openid-token-proxy 0.1.0

data/lib/openid_token_proxy/token/unverifiable_signature.rb

@@ -0,0 +1,12 @@
+module OpenIDTokenProxy
+  class Token
+
+    # Raised when a token's signature could not be verified
+    class UnverifiableSignature < Error
+      def initialize
+        super 'Token signature could not be verified.'
+      end
+    end
+
+  end
+end

data/lib/openid_token_proxy/token.rb

@@ -0,0 +1,80 @@
+require 'openid_token_proxy/token/expired'
+require 'openid_token_proxy/token/invalid_application'
+require 'openid_token_proxy/token/invalid_audience'
+require 'openid_token_proxy/token/invalid_issuer'
+require 'openid_token_proxy/token/malformed'
+require 'openid_token_proxy/token/required'
+require 'openid_token_proxy/token/unverifiable_signature'
+
+module OpenIDTokenProxy
+  class Token
+    attr_accessor :access_token, :id_token, :refresh_token
+
+    def initialize(access_token, id_token = nil, refresh_token = nil)
+      @access_token = access_token
+      if id_token.is_a? Hash
+        id_token = OpenIDConnect::ResponseObject::IdToken.new(id_token)
+      end
+      @id_token = id_token
+      @refresh_token = refresh_token
+    end
+
+    def to_s
+      @access_token
+    end
+
+    # Retrieves data from identity attributes
+    def [](key)
+      id_token.raw_attributes[key]
+    end
+
+    # Validates this token's expiration state, application, audience and issuer
+    def validate!(assertions = {})
+      raise Expired if expired?
+
+      # TODO: Nonce validation
+
+      if assertions[:audience]
+        audiences = Array(id_token.aud)
+        raise InvalidAudience unless audiences.include? assertions[:audience]
+      end
+
+      if assertions[:client_id]
+        appid = id_token.raw_attributes['appid']
+        raise InvalidApplication if appid && appid != assertions[:client_id]
+      end
+
+      if assertions[:issuer]
+        issuer = id_token.iss
+        raise InvalidIssuer unless issuer == assertions[:issuer]
+      end
+
+      true
+    end
+
+    def expired?
+      id_token.exp.to_i <= Time.now.to_i
+    end
+
+    # Decodes given access token and validates its signature by public key(s)
+    # Use :skip_verification as second argument to skip signature validation
+    def self.decode!(access_token, keys = OpenIDTokenProxy.config.public_keys)
+      raise Required if access_token.blank?
+
+      Array(keys).each do |key|
+        begin
+          object = OpenIDConnect::RequestObject.decode(access_token, key)
+        rescue JSON::JWT::InvalidFormat => e
+          raise Malformed.new(e.message)
+        rescue JSON::JWT::VerificationFailed
+          # Iterate through remaining public keys (if any)
+          # Raises TokenInvalid if none applied (see below)
+        else
+          return Token.new(access_token, object.raw_attributes)
+        end
+      end
+
+      raise UnverifiableSignature
+    end
+  end
+end

data/lib/openid_token_proxy/version.rb

@@ -0,0 +1,3 @@
+module OpenIDTokenProxy
+  VERSION = '0.1.0'
+end

data/lib/openid_token_proxy.rb

@@ -0,0 +1,40 @@
+require File.expand_path('../../config/initializers/inflections', __FILE__)
+
+require 'openid_connect'
+
+require 'openid_token_proxy/error'
+
+require 'openid_token_proxy/client'
+require 'openid_token_proxy/config'
+require 'openid_token_proxy/engine'
+require 'openid_token_proxy/token'
+require 'openid_token_proxy/token/authentication'
+require 'openid_token_proxy/token/refresh'
+require 'openid_token_proxy/version'
+
+module OpenIDTokenProxy
+  class << self
+    def client
+      @client ||= Client.new
+    end
+
+    def config
+      @config ||= Config.new
+    end
+
+    def configure
+      yield config
+    end
+
+    # Sets and yields a new global config for the duration of the given block
+    def configure_temporarily
+      original = config
+      @config = original.dup
+      client.config = @config
+      yield @config
+    ensure
+      @config = original
+      client.config = @config
+    end
+  end
+end

data/openid-token-proxy.gemspec

@@ -0,0 +1,35 @@
+# encoding: utf-8
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'openid_token_proxy/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'openid-token-proxy'
+  spec.version       = OpenIDTokenProxy::VERSION
+  spec.authors       = ['Tim Kurvers']
+  spec.email         = ['ruby@hyper.no']
+  spec.summary       = 'Retrieves and refreshes OpenID tokens on behalf of a user'
+  spec.description   = 'Retrieves and refreshes OpenID tokens on behalf of a user when dealing with complex authentication schemes, such as client-side certificates'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'openid_connect', '~> 0.8.3'
+  spec.add_dependency 'rails', '~> 4.0'
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'coveralls', '~> 0.7.12'
+  spec.add_development_dependency 'guard', '~> 2.12.5'
+  spec.add_development_dependency 'guard-rspec', '~> 4.5.0'
+  spec.add_development_dependency 'pry', '~> 0.10.1'
+  spec.add_development_dependency 'pry-rails', '~> 0.3.4'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec-rails', '~> 3.2.1'
+  spec.add_development_dependency 'simplecov', '~> 0.9.2'
+  spec.add_development_dependency 'webmock', '~> 1.21.0'
+end

data/spec/controllers/openid_token_proxy/callback_controller_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::CallbackController, type: :controller do
+  routes { OpenIDTokenProxy::Engine.routes }
+  let(:access_token) { 'access token' }
+  let(:auth_code) { 'authorization code' }
+  let(:client) { OpenIDTokenProxy.client }
+  let(:token) { double(access_token: access_token) }
+
+  context 'when authorization code is missing' do
+    it 'results in 400 BAD REQUEST with error message' do
+      get :handle
+      expect(response.body).to eq "Required parameter 'code' missing."
+      expect(response).to have_http_status :bad_request
+    end
+  end
+
+  context 'when authorization code is given' do
+    context 'when authorization code could not be exchanged' do
+      it 'results in 400 BAD REQUEST with error message' do
+        error = OpenIDTokenProxy::Client::AuthCodeError.new 'msg'
+        expect(client).to receive(:retrieve_token!).with(
+          auth_code: auth_code
+        ).and_raise error
+        get :handle, code: auth_code
+        expect(response.body).to eq 'Could not exchange authorization code: msg.'
+        expect(response).to have_http_status :bad_request
+      end
+    end
+
+    context 'when authorization code could be exchanged' do
+      before do
+        expect(client).to receive(:retrieve_token!).and_return token
+      end
+
+      context 'with no-op token acquirement hook' do
+        it 'redirects to root' do
+          OpenIDTokenProxy.configure_temporarily do |config|
+            config.token_acquirement_hook = proc { }
+            get :handle, code: auth_code
+            expect(response).to redirect_to controller.main_app.root_url
+          end
+        end
+      end
+
+      context 'when returning URI from token acquirement hook' do
+        it 'redirects to returned URI' do
+          OpenIDTokenProxy.configure_temporarily do |config|
+            uri = '/#token'
+            config.token_acquirement_hook = proc { |token, error|
+              uri
+            }
+            get :handle, code: auth_code
+            expect(response).to redirect_to uri
+          end
+        end
+      end
+
+      context 'when performing an action within token acquirement hook' do
+        it 'takes no additional action' do
+          OpenIDTokenProxy.configure_temporarily do |config|
+            config.token_acquirement_hook = proc { |token, error|
+              render text: 'Custom action'
+            }
+            get :handle, code: auth_code
+            expect(response.body).to eq 'Custom action'
+          end
+        end
+      end
+    end
+  end
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/dummy/app/controllers/accounts_controller.rb

@@ -0,0 +1,10 @@
+class AccountsController < ApplicationController
+  include OpenIDTokenProxy::Token::Authentication
+  include OpenIDTokenProxy::Token::Refresh
+
+  require_valid_token
+
+  def show
+    render json: current_token, status: :ok
+  end
+end

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,5 @@
+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+end

data/spec/dummy/app/controllers/home_controller.rb

@@ -0,0 +1,7 @@
+class HomeController < ApplicationController
+  include OpenIDTokenProxy::Token::Authentication
+  include OpenIDTokenProxy::Token::Refresh
+
+  def index
+  end
+end

data/spec/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/spec/dummy/app/views/home/index.html.erb

@@ -0,0 +1,25 @@
+Visit <a href="<%= OpenIDTokenProxy.client.authorization_uri %>"> authorization URI</a> and sign in.
+
+<% if raw_token %>
+  <hr />
+
+  <dl>
+    <dt>Token</dt>
+    <dd><%= current_token %></dd>
+    <dt>Refresh token</dt>
+    <dd><%= raw_refresh_token || '-' %></dd>
+  </dl>
+
+  <hr />
+
+  <%= link_to 'Use your token', account_path(token: current_token, refresh_token: raw_refresh_token) %> for API authentication.
+
+  <hr />
+
+  <dd>
+    <% current_token.id_token.raw_attributes.each_pair do |key, value| %>
+      <dt><%= key.humanize %></dt>
+      <dd><%= value %></dd>
+    <% end %>
+  </dl>
+<% end %>

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>OpenID token proxy</title>
+  <meta charset="utf8" />
+  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
+  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
+  <%= csrf_meta_tags %>
+  <style>
+    body {
+      font: 14px 'Helvetica';
+      line-height: 1.2em;
+    }
+
+    dt {
+      font-weight: bold;
+      margin: 1em 0 .2em;
+    }
+
+    dd {
+      margin: 0 1em;
+      word-break: break-all;
+    }
+
+    hr {
+      margin: 2em 0;
+      border: 1px solid #DDDDDD;
+    }
+  </style>
+</head>
+<body>
+  <%
+    client = OpenIDTokenProxy.client
+    config = OpenIDTokenProxy.config
+  %>
+
+  <dl>
+    <dt>Client ID</dt>
+    <dd><%= config.client_id %></dd>
+    <dt>Client secret</dt>
+    <dd><%= config.client_secret %></dd>
+    <dt>Issuer</dt>
+    <dd><%= config.issuer %></dd>
+    <dt>Public keys</dt>
+    <dd><%= config.public_keys.count %></dd>
+    <dt>Authorization URI</dt>
+    <dd><%= client.authorization_uri %></dd>
+  </dl>
+
+  <hr />
+
+  <%= yield %>
+</body>
+</html>

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/dummy/config/application.rb

@@ -0,0 +1,27 @@
+require File.expand_path('../boot', __FILE__)
+
+# Pick the frameworks you want:
+# require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "action_view/railtie"
+require "sprockets/railtie"
+require "rails/test_unit/railtie"
+
+Bundler.require(*Rails.groups)
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,5 @@
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+$LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,34 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  # This option may cause significant delays in view rendering with a large
+  # number of complex assets.
+  config.assets.debug = true
+
+  # Adds additional error checking when serving assets at runtime.
+  # Checks for improperly declared sprockets dependencies.
+  # Raises helpful error messages.
+  config.assets.raise_runtime_errors = true
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/dummy/config/environments/production.rb

@@ -0,0 +1,75 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
+  config.serve_static_files = false
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor = :uglifier
+  # config.assets.css_compressor = :sass
+
+  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # Generate digests for assets URLs.
+  config.assets.digest = true
+
+  # `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Set to :debug to see everything in the log.
+  config.log_level = :info
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+end

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,39 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_files  = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/spec/dummy/config/initializers/assets.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# Version of your assets, change this if you want to expire all your assets.
+Rails.application.config.assets.version = '1.0'
+
+# Precompile additional assets.
+# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+# Rails.application.config.assets.precompile += %w( search.js )

data/spec/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!