-
-        render(serializer: nil, json: nil, status: :internal_server_error)
-      else
-        # NOTICE: Set a cookie to ensure secure authentication using export feature.
-        # NOTICE: The token is empty at first authentication step if the 2FA option is active.
-        if reponse_data[:token]
-          response.set_cookie("forest_session_token", { value: reponse_data[:token], expires: (ForestLiana::Token.expiration_in_days) })
-        end
-
-        render(json: reponse_data, serializer: nil)
-      end
-    end
-  end
-end

data/app/serializers/forest_liana/session_serializer.rb

@@ -1,33 +0,0 @@
-module ForestLiana
-  class SessionSerializer
-    include JSONAPI::Serializer
-
-    attribute :first_name
-    attribute :last_name
-    attribute :email
-
-    def type
-      'users'
-    end
-
-    def format_name(attribute_name)
-      attribute_name.to_s
-    end
-
-    def unformat_name(attribute_name)
-      attribute_name.to_s.underscore
-    end
-
-    def self_link
-      nil
-    end
-
-    def relationship_self_link(attribute_name)
-      nil
-    end
-
-    def relationship_related_link(attribute_name)
-      nil
-    end
-  end
-end

data/app/services/forest_liana/login_handler.rb

@@ -1,99 +0,0 @@
-require 'rotp'
-
-module ForestLiana
-  class LoginHandler
-    def initialize(
-      rendering_id,
-      auth_data,
-      use_google_authentication,
-      two_factor_registration,
-      project_id,
-      two_factor_token
-    )
-      @rendering_id = rendering_id
-      @auth_data = auth_data
-      @use_google_authentication = use_google_authentication
-      @two_factor_registration = two_factor_registration
-      @project_id = project_id
-      @two_factor_token = two_factor_token
-    end
-
-    def perform
-      user = ForestLiana::AuthorizationGetter.authenticate(
-        @rendering_id,
-        @use_google_authentication,
-        @auth_data,
-        @two_factor_registration
-      )
-
-      if user['two_factor_authentication_enabled']
-        if !@two_factor_token.nil?
-          if is_two_factor_token_valid(user, @two_factor_token)
-            ForestLiana::TwoFactorRegistrationConfirmer
-              .new(@project_id, @use_google_authentication, @auth_data)
-              .perform
-
-            return { 'token' => create_token(user, @rendering_id) }
-          else
-            raise ForestLiana::Errors::HTTP401Error.new('Your token is invalid, please try again.')
-          end
-        else
-          return get_two_factor_response(user)
-        end
-      end
-
-      return { token: create_token(user, @rendering_id) }
-    end
-
-    private
-
-    def check_two_factor_secret_salt
-      if ENV['FOREST_2FA_SECRET_SALT'].nil?
-        FOREST_LOGGER.error 'Cannot use the two factor authentication because the environment variable "FOREST_2FA_SECRET_SALT" is not set.'
-        FOREST_LOGGER.error 'You can generate it using this command: `$ openssl rand -hex 10`'
-
-        raise Errors::HTTP401Error.new('Invalid 2FA configuration, please ask more information to your admin')
-      end
-
-      if ENV['FOREST_2FA_SECRET_SALT'].length != 20
-        FOREST_LOGGER.error 'The FOREST_2FA_SECRET_SALT environment variable must be 20 characters long.'
-        FOREST_LOGGER.error 'You can generate it using this command: `$ openssl rand -hex 10`'
-
-        raise ForestLiana::Errors::HTTP401Error.new('Invalid 2FA configuration, please ask more information to your admin')
-      end
-    end
-
-    def get_two_factor_response(user)
-      check_two_factor_secret_salt
-
-      return { 'twoFactorAuthenticationEnabled' => true } if user['two_factor_authentication_active']
-
-      two_factor_authentication_secret = user['two_factor_authentication_secret']
-      user_secret = ForestLiana::UserSecretCreator
-        .new(two_factor_authentication_secret, ENV['FOREST_2FA_SECRET_SALT'])
-        .perform
-
-      {
-        twoFactorAuthenticationEnabled: true,
-        userSecret: user_secret,
-      }
-    end
-
-    def is_two_factor_token_valid(user, two_factor_token)
-      check_two_factor_secret_salt
-
-      two_factor_authentication_secret = user['two_factor_authentication_secret']
-
-      user_secret = ForestLiana::UserSecretCreator
-        .new(two_factor_authentication_secret, ENV['FOREST_2FA_SECRET_SALT'])
-        .perform
-
-      totp = ROTP::TOTP.new(user_secret)
-      totp.verify(two_factor_token)
-    end
-
-    def create_token(user, rendering_id)
-      ForestLiana::Token.create_token(user, rendering_id)
-    end
-  end
-end

data/app/services/forest_liana/two_factor_registration_confirmer.rb

@@ -1,36 +0,0 @@
-module ForestLiana
-  class TwoFactorRegistrationConfirmer
-    def initialize(
-      project_id,
-      use_google_authentication,
-      auth_data
-    )
-      @project_id = project_id
-      @use_google_authentication = use_google_authentication
-      @auth_data = auth_data
-    end
-
-    def perform
-      begin
-        body_data = { 'useGoogleAuthentication' => @use_google_authentication }
-
-        if @use_google_authentication
-          body_data['forestToken'] = @auth_data[:forest_token]
-        else
-          body_data['email'] = @auth_data[:email]
-        end
-
-        response = ForestLiana::ForestApiRequester.post(
-          "/liana/v2/projects/#{@project_id}/two-factor-registration-confirm",
-          body: body_data,
-        )
-
-        unless response.is_a?(Net::HTTPOK)
-          raise "Cannot retrieve the data from the Forest server. Forest API returned an #{ForestLiana::Errors::HTTPErrorHelper.format(response)}"
-        end
-      rescue
-        raise ForestLiana::Errors::HTTP401Error
-      end
-    end
-  end
-end

data/app/services/forest_liana/user_secret_creator.rb

@@ -1,26 +0,0 @@
-require 'base32'
-
-module ForestLiana
-  # NOTICE: This service combines the 2FA secret stored on the forest server to the local secret
-  #         salt. This guarantees that only the owner of the server and the concerned end user can
-  #         know the final key.
-  #         This is done by using a bitwise exclusive or operation, which guarantees the key to stay
-  #         unique, so it is impossible for two users to have the same key.
-  class UserSecretCreator
-    def initialize(two_factor_authentication_secret, two_factor_secret_salt)
-      @two_factor_authentication_secret = two_factor_authentication_secret
-      @two_factor_secret_salt = two_factor_secret_salt
-    end
-
-    def perform
-      hash = (@two_factor_authentication_secret.to_i(16) ^ @two_factor_secret_salt.to_i(16)).to_s(16)
-      bin_hash = hex_to_bin(hash)
-
-      Base32.encode(bin_hash).tr('=', '')
-    end
-
-    def hex_to_bin(hex_string)
-      hex_string.scan(/../).map { |x| x.hex.chr }.join
-    end
-  end
-end

data/spec/requests/sessions_spec.rb

@@ -1,53 +0,0 @@
-require 'rails_helper'
-require 'openid_connect'
-require 'json'
-
-RSpec.describe "Authentications", type: :request do
-  before() do
-    allow(ForestLiana::IpWhitelist).to receive(:retrieve) { true }
-    allow(ForestLiana::IpWhitelist).to receive(:is_ip_whitelist_retrieved) { true }
-    allow(ForestLiana::IpWhitelist).to receive(:is_ip_valid) { true }
-
-    body = '{"data":{"id":"654","type":"users","attributes":{"email":"user@email.com","first_name":"FirstName","last_name":"LastName","teams":["Operations"]}},"relationships":{"renderings":{"data":[{"id":1,"type":"renderings"}]}}}'
-    allow(ForestLiana::ForestApiRequester).to receive(:get).with(
-      "/liana/v2/renderings/42/authorization", { :headers => { "forest-token" => "google-access-token" }, :query=> {} }
-    ).and_return(
-      instance_double(HTTParty::Response, :body => body, :code => 200)
-    )
-  end
-
-  after() do
-    Rails.cache.delete(URI.join(ForestLiana.application_url, ForestLiana::Engine.routes.url_helpers.authentication_callback_path).to_s)
-  end
-
-  describe "POST /forest/sessions-google" do
-    before() do 
-      post ForestLiana::Engine.routes.url_helpers.sessions_google_path, params: '{ "renderingId": "42", "forestToken": "google-access-token" }', headers: {
-      'Accept' => 'application/json',
-      'Content-Type' => 'application/json',
-    }
-    end
-
-    it "should respond with a 200 code" do
-      expect(response).to have_http_status(200)
-    end
-
-    it "should return a valid authentication token" do
-      response_body = JSON.parse(response.body, :symbolize_names => true)
-      expect(response_body).to have_key(:token)
-
-      token = response_body[:token]
-      decoded = JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
-
-      expected_token_data = {
-        "id" => '654',
-        "email" => 'user@email.com',
-        "first_name" => 'FirstName',
-        "last_name" => 'LastName',
-        "rendering_id" => "42",
-        "team" => 'Operations'
-      }
-      expect(decoded).to include(expected_token_data);
-    end
-  end
-end