himari 0.5.0 → 0.7.0

data/lib/himari/storages/base.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 require 'himari/authorization_code'
 require 'himari/access_token'
+require 'himari/refresh_token'
 require 'himari/session_data'
+require 'himari/dynamic_client_registration'
 
 module Himari
   module Storages
@@ -42,6 +46,46 @@ module Himari
         delete('token', handle)
       end
 
+      def find_refresh_token(handle)
+        content = read('refresh', handle)
+        content && RefreshToken.new(**content)
+      end
+
+      # @param if_version [Integer, nil] when given, only write if the stored record's
+      #   version equals this value (compare-and-swap); raises Conflict otherwise.
+      def put_refresh_token(token, overwrite: false, if_version: nil)
+        write('refresh', token.handle, token.as_json, overwrite: overwrite, if_version: if_version)
+      end
+
+      def delete_refresh_token(token)
+        delete_refresh_token_by_handle(token.handle)
+      end
+
+      def delete_refresh_token_by_handle(handle)
+        delete('refresh', handle)
+      end
+
+      def find_dynamic_client(id)
+        # ids are server-generated url-safe base64; reject anything else before it reaches a
+        # storage key (defense-in-depth against path traversal on filesystem-backed storage).
+        return unless id.is_a?(String) && id.match?(/\A[A-Za-z0-9_-]+\z/)
+
+        content = read('dynamic_client', id)
+        content && DynamicClientRegistration.from_json(content)
+      end
+
+      def put_dynamic_client(client, overwrite: false)
+        write('dynamic_client', client.id, client.as_json, overwrite: overwrite)
+      end
+
+      def delete_dynamic_client(client)
+        delete_dynamic_client_by_id(client.id)
+      end
+
+      def delete_dynamic_client_by_id(id)
+        delete('dynamic_client', id)
+      end
+
       def find_session(handle)
         content = read('session', handle)
         content && SessionData.new(**content)
@@ -59,7 +103,7 @@ module Himari
         delete('session', handle)
       end
 
-      private def write(kind, key, content, overwrite: false)
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         raise NotImplementedError
       end
 

data/lib/himari/storages/filesystem.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 
 module Himari
@@ -11,11 +13,20 @@ module Himari
 
       attr_reader :path
 
-      private def write(kind, key, content, overwrite: false)
+      # The version compare-and-swap below is a read-compare-write, which is not atomic
+      # across processes. Adequate for filesystem storage's dev/single-node use; the
+      # production atomic path is DynamoDB's conditional update.
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         dir = File.join(@path, kind)
         path = File.join(dir, key)
         Dir.mkdir(dir) unless Dir.exist?(dir)
-        raise Himari::Storages::Base::Conflict if File.exist?(path)
+        if if_version
+          existing = read(kind, key)
+          raise Himari::Storages::Base::Conflict unless existing && existing[:version] == if_version
+        elsif File.exist?(path) && !overwrite
+          raise Himari::Storages::Base::Conflict
+        end
+
         File.write(path, "#{JSON.pretty_generate(content)}\n")
         nil
       end
@@ -24,7 +35,7 @@ module Himari
         path = File.join(@path, kind, key)
         JSON.parse(File.read(path), symbolize_names: true)
       rescue Errno::ENOENT
-        return nil
+        nil
       end
 
       private def delete(kind, key)

data/lib/himari/storages/memory.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'himari/storages/base'
 
 module Himari
@@ -9,9 +11,15 @@ module Himari
         @memory = {}
       end
 
-      private def write(kind, key, content, overwrite: false)
+      private def write(kind, key, content, overwrite: false, if_version: nil)
         path = File.join(kind, key)
-        raise Himari::Storages::Base::Conflict if @memory.key?(path)
+        if if_version
+          existing = read(kind, key)
+          raise Himari::Storages::Base::Conflict unless existing && existing[:version] == if_version
+        elsif @memory.key?(path) && !overwrite
+          raise Himari::Storages::Base::Conflict
+        end
+
         @memory[path] = JSON.pretty_generate(content)
         nil
       end

data/lib/himari/token_string.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'securerandom'
 require 'base64'
 require 'digest/sha2'
@@ -11,6 +13,10 @@ module Himari
     class TokenExpired < Error; end
     class InvalidFormat < Error; end
 
+    # Outcome of a successful verify_secret!: which stored secret slot the presented secret
+    # matched (:current or :previous) and the hash it matched against. nil until verified.
+    Verification = Data.define(:via, :secret_hash)
+
     module ClassMethods
       def magic_header
         raise NotImplementedError
@@ -25,7 +31,7 @@ module Himari
           handle: SecureRandom.urlsafe_base64(32),
           secret: SecureRandom.urlsafe_base64(48),
           expiry: Time.now.to_i + (lifetime || default_lifetime),
-          **kwargs
+          **kwargs,
         )
       end
 
@@ -38,6 +44,10 @@ module Himari
       k.extend(ClassMethods)
     end
 
+    def self.hash_secret(secret)
+      Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+    end
+
     def handle
       @handle
     end
@@ -48,11 +58,19 @@ module Himari
 
     def secret
       raise SecretMissing unless @secret
+
       @secret
     end
 
     def secret_hash
-      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+      @secret_hash ||= TokenString.hash_secret(secret)
+    end
+
+    # Optional second valid secret hash. Tokens that rotate in place (RefreshToken) keep the
+    # previously-issued secret valid for one more turn so a client whose rotation response was
+    # lost can retry. nil for single-secret tokens (AccessToken, SessionData).
+    def secret_hash_prev
+      @secret_hash_prev
     end
 
     def verify!(secret:, now: Time.now)
@@ -61,13 +79,30 @@ module Himari
     end
 
     def verify_secret!(given_secret)
-      dgst = Base64.urlsafe_decode64(secret_hash) # TODO: rescue errors
       given_dgst = Digest::SHA384.digest(given_secret)
-      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
+      @verification =
+        if secret_hash_match(secret_hash, given_dgst)
+          Verification.new(via: :current, secret_hash: secret_hash)
+        elsif secret_hash_prev && secret_hash_match(secret_hash_prev, given_dgst)
+          Verification.new(via: :previous, secret_hash: secret_hash_prev)
+        end
+      raise SecretIncorrect unless @verification
+
       @secret = given_secret
       true
     end
 
+    # The Verification from the last successful verify_secret!, or nil. Used for logging
+    # (#via) and to let a rotating token keep the just-presented secret valid (#secret_hash).
+    attr_reader :verification
+
+    private def secret_hash_match(stored_hash, given_dgst)
+      stored_dgst = Base64.urlsafe_decode64(stored_hash)
+      Rack::Utils.secure_compare(stored_dgst, given_dgst)
+    rescue ArgumentError
+      raise SecretIncorrect
+    end
+
     def verify_expiry!(now = Time.now)
       raise TokenExpired if @expiry <= now.to_i
     end
@@ -77,6 +112,7 @@ module Himari
         parts = str.split('.')
         raise InvalidFormat unless parts.size == 3
         raise InvalidFormat unless parts[0] == header
+
         new(header: header, handle: parts[1], secret: parts[2])
       end
 

data/lib/himari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Himari
-  VERSION = "0.5.0"
+  VERSION = "0.7.0"
 end

data/public/public/index.css

@@ -60,6 +60,24 @@ main > header img, main > footer img {
   margin-top: 30px;
 }
 
+.consent-detail {
+  margin: 12px 0 24px;
+}
+.consent-scopes {
+  display: inline-block;
+  text-align: left;
+}
+.himari-consent .actions form {
+  display: flex;
+  flex-direction: row;
+  gap: 12px;
+}
+.consent-deny {
+  border-color: #4E6994 !important;
+  background: transparent !important;
+  color: #4E6994 !important;
+}
+
 .notice {
   background-color: white;
   border: 1px #bfa88a solid;

data/views/consent.erb

@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title><%= h(msg(:consent_page_title, nil) || msg(:consent_title, "Authorize access")) %></title>
+    <link rel="stylesheet" href="/public/index.css?cb=<%= cachebuster %>" type="text/css" />
+    <meta name="viewport" content="initial-scale=1">
+    <meta name="robots" content="noindex, nofollow">
+
+    <meta name="himari:release" content="<%= release_code %>">
+  </head>
+
+  <body class='himari-app himari-consent'>
+    <main>
+
+      <header>
+        <h1><%= msg(:consent_title, "Authorize access") %></h1>
+        <%= msg(:consent_header) %>
+
+        <% if @notice %>
+          <div class='notice'>
+            <p><%=h @notice %></p>
+          </div>
+        <% end %>
+      </header>
+
+      <section class='consent-detail'>
+        <p><strong><%=h(@consent_client.name || @consent_client.id) %></strong> <%= msg(:consent_request_message, "is requesting access to your account.") %></p>
+
+        <% if @consent_scopes.any? %>
+          <p><%= msg(:consent_scopes_message, "The following will be shared:") %></p>
+          <ul class='consent-scopes'>
+            <% @consent_scopes.each do |scope| %>
+              <li><%=h msg(:"scope_#{scope}", scope) %></li>
+            <% end %>
+          </ul>
+        <% else %>
+          <p><%= msg(:consent_no_scopes_message, "Basic sign-in information will be shared.") %></p>
+        <% end %>
+      </section>
+
+      <nav class='actions'>
+        <form action="<%=h request.path %>" method="POST" id='consent-form'>
+          <input type="hidden" name="<%= csrf_token_name %>" value="<%= csrf_token_value %>" />
+          <% request.GET.each do |k, v| %>
+            <% next if k == csrf_token_name || k == '_consent' %>
+            <input type="hidden" name="<%=h k %>" value="<%=h v %>" />
+          <% end %>
+          <button type='submit' name='_consent' value='approve' class='consent-approve'><%= msg(:consent_approve, "Approve") %></button>
+          <button type='submit' name='_consent' value='deny' class='consent-deny'><%= msg(:consent_deny, "Deny") %></button>
+        </form>
+      </nav>
+
+      <footer>
+        <%= msg(:consent_footer) %>
+      </footer>
+    </main>
+  </body>
+</html>

metadata

@@ -1,29 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: himari
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-05-10 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: sinatra
+  name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rack-protection
   requirement: !ruby/object:Gem::Requirement
@@ -39,19 +38,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: omniauth
+  name: sinatra
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -67,7 +66,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rack-oauth2
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: httpx
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -94,7 +107,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
+- !ruby/object:Gem::Dependency
+  name: rack-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - her@sorah.jp
 executables: []
@@ -102,10 +128,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rspec"
+- CHANGELOG.md
 - LICENSE.txt
 - Rakefile
 - lib/himari.rb
 - lib/himari/access_token.rb
+- lib/himari/access_token_jwt.rb
 - lib/himari/app.rb
 - lib/himari/authorization_code.rb
 - lib/himari/client_registration.rb
@@ -114,9 +142,13 @@ files:
 - lib/himari/decisions/authorization.rb
 - lib/himari/decisions/base.rb
 - lib/himari/decisions/claims.rb
+- lib/himari/dynamic_client_registration.rb
 - lib/himari/id_token.rb
 - lib/himari/item_provider.rb
+- lib/himari/item_providers/oauth_client_metadata.rb
 - lib/himari/item_providers/static.rb
+- lib/himari/item_providers/storage.rb
+- lib/himari/jwt_token.rb
 - lib/himari/lifetime_value.rb
 - lib/himari/log_line.rb
 - lib/himari/middlewares/authentication_rule.rb
@@ -124,10 +156,15 @@ files:
 - lib/himari/middlewares/claims_rule.rb
 - lib/himari/middlewares/client.rb
 - lib/himari/middlewares/config.rb
+- lib/himari/middlewares/dynamic_clients.rb
+- lib/himari/middlewares/metadata_clients.rb
 - lib/himari/middlewares/signing_key.rb
 - lib/himari/provider_chain.rb
+- lib/himari/rack_oauth2_ext.rb
+- lib/himari/refresh_token.rb
 - lib/himari/rule.rb
 - lib/himari/rule_processor.rb
+- lib/himari/services/client_registration_endpoint.rb
 - lib/himari/services/downstream_authorization.rb
 - lib/himari/services/jwks_endpoint.rb
 - lib/himari/services/oidc_authorization_endpoint.rb
@@ -144,6 +181,7 @@ files:
 - lib/himari/version.rb
 - public/public/index.css
 - sig/himari.rbs
+- views/consent.erb
 - views/login.erb
 homepage: https://github.com/sorah/himari
 licenses:
@@ -151,7 +189,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/sorah/himari
   source_code_uri: https://github.com/sorah/himari
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -166,8 +203,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Small OIDC IdP for small teams - Omniauth to OIDC
 test_files: []