gamora 0.7.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e164eceeb7c3a744ed43be46877cb904fff4add871d4a7b4fac25e4837f2f731
-  data.tar.gz: cff5f7b7f3ffd07b13d6e6cc0e476ae86c87788bdf47a4e9c9ff4703dfe54d64
+  metadata.gz: 6fff76821e79e75149f4d407303a9b52dac3b68ac711ffc38ac4e8d517ab7225
+  data.tar.gz: 4f5d52c9ef04b8d1219ca84a28fe25d3bb0dad677d97edc7c863d3c039a9e8d4
 SHA512:
-  metadata.gz: b5da9c118a7f13441147ded22bb7bc237e7b51cd583e7355fa65370ef4e71dfa5256150f6ff0b6aad0f0169a1113dc9a8af2514aecff33454bb571391dea74de
-  data.tar.gz: ad67d0b0be691f544bd2ffcc277b6a70f036bd20ddbabfd9a48b1f92023f84023e8eaa715b6ccc82a9f8a90f4be975b0ac54a657bc18a14e6fd6e40f4bff6f23
+  metadata.gz: eaec688075667ad6184c0567aa2637480a1781e50e5a7bb9448ba27f0b39cc969f42d83374afb5c1c2a5ccc1a339cfc95c553e71492e1e0de65a836f247bde45
+  data.tar.gz: a7d1eadca9cd826bcb13f22c01e332324199877fd9e43285e3daae60a6b3ce29102f3beeccfb20db200563d7a6a90c8ae7dfe25d4097e9cb6fd8a2762ef9f0bb

data/lib/gamora/authentication/base.rb

@@ -5,6 +5,7 @@ module Gamora
     module Base
       CLAIMS = {
         sub: :id,
+        roles: :roles,
         email: :email,
         given_name: :first_name,
         family_name: :last_name,
@@ -14,9 +15,15 @@ module Gamora
       }.freeze
 
       def authenticate_user!
+        return authentication_failed! unless access_token.present?
+
+        token_data = introspect_access_token(access_token)
+        return authentication_failed! unless valid_token_data?(token_data)
+
         claims = resource_owner_claims(access_token)
-        assign_current_user_from_claims(claims) if claims.present?
-        validate_authentication!
+        return authentication_failed! unless claims.present?
+
+        assign_current_user_from_claims(claims)
       end
 
       def current_user
@@ -25,21 +32,29 @@ module Gamora
 
       private
 
-      def validate_authentication!
+      def access_token
         raise NotImplementedError
       end
 
-      def access_token
+      def authentication_failed!
         raise NotImplementedError
       end
 
-      def user_authentication_failed!
-        raise NotImplementedError
+      def valid_token_data?(token_data)
+        token_data[:active] && whitelisted_client?(token_data[:client_id])
+      end
+
+      def whitelisted_client?(client_id)
+        whitelisted_clients.include?(client_id)
+      end
+
+      def whitelisted_clients
+        Configuration.whitelisted_clients | [Configuration.client_id]
       end
 
       def assign_current_user_from_claims(claims)
-        attrs = user_attributes_from_claims(claims)
-        @current_user = User.new(attrs)
+        attributes = user_attributes_from_claims(claims)
+        @current_user = User.new(attributes)
       end
 
       def user_attributes_from_claims(claims)
@@ -47,27 +62,29 @@ module Gamora
       end
 
       def resource_owner_claims(access_token)
-        return {} if access_token.blank?
-
-        resource_owner_claims!(access_token)
-      end
+        cache_key = cache_key(:userinfo, access_token)
+        expires_in = Configuration.userinfo_cache_expires_in
 
-      def resource_owner_claims!(access_token)
-        Rails.cache.fetch(cache_key(access_token), cache_options) do
+        Rails.cache.fetch(cache_key, { expires_in: expires_in }) do
           oauth_client.userinfo(access_token)
         end
       end
 
-      def oauth_client
-        Client.from_config
+      def introspect_access_token(access_token)
+        cache_key = cache_key(:introspect, access_token)
+        expires_in = Configuration.introspect_cache_expires_in
+
+        Rails.cache.fetch(cache_key, { expires_in: expires_in }) do
+          oauth_client.introspect(access_token)
+        end
       end
 
-      def cache_options
-        { expires_in: Configuration.userinfo_cache_expires_in }
+      def cache_key(context, access_token)
+        "gamora:#{context}:#{Digest::SHA256.hexdigest(access_token)}"
       end
 
-      def cache_key(access_token)
-        "userinfo:#{Digest::SHA256.hexdigest(access_token)}"
+      def oauth_client
+        Client.from_config
       end
     end
   end

data/lib/gamora/authentication/headers.rb

@@ -7,12 +7,6 @@ module Gamora
 
       private
 
-      def validate_authentication!
-        return if current_user.present?
-
-        user_authentication_failed!
-      end
-
       def access_token
         pattern = /^Bearer /
         header = request.headers["Authorization"]
@@ -21,7 +15,7 @@ module Gamora
         header.gsub(pattern, "")
       end
 
-      def user_authentication_failed!
+      def authentication_failed!
         render json: { error: "Access token invalid" }, status: :unauthorized
       end
     end

data/lib/gamora/authentication/session.rb

@@ -11,18 +11,12 @@ module Gamora
 
       private
 
-      def validate_authentication!
-        return if current_user.present?
-
-        session["gamora.origin"] = request.original_url
-        user_authentication_failed!
-      end
-
       def access_token
         session[:access_token]
       end
 
-      def user_authentication_failed!
+      def authentication_failed!
+        session["gamora.origin"] = request.original_url
         redirect_to gamora.authentication_path
       end
     end

data/lib/gamora/client.rb

@@ -20,13 +20,25 @@ module Gamora
           token_method: Configuration.token_method,
           redirect_uri: Configuration.redirect_uri,
           userinfo_url: Configuration.userinfo_url,
-          authorize_url: Configuration.authorize_url
+          authorize_url: Configuration.authorize_url,
+          introspect_url: Configuration.introspect_url
         }
       end
     end
 
     def userinfo(access_token)
-      response = userinfo_request(access_token)
+      params = userinfo_params(access_token)
+      opts = request_options(params)
+      response = request(:post, options[:userinfo_url], opts)
+      JSON.parse(response.body).symbolize_keys
+    rescue OAuth2::Error
+      {}
+    end
+
+    def introspect(access_token)
+      params = introspect_params(access_token)
+      opts = request_options(params)
+      response = request(:post, options[:introspect_url], opts)
       JSON.parse(response.body).symbolize_keys
     rescue OAuth2::Error
       {}
@@ -34,15 +46,22 @@ module Gamora
 
     private
 
-    def userinfo_request(access_token)
-      opts = userinfo_request_options(access_token)
-      request(:post, options[:userinfo_url], opts)
+    def request_options(params)
+      {
+        body: params.to_json,
+        headers: { "Content-Type": "application/json" }
+      }
     end
 
-    def userinfo_request_options(access_token)
+    def userinfo_params(access_token)
+      { access_token: access_token }
+    end
+
+    def introspect_params(access_token)
       {
-        body: { access_token: access_token }.to_json,
-        headers: { "Content-Type": "application/json" }
+        token: access_token,
+        client_id: Configuration.client_id,
+        client_secret: Configuration.client_secret
       }
     end
   end

data/lib/gamora/configuration.rb

@@ -6,8 +6,9 @@ module Gamora
     mattr_accessor :client_secret, default: nil
     mattr_accessor :site, default: nil
     mattr_accessor :token_url, default: "/oauth2/token"
-    mattr_accessor :authorize_url, default: "/oauth2/authorize"
     mattr_accessor :userinfo_url, default: "/oauth2/userinfo"
+    mattr_accessor :authorize_url, default: "/oauth2/authorize"
+    mattr_accessor :introspect_url, default: "/oauth2/introspect"
     mattr_accessor :token_method, default: :post
     mattr_accessor :redirect_uri, default: nil
     mattr_accessor :default_scope, default: "openid profile email"
@@ -16,7 +17,9 @@ module Gamora
     mattr_accessor :default_branding, default: "amco"
     mattr_accessor :default_theme, default: "default"
     mattr_accessor :ui_locales, default: -> { I18n.locale }
-    mattr_accessor :userinfo_cache_expires_in, default: 0.seconds
+    mattr_accessor :userinfo_cache_expires_in, default: 1.minute
+    mattr_accessor :introspect_cache_expires_in, default: 0.seconds
+    mattr_accessor :whitelisted_clients, default: []
 
     def setup
       yield(self) if block_given?

data/lib/gamora/user.rb

@@ -5,6 +5,7 @@ module Gamora
     include ActiveModel::Model
 
     attr_accessor :id,
+                  :roles,
                   :email,
                   :last_name,
                   :first_name,

data/lib/gamora/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Gamora
-  VERSION = "0.7.0"
+  VERSION = "0.9.0"
 end

data/lib/generators/gamora/templates/gamora.rb

@@ -8,8 +8,9 @@ Gamora.setup do |config|
 
   # ===> Optional OAuth2 configuration options and its defaults.
   # config.token_url = "/oauth2/token"
-  # config.authorize_url = "/oauth2/authorize"
   # config.userinfo_url = "/oauth2/userinfo"
+  # config.authorize_url = "/oauth2/authorize"
+  # config.introspect_url = "/oauth2/introspect"
   # config.token_method = :post
   # config.redirect_uri = nil
   # config.default_scope = "openid profile email"
@@ -18,5 +19,7 @@ Gamora.setup do |config|
   # config.default_branding = "amco"
   # config.default_theme = "default"
   # config.ui_locales = -> { I18n.locale }
-  # config.userinfo_cache_expires_in = 0.seconds
+  # config.userinfo_cache_expires_in = 1.minute
+  # config.introspect_cache_expires_in = 0.seconds
+  # config.whitelisted_clients = []
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gamora
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Alejandro Gutiérrez
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-02 00:00:00.000000000 Z
+date: 2023-11-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2