oauth_im 0.7.4 → 0.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 85fc483377f0cf348af3a8399c70fec84395915203cb6bfa203f7d147eedb7d6
-  data.tar.gz: 40f90809e1e7405640098732aa41ac1ab96771230d9721d22f41ebfed3b19e74
+  metadata.gz: 7c32ade2f9c543728b3946076d1f8cad2566f06f4959c20b7c67613b6c296240
+  data.tar.gz: ad6148ef5c4bed447ee4468ef03825a5802b9df3f3a0dd096bda20f4024b803a
 SHA512:
-  metadata.gz: ec6f87a823e4ea3c8bd51bfc6ef09d65908840282c9228d88b78e98f686933c8eaaf2b0d844e0b2967bbed54e271f9f4c5c3b27cd7d4824b52539007018bbf29
-  data.tar.gz: dfbb145b3cf8658853b41f7d86e62024f957a21a5f6a99b69a9f682e49ad839734ab629c4a5d9ced89a53265726de029724645710dee9efa42760a0650bf2dd8
+  metadata.gz: 4824f3121b1ee2e24c0f706041c0295335a9efd35317442c5e1c857836224b88713ee61d1d1ae0694d01acd8559ef363ad44047393bb2b00128af96a97b60603
+  data.tar.gz: 656cbad5b4111347e5b0f277fcb99d9ac794fc8defccc1d49cb0637d1971d21f900315ab731f6d3eec16b9606f4b2de2902028d8a6bb8ddc13630a74aa261b78

data/README.md

@@ -40,21 +40,30 @@ module OauthIm
     ################################################
     config.iss_domain     = ENV.fetch 'FUSION_AUTH_ISS_DOMAIN',    DEFAULT_ISS_DOMAIN
 
-    ###############################
-    # on FA application OAuth tab #
-    ###############################
+    ####################################
+    # find on FA application OAuth tab #
+    ####################################
     config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
     config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
 
-    ###################################################################################
-    # View default signing key: https://illustrativemath-dev.fusionauth.io/admin/key/ #
-    ###################################################################################
+    ####################################################################################
+    # 1. Find signing key name on the app details pane. (See RSA v. HMAC screenshots.) #
+    # 2. Look up the key (by name) under Key Master tab under Settings:                #
+    #    https://illustrativemath-dev.fusionauth.io/admin/key/                         #
+    # 3. The key should be either HMAC or RSA.                                         #
+    #   - If HMAC, view the Secret under Details. You will need to click to reveal.    #
+    #   - If RSA, copy the PEM encoded public key as-is.                               #
+    # Note: You don't need both keys --- TokenDecoder will use the one available.      #
+    ####################################################################################
     config.hmac           = ENV['FUSION_AUTH_HMAC']
+    config.rsa_public     = ENV['FUSION_AUTH_RSA_PUBLIC]
   end
 end
 ```
 
-* The `ENV` variable values can be obtained from the OAuth provider.
+### Environment
+
+The `ENV` variable values can be obtained from the OAuth provider.
 * Here is [an article at FusionAuth](https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails) describing many of these settings.
 * The `callback_route` setting is used in two related ways:
   * It [defines a route](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L4) to the [`OAuthIm::ClientController#callback`
@@ -68,7 +77,30 @@ end
     must be entered in the OAuth provider's list of authorized
     redirect URLs.
 
+### RSA v. HMAC
+
+To determine the access token signing key, find the name of the key and then look it up
+on the Settings|Key Master pane. (See screenshots.)
+
+* Inspect your app settings. The screenshot shows this being done for the app
+  `Kendall Hunt - Terraform`.
+
+  ![app settings](./docs/images/fa-app-settings.png?raw=true)
+
+* Find the name of the token. The screenshot shows this being done for the app
+  `Kendall Hunt - Terraform`. You will need to scroll down the page to the `JWT` section.
+
+  ![token name](./docs/images/fa-signing-key-name.png?raw=true)
+
+* Look up this signing token under Home|Settings|Key Master. The screenshot shows this being done
+  for the signing token `KendallHunt-Terraform (12)`.
+  * For RSA tokens like this one, use the PEM encoded public key as-is.
+  * For HMAC tokens, view the secret under Details (click to reveal).
+
+  ![token name](./docs/images/fa-access-token.png?raw=true)
+
 ## Usage
+
 ### Helpers for Logging in and Out
 The engine provides [two endpoints](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L5-L6) for logging in and out, and exposes
 corresponding view helpers. These are accessible from the main app as:
@@ -104,12 +136,16 @@ end
 ### Initializer
 * The gem provides a single initializer, `AppContext`.
 * This module is **not** name-spaced.
-* It provides a single method, `provide_authentication?`, which by
-  default is `true`.
-* Client apps can override this initializer method.
+
+#### Methods
+* `AppContext#provide_authentication?` method defaults to `true` and
+  can be overridden as required.
   * For example, `iiab` overrides this initializer so that the
-    `provide_authentication?` method returns `false` unless the app is
-    `kh_iiab` (not `demo_im`).
+    `provide_authentication?` method returns `false` unless the app
+    is `kh_iiab` (not `demo_im`).
+* `AppContext#privileged?` defaults to `nil` and can be overridden as required.
+* `AppContext#authenticate_for_specs` offers a way to mock
+  authentication and privilege in specs. It accepts a block.
 
 ## Gem Maintenance
 After many false starts, this repo includes two (seemingly functional) github workflows.
@@ -142,6 +178,17 @@ After many false starts, this repo includes two (seemingly functional) github wo
   you.
 
 ## Version History
+
+### 0.8.2
+* README
+
+### 0.8.1
+* Tightened up test environment helpers.
+
+### 0.8.0
+* Allow RSA signing keys in addition to HMAC.
+  This is because Terraform creates RSA keys during runs.
+
 ### 0.7.4
 * Use https protocol for callback in production; http otherwise
 

data/app/controllers/concerns/oauth_im/authenticable.rb

@@ -35,13 +35,9 @@ module OauthIm
     def current_user
       @current_user ||=
         if user_jwt.present?
-          if email_verified?
-            email
-          else
-            head :forbidden
-          end
-        else
-          AppContext.current_user
+          email if email_verified?
+        elsif Rails.env.test?
+          AppContext.spec_user
         end
     end
 

data/app/controllers/oauth_im/client_controller.rb

@@ -7,8 +7,6 @@ module OauthIm
     def callback
       session[:user_jwt] = user_jwt
       redirect_to main_app.root_path
-    rescue StandardError
-      head :forbidden
     end
 
     def login

data/app/services/oauth_im/token_decoder.rb

@@ -20,14 +20,30 @@ module OauthIm
     private
 
     delegate :configuration, to: OauthIm
-    delegate :hmac, :iss_domain, to: :configuration
+    delegate :hmac, :rsa_public, :iss_domain, to: :configuration
 
     def decoded_token
-      @decoded_token ||= JWT.decode token, hmac, true, decode_params
+      @decoded_token ||= JWT.decode token, key, verify?, decode_params
     end
 
-    def decode_algorithm
-      DEFAULT_DECODE_ALGORITHM
+    def decode_using_hmac?
+      hmac.present?
+    end
+
+    def key
+      @key ||= decode_using_hmac? ? hmac : rsa_public_key
+    end
+
+    def rsa_public_key
+      @rsa_public_key ||= OpenSSL::PKey::RSA.new rsa_public
+    end
+
+    def algorithm
+      @algorithm ||= decode_using_hmac? ? 'HS256' : 'RS256'
+    end
+
+    def verify?
+      true
     end
 
     def verify_iss?
@@ -43,7 +59,7 @@ module OauthIm
                            iss: iss_domain,
                            verify_aud: verify_aud?,
                            aud: aud,
-                           algorithm: decode_algorithm }.freeze
+                           algorithm: algorithm }.freeze
     end
   end
 end

data/config/initializers/app_context.rb

@@ -5,25 +5,28 @@ module AppContext
     true
   end
 
-  def self.authenticated_for_specs?
-    @authenticated_for_specs
+  def self.privileged?
+    @privileged if provide_authentication?
   end
 
-  def self.privileged?
-    @privileged
+  def self.spec_user
+    @spec_user if Rails.env.test? && provide_authentication?
   end
 
-  def self.current_user
-    @current_user
+  def self.authenticated_for_specs?
+    @authenticated_for_specs if Rails.env.test? && provide_authentication?
   end
 
-  def self.authenticate_for_specs(current_user: nil, privileged: false)
+  def self.authenticate_for_specs(spec_user: nil, privileged: false)
+    return unless provide_authentication?
+    raise 'Use only in test environment!!' unless Rails.env.test?
+
     @authenticated_for_specs = true
-    @current_user            = current_user
+    @spec_user               = spec_user
     @privileged              = privileged
     yield
     @privileged              = false
-    @current_user            = nil
+    @spec_user               = nil
     @authenticated_for_specs = false
   end
 end

data/lib/oauth_im/configuration.rb

@@ -15,6 +15,7 @@ module OauthIm
       client_id
       client_secret
       hmac
+      rsa_public
     ].freeze
 
   class Configuration

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.7.4'
+  VERSION = '0.8.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.7.4
+  version: 0.8.2
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-24 00:00:00.000000000 Z
+date: 2022-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt