keycloak_oauth 0.1.5 → 0.1.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c4e4bd1db90c3f3a2b6b16c41d339d50210d01052d1de2473a6c7dd99736e2f
-  data.tar.gz: 43cd08c9c3a233a307e1b87f8b8e842e0949d1c8cfe29a6f48ba4741d22dd6f2
+  metadata.gz: 4ff0dc0f042c247d145da35d78002bd2df0661c2715961e613af8d3fdc29f4c7
+  data.tar.gz: 8b388dd1ba17fa13d28963e6b358de48dc5e714a886e705842ad45020bb9b0c5
 SHA512:
-  metadata.gz: 8a3f24340b2967be6a3e0a3a7db140f74bf8a3b68ff73e933c1fa48b7975d18bf266c3b3663033270c3fd7ea6ab28dec88ae8b4806b218fe030dd4b9efb45a13
-  data.tar.gz: 508d3abe88044f5adcfdbbe47f08be2a7328d26d8a33acfbe31f8aa42213c54ec8042881a929401493d9ecc88ad6ac0549e150515deeed2c3004d751573f19fe
+  metadata.gz: 1bde5d1f50e865d856c755af7ab87a0f5e93697941276cde3bde1d92d20f6551ba9a5d412dd4c1e41c680f34f4bbeb05ff81c39363a10ed62fd7ee15cfb6892b
+  data.tar.gz: 13d1228bce48b5fffa1097d36726a3e5f1bcb0867f294b83d097a23422c81ef7f7f548224789a2b156c207c2767d9fcc51e2431c75cf58e570f1434494832e3b

data/README.md

@@ -88,6 +88,22 @@ def map_authenticatable(_request)
 end
 ```
 
+**Logging out**
+In order to log out, you can use the following API call:
+`KeycloakOauth.connection.logout(session: session)`
+
+Note that you need to pass in the session, as the gem needs to remove the Keycloak tokens from there.
+
+e.g.
+```ruby
+class SessionsController < ApplicationController
+  def destroy
+    KeycloakOauth.connection.logout(session: session)
+    redirect_to new_session_path
+  end
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/app/controllers/keycloak_oauth/callbacks_controller.rb

@@ -7,8 +7,7 @@ module KeycloakOauth
     def oauth2
       authentication_service = KeycloakOauth::AuthenticationService.new(
         authentication_params: authentication_params,
-        session: session,
-        redirect_uri: current_uri_without_params
+        session: session
       )
       authentication_service.authenticate
       map_authenticatable_if_implemented(session)
@@ -19,7 +18,7 @@ module KeycloakOauth
     private
 
     def authentication_params
-      params.permit(:code)
+      params.permit(:code).merge({ redirect_uri: current_uri_without_params })
     end
 
     def map_authenticatable_if_implemented(request)

data/app/services/keycloak_oauth/authentication_service.rb

@@ -1,59 +1,31 @@
-require 'net/http'
-
 module KeycloakOauth
-  class AuthenticationError < StandardError; end
-
   class AuthenticationService
-    GRANT_TYPE = 'authorization_code'.freeze
-    CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
     ACCESS_TOKEN_KEY = 'access_token'.freeze
     REFRESH_TOKEN_KEY = 'refresh_token'.freeze
 
-    attr_reader :session
+    attr_reader :session, :authentication_params
 
-    def initialize(authentication_params:, session:, redirect_uri:)
-      @code = authentication_params[:code]
+    def initialize(authentication_params:, session:)
+      @authentication_params = authentication_params
       @session = session
-      @redirect_uri = redirect_uri
     end
 
     def authenticate
-      store_credentials(get_tokens)
+      post_token_service = KeycloakOauth::PostTokenService.new(
+        connection: KeycloakOauth.connection,
+        request_params: authentication_params
+      )
+      post_token_service.perform
+      store_credentials(post_token_service)
     end
 
     private
 
-    attr_reader :code, :redirect_uri
-
-    def get_tokens
-      uri = URI.parse(KeycloakOauth.connection.authentication_endpoint)
-      Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
-        request = Net::HTTP::Post.new(uri)
-        request.set_content_type(CONTENT_TYPE)
-        request.set_form_data(token_request_params)
-        http.request(request)
-      end
-    end
-
-    def token_request_params
-      {
-        client_id: KeycloakOauth.connection.client_id,
-        client_secret: KeycloakOauth.connection.client_secret,
-        grant_type: GRANT_TYPE,
-        code: code,
-        redirect_uri: redirect_uri
-      }
-    end
-
-    def store_credentials(http_response)
-      response_hash = JSON.parse(http_response.body)
+    def store_credentials(post_token_service)
+      response_hash = post_token_service.parsed_response_body
 
-      if http_response.code_type == Net::HTTPOK
-        session[:access_token] = response_hash[ACCESS_TOKEN_KEY]
-        session[:refresh_token] = response_hash[REFRESH_TOKEN_KEY]
-      else
-        raise KeycloakOauth::AuthenticationError.new(response_hash)
-      end
+      session[:access_token] = response_hash[ACCESS_TOKEN_KEY]
+      session[:refresh_token] = response_hash[REFRESH_TOKEN_KEY]
     end
   end
 end

data/app/services/keycloak_oauth/authorizable_service.rb

@@ -0,0 +1,74 @@
+require 'net/http'
+
+module KeycloakOauth
+  class AuthorizableError < StandardError; end
+  class NotFoundError < StandardError; end
+
+  class AuthorizableService
+    HTTP_SUCCESS_CODES = [Net::HTTPOK, Net::HTTPNoContent, Net::HTTPCreated]
+    CONTENT_TYPE_X_WWW_FORM_URLENCODED = 'application/x-www-form-urlencoded'.freeze
+    CONTENT_TYPE_JSON = 'application/json'.freeze
+    AUTHORIZATION_HEADER = 'Authorization'.freeze
+
+    attr_reader :http_response, :parsed_response_body
+
+    def perform
+      @http_response = send_request
+      @parsed_response_body ||= parse_response_body(http_response)
+    end
+
+    def self.uri_with_supported_query_params(url, supported_params, given_params)
+      uri = URI.parse(url)
+
+      query_params = supported_params.inject({}) do |acc, query_param|
+        acc[query_param] = given_params[query_param] if given_params[query_param].present?
+        acc
+      end
+
+      log_unsupported_params(given_params.keys - supported_params)
+
+      uri.query = URI.encode_www_form(query_params) if query_params.values.any?
+      uri
+    end
+
+    private
+
+    def parse_response_body(http_response)
+      response_body = http_response.body.present? ? JSON.parse(http_response.body) : http_response.body
+
+      return response_body if HTTP_SUCCESS_CODES.include?(http_response.code_type)
+
+      # TODO: For now, we assume that the access token is always valid.
+      # We do not yet handle the case where a refresh token is passed in and
+      # used if the access token has expired.
+      raise KeycloakOauth::AuthorizableError.new(error_message_from(response_body))
+    end
+
+    def error_message_from(response)
+      # Keycloak sometimes sends back a hash containing the "errorMessage" key,
+      # other times it returns a hash containing the "error_description key" key
+      # and other times it returns an empty string. There could be more cases,
+      # but for the moment we are only handling these three.
+      case response.class.to_s
+      when 'Hash'
+        if response.has_key?('errorMessage')
+          return response['errorMessage']
+        elsif response.has_key?('error_description')
+          return response['error_description']
+        elsif response.has_key?('error')
+          return response['error']
+        end
+      when 'String'
+        return response
+      else
+        'Unexpected Keycloak error'
+      end
+    end
+
+    def self.log_unsupported_params(query_params)
+      query_params.each do |query_param|
+        Rails.logger.warn { "Unsupported query param was passed in: #{query_param}" }
+      end
+    end
+  end
+end

data/app/services/keycloak_oauth/get_users_service.rb

@@ -0,0 +1,42 @@
+require 'net/http'
+
+module KeycloakOauth
+  class GetUsersService < KeycloakOauth::AuthorizableService
+    SUPPORTED_QUERY_PARAMS = %i(briefRepresentation email first firstName lastName max search username)
+
+    attr_reader :connection, :options
+
+    def initialize(connection:, access_token:, refresh_token:, options: {})
+      @connection = connection
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @options = options
+    end
+
+    def send_request
+      get_users
+    end
+
+    private
+
+    attr_reader :access_token, :refresh_token
+
+    def get_users
+      uri = build_uri
+
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Get.new(uri)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        http.request(request)
+      end
+    end
+
+    def build_uri
+      self.class.uri_with_supported_query_params(
+        connection.users_endpoint,
+        SUPPORTED_QUERY_PARAMS,
+        options
+      )
+    end
+  end
+end

data/app/services/keycloak_oauth/logout_service.rb

@@ -0,0 +1,44 @@
+require 'net/http'
+
+module KeycloakOauth
+  class LogoutService < KeycloakOauth::AuthorizableService
+    def initialize(session)
+      @session = session
+    end
+
+    def send_request
+      post_logout
+    end
+
+    private
+
+    attr_accessor :session
+
+    def post_logout
+      uri = URI.parse(KeycloakOauth.connection.logout_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(CONTENT_TYPE_X_WWW_FORM_URLENCODED)
+        request.set_form_data(logout_request_params)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        http.request(request)
+      end
+    end
+
+    def logout_request_params
+      {
+        client_id: KeycloakOauth.connection.client_id,
+        client_secret: KeycloakOauth.connection.client_secret,
+        refresh_token: refresh_token
+      }
+    end
+
+    def access_token
+      session[:access_token]
+    end
+
+    def refresh_token
+      session[:refresh_token]
+    end
+  end
+end

data/app/services/keycloak_oauth/post_token_service.rb

@@ -0,0 +1,43 @@
+require 'net/http'
+
+module KeycloakOauth
+  class PostTokenService < KeycloakOauth::AuthorizableService
+    DEFAULT_GRANT_TYPE = 'authorization_code'.freeze
+
+    attr_reader :request_params, :connection
+
+    def initialize(connection:, access_token: nil, refresh_token: nil, request_params:)
+      @connection = connection
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @request_params = request_params
+    end
+
+    def send_request
+      post_token
+    end
+
+    private
+
+    attr_reader :code, :redirect_uri, :access_token, :refresh_token
+
+    def post_token
+      uri = URI.parse(connection.authentication_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}" if access_token.present?
+        request.set_content_type(CONTENT_TYPE_X_WWW_FORM_URLENCODED)
+        request.set_form_data(token_request_params)
+        http.request(request)
+      end
+    end
+
+    def token_request_params
+      {
+        client_id: connection.client_id,
+        client_secret: connection.client_secret,
+        grant_type: DEFAULT_GRANT_TYPE
+      }.merge(request_params)
+    end
+  end
+end

data/app/services/keycloak_oauth/post_users_service.rb

@@ -0,0 +1,47 @@
+require 'net/http'
+
+module KeycloakOauth
+  class DuplicationError < StandardError; end
+
+  class PostUsersService < KeycloakOauth::AuthorizableService
+    attr_reader :request_params, :connection, :user_params
+
+    def initialize(connection:, access_token:, refresh_token:, user_params:)
+      @connection = connection
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @user_params = user_params
+    end
+
+    def send_request
+      post_users
+    end
+
+    private
+
+    attr_accessor :access_token, :refresh_token
+
+    def post_users
+      uri = URI.parse(connection.users_endpoint)
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Post.new(uri)
+        request.set_content_type(CONTENT_TYPE_JSON)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        request.body = user_params.to_json
+        http.request(request)
+      end
+    end
+
+    def parse_response_body(http_response)
+      super
+    rescue KeycloakOauth::AuthorizableError => exception
+      raise exception unless is_exception_a_duplication?(exception)
+      raise KeycloakOauth::DuplicationError.new(exception)
+    end
+
+    def is_exception_a_duplication?(exception)
+      exception.message == "User exists with same email" ||
+      exception.message == "User exists with same username"
+    end
+  end
+end

data/app/services/keycloak_oauth/put_execute_actions_email_service.rb

@@ -0,0 +1,57 @@
+require 'net/http'
+
+module KeycloakOauth
+  class PutExecuteActionsEmailService < KeycloakOauth::AuthorizableService
+    SUPPORTED_QUERY_PARAMS = %i(client_id lifespan redirect_uri)
+
+    attr_reader :connection, :user_id, :actions, :options
+
+    def initialize(connection: KeycloakOauth.connection, access_token:, refresh_token:, user_id:, actions:, options: {})
+      @connection = connection
+      @access_token = access_token
+      @refresh_token = refresh_token
+      @user_id = user_id
+      @actions = actions
+      @options = options
+    end
+
+    def send_request
+      put_execute_actions_email
+    end
+
+    private
+
+    attr_accessor :access_token, :refresh_token
+
+    def put_execute_actions_email
+      uri = build_uri
+
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        request = Net::HTTP::Put.new(uri)
+        request.set_content_type(CONTENT_TYPE_JSON)
+        request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
+        request.body = actions.to_json
+        http.request(request)
+      end
+    end
+
+    def build_uri
+      self.class.uri_with_supported_query_params(
+        connection.put_execute_actions_email_endpoint(user_id),
+        SUPPORTED_QUERY_PARAMS,
+        options
+      )
+    end
+
+    def parse_response_body(http_response)
+      super
+    rescue KeycloakOauth::AuthorizableError => exception
+      raise exception unless not_found_error?(exception)
+      raise KeycloakOauth::NotFoundError.new(exception)
+    end
+
+    def not_found_error?(exception)
+      exception.message == "User not found"
+    end
+  end
+end

data/app/services/keycloak_oauth/user_info_retrieval_service.rb

@@ -1,45 +1,30 @@
 require 'net/http'
 
 module KeycloakOauth
-  class UserInfoRetrievalError < StandardError; end
-
-  class UserInfoRetrievalService
-    AUTHORIZATION_HEADER = 'Authorization'.freeze
-    CONTENT_TYPE = 'application/x-www-form-urlencoded'.freeze
-
+  class UserInfoRetrievalService < KeycloakOauth::AuthorizableService
     attr_reader :user_information
 
-    def initialize(access_token:)
+    def initialize(access_token:, refresh_token:)
       @access_token = access_token
+      @refresh_token = refresh_token
     end
 
-    def retrieve
-      @user_information = parsed_user_information(get_user)
+    def send_request
+      get_user
     end
 
     private
 
-    attr_accessor :access_token
+    attr_accessor :access_token, :refresh_token
 
     def get_user
       uri = URI.parse(KeycloakOauth.connection.user_info_endpoint)
       Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
         request = Net::HTTP::Get.new(uri)
-        request.set_content_type(CONTENT_TYPE)
+        request.set_content_type(CONTENT_TYPE_X_WWW_FORM_URLENCODED)
         request[AUTHORIZATION_HEADER] = "Bearer #{access_token}"
         http.request(request)
       end
     end
-
-    def parsed_user_information(http_response)
-      response_hash = JSON.parse(http_response.body)
-
-      return response_hash if http_response.code_type == Net::HTTPOK
-
-      # TODO: For now, we assume that the access token is always valid.
-      # We do not yet handle the case where a refresh token is passed in and
-      # used if the access token has expired.
-      raise KeycloakOauth::UserInfoRetrievalError.new(response_hash)
-    end
   end
 end

data/lib/keycloak_oauth/connection.rb

@@ -14,10 +14,18 @@ module KeycloakOauth
       @callback_module = callback_module
     end
 
-    def get_user_information(access_token:)
-      service = KeycloakOauth::UserInfoRetrievalService.new(access_token: access_token)
-      service.retrieve
-      service.user_information
+    def get_user_information(access_token:, refresh_token:)
+      service = KeycloakOauth::UserInfoRetrievalService.new(
+        access_token: access_token,
+        refresh_token: refresh_token
+      )
+      service.perform
+      service.parsed_response_body
+    end
+
+    def logout(session:)
+      service = KeycloakOauth::LogoutService.new(session)
+      service.perform
     end
   end
 end

data/lib/keycloak_oauth/endpoints.rb

@@ -16,5 +16,17 @@ module KeycloakOauth
     def user_info_endpoint
       "#{auth_url}/realms/#{realm}/protocol/openid-connect/userinfo"
     end
+
+    def logout_endpoint
+      "#{auth_url}/realms/#{realm}/protocol/openid-connect/logout"
+    end
+
+    def users_endpoint
+      "#{auth_url}/admin/realms/#{realm}/users"
+    end
+
+    def put_execute_actions_email_endpoint(user_id)
+      "#{auth_url}/admin/realms/#{realm}/users/#{user_id}/execute-actions-email"
+    end
   end
 end

data/lib/keycloak_oauth/version.rb

@@ -1,3 +1,3 @@
 module KeycloakOauth
-  VERSION = "0.1.5"
+  VERSION = "0.1.10"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keycloak_oauth
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.10
 platform: ruby
 authors:
 - simplificator
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-03 00:00:00.000000000 Z
+date: 2020-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -69,6 +69,12 @@ files:
 - Rakefile
 - app/controllers/keycloak_oauth/callbacks_controller.rb
 - app/services/keycloak_oauth/authentication_service.rb
+- app/services/keycloak_oauth/authorizable_service.rb
+- app/services/keycloak_oauth/get_users_service.rb
+- app/services/keycloak_oauth/logout_service.rb
+- app/services/keycloak_oauth/post_token_service.rb
+- app/services/keycloak_oauth/post_users_service.rb
+- app/services/keycloak_oauth/put_execute_actions_email_service.rb
 - app/services/keycloak_oauth/user_info_retrieval_service.rb
 - config/routes.rb
 - lib/keycloak_oauth.rb
@@ -99,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Implementing OAuth with Keycloak in Ruby