leash_provider 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0c0be375cbb6253ccc5da502a1a99ae947a35374
+  data.tar.gz: 632504ad3d0dc3cfc9dc572c97821c5b040b8487
+SHA512:
+  metadata.gz: 11b1cee0a728b76afe7b9ad1111e3644efda0ee25dde08d6d33ae87766c088ab35e96cad127368fea7d23a81ba04df6e1e1aa2056a4a950df57af3fdead22a9f
+  data.tar.gz: 8245c45f44f494691f2df264471feee46d72925999e99779af3235f6ea82de0561560af0b10f356817e62c982822d9b48d77157df9a0a8af6e7b5769f2bfdb9f

data/.gitignore

@@ -0,0 +1,4 @@
+/.ruby-version
+*.sqlite
+/spec/internal/log/
+*.gem

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--format documentation

data/.travis.yml

@@ -0,0 +1,4 @@
+rvm:
+  - 2.2.1
+services:
+  - redis-server

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+gemspec
+

data/Gemfile.lock

@@ -0,0 +1,165 @@
+PATH
+  remote: .
+  specs:
+    leash_provider (0.0.1)
+      devise
+      ohm
+      rails (~> 4.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.1)
+      actionview (= 4.2.1)
+      activesupport (= 4.2.1)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.1)
+      activesupport (= 4.2.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.1)
+      activesupport (= 4.2.1)
+      builder (~> 3.1)
+    activerecord (4.2.1)
+      activemodel (= 4.2.1)
+      activesupport (= 4.2.1)
+      arel (~> 6.0)
+    activesupport (4.2.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    arel (6.0.0)
+    bcrypt (3.1.10)
+    builder (3.2.2)
+    combustion (0.5.3)
+      activesupport (>= 3.0.0)
+      railties (>= 3.0.0)
+      thor (>= 0.14.6)
+    devise (3.4.1)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 3.2.6, < 5)
+      responders
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    factory_girl (4.5.0)
+      activesupport (>= 3.0.0)
+    factory_girl_rails (4.5.0)
+      factory_girl (~> 4.5.0)
+      railties (>= 3.0.0)
+    globalid (0.3.5)
+      activesupport (>= 4.1.0)
+    hiredis (0.6.0)
+    i18n (0.7.0)
+    json (1.8.2)
+    loofah (2.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.5)
+    mini_portile (0.6.2)
+    minitest (5.6.1)
+    msgpack (0.5.11)
+    nido (0.0.1)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    ohm (2.2.0)
+      msgpack
+      nido
+      redic
+      stal
+    orm_adapter (0.5.0)
+    rack (1.6.1)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails (4.2.1)
+      actionmailer (= 4.2.1)
+      actionpack (= 4.2.1)
+      actionview (= 4.2.1)
+      activejob (= 4.2.1)
+      activemodel (= 4.2.1)
+      activerecord (= 4.2.1)
+      activesupport (= 4.2.1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.1)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.6)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    railties (4.2.1)
+      actionpack (= 4.2.1)
+      activesupport (= 4.2.1)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.4.2)
+    redic (1.5.0)
+      hiredis
+    responders (2.1.0)
+      railties (>= 4.2.0, < 5)
+    rspec-core (3.2.3)
+      rspec-support (~> 3.2.0)
+    rspec-expectations (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-mocks (3.2.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.2.0)
+    rspec-rails (3.2.1)
+      actionpack (>= 3.0, < 4.3)
+      activesupport (>= 3.0, < 4.3)
+      railties (>= 3.0, < 4.3)
+      rspec-core (~> 3.2.0)
+      rspec-expectations (~> 3.2.0)
+      rspec-mocks (~> 3.2.0)
+      rspec-support (~> 3.2.0)
+    rspec-support (3.2.2)
+    sprockets (3.1.0)
+      rack (~> 1.0)
+    sprockets-rails (2.3.1)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.10)
+    stal (0.1.0)
+      redic
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    warden (1.2.3)
+      rack (>= 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  combustion (~> 0.5.3)
+  factory_girl_rails (~> 4.0)
+  leash_provider!
+  rake
+  rspec-rails
+  sqlite3

data/README.md

@@ -0,0 +1,56 @@
+# leash-provider
+
+[![Build Status](https://travis-ci.org/mspanc/leash-provider.svg?branch=master)](https://travis-ci.org/mspanc/leash-provider)
+
+High-performance Ruby on Rails OAuth2 provider for a closed set of trusted apps with multiple roles support.
+
+## Use cases
+
+Leash is built to support the following scenario:
+
+* You build a system that consists of multiple apps.
+* List of the apps does not change too often and apps are not created during system runtime.
+* You want to have a central authentication system for these apps but authorization can vary from app to app.
+* You have a few fundamentally different user classes (user, admin etc.).
+* These apps are trusted, in other words: if app talks to auth server with valid credentials, you don't ask user whether he/she allows to enable data flow.
+
+Potential use cases are:
+
+* Intranet.
+* Larger websites that are decoupled into several smaller apps.
+
+## Fundamental ideas
+
+* As the app list is fixed, let's store their credentials in ENV. Fast, easy to maintain and compatible with 12factor.
+* As tokens are not very persistent, let's use redis for storing them.
+* As such app can be a subject of high load, let's use redis as a backend.
+* Do not reinvent the wheel, let's use devise for authentication.
+
+## Supported OAuth 2 flows
+
+* Authorization Code (for apps running on a web server)
+* Implicit (for browser-based or mobile apps)
+
+## Unsupported features
+
+At the moment, Leash does not support:
+
+* Any other flows than mentioned above.
+* Scopes.
+* Token refreshing and invalidation.
+
+## Compatible ruby version
+
+* Leash is tested with ruby 2.2.1.
+
+## Status
+
+Work in progress. Early stage of development.
+
+## License
+
+MIT
+
+## Author
+
+Marcin Lewandowski

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task test: [:spec]
+task default: :test

data/app/controllers/leash/provider/authorize_controller.rb

@@ -0,0 +1,92 @@
+class Leash::Provider::AuthorizeController < Leash::ProviderController
+  RESPONSE_TYPES   = [ "token", "code" ].freeze
+
+  before_action :determine_response_type!
+  before_action :determine_client_id!
+  before_action :determine_redirect_url!
+  before_action :determine_user_role!
+  before_action :authenticate_user_by_role!
+
+
+  def authorize
+    case @response_type
+    when "token"
+      if Leash::Provider.reuse_access_tokens == true
+        access_token_obj = Leash::Provider::AccessToken.find_by_app_name_and_owner @app_name, current_owner
+
+        if access_token_obj
+          access_token = access_token_obj.access_token
+        else
+          access_token = Leash::Provider::AccessToken.assign! @app_name, current_owner
+        end
+
+      else
+        access_token = Leash::Provider::AccessToken.assign! @app_name, current_owner
+      end
+
+      Rails.logger.info "[Leash::Provider] Authorize ok: response_type=#{@response_type} app_name=#{@app_name} current_owner=#{current_owner} access_token=#{access_token} request_ip=#{request.remote_ip} request_user_agent=#{request.user_agent}"
+      redirect_to params[:redirect_uri] + "#access_token=#{URI.encode(access_token)}"
+
+    when "code"
+      auth_code = Leash::Provider::AuthCode.assign! @app_name, current_owner
+  
+      Rails.logger.info "[Leash::Provider] Authorize ok: response_type=#{@response_type} current_owner=#{current_owner} auth_code=#{auth_code} request_ip=#{request.remote_ip} request_user_agent=#{request.user_agent}"
+      redirect_to params[:redirect_uri] + "?code=#{URI.encode(auth_code)}"
+
+    else
+      fail "Should not be reached"
+    end
+  end
+
+
+  protected
+
+
+  def callback_with_error(error_code, message)
+    Rails.logger.warn "[Leash::Provider] Authorize error: #{error_code} (#{message})"
+
+    case @response_type
+    when "token"
+      if @redirect_url
+        redirect_to @redirect_urls.first + "#error=#{error_code}"
+      else
+        render text: error_code, status: :unprocessable_entity
+      end
+
+    when "code"
+      render text: error_code, status: :unprocessable_entity
+    
+    else
+      fail "Should not be reached"
+    end
+  end
+
+
+  def determine_user_role!
+    params.require("user_role")
+
+    if Leash::Provider.user_roles.include? params[:user_role].to_s
+      @user_role = params[:user_role]
+      @user_role_underscored = params[:user_role].underscore.gsub("/", "_")
+
+    else
+      callback_with_error "invalid_user_role", "Authorize error: Unknown role of '#{params[:user_role]}'"
+    end
+  end
+
+
+  def determine_response_type!
+    params.require("response_type")
+
+    if RESPONSE_TYPES.include? params[:response_type]
+      @response_type = params[:response_type]
+    else
+      callback_with_error "unknown_response_type", "Unknown response type of '#{params[:response_type]}'"
+    end
+  end
+
+
+  def authenticate_user_by_role!
+    send "authenticate_#{@user_role_underscored}!"
+  end
+end

data/app/controllers/leash/provider/token_controller.rb

@@ -0,0 +1,48 @@
+class Leash::Provider::TokenController < Leash::ProviderController
+  GRANT_TYPES = [ "authorization_code" ].freeze
+
+  before_action :determine_grant_type!
+  before_action :determine_client_id!
+  before_action :determine_client_secret!
+
+
+  def token
+    case @grant_type
+    when "authorization_code"
+      params.require("code")
+
+      if Leash::AuthCode.valid?(params[:code])
+        access_token = Leash::Provider::AccessToken.assign_from_auth_code! Leash::Provider::AuthCode.find_by_auth_code(params[:code])
+        
+        render json: { access_token: access_token }
+      end
+
+    else
+      fail "Should not be reached"
+    end
+  end
+
+
+  protected
+
+
+  def callback_with_error(error_code, message)
+    Rails.logger.warn "[Leash::Provider] Token error: #{error_code} (#{message})"
+    
+    case @grant_type
+    when "authorization_code"
+      render json: { error: error_code }, status: :unprocessable_entity
+    end
+  end
+
+
+  def determine_grant_type!
+    params.require("grant_type")
+
+    if GRANT_TYPES.include? params[:grant_type]
+      @grant_type = params[:grant_type]
+    else
+      callback_with_error "unknown_grant_type", "Unknown grant type of '#{params[:grant_type]}'"
+    end
+  end
+end

data/app/controllers/leash/provider_controller.rb

@@ -0,0 +1,63 @@
+class Leash::ProviderController < LeashController
+  include Devise::Controllers::Helpers
+
+  CLIENT_ID_REGEXP = /\AAPP\_([A-Z0-9\_]+)\_OAUTH2\_CLIENT\_ID\z/.freeze
+
+  protected
+
+  def current_owner
+    send("current_#{@user_role_underscored}")
+  end
+
+
+  def determine_client_id!
+    params.require("client_id")
+
+    # FIXME can be suboptimal but for now let it be
+    # Env vars simplicity FTW!
+    ENV.find{ |k,v| k =~ CLIENT_ID_REGEXP and v == params[:client_id] }
+    if $1
+      @client_id = params[:client_id]
+      @env_name = $1.dup
+      @app_name = @env_name.gsub("_", "-").downcase
+
+    else
+      callback_with_error "unknown_client_id", "Unknown client ID '#{params[:client_id]}'"
+    end
+  end
+
+
+  def determine_redirect_url!
+    params.require("redirect_uri")
+
+    @redirect_url = ENV["APP_#{@env_name}_OAUTH2_REDIRECT_URL"]
+    if @redirect_url and not @redirect_url.blank?
+      @redirect_urls = @redirect_url.split(" ")
+      unless @redirect_urls.include? params[:redirect_uri]
+        callback_with_error "invalid_redirect_uri", "Redirect URL mismatch (should be '#{@redirect_url}', given '#{params[:redirect_uri]}'"
+      end
+    
+    else
+      callback_with_error "unknown_redirect_uri", "Unable to find redirect URL associated with app '#{@app_name}'"
+    end
+  end
+
+
+  def determine_client_secret!
+    params.require("client_secret")
+
+    @client_secret = ENV["APP_#{@env_name}_OAUTH2_SECRET"]
+    if @client_secret
+      unless @client_secret == params[:client_secret]
+        callback_with_error "invalid_secret", "Secret mismatch"
+      end      
+    else
+      callback_with_error "unknown_secret", "Unable to find secret associated with app '#{@app_name}'"
+    end
+  end
+
+
+  def callback_with_error(error_code, message)
+    fail "Please override this method"
+  end
+end