openid_connect 0.0.31 → 0.0.32

data/.gitignore

@@ -14,7 +14,7 @@ tmtags
 *.swp
 
 ## PROJECT::GENERAL
-coverage
+coverage*
 rdoc
 pkg
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.0.30)
+    openid_connect (0.0.31)
       activemodel (>= 3)
       attr_required (>= 0.0.3)
       json (>= 1.4.3)
@@ -15,34 +15,43 @@ PATH
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.1.1)
-      activesupport (= 3.1.1)
+    activemodel (3.1.3)
+      activesupport (= 3.1.3)
       builder (~> 3.0.0)
       i18n (~> 0.6)
-    activesupport (3.1.1)
+    activesupport (3.1.3)
       multi_json (~> 1.0)
     addressable (2.2.6)
     attr_required (0.0.3)
     bouncy-castle-java (1.5.0146.1)
     builder (3.0.0)
+    configatron (2.8.4)
+      yamler (>= 0.1.0)
+    cover_me (1.2.0)
+      configatron
+      hashie
     crack (0.3.1)
     diff-lcs (1.1.3)
-    httpclient (2.2.1)
+    hashie (1.2.0)
+    httpclient (2.2.4)
     i18n (0.6.0)
     jruby-openssl (0.7.4)
       bouncy-castle-java
-    json (1.6.1)
-    json-jwt (0.0.3)
+    json (1.6.5)
+    json (1.6.5-java)
+    json-jwt (0.0.4)
+      activesupport (>= 2.3)
+      i18n
       json (>= 1.4.3)
       url_safe_base64
-    mail (2.3.0)
+    mail (2.4.0)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    mime-types (1.16)
-    multi_json (1.0.3)
-    polyglot (0.3.2)
-    rack (1.3.4)
+    mime-types (1.17.2)
+    multi_json (1.0.4)
+    polyglot (0.3.3)
+    rack (1.4.0)
     rack-oauth2 (0.11.0)
       activesupport (>= 2.3)
       attr_required (>= 0.0.3)
@@ -50,17 +59,15 @@ GEM
       i18n
       json (>= 1.4.3)
       rack (>= 1.1)
-    rake (0.9.2)
-    rcov (0.9.11)
-    rcov (0.9.11-java)
-    rspec (2.6.0)
-      rspec-core (~> 2.6.0)
-      rspec-expectations (~> 2.6.0)
-      rspec-mocks (~> 2.6.0)
-    rspec-core (2.6.4)
-    rspec-expectations (2.6.0)
+    rake (0.9.2.2)
+    rspec (2.8.0)
+      rspec-core (~> 2.8.0)
+      rspec-expectations (~> 2.8.0)
+      rspec-mocks (~> 2.8.0)
+    rspec-core (2.8.0)
+    rspec-expectations (2.8.0)
       diff-lcs (~> 1.1.2)
-    rspec-mocks (2.6.0)
+    rspec-mocks (2.8.0)
     swd (0.0.7)
       activesupport (>= 3)
       attr_required (>= 0.0.3)
@@ -70,25 +77,26 @@ GEM
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.30)
+    tzinfo (0.3.31)
     url_safe_base64 (0.2.1)
     validate_email (0.1.5)
       activemodel (>= 3.0)
       mail (>= 2.2.5)
     validate_url (0.2.0)
       activemodel (>= 3.0.0)
-    webmock (1.7.6)
-      addressable (> 2.2.5, ~> 2.2)
+    webmock (1.7.10)
+      addressable (~> 2.2, > 2.2.5)
       crack (>= 0.1.7)
+    yamler (0.1.0)
 
 PLATFORMS
   java
   ruby
 
 DEPENDENCIES
+  cover_me (>= 1.2.0)
   jruby-openssl (>= 0.7)
   openid_connect!
   rake (>= 0.8)
-  rcov (>= 0.9)
   rspec (>= 2)
   webmock (>= 1.6.2)

data/README.rdoc

@@ -16,12 +16,12 @@ OpenID Connect Server & Client Library
 
 === Provider
 
-* Running on Heroku (https://openid-connect.herokuapp.com)
+* Running on Heroku (http://connect-op.heroku.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample)
 
 === Relying Party
 
-* Running on Heroku (https://openid-connect-rp.herokuapp.com)
+* Running on Heroku (https://connect-rp.heroku.com)
 * Source on GitHub (https://github.com/nov/openid_connect_sample_rp)
 
 == Note on Patches/Pull Requests

data/Rakefile

@@ -1,11 +1,19 @@
-require 'bundler/gem_tasks'
+require 'bundler'
+Bundler::GemHelper.install_tasks
 
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-RSpec::Core::RakeTask.new(:rcov) do |spec|
-  spec.rcov = true
-  spec.rcov_opts = ['-Ilib -Ispec --exclude spec,gems']
+if RUBY_VERSION >= '1.9'
+  require 'cover_me'
+  CoverMe.config do |c|
+    c.file_pattern = /(#{CoverMe.config.project.root}\/lib\/.+\.rb)/i
+  end
+else
+  RSpec::Core::RakeTask.new(:rcov) do |spec|
+    spec.rcov = true
+    spec.rcov_opts = ['-Ilib -Ispec --exclude spec,gems']
+  end
 end
 
 task :default => :spec

data/VERSION

@@ -1 +1 @@
-0.0.31
+0.0.32

data/lib/openid_connect/access_token.rb

@@ -15,6 +15,14 @@ module OpenIDConnect
       ResponseObject::UserInfo::OpenID.new hash
     end
 
+    def id_token!
+      client.check_id_uri
+      hash = resource_request do
+        get client.check_id_uri
+      end
+      ResponseObject::IdToken.new hash
+    end
+
     private
 
     def resource_request

data/lib/openid_connect/client/registrar.rb

@@ -0,0 +1,217 @@
+module OpenIDConnect
+  class Client
+    class Registrar
+      include ActiveModel::Validations, AttrRequired, AttrOptional
+
+      class RegistrationFailed < HttpError; end
+
+      singular_attributes = [
+        :type,
+        :client_id,
+        :client_secret,
+        :access_token,
+        :application_type,
+        :application_name,
+        :logo_url,
+        :token_endpoint_auth_type,
+        :policy_url,
+        :jwk_url,
+        :jwk_encryption_url,
+        :x509_url,
+        :x509_encryption_url,
+        :sector_identifier_url,
+        :user_id_type,
+        :require_signed_request_object,
+      ]
+      plurar_attributes = [
+        :contacts,
+        :redirect_uris,
+        :userinfo_signed_response_algs,
+        :userinfo_encrypted_response_algs,
+        :id_token_signed_response_algs,
+        :id_token_encrypted_response_algs
+      ]
+      attr_required :endpoint
+      attr_optional *(singular_attributes + plurar_attributes)
+
+      plurar_attributes.each do |_attr_|
+        define_method "#{_attr_}_with_split" do
+          self.send("#{_attr_}_without_split").to_s.split(' ')
+        end
+        alias_method_chain _attr_, :split
+      end
+
+      validates :type,                  :presence => true
+      validates :client_id,             :presence => {:if => lambda { |c| c.type.to_s == 'client_update' }}
+      validates :sector_identifier_url, :presence => {:if => :sector_identifier_required?}
+
+      validates :type,             :inclusion => {:in => ['client_associate', 'client_update']}
+      validates :application_type, :inclusion => {:in => ['native', 'web']},      :allow_nil => true
+      validates :user_id_type,     :inclusion => {:in => ['pairwise', 'public']}, :allow_nil => true
+      validates :token_endpoint_auth_type, :inclusion => {
+        :in => ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt']
+      }, :allow_nil => true
+
+      validates(
+        :logo_url,
+        :policy_url,
+        :jwk_url,
+        :jwk_encryption_url,
+        :x509_url,
+        :x509_encryption_url,
+        :sector_identifier_url,
+        :url => true, :allow_nil => true
+      )
+
+      validate :validate_contacts
+      validate :validate_redirect_uris
+      validate :validate_key_urls
+      validate :validate_signature_algorithms
+      validate :validate_encription_algorithms
+
+      def initialize(endpoint, attributes = {})
+        @endpoint = endpoint
+        optional_attributes.each do |_attr_|
+          self.send "#{_attr_}=", attributes[_attr_].try(:to_s)
+        end
+        attr_missing!
+      end
+
+      def sector_identifier
+        if valid_uri?(sector_identifier_url)
+          URI.parse(sector_identifier_url).host
+        else
+          hosts = Array(redirect_uris).collect do |redirect_uri|
+            if valid_uri?(redirect_uri, nil)
+              URI.parse(redirect_uri).host
+            else
+              nil
+            end
+          end.compact.uniq
+          if hosts.size == 1
+            hosts.first
+          else
+            nil
+          end
+        end
+      end
+
+      def as_json(options = {})
+        validate!
+        (optional_attributes - [:access_token]).inject({}) do |hash, _attr_|
+          value = self.send(_attr_)
+          hash.merge! _attr_ => case value
+          when Array
+            value.collect(&:to_s).join(' ')
+          else
+            value
+          end
+        end.delete_if do |key, value|
+          value.nil?
+        end
+      end
+
+      def associate!
+        self.type = 'client_associate'
+        post!
+      end
+
+      def update!
+        self.type = 'client_update'
+        post!
+      end
+
+      def validate!
+        valid? or raise ValidationFailed.new(errors)
+      end
+
+      private
+
+      def sector_identifier_required?
+        user_id_type == 'pairwise' &&
+        sector_identifier.blank?
+      end
+
+      def valid_uri?(uri, schemes = ['http', 'https'])
+        # NOTE: specify nil for schemes to allow any schemes
+        URI::regexp(schemes).match(uri).present?
+      end
+
+      def validate_contacts
+        contacts.each do |contact|
+          EmailValidator.new.validate_each(self, :contacts, contact)
+        end
+        include_invalid = contacts.any? do |contact|
+          begin
+            mail = Mail::Address.new(contact)
+            mail.address != contact || mail.domain.split(".").length <= 1
+          rescue
+            :invalid
+          end
+        end
+        errors.add :contacts, 'includes invalid email' if include_invalid
+      end
+
+      def validate_redirect_uris
+        include_invalid = redirect_uris.any? do |redirect_uri|
+          !valid_uri?(redirect_uri, nil)
+        end
+        errors.add :redirect_uris, 'includes invalid URL' if include_invalid
+      end
+
+      def validate_key_urls
+        # TODO
+      end
+
+      def validate_signature_algorithms
+        # TODO
+      end
+
+      def validate_encription_algorithms
+        # TODO
+      end
+
+      def post!
+        handle_response do
+          http_client.post endpoint, as_json
+        end
+      end
+
+      def http_client
+        case access_token
+        when nil
+          OpenIDConnect.http_client
+        when Rack::OAuth2::AccessToken::Bearer
+          access_token
+        else
+          Rack::OAuth2::AccessToken::Bearer.new(
+            :access_token => access_token
+          )
+        end
+      end
+
+      def handle_response
+        response = yield
+        case response.status
+        when 200..201
+          handle_success_response response
+        else
+          handle_error_response response
+        end
+      end
+
+      def handle_success_response(response)
+        credentials = JSON.parse(response.body).with_indifferent_access
+        Client.new(
+          :identifier => credentials[:client_id],
+          :secret     => credentials[:client_secret],
+          :expires_in => credentials[:expires_in]
+        )
+      end
+
+      def handle_error_response(response)
+        raise RegistrationFailed.new(response.status, 'Client Registration Failed', response)
+      end
+    end
+  end
+end

data/lib/openid_connect/client.rb

@@ -42,4 +42,8 @@ module OpenIDConnect
       raise Exception.new("Unknown Token Type")
     end
   end
+end
+
+Dir[File.dirname(__FILE__) + '/client/*.rb'].each do |file|
+  require file
 end

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -6,18 +6,53 @@ module OpenIDConnect
           include AttrOptional
 
           attr_reader :raw
-          attr_optional :version, :issuer
-          attr_optional :authorization_endpoint, :token_endpoint, :user_info_endpoint
-          attr_optional :check_id_endpoint, :refresh_session_endpoint, :end_session_endpoint
-          attr_optional :jwk_document, :x509_url, :registration_endpoint
-          attr_optional :scopes_supported, :flows_supported, :iso29115_supported, :identifiers_supported
+          attr_optional(
+            :version,
+            :issuer,
+            :authorization_endpoint,
+            :token_endpoint,
+            :user_info_endpoint,
+            :check_id_endpoint,
+            :refresh_session_endpoint,
+            :end_session_endpoint,
+            :jwk_url,
+            :jwk_encryption_url,
+            :x509_url,
+            :x509_encryption_ur,
+            :registration_endpoint,
+            :scopes_supported,
+            :response_types_supported,
+            :acrs_supported,
+            :user_id_types_supported,
+            :user_info_algs_supported,
+            :id_token_algs_supported,
+            :request_object_algs_supported,
+            :token_endpoint_auth_types_supported,
+            :token_endpoint_auth_algs_supported
+          )
 
           def initialize(hash)
             optional_attributes.each do |key|
               self.send "#{key}=", hash[key]
             end
+            @user_info_endpoint ||= hash[:userinfo_endpoint]
+            @user_info_algs_supported ||= hash[:userinfo_algs_supported]
+            @version ||= '3.0'
             @raw = hash
           end
+
+          def as_json(options = {})
+            hash = optional_attributes.inject({}) do |hash, _attr_|
+              hash.merge(
+                _attr_ => self.send(_attr_)
+              )
+            end
+            hash[:userinfo_endpoint] = hash.delete(:user_info_endpoint)
+            hash[:userinfo_algs_supported] = hash.delete(:user_info_algs_supported)
+            hash.delete_if do |key, value|
+              value.nil?
+            end
+          end
         end
       end
     end

data/lib/openid_connect/exception.rb

@@ -1,6 +1,15 @@
 module OpenIDConnect
   class Exception < StandardError; end
 
+  class ValidationFailed < Exception
+    attr_reader :errors
+
+    def initialize(errors)
+      super errors.full_messages.to_sentence
+      @errors = errors
+    end
+  end
+
   class HttpError < Exception
     attr_accessor :status, :response
     def initialize(status, message = nil, response = nil)

data/lib/openid_connect/response_object/id_token.rb

@@ -30,38 +30,16 @@ module OpenIDConnect
       end
 
       class << self
-        def from_jwt(jwt_string, key_or_client)
+        def decode(jwt_string, key_or_client)
           attributes = case key_or_client
           when Client
-            resource_request do
-              http_client.post key_or_client.check_id_uri, :id_token => jwt_string
-            end
+            OpenIDConnect::AccessToken.new(
+              :client => key_or_client,
+              :access_token => jwt_string
+            ).id_token!
           else
-            JSON::JWT.decode(jwt_string, key_or_client).with_indifferent_access
+            new JSON::JWT.decode(jwt_string, key_or_client)
           end
-          new attributes
-        end
-
-        def resource_request
-          res = yield
-          case res.status
-          when 200
-            JSON.parse(res.body).with_indifferent_access
-          when 400
-            raise BadRequest.new('Check Session Faild', res)
-          else
-            raise HttpError.new(res.status, 'Unknown HttpError', res)
-          end
-        end
-
-        private
-
-        def http_client
-          _http_client_ = HTTPClient.new(
-            :agent_name => "OpenIDConnect (#{VERSION})"
-          )
-          _http_client_.request_filter << Debugger::RequestFilter.new if OpenIDConnect.debugging?
-          _http_client_
         end
       end
     end

data/lib/openid_connect/response_object/user_info/open_id.rb

@@ -2,28 +2,35 @@ module OpenIDConnect
   class ResponseObject
     module UserInfo
       class OpenID < ResponseObject
-        attr_optional :user_id, :name, :given_name, :family_name, :middle_name, :nickname
+        attr_optional(
+          :user_id,
+          :name,
+          :given_name,
+          :family_name,
+          :middle_name,
+          :nickname,
+          :phone_number,
+          :verified,
+          :gender,
+          :zoneinfo,
+          :locale,
+          :birthday,
+          :updated_time,
+          :profile,
+          :picture,
+          :website,
+          :email,
+          :address
+        )
 
-        attr_optional :phone_number
-
-        attr_optional :verified, :gender, :zoneinfo, :locale
         validates :verified, :inclusion => {:in => [true, false]},                             :allow_nil => true
         validates :gender,   :inclusion => {:in => ['male', 'female']},                        :allow_nil => true
         validates :zoneinfo, :inclusion => {:in => TZInfo::TimezoneProxy.all.collect(&:name)}, :allow_nil => true
-        # TODO: validate locale
-
-        attr_optional :birthday, :updated_time
-
-        attr_optional :profile, :picture, :website
         validates :profile, :picture, :website, :url => true, :allow_nil => true
-
-        attr_optional :email
         validates :email, :email => true, :allow_nil => true
-
-        attr_optional :address
         validate :validate_address
-
         validate :require_at_least_one_attributes
+        # TODO: validate locale
 
         def initialize(attributes = {})
           super
@@ -33,7 +40,7 @@ module OpenIDConnect
         end
 
         def validate_address
-          errors.add :address, 'cannot be blank' unless address.blank? || address.valid?
+          errors.add :address, address.errors.full_messages.join(', ') if address.present? && !address.valid?
         end
 
         def address=(hash_or_address)

data/lib/openid_connect/response_object.rb

@@ -1,23 +1,7 @@
-require 'active_model'
-require 'tzinfo'
-require 'validate_url'
-require 'validate_email'
-require 'attr_required'
-require 'attr_optional'
-
 module OpenIDConnect
   class ResponseObject
     include ActiveModel::Validations, AttrRequired, AttrOptional
 
-    class ValidationFailed < Exception
-      attr_reader :errors
-
-      def initialize(errors)
-        super errors.full_messages.to_sentence
-        @errors = errors
-      end
-    end
-
     def initialize(attributes = {})
       all_attributes.each do |_attr_|
         self.send :"#{_attr_}=", attributes[_attr_]

data/lib/openid_connect.rb

@@ -1,6 +1,12 @@
 require 'json'
 require 'logger'
 require 'swd'
+require 'active_model'
+require 'tzinfo'
+require 'validate_url'
+require 'validate_email'
+require 'attr_required'
+require 'attr_optional'
 require 'rack/oauth2'
 require 'rack/oauth2/server/id_token_response'
 
@@ -43,6 +49,14 @@ module OpenIDConnect
     self.debugging = original
   end
   self.debugging = false
+
+  def self.http_client
+    _http_client_ = HTTPClient.new(
+      :agent_name => "OpenIDConnect (#{VERSION})"
+    )
+    _http_client_.request_filter << Debugger::RequestFilter.new if OpenIDConnect.debugging?
+    _http_client_
+  end
 end
 
 require 'openid_connect/exception'

data/openid_connect.gemspec

@@ -20,7 +20,11 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "swd", ">= 0.0.6"
   s.add_runtime_dependency "rack-oauth2", ">= 0.10.0"
   s.add_development_dependency "rake", ">= 0.8"
-  s.add_development_dependency "rcov", ">= 0.9"
+  if RUBY_VERSION >= '1.9'
+    s.add_development_dependency "cover_me", ">= 1.2.0"
+  else
+    s.add_development_dependency "rcov", ">= 0.9"
+  end
   s.add_development_dependency "rspec", ">= 2"
   s.add_development_dependency "webmock", ">= 1.6.2"
 end

data/spec/mock_response/discovery/config.json

@@ -3,11 +3,11 @@
     "issuer": "https://connect-op.heroku.com",
     "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
     "token_endpoint": "https://connect-op.heroku.com/access_tokens",
-    "user_info_endpoint": "https://connect-op.heroku.com/user_info",
+    "userinfo_endpoint": "https://connect-op.heroku.com/user_info",
     "check_id_endpoint": "https://connect-op.heroku.com/id_token",
     "registration_endpoint": "https://connect-op.heroku.com/connect/client",
-    "scopes_supported": ["openid", "profile", "email", "address", "PPID"],
-    "flows_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
-    "identifiers_supported": ["public", "ppid"],
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "user_id_types_supported": ["public", "pairwise"],
     "x509_url": "https://connect-op.heroku.com/cert.pem"
 }