identizer 0.1.0

data/lib/identizer/configuration.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module Identizer
+  # Everything the provider needs to run, with sensible dev defaults. Replaces
+  # the Rails.* / ENV reads of the original emulator with one explicit object.
+  class Configuration
+    def initialize
+      @host = "127.0.0.1"
+      @port = int_env("IDENTIZER_PORT", "SSO_MOCK_PORT", default: 9999)
+      @tls_cert_path = env_presence("IDENTIZER_TLS_CERT", "SSO_MOCK_TLS_CERT")
+      @tls_key_path = env_presence("IDENTIZER_TLS_KEY", "SSO_MOCK_TLS_KEY")
+      @config_dir = ENV.fetch("IDENTIZER_CONFIG_DIR", File.join(Dir.pwd, "tmp", "identizer"))
+      @shared_password = "password"
+      @signing = :hs256 # :hs256 (unsigned-style parity) or :rs256 (verifiable)
+      @hs256_key = "identizer-development-key"
+      @scheme = "https"
+      @url_host = "localhost"
+      @ldap_base_dn = "dc=identizer,dc=local"
+      @ldap_host = nil
+      @ldap_port = optional_int_env("IDENTIZER_LDAP_PORT") # nil = LDAP listener off
+      @ldaps_port = optional_int_env("IDENTIZER_LDAPS_PORT") # nil = LDAPS listener off
+      @seed_identities = []
+      # Optional client registry: [{ client_id:, redirect_uris:, post_logout_redirect_uris: }].
+      # A client_secret may be present but is NOT verified (dev tool). Separate from
+      # the apps provisioned at runtime via the Auth0 Management API.
+      @clients = []
+      @saml_allowed_acs = [] # optional allowlist of SAML ACS URLs ([] = allow any, dev default)
+      @saml_sign_response = true # sign the SAML Response in addition to the Assertion
+      @saml_encrypt_assertion = false # encrypt the assertion when an SP certificate is set
+      @saml_sp_certificate = nil # SP cert (PEM) used to encrypt the assertion
+      @code_ttl = 600
+      @access_token_ttl = 3600
+      @refresh_token_ttl = 86_400
+      @request_logging = true # standalone server logs a concise request line
+    end
+
+    # All plain settings, grouped (defaults are set in #initialize).
+    attr_accessor :host, :port, :tls_cert_path, :tls_key_path, :config_dir, :shared_password, :signing, :hs256_key,
+                  :scheme, :url_host, :request_logging,
+                  :ldap_base_dn, :ldap_host, :ldap_port, :ldaps_port,
+                  :clients,      # OAuth client registry ([] = lenient); enables redirect_uri allowlisting
+                  :sqlite_path,  # set by --sqlite to swap in the SQLite-backed directory
+                  :code_ttl, :access_token_ttl, :refresh_token_ttl, # grant lifetimes (seconds)
+                  :saml_allowed_acs, :saml_sign_response, :saml_encrypt_assertion
+
+    # The SP certificate used to encrypt the assertion (PEM string or cert object).
+    def saml_sp_certificate
+      cert = @saml_sp_certificate
+      return nil if cert.nil?
+
+      cert.is_a?(OpenSSL::X509::Certificate) ? cert : OpenSSL::X509::Certificate.new(cert.to_s)
+    end
+
+    # The IdP's SAML signing key + certificate, generated/persisted on first use.
+    def saml_keypair
+      @saml_keypair ||= begin
+        require "identizer/saml/keypair"
+        Saml::Keypair.load_or_generate(config_dir)
+      end
+    end
+
+    # Claim -> SAML Attribute Name. Defaults to the Microsoft/WS-Fed claim URIs
+    # that real SAML IdPs (Azure AD, ADFS, Okta) emit and SPs match on; the short
+    # claim name is kept as the FriendlyName. Override to suit a specific SP.
+    SAML_ATTRIBUTE_NAMES = {
+      "email" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+      "given_name" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
+      "family_name" => "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
+      "name" => "http://schemas.microsoft.com/identity/claims/displayname",
+      "groups" => "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
+    }.freeze
+
+    def saml_attribute_names
+      @saml_attribute_names ||= SAML_ATTRIBUTE_NAMES.dup
+    end
+
+    attr_writer :saml_sp_certificate, :identity_store, :base_url, :issuer, :seed_identities, :providers, :saml_keypair,
+                :saml_attribute_names
+
+    # Public URL the provider advertises in metadata, discovery and redirects.
+    def base_url
+      @base_url ||= "#{scheme}://#{url_host}:#{port}"
+    end
+
+    def issuer
+      @issuer ||= base_url
+    end
+
+    def rs256?
+      signing == :rs256
+    end
+
+    def seed_identities
+      Array(@seed_identities).map { |entry| DirectoryEntry.from(entry, base_dn: ldap_base_dn) }
+    end
+
+    def identity_store
+      @identity_store ||= IdentityStore::ConfigStore.new(
+        path: File.join(config_dir, "config.json"),
+        seed: seed_identities,
+        base_dn: ldap_base_dn
+      )
+    end
+
+    # Cheatsheet rendered on the dashboard. Override to match your app's stack.
+    def providers
+      @providers || Providers.default(base_url)
+    end
+
+    # Open-redirect guard. Lenient (true) until clients are registered; then the
+    # redirect_uri must match one registered for that client.
+    def redirect_uri_allowed?(client_id, redirect_uri)
+      return true if clients.empty?
+
+      client = clients.find { |entry| entry[:client_id] == client_id }
+      return false unless client
+
+      allowed = Array(client[:redirect_uris])
+      allowed.empty? || allowed.include?(redirect_uri)
+    end
+
+    # RP-initiated-logout guard, mirroring redirect_uri_allowed?.
+    def post_logout_redirect_allowed?(client_id, uri)
+      return true if clients.empty?
+
+      client = clients.find { |entry| entry[:client_id] == client_id }
+      return false unless client
+
+      allowed = Array(client[:post_logout_redirect_uris])
+      allowed.empty? || allowed.include?(uri)
+    end
+
+    # SAML ACS guard. Lenient until an allowlist is configured.
+    def acs_allowed?(acs)
+      saml_allowed_acs.empty? || saml_allowed_acs.include?(acs)
+    end
+
+    def settings_path
+      File.join(config_dir, "settings.json")
+    end
+
+    # Apply settings previously saved from the web admin (password, signing mode).
+    # Called at boot; explicit flags/config still override afterwards.
+    def apply_persisted_settings!
+      data = JSON.parse(File.read(settings_path))
+      self.shared_password = data["shared_password"] if data["shared_password"]
+      self.signing = data["signing"].to_sym if data["signing"]
+      self
+    rescue StandardError
+      self
+    end
+
+    def persist_settings!
+      FileUtils.mkdir_p(config_dir)
+      File.write(settings_path, JSON.generate("shared_password" => shared_password, "signing" => signing.to_s))
+    end
+
+    private
+
+    def env_presence(*keys)
+      keys.each do |key|
+        value = ENV.fetch(key, nil)
+        return value if value && !value.empty?
+      end
+      nil
+    end
+
+    def optional_int_env(key)
+      raw = env_presence(key)
+      return nil if raw.nil?
+
+      Integer(raw)
+    rescue ArgumentError
+      raise ArgumentError, "#{key} must be an integer (got #{raw.inspect})"
+    end
+
+    def int_env(*keys, default:)
+      raw = env_presence(*keys)
+      return default if raw.nil?
+
+      Integer(raw)
+    rescue ArgumentError
+      raise ArgumentError, "#{keys.first} must be an integer (got #{raw.inspect})"
+    end
+  end
+end

data/lib/identizer/directory_entry.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Identizer
+  # An LDAP-flavoured directory entry: an attribute bag (uid, cn, sn, givenName,
+  # mail, ou, memberOf, ...) with a computed DN. This is the unit the directory
+  # stores and the web admin edits. `to_identity` projects it onto the token-
+  # facing Identity, mapping LDAP attributes to standard OIDC claims.
+  class DirectoryEntry
+    DEFAULT_BASE_DN = "dc=identizer,dc=local"
+    DEFAULT_OU = "people"
+
+    # LDAP attribute -> OIDC claim mapping for the token projection.
+    CLAIM_MAP = {
+      "givenName" => "given_name",
+      "sn" => "family_name",
+      "cn" => "name",
+      "memberOf" => "groups",
+      "uid" => "preferred_username"
+    }.freeze
+
+    # Attributes surfaced as editable fields in the web admin (in order).
+    EDITABLE_ATTRIBUTES = %w[mail uid givenName sn cn ou memberOf].freeze
+
+    attr_reader :attributes
+
+    def initialize(attributes = {}, base_dn: DEFAULT_BASE_DN)
+      @base_dn = base_dn
+      @attributes = normalize(attributes)
+      backfill!
+    end
+
+    def self.from(value, base_dn: DEFAULT_BASE_DN)
+      return value if value.is_a?(DirectoryEntry)
+
+      attributes = value.is_a?(Hash) ? value : { "mail" => value }
+      new(attributes, base_dn: base_dn)
+    end
+
+    def [](key)
+      @attributes[key.to_s]
+    end
+
+    def mail = self["mail"]
+    def uid = self["uid"]
+    def ou = self["ou"] || DEFAULT_OU
+    def groups = Array(self["memberOf"]).reject { |group| group.to_s.empty? }
+
+    # Attributes beyond the standard editable set — provider-specific names a SP
+    # might expect (e.g. custom_1, department). Emitted verbatim as claims.
+    def custom_attributes
+      @attributes.except(*EDITABLE_ATTRIBUTES)
+    end
+
+    def dn
+      "uid=#{uid},ou=#{ou},#{@base_dn}"
+    end
+
+    # Token-facing projection: email + OIDC-mapped claims (+ dn).
+    def to_identity
+      claims = { "dn" => dn }
+      @attributes.each do |key, value|
+        next if %w[mail userPassword].include?(key)
+
+        claims[CLAIM_MAP[key] || key] = value
+      end
+      Identity.new(email: mail, sub: dn, claims: claims)
+    end
+
+    def to_h
+      @attributes
+    end
+
+    private
+
+    def normalize(attributes)
+      attributes.each_with_object({}) do |(key, value), acc|
+        key = key.to_s
+        key = "mail" if key == "email" # email is an alias for the mail attribute
+        next if value.nil? || value == ""
+
+        acc[key] = key == "memberOf" ? Array(value).reject { |group| group.to_s.empty? } : value
+      end
+    end
+
+    def backfill!
+      @attributes["mail"] = mail.to_s
+      @attributes["uid"] ||= default_uid
+      @attributes["cn"] ||= default_cn
+    end
+
+    def default_uid
+      local = mail.to_s.split("@").first
+      local.nil? || local.empty? ? "user" : local
+    end
+
+    def default_cn
+      name = [self["givenName"], self["sn"]].compact.join(" ").strip
+      name.empty? ? uid : name
+    end
+  end
+end

data/lib/identizer/docs.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Identizer
+  # Registry of the bundled, read-only documentation pages shown under /docs.
+  # Each slug maps to a web/views/docs/<slug>.html.erb template.
+  module Docs
+    PAGES = [
+      { slug: "getting-started", title: "Getting started" },
+      { slug: "oidc", title: "OIDC integration" },
+      { slug: "cognito", title: "AWS Cognito broker" },
+      { slug: "broker-app", title: "Cheatsheet: Cognito-brokered app" },
+      { slug: "saml", title: "SAML" },
+      { slug: "ldap", title: "LDAP listener" },
+      { slug: "tls", title: "TLS & mkcert" },
+      { slug: "troubleshooting", title: "Troubleshooting" }
+    ].freeze
+
+    def self.find(slug)
+      PAGES.find { |page| page[:slug] == slug }
+    end
+  end
+end

data/lib/identizer/grant_store.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Identizer
+  # A small thread-safe, TTL'd key -> value store for the short-lived grants the
+  # provider issues (authorization codes, access tokens, refresh tokens). Entries
+  # expire and are pruned lazily on access, plus an opportunistic sweep once the
+  # store grows, so even never-redeemed grants don't accumulate without bound. The
+  # advertised lifetimes are enforced. Uses a monotonic clock (immune to wall-clock
+  # changes).
+  class GrantStore
+    SWEEP_THRESHOLD = 1000
+
+    def initialize
+      @entries = {}
+      @mutex = Mutex.new
+    end
+
+    def put(key, value, ttl:)
+      @mutex.synchronize do
+        sweep if @entries.size >= SWEEP_THRESHOLD
+        @entries[key] = [value, monotonic + ttl]
+      end
+      value
+    end
+
+    # Read without consuming; nil if missing or expired.
+    def get(key)
+      @mutex.synchronize { fetch(key) }
+    end
+
+    # Read and remove (single-use); nil if missing or expired.
+    def take(key)
+      @mutex.synchronize do
+        value = fetch(key)
+        @entries.delete(key)
+        value
+      end
+    end
+
+    def size
+      @mutex.synchronize { @entries.size }
+    end
+
+    private
+
+    def fetch(key)
+      entry = @entries[key]
+      return nil unless entry
+
+      value, expires_at = entry
+      return value if monotonic < expires_at
+
+      @entries.delete(key)
+      nil
+    end
+
+    def sweep
+      now = monotonic
+      @entries.delete_if { |_, (_, expires_at)| now >= expires_at }
+    end
+
+    def monotonic
+      Process.clock_gettime(Process::CLOCK_MONOTONIC)
+    end
+  end
+end

data/lib/identizer/handlers/auth0.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # Auth0-style flow: the code is exchanged for an access_token (no id_token by
+    # design — the original integration only verifies a JWT when one is returned
+    # and a certificate is configured), then the profile is fetched at /userinfo.
+    class Auth0 < Base
+      def token(request)
+        # The Management API authenticates with a client_credentials grant.
+        if merged_params(request)["grant_type"] == "client_credentials"
+          return json(200, { access_token: SecureRandom.hex(32), token_type: "Bearer", expires_in: 86_400 })
+        end
+
+        authorization = redeem_code(request) # single-use code, PKCE-checked
+        return json(400, { error: "invalid_grant" }) if authorization.nil?
+
+        # Mint a distinct access_token that /userinfo resolves to the profile.
+        access_token = SecureRandom.hex(20)
+        access_tokens.put(access_token, authorization, ttl: config.access_token_ttl)
+        json(200, { access_token: access_token, token_type: "Bearer", expires_in: config.access_token_ttl })
+      end
+
+      def userinfo(request)
+        authorization = access_tokens.get(bearer(request))
+        return json(401, { error: "invalid_token" }) if authorization.nil?
+
+        json(200, authorization.identity.to_h)
+      end
+    end
+  end
+end

data/lib/identizer/handlers/auth0_management.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # Emulates the slice of the Auth0 Management API a brokering app uses to
+    # provision/deprovision SSO: creating and deleting applications (clients) and
+    # SAML connections. Reached by pointing the Auth0 domain at Identizer; the
+    # management bearer token (from the client_credentials grant) is accepted as-is.
+    #
+    # Created objects are kept in memory so list/delete behave consistently within
+    # a running process.
+    class Auth0Management < Base
+      def initialize(context)
+        super
+        @clients = {}
+        @connections = {}
+        @mutex = Mutex.new # the WEBrick server is multithreaded
+      end
+
+      def create_client(request)
+        client = parse_json(request).merge(
+          "client_id" => SecureRandom.alphanumeric(32),
+          "client_secret" => SecureRandom.alphanumeric(64)
+        )
+        @mutex.synchronize { @clients[client["client_id"]] = client }
+        json(201, client)
+      end
+
+      def update_client(request, id)
+        body = parse_json(request)
+        updated = @mutex.synchronize { @clients[id] = (@clients[id] || { "client_id" => id }).merge(body) }
+        json(200, updated)
+      end
+
+      def delete_client(_request, id)
+        @mutex.synchronize { @clients.delete(id) }
+        no_content
+      end
+
+      def list_clients(_request)
+        json(200, @mutex.synchronize { @clients.values })
+      end
+
+      def create_connection(request)
+        connection = parse_json(request).merge("id" => "con_#{SecureRandom.alphanumeric(24)}")
+        @mutex.synchronize { @connections[connection["id"]] = connection }
+        json(201, connection)
+      end
+
+      def update_connection(request, id)
+        body = parse_json(request)
+        updated = @mutex.synchronize { @connections[id] = (@connections[id] || { "id" => id }).merge(body) }
+        json(200, updated)
+      end
+
+      def delete_connection(_request, id)
+        @mutex.synchronize { @connections.delete(id) }
+        no_content
+      end
+
+      def list_connections(_request)
+        json(200, @mutex.synchronize { @connections.values })
+      end
+    end
+  end
+end

data/lib/identizer/handlers/base.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # Shared base for the protocol handlers. Each handler is constructed with a
+    # context carrying the configuration, identity store, token minter and the
+    # in-memory session map (opaque code/token -> Identity).
+    class Base
+      include Responses
+
+      def initialize(context)
+        @context = context
+        @config = context.config
+        @store = context.store
+        @minter = context.minter
+        @codes = context.codes
+        @refresh_tokens = context.refresh_tokens
+        @access_tokens = context.access_tokens
+        @renderer = context.renderer
+      end
+
+      private
+
+      attr_reader :config, :store, :minter, :codes, :refresh_tokens, :access_tokens, :renderer
+
+      # Render a web-admin page through the shared layout.
+      def page(template, request, nav:, title:, **locals)
+        html(renderer.render(template, nav: nav, title: title, prefix: request.script_name, **locals))
+      end
+
+      # Render the shared sign-in form (used by the OIDC and SAML login surfaces).
+      def render_login(title:, heading:, note:, form_method:, action:, hidden:, config_link:)
+        html(renderer.render_bare("login", emails: store.emails, title: title, heading: heading, note: note,
+                                           form_method: form_method, action: action, hidden: hidden,
+                                           config_link: config_link))
+      end
+
+      def consume(code)
+        codes.take(code)
+      end
+
+      # Consume a one-time authorization code and enforce PKCE when a challenge
+      # was issued — uniformly, so a code can't be redeemed at a different token
+      # endpoint to skip the check. Returns the Authorization, or nil if the code
+      # is unknown or PKCE verification fails.
+      def redeem_code(request)
+        authorization = consume(code_param(request))
+        return nil if authorization.nil?
+        return nil unless authorization.pkce_valid?(request.params["code_verifier"])
+
+        authorization
+      end
+
+      def code_param(request)
+        if json_request?(request)
+          parse_json(request)["code"]
+        else
+          request.params["code"]
+        end
+      end
+
+      def bearer(request)
+        request.get_header("HTTP_AUTHORIZATION").to_s.sub(/\ABearer\s+/i, "")
+      end
+
+      def parse_json(request)
+        raw = request.body.read
+        request.body.rewind
+        safe_json(raw)
+      end
+
+      def json_request?(request)
+        request.content_type.to_s.include?("json")
+      end
+
+      # Form params merged with a JSON body, so handlers work for either encoding.
+      def merged_params(request)
+        json = json_request?(request) ? parse_json(request) : {}
+        request.params.merge(json)
+      rescue StandardError
+        request.params
+      end
+
+      def safe_json(raw)
+        JSON.parse(raw.to_s)
+      rescue JSON::ParserError
+        {}
+      end
+    end
+  end
+end

data/lib/identizer/handlers/cognito.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # Emulates the two AWS Cognito surfaces the original integration depends on:
+    # the management API (used at provider-save time via the AWS SDK, reached by
+    # pointing COGNITO_ENDPOINT here) and the hosted-UI token endpoint.
+    class Cognito < Base
+      # Provider-save time. The AWS SDK marks the operation with x-amz-target.
+      def management_api(target, request)
+        operation = target.split(".").last
+        body = parse_json(request)
+        name = body["ProviderName"] || body["ClientName"] || "identizer"
+
+        amz_json(payload_for(operation, name, body))
+      end
+
+      # Cognito hosted-UI code exchange.
+      def token(request)
+        authorization = redeem_code(request)
+        return json(400, { error: "invalid_grant" }) if authorization.nil?
+
+        id_token = minter.id_token(authorization.identity, audience: authorization.client_id)
+        json(200, { id_token: id_token, token_type: "Bearer" })
+      end
+
+      private
+
+      def payload_for(operation, name, body)
+        case operation
+        when "CreateUserPoolClient"
+          {
+            "UserPoolClient" => {
+              "ClientId" => SecureRandom.hex(13),
+              "ClientSecret" => SecureRandom.hex(32),
+              "ClientName" => body["ClientName"],
+              "UserPoolId" => body["UserPoolId"]
+            }
+          }
+        when "CreateIdentityProvider"
+          { "IdentityProvider" => { "ProviderName" => name, "ProviderType" => body["ProviderType"] } }
+        when "ListIdentityProviders"
+          { "Providers" => [] }
+        else
+          {}
+        end
+      end
+    end
+  end
+end

data/lib/identizer/handlers/directory.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # CRUD over the LDAP-flavoured user directory. Requires a store exposing the
+    # management interface (#entries, #upsert, #delete) — the default does.
+    class Directory < Base
+      # Reserved/standard names a custom attribute must not set — otherwise it
+      # could overwrite a form field or forge a registered token claim.
+      BLOCKED_ATTRIBUTES = (
+        DirectoryEntry::EDITABLE_ATTRIBUTES +
+        %w[iss aud exp iat nbf jti nonce sub email given_name family_name name groups preferred_username dn]
+      ).map(&:downcase).freeze
+
+      def index(request)
+        editing = request.params["edit"]
+        page("directory/index", request, nav: :directory, title: "Directory",
+                                         entries: store.entries,
+                                         entry: entry_for(editing),
+                                         base_dn: config.ldap_base_dn)
+      end
+
+      def create(request)
+        attributes = entry_params(request)
+        # On rename (mail changed while editing), drop the old row so we don't
+        # leave a duplicate behind.
+        original = request.params["original_mail"].to_s
+        store.delete(original) if !original.empty? && original != attributes["mail"]
+        store.upsert(attributes)
+        redirect("#{request.script_name}/directory")
+      end
+
+      def destroy(request)
+        store.delete(request.params["mail"])
+        redirect("#{request.script_name}/directory")
+      end
+
+      private
+
+      def entry_for(mail)
+        return DirectoryEntry.new(base_dn: config.ldap_base_dn) if mail.to_s.empty?
+
+        store.entries.find { |entry| entry.mail == mail } ||
+          DirectoryEntry.new(base_dn: config.ldap_base_dn)
+      end
+
+      def entry_params(request)
+        params = request.params
+        {
+          "mail" => params["mail"], "uid" => params["uid"],
+          "givenName" => params["givenName"], "sn" => params["sn"],
+          "cn" => params["cn"], "ou" => params["ou"],
+          "memberOf" => split_multi(params["memberOf"])
+        }.merge(custom_attributes(params["custom_attributes"]))
+      end
+
+      def split_multi(value)
+        value.to_s.split(/[\n,]/).map(&:strip).reject(&:empty?)
+      end
+
+      # Parse the free-form "name = value" (or "name: value") textarea into extra
+      # attributes, so any provider-specific claim name can be set from the UI.
+      def custom_attributes(text)
+        text.to_s.lines.each_with_object({}) do |line, acc|
+          key, value = line.split(/[:=]/, 2)
+          next if key.nil? || value.nil?
+
+          name = key.strip
+          next if name.empty? || value.strip.empty? || BLOCKED_ATTRIBUTES.include?(name.downcase)
+
+          acc[name] = value.strip
+        end
+      end
+    end
+  end
+end