himari 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9534716186569cef82a629dd4c15fdcc2f30b6b79712445ef67156b33c99a299
+  data.tar.gz: 8243f15a8bdf914c8b73447aab430a243b0dffea2ea2b84af032d92de3fcdc49
+SHA512:
+  metadata.gz: 30386ab57b39997a8634f63a99466f7efad64d0596767c8ad5f2123e877a1cd3b85f97f5ab29eb6a40d534a223582f56294220c5b3b9b5a873a5a61e928885d5
+  data.tar.gz: 207828253833d92b746ed271a8118e3389b9bbc51302ad57cf99bfb7dd339e337b27a770d6c63ebaa02e31c21264ca0b923fdee9ac3d28e5b55280cfd033aadf

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+gemspec
+
+gem 'rake'
+
+group :test do
+  gem 'rspec'
+  gem 'simplecov'
+  gem 'simplecov-html'
+  gem 'rack-test'
+end

data/Gemfile.lock

@@ -0,0 +1,152 @@
+PATH
+  remote: .
+  specs:
+    himari (0.1.0)
+      addressable
+      omniauth (>= 2.0)
+      openid_connect
+      rack-oauth2
+      rack-protection
+      sinatra (>= 3.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activesupport (7.0.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    aes_key_wrap (1.1.0)
+    attr_required (1.0.1)
+    bindata (2.4.15)
+    concurrent-ruby (1.2.2)
+    date (3.3.3)
+    diff-lcs (1.5.0)
+    docile (1.4.0)
+    faraday (2.7.4)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-net_http (3.0.2)
+    hashie (5.0.0)
+    i18n (1.12.0)
+      concurrent-ruby (~> 1.0)
+    json-jwt (1.16.3)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
+    mail (2.8.1)
+      mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
+    mini_mime (1.1.2)
+    minitest (5.18.0)
+    mustermann (3.0.0)
+      ruby2_keywords (~> 0.0.1)
+    net-imap (0.3.4)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
+    omniauth (2.1.1)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    openid_connect (2.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      net-smtp
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (~> 2.0)
+    public_suffix (5.0.1)
+    rack (2.2.6.4)
+    rack-oauth2 (2.2.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (3.0.5)
+      rack
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rake (13.0.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.1)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.4)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.0)
+    ruby2_keywords (0.0.5)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.4)
+    sinatra (3.0.5)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.5)
+      tilt (~> 2.0)
+    swd (2.0.2)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+    tilt (2.1.0)
+    timeout (0.3.2)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (2.1.2)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  himari!
+  rack-test
+  rake
+  rspec
+  simplecov
+  simplecov-html
+
+BUNDLED WITH
+   2.4.8

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Sorah Fukumori
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/himari.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require_relative "lib/himari/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "himari"
+  spec.version = Himari::VERSION
+  spec.authors = ["Sorah Fukumori"]
+  spec.email = ["her@sorah.jp"]
+
+  spec.summary = "Small OIDC IdP for small teams - Omniauth to OIDC"
+  spec.homepage = "https://github.com/sorah/himari"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/sorah/himari"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "sinatra", '>= 3.0'
+  spec.add_dependency 'rack-protection'
+  spec.add_dependency "omniauth", ">= 2.0"
+
+  spec.add_dependency 'addressable'
+
+  spec.add_dependency "rack-oauth2"
+  spec.add_dependency "openid_connect"
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/lib/himari/access_token.rb

@@ -0,0 +1,119 @@
+require 'securerandom'
+require 'base64'
+require 'digest/sha2'
+require 'rack/utils'
+
+require 'rack/oauth2'
+require 'openid_connect'
+
+module Himari
+  class AccessToken
+    class SecretMissing < StandardError; end
+    class SecretIncorrect < StandardError; end
+    class TokenExpired < StandardError; end
+    class InvalidFormat < StandardError; end
+
+    Format = Struct.new(:handler, :secret, keyword_init: true) do
+      HEADER = 'hmat'
+
+      def self.parse(str)
+        parts = str.split('.')
+        raise InvalidFormat unless parts.size == 3
+        raise InvalidFormat unless parts[0] == HEADER
+        new(handler: parts[1], secret: parts[2])
+      end
+
+      def to_s
+        "#{HEADER}.#{handler}.#{secret}"
+      end
+    end
+
+    class Bearer < Rack::OAuth2::AccessToken::Bearer
+      def token_response(options = {})
+        super.tap do |r|
+          r[:token_type] = 'Bearer' # https://github.com/nov/openid_connect_sample/blob/a5b7ee5b63508d99a3a36b4537809dfa64ba3b1f/lib/token_endpoint.rb#L37
+        end
+      end
+    end
+
+    def self.make(**kwargs)
+      new(
+        handler: SecureRandom.urlsafe_base64(32),
+        secret: SecureRandom.urlsafe_base64(32),
+        expiry: Time.now.to_i + 3600,
+        **kwargs
+      )
+    end
+
+    # @param authz [Himari::AuthorizationCode]
+    def self.from_authz(authz)
+      make(
+        client_id: authz.client_id,
+        claims: authz.claims,
+      )
+    end
+
+    def initialize(handler:, client_id:, claims:, expiry:, secret: nil, secret_hash: nil)
+      @handler = handler
+      @client_id = client_id
+      @claims = claims
+      @expiry = expiry
+
+      @secret = secret
+      @secret_hash = secret_hash
+    end
+
+    attr_reader :handler, :client_id, :claims, :expiry
+
+    def secret
+      raise SecretMissing unless @secret
+      @secret
+    end
+
+    def secret_hash
+      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+    end
+
+    def verify_secret!(given_secret)
+      dgst = Base64.urlsafe_decode64(secret_hash)
+      given_dgst = Digest::SHA384.digest(given_secret)
+      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
+      @secret = given_secret
+      true
+    end
+
+    def verify_expiry!(now = Time.now)
+      raise TokenExpired if @expiry <= now.to_i
+    end
+
+    def format
+      Format.new(handler: handler, secret: secret)
+    end
+
+    def to_bearer
+      Bearer.new(
+        access_token: format.to_s,
+        expires_in: (expiry - Time.now.to_i).to_i,
+      )
+    end
+
+    def as_log
+      {
+        handler_dgst: Digest::SHA256.hexdigest(handler),
+        client_id: client_id,
+        claims: claims,
+        expiry: expiry,
+      }
+    end
+
+    def as_json
+      {
+        handler: handler,
+        secret_hash: secret_hash,
+        client_id: client_id,
+        claims: claims,
+        expiry: expiry.to_i,
+      }
+    end
+  end
+end

data/lib/himari/app.rb

@@ -0,0 +1,193 @@
+require 'sinatra/base'
+require 'addressable'
+
+require 'himari/log_line'
+
+require 'himari/provider_chain'
+require 'himari/authorization_code'
+
+require 'himari/middlewares/client'
+require 'himari/middlewares/config'
+require 'himari/middlewares/signing_key'
+
+require 'himari/services/downstream_authorization'
+require 'himari/services/upstream_authentication'
+
+require 'himari/services/jwks_endpoint'
+require 'himari/services/oidc_authorization_endpoint'
+require 'himari/services/oidc_provider_metadata_endpoint'
+require 'himari/services/oidc_token_endpoint'
+require 'himari/services/oidc_userinfo_endpoint'
+
+module Himari
+  class App < Sinatra::Base
+    set :root, File.expand_path(File.join(__dir__, '..', '..'))
+
+    set :protection, use: %i(authenticity_token), except: %i(remote_token)
+    set :logging, nil
+
+    ProviderCandidate = Struct.new(:name, :button, :action, keyword_init: true)
+
+    helpers do
+      def current_user
+        session[:session_data]
+      end
+
+      def config
+        env[Himari::Middlewares::Config::RACK_KEY]
+      end
+
+      def signing_key_provider
+        Himari::ProviderChain.new(request.env[Himari::Middlewares::SigningKey::RACK_KEY] || [])
+      end
+
+      def client_provider
+        Himari::ProviderChain.new(request.env[Himari::Middlewares::Client::RACK_KEY] || [])
+      end
+
+      def known_providers
+        query = Addressable::URI.form_encode(back_to: request.fullpath)
+        config.providers.map do |pr|
+          name = pr.fetch(:name)
+          ProviderCandidate.new(
+            name: name,
+            button: pr[:button] || "Log in with #{name}",
+            action: "/auth/#{name}?#{query}",
+          )
+        end
+      end
+
+      def csrf_token_value
+        Rack::Protection::AuthenticityToken.token(session)
+      end
+
+      def csrf_token_name
+        'authenticity_token'
+      end
+
+      def cachebuster
+        env['himari.cachebuster'] || "#{Process.pid}"
+      end
+
+      def request_id
+        env['HTTP_X_REQUEST_ID'] ||= SecureRandom.uuid
+      end
+
+      def request_as_log
+        env['himari.request_as_log'] ||= {
+          id: request_id,
+          method: request.request_method,
+          path: request.path,
+          ip: request.ip,
+          cip: env['REMOTE_ADDR'],
+          xff: env['HTTP_X_FORWARDED_FOR'],
+        }
+      end
+    end
+
+    before do
+      request_as_log()
+    end
+
+    get '/' do
+      content_type :text
+      "Himari\n"
+    end
+
+    get '/oidc/authorize' do
+      client = client_provider.find(id: params[:client_id])
+      unless client
+        logger&.warn(Himari::LogLine.new('authorize: no client registration found', req: request_as_log, client_id: params[:client_id]))
+        next halt 401, 'unknown client' 
+      end
+      if current_user
+        # do downstream authz and process oidc request
+        decision = Himari::Services::DownstreamAuthorization.from_request(session: current_user, client: client, request: request).perform
+        logger&.info(Himari::LogLine.new('authorize: downstream authorized', req: request_as_log, allowed: decision.authz_result.allowed, result: decision.as_log))
+        raise unless decision.authz_result.allowed # sanity check
+
+        authz = AuthorizationCode.make(
+          client_id: decision.client.id,
+          claims: decision.claims,
+        )
+
+        Himari::Services::OidcAuthorizationEndpoint.new(
+          authz: authz,
+          client: client,
+          storage: config.storage,
+          logger: logger,
+        ).call(env)
+      else
+        logger&.info(Himari::LogLine.new('authorize: prompt login', req: request_as_log, client_id: params[:client_id]))
+        erb :login
+      end
+    rescue Himari::Services::DownstreamAuthorization::ForbiddenError => e
+      logger&.warn(Himari::LogLine.new('authorize: downstream forbidden', req: request_as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
+      halt 403, "Forbidden"
+    end
+
+    token_ep = proc do
+      Himari::Services::OidcTokenEndpoint.new(
+        client_provider: client_provider,
+        signing_key_provider: signing_key_provider,
+        storage: config.storage,
+        issuer: config.issuer,
+        logger: logger,
+      ).call(env)
+    end
+    post '/oidc/token', &token_ep
+    post '/public/oidc/token', &token_ep
+
+    userinfo_ep = proc do
+      Himari::Services::OidcUserinfoEndpoint.new(
+        storage: config.storage,
+        logger: logger,
+      ).call(env)
+    end
+    get '/oidc/userinfo', &userinfo_ep
+    get '/public/oidc/userinfo', &userinfo_ep
+
+
+    jwks_ep = proc do
+      Himari::Services::JwksEndpoint.new(
+        signing_key_provider: signing_key_provider,
+      ).call(env)
+    end
+    get '/jwks', &jwks_ep
+    get '/public/jwks', &jwks_ep
+
+    get '/.well-known/openid-configuration' do
+      Himari::Services::OidcProviderMetadataEndpoint.new(
+        signing_key_provider: signing_key_provider,
+        issuer: config.issuer,
+      ).call(env)
+    end
+
+    omniauth_callback = proc do
+      # do upstream auth
+      authn = Himari::Services::UpstreamAuthentication.from_request(request).perform
+      logger&.info(Himari::LogLine.new('authentication allowed', req: request_as_log, allowed: authn.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: authn.as_log))
+      raise unless authn.authn_result.allowed # sanity check
+
+      given_back_to = request.env['omniauth.params']&.fetch('back_to', nil)
+      back_to = if given_back_to
+        uri = Addressable::URI.parse(given_back_to)
+        if uri && uri.host.nil? && uri.scheme.nil? && uri.path.start_with?('/')
+          given_back_to
+        else
+          logger&.warn(Himari::LogLine.new('invalid back_to', req: request_as_log, given_back_to: given_back_to))
+          nil
+        end
+      end || '/'
+
+      session.destroy
+      session[:session_data] = authn.session_data
+      redirect back_to
+    rescue Himari::Services::UpstreamAuthentication::UnauthorizedError => e
+      logger&.warn(Himari::LogLine.new('authentication denied', req: request_as_log, err: e.class.inspect, allowed: e.result.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: e.as_log))
+      halt(401, 'Unauthorized')
+    end
+    get '/auth/:provider/callback', &omniauth_callback
+    post '/auth/:provider/callback', &omniauth_callback
+  end
+end

data/lib/himari/authorization_code.rb

@@ -0,0 +1,83 @@
+require 'digest/sha2'
+
+module Himari
+  authz_attrs = %i(
+    code
+    client_id
+    claims
+    openid
+    redirect_uri
+    nonce
+    code_challenge
+    code_challenge_method
+    expiry
+  )
+  AuthorizationCode = Struct.new(*authz_attrs, keyword_init: true) do
+    def self.make(**kwargs)
+      new(
+        code: SecureRandom.urlsafe_base64(32),
+        expiry: Time.now.to_i + 900,
+        **kwargs,
+      )
+    end
+
+    def valid_redirect_uri?(given_uri)
+      redirect_uri == given_uri
+    end
+
+    def pkce?
+      !!(code_challenge && code_challenge_method)
+    end
+
+    def pkce_known_method?
+      # https://datatracker.ietf.org/doc/html/rfc7636#section-4.2
+      %w(S256 plain).include?(code_challenge_method.to_s)
+    end
+
+    def pkce_valid_challenge?
+      # https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+      case code_challenge_method.to_s
+      when 'plain'
+        (43..128).cover?(code_challenge.size)
+      when 'S256'
+        (43..45).cover?(code_challenge.size)
+      end
+    end
+
+    def pkce_valid_request?
+      pkce? && pkce_known_method? && pkce_valid_challenge?
+    end
+
+    def code_dgst_for_log
+      @code_dgst_for_log ||= code ? Digest::SHA256.hexdigest(code) : nil
+    end
+
+    def as_log
+      {
+        code_dgst: code_dgst_for_log,
+        client_id: client_id,
+        claims: claims,
+        nonce: nonce,
+        openid: openid,
+        expiry: expiry.to_i,
+        pkce: pkce?,
+        pkce_method: code_challenge_method,
+        pkce_valid_chal: pkce_valid_challenge?,
+      }
+    end
+
+    def as_json
+      {
+        code: code,
+        client_id: client_id,
+        claims: claims,
+        openid: openid,
+        redirect_uri: redirect_uri,
+        nonce: nonce,
+        code_challenge: code_challenge,
+        code_challenge_method: code_challenge_method,
+        expiry: expiry.to_i,
+      }
+    end
+  end
+end

data/lib/himari/client_registration.rb

@@ -0,0 +1,47 @@
+require 'digest/sha2'
+
+module Himari
+  class ClientRegistration
+    def initialize(name:, id:, secret: nil, secret_hash: nil, redirect_uris:, preferred_key_group: nil)
+      @name = name
+      @id = id
+      @secret = secret
+      @secret_hash = secret_hash
+      @redirect_uris = redirect_uris
+      @preferred_key_group = preferred_key_group
+
+      raise ArgumentError, "either secret or secret_hash must be present" if !@secret && !@secret_hash
+    end
+
+    attr_reader :name, :id, :redirect_uris, :preferred_key_group
+
+    def secret_hash
+      @secret_hash ||= Digest::SHA384.hexdigest(secret)
+    end
+
+    def match_secret?(given_secret)
+      if @secret
+        Rack::Utils.secure_compare(@secret, given_secret)
+      else
+        dgst = [secret_hash].pack('H*')
+        Rack::Utils.secure_compare(dgst, Digest::SHA384.digest(given_secret))
+      end
+    end
+
+    def as_log
+      {name: name, id: id}
+    end
+
+    def match_hint?(id: nil)
+      result = true
+
+      result &&= if id
+        id == self.id
+      else
+        true
+      end
+
+      result
+    end
+  end
+end