gamora 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2cd6b80cc6b032dda4a916030c007de815ab7bbe86b9206797310fad36c7a70f
+  data.tar.gz: aad80d59d2dcf567445aade639916019cbc3e6570d3f9a73bde6bfd4647f26fe
+SHA512:
+  metadata.gz: 98b0c4b20abaecc2ed9042e6d04d565325b3fbc71a37f152520aec9f9f56043429843d13dd879415f961593dca7ee6f405b92f08ef85a122fe51813448e203bf
+  data.tar.gz: 6518ea2fdb5ed87f69afc422bd38ca1a82a3aea6b313ea6abef5adb057366b5d0f6fc16d11b002ca6b8bede834c90cb126f38880b19dc53bcb8d0e67e27584ea

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2022 Alejandro Gutiérrez
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,87 @@
+# Gamora - OIDC Relying Party
+
+Gamora aims to provide most of the functionality that is commonly
+required in an OpenID Connect Relying Party. An OIDC Relying Party is
+an OAuth 2.0 Client application that requires user authentication and
+claims from an OpenID Connect Provider (IdP). More information about
+[OpenID Connect](https://openid.net/connect/).
+
+## Installation
+
+Add `Gamora` to your application's Gemfile:
+
+```ruby
+gem "gamora"
+```
+
+And then install gamora:
+
+```bash
+rails g gamora:install
+```
+
+## Configuration
+
+Provide required configuration in `config/initializers/gamora.rb`:
+
+```ruby
+Gamora.setup do |config|
+  # ===> Required OAuth2 configuration options
+  config.client_id = "CLIENT_ID"
+  config.client_secret = "CLIENT_SECRET"
+  config.site = "IDENTITY_PROVIDER"
+
+  ...
+end
+```
+
+To see the full list of configuration options please check your gamora
+initializer.
+
+## User authentication
+
+### Web-based applications
+
+To authenticate the user against the Identity Provider before each request
+using an access token stored in the session you should include
+`Gamora::Authentication::Session` in your application controller and use the
+before_action `authenticate_user!` in the actions you need to protect.
+In case the access token has expired or is invalid. it will redirect the
+user to the IdP to authenticate again.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Gamora::Authentication::Session
+  ...
+
+  before_action :authenticate_user!
+end
+```
+
+### JSON API applications
+
+In the other hand, if your application is an JSON API you probably want
+to authenticate the user using the access token in the request headers.
+To do that, you should include `Gamora::Authentication::Headers` in your
+application controller and use the before_action `authenticate_user!` in
+the actions you need to protect. In case the access token has expired or
+is invalid. it will return an error json with unauthorized status.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Gamora::Authentication::Headers
+  ...
+
+  before_action :authenticate_user!
+end
+```
+
+Optionally, if you want to do something different when authentication
+fails, you just need to override the `user_authentication_failed!`
+method in you controller and customize it as you wish.
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/app/controllers/gamora/application_controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Gamora
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/gamora/authentication_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Gamora
+  class AuthenticationController < ApplicationController
+    def show
+      redirect_to authorization_url, allow_other_host: true
+    end
+
+    private
+
+    def authorization_url
+      Client.from_config.auth_code.authorize_url({
+        scope: Configuration.default_scope,
+        prompt: Configuration.default_prompt,
+        strategy: Configuration.default_strategy,
+        ui_locales: Configuration.ui_locales.call
+      }.merge(authorization_params).compact_blank)
+    end
+
+    def authorization_params
+      params.permit(
+        :scope,
+        :state,
+        :prompt,
+        :max_age,
+        :strategy,
+        :ui_locales
+      )
+    end
+  end
+end

data/app/controllers/gamora/callback_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Gamora
+  class CallbackController < ApplicationController
+    def show
+      access_token = access_token_from_auth_code
+      session[:access_token] = access_token.token
+      session[:refresh_token] = access_token.refresh_token
+      redirect_to session.delete("gamora.origin") || main_app.root_path
+    rescue OAuth2::Error
+      render plain: "Invalid authorization code"
+    end
+
+    private
+
+    def access_token_from_auth_code
+      Client.from_config.auth_code.get_token(params[:code])
+    end
+  end
+end

data/app/models/gamora/application_record.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Gamora
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/config/routes.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+Gamora::Engine.routes.draw do
+  get "amco", to: "authentication#show", as: :authentication
+  get "amco/callback", to: "callback#show", as: :callback
+end

data/lib/gamora/authentication/base.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Gamora
+  module Authentication
+    module Base
+      def authenticate_user!
+        claims = resource_owner_claims(access_token)
+        assign_current_user_from_claims(claims) if claims.present?
+        validate_authentication!
+      end
+
+      def current_user
+        @current_user
+      end
+
+      private
+
+      def validate_authentication!
+        raise NotImplementedError
+      end
+
+      def access_token
+        raise NotImplementedError
+      end
+
+      def user_authentication_failed!
+        raise NotImplementedError
+      end
+
+      def assign_current_user_from_claims(claims)
+        attrs = user_attributes_from_claims(claims)
+        @current_user = User.new(attrs)
+      end
+
+      def user_attributes_from_claims(claims)
+        claims.transform_keys do |key|
+          case key
+          when :sub then :id
+          when :email then :email
+          when :given_name then :first_name
+          when :family_name then :last_name
+          when :phone_number then :phone_number
+          else key
+          end
+        end
+      end
+
+      def resource_owner_claims(access_token)
+        return {} if access_token.blank?
+        oauth_client.userinfo(access_token)
+      end
+
+      def oauth_client
+        Client.from_config
+      end
+    end
+  end
+end

data/lib/gamora/authentication/headers.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Gamora
+  module Authentication
+    module Headers
+      include Base
+
+      private
+
+      def validate_authentication!
+        return if current_user.present?
+        user_authentication_failed!
+      end
+
+      def access_token
+        pattern = /^Bearer /
+        header = request.headers["Authorization"]
+        return unless header&.match(pattern)
+        header.gsub(pattern, "")
+      end
+
+      def user_authentication_failed!
+        render json: { error: "Access token invalid" }, status: :unauthorized
+      end
+    end
+  end
+end

data/lib/gamora/authentication/session.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Gamora
+  module Authentication
+    module Session
+      include Base
+
+      def self.included(base)
+        base.helper_method :current_user
+      end
+
+      private
+
+      def validate_authentication!
+        return if current_user.present?
+        session["gamora.origin"] = request.original_url
+        user_authentication_failed!
+      end
+
+      def access_token
+        session[:access_token]
+      end
+
+      def user_authentication_failed!
+        redirect_to gamora.authentication_path
+      end
+    end
+  end
+end

data/lib/gamora/client.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Gamora
+  class Client < OAuth2::Client
+    def self.from_config
+      new(
+        Configuration.client_id,
+        Configuration.client_secret,
+        {
+          site: Configuration.site,
+          token_url: Configuration.token_url,
+          token_method: Configuration.token_method,
+          redirect_uri: Configuration.redirect_uri,
+          userinfo_url: Configuration.userinfo_url,
+          authorize_url: Configuration.authorize_url
+        }
+      )
+    end
+
+    def userinfo(access_token)
+      response = userinfo_request(access_token)
+      JSON.parse(response.body).symbolize_keys
+    rescue OAuth2::Error
+      {}
+    end
+
+    private
+
+    def userinfo_request(access_token)
+      opts = userinfo_request_options(access_token)
+      request(:post, options[:userinfo_url], opts)
+    end
+
+    def userinfo_request_options(access_token)
+      {
+        body: { access_token: access_token }.to_json,
+        headers: { "Content-Type": "application/json" }
+      }
+    end
+  end
+end

data/lib/gamora/configuration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Gamora
+  module Configuration
+    mattr_accessor :client_id, default: nil
+    mattr_accessor :client_secret, default: nil
+    mattr_accessor :site, default: nil
+    mattr_accessor :token_url, default: "/oauth2/token"
+    mattr_accessor :authorize_url, default: "/oauth2/authorize"
+    mattr_accessor :userinfo_url, default: "/oauth2/userinfo"
+    mattr_accessor :token_method, default: :post
+    mattr_accessor :redirect_uri, default: nil
+    mattr_accessor :default_scope, default: "openid profile email"
+    mattr_accessor :default_prompt, default: nil
+    mattr_accessor :default_strategy, default: "default"
+    mattr_accessor :ui_locales, default: -> { I18n.locale }
+
+    def setup
+      yield(self) if block_given?
+    end
+  end
+end

data/lib/gamora/engine.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Gamora
+  class Engine < ::Rails::Engine
+    isolate_namespace Gamora
+  end
+end

data/lib/gamora/user.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Gamora
+  class User
+    include ActiveModel::Model
+
+    attr_accessor :id,
+                  :email,
+                  :last_name,
+                  :first_name,
+                  :phone_number
+  end
+end

data/lib/gamora/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Gamora
+  VERSION = "0.1.0"
+end

data/lib/gamora.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "oauth2"
+require "gamora/version"
+require "gamora/engine"
+require "gamora/configuration"
+
+module Gamora
+  extend Configuration
+
+  autoload :User, "gamora/user"
+  autoload :Client, "gamora/client"
+
+  module Authentication
+    autoload :Base, "gamora/authentication/base"
+    autoload :Headers, "gamora/authentication/headers"
+    autoload :Session, "gamora/authentication/session"
+  end
+end

data/lib/generators/gamora/install_generator.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Gamora
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+      desc "Creates gamora initializer."
+
+      def create_initializer
+        template "gamora.rb", "config/initializers/gamora.rb"
+      end
+    end
+  end
+end

data/lib/generators/gamora/templates/gamora.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+Gamora.setup do |config|
+  # ===> Required OAuth2 configuration options
+  config.client_id = "CLIENT_ID"
+  config.client_secret = "CLIENT_SECRET"
+  config.site = "IDENTITY_PROVIDER_URL"
+
+  # ===> Optional OAuth2 configuration options and its defaults.
+  # config.token_url = "/oauth2/token"
+  # config.authorize_url = "/oauth2/authorize"
+  # config.userinfo_url = "/oauth2/userinfo"
+  # config.token_method = :post
+  # config.redirect_uri = nil
+  # config.default_scope = "openid profile email"
+  # config.default_prompt = nil
+  # config.default_strategy = "default"
+  # config.ui_locales = -> { I18n.locale }
+end

data/lib/tasks/gamora_tasks.rake

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# desc "Explaining what the task does"
+# task :gamora do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: gamora
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alejandro Gutiérrez
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+description: Gamora aims to provide most of the functionality that is commonly required
+  in an OIDC Client.
+email:
+- alejandrodevs@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/controllers/gamora/application_controller.rb
+- app/controllers/gamora/authentication_controller.rb
+- app/controllers/gamora/callback_controller.rb
+- app/models/gamora/application_record.rb
+- config/routes.rb
+- lib/gamora.rb
+- lib/gamora/authentication/base.rb
+- lib/gamora/authentication/headers.rb
+- lib/gamora/authentication/session.rb
+- lib/gamora/client.rb
+- lib/gamora/configuration.rb
+- lib/gamora/engine.rb
+- lib/gamora/user.rb
+- lib/gamora/version.rb
+- lib/generators/gamora/install_generator.rb
+- lib/generators/gamora/templates/gamora.rb
+- lib/tasks/gamora_tasks.rake
+homepage: https://github.com/amco/gamora_rb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/amco/gamora_rb
+  source_code_uri: https://github.com/amco/gamora_rb
+  changelog_uri: https://github.com/amco/gamora_rb/blob/master/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: OpenID Connect Relying Party for rails apps.
+test_files: []