omniauth-himari 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2a1280e30d7d894b2db9ed7f9bbc12ddc2feb23c05b8b7e2114b0346ae314966
+  data.tar.gz: e9d350f407d5de7c26a72eaef8886935abb0334da60249e7137fd594af3a4eab
+SHA512:
+  metadata.gz: 978c7555d9221b256309c56019a85e3030151627fc3f865d70c72976ebfe8008f4f2ae8d66e998e49eb8cbb0f955f794f38ebec7135dcc5d41cdda7b7c849f31
+  data.tar.gz: 82129a5f925165b1cf4edabfc0882d900acfbd81dad4da6bb6066b7edca7c94e9cdc4f163dfbd766542095e307d0812b1f515cb31416af21fbe899e1e39b3079

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2023-03-24
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Sorah Fukumori
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,106 @@
+# OmniAuth strategy for Himari
+
+OmniAuth strategy to act as OIDC RP and use [Himari](https://github.com/sorah/himari) for OP.
+
+## Installation
+
+```ruby
+# Gemfile
+gem 'omniauth-himari'
+```
+
+## Usage
+
+### Setup
+
+```ruby
+use OmniAuth::Builder do
+  provider :himari, {
+    site: 'https://himari.example.invalid',
+    client_id: '...',
+    client_secret: '...',
+
+    # verify_options: { ... } # JWT.decode verify options override
+    # verify_at_hash: true, # Verify at_hash returned in ID token
+
+    # use_userinfo: false # force use of userinfo endpoint for raw_info
+    # jwks_url: '...' # JWKs url to override (default=/public/jwks)
+
+    # user_agent: '...' # user-agent to send (default=OmniAuthHimari/X.Y.Z)
+
+    ## omniauth-oauth2 common strategy options
+    # client_options: { ... },
+    # pkce: true,
+  }
+end
+```
+
+### Auth Hash
+
+```json
+{
+  "provider": "himari",
+  "uid": "id_claim.sub",
+  "info": {
+    "name": "name || sub",
+    "nickname": "preferred_username",
+    "email": "email",
+    "first_name": "given_name",
+    "last_name": "family_name",
+    "image": "picture"
+  },
+  "credentials": {
+    "token": "access_token",
+    "expires_at": 42,
+    "expires": true,
+    "id_token": "id_token"
+  },
+  "extra": {
+    "userinfo_used": false,
+    "id_token": {
+      "claims": {
+        "sub": "sub",
+        "name": "name",
+        "preferred_username": "preferred_username",
+        "iss": "https://himari.example.invalid",
+        "aud": "...",
+        "iat": 1679595201,
+        "nbf": 1679595201,
+        "exp": 1679598801,
+        "at_hash": "..."
+      },
+      "header": {
+        "typ": "JWT",
+        "alg": "RS256",
+        "kid": "..."
+      }
+    },
+    "raw_info": {
+      "sub": "sub",
+      "name": "name",
+      "preferred_username": "preferred_username",
+      "iss": "https://himari.example.invalid",
+      "aud": "...",
+      "iat": 1679595201,
+      "nbf": 1679595201,
+      "exp": 1679598801,
+      "at_hash": "..."
+    }
+  }
+}
+```
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/himari.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+Bundler::GemHelper.tag_prefix = "omniauth-himari/"
+
+task default: :spec

data/lib/omniauth/strategies/himari.rb

@@ -0,0 +1,177 @@
+require 'omniauth'
+require 'omniauth-oauth2'
+require 'oauth2'
+require 'digest/sha2'
+
+require 'omniauth-himari/version'
+
+module OmniAuth
+  module Strategies
+    class Himari < OmniAuth::Strategies::OAuth2
+      class IdTokenMissing < StandardError; end
+      class ConfigurationError < StandardError; end
+      class VerificationError < StandardError; end
+
+      option :name, 'himari'
+
+      option :client_options, {}
+      option :pkce, true
+
+      option :verify_options, {}
+      option :verify_at_hash, true
+
+      option :use_userinfo, false
+
+      option :jwks_url, nil
+
+      option :user_agent, nil
+
+      args %i(site)
+
+      def client
+        options.client_options.site ||= options.site
+        options.client_options.authorize_url ||= '/oidc/authorize'
+        options.client_options.token_url ||= '/public/oidc/token'
+        options.client_options.userinfo_url ||= '/public/oidc/userinfo'
+        options.client_options.access_token_class ||= AccessToken # https://gitlab.com/oauth-xx/oauth2/-/issues/628
+
+        options.client_options.connection_opts ||= {}
+        options.client_options.connection_opts[:headers] ||= {}
+        options.client_options.connection_opts[:headers] = {
+          'User-Agent' => user_agent,
+        }.merge(options.client_options.connection_opts[:headers])
+
+        raise ConfigurationError, "client_id and client_secret is required" unless options.client_id && options.client_secret
+        raise ConfigurationError, "site is required" unless options.client_options.site
+        super
+      end
+
+      uid { raw_info['sub'] }
+
+      credentials do
+        retval = {
+          'token' => access_token.token,
+          'expires' => access_token.expires?,
+          'expires_at' => access_token.expires_at,
+          'id_token' => access_token.params && access_token.params['id_token'],
+        }
+        raise IdTokenMissing, 'id_token is missing' unless retval['id_token']
+        retval
+      end
+
+      info do
+        {
+          name: raw_info['name'] || raw_info['sub'],
+          nickname: raw_info['preferred_username'],
+          email: raw_info['email'],
+          first_name: raw_info['given_name'],
+          last_name: raw_info['family_name'],
+          image: raw_info['picture'],
+        }
+      end
+
+      extra do
+        {
+          userinfo_used: options.use_userinfo,
+          id_token: id_token.to_h,
+          raw_info: raw_info,
+        }
+      end
+
+      def verify_at_hash!(id_token)
+        return unless options.verify_at_hash
+
+        function = case id_token.header['alg'] # this is safe as we've verified
+        when 'ES256', 'RS256'; Digest::SHA256
+        when 'ES384'; Digest::SHA384
+        when 'ES512'; Digest::SHA512
+        else
+          raise VerificationError, "unknown hash function to verify at_hash for #{id_token.header['alg']}"
+        end
+
+        dgst = function.digest(access_token.token)
+        expected_at_hash = Base64.urlsafe_encode64(dgst[0, dgst.size/2], padding: false)
+
+        given_at_hash = id_token.claims['at_hash']
+
+        unless given_at_hash == expected_at_hash
+          raise VerificationError, "at_hash mismatch #{given_at_hash.inspect}, #{expected_at_hash.inspect}"
+        end
+      end
+
+      def raw_info
+        @raw_info ||= (!skip_info? && options.use_userinfo) ? access_token.get('/public/oidc/userinfo').parsed : id_token.claims
+      end
+
+      def faraday
+        @faraday ||= Faraday.new(options.site, headers: {'User-Agent' => user_agent}) do |b|
+          b.response :json
+          b.response :raise_error
+        end
+      end
+
+      def callback_url
+        options[:redirect_uri] || (full_host + callback_path) # https://github.com/omniauth/omniauth-oauth2/pull/142
+      end
+
+      def user_agent
+        options.user_agent || "OmniauthHimari/#{Omniauth::Himari::VERSION}"
+      end
+
+      def authorize_params
+        super.tap do |params|
+          params[:scope] = 'openid'
+        end
+      end
+
+      IdToken = Struct.new(:claims, :header)
+
+      def id_token
+        @id_token ||= begin
+          jwt = access_token.params['id_token'] or raise(IdTokenMissing, 'id_token is missing')
+          retval = IdToken.new(*JWT.decode(
+            jwt,
+            nil,
+            true,
+            {
+              algorithms: jwks.map { |k| k[:alg] }.compact.uniq,
+              jwks: jwks,
+              verify_aud: true,
+              aud: options.client_id,
+              verify_iss: true,
+              iss: options.site,
+              verify_expiration: true,
+            }.merge(options.verify_options)
+          ))
+          verify_at_hash!(retval)
+          retval
+        end
+      end
+
+      def jwks
+        JWT::JWK::Set.new(jwks_json).tap do |set|
+          set.filter! { |k| k[:use] == 'sig' }
+        end
+      end
+
+      def jwks_json
+        faraday.get(options.jwks_url || 'public/jwks').body
+      rescue Faraday::Error => e
+        raise JwksUnavailable, "failed to retrieve jwks; #{e.inspect}"
+      end
+
+      # https://github.com/omniauth/omniauth-oauth2/pull/142
+      class AccessToken < ::OAuth2::AccessToken
+        private def extra_tokens_warning(*)
+          # do nothing
+        end
+
+        def inspect
+          "#<#{self.class.name}:0x#{self.__id__.to_s(16)}>"
+        end
+      end
+    end
+  end
+end
+
+

data/lib/omniauth-himari/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module Himari
+    VERSION = "0.1.0"
+  end
+end

data/lib/omniauth-himari.rb

@@ -0,0 +1,2 @@
+require 'omniauth-himari/version'
+require 'omniauth/strategies/himari'

data/omniauth-himari.gemspec

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative "lib/omniauth-himari/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-himari"
+  spec.version = Omniauth::Himari::VERSION
+  spec.authors = ["Sorah Fukumori"]
+  spec.email = ["her@sorah.jp"]
+
+  spec.summary = "OmniAuth strategy for Himari"
+  spec.description = "OmniAuth strategy to act as OIDC RP and use [Himari](https://github.com/sorah/himari) for OP."
+  spec.homepage = "https://github.com/sorah/himari"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/sorah/himari"
+  #spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  if ENV['HIMARI_LAMBDA_IMAGE']
+    spec.files = Dir.chdir(__dir__) { Dir["./**/*"] }.reject { |f|  (File.expand_path(f) == __FILE__) }
+  else
+    spec.files = Dir.chdir(__dir__) do
+      `git ls-files -z`.split("\x0").reject do |f|
+        (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+      end
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'omniauth'
+  spec.add_dependency 'omniauth-oauth2'
+  spec.add_dependency 'oauth2'
+  spec.add_dependency 'faraday'
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/sig/omniauth/himari.rbs

@@ -0,0 +1,6 @@
+module Omniauth
+  module Himari
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-himari
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Sorah Fukumori
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-03-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OmniAuth strategy to act as OIDC RP and use [Himari](https://github.com/sorah/himari)
+  for OP.
+email:
+- her@sorah.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-himari.rb
+- lib/omniauth-himari/version.rb
+- lib/omniauth/strategies/himari.rb
+- omniauth-himari.gemspec
+- sig/omniauth/himari.rbs
+homepage: https://github.com/sorah/himari
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/sorah/himari
+  source_code_uri: https://github.com/sorah/himari
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: OmniAuth strategy for Himari
+test_files: []