masks 0.3.1 → 0.4.0

data/app/models/masks/openid/authorization.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    # Manages authorizations for OpenID/OAuth2 requests.
+    class Authorization
+      attr_accessor :client, :scopes, :response, :response_type
+
+      class << self
+        def perform(env, **opts)
+          authorization = new(env, **opts)
+          authorization.perform
+          authorization
+        end
+      end
+
+      def initialize(env, **opts)
+        @env = env
+        @app =
+          Rack::OAuth2::Server::Authorize.new do |req, res|
+            @client =
+              session.config.model(:openid_client).find_by(key: req.client_id)
+
+            req.bad_request!(:client_id, "not found") unless @client
+
+            unless req.redirect_uri
+              req.invalid_request!('"redirect_uri" missing')
+            end
+
+            unless @client.redirect_uris.any?
+              @client.redirect_uris = [req.redirect_uri.to_s]
+              @client.valid? || req.invalid_request!('"redirect_uri" invalid')
+            end
+
+            res.redirect_uri = req.verify_redirect_uri!(@client.redirect_uris)
+
+            @scopes = req.scope & @client.scopes
+
+            if res.protocol_params_location == :fragment && req.nonce.blank?
+              req.invalid_request! "nonce required"
+            end
+
+            if @client.response_types.include?(
+                 Array(req.response_type).collect(&:to_s).join(" ")
+               )
+              if actor
+                if opts[:approved] || client.auto_consent?
+                  @client.save if @client.redirect_uris_changed?
+
+                  approved! req, res
+                elsif opts.key?(:approved)
+                  req.access_denied!
+                end
+              end
+            else
+              req.unsupported_response_type!
+            end
+          end
+      end
+
+      def session
+        @session ||= @env[Masks::Middleware::SESSION_KEY]
+      end
+
+      def actor
+        @actor ||= (session.actor if session.passed?)
+      end
+
+      def perform
+        @response = @app.call(@env)
+      end
+
+      def approved!(req, res)
+        response_types = Array(req.response_type)
+
+        if response_types.include? :code
+          authorization =
+            actor.openid_authorizations.create!(
+              openid_client: client,
+              redirect_uri: res.redirect_uri,
+              nonce: req.nonce,
+              scopes: @scopes
+            )
+
+          res.code = authorization.code
+        end
+
+        if response_types.include? :token
+          access_token =
+            actor.openid_access_tokens.create!(
+              openid_client: client,
+              scopes: @scopes
+            )
+
+          res.access_token = access_token.to_bearer_token
+        end
+
+        if response_types.include? :id_token
+          id_token =
+            actor.openid_id_tokens.create!(
+              openid_client: @client,
+              nonce: req.nonce
+            )
+
+          res.id_token =
+            id_token.to_jwt(
+              code: (res.respond_to?(:code) ? res.code : nil),
+              access_token:
+                (res.respond_to?(:access_token) ? res.access_token : nil)
+            )
+        end
+
+        res.approve!
+      end
+    end
+  end
+end

data/app/models/masks/openid/token.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Masks
+  module OpenID
+    # Implementation of the Token Endpoint in OIDC.
+    #
+    # Technically speaking, this conforms to the rack interface
+    # so it can be used directly for managing requests for access
+    # tokens.
+    class Token
+      attr_accessor :app
+
+      delegate :call, to: :app
+
+      def initialize
+        @app =
+          Rack::OAuth2::Server::Token.new do |req, res|
+            client =
+              Masks
+                .configuration
+                .model(:openid_client)
+                .find_by(key: req.client_id) || req.invalid_client!
+            client.secret == req.client_secret || req.invalid_client!
+            client.grant_types.include?(req.grant_type.to_s) ||
+              req.unsupported_grant_type!
+
+            case req.grant_type
+            when :client_credentials
+              res.access_token = client.access_tokens.create!.to_bearer_token
+            when :authorization_code
+              authorization =
+                client.authorizations.valid.where(code: req.code).first
+              unless authorization&.valid_redirect_uri?(req.redirect_uri)
+                req.invalid_grant!
+              end
+              access_token = authorization.access_token
+              res.access_token = access_token.to_bearer_token
+
+              if access_token.scope?("openid")
+                res.id_token =
+                  access_token
+                    .actor
+                    .openid_id_tokens
+                    .create!(
+                      openid_client: access_token.openid_client,
+                      nonce: authorization.nonce
+                    )
+                    .to_jwt
+              end
+            else
+              req.unsupported_grant_type!
+            end
+          end
+      end
+    end
+  end
+end

data/app/models/masks/rails/actor.rb

@@ -32,6 +32,15 @@ module Masks
       has_many :keys,
                class_name: Masks.configuration.models[:key],
                autosave: true
+      has_many :openid_authorizations,
+               class_name: Masks.configuration.models[:openid_authorization],
+               autosave: true
+      has_many :openid_access_tokens,
+               class_name: Masks.configuration.models[:openid_access_token],
+               autosave: true
+      has_many :openid_id_tokens,
+               class_name: Masks.configuration.models[:openid_id_token],
+               autosave: true
 
       has_secure_password
 
@@ -41,7 +50,7 @@ module Masks
 
       before_validation :reset_version, unless: :version
 
-      validates :nickname, uniqueness: { case_sensitive: false }
+      validates :nickname, presence: true, uniqueness: { case_sensitive: false }
       validates :totp_secret, presence: true, if: :totp_code
       validates :version, presence: true
       validate :validates_totp, if: :totp_code
@@ -52,6 +61,14 @@ module Masks
 
       serialize :backup_codes, coder: JSON
 
+      def to_param
+        nickname
+      end
+
+      def primary_email
+        emails.where(verified: true).first
+      end
+
       def email_addresses
         emails.pluck(:email)
       end
@@ -68,6 +85,11 @@ module Masks
         save!
       end
 
+      def logout!
+        reset_version
+        save!
+      end
+
       def totp_uri
         (totp || random_totp).provisioning_uri(nickname)
       end

data/app/models/masks/rails/openid/access_token.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+module Masks
+  module Rails
+    module OpenID
+      class AccessToken < ApplicationRecord
+        include Masks::Scoped
+
+        self.table_name = "openid_access_tokens"
+
+        scope :valid, -> { where("expires_at >= ?", Time.now.utc) }
+
+        belongs_to :actor,
+                   class_name: Masks.configuration.models[:actor],
+                   optional: true
+        belongs_to :openid_client,
+                   class_name: Masks.configuration.models[:openid_client]
+
+        serialize :scopes, coder: JSON
+
+        before_validation :generate_token
+
+        validates :openid_client, presence: true
+        validates :token, presence: true, uniqueness: true
+        validates :expires_at, presence: true
+
+        def scopes
+          value = self[:scopes]
+
+          return [] unless value
+
+          value & ((actor&.scopes || []) + openid_client.scopes)
+        end
+
+        def roles(*args, **opts)
+          (actor || openid_client).roles(*args, **opts)
+        end
+
+        def to_bearer_token
+          Rack::OAuth2::AccessToken::Bearer.new(
+            access_token: token,
+            expires_in: (expires_at - Time.now.utc).to_i
+          )
+        end
+
+        private
+
+        def generate_token
+          self.token ||= SecureRandom.uuid
+          self.expires_at ||= openid_client.token_expires_at
+          self.scopes ||= []
+        end
+      end
+    end
+  end
+end

data/app/models/masks/rails/openid/authorization.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module Masks
+  module Rails
+    module OpenID
+      class Authorization < ApplicationRecord
+        self.table_name = "openid_authorizations"
+
+        scope :valid, -> { where("expires_at >= ?", Time.now.utc) }
+
+        belongs_to :actor, class_name: Masks.configuration.models[:actor]
+        belongs_to :openid_client,
+                   class_name: Masks.configuration.models[:openid_client]
+
+        serialize :scopes, coder: JSON
+
+        before_validation :generate_code
+
+        validates :actor, presence: true
+        validates :openid_client, presence: true
+        validates :code, presence: true, uniqueness: true
+        validates :expires_at, presence: true
+
+        def valid_redirect_uri?(uri)
+          uri == redirect_uri
+        end
+
+        def access_token
+          @access_token ||=
+            update_attribute!(:expires_at, Time.now) && generate_access_token!
+        end
+
+        def generate_access_token!
+          actor.openid_access_tokens.create!(openid_client:, scopes:)
+        end
+
+        private
+
+        def generate_code
+          self.code ||= SecureRandom.uuid
+          self.expires_at ||= openid_client.code_expires_at
+        end
+      end
+    end
+  end
+end

data/app/models/masks/rails/openid/client.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+module Masks
+  module Rails
+    module OpenID
+      class Client < ApplicationRecord
+        include Masks::Scoped
+
+        self.table_name = "openid_clients"
+
+        validates :name, presence: true
+
+        after_initialize :generate_credentials
+        before_validation :generate_key, on: :create
+
+        serialize :scopes, coder: JSON
+        serialize :redirect_uris, coder: JSON
+        serialize :response_types, coder: JSON
+        serialize :grant_types, coder: JSON
+
+        validates :key, :secret, :scopes, presence: true
+        validates :key, uniqueness: true
+        validates :client_type,
+                  inclusion: {
+                    in: %w[public confidential]
+                  },
+                  presence: true
+        validates :subject_type,
+                  inclusion: {
+                    in: Masks.configuration.openid[:subject_types]
+                  },
+                  presence: true
+        validate :validate_expiries
+
+        has_many :access_tokens,
+                 class_name: Masks.configuration.models[:openid_access_token],
+                 inverse_of: :openid_client
+        has_many :authorizations,
+                 class_name: Masks.configuration.models[:openid_authorization],
+                 inverse_of: :openid_client
+        has_many :saved_roles,
+                 class_name: Masks.configuration.models[:role],
+                 autosave: true
+
+        def to_param
+          key
+        end
+
+        def response_types
+          case client_type
+          when "confidential"
+            ["code"]
+          when "public"
+            ["token", "id_token", "id_token token"]
+          end
+        end
+
+        def grant_types
+          case client_type
+          when "confidential"
+            %w[refresh_token authorization_code client_credentials]
+          else
+            []
+          end
+        end
+
+        def scopes
+          self[:scopes]
+        end
+
+        def roles(record, **opts)
+          case record
+          when Class, String
+            saved_roles.where(record_type: record.to_s, **opts).includes(
+              :record
+            )
+          else
+            saved_roles.where(record:, **opts)
+          end
+        end
+
+        def issuer
+          Masks::Engine.routes.url_helpers.openid_issuer_url(
+            id: key,
+            host: Masks.configuration.site_url
+          )
+        end
+
+        def kid
+          :default
+        end
+
+        def private_key
+          OpenSSL::PKey::RSA.new(rsa_private_key)
+        end
+
+        delegate :public_key, to: :private_key
+
+        def subject(actor)
+          case subject_type
+          when "nickname"
+            actor.nickname
+          else
+            Digest::SHA256.hexdigest(
+              [
+                sector_identifier,
+                actor.actor_id,
+                Masks.configuration.openid[:pairwise_salt]
+              ].join("/")
+            )
+          end
+        end
+
+        def audience
+          key
+        end
+
+        def auto_consent?
+          !consent
+        end
+
+        def pairwise_subject?
+          sector_identifier && subject_type == "pairwise"
+        end
+
+        def assign_scopes!(*scopes)
+          self.scopes = [*scopes, *self.scopes].uniq.compact
+          save!
+        end
+
+        def remove_scopes!(*scopes)
+          scopes.each { |scope| self.scopes.delete(scope) }
+
+          save!
+        end
+
+        def code_expires_at
+          Time.now + ChronicDuration.parse(code_expires_in)
+        end
+
+        def token_expires_at
+          Time.now + ChronicDuration.parse(token_expires_in)
+        end
+
+        def refresh_expires_at
+          Time.now + ChronicDuration.parse(refresh_expires_in)
+        end
+
+        private
+
+        def generate_credentials
+          self.secret ||= SecureRandom.uuid
+          self.client_type ||= "confidential"
+          self.subject_type ||= "nickname"
+          self.scopes ||= Masks.configuration.openid[:scopes] || []
+          self.rsa_private_key ||= OpenSSL::PKey::RSA.generate(2048).to_pem
+          self.sector_identifier ||=
+            URI.parse(Masks.configuration.site_url).host
+          self.code_expires_in ||= "5 minutes"
+          self.token_expires_in ||= "1 day"
+          self.refresh_expires_in ||= "1 week"
+        end
+
+        def generate_key
+          return unless name
+
+          key = name.parameterize
+          count = self.class.where("key LIKE ?", "#{key}%").count
+
+          self.key = count.positive? ? "#{key}-#{count + 1}" : key
+        end
+
+        def validate_expiries
+          %i[
+            code_expires_in
+            token_expires_in
+            refresh_expires_in
+          ].each do |param|
+            unless ChronicDuration.parse(send(param))
+              errors.add(param, :invalid)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/models/masks/rails/openid/id_token.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module Masks
+  module Rails
+    module OpenID
+      class IdToken < ApplicationRecord
+        self.table_name = "openid_id_tokens"
+
+        belongs_to :actor, class_name: Masks.configuration.models[:actor]
+        belongs_to :openid_client,
+                   class_name: Masks.configuration.models[:openid_client]
+
+        def to_response_object(with = {})
+          subject =
+            if openid_client.pairwise_subject?
+              openid_client.subject_for(actor)
+            else
+              actor.actor_id
+            end
+
+          claims = {
+            sub: subject,
+            iss: openid_client.issuer,
+            aud: openid_client.audience,
+            exp: expires_at.to_i,
+            iat: created_at.to_i,
+            nonce:
+          }
+
+          id_token = OpenIDConnect::ResponseObject::IdToken.new(claims)
+          id_token.code = with[:code] if with[:code]
+          id_token.access_token = with[:access_token] if with[:access_token]
+          id_token
+        end
+
+        def to_jwt(with = {})
+          to_response_object(with).to_jwt(openid_client.private_key) do |jwt|
+            jwt.kid = openid_client.kid
+          end
+        end
+      end
+    end
+  end
+end

data/app/models/masks/sessions/access.rb

@@ -19,7 +19,8 @@ module Masks
       def matches_mask?(mask)
         return false unless mask.access == name.to_s
 
-        original.mask.access&.try(:include?, name.to_s) || original.mask.access
+        original.mask.access&.try(:include?, name.to_s) ||
+          original.mask.access == mask.access
       end
     end
   end

data/app/resources/masks/session_resource.rb

@@ -9,7 +9,7 @@ module Masks
     attribute :authorized, &:passed?
 
     attribute :actor do |session|
-      ActorResource.new(session.actor).to_h
+      ActorResource.new(session.actor).to_h if session.actor
     end
   end
 end

data/app/views/layouts/masks/manage.html.erb

@@ -9,12 +9,29 @@
     <%= javascript_include_tag "masks/application", "data-turbo-track": "reload", defer: true %>
   </head>
   <body class="h-full">
-    <div class="navbar my-2 join box-border px-6">
-      <div class="flex items-center gap-1 bg-accent rounded px-2 py-1.5 join-item">
-        <%= image_tag "masks.png", class: 'w-5 h-5 rounded-full border-black border' %>
+    <div class="navbar bg-base-100 mb-6">
+      <div class="navbar-start">
+        <div class="dropdown">
+          <div tabindex="0" role="button" class="btn btn-ghost text-lg">
+            masks
+          </div>
+          <ul tabindex="0" class="menu  dropdown-content mt-3 z-[1] p-2 shadow bg-base-100 rounded-box w-52 gap-1">
+            <li><a class="<%= section == :dashboard ? 'active' : '' %>" href="<%= manage_path %>">Dashboard</a></li>
+            <li><a class="<%= section == :clients ? 'active' : '' %>" href="<%= manage_clients_path %>">Clients</a></li>
+            <li><a class="<%= section == :actors ? 'active' : '' %>" href="<%= manage_actors_path %>">Actors</a></li>
+            <li><a class="<%= section == :devices ? 'active' : '' %>" href="<%= manage_devices_path %>">Devices</a></li>
+          </ul>
+        </div>
       </div>
-      <div class="flex items-center bg-base-100 rounded px-2 py-1.5 join-item">
-        <a href="<%= actors_path %>" class="text-sm text-accent-content opacity-75 hover:opacity-100 hover:underline focus:underline font-mono">/manage</a>
+
+      <div class="navbar-end pr-2">
+        <a href="<%= manage_actor_path(current_actor) %>">
+          <div class="avatar placeholder">
+            <div class="bg-neutral text-neutral-content rounded-full w-10">
+              <span class="text-base"><%= current_actor.nickname.slice(0, 1).upcase %></span>
+            </div>
+          </div>
+        </a>
       </div>
     </div>
 

data/app/views/masks/actor_mailer/recover_credentials.html.erb

@@ -15,9 +15,8 @@
         </div>
         <a
           role="button"
-          href="<%= recover_password_url(token: @recovery)%>"
-          class="btn"
-        >
+          href="<%= recover_password_url(token: @recovery) %>"
+          class="btn">
           <%= lucide_icon("rotate-cw", class: "stroke-warning") %>
           <%= t(".recover") %>
         </a>

data/app/views/masks/actor_mailer/verify_email.html.erb

@@ -16,9 +16,8 @@
         </div>
         <a
           role="button"
-          href="<%= email_verify_url(email: @email, approve: true)%>"
-          class="btn"
-        >
+          href="<%= email_verify_url(email: @email, approve: true) %>"
+          class="btn">
           <%= lucide_icon("mail-check", class: "stroke-success") %>
           <%= t(".verify") %>
         </a>