identizer 0.1.0

data/lib/identizer/handlers/docs.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # Bundled, read-only documentation pages under /docs.
+    class Docs < Base
+      def index(request)
+        page("docs/index", request, nav: :docs, title: "Docs", pages: Identizer::Docs::PAGES)
+      end
+
+      def show(request, slug)
+        meta = Identizer::Docs.find(slug)
+        return not_found("No doc page: #{slug}") unless meta
+
+        page("docs/#{slug}", request, nav: :docs, title: meta[:title], config: config)
+      end
+    end
+  end
+end

data/lib/identizer/handlers/login.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # The interactive login surface: a form (shared by the Cognito hosted-UI,
+    # Auth0 and OIDC authorize endpoints) and the selection step that mints a
+    # code and redirects back to the app.
+    class Login < Base
+      # The authorization-request parameters that must survive the login form.
+      CARRIED_PARAMS = %w[redirect_uri state scope nonce code_challenge code_challenge_method client_id].freeze
+
+      def form(request)
+        render_login(
+          title: "Identizer — Sign in", heading: "Identizer — Sign in", note: sign_in_note,
+          form_method: "get", action: "#{request.script_name}/__select",
+          hidden: CARRIED_PARAMS.map { |name| [name, request.params[name]] },
+          config_link: "#{request.script_name}/"
+        )
+      end
+
+      def select(request)
+        email = request.params["email"].to_s.strip
+        password = request.params["password"].to_s
+        redirect_uri = request.params["redirect_uri"].to_s
+        state = request.params["state"].to_s
+
+        # Validate the redirect target FIRST — never bounce to an unregistered URI,
+        # not even on the error paths below (that would be the open redirect).
+        unless config.redirect_uri_allowed?(request.params["client_id"], redirect_uri)
+          return notice_page("Sign-in blocked",
+                             "redirect_uri <code>#{escape_html(redirect_uri)}</code> is not registered " \
+                             "for this client.")
+        end
+
+        unless password == config.shared_password
+          return error_redirect(redirect_uri, state, "access_denied", "Invalid credentials")
+        end
+
+        unless store.emails.include?(email)
+          return error_redirect(redirect_uri, state, "access_denied", "Unknown user: #{email}")
+        end
+
+        code = SecureRandom.hex(20)
+        codes.put(code, authorization_for(request, email), ttl: config.code_ttl)
+        auth_redirect(redirect_uri, state, code: code)
+      end
+
+      private
+
+      def authorization_for(request, email)
+        Authorization.new(
+          identity: store.identity_for(email),
+          code_challenge: request.params["code_challenge"],
+          code_challenge_method: request.params["code_challenge_method"],
+          scope: request.params["scope"],
+          nonce: request.params["nonce"],
+          client_id: request.params["client_id"]
+        )
+      end
+
+      def sign_in_note
+        "Sign in as one of the configured identities. The password for every identity is " \
+          "<code>#{escape_html(config.shared_password)}</code> — use a wrong password or an " \
+          "unconfigured email to test the provider's error response."
+      end
+
+      def error_redirect(redirect_uri, state, error, description)
+        auth_redirect(redirect_uri, state, error: error, error_description: description)
+      end
+
+      def auth_redirect(redirect_uri, state, params)
+        query = params.merge(state: state)
+                      .map { |key, value| "#{key}=#{Rack::Utils.escape(value.to_s)}" }
+                      .join("&")
+        separator = redirect_uri.include?("?") ? "&" : "?"
+
+        redirect("#{redirect_uri}#{separator}#{query}")
+      end
+    end
+  end
+end

data/lib/identizer/handlers/oidc.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # OpenID Connect: the authorization-code + refresh-token grants, PKCE, the
+    # discovery and JWKS documents, and the end-session (logout) endpoint.
+    class Oidc < Base
+      def token(request)
+        case request.params["grant_type"]
+        when "refresh_token" then refresh(request)
+        else authorization_code(request)
+        end
+      end
+
+      def discovery
+        json(200, minter.discovery)
+      end
+
+      def jwks
+        json(200, minter.jwks)
+      end
+
+      # RFC 7662 token introspection (access or refresh token).
+      def introspect(request)
+        token = merged_params(request)["token"]
+        authorization = token && (access_tokens.get(token) || refresh_tokens.get(token))
+        return json(200, { active: false }) if authorization.nil?
+
+        identity = authorization.identity
+        json(200, {
+          active: true, sub: identity.sub, username: identity.email,
+          scope: authorization.scope, client_id: authorization.client_id, token_type: "Bearer"
+        }.compact)
+      end
+
+      # RFC 7009 token revocation: revoke the submitted token AND its paired
+      # access/refresh token. Always 200, even for unknown tokens.
+      def revoke(request)
+        token = merged_params(request)["token"]
+        authorization = token && (access_tokens.get(token) || refresh_tokens.get(token))
+        if authorization
+          access_tokens.take(authorization.access_token)
+          refresh_tokens.take(authorization.refresh_token)
+        end
+        if token
+          access_tokens.take(token)
+          refresh_tokens.take(token)
+        end
+        json(200, {})
+      end
+
+      # RP-initiated logout: bounce back to post_logout_redirect_uri if given and allowed.
+      def logout(request)
+        target = request.params["post_logout_redirect_uri"].to_s
+        return notice_page("Signed out", "You have been signed out.") if target.empty?
+        unless config.post_logout_redirect_allowed?(request.params["client_id"], target)
+          return notice_page("Signed out", "The post_logout_redirect_uri is not registered.")
+        end
+
+        state = request.params["state"]
+        separator = target.include?("?") ? "&" : "?"
+        location = state.to_s.empty? ? target : "#{target}#{separator}state=#{Rack::Utils.escape(state)}"
+        redirect(location)
+      end
+
+      private
+
+      def authorization_code(request)
+        return json(401, { error: "invalid_client" }) unless valid_client?(request)
+
+        authorization = redeem_code(request)
+        return json(400, { error: "invalid_grant", error_description: "bad code or PKCE" }) if authorization.nil?
+
+        issue(authorization)
+      end
+
+      def refresh(request)
+        authorization = refresh_tokens.take(request.params["refresh_token"]) # single-use, rotated
+        return json(400, { error: "invalid_grant" }) if authorization.nil?
+
+        issue(authorization)
+      end
+
+      def issue(authorization)
+        access_token = SecureRandom.hex(20)
+        refresh_token = SecureRandom.hex(20)
+        # Record the pair so revoking one revokes the other (RFC 7009).
+        authorization.access_token = access_token
+        authorization.refresh_token = refresh_token
+        access_tokens.put(access_token, authorization, ttl: config.access_token_ttl) # /userinfo resolves it
+        refresh_tokens.put(refresh_token, authorization, ttl: config.refresh_token_ttl)
+
+        body = {
+          access_token: access_token,
+          id_token: minter.id_token(authorization.identity, nonce: authorization.nonce,
+                                                            audience: authorization.client_id),
+          token_type: "Bearer",
+          expires_in: config.access_token_ttl,
+          refresh_token: refresh_token
+        }
+        body[:scope] = authorization.scope unless authorization.scope.to_s.empty?
+        json(200, body)
+      end
+
+      # Lenient by default: only enforced when clients are configured.
+      def valid_client?(request)
+        return true if config.clients.empty?
+
+        config.clients.any? { |client| client[:client_id] == request.params["client_id"] }
+      end
+    end
+  end
+end

data/lib/identizer/handlers/overview.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # The web-admin home: status, the provider cheatsheet, and links into the rest.
+    class Overview < Base
+      def index(request)
+        page("overview/index", request, nav: :overview, title: "Overview",
+                                        config: config, count: directory_size)
+      end
+
+      private
+
+      def directory_size
+        store.respond_to?(:entries) ? store.entries.size : store.emails.size
+      end
+    end
+  end
+end

data/lib/identizer/handlers/saml.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+require "rexml/document"
+require "zlib"
+
+module Identizer
+  module Handlers
+    # A real SAML 2.0 IdP: signed metadata, an SSO endpoint that handles SP- and
+    # IdP-initiated requests, and a signed-Response auto-POST back to the SP's
+    # assertion consumer service. Signing is done by Identizer::Saml (nokogiri),
+    # required lazily so it is only loaded when actually producing a Response.
+    class Saml < Base
+      EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      MAX_AUTHN_REQUEST = 100_000 # reject oversized SAMLRequest (deflate-bomb guard)
+
+      def metadata(request)
+        headers = {}
+        headers["content-disposition"] = "attachment; filename=\"identizer-metadata.xml\"" if request.params["download"]
+        xml(metadata_xml, headers: headers)
+      end
+
+      # SP-initiated (a SAMLRequest) or IdP-initiated (?acs=...): show the login form.
+      def sso(request)
+        context = authn_context(request)
+        return json(400, { error: "no AssertionConsumerServiceURL" }) if context[:acs].to_s.empty?
+        return saml_error("ACS not allowed: #{escape_html(context[:acs])}") unless config.acs_allowed?(context[:acs])
+
+        login_form(request.script_name, context)
+      end
+
+      # Validate the login and POST a signed SAML Response back to the SP.
+      def finish(request)
+        email = request.params["email"].to_s.strip
+        return saml_error("Invalid credentials") unless request.params["password"] == config.shared_password
+        return saml_error("Unknown user: #{escape_html(email)}") unless store.emails.include?(email)
+
+        acs = request.params["acs"].to_s
+        return saml_error("ACS not allowed: #{escape_html(acs)}") unless config.acs_allowed?(acs)
+
+        response = build_response(store.identity_for(email), acs, request)
+        html(auto_post(acs, response, request.params["relay_state"].to_s))
+      end
+
+      private
+
+      def build_response(identity, acs, request)
+        require "identizer/saml"
+        audience = present(request.params["audience"]) || acs
+        Identizer::Saml::ResponseBuilder.new(config, config.saml_keypair).build_base64(
+          identity: identity, acs_url: acs, audience: audience,
+          in_response_to: present(request.params["in_response_to"])
+        )
+      end
+
+      def authn_context(request)
+        saml_request = request.params["SAMLRequest"].to_s
+        relay_state = request.params["RelayState"].to_s
+        base = { relay_state: relay_state }
+
+        if saml_request.empty?
+          base.merge(acs: request.params["acs"], audience: present(request.params["audience"]), in_response_to: nil)
+        else
+          parsed = parse_authn_request(saml_request, request.request_method)
+          base.merge(acs: parsed[:acs] || request.params["acs"], audience: parsed[:issuer], in_response_to: parsed[:id])
+        end
+      end
+
+      def parse_authn_request(value, method)
+        return {} if value.bytesize > MAX_AUTHN_REQUEST
+
+        raw = Base64.decode64(value)
+        xml = method == "GET" ? inflate(raw) : raw
+        document = REXML::Document.new(xml)
+        root = document.root
+        issuer = REXML::XPath.first(document, "//*[local-name()='Issuer']")&.text
+        { acs: root&.attributes&.[]("AssertionConsumerServiceURL"), id: root&.attributes&.[]("ID"), issuer: issuer }
+      rescue StandardError
+        {}
+      end
+
+      def inflate(raw)
+        out = Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(raw)
+        raise "SAMLRequest too large" if out.bytesize > 5_000_000
+
+        out
+      rescue StandardError
+        raw
+      end
+
+      def present(value)
+        value.to_s.empty? ? nil : value
+      end
+
+      def metadata_xml
+        base = config.base_url
+        <<~XML
+          <?xml version="1.0" encoding="UTF-8"?>
+          <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="#{base}/metadata">
+            <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false">
+              <KeyDescriptor use="signing">
+                <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                  <X509Data><X509Certificate>#{config.saml_keypair.certificate_base64}</X509Certificate></X509Data>
+                </KeyInfo>
+              </KeyDescriptor>
+              <NameIDFormat>#{EMAIL_FORMAT}</NameIDFormat>
+              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="#{base}/saml/sso"/>
+              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="#{base}/saml/sso"/>
+            </IDPSSODescriptor>
+          </EntityDescriptor>
+        XML
+      end
+
+      def login_form(prefix, context)
+        render_login(
+          title: "Identizer — SAML sign in", heading: "Identizer — SAML sign in",
+          note: "Signing in to <code>#{escape_html(context[:acs])}</code>. Password for every identity: " \
+                "<code>#{escape_html(config.shared_password)}</code>.",
+          form_method: "post", action: "#{prefix}/saml/finish",
+          hidden: [["acs", context[:acs]], ["audience", context[:audience]],
+                   ["in_response_to", context[:in_response_to]], ["relay_state", context[:relay_state]]],
+          config_link: ""
+        )
+      end
+
+      def saml_error(message_html)
+        notice_page("SAML error", message_html)
+      end
+
+      def auto_post(acs, saml_response, relay_state)
+        relay = relay_state.empty? ? "" : %(<input type="hidden" name="RelayState" value="#{escape_html(relay_state)}">)
+        <<~HTML
+          <!doctype html><html><body onload="document.forms[0].submit()">
+            <form method="post" action="#{escape_html(acs)}">
+              <input type="hidden" name="SAMLResponse" value="#{escape_html(saml_response)}">
+              #{relay}
+              <noscript><button type="submit">Continue</button></noscript>
+            </form>
+          </body></html>
+        HTML
+      end
+    end
+  end
+end

data/lib/identizer/handlers/settings.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Handlers
+    # View and edit runtime settings (shared password, token signing), persisted
+    # to settings.json so the standalone server picks them up on the next boot.
+    class Settings < Base
+      def show(request)
+        page("settings/index", request, nav: :settings, title: "Settings", config: config)
+      end
+
+      def update(request)
+        password = request.params["shared_password"].to_s
+        config.shared_password = password unless password.empty?
+        config.signing = request.params["signing"] == "rs256" ? :rs256 : :hs256
+        config.persist_settings!
+
+        redirect("#{request.script_name}/settings")
+      end
+    end
+  end
+end

data/lib/identizer/identity.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Identizer
+  # A signed-in identity: a subject id, an email, and an arbitrary bag of
+  # additional claims (given_name, family_name, groups, ...). `to_h` is what the
+  # provider encodes into id_tokens and returns from /userinfo.
+  class Identity
+    attr_reader :sub, :email, :claims
+
+    def initialize(email:, sub: nil, claims: {})
+      @email = email.to_s
+      @sub = (sub || "identizer|#{@email}").to_s
+      @claims = stringify(claims)
+    end
+
+    # Coerce a Hash, String (email) or Identity into an Identity.
+    def self.from(value)
+      return value if value.is_a?(Identity)
+
+      attrs = value.is_a?(Hash) ? value.transform_keys(&:to_sym) : { email: value }
+      claims = attrs[:claims] || attrs.except(:email, :sub)
+      new(email: attrs[:email], sub: attrs[:sub], claims: claims)
+    end
+
+    def to_h
+      { "sub" => sub, "email" => email }.merge(claims)
+    end
+
+    def ==(other)
+      other.is_a?(Identity) && other.to_h == to_h
+    end
+
+    private
+
+    def stringify(hash)
+      (hash || {}).each_with_object({}) { |(k, v), acc| acc[k.to_s] = v }
+    end
+  end
+end

data/lib/identizer/identity_store/sqlite_store.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "sqlite3"
+require "json"
+
+module Identizer
+  module IdentityStore
+    # Optional SQLite-backed directory. Same interface as ConfigStore, so it drops
+    # in via `config.identity_store`. Requires the `sqlite3` gem (not a default
+    # dependency) — add it to your Gemfile to use this adapter.
+    #
+    #   require "identizer/identity_store/sqlite_store"
+    #   config.identity_store = Identizer::IdentityStore::SqliteStore.new(path: "dev.sqlite3")
+    class SqliteStore
+      def initialize(path:, base_dn: DirectoryEntry::DEFAULT_BASE_DN, seed: [])
+        @base_dn = base_dn
+        @db = SQLite3::Database.new(path.to_s)
+        @db.execute("CREATE TABLE IF NOT EXISTS entries (mail TEXT PRIMARY KEY, data TEXT NOT NULL)")
+        seed_if_empty(Array(seed))
+      end
+
+      def entries
+        @db.execute("SELECT data FROM entries ORDER BY mail").map do |row|
+          DirectoryEntry.from(JSON.parse(row[0]), base_dn: @base_dn)
+        end
+      end
+
+      def emails
+        entries.map(&:mail)
+      end
+
+      def identity_for(email)
+        email = email.to_s.strip
+        return nil if email.empty?
+
+        entry = entries.find { |candidate| candidate.mail == email }
+        (entry || DirectoryEntry.from({ "mail" => email }, base_dn: @base_dn)).to_identity
+      end
+
+      def upsert(attrs)
+        entry = DirectoryEntry.from(attrs, base_dn: @base_dn)
+        @db.execute(<<~SQL, [entry.mail, JSON.generate(entry.to_h)])
+          INSERT INTO entries (mail, data) VALUES (?, ?)
+          ON CONFLICT(mail) DO UPDATE SET data = excluded.data
+        SQL
+        entry
+      end
+
+      def delete(email)
+        @db.execute("DELETE FROM entries WHERE mail = ?", [email.to_s.strip])
+      end
+
+      private
+
+      def seed_if_empty(seed)
+        return if seed.empty?
+        return if @db.get_first_value("SELECT COUNT(*) FROM entries").to_i.positive?
+
+        @db.transaction { seed.each { |entry| upsert(DirectoryEntry.from(entry, base_dn: @base_dn).to_h) } }
+      end
+    end
+  end
+end

data/lib/identizer/identity_store.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Identizer
+  # An identity store is the "user directory" half of the provider. The provider
+  # only needs this duck-typed read interface, so any backend (the default JSON
+  # ConfigStore, a future SQLite adapter, an app's own DB) can be plugged in via
+  # `config.identity_store`:
+  #
+  #   #emails              -> Array<String>  the addresses the login form accepts
+  #   #identity_for(email) -> Identity|nil   resolve an address to an Identity
+  #
+  # For full management through the web admin a store also exposes the directory
+  # interface: #entries, #upsert(attrs), #delete(email) (the default does).
+  module IdentityStore
+    # Default store: an LDAP-flavoured directory persisted to a JSON file the web
+    # admin writes, seeded from in-code DirectoryEntry seeds until the file fills.
+    class ConfigStore
+      def initialize(path:, seed: [], base_dn: DirectoryEntry::DEFAULT_BASE_DN)
+        @path = path
+        @base_dn = base_dn
+        @seed = Array(seed).map { |entry| DirectoryEntry.from(entry, base_dn: base_dn) }
+      end
+
+      def entries
+        hashes = read
+        return @seed if hashes.nil? # no usable file yet -> fall back to the seed
+
+        hashes.map { |entry| DirectoryEntry.from(entry, base_dn: @base_dn) }
+      end
+
+      def emails
+        entries.map(&:mail)
+      end
+
+      def identity_for(email)
+        email = email.to_s.strip
+        return nil if email.empty?
+
+        entry = entries.find { |candidate| candidate.mail == email }
+        (entry || DirectoryEntry.from({ "mail" => email }, base_dn: @base_dn)).to_identity
+      end
+
+      # Create or replace a directory entry, keyed by mail.
+      def upsert(attrs)
+        entry = DirectoryEntry.from(attrs, base_dn: @base_dn)
+        remaining = current_hashes.reject { |hash| hash["mail"] == entry.mail }
+        write(remaining + [entry.to_h])
+        entry
+      end
+
+      def delete(email)
+        email = email.to_s.strip
+        write(current_hashes.reject { |hash| hash["mail"] == email })
+      end
+
+      private
+
+      def current_hashes
+        entries.map(&:to_h)
+      end
+
+      # Returns the persisted entry hashes (possibly empty), or nil when there is
+      # no usable file yet — nil is what triggers the seed fallback.
+      def read
+        return nil unless File.exist?(@path)
+
+        data = JSON.parse(File.read(@path))
+        data["entries"] || data["identities"] || legacy(data) || []
+      rescue StandardError
+        nil
+      end
+
+      # Accept the {"emails": [...]} shape too, so simple configs keep working.
+      def legacy(data)
+        return nil unless data["emails"].is_a?(Array)
+
+        data["emails"].map { |email| { "mail" => email } }
+      end
+
+      def write(entries)
+        FileUtils.mkdir_p(File.dirname(@path))
+        File.write(@path, JSON.generate("entries" => entries))
+      end
+    end
+  end
+end

data/lib/identizer/ldap/filter.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Identizer
+  module Ldap
+    # Matches an LDAP search filter (as parsed by Net::LDAP's BER reader) against
+    # an entry's attribute hash. Operates directly on the BER structure, keyed by
+    # ber_identifier, so it supports the compound filters Net::LDAP::Filter#match
+    # does not (and / or / not), plus equality, presence and substrings.
+    module Filter
+      AND       = 0xa0
+      OR        = 0xa1
+      NOT       = 0xa2
+      EQUALITY  = 0xa3
+      SUBSTRING = 0xa4
+      PRESENT   = 0x87
+
+      module_function
+
+      def match?(filter, attributes)
+        case filter.ber_identifier
+        when AND       then filter.all? { |sub| match?(sub, attributes) }
+        when OR        then filter.any? { |sub| match?(sub, attributes) }
+        when NOT       then !match?(filter.first, attributes)
+        when EQUALITY  then equality?(filter, attributes)
+        when SUBSTRING then substring?(filter, attributes)
+        when PRESENT   then present?(filter, attributes)
+        else true # unsupported filter types match everything (permissive for a test IdP)
+        end
+      end
+
+      def equality?(filter, attributes)
+        wanted = filter[1].to_s
+        values(attributes, filter[0].to_s).any? { |value| value.casecmp?(wanted) }
+      end
+
+      def present?(filter, attributes)
+        name = filter.to_s
+        return true if name.casecmp?("objectclass")
+
+        !values(attributes, name).empty?
+      end
+
+      def substring?(filter, attributes)
+        parts = Array(filter[1]).map { |part| Regexp.escape(part.to_s) }
+        return true if parts.empty?
+
+        pattern = Regexp.new(parts.join(".*"), Regexp::IGNORECASE)
+        values(attributes, filter[0].to_s).any? { |value| pattern.match?(value) }
+      end
+
+      # Case-insensitive attribute lookup -> array of string values.
+      def values(attributes, name)
+        key = attributes.keys.find { |candidate| candidate.to_s.casecmp?(name) }
+        key ? Array(attributes[key]).map(&:to_s) : []
+      end
+    end
+  end
+end