himari 0.1.0

data/lib/himari/config.rb

@@ -0,0 +1,39 @@
+require 'logger'
+require 'time'
+require 'json'
+require 'himari/log_line'
+
+module Himari
+  class Config
+    def initialize(issuer:, storage:, providers: [], log_output: $stdout, log_level: Logger::INFO, preserve_rack_logger: false)
+      @issuer = issuer
+      @providers = providers
+      @storage = storage
+
+      @log_output = log_output
+      @log_level = log_level
+      @preserve_rack_logger = preserve_rack_logger
+    end
+
+    attr_reader :issuer, :providers, :storage, :preserve_rack_logger
+
+    def logger
+      @logger ||= Logger.new(@log_output).tap do |l|
+        l.level = @log_level
+        l.formatter = proc do |severity, datetime, progname, msg|
+          log = {time: datetime.xmlschema, severity: severity.to_s, pid: Process.pid}
+
+          case msg
+          when Himari::LogLine
+            log[:message] = msg.message
+            log[:data] = msg.data
+          else
+            log[:message] = msg.to_s
+          end
+
+          "#{JSON.generate(log)}\n"
+        end
+      end
+    end
+  end
+end

data/lib/himari/decisions/authentication.rb

@@ -0,0 +1,16 @@
+require 'himari/decisions/base'
+require 'himari/session_data'
+
+module Himari
+  module Decisions
+    class Authentication < Base
+      Context = Struct.new(:provider, :claims, :user_data, :request, keyword_init: true)
+
+      allow_effects(:allow, :deny, :skip)
+
+      def to_evolve_args
+        {}
+      end
+    end
+  end
+end

data/lib/himari/decisions/authorization.rb

@@ -0,0 +1,48 @@
+require 'himari/decisions/base'
+
+module Himari
+  module Decisions
+    class Authorization < Base
+      DEFAULT_ALLOWED_CLAIMS = %i(
+        sub
+        name
+        nickname
+        preferred_username
+        profile
+        picture
+        website
+        email
+        email_verified
+      )
+
+      Context = Struct.new(:claims, :user_data, :request, :client, keyword_init: true)
+
+      allow_effects(:allow, :deny, :continue, :skip)
+
+      def initialize(claims: {}, allowed_claims: DEFAULT_ALLOWED_CLAIMS, lifetime: 3600 * 12)
+        super()
+        @claims = claims
+        @allowed_claims = allowed_claims
+        @lifetime = lifetime
+      end
+
+      attr_reader :claims, :allowed_claims, :lifetime
+
+      def to_evolve_args
+        {
+          claims: @claims.dup,
+          allowed_claims: @allowed_claims.dup,
+          lifetime: @lifetime&.to_i,
+        }
+      end
+
+      def as_log
+        to_h.merge(claims: output, lifetime: @lifetime&.to_i)
+      end
+
+      def output
+        claims.select { |k,_v| allowed_claims.include?(k) }
+      end
+    end
+  end
+end

data/lib/himari/decisions/base.rb

@@ -0,0 +1,63 @@
+module Himari
+  module Decisions
+    class Base
+      class DecisionAlreadyMade < StandardError; end
+      class InvalidEffect < StandardError; end
+
+      def self.allow_effects(*effects)
+        @valid_effects = effects
+      end
+
+      def self.valid_effects
+        @valid_effects
+      end
+
+      def initialize
+        @rule_name = nil
+        @effect = nil
+        raise "#{self.class.name}.valid_effects is missing [BUG]" unless self.class.valid_effects
+      end
+
+      attr_reader :effect, :effect_comment, :rule_name
+
+      def to_evolve_args
+        raise NotImplementedError
+      end
+
+      def to_h
+        {
+          rule_name: rule_name,
+          effect: effect,
+          effect_comment: effect_comment,
+        }
+      end
+
+      def as_log
+        to_h
+      end
+
+      def evolve(rule_name)
+        self.class.new(**to_evolve_args).set_rule_name(rule_name)
+      end
+
+      def set_rule_name(rule_name)
+        raise "cannot override rule_name" if @rule_name
+        @rule_name = rule_name
+        self
+      end
+
+      def decide!(effect, comment = "")
+        raise DecisionAlreadyMade, "decision can only be made once per rule (#{rule_name})" if @effect
+        raise InvalidEffect, "this effect is not valid under this rule. Valid effects: #{self.class.valid_effects.inspect} (#{rule_name})" unless self.class.valid_effects.include?(effect)
+        @effect = effect
+        @effect_comment = comment
+        nil
+      end
+
+      def allow!(comment = ""); decide!(:allow, comment); end
+      def continue!(comment = ""); decide!(:continue, comment); end
+      def deny!(comment = ""); decide!(:deny, comment); end
+      def skip!(comment = ""); decide!(:skip, comment); end
+    end
+  end
+end

data/lib/himari/decisions/claims.rb

@@ -0,0 +1,58 @@
+require 'himari/decisions/base'
+require 'himari/session_data'
+
+module Himari
+  module Decisions
+    class Claims < Base
+      class UninitializedError < StandardError; end
+      class AlreadyInitializedError < StandardError; end
+
+      Context = Struct.new(:request, :auth, keyword_init: true) do
+        def provider; auth[:provider]; end
+      end
+
+      allow_effects(:continue, :skip)
+
+      def initialize(claims: nil, user_data: nil)
+        super()
+        @claims = claims
+        @user_data = user_data
+      end
+
+      def to_evolve_args
+        {
+          claims: @claims.dup,
+          user_data: @user_data.dup,
+        }
+      end
+
+      def as_log
+        to_h.merge(claims: @claims)
+      end
+
+      def output
+        Himari::SessionData.new(claims: claims, user_data: user_data)
+      end
+
+      def initialize_claims!(claims = {})
+        if @claims
+          raise AlreadyInitializedError, "Claims already initialized; use decision.claims to make modification, or rule might be behaving wrong"
+        end
+        @claims = claims.dup
+        @user_data = {}
+      end
+
+      def claims
+        unless @claims
+          raise UninitializedError, "Claims uninitialized; use decision.initialize_claims! to declare claims first (or rule order might be unintentional)" unless @claims
+        end
+        @claims
+      end
+
+      def user_data
+        claims # to raise UninitializedError
+        @user_data
+      end
+    end
+  end
+end

data/lib/himari/id_token.rb

@@ -0,0 +1,57 @@
+require 'rack/oauth2'
+require 'openid_connect'
+require 'base64'
+require 'json/jwt'
+
+module Himari
+  class IdToken
+    # @param authz [Himari::AuthorizationCode]
+    def self.from_authz(authz, **kwargs)
+      new(
+        claims: authz.claims,
+        client_id: authz.client_id,
+        nonce: authz.nonce,
+        **kwargs
+      )
+    end
+
+    def initialize(claims:, client_id:, nonce:, signing_key:, issuer:, access_token: nil, time: Time.now)
+      @claims = claims
+      @client_id = client_id
+      @nonce = nonce
+      @signing_key = signing_key
+      @issuer = issuer
+      @access_token = access_token
+      @time = time
+    end
+
+    attr_reader :claims, :nonce, :signing_key
+
+    def final_claims
+      # https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+      claims.merge(
+        iss: @issuer,
+        aud: @client_id,
+        iat: @time.to_i,
+        nbf: @time.to_i,
+        exp: (@time + 3600).to_i, # TODO: lifetime
+      ).merge(
+        @nonce ? { nonce: @nonce } : {}
+      ).merge(
+        @access_token ? { at_hash: at_hash } : {}
+      )
+    end
+
+    def at_hash
+      return nil unless @access_token
+      dgst = @signing_key.hash_function.digest(@access_token)
+      Base64.urlsafe_encode64(dgst[0, dgst.size/2], padding: false)
+    end
+
+    def to_jwt
+      jwt = JSON::JWT.new(final_claims)
+      jwt.kid = @signing_key.id
+      jwt.sign(@signing_key.pkey, @signing_key.alg.to_sym).to_s
+    end
+  end
+end

data/lib/himari/item_provider.rb

@@ -0,0 +1,11 @@
+module Himari
+  module ItemProvider
+    # :nocov:
+    # Return items searched by hints. This method can perform fuzzy match with hints. OTOH is not expected to return exact match results.
+    # Use Item#match_hint? to do exact match in later process. See also: ProviderChain
+    def collect(**hints) 
+      raise NotImplementedError
+    end
+    # :nocov:
+  end
+end

data/lib/himari/item_providers/static.rb

@@ -0,0 +1,20 @@
+require 'himari/item_provider'
+
+module Himari
+  module ItemProviders
+    class Static
+      include Himari::ItemProvider
+
+      # @param items [Array<Object>] List of static configuration items
+      def initialize(items)
+        @items = items.dup.freeze
+      end
+
+      attr_reader :items
+
+      def collect(**_hint)
+        @items
+      end
+    end
+  end
+end

data/lib/himari/log_line.rb

@@ -0,0 +1,9 @@
+require 'json'
+
+module Himari
+  LogLine = Struct.new(:message, :data) do
+    def to_s
+      "#{message} -- #{JSON.generate(data || {})}"
+    end
+  end
+end

data/lib/himari/middlewares/authentication_rule.rb

@@ -0,0 +1,24 @@
+require 'himari/rule'
+require 'himari/item_providers/static'
+
+module Himari
+  module Middlewares
+    class AuthenticationRule
+      RACK_KEY = 'himari.authn_rule'
+
+      def initialize(app, kwargs = {}, &block)
+        @app = app
+        @rule = Himari::Rule.new(block: block, **kwargs)
+        @provider = Himari::ItemProviders::Static.new([@rule])
+      end
+
+      attr_reader :app, :client
+
+      def call(env)
+        env[RACK_KEY] ||= []
+        env[RACK_KEY] += [@provider]
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/middlewares/authorization_rule.rb

@@ -0,0 +1,24 @@
+require 'himari/rule'
+require 'himari/item_providers/static'
+
+module Himari
+  module Middlewares
+    class AuthorizationRule
+      RACK_KEY = 'himari.authz_rule'
+
+      def initialize(app, kwargs = {}, &block)
+        @app = app
+        @rule = Himari::Rule.new(block: block, **kwargs)
+        @provider = Himari::ItemProviders::Static.new([@rule])
+      end
+
+      attr_reader :app, :client
+
+      def call(env)
+        env[RACK_KEY] ||= []
+        env[RACK_KEY] += [@provider]
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/middlewares/claims_rule.rb

@@ -0,0 +1,24 @@
+require 'himari/rule'
+require 'himari/item_providers/static'
+
+module Himari
+  module Middlewares
+    class ClaimsRule
+      RACK_KEY = 'himari.claims_rule'
+
+      def initialize(app, kwargs = {}, &block)
+        @app = app
+        @rule = Himari::Rule.new(block: block, **kwargs)
+        @provider = Himari::ItemProviders::Static.new([@rule])
+      end
+
+      attr_reader :app, :client
+
+      def call(env)
+        env[RACK_KEY] ||= []
+        env[RACK_KEY] += [@provider]
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/middlewares/client.rb

@@ -0,0 +1,24 @@
+require 'himari/client_registration'
+require 'himari/item_providers/static'
+
+module Himari
+  module Middlewares
+    class Client
+      RACK_KEY = 'himari.clients'
+
+      def initialize(app, kwargs = {})
+        @app = app
+        @client = Himari::ClientRegistration.new(**kwargs)
+        @provider = Himari::ItemProviders::Static.new([@client])
+      end
+
+      attr_reader :app, :client
+
+      def call(env)
+        env[RACK_KEY] ||= []
+        env[RACK_KEY] += [@provider]
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/middlewares/config.rb

@@ -0,0 +1,24 @@
+require 'himari/config'
+
+module Himari
+  module Middlewares
+    class Config
+      RACK_KEY = 'himari.config'
+
+      def initialize(app, kwargs = {})
+        @app = app
+        @config = Himari::Config.new(**kwargs)
+      end
+
+      attr_reader :app, :config
+
+      def call(env)
+        env[RACK_KEY] = config
+        unless config.preserve_rack_logger
+          env['rack.logger'] = config.logger
+        end
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/middlewares/signing_key.rb

@@ -0,0 +1,24 @@
+require 'himari/signing_key'
+require 'himari/item_providers/static'
+
+module Himari
+  module Middlewares
+    class SigningKey
+      RACK_KEY = 'himari.signing_keys'
+
+      def initialize(app, kwargs = {})
+        @app = app
+        @signing_key = Himari::SigningKey.new(**kwargs)
+        @provider = Himari::ItemProviders::Static.new([@signing_key])
+      end
+
+      attr_reader :app, :signing_key
+
+      def call(env)
+        env[RACK_KEY] ||= []
+        env[RACK_KEY] += [@provider]
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/himari/provider_chain.rb

@@ -0,0 +1,26 @@
+module Himari
+  class ProviderChain
+    # @param providers [Array<ItemProvider>]
+    def initialize(providers)
+      @providers = providers
+    end
+
+    attr_reader :providers
+
+    def find(**hint, &block)
+      block ||= proc { |i,h| i.match_hint?(**h) } # ItemProvider#collect doesn't guarantee exact matches, so do exact match by match_hint?
+      @providers.each do |provider|
+        provider.collect(**hint).each do |item|
+          return item if block.call(item, hint)
+        end
+      end
+      nil
+    end
+
+    def collect(**hint)
+      @providers.flat_map do |provider|
+        provider.collect(**hint)
+      end
+    end
+  end
+end

data/lib/himari/rule.rb

@@ -0,0 +1,7 @@
+module Himari
+  Rule = Struct.new(:name, :block, keyword_init: true) do
+    def call(context, decision)
+      block.call(context, decision)
+    end
+  end
+end

data/lib/himari/rule_processor.rb

@@ -0,0 +1,81 @@
+module Himari
+  class RuleProcessor
+    class MissingDecisionError < StandardError; end
+
+    Result = Struct.new(:rule_name, :allowed, :explicit_deny, :decision, :decision_log, keyword_init: true) do
+      def as_log
+        {
+          rule_name: rule_name,
+          allowed: allowed,
+          explicit_deny: explicit_deny,
+          decision: decision&.as_log,
+          decision_log: decision_log.map(&:to_h),
+        }
+      end
+    end
+
+    # @param context [Object] Context data
+    # @param initial_decision [Himari::Decisions::Base] Initial decision
+    def initialize(context, initial_decision)
+      @context = context
+      @initial_decision = initial_decision
+
+      @result = Result.new(rule_name: nil, allowed: false, explicit_deny: false, decision: nil, decision_log: [])
+      @decision = initial_decision
+      @final = false
+    end
+
+    attr_reader :rules, :context, :initial_decision
+    attr_reader :result
+
+    def final?; @final; end
+
+    # @param rules [Himari::Rule] rules
+    def process(rule)
+      raise "cannot process rule for finalized result [BUG]" if final?
+
+      decision = @decision.evolve(rule.name)
+
+      rule.call(context, decision)
+      raise MissingDecisionError, "rule '#{rule.name}' returned no decision; rule must use one of decision.allow!, deny!, continue!, skip!" unless decision.effect
+      result.decision_log.push(decision)
+
+      case decision.effect
+      when :allow
+        @decision = decision
+        result.rule_name ||= rule.name
+        result.decision = decision
+        result.allowed = true
+        result.explicit_deny = false
+
+      when :continue
+        @decision = decision
+        result.decision = decision
+
+      when :skip
+        # do nothing
+
+      when :deny
+        @final = true
+        result.rule_name = rule.name
+        result.decision = nil
+        result.allowed = false
+        result.explicit_deny = true
+
+      else
+        raise "Unknown effect #{decision.effect} [BUG]"
+      end
+    end
+
+    # @param rules [Array<Himari::Rule>] rules
+    def run(rules)
+      rules.each do |rule|
+        process(rule)
+        break if final?
+      end
+      @final = true
+      result.decision ||= @initial_decision unless result.explicit_deny
+      result
+    end
+  end
+end

data/lib/himari/services/downstream_authorization.rb

@@ -0,0 +1,73 @@
+require 'himari/decisions/authorization'
+require 'himari/middlewares/authorization_rule'
+require 'himari/rule_processor'
+require 'himari/session_data'
+require 'himari/provider_chain'
+
+module Himari
+  module Services
+    class DownstreamAuthorization
+      class ForbiddenError < StandardError
+        # @param result [Himari::RuleProcessor::Result]
+        def initialize(result)
+          @result = result
+          super("Forbidden")
+        end
+
+        attr_reader :result
+
+        def as_log
+          result.as_log
+        end
+      end
+
+      Result = Struct.new(:client, :claims, :authz_result) do
+        def as_log
+          {
+            client: client.as_log,
+            claims: claims,
+            decision: {
+              authorization: authz_result.as_log,
+            },
+          }
+        end
+      end
+
+      # @param session [Himari::SessionData]
+      # @param client [Himari::ClientRegistration]
+      # @param request [Rack::Request]
+      # @param authz_rules [Array<Himari::Rule>] Authorization Rules
+      # @param logger [Logger]
+      def initialize(session:, client:, request: nil, authz_rules: [], logger: nil)
+        @session = session
+        @client = client
+        @request = request
+        @authz_rules = authz_rules
+        @logger = logger
+      end
+
+      # @param session [Himari::SessionData]
+      # @param client [Himari::ClientRegistration]
+      # @param request [Rack::Request]
+      def self.from_request(session:, client:, request:)
+        new(
+          session: session,
+          client: client,
+          request: request,
+          authz_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthorizationRule::RACK_KEY] || []).collect,
+          logger: request.env['rack.logger'],
+        )
+      end
+
+      def perform
+        context = Himari::Decisions::Authorization::Context.new(claims: @session.claims, user_data: @session.user_data, request: @request, client: @client).freeze
+
+        authorization = Himari::RuleProcessor.new(context, Himari::Decisions::Authorization.new(claims: @session.claims.dup)).run(@authz_rules)
+        raise ForbiddenError.new(Result.new(@client, nil, authorization)) unless authorization.allowed
+
+        claims = authorization.decision.output
+        Result.new(@client, claims, authorization)
+      end
+    end
+  end
+end