oauth_im 0.8.1 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8208d820c7e100554ecce30e7059fd4d082679a90875a6345a19cb072c010f2c
-  data.tar.gz: 4210b53980b4d73a75bd4a48ec5318d2369e22e7d3db15253b5d706dd4c46821
+  metadata.gz: 4c516706747b55e09365f8803351f8a282fa15fc47c7c5dfb0eb8fbd20cea0b5
+  data.tar.gz: dfe17e0f5b654cc518d813ec9c645edcb951b9b8a8111f8360dba5c078639934
 SHA512:
-  metadata.gz: 38d9767641f6b8b691cfc1ceaabac18db7bfdade8f04d4110d669c3c5b48f9e0a501931c859650d7976f458225233e97eb475f92b8dcb2ca9b2b66488c596cfc
-  data.tar.gz: 2ed159a29e9164d3aec610e20559a65fe6386e065945b942f7b1dded21a4aac0bc7f38ac2333b2a0a529134273286700dff636a65ba75518ee1586cd677ff0cb
+  metadata.gz: 19bbc2692b590850e2b73de9d8c082c200da8b667083715156bbcf80004d43ada5876038c79f2fee12dc0bd2c40b1cae49c5df80074abd75f01fb1d6f1f075e0
+  data.tar.gz: da2dd4a76af69919b00a57e2db4f75ef1ba2b6bf18c4631b71472c3d88eb1729affd4e8d6d7d5facb397cabbde6b395a7093b6b3f59c3cbb739cf130dfd924d2

data/README.md

@@ -17,51 +17,13 @@ $ bundle
 ```
 
 ## Configuration
-Once the gem is installed, add an initializer. Here is an example:
+Once the gem is installed, add an initializer.  The [iiab
+app](https://github.com/illustrativemathematics/iiab/blob/master/config/initializers/oauth_im.rb)
+provides an example.
 
-```ruby
-# config/initializers/oauth_im.rb
-module OauthIm
-  configure do |config|
-    #####################################
-    # these routes are local to the app #
-    #####################################
-    config.authorize_url  = ENV.fetch 'FUSION_AUTH_AUTHORIZE_URL', DEFAULT_AUTHORIZE_URL
-    config.callback_route = ENV.fetch 'FUSION_CALLBACK_ROUTE',     DEFAULT_CALLBACK_ROUTE
-    config.token_url      = ENV.fetch 'FUSION_AUTH_TOKEN_URL',     DEFAULT_TOKEN_URL
-
-    ##############################################
-    # identity provider url (e.g., fusion auth): #
-    ##############################################
-    config.idp_url        = ENV.fetch 'FUSION_AUTH_IDP_URL',       DEFAULT_IDP_URL
-
-    ################################################
-    # Issuer domain: find on FA tenant General tab #
-    ################################################
-    config.iss_domain     = ENV.fetch 'FUSION_AUTH_ISS_DOMAIN',    DEFAULT_ISS_DOMAIN
-
-    ####################################
-    # find on FA application OAuth tab #
-    ####################################
-    config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
-    config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
-
-    #################################################################################
-    # 1. Find signing key name on the app details name.                             #
-    # 2. Look up the key (by name) under Key Master tab under Settings:             #
-    #    https://illustrativemath-dev.fusionauth.io/admin/key/                      #
-    # 3. The key should be either HMAC or RSA.                                      #
-    #   - If HMAC, view the Secret under Details. You will need to click to reveal. #
-    #   - If RSA, copy the PEM encoded public key as-is.                            #
-    # Note: You don't need both keys --- TokenDecoder will use the one available.   #
-    #################################################################################
-    config.hmac           = ENV['FUSION_AUTH_HMAC']
-    config.rsa_public     = ENV['FUSION_AUTH_RSA_PUBLIC]
-  end
-end
-```
+### Environment
 
-* The `ENV` variable values can be obtained from the OAuth provider.
+The `ENV` variable values can be obtained from the OAuth provider.
 * Here is [an article at FusionAuth](https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails) describing many of these settings.
 * The `callback_route` setting is used in two related ways:
   * It [defines a route](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L4) to the [`OAuthIm::ClientController#callback`
@@ -75,7 +37,30 @@ end
     must be entered in the OAuth provider's list of authorized
     redirect URLs.
 
+### RSA v. HMAC
+
+To determine the access token signing key, find the name of the key and then look it up
+on the Settings|Key Master pane. (See screenshots.)
+
+* Inspect your app settings. The screenshot shows this being done for the app
+  `Kendall Hunt - Terraform`.
+
+  ![app settings](./docs/images/fa-app-settings.png?raw=true)
+
+* Find the name of the token. The screenshot shows this being done for the app
+  `Kendall Hunt - Terraform`. You will need to scroll down the page to the `JWT` section.
+
+  ![token name](./docs/images/fa-signing-key-name.png?raw=true)
+
+* Look up this signing token under Home|Settings|Key Master. The screenshot shows this being done
+  for the signing token `KendallHunt-Terraform (12)`.
+  * For RSA tokens like this one, use the PEM encoded public key as-is.
+  * For HMAC tokens, view the secret under Details (click to reveal).
+
+  ![token name](./docs/images/fa-access-token.png?raw=true)
+
 ## Usage
+
 ### Helpers for Logging in and Out
 The engine provides [two endpoints](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L5-L6) for logging in and out, and exposes
 corresponding view helpers. These are accessible from the main app as:
@@ -154,6 +139,20 @@ After many false starts, this repo includes two (seemingly functional) github wo
 
 ## Version History
 
+### 0.9.1
+* Facilitate specs for privileged users by providing spec_user_data on AppContext
+
+### 0.9.0
+* Consolidate all OAuth (FusionAuth) functionality
+  * the register app can now include this gem for OAuth to create users
+  * IIAB can include this gem to authenticate users
+  * IIAB can include this gem to determine user privileges
+* Relax Rails version constraint in Gemfile
+  * necessary in order for register app to use gem
+
+### 0.8.2
+* README
+
 ### 0.8.1
 * Tightened up test environment helpers.
 

data/app/controllers/concerns/oauth_im/authenticable.rb

@@ -11,25 +11,23 @@ module OauthIm
 
     private
 
+    delegate :email, :email_verified?,
+             :user_privileges,
+             to: :user_client,
+             allow_nil: true
+
     def authenticated?
       AppContext.authenticated_for_specs? ||
         (AppContext.provide_authentication? && logged_in?)
     end
 
-    def email
-      @email ||= jwt_token['email']
-    end
-
     def user_jwt
-      @user_jwt ||= session[:user_jwt] || {}
-    end
-
-    def jwt_token
-      @jwt_token ||= user_jwt['value']&.first || {}
+      @user_jwt ||= session[:user_jwt]
     end
 
-    def email_verified?
-      jwt_token.present? && jwt_token['email_verified'].present?
+    def user_client
+      @user_client ||= OauthIm::Client.for(user_jwt: user_jwt) if
+        user_jwt.present?
     end
 
     def current_user

data/app/controllers/oauth_im/client_controller.rb

@@ -15,7 +15,7 @@ module OauthIm
 
     def logout
       reset_session
-      redirect_to logout_url
+      redirect_to oauth_client.logout_url
     end
 
     def local_login
@@ -34,11 +34,10 @@ module OauthIm
 
     private
 
-    delegate :logout_url, :user_jwt,
-             to: :oauth_client
+    delegate :user_jwt, to: :oauth_client
 
     def oauth_client
-      @oauth_client ||= OauthIm::Client.new request: request
+      @oauth_client ||= OauthIm::Client.for request: request
     end
 
     def local_login_userinfo

data/app/services/oauth_im/client.rb

@@ -2,75 +2,16 @@
 
 module OauthIm
   class Client
-    attr_reader :request
-
-    def initialize(request:)
-      @request = request
-    end
-
-    def login_url
-      @login_url ||= auth_code.authorize_url
-    end
-
-    def logout_url
-      @logout_url ||= "#{idp_url}/oauth2/logout" \
-                      "?post_logout_redirect_uri=#{return_to_url}" \
-                      "&client_id=#{client_id}"
-    end
-
-    def user_jwt
-      @user_jwt ||= { value: decoded_token, httponly: httponly? }
-    end
-
-    private
-
-    delegate :host_with_port, :params, to: :request
-    delegate :configuration, to: OauthIm
-    delegate :authorize_url, :token_url, :idp_url, :client_id, :client_secret,
-             to: :configuration
-    delegate :auth_code, to: :oauth_client
-
-    def httponly?
-      true
-    end
-
-    def return_to_url
-      @return_to_url ||= params.fetch :return_to
-    end
-
-    def redirect_url
-      @redirect_url ||=
-        Engine.routes.url_helpers.callback_url callback_url_params
-    end
-
-    def callback_url_params
-      @callback_url_params ||= { host: host_with_port,
-                                 protocol: protocol }.freeze
-    end
-
-    def protocol
-      @protocol ||= Rails.env.production? ? :https : :http
-    end
-
-    def decoded_token
-      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
-    end
-
-    def access_token
-      @access_token ||= response_hash[:access_token]
-    end
-
-    def oauth_client
-      @oauth_client ||= ::OAuth2::Client.new client_id,
-                                             client_secret,
-                                             authorize_url: authorize_url,
-                                             site: idp_url,
-                                             token_url: token_url,
-                                             redirect_uri: redirect_url
-    end
-
-    def response_hash
-      @response_hash ||= auth_code.get_token(params[:code]).to_hash
+    def self.for(request: nil, user_jwt: nil, secure_id: nil)
+      if request.present?
+        RequestClient.new request: request
+      elsif user_jwt.present?
+        UserClient.new user_jwt: user_jwt
+      elsif secure_id.present?
+        RegistrationClient.new secure_id: secure_id
+      else
+        raise ArgumentError
+      end
     end
   end
 end

data/app/services/oauth_im/idp_client.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'fusionauth/fusionauth_client'
+
+module OauthIm
+  class IdpClient
+    private
+
+    delegate :configuration, to: OauthIm
+    delegate :api_key, :idp_url, to: :configuration
+
+    def client
+      @client ||= ::FusionAuth::FusionAuthClient.new api_key, idp_url
+    end
+  end
+end

data/app/services/oauth_im/registration_client.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module OauthIm
+  class RegistrationClient < IdpClient
+    attr_reader :secure_id
+
+    def initialize(secure_id:)
+      @secure_id = secure_id
+      super()
+    end
+
+    def register(submission_params:)
+      client.register secure_id, submission_params
+    end
+  end
+end

data/app/services/oauth_im/request_client.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module OauthIm
+  class RequestClient
+    attr_reader :request
+
+    def initialize(request:)
+      @request = request
+    end
+
+    def login_url
+      @login_url ||= auth_code.authorize_url
+    end
+
+    def logout_url
+      @logout_url ||= "#{idp_url}/oauth2/logout" \
+                      "?post_logout_redirect_uri=#{return_to_url}" \
+                      "&client_id=#{client_id}"
+    end
+
+    def user_jwt
+      @user_jwt ||= { value: decoded_token, httponly: httponly? }
+    end
+
+    private
+
+    delegate :host_with_port, :params, to: :request
+    delegate :configuration, to: OauthIm
+    delegate :authorize_url, :token_url, :idp_url, :client_id, :client_secret,
+             to: :configuration
+    delegate :auth_code, to: :oauth_client
+
+    def httponly?
+      true
+    end
+
+    def return_to_url
+      @return_to_url ||= params.fetch :return_to
+    end
+
+    def redirect_url
+      @redirect_url ||=
+        Engine.routes.url_helpers.callback_url callback_url_params
+    end
+
+    def callback_url_params
+      @callback_url_params ||= { host: host_with_port,
+                                 protocol: protocol }.freeze
+    end
+
+    def protocol
+      @protocol ||= Rails.env.production? ? :https : :http
+    end
+
+    def decoded_token
+      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
+    end
+
+    def access_token
+      @access_token ||= response_hash[:access_token]
+    end
+
+    def oauth_client
+      @oauth_client ||= ::OAuth2::Client.new client_id,
+                                             client_secret,
+                                             authorize_url: authorize_url,
+                                             site: idp_url,
+                                             token_url: token_url,
+                                             redirect_uri: redirect_url
+    end
+
+    def response_hash
+      @response_hash ||= auth_code.get_token(params[:code]).to_hash
+    end
+  end
+end

data/app/services/oauth_im/user_client.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'fusionauth/fusionauth_client'
+
+module OauthIm
+  class UserClient < IdpClient
+    attr_reader :user_jwt
+
+    def initialize(user_jwt:)
+      @user_jwt = user_jwt&.with_indifferent_access
+      super()
+    end
+
+    def email
+      @email ||= jwt_token[:email]
+    end
+
+    def email_verified?
+      email.present?
+    end
+
+    def user_privileges
+      @user_privileges ||= data[:privileges] || []
+    end
+
+    private
+
+    def user_data
+      @user_data ||= user[:registrations]&.first || {}
+    end
+
+    def data
+      @data ||= user_data[:data] || {}
+    end
+
+    def success_response
+      @success_response ||= client_response&.success_response || {}
+    end
+
+    def user
+      @user ||= success_response[:user] || {}
+    end
+
+    # https://www.rubydoc.info/gems/fusionauth_client/1.32.1/FusionAuth/FusionAuthClient#retrieve_user-instance_method
+    def client_response
+      @client_response ||= client.retrieve_user user_id
+    end
+
+    def jwt_token
+      @jwt_token ||= user_jwt[:value]&.first&.with_indifferent_access || {}
+    end
+
+    def user_id
+      @user_id ||= jwt_token[:sub]
+    end
+  end
+end

data/config/initializers/app_context.rb

@@ -5,28 +5,32 @@ module AppContext
     true
   end
 
-  def self.privileged?
-    @privileged if provide_authentication?
-  end
-
   def self.spec_user
-    @spec_user if Rails.env.test? && provide_authentication?
+    @spec_user if override_for_specs?
   end
 
   def self.authenticated_for_specs?
-    @authenticated_for_specs if Rails.env.test? && provide_authentication?
+    @authenticated_for_specs if override_for_specs?
+  end
+
+  def self.spec_user_data
+    override_for_specs? ? (@spec_user_data.presence || {}) : {}
+  end
+
+  def self.override_for_specs?
+    Rails.env.test? && provide_authentication?
   end
 
-  def self.authenticate_for_specs(spec_user: nil, privileged: false)
+  def self.authenticate_for_specs(spec_user: nil, spec_user_data: {})
     return unless provide_authentication?
     raise 'Use only in test environment!!' unless Rails.env.test?
 
     @authenticated_for_specs = true
     @spec_user               = spec_user
-    @privileged              = privileged
+    @spec_user_data          = spec_user_data
     yield
-    @privileged              = false
-    @spec_user               = nil
+    @privileged_for_specs    = false
+    @spec_user_data          = {}
     @authenticated_for_specs = false
   end
 end

data/lib/oauth_im/configuration.rb

@@ -7,6 +7,7 @@
 module OauthIm
   CONFIGURABLE_FIELDS =
     %i[
+      api_key
       authorize_url
       callback_route
       token_url

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.8.1'
+  VERSION = '0.9.1'
 end

data/lib/oauth_im.rb

@@ -9,11 +9,16 @@ require 'oauth_im/engine'
 require 'oauth_im/configuration'
 
 module OauthIm
-  DEFAULT_AUTHORIZE_URL  = '/oauth2/authorize'
-  DEFAULT_CALLBACK_ROUTE = 'callback'
-  DEFAULT_TOKEN_URL      = '/oauth2/token'
-  DEFAULT_IDP_URL        = 'https://illustrativemath-dev.fusionauth.io'
-  DEFAULT_ISS_DOMAIN     = 'illustrativemathematics.org'
+  DEFAULT_AUTH_AUTHORIZE_URL  = '/oauth2/authorize'
+  DEFAULT_AUTH_CALLBACK_ROUTE = 'callback'
+  DEFAULT_AUTH_TOKEN_URL      = '/oauth2/token'
+  DEFAULT_AUTH_IDP_URL        = 'https://illustrativemath-dev.fusionauth.io'
+  DEFAULT_AUTH_ISS_DOMAIN     = 'illustrativemathematics.org'
+  DEFAULT_AUTH_API_KEY        = nil
+  DEFAULT_AUTH_CLIENT_ID      = nil
+  DEFAULT_AUTH_CLIENT_SECRET  = nil
+  DEFAULT_AUTH_HMAC           = nil
+  DEFAULT_AUTH_RSA_PUBLIC     = nil
 
   class << self
     attr_reader :configuration
@@ -29,6 +34,6 @@ module OauthIm
   end
 
   def self.callback_route
-    configuration&.callback_route || DEFAULT_CALLBACK_ROUTE
+    configuration&.callback_route || DEFAULT_AUTH_CALLBACK_ROUTE
   end
 end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.9.1
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-26 00:00:00.000000000 Z
+date: 2022-06-14 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: fusionauth_client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.32.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.32.1
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -42,14 +56,14 @@ dependencies:
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 5.pre.2.pre.stable
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 5.pre.2.pre.stable
 - !ruby/object:Gem::Dependency
@@ -126,7 +140,11 @@ files:
 - app/controllers/oauth_im/client_controller.rb
 - app/helpers/oauth_im/application_helper.rb
 - app/services/oauth_im/client.rb
+- app/services/oauth_im/idp_client.rb
+- app/services/oauth_im/registration_client.rb
+- app/services/oauth_im/request_client.rb
 - app/services/oauth_im/token_decoder.rb
+- app/services/oauth_im/user_client.rb
 - app/views/layouts/oauth_im/application.html.erb
 - config/initializers/app_context.rb
 - config/routes.rb