RubyGems - gitlab-omniauth-openid-connect - Versions diffs - 0.4.0 - Mend

gitlab-omniauth-openid-connect 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +7 -0
data/.github/config/rubocop_linter_action.yml +59 -0
data/.github/stale.yml +17 -0
data/.github/workflows/rubocop.yml +22 -0
data/.gitignore +20 -0
data/.gitlab-ci.yml +27 -0
data/.rubocop.yml +58 -0
data/.travis.yml +9 -0
data/CHANGELOG.md +53 -0
data/Gemfile +4 -0
data/Guardfile +16 -0
data/LICENSE.txt +22 -0
data/README.md +130 -0
data/Rakefile +10 -0
data/gitlab-omniauth-openid-connect.gemspec +35 -0
data/lib/omniauth/openid_connect.rb +5 -0
data/lib/omniauth/openid_connect/errors.rb +9 -0
data/lib/omniauth/openid_connect/version.rb +7 -0
data/lib/omniauth/strategies/openid_connect.rb +406 -0
data/lib/omniauth_openid_connect.rb +3 -0
data/test/fixtures/id_token.txt +1 -0
data/test/fixtures/jwks.json +8 -0
data/test/fixtures/test.crt +19 -0
data/test/lib/omniauth/strategies/openid_connect_test.rb +684 -0
data/test/strategy_test_case.rb +64 -0
data/test/test_helper.rb +16 -0
metadata +258 -0

data/Rakefile ADDED Viewed

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.test_files = FileList['test/lib/omniauth/**/*_test.rb']
+  t.verbose = true
+end
+task default: :test

data/gitlab-omniauth-openid-connect.gemspec ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/openid_connect/version'
+Gem::Specification.new do |spec|
+  spec.name          = 'gitlab-omniauth-openid-connect'
+  spec.version       = OmniAuth::OpenIDConnect::VERSION
+  spec.authors       = ['John Bohn', 'Ilya Shcherbinin']
+  spec.email         = ['jjbohn@gmail.com', 'm0n9oose@gmail.com']
+  spec.summary       = 'OpenID Connect Strategy for OmniAuth'
+  spec.description   = 'OpenID Connect Strategy for OmniAuth.'
+  spec.homepage      = 'https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect'
+  spec.license       = 'MIT'
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.add_dependency 'addressable', '~> 2.7'
+  spec.add_dependency 'omniauth', '~> 1.9'
+  spec.add_dependency 'openid_connect', '~> 1.2'
+  spec.add_development_dependency 'coveralls', '~> 0.8'
+  spec.add_development_dependency 'faker', '~> 2.17'
+  spec.add_development_dependency 'guard', '~> 2.14'
+  spec.add_development_dependency 'guard-bundler', '~> 3.0'
+  spec.add_development_dependency 'guard-minitest', '~> 2.4'
+  spec.add_development_dependency 'minitest', '~> 5.14'
+  spec.add_development_dependency 'mocha', '~> 1.12'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rubocop', '~> 1.12'
+  spec.add_development_dependency 'simplecov', '~> 0.16'
+end

data/lib/omniauth/openid_connect.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+require 'omniauth/openid_connect/errors'
+require 'omniauth/openid_connect/version'
+require 'omniauth/strategies/openid_connect'

data/lib/omniauth/openid_connect/errors.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+module OmniAuth
+  module OpenIDConnect
+    class Error < RuntimeError; end
+    class MissingCodeError < Error; end
+    class MissingIdTokenError < Error; end
+  end
+end

data/lib/omniauth/openid_connect/version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+module OmniAuth
+  module OpenIDConnect
+    VERSION = '0.4.0'
+  end
+end

data/lib/omniauth/strategies/openid_connect.rb ADDED Viewed

@@ -0,0 +1,406 @@
+# frozen_string_literal: true
+require 'addressable/uri'
+require 'timeout'
+require 'net/http'
+require 'open-uri'
+require 'omniauth'
+require 'openid_connect'
+require 'forwardable'
+module OmniAuth
+  module Strategies
+    class OpenIDConnect
+      include OmniAuth::Strategy
+      extend Forwardable
+      RESPONSE_TYPE_EXCEPTIONS = {
+        'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
+        'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
+      }.freeze
+      def_delegator :request, :params
+      option :name, 'openid_connect'
+      option(:client_options, identifier: nil,
+                              secret: nil,
+                              redirect_uri: nil,
+                              scheme: 'https',
+                              host: nil,
+                              port: 443,
+                              authorization_endpoint: '/authorize',
+                              token_endpoint: '/token',
+                              userinfo_endpoint: '/userinfo',
+                              jwks_uri: '/jwk',
+                              end_session_endpoint: nil)
+      option :issuer
+      option :discovery, false
+      option :client_signing_alg
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [:openid]
+      option :response_type, 'code' # ['code', 'id_token']
+      option :state
+      option :response_mode # [:query, :fragment, :form_post, :web_message]
+      option :display, nil # [:page, :popup, :touch, :wap]
+      option :prompt, nil # [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :acr_values
+      option :send_nonce, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+      option :post_logout_redirect_uri
+      option :extra_authorize_params, {}
+      option :uid_field, 'sub'
+      def uid
+        user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
+      end
+      info do
+        {
+          name: user_info.name,
+          email: user_info.email,
+          nickname: user_info.preferred_username,
+          first_name: user_info.given_name,
+          last_name: user_info.family_name,
+          gender: user_info.gender,
+          image: user_info.picture,
+          phone: user_info.phone_number,
+          urls: { website: user_info.website },
+        }
+      end
+      extra do
+        { raw_info: user_info.raw_attributes }
+      end
+      credentials do
+        {
+          id_token: access_token.id_token,
+          token: access_token.access_token,
+          refresh_token: access_token.refresh_token,
+          expires_in: access_token.expires_in,
+          scope: access_token.scope,
+        }
+      end
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+      def config
+        @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
+      end
+      def request_phase
+        options.issuer = issuer if options.issuer.to_s.empty?
+        discover!
+        redirect authorize_uri
+      end
+      def callback_phase
+        error = params['error_reason'] || params['error']
+        error_description = params['error_description'] || params['error_reason']
+        invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
+        raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
+        raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
+        return unless valid_response_type?
+        options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+        verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
+        discover!
+        client.redirect_uri = redirect_uri
+        return id_token_callback_phase if configured_response_type == 'id_token'
+        client.authorization_code = authorization_code
+        access_token
+        super
+      rescue CallbackError => e
+        fail!(e.error, e)
+      rescue ::Rack::OAuth2::Client::Error => e
+        fail!(e.response[:error], e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+      def other_phase
+        if logout_path_pattern.match?(current_path)
+          options.issuer = issuer if options.issuer.to_s.empty?
+          discover!
+          return redirect(end_session_uri) if end_session_uri
+        end
+        call_app!
+      end
+      def authorization_code
+        params['code']
+      end
+      def end_session_uri
+        return unless end_session_endpoint_is_valid?
+        end_session_uri = URI(client_options.end_session_endpoint)
+        end_session_uri.query = encoded_post_logout_redirect_uri
+        end_session_uri.to_s
+      end
+      def authorize_uri
+        client.redirect_uri = redirect_uri
+        opts = {
+          response_type: options.response_type,
+          response_mode: options.response_mode,
+          scope: options.scope,
+          state: new_state,
+          login_hint: params['login_hint'],
+          ui_locales: params['ui_locales'],
+          claims_locales: params['claims_locales'],
+          prompt: options.prompt,
+          nonce: (new_nonce if options.send_nonce),
+          hd: options.hd,
+          acr_values: options.acr_values,
+        }
+        opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
+        client.authorization_uri(opts.reject { |_k, v| v.nil? })
+      end
+      def public_key
+        @public_key ||= begin
+          if options.discovery
+            config.jwks
+          elsif key_or_secret
+            key_or_secret
+          elsif client_options.jwks_uri
+            fetch_key
+          end
+        end
+      end
+      private
+      def fetch_key
+        @fetch_key ||= parse_jwk_key(::OpenIDConnect.http_client.get_content(client_options.jwks_uri))
+      end
+      def issuer
+        resource = "#{ client_options.scheme }://#{ client_options.host }"
+        resource = "#{ resource }:#{ client_options.port }" if client_options.port
+        ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
+      end
+      def discover!
+        return unless options.discovery
+        client_options.authorization_endpoint = config.authorization_endpoint
+        client_options.token_endpoint = config.token_endpoint
+        client_options.userinfo_endpoint = config.userinfo_endpoint
+        client_options.jwks_uri = config.jwks_uri
+        client_options.end_session_endpoint = config.end_session_endpoint if config.respond_to?(:end_session_endpoint)
+      end
+      def user_info
+        return @user_info if @user_info
+        if access_token.id_token
+          decoded = decode_id_token(access_token.id_token).raw_attributes
+          @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
+        else
+          @user_info = access_token.userinfo!
+        end
+      end
+      def access_token
+        return @access_token if @access_token
+        @access_token = client.access_token!(
+          scope: (options.scope if options.send_scope_to_token_endpoint),
+          client_auth_method: options.client_auth_method
+        )
+        verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
+        @access_token
+      end
+      def decode_id_token(id_token)
+        decode!(id_token, public_key)
+      rescue JSON::JWK::Set::KidNotFound
+        # Either the JWT doesn't have kid specified or the set of keys doesn't
+        # have a matching key. Since we can't tell the first case from the second,
+        # try each key individually to see if one works.
+        # https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
+        decoded = decode_with_each_key!(id_token)
+        raise unless decoded
+        decoded
+      end
+      def decode!(id_token, key)
+        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, key)
+      end
+      def decode_with_each_key!(id_token)
+        return unless public_key.is_a?(JSON::JWK::Set)
+        public_key.each do |key|
+          begin
+            decoded = decode!(id_token, key)
+          rescue JSON::JWK::Set::KidNotFound, JSON::JWS::VerificationFailed
+            next
+          end
+          return decoded if decoded
+        end
+        nil
+      end
+      def client_options
+        options.client_options
+      end
+      def new_state
+        state = if options.state.respond_to?(:call)
+                  if options.state.arity == 1
+                    options.state.call(env)
+                  else
+                    options.state.call
+                  end
+                end
+        session['omniauth.state'] = state || SecureRandom.hex(16)
+      end
+      def stored_state
+        session.delete('omniauth.state')
+      end
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.hex(16)
+      end
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+      def session
+        return {} if @env.nil?
+        super
+      end
+      def key_or_secret
+        @key_or_secret ||=
+          case options.client_signing_alg
+          when :HS256, :HS384, :HS512
+            client_options.secret
+          when :RS256, :RS384, :RS512
+            if options.client_jwk_signing_key
+              parse_jwk_key(options.client_jwk_signing_key)
+            elsif options.client_x509_signing_key
+              parse_x509_key(options.client_x509_signing_key)
+            end
+          end
+      end
+      def parse_x509_key(key)
+        OpenSSL::X509::Certificate.new(key).public_key
+      end
+      def parse_jwk_key(key)
+        json = JSON.parse(key)
+        return JSON::JWK::Set.new(json['keys']) if json.key?('keys')
+        JSON::JWK.new(json)
+      end
+      def decode(str)
+        UrlSafeBase64.decode64(str).unpack1('B*').to_i(2).to_s
+      end
+      def redirect_uri
+        return client_options.redirect_uri unless params['redirect_uri']
+        "#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(params['redirect_uri']) }"
+      end
+      def encoded_post_logout_redirect_uri
+        return unless options.post_logout_redirect_uri
+        URI.encode_www_form(
+          post_logout_redirect_uri: options.post_logout_redirect_uri
+        )
+      end
+      def end_session_endpoint_is_valid?
+        client_options.end_session_endpoint &&
+          client_options.end_session_endpoint =~ URI::DEFAULT_PARSER.make_regexp
+      end
+      def logout_path_pattern
+        @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
+      end
+      def id_token_callback_phase
+        user_data = decode_id_token(params['id_token']).raw_attributes
+        env['omniauth.auth'] = AuthHash.new(
+          provider: name,
+          uid: user_data['sub'],
+          info: { name: user_data['name'], email: user_data['email'] },
+          extra: { raw_info: user_data }
+        )
+        call_app!
+      end
+      def valid_response_type?
+        return true if params.key?(configured_response_type)
+        error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
+        fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error']))
+        false
+      end
+      def configured_response_type
+        @configured_response_type ||= options.response_type.to_s
+      end
+      def verify_id_token!(id_token)
+        return unless id_token
+        decode_id_token(id_token).verify!(issuer: options.issuer,
+                                          client_id: client_options.identifier,
+                                          nonce: stored_nonce)
+      end
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+        def initialize(data)
+          self.error = data[:error]
+          self.error_reason = data[:reason]
+          self.error_uri = data[:uri]
+        end
+        def message
+          [error, error_reason, error_uri].compact.join(' | ')
+        end
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'