gds-sso 0.1.1 → 0.3.0

data/README.md

@@ -23,11 +23,17 @@ Create a `config/initializers/gds-sso.rb` that looks like:
 
     GDS::SSO.config do |config|
       config.user_model   = 'User'
+      
       # set up ID and Secret in a way which doesn't require it to be checked in to source control...
       config.oauth_id     = ENV['OAUTH_ID']
       config.oauth_secret = ENV['OAUTH_SECRET']
+      
       # optional config for location of sign-on-o-tron
       config.oauth_root_url = "http://localhost:3001"
+      
+      # optional config for API Access (requests which accept application/json)
+      config.basic_auth_user = 'api'
+      config.basic_auth_password = 'secret'
     end
 
 The user model needs to respond to klass.find_by_uid(uid), and must include the GDS::SSO::User module.

data/lib/gds-sso.rb

@@ -10,31 +10,35 @@ module GDS
     autoload :FailureApp,        'gds-sso/failure_app'
     autoload :ControllerMethods, 'gds-sso/controller_methods'
     autoload :User,              'gds-sso/user'
+    autoload :ApiAccess,         'gds-sso/api_access'
+
+    # User to return as logged in during tests
+    mattr_accessor :test_user
 
     def self.config
       yield GDS::SSO::Config
     end
 
-    def self.default_strategy
-      if ['development', 'test'].include?(Rails.env) && ENV['GDS_SSO_STRATEGY'] != 'real'
-        :mock_gds_sso
-      else
-        :gds_sso
-      end
-    end
-
     class Engine < ::Rails::Engine
       # Force routes to be loaded if we are doing any eager load.
       # TODO - check this one - Stolen from Devise because it looked sensible...
       config.before_eager_load { |app| app.reload_routes! }
-
+      
       config.app_middleware.use ::OmniAuth::Builder do
         provider :gds, GDS::SSO::Config.oauth_id, GDS::SSO::Config.oauth_secret
       end
 
-      config.app_middleware.use Warden::Manager do |manager|
-        manager.default_strategies GDS::SSO.default_strategy
-        manager.failure_app = GDS::SSO::FailureApp
+      def self.use_mock_strategies?
+        ['development', 'test'].include?(Rails.env) && ENV['GDS_SSO_STRATEGY'] != 'real'
+      end
+      
+      def self.default_strategies
+        use_mock_strategies? ? [:mock_gds_sso, :mock_gds_sso_api_access] : [:gds_sso, :gds_sso_api_access]
+      end
+
+      config.app_middleware.use Warden::Manager do |config|
+        config.default_strategies *self.default_strategies
+        config.failure_app = GDS::SSO::FailureApp
       end
     end
   end

data/lib/gds-sso/api_access.rb

@@ -0,0 +1,12 @@
+require 'rack/accept'
+
+module GDS
+  module SSO
+    class ApiAccess
+      def self.api_call?(env)
+        request = Rack::Accept::Request.new(env)
+        request.best_media_type(%w{application/json text/html}) == 'application/json'
+      end
+    end
+  end
+end

data/lib/gds-sso/config.rb

@@ -15,6 +15,13 @@ module GDS
       mattr_accessor :oauth_root_url
       @@oauth_root_url = "http://localhost:3001"
 
+      # Basic Auth Credentials (for api access when request accept
+      # header is application/json)
+      mattr_accessor :basic_auth_user
+      mattr_accessor :basic_auth_password
+      mattr_accessor :basic_auth_realm
+      @@basic_auth_realm = "API Access"
+      
       def self.user_klass
         user_model.to_s.constantize
       end

data/lib/gds-sso/failure_app.rb

@@ -9,14 +9,13 @@ module GDS
       include ActionController::RackDelegation
       include ActionController::UrlFor
       include ActionController::Redirecting
+      include ActionController::HttpAuthentication::Basic::ControllerMethods
       include Rails.application.routes.url_helpers
 
       def self.call(env)
-        action(:respond).call(env)
-      end
-
-      def respond
-        redirect
+        if ! ::GDS::SSO::ApiAccess.api_call?(env)
+          action(:redirect).call(env)
+        end
       end
 
       def redirect
@@ -33,6 +32,7 @@ module GDS
       def store_location!
         session["return_to"] = env['warden.options'][:attempted_path] if request.get?
       end
+      
     end
   end
 end

data/lib/gds-sso/omniauth_strategy.rb

@@ -8,6 +8,7 @@ require 'multi_json'
 #     use OmniAuth::Builder :gds, 'API Key', 'Secret Key'
 
 class OmniAuth::Strategies::Gds < OmniAuth::Strategies::OAuth2
+  
   # @param [Rack Application] app standard middleware application parameter
   # @param [String] api_key the application id as [provided by GDS]
   # @param [String] secret_key the application secret as [provided by Bitly]
@@ -16,12 +17,23 @@ class OmniAuth::Strategies::Gds < OmniAuth::Strategies::OAuth2
       :site => "#{GDS::SSO::Config.oauth_root_url}/",
       :authorize_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/authorize",
       :token_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
-      :access_token_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token"
+      :access_token_url => "#{GDS::SSO::Config.oauth_root_url}/oauth/access_token",
+      :ssl => {
+        :verify => false
+      }
     }
 
     super(app, :gds, api_key, secret_key, client_options, options, &block)
   end
 
+  def call(env)
+    if GDS::SSO::ApiAccess.api_call?(env)
+      @app.call(env)
+    else
+      super
+    end
+  end
+    
   protected
 
   def fetch_user_data

data/lib/gds-sso/version.rb

@@ -0,0 +1,5 @@
+module GDS
+  module SSO
+    VERSION = "0.3.0"
+  end
+end

data/lib/gds-sso/warden_config.rb

@@ -2,7 +2,7 @@ require 'warden'
 require 'omniauth/oauth'
 
 Warden::Manager.serialize_into_session do |user|
-  user.uid
+  user.respond_to?(:uid) ? user.uid : nil
 end
 
 Warden::Manager.serialize_from_session do |uid|
@@ -11,10 +11,12 @@ end
 
 Warden::Strategies.add(:gds_sso) do
   def valid?
-    true
+    ! ::GDS::SSO::ApiAccess.api_call?(env)
   end
 
   def authenticate!
+    Rails.logger.debug("Authenticating with gds_sso strategy")
+
     if request.env['omniauth.auth'].nil?
       fail!("No credentials, bub") 
     else
@@ -32,12 +34,69 @@ Warden::Strategies.add(:gds_sso) do
   end
 end
 
+Warden::Strategies.add(:gds_sso_api_access) do
+  def valid?
+    ::GDS::SSO::ApiAccess.api_call?(env)
+  end
+  
+  def authenticate!
+    Rails.logger.debug("Authenticating with gds_sso_api_access strategy")
+    
+    auth = Rack::Auth::Basic::Request.new(env)
+
+    return custom!(unauthorized) unless auth.provided?
+    return fail!(:bad_request) unless auth.basic?
+  
+    if valid_api_user?(*auth.credentials)
+      success!(auth.credentials[0])
+    else
+      custom!(unauthorized)
+    end
+  end
+  
+  def valid_api_user?(username, password)
+    username.to_s.strip != '' && 
+      password.to_s.strip != '' && 
+      username == ::GDS::SSO::Config.basic_auth_user &&
+      password == ::GDS::SSO::Config.basic_auth_password
+  end
+  
+  def unauthorized
+    [
+      401,
+      {
+        'Content-Type' => 'text/plain',
+        'Content-Length' => '0',
+        'WWW-Authenticate' => %(Basic realm="#{GDS::SSO::Config.basic_auth_realm}")
+      },
+      []
+    ]
+  end
+end
+
 Warden::Strategies.add(:mock_gds_sso) do
   def valid?
-    true
+    ! ::GDS::SSO::ApiAccess.api_call?(env)
+  end
+
+  def authenticate!
+    Rails.logger.debug("Authenticating with mock_gds_sso strategy")
+    test_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.first
+    if test_user
+      success!(test_user)
+    else
+      raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
+    end
   end
+end
 
+Warden::Strategies.add(:mock_gds_sso_api_access) do
+  def valid?
+    ::GDS::SSO::ApiAccess.api_call?(env)
+  end
+  
   def authenticate!
-    success!(GDS::SSO::Config.user_klass.first)
+    Rails.logger.debug("Authenticating with mock_gds_sso_api_access strategy")
+    success!(GDS::SSO.test_user || GDS::SSO::Config.user_klass.first)
   end
 end

data/test/test_omniauth_strategy.rb

@@ -5,17 +5,24 @@ require 'gds-sso/omniauth_strategy'
 
 class TestOmniAuthStrategy < Test::Unit::TestCase
   def setup
-    @strategy = OmniAuth::Strategies::Gds.new(:gds, 'client_id', 'client_secret')
+    @app = stub("app")
+    @strategy = OmniAuth::Strategies::Gds.new(@app, :gds, 'client_id', 'client_secret')
     @strategy.stubs(:fetch_user_data).returns({'user' => {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk', 'github' => 'fidothe', 'twitter' => 'fidothe'}}.to_json)
   end
 
-  def test_basic_auth_hash_structure
+  def test_build_auth_hash_returns_name_and_email
     assert_equal 'Matt Patterson', @strategy.send(:build_auth_hash)['user_info']['name']
     assert_equal 'matt@alphagov.co.uk', @strategy.send(:build_auth_hash)['user_info']['email']
   end
 
-  def test_extra_auth_hash_structure
+  def test_build_auth_hash_contains_extra_info
     expected = {'uid' => 'abcde', 'version' => 1, 'name' => 'Matt Patterson', 'email' => 'matt@alphagov.co.uk', 'github' => 'fidothe', 'twitter' => 'fidothe'}    
     assert_equal expected, @strategy.send(:build_auth_hash)['extra']['user_hash']
   end
+  
+  def test_oauth_bypassed_if_json_is_accepted_by_request
+    @app.expects(:call)
+    rack_env = { "HTTP_ACCEPT" => 'application/json' }
+    @strategy.call(rack_env)
+  end
 end

metadata

@@ -1,108 +1,125 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: gds-sso
-version: !ruby/object:Gem::Version
-  version: 0.1.1
+version: !ruby/object:Gem::Version 
   prerelease: 
+  version: 0.3.0
 platform: ruby
-authors:
+authors: 
 - Matt Patterson
 - James Stewart
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-02 00:00:00.000000000Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2012-01-10 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: rails
-  requirement: &70169822136140 !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
         version: 3.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *70169822136140
-- !ruby/object:Gem::Dependency
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: warden
-  requirement: &70169822135760 !ruby/object:Gem::Requirement
+  requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        version: 1.0.6
   type: :runtime
   prerelease: false
-  version_requirements: *70169822135760
-- !ruby/object:Gem::Dependency
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
   name: oauth2
-  requirement: &70169822135260 !ruby/object:Gem::Requirement
+  requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - =
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
         version: 0.4.1
   type: :runtime
   prerelease: false
-  version_requirements: *70169822135260
-- !ruby/object:Gem::Dependency
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
   name: oa-oauth
-  requirement: &70169822134800 !ruby/object:Gem::Requirement
+  requirement: &id004 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - =
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
         version: 0.2.6
   type: :runtime
   prerelease: false
-  version_requirements: *70169822134800
-- !ruby/object:Gem::Dependency
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
   name: oa-core
-  requirement: &70169822134340 !ruby/object:Gem::Requirement
+  requirement: &id005 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - =
-      - !ruby/object:Gem::Version
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
         version: 0.2.6
   type: :runtime
   prerelease: false
-  version_requirements: *70169822134340
-- !ruby/object:Gem::Dependency
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rack-accept
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.4.4
+  type: :runtime
+  prerelease: false
+  version_requirements: *id006
+- !ruby/object:Gem::Dependency 
   name: rake
-  requirement: &70169822133880 !ruby/object:Gem::Requirement
+  requirement: &id007 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
         version: 0.9.2
   type: :development
   prerelease: false
-  version_requirements: *70169822133880
-- !ruby/object:Gem::Dependency
+  version_requirements: *id007
+- !ruby/object:Gem::Dependency 
   name: mocha
-  requirement: &70169822133420 !ruby/object:Gem::Requirement
+  requirement: &id008 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
+    requirements: 
     - - ~>
-      - !ruby/object:Gem::Version
+      - !ruby/object:Gem::Version 
         version: 0.9.0
   type: :development
   prerelease: false
-  version_requirements: *70169822133420
+  version_requirements: *id008
 description: Client for GDS' OAuth 2-based SSO
-email:
+email: 
 - matt@constituentparts.com
 - james.stewart@digital.cabinet-office.gov.uk
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
+- lib/gds-sso/api_access.rb
 - lib/gds-sso/config.rb
 - lib/gds-sso/controller_methods.rb
 - lib/gds-sso/failure_app.rb
 - lib/gds-sso/omniauth_strategy.rb
 - lib/gds-sso/routes.rb
 - lib/gds-sso/user.rb
+- lib/gds-sso/version.rb
 - lib/gds-sso/warden_config.rb
 - lib/gds-sso.rb
 - README.md
@@ -113,29 +130,38 @@ files:
 - test/test_user.rb
 homepage: https://github.com/alphagov/gds-sso
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: -376516686123011262
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: -376516686123011262
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: gds-sso
-rubygems_version: 1.8.10
+rubygems_version: 1.8.13
 signing_key: 
 specification_version: 3
 summary: Client for GDS' OAuth 2-based SSO
-test_files:
+test_files: 
 - test/test_helper.rb
 - test/test_omniauth_strategy.rb
 - test/test_user.rb