identizer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 76e9316e637b4f310e3bd6a3de54774b7fd22ca365ae04942b0aae0196a218ad
+  data.tar.gz: 2c99082c990f28cabab4e57139dca3659839df1a3b6297a6f1aa3c42a175ec1d
+SHA512:
+  metadata.gz: 71bc913525b42bc3ddad2762cc5dc6f869a694c26cbfb45830a9eb74923631a158b49eba54c95e7ed6e2c26f6507d6cc136af3539f73669357174b7a8c1823e4
+  data.tar.gz: 31fbca1b65dc8b02de55d4adf1acac07c12f4e59db1a712bdae0bac0da2e3c1b8f38d534eb2d5cb398e891cd49dbc08d192b817a7b75616e5c384ff4d4718f3d

data/CHANGELOG.md

@@ -0,0 +1,48 @@
+# Changelog
+
+All notable changes to this project are documented here. The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres
+to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2026-06-27
+
+First release. A local identity provider for developing and testing auth/SSO
+integrations, extracted and decoupled from the tap-v3 SSO emulator.
+
+### OIDC / OAuth2
+- Authorization-code flow with PKCE (S256/plain), refresh-token grant (rotated,
+  single-use), RP-initiated logout, `nonce` in the id_token, `scope` echo.
+- Token introspection (RFC 7662) and revocation (RFC 7009, revokes the paired
+  token). OIDC discovery + JWKS; HS256 (default) and RS256 signing.
+- AWS Cognito hosted-UI + management-API emulation, Auth0 login + Management API
+  (`/api/v2/clients`, `/api/v2/connections`) for app provisioning/deprovisioning.
+- Okta-style `/oauth2/v1/*` aliases for fixed-path clients; `aud` is the client_id.
+- Optional client registry enabling `redirect_uri` / post-logout allowlists.
+
+### SAML 2.0
+- Real IdP: signed Response + Assertion (XML-DSig / RSA-SHA256), optional
+  EncryptedAssertion (AES-256-CBC + RSA-OAEP), metadata, SP- and IdP-initiated SSO.
+- Attribute names default to Microsoft/WS-Fed claim URIs; fully configurable
+  (`saml_attribute_names`). Optional ACS allowlist; deflate-bomb guards.
+
+### LDAP
+- Simple-bind authentication and subtree search (equality / presence / substring /
+  `&` `|` `!`) over the same directory; implicit-TLS LDAPS and StartTLS.
+
+### Directory & storage
+- LDAP-flavoured user directory (`DirectoryEntry`) projected onto OIDC claims,
+  with arbitrary custom attributes. Pluggable identity store (default JSON
+  `ConfigStore`; optional `SqliteStore`).
+
+### Operability & security
+- Standalone HTTPS server + `identizer` CLI; mountable, `SCRIPT_NAME`-aware Rack
+  app. Seeded demo user, quick-start banner, request logging, `/healthz`, custom
+  domain (`--domain`).
+- Thread-safe, TTL-enforced grant store; private keys written `0600`; uniform PKCE
+  enforcement; registered JWT claims protected from directory-attribute forging.
+- `nokogiri` (SAML) and `net-ldap` (LDAP) load lazily; `sqlite3` is optional.
+
+[Unreleased]: https://github.com/alex-andreiev/identizer/compare/v0.1.0...HEAD
+[0.1.0]: https://github.com/alex-andreiev/identizer/releases/tag/v0.1.0

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Alex Andreiev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,218 @@
+# Identizer
+
+[![CI](https://github.com/alex-andreiev/identizer/actions/workflows/ci.yml/badge.svg)](https://github.com/alex-andreiev/identizer/actions/workflows/ci.yml)
+
+A local identity provider for developing and testing auth/SSO integrations.
+
+**The problem it solves:** to test "Sign in with SSO", you normally need a real
+Okta/Auth0/Azure/Cognito tenant, real metadata, real certificates. That's slow to
+set up and impossible to script in CI. Identizer is a fake-but-real IdP you run
+locally: point your app at it, sign in as a test user, done. No accounts, no cloud.
+
+## Quick start (60 seconds)
+
+```sh
+gem install identizer
+identizer                       # boots on https://localhost:9999
+```
+
+It prints exactly where to point your app. Open the dashboard at
+`https://localhost:9999/` — a demo user (`demo@example.com`, password `password`)
+is already there, so login works immediately. Then in your app's SSO settings:
+
+- **OIDC / OpenID Connect** → issuer `https://localhost:9999` (the client reads
+  everything else from `/.well-known/openid-configuration`).
+- **SAML** → metadata `https://localhost:9999/metadata`.
+- **OAuth2 / Auth0** → domain `localhost:9999`.
+
+Trigger login in your app, sign in as the demo user, and you're testing the real
+flow. (For browser/server TLS trust, see [TLS](#tls) — one `SSL_CERT_FILE` line.)
+
+## Which protocol do I need?
+
+If you're not sure how your app talks to its IdP, match the setting it asks for:
+
+| Your app's SSO config mentions… | Use | Point it at |
+|---|---|---|
+| "Issuer URL", "discovery", "client ID/secret", `openid` | **OIDC** | `https://localhost:9999` |
+| "Metadata URL/XML", "ACS", "SAML", "certificate" | **SAML** | `https://localhost:9999/metadata` |
+| "Auth0 domain", `/authorize` + `/userinfo` | **OAuth2/Auth0** | `localhost:9999` |
+| "Cognito", "user pool", `COGNITO_ENDPOINT` | **Cognito** | `COGNITO_ENDPOINT=https://localhost:9999` |
+| "LDAP bind", `ldap://` | **LDAP** | `identizer --ldap-port 1389` |
+
+## How it works (two halves)
+
+- a **directory** of sign-in identities (the pluggable "users" store), and
+- a **provider** that accepts auth requests, signs the user in, and hands the
+  profile back over whichever protocol your app expects (OIDC, OAuth2, SAML, …).
+
+## Why not an existing tool?
+
+Generic OIDC mocks (e.g. `mock-oauth2-server`) are JVM/Docker, and SAML-only Ruby
+gems (e.g. `saml_idp`) cover one protocol. Identizer is a single, zero-infra Ruby
+gem that covers OIDC + OAuth2 + a Cognito/Auth0 **broker** with a pluggable user
+directory — installable, mountable, and scriptable.
+
+## Install
+
+```ruby
+# Gemfile (development/test)
+gem "identizer", group: %i[development test]
+```
+
+```sh
+bundle install
+```
+
+## Run standalone
+
+```sh
+bundle exec identizer --port 9999
+# open https://localhost:9999/  (dashboard: identities + provider cheatsheet)
+```
+
+Common flags: `--port`, `--host`, `--url-host`, `--config-dir`, `--tls-cert`,
+`--tls-key`, `--password`, `--rs256`. Anything not passed falls back to env vars
+(`IDENTIZER_PORT`, `IDENTIZER_TLS_CERT/KEY`, `IDENTIZER_CONFIG_DIR`, …).
+
+## Mount inside a Rack/Rails app
+
+`Identizer::App` is a plain Rack app, so it works mounted at any path — internal
+links honour `SCRIPT_NAME`.
+
+```ruby
+# config.ru
+require "identizer"
+run Identizer.app
+```
+
+```ruby
+# Rails config/routes.rb (development only)
+mount Identizer::App.new => "/idp" if Rails.env.development?
+```
+
+```ruby
+# RSpec / rack-test
+require "rack/test"
+
+app = Identizer::App.new(
+  Identizer::Configuration.new.tap do |c|
+    c.config_dir = Dir.mktmpdir
+    c.seed_identities = [{ email: "alice@example.com", claims: { given_name: "Alice" } }]
+  end
+)
+```
+
+## Configure
+
+```ruby
+Identizer.configure do |config|
+  config.port = 9999
+  config.shared_password = "password"          # type this to succeed; anything else exercises the error path
+  config.signing = :rs256                       # :hs256 (default) or :rs256 + JWKS for clients that verify
+  config.seed_identities = [
+    { email: "alice@example.com", claims: { given_name: "Alice", family_name: "Doe" } }
+  ]
+  # config.identity_store = MyDbBackedStore.new  # plug in any object exposing #emails / #identity_for(email)
+end
+```
+
+Other options (all have sane defaults): `code_ttl` / `access_token_ttl` /
+`refresh_token_ttl` (grant lifetimes), `clients` (registry that enables
+`redirect_uri` allowlisting), `saml_sign_response`, `saml_encrypt_assertion` +
+`saml_sp_certificate`, `saml_allowed_acs`, `saml_attribute_names`, `ldap_port` /
+`ldaps_port`, and `request_logging`. See `lib/identizer/configuration.rb`.
+
+### Identity store interface
+
+Any object responding to this duck-typed interface can be a directory:
+
+```
+#emails              -> Array<String>   addresses the login form accepts
+#identity_for(email) -> Identity | nil  resolve an address to an Identity
+```
+
+For full management through the web admin, a store also exposes the directory
+interface `#entries`, `#upsert(attrs)` and `#delete(email)` (the bundled
+`ConfigStore` and `SqliteStore` do).
+
+The default `Identizer::IdentityStore::ConfigStore` persists identities to a JSON
+file the dashboard writes, seeded from `config.seed_identities`.
+
+### SQLite backend (optional)
+
+Prefer a database? Add `gem "sqlite3"` to your Gemfile and use the bundled adapter
+— it implements the same directory interface, so the web admin and LDAP work
+against it unchanged:
+
+```sh
+bundle exec identizer --sqlite ./dev.sqlite3
+```
+
+```ruby
+require "identizer/identity_store/sqlite_store"
+config.identity_store = Identizer::IdentityStore::SqliteStore.new(path: "dev.sqlite3")
+```
+
+`sqlite3` is not a default dependency — JSON files remain the zero-infra default.
+
+## Endpoints
+
+Most clients only need the issuer/metadata URL; the rest is discovered. Okta-style
+`/oauth2/v1/*` aliases exist for the OIDC routes (authorize/token/userinfo/keys).
+
+| Purpose | Route |
+|---|---|
+| Dashboard / config | `GET /` |
+| Health | `GET /healthz` |
+| Login form | `GET /login`, `/authorize`, `/v1/authorize` |
+| Cognito hosted-UI token | `POST /oauth2/token` |
+| Auth0 token + profile | `POST /oauth/token`, `GET /userinfo` |
+| OIDC token / logout | `POST /v1/token`, `GET /v1/logout` |
+| OIDC introspection / revocation | `POST /introspect`, `POST /revoke` |
+| OIDC discovery / JWKS | `GET /.well-known/openid-configuration`, `/.well-known/jwks.json` |
+| SAML metadata / SSO | `GET /metadata`, `GET|POST /saml/sso` |
+| Cognito management API | `POST /` with `x-amz-target` (point `COGNITO_ENDPOINT` here) |
+| Auth0 Management API | `POST/DELETE /api/v2/clients`, `/api/v2/connections` |
+
+## LDAP listener (optional)
+
+Apps that authenticate via LDAP can bind and search against the same directory.
+It's off unless you ask for it:
+
+```sh
+bundle exec identizer --port 9999 --ldap-port 1389
+# ldapsearch -x -H ldap://localhost:1389 -b dc=identizer,dc=local "(mail=alice@example.com)"
+```
+
+Simple bind (user DN + shared password, or anonymous) and subtree search with
+equality / presence / substring / `&` `|` `!` filters. Entries project to
+`uid, cn, sn, givenName, mail, ou, memberOf, objectClass`. Plain TCP + simple
+bind — a development listener, not LDAPS.
+
+## TLS
+
+Login URLs must be `https` (browser popup guards reject `http`). Identizer uses a
+provided cert (`--tls-cert/--tls-key`, ideally [mkcert](https://github.com/FiloSottile/mkcert)-generated
+and locally trusted) or falls back to a self-signed cert written under
+`config_dir`. For the app's server-to-server calls, trust it via
+`export SSL_CERT_FILE=…/cert.pem`.
+
+## SAML 2.0
+
+A real SAML IdP: it issues **signed** assertions (XML-DSig, RSA-SHA256) verifiable
+by standard SPs. Metadata at `/metadata`, SSO at `/saml/sso` (Redirect & POST
+bindings), SP- and IdP-initiated. Signing uses `nokogiri`, loaded only when a
+Response is produced. A development IdP — convenient, not hardened.
+
+## Development
+
+```sh
+bin/setup            # install dependencies
+bundle exec rake     # rspec + rubocop
+bin/console          # an IRB session with identizer loaded
+```
+
+## License
+
+MIT.

data/exe/identizer

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "identizer"
+require "identizer/cli"
+
+Identizer::CLI.start(ARGV)

data/lib/identizer/app.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module Identizer
+  # The Rack application. Mount it in a test harness or run it standalone via
+  # Identizer::Server. It serves three surfaces: the web admin (Overview /
+  # Directory / Settings / Docs), the runtime IdP endpoints, and the AWS Cognito
+  # management API (requests carrying x-amz-target).
+  class App
+    include Responses
+
+    Context = Struct.new(:config, :store, :minter, :codes, :refresh_tokens, :access_tokens, :renderer)
+
+    def initialize(config = Identizer.configuration)
+      @config = config
+      context = Context.new(config, config.identity_store, TokenMinter.new(config),
+                            GrantStore.new, GrantStore.new, GrantStore.new, Renderer.new)
+      @overview = Handlers::Overview.new(context)
+      @directory = Handlers::Directory.new(context)
+      @settings = Handlers::Settings.new(context)
+      @docs = Handlers::Docs.new(context)
+      @login = Handlers::Login.new(context)
+      @cognito = Handlers::Cognito.new(context)
+      @auth0 = Handlers::Auth0.new(context)
+      @auth0_management = Handlers::Auth0Management.new(context)
+      @oidc = Handlers::Oidc.new(context)
+      @saml = Handlers::Saml.new(context)
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+      target = env["HTTP_X_AMZ_TARGET"]
+
+      if target
+        @cognito.management_api(target, request)
+      else
+        route(request)
+      end
+    rescue StandardError => e
+      # Surface the failure to the console (this is a local dev tool) instead of
+      # silently swallowing it; still return a JSON 500 to the client.
+      env["rack.errors"]&.puts("[identizer] #{e.class}: #{e.message}\n  #{e.backtrace&.first(8)&.join("\n  ")}")
+      json(500, { error: e.message })
+    end
+
+    private
+
+    def route(request)
+      admin(request) || idp(request) || auth0_management(request) ||
+        not_found("No route for #{request.request_method} #{request.path_info}")
+    end
+
+    # Auth0 Management API: provision/deprovision applications and connections.
+    def auth0_management(request)
+      case [request.request_method, request.path_info]
+      in ["POST", "/api/v2/clients"] then @auth0_management.create_client(request)
+      in ["GET", "/api/v2/clients"] then @auth0_management.list_clients(request)
+      in ["POST", "/api/v2/connections"] then @auth0_management.create_connection(request)
+      in ["GET", "/api/v2/connections"] then @auth0_management.list_connections(request)
+      in ["PATCH", String => path] if path.start_with?("/api/v2/clients/")
+        @auth0_management.update_client(request, path.delete_prefix("/api/v2/clients/"))
+      in ["DELETE", String => path] if path.start_with?("/api/v2/clients/")
+        @auth0_management.delete_client(request, path.delete_prefix("/api/v2/clients/"))
+      in ["PATCH", String => path] if path.start_with?("/api/v2/connections/")
+        @auth0_management.update_connection(request, path.delete_prefix("/api/v2/connections/"))
+      in ["DELETE", String => path] if path.start_with?("/api/v2/connections/")
+        @auth0_management.delete_connection(request, path.delete_prefix("/api/v2/connections/"))
+      else nil
+      end
+    end
+
+    # Web admin surface.
+    def admin(request)
+      case [request.request_method, request.path_info]
+      in ["GET", "/healthz"] then json(200, { status: "ok", name: "identizer", version: Identizer::VERSION })
+      in ["GET", "/"] then @overview.index(request)
+      in ["GET", "/directory"] then @directory.index(request)
+      in ["POST", "/directory"] then @directory.create(request)
+      in ["POST", "/directory/delete"] then @directory.destroy(request)
+      in ["GET", "/settings"] then @settings.show(request)
+      in ["POST", "/settings"] then @settings.update(request)
+      in ["GET", "/docs"] then @docs.index(request)
+      in ["GET", String => path] if path.start_with?("/docs/")
+        @docs.show(request, path.delete_prefix("/docs/"))
+      else nil
+      end
+    end
+
+    # Runtime IdP + protocol surface.
+    def idp(request)
+      case [request.request_method, request.path_info]
+      in ["GET", "/metadata" | "/saml/metadata"] then @saml.metadata(request)
+      in ["GET" | "POST", "/saml/sso"] then @saml.sso(request)
+      in ["POST", "/saml/finish"] then @saml.finish(request)
+      # Includes the Okta-style /oauth2/v1/* paths (omniauth-okta and other
+      # fixed-path OAuth2 clients) alongside the canonical ones.
+      in ["GET", "/login" | "/authorize" | "/v1/authorize" | "/oauth2/v1/authorize"] then @login.form(request)
+      in ["GET", "/__select"] then @login.select(request)
+      in ["POST", "/oauth2/token"] then @cognito.token(request)
+      in ["POST", "/oauth/token"] then @auth0.token(request)
+      in ["POST", "/v1/token" | "/oauth2/v1/token"] then @oidc.token(request)
+      in ["GET", "/v1/logout"] then @oidc.logout(request)
+      in ["GET", "/userinfo" | "/oauth2/v1/userinfo"] then @auth0.userinfo(request)
+      in ["POST", "/introspect" | "/oauth2/v1/introspect"] then @oidc.introspect(request)
+      in ["POST", "/revoke" | "/oauth2/v1/revoke"] then @oidc.revoke(request)
+      in ["GET", "/.well-known/openid-configuration"] then @oidc.discovery
+      in ["GET", "/jwks" | "/.well-known/jwks.json" | "/oauth2/v1/keys"] then @oidc.jwks
+      else nil
+      end
+    end
+  end
+end

data/lib/identizer/authorization.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Identizer
+  # What an issued code/refresh token stands for: the signed-in identity plus the
+  # authorization-request parameters needed at token time (PKCE, scope, nonce).
+  Authorization = Struct.new(:identity, :code_challenge, :code_challenge_method, :scope, :nonce, :client_id,
+                             :access_token, :refresh_token, keyword_init: true) do
+    # RFC 7636 PKCE check. No challenge issued -> nothing to verify.
+    def pkce_valid?(verifier)
+      return true if code_challenge.to_s.empty?
+
+      case code_challenge_method
+      when "S256"
+        digest = Digest::SHA256.digest(verifier.to_s)
+        Base64.urlsafe_encode64(digest, padding: false) == code_challenge
+      else # "plain" (or unspecified)
+        verifier.to_s == code_challenge
+      end
+    end
+  end
+end

data/lib/identizer/cli.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require "optparse"
+
+module Identizer
+  # `identizer` command: configure from flags/env and boot the standalone server.
+  class CLI
+    # Seeded on first run so the directory isn't empty and login works immediately.
+    DEMO_USER = { mail: "demo@example.com", givenName: "Demo", sn: "User" }.freeze
+
+    def self.start(argv)
+      new(argv).run
+    end
+
+    def initialize(argv)
+      @argv = argv
+      @demo = true
+    end
+
+    def run
+      config = configure(Identizer.configuration)
+      start_ldap(config)
+      Server.start(config)
+    end
+
+    # Parse the flags onto a configuration and apply any saved settings, without
+    # starting the server. Separated out so it can be exercised in tests.
+    def configure(config = Identizer.configuration)
+      parser(config).parse!(@argv)
+      config.apply_persisted_settings! # web-admin saved password/signing
+      config.seed_identities = [DEMO_USER] if @demo && config.seed_identities.empty?
+      load_sqlite(config) if config.sqlite_path
+      config
+    end
+
+    private
+
+    def load_sqlite(config)
+      require "identizer/identity_store/sqlite_store"
+      config.identity_store = IdentityStore::SqliteStore.new(
+        path: config.sqlite_path, base_dn: config.ldap_base_dn, seed: config.seed_identities
+      )
+    rescue LoadError
+      abort "--sqlite needs the sqlite3 gem. Add `gem \"sqlite3\"` to your Gemfile or `gem install sqlite3`."
+    end
+
+    def start_ldap(config)
+      return unless config.ldap_port || config.ldaps_port
+
+      require "identizer/ldap"
+      Thread.new { Ldap::Server.new(config, port: config.ldap_port).start } if config.ldap_port
+      Thread.new { Ldap::Server.new(config, port: config.ldaps_port, tls: true).start } if config.ldaps_port
+    end
+
+    def parser(config)
+      OptionParser.new do |opts|
+        opts.banner = "Usage: identizer [options]"
+
+        opts.on("--port PORT", Integer, "Listen port (default 9999)") { |value| config.port = value }
+        opts.on("--host HOST", "Bind address (default 127.0.0.1)") { |value| config.host = value }
+        opts.on("--url-host HOST", "Hostname used in advertised URLs (default localhost)") do |value|
+          config.url_host = value
+        end
+        opts.on("--domain HOST", "Serve under a custom domain (add it to /etc/hosts -> 127.0.0.1)") do |value|
+          config.url_host = value
+        end
+        opts.on("--config-dir DIR", "Where identities + certs are stored") { |value| config.config_dir = value }
+        opts.on("--tls-cert PATH", "TLS certificate (PEM)") { |value| config.tls_cert_path = value }
+        opts.on("--tls-key PATH", "TLS private key (PEM)") { |value| config.tls_key_path = value }
+        opts.on("--password PASS", "Shared sign-in password (default 'password')") do |value|
+          config.shared_password = value
+        end
+        opts.on("--sqlite PATH", "Use a SQLite-backed directory at PATH (needs the sqlite3 gem)") do |value|
+          config.sqlite_path = value
+        end
+        opts.on("--rs256", "Sign id_tokens with RS256 + publish JWKS") { config.signing = :rs256 }
+        opts.on("--no-demo", "Don't seed the demo user on first run") { @demo = false }
+        opts.on("--quiet", "Don't log requests") { config.request_logging = false }
+        opts.on("--ldap-port PORT", Integer, "Also start an LDAP listener on PORT") { |value| config.ldap_port = value }
+        opts.on("--ldaps-port PORT", Integer, "Also start an LDAPS (TLS) listener on PORT") do |value|
+          config.ldaps_port = value
+        end
+        opts.on("--ldap-host HOST", "Bind address for the LDAP listener") { |value| config.ldap_host = value }
+        opts.on("-v", "--version", "Print version") do
+          puts Identizer::VERSION
+          exit
+        end
+        opts.on("-h", "--help", "Show this help") do
+          puts opts
+          exit
+        end
+      end
+    end
+  end
+end