openid_connect 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 806c31b986d5df085e19f74d6b7140f3db2b70c5
-  data.tar.gz: ad199229fe09fc363fd985c047c038c874c1ef8f
+  metadata.gz: 7e2f19e123a06f31e0d6081e5ec4f8b05eaa56b7
+  data.tar.gz: 4a90cb5da6acf0bc5382562a047badd6dec4efd5
 SHA512:
-  metadata.gz: 1a2abe2d41fc859cf818416f3f91a55f0c87644bf0254ddfa8438d905d8ac14f21abb6bdadd52744d3567c99680d95acc4e746bedb9dd48d634c3b3a7a7b70e1
-  data.tar.gz: 25e21e4e866c87d4a3732a62152f3ecff3c0f8c24b9ea992417d6c138039c464a44c90e8c68cfec46a131878615356de8f4939a1f6aa574a71c6394e31af7b79
+  metadata.gz: 061da991172819aca5f12d331a8dc05116821b3bf4b56843f5c9a0cf987e3369756bad429fe135ee49322f126154d65d8f28c3b9adabac8c5acbf0380cf6264f
+  data.tar.gz: 814e741ecf52b5669278a88412f16b4ff2141029709bdf151f1a601b371650a7090df6de3f5eff1883b93e8d909237cc98fc4d8d7562ffadb8b50610184017e3

data/.travis.yml

@@ -1,3 +1,3 @@
 rvm:
-  - 1.9.2
   - 1.9.3
+  - 2.0.0

data/README.rdoc

@@ -2,6 +2,8 @@
 
 OpenID Connect Server & Client Library
 
+{<img src="https://secure.travis-ci.org/nov/openid_connect.png" />}[http://travis-ci.org/nov/openid_connect]
+
 == Installation
 
   gem install openid_connect
@@ -25,7 +27,7 @@ OpenID Connect Server & Client Library
 * Source on GitHub (https://github.com/nov/openid_connect_sample_rp)
 
 == Note on Patches/Pull Requests
- 
+
 * Fork the project.
 * Make your feature addition or bug fix.
 * Add tests for it. This is important so I don't break it in a

data/VERSION

@@ -1 +1 @@
-0.6.1
+0.7.0

data/lib/openid_connect/access_token.rb

@@ -14,7 +14,6 @@ module OpenIDConnect
       end
       ResponseObject::UserInfo::OpenID.new hash
     end
-    alias_method :user_info!, :userinfo!
 
     private
 
@@ -22,7 +21,7 @@ module OpenIDConnect
       res = yield
       case res.status
       when 200
-        JSON.parse res.body, symbolize_names: true
+        JSON.parse(res.body).with_indifferent_access
       when 400
         raise BadRequest.new('API Access Faild', res)
       when 401

data/lib/openid_connect/client.rb

@@ -1,13 +1,10 @@
 module OpenIDConnect
   class Client < Rack::OAuth2::Client
     attr_optional :userinfo_endpoint, :expires_in
-    alias_method :user_info_endpoint, :userinfo_endpoint
-    alias_method :user_info_endpoint=, :userinfo_endpoint=
 
     def initialize(attributes = {})
-      attributes[:userinfo_endpoint] ||= attributes[:user_info_endpoint]
       super attributes
-      self.userinfo_endpoint ||= '/user_info'
+      self.userinfo_endpoint ||= '/userinfo'
     end
 
     def authorization_uri(params = {})
@@ -19,7 +16,6 @@ module OpenIDConnect
     def userinfo_uri
       absolute_uri_for userinfo_endpoint
     end
-    alias_method :user_info_uri, :userinfo_uri
 
     private
 
@@ -30,7 +26,7 @@ module OpenIDConnect
     end
 
     def handle_success_response(response)
-      token_hash = JSON.parse response.body, symbolize_names: true
+      token_hash = JSON.parse(response.body).with_indifferent_access
       case token_type = token_hash[:token_type].try(:downcase)
       when 'bearer'
         AccessToken.new token_hash.merge(client: self)

data/lib/openid_connect/client/registrar.rb

@@ -5,22 +5,20 @@ module OpenIDConnect
 
       class RegistrationFailed < HttpError; end
 
+      cattr_accessor :plurar_uri_attributes, :metadata_attributes
+      singular_uri_attributes = [
+        :logo_uri,
+        :client_uri,
+        :policy_uri,
+        :tos_uri,
+        :jwks_uri,
+        :sector_identifier_uri,
+        :initiate_login_uri
+      ]
       singular_attributes = [
-        :operation,
-        :client_id,
-        :client_secret,
-        :access_token,
         :application_type,
         :client_name,
-        :logo_url,
         :token_endpoint_auth_method,
-        :policy_url,
-        :tos_url,
-        :jwk_url,
-        :jwk_encryption_url,
-        :x509_url,
-        :x509_encryption_url,
-        :sector_identifier_url,
         :subject_type,
         :request_object_signing_alg,
         :userinfo_signed_response_alg,
@@ -30,81 +28,47 @@ module OpenIDConnect
         :id_token_encrypted_response_alg,
         :id_token_encrypted_response_enc,
         :default_max_age,
-        :require_auth_time,
-        :default_acr,
-        :initiate_login_uri,
-        :post_logout_redirect_url
+        :require_auth_time
+      ] + singular_uri_attributes
+      self.plurar_uri_attributes = [
+        :redirect_uris,
+        :post_logout_redirect_uris,
+        :request_uris
       ]
       plurar_attributes = [
+        :response_types,
+        :grant_types,
         :contacts,
+        :default_acr_values,
+      ] + plurar_uri_attributes
+      self.metadata_attributes = singular_attributes + plurar_attributes
+      required_metadata_attributes = [
         :redirect_uris
       ]
       attr_required :endpoint
-      attr_optional *(singular_attributes + plurar_attributes)
-
-      plurar_attributes.each do |_attr_|
-        define_method "#{_attr_}_with_split" do
-          value = self.send("#{_attr_}_without_split")
-          case value
-          when String
-            value.split(' ')
-          else
-            value
-          end
-        end
-        alias_method_chain _attr_, :split
-      end
-
-      validates :operation,             presence: true
-      validates :client_id,             presence: {if: ->(c) { ['client_update', 'rotate_secret'].include?(c.operation.to_s) }}
-      validates :sector_identifier_url, presence: {if: :sector_identifier_required?}
-
-      validates :operation,        inclusion: {in: ['client_register', 'rotate_secret', 'client_update']}
-      validates :application_type, inclusion: {in: ['native', 'web']},      allow_nil: true
-      validates :subject_type,     inclusion: {in: ['pairwise', 'public']}, allow_nil: true
-      validates :token_endpoint_auth_method, inclusion: {
-        in: ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt']
-      }, allow_nil: true
-
-      validates(
-        :logo_url,
-        :policy_url,
-        :tos_url,
-        :jwk_url,
-        :jwk_encryption_url,
-        :x509_url,
-        :x509_encryption_url,
-        :sector_identifier_url,
-        :initiate_login_uri,
-        :post_logout_redirect_url,
-        url: true,
-        allow_nil: true
-      )
-
+      attr_optional :initial_access_token
+      attr_required *required_metadata_attributes
+      attr_optional *(metadata_attributes - required_metadata_attributes)
+
+      validates *required_attributes,   presence: true
+      validates :sector_identifier_uri, presence: {if: :sector_identifier_required?}
+      validates *singular_uri_attributes, url: true, allow_nil: true
+      validate :validate_plurar_uri_attributes
       validate :validate_contacts
-      validate :validate_redirect_uris
-      validate :validate_key_urls
-      validate :validate_signature_algorithms
-      validate :validate_encription_algorithms
 
       def initialize(endpoint, attributes = {})
-        @endpoint = endpoint
-        optional_attributes.each do |_attr_|
-          value = if _attr_ == :access_token
-            attributes[_attr_]
-          else
-            attributes[_attr_].try(:to_s)
-          end
-          self.send "#{_attr_}=", value
+        self.endpoint = endpoint
+        self.initial_access_token = attributes[:initial_access_token]
+        self.class.metadata_attributes.each do |_attr_|
+          self.send "#{_attr_}=", attributes[_attr_]
         end
-        attr_missing!
       end
 
       def sector_identifier
-        if valid_uri?(sector_identifier_url)
-          URI.parse(sector_identifier_url).host
+        if valid_uri?(sector_identifier_uri)
+          URI.parse(sector_identifier_uri).host
         else
-          hosts = Array(redirect_uris).collect do |redirect_uri|
+          hosts = redirect_uris.collect do |redirect_uri|
             if valid_uri?(redirect_uri, nil)
               URI.parse(redirect_uri).host
             else
@@ -121,32 +85,21 @@ module OpenIDConnect
 
       def as_json(options = {})
         validate!
-        (optional_attributes - [:access_token]).inject({}) do |hash, _attr_|
-          value = self.send(_attr_)
-          hash.merge! _attr_ => case value
-          when Array
-            value.collect(&:to_s).join(' ')
-          else
-            value
-          end
-        end.delete_if do |key, value|
-          value.nil?
+        self.class.metadata_attributes.inject({}) do |hash, _attr_|
+          value = self.send _attr_
+          hash.merge! _attr_ => value unless value.nil?
+          hash
         end
       end
 
       def register!
-        self.operation = 'client_register'
-        post!
-      end
-
-      def rotate_secret!
-        self.operation = 'rotate_secret'
-        post!
+        handle_response do
+          http_client.post endpoint, to_json, 'Content-Type' => 'application/json'
+        end
       end
 
-      def update!
-        self.operation = 'client_update'
-        post!
+      def read
+        # TODO: Do we want this feature even if we don't have rotate secret nor update metadata support?
       end
 
       def validate!
@@ -156,14 +109,13 @@ module OpenIDConnect
       private
 
       def sector_identifier_required?
-        subject_type == 'pairwise' &&
+        subject_type.to_s == 'pairwise' &&
         sector_identifier.blank?
       end
 
       def valid_uri?(uri, schemes = ['http', 'https'])
         # NOTE: specify nil for schemes to allow any schemes
-        URI::regexp(schemes).match(uri).present? &&
-        URI.parse(uri).fragment.blank?
+        URI::regexp(schemes).match(uri).present?
       end
 
       def validate_contacts
@@ -180,42 +132,26 @@ module OpenIDConnect
         end
       end
 
-      def validate_redirect_uris
-        if redirect_uris
-          include_invalid = redirect_uris.any? do |redirect_uri|
-            !valid_uri?(redirect_uri, nil)
+      def validate_plurar_uri_attributes
+        self.class.plurar_uri_attributes.each do |_attr_|
+          if (uris = self.send(_attr_))
+            include_invalid = uris.any? do |uri|
+              !valid_uri?(uri, nil)
+            end
+            errors.add _attr_, 'includes invalid URL' if include_invalid
           end
-          errors.add :redirect_uris, 'includes invalid URL' if include_invalid
-        end
-      end
-
-      def validate_key_urls
-        # TODO
-      end
-
-      def validate_signature_algorithms
-        # TODO
-      end
-
-      def validate_encription_algorithms
-        # TODO
-      end
-
-      def post!
-        handle_response do
-          http_client.post endpoint, as_json
         end
       end
 
       def http_client
-        case access_token
+        case initial_access_token
         when nil
           OpenIDConnect.http_client
         when Rack::OAuth2::AccessToken::Bearer
-          access_token
+          initial_access_token
         else
           Rack::OAuth2::AccessToken::Bearer.new(
-            access_token: access_token
+            access_token: initial_access_token
           )
         end
       end
@@ -231,7 +167,7 @@ module OpenIDConnect
       end
 
       def handle_success_response(response)
-        credentials = JSON.parse response.body, symbolize_names: true
+        credentials = JSON.parse(response.body).with_indifferent_access
         Client.new(
           identifier: credentials[:client_id],
           secret:     credentials[:client_secret],

data/lib/openid_connect/discovery.rb

@@ -1,7 +1,5 @@
 module OpenIDConnect
   module Discovery
-    REL_VALUE = 'http://openid.net/specs/connect/1.0/issuer'
-
     class InvalidIdentifier < Exception; end
     class DiscoveryFailed < Exception; end
   end

data/lib/openid_connect/discovery/provider.rb

@@ -2,6 +2,8 @@ module OpenIDConnect
   module Discovery
     module Provider
       module Issuer
+        REL_VALUE = 'http://openid.net/specs/connect/1.0/issuer'
+
         def issuer
           self.link_for(REL_VALUE)[:href]
         end
@@ -16,7 +18,7 @@ module OpenIDConnect
         end
         response = WebFinger.discover!(
           resource,
-          rel: REL_VALUE
+          rel: Issuer::REL_VALUE
         )
         response.extend Issuer
         response

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -2,112 +2,91 @@ module OpenIDConnect
   module Discovery
     module Provider
       class Config
-        class Response < SWD::Resource
-          include AttrOptional
+        class Response
+          include ActiveModel::Validations, AttrRequired, AttrOptional
 
+          cattr_accessor :metadata_attributes
           attr_reader :raw
-          attr_optional(
-            :version,
-            :issuer,
-            :authorization_endpoint,
-            :token_endpoint,
-            :userinfo_endpoint,
-            :refresh_session_endpoint,
-            :check_session_endpoint,
-            :end_session_endpoint,
-            :jwk_url,
-            :jwk_encryption_url,
-            :x509_url,
-            :x509_encryption_url,
-            :registration_endpoint,
-            :scopes_supported,
+          uri_attributes = {
+            required: [
+              :issuer,
+              :jwks_uri
+            ],
+            optional: [
+              :authorization_endpoint,
+              :token_endpoint,
+              :userinfo_endpoint,
+              :check_session_endpoint,
+              :end_session_endpoint,
+              :registration_endpoint,
+              :service_documentation,
+              :op_policy_uri,
+              :op_tos_uri
+            ]
+          }
+          attr_required *(uri_attributes[:required] + [
             :response_types_supported,
-            :acr_values_supported,
             :subject_types_supported,
-            :claims_supported,
+            :id_token_signing_alg_values_supported
+          ])
+          attr_optional *(uri_attributes[:optional] + [
+            :scopes_supported,
+            :grant_types_supported,
+            :acr_values_supported,
             :userinfo_signing_alg_values_supported,
             :userinfo_encryption_alg_values_supported,
             :userinfo_encryption_enc_values_supported,
-            :id_token_signing_alg_values_supported,
             :id_token_encryption_alg_values_supported,
             :id_token_encryption_enc_values_supported,
             :request_object_signing_alg_values_supported,
             :request_object_encryption_alg_values_supported,
             :request_object_encryption_enc_values_supported,
             :token_endpoint_auth_methods_supported,
-            :token_endpoint_auth_signing_alg_values_supported
-          )
-          [
-            :userinfo_endpoint,
-            :userinfo_signing_alg_values_supported,
-            :userinfo_encryption_alg_values_supported,
-            :userinfo_encryption_enc_values_supported
-          ].each do |userinfo_attribute|
-            user_info_attribute = userinfo_attribute.to_s.sub('userinfo', 'user_info').to_sym
-            alias_method user_info_attribute, userinfo_attribute
-            alias_method :"#{user_info_attribute}=", userinfo_attribute
-          end
+            :token_endpoint_auth_signing_alg_values_supported,
+            :display_values_supported,
+            :claim_types_supported,
+            :claims_supported,
+            :claims_locales_supported,
+            :ui_locales_supported,
+            :claims_parameter_supported,
+            :request_parameter_supported,
+            :request_uri_parameter_supported,
+            :require_request_uri_registration
+          ])
+
+          validates *required_attributes, presence: true
+          validates *uri_attributes.values.flatten, url: true, allow_nil: true
 
           def initialize(hash)
-            optional_attributes.each do |key|
+            (required_attributes + optional_attributes).each do |key|
               self.send "#{key}=", hash[key]
             end
-            self.userinfo_endpoint ||= hash[:user_info_endpoint]
-            self.userinfo_signing_alg_values_supported ||= hash[:user_info_signing_alg_values_supported]
-            self.userinfo_encryption_alg_values_supported ||= hash[:user_info_encryption_alg_values_supported]
-            self.userinfo_encryption_enc_values_supported ||= hash[:user_info_encryption_enc_values_supported]
-            self.version ||= '3.0'
             @raw = hash
           end
 
           def as_json(options = {})
-            hash = optional_attributes.inject({}) do |hash, _attr_|
-              hash.merge(
-                _attr_ => self.send(_attr_)
-              )
-            end
-            hash.delete_if do |key, value|
-              value.nil?
+            validate!
+            (required_attributes + optional_attributes).inject({}) do |hash, _attr_|
+              value = self.send _attr_
+              hash.merge! _attr_ => value unless value.nil?
+              hash
             end
           end
 
-          def signing_key
-            x509_public_key || jwk_public_key
+          def validate!
+            valid? or raise ValidationFailed.new(self)
           end
 
-          def encryption_key
-            if x509_encryption_url
-              x509_public_key :for_encryption
-            elsif jwk_encryption_url
-              jwk_public_key :for_encryption
-            else
-              signing_key
-            end
+          def jwks
+            @jwks ||= JSON.parse(
+              OpenIDConnect.http_client.get_content(jwks_uri)
+            ).with_indifferent_access
+            JSON::JWK::Set.new @jwks[:keys]
           end
 
-          private
-
-          def x509_public_key(for_encryption = false)
-            endpoint = if for_encryption
-              x509_encryption_url || x509_url
-            else
-              x509_url
-            end
-            if endpoint
-              cert = OpenSSL::X509::Certificate.new OpenIDConnect.http_client.get_content(endpoint)
-              cert.public_key
-            end
-          end
-
-          def jwk_public_key(for_encryption = false)
-            endpoint = if for_encryption
-              jwk_encryption_url || jwk_url
-            else
-              jwk_url
-            end
-            if endpoint
-              jwk_set = JSON.parse OpenIDConnect.http_client.get_content(endpoint), symbolize_names: true
-              JSON::JWK.decode jwk_set[:keys].first
+          def public_keys
+            @public_keys ||= jwks.collect do |jwk|
+              JSON::JWK.decode jwk
             end
           end
         end