openid-token-proxy 0.1.0

data/spec/dummy/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/spec/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/spec/dummy/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/spec/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf

data/spec/dummy/config/initializers/openid.rb

@@ -0,0 +1,5 @@
+OpenIDTokenProxy.configure do |config|
+  config.token_acquirement_hook = proc { |token|
+    main_app.root_url + "?token=#{token}&refresh_token=#{token.refresh_token}"
+  }
+end

data/spec/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_dummy_session'

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/spec/dummy/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  root to: 'home#index'
+  resource :account
+  mount OpenIDTokenProxy::Engine, at: '/auth'
+end

data/spec/dummy/config/secrets.yml

@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: 108dd645d65f238e23c78f443335185beebc37a18ddb6226cbb54331b31fc3c03a92dd33cdffcd0dcdd0a361f2ec6a2d8c5a0553808de41f8be5ae2119de627c
+
+test:
+  secret_key_base: ed6785ee3b0d5e4c6a705454ba80cd699be6f1cea7b1a24494ffab9e044dc2bb5834b2f6239991d46e6df2a6550cf36b3f6f9c40589eebf21e2c11f8256eb166
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/dummy/public/404.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <div>
+      <h1>The page you were looking for doesn't exist.</h1>
+      <p>You may have mistyped the address or the page may have moved.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/dummy/public/422.html

@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <div>
+      <h1>The change you wanted was rejected.</h1>
+      <p>Maybe you tried to change something you didn't have access to.</p>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/dummy/public/500.html

@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  body {
+    background-color: #EFEFEF;
+    color: #2E2F30;
+    text-align: center;
+    font-family: arial, sans-serif;
+    margin: 0;
+  }
+
+  div.dialog {
+    width: 95%;
+    max-width: 33em;
+    margin: 4em auto 0;
+  }
+
+  div.dialog > div {
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #BBB;
+    border-top: #B00100 solid 4px;
+    border-top-left-radius: 9px;
+    border-top-right-radius: 9px;
+    background-color: white;
+    padding: 7px 12% 0;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+
+  h1 {
+    font-size: 100%;
+    color: #730E15;
+    line-height: 1.5em;
+  }
+
+  div.dialog > p {
+    margin: 0 0 1em;
+    padding: 1em;
+    background-color: #F7F7F7;
+    border: 1px solid #CCC;
+    border-right-color: #999;
+    border-left-color: #999;
+    border-bottom-color: #999;
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-top-color: #DADADA;
+    color: #666;
+    box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17);
+  }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/fixtures/keys.json

@@ -0,0 +1,26 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "use": "sig",
+      "kid": "kriMPdmBvx68skT8-mPAB3BseeA",
+      "x5t": "kriMPdmBvx68skT8-mPAB3BseeA",
+      "n": "kSCWg6q9iYxvJE2NIhSyOiKvqoWCO2GFipgH0sTSAs5FalHQosk9ZNTztX0ywS_AHsBeQPqYygfYVJL6_EgzVuwRk5txr9e3n1uml94fLyq_AXbwo9yAduf4dCHTP8CWR1dnDR-Qnz_4PYlWVEuuHHONOw_blbfdMjhY-C_BYM2E3pRxbohBb3x__CfueV7ddz2LYiH3wjz0QS_7kjPiNCsXcNyKQEOTkbHFi3mu0u13SQwNddhcynd_GTgWN8A-6SN1r4hzpjFKFLbZnBt77ACSiYx-IHK4Mp-NaVEi5wQtSsjQtI--XsokxRDqYLwus1I1SihgbV_STTg5enufuw",
+      "e": "AQAB",
+      "x5c": [
+        "MIIDPjCCAiqgAwIBAgIQsRiM0jheFZhKk49YD0SK1TAJBgUrDgMCHQUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTQwMTAxMDcwMDAwWhcNMTYwMTAxMDcwMDAwWjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkSCWg6q9iYxvJE2NIhSyOiKvqoWCO2GFipgH0sTSAs5FalHQosk9ZNTztX0ywS/AHsBeQPqYygfYVJL6/EgzVuwRk5txr9e3n1uml94fLyq/AXbwo9yAduf4dCHTP8CWR1dnDR+Qnz/4PYlWVEuuHHONOw/blbfdMjhY+C/BYM2E3pRxbohBb3x//CfueV7ddz2LYiH3wjz0QS/7kjPiNCsXcNyKQEOTkbHFi3mu0u13SQwNddhcynd/GTgWN8A+6SN1r4hzpjFKFLbZnBt77ACSiYx+IHK4Mp+NaVEi5wQtSsjQtI++XsokxRDqYLwus1I1SihgbV/STTg5enufuwIDAQABo2IwYDBeBgNVHQEEVzBVgBDLebM6bK3BjWGqIBrBNFeNoS8wLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldIIQsRiM0jheFZhKk49YD0SK1TAJBgUrDgMCHQUAA4IBAQCJ4JApryF77EKC4zF5bUaBLQHQ1PNtA1uMDbdNVGKCmSf8M65b8h0NwlIjGGGy/unK8P6jWFdm5IlZ0YPTOgzcRZguXDPj7ajyvlVEQ2K2ICvTYiRQqrOhEhZMSSZsTKXFVwNfW6ADDkN3bvVOVbtpty+nBY5UqnI7xbcoHLZ4wYD251uj5+lo13YLnsVrmQ16NCBYq2nQFNPuNJw6t3XUbwBHXpF46aLT1/eGf/7Xx6iy8yPJX4DyrpFTutDz882RWofGEO5t4Cw+zZg70dJ/hH/ODYRMorfXEW+8uKmXMKmX2wyxMKvfiPbTy5LmAU8Jvjs2tLg4rOBcXWLAIarZ"
+      ]
+    },
+    {
+      "kty": "RSA",
+      "use": "sig",
+      "kid": "MnC_VZcATfM5pOYiJHMba9goEKY",
+      "x5t": "MnC_VZcATfM5pOYiJHMba9goEKY",
+      "n": "vIqz-4-ER_vNWLON9yv8hIYV737JQ6rCl6XfzOC628seYUPf0TaGk91CFxefhzh23V9Tkq-RtwN1Vs_z57hO82kkzL-cQHZX3bMJD-GEGOKXCEXURN7VMyZWMAuzQoW9vFb1k3cR1RW_EW_P-C8bb2dCGXhBYqPfHyimvz2WarXhntPSbM5XyS5v5yCw5T_Vuwqqsio3V8wooWGMpp61y12NhN8bNVDQAkDPNu2DT9DXB1g0CeFINp_KAS_qQ2Kq6TSvRHJqxRR68RezYtje9KAqwqx4jxlmVAQy0T3-T-IAbsk1wRtWDndhO6s1Os-dck5TzyZ_dNOhfXgelixLUQ",
+      "e": "AQAB",
+      "x5c": [
+        "MIIC4jCCAcqgAwIBAgIQQNXrmzhLN4VGlUXDYCRT3zANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE0MTAyODAwMDAwMFoXDTE2MTAyNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyKs/uPhEf7zVizjfcr/ISGFe9+yUOqwpel38zgutvLHmFD39E2hpPdQhcXn4c4dt1fU5KvkbcDdVbP8+e4TvNpJMy/nEB2V92zCQ/hhBjilwhF1ETe1TMmVjALs0KFvbxW9ZN3EdUVvxFvz/gvG29nQhl4QWKj3x8opr89lmq14Z7T0mzOV8kub+cgsOU/1bsKqrIqN1fMKKFhjKaetctdjYTfGzVQ0AJAzzbtg0/Q1wdYNAnhSDafygEv6kNiquk0r0RyasUUevEXs2LY3vSgKsKseI8ZZlQEMtE9/k/iAG7JNcEbVg53YTurNTrPnXJOU88mf3TToX14HpYsS1ECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAfolx45w0i8CdAUjjeAaYdhG9+NDHxop0UvNOqlGqYJexqPLuvX8iyUaYxNGzZxFgGI3GpKfmQP2JQWQ1E5JtY/n8iNLOKRMwqkuxSCKJxZJq4Sl/m/Yv7TS1P5LNgAj8QLCypxsWrTAmq2HSpkeSk4JBtsYxX6uhbGM/K1sEktKybVTHu22/7TmRqWTmOUy9wQvMjJb2IXdMGLG3hVntN/WWcs5w8vbt1i8Kk6o19W2MjZ95JaECKjBDYRlhG1KmSBtrsKsCBQoBzwH/rXfksTO9JoUYLXiW0IppB7DhNH4PJ5hZI91R8rR0H3/bKkLSuDaKLWSqMhozdhXsIIKvJQ=="
+      ]
+    }
+  ]
+}

data/spec/fixtures/openid-configuration.json

@@ -0,0 +1,30 @@
+{
+  "issuer": "https://sts.windows.net/{tenantid}/",
+  "authorization_endpoint": "https://login.windows.net/common/oauth2/authorize",
+  "token_endpoint": "https://login.windows.net/common/oauth2/token",
+  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
+  "jwks_uri": "https://login.windows.net/common/discovery/keys",
+  "response_types_supported": ["code", "id_token", "code id_token", "token"],
+  "response_modes_supported": ["query", "fragment", "form_post"],
+  "subject_types_supported": ["pairwise"], "scopes_supported": ["openid"],
+  "id_token_signing_alg_values_supported": ["RS256"],
+  "claims_supported": [
+    "sub",
+    "iss",
+    "aud",
+    "exp",
+    "iat",
+    "auth_time",
+    "acr",
+    "amr",
+    "nonce",
+    "email",
+    "given_name",
+    "family_name",
+    "nickname"
+  ],
+  "microsoft_multi_refresh_token": true,
+  "check_session_iframe": "https://login.windows.net/common/oauth2/checksession",
+  "end_session_endpoint": "https://login.windows.net/common/oauth2/logout",
+  "userinfo_endpoint": "https://login.windows.net/common/openid/userinfo"
+}

data/spec/lib/openid_token_proxy/client_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+
+require 'securerandom'
+
+RSpec.describe OpenIDTokenProxy::Client do
+  subject { described_class.new config }
+  let(:config) do
+    OpenIDTokenProxy::Config.new do |config|
+      config.client_id = 'id'
+      config.issuer = 'https://example.com'
+      config.resource = nil
+      config.domain_hint = nil
+      config.prompt = nil
+      config.authorization_endpoint = 'https://example.com/auth'
+      config.token_endpoint = 'https://example.com/token'
+      config.userinfo_endpoint = 'https://example.com/users'
+    end
+  end
+
+  describe '#config' do
+    it 'defaults to OpenIDTokenProxy.config' do
+      client = described_class.new
+      expect(client.config).to eq OpenIDTokenProxy.config
+    end
+
+    it 'may be given explicitly' do
+      expect(subject.config).to eq config
+    end
+  end
+
+  describe '#authorization_uri' do
+    it 'may be explicitly set through configuration' do
+      config.authorization_uri = 'overridden'
+      expect(subject.authorization_uri).to eq 'overridden'
+    end
+
+    context 'when not explicitly set' do
+      let(:expected_auth_uri) {
+        'https://example.com/auth?client_id=id&response_type=code&scope=openid'
+      }
+
+      it 'builds OpenID authorization URI' do
+        expect(subject.authorization_uri).to eq expected_auth_uri
+      end
+
+      context 'when domain hint given' do
+        it 'includes domain hint' do
+          hint = SecureRandom.hex
+          config.domain_hint = hint
+          expect(subject.authorization_uri).to include "domain_hint=#{hint}"
+        end
+      end
+
+      context 'when prompt given' do
+        it 'includes prompt' do
+          prompt = SecureRandom.hex
+          config.prompt = prompt
+          expect(subject.authorization_uri).to include "prompt=#{prompt}"
+        end
+      end
+
+      context 'when resource given' do
+        it 'includes resource' do
+          resource = SecureRandom.hex
+          config.resource = resource
+          expect(subject.authorization_uri).to include "resource=#{resource}"
+        end
+      end
+
+      context 'when redirect_uri given' do
+        it 'includes redirect_uri' do
+          uri = SecureRandom.hex
+          config.redirect_uri = uri
+          expect(subject.authorization_uri).to include "redirect_uri=#{uri}"
+        end
+      end
+    end
+  end
+
+  describe '#retrieve_token!' do
+    let(:client) {
+      double(
+        'authorization_code=' => nil,
+        'refresh_token=' => nil
+      )
+    }
+    let(:access_token) { 'access token' }
+    let(:id_token) { 'id token' }
+    let(:refresh_token) { 'refresh token' }
+    let(:response) {
+      double(
+        access_token: access_token,
+        id_token: id_token,
+        refresh_token: refresh_token
+      )
+    }
+    let(:token) {
+      OpenIDTokenProxy::Token.new(access_token, id_token)
+    }
+
+    before do
+      expect(subject).to receive(:new_client).and_return client
+      allow(OpenIDTokenProxy::Token).to receive(:decode!).and_return token
+    end
+
+    context 'using auth code' do
+      context 'when auth code could not be exchanged' do
+        it 'raises' do
+          error = Rack::OAuth2::Client::Error.new 400, {}
+          expect(client).to receive(:access_token!).and_raise error
+          expect do
+            subject.retrieve_token! auth_code: 'malformed auth code'
+          end.to raise_error OpenIDTokenProxy::Client::AuthCodeError
+        end
+      end
+
+      context 'when auth code is valid' do
+        it 'returns token instance' do
+          expect(client).to receive(:access_token!).and_return response
+          token = subject.retrieve_token! auth_code: 'valid auth code'
+          expect(token.access_token).to eq access_token
+          expect(token.id_token).to eq id_token
+          expect(token.refresh_token).to eq refresh_token
+        end
+      end
+    end
+
+    context 'using refresh token' do
+      context 'when refresh token could not be exchanged' do
+        it 'raises' do
+          error = Rack::OAuth2::Client::Error.new 400, {}
+          expect(client).to receive(:access_token!).and_raise error
+          expect do
+            subject.retrieve_token! refresh_token: 'malformed refresh token'
+          end.to raise_error OpenIDTokenProxy::Client::RefreshTokenError
+        end
+      end
+
+      context 'when refresh token is valid' do
+        it 'returns token instance' do
+          expect(client).to receive(:access_token!).and_return response
+          token = subject.retrieve_token! refresh_token: 'valid refresh token'
+          expect(token.access_token).to eq access_token
+          expect(token.id_token).to eq id_token
+          expect(token.refresh_token).to eq refresh_token
+        end
+      end
+    end
+  end
+end