RubyGems - oidc - Versions diffs - 0.0.1 - Mend

oidc 0.0.1

Files changed (40) hide show

checksums.yaml +7 -0
data/.rspec +2 -0
data/.rubocop.yml +28 -0
data/CHANGELOG.md +4 -0
data/CODE_OF_CONDUCT.md +84 -0
data/LICENSE.txt +21 -0
data/README.md +46 -0
data/Rakefile +12 -0
data/lib/oidc/access_token/mtls.rb +9 -0
data/lib/oidc/access_token.rb +45 -0
data/lib/oidc/client/registrar.rb +186 -0
data/lib/oidc/client.rb +43 -0
data/lib/oidc/connect_object.rb +52 -0
data/lib/oidc/discovery/provider/config/resource.rb +39 -0
data/lib/oidc/discovery/provider/config/response.rb +112 -0
data/lib/oidc/discovery/provider/config.rb +20 -0
data/lib/oidc/discovery/provider.rb +34 -0
data/lib/oidc/discovery.rb +8 -0
data/lib/oidc/exception.rb +39 -0
data/lib/oidc/jwtnizable.rb +14 -0
data/lib/oidc/request_object/claimable.rb +54 -0
data/lib/oidc/request_object/id_token.rb +8 -0
data/lib/oidc/request_object/user_info.rb +7 -0
data/lib/oidc/request_object.rb +37 -0
data/lib/oidc/response_object/id_token.rb +99 -0
data/lib/oidc/response_object/user_info/address.rb +10 -0
data/lib/oidc/response_object/user_info.rb +65 -0
data/lib/oidc/response_object.rb +8 -0
data/lib/oidc/version.rb +5 -0
data/lib/oidc.rb +98 -0
data/lib/rack/oauth2/server/authorize/error_with_connect_ext.rb +34 -0
data/lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb +40 -0
data/lib/rack/oauth2/server/authorize/extension/code_and_id_token_and_token.rb +36 -0
data/lib/rack/oauth2/server/authorize/extension/id_token.rb +40 -0
data/lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb +36 -0
data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb +26 -0
data/lib/rack/oauth2/server/id_token_response.rb +24 -0
data/oidc.gemspec +46 -0
data/sig/omniauth_oidc.rbs +4 -0
metadata +252 -0

data/lib/oidc/discovery/provider/config/response.rb ADDED Viewed

@@ -0,0 +1,112 @@
+module Oidc
+  module Discovery
+    module Provider
+      class Config
+        class Response
+          include ActiveModel::Validations, AttrRequired, AttrOptional
+          cattr_accessor :metadata_attributes
+          attr_reader :raw
+          attr_accessor :expected_issuer
+          uri_attributes = {
+            required: [
+              :issuer,
+              :authorization_endpoint,
+              :jwks_uri
+            ],
+            optional: [
+              :token_endpoint,
+              :userinfo_endpoint,
+              :registration_endpoint,
+              :end_session_endpoint,
+              :service_documentation,
+              :check_session_iframe,
+              :op_policy_uri,
+              :op_tos_uri
+            ]
+          }
+          attr_required(*(uri_attributes[:required] + [
+            :response_types_supported,
+            :subject_types_supported,
+            :id_token_signing_alg_values_supported
+          ]))
+          attr_optional(*(uri_attributes[:optional] + [
+            :scopes_supported,
+            :response_modes_supported,
+            :grant_types_supported,
+            :acr_values_supported,
+            :id_token_encryption_alg_values_supported,
+            :id_token_encryption_enc_values_supported,
+            :userinfo_signing_alg_values_supported,
+            :userinfo_encryption_alg_values_supported,
+            :userinfo_encryption_enc_values_supported,
+            :request_object_signing_alg_values_supported,
+            :request_object_encryption_alg_values_supported,
+            :request_object_encryption_enc_values_supported,
+            :token_endpoint_auth_methods_supported,
+            :token_endpoint_auth_signing_alg_values_supported,
+            :display_values_supported,
+            :claim_types_supported,
+            :claims_supported,
+            :claims_locales_supported,
+            :ui_locales_supported,
+            :claims_parameter_supported,
+            :request_parameter_supported,
+            :request_uri_parameter_supported,
+            :require_request_uri_registration
+          ]))
+          validates(*required_attributes, presence: true)
+          validates(*uri_attributes.values.flatten, url: true, allow_nil: true)
+          validates :issuer, with: :validate_issuer_matching
+          def initialize(hash)
+            (required_attributes + optional_attributes).each do |key|
+              self.send "#{key}=", hash[key]
+            end
+            @raw = hash
+          end
+          def as_json(options = {})
+            validate!
+            (required_attributes + optional_attributes).inject({}) do |hash, _attr_|
+              value = self.send _attr_
+              hash.merge! _attr_ => value unless value.nil?
+              hash
+            end
+          end
+          def validate!
+            valid? or raise ValidationFailed.new(self)
+          end
+          def jwks
+            @jwks ||= Oidc.http_client.get(jwks_uri).body.with_indifferent_access
+            JSON::JWK::Set.new @jwks[:keys]
+          end
+          def jwk(kid)
+            @jwks ||= {}
+            @jwks[kid] ||= JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+          end
+          def public_keys
+            @public_keys ||= jwks.collect(&:to_key)
+          end
+          private
+          def validate_issuer_matching
+            if expected_issuer.present? && issuer != expected_issuer
+              if Oidc.validate_discovery_issuer
+                errors.add :issuer, 'mismatch'
+              else
+                Oidc.logger.warn 'ignoring issuer mismach.'
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oidc/discovery/provider/config.rb ADDED Viewed

@@ -0,0 +1,20 @@
+module Oidc
+  module Discovery
+    module Provider
+      class Config
+        def self.discover!(identifier, cache_options = {})
+          uri = URI.parse(identifier)
+          Resource.new(uri).discover!(cache_options).tap do |response|
+            response.expected_issuer = identifier
+            response.validate!
+          end
+        rescue SWD::Exception, ValidationFailed => e
+          raise DiscoveryFailed.new(e.message)
+        end
+      end
+    end
+  end
+end
+require 'oidc/discovery/provider/config/resource'
+require 'oidc/discovery/provider/config/response'

data/lib/oidc/discovery/provider.rb ADDED Viewed

@@ -0,0 +1,34 @@
+module Oidc
+  module Discovery
+    module Provider
+      module Issuer
+        REL_VALUE = 'http://openid.net/specs/connect/1.0/issuer'
+        def issuer
+          self.link_for(REL_VALUE)[:href]
+        end
+      end
+      def self.discover!(identifier)
+        resource = case identifier
+        when /^acct:/, /https?:\/\//
+          identifier
+        when /@/
+          "acct:#{identifier}"
+        else
+          "https://#{identifier}"
+        end
+        response = WebFinger.discover!(
+          resource,
+          rel: Issuer::REL_VALUE
+        )
+        response.extend Issuer
+        response
+      rescue WebFinger::Exception => e
+        raise DiscoveryFailed.new(e.message)
+      end
+    end
+  end
+end
+require 'oidc/discovery/provider/config'

data/lib/oidc/discovery.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module Oidc
+  module Discovery
+    class InvalidIdentifier < Exception; end
+    class DiscoveryFailed < Exception; end
+  end
+end
+require 'oidc/discovery/provider'

data/lib/oidc/exception.rb ADDED Viewed

@@ -0,0 +1,39 @@
+module Oidc
+  class Exception < StandardError; end
+  class ValidationFailed < Exception
+    attr_reader :object
+    def initialize(object)
+      super object.errors.full_messages.to_sentence
+      @object = object
+    end
+  end
+  class HttpError < Exception
+    attr_accessor :status, :response
+    def initialize(status, message = nil, response = nil)
+      super message
+      @status = status
+      @response = response
+    end
+  end
+  class BadRequest < HttpError
+    def initialize(message = nil, response = nil)
+      super 400, message, response
+    end
+  end
+  class Unauthorized < HttpError
+    def initialize(message = nil, response = nil)
+      super 401, message, response
+    end
+  end
+  class Forbidden < HttpError
+    def initialize(message = nil, response = nil)
+      super 403, message, response
+    end
+  end
+end

data/lib/oidc/jwtnizable.rb ADDED Viewed

@@ -0,0 +1,14 @@
+module Oidc
+  module JWTnizable
+    def to_jwt(key, algorithm = :RS256, &block)
+      as_jwt(key, algorithm, &block).to_s
+    end
+    def as_jwt(key, algorithm = :RS256, &block)
+      token = JSON::JWT.new as_json
+      yield token if block_given?
+      token = token.sign key, algorithm if algorithm != :none
+      token
+    end
+  end
+end

data/lib/oidc/request_object/claimable.rb ADDED Viewed

@@ -0,0 +1,54 @@
+module Oidc
+  class RequestObject
+    module Claimable
+      def self.included(klass)
+        klass.send :attr_optional, :claims
+      end
+      def initialize(attributes = {})
+        super
+        if claims.present?
+          _claims_ = {}
+          claims.each do |key, value|
+            _claims_[key] = case value
+            when :optional, :voluntary
+              {
+                essential: false
+              }
+            when :required, :essential
+              {
+                essential: true
+              }
+            else
+              value
+            end
+          end
+          self.claims = _claims_.with_indifferent_access
+        end
+      end
+      def as_json(options = {})
+        keys = claims.try(:keys)
+        hash = super
+        Array(keys).each do |key|
+          hash[:claims][key] ||= nil
+        end
+        hash
+      end
+      def required?(claim)
+        accessible?(claim) && claims[claim].is_a?(Hash) && claims[claim][:essential]
+      end
+      alias_method :essential?, :required?
+      def optional?(claim)
+        accessible?(claim) && !required?(claim)
+      end
+      alias_method :voluntary?, :optional?
+      def accessible?(claim)
+        claims.try(:include?, claim)
+      end
+    end
+  end
+end

data/lib/oidc/request_object/id_token.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module Oidc
+  class RequestObject
+    class IdToken < ConnectObject
+      include Claimable
+      attr_optional :max_age
+    end
+  end
+end

data/lib/oidc/request_object/user_info.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module Oidc
+  class RequestObject
+    class UserInfo < ConnectObject
+      include Claimable
+    end
+  end
+end

data/lib/oidc/request_object.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module Oidc
+  class RequestObject < ConnectObject
+    include JWTnizable
+    attr_optional :client_id, :response_type, :redirect_uri, :scope, :state, :nonce, :display, :prompt, :userinfo, :id_token
+    validate :require_at_least_one_attributes
+    undef :id_token=
+    def id_token=(attributes = {})
+      @id_token = IdToken.new(attributes) if attributes.present?
+    end
+    undef :userinfo=
+    def userinfo=(attributes = {})
+      @userinfo = UserInfo.new(attributes) if attributes.present?
+    end
+    def as_json(options = {})
+      super.with_indifferent_access
+    end
+    class << self
+      def decode(jwt_string, key = nil)
+        new JSON::JWT.decode(jwt_string, key)
+      end
+      def fetch(request_uri, key = nil)
+        jwt_string = Oidc.http_client.get(request_uri).body
+        decode jwt_string, key
+      end
+    end
+  end
+end
+require 'oidc/request_object/claimable'
+require 'oidc/request_object/id_token'
+require 'oidc/request_object/user_info'

data/lib/oidc/response_object/id_token.rb ADDED Viewed

@@ -0,0 +1,99 @@
+module Oidc
+  class ResponseObject
+    class IdToken < ConnectObject
+      class InvalidToken < Exception; end
+      class ExpiredToken < InvalidToken; end
+      class InvalidIssuer < InvalidToken; end
+      class InvalidNonce < InvalidToken; end
+      class InvalidAudience < InvalidToken; end
+      attr_required :iss, :sub, :aud, :exp, :iat
+      attr_optional :acr, :amr, :azp, :jti, :sid, :auth_time, :nonce, :sub_jwk, :at_hash, :c_hash, :s_hash
+      attr_accessor :access_token, :code, :state
+      alias_method :subject, :sub
+      alias_method :subject=, :sub=
+      def initialize(attributes = {})
+        super
+        (all_attributes - [:aud, :exp, :iat, :auth_time, :sub_jwk]).each do |key|
+          self.send "#{key}=", self.send(key).try(:to_s)
+        end
+        self.auth_time = auth_time.to_i unless auth_time.nil?
+      end
+      def verify!(expected = {})
+        raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
+        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
+        raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
+        # aud(ience) can be a string or an array of strings
+        unless Array(aud).include?(expected[:audience] || expected[:client_id])
+          raise InvalidAudience.new('Invalid ID token: Audience does not match')
+        end
+        true
+      end
+      include JWTnizable
+      def to_jwt(key, algorithm = :RS256, &block)
+        hash_length = algorithm.to_s[2, 3].to_i
+        if access_token
+          token = case access_token
+          when Rack::OAuth2::AccessToken
+            access_token.access_token
+          else
+            access_token
+          end
+          self.at_hash = left_half_hash_of token, hash_length
+        end
+        if code
+          self.c_hash = left_half_hash_of code, hash_length
+        end
+        if state
+          self.s_hash = left_half_hash_of state, hash_length
+        end
+        super
+      end
+      private
+      def left_half_hash_of(string, hash_length)
+        digest = OpenSSL::Digest.new("SHA#{hash_length}").digest string
+        Base64.urlsafe_encode64 digest[0, hash_length / (2 * 8)], padding: false
+      end
+      class << self
+        def decode(jwt_string, key_or_config)
+          case key_or_config
+          when :self_issued
+            decode_self_issued jwt_string
+          when Oidc::Discovery::Provider::Config::Response
+            jwt = JSON::JWT.decode jwt_string, :skip_verification
+            jwt.verify! key_or_config.jwk(jwt.kid)
+            new jwt
+          else
+            new JSON::JWT.decode jwt_string, key_or_config
+          end
+        end
+        def decode_self_issued(jwt_string)
+          jwt = JSON::JWT.decode jwt_string, :skip_verification
+          jwk = JSON::JWK.new jwt[:sub_jwk]
+          raise InvalidToken.new('Missing sub_jwk') if jwk.blank?
+          raise InvalidToken.new('Invalid subject') unless jwt[:sub] == jwk.thumbprint
+          jwt.verify! jwk
+          new jwt
+        end
+        def self_issued(attributes = {})
+          attributes[:sub_jwk] ||= JSON::JWK.new attributes.delete(:public_key)
+          _attributes_ = {
+            iss: 'https://self-issued.me',
+            sub: JSON::JWK.new(attributes[:sub_jwk]).thumbprint
+          }.merge(attributes)
+          new _attributes_
+        end
+      end
+    end
+  end
+end

data/lib/oidc/response_object/user_info/address.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module Oidc
+  class ResponseObject
+    class UserInfo
+      class Address < ConnectObject
+        attr_optional :formatted, :street_address, :locality, :region, :postal_code, :country
+        validate :require_at_least_one_attributes
+      end
+    end
+  end
+end

data/lib/oidc/response_object/user_info.rb ADDED Viewed

@@ -0,0 +1,65 @@
+module Oidc
+  class ResponseObject
+    class UserInfo < ConnectObject
+      attr_optional(
+        :sub,
+        :name,
+        :given_name,
+        :family_name,
+        :middle_name,
+        :nickname,
+        :preferred_username,
+        :profile,
+        :picture,
+        :website,
+        :email,
+        :email_verified,
+        :gender,
+        :birthdate,
+        :zoneinfo,
+        :locale,
+        :phone_number,
+        :phone_number_verified,
+        :address,
+        :updated_at
+      )
+      alias_method :subject, :sub
+      alias_method :subject=, :sub=
+      validates :email_verified, :phone_number_verified, allow_nil: true, inclusion: {in: [true, false]}
+      validates :zoneinfo,                               allow_nil: true, inclusion: {in: TZInfo::TimezoneProxy.all.collect(&:name)}
+      validates :profile, :picture, :website,            allow_nil: true, url: true
+      validates :email,                                  allow_nil: true, email: true
+      validates :updated_at,                             allow_nil: true, numericality: {only_integer: true}
+      validate :validate_address
+      validate :require_at_least_one_attributes
+      # TODO: validate locale
+      def initialize(attributes = {})
+        super
+        (all_attributes - [:email_verified, :phone_number_verified, :address, :updated_at]).each do |key|
+          self.send "#{key}=", self.send(key).try(:to_s)
+        end
+        self.updated_at = updated_at.try(:to_i)
+      end
+      def validate_address
+        errors.add :address, address.errors.full_messages.join(', ') if address.present? && !address.valid?
+      end
+      undef :address=
+      def address=(hash_or_address)
+        @address = case hash_or_address
+        when Hash
+          Address.new hash_or_address
+        when Address
+          hash_or_address
+        end
+      end
+    end
+  end
+end
+Dir[File.dirname(__FILE__) + '/user_info/*.rb'].each do |file|
+  require file
+end

data/lib/oidc/response_object.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module Oidc
+  class ResponseObject < ConnectObject
+  end
+end
+Dir[File.dirname(__FILE__) + '/response_object/*.rb'].each do |file|
+  require file
+end

data/lib/oidc/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Oidc
+  VERSION = "0.0.1"
+end

data/lib/oidc.rb ADDED Viewed

@@ -0,0 +1,98 @@
+require 'json'
+require 'logger'
+require 'faraday'
+require 'faraday/follow_redirects'
+require 'swd'
+require 'webfinger'
+require 'active_model'
+require 'tzinfo'
+require 'validate_url'
+require 'email_validator/strict'
+require 'mail'
+require 'attr_required'
+require 'attr_optional'
+require 'json/jwt'
+require 'rack/oauth2'
+require 'rack/oauth2/server/authorize/error_with_connect_ext'
+require 'rack/oauth2/server/authorize/request_with_connect_params'
+require 'rack/oauth2/server/id_token_response'
+module Oidc
+  def self.logger
+    @@logger
+  end
+  def self.logger=(logger)
+    @@logger = logger
+  end
+  self.logger = Logger.new(STDOUT)
+  self.logger.progname = 'Oidc'
+  @sub_protocols = [
+    SWD,
+    WebFinger,
+    Rack::OAuth2
+  ]
+  def self.debugging?
+    @@debugging
+  end
+  def self.debugging=(boolean)
+    @sub_protocols.each do |klass|
+      klass.debugging = boolean
+    end
+    @@debugging = boolean
+  end
+  def self.debug!
+    @sub_protocols.each do |klass|
+      klass.debug!
+    end
+    self.debugging = true
+  end
+  def self.debug(&block)
+    sub_protocol_originals = @sub_protocols.inject({}) do |sub_protocol_originals, klass|
+      sub_protocol_originals.merge!(klass => klass.debugging?)
+    end
+    original = self.debugging?
+    debug!
+    yield
+  ensure
+    @sub_protocols.each do |klass|
+      klass.debugging = sub_protocol_originals[klass]
+    end
+    self.debugging = original
+  end
+  self.debugging = false
+  def self.http_client
+    Faraday.new(headers: {user_agent: "Oidc (#{VERSION})"}) do |faraday|
+      faraday.request :url_encoded
+      faraday.request :json
+      faraday.response :json
+      faraday.adapter Faraday.default_adapter
+      http_config&.call(faraday)
+      faraday.response :logger, Oidc.logger, {bodies: true} if debugging?
+    end
+  end
+  def self.http_config(&block)
+    @sub_protocols.each do |klass|
+      klass.http_config(&block) unless klass.http_config
+    end
+    @@http_config ||= block
+  end
+  def self.validate_discovery_issuer=(boolean)
+    @@validate_discovery_issuer = boolean
+  end
+  def self.validate_discovery_issuer
+    @@validate_discovery_issuer
+  end
+  self.validate_discovery_issuer = true
+end
+require 'oidc/exception'
+require 'oidc/client'
+require 'oidc/access_token'
+require 'oidc/jwtnizable'
+require 'oidc/connect_object'
+require 'oidc/discovery'

data/lib/rack/oauth2/server/authorize/error_with_connect_ext.rb ADDED Viewed

@@ -0,0 +1,34 @@
+module Rack
+  module OAuth2
+    module Server
+      class Authorize
+        module ErrorWithConnectExt
+          DEFAULT_DESCRIPTION = {
+            invalid_redirect_uri: 'The redirect_uri in the request does not match any of pre-registered redirect_uris.',
+            interaction_required: 'End-User interaction required.',
+            login_required: 'End-User authentication required.',
+            session_selection_required: 'The End-User is required to select a session at the Authorization Server.',
+            consent_required: 'End-User consent required.',
+            invalid_request_uri: 'The request_uri in the request returns an error or invalid data.',
+            invalid_openid_request_object: 'The request parameter contains an invalid OpenID Request Object.'
+          }
+          def self.included(klass)
+            DEFAULT_DESCRIPTION.each do |error, default_description|
+              # NOTE:
+              #  Connect Message spec doesn't say anything about HTTP status code for each error code.
+              #  It probably means "use 400".
+              error_method = :bad_request!
+              klass.class_eval <<-ERROR
+                def #{error}!(description = "#{default_description}", options = {})
+                  #{error_method} :#{error}, description, options
+                end
+              ERROR
+            end
+          end
+        end
+        Request.send :include, ErrorWithConnectExt
+      end
+    end
+  end
+end