lobby_boy 0.1.0

data/config/initializers/omniauth.rb

@@ -0,0 +1,4 @@
+require 'omniauth'
+require 'lobby_boy/omni_auth/failure_endpoint'
+
+OmniAuth.config.on_failure = LobbyBoy::OmniAuth::FailureEndpoint

data/config/routes.rb

@@ -0,0 +1,6 @@
+LobbyBoy::Engine.routes.draw do
+  get 'session/check'
+  get 'session/state'
+  get 'session/end'
+  get 'session/refresh'
+end

data/lib/lobby_boy.rb

@@ -0,0 +1,6 @@
+require "lobby_boy/engine"
+require "lobby_boy/configuration"
+
+module LobbyBoy
+  extend Configuration
+end

data/lib/lobby_boy/configuration.rb

@@ -0,0 +1,80 @@
+module LobbyBoy
+  module Configuration
+    module HashInit
+      def initialize(attr)
+        attr.each do |name, value|
+          instance_variable_set "@#{name}", value
+        end
+      end
+    end
+
+    class Client
+      attr_reader :host, :cookie_domain,
+                  :logged_in, :end_session_endpoint,
+                  :refresh_offset, :refresh_interval,
+                  :on_login_js_partial, :on_logout_js_partial
+
+      include HashInit
+    end
+
+    class Provider
+      attr_reader :name,
+                  :client_id,
+                  :issuer,
+                  :end_session_endpoint,
+                  :check_session_iframe
+
+      include HashInit
+    end
+
+    def build_url(host, path)
+      if path =~ /^https?:\/\//
+        path
+      else
+        URI.join(host, path).to_s
+      end
+    end
+
+    def host_name(host_address)
+      URI.parse(host_address).host
+    end
+
+    def configure_client!(options)
+      opts = options.dup
+
+      opts[:end_session_endpoint] = build_url opts[:host], opts[:end_session_endpoint]
+      opts[:cookie_domain] ||=
+        if opts[:host].is_a? Symbol # e.g. :all to allow all domains
+          opts[:host]
+        else
+          host_name opts[:host]
+        end
+      opts[:refresh_offset] ||= 60.seconds
+      opts[:refresh_interval] ||= 30.seconds
+      opts[:logged_in] ||= lambda { false }
+
+      @client = Client.new opts
+    end
+
+    def configure_provider!(options)
+      opts = options.dup
+
+      opts[:end_session_endpoint] = build_url opts[:issuer], opts[:end_session_endpoint]
+      opts[:check_session_iframe] = build_url opts[:issuer], opts[:check_session_iframe]
+
+      @provider = Provider.new opts
+    end
+
+    def client
+      @client
+    end
+
+    def provider
+      @provider
+    end
+
+    def configured?
+      client && provider
+    end
+  end
+end

data/lib/lobby_boy/engine.rb

@@ -0,0 +1,31 @@
+module LobbyBoy
+  class Engine < ::Rails::Engine
+    isolate_namespace LobbyBoy
+
+    config.assets.precompile += %w( jquery.js js.cookie-1.5.1.min.js )
+
+    config.to_prepare do
+      require 'lobby_boy/patches/session_management'
+    end
+
+    ##
+    # Use CORS to allow AJAX re-reauthentication.
+    initializer 'lobby_boy.add_middleware' do |app|
+      require 'rack/cors'
+
+      app.middleware.insert_before 0, 'Rack::Cors' do
+        allow do
+          omniauth = ::OmniAuth.config.path_prefix
+
+          origins '*'
+          resource "#{omniauth}/*", headers: :any, methods: [:get], credentials: true
+        end
+
+        allow do
+          origins '*'
+          resource '/session/*', headers: :any, methods: [:get], credentials: true
+        end
+      end
+    end
+  end
+end

data/lib/lobby_boy/omni_auth/failure_endpoint.rb

@@ -0,0 +1,110 @@
+module LobbyBoy
+  module OmniAuth
+    # This is a copy of the default OmniAuth FailureEndpoint
+    # minus the raise_out! we don't want and plus the actual error message
+    # as opposed to always just 'missing_code'.
+    #
+    # Also when authentication with prompt=none fails it will retry with prompt=login.
+    class FailureEndpoint
+      attr_reader :env
+
+      def self.call(env)
+        new(env).call
+      end
+
+      def initialize(env)
+        @env = env
+      end
+
+      def call
+        if script?
+          redirect_to '/session/state?state=unauthenticated'
+        elsif retry?
+          retry_interactive
+        else
+          redirect_to_failure
+        end
+      end
+
+      def params
+        request.params
+      end
+
+      def request
+        @request ||= ::Rack::Request.new env
+      end
+
+      def error
+        env['omniauth.error'] || ::OmniAuth::Error.new(env['omniauth.error.type'])
+      end
+
+      def script?
+        origin =~ /#{script_name}\/session\/state/
+      end
+
+      def retry?
+        error.message == 'interaction_required'
+      end
+
+      def retry_interactive
+        url = "#{omniauth_path}/#{strategy.name}?#{origin_query_param}&prompt=login"
+
+        redirect_to url
+      end
+
+      def redirect_to_failure
+        params = [
+          message_query_param(error.message),
+          origin_query_param,
+          strategy_name_query_param
+        ]
+
+        url = omniauth_path + '/failure?' + params.compact.join('&')
+
+        redirect_to url
+      end
+
+      def omniauth_path
+        script_name + ::OmniAuth.config.path_prefix
+      end
+
+      def script_name
+        env['SCRIPT_NAME']
+      end
+
+      def message_query_param(message)
+        'message=' + escape(message)
+      end
+
+      def strategy_name_query_param
+        'strategy=' + escape(strategy.name) if strategy
+      end
+
+      def strategy
+        env['omniauth.error.strategy']
+      end
+
+      def origin
+        env['omniauth.origin']
+      end
+
+      def origin_query_param
+        'origin=' + escape(origin) if origin
+      end
+
+      module Functions
+        module_function
+
+        def redirect_to(url)
+          Rack::Response.new(['302 Moved'], 302, 'Location' => url.to_s).finish
+        end
+
+        def escape(string)
+          Rack::Utils.escape(string)
+        end
+      end
+
+      include Functions
+    end
+  end
+end

data/lib/lobby_boy/openid_connect/id_token.rb

@@ -0,0 +1,39 @@
+module LobbyBoy
+  module OpenIDConnect
+    ##
+    # Wraps a OpenIDConnect::ResponseObject::IdToken providing some useful
+    # methods for it.
+    class IdToken < SimpleDelegator
+      attr_accessor :jwt_token
+
+      ##
+      # Creates a new IdToken by decoding the given JWT token using the given public key.
+      #
+      # @param jwt_token [String] The JWT token received from the OpenID Connect provider.
+      # @param public_key [String] Public key or secret. Only required for signed tokens.
+      def initialize(jwt_token, public_key = nil)
+        @jwt_token = jwt_token
+        id_token = ::OpenIDConnect::ResponseObject::IdToken.decode jwt_token, public_key
+        super id_token
+      end
+
+      def expires_at
+        datetime_from_seconds __getobj__.exp
+      end
+
+      def issued_at
+        datetime_from_seconds __getobj__.iat
+      end
+
+      ##
+      # Number of seconds left until this ID token expires.
+      def expires_in
+        [0, __getobj__.exp - Time.now.to_i].max
+      end
+
+      def datetime_from_seconds(seconds)
+        DateTime.strptime seconds.to_s, '%s'
+      end
+    end
+  end
+end

data/lib/lobby_boy/patches/session_management.rb

@@ -0,0 +1,45 @@
+require 'omniauth/strategies/openid_connect'
+require 'lobby_boy/openid_connect/id_token'
+require 'lobby_boy/util/uri'
+
+module SessionManagement
+  ##
+  # Always append 'prompt=none' to every authorization request to make the login
+  # automatic if possible.
+  def authorize_uri
+    LobbyBoy::Util::URI.add_query_params super,
+                                         prompt: request.params['prompt'] || 'none',
+                                         id_token_hint: request.params['id_token_hint']
+  end
+
+  def access_token
+    return super unless LobbyBoy.configured?
+    
+    at = super
+
+    @id_token ||= begin
+      session_state = request.params['session_state']
+      id_token = ::LobbyBoy::OpenIDConnect::IdToken.new at.id_token
+      env['lobby_boy.id_token'] = id_token
+
+      if session_state
+        cookie = {
+            state: session_state,
+            expires_at: id_token.exp
+        }
+
+        env['lobby_boy.cookie'] = {
+            value: cookie.to_json,
+            expires: id_token.expires_in.seconds.from_now,
+            domain: LobbyBoy.client.cookie_domain
+        }
+
+        id_token
+      end
+    end
+
+    at
+  end
+end
+
+OmniAuth::Strategies::OpenIDConnect.prepend SessionManagement

data/lib/lobby_boy/util/uri.rb

@@ -0,0 +1,25 @@
+require 'uri'
+
+module LobbyBoy
+  module Util
+    module URI
+      module_function
+
+      def add_query_params(url, additional_params = {})
+        return nil if url.nil?
+
+        uri = ::URI.parse url.to_s
+        params = ::URI.decode_www_form(uri.query || '')
+
+        additional_params.each do |name, value|
+          if value
+            params << [name, value]
+          end
+        end
+
+        uri.query = ::URI.encode_www_form params
+        uri.to_s
+      end
+    end
+  end
+end

data/lib/lobby_boy/version.rb

@@ -0,0 +1,3 @@
+module LobbyBoy
+  VERSION = "0.1.0"
+end

data/lib/tasks/lobby_boy_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :lobby_boy do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: lobby_boy
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Finn GmbH
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-07-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.21
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.21
+- !ruby/object:Gem::Dependency
+  name: rack-cors
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth-openid-connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.2'
+description: 
+email:
+- info@finn.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- Rakefile
+- app/controllers/lobby_boy/session_controller.rb
+- app/helpers/lobby_boy/session_helper.rb
+- app/views/lobby_boy/_iframes.html.erb
+- app/views/lobby_boy/session/check.html.erb
+- config/initializers/omniauth.rb
+- config/routes.rb
+- lib/lobby_boy.rb
+- lib/lobby_boy/configuration.rb
+- lib/lobby_boy/engine.rb
+- lib/lobby_boy/omni_auth/failure_endpoint.rb
+- lib/lobby_boy/openid_connect/id_token.rb
+- lib/lobby_boy/patches/session_management.rb
+- lib/lobby_boy/util/uri.rb
+- lib/lobby_boy/version.rb
+- lib/tasks/lobby_boy_tasks.rake
+homepage: https://github.com/finnlabs/lobby_boy
+licenses:
+- GPLv3
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.3
+signing_key: 
+specification_version: 4
+summary: Rails engine for OpenIDConnect Session Management
+test_files: []