himari 0.4.0 → 0.6.0

data/lib/himari/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'logger'
 require 'time'
 require 'json'
@@ -5,7 +7,7 @@ require 'himari/log_line'
 
 module Himari
   class Config
-    def initialize(issuer:, storage:, providers: [], log_output: $stdout, log_level: Logger::INFO, preserve_rack_logger: false, custom_templates: {}, custom_messages: {}, release_fragment: nil)
+    def initialize(issuer:, storage:, providers: [], log_output: $stdout, log_level: Logger::INFO, preserve_rack_logger: false, custom_templates: {}, custom_messages: {}, release_fragment: nil, scopes_supported: [], claims_supported: [])
       @issuer = issuer
       @providers = providers
       @storage = storage
@@ -17,14 +19,17 @@ module Himari
       @custom_messages = custom_messages
       @custom_templates = custom_templates
       @release_fragment = release_fragment
+
+      @scopes_supported = scopes_supported
+      @claims_supported = claims_supported
     end
 
-    attr_reader :issuer, :providers, :storage, :preserve_rack_logger, :custom_messages, :custom_templates, :release_fragment
+    attr_reader :issuer, :providers, :storage, :preserve_rack_logger, :custom_messages, :custom_templates, :release_fragment, :scopes_supported, :claims_supported
 
     def logger
       @logger ||= Logger.new(@log_output).tap do |l|
         l.level = @log_level
-        l.formatter = proc do |severity, datetime, progname, msg|
+        l.formatter = proc do |severity, datetime, _progname, msg|
           log = {time: datetime.xmlschema, severity: severity.to_s, pid: Process.pid}
 
           case msg

data/lib/himari/decisions/authentication.rb

@@ -1,15 +1,31 @@
+# frozen_string_literal: true
+
 require 'himari/decisions/base'
 require 'himari/session_data'
 
 module Himari
   module Decisions
     class Authentication < Base
-      Context = Struct.new(:provider, :claims, :user_data, :request, keyword_init: true)
+      Context = Struct.new(:provider, :claims, :user_data, :request, :grant_type, :refresh_info, keyword_init: true) do
+        def initial?; grant_type.nil? || grant_type == :initial; end
+        def refresh?; grant_type == :refresh_token; end
+      end
 
       allow_effects(:allow, :deny, :skip)
 
+      def initialize(refresh_info: nil)
+        super()
+        @refresh_info = refresh_info
+      end
+
+      attr_accessor :refresh_info
+
       def to_evolve_args
-        {}
+        {refresh_info: @refresh_info}
+      end
+
+      def as_log
+        to_h.merge(refresh_info_set: !@refresh_info.nil?)
       end
     end
   end

data/lib/himari/decisions/authorization.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/decisions/base'
 require 'himari/lifetime_value'
 
@@ -16,26 +18,34 @@ module Himari
         email_verified
       )
 
-      Context = Struct.new(:claims, :user_data, :request, :client, keyword_init: true)
+      Context = Struct.new(:claims, :user_data, :request, :client, :scopes, :grant_type, keyword_init: true) do
+        def initial?; grant_type.nil? || grant_type == :initial; end
+        def refresh?; grant_type == :refresh_token; end
+      end
 
       allow_effects(:allow, :deny, :continue, :skip)
 
-      def initialize(claims: {}, allowed_claims: DEFAULT_ALLOWED_CLAIMS, lifetime: 3600)
+      def initialize(claims: {}, allowed_claims: DEFAULT_ALLOWED_CLAIMS, lifetime: 3600, mint_jwt_access_token: false)
         super()
         @claims = claims
         @allowed_claims = allowed_claims
+        @mint_jwt_access_token = mint_jwt_access_token
         self.lifetime = lifetime
       end
 
       attr_reader :claims, :allowed_claims
       attr_reader :lifetime
 
+      # When set by an authz rule, the issued access token is an RFC 9068 JWT instead of an
+      # opaque token (the token is still tracked and validated against storage either way).
+      attr_accessor :mint_jwt_access_token
+
       def lifetime=(x)
-        case x
+        @lifetime = case x
         when LifetimeValue
-          @lifetime = x
+          x
         else
-          @lifetime = LifetimeValue.from_integer(x)
+          LifetimeValue.from_integer(x)
         end
       end
 
@@ -44,15 +54,16 @@ module Himari
           claims: @claims.dup,
           allowed_claims: @allowed_claims.dup,
           lifetime: @lifetime,
+          mint_jwt_access_token: @mint_jwt_access_token,
         }
       end
 
       def as_log
-        to_h.merge(claims: output_claims, lifetime: @lifetime.to_h)
+        to_h.merge(claims: output_claims, lifetime: @lifetime.to_h, mint_jwt_access_token: @mint_jwt_access_token)
       end
 
       def output_claims
-        claims.select { |k,_v| allowed_claims.include?(k) }
+        claims.select { |k, _v| allowed_claims.include?(k) }
       end
     end
   end

data/lib/himari/decisions/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Himari
   module Decisions
     class Base
@@ -8,8 +10,8 @@ module Himari
         @valid_effects = effects
       end
 
-      def self.valid_effects
-        @valid_effects
+      class << self
+        attr_reader :valid_effects
       end
 
       def initialize
@@ -45,6 +47,7 @@ module Himari
 
       def set_rule_name(rule_name)
         raise "cannot override rule_name" if @rule_name
+
         @rule_name = rule_name
         self
       end
@@ -52,7 +55,8 @@ module Himari
       def decide!(effect, comment = "", user_facing_message: nil, suggest: nil)
         raise DecisionAlreadyMade, "decision can only be made once per rule (#{rule_name})" if @effect
         raise InvalidEffect, "this effect is not valid under this rule. Valid effects: #{self.class.valid_effects.inspect} (#{rule_name})" unless self.class.valid_effects.include?(effect)
-        raise InvalidEffect, "only deny effect can have suggestion" if suggest&& effect != :deny
+        raise InvalidEffect, "only deny effect can have suggestion" if suggest && effect != :deny
+
         @effect = effect
         @effect_comment = comment
         @effect_user_facing_message = user_facing_message

data/lib/himari/decisions/claims.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/decisions/base'
 require 'himari/session_data'
 
@@ -7,31 +9,34 @@ module Himari
       class UninitializedError < StandardError; end
       class AlreadyInitializedError < StandardError; end
 
-      Context = Struct.new(:request, :auth, keyword_init: true) do
-        def provider; auth[:provider]; end
+      Context = Struct.new(:request, :auth, :provider, :grant_type, :refresh_info, keyword_init: true) do
+        def initial?; grant_type.nil? || grant_type == :initial; end
+        def refresh?; grant_type == :refresh_token; end
       end
 
-      allow_effects(:continue, :skip)
+      allow_effects(:continue, :skip, :deny)
 
-      def initialize(claims: nil, user_data: nil, lifetime: nil)
+      def initialize(claims: nil, user_data: nil, lifetime: nil, refresh_info: nil)
         super()
         @claims = claims
         @user_data = user_data
         @lifetime = lifetime
+        @refresh_info = refresh_info
       end
 
-      attr_accessor :lifetime
+      attr_accessor :lifetime, :refresh_info
 
       def to_evolve_args
         {
           claims: @claims.dup,
           user_data: @user_data.dup,
           lifetime: @lifetime&.to_i,
+          refresh_info: @refresh_info,
         }
       end
 
       def as_log
-        to_h.merge(claims: @claims)
+        to_h.merge(claims: @claims, refresh_info_set: !@refresh_info.nil?)
       end
 
       def output
@@ -42,14 +47,14 @@ module Himari
         if @claims
           raise AlreadyInitializedError, "Claims already initialized; use decision.claims to make modification, or rule might be behaving wrong"
         end
+
         @claims = claims.dup
         @user_data = {}
       end
 
       def claims
-        unless @claims
-          raise UninitializedError, "Claims uninitialized; use decision.initialize_claims! to declare claims first (or rule order might be unintentional)" unless @claims
-        end
+        raise UninitializedError, "Claims uninitialized; use decision.initialize_claims! to declare claims first (or rule order might be unintentional)" unless @claims
+
         @claims
       end
 

data/lib/himari/dynamic_client_registration.rb

@@ -0,0 +1,255 @@
+# frozen_string_literal: true
+
+require 'digest/sha2'
+require 'securerandom'
+require 'addressable/uri'
+require 'himari/client_registration'
+
+module Himari
+  # A client created at runtime via RFC 7591 Dynamic Client Registration, persisted in
+  # storage. This is purely a storage/registration record: the registration endpoint
+  # interacts with it directly, while the OIDC endpoints only ever see the plain
+  # ClientRegistration produced by #to_client_registration at the provider layer.
+  class DynamicClientRegistration
+    # Default registration lifetime; overridable per deployment via Middlewares::DynamicClients.
+    REGISTRATION_LIFETIME = 180 * 86400
+
+    SUPPORTED_GRANT_TYPES = %w(authorization_code refresh_token).freeze
+    SUPPORTED_RESPONSE_TYPES = %w(code).freeze
+    SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS = %w(none client_secret_basic client_secret_post).freeze
+
+    DEFAULT_TOKEN_ENDPOINT_AUTH_METHOD = 'client_secret_basic'
+
+    MAX_REDIRECT_URIS = 32
+    MAX_URI_LENGTH = 2000
+    MAX_CLIENT_NAME_LENGTH = 60
+    DANGEROUS_REDIRECT_URI_SCHEMES = %w(javascript data vbscript file blob).freeze
+
+    # Raised on invalid client metadata. error_code maps to an RFC 7591 §3.2.2 error code.
+    class ValidationError < StandardError
+      def initialize(error_code, message)
+        @error_code = error_code
+        super(message)
+      end
+
+      attr_reader :error_code
+    end
+
+    # Build and validate a registration from RFC 7591 client metadata.
+    #
+    # @param metadata [Hash] parsed client metadata (symbolized keys) from the request body
+    # @return [DynamicClientRegistration]
+    def self.register(metadata:, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, lifetime: REGISTRATION_LIFETIME, ignore_localhost_redirect_uri_port: true, now: Time.now)
+      raise ValidationError.new(:invalid_client_metadata, 'request body must be a JSON object') unless metadata.is_a?(Hash)
+
+      auth_method = metadata.fetch(:token_endpoint_auth_method, DEFAULT_TOKEN_ENDPOINT_AUTH_METHOD).to_s
+      unless SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS.include?(auth_method)
+        raise ValidationError.new(:invalid_client_metadata, "unsupported token_endpoint_auth_method: #{auth_method}")
+      end
+
+      grant_types = Array(metadata[:grant_types] || %w(authorization_code)).map(&:to_s)
+      unless (grant_types - SUPPORTED_GRANT_TYPES).empty?
+        raise ValidationError.new(:invalid_client_metadata, "unsupported grant_types: #{(grant_types - SUPPORTED_GRANT_TYPES).join(",")}")
+      end
+
+      response_types = Array(metadata[:response_types] || %w(code)).map(&:to_s)
+      unless (response_types - SUPPORTED_RESPONSE_TYPES).empty?
+        raise ValidationError.new(:invalid_client_metadata, "unsupported response_types: #{(response_types - SUPPORTED_RESPONSE_TYPES).join(",")}")
+      end
+
+      if response_types.include?('code') && !grant_types.include?('authorization_code')
+        raise ValidationError.new(:invalid_client_metadata, 'response_type "code" requires grant_type "authorization_code"')
+      end
+
+      redirect_uris = validate_redirect_uris(metadata[:redirect_uris])
+
+      client_name = metadata[:client_name]&.to_s
+      if client_name && client_name.length > MAX_CLIENT_NAME_LENGTH
+        raise ValidationError.new(:invalid_client_metadata, "client_name must not exceed #{MAX_CLIENT_NAME_LENGTH} characters")
+      end
+
+      client_uri = validate_client_uri(metadata[:client_uri])
+
+      issued_at = now.to_i
+      secret = auth_method == 'none' ? nil : SecureRandom.urlsafe_base64(48)
+
+      new(
+        id: SecureRandom.urlsafe_base64(24),
+        redirect_uris: redirect_uris,
+        token_endpoint_auth_method: auth_method,
+        grant_types: grant_types,
+        response_types: response_types,
+        client_name: client_name,
+        client_uri: client_uri,
+        scope: metadata[:scope]&.to_s,
+        secret: secret,
+        secret_hash: secret && Digest::SHA384.hexdigest(secret),
+        client_id_issued_at: issued_at,
+        expiry: issued_at + lifetime,
+        registration_ip: registration_ip,
+        registration_remote_addr: registration_remote_addr,
+        registration_x_forwarded_for: registration_x_forwarded_for,
+        ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
+      )
+    end
+
+    def self.validate_redirect_uris(given)
+      raise ValidationError.new(:invalid_redirect_uri, 'redirect_uris is required and must be a non-empty array') unless given.is_a?(Array) && !given.empty?
+      raise ValidationError.new(:invalid_redirect_uri, "redirect_uris must not exceed #{MAX_REDIRECT_URIS} entries") if given.size > MAX_REDIRECT_URIS
+
+      given.map do |uri|
+        str = uri.to_s
+        parsed = begin
+          Addressable::URI.parse(str)
+        rescue Addressable::URI::InvalidURIError
+          nil
+        end
+        raise ValidationError.new(:invalid_redirect_uri, "redirect_uri must not exceed #{MAX_URI_LENGTH} characters") if str.length > MAX_URI_LENGTH
+        raise ValidationError.new(:invalid_redirect_uri, "invalid redirect_uri: #{str}") unless parsed&.scheme
+        raise ValidationError.new(:invalid_redirect_uri, "redirect_uri must not contain a fragment: #{str}") if parsed.fragment
+        raise ValidationError.new(:invalid_redirect_uri, "redirect_uri scheme not allowed: #{str}") if DANGEROUS_REDIRECT_URI_SCHEMES.include?(parsed.scheme.downcase)
+
+        str
+      end
+    end
+
+    def self.validate_client_uri(given)
+      return if given.nil?
+
+      str = given.to_s
+      raise ValidationError.new(:invalid_client_metadata, "client_uri must not exceed #{MAX_URI_LENGTH} characters") if str.length > MAX_URI_LENGTH
+
+      parsed = begin
+        Addressable::URI.parse(str)
+      rescue Addressable::URI::InvalidURIError
+        nil
+      end
+      raise ValidationError.new(:invalid_client_metadata, "invalid client_uri: #{str}") unless parsed&.scheme && parsed.host
+
+      str
+    end
+
+    def self.from_json(hash)
+      attrs = hash.dup
+      attrs.delete(:ttl)
+      new(**attrs)
+    end
+
+    def initialize(id:, redirect_uris:, token_endpoint_auth_method:, grant_types:, response_types:, client_id_issued_at:, expiry:, secret: nil, secret_hash: nil, client_name: nil, client_uri: nil, scope: nil, preferred_key_group: nil, registration_ip: nil, registration_remote_addr: nil, registration_x_forwarded_for: nil, ignore_localhost_redirect_uri_port: true)
+      @id = id
+      @redirect_uris = redirect_uris
+      @token_endpoint_auth_method = token_endpoint_auth_method
+      @grant_types = grant_types
+      @response_types = response_types
+      @client_id_issued_at = client_id_issued_at
+      @expiry = expiry
+      @secret = secret
+      @secret_hash = secret_hash
+      @client_name = client_name
+      @client_uri = client_uri
+      @scope = scope
+      @preferred_key_group = preferred_key_group
+      @registration_ip = registration_ip
+      @registration_remote_addr = registration_remote_addr
+      @registration_x_forwarded_for = registration_x_forwarded_for
+      @ignore_localhost_redirect_uri_port = ignore_localhost_redirect_uri_port
+    end
+
+    attr_reader :id, :redirect_uris, :token_endpoint_auth_method, :grant_types, :response_types,
+      :client_id_issued_at, :expiry, :secret, :secret_hash, :client_name, :client_uri, :scope,
+      :preferred_key_group, :registration_ip, :registration_remote_addr, :registration_x_forwarded_for,
+      :ignore_localhost_redirect_uri_port
+
+    def confidential?
+      token_endpoint_auth_method != 'none'
+    end
+
+    # Public clients have no secret to bind the authorization code, so PKCE is mandatory.
+    def require_pkce
+      !confidential?
+    end
+
+    def active?(now = Time.now)
+      expiry > now.to_i
+    end
+
+    # The client object the OIDC authorization/token endpoints consume. Dynamic records carry
+    # no name (so operator rules keyed on name never match them) and pass through the secret
+    # hash only for confidential clients. skip_consent and scopes default to the conservative
+    # values and are supplied by the provider from the DynamicClients middleware options.
+    def to_client_registration(skip_consent: false, scopes: ClientRegistration::IMPLICIT_SCOPES)
+      ClientRegistration.new(
+        id: id,
+        redirect_uris: redirect_uris,
+        secret_hash: confidential? ? secret_hash : nil,
+        preferred_key_group: preferred_key_group,
+        require_pkce: require_pkce,
+        confidential: confidential?,
+        ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
+        skip_consent: skip_consent,
+        scopes: scopes,
+      )
+    end
+
+    def as_log
+      {
+        id: id,
+        token_endpoint_auth_method: token_endpoint_auth_method,
+        redirect_uris: redirect_uris,
+        grant_types: grant_types,
+        response_types: response_types,
+        client_name: client_name,
+        client_uri: client_uri,
+        scope: scope,
+        client_id_issued_at: client_id_issued_at,
+        expiry: expiry,
+        dynamic: true,
+      }
+    end
+
+    def as_json
+      {
+        id: id,
+        secret_hash: secret_hash,
+        redirect_uris: redirect_uris,
+        grant_types: grant_types,
+        response_types: response_types,
+        token_endpoint_auth_method: token_endpoint_auth_method,
+        client_name: client_name,
+        client_uri: client_uri,
+        scope: scope,
+        preferred_key_group: preferred_key_group,
+        client_id_issued_at: client_id_issued_at,
+        expiry: expiry,
+        ttl: expiry,
+        registration_ip: registration_ip,
+        registration_remote_addr: registration_remote_addr,
+        registration_x_forwarded_for: registration_x_forwarded_for,
+        ignore_localhost_redirect_uri_port: ignore_localhost_redirect_uri_port,
+      }
+    end
+
+    # RFC 7591 §3.2.1 client information response. Includes client_secret only when freshly
+    # generated (the plaintext is never persisted, so it is available only right after register).
+    def registration_response
+      response = {
+        client_id: id,
+        client_id_issued_at: client_id_issued_at,
+        redirect_uris: redirect_uris,
+        grant_types: grant_types,
+        response_types: response_types,
+        token_endpoint_auth_method: token_endpoint_auth_method,
+        client_name: client_name,
+        client_uri: client_uri,
+        scope: scope,
+      }.compact
+
+      if confidential? && secret
+        response[:client_secret] = secret
+        response[:client_secret_expires_at] = expiry
+      end
+
+      response
+    end
+  end
+end

data/lib/himari/id_token.rb

@@ -1,60 +1,47 @@
+# frozen_string_literal: true
+
 require 'rack/oauth2'
 require 'openid_connect'
 require 'base64'
 require 'json/jwt'
 
+require 'himari/jwt_token'
+
 module Himari
-  class IdToken
+  class IdToken < JwtToken
     # @param authz [Himari::AuthorizationCode]
     def self.from_authz(authz, **kwargs)
-      
       new(
         claims: authz.claims,
         client_id: authz.client_id,
         nonce: authz.nonce,
         lifetime: authz.lifetime.is_a?(Integer) ? authz.lifetime : authz.lifetime.id_token, # compat
-        **kwargs
+        **kwargs,
       )
     end
 
-    def initialize(claims:, client_id:, nonce:, signing_key:, issuer:, access_token: nil, time: Time.now, lifetime: 3600)
-      @claims = claims
-      @client_id = client_id
+    def initialize(nonce:, access_token: nil, **kwargs)
+      super(**kwargs)
       @nonce = nonce
-      @signing_key = signing_key
-      @issuer = issuer
       @access_token = access_token
-      @time = time
-      @lifetime = lifetime
     end
 
-    attr_reader :claims, :nonce, :signing_key
+    attr_reader :nonce
 
     def final_claims
       # https://openid.net/specs/openid-connect-core-1_0.html#IDToken
-      claims.merge(
-        iss: @issuer,
-        aud: @client_id,
-        iat: @time.to_i,
-        nbf: @time.to_i,
-        exp: (@time + @lifetime).to_i,
+      standard_claims.merge(
+        @nonce ? {nonce: @nonce} : {},
       ).merge(
-        @nonce ? { nonce: @nonce } : {}
-      ).merge(
-        @access_token ? { at_hash: at_hash } : {}
+        @access_token ? {at_hash: at_hash} : {},
       )
     end
 
     def at_hash
-      return nil unless @access_token
-      dgst = @signing_key.hash_function.digest(@access_token)
-      Base64.urlsafe_encode64(dgst[0, dgst.size/2], padding: false)
-    end
+      return unless @access_token
 
-    def to_jwt
-      jwt = JSON::JWT.new(final_claims)
-      jwt.kid = @signing_key.id
-      jwt.sign(@signing_key.pkey, @signing_key.alg.to_sym).to_s
+      dgst = signing_key.hash_function.digest(@access_token)
+      Base64.urlsafe_encode64(dgst[0, dgst.size / 2], padding: false)
     end
   end
 end

data/lib/himari/item_provider.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module Himari
   module ItemProvider
     # :nocov:
     # Return items searched by hints. This method can perform fuzzy match with hints. OTOH is not expected to return exact match results.
     # Use Item#match_hint? to do exact match in later process. See also: ProviderChain
-    def collect(**hints) 
+    def collect(**hints)
       raise NotImplementedError
     end
     # :nocov: