masks 0.3.1 → 0.4.0

data/app/assets/javascripts/controllers/application.js

@@ -3,7 +3,7 @@ import { Application } from "@hotwired/stimulus";
 const application = Application.start();
 
 // Configure Stimulus development experience
-application.debug = false;
+application.debug = true;
 window.Stimulus = application;
 
 export { application };

data/app/assets/javascripts/controllers/index.js

@@ -1,12 +1,21 @@
 import { application } from "./application";
 
+import PasswordVisibilityController from "@stimulus-components/password-visibility";
+import RevealController from "@stimulus-components/reveal";
+import DialogController from "@stimulus-components/dialog";
 import SessionController from "./session_controller";
 import RecoverController from "./recover_controller";
 import RecoverPasswordController from "./recover_password_controller";
 import EmailsController from "./emails_controller";
 import KeysController from "./keys_controller";
+import TableController from "./table_controller";
+
 application.register("session", SessionController);
 application.register("recover", RecoverController);
 application.register("recover-password", RecoverPasswordController);
 application.register("emails", EmailsController);
 application.register("keys", KeysController);
+application.register("table", TableController);
+application.register("password-visibility", PasswordVisibilityController);
+application.register("reveal", RevealController);
+application.register("dialog", DialogController);

data/app/assets/javascripts/controllers/table_controller.js

@@ -0,0 +1,15 @@
+import { Controller } from "@hotwired/stimulus";
+
+export default class extends Controller {
+  static get targets() {
+    return ["url"];
+  }
+
+  get href() {
+    return this.urlTarget.href;
+  }
+
+  click(e) {
+    Turbo.visit(this.href);
+  }
+}

data/app/assets/stylesheets/application.css

@@ -17,10 +17,18 @@
 @tailwind components;
 @tailwind utilities;
 
-.pagination {
+.pagy {
   @apply flex gap-2 items-center justify-center p-4;
-}
 
-.pagination .page {
-  @apply btn btn-sm;
+  a:not(.gap) {
+    @apply btn btn-sm;
+
+    &:not([href]) {
+      @apply btn-disabled;
+    }
+
+    &.current {
+      @apply btn-neutral;
+    }
+  }
 }

data/app/controllers/concerns/masks/controller.rb

@@ -85,7 +85,7 @@ module Masks
     # @return [Masks::Actor]
     # @visibility public
     def current_actor
-      masked_session.scoped
+      masked_session.actor
     end
 
     # Returns the mask for the request.

data/app/controllers/masks/manage/actors_controller.rb

@@ -4,8 +4,79 @@ module Masks
   # @visibility private
   module Manage
     class ActorsController < BaseController
+      section :actors
+
+      before_action :find_actor
+
       def index
-        @pagy, @actors = pagy(Masks::Rails::Actor.all)
+        @pagy, @actors = pagy(actor_model.all)
+      end
+
+      def create
+        actor =
+          signup_access.signup(
+            nickname: params[:nickname],
+            password: params[:password]
+          )
+
+        if actor.valid?
+          redirect_to manage_actor_path(actor)
+        else
+          flash[:errors] = actor.errors.full_messages
+          redirect_to manage_actors_path
+        end
+      end
+
+      def update
+        actor_model.transaction do
+          if params[:add_scope]
+            @actor.assign_scopes!(params[:add_scope])
+            flash[:info] = "added scope \"#{params[:add_scope]}\""
+          elsif params[:remove_scope]
+            @actor.remove_scopes!(params[:remove_scope])
+            flash[:info] = "removed scope \"#{params[:remove_scope]}\""
+          elsif params[:remove_factor2]
+            @actor.remove_factor2!
+            flash[:info] = "removed second factor authentication"
+          elsif params[:logout]
+            @actor.logout!
+            flash[:info] = "logged out of all devices"
+          elsif password_param
+            password_access.change_password(password_param, actor: @actor)
+
+            if @actor.valid?
+              flash[:info] = "password changed"
+            else
+              flash[:error] = "invalid password"
+            end
+          end
+
+          redirect_to manage_actor_path(@actor)
+        end
+
+        @actor
+      end
+
+      private
+
+      def find_actor
+        @actor = actor_model.find_by(nickname: params[:actor])
+      end
+
+      def actor_model
+        Masks.configuration.model(:actor)
+      end
+
+      def signup_access
+        masked_session.access("actor.signup")
+      end
+
+      def password_access
+        masked_session.access("actor.password")
+      end
+
+      def password_param
+        params[:change_password]
       end
     end
   end

data/app/controllers/masks/manage/base_controller.rb

@@ -4,9 +4,17 @@ module Masks
   # @visibility private
   module Manage
     class BaseController < ApplicationController
-      # require_mask type: :manage
-
       layout "masks/manage"
+
+      class << self
+        def section(name)
+          before_action { @section = name }
+        end
+      end
+
+      helper_method :current_actor, :section
+
+      attr_accessor :section
     end
   end
 end

data/app/controllers/masks/manage/clients_controller.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class ClientsController < BaseController
+      section :clients
+
+      before_action :find_client, only: %i[show update destroy]
+
+      rescue_from Pagy::OverflowError do
+        redirect_to manage_clients_path
+      end
+
+      def index
+        @pagy, @clients =
+          pagy(Masks::Rails::OpenID::Client.all.order(created_at: :desc))
+      end
+
+      def create
+        client =
+          Masks.configuration.model(:openid_client).new(name: params[:name])
+
+        if client.save
+          redirect_to manage_client_path(client)
+        else
+          flash[:errors] = client.errors.full_messages
+
+          redirect_to manage_clients_path
+        end
+      end
+
+      def update
+        Masks
+          .configuration
+          .model(:openid_client)
+          .transaction do
+            if params[:add_scope]
+              @client.assign_scopes!(params[:add_scope])
+              flash[:info] = "added scope"
+            elsif params[:remove_scope]
+              @client.remove_scopes!(params[:remove_scope])
+              flash[:info] = "removed scope"
+            else
+              update_client
+            end
+
+            redirect_to manage_client_path(@client)
+          end
+      end
+
+      def destroy
+        @client.destroy
+
+        flash[:destroyed] = @client.name
+
+        redirect_to manage_clients_path
+      end
+
+      private
+
+      def update_client
+        @client.name = params[:name]
+        @client.secret = params[:secret]
+        @client.consent = params[:consent]
+        @client.redirect_uris = params[:redirect_uris].split("\n")
+        @client.subject_type = params[:subject_type]
+        @client.code_expires_in = params[:code_expires_in]
+        @client.token_expires_in = params[:token_expires_in]
+        @client.refresh_expires_in = params[:refresh_expires_in]
+        @client.save
+
+        return if @client.valid?
+
+        flash[:errors] = @client.errors.full_messages
+      end
+
+      def find_client
+        @client =
+          Masks.configuration.model(:openid_client).find_by(key: params[:id])
+      end
+    end
+  end
+end

data/app/controllers/masks/manage/dashboard_controller.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class DashboardController < BaseController
+      section :dashboard
+
+      def index
+        @clients = Masks.configuration.model(:openid_client).count
+        @actors = Masks.configuration.model(:actor).count
+      end
+    end
+  end
+end

data/app/controllers/masks/manage/devices_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Masks
+  # @visibility private
+  module Manage
+    class DevicesController < BaseController
+      section :devices
+
+      rescue_from Pagy::OverflowError do
+        redirect_to manage_devices_path
+      end
+
+      def index
+        @pagy, @devices =
+          pagy(Masks.configuration.model(:device).all.order(created_at: :desc))
+      end
+    end
+  end
+end

data/app/controllers/masks/openid/authorizations_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    class AuthorizationsController < ApplicationController
+      rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+        @error = e
+
+        render :error, status: e.status
+      end
+
+      def new
+        authorize
+      end
+
+      def create
+        authorize approved: params[:approve]
+      end
+
+      private
+
+      def authorize(**opts)
+        # TODO: support incoming id_token request object + max_age parameter
+        @authorization = Authorization.perform(request.env, **opts)
+
+        _status, header, = @authorization.response
+
+        if header["WWW-Authenticate"].present?
+          headers["WWW-Authenticate"] = header["WWW-Authenticate"]
+        end
+
+        if header["Location"]
+          return redirect_to header["Location"], allow_other_host: true
+        end
+
+        unless @authorization.actor
+          session[:return_to] = request.url
+
+          return redirect_to session_path
+        end
+
+        render :new
+      end
+    end
+  end
+end

data/app/controllers/masks/openid/discoveries_controller.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    class DiscoveriesController < ApplicationController
+      before_action :find_client
+
+      def jwks
+        jwks =
+          JSON::JWK::Set.new(
+            JSON::JWK.new(client.public_key, use: :sig, kid: client.kid)
+          )
+
+        render json: jwks
+      end
+
+      def new
+        render json:
+                 OpenIDConnect::Discovery::Provider::Config::Response.new(
+                   issuer: client.issuer,
+                   authorization_endpoint: openid_authorization_url,
+                   token_endpoint: openid_token_url,
+                   userinfo_endpoint: openid_userinfo_url,
+                   jwks_uri: openid_jwks_url,
+                   #  registration_endpoint: site_url, # TODO
+                   scopes_supported: client.scopes,
+                   response_types_supported: client.response_types,
+                   grant_types_supported: client.grant_types,
+                   claims_parameter_supported: false,
+                   request_parameter_supported: false,
+                   request_uri_parameter_supported: false,
+                   subject_types_supported: [
+                     client.pairwise_subject? ? "pairwise" : "public"
+                   ],
+                   id_token_signing_alg_values_supported: [:RS256],
+                   token_endpoint_auth_methods_supported: %w[
+                     client_secret_basic
+                     client_secret_post
+                   ],
+                   claims_supported: %w[sub iss name email address phone_number]
+                 )
+      end
+
+      private
+
+      def find_client
+        head :not_found unless client
+      end
+
+      def client
+        @client ||=
+          Masks.configuration.model(:openid_client).find_by(key: params[:id])
+      end
+    end
+  end
+end

data/app/controllers/masks/openid/tokens_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    class TokensController < ApplicationController
+      rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
+        @error = e
+
+        render :error, status: e.status
+      end
+
+      def new
+        authorize
+      end
+
+      def create
+        authorize approved: params[:approve]
+      end
+
+      private
+
+      def authorize(**opts)
+        # TODO: support incoming id_token request object + max_age parameter
+        @authorization = Authorization.perform(request.env, **opts)
+
+        unless @authorization.actor
+          session[:return_to] = request.url
+
+          return redirect_to session_path
+        end
+
+        _status, header, = @authorization.response
+
+        if header["WWW-Authenticate"].present?
+          headers["WWW-Authenticate"] = header["WWW-Authenticate"]
+        end
+
+        if header["Location"]
+          redirect_to header["Location"]
+        else
+          render :new
+        end
+      end
+    end
+  end
+end

data/app/controllers/masks/openid/userinfo_controller.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    class UserInfoController < ApplicationController
+      def show
+        claims = { sub: openid_client.subject(current_actor) }
+
+        if access_token.scope?("email")
+          claims[:email] = current_actor.primary_email&.email
+        end
+
+        if access_token.scope?("phone")
+          claims[:phone] = current_actor.phone_number
+        end
+
+        render json: OpenIDConnect::ResponseObject::UserInfo.new(claims)
+      end
+
+      private
+
+      def access_token
+        @access_token ||= masked_session.extra(:access_token)
+      end
+
+      delegate :openid_client, to: :access_token
+    end
+  end
+end

data/app/controllers/masks/sessions_controller.rb

@@ -21,7 +21,7 @@ module Masks
           path =
             (
               if masked_session.passed?
-                masked_session.mask.pass ||
+                session.delete(:return_to) || masked_session.mask.pass ||
                   Masks.configuration.site_links[:after_login]
               else
                 masked_session.mask.fail ||

data/app/models/concerns/masks/access.rb

@@ -53,10 +53,10 @@ module Masks
       def actor
         raise Masks::Error::InvalidSession unless session
 
-        session.scoped || session.actor
+        session.actor
       end
 
-      delegate :configuration,
+      delegate :config,
                :roles,
                :role?,
                :role_records,

data/app/models/masks/access/actor_password.rb

@@ -10,7 +10,8 @@ module Masks
 
       access "actor.password"
 
-      def change_password(password)
+      def change_password(password, **opts)
+        actor = opts[:actor] || self.actor
         actor.changed_password_at = Time.current
         actor.password = password
         actor.save if actor.valid?

data/app/models/masks/access/actor_signup.rb

@@ -11,8 +11,7 @@ module Masks
       access "actor.signup"
 
       def signup(**opts)
-        actor =
-          configuration.build_actor(session, **opts.slice(:nickname, :email))
+        actor = config.build_actor(session, **opts.slice(:nickname, :email))
         actor.password = opts[:password]
         actor.save if actor.valid?
         actor

data/app/models/masks/credentials/access_token.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Masks
+  module Credentials
+    # Checks :key given a valid Authorization header.
+    class AccessToken < Masks::Credential
+      checks :access_token
+
+      def lookup
+        access_token =
+          session.config.model(:openid_access_token).valid.find_by(token:)
+
+        return unless access_token&.actor
+
+        session.extras(access_token:)
+        session.scoped = access_token
+
+        access_token.actor
+      end
+
+      def maskup
+        access_token = session.extra(:access_token)
+
+        if access_token&.actor && access_token&.actor == session&.actor &&
+             session.scoped == access_token
+          approve!
+        else
+          deny!
+        end
+      end
+
+      private
+
+      def token
+        return if [header_token, param_token].uniq.compact.length != 1
+
+        header_token || param_token
+      end
+
+      def header_token
+        unless auth_header.provided? && !auth_header.parts.first.nil? &&
+                 auth_header.scheme.to_s == "bearer"
+          return
+        end
+
+        auth_header.params
+      end
+
+      def param_token
+        params[:access_token]
+      end
+
+      def auth_header
+        return unless session.try(:request)
+
+        @auth_header = Rack::Auth::AbstractRequest.new(session.request.env)
+      end
+    end
+  end
+end

data/app/models/masks/credentials/key.rb

@@ -31,7 +31,7 @@ module Masks
       end
 
       def backup
-        session.scoped.touch(:accessed_at) if session&.passed? && accessed
+        session.extra(:key).touch(:accessed_at) if session&.passed? && accessed
       end
     end
   end

data/app/models/masks/credentials/return_to.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Masks
+  module Credentials
+    # Assigns the request URL to session data, under the key +return_to+.
+    #
+    # This credential is intended to keep track of an actor's attempts to
+    # access protected resources, so it only assigns the value if the session
+    # has not passed.
+    #
+    # In some cases, you may want to selectively disable the functionality
+    # of this credential. To do so, set +return_to+ to +false+ in the
+    # mask configuration.
+    class ReturnTo < Masks::Credential
+      def backup
+        return if session&.passed?
+        return unless session.try(:request) && session.request.get?
+        if session.mask.extras.key?(:return_to) &&
+             !session.mask.extras[:return_to]
+          return
+        end
+
+        session.data[:return_to] = session.request.url
+      end
+    end
+  end
+end

data/app/models/masks/mask.rb

@@ -66,6 +66,10 @@ module Masks
     #   Whether or not to save results of masks
     #   @return [Boolean]
     attribute :backup, default: true
+    # @!attribute [rw] extras
+    #   Extra attributes and configuration accessible on the mask
+    #   @return [Hash]
+    attribute :extras, default: -> { {} }
 
     # @visibility private
     attribute :config
@@ -77,7 +81,14 @@ module Masks
         attrs = type.deep_merge(**attrs)
       end
 
-      super(attrs)
+      # required for `attribute_names` to work
+      super({})
+
+      extras = attrs.except(*attribute_names.map(&:to_sym))
+      attrs = attrs.slice(*attribute_names.map(&:to_sym))
+      attrs[:extras] = extras.deep_symbolize_keys
+
+      assign_attributes(**attrs)
     end
 
     # Returns the class name expected for any actor attached to this session.