osso 0.0.3.15 → 0.0.3.16
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/lib/osso/graphql/mutations/set_redirect_uris.rb +1 -1
- data/lib/osso/models/redirect_uri.rb +0 -11
- data/lib/osso/routes/auth.rb +24 -11
- data/lib/osso/routes/oauth.rb +7 -7
- data/lib/osso/version.rb +1 -1
- data/spec/routes/auth_spec.rb +18 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6e33fd333f7c329404b9a9bdeb62551629b38a8b615b6aef556bc4b4c0ca2a03
|
|
4
|
+
data.tar.gz: e8c21ea78f2f33e5b6497c85148ff67221949ded6c34380dcb48a6eb450d6dc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 76779ec670e1a6c12589a3b2a1f319e8855ba8770a83489787d56c43bb8a23aa9a75ee9b9864dfce76f54061e3829ce639214ba5f5a4c7c8efc699e1776801a6
|
|
7
|
+
data.tar.gz: 356194bce279f215d58ea36e0e7e188c4ee134a4a4b55ce435fdee255caf23c39974f0b87a305e332a84b7aaf519db6ee13525beecd47117b9f9ebbd765679e3
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
osso (0.0.3.
|
|
4
|
+
osso (0.0.3.16)
|
|
5
5
|
activesupport (>= 6.0.3.2)
|
|
6
6
|
graphql
|
|
7
7
|
jwt
|
|
@@ -66,7 +66,7 @@ GEM
|
|
|
66
66
|
method_source (1.0.0)
|
|
67
67
|
mini_portile2 (2.4.0)
|
|
68
68
|
minitest (5.14.1)
|
|
69
|
-
multi_json (1.
|
|
69
|
+
multi_json (1.15.0)
|
|
70
70
|
mustermann (1.1.1)
|
|
71
71
|
ruby2_keywords (~> 0.0.1)
|
|
72
72
|
nokogiri (1.10.9)
|
|
@@ -31,7 +31,7 @@ module Osso
|
|
|
31
31
|
|
|
32
32
|
def update_existing(oauth_client, redirect_uris)
|
|
33
33
|
oauth_client.redirect_uris.each do |redirect|
|
|
34
|
-
updating_index = redirect_uris.index{ |incoming| incoming[:id] == redirect.id }
|
|
34
|
+
updating_index = redirect_uris.index { |incoming| incoming[:id] == redirect.id }
|
|
35
35
|
|
|
36
36
|
if updating_index
|
|
37
37
|
updating = redirect_uris.delete_at(updating_index)
|
|
@@ -4,17 +4,6 @@ module Osso
|
|
|
4
4
|
module Models
|
|
5
5
|
class RedirectUri < ActiveRecord::Base
|
|
6
6
|
belongs_to :oauth_client
|
|
7
|
-
|
|
8
|
-
# TODO
|
|
9
|
-
# before_validation :set_primary, on: :creaet, :update
|
|
10
|
-
|
|
11
|
-
private
|
|
12
|
-
|
|
13
|
-
def set_primary
|
|
14
|
-
if primary_was.true? && primary.false?
|
|
15
|
-
|
|
16
|
-
end
|
|
17
|
-
end
|
|
18
7
|
end
|
|
19
8
|
end
|
|
20
9
|
end
|
data/lib/osso/routes/auth.rb
CHANGED
|
@@ -14,10 +14,6 @@ module Osso
|
|
|
14
14
|
/[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
|
|
15
15
|
freeze
|
|
16
16
|
|
|
17
|
-
def self.internal_redirect?(env)
|
|
18
|
-
env['HTTP_REFERER']&.match(env['SERVER_NAME'])
|
|
19
|
-
end
|
|
20
|
-
|
|
21
17
|
use OmniAuth::Builder do
|
|
22
18
|
OmniAuth::MultiProvider.register(
|
|
23
19
|
self,
|
|
@@ -26,8 +22,8 @@ module Osso
|
|
|
26
22
|
path_prefix: '/auth/saml',
|
|
27
23
|
callback_suffix: 'callback',
|
|
28
24
|
) do |identity_provider_id, _env|
|
|
29
|
-
|
|
30
|
-
|
|
25
|
+
Models::IdentityProvider.find(identity_provider_id).
|
|
26
|
+
saml_options
|
|
31
27
|
end
|
|
32
28
|
end
|
|
33
29
|
|
|
@@ -36,11 +32,10 @@ module Osso
|
|
|
36
32
|
# their Identity Provider. We find or create a user record,
|
|
37
33
|
# and then create an authorization code for that user. The user
|
|
38
34
|
# is redirected back to your application with this code
|
|
39
|
-
# as a URL query param, which you then
|
|
35
|
+
# as a URL query param, which you then exchange for an access token.
|
|
40
36
|
post '/saml/:id/callback' do
|
|
41
37
|
provider = Models::IdentityProvider.find(params[:id])
|
|
42
|
-
oauth_client = provider.oauth_client
|
|
43
|
-
redirect_uri = env['redirect_uri'] || oauth_client.primary_redirect_uri.uri
|
|
38
|
+
@oauth_client = provider.oauth_client
|
|
44
39
|
|
|
45
40
|
attributes = env['omniauth.auth']&.
|
|
46
41
|
extra&.
|
|
@@ -56,11 +51,29 @@ module Osso
|
|
|
56
51
|
end
|
|
57
52
|
|
|
58
53
|
authorization_code = user.authorization_codes.create!(
|
|
59
|
-
oauth_client: oauth_client,
|
|
54
|
+
oauth_client: @oauth_client,
|
|
60
55
|
redirect_uri: redirect_uri,
|
|
61
56
|
)
|
|
62
57
|
|
|
63
|
-
|
|
58
|
+
# Mark IDP as active
|
|
59
|
+
|
|
60
|
+
redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{provider_state}")
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def redirect_uri
|
|
64
|
+
return @oauth_client.primary_redirect_uri.uri if valid_idp_initiated_flow
|
|
65
|
+
|
|
66
|
+
session[:osso_oauth_redirect_uri]
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
def provider_state
|
|
70
|
+
return 'IDP_INITIATED' if valid_idp_initiated_flow
|
|
71
|
+
|
|
72
|
+
session[:osso_oauth_state]
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def valid_idp_initiated_flow
|
|
76
|
+
!session[:osso_oauth_redirect_uri] && !session[:osso_oauth_state]
|
|
64
77
|
end
|
|
65
78
|
end
|
|
66
79
|
end
|
data/lib/osso/routes/oauth.rb
CHANGED
|
@@ -6,7 +6,7 @@ module Osso
|
|
|
6
6
|
class Oauth < Sinatra::Base
|
|
7
7
|
include AppConfig
|
|
8
8
|
register Sinatra::Namespace
|
|
9
|
-
|
|
9
|
+
|
|
10
10
|
namespace '/oauth' do
|
|
11
11
|
# Send your users here in order to being an authentication
|
|
12
12
|
# flow. This flow follows the authorization grant oauth
|
|
@@ -19,11 +19,11 @@ module Osso
|
|
|
19
19
|
|
|
20
20
|
Rack::OAuth2::Server::Authorize.new do |req, _res|
|
|
21
21
|
client = Models::OauthClient.find_by!(identifier: req.client_id)
|
|
22
|
-
req.verify_redirect_uri!(client.redirect_uri_values)
|
|
22
|
+
session[:osso_oauth_redirect_uri] = req.verify_redirect_uri!(client.redirect_uri_values)
|
|
23
23
|
end.call(env)
|
|
24
24
|
|
|
25
25
|
if @enterprise.single_provider?
|
|
26
|
-
session[:
|
|
26
|
+
session[:osso_oauth_state] = params[:state]
|
|
27
27
|
redirect "/auth/saml/#{@enterprise.provider.id}"
|
|
28
28
|
end
|
|
29
29
|
|
|
@@ -35,9 +35,10 @@ module Osso
|
|
|
35
35
|
return erb :error
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
# Exchange an authorization code
|
|
39
|
-
# In addition to the
|
|
40
|
-
# required by
|
|
38
|
+
# Exchange an authorization code for an access token.
|
|
39
|
+
# In addition to the authorization code, you must include all
|
|
40
|
+
# paramaters required by OAuth spec: redirect_uri, client ID,
|
|
41
|
+
# and client secret
|
|
41
42
|
post '/token' do
|
|
42
43
|
Rack::OAuth2::Server::Token.new do |req, res|
|
|
43
44
|
code = Models::AuthorizationCode.
|
|
@@ -60,4 +61,3 @@ module Osso
|
|
|
60
61
|
end
|
|
61
62
|
end
|
|
62
63
|
end
|
|
63
|
-
# rubocop:enable Metrics/BlockLength
|
data/lib/osso/version.rb
CHANGED
data/spec/routes/auth_spec.rb
CHANGED
|
@@ -63,6 +63,24 @@ describe Osso::Auth do
|
|
|
63
63
|
)
|
|
64
64
|
end.to change { Osso::Models::AuthorizationCode.count }.by(1)
|
|
65
65
|
end
|
|
66
|
+
|
|
67
|
+
describe 'for an IDP initiated login' do
|
|
68
|
+
it 'redirects with a default state' do
|
|
69
|
+
mock_saml_omniauth
|
|
70
|
+
|
|
71
|
+
post(
|
|
72
|
+
"/auth/saml/#{okta_provider.id}/callback",
|
|
73
|
+
nil,
|
|
74
|
+
{
|
|
75
|
+
'omniauth.auth' => OmniAuth.config.mock_auth[:saml],
|
|
76
|
+
'identity_provider' => okta_provider,
|
|
77
|
+
},
|
|
78
|
+
)
|
|
79
|
+
expect(last_response).to be_redirect
|
|
80
|
+
follow_redirect!
|
|
81
|
+
expect(last_request.url).to match(/.*state=IDP_INITIATED$/)
|
|
82
|
+
end
|
|
83
|
+
end
|
|
66
84
|
end
|
|
67
85
|
|
|
68
86
|
describe 'on subsequent authentications' do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: osso
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.3.
|
|
4
|
+
version: 0.0.3.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sam Bauch
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-08-
|
|
11
|
+
date: 2020-08-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|