omniauth-rpi 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6c5b02d8e9d7d9c3c2cfd05e4101beb1cf020f4179fd60df438158e28e4b55fd
+  data.tar.gz: a900c630e232d93a8a9285215020dd9f11455d7c53e03d0682eefd59079cc588
+SHA512:
+  metadata.gz: 11e427ee349802267163fb769c6359f1229e31fc3478fe279d2b3cd6bb372d25ef739b5b0788aae0743e518f9f5358d9655addac56e8c60b2342b66da193abd5
+  data.tar.gz: 7a00f600a2b83a4cd90dcd6d3424d53412ce8422d480cd49dfecb62a6d99946d832bb47b3be31afdca14379f5307fa7764640c5b77562def9cc61ff19ebe623b

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,18 @@
+## Status
+
+- Closes _add issue numbers or delete_
+- Related to _add issue numbers or delete_
+
+## Points for consideration:
+
+- Security
+- Performance
+- Has Changelog been updated?
+
+## What's changed?
+
+_Description of what's been done - bullets are usually best, but you do you._
+
+## Steps to perform after merge
+
+_Does a new version of the gem needs to be tagged and released?_

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,75 @@
+require: rubocop-rspec
+
+AllCops:
+  Exclude:
+    - 'Gemfile'
+    - 'vendor/**/*'
+    - 'spec/fixtures/**/*'
+    - 'tmp/**/*'
+    - 'db/schema.rb'
+    - 'db/migrations/**/*'
+    - 'db/seeds/**/*'
+    - 'bin/**/*'
+  TargetRubyVersion: 2.3
+
+Documentation:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+    - 'config/routes.rb'
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/MethodLength:
+  Max: 15
+
+Rails:
+  Enabled: true
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+
+Style/AlignHash:
+  EnforcedHashRocketStyle: table
+  EnforcedColonStyle:      table
+
+Style/BracesAroundHashParameters:
+  EnforcedStyle: context_dependent
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+
+Style/IndentHash:
+  EnforcedStyle: consistent
+
+Style/SymbolProc:
+  Enabled: true
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInLiteral:
+  EnforcedStyleForMultiline: comma
+
+RSpec/HookArgument:
+  EnforcedStyle: each
+
+RSpec/NestedGroups:
+  Enabled: false
+
+RSpec/ExampleLength:
+  Max: 15
+
+RSpec/ExpectActual:
+  Exclude:
+    - 'spec/routing/**/*'
+
+RSpec/InstanceVariable:
+  Exclude:
+    - 'spec/views/**/*'

data/.tool-versions

@@ -0,0 +1 @@
+ruby 2.7.2

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.1
+before_install: gem install bundler -v 1.15.4

data/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.0] - 2021-09-10
+### Added
+- Changelog in preparation for publishing app to rubygems.org
+- Omniauth strategy for authenticating via RPI Hydra V1 endpoints

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in omniauth_rpi.gemspec
+gemspec

data/LICENCE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Raspberry Pi Foundation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,87 @@
+# OmniAuth Raspberry Pi
+
+This is the official OmniAuth strategy for authenticating to Raspberry pi.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-rpi', '~> 1.1.0'
+```
+
+And then execute:
+
+    $ bundle
+
+## Basic Usage
+
+- [Integrating with OmniAuth](https://github.com/omniauth/omniauth/wiki)
+- [Integrating with Devise](https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview)
+
+
+```ruby
+use OmniAuth::Builder do
+  provider OmniAuth::Strategies::Hydra1, ENV['RASPBERRY_KEY'], ENV['RASPBERRY_SECRET']
+end
+```
+
+## Use in development
+
+In development it is sometimes useful to point at a staging/local version of the authentication
+server (ie Hydra).
+
+```ruby
+use OmniAuth::Builder do
+  provider OmniAuth::Strategies::Hydra1, ENV['RASPBERRY_KEY'], ENV['RASPBERRY_SECRET'],
+    :scope           => 'openid email profile',
+    :client_options  => {
+      :site          => 'http://localhost:9000',
+      :authorize_url => 'http://localhost:9000/oauth2/auth',
+      :token_url     => 'http://localhost:9000/oauth2/token'
+    }
+ )
+```
+
+## Bypassing OmniAuth/OAuth
+
+It is also possible to bypass OmniAuth (and OAuth) **entirely**, which can be useful in circumstances where hostnames are dynamic, e.g. in review deployments.  To do this add the following code to your OmniAuth initializer.
+
+```ruby
+# We've usually used an environment variable set outside the app to trigger the
+# auth bypass.
+if ENV.has_key? 'BYPASS_OAUTH'
+  using RpiAuthBypass
+  OmniAuth.config.enable_rpi_auth_bypass
+end
+```
+
+This will log you in with the following details:
+  * uid: `b6301f34-b970-4d4f-8314-f877bad8b150`
+  * email: `web@raspberrypi.org`
+  * name: `Web Team`
+  * nickname: `Web`
+
+If you wish to specify your user's details, you can add the info manually with the following method call.
+```
+OmniAuth.config.add_rpi_mock(uid: '1234', info: {name: 'Example', nickname: 'Ex', email: 'ex@example.com' } )
+```
+
+All this could also be done inside the `OmniAuth::Builder` block too.
+
+```ruby
+using RpiAuthBypass
+
+use OmniAuth::Builder do
+  configure do |c|
+    if ENV.has_key? 'BYPASS_OAUTH'
+      c.enable_rpi_auth_bypass
+      c.add_rpi_mock(uid: 'foo', info: {name: ... } )
+    end
+  end
+end
+```
+
+## Publishing changes
+
+When publishing changes to the provider, don't forget to bump the version number in `lib/omniauth-rpi/version.rb`

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "omniauth_rpi"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/omniauth/strategies/hydra0.rb

@@ -0,0 +1,79 @@
+require 'omniauth-oauth2'
+require 'jwt'
+
+module OmniAuth::Strategies
+  class Hydra0 < OmniAuth::Strategies::OAuth2
+    option :client_options,
+           :site          => 'https://auth.raspberrypi.org',
+           :authorize_url => 'https://auth.raspberrypi.org/oauth2/auth',
+           :token_url     => 'https://auth.raspberrypi.org/oauth2/token'
+
+    def authorize_params
+      super.tap do |params|
+        %w[scope client_options].each do |v|
+          params[v.to_sym] = request.params[v] if request.params[v]
+        end
+      end
+    end
+
+    def build_access_token
+       options.token_params[:headers] = { 'Authorization' => basic_auth_header }
+       super
+     end
+
+    def basic_auth_header
+     'Basic ' + Base64.strict_encode64("#{options[:client_id]}:#{options[:client_secret]}")
+    end
+
+    def callback_url
+      full_host + callback_path
+    end
+
+    uid { raw_info['uuid'].to_s }
+
+    info do
+      {
+        'email'    => email,
+        'username' => username,
+        'name'     => fullname,
+        'nickname' => nickname,
+        'image'    => image,
+      }
+    end
+
+    extra do
+      {
+        'raw_info' => raw_info
+      }
+    end
+
+    def raw_info
+      @raw_info ||= (JWT.decode access_token.params['id_token'], nil, false)[0]
+    end
+
+    def email
+      raw_info['email']
+    end
+
+    # <13 accounts have username instead of email
+    def username
+      raw_info['username']
+    end
+
+    def nickname
+      raw_info['nickname']
+    end
+
+    # use fullname to avoid clash with 'name'
+    def fullname
+      raw_info['name']
+    end
+
+    def image
+      # deserialise openid claim into auth schema
+      raw_info['picture']
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'hydra0', 'Hydra0'

data/lib/omniauth/strategies/hydra1.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+require 'jwt'
+
+module OmniAuth
+  module Strategies
+    class Hydra1 < OmniAuth::Strategies::OAuth2 
+      option :client_options, {
+        site:         'https://auth-v1.raspberrypi.org',
+        authorize_url:'https://auth-v1.raspberrypi.org/oauth2/auth',
+        token_url:    'https://auth-v1.raspberrypi.org/oauth2/token'
+      }
+
+      def authorize_params
+        super.tap do |params|
+          %w[scope client_options].each do |v|
+            params[v.to_sym] = request.params[v] if request.params[v]
+          end
+        end
+      end
+
+      def callback_url
+        full_host + callback_path
+      end
+
+      uid { raw_info['user'].to_s }
+
+      info do
+        {
+          'email'    => email,
+          'username' => username,
+          'name'     => fullname,
+          'nickname' => nickname,
+          'image'    => image,
+        }
+      end
+
+      extra do
+        {
+          'raw_info' => raw_info
+        }
+      end
+
+      def raw_info
+        @raw_info ||= (JWT.decode access_token.params['id_token'], nil, false)[0]
+      end
+
+      def email
+        raw_info['email']
+      end
+
+      # <13 accounts have username instead of email
+      def username
+        raw_info['username']
+      end
+
+      def nickname
+        raw_info['nickname']
+      end
+
+      # use fullname to avoid clash with 'name'
+      def fullname
+        raw_info['name']
+      end
+
+      def image
+        # deserialise openid claim into auth schema
+        raw_info['picture']
+      end
+    end
+  end
+end
+
+OmniAuth.config.add_camelization 'hydra1', 'Hydra1'

data/lib/omniauth/strategies/rpi.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'omniauth-oauth2'
+require 'jwt'
+
+module OmniAuth::Strategies
+  class Rpi < OmniAuth::Strategies::Hydra1
+    option name: "raspberrypi_accounts"
+  end
+end
+
+OmniAuth.config.add_camelization 'rpi', 'Rpi'

data/lib/omniauth-rpi/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Rpi
+    VERSION = '1.1.0'.freeze
+  end
+end

data/lib/omniauth-rpi.rb

@@ -0,0 +1,5 @@
+require 'omniauth-rpi/version' # rubocop:disable Naming/FileName
+require 'omniauth/strategies/hydra0'
+require 'omniauth/strategies/hydra1'
+require 'omniauth/strategies/rpi'
+require 'rpi_auth_bypass'

data/lib/rpi_auth_bypass.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module RpiAuthBypass
+  DEFAULT_UID = 'b6301f34-b970-4d4f-8314-f877bad8b150'
+  DEFAULT_EMAIL = 'web@raspberrypi.org'
+  DEFAULT_USERNAME = 'webteam'
+  DEFAULT_NAME = 'Web Team'
+  DEFAULT_NICKNAME = 'Web'
+  DEFAULT_PROFILE = 'https://profile.raspberrypi.org/not/a/real/path'
+  DEFAULT_IMAGE = 'https://www.placecage.com/200/200'
+  DEFAULT_ROLES = 'user'
+  DEFAULT_COUNTRY = 'United Kingdom'
+  DEFAULT_COUNTRY_CODE = 'GB'
+  DEFAULT_POSTCODE = 'SW1A 1AA'
+  DEFAULT_INFO = {
+    name: DEFAULT_NAME,
+    nickname: DEFAULT_NICKNAME,
+    email: DEFAULT_EMAIL,
+    username: DEFAULT_USERNAME,
+    image: DEFAULT_IMAGE,
+  }.freeze
+  DEFAULT_EXTRA = {
+    raw_info: {
+      roles: DEFAULT_ROLES,
+      name: DEFAULT_NAME,
+      nickname: DEFAULT_NICKNAME,
+      email: DEFAULT_EMAIL,
+      username: DEFAULT_USERNAME,
+      country: DEFAULT_COUNTRY,
+      country_code: DEFAULT_COUNTRY_CODE,
+      postcode: DEFAULT_POSTCODE,
+      profile: DEFAULT_PROFILE,
+      avatar: DEFAULT_IMAGE,
+    }
+  }.freeze
+
+  refine OmniAuth::Configuration do
+    def enable_rpi_auth_bypass
+      logger.info 'Enabling RpiAuthBypass'
+      add_rpi_mock unless @mock_auth[:rpi]
+
+      self.test_mode = self.rpi_auth_bypass = true
+    end
+
+    def disable_rpi_auth_bypass
+      logger.debug 'Disabing RpiAuthBypass'
+      @mock_auth.delete(:rpi)
+
+      self.test_mode = self.rpi_auth_bypass = false
+    end
+
+    def add_rpi_mock(uid: RpiAuthBypass::DEFAULT_UID, info: RpiAuthBypass::DEFAULT_INFO, extra: RpiAuthBypass::DEFAULT_EXTRA)
+      add_mock(:rpi, {
+                 provider: 'Rpi',
+                 uid: uid,
+                 info: info,
+                 extra: extra,
+               })
+    end
+
+    attr_writer :rpi_auth_bypass
+  end
+end

data/omniauth-rpi.gemspec

@@ -0,0 +1,33 @@
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth-rpi/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'omniauth-rpi'
+  spec.version       = OmniAuth::Rpi::VERSION
+  spec.author        = 'Raspberry Pi Foundation'
+  spec.email         = 'web@raspberrypi.org'
+
+  spec.summary       = 'Official OmniAuth strategy for Raspberry Pi.'
+  spec.description   = 'Supporting OmniAuth OAuth 2 authentication for Raspberry Pi accounts.'
+  spec.license       = 'MIT'
+  spec.homepage      = 'https://www.raspberrypi.org'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+
+  spec.add_runtime_dependency 'jwt', '~> 2.2.3'
+  spec.add_runtime_dependency 'omniauth', '~> 2.0'
+  spec.add_runtime_dependency 'omniauth-oauth2', '~> 1.4'
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'rake', '~> 12.3.3'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 1.20'
+  spec.add_development_dependency 'rubocop-rspec', '~> 2.4.0'
+  spec.add_development_dependency 'simplecov', '~> 0.21.2'
+end

metadata

@@ -0,0 +1,190 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-rpi
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- Raspberry Pi Foundation
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-09-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.20'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.4.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+description: Supporting OmniAuth OAuth 2 authentication for Raspberry Pi accounts.
+email: web@raspberrypi.org
+executables:
+- console
+- setup
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/PULL_REQUEST_TEMPLATE.md"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".tool-versions"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENCE.md
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/omniauth-rpi.rb
+- lib/omniauth-rpi/version.rb
+- lib/omniauth/strategies/hydra0.rb
+- lib/omniauth/strategies/hydra1.rb
+- lib/omniauth/strategies/rpi.rb
+- lib/rpi_auth_bypass.rb
+- omniauth-rpi.gemspec
+homepage: https://www.raspberrypi.org
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: Official OmniAuth strategy for Raspberry Pi.
+test_files: []