RubyGems - omniauth_openid_connect_test - Versions diffs - 0.3.6 - Mend

omniauth_openid_connect_test 0.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +7 -0
data/.github/config/rubocop_linter_action.yml +59 -0
data/.github/stale.yml +17 -0
data/.github/workflows/rubocop.yml +22 -0
data/.gitignore +20 -0
data/.rubocop.yml +58 -0
data/.travis.yml +8 -0
data/CHANGELOG.md +47 -0
data/Gemfile +4 -0
data/Guardfile +16 -0
data/LICENSE.txt +22 -0
data/README.md +126 -0
data/Rakefile +10 -0
data/lib/omniauth/openid_connect/errors.rb +9 -0
data/lib/omniauth/openid_connect/version.rb +7 -0
data/lib/omniauth/openid_connect.rb +5 -0
data/lib/omniauth/strategies/openid_connect.rb +365 -0
data/lib/omniauth_openid_connect.rb +3 -0
data/omniauth_openid_connect_test.gemspec +35 -0
data/test/fixtures/id_token.txt +1 -0
data/test/fixtures/jwks.json +8 -0
data/test/fixtures/test.crt +19 -0
data/test/lib/omniauth/strategies/openid_connect_test.rb +620 -0
data/test/strategy_test_case.rb +51 -0
data/test/test_helper.rb +16 -0
metadata +258 -0

data/lib/omniauth/openid_connect/version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+module OmniAuth
+  module OpenIDConnect
+    VERSION = '0.3.6'
+  end
+end

data/lib/omniauth/openid_connect.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+require 'omniauth/openid_connect/errors'
+require 'omniauth/openid_connect/version'
+require 'omniauth/strategies/openid_connect'

data/lib/omniauth/strategies/openid_connect.rb ADDED Viewed

@@ -0,0 +1,365 @@
+# frozen_string_literal: true
+require 'addressable/uri'
+require 'timeout'
+require 'net/http'
+require 'open-uri'
+require 'omniauth'
+require 'openid_connect'
+require 'forwardable'
+module OmniAuth
+  module Strategies
+    class OpenIDConnect
+      include OmniAuth::Strategy
+      extend Forwardable
+      RESPONSE_TYPE_EXCEPTIONS = {
+        'id_token' => { exception_class: OmniAuth::OpenIDConnect::MissingIdTokenError, key: :missing_id_token }.freeze,
+        'code' => { exception_class: OmniAuth::OpenIDConnect::MissingCodeError, key: :missing_code }.freeze,
+      }.freeze
+      def_delegator :request, :params
+      option :name, 'openid_connect'
+      option(:client_options, identifier: nil,
+                              secret: nil,
+                              redirect_uri: nil,
+                              scheme: 'https',
+                              host: nil,
+                              port: 443,
+                              authorization_endpoint: '/authorize',
+                              token_endpoint: '/token',
+                              userinfo_endpoint: '/userinfo',
+                              jwks_uri: '/jwk',
+                              end_session_endpoint: nil)
+      option :issuer
+      option :discovery, false
+      option :client_signing_alg
+      option :client_jwk_signing_key
+      option :client_x509_signing_key
+      option :scope, [:openid]
+      option :response_type, 'code' # ['code', 'id_token']
+      option :state
+      option :response_mode # [:query, :fragment, :form_post, :web_message]
+      option :display, nil # [:page, :popup, :touch, :wap]
+      option :prompt, nil # [:none, :login, :consent, :select_account]
+      option :hd, nil
+      option :max_age
+      option :ui_locales
+      option :id_token_hint
+      option :acr_values
+      option :send_nonce, true
+      option :send_scope_to_token_endpoint, true
+      option :client_auth_method
+      option :post_logout_redirect_uri
+      option :extra_authorize_params, {}
+      option :uid_field, 'sub'
+      def uid
+        user_info.raw_attributes[options.uid_field.to_sym] || user_info.sub
+      end
+      info do
+        {
+          name: user_info.name,
+          email: user_info.email,
+          nickname: user_info.preferred_username,
+          first_name: user_info.given_name,
+          last_name: user_info.family_name,
+          gender: user_info.gender,
+          image: user_info.picture,
+          phone: user_info.phone_number,
+          urls: { website: user_info.website },
+        }
+      end
+      extra do
+        { raw_info: user_info.raw_attributes }
+      end
+      credentials do
+        {
+          id_token: access_token.id_token,
+          token: access_token.access_token,
+          refresh_token: access_token.refresh_token,
+          expires_in: access_token.expires_in,
+          scope: access_token.scope,
+        }
+      end
+      def client
+        @client ||= ::OpenIDConnect::Client.new(client_options)
+      end
+      def config
+        @config ||= ::OpenIDConnect::Discovery::Provider::Config.discover!(options.issuer)
+      end
+      def request_phase
+        options.issuer = issuer if options.issuer.to_s.empty?
+        discover!
+        redirect authorize_uri
+      end
+      def callback_phase
+        error = params['error_reason'] || params['error']
+        error_description = params['error_description'] || params['error_reason']
+        invalid_state = params['state'].to_s.empty? || params['state'] != stored_state
+        raise CallbackError, error: params['error'], reason: error_description, uri: params['error_uri'] if error
+        raise CallbackError, error: :csrf_detected, reason: "Invalid 'state' parameter" if invalid_state
+        return unless valid_response_type?
+        options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
+        verify_id_token!(params['id_token']) if configured_response_type == 'id_token'
+        discover!
+        client.redirect_uri = redirect_uri
+        return id_token_callback_phase if configured_response_type == 'id_token'
+        client.authorization_code = authorization_code
+        access_token
+        super
+      rescue CallbackError => e
+        fail!(e.error, e)
+      rescue ::Rack::OAuth2::Client::Error => e
+        fail!(e.response[:error], e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
+      def other_phase
+        if logout_path_pattern.match?(current_path)
+          options.issuer = issuer if options.issuer.to_s.empty?
+          discover!
+          return redirect(end_session_uri) if end_session_uri
+        end
+        call_app!
+      end
+      def authorization_code
+        params['code']
+      end
+      def end_session_uri
+        return unless end_session_endpoint_is_valid?
+        end_session_uri = URI(client_options.end_session_endpoint)
+        end_session_uri.query = encoded_post_logout_redirect_uri
+        end_session_uri.to_s
+      end
+      def authorize_uri
+        client.redirect_uri = redirect_uri
+        opts = {
+          response_type: options.response_type,
+          response_mode: options.response_mode,
+          scope: options.scope,
+          state: new_state,
+          login_hint: params['login_hint'],
+          ui_locales: params['ui_locales'],
+          claims_locales: params['claims_locales'],
+          prompt: options.prompt,
+          nonce: (new_nonce if options.send_nonce),
+          hd: options.hd,
+          acr_values: options.acr_values,
+        }
+        opts.merge!(options.extra_authorize_params) unless options.extra_authorize_params.empty?
+        client.authorization_uri(opts.reject { |_k, v| v.nil? })
+      end
+      def public_key
+        return config.jwks if options.discovery
+        key_or_secret
+      end
+      private
+      def issuer
+        resource = "#{ client_options.scheme }://#{ client_options.host }"
+        resource = "#{ resource }:#{ client_options.port }" if client_options.port
+        ::OpenIDConnect::Discovery::Provider.discover!(resource).issuer
+      end
+      def discover!
+        return unless options.discovery
+        client_options.authorization_endpoint = config.authorization_endpoint
+        client_options.token_endpoint = config.token_endpoint
+        client_options.userinfo_endpoint = config.userinfo_endpoint
+        client_options.jwks_uri = config.jwks_uri
+        client_options.end_session_endpoint = config.end_session_endpoint if config.respond_to?(:end_session_endpoint)
+      end
+      def user_info
+        return @user_info if @user_info
+        if access_token.id_token
+          decoded = decode_id_token(access_token.id_token).raw_attributes
+          @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
+        else
+          @user_info = access_token.userinfo!
+        end
+      end
+      def access_token
+        return @access_token if @access_token
+        @access_token = client.access_token!(
+          scope: (options.scope if options.send_scope_to_token_endpoint),
+          client_auth_method: options.client_auth_method
+        )
+        verify_id_token!(@access_token.id_token) if configured_response_type == 'code'
+        @access_token
+      end
+      def decode_id_token(id_token)
+        ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
+      end
+      def client_options
+        options.client_options
+      end
+      def new_state
+        state = if options.state.respond_to?(:call)
+                  if options.state.arity == 1
+                    options.state.call(env)
+                  else
+                    options.state.call
+                  end
+                end
+        session['omniauth.state'] = state || SecureRandom.hex(16)
+      end
+      def stored_state
+        session.delete('omniauth.state')
+      end
+      def new_nonce
+        session['omniauth.nonce'] = SecureRandom.hex(16)
+      end
+      def stored_nonce
+        session.delete('omniauth.nonce')
+      end
+      def session
+        return {} if @env.nil?
+        super
+      end
+      def key_or_secret
+        case options.client_signing_alg
+        when :HS256, :HS384, :HS512
+          client_options.secret
+        when :RS256, :RS384, :RS512
+          if options.client_jwk_signing_key
+            parse_jwk_key(options.client_jwk_signing_key)
+          elsif options.client_x509_signing_key
+            parse_x509_key(options.client_x509_signing_key)
+          end
+        end
+      end
+      def parse_x509_key(key)
+        OpenSSL::X509::Certificate.new(key).public_key
+      end
+      def parse_jwk_key(key)
+        json = JSON.parse(key)
+        return JSON::JWK::Set.new(json['keys']) if json.key?('keys')
+        JSON::JWK.new(json)
+      end
+      def decode(str)
+        UrlSafeBase64.decode64(str).unpack1('B*').to_i(2).to_s
+      end
+      def redirect_uri
+        return client_options.redirect_uri unless params['redirect_uri']
+        "#{ client_options.redirect_uri }?redirect_uri=#{ CGI.escape(params['redirect_uri']) }"
+      end
+      def encoded_post_logout_redirect_uri
+        return unless options.post_logout_redirect_uri
+        URI.encode_www_form(
+          post_logout_redirect_uri: options.post_logout_redirect_uri
+        )
+      end
+      def end_session_endpoint_is_valid?
+        client_options.end_session_endpoint &&
+          client_options.end_session_endpoint =~ URI::DEFAULT_PARSER.make_regexp
+      end
+      def logout_path_pattern
+        @logout_path_pattern ||= %r{\A#{Regexp.quote(request_path)}(/logout)}
+      end
+      def id_token_callback_phase
+        user_data = decode_id_token(params['id_token']).raw_attributes
+        env['omniauth.auth'] = AuthHash.new(
+          provider: name,
+          uid: user_data['sub'],
+          info: { name: user_data['name'], email: user_data['email'] },
+          extra: { raw_info: user_data }
+        )
+        call_app!
+      end
+      def valid_response_type?
+        return true if params.key?(configured_response_type)
+        error_attrs = RESPONSE_TYPE_EXCEPTIONS[configured_response_type]
+        fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error']))
+        false
+      end
+      def configured_response_type
+        @configured_response_type ||= options.response_type.to_s
+      end
+      def verify_id_token!(id_token)
+        return unless id_token
+        decode_id_token(id_token).verify!(issuer: options.issuer,
+                                          client_id: client_options.identifier,
+                                          nonce: stored_nonce)
+      end
+      class CallbackError < StandardError
+        attr_accessor :error, :error_reason, :error_uri
+        def initialize(data)
+          self.error = data[:error]
+          self.error_reason = data[:reason]
+          self.error_uri = data[:uri]
+        end
+        def message
+          [error, error_reason, error_uri].compact.join(' | ')
+        end
+      end
+    end
+  end
+end
+OmniAuth.config.add_camelization 'openid_connect', 'OpenIDConnect'

data/lib/omniauth_openid_connect.rb ADDED Viewed

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+require 'omniauth/openid_connect'

data/omniauth_openid_connect_test.gemspec ADDED Viewed

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/openid_connect/version'
+Gem::Specification.new do |spec|
+  spec.name          = 'omniauth_openid_connect_test'
+  spec.version       = OmniAuth::OpenIDConnect::VERSION
+  spec.authors       = ['John Bohn', 'Ilya Shcherbinin']
+  spec.email         = ['jjbohn@gmail.com', 'm0n9oose@gmail.com','burak.akca834@gmail.com']
+  spec.summary       = 'OpenID Connect Strategy for OmniAuth'
+  spec.description   = 'OpenID Connect Strategy for OmniAuth.'
+  spec.homepage      = 'https://github.com/burakakca/omniauth_openid_connect'
+  spec.license       = 'MIT'
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.add_dependency 'addressable', '~> 2.5'
+  spec.add_dependency 'omniauth', '~> 2.0'
+  spec.add_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'coveralls', '~> 0.8'
+  spec.add_development_dependency 'faker', '~> 1.6'
+  spec.add_development_dependency 'guard', '~> 2.14'
+  spec.add_development_dependency 'guard-bundler', '~> 2.2'
+  spec.add_development_dependency 'guard-minitest', '~> 2.4'
+  spec.add_development_dependency 'minitest', '~> 5.1'
+  spec.add_development_dependency 'mocha', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 12.0'
+  spec.add_development_dependency 'rubocop', '~> 0.63'
+  spec.add_development_dependency 'simplecov', '~> 0.12'
+end

data/test/fixtures/id_token.txt ADDED Viewed

@@ -0,0 +1 @@

+ eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg

data/test/fixtures/jwks.json ADDED Viewed

@@ -0,0 +1,8 @@
+{"keys": [{
+    "kty": "RSA",
+    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+    "e": "AQAB",
+    "alg": "RS256",
+    "kid": "1e9gdk7"
+  }]
+}

data/test/fixtures/test.crt ADDED Viewed

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJDCCAgwCCQC57Ob2JfXb+DANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJK
+UDEOMAwGA1UECBMFVG9reW8xITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAxMJbG9jYWxob3N0MB4XDTE0MDgwMTA4NTAxM1oXDTE1MDgw
+MTA4NTAxM1owVDELMAkGA1UEBhMCSlAxDjAMBgNVBAgTBVRva3lvMSEwHwYDVQQK
+ExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+7czSGHN2087T+oX2kBCY/
+XN6UOS/mdU2Gn//omZlyxsQXIqvgBLNWeCVt4QdlFUbgPLggfXUelECV/RUOCIIi
+F2Th4t3x1LviN2XkUiva0DZBnOycqEaJdkyreEuGL1CLVZgZjKmSzNqLl0Yci3D0
+zgVsXFZSadQebietm4CCmfJYREt9NJxXcrLxVDgat/Xm/KJBsohs3f+cbBT8EXer
+7+2oZjZoVUgw1hu0alaOvAfE4mxsVwjn3g2mjDqRJLbbuWqgDobjMHah+d4zwJvN
+ePK8E0hfaz/XBLsJ4e6bQA3M3bANEgSvsicup/qb/0th4gUdc/kj4aJGj0RP7oEC
+AwEAATANBgkqhkiG9w0BAQUFAAOCAQEADuVec/8u2qJiq6K2W/gSLGYCBZq64OrA
+s7L2+S82m9/3gAb62wGcDNZjIGFDQubXmO6RhHv7JUT5YZqv9/kRGTJcHDUrwwoN
+IE99CIPizp7VfnrZ6GsYeszSsw3m+mKTETm+6ELmaSDbYAsrCg4IpGwUF0L88ATv
+CJ8QzW4X7b9dYVc7UAYyCie2N65GXfesBbRlSwFLuVqIzZfMdNpNijTIUwUqGSME
+b8IjLYzvekP53CO4wEBRrAVIPNXgftorxIE30OLWua2Qw3y6Pn+Qp5fLe47025S7
+Lcec18/FbHG0Vbq0qO9cKQw80XyK31N6z556wr2GN2WyixkzVRddXA==
+-----END CERTIFICATE-----