forest_liana 2.11.13 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4e1e2f7e68df52d6adccbb4381d18c7363159ad2
-  data.tar.gz: c1a3afce3057dc8f6c2770bf585b000f031089e4
+  metadata.gz: df754c6c7de93be5e155ea18ca2a236e737ff9ed
+  data.tar.gz: fb4fb5714e04982a5db0e474491c153cbbf28b47
 SHA512:
-  metadata.gz: c449b27faa19a9eabd32f0fc2317cb63292a075d9d8d99d1176362fada86ab22d0b035df2e4cdf36f3bb660e506a29f41c01f39943777ca6e420c42a2d350b26
-  data.tar.gz: b6bfc2f00d21e33bc4e6d4b9b15c877593f0897af572c46c72973492015ab6ac12cf5e4f6fb5717e41efda041e1b8fcdf7222919dea7a59d64cd988f122d422d
+  metadata.gz: 9b9dd0d21d2a2001d980b6aee0d8f519731a331d559d58e394e5d8723033a5e17c1327da5ba8e1db83352189d3b4917c8d85abbe46b2ae5f54e8d23a140f34eb
+  data.tar.gz: 9f10c5cca47362935d125593bb107eeea8d0119bf46ac275d3d096a134f8410ca7fca16e08ea01962ab7b9f9b6059f9f0c465e19e2f7c5e91e23ca1da72f48c9

data/app/controllers/forest_liana/sessions_controller.rb

@@ -2,107 +2,82 @@ module ForestLiana
   class SessionsController < ForestLiana::BaseController
     def create_with_password
       @error_message = nil
-      @user_class = ForestLiana.user_class_name.constantize rescue nil
-
-      user = check_user
-      token = encode_token(user) if user
+      rendering_id = params['renderingId']
+      project_id = params['projectId']
+      email = params['email']
+      password = params['password']
+      two_factor_token = params['token']
+      two_factor_registration = params['twoFactorRegistration']
 
-      if token
-        render json: { token: token }, serializer: nil
-      else
-        if @error_message
-          render serializer: nil, json: JSONAPI::Serializer.serialize_errors(
-            [{ detail: @error_message }]), status: :unauthorized
-        elsif !has_internal_authentication? && ForestLiana.allowed_users.empty?
-          render serializer: nil, json: JSONAPI::Serializer.serialize_errors(
-            [{ detail: 'Forest cannot retrieve any users for the project ' \
-              'you\'re trying to unlock.' }]), status: :unauthorized
-        else
-          head :unauthorized
-        end
-      end
+      process_login(
+        use_google_authentication: false,
+        rendering_id: rendering_id,
+        project_id: project_id,
+        auth_data: { email: email, password: password },
+        two_factor_registration: two_factor_registration,
+        two_factor_token: two_factor_token,
+      )
     end
 
     def create_with_google
       @error_message = nil
 
-      rendering_id = params['renderingId']
       forest_token = params['forestToken']
+      rendering_id = params['renderingId']
+      project_id = params['projectId']
+      two_factor_token = params['token']
+      two_factor_registration = params['twoFactorRegistration']
 
-      user = GoogleAuthorizedUserGetter.new(rendering_id, forest_token).perform()
-      token = encode_token(user) if user
-
-      if token
-        render json: { token: token }, serializer: nil
-      else
-        if @error_message
-          render serializer: nil, json: JSONAPI::Serializer.serialize_errors(
-            [{ detail: @error_message }]), status: :unauthorized
-        else
-          head :unauthorized
-        end
-      end
+      process_login(
+        use_google_authentication: true,
+        rendering_id: rendering_id,
+        project_id: project_id,
+        auth_data: { forest_token: forest_token },
+        two_factor_registration: two_factor_registration,
+        two_factor_token: two_factor_token,
+      )
     end
 
     private
 
-    def check_user
-      if has_internal_authentication?
-        # NOTICE: Use the ForestUser table for authentication.
-        user = @user_class.find_by(email: params['email'])
-        user if !user.blank? && authenticate_internal_user(user['password_digest'])
-      else
-        # NOTICE: Query Forest server for authentication.
-        fetch_allowed_users
-
-        ForestLiana.allowed_users.find do |allowed_user|
-          allowed_user['email'] == params['email'] &&
-            BCrypt::Password.new(allowed_user['password']) == params['password']
+    def process_login(
+      use_google_authentication:,
+      rendering_id:,
+      project_id:,
+      auth_data:,
+      two_factor_registration:,
+      two_factor_token:
+    )
+      begin
+        if two_factor_registration && two_factor_token.nil?
+          raise Errors::HTTP401Error
         end
-      end
-    end
 
-    def fetch_allowed_users
-      AllowedUsersGetter.new(params['renderingId']).perform()
-    end
+        # TODO: Add ip whitelist retrieving when it exists.
 
-    def has_internal_authentication?
-      @user_class && defined? @user_class
-    end
+        reponse_data = LoginHandler.new(
+          rendering_id,
+          auth_data,
+          use_google_authentication,
+          two_factor_registration,
+          project_id,
+          two_factor_token
+        ).perform
 
-    def authenticate_internal_user(password_digest)
-      BCrypt::Password.new(password_digest).is_password?(params['password'])
-    end
+      rescue ForestLiana::Errors::ExpectedError => error
+        error.display_error
+        error_data = JSONAPI::Serializer.serialize_errors([{
+          status: error.error_code,
+          detail: error.message
+        }])
+        render(serializer: nil, json: error_data, status: error.status)
+      rescue StandardError => error
+        FOREST_LOGGER.error error
+        FOREST_LOGGER.error error.backtrace.join("\n")
 
-    def encode_token(user)
-      if ForestLiana.auth_secret.nil?
-        @error_message = "Your Forest auth key seems to be missing. Can " \
-          "you check that you properly set a Forest auth key in the " \
-          "forest_liana initializer?"
-        FOREST_LOGGER.error @error_message
-        nil
+        render(serializer: nil, json: nil, status: :internal_server_error)
       else
-        JWT.encode({
-          exp: Time.now.to_i + 2.weeks.to_i,
-          data: {
-            id: user['id'],
-            type: 'users',
-            data: {
-              email: user['email'],
-              first_name: user['first_name'],
-              last_name: user['last_name'],
-              teams: user['teams']
-            },
-            relationships: {
-              renderings: {
-                data: [{
-                  type: 'renderings',
-                  id: params['renderingId']
-                }]
-              }
-            }
-          }
-        }, ForestLiana.auth_secret, 'HS256')
+        render(json: reponse_data, serializer: nil)
       end
     end
   end

data/app/services/forest_liana/authorization_getter.rb

@@ -0,0 +1,46 @@
+module ForestLiana
+  class AuthorizationGetter
+    def initialize(rendering_id, use_google_authentication, auth_data, two_factor_registration)
+      @rendering_id = rendering_id
+      @use_google_authentication = use_google_authentication
+      @auth_data = auth_data
+      @two_factor_registration = two_factor_registration
+
+      @route = "/liana/v2/renderings/#{rendering_id}"
+      @route += use_google_authentication ? "/google-authorization" : "/authorization"
+    end
+
+    def perform
+      begin
+        if @use_google_authentication
+          headers = { 'forest-token': @auth_data[:forest_token] }
+        else
+          headers = { email: @auth_data[:email], password: @auth_data[:password] }
+        end
+
+        query_parameters = { 'renderingId' => @rendering_id }
+
+        if @two_factor_registration
+          query_parameters['two-factor-registration'] = true
+        end
+
+        response = ForestApiRequester.get(@route, query: query_parameters, headers: headers)
+
+        if response.is_a?(Net::HTTPOK)
+          body = JSON.parse(response.body)
+          user = body['data']['attributes']
+          user['id'] = body['data']['id']
+          user
+        else
+          if @use_google_authentication
+            raise "Cannot authorize the user using this google account. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
+          else
+            raise "Cannot authorize the user using this email/password. Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
+          end
+        end
+      rescue
+        raise Errors::HTTP401Error
+      end
+    end
+  end
+end

data/app/services/forest_liana/forest_api_requester.rb

@@ -1,33 +1,41 @@
+require 'httparty'
+
 module ForestLiana
   class ForestApiRequester
-    def perform_request(query_parameters = nil)
-      http = Net::HTTP.new(@uri.host, @uri.port)
-      http.use_ssl = true if forest_api_url.start_with?('https')
-
-      http.start do |client|
-        path = get_path(query_parameters)
-        request = Net::HTTP::Get.new(path)
-        request['Content-Type'] = 'application/json'
-        request['forest-secret-key'] = ForestLiana.env_secret
-        request['forest-token'] = @forest_token if @forest_token
-        response = client.request(request)
+    def self.get(route, query: nil, headers: {})
+      begin
+        HTTParty.get("#{forest_api_url}#{route}", {
+          headers: base_headers.merge(headers),
+          query: query,
+        }).response
+      rescue
+        raise 'Cannot reach Forest API, it seems to be down right now.'
+      end
+    end
 
-        handle_service_response(response)
+    def self.post(route, body: nil, query: nil, headers: {})
+      begin
+        HTTParty.post("#{forest_api_url}#{route}", {
+          headers: base_headers.merge(headers),
+          query: query,
+          body: body.to_json,
+        }).response
+      rescue
+        raise 'Cannot reach Forest API, it seems to be down right now.'
       end
     end
 
-    def forest_api_url
-      ENV['FOREST_URL'] || 'https://api.forestadmin.com';
+    private
+
+    def self.base_headers
+      {
+        'Content-Type' => 'application/json',
+        'forest-secret-key' => ForestLiana.env_secret,
+      }
     end
 
-    def get_path(query_parameters)
-      route = @uri.path
-      unless query_parameters.nil?
-        query = query_parameters
-          .collect { |parameter, value| "#{parameter}=#{CGI::escape(value.to_s)}" }.join('&')
-        route += "?#{query}"
-      end
-      route
+    def self.forest_api_url
+      ENV['FOREST_URL'] || 'https://api.forestadmin.com'
     end
   end
 end

data/app/services/forest_liana/login_handler.rb

@@ -0,0 +1,113 @@
+require 'rotp'
+
+module ForestLiana
+  class LoginHandler
+    def initialize(
+      rendering_id,
+      auth_data,
+      use_google_authentication,
+      two_factor_registration,
+      project_id,
+      two_factor_token
+    )
+      @rendering_id = rendering_id
+      @auth_data = auth_data
+      @use_google_authentication = use_google_authentication
+      @two_factor_registration = two_factor_registration
+      @project_id = project_id
+      @two_factor_token = two_factor_token
+    end
+
+    def perform
+      user = AuthorizationGetter.new(@rendering_id, @use_google_authentication, @auth_data, @two_factor_registration).perform
+
+      if user['two_factor_authentication_enabled']
+        if !@two_factor_token.nil?
+          if is_two_factor_token_valid(user, @two_factor_token)
+            TwoFactorRegistrationConfirmer.new(@project_id, @use_google_authentication, @auth_data)
+              .perform
+
+            return { 'token' => create_token(user, @rendering_id) }
+          else
+            raise Errors::HTTP401Error.new('Your token is invalid, please try again.')
+          end
+        else
+          return get_two_factor_response(user)
+        end
+      end
+
+      return { token: create_token(user, @rendering_id) }
+    end
+
+    private
+
+    def check_two_factor_secret_salt
+      if ENV['FOREST_2FA_SECRET_SALT'].nil?
+        FOREST_LOGGER.error 'Cannot use the two factor authentication because the environment variable "FOREST_2FA_SECRET_SALT" is not set.'
+        FOREST_LOGGER.error 'You can generate it using this command: `$ openssl rand -hex 10`'
+
+        raise Errors::HTTP401Error.new('Invalid 2FA configuration, please ask more information to your admin')
+      end
+
+      if ENV['FOREST_2FA_SECRET_SALT'].length != 20
+        FOREST_LOGGER.error 'The FOREST_2FA_SECRET_SALT environment variable must be 20 characters long.'
+        FOREST_LOGGER.error 'You can generate it using this command: `$ openssl rand -hex 10`'
+
+        raise Errors::HTTP401Error.new('Invalid 2FA configuration, please ask more information to your admin')
+      end
+    end
+
+    def get_two_factor_response(user)
+      check_two_factor_secret_salt
+
+      return { 'twoFactorAuthenticationEnabled' => true } if user['two_factor_authentication_active']
+
+      two_factor_authentication_secret = user['two_factor_authentication_secret']
+      user_secret = UserSecretCreator
+        .new(two_factor_authentication_secret, ENV['FOREST_2FA_SECRET_SALT'])
+        .perform
+
+      {
+        twoFactorAuthenticationEnabled: true,
+        userSecret: user_secret,
+      }
+    end
+
+    def is_two_factor_token_valid(user, two_factor_token)
+      check_two_factor_secret_salt
+
+      two_factor_authentication_secret = user['two_factor_authentication_secret']
+
+      user_secret = UserSecretCreator
+        .new(two_factor_authentication_secret, ENV['FOREST_2FA_SECRET_SALT'])
+        .perform
+
+      totp = ROTP::TOTP.new(user_secret)
+      totp.verify(two_factor_token)
+    end
+
+    def create_token(user, rendering_id)
+      JWT.encode({
+        exp: Time.now.to_i + 2.weeks.to_i,
+        data: {
+          id: user['id'],
+          type: 'users',
+          data: {
+            email: user['email'],
+            first_name: user['first_name'],
+            last_name: user['last_name'],
+            teams: user['teams']
+          },
+          relationships: {
+            renderings: {
+              data: [{
+                type: 'renderings',
+                id: rendering_id
+              }]
+            }
+          }
+        }
+      }, ForestLiana.auth_secret, 'HS256')
+    end
+  end
+end

data/app/services/forest_liana/permissions_getter.rb

@@ -1,28 +1,24 @@
 module ForestLiana
-  class PermissionsGetter < ForestApiRequester
+  class PermissionsGetter
     def initialize(rendering_id)
-      @uri = URI.parse("#{forest_api_url}/liana/v2/permissions")
+      @route = "/liana/v2/permissions"
       @rendering_id = rendering_id
     end
 
     def perform
-      perform_request({ 'renderingId' => @rendering_id })
-    rescue => exception
-      FOREST_LOGGER.error "Cannot retrieve the permissions for the project you\'re trying to unlock. Forest API seems to be down right now."
-      FOREST_LOGGER.error exception
-      nil
-    end
-
-    private
+      begin
+        query_parameters = { 'renderingId' => @rendering_id }
+        response = ForestApiRequester.get(@route, query: query_parameters)
 
-    def handle_service_response(response)
-      if response.is_a?(Net::HTTPOK)
-        JSON.parse(response.body)
-      elsif response.is_a?(Net::HTTPNotFound) || response.is_a?(Net::HTTPUnprocessableEntity)
-        FOREST_LOGGER.error "Cannot retrieve the permissions from the Forest server. Can you check that you properly set up the forest_env_secret?"
-        nil
-      else
-        FOREST_LOGGER.error "Cannot retrieve the data from the Forest server. An error occured in Forest API."
+        if response.is_a?(Net::HTTPOK)
+          JSON.parse(response.body)
+        else
+          raise "Forest API returned an #{Errors::HTTPErrorHelper.format(response)}"
+        end
+      rescue => exception
+        FOREST_LOGGER.error 'Cannot retrieve the permissions from the Forest server.'
+        FOREST_LOGGER.error 'Which was caused by:'
+        Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
         nil
       end
     end