osso 0.0.2.8

data/lib/osso/db/migrate/20200328143303_create_oauth_tables.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+class CreateOauthTables < ActiveRecord::Migration[6.0]
+  def change
+    create_table :oauth_applications, id: :uuid do |t|
+      t.string  :name,    null: false
+      t.string  :secret,  null: false
+      t.text    :redirect_uri, null: false
+      t.string  :scopes,       null: false, default: ''
+      t.boolean :confidential, null: false, default: true
+      t.timestamps             null: false
+    end
+
+    create_table :oauth_access_grants, id: :uuid do |t|
+      t.uuid :resource_owner_id, null: false
+      t.references :application, type: :uuid, null: false
+      t.string   :token,             null: false
+      t.integer  :expires_in,        null: false
+      t.text     :redirect_uri,      null: false
+      t.datetime :created_at,        null: false
+      t.datetime :revoked_at
+      t.string   :scopes, null: false, default: ''
+    end
+
+    add_index :oauth_access_grants, :token, unique: true
+    add_foreign_key(
+      :oauth_access_grants,
+      :oauth_applications,
+      column: :application_id
+    )
+
+    create_table :oauth_access_tokens, id: :uuid do |t|
+      t.uuid :resource_owner_id
+      t.references :application, type: :uuid
+      t.string :token, null: false
+
+      t.string   :refresh_token
+      t.integer  :expires_in
+      t.datetime :revoked_at
+      t.datetime :created_at, null: false
+      t.string   :scopes
+
+      t.string   :previous_refresh_token, null: false, default: ''
+    end
+
+    add_index :oauth_access_tokens, :token, unique: true
+    add_index :oauth_access_tokens, :refresh_token, unique: true
+    add_foreign_key(
+      :oauth_access_tokens,
+      :oauth_applications,
+      column: :application_id
+    )
+
+    add_foreign_key :oauth_access_grants, :users, column: :resource_owner_id
+    add_foreign_key :oauth_access_tokens, :users, column: :resource_owner_id
+  end
+end

data/lib/osso/db/migrate/20200411144528_create_saml_providers.rb

@@ -0,0 +1,13 @@
+class CreateSamlProviders < ActiveRecord::Migration[6.0]
+  def change
+    create_table :saml_providers, id: :uuid do |t|
+      t.string  :provider,  null: false
+      t.string  :domain, null: false
+      t.string :idp_sso_target_url, null: false
+      t.text :idp_cert, null: false
+      t.string :assertion_consumer_service_url
+    end
+
+    add_index :saml_providers, [:domain, :provider], unique: true
+  end
+end

data/lib/osso/db/migrate/20200411184535_add_provider_id_to_users.rb

@@ -0,0 +1,7 @@
+class AddProviderIdToUsers < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :saml_provider_id, :uuid
+
+    add_foreign_key :users, :saml_providers
+  end
+end

data/lib/osso/db/migrate/20200411192645_create_enterprise_accounts.rb

@@ -0,0 +1,15 @@
+class CreateEnterpriseAccounts < ActiveRecord::Migration[6.0]
+  def change
+    create_table :enterprise_accounts, id: :uuid do |t|
+      t.string  :domain, null: false
+      t.uuid :external_uuid
+      t.integer :external_int_id
+      t.string :external_id
+    end
+
+    add_index :enterprise_accounts, :domain, unique: true
+
+    add_reference :saml_providers, :enterprise_account, type: :uuid, index: true    
+    add_reference :users, :enterprise_account, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200413132407_add_oauth_clients.rb

@@ -0,0 +1,13 @@
+class AddOauthClients < ActiveRecord::Migration[6.0]
+  def change
+    create_table :oauth_clients, id: :uuid do |t|
+      t.string :name, null: false
+      t.string :secret, null: false
+      t.string :identifier, null: false
+      t.jsonb :redirect_uris, default: [], null: false
+    end
+
+    add_index :oauth_clients, :redirect_uris, using: :gin
+    add_index :oauth_clients, :identifier, unique: true
+  end
+end

data/lib/osso/db/migrate/20200413142511_create_authorization_codes.rb

@@ -0,0 +1,15 @@
+class CreateAuthorizationCodes < ActiveRecord::Migration[6.0]
+  def change
+    create_table :authorization_codes, id: :uuid do |t|
+      t.string :token
+      t.string :redirect_uri
+      t.datetime :expires_at
+
+      t.timestamps
+    end
+
+    add_index :authorization_codes, :token, unique: true
+    add_reference :authorization_codes, :user, type: :uuid, index: true
+    add_reference :authorization_codes, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200413153029_add_oauth_client_reference_to_saml_providers.rb

@@ -0,0 +1,5 @@
+class AddOauthClientReferenceToSamlProviders < ActiveRecord::Migration[6.0]
+  def change
+    add_reference :saml_providers, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200413163451_create_access_tokens.rb

@@ -0,0 +1,13 @@
+class CreateAccessTokens < ActiveRecord::Migration[6.0]
+  def change
+    create_table :access_tokens, id: :uuid do |t|
+      t.string :token
+      t.datetime :expires_at
+
+      t.timestamps
+    end
+
+    add_reference :access_tokens, :user, type: :uuid, index: true
+    add_reference :access_tokens, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200501203026_drop_null_constraints_from_saml_provider.rb

@@ -0,0 +1,7 @@
+class DropNullConstraintsFromSamlProvider < ActiveRecord::Migration[6.0]
+  def change
+    change_column :saml_providers, :idp_sso_target_url, :string, null: true
+    change_column :saml_providers, :idp_cert, :text, null: true
+    change_column :saml_providers, :assertion_consumer_service_url, :string, null: false
+  end
+end

data/lib/osso/db/migrate/20200501204047_drop_acs_url.rb

@@ -0,0 +1,5 @@
+class DropAcsUrl < ActiveRecord::Migration[6.0]
+  def change
+    remove_column :saml_providers, :assertion_consumer_service_url
+  end
+end

data/lib/osso/db/migrate/20200502120616_create_redirect_uris_and_drop_from_oauth_clients.rb

@@ -0,0 +1,13 @@
+class CreateRedirectUrisAndDropFromOauthClients < ActiveRecord::Migration[6.0]
+  def change
+    remove_column :oauth_clients, :redirect_uris
+
+    create_table :redirect_uris, id: :uuid do |t|
+      t.string :uri, null: false
+      t.boolean :primary, default: false, null: false
+    end
+
+    add_index :redirect_uris, [:uri, :primary], unique: true
+    add_reference :redirect_uris, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200502135008_add_oauth_client_id_to_enterprise_account.rb

@@ -0,0 +1,5 @@
+class AddOauthClientIdToEnterpriseAccount < ActiveRecord::Migration[6.0]
+  def change
+    add_reference :enterprise_accounts, :oauth_client, type: :uuid, index: true
+  end
+end

data/lib/osso/db/migrate/20200601131227_drop_null_constraint_from_saml_providers_provider.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class DropNullConstraintFromSamlProvidersProvider < ActiveRecord::Migration[6.0]
+  def change
+    change_column :saml_providers, :provider, :string, null: true
+  end
+end

data/lib/osso/db/schema.rb

@@ -0,0 +1,132 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `rails
+# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2020_05_02_135008) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "pgcrypto"
+  enable_extension "plpgsql"
+
+  create_table "access_tokens", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "token"
+    t.datetime "expires_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.uuid "user_id"
+    t.uuid "oauth_client_id"
+    t.index ["oauth_client_id"], name: "index_access_tokens_on_oauth_client_id"
+    t.index ["user_id"], name: "index_access_tokens_on_user_id"
+  end
+
+  create_table "authorization_codes", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "token"
+    t.string "redirect_uri"
+    t.datetime "expires_at"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.uuid "user_id"
+    t.uuid "oauth_client_id"
+    t.index ["oauth_client_id"], name: "index_authorization_codes_on_oauth_client_id"
+    t.index ["token"], name: "index_authorization_codes_on_token", unique: true
+    t.index ["user_id"], name: "index_authorization_codes_on_user_id"
+  end
+
+  create_table "enterprise_accounts", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "domain", null: false
+    t.uuid "external_uuid"
+    t.integer "external_int_id"
+    t.string "external_id"
+    t.uuid "oauth_client_id"
+    t.index ["domain"], name: "index_enterprise_accounts_on_domain", unique: true
+    t.index ["oauth_client_id"], name: "index_enterprise_accounts_on_oauth_client_id"
+  end
+
+  create_table "oauth_access_grants", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.uuid "resource_owner_id", null: false
+    t.uuid "application_id", null: false
+    t.string "token", null: false
+    t.integer "expires_in", null: false
+    t.text "redirect_uri", null: false
+    t.datetime "created_at", null: false
+    t.datetime "revoked_at"
+    t.string "scopes", default: "", null: false
+    t.index ["application_id"], name: "index_oauth_access_grants_on_application_id"
+    t.index ["token"], name: "index_oauth_access_grants_on_token", unique: true
+  end
+
+  create_table "oauth_access_tokens", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.uuid "resource_owner_id"
+    t.uuid "application_id"
+    t.string "token", null: false
+    t.string "refresh_token"
+    t.integer "expires_in"
+    t.datetime "revoked_at"
+    t.datetime "created_at", null: false
+    t.string "scopes"
+    t.string "previous_refresh_token", default: "", null: false
+    t.index ["application_id"], name: "index_oauth_access_tokens_on_application_id"
+    t.index ["refresh_token"], name: "index_oauth_access_tokens_on_refresh_token", unique: true
+    t.index ["token"], name: "index_oauth_access_tokens_on_token", unique: true
+  end
+
+  create_table "oauth_applications", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "name", null: false
+    t.string "secret", null: false
+    t.text "redirect_uri", null: false
+    t.string "scopes", default: "", null: false
+    t.boolean "confidential", default: true, null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+  end
+
+  create_table "oauth_clients", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "name", null: false
+    t.string "secret", null: false
+    t.string "identifier", null: false
+    t.index ["identifier"], name: "index_oauth_clients_on_identifier", unique: true
+  end
+
+  create_table "redirect_uris", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "uri", null: false
+    t.boolean "primary", default: false, null: false
+    t.uuid "oauth_client_id"
+    t.index ["oauth_client_id"], name: "index_redirect_uris_on_oauth_client_id"
+    t.index ["uri", "primary"], name: "index_redirect_uris_on_uri_and_primary", unique: true
+  end
+
+  create_table "saml_providers", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "provider", null: false
+    t.string "domain", null: false
+    t.string "idp_sso_target_url"
+    t.text "idp_cert"
+    t.uuid "enterprise_account_id"
+    t.uuid "oauth_client_id"
+    t.index ["domain", "provider"], name: "index_saml_providers_on_domain_and_provider", unique: true
+    t.index ["enterprise_account_id"], name: "index_saml_providers_on_enterprise_account_id"
+    t.index ["oauth_client_id"], name: "index_saml_providers_on_oauth_client_id"
+  end
+
+  create_table "users", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+    t.string "email", null: false
+    t.string "idp_id", null: false
+    t.uuid "saml_provider_id"
+    t.uuid "enterprise_account_id"
+    t.index ["email", "idp_id"], name: "index_users_on_email_and_idp_id", unique: true
+    t.index ["enterprise_account_id"], name: "index_users_on_enterprise_account_id"
+  end
+
+  add_foreign_key "oauth_access_grants", "oauth_applications", column: "application_id"
+  add_foreign_key "oauth_access_grants", "users", column: "resource_owner_id"
+  add_foreign_key "oauth_access_tokens", "oauth_applications", column: "application_id"
+  add_foreign_key "oauth_access_tokens", "users", column: "resource_owner_id"
+  add_foreign_key "users", "saml_providers"
+end

data/lib/osso/helpers/auth.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Helpers
+  module Auth
+    attr_accessor :current_scope
+    
+    def enterprise_protected!(domain = nil)
+      return if admin_authorized?
+      return if enterprise_authorized?(domain)
+
+      redirect ENV['JWT_URL']
+    end
+
+    def enterprise_authorized?(domain)
+      payload, _args = JWT.decode(
+        token,
+        ENV['JWT_HMAC_SECRET'],
+        true,
+        { algorithm: 'HS256' },
+      )
+
+      @current_scope = payload['scope']
+
+      true
+    rescue JWT::DecodeError
+      false
+    end
+
+    def admin_protected!
+      return if admin_authorized?
+
+      redirect ENV['JWT_URL']
+    end
+
+    def admin_authorized?
+      payload, _args = JWT.decode(
+        token,
+        ENV['JWT_HMAC_SECRET'],
+        true,
+        { algorithm: 'HS256' },
+      )
+
+      if payload['scope'] == 'admin'
+        @current_scope = :admin
+        return true
+      end
+
+      false
+    rescue JWT::DecodeError
+      false
+    end
+
+    def token
+      request.env['admin_token'] || session['admin_token'] || request['admin_token']
+    end
+
+    def chomp_token
+      return unless request['admin_token'].present?
+
+      session['admin_token'] = request['admin_token']
+
+      return if request.post?
+
+      redirect request.path
+    end
+  end
+end

data/lib/osso/helpers/helpers.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module Helpers
+end
+
+require_relative 'auth'

data/lib/osso/lib/app_config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rack/contrib'
+
+module Osso
+  module AppConfig
+    def self.included(klass)
+      klass.class_eval do
+        use Rack::JSONBodyParser
+        use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
+
+        error ActiveRecord::RecordNotFound do
+          status 404
+        end
+
+        set :root, Dir.pwd
+      end
+    end
+  end
+end

data/lib/osso/lib/oauth2_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module Osso
+  module OAuth2Token
+    def self.included(klass)
+      klass.class_eval do
+        cattr_accessor :default_lifetime
+        self.default_lifetime = 1.minute
+        belongs_to :user
+        belongs_to :oauth_client
+
+        before_validation :setup, on: :create
+        validates :oauth_client, :expires_at, presence: true
+        validates :token, presence: true, uniqueness: true
+
+        scope :valid, -> { where('expires_at > ?', Time.now.utc) }
+      end
+    end
+
+    def expires_in
+      (expires_at - Time.now.utc).to_i
+    end
+
+    def expired!
+      self.expires_at = Time.now.utc
+      save!
+    end
+
+    private
+
+    def setup
+      self.token = SecureRandom.hex(32)
+      self.expires_at ||= default_lifetime.from_now
+    end
+  end
+end

data/lib/osso/models/access_token.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AccessToken < ::ActiveRecord::Base
+      include OAuth2Token
+      self.default_lifetime = 10.minutes
+      belongs_to :refresh_token
+
+      def to_bearer_token
+        Rack::OAuth2::AccessToken::Bearer.new(
+          access_token: token,
+          expires_in: expires_in,
+        )
+      end
+
+      private
+
+      def setup
+        super
+        return unless refresh_token
+
+        self.user = refresh_token.user
+        self.client = refresh_token.client
+        self.expires_at = [expires_at, refresh_token.expires_at].min
+      end
+    end
+  end
+end

data/lib/osso/models/authorization_code.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class AuthorizationCode < ActiveRecord::Base
+      include OAuth2Token
+
+      def access_token
+        @access_token ||= expired! &&
+          user.access_tokens.create(oauth_client: oauth_client)
+      end
+    end
+  end
+end

data/lib/osso/models/enterprise_account.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for Enterprises. This should map one-to-one with
+    # your own Account model. Persisting the EnterpriseAccount id
+    # in your application's database is recommended. The table also
+    # includes fields for external IDs such that you can persist
+    # your ID for an account in your Osso instance.
+    class EnterpriseAccount < ActiveRecord::Base
+      belongs_to :oauth_client
+      has_many :users
+      has_many :saml_providers
+
+      def single_provider?
+        saml_providers.one?
+      end
+
+      def provider
+        return nil unless single_provider?
+
+        saml_providers.first
+      end
+
+      alias saml_provider provider
+    end
+  end
+end

data/lib/osso/models/models.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'sinatra/activerecord'
+
+module Osso
+  module Models
+  end
+end
+
+require_relative 'access_token'
+require_relative 'authorization_code'
+require_relative 'enterprise_account'
+require_relative 'oauth_client'
+require_relative 'redirect_uri'
+require_relative 'saml_provider'
+require_relative 'user'

data/lib/osso/models/oauth_client.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+module Osso
+  module Models
+    class OauthClient < ActiveRecord::Base
+      has_many :access_tokens
+      has_many :refresh_tokens
+      has_many :saml_providers
+      has_many :redirect_uris
+
+      before_validation :setup, on: :create
+      validates :name, :secret, presence: true
+      validates :identifier, presence: true, uniqueness: true
+
+      def default_redirect_uri
+        redirect_uris.find(&:primary)
+      end
+
+      def redirect_uri_values
+        redirect_uris.map(&:uri)
+      end
+
+      private
+
+      def setup
+        self.identifier = SecureRandom.hex(16)
+        self.secret = SecureRandom.hex(64)
+      end
+    end
+  end
+end

data/lib/osso/models/redirect_uri.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class RedirectUri < ActiveRecord::Base
+      belongs_to :oauth_client
+
+      # TODO
+      # before_validation :set_primary, on: :creaet, :update
+
+      private
+
+      def set_primary
+        if primary_was.true? && primary.false?
+
+        end
+      end
+    end
+  end
+end

data/lib/osso/models/saml_provider.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for SAML Providers
+    class SamlProvider < ActiveRecord::Base
+      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      self.inheritance_column = :provider
+      belongs_to :enterprise_account
+      belongs_to :oauth_client
+      has_many :users
+
+      before_create :create_enterprise_account
+
+      def name
+        raise(
+          NoMethodError,
+          '#name must be defined on each provider specific subclass',
+        )
+      end
+
+      def saml_options
+        raise(
+          NoMethodError,
+          '#saml_options must be defined on each provider specific subclass',
+        )
+      end
+
+      def assertion_consumer_service_url
+        [
+          ENV.fetch('BASE_URL'),
+          'auth',
+          'saml',
+          id,
+          'callback',
+        ].join('/')
+      end
+
+      alias acs_url assertion_consumer_service_url
+
+      def create_enterprise_account
+        return if enterprise_account_id
+
+        self.enterprise_account = Models::EnterpriseAccount.create(
+          domain: domain,
+        )
+      end
+    end
+  end
+end
+require_relative 'saml_providers/azure_saml_provider'
+require_relative 'saml_providers/okta_saml_provider'