osso 0.0.3.7

data/lib/osso/models/models.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'sinatra/activerecord'
+
+module Osso
+  module Models
+  end
+end
+
+require_relative 'access_token'
+require_relative 'authorization_code'
+require_relative 'enterprise_account'
+require_relative 'oauth_client'
+require_relative 'redirect_uri'
+require_relative 'identity_provider'
+require_relative 'user'

data/lib/osso/models/oauth_client.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+module Osso
+  module Models
+    class OauthClient < ActiveRecord::Base
+      has_many :access_tokens
+      has_many :refresh_tokens
+      has_many :identity_providers
+      has_many :redirect_uris
+
+      before_validation :setup, on: :create
+      validates :name, :secret, presence: true
+      validates :identifier, presence: true, uniqueness: true
+
+      def default_redirect_uri
+        redirect_uris.find(&:primary)
+      end
+
+      def redirect_uri_values
+        redirect_uris.map(&:uri)
+      end
+
+      private
+
+      def setup
+        self.identifier = SecureRandom.hex(16)
+        self.secret = SecureRandom.hex(64)
+      end
+    end
+  end
+end

data/lib/osso/models/redirect_uri.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class RedirectUri < ActiveRecord::Base
+      belongs_to :oauth_client
+
+      # TODO
+      # before_validation :set_primary, on: :creaet, :update
+
+      private
+
+      def set_primary
+        if primary_was.true? && primary.false?
+
+        end
+      end
+    end
+  end
+end

data/lib/osso/models/saml_provider.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Base class for SAML Providers
+    class IdentityProvider < ActiveRecord::Base
+      NAME_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+      belongs_to :enterprise_account
+      belongs_to :oauth_client
+      has_many :users
+
+      before_create :create_enterprise_account
+
+      # def name
+      #   raise(
+      #     NoMethodError,
+      #     '#name must be defined on each provider specific subclass',
+      #   )
+      # end
+
+      # def saml_options
+      #   raise(
+      #     NoMethodError,
+      #     '#saml_options must be defined on each provider specific subclass',
+      #   )
+      # end
+
+      def assertion_consumer_service_url
+        [
+          ENV.fetch('BASE_URL'),
+          'auth',
+          'saml',
+          id,
+          'callback',
+        ].join('/')
+      end
+
+      alias acs_url assertion_consumer_service_url
+
+      def create_enterprise_account
+        return if enterprise_account_id
+
+        self.enterprise_account = Models::EnterpriseAccount.create(
+          domain: domain,
+        )
+      end
+    end
+  end
+end

data/lib/osso/models/saml_providers/azure_saml_provider.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Subclass for Azure / ADFS IDP instances
+    class AzureSamlProvider < Models::IdentityProvider
+      def name
+        'Azure'
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).merge(
+          issuer: "id:#{id}",
+        ).symbolize_keys
+      end
+    end
+  end
+end

data/lib/osso/models/saml_providers/okta_saml_provider.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    # Subclass for Okta IDP instances
+    class OktaSamlProvider < Models::IdentityProvider
+      def name
+        'Okta'
+      end
+
+      def saml_options
+        attributes.slice(
+          'domain',
+          'idp_cert',
+          'idp_sso_target_url',
+        ).merge(
+          issuer: id,
+          name_identifier_format: NAME_FORMAT,
+        ).symbolize_keys
+      end
+    end
+  end
+end

data/lib/osso/models/user.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Osso
+  module Models
+    class User < ActiveRecord::Base
+      belongs_to :enterprise_account
+      belongs_to :identity_provider
+      has_many :authorization_codes, dependent: :delete_all
+      has_many :access_tokens, dependent: :delete_all
+
+      def oauth_client
+        identity_provider.oauth_client
+      end
+
+      def as_json(*)
+        {
+          email: email,
+          id: id,
+          idp: identity_provider.name,
+        }
+      end
+    end
+  end
+end

data/lib/osso/rake.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+load 'active_record/railties/databases.rake'
+require "sinatra/activerecord/rake/activerecord_#{ActiveRecord::VERSION::MAJOR}"

data/lib/osso/routes/admin.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Osso
+  class Admin < Sinatra::Base
+    include AppConfig
+    helpers Helpers::Auth
+    register Sinatra::Namespace
+
+    before do
+      chomp_token
+    end
+
+    namespace '/admin' do
+      get '' do
+        admin_protected!
+
+        erb :admin
+      end
+
+      get '/enterprise' do
+        admin_protected!
+
+        erb :admin
+      end
+
+      get '/enterprise/:domain' do
+        enterprise_protected!(params[:domain])
+
+        erb :admin
+      end
+
+      get '/config' do
+        admin_protected!
+
+        erb :admin
+      end
+    end
+  end
+end

data/lib/osso/routes/auth.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'cgi'
+require 'omniauth'
+require 'omniauth-multi-provider'
+require 'omniauth-saml'
+
+module Osso
+  class Auth < Sinatra::Base
+    include AppConfig
+    register Sinatra::Namespace
+
+    UUID_REGEXP =
+      /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
+        freeze
+
+    def self.internal_redirect?(env)
+      env['HTTP_REFERER']&.match(env['SERVER_NAME'])
+    end
+
+    use OmniAuth::Builder do
+      OmniAuth::MultiProvider.register(
+        self,
+        provider_name: 'saml',
+        identity_provider_id_regex: UUID_REGEXP,
+        path_prefix: '/saml',
+        callback_suffix: 'callback',
+      ) do |identity_provider_id, _env|
+        provider = Models::IdentityProvider.find(identity_provider_id)
+        provider.saml_options
+      end
+    end
+
+    namespace '/auth' do
+      # Enterprise users are sent here after authenticating against
+      # their Identity Provider. We find or create a user record,
+      # and then create an authorization code for that user. The user
+      # is redirected back to your application with this code
+      # as a URL query param, which you then exhange for an access token
+      post '/saml/:id/callback' do
+        provider = Models::IdentityProvider.find(params[:id])
+        oauth_client = provider.oauth_client
+        redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+
+        attributes = env['omniauth.auth']&.
+          extra&.
+          response_object&.
+          attributes
+
+        user = Models::User.where(
+          email: attributes[:email],
+          idp_id: attributes[:id],
+        ).first_or_create! do |new_user|
+          new_user.enterprise_account_id = provider.enterprise_account_id
+          new_user.identity_provider_id = provider.id
+        end
+
+        authorization_code = user.authorization_codes.create!(
+          oauth_client: oauth_client,
+          redirect_uri: redirect_uri,
+        )
+
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+      end
+    end
+  end
+end

data/lib/osso/routes/oauth.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'rack/oauth2'
+
+module Osso
+  class Oauth < Sinatra::Base
+    include AppConfig
+    register Sinatra::Namespace
+    # rubocop:disable Metrics/BlockLength
+    namespace '/oauth' do
+      # Send your users here in order to being an authentication
+      # flow. This flow follows the authorization grant oauth
+      # spec with one exception - you must also pass the domain
+      # of the user who wants to sign in.
+      get '/authorize' do
+        @enterprise = Models::EnterpriseAccount.
+          includes(:identity_providers).
+          find_by!(domain: params[:domain])
+
+        Rack::OAuth2::Server::Authorize.new do |req, _res|
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.verify_redirect_uri!(client.redirect_uri_values)
+        end.call(env)
+
+        if @enterprise.single_provider?
+          session[:oauth_state] = params[:state]
+          redirect "/auth/saml/#{@enterprise.provider.id}"
+        end
+
+        # TODO: multiple provider support
+        # erb :multiple_providers
+
+      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+        @error = e
+        return erb :error
+      end
+
+      # Exchange an authorization code token for an access token.
+      # In addition to the token, you must include all paramaters
+      # required by Oauth spec: redirect_uri, client ID, and client secret
+      post '/token' do
+        Rack::OAuth2::Server::Token.new do |req, res|
+          code = Models::AuthorizationCode.
+            find_by_token!(params[:code])
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.invalid_client! if client.secret != req.client_secret
+          req.invalid_grant! if code.redirect_uri != req.redirect_uri
+          res.access_token = code.access_token.to_bearer_token
+        end.call(env)
+      end
+
+      # Use the access token to request a user profile
+      get '/me' do
+        json Models::AccessToken.
+          includes(:user).
+          valid.
+          find_by_token!(params[:access_token]).
+          user
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/BlockLength

data/lib/osso/routes/routes.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'rack/contrib'
+require 'sinatra/base'
+require 'sinatra/contrib'
+require 'sinatra/json'
+
+require_relative 'admin'
+require_relative 'auth'
+require_relative 'oauth'

data/lib/osso/routes/views/error.erb

@@ -0,0 +1 @@
+<%= @error %>

data/lib/osso/routes/views/multiple_providers.erb

@@ -0,0 +1 @@
+multiple providers

data/lib/osso/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Osso
+  VERSION = '0.0.3.7'
+end

data/lib/tasks/bootstrap.rake

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'sinatra/activerecord'
+require 'sinatra/activerecord/rake'
+require 'osso'
+
+namespace :osso do
+  desc 'Bootstrap Osso data for a deployment'
+  task :bootstrap do
+    %w[Production Staging Development].each do |environement|
+      Osso::Models::OauthClient.create!(
+        name: environement,
+      )
+    end
+  end
+end

data/osso-rb.gemspec

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative 'lib/osso/version'
+
+# rubocop:disable Metrics/BlockLength
+Gem::Specification.new do |spec|
+  spec.name          = 'osso'
+  spec.version       = Osso::VERSION
+  spec.authors       = ['Sam Bauch']
+  spec.email         = ['sbauch@gmail.com']
+
+  spec.summary       = 'Main functionality for Osso'
+  spec.description   = 'This gem includes the main functionality for Osso apps,'
+  spec.homepage      = 'https://github.com/enterprise-oss/osso-rb'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+  spec.license = 'MIT'
+
+  spec.add_runtime_dependency 'activesupport', '>= 6.0.3.2'
+  spec.add_runtime_dependency 'graphql'
+  spec.add_runtime_dependency 'jwt'
+  spec.add_runtime_dependency 'omniauth-multi-provider'
+  spec.add_runtime_dependency 'omniauth-saml'
+  spec.add_runtime_dependency 'rack', '>= 2.1.4'
+  spec.add_runtime_dependency 'rack-contrib'
+  spec.add_runtime_dependency 'rack-oauth2'
+  spec.add_runtime_dependency 'rake'
+  spec.add_runtime_dependency 'sinatra'
+  spec.add_runtime_dependency 'sinatra-activerecord'
+  spec.add_runtime_dependency 'sinatra-contrib'
+
+  spec.add_development_dependency 'bundler', '~> 2.1'
+  spec.add_development_dependency 'pry'
+
+  spec.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  spec.files         = `git ls-files`.split("\n")
+  spec.test_files    = `git ls-files -- {spec}/*`.split("\n")
+  spec.bindir        = 'bin'
+  spec.require_paths = ['lib']
+end
+# rubocop:enable Metrics/BlockLength