himari 0.1.0

data/lib/himari/services/jwks_endpoint.rb

@@ -0,0 +1,40 @@
+module Himari
+  module Services
+    class JwksEndpoint
+      # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>]
+      def initialize(signing_key_provider:)
+        @signing_key_provider = signing_key_provider
+      end
+
+      def app
+        self
+      end
+
+      def call(env)
+        Handler.new(signing_key_provider: @signing_key_provider, env: env).response
+      end
+
+      class Handler
+        class InvalidToken < StandardError; end
+
+        def initialize(signing_key_provider:, env:)
+          @signing_key_provider = signing_key_provider
+          @env = env
+        end
+
+        def response
+          # https://www.rfc-editor.org/rfc/rfc7517#section-5
+          return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless @env['REQUEST_METHOD'] == 'GET'
+
+          signing_keys = @signing_key_provider.collect()
+
+          [
+            200,
+            {'Content-Type' => 'application/json; charset=utf-8'},
+            [JSON.pretty_generate(keys: signing_keys.map(&:as_jwk)), "\n"],
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/himari/services/oidc_authorization_endpoint.rb

@@ -0,0 +1,82 @@
+require 'rack/oauth2'
+require 'digest/sha2'
+require 'openid_connect'
+
+module Himari
+  module Services
+    class OidcAuthorizationEndpoint
+      SUPPORTED_RESPONSE_TYPES = ['code'] # TODO: share with oidc metadata
+
+      # @param authz [Himari::AuthorizationCode] pending (unpersisted) authz data
+      # @param client [Himari::ClientRegistration]
+      # @param storage [Himari::Storages::Base]
+      # @param logger [Logger]
+      def initialize(authz:, client:, storage:, logger: nil)
+        @authz = authz
+        @client = client
+        @storage = storage
+        @logger = logger
+      end
+
+      def call(env)
+        app(env).call(env)
+      rescue Rack::OAuth2::Server::Abstract::Error => e
+        @logger&.warn(Himari::LogLine.new('OidcAuthorizationEndpoint: returning error', req: env['himari.request_as_log'], err: e.class.inspect, err_content: e.protocol_params))
+        # XXX: finish???? https://github.com/nov/rack-oauth2/blob/v2.2.0/lib/rack/oauth2/server/authorize/error.rb#L19
+        # Call https://github.com/nov/rack-oauth2/blob/v2.2.0/lib/rack/oauth2/server/abstract/error.rb#L25
+        Rack::OAuth2::Server::Abstract::Error.instance_method(:finish).bind(e).call
+      end
+
+      def app(env)
+        Rack::OAuth2::Server::Authorize.new do |req, res|
+          # sanity check
+          unless @client.id == req.client_id
+            @logger&.warn(Himari::LogLine.new('OidcAuthorizationEndpoint: @client.id != req.client_id', req: env['himari.request_as_log'], known_client: @client.id, given_client: req.client_id))
+            next req.bad_request!
+          end
+          raise "[BUG] client.id != authz.cilent_id" unless @authz.client_id == @client.id
+          res.redirect_uri = req.verify_redirect_uri!(@client.redirect_uris)
+
+          req.unsupported_response_type! if res.protocol_params_location == :fragment
+          req.bad_request!(:request_uri_not_supported, "Request Object is not implemented") if req.request_uri || req.request
+
+          requested_response_types = [*req.response_type]
+          unless SUPPORTED_RESPONSE_TYPES.include?(requested_response_types.map(&:to_s).join(' '))
+            next req.unsupported_response_type!
+          end
+
+          if requested_response_types.include?(:code)
+            @authz.redirect_uri = res.redirect_uri
+            @authz.nonce = req.nonce
+
+            @authz.openid = req.scope.include?('openid')
+            if req.code_challenge && req.code_challenge_method
+              @authz.code_challenge = req.code_challenge
+              @authz.code_challenge_method = req.code_challenge_method || 'plain'
+              next req.bad_request!(:invalid_request, 'Invalid PKCE parameters') unless @authz.pkce_valid_request?
+            end
+
+            @storage.put_authorization(@authz)
+            res.code = @authz.code
+
+            @logger&.debug(Himari::LogLine.new('OidcAuthorizationEndpoint: grant code', req: env['himari.request_as_log'], client: @client.as_log, claims: @authz.claims, code: @authz.code))
+          end
+
+          # if requested_response_types.include?(:token)
+          #   token = AccessToken.from_authz(@authz)
+          #   @storage.put_token(token)
+          #   res.access_token = token.format.to_s
+          # end
+
+          # if requested_response_types.include?(:id_token)
+          #   @id_token.nonce = req.nonce
+          #   res.id_token = @id_token.to_jwt
+          # end
+
+          @logger&.info(Himari::LogLine.new('OidcAuthorizationEndpoint: authorized', req: env['himari.request_as_log'], client: @client.as_log, claims: @authz.claims, redirect_uri: @authz.redirect_uri, code_dgst: Digest::SHA256.hexdigest(@authz.code)))
+          res.approve!
+        end
+      end
+    end
+  end
+end

data/lib/himari/services/oidc_provider_metadata_endpoint.rb

@@ -0,0 +1,56 @@
+module Himari
+  module Services
+    class OidcProviderMetadataEndpoint
+      # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>]
+      def initialize(signing_key_provider:, issuer:)
+        @signing_key_provider = signing_key_provider
+        @issuer = issuer
+      end
+
+      def app
+        self
+      end
+
+      def call(env)
+        Handler.new(signing_key_provider: @signing_key_provider, issuer: @issuer, env: env).response
+      end
+
+      class Handler
+        class InvalidToken < StandardError; end
+
+        def initialize(signing_key_provider:, issuer:, env:)
+          @signing_key_provider = signing_key_provider
+          @issuer = issuer
+          @env = env
+        end
+
+        def metadata
+          signing_keys = @signing_key_provider.collect()
+          {
+            issuer: @issuer,
+            authorization_endpoint: "#{@issuer}/oidc/authorize",
+            token_endpoint: "#{@issuer}/public/oidc/token",
+            userinfo_endpoint: "#{@issuer}/public/oidc/userinfo",
+            jwks_uri: "#{@issuer}/public/jwks",
+            scopes_supported: %w(openid),
+            response_types_supported: ['code'], # violation: dynamic OpenID Provider MUST support code, id_token, token+id_token
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: signing_keys.map(&:alg).uniq.sort,
+            claims_supported: %w(sub iss iat nbf exp),
+          }
+        end
+
+        def response
+          # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+          return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless @env['REQUEST_METHOD'] == 'GET'
+
+          [
+            200,
+            {'Content-Type' => 'application/json; charset=utf-8'},
+            [JSON.pretty_generate(metadata), "\n"],
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/himari/services/oidc_token_endpoint.rb

@@ -0,0 +1,86 @@
+require 'rack/oauth2'
+require 'digest/sha2'
+require 'openid_connect'
+require 'himari/access_token'
+require 'himari/id_token'
+
+module Himari
+  module Services
+    class OidcTokenEndpoint
+      class SigningKeyMissing < StandardError; end
+
+      # @param client_provider [Himari::ProviderChain<Himari::ClientRegistration>]
+      # @param signing_key_provider [Himari::ProviderChain<Himari::SigningKey>]
+      # @param storage [Himari::Storages::Base]
+      # @param issuer [String]
+      # @param logger [Logger]
+      def initialize(client_provider:, signing_key_provider:, storage:, issuer:, logger: nil)
+        @client_provider = client_provider
+        @signing_key_provider = signing_key_provider
+        @storage = storage
+        @issuer = issuer
+        @logger = logger
+      end
+
+      def call(env)
+        app(env).call(env)
+      rescue Rack::OAuth2::Server::Abstract::Error => e
+        @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: returning error', req: env['himari.request_as_log'], client: client.as_log, err: e.class.inspect, err_content: e.protocol_params))
+        e.finish
+      end
+
+      def app(env)
+        Rack::OAuth2::Server::Token.new do |req, res|
+          code_dgst = req.code ? Digest::SHA256.hexdigest(req.code) : nil
+          client = @client_provider.find(id: req.client_id)
+          unless client
+            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, no client registration', req: env['himari.request_as_log'], client_id: req.client_id, code_dgst: code_dgst))
+            next req.invalid_client!
+          end
+          unless client.match_secret?(req.client_secret)
+            @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_client, client secret mismatch', req: env['himari.request_as_log'], client: client.as_log, code_dgst: code_dgst))
+            next req.invalid_client! 
+          end
+
+          case req.grant_type
+          when :authorization_code
+            authz = @storage.find_authorization(req.code)
+            unless authz
+              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, no grant code found', req: env['himari.request_as_log'], client: client.as_log))
+              next req.invalid_grant! 
+            end
+            unless authz.valid_redirect_uri?(req.redirect_uri)
+              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, redirect_uri mismatch', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+              next req.invalid_grant! 
+            end
+            if authz.expiry <= Time.now.to_i
+              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, expired grant', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+              next req.invalid_grant! 
+            end
+            if authz.pkce? && !req.verify_code_verifier!(authz.code_challenge, authz.code_challenge_method)
+              # :nocov:
+              @logger&.warn(Himari::LogLine.new('OidcTokenEndpoint: invalid_grant, invalid pkce', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log))
+              next req.invalid_grant!
+              # :nocov:
+            end
+
+            token = AccessToken.from_authz(authz)
+            @storage.put_token(token)
+            res.access_token = token.to_bearer
+
+            if authz.openid
+              signing_key = @signing_key_provider.find(group: client.preferred_key_group, active: true)
+              raise SigningKeyMissing unless signing_key
+              res.id_token = IdToken.from_authz(authz, signing_key: signing_key, access_token: token.format.to_s, issuer: @issuer).to_jwt
+            end
+
+            @storage.delete_authorization(authz)
+            @logger&.info(Himari::LogLine.new('OidcTokenEndpoint: issued', req: env['himari.request_as_log'], client: client.as_log, grant: authz.as_log, token: token.as_log, signing_key_kid: signing_key&.id))
+          else
+            req.unsupported_response_type!
+          end
+        end
+      end
+    end
+  end
+end

data/lib/himari/services/oidc_userinfo_endpoint.rb

@@ -0,0 +1,73 @@
+require 'himari/access_token'
+require 'himari/log_line'
+
+module Himari
+  module Services
+    class OidcUserinfoEndpoint
+      # @param storage [Himari::Storages::Base]
+      # @param logger [Logger]
+      def initialize(storage:, logger: nil)
+        @storage = storage
+        @logger = logger
+      end
+
+      def app
+        self
+      end
+
+      def call(env)
+        Handler.new(storage: @storage, env: env, logger: @logger).response
+      end
+
+      class Handler
+        class InvalidToken < StandardError; end
+
+        def initialize(storage:, env:, logger:)
+          @storage = storage
+          @env = env
+          @logger = logger
+        end
+
+        def response
+          # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
+          return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless %w(GET POST).include?(@env['REQUEST_METHOD'])
+
+          raise InvalidToken unless given_token
+          given_parsed_token = Himari::AccessToken::Format.parse(given_token)
+
+          token = @storage.find_token(given_parsed_token.handler)
+          raise InvalidToken unless token
+          token.verify_expiry!()
+          token.verify_secret!(given_parsed_token.secret)
+
+          @logger&.info(Himari::LogLine.new('OidcUserinfoEndpoint: returning', req: @env['himari.request_as_log'], token: token.as_log))
+          [
+            200,
+            {'Content-Type' => 'application/json; charset=utf-8'},
+            [JSON.pretty_generate(token.claims), "\n"],
+          ]
+        rescue InvalidToken, Himari::AccessToken::SecretIncorrect, Himari::AccessToken::InvalidFormat, Himari::AccessToken::TokenExpired => e
+          @logger&.warn(Himari::LogLine.new('OidcUserinfoEndpoint: invalid_token', req: @env['himari.request_as_log'], err: e.class.inspect, token: token&.as_log))
+          [
+            401,
+            {'Content-Type' => 'application/json', 'WWW-Authenticate' => 'error="invalid_token", error_description="invalid access token"'},
+            [JSON.pretty_generate(error: 'invalid_token'), "\n"],
+          ]
+        end
+
+        def given_token
+          # Only supports Authorization Request Header Field method https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1
+          @given_token ||= begin
+            ah = @env['HTTP_AUTHORIZATION']
+            method, token = ah&.split(/\s+/, 2) # https://www.rfc-editor.org/rfc/rfc9110#name-credentials
+            if method&.downcase == 'bearer' && token && !token.empty?
+              token
+            else
+              nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/himari/services/upstream_authentication.rb

@@ -0,0 +1,106 @@
+require 'himari/log_line'
+require 'himari/decisions/authentication'
+require 'himari/decisions/claims'
+require 'himari/middlewares/authentication_rule'
+require 'himari/middlewares/claims_rule'
+require 'himari/rule_processor'
+require 'himari/session_data'
+require 'himari/provider_chain'
+
+module Himari
+  module Services
+    class UpstreamAuthentication
+      class UnauthorizedError < StandardError
+        # @param result [Himari::RuleProcessor::Result]
+        def initialize(result)
+          @result = result
+          super("Unauthorized")
+        end
+
+        attr_reader :result
+
+        def as_log
+          result.as_log
+        end
+      end
+
+      Result = Struct.new(:claims_result, :authn_result, :session_data) do
+        def as_log
+          {
+            claims: session_data&.claims,
+            decision: {
+              claims: claims_result&.as_log&.reject{ |k,_v| %i(allowed explicit_deny).include?(k) },
+              authentication: authn_result&.as_log,
+            },
+          }
+        end
+      end
+
+      # @param auth [Hash] Omniauth Auth Hash
+      # @param claims_rules [Array<Himari::Rule>] Claims Rules
+      # @param authn_rules [Array<Himari::Rule>] Authentication Rules
+      # @param logger [Logger]
+      def initialize(auth:, request: nil, claims_rules: [], authn_rules: [], logger: nil)
+        @request = request
+        @auth = auth
+        @claims_rules = claims_rules
+        @authn_rules = authn_rules
+        @logger = logger
+      end
+
+      # @param request [Rack::Request]
+      def self.from_request(request)
+        new(
+          auth: request.env.fetch('omniauth.auth'),
+          request: request,
+          claims_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::ClaimsRule::RACK_KEY] || []).collect,
+          authn_rules: Himari::ProviderChain.new(request.env[Himari::Middlewares::AuthenticationRule::RACK_KEY] || []).collect,
+          logger: request.env['rack.logger'],
+        )
+      end
+
+      def provider
+        @auth&.fetch(:provider)
+      end
+
+      def perform
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: perform', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider]))
+        claims_result = make_claims()
+        session_data = claims_result.decision.output
+
+        authn_result = check_authn(claims_result, session_data)
+
+
+        result = Result.new(claims_result, authn_result, session_data)
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: result', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], result: result.as_log))
+        result
+      end
+
+      def make_claims
+        context = Himari::Decisions::Claims::Context.new(request: @request, auth: @auth).freeze
+        result = Himari::RuleProcessor.new(context, Himari::Decisions::Claims.new).run(@claims_rules)
+
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: claims', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider], claims_result: result.as_log))
+
+        begin
+          claims = result.decision&.output&.claims
+          raise UnauthorizedError.new(Result.new(result, nil, nil)) unless claims
+        rescue Himari::Decisions::Claims::UninitializedError
+          raise UnauthorizedError.new(Result.new(result, nil, nil))
+        end
+
+        result
+      end
+
+      def check_authn(claims_result, session_data)
+        context = Himari::Decisions::Authentication::Context.new(provider: provider, claims: session_data.claims, user_data: session_data.user_data, request: @request).freeze
+        result = Himari::RuleProcessor.new(context, Himari::Decisions::Authentication.new).run(@authn_rules)
+
+        @logger&.debug(Himari::LogLine.new('UpstreamAuthentication: authentication', objid: self.object_id.to_s(16), uid: @auth[:uid], provider: @auth[:provider],  authn_result: result.as_log))
+
+        raise UnauthorizedError.new(Result.new(claims_result, result, nil)) unless result.allowed
+        result
+      end
+    end
+  end
+end

data/lib/himari/session_data.rb

@@ -0,0 +1,7 @@
+module Himari
+  SessionData = Struct.new(:claims, :user_data, keyword_init: true) do
+    def as_log
+      {claims: claims}
+    end
+  end
+end

data/lib/himari/signing_key.rb

@@ -0,0 +1,128 @@
+require 'digest/sha2'
+require 'base64'
+module Himari
+  class SigningKey
+    class AlgUnknown < StandardError; end
+    class OperationInvalid < StandardError; end
+
+    def initialize(id:, pkey:, alg: nil, inactive: false, group: nil)
+      @id = id
+      @pkey = pkey
+      @alg = alg
+      @inactive = inactive
+      @group = group
+    end
+
+    attr_reader :id, :pkey, :group
+
+
+    def active?
+      !@inactive
+    end
+
+    def match_hint?(id: nil, active: nil, group: nil)
+      result = true
+
+      result &&= if id
+        id == self.id
+      else
+        true
+      end
+
+      result &&= if !active.nil?
+        active == self.active?
+      else
+        true
+      end
+
+      result &&= if group
+        group == self.group
+      else
+        true
+      end
+
+      result
+    end
+
+    def alg
+      @alg ||= inferred_alg
+    end
+
+    def inferred_alg
+      # https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
+      case pkey
+      when OpenSSL::PKey::RSA
+        'RS256'
+      when OpenSSL::PKey::EC
+        case ec_crv
+        when 'P-256'; 'ES256'
+        when 'P-384'; 'ES384'
+        when 'P-521'; 'ES512'
+        else
+          raise AlgUnknown
+        end
+      else
+        raise AlgUnknown
+      end
+    end
+
+    def hash_function
+      case alg
+      when 'ES256', 'RS256'; Digest::SHA256
+      when 'ES384'; Digest::SHA384
+      when 'ES512'; Digest::SHA512
+      else
+        raise AlgUnknown
+      end
+    end
+
+    def ec_crv
+      raise OperationInvalid, "this key is not EC" unless pkey.is_a?(OpenSSL::PKey::EC)
+      # https://www.rfc-editor.org/rfc/rfc8422.html#appendix-A
+      case pkey.group.curve_name
+      when 'prime256v1', 'secp256r1'
+        'P-256'
+      when 'secp384r1'
+        'P-384'
+      when 'secp521r1'
+        'P-521'
+      else
+        raise AlgUnknown
+      end
+    end
+
+    def as_jwk
+      # https://www.rfc-editor.org/rfc/rfc7517#section-4
+      case pkey
+      when OpenSSL::PKey::EC # https://www.rfc-editor.org/rfc/rfc7518#section-6.2
+        # https://www.secg.org/sec1-v2.pdf - 2.3.3. Elliptic-Curve-Point-to-Octet-String Conversion
+        xy = pkey.public_key.to_octet_string(:uncompressed) # 0x04 || X || Y
+        len = pkey.group.degree/8
+        raise unless xy[0] == "\x04".b && xy.size == ((len*2)+1)
+        x = xy[1,len]
+        y = xy[1+len,len]
+
+        {
+          kid: id,
+          kty: 'EC',
+          crv: ec_crv,
+          use: "sig",
+          alg: alg,
+          x: Base64.urlsafe_encode64(OpenSSL::BN.new(x, 2).to_s(2)).gsub(/\n|=/, ''),
+          y: Base64.urlsafe_encode64(OpenSSL::BN.new(y, 2).to_s(2)).gsub(/\n|=/, ''),
+        }
+      when OpenSSL::PKey::RSA # https://www.rfc-editor.org/rfc/rfc7518#section-6.3
+        {
+          kid: id,
+          kty: 'RSA',
+          use: "sig",
+          alg: alg,
+          n: Base64.urlsafe_encode64(pkey.n.to_s(2)).gsub(/=+/,''),
+          e: Base64.urlsafe_encode64(pkey.e.to_s(2)).gsub(/=+/,''),
+        }
+      else
+        raise AlgUnknown
+      end
+    end
+  end
+end

data/lib/himari/storages/base.rb

@@ -0,0 +1,57 @@
+require 'himari/authorization_code'
+require 'himari/access_token'
+
+module Himari
+  module Storages
+    module Base
+      class Conflict < StandardError; end
+
+      def find_authorization(code)
+        content = read('authz', code)
+        content && AuthorizationCode.new(**content)
+      end
+
+      def put_authorization(authz, overwrite: false)
+        write('authz', authz.code, authz.as_json, overwrite: overwrite)
+      end
+
+      def delete_authorization(authz)
+        delete_authorization_by_code(authz.code)
+      end
+
+      def delete_authorization_by_code(code)
+        delete('authz', code)
+      end
+
+      def find_token(handler)
+        content = read('token', handler)
+        content && AccessToken.new(**content)
+      end
+
+      def put_token(token, overwrite: false)
+        write('token', token.handler, token.as_json, overwrite: overwrite)
+      end
+
+      def delete_token(token)
+        delete_authorization_by_token(token.handler)
+      end
+
+      def delete_token_by_handler(handler)
+        delete('token', handler)
+      end
+
+
+      private def write(kind, key, content, overwrite: false)
+        raise NotImplementedError
+      end
+
+      private def read(kind, key)
+        raise NotImplementedError
+      end
+
+      private def delete(kind, key)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/himari/storages/filesystem.rb

@@ -0,0 +1,36 @@
+require 'himari/storages/base'
+
+module Himari
+  module Storages
+    class Filesystem
+      include Himari::Storages::Base
+
+      def initialize(path)
+        @path = path
+      end
+
+      attr_reader :path
+
+      private def write(kind, key, content, overwrite: false)
+        dir = File.join(@path, kind)
+        path = File.join(dir, key)
+        Dir.mkdir(dir) unless Dir.exist?(dir)
+        raise Himari::Storages::Base::Conflict if File.exist?(path)
+        File.write(path, "#{JSON.pretty_generate(content)}\n")
+        nil
+      end
+
+      private def read(kind, key)
+        path = File.join(@path, kind, key)
+        JSON.parse(File.read(path), symbolize_names: true)
+      rescue Errno::ENOENT
+        return nil
+      end
+
+      private def delete(kind, key)
+        path = File.join(@path, kind, key)
+        File.unlink(path) if File.exist?(path)
+      end
+    end
+  end
+end